A technology scientist. Humans living in a biologically driven existence through which I like to find ways the non biological machines can help us live more meaningful lives; stated in my complex of words and imagination.
In a home environment I have always used and been able to rely upon Trinity Rescue Kit. If your working in an enterprise environment this won’t work on Domain Accounts but if you for some reason don’t have any access at all to the PC you can at least reset the administrator’s password and get in. If I don’t even need to get in to retrieve any information I would just re-image the PC and not bother getting in but in case you need something here is the tool.
You will get an ISO image and just burn it to CD since it is most likely your PC has a cd player. If not then you will have to make a bootable USB drive with it and boot using USB if your PC doesn’t use a CD player. This tutorial is for use of the CD version but if you need to make a bootable USB drive I like using this little tool called YUMI
Boot into your TRK disc and Choose the Interactive WinPass option and then choose option 1 to select your Windows Installment and list its users.
Type in the name of the user you want to clear a password for and your done!(See video for details)
So we like playing music in the car or wherever we are from our phone using youtube. Now lets instead just download our music before-hand and not use our costly phone’s bandwidth! On top of this we just want to download the audio since it is a much smaller file size and will take up little room.
Back to my favorite online video downloader: Youtube-dl – This is our simple command line tool we will run in the command prompt to grab our videos with. I have written a previous post on this on how to use it please check that out on figuring out how it’s used.
This is a quick blogged guide for administrators who need to delete an email from their organization for some reason or another. In my case this was due to a cryptolocker like virus outbreak called Cerber.
The Task: Find the emails and delete them from the system to prevent further incidents from popping up making more work for us because we always have to re-image and physically replace the machines in some cases not to mention user downtime.
First we want to be able to locate and identify the emails targeted for deletion. In my case we received the payload from this address: Sharyn.firstname.lastname@example.org (first just want to say .ru its Russian!) we should never open emails like this but users will still go for it. There are several ways to find where the emails went and find out who read them and so on and this is what we will do going off this address.
Options for Searching: Exchange Powershell OR Exchange E-Discovery Gui
I’ll use both normally. In many cases if the search involves gathering emails it is easiest for me to just run an E-discovery search and shoot them over into a PST file. In the case of deletions though we want to use the Powershell since it is the only way as of now that I know of to delete emails from the system and user mailboxes in mass action.
-This command first grabs all mailboxes within the Organization then pipes it to our search function using the “|” symbol. In our Search operation we “Searh-Mailbox -Search Query” so here we will then specifcy with the “From:” text to find our matching address. The command then follows up with a “target” mailbox and user to send a report of the results. In my case I’m sending it to my adminuser’s mailbox under the “SearchAndDeleteLog” I created for it.
I was concerned that it worked on also infecting file shares but from what I can see it doesn’t touch them. After having a user infect a computer here in our Network it looks like nothing else has been touched but all the files on her computer displaying messages like this:
Every file basically encrypted until you pay the son of aguns.
Basic Steps on handling this type of problem:
Verify none of your other networked file shares have been infected and run a full virus scan of the shares just to be safe. So far I haven’t heard of Cerber jumping to any networked shares so it keeps things local to the machine which means it is mainly targeting end users. Here is a snip of Code from the above link that leads me to believe it is only keeping things local since it’s the only reference to any directories it makes: “folders”: [ “:\\$recycle.bin\\”,”: \\$windows.~bt\\”, “:\\boot\\”,”: \\drivers\\”, “:\\program files\\”,”: \\program files (x86)\\”, “:\\programdata\\”,”: \\users\\all users\\”, “:\\windows\\”,”\\appdata\\local\\”, “\\appdata\\locallow\\”,”\\appdata\\roaming\\”, “\\public\\music\\sample music\\”,”\\public\\pictures\\sample pictures\\”, “\\public\\videos\\sample videos\\”,”\\tor browser\\
Next step is to Burn the infected machine(Just re-image it) Users might ask for the files in which case they can pay the ransom if it’s that important. Something like 2 bit coins or $500 if you pay up before it doubles on you every week. One other thing users have asked me is if they can at least see the files they lost in which case your going to be taking a picture of the computer screen because there’s no safe bets I would take making any kind of digital bridge to that computer(ie: plugging in a usb stick or taking a snapshot to transfer to a usb Stick)
Final step is replace the users PC and restore their files. That is if you back them up!
