Can change the user name
Uncheck the automatically update email addresses. Email address won't be changed
Wednesday, December 17, 2008
Changing User Name in AD Users and Computers
Monday, November 3, 2008
Restart Information Store
How to Restart the Microsoft Exchange Information Store Service
Topic Last Modified: 2005-05-13
The core data storage repository for Microsoft Exchange Server 2003 is the Microsoft Exchange Information Store service, which contains both mailbox store and public folder store data. The Microsoft Exchange Information Store service uses a database engine called Extensible Storage Engine (ESE), which is a transaction-based database technology.
In some troubleshooting instances or when moving from mixed to native mode, you may need to restart the Microsoft Exchange Information Store service.
Procedure
To restart the Microsoft Exchange Information Store service
On the Start menu, click Run, type services.msc, and then click OK.
In the Results pane, find the Microsoft Exchange Information Store service.
Right-click the service, and then click Restart.
Topic Last Modified: 2005-05-13
The core data storage repository for Microsoft Exchange Server 2003 is the Microsoft Exchange Information Store service, which contains both mailbox store and public folder store data. The Microsoft Exchange Information Store service uses a database engine called Extensible Storage Engine (ESE), which is a transaction-based database technology.
In some troubleshooting instances or when moving from mixed to native mode, you may need to restart the Microsoft Exchange Information Store service.
Procedure
To restart the Microsoft Exchange Information Store service
On the Start menu, click Run, type services.msc, and then click OK.
In the Results pane, find the Microsoft Exchange Information Store service.
Right-click the service, and then click Restart.
Sunday, November 2, 2008
Net Send
http://www.ehow.com/how_2148598_net-send-send-computer-messages.html
Net Send [user name or computer] [message]
Net send stevelaptop Hi steve [enter]
Net Send [user name or computer] [message]
Net send stevelaptop Hi steve [enter]
Friday, October 17, 2008
Linux dd - Forensic Copy
Linux 'dd' basics
Linux dd can be a powerful and flexible tool to have in your box.
You will find it installed by default on the majority of Linux distributions available today and it can be used for a multitude of digital forensic tasks, not least of which is providing a simple means of obtaining a raw image of a file, folder, volume or physical drive. It has a simple, relatively intuitive syntax and a useful set of options to extend its basic capabilities.
On the negative side it does not give any feedback to the user when it is launched, has no error checking by default and perhaps most importantly can be very destructive if you get things wrong, earning it the nickname of "Data Destroyer" (dd) over the years.
As always, read the man pages before you use it [# man dd] and fully test the processes in a safe environment before letting it loose on a job that really matters.
The basic dd syntax is as follows:
# dd if= of= bs=
("if" being "input file" and "of" meaning "output file").
(bs= is actually one of the options that I mentioned above. If you don't include it dd will use a default byte size of 512. The byte size is usually some power of 2, not less than 512 bytes. For example: 512, 1024, 2048, 4096, 8192, 16384. It can however, be any reasonable number). Personally I always set the byte size manually so that I know exactly what is going on with the process that I am running.
It should be easy to work out from the basic command that "if=" is the data being read whilst "of=" is where the data is being written to. It should also be obvious that if you reverse the source and target entries by mistake, you can potentially overwrite your source with your target. In real terms this can mean filling the contents of your suspect drive with all of the zeros from your sanitized evidence drive. Of course, if you have your suspect drive attached through a write blocker as I previously suggested you should be protected to a certain extent from this kind of error. The main thing is to take care with your data entry and get the syntax right before you hit the return button.
If you are wondering what I mean by sanitized evidence drive, it is simply the process of wiping and formatting a drive prior to writing new evidence to it. You should always make sure that you start any investigation in this way so that the danger of residual data on your target drive corrupting your evidence is removed. You can use "dd" to do this using this command:
# dd if=/dev/zero of=/dev/
This process will basically fill your target drive with zeros, overwriting any data as it goes. One pass should be enough although you can of course run it as many times as you like before re-formatting the drive. The byte size used in the example will be the default 512. You are free to choose any size you wish and may see reductions in processing times as a result of using a larger number. Experiment with different byte size entries on a spare drive and see what difference it makes. If time is not an issue, then just stick with the default.
Now that we have the basic syntax (# dd if= of=) we can see that what dd is doing is copying chunks of data from the source, in this example in the default 512 byte blocks, and writing that data to the target, which can be a file or another block device. So we now have a choice as to where, and how we store our forensic image. Lets say that we have an 80 GB hard drive that we want to image. You could send the output straight to a wiped and formatted drive, like this:
# dd if=/dev/ of=/dev/ bs=512 conv=noerror,sync
which produces a straight copy of the original.
You can write the output to a file:
# dd if=/dev/ of=/home/user/linux_image.dd bs=512 conv=noerror,sync
although in practical terms an 80 GB (uncompressed) file might be a little unwieldy to deal with, unless you then use dd again to write the file back to a clean disc (again a straight copy):
# dd if=/home/user/linux_image.dd of=/dev/ conv=notrunc,noerror
Which simply writes the contents of linux_image.dd to your target device.
You will have no doubt noticed that I have introduced several new switches using the conv= (conversion) option on the back of the command. These are very important additions that I had already alluded to in paragraph 3 above. These switches turn on various forms of error checking within the dd command. By default dd will happily copy out data until it locates a sector or block on the source device that it can't read. Then it will just stop what it is doing and you won't have a full image. Using conv=noerror,sync will adjust this behaviour so that dd will pad the bad sectors with zero characters and then carry on copying the rest of the data that it can read. The second part of the switch, sync provides the zero padding and also ensures that the sectors on the target device are aligned with those from the source device, thus ensuring an accurate replication of the original media. notrunc simply tells dd to keep copying to the end of the target device rather than truncating the image early.
There are a number of other useful switches within dd. Open up # man dd to see an explanation of them all.
There is just one more area that I want to cover briefly before I move on and that is splitting images into manageable size files using dd and a unix tool appropriately called split. To do this on the fly using dd you simply have to pipe the dd if= through the split command like this:
# dd if=/dev/ | split -d -b 2000m - image.split.
I intend to talk about splitting images in a later post so won't elaborate too much here. Suffice to say that the above command takes standard output from the dd command and pipes it as standard input to the split command. The result (in this case) is a series of 2 GB files, in the current directory, that will be named 'image.split.01', 'image.split.02' and so on.
As I say, there will be a more detailed look at this technique in later posts. For now just get used to the difference in syntax from a standard dd operation (i.e. no of= string).
Well, that's a brief overview of Linux dd, it should certainly be enough to get anyone started with the basics of using it as a forensic tool. As always I would advocate further reading (man dd) and of course a Google search will throw up a good amount of reference material.
