<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Teh Tech &#187; Security</title>
	<atom:link href="http://tehtech.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://tehtech.com</link>
	<description>Being an Admin is Hard Enough</description>
	<lastBuildDate>Wed, 14 Jul 2010 16:14:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Cause a Computer to Stop Booting via Script</title>
		<link>http://tehtech.com/cause-a-computer-to-stop-booting-via-script/</link>
		<comments>http://tehtech.com/cause-a-computer-to-stop-booting-via-script/#comments</comments>
		<pubDate>Sat, 08 May 2010 18:26:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Scripts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Break]]></category>
		<category><![CDATA[Cute Secretary]]></category>
		<category><![CDATA[Stop Booting]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=371</guid>
		<description><![CDATA[Interesting simple script I wrote today to cause a computer to stop booting. When run the operating system will not load, the issue is easily reversed with a boot cd of any kind. Why would I ever want to do this you might ask. Simple I used it at the request of an employer. The [...]]]></description>
			<content:encoded><![CDATA[<p>An interesting, simple script I wrote today to cause a computer to stop booting. When run, the operating system will not load; the issue is easily reversed with a boot CD of any kind. Why would I ever want to do this, you might ask? Simple: I used it at the request of an employer. The boss had requested a way to see exactly what a user was doing on his work computer without giving him a chance to clean it up. I used Kaseya to push this script down and a few minutes later I got a call from the user saying his computer had crashed. I told him to send it to IT and he did. I got the computer, renamed the file and turned it over to the boss so he could see what he wanted. He was let go a few hours later.<br />
<span id="more-371"></span></p>
<p>All the script does is rename ntdetect.com, the file NTLDR runs to detect hardware at startup, to ntdetect.bak. On the next reboot the machine fails before the operating system loads, and it keeps failing until the file is renamed back from a boot disk such as BartPE. Two caveats a practitioner will want: this only applies to NTLDR-based systems (Windows 2000, XP and Server 2003); Vista and later boot through bootmgr and do not use ntdetect.com, so the script does nothing there. And renaming a file on the live disk is not an evidence-preserving step; if what is on the machine might end up in front of HR or a court, image the disk before anyone, including you, changes anything else on it.</p>
<div class="box">
Script Name: Break the computer<br />
Script Description: Causes the computer to stop booting until a file is renamed.<br />
IF True<br />
THEN<br />
Execute Shell Command<br />
Parameter 1 : attrib -H -R -S c:\ntdetect.com<br />
Parameter 2 : 0<br />
OS Type : 0<br />
Execute Shell Command<br />
Parameter 1 : rename c:\ntdetect.com ntdetect.bak<br />
Parameter 2 : 0<br />
OS Type : 0<br />
ELSE</div>
<p>This can also be used in a batch file:</p>
<div class="box">attrib -H -R -S c:\ntdetect.com<br />
rename c:\ntdetect.com ntdetect.bak<br />
shutdown -r -f -t 0</div>
<p>This could be useful for recovering stolen computers, preserving data from soon-to-be-fired employees (without giving them the chance to delete things), or pulling a computer in for investigation. You can also use it as an excuse to go visit that cute new secretary&#8230;</p>
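<p>The reversal step, as an added example that is not part of the original post: a PowerShell script to run from a recovery environment that has PowerShell (a WinPE build, or the disk hung off another Windows machine) to confirm which NTLDR boot files are missing and rename ntdetect.bak back. The drive letter the offline volume receives ($Volume) and the ntdetect.bak name are assumptions, the latter taken from the script above.</p>

```powershell
# Added example, not from the original post. Run from a boot CD / WinPE
# that includes PowerShell, or with the disk attached to another Windows
# machine, to confirm which NTLDR boot files are missing and put
# ntdetect.com back. $Volume (the letter the offline system volume was
# given) and the ntdetect.bak name (from the post's script) are assumptions.
param([string]$Volume = 'D:\')

function Test-NtldrBootFiles {
    param([string]$Root)
    # The three files NTLDR needs on the system volume of Windows 2000/XP/2003.
    # Test-Path sees hidden/system files, so no -Force is needed here.
    foreach ($name in 'ntldr', 'ntdetect.com', 'boot.ini') {
        New-Object PSObject -Property @{
            File    = $name
            Present = (Test-Path (Join-Path $Root $name))
        }
    }
}

function Restore-NtDetect {
    param([string]$Root, [string]$BackupName = 'ntdetect.bak')
    $orig = Join-Path $Root 'ntdetect.com'
    $bak  = Join-Path $Root $BackupName
    if (Test-Path $orig)       { return 'ntdetect.com already present, nothing to do' }
    if (-not (Test-Path $bak)) { return "$BackupName not found; copy ntdetect.com from the i386 folder of install media" }
    Rename-Item -Path $bak -NewName 'ntdetect.com' -Force
    # Put back the attributes the batch file stripped with attrib -H -R -S.
    (Get-Item $orig -Force).Attributes = [IO.FileAttributes]'Hidden, System, ReadOnly'
    return 'restored'
}

Test-NtldrBootFiles -Root $Volume | Format-Table -AutoSize
Restore-NtDetect -Root $Volume
```

<p>If boot.ini is also missing the restore alone will not bring the machine back; the check table tells you which of the three you actually have to source from install media.</p>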
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/cause-a-computer-to-stop-booting-via-script/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Scripted Enumeration of Accounts with Local Admin Rights</title>
		<link>http://tehtech.com/sripted-enumeration-of-accounts-with-local-admin-rights/</link>
		<comments>http://tehtech.com/sripted-enumeration-of-accounts-with-local-admin-rights/#comments</comments>
		<pubDate>Sun, 18 Apr 2010 16:15:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Kaseya]]></category>
		<category><![CDATA[Scripts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Local Admin]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=333</guid>
		<description><![CDATA[Beefing up security on networks keeps you from having issues in the long run. An hour today can save you three later. In an effort to improve network security and individual computer security I came up with this fancy little Kaseya script. It enumerates the local administrators on a computer and exports them to a [...]]]></description>
			<content:encoded><![CDATA[<p>Beefing up security on networks keeps you from having issues in the long run. An hour today can save you three later. In an effort to improve network security and individual computer security I came up with this fancy little Kaseya script. It enumerates the local administrators on a computer and exports them to a text file named after the target computer. This can also be run through a batch login script. In the example below &#8220;g:&#8221; is an admin share on my local server; you can make this whatever you want, or use a Get File step in Kaseya to pull the text file off the computer. Two things to watch: <code>&gt;&gt;</code> appends, so every run adds another copy of the list to the same file (use <code>&gt;</code> if you only want the latest snapshot), and the share has to be writable by every workstation, so give them create/append rights only and keep it unreadable to ordinary users, because the file is a list of exactly who holds admin rights where.</p>
<p><span id="more-333"></span></p>
<div class="box">Script Name: Get Local Administrators<br />
Script Description: Enumerates what users are members of the local admin group.<br />
IF True<br />
THEN<br />
Execute Shell Command<br />
Parameter 1 : net localgroup administrators &gt;&gt; <span style="color: #ff0000;">gadmin_audit</span>%computername%.txt<br />
Parameter 2 : 1<br />
OS Type : 0<br />
ELSE</div>
<p>Here is the same thing in a batch file with mapping a share:</p>
<div class="box">Net use g: <span style="color: #ff0000;">\server01admin_share</span><br />
net localgroup administrators &gt;&gt; <span style="color: #ff0000;">gadmin_audit</span>%computername%.txt<br />
net use g: /delete</div>
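<p>The same enumeration compared against an approved list, as an added example that is not the post's own script: it parses the net localgroup output, writes one CSV per computer to the share and exits non-zero when it finds a member that should not be there, so the Kaseya job can flag the host. The approved principals and the \\server01\admin_share\admin_audit path are placeholders to replace with your own.</p>

```powershell
# Added example, not from the original post: the same "net localgroup"
# enumeration, compared against an approved list so the report says who
# should NOT be there instead of just who is. $Approved and $ReportDir are
# placeholders (assumptions); any user can read the local group, writing
# the report needs rights on the share.
param(
    [string[]]$Approved  = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins'),
    [string]  $ReportDir = '\\server01\admin_share\admin_audit'
)

function Get-LocalAdminMembers {
    # net localgroup lists members between a line of dashes and
    # "The command completed successfully." That closing line is localized,
    # so adjust the pattern on non-English systems.
    $inList = $false
    foreach ($raw in (net localgroup administrators 2>&1)) {
        $line = "$raw".Trim()   # stderr arrives as ErrorRecord objects; stringify first
        if ($line -match '^-{5,}')                 { $inList = $true; continue }
        if ($line -match 'completed successfully') { break }
        if ($inList -and $line)                    { $line }
    }
}

function Get-UnexpectedAdmins {
    param([string[]]$Members, [string[]]$Approved)
    # -notcontains is case-insensitive, which matches how Windows treats account names.
    $Members | Where-Object { $Approved -notcontains $_ }
}

$members    = @(Get-LocalAdminMembers)
$unexpected = @(Get-UnexpectedAdmins -Members $members -Approved $Approved)

New-Object PSObject -Property @{
    Computer   = $env:COMPUTERNAME
    Checked    = (Get-Date).ToString('s')
    Members    = ($members -join ';')
    Unexpected = ($unexpected -join ';')
} | Export-Csv -Path (Join-Path $ReportDir "$env:COMPUTERNAME.csv") -NoTypeInformation

# A non-zero exit code lets Kaseya (or a login script wrapper) flag the host.
if ($unexpected.Count -gt 0) { exit 1 } else { exit 0 }
```

<p>Overwriting one CSV per computer instead of appending keeps the share from growing with every run; if you want history, add the date to the file name.</p>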
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/sripted-enumeration-of-accounts-with-local-admin-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Removing Trend Micro Client/Server Security Silently Through Kaseya or a Login Script</title>
		<link>http://tehtech.com/removing-trend-micro-clientserver-security-silently-through-kaseya-or-a-login-script/</link>
		<comments>http://tehtech.com/removing-trend-micro-clientserver-security-silently-through-kaseya-or-a-login-script/#comments</comments>
		<pubDate>Fri, 16 Apr 2010 15:44:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Rants]]></category>
		<category><![CDATA[Scripts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Anti-Virus]]></category>
		<category><![CDATA[Trend]]></category>
		<category><![CDATA[Uninstall]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=326</guid>
		<description><![CDATA[As you might have noticed from my last post I have spent some time cleaning up Trend Micro issues on my networks this week. I have a few installs that are messed up and need a reinstall so I made this. Script Name: Trend Micro Uninstall Script Description: Uninstall Trend Micro client IF True THEN [...]]]></description>
			<content:encoded><![CDATA[<p>As you might have noticed from my last post I have spent some time cleaning up Trend Micro issues on my networks this week. I have a few installs that are messed up and need a reinstall so I made this.</p>
<div class="box">Script Name: Trend Micro Uninstall<br />
Script Description: Uninstall Trend Micro client<br />
IF True<br />
THEN<br />
Set Registry Value<br />
Parameter 1 : HKEY_LOCAL_MACHINESOFTWARETrendMicroPC-cillinNTCorpCurrentVersionMisc.Allow Uninstall<br />
Parameter 2 : 1<br />
Parameter 3 : REG_DWORD<br />
OS Type : 0<br />
Execute File<br />
Parameter 1 : c:Program FilesTrend MicroClient Server Security Agentntrmv.exe<br />
Parameter 2 : /silent /noreboot<br />
Parameter 3 : 0<br />
OS Type : 0<br />
ELSE</div>
<p><span id="more-326"></span><br />
Essentially this will uninstall the trend client from the computer with no user interaction required. Though the silent switch is employed there is still a progress window that I can’t seem to suppress.</p>
<p>This can be used as a login script by importing the registry key and then running the uninstaller.  Save the below as trend.reg:</p>
<div class="box">Windows Registry Editor Version 5.00<br />
[HKEY_LOCAL_MACHINESOFTWARETrendMicroPC-cillinNTCorpCurrentVersionMisc.]<br />
&#8220;Allow Uninstall&#8221;=dword:00000001</div>
<p>And run this batch file at login, change the <span style="color: #ff0000;">red </span>to match your paths:</p>
<div class="box">Regedit /s <span style="color: #ff0000;">g:registrytrend.reg</span><br />
c:Program FilesTrend MicroClient Server Security Agentntrmv.exe /silent /noreboot</div>
<p>When run on login the Trend Product will be automatically removed thus preparing the computer for a Trend reinstall, or a new anti-virus install.<br />
[ad]</p>
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/removing-trend-micro-clientserver-security-silently-through-kaseya-or-a-login-script/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Trend Micro Client/Server Agent Uninstall Without Password</title>
		<link>http://tehtech.com/trend-micro-clientserver-agent-uninstall-without-password/</link>
		<comments>http://tehtech.com/trend-micro-clientserver-agent-uninstall-without-password/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 13:49:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Registry]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Trend Micro]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=320</guid>
		<description><![CDATA[I am posting this because I have had this issue a few times and it seems to be happening more and more often to me.  The idea is that when you go to unload office scan, or the trend agent it prompts you for a password, you enter it and away you go.   The [...]]]></description>
			<content:encoded><![CDATA[<p>I am posting this because I have had this issue a few times and it seems to be happening more and more often to me. The idea is that when you go to unload OfficeScan or the Trend agent it prompts you for a password; you enter it and away you go. The issue is when a client computer is not communicating with the server as it should: it cannot authenticate the password. Here is the fix: in the registry key below, change the DWORD value to a '1' instead of a '0'. This change allows the software to be uninstalled without entering the password. Keep in mind what that means: the uninstall password is enforced by the client itself, so anyone with local administrator rights can flip this bit and remove the agent. Set it back to 0 once you are done.</p>
<div class="box">[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]<br />
&#8220;Allow Uninstall&#8221;=dword:00000000</div>
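<p>An added example, not from this post or the uninstall post above: the registry flip and the silent ntrmv.exe run from both posts in one PowerShell script that checks the agent is actually installed, remembers the old Allow Uninstall value and puts it back if the uninstaller fails or hangs, plus a small audit function that reports whether the bypass bit has been left on. The Trend paths and switches are the posts' own; the Wow6432Node key, the Program Files (x86) path and the 10-minute timeout are assumptions.</p>

```powershell
# Added example, not from either post. Wraps the "Allow Uninstall" flip and
# the silent ntrmv.exe run so the old flag value is restored on failure, and
# adds an audit check for the flag being left at 1. Trend paths and switches
# are from the posts; the Wow6432Node key, the Program Files (x86) path and
# the 10-minute timeout are assumptions.
$keys = @(
    'HKLM:\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.',
    'HKLM:\SOFTWARE\Wow6432Node\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.'
)
$exes = @("$env:ProgramFiles\Trend Micro\Client Server Security Agent\ntrmv.exe")
if (${env:ProgramFiles(x86)}) {
    $exes += "${env:ProgramFiles(x86)}\Trend Micro\Client Server Security Agent\ntrmv.exe"
}

function Get-AllowUninstallKey {
    foreach ($k in $keys) { if (Test-Path $k) { return $k } }
}

function Get-AllowUninstallValue {
    param([string]$Key)
    (Get-ItemProperty -Path $Key -Name 'Allow Uninstall' -ErrorAction SilentlyContinue).'Allow Uninstall'
}

function Test-UninstallPasswordBypassed {
    # $true means anyone with local admin rights can remove the agent without
    # the password; outside a maintenance window this should be $false.
    $k = Get-AllowUninstallKey
    if (-not $k) { return $false }
    return ((Get-AllowUninstallValue -Key $k) -eq 1)
}

function Invoke-TrendUninstall {
    $key = Get-AllowUninstallKey
    $exe = $exes | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $key -or -not $exe) { return 'agent not found, nothing to do' }

    $old = [int](Get-AllowUninstallValue -Key $key)   # $null becomes 0
    Set-ItemProperty -Path $key -Name 'Allow Uninstall' -Value 1 -Type DWord

    $p = Start-Process -FilePath $exe -ArgumentList '/silent', '/noreboot' -PassThru
    $null = $p.Handle   # cache the handle so ExitCode is readable after the process exits
    if (-not $p.WaitForExit(600000)) {
        $p.Kill()
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name 'Allow Uninstall' -Value $old -Type DWord }
        return 'uninstaller timed out after 10 minutes; Allow Uninstall restored'
    }
    if ($p.ExitCode -ne 0 -and (Test-Path $key)) {
        Set-ItemProperty -Path $key -Name 'Allow Uninstall' -Value $old -Type DWord
        return "ntrmv.exe exit code $($p.ExitCode); Allow Uninstall restored"
    }
    return "uninstall finished (exit code $($p.ExitCode)); reboot when convenient"
}

Invoke-TrendUninstall
```

<p>Run <code>Test-UninstallPasswordBypassed</code> on its own from the same Kaseya job or a login script when you are not uninstalling; a machine that reports $true has had its tamper protection switched off and nobody switched it back.</p>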
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/trend-micro-clientserver-agent-uninstall-without-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The 333 Event ID In The Application Event Log</title>
		<link>http://tehtech.com/the-333-event-id-in-the-application-event-log/</link>
		<comments>http://tehtech.com/the-333-event-id-in-the-application-event-log/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 02:52:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Event Log]]></category>
		<category><![CDATA[Registry]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Application Error]]></category>
		<category><![CDATA[Event ID 333]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=294</guid>
		<description><![CDATA[I am writing this because I had a server doing this for a very long time before I pinned down the cause. This will include a lot of what I found on the internet and my own personal fix that worked for me. Example Event: Event Type: Error Event Source: Application Popup Event Category: None [...]]]></description>
			<content:encoded><![CDATA[<p>I am writing this because I had a server doing this for a very long time before I pinned down the cause. This will include a lot of what I found on the internet and my own personal fix that worked for me.</p>
<p>Example Event:</p>
<div class="box">Event Type: Error<br />
Event Source: Application Popup<br />
Event Category: None<br />
Event ID: 333<br />
Date: 3/23/2009<br />
Time: 2:44:53 PM<br />
User: N/A<br />
<a href="http://forums.techguy.org/networking/534339-event-id-333-windows-server.html#">Computer</a>: SERVER1<br />
Description:<br />
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system&#8217;s image of the Registry. </p>
<p>For more information, see Help and Support Center at <a href="http://go.microsoft.com/fwlink/events.asp">http://go.microsoft.com/fwlink/events.asp</a>.<br />
Data:<br />
0000: 00 00 00 00 01 00 6c 00   ......l.<br />
0008: 00 00 00 00 4d 01 00 c0   ....M..À<br />
0010: 00 00 00 00 4d 01 00 c0   ....M..À<br />
0018: 00 00 00 00 00 00 00 00   ........<br />
0020: 00 00 00 00 00 00 00 00   ........</div>
<p>Symptoms: Every third of a second or so an event ID 333 error was logged in the application event log on the server. This would start after the server had been up for a few hours to days and would stop for a period after a reboot. The error occurred so often I was reaching 30,000 instances in 24 hours. About 36 hours after the events started, no one was able to log in to Active Directory, and getting the server back required a manual hard reboot.</p>
<p> <span id="more-294"></span></p>
<p>Things I found on the internet: This error is often caused by a lack of resources on the server. Either there is not enough addressable memory, your disk speed is too low, or something is functioning very sub-optimally. Everything I found pointed to checking these:</p>
<ul class="unIndentedList">
<li> /3GB  /PAE   and /USERVA switches in the boot ini.  It it worth evaluating if you have these set up right.  More often than not they are not needed at all.  <a href="http://blogs.technet.com/askperf/archive/2007/03/23/memory-management-demystifying-3gb.aspx">This</a> post on /3gb and /PAE and<a href="http://support.microsoft.com/?id=316739">this</a> article on /userva</li>
</ul>
<p></p>
<ul>
<li> Check performance. Use <a href="http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx">process explorer</a> to see if there is something creating a excessive number of threads, or handles.  Use it to monitor tasks and make sure no process is being greedy with CPU time or memory usage.</li>
<p></p>
<li> Disable Hot add Memory.  This has been useful to me on terminal servers before, though it did not fix my issue I have found a significant number of posts where it did.  Check out this <a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;913568">article</a>.</li>
<p></p>
<li> Out of date firmware and drivers.  This especially goes for RAID controllers and hard disks.  This can often times be really hard to upgrade without breaking the data on your disks.  If you are using a RAID controller with 6 year old firmware, chances are that it is not preforming optimally on your 2 TB RAID 5 configuration.  I would start by upgrading in this path: 1. RAID controller driver     2. Motherboard BIOS    3. Motherboard chipset drivers   4. RAID controller firmware    5.  Hard disk firmware.  Be very careful to check with the vendors before changing firmware on your disks or controller that it is not data destructive.</li>
<p></p>
<li> Update SQL.  If you are running SQL make sure you have all the updates, and that your memory usage in SQL is not set higher than 1/2 of your total available memory unless it is a detected SQL server.  </li>
<p></p>
<li> Disk Quotas.  Turn them off, i really don&#8217;t think anyone uses them anyways.  If you do make sure you don&#8217;t have any service running under a account that is subject to disk quotas.  for example if you have a 500 mb disk quota for all users, and your print spooler is running under a service account.  If a few people print big things, its not going to work and you will get 333 errors among other errors.</li>
<p></p>
<li> Page File.  Your page file should be 1.5 times your total system RAM.  On a server with 1 gb of RAM you would set this to 1.5 gb, do not allow for system managed pagefile.</li>
<p></p>
<li>Ntbackup.exe.  This can cause strange system hangs if you are having a issue with VSS, are running SQL, or exchange, or any other application that is very did write intensive.  I found several posts that pointed to nightly systemstate backups as the culprit.  You can disable this temporarily for troubleshooting.  </li>
<p></p>
<li>Old Antivirus.  Make sure you have the latest scan engine on your antivirus.  There were some examples of people that updated their antivirus and the issue was resolved like magic. </li>
<p></p>
<li>Virus/spyware.  This goes with out saying in most cases, but make sure there is nothing sketchy running on your server.</li>
<p>
</ul>
<p> </p>
<p>My solution: For me the solution was the page file and disk quota. The page file was system managed and moved to a disk off the primary partition. This disk had disk quota limitations on it. When things got intense and the server wanted more disk space for the page file, quota management would slap its hand and make it put it back. This was decreasing my performance and causing a ton of errors. I was effectively able to use 1.5 GB of my page file on a server that was running Exchange and SQL. I turned off disk quotas and changed the page file to a set size; since doing this I have had no issues at all.</p>
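<p>An added example that is not part of the original post: one PowerShell script that gathers the three things this post ends up blaming (the event rate, the page-file configuration and disk quotas) and flags the exact combination the author hit, a page file on a volume with enforced quotas. It uses WMI and Get-EventLog so it runs on Server 2003 with PowerShell 2.0; the 24-hour window is an assumption.</p>

```powershell
# Added example, not from the original post: event rate, page-file
# configuration and disk-quota state in one report, plus a warning for the
# author's root cause (page file on a quota-enforced volume). WMI and
# Get-EventLog keep it runnable on Server 2003 / PowerShell 2.0. $Hours is
# an assumed reporting window.
param([int]$Hours = 24)

function Get-Event333Rate {
    param([int]$Hours)
    $events = @(Get-EventLog -LogName Application -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 333 -and $_.Source -eq 'Application Popup' })
    # Get-EventLog returns newest first.
    $newest = $null; $oldest = $null
    if ($events.Count -gt 0) { $newest = $events[0].TimeGenerated; $oldest = $events[-1].TimeGenerated }
    New-Object PSObject -Property @{
        Count   = $events.Count
        PerHour = [math]::Round($events.Count / [math]::Max($Hours, 1), 1)
        Newest  = $newest
        Oldest  = $oldest
    }
}

function Get-PageFileStatus {
    $ramMB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    # No Win32_PageFileSetting rows at all means "system managed size".
    foreach ($s in @(Get-WmiObject Win32_PageFileSetting)) {
        New-Object PSObject -Property @{
            Path      = $s.Name                    # e.g. D:\pagefile.sys
            InitMB    = $s.InitialSize
            MaxMB     = $s.MaximumSize
            Fixed     = ($s.InitialSize -gt 0 -and $s.InitialSize -eq $s.MaximumSize)
            RamMB     = $ramMB
            Is1_5xRam = ($s.InitialSize -ge [int](1.5 * $ramMB))   # the post's rule of thumb
        }
    }
}

function Get-QuotaStatus {
    # Win32_QuotaSetting.State: 0 = disabled, 1 = tracked, 2 = enforced.
    foreach ($q in @(Get-WmiObject Win32_QuotaSetting)) {
        New-Object PSObject -Property @{
            Volume   = $q.VolumePath               # e.g. D:\
            State    = $q.State
            Enforced = ($q.State -eq 2)
        }
    }
}

function Find-PageFileOnQuotaVolume {
    # The author's root cause: quota enforcement throttling page-file growth.
    $quotas = @(Get-QuotaStatus)
    foreach ($pf in @(Get-PageFileStatus)) {
        $drive = $pf.Path.Substring(0, 3)
        $hit = $quotas | Where-Object { $_.Volume -eq $drive -and $_.Enforced }
        if ($hit) { "WARNING: page file $($pf.Path) is on a quota-enforced volume ($drive)" }
    }
}

Get-Event333Rate -Hours $Hours
Get-PageFileStatus | Format-Table -AutoSize
Get-QuotaStatus    | Format-Table -AutoSize
Find-PageFileOnQuotaVolume
```

<p>Run it on a server that is logging 333s and again after any change from the list above; the PerHour figure is the number to compare, since the raw count depends on how long the box has been up.</p>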
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/the-333-event-id-in-the-application-event-log/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adding ‘Lock My Computer’ Shortcut to The Desktop</title>
		<link>http://tehtech.com/adding-lock-my-computer-shortcut-to-the-desktop/</link>
		<comments>http://tehtech.com/adding-lock-my-computer-shortcut-to-the-desktop/#comments</comments>
		<pubDate>Fri, 09 Apr 2010 01:14:55 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Kaseya]]></category>
		<category><![CDATA[Scripts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Lock]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=287</guid>
		<description><![CDATA[In an effort to increase security at one of my healthcare providers they requested a quick way their employees can lock their computers when they walk away from their computers.  I found Mklnk, it is a very tiny free utility that lets you make shortcuts from command line.  I decided to use this to accomplish this task.  I [...]]]></description>
			<content:encoded><![CDATA[<p>In an effort to increase security at one of my healthcare providers, they requested a quick way for their employees to lock their computers when they walk away. I found <a title="mklnk" href="http://smithii.com/mklnk" target="_blank">Mklnk</a>, a very tiny free utility that lets you make shortcuts from the command line, and decided to use it for this. I did some research and found that the following command will lock your computer.</p>
<div class="box">rundll32.exe user32.dll,LockWorkStation</div>
<p><span id="more-287"></span><br />
So I used this with mklnk.exe to make a shortcut on the users' desktop, with a lock icon. Below is the batch file I used. G: is a network share containing mklnk.exe.</p>
<div class="box">g:\mklnk.exe -a user32.dll,LockWorkStation -i %SystemRoot%\system32\SHELL32.dll -n 47 %SystemRoot%\system32\rundll32.exe &#8220;%ALLUSERSPROFILE%\Desktop\Lock&#8221;</div>
<p>What this does is pass the arguments user32.dll,LockWorkStation to rundll32.exe; the result is a shortcut on the all-users desktop called &#8220;Lock&#8221; that uses shell icon 47 (a cute lock graphic). Note that %ALLUSERSPROFILE%\Desktop is the all-users desktop on XP only; on Vista and later it is %PUBLIC%\Desktop, so adjust the last argument for those systems.</p>
<p>To use this with kaseya you have to upload mklnk.exe to the kserver, and then import the following script.  Be sure to change the <span style="color: #ff0000;">red</span> to match the location you have uploaded mklnk.exe.</p>
<div class="box">Script Name: Lock Computer Icon on Desktop<br />
Script Description: Creates a Lock icon on the all user desktop silently </p>
<p>IF True<br />
THEN<br />
Execute Shell Command<br />
Parameter 1 : md c:temp<br />
Parameter 2 : 0<br />
OS Type : 0<br />
Write File<br />
Parameter 1 : c:tempmklnk.exe<br />
Parameter 2 : <span style="color: #ff0000;">adminutilmklnk.exe</span><br />
OS Type : 0<br />
Execute Shell Command<br />
Parameter 1 : c:tempmklnk.exe -a user32.dll,LockWorkStation -i %SystemRoot%system32SHELL32.dll -n 47 %SystemRoot%system32rundll32.exe &#8220;%ALLUSERSPROFILE%DesktopLock My Computer&#8221;<br />
Parameter 2 : 1<br />
OS Type : 0<br />
Delete File<br />
Parameter 1 : c:tempmklnk.exe<br />
OS Type : 0<br />
ELSE</div>
<p>[ad]</p>
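<p>The same shortcut without a third-party tool, as an added example that is not the post's script: PowerShell can create a .lnk through the WScript.Shell COM object that ships with Windows, so nothing has to be copied to the machine first, and it can read the shortcut back to verify what was pushed. The target, arguments and icon index 47 are the post's; the shortcut name is an assumption. Writing to the all-users desktop needs administrator rights.</p>

```powershell
# Added example, not from the original post: create the "Lock My Computer"
# shortcut with the WScript.Shell COM object built into Windows, then read
# it back to verify it. Target, arguments and icon index 47 are the post's
# own; the shortcut name is an assumption.
function New-LockShortcut {
    param([string]$Name = 'Lock My Computer')
    $shell = New-Object -ComObject WScript.Shell
    # AllUsersDesktop resolves to %ALLUSERSPROFILE%\Desktop on XP and
    # %PUBLIC%\Desktop on Vista and later, so no path is hard-coded.
    $desktop = $shell.SpecialFolders.Item('AllUsersDesktop')
    $lnkPath = Join-Path $desktop "$Name.lnk"

    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath   = Join-Path $env:SystemRoot 'System32\rundll32.exe'
    $lnk.Arguments    = 'user32.dll,LockWorkStation'
    $lnk.IconLocation = (Join-Path $env:SystemRoot 'System32\shell32.dll') + ',47'
    $lnk.Description  = 'Lock this computer'
    $lnk.Save()
    return $lnkPath
}

function Test-LockShortcut {
    # Read the .lnk back and confirm it points where we expect; this is the
    # check to run after pushing the shortcut through Kaseya or a login script.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)
    return ($lnk.TargetPath -like '*\rundll32.exe' -and $lnk.Arguments -eq 'user32.dll,LockWorkStation')
}

$path = New-LockShortcut
Test-LockShortcut -Path $path
```

<p>A desktop shortcut still relies on the user clicking it; pair it with a screen-saver lock timeout enforced through Group Policy so an unattended machine locks on its own.</p>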
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/adding-lock-my-computer-shortcut-to-the-desktop/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker; What is it? How to Prevent and clean It.</title>
		<link>http://tehtech.com/conficker-what-is-it-how-to-prevent-and-clean-it/</link>
		<comments>http://tehtech.com/conficker-what-is-it-how-to-prevent-and-clean-it/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 17:12:09 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Updates]]></category>
		<category><![CDATA[Conflicker]]></category>
		<category><![CDATA[MS08-067]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Windows update]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=262</guid>
		<description><![CDATA[What is it?: Conficker is a worm that has been spreading for about 2 months, infecting an estimated 15-20 million computers worldwide.  Systems running Windows 2000 (Professional and Server), Windows XP (all editions), Vista (all editions), Server 2003, Server 2008 and even Windows 7 are susceptible.  The details of what exactly the worm does are a bit sketchy because of the [...]]]></description>
			<content:encoded><![CDATA[<p>What is it?: Conficker is a worm that has been spreading for about 2 months, infecting an estimated 15-20 million computers worldwide. Systems running Windows 2000 (Professional and Server), Windows XP (all editions), Vista (all editions), Server 2003, Server 2008 and even Windows 7 are susceptible. The details of what exactly the worm does are a bit sketchy because of the way it is built: it downloads more of itself over time, so its behaviour is not fixed. At this time it appears to be dormant on the computer, waiting to download the remainder of its payload on April 1st. Right now it is presumed that the worm spreads through the RPC service (the Server service hole patched by MS08-067) and through HTTP, network shares, USB and removable media, and even FTP. The worm can modify open-port exceptions in Windows Firewall and can stop svchost.exe, services.exe and explorer.exe. It has a built-in P2P component so that infected hosts can exchange code with each other and with web servers and coordinate. That is where the fear of fast-changing polymorphic code comes from, as well as the ability to use infected hosts as zombies to attack other computers or servers.</p>
<p>Symptoms of the worm are expected to include, and have been confirmed to include:</p>
<ul>
<li>Services disabling on their own, namely Windows Defender, BITS, Windows Firewall, and some third-party antivirus services such as LiveUpdate.</li>
<li>Massive increase in network traffic. Up to a 10-15% increase in total network traffic is expected on infected networks, due to attacks on shares and accounts as well as the spread of the worm and its payload.</li>
<li>Account lockouts reset. If the worm is on a DC it will dictionary-attack the admin account and admin shares; if the account locks out, it will automatically reset the lockout.</li>
<li>Lastly, some or all AV websites, security websites and Windows Update sites are inaccessible. They reply to ping and answer telnet on port 80, but they are not reachable from any browser. This appears to be done through a virtual proxy system.</li>
</ul>
<p><span id="more-262"></span><br />
Microsoft has teamed up with ICANN, AOL, Symantec and other big names in computer security and network technology to attempt to curtail the spread of the worm. A $250,000 reward is available for anyone who can provide information leading to the arrest of the author.<br />
Microsoft released patch MS08-067 on October 23, 2008 to close the hole the worm exploits; however, it is estimated that about 30% of computers do not have it installed. The patch is available from Microsoft <a title="MS08-067" href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx">HERE</a>. It is available for Windows 2000 SP4 through Windows Server 2008, with the exception of Windows XP Service Pack 1 (Service Pack 1 has reached its end of support). Windows 7 has the fix integrated already. Many antivirus makers have released removal tools. Microsoft has a removal tool available <a title="Conficker and malware cleaner from Microsoft" href="http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&amp;displaylang=en">HERE</a>, and BitDefender has a network/domain removal tool <a title="bdtool" href="http://www.bdtools.net/">HERE</a>.</p>
<p>What you can do to limit and prevent Conficker spread as a network administrator:</p>
<ul>
<li>Follow password best practice. Require passwords that include special characters and are at least 6 characters long; the worm works from a fixed list of common passwords, so anything not on a dictionary list defeats that part of it.</li>
<li>Turn off all unnecessary network shares. Any computer on the network with an open share is a way in. Check out <a title="ShareEnum" href="http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx">ShareEnum</a> to discover shares.</li>
<li>Turn off AutoRun. You don&#8217;t need it in most cases, and it allows code on removable media to execute on insert.</li>
<li>Update antivirus. Make sure you have the latest definitions and scan engine. Note that the scan engine is sometimes not auto-updated and may need manual processing. Also make sure all of your computers show up in the antivirus console; if not, you might have an issue. Look into it ASAP before it becomes a problem.</li>
<li>Windows Update. Update everything. Every computer should have every critical-rated patch, always. Check out my past post on Autopatcher, and check <a title="baseline" href="http://www.microsoft.com/downloads/details.aspx?FamilyID=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&amp;displaylang=en">this</a> out for an alternative way to investigate the security of your network.</li>
<li>Be a bouncer. Do not allow people to bring in home computers, set up wireless, or connect external hard drives and other strange stuff to the network. They are not on the domain, not subject to Group Policy, and they might not have AV or patches. This is a huge vulnerability that often goes unnoticed, but it is another way to accidentally introduce an infection into a network.</li>
</ul>
<p>April 1st will be interesting at the least. I have taken a ton of precautions so I can just sit back and watch the news all day while my network stands strong.</p>
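<p>A host check for the controls on this list, as an added example that is not part of the original post. It reports whether the MS08-067 update (KB958644) is installed, whether AutoRun is disabled for all drive types (NoDriveTypeAutoRun = 0xFF), which non-administrative shares exist, and the state of the services Conficker is known to stop. Windows 7 shipped with the fix, so the patch check only means something on Windows 2000 through Server 2008. It uses PowerShell 2.0 syntax so it runs on XP.</p>

```powershell
# Added example, not from the original post: check one host for the
# controls in the list above. KB958644 is the update MS08-067 installs;
# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type; the
# services are ones Conficker is documented to stop. PowerShell 2.0 syntax.
function Test-Ms08067Installed {
    # Only meaningful on 2000/XP/2003/Vista/2008; Windows 7 shipped with the fix.
    $fix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB958644' }
    return [bool]$fix
}

function Test-AutoRunDisabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $v = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($v -eq 0xFF)
}

function Get-UserShares {
    # Type 0 is a plain disk share. The admin shares (C$, ADMIN$) carry the
    # 0x80000000 flag and IPC$ is type 0x80000003, so they are skipped here.
    Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 } | Select-Object Name, Path
}

function Get-SecurityServiceState {
    # wuauserv/BITS/WinDefend/wscsvc/ERSvc are stopped by Conficker;
    # SharedAccess (XP) and MpsSvc (Vista+) are the Windows Firewall service.
    foreach ($name in 'wuauserv', 'BITS', 'WinDefend', 'wscsvc', 'ERSvc', 'SharedAccess', 'MpsSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { New-Object PSObject -Property @{ Service = $name; Status = $svc.Status } }
    }
}

function Get-ConfickerReadiness {
    $stopped = @(Get-SecurityServiceState | Where-Object { $_.Status -ne 'Running' } | ForEach-Object { $_.Service })
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        MS08067Patched  = (Test-Ms08067Installed)
        AutoRunDisabled = (Test-AutoRunDisabled)
        UserShares      = (@(Get-UserShares | ForEach-Object { $_.Name }) -join ';')
        StoppedServices = ($stopped -join ';')
    }
}

Get-ConfickerReadiness
```

<p>A host with MS08067Patched false, or with services in StoppedServices that it normally runs, is the one to pull off the network and scan first.</p>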
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/conficker-what-is-it-how-to-prevent-and-clean-it/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Autopatcher, a Better Way of Staying Updated</title>
		<link>http://tehtech.com/autopatcher-a-better-way-of-staying-updated/</link>
		<comments>http://tehtech.com/autopatcher-a-better-way-of-staying-updated/#comments</comments>
		<pubDate>Mon, 15 Mar 2010 16:33:45 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[Updates]]></category>
		<category><![CDATA[Windows update]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=145</guid>
		<description><![CDATA[Today, another really nifty tool for update deployment. Whether you have a computer that missed a few patches, or a fresh install you are trying to catch up to the rest of your network, Autopatcher is an easy solution.  All you have to do is download a little exe and it will connect to Microsoft.com, [...]]]></description>
			<content:encoded><![CDATA[<p>Today, another really nifty tool for update deployment. Whether you have a computer that missed a few patches, or a fresh install you are trying to catch up to the rest of your network, <a title="Autopatcher" href="http://www.autopatcher.com/" target="_blank">Autopatcher</a> is an easy solution. All you have to do is download a little exe and it will connect to Microsoft.com and get the latest patches. When you run the application it automatically determines what the computer is missing. Those are selected for you; check any add-ons you want to install, and away you go. What makes this nifty is that once the patches have been downloaded once, it works offline, so if you have a few computers to update it doesn&#8217;t bottleneck your bandwidth. Even better, it runs off a thumb drive or a network share and does not require installing the patcher application on the client side. It is another solution when you need to process an update quickly, or update a few computers at an office on a low-bandwidth WAN. It is also a substitute for Windows Update that does not require you to go through the validation process. It supports Windows 2000 SP4, Vista, Server 2003 and XP SP3, in a few different languages and on both x86 and x64.</p>
<p><span style="color: black; font-family: Verdana;"><span style="font-size: small;">http://www.autopatcher.com/</span></span></p>
<p><span style="color: black; font-family: Verdana;"><span style="font-size: small;">[ad]</span></span></p>
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/autopatcher-a-better-way-of-staying-updated/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Service Pack 3 Rollout Options Switches and Scripts</title>
		<link>http://tehtech.com/service-pack-3-rollout-options-switches-and-scripts/</link>
		<comments>http://tehtech.com/service-pack-3-rollout-options-switches-and-scripts/#comments</comments>
		<pubDate>Sun, 14 Mar 2010 19:52:12 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Kaseya]]></category>
		<category><![CDATA[Scripts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Updates]]></category>
		<category><![CDATA[cURL]]></category>
		<category><![CDATA[Service Pack 3]]></category>
		<category><![CDATA[Windows update]]></category>
		<category><![CDATA[windowsXP-KB936929-SP3-x86-ENU.exe]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=105</guid>
		<description><![CDATA[Okay so Service Pack 3. Scary I know, I am always wary of big service pack rollouts. However if you don&#8217;t update to SP3, you are open to contracting some nasty bugs. Here are some simple install possibilities if you don&#8217;t have it on your network yet.  I suggest that you take a look at some [...]]]></description>
			<content:encoded><![CDATA[<p>Okay so Service Pack 3. Scary, I know; I am always wary of big service pack rollouts. However, if you don&#8217;t update to SP3, you are open to contracting some nasty bugs. Here are some simple install possibilities if you don&#8217;t have it on your network yet.  I suggest that you take a look at some of the install articles on SP3 and some of the complications people have experienced before doing a mass rollout.  Below are some options that might be helpful to you, but as always, test on a few computers before rolling out to a bunch.  You might also want to check out this <a title="Switches" href="http://techrepublic.com.com/5208-6230-0.html?forumID=102&amp;threadID=262992" target="_blank">link</a> for an explanation of the switches and arguments for installation. In my scripts below the switches I use will force all applications closed, do a backup of the replaced files, and make a log.  A progress window is displayed during the install and at the end the computer is rebooted.  I found this to be the best option for rollouts, as you can see the progress bar to estimate the time remaining, and you have a log and a backup if things go wrong.  I suggest you find the right mix of switches that works for you, though.<br />
<span id="more-105"></span></p>
<p>1. Windows Update:  Works on small networks, though it might not be the best option on any network with more than a few computers.  </p>
<p>2. Network Install:  The file is available from Microsoft <a title="SP3" href="http://download.microsoft.com/download/d/3/0/d30e32d8-418a-469d-b600-f32ce3edf42d/WindowsXP-KB936929-SP3-x86-ENU.exe" target="_blank">here</a>.  Then all you have to do is install it, or script it.   I used this script to accomplish this at a few of my locations.  Note that you can run it over the network, but I like to copy it locally, just in case there is a network failure or I need to rerun it later for some reason.</p>
<div class="box">
<p>title DO NOT CLOSE!!!<br />
color 1f<br />
echo off<br />
rem Map the share that holds the service pack (replace \\Server\sp3 with your own share)<br />
net use x: <span style="color: #ff0000;">\\Server\sp3<br />
</span>md c:\downloads<br />
md c:\downloads\sp3<br />
rem Copy the installer locally so a network failure mid-install does not break it<br />
copy x:\windowsXP-KB936929-SP3-x86-ENU.exe c:\downloads<br />
net use x: /delete<br />
cls<br />
echo AN UPDATE IS INSTALLING ON THIS COMPUTER. DO NOT RESTART OR CLOSE THIS WINDOW. WHEN THE UPDATE IS COMPLETE THE COMPUTER WILL RESTART AUTOMATICALLY.<br />
rem Unattended install: progress bar only, close open apps, back up replaced files to c:\temp\bu, log, then reboot<br />
c:\downloads\WindowsXP-KB936929-SP3-x86-ENU.exe /passive /forcerestart /forceappsclose /d:c:\temp\bu /log:c:\temp\bu\xpsp3.log</p></div>
<p>3. Kaseya with cURL:  This will create a ton of bandwidth usage if you push this to more than a few computers on the same network, as every computer will be downloading it to its local disk.  So I don&#8217;t recommend this for a really large network, and it is also best done at night just so you don&#8217;t get any complaints of slowness.  Also note that you are going to have to have curl on your kserver to make this work.  Check out this post for a quick explanation of <a title="cURL Post" href="http://tehtech.com/?p=47">cURL</a> or just download it <a title="cURL" href="http://curl.haxx.se/">here</a>.   The script will check to see if the computer is running SP3 already; if it is, it will stop. If not, it will download it and run an unattended install followed by a reboot.  </p>
<div class="box">Script Name: sp3 curl<br />
Script Description: Checks the installed service pack level; if it is not SP3, downloads SP3 with curl and runs an unattended install.<br />
IF Check Registry Value<br />
Parameter 1 : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion<br />
= :Service Pack 3<br />
THEN<br />
ELSE<br />
Execute Shell Command<br />
Parameter 1 : md c:\temp<br />
Parameter 2 : 0<br />
OS Type : 8<br />
Execute Shell Command<br />
Parameter 1 : md c:\temp\sp3<br />
Parameter 2 : 0<br />
OS Type : 8<br />
Write File<br />
Parameter 1 : c:\temp\sp3\curl.exe<br />
Parameter 2 : <span style="color: #ff0000;">admin\curl\curl.exe</span><br />
OS Type : 8<br />
Execute File<br />
Parameter 1 : c:\temp\sp3\curl.exe<br />
Parameter 2 : http://download.microsoft.com/download/d/3/0/d30e32d8-418a-469d-b600-f32ce3edf42d/WindowsXP-KB936929-SP3-x86-ENU.exe -o "c:\temp\sp3\WindowsXP-KB936929-SP3-x86-ENU.exe"<br />
Parameter 3 : 3<br />
OS Type : 8<br />
Execute Shell Command<br />
Parameter 1 : c:\temp\sp3\WindowsXP-KB936929-SP3-x86-ENU.exe /passive /forcerestart /forceappsclose /d:c:\temp\bu /log:c:\temp\bu\xpsp3.log<br />
Parameter 2 : 0<br />
OS Type : 8</div>
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/service-pack-3-rollout-options-switches-and-scripts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reset a Local Account Password With VBS</title>
		<link>http://tehtech.com/reset-a-local-account-password-with-vbs/</link>
		<comments>http://tehtech.com/reset-a-local-account-password-with-vbs/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 15:25:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Kaseya]]></category>
		<category><![CDATA[Scripts]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Visual Basic Script (vbs)]]></category>
		<category><![CDATA[Password reset]]></category>

		<guid isPermaLink="false">http://tehtech.com/?p=75</guid>
		<description><![CDATA[Today I added a bunch of old computers with different local admin account passwords to our domain.  So, since I am all for doing things the easy way I came up with a quick script.  I added the computers that I needed the admin account reset on to an active directory OU and applied this [...]]]></description>
			<content:encoded><![CDATA[<p>Today I added a bunch of old computers with different local admin account passwords to our domain.  So, since I am all for doing things the easy way, I came up with a quick script.  I added the computers that I needed the admin account reset on to an Active Directory OU and applied this script.<br />
<span id="more-75"></span></p>
<div class="box">Option Explicit<br />
' On Error Resume Next<br />
' Read the local computer name so the same script works on every machine it is pushed to<br />
Dim objComputer, objWSHNetwork, strComputerName, objUser<br />
Set objWSHNetwork = WScript.CreateObject("WScript.Network")<br />
strComputerName = objWSHNetwork.ComputerName<br />
Set objComputer = GetObject("WinNT://" &amp; strComputerName)<br />
' Bind to the local account through the WinNT ADSI provider (replace accountname)<br />
Set objUser = GetObject("WinNT://" &amp; strComputerName &amp; "/<span style="color: #ff0000;">accountname</span>, user")<br />
' Set the new password (replace password) and commit the change<br />
objUser.SetPassword "<span style="color: #ff0000;">password</span>"<br />
objUser.SetInfo</div>
<p>If you would like to use this with Kaseya, all you have to do is copy the above script and save it as password.vbs. Change the variables to meet your needs and then upload it to the server.  Then just import the script below and change the path of password.vbs to match the path of your file.</p>
<div class="box">Script Name: Password Reset<br />
Script Description: This resets an account password to a password of your choice with no intervention from the user.<br />
THEN<br />
Write File<br />
Parameter 1 : c:\temp\password.vbs<br />
Parameter 2 : admin\VBS\password.vbs<br />
OS Type : 0<br />
Execute File<br />
Parameter 1 : c:\WINDOWS\system32\wscript.exe<br />
Parameter 2 : c:\temp\password.vbs<br />
Parameter 3 : 3<br />
OS Type :</div>
<p>This script pulls the computer name from the computer itself, so it is completely portable.  It can also be used to reset any local account, not just admin accounts, and can be pushed through Active Directory or another script management application like Kaseya or N-able.  Remember that wscript.exe is what handles .vbs files in Windows, so be sure to point the script to the right location (usually c:\windows\system32\wscript.exe).  Just change the above <span style="color: #ff0000;">accountname</span> to match the account you wish to reset and insert the <span style="color: #ff0000;">password</span> you wish to set it to.</p>
]]></content:encoded>
			<wfw:commentRss>http://tehtech.com/reset-a-local-account-password-with-vbs/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