Confirmed with Talos Security group that this is not de-cryptable as of yet
So if you have had to ever do this you will first have to deal with the legal side of the software. With adobe you can order a Device or User license.
User licences are the easiest to deal with because you don’t really manage it other than give a user the license.
With a device license however we need to specifically create a package using Adobe’s Creative Cloud Packager by which we end up downloading the software we want ie: Premier,Photoshop,etc. And then we can create an MSI file from that to distribute in SCCM 2012.
So check it out I have a video for this:)
-Sorry for the Blurred parts, for security purposes
-If there are questions, post in the comments and I’ll reply.
Download Creative Cloud Packager to local HD
Run CC Packager and select the Option to create a package for Teams and Educational licenses(Otherwise you won’t get the Device License Option)
Use the program to download and create a package of the Adobe programs you want
Import it into SCCM as an application
Distribute to your Device Collection as needed. The applications should afterwards run without requiring the device to sign into the Cloud
So I have re-imaged a computer and it has been several weeks. I have already re-provisioned the computer and another user has been writing to it obviously. The simple answer on this one is the chances are incredibly slim. Although after speaking with a Kroll Ontrack recovery rep they did say something can still be recovered but highly unlikely it would be what we were looking for. I also had memory of using FTK imager for file investigations. That ended up being far to pricey just to recover data although their product is great for finding lost data or hidden data; A post for another time on FTK..
I tried the free program Recova to see what thatmight unveil and it picked up some deleted PDF files but even the ones it deemed were in excellent condition were too damaged to work in Adobe Acrobat. And of course its advanced feature will at least let you filter through pictures,files,documents etc.. I will say it was good only for recovering images since it seemed to keep them intact. But again only the ones deemed excellent(denoted by the green circles)
Nonetheless in a situation involving a Hard disk data recovery your best bet is to send it to a professional company and even that isn’t a guarantee but if the data is that important maybe it’s worth the cost. A managerial decision to be made.
And of Course another lesson in Backup. Always backup your information. In this case we had the user wait forever to tell us what was needed and with a backup policy that doesn’t include local hard drives it was close to impossible. You move on and leave it in the past.
So there are several programs to use for this but my favorite has become “Youtube-dl” It’s a simple command line program you can easily use for scripting and more. But simply its just simple to use and straightforward no gui, just type in the commands on your command line and your set!
It involves basically taking the Share URL for the video or Playlist you want and then downloading it to your working directory from the CMD prompt. That’s it we just use CMD for this bad boy.
Here are my notes on the basic uses. I basically just use it to download playlists to play on my phone using my Home internet connection. This saves my phone’s preciously expensive High Speed data!
USING youtube-dl in Powershell
-Download the .exe file for windows and create a folder for it in your Program Files C:\program files\youtube-dl
-Now add it to the environemental path for use in powershell and cmd
Go to>Start Menu > Right Click “Computer” >Properties> Advanced System Properties > Environmental Variables button at bottom > Under “System Variables” go to the PATH variable
Edit and by adding a “;” to the end enter your path C:\program files\youtube-dl
-Start Powershell or CMD.exe(just type them into the start menu search) and use it as any program you would call with the command “youtube-dl” and add any arguments after see below for simple practical uses
-Keep in mind a video downloads to the current working directory displayed in your CMD prompt(Just open file explorer and browse there)
TO DOWNLOAD A VIDEO IN CMD/POWERSHELL
youtube-dl <url from youtube to video>
-Files are downloaded to the working directory.
DOWNLOAD A YOUTUBE PLAYLIST
youtube-dl -cit <url of playlist>
HOW TO GET URL OF A PLAYLIST
-Go to the Youtube channel click on the play list (not play all) and you should see a “share” button for the play list for which you can download.
ie: the share button on this page will generate the playlist url: https://www.youtube.com/playlist?list=PLkHsKoi6eZnzJl1qTzmvBwTxrSJW4D2Jj
ERROR READING URL
-You had to update before using powershell in admin mode
Description: Dells Optiplex 9010 PCs will sometimes become unsigned and the Windows 7 Microsoft Operating system won’t use them rendering the Keyboard and Mouse useless.