--
Reprinted with permission from PC-Eye (Digital Forensics)
Pasted from <http://www.forensicfocus.com/linux-dd-basics>
Wednesday, October 8, 2008
RDP Remote Desktop - troubleshoot
Tuesday, October 7, 2008
Blackberry
Log on to server: bseadmin
D11d6 or admin password
Troubleshooting server - try restarting the services.
- See what users are connected and the last time they were contacted.
Blackberry redirector needs this open non firewall
On the desktop: Blackberry Manager
- To configure what sync's when you connect the blackberry
- Intellasync
- Configure PIM (personal Information Manager)
- Delete any things that you don't want to sync (Paul Delano's personal contacts)
- Add anything that you want to sync (public contacts)
- Configure PIM (personal Information Manager)
- Can also edit signature
On the Blackberry device
- Settings
- Options
- Advanced options
- Enterprise activation
- Check for activation status
- Check for activation status
Blackberry Server
- Log in as: semadmin and d11d6
- Blackberry Manager
- Delete user and add again
- Or - attach device to server using USB
- Assign device
- Resend IT Policy
- Restart device
- Watch for the multi-directional arrows
- Or - attach device to server using USB
Wednesday, October 1, 2008
Outlook calendar - Copy
Subject | calendar |
From | Steve Marks |
Sent | Thursday, September 25, 2008 10:27 AM |
Copy your Outlook Calendar with scheduling information
- To show the Folder List, on the View menu, click Folder List.
- Right-click Calendar, and click Copy "Calendar".
- In the Copy Folder dialog box, select a folder to copy your calendar to, such as Drafts, and then click OK.
This copy of your calendar now contains all your scheduling information, in addition to your calendar formatting. - Rename your copy, and then drag it to Calendar.
Copy your Outlook Calendar with scheduling information
- To show the Folder List, on the View menu, click Folder List.
- Right-click Calendar, and click Copy "Calendar".
- In the Copy Folder dialog box, select a folder to copy your calendar to, such as Drafts, and then click OK.
This copy of your calendar now contains all your scheduling information, in addition to your calendar formatting. - Rename your copy, and then drag it to Calendar.
May have to modify permissions to copy to public folder
- Exchange manager and make person an editor
- Also, make owner of their calendar
How to log onto to Stephen's computer
- Download Filezilla
FileZilla - Client Download
http://filezilla-project.org/download.php
Screen clipping taken: 9/28/2008, 2:03 PM
- Run Filezilla
Screen clipping taken: 9/28/2008, 2:09 PM
- The host is: themarksfamily.myphotos.cc
- Username: gary
- Password: themarksfamily
- Press Quickconnect
Screen clipping taken: 9/28/2008, 2:11 PM
The pictures on my computer are here.
Screen clipping taken: 9/28/2008, 2:15 PM
- You can also put files into my computer by dragging files from your computer to mine. You can right click on my computer and choose to create a new directory to put any new photos into.
Your computer.
Select the photos you want and drag them over to your computer.
The files that you have dragged will cue up and
Begin downloading. This will use a lot of
Bandwidth.
Firewall Setup
Comcast Business
- The modem has its own IP address. Point the firewall to the modem's IP, not the public IP.
ON Buffalo: For VPN, have to open GRE port 47 as well as PPTP port 1723.
SonicWALL - Administration for 0006B139C3F0
Screen clipping taken: 9/29/2008, 9:29 AM
BUFFALO
server.lakeproperties.local - LogMeIn
https://server-lakeproperties-local-matuenbvyq.app03.logmein.com/main.html
Screen clipping taken: 9/29/2008, 9:34 AM
Only if secure mail
Not usually
If SBS and hosting Exchange
Edit Rule
http://10.0.0.254/editRule_1.html
Screen clipping taken: 9/29/2008, 9:31 AM
Secure Mail
For VPN, along with PPTP
How to access the internet and your desktop computer
- Restart the computer
- It should connect to the internet automatically and your Internet Explorer will open
- Minimize Internet Explorer
- Click this icon to log onto Dicor (VPN)
- Click this icon to log onto your desktop
Randy,
I have set up windows and your anti-virus. When you want to access your computer at work, follow the directions below.
- Click this icon to log onto Auspro (VPN)
- Click this icon to log onto your desktop
Screen clipping taken: 9/24/2008, 11:12 AM
Blackberry
Show Hidden Icons - Hold down Alt Key and press track ball. Choose show all
Setup up icon is a briefcase with 4 arrows
Transfer Profile when joining new domain
- Reset local admin password to no password
- Log in as local admin
- Join the computer to the new domain
- Restart computer
- Make sure that user's domain account has local admin rights or this fails
- Restart computer
- Rename user's profile to .old
- Log in user's domain account (make sure created in AD first)
- Log out of user's domain account
- Log back in as local admin
- Rename new domain profile to .new, rename .old to whatever the login was before renamed .new
Trans
New Computer Setup
- WEP key
- Password to old computer
- Old Computer
- Share profile
- Manage | Shares | New share
- Manage | Shares | New share
- Ipconfig to get IP
- Log off as user | Log on as Admin
- New Computer
- Join to domain
- Log in as user -
- Log out as user
- Log in as Admin
- Rename profile for user .old
- Connect to old using IP
- Run | \\192.168.0.10
- Run | \\192.168.0.10
- Copy profile from other computer and name it the same as the ".old" profile
- Log out as admin and back on as user
- Open Outlook
- Set up to use Exchange (must be logged in as user)
- Set to exchange
- Name of mail server (look at another email in active directory users and computers)
- Users name (not log in)
- Click the folder icon to see the Public folders
- Set to exchange
- Join to domain
- INSTALL FILES
- Look on the server for serial #'s and install files for Office
- Look on the server for serial #'s and install files for Office
When rebuilding windows- Image the computer using Drive Image
- Copy Drivers using ______
- Copy down all Keys using magic Jellybean Keyfinder
Tuesday, September 23, 2008
A Guide to Basic Computer Forensics
http://technet.microsoft.com/en-us/magazine/cc137738.aspx
At a Glance:
The Fundamental Computer Investigation Guide for Windows
The Malware Removal Starter Kit
Creating an investigation kit with Windows PE
Preserving information for forensic analysis
There are countless ways malicious people can use a computer to perform illegal activity—hacking into systems, leaking trade secrets, unleashing new viruses, using phishing messages to steal personal information, and so on. And we are constantly hearing about new exploits
and techniques. What you don't hear about as often is all the ways computers can be used to investigate these sorts of activities.
While some investigations rely on highly trained professionals using expensive tools and complex techniques, there are easier, cheaper methods you can use for basic investigation and analysis. In this article, we will focus on computer forensic techniques that are readily accessible to you as a mainstream administrator.
