Posts Tagged ‘microsoft’

Sysinternal: Ctrl2cap

I am beginning a new series on the Sysinternals tools, which are now part of Microsoft TechNet. This series of posts will highlight the interesting and useful tools in the Sysinternals suite. The most common tool, and perhaps the most important, is ProcMon, but we’ll get to that later. Today we’ll review the first tool posted, Ctrl2cap.

Ctrl2cap was designed to help transition users from old Unix-style keyboards, where the Control key sits where the Caps Lock key is on a standard Windows keyboard. Installing this tool captures keyboard input and swaps the Control and Caps Lock keys to make the transition easier for Unix administrators moving to a Windows environment. I encounter the inverse situation when I am at a Unix-style workstation or an AS/400 with a Unix-style keyboard, since I am accustomed to the standard Windows keyboard layout.

Additional information directly from Microsoft on this tool:

On Win2K Ctrl2cap is a WDM filter driver that layers in the keyboard class device’s stack above the keyboard class device. This is in contrast to the Win2K DDK’s kbfiltr example that layers itself between the i8042 port device and the keyboard class device. I chose to layer on top of the keyboard class device for several reasons:

  • It means that the Ctrl2cap IRP_MJ_READ interception and manipulation code is shared between the NT 4 and Win2K versions.

  • I don’t need to supply an INF file and have the user go through the Device Manager to install Ctrl2cap – I simply modify the appropriate Registry value (the keyboard class device’s HKLM\System\CurrentControlSet\Control\Class UpperFilters value).

More information and the download of this tool can be found at: http://technet.microsoft.com/en-us/sysinternals/bb897578.aspx
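Because Ctrl2cap works by adding itself to the keyboard class UpperFilters value, that same value is where an administrator can confirm the install, and it is also a place worth auditing, since any driver listed there sees every keystroke. The PowerShell below is an added example, not code from the Sysinternals page or from this post; it assumes the standard Windows keyboard class GUID, a baseline of kbdclass as the only expected filter, and that the tool registers itself under the name ctrl2cap.

```powershell
# Added example: audit the keyboard class UpperFilters value that Ctrl2cap layers into.
# Assumptions (not from the original post): the GUID below is the standard Windows
# keyboard class, and "ctrl2cap" is the filter name the tool registers.
$KeyboardClass   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}'
$ExpectedFilters = @('kbdclass')   # baseline on a machine with no keyboard filter driver
$KnownOptional   = @('ctrl2cap')   # filters we knowingly installed

function Get-KeyboardUpperFilters {
    # REG_MULTI_SZ comes back as a string array; a missing value means "no filters".
    $props = Get-ItemProperty -Path $KeyboardClass -ErrorAction Stop
    if ($null -eq $props.UpperFilters) { return @() }
    return @($props.UpperFilters) | Where-Object { $_ -ne '' }
}

function Test-KeyboardFilterBaseline {
    $filters    = @(Get-KeyboardUpperFilters)
    $unexpected = @($filters | Where-Object {
        ($ExpectedFilters -notcontains $_) -and ($KnownOptional -notcontains $_)
    })
    [pscustomobject]@{
        Filters         = $filters -join ', '
        Ctrl2capLayered = [bool]($filters -contains 'ctrl2cap')
        Unexpected      = $unexpected -join ', '
    }
}

$result = Test-KeyboardFilterBaseline
$result | Format-List
if ($result.Unexpected) {
    # Anything not in the baseline deserves a look at the backing .sys in System32\drivers.
    Write-Warning "Unrecognized keyboard filter driver(s): $($result.Unexpected)"
}
```

Run it before and after installing Ctrl2cap: the Ctrl2capLayered flag should flip to True and Unexpected should stay empty. On a fleet, the same check with the baseline adjusted to your own approved filters is a cheap way to spot an unapproved keyboard filter driver.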



W32/autorun.worm.aaeb-h Outbreak

Nov 28, 2012

I don’t typically post on virus or malware outbreaks because it would consume too much of my time, and new ones are simply created too frequently. For the most part, if you run your network and systems with the concepts of defense in depth and the principle of least access, you should be fine. And as long as you are not running as the local administrator of your workstation you should also be fine… But every once in a while a piece of malware becomes noteworthy…

In this case, W32/autorun.worm.aaeb-h infects both removable media and network shares by copying itself to those locations. Once copied, it modifies the permissions so the executable is hidden. When used with removable media (think USB flash drives, or even MP3 players), it modifies the autorun.inf to auto-run the executable. It will also infect files with common file types such as audio and video (mp3, wmv, avi) and documents (doc, xls, pdf).

The presence of the following file names may indicate you have this worm:

  • Secret.exe
  • Sexy.exe
  • Pron.exe
  • Password.exe
  • x.mpeg

Defense:

  • Disable autorun feature
  • Prevent the use of USB media for mission-critical servers
  • Ensure scanning is enabled for removable media

Mitigation:

For more information on McAfee product coverage and mitigation for this threat, see PD24169 – Threat Advisory: W32/Autorun.worm.aaeb
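The indicator list and the defense list above can both be turned into a routine check. The PowerShell below is an added example and is not part of the original post or McAfee’s advisory: it reports whether AutoRun is disabled by policy and searches the currently attached removable and mapped drives for the file names listed above. The file names come from the post; the NoDriveTypeAutoRun policy value (0xFF disables AutoRun for all drive types) is the standard Windows setting, and the use of Win32_LogicalDisk to find drives is this example’s own choice.

```powershell
# Added example (not from the original post): defensive checks for the autorun worm
# described above. Indicator names are from the post; NoDriveTypeAutoRun = 0xFF is the
# standard Windows policy value that disables AutoRun for every drive type.
$IndicatorNames     = @('Secret.exe', 'Sexy.exe', 'Pron.exe', 'Password.exe', 'x.mpeg')
$AutoRunPolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Test-AutoRunDisabled {
    # AutoRun counts as disabled only if machine or user policy carries 0xFF;
    # a missing value means the Windows default applies.
    foreach ($path in $AutoRunPolicyPaths) {
        $v = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Find-WormIndicators {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # The worm hides its copies, so -Force is needed to include hidden/system files.
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $IndicatorNames -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                }
            }
        # An autorun.inf at the root of removable media is how the worm gets launched.
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path $inf) {
            $item = Get-Item $inf -Force
            [pscustomobject]@{
                Path   = $item.FullName
                Hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            }
        }
    }
}

# Removable drives (DriveType 2) and mapped network drives (DriveType 4) present right now.
$roots = Get-CimInstance Win32_LogicalDisk |
    Where-Object { $_.DriveType -in 2, 4 } |
    ForEach-Object { "$($_.DeviceID)\" }

if (-not (Test-AutoRunDisabled)) {
    Write-Warning 'AutoRun is not disabled by policy (NoDriveTypeAutoRun is not 0xFF).'
}
$hits = @(Find-WormIndicators -Roots $roots)
if ($hits.Count) { $hits | Format-Table -AutoSize }
else { Write-Output 'No indicator file names or root autorun.inf found on removable or mapped drives.' }
```

A hit on one of these names is a reason to pull the drive and let the scanner handle it, not proof of infection on its own; the file names are generic enough that the Hidden column and the presence of a root autorun.inf are what make the finding worth escalating.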

DHCP Best Practices

Here are several DHCP best practices collected from various resources, including CompTIA and Microsoft:

  • Always include the entire subnet in the scope (192.168.1.1 – 192.168.1.254, or 172.29.0.1 – 172.29.255.254)
  • Add exclusions for ranges which are using static IP addresses, and for future growth area, such as setting aside 10 addresses for printers so they stay within the same general IP address range
  • For networks where DHCP services are critical, or for larger networks, consider two DHCP servers configured in an 80/20 split (however, Microsoft Server 2012 has a new provision for redundant DHCP servers)
  • Configure active directory credentials to enable DHCP to update the DNS server with IP address information using secure updates.
  • Use “server side conflict detection” only when needed – this is a feature which delays DHCP from handing out an address until it has first issued an ICMP ping message to check whether the address might already be in use but not known to DHCP (i.e. statically assigned within the lease range without an exclusion or active lease).
  • The typical DHCP lease time is 8 days; however, if you have a separate scope for guest or wireless clients, consider a shorter lease time such as 8 hours. Conversely, for fixed devices (printers, etc.) consider leases of 16–24 days.
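The list above maps almost one-to-one onto the DhcpServer PowerShell module that ships with Windows Server 2012 and later. The script below is an added example, not from the original post: the subnets, exclusion ranges, scope names, failover partner name and DNS credential are assumed values chosen for illustration, and the failover section shows the Server 2012 replacement for the old 80/20 split that the post mentions.

```powershell
# Added example (not from the original post): the DHCP practices above expressed with
# the DhcpServer module (Windows Server 2012+). Subnets, exclusions, scope names, the
# failover partner name and the DNS account are assumed values for illustration.
Import-Module DhcpServer

$LanScope = '192.168.1.0'

# Whole subnet in the scope, with the typical 8-day lease for regular clients.
Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.1.1 -EndRange 192.168.1.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8)

# Exclusions: static infrastructure addresses, plus a block set aside for printers.
Add-DhcpServerv4ExclusionRange -ScopeId $LanScope -StartRange 192.168.1.1   -EndRange 192.168.1.20
Add-DhcpServerv4ExclusionRange -ScopeId $LanScope -StartRange 192.168.1.200 -EndRange 192.168.1.209

# Separate guest/wireless scope with a short 8-hour lease.
Add-DhcpServerv4Scope -Name 'Guest-WiFi' -StartRange 172.29.0.1 -EndRange 172.29.255.254 `
    -SubnetMask 255.255.0.0 -LeaseDuration (New-TimeSpan -Hours 8)

# Dedicated AD account for dynamic DNS registration, so the DNS zone can stay set to
# secure-only updates; clean up records when the lease expires.
$dnsCred = Get-Credential -Message 'Account the DHCP server will use for DNS updates'
Set-DhcpServerDnsCredential -Credential $dnsCred
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true

# Server-side conflict detection: each attempt is one ICMP ping before an offer, which
# slows every lease, so leave it at 0 unless static hosts are known to sit inside the range.
Set-DhcpServerSetting -ConflictDetectionAttempts 0

# Server 2012 alternative to the 80/20 split: load-balanced failover with a partner.
Add-DhcpServerv4Failover -Name 'LAN-Failover' -PartnerServer 'dhcp02.example.local' `
    -ScopeId $LanScope -LoadBalancePercent 50 -SharedSecret 'ChangeMe-Placeholder'

# Verify what was configured.
Get-DhcpServerv4Scope | Select-Object Name, ScopeId, StartRange, EndRange, LeaseDuration
Get-DhcpServerv4ExclusionRange -ScopeId $LanScope
Get-DhcpServerv4DnsSetting
```

The one choice worth pausing on is the DNS credential: registering records under a dedicated low-privilege account, rather than the DHCP server’s computer account, keeps record ownership consistent across both failover partners and avoids handing the DHCP service rights it does not need.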

Offline NT Password & Registry Editor

What is it?

  • This is a utility to reset the password of any user that has a valid (local) account on your Windows NT/2k/XP/Vista/Win7 etc. system.
  • You do not need to know the old password to set a new one.
  • It works offline, that is, you have to shut down your computer and boot off a floppy disk, a CD or another system.
  • It will detect and offer to unlock locked-out or disabled user accounts!
  • There is also a registry editor and other registry utilities that work under Linux/Unix and can be used for things other than password editing.


Windows System Crash Analysis (BSOD)

You are all probably aware of the MEMORY.DMP file in the Windows directory. You may also be aware of the Windows\MiniDump directory. These files are created when there is a critical system error, usually resulting in an automated reboot or a BSOD.

The Memory.DMP file contains debugging information plus the contents of your system’s RAM. This file is overwritten each time a crash occurs. The MiniDump directory contains the same debugging information as MEMORY.DMP but does not include the RAM contents. The MiniDumps are not overwritten so they can be used as a historical reference for identifying crash events.

So the question is: how do you use these files? There is a tool from Microsoft designed to do just that! It is called WinDbg and is part of the Debugging Tools for Windows. (http://www.microsoft.com/whdc/devtools/debugging/)

Download and install this tool. There is an x86 and an x64 version. Once the program is installed, open it, choose the File menu, then Symbol File Path.

Enter the following: http://msdl.microsoft.com/download/symbols/

This will download the necessary symbols as needed. Symbols are the link between the compiled binary code and the source code that generated it.

Once this is done you can choose File – Open Crash Dump. This will open both MEMORY.DMP and MiniDump files. Once a dump is opened, the program will begin some analysis.

Click on the !analyze -v link to do a verbose analysis. This may give more information as to the reason for the crash. The faulting module is listed in the default analysis.
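The same steps can be run without clicking through WinDbg, which is useful when you want a record of every crash rather than a one-off look. The PowerShell below is an added example, not from the original post: it inventories MEMORY.DMP and the MiniDump files, then runs the verbose analysis non-interactively with kd.exe from the same Debugging Tools package. It assumes kd.exe is on the PATH, that C:\Symbols is a writable local symbol cache, and it uses the symbol server URL given above in the srv*cache*server form so downloaded symbols are kept locally.

```powershell
# Added example (not from the original post): inventory crash dumps and run the verbose
# analysis non-interactively with kd.exe from the Debugging Tools for Windows.
# Assumptions: kd.exe is on PATH (or set $Kd), C:\Symbols is a writable cache, and the
# symbol server is the Microsoft public server named above, in srv* cache form.
$Kd      = 'kd.exe'
$SymPath = 'srv*C:\Symbols*http://msdl.microsoft.com/download/symbols'
$LogDir  = Join-Path $env:USERPROFILE 'CrashReports'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Get-CrashDumps {
    # MEMORY.DMP is overwritten on each crash; MiniDump files accumulate and give history.
    $full = Get-Item "$env:SystemRoot\MEMORY.DMP" -ErrorAction SilentlyContinue
    $mini = Get-ChildItem "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue
    @($full) + @($mini) | Where-Object { $_ } | Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }
}

function Invoke-DumpAnalysis {
    param([Parameter(Mandatory)][string]$DumpPath)
    $log = Join-Path $LogDir ((Split-Path $DumpPath -Leaf) + '.txt')
    # -z opens the crash dump, -y sets the symbol path, -logo writes the session to a file,
    # -c runs the given commands (here: verbose analysis, then quit).
    & $Kd -z $DumpPath -y $SymPath -logo $log -c '!analyze -v; q' | Out-Null
    # Surface the lines most people want first: bug check, blamed module and image, process.
    Select-String -Path $log -Pattern 'BUGCHECK_STR|MODULE_NAME|IMAGE_NAME|PROCESS_NAME|FAILURE_BUCKET_ID' |
        ForEach-Object { $_.Line.Trim() }
    Write-Output "Full analysis written to $log"
}

$dumps = @(Get-CrashDumps)
$dumps | Format-Table -AutoSize
if ($dumps.Count) { Invoke-DumpAnalysis -DumpPath $dumps[0].FullName }
```

Keeping the per-dump log files around matters more than the summary: when the same IMAGE_NAME shows up across several MiniDumps, that history is what separates a flaky driver from a one-time hardware fault, and it is also what you want to hand to a vendor or an incident responder.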

Enjoy!

Microsoft Licensing and Virtualization

Just a reminder that when performing a P2V from a server which uses OEM licensing, it will violate the EULA to move that license to new hardware. So we need to ensure that during the proposal phase we’re purchasing an open license for the server we’re virtualizing. In many cases, after a P2V, during the initial boot up, if it was OEM licensing, it will force an immediate activation with no grace period. Attempts to activate online or via the automated phone system will fail. You must talk to an agent, who may or may not let you activate the OEM software on different hardware.

You can re-enter the product key, which will cause a new activation ID to be generated that will work with an agent most of the time. But again, this still technically violates the OEM EULA. Also be aware that OEM media will not accept open license keys, only OEM keys.

One other option exists as well for OEM. If you purchased your OEM version of the software within the last 90 days, you can simply purchase Open License Software Assurance (without license), which is typically around 30% of the full license cost, and it will effectively convert your OEM license to a standard Open License.

Dell Broadcom Drivers

We experienced a strange problem lately with a client where we enabled the second Broadcom integrated NIC on a Windows 2003 Enterprise Server. What we discovered was that when we set the static IP address on the server’s second network adapter, the first network adapter dropped into a semi-DHCP state. When we corrected the first adapter, the second one would go into the semi-DHCP state. I say semi because it actually showed the adapter in DHCP mode but unable to find a DHCP server, so it should have used an automatic IP address – typically 169.x.x.x – but instead it actually retained the static IP address. When the server rebooted, however, it would lose the static IP address (since it was set to DHCP mode) and would pick up a new, dynamic IP address.

So I performed the normal troubleshooting steps, from uninstalling the network drivers and reinstalling the existing driver to finally installing the latest drivers – which would always fail. So after a bit of messing around I called Dell Enterprise Support and, to my surprise, they provided a shocking list of prerequisites before we could upgrade the drivers…