Steps to Take:
You can verify this issue by checking your Device Drivers and seeing the problematic drivers(Start Menu>Right Click My Computer>Manage>Device Manager)
Quick Workaround restart your PC and spamming the F8 key to get into the Advanced Boot menu. Then choose to start with Signed Drivers ‘Disabled’. This should boot to Windows with generic drivers and the keyboard and mouse should be working again.
Now the Fix: Replace the affected drivers with good drivers. So first you will need to Copy drivers from a working PC into a share somwhere.
We will need to install the Unlocker.exe program or whatever you choose to be allowed to rename the driver files here: %windir%\System32\drivers
Rename the affected drivers to .OLD and replace them with the good drivers(Click on pic for drivers to pull). Pull the good drivers from a working PC.
Copy and Paste the good drivers into the drivers directory and restart the PC. Walla all good:)
UPDATE: seems to have been an issue related to KB2913431
Remove the update from PCs and try to make sure it doesn’t get distrbuted via WDS or SCCM.
UPDATE: Me and a Colleague wrote a script on the process save this into a .bat file and its automated for you! Just remember to edit the part where you will enter your server-name when mapping to it to copy the files from.
@echo on rem * Take Owner of files and make new owner the local administrators group * takeown /f c:\windows\system32\drivers\iusb3hub.sys /a takeown /f c:\windows\system32\drivers\iusb3xhc.sys /a takeown /f c:\windows\system32\drivers\usbccgp.sys /a takeown /f c:\windows\system32\drivers\usbd.sys /a takeown /f c:\windows\system32\drivers\usbehci.sys /a takeown /f c:\windows\system32\drivers\usbhub.sys /a takeown /f c:\windows\system32\drivers\usbport.sys /a
rem * break inheritance, grant modify permission to the local administrators group * icacls c:\windows\system32\drivers\iusb3hub.sys /inheritance:r /grant:r “Administrators”:M icacls c:\windows\system32\drivers\iusb3xhc.sys /inheritance:r /grant:r “Administrators”:M icacls c:\windows\system32\drivers\usbccgp.sys /inheritance:r /grant:r “Administrators”:M icacls c:\windows\system32\drivers\usbd.sys /inheritance:r /grant:r “Administrators”:M icacls c:\windows\system32\drivers\usbehci.sys /inheritance:r /grant:r “Administrators”:M icacls c:\windows\system32\drivers\usbhub.sys /inheritance:r /grant:r “Administrators”:M icacls c:\windows\system32\drivers\usbport.sys /inheritance:r /grant:r “Administrators”:M
Funny how we have to protect ourselves from Microsoft’s own mishaps along with malicious software,oblivious users and all the like… But that’s the IT game.
And so it happens; Your users start to experience freezing across their Microsoft office programs out of nowhere and you need to become a detective. In my experience this has always been because of a recent update that has been applied to your organizations computers. Not sure how everyone else goes about applying updates but in this case It is controlled by a WDS server and then further controlled by System Center Configuration Manager. After checking the sites device collections I found that all affected computers were within the collection that receives all of the most recent Microsoft updates. Upon further research I found that it was linked to installed KB3114717 recently pushed by microsoft on 02/09/2016(Feburary’s Patch Tuesday 2016)
Uninstall this KB and walla; issues gone. Just another thing to look out for and another great reason to put together a Microsoft WDS server that will control which updates to push. This combined with Update groups and Device Collections in SCCM makes isolating and keeping machines from being patched to only a minimum which will serve to keep user outcry to only the selected test machines. Afterwards we just move that affected KB into a “do not deploy” group and collect the rest for deployment to the entire domain of computers.
If your reading this and just need to know how to uninstall it manually use this quick little guide:
Start Menu > Search Bar > type ‘appwiz.cpl’ > click “View Installed Updates” > Search for KB3114717 in the upper right hand corner of the Pane> Find it and uninstall it
As always make sure the users run with the programs for a day before you mark this issue as resolved.