Our discussion relies on two solution accelerators you can download for free: "The Fundamental Computer Investigation Guide for Windows" (go.microsoft.com/fwlink/?LinkId=80344) and The Malware Removal Starter Kit (go.microsoft.com/fwlink/?LinkId=93103). In this article, we'll show you how you can combine these two solutions to build a bootable Windows® PE environment that will let you conduct an effective investigation and preserve your findings for reporting and analysis. Note that you can't use the method discussed here to investigate a hard drive that has been encrypted or that is part of a RAID volume. And if the hard drive is damaged, you'll need to perform additional steps ahead of time to restore its state.
Though our solution details an easy way to collect evidence from a Windows-based computer, it is nonetheless a basic, ad hoc approach. There are several more sophisticated solutions available commercially that can execute the work outlined here in a much more effective way.
Also keep in mind that the technique we discuss here is neither a guaranteed prescriptive solution nor certified by The International Society of Forensic Computer Examiners. Before beginning an investigation, you should consider whether evidence on the hard drive may potentially become part of a legal proceeding. If that possibility exists, a professionally certified computer examiner should be engaged to conduct the investigation. Depending on the nature of any potential legal proceedings, you must also consider whether to hand off the investigation directly to law enforcement officials. There is more information on this topic in "The Fundamental Computer Investigation Guide for Windows."
About the Solution Accelerators
"The Fundamental Computer Investigation Guide for Windows" discusses processes and tools you can use in an internal computer investigation. The guide outlines the four phases of the computer investigation model: assess, acquire, analyze, and report. This is a handy model that can help IT professionals conduct investigations in a manner that preserves important findings.
This guide also covers when it's necessary to involve law enforcement officials—you should include your legal advisors when making this decision. You'll find information about managing computer-related crimes, how to contact the appropriate law enforcement agencies, and the Windows Sysinternals tools and other Windows tools that are useful in conducting investigations.
The other solution accelerator we reference in this article, The Malware Removal Starter Kit, provides guidance on how to build and use a bootable Windows PE CD-ROM to remove malware from a computer. This guide includes a list of threats and some of the mitigations that can help reduce their potential impact on an organization. It also stresses the importance of developing an incident response plan that can be followed in case a malware outbreak is suspected. The Malware Removal Starter Kit also includes a four stage approach to help an IT professional determine the nature of the malware involved, limit its spread, remove it if possible, verify the removal, and proceed with any next steps that may be required.
The Windows PE CD-ROM
There are two prerequisites for running an investigation of this sort: a Windows PE CD-ROM and an external storage device, such as a USB flash drive.
You've probably watched enough television to know that police officers should leave a crime scene unaltered. Well, for the same reason, you want to preserve the data on the hard drive being investigated. Unlike the Malware Removal Starter Kit disc, the bootable Windows PE disc we are building will only run tools in a manner that won't alter the hard drive data in any manner.
The Windows PE disc will boot the system into a limited Windows environment. When you create this bootable CD, you can include tools (such as in the Malware Removal Starter Kit) that are configured up-front for a special purpose. Note that the computer must have at least 512MB of RAM—this is a Windows PE requirement.
The process of building the Windows PE CD-ROM, which is detailed in The Malware Removal Starter Kit, is fairly straightforward. Before you build this bootable disc, you'll need to install the Windows Automated Installation Kit (AIK), the Sysinternals Suite (available at microsoft.com/technet/sysinternals/utilities/sysinternalssuite.mspx), place the Sysinternals tools in your tool list as outlined in Task 2 of The Malware Removal Starter Kit, and install any other malware-scanning tools and utilities. For detailed instructions on creating the disc, use the steps outlined in The Malware Removal Starter Kit document.
The External USB Drive
Since this process will not alter the drive being investigated, you'll also need a USB thumb drive or some other kind of external hard drive so you can store the output files that will be generated. (A USB thumb drive is the recommended media since Windows PE can mount USB devices automatically.) You may also want to use an external hard drive to store an image of the original hard drive. With all of these requirements and options, it's quite important that you plan ahead to take into account the total disk space the investigation will require.
Because you want to ensure that the kit is clean when you start an investigation, all previous data needs to be completely removed from the external disk drive you are going to use to save the investigation files. This can easily be done with a disk wiping utility that overwrites the entire writeable drive surface. The external disk can then be formatted and labeled as necessary for use in the investigation. This precaution ensures that the device will contain no files that could possibly contaminate the evidence you gather during the investigation.
You should also include a chain-of-custody form so there will be official documentation regarding who has handled the computer throughout the investigation. "The Fundamental Computer Investigation Guide for Windows" provides a sample chain-of-custody form. After you've finished packaging the kit (with the necessary bootable Windows PE disc, external storage device, and a chain-of-custody form) you are ready to proceed.
Running an Investigation
Now you're ready to perform an investigation. First, boot the suspect system using the Windows PE disc, making sure that the computer's boot order identifies the CD-ROM drive as the primary boot device. When prompted, press any key to complete the boot from CD-ROM. This will provide access to the tools you installed on the disc.
We will use our kit on a sample machine to demonstrate how you can collect information from a computer (which we will call Testbox1). The CD drive assignment on Testbox1 is X:\ and the default location provided for the tools from the Malware Removal Starter Kit is X:\tools. To access the tools in the kit, we simply type: cd \tools.
There are several tools that can identify the target drives mounted on a computer. Bginfo.exe, which is located in the Sysinternals tool directory, can provide this information and place it in a background window on the desktop for easy reference. Drive Manager can also identify all the drives on the computer, including the target hard disk drives and the external USB device. Figure 1 shows the disk information for Testbox1. The boot drive is X:\, the target hard drive is C:\, and our external USB drive is F:\.
Figure 1 Viewing disk information with Drive Manager
Checking for Malware
It is important to run anti-malware tools before you begin an investigation to ensure that the investigation isn't tainted by a virus or other malicious code. The report that the anti-malware tool generates can be used as evidence, if needed. But not checking a computer for malware can jeopardize the investigation, as well as the examiner's credibility for thoroughness and accuracy. We recommend that you run the provided anti-malware tools in a read-only or reporting mode.
The Malware Removal Starter Kit discusses a number of recommended tools, including the Malicious Software Removal Tool and McAfee AVERT Stinger. When you run the Malicious Software Removal Tool, be sure to include the command-line option /N to instruct the tool to only report on malware and not try to remove it:
Copy Code
x:\tools\windows-KB890830-v1.29.exe /N
The resulting report file will be located in %windir%\debug\mrt.log.
Likewise, when you run McAfee AVERT Stinger, change the preference to Report only, as shown in Figure 2, so that it will scan the computer but not make any changes to the hard drive. And be sure to save a report from the tool when the scan is complete.
Figure 2 Use Report only mode in McAfee AVERT Stinger
Saving Critical Files
If the entire disk was not backed up before you began the investigation, you should at least back up key user files. Configuration information can be used for future review if needed. Begin by collecting the registry files and settings, which contain all relevant information about how the computer has been used and what software is installed on the system.
