More or less what we are doing is renaming ntdetect.com to ntdetect.bak. When the computer reboots it will loop until you rename the file back by boot disk like bart pe.

This can also be used in a batch file:

Could be useful for trying to recover stolen computers, data from soon to be fired employees (not giving them the chance to delete things). Or recovering a computer to investigation. You can also use it as an excuse to go visit that cute new secretary…

Issues that I have had:

No reboot: This seems to be the most common issue I encountered. If the patch was installed and the computer was no rebooted you will experience things like not being able to type in text input fields. Rundll32.exe memory dumps, and missing menus and toolbars. To fix this rebooting seems to do the trick.

No Header or title in internet explorer: For some reason I have seen this a few times when the computer went from IE6 to IE8 directly. The browser window will not show any title, and will not allow you to open any menus. The fix I found for this is to give the user account local admin rights and login again. Go through the setup wizard and change the rights back again.

Internet explorer will not open after upgrade: I have seen this a few times. First try running the browser as another user. If it opens, try giving the user that is having issues local admin rights. If this does not fix it I found that recreating the user profile works ( I had to resort to this only twice out of 12 browsers that would not open)

Website Incompatibility: MANY products and websites are not compatibly with internet explorer 8. Microsoft chose not to follow internet conventions when developing the browser so there have been a ton of issues encountered. This is actually so prevalent that Microsoft introduced compatibility view to allow people to render websites in Internet Explorer 7. Check out THIS
Spybot – If you have spybot installed on your computer unfortunately it will not work with internet explorer 8. The people at spybot are working to fix this but the only solution I found as of writing this is to uninstall either IE8 or spybot.

ADP – a very common workflow and payroll management provider. If you are using IE8 you cannot log into ADP unless you view the page in Compatibility Mode.

Centricity – A common medical Practice management software, this does not seem to work at all with IE8 installed. I found uninstalling to be the only option.

Solidworks – a Design and CAD application, once installed IE8 will cause web help to stop functioning as well as some other web based services. Uninstalling IE8 seems to be the best option for this as well.

Quickbooks – IE8 will break the web-help application and case older versions of quickbooks to crash on first load. Again until there is a hotfix uninstalling IE is the best option.

General Browsing – About 2400 websites are not compatible with IE8. A bunch of banking sites and smaller sites do not work or allow for login, most of these are fixed with compatibility view. Some big name sites like amazon.com ebay.com and download.com are having issues with the browser rendering. I list of sites that are not rendered correctly is available HERE. 

Options:

Microsoft seems to have messed up again. The browser does not follow conventions, it does not have nearly all the bugs and kinks worked out. It causes a ton of applications and websites to not work, so much so they included a compatibility option out of the box. It seems hardly finished to me.

That said rollback may be a good option for you. Microsoft allows several uninstall options:

Add and remove programs wizard – This will let you remove the browser and all subsequent patches in one wizard.

Restore – Sometimes it is just too messed up, the uninstaller wont work, or something else goes wrong. By defult the install creates a restore point. This may be a option in some situations to rollback the mess.

Login Script: My favorite! This is what I have been using on some domains to remove it.

Kaseya – It for things like this I love kaseya.

Preventing the patch for reaching your system – Microsoft admits that the patch might not be for everyone. Check out THIS. It included a group policy template to prevent the update from installing via automatic updates, and a login script option that can also be used with kaseya.

Disable UAC:

Enable UAC:

Note that in Vista though this can be run from command line but if you make it a batch file you will have to right click and select ‘run as administrator’

Example Event:

Symptoms: Every third of a second or so there was an event id 333 error logged in the application event log on the server. This would start after the server has been up for a few hours to days and will stop for a period after the server was rebooted. The error occurred so often I was reaching 30,000 instances of the error in 24 hours. About 36 hours after the event started occurring no one was able to login active directory, and to get the server back up it required a manual hard reboot.

 

Things I found on the internet: This error is often caused by lack of resources on the server. Either there is not enough addressable memory, your disk speed it too low, or something is functioning very sub optimally. Everything I found on the internet pointed to checking these:

 

• /3GB  /PAE   and /USERVA switches in the boot ini.  It it worth evaluating if you have these set up right.  More often than not they are not needed at all.  This post on /3gb and /PAE andthis article on /userva

• Check performance. Use process explorer to see if there is something creating a excessive number of threads, or handles.  Use it to monitor tasks and make sure no process is being greedy with CPU time or memory usage.
• Disable Hot add Memory.  This has been useful to me on terminal servers before, though it did not fix my issue I have found a significant number of posts where it did.  Check out this article.
• Out of date firmware and drivers.  This especially goes for RAID controllers and hard disks.  This can often times be really hard to upgrade without breaking the data on your disks.  If you are using a RAID controller with 6 year old firmware, chances are that it is not preforming optimally on your 2 TB RAID 5 configuration.  I would start by upgrading in this path: 1. RAID controller driver     2. Motherboard BIOS    3. Motherboard chipset drivers   4. RAID controller firmware    5.  Hard disk firmware.  Be very careful to check with the vendors before changing firmware on your disks or controller that it is not data destructive.
• Update SQL.  If you are running SQL make sure you have all the updates, and that your memory usage in SQL is not set higher than 1/2 of your total available memory unless it is a detected SQL server.  
• Disk Quotas.  Turn them off, i really don’t think anyone uses them anyways.  If you do make sure you don’t have any service running under a account that is subject to disk quotas.  for example if you have a 500 mb disk quota for all users, and your print spooler is running under a service account.  If a few people print big things, its not going to work and you will get 333 errors among other errors.
• Page File.  Your page file should be 1.5 times your total system RAM.  On a server with 1 gb of RAM you would set this to 1.5 gb, do not allow for system managed pagefile.
• Ntbackup.exe.  This can cause strange system hangs if you are having a issue with VSS, are running SQL, or exchange, or any other application that is very did write intensive.  I found several posts that pointed to nightly systemstate backups as the culprit.  You can disable this temporarily for troubleshooting.  
• Old Antivirus.  Make sure you have the latest scan engine on your antivirus.  There were some examples of people that updated their antivirus and the issue was resolved like magic. 
• Virus/spyware.  This goes with out saying in most cases, but make sure there is nothing sketchy running on your server.