To save the registry hive for Testbox1, we first create a folder on the removable F:\ drive and then record the date and time when the investigation started by using the following commands:
Copy Code
f:
Mkdir f:\evidence_files
Date /t >> f:\evidence_files\Evidence_start.txt
Time /t >> f:\evidence_files\Evidence_start.txt
Now we save the registry hive using the xcopy command to copy the entire configuration directory and its contents. The registry files you'll be interested in are located in %windows%\system32\config. In our case, we run the following:
Copy Code
xcopy c:\windows\system32\config\*.* f:\registrybkup /s /e /k /v
This command copies all the configuration information located in the config folder. Textbox1 contains approximately 95MB of information in the config folder.
Next, focus on user data, which can be located anywhere on the hard disk. For our sample, we are copying only data from a directory called c:\HR. To ensure the data is collected completely, we copy all the data in the directory and its sub-directories using the following xcopy command:
Copy Code
Mkdir f:\evidence_files\HR_Evidence
Mkdir f:\evidence_files\documents_and_settings
Mkdir f:\evidence_files\users
xcopy c:\HR\*.* f:\evidence_files\HR_Evidence /s /e /k /v
Now you can focus on personal folder information. Again, we want to copy all the data from these directories and their sub-directories. To do this, we use the following commands:
Copy Code
Xcopy c:\documents and settings\*.* f:\evidence_files\documents_and_settings /s /e /k /v
Xcopy c:\users\*.* f:\evidence_files\users /s /e /k /v
This sample collected about 500MB of data, which we can now analyze if necessary. As you can see, the amount of data you are collecting can be enormous—especially if you encounter audio files, videos, and photos. Still, it is important to preserve as much original data as possible because an investigation may require not only the evidence you physically collect, but also the assurance that this information has not been altered during the collection process. Ideally, you should do a full disk image for your investigation, but this can be difficult due to size constraints. Needless to say, you can see why it's important to scope out ahead of time just how much storage space your investigation is likely to require.
Gathering Additional Information
System files can also be a useful asset in the evidence collection, but gathering this data may require some exploration of the target computer since these files may not always be located in the same place. Still, certain types of files are worth looking for because they can provide useful insight. Swap files, for instance, contain information about what files have been accessed by memory. Furthermore, swap files can even provide detailed usage activity. Similarly, Web browser data and cookies offer information about browsing behavior and patterns.
Finding this data may require some detective work, especially if a user has changed his configuration to store data somewhere other than in the default locations. There are several Sysinternals tools that can help you find critical files. Figure 3 lists five useful applications and describes how they can help your investigation.
Figure 3 Tools to locate files and data of interest
Application
Description
AccessChk
Displays access to files, registry keys, and Windows services by the user or group you specify.
AccessEnum
Displays who has access to which directories, files, and registry keys on a computer. You can use this to find places where permissions aren't properly applied.
Du
Displays disk usage by directory.
PsInfo
Displays information about a computer.
Strings
Searches for ANSI and UNICODE strings in binary images.
At a Glance:
The Fundamental Computer Investigation Guide for Windows
The Malware Removal Starter Kit
Creating an investigation kit with Windows PE
Preserving information for forensic analysis
There are countless ways malicious people can use a computer to perform illegal activity—hacking into systems, leaking trade secrets, unleashing new viruses, using phishing messages to steal personal information, and so on. And we are constantly hearing about new exploits
and techniques. What you don't hear about as often is all the ways computers can be used to investigate these sorts of activities.
While some investigations rely on highly trained professionals using expensive tools and complex techniques, there are easier, cheaper methods you can use for basic investigation and analysis. In this article, we will focus on computer forensic techniques that are readily accessible to you as a mainstream administrator.
Our discussion relies on two solution accelerators you can download for free: "The Fundamental Computer Investigation Guide for Windows" (go.microsoft.com/fwlink/?LinkId=80344) and The Malware Removal Starter Kit (go.microsoft.com/fwlink/?LinkId=93103). In this article, we'll show you how you can combine these two solutions to build a bootable Windows® PE environment that will let you conduct an effective investigation and preserve your findings for reporting and analysis. Note that you can't use the method discussed here to investigate a hard drive that has been encrypted or that is part of a RAID volume. And if the hard drive is damaged, you'll need to perform additional steps ahead of time to restore its state.
Though our solution details an easy way to collect evidence from a Windows-based computer, it is nonetheless a basic, ad hoc approach. There are several more sophisticated solutions available commercially that can execute the work outlined here in a much more effective way.
Also keep in mind that the technique we discuss here is neither a guaranteed prescriptive solution nor certified by The International Society of Forensic Computer Examiners. Before beginning an investigation, you should consider whether evidence on the hard drive may potentially become part of a legal proceeding. If that possibility exists, a professionally certified computer examiner should be engaged to conduct the investigation. Depending on the nature of any potential legal proceedings, you must also consider whether to hand off the investigation directly to law enforcement officials. There is more information on this topic in "The Fundamental Computer Investigation Guide for Windows."
About the Solution Accelerators
"The Fundamental Computer Investigation Guide for Windows" discusses processes and tools you can use in an internal computer investigation. The guide outlines the four phases of the computer investigation model: assess, acquire, analyze, and report. This is a handy model that can help IT professionals conduct investigations in a manner that preserves important findings.
This guide also covers when it's necessary to involve law enforcement officials—you should include your legal advisors when making this decision. You'll find information about managing computer-related crimes, how to contact the appropriate law enforcement agencies, and the Windows Sysinternals tools and other Windows tools that are useful in conducting investigations.
The other solution accelerator we reference in this article, The Malware Removal Starter Kit, provides guidance on how to build and use a bootable Windows PE CD-ROM to remove malware from a computer. This guide includes a list of threats and some of the mitigations that can help reduce their potential impact on an organization. It also stresses the importance of developing an incident response plan that can be followed in case a malware outbreak is suspected. The Malware Removal Starter Kit also includes a four stage approach to help an IT professional determine the nature of the malware involved, limit its spread, remove it if possible, verify the removal, and proceed with any next steps that may be required.
The Windows PE CD-ROM
There are two prerequisites for running an investigation of this sort: a Windows PE CD-ROM and an external storage device, such as a USB flash drive.
You've probably watched enough television to know that police officers should leave a crime scene unaltered. Well, for the same reason, you want to preserve the data on the hard drive being investigated. Unlike the Malware Removal Starter Kit disc, the bootable Windows PE disc we are building will only run tools in a manner that won't alter the hard drive data in any manner.
The Windows PE disc will boot the system into a limited Windows environment. When you create this bootable CD, you can include tools (such as in the Malware Removal Starter Kit) that are configured up-front for a special purpose. Note that the computer must have at least 512MB of RAM—this is a Windows PE requirement.
The process of building the Windows PE CD-ROM, which is detailed in The Malware Removal Starter Kit, is fairly straightforward. Before you build this bootable disc, you'll need to install the Windows Automated Installation Kit (AIK), the Sysinternals Suite (available at microsoft.com/technet/sysinternals/utilities/sysinternalssuite.mspx), place the Sysinternals tools in your tool list as outlined in Task 2 of The Malware Removal Starter Kit, and install any other malware-scanning tools and utilities. For detailed instructions on creating the disc, use the steps outlined in The Malware Removal Starter Kit document.
The External USB Drive
Since this process will not alter the drive being investigated, you'll also need a USB thumb drive or some other kind of external hard drive so you can store the output files that will be generated. (A USB thumb drive is the recommended media since Windows PE can mount USB devices automatically.) You may also want to use an external hard drive to store an image of the original hard drive. With all of these requirements and options, it's quite important that you plan ahead to take into account the total disk space the investigation will require.
Because you want to ensure that the kit is clean when you start an investigation, all previous data needs to be completely removed from the external disk drive you are going to use to save the investigation files. This can easily be done with a disk wiping utility that overwrites the entire writeable drive surface. The external disk can then be formatted and labeled as necessary for use in the investigation. This precaution ensures that the device will contain no files that could possibly contaminate the evidence you gather during the investigation.
You should also include a chain-of-custody form so there will be official documentation regarding who has handled the computer throughout the investigation. "The Fundamental Computer Investigation Guide for Windows" provides a sample chain-of-custody form. After you've finished packaging the kit (with the necessary bootable Windows PE disc, external storage device, and a chain-of-custody form) you are ready to proceed.
Running an Investigation
Now you're ready to perform an investigation. First, boot the suspect system using the Windows PE disc, making sure that the computer's boot order identifies the CD-ROM drive as the primary boot device. When prompted, press any key to complete the boot from CD-ROM. This will provide access to the tools you installed on the disc.
We will use our kit on a sample machine to demonstrate how you can collect information from a computer (which we will call Testbox1). The CD drive assignment on Testbox1 is X:\ and the default location provided for the tools from the Malware Removal Starter Kit is X:\tools. To access the tools in the kit, we simply type: cd \tools.
There are several tools that can identify the target drives mounted on a computer. Bginfo.exe, which is located in the Sysinternals tool directory, can provide this information and place it in a background window on the desktop for easy reference. Drive Manager can also identify all the drives on the computer, including the target hard disk drives and the external USB device. Figure 1 shows the disk information for Testbox1. The boot drive is X:\, the target hard drive is C:\, and our external USB drive is F:\.
Figure 1 Viewing disk information with Drive Manager
Checking for Malware
It is important to run anti-malware tools before you begin an investigation to ensure that the investigation isn't tainted by a virus or other malicious code. The report that the anti-malware tool generates can be used as evidence, if needed. But not checking a computer for malware can jeopardize the investigation, as well as the examiner's credibility for thoroughness and accuracy. We recommend that you run the provided anti-malware tools in a read-only or reporting mode.
The Malware Removal Starter Kit discusses a number of recommended tools, including the Malicious Software Removal Tool and McAfee AVERT Stinger. When you run the Malicious Software Removal Tool, be sure to include the command-line option /N to instruct the tool to only report on malware and not try to remove it:
Copy Code
x:\tools\windows-KB890830-v1.29.exe /N
The resulting report file will be located in %windir%\debug\mrt.log.
Likewise, when you run McAfee AVERT Stinger, change the preference to Report only, as shown in Figure 2, so that it will scan the computer but not make any changes to the hard drive. And be sure to save a report from the tool when the scan is complete.
Figure 2 Use Report only mode in McAfee AVERT Stinger
Saving Critical Files
If the entire disk was not backed up before you began the investigation, you should at least back up key user files. Configuration information can be used for future review if needed. Begin by collecting the registry files and settings, which contain all relevant information about how the computer has been used and what software is installed on the system.
To save the registry hive for Testbox1, we first create a folder on the removable F:\ drive and then record the date and time when the investigation started by using the following commands:
Copy Code
f:
Mkdir f:\evidence_files
Date /t >> f:\evidence_files\Evidence_start.txt
Time /t >> f:\evidence_files\Evidence_start.txt
Now we save the registry hive using the xcopy command to copy the entire configuration directory and its contents. The registry files you'll be interested in are located in %windows%\system32\config. In our case, we run the following:
Copy Code
xcopy c:\windows\system32\config\*.* f:\registrybkup /s /e /k /v
This command copies all the configuration information located in the config folder. Textbox1 contains approximately 95MB of information in the config folder.
Next, focus on user data, which can be located anywhere on the hard disk. For our sample, we are copying only data from a directory called c:\HR. To ensure the data is collected completely, we copy all the data in the directory and its sub-directories using the following xcopy command:
Copy Code
Mkdir f:\evidence_files\HR_Evidence
Mkdir f:\evidence_files\documents_and_settings
Mkdir f:\evidence_files\users
xcopy c:\HR\*.* f:\evidence_files\HR_Evidence /s /e /k /v
Now you can focus on personal folder information. Again, we want to copy all the data from these directories and their sub-directories. To do this, we use the following commands:
Copy Code
Xcopy c:\documents and settings\*.* f:\evidence_files\documents_and_settings /s /e /k /v
Xcopy c:\users\*.* f:\evidence_files\users /s /e /k /v
This sample collected about 500MB of data, which we can now analyze if necessary. As you can see, the amount of data you are collecting can be enormous—especially if you encounter audio files, videos, and photos. Still, it is important to preserve as much original data as possible because an investigation may require not only the evidence you physically collect, but also the assurance that this information has not been altered during the collection process. Ideally, you should do a full disk image for your investigation, but this can be difficult due to size constraints. Needless to say, you can see why it's important to scope out ahead of time just how much storage space your investigation is likely to require.
Gathering Additional Information
System files can also be a useful asset in the evidence collection, but gathering this data may require some exploration of the target computer since these files may not always be located in the same place. Still, certain types of files are worth looking for because they can provide useful insight. Swap files, for instance, contain information about what files have been accessed by memory. Furthermore, swap files can even provide detailed usage activity. Similarly, Web browser data and cookies offer information about browsing behavior and patterns.
Finding this data may require some detective work, especially if a user has changed his configuration to store data somewhere other than in the default locations. There are several Sysinternals tools that can help you find critical files. Figure 3 lists five useful applications and describes how they can help your investigation.
Figure 3 Tools to locate files and data of interest
Application
Description
AccessChk
Displays access to files, registry keys, and Windows services by the user or group you specify.
AccessEnum
Displays who has access to which directories, files, and registry keys on a computer. You can use this to find places where permissions aren't properly applied.
Du
Displays disk usage by directory.
PsInfo
Displays information about a computer.
Strings
Searches for ANSI and UNICODE strings in binary images.
Sunday, September 14, 2008
Wednesday, September 10, 2008
Tuesday, September 9, 2008
copy profile and set up domain
From: Steve Marks
Sent: Tuesday, September 09, 2008 3:14 PM
To: Steve Marks
Subject: picture
microsoft wireless keyboard change channels
http://www.velocityreviews.com/forums/t227768-using-two-pcs-each-with-a-microsoft-wireless-optical-desktop.html
PC #1Make sure the batteries are fresh, then press the sync button on the receiver. While thereceiver is blinking, press the connect channel button in the bottom of the keyboard to sync it.Repeat for the mouse. This PC was easy to do and is done.PC #2Repeat the above steps until the keyboard & mouse aren't activiting PC #1. This PC could takeseveral tries before you get the keyboard & mouse on their own channel.PC #3Repeat the above steps until the keyboard & mouse aren't activiting PC #1 or PC #2. This PCcould take quite a while before you get the keyboard & mouse on their own channel.
PC #1Make sure the batteries are fresh, then press the sync button on the receiver. While thereceiver is blinking, press the connect channel button in the bottom of the keyboard to sync it.Repeat for the mouse. This PC was easy to do and is done.PC #2Repeat the above steps until the keyboard & mouse aren't activiting PC #1. This PC could takeseveral tries before you get the keyboard & mouse on their own channel.PC #3Repeat the above steps until the keyboard & mouse aren't activiting PC #1 or PC #2. This PCcould take quite a while before you get the keyboard & mouse on their own channel.
Friday, September 5, 2008
Thursday, August 28, 2008
Trend Micro Pc-cillian manual removal
c:\program files\trend micro\internet security\pcctool
choose uninstall
choose uninstall
Friday, August 22, 2008
install printer - server
Download printer driver
unzip to file
add printer
lpt1
have disk
let it install
delete printer
keep driver
log-off of remote session
log back in
If printer driver is on the server, a person can remote (terminal services) in and print to a printer that is locally connected to the computer that is remoting in.
unzip to file
add printer
lpt1
have disk
let it install
delete printer
keep driver
log-off of remote session
log back in
If printer driver is on the server, a person can remote (terminal services) in and print to a printer that is locally connected to the computer that is remoting in.
Windows Profile - things to move or copy
Make a ghost image of the machine
Connect the computers through a switch
Make a new profile with their login name.
Set the password for the administrator account to admin4(companyname)
Turn on remote desktop
Make a shared folder on the new machine in their profile.
http://technet.microsoft.com/en-us/library/bb456988.aspx - domain
http://support.microsoft.com/kb/301281 - work groups
Use file and transfer wizard and copy the info to a shared folder on the new machine. It might take a minute for the shared folder to show up.
What is the ip address? Dynamic or static?
Outlook:
c:\documents and settings\[user name]\Application Data\microsoft\outlook\outlook.nk2
or the kn2 file might be their profile name
ex:C:\Documents and Settings\smarks\Application Data\Microsoft\Outlook\outlook.nk2
PST and Archive file location:
C:\Documents and Settings\smarks\Local Settings\Application Data\Microsoft\Outlook\outlook.pst (or user profile name .pst)
Shared drives and mapped drives.
Install new programs.
Connect the computers through a switch
Make a new profile with their login name.
Set the password for the administrator account to admin4(companyname)
Turn on remote desktop
Make a shared folder on the new machine in their profile.
http://technet.microsoft.com/en-us/library/bb456988.aspx - domain
http://support.microsoft.com/kb/301281 - work groups
Use file and transfer wizard and copy the info to a shared folder on the new machine. It might take a minute for the shared folder to show up.
What is the ip address? Dynamic or static?
Outlook:
c:\documents and settings\[user name]\Application Data\microsoft\outlook\outlook.nk2
or the kn2 file might be their profile name
ex:C:\Documents and Settings\smarks\Application Data\Microsoft\Outlook\outlook.nk2
PST and Archive file location:
C:\Documents and Settings\smarks\Local Settings\Application Data\Microsoft\Outlook\outlook.pst (or user profile name .pst)
Shared drives and mapped drives.
Install new programs.
Thunderbird email
Profile location: C:\Documents and Settings\\Application Data\Thunderbird\Profiles\
Another copy of thunderbird is running error:
Look for a profiles.ini file. that file tells thunderbird where the profile is. Edit that if you are going to copy or move the profile. I think that it is in the Application data folder or Thunderbird filder.
Also, there is a lock file to keep more than one instance from running at a time. That lock file is created when thunderbird is opened and deleted when it is closed. Don't copy the profile with thunderbird open. Delete parent.lock file
Remove the profile lock fileThe application may have shut down abnormally, leaving the lock in place. To fix this, open the profile folder and delete the file,
"parent.lock" (Windows),
For Windows: If you attempt to delete the "parent.lock" file and receive the error, "Cannot delete parent: The file or directory is corrupted and unreadable", restart the computer and run the error-checking tool Chkdsk (Windows 2000, XP) or ScanDisk (Windows 98, ME) [5].
http://kb.mozillazine.org/Firefox_is_already_running_but_is_not_responding
http://kb.mozillazine.org/Profile_folder_-_Thunderbird
Another copy of thunderbird is running error:
Look for a profiles.ini file. that file tells thunderbird where the profile is. Edit that if you are going to copy or move the profile. I think that it is in the Application data folder or Thunderbird filder.
Also, there is a lock file to keep more than one instance from running at a time. That lock file is created when thunderbird is opened and deleted when it is closed. Don't copy the profile with thunderbird open. Delete parent.lock file
Remove the profile lock fileThe application may have shut down abnormally, leaving the lock in place. To fix this, open the profile folder and delete the file,
"parent.lock" (Windows),
For Windows: If you attempt to delete the "parent.lock" file and receive the error, "Cannot delete parent: The file or directory is corrupted and unreadable", restart the computer and run the error-checking tool Chkdsk (Windows 2000, XP) or ScanDisk (Windows 98, ME) [5].
http://kb.mozillazine.org/Firefox_is_already_running_but_is_not_responding
http://kb.mozillazine.org/Profile_folder_-_Thunderbird
Friday, August 15, 2008
Antivirus XP 2008 removal Super Antispyware
Use Super Anti-Spyware to remove
uses processes that start with rhc and often in in 0eggs
uses processes that start with rhc and often in in 0eggs
Thursday, August 14, 2008
Crack Excel
Steve Marks Prime Networking, Inc. Phone: 574.266.6868 Fax: 574.266.6886 Email: smarks@prime-networking.com Web: www.prime-networking.com
Wednesday, August 13, 2008
Offline Files Clear cache workstation
OffLine Files
Stored on workstation under windows\CSC
Clear offline files cache
Explorer window - tools|options|offline files
Hold down ctrl+Alt+Shift and choose delete files
Steve Marks
Prime Networking, Inc.
Phone: 574.266.6868
Fax: 574.266.6886
Email: smarks@prime-networking.com
Tuesday, August 12, 2008
AntiSpyware XP 2008 Virus Removal
rhcrruj0eggs are processes in Task Manager
lphcrruj0eggs
SuperAntiVirus cleans this up. May need to rename the exe or kill process before running.
Monday, August 11, 2008
Antivirus XP 2008 Manual Removal
http://www.wiki-security.com/wiki/Parasite/Antivirus2008
Remove Antivirus 2008 manually
Another method to remove Antivirus 2008 is to manually delete Antivirus 2008 files in your system. Detect and remove the following Antivirus 2008 files:
Processes
- Antvrs.exe
- AntvrsInstall.exe
- AntvrsInstall[1].exe
- Win Antivirus 2008.exe
- av2008xp.exe
Other Files
- AntiVirus 2008.lnk
- AntiVirus 2008.lic
- %ProgramFiles%\ANTIVIRUS 2008
- Uninstall Antivirus.lnk
- Antivirus Pro 2008
- %ProgramFiles%\Antivirus2008y
- Uninstall Antivirus 2008.lnk
- %AppData%\Antivirus2008y
- %ProgramFiles%\Win Antivirus 2008
- s9201
- %UserProfile%\Start Menu\Antivirus2008y
- %ProgramFiles%\Antivirus 2008 XP
- %AllUsersProfile%\Application Data\SoftLand Ltd\Antivirus 2008 XP
Registry Keys
- HKEY_CURRENT_USER\Software\Antivirus
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
- Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC
- Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D
- Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus2008y
- SoftLand Ltd\Antivirus 2008 XP
Friday, August 1, 2008
Tuesday, July 29, 2008
Monday, July 28, 2008
Friday, July 25, 2008
Thursday, July 24, 2008
Thursday, July 10, 2008
Wednesday, July 9, 2008
Troubleshooting
Command Line:
NetDiag /v >c:\Netdiag.txt
Notepad c:\netdiag.txt
Ctrl + F to search for failed
NetDiag /v >c:\Netdiag.txt
Notepad c:\netdiag.txt
Ctrl + F to search for failed
Starting point troubleshoot DC Domain Controller Server 2003 exchange 2003
Troubleshoot starting point Event Viewer and DCdiag /V
Tuesday, July 8, 2008
exchange 2003 Recovery using images ghost
Most common problem: Drive signature issue that prbents logon after recovery
You keep getting cycled back to a logon prompt every time you try to log on because drive letters get assigned out of order
KB article 249321 and 223188 How to fix:
http://support.microsoft.com/kb/249321
http://support.microsoft.com/kb/223188
You keep getting cycled back to a logon prompt every time you try to log on because drive letters get assigned out of order
KB article 249321 and 223188 How to fix:
http://support.microsoft.com/kb/249321
http://support.microsoft.com/kb/223188
Exchange 2003 xcopy database backup
Before trying to recover anything in exchange, Xcopy the database.
exchange 2003 backup error check log file
exchange 2003 - log files flush after a backup. If the log files are not flushing, check the backup. It is probably not a clean backup
Exchange 2003 disaster recovery webcast
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032288864&EventCategory=5&culture=en-US&CountryCode=US
Procedures and considerations
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032279694&EventCategory=5&culture=en-US&CountryCode=US
Disaster recovery Solutions
http://whitepapers.techrepublic.com.com/abstract.aspx?&docid=264020&promo=100511
Disaster operations guide
Procedures and considerations
http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032279694&EventCategory=5&culture=en-US&CountryCode=US
Disaster recovery Solutions
http://whitepapers.techrepublic.com.com/abstract.aspx?&docid=264020&promo=100511
Disaster operations guide
Monday, July 7, 2008
Thursday, July 3, 2008
Wednesday, July 2, 2008
Tuesday, July 1, 2008
Monday, June 30, 2008
Keyboard Reset
Tap the left and then the right shift, cntrl, alt keys consecutively to reset the keys.
Friday, June 27, 2008
Thursday, June 26, 2008
Wednesday, June 25, 2008
Monday, June 23, 2008
VbScript - Password Reset CS5 Fortres 6
'on error resume next
dim status
dim filesys
dim ccfilesys
Set ccfilesys = CreateObject("Scripting.FileSystemObject")
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FolderExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\") Then
StorageType
Else
CCsub
End If
dim choice
choice = MsgBox("Do you want to delete this Password Reset file? (Recommended)", vbYesNo)
If choice = 6 then
'Delete the script
DeleteSelf
else
wscript.quit
end if
Sub DeleteSelf()
Dim objFSO
'Create a File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")
'Delete the currently executing script
objFSO.DeleteFile WScript.ScriptFullName
Set objFSO = Nothing
End Sub
Sub Storagetype
If filesys.FolderExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\settings\") Then
Set WshShell = CreateObject( "WScript.Shell" )
objStorageValue = WshShell.RegRead("HKLM\Software\Fortres Grand\FSRT\StorageType")
If objStorageValue = 2 then
wscript.echo "Please run this program on your Central Control Server."
wscript.quit
Else
wscript.echo "Storage is set for local machine."
End If
If filesys.FileExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.ad") then
file = "true"
filesys.DeleteFile "c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.ad"
End If
If file = "true" then
wscript.echo "Old Password Deleted"
Else
wscript.echo "Password file does not exist." & vbCL & " A new file will be created."
End If
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer)
If filesys.FileExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.default") Then
file = "true"
Set objFile = objWMIService.Get _
("CIM_DataFile.Name='c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.default'")
intReturn = objFile.Copy("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.ad")
End If
If file = "true" then
wscript.echo "Your Password is now 'password'"
Else
wscript.echo "Default file missing." & vbCL & " Please contact Technical Support."
wscript.quit
End If
Else
wscript.echo "Clean Slate 5.0 or Fortres 101 6.0 is not installed on this machine."
wscript.quit
End if
End Sub
Sub CCSUB
dim ccfilesys
set ccfilesys = CreateObject("Scripting.FileSystemObject")
If ccfilesys.FileExists("c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.ad") Then
ccfile = "true"
ccfilesys.DeleteFile "c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.ad"
End if
If ccfile = "true" then
wscript.echo "Old Password Deleted"
Else
wscript.echo "Password file does not exist." & vbCL & " A new file will be created."
End If
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer)
If ccfilesys.FileExists("c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.default") Then
Set objFile = objWMIService.Get _
("CIM_DataFile.Name='c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.default'")
intReturn = objFile.Copy("c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.ad")
ccfile = "true"
End if
If ccfile = "true" then
wscript.echo "Your Password is now 'password'"
Else
wscript.echo "Default file missing." & vbCL & " Please contact Technical Support."
wscript.quit
End If
End Sub
dim status
dim filesys
dim ccfilesys
Set ccfilesys = CreateObject("Scripting.FileSystemObject")
Set filesys = CreateObject("Scripting.FileSystemObject")
If filesys.FolderExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\") Then
StorageType
Else
CCsub
End If
dim choice
choice = MsgBox("Do you want to delete this Password Reset file? (Recommended)", vbYesNo)
If choice = 6 then
'Delete the script
DeleteSelf
else
wscript.quit
end if
Sub DeleteSelf()
Dim objFSO
'Create a File System Object
Set objFSO = CreateObject("Scripting.FileSystemObject")
'Delete the currently executing script
objFSO.DeleteFile WScript.ScriptFullName
Set objFSO = Nothing
End Sub
Sub Storagetype
If filesys.FolderExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\settings\") Then
Set WshShell = CreateObject( "WScript.Shell" )
objStorageValue = WshShell.RegRead("HKLM\Software\Fortres Grand\FSRT\StorageType")
If objStorageValue = 2 then
wscript.echo "Please run this program on your Central Control Server."
wscript.quit
Else
wscript.echo "Storage is set for local machine."
End If
If filesys.FileExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.ad") then
file = "true"
filesys.DeleteFile "c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.ad"
End If
If file = "true" then
wscript.echo "Old Password Deleted"
Else
wscript.echo "Password file does not exist." & vbCL & " A new file will be created."
End If
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer)
If filesys.FileExists("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.default") Then
file = "true"
Set objFile = objWMIService.Get _
("CIM_DataFile.Name='c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.default'")
intReturn = objFile.Copy("c:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\Settings\appmgr.ad")
End If
If file = "true" then
wscript.echo "Your Password is now 'password'"
Else
wscript.echo "Default file missing." & vbCL & " Please contact Technical Support."
wscript.quit
End If
Else
wscript.echo "Clean Slate 5.0 or Fortres 101 6.0 is not installed on this machine."
wscript.quit
End if
End Sub
Sub CCSUB
dim ccfilesys
set ccfilesys = CreateObject("Scripting.FileSystemObject")
If ccfilesys.FileExists("c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.ad") Then
ccfile = "true"
ccfilesys.DeleteFile "c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.ad"
End if
If ccfile = "true" then
wscript.echo "Old Password Deleted"
Else
wscript.echo "Password file does not exist." & vbCL & " A new file will be created."
End If
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer)
If ccfilesys.FileExists("c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.default") Then
Set objFile = objWMIService.Get _
("CIM_DataFile.Name='c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.default'")
intReturn = objFile.Copy("c:\Program Files\Fortres Grand\Central Control 6.0\Settings\appmgr.ad")
ccfile = "true"
End if
If ccfile = "true" then
wscript.echo "Your Password is now 'password'"
Else
wscript.echo "Default file missing." & vbCL & " Please contact Technical Support."
wscript.quit
End If
End Sub
Friday, June 20, 2008
Thursday, June 19, 2008
Tuesday, June 17, 2008
Monday, June 16, 2008
Friday, June 13, 2008
Thursday, June 12, 2008
Wednesday, June 11, 2008
Tuesday, June 10, 2008
Monday, June 9, 2008
How about reconfiguring the 10 PCs for a new Domain while preserving user settings, etc.?
Vista Answer: Use Windows Easy Transfer Wizard
XP or 2000pro Answer: Use File and Settings Transfer Wizard
SBS Answer: Presuming that each of these computers is used by a different (currently local) user account, when you join the domain using
http://server/connectcomputer, you can migrate the user's local profile to the domain. You must always use the wizards in SBS - you set up your users,
your computer accounts that way (on the server) and join the computers to
the domain using the /connectcomputer one.
Alternate Answer: Roaming Profiles
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is not set
to allow offline files/caching.
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once to their usual workstation and log out. The profile is now roaming.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions. Do this before the users' roaming profile folders
are created.
How to replace single domain controller in domain with a single domain controller?
| How to replace single domain controller in domain with a single domain controller? | |
| | |
| A | |
Sunday, June 8, 2008
Thursday, June 5, 2008
Restricting the Start Menu, Explorer and the Desktop
Restricting the Start Menu, Explorer and the Desktop
Updated 1/30/00
There are many general restrictions you can make to the Start Menu, the Explorer and to the Desktop itself.
- Start Regedit
- Go to HKEY_Current_User / Software / Microsoft / Windows / CurrentVersion / Policies
- There should already be at least a Explorer section there already
- Additional keys that can be created under Policies are WinOldApp
- You can then add DWORD values set to 1 in the appropriate keys
- To re-enable them, either delete the key or set the value to 0
- ClearRecentDocsOnExit = Clear of Recent Documents on Exit
- NoAddPrinter = Adding new printers
- NoClose = Computer Shutdown
- NoDeletePrinter = Delete Installed Printers
- NoDesktop = Doesn't show Desktop items as well as and Desktop right-click menu
- NoDevMgrUpdate = Windows 98/ME web Update Manager
- NoDrives [hex] = Hides Drives in my computer
- NoFind = Find command
- NoInternetIcon = Internet Icon on Desktop
- NoNetHood = Network Neighborhood
- NoRecentDocsHistory = Recent Documents in Start Menu
- NoRun = Run command
- NoSaveSettings = Save Settings on exit
- NoSetFolders = Folders in Start Menu -> Settings
- NoSetTaskbar = Taskbar in Start Menu -> Settings
- NoSMMyDocs = My Documents folder in Start Menu
- NoSMMyPictures = My Pictures folder in Start Menu
Control Panel Restrictions
Control Panel Restrictions
Updated 1/31/00
There are many general restrictions you can make to the Control Panel
- Start Regedit
- Go to HKEY_Current_User / Software / Microsoft / Windows / CurrentVersion / Policies
- Create a new keys under Policies called System
- You can then add DWORD values set to 1 in the appropriate keys
- To re-enable them, either delete the key or set the value to 0
- NoDispCPL - Disable Display Control Panel
- NoDispBackgroundPage - Hide Background Page
- NoDispScrSavPage - Hide Screen Saver Page
- NoDispAppearancePage - Hide Appearance Page
- NoDispSettingsPage - Hide Settings Page
- NoSecCPL - Disable Password Control Panel
- NoPwdPage - Hide Password Change Page
- NoAdminPage - Hide Remote Administration Page
- NoProfilePage - Hide User Profiles Page
- NoDevMgrPage - Hide Device Manager Page
- NoConfigPage - Hide Hardware Profiles Page
- NoFileSysPage - Hide File System Button
- NoVirtMemPage - Hide Virtual Memory Button
Prevent Changes to the Start Menu
Preparing to move Hard Drive to another computer
Preparing to Move Hard Drive to Another Computer
Submitted 12/20/00
To remove the devices from device manager when taking a HD from one computer to another,
simply:
- Run Regedit
- Go to HKEY_LOCAL_MACHINE\ and delete the Enum section
- This removes all of the hardware specific settings
Submitted by Lee Berry
Subscribe to:
Posts (Atom)