 

My solution:  For me the the solution was pagefile and disk quota.  The page file was system managed and moved to a disk off the primary partition.  This disk had disk quota limitations on it.  When things got intense and the server wanted more disk space for the page file quota management would slap its hand and make it put it back.  This was decreasing my performance and using causing a ton of errors.  I was effectively able to use 1.5gb of my pagefile on a server that was running exchange and SQL.  I turned off disk Quotas and change the pagefile to a set size, since doing this I have had no issues at all.

So I used this with mklnk.exe to make a shortcut on the users desktop, with a lock icon.  Below is the batch file I used.  G: is a network share containing mklnk.exe.

What this does it it passes the arguments user32.dll,LockWorkStation to the rundll32.exe, and the result is a shortcut on the all user desktop called “lock” that uses shell icon 47 (a cute lock graphic).

To use this with kaseya you have to upload mklnk.exe to the kserver, and then import the following script.  Be sure to change the red to match the location you have uploaded mklnk.exe.

1. Download:  Download the path from Microsoft HERE
2. Copy: Copy the ENTIRE contents of your windows CD to a working directory.  Your windows CD must have SP2 already. For this example we will make believe my CD is in my “E” drive and I am working out of a folder called “c:SP3_cd”  I would copy everything from the E drive to c:sp3_cd, this can be done with drag and drop or by using xcopy:
   xcopy /e /r /y  e:*.* c:sp3_cd




3. Integrate:  From command prompt CD to the location of your downloaded SP3 file and run the integrate command.  For my example I will use:
    WINDOWSXP-KB936929-SP3-X86-ENU.exe /integrate:c:sp3_cd
4. Rip: Using a utility called bbie (click HERE) rip the boot sector off your windows CD.  Again from command line navigate to the location of your bbie and simply input the source CD.  To drop a file called “image1.bin” in the same directory as your bbie.exe I would run:
   bbie.exe e:
5. Make: Make a ISO with your folder and boot file.  Use Nero, or Magic iso to burn the contents of your patched CD.  Be sure to use the boot file we created.  Select bootable form them menu.  Alternitivly you can download barpe builder HERE. This package contains a file called mkisofs.exe from command line we can pass it a ton of arguments to make it output a iso. Change the colors to match your paths.
   
   mkisofs.exe -force-uppercase -iso-level 4 -A mkisofs -sysid “dos” -b c:image1.bin -no-emul-boot -boot-load-size 4 -hide “boot.catalog” -o c:SP3.iso c:sp3_cd
6. Rejoice:  If you are like me and install windows a lot this will save you lots of time.  

Note: mkisofs is insanely complex switches.  If you have nero or a application with a GUI to browse to the source, boot image and output it makes it much easier.

http://www.magicaljellybean.com/keyfinder/

Symptoms of the virus are expected to include and have been confirmed to include:

• Services disabling on their own. Namely windows defender, BITS, windows firewall, and some third party antivirus services such as live update.
• Massive increase in network traffic.  Up to a 10-15% increase in total network traffic is expected on infected networks. This is due to attacks on shares and accounts, as well as spreading of the virus and payload.
• Account lockouts reset.  If the virus is on a DC it will dictionary attack the admin account and admin shares, if the account locks out, it will automatically reset the lockout.
• Lastly some or all AV websites, security websites, and windows update sites are inaccessible.  they reply to ping and answer to telnet on port 80, but they are not accessible to any browser.  This appears to be done through a virtual proxy system.

Microsoft has teamed up with ICANN, AOL, Symantec and other big names in computer security and network technologies to attempt to curtail the infestation of the virus.  A $250,000 reward is available for anyone that can provide information leading to the arrest of the coder.  

Microsoft released a patch MS08-067 on october 15th 2008, that fixes this exploit however, it is estimated that about 30% of computers do not have this patch installed.  This patch is available from Microsoft HERE.  The patch is available for windows 2000 sp4 – windows server 2008 with the exception of windows xp service pack 1 (service pack one has reached its end of support).  Windows 7 has the patch integrated in it already.  Many antivirus makers are releasing removal tools for the virus already.  Microsoft has a removal tool available HERE.  And bit defender has a network/domain removal tool HERE.

What you can do to limit and prevent conflicker spread as a network administrator.

• Follow best practice passwords.  Require password that include special characters and are at least 6 characters long.  This makes brute forcing the password very difficult.  
• Turn off all unnecessary network shares.  Any computer on the network that has a opened share is a vulnerability. Check this out to discover shares.
• Turn off auto run.  You don’t need it in most cases.  Turn it off, it allows for the potential execution of code.
• Update antivirus.  Make sure you have the last definitions and scan engine.  Note that sometimes the scan engine is not an auto update and may require manual processing.  Also make sure that all of your computers are showing in the antivirus console.  If not you might have a potential issue.  Look into it ASAP before it becomes a problem.  
• Windows update.  Update everything.  Every computer should have every critical rated patch, always.  Check out my past post on autopatcher, and check this out for a alternative way to investigate the security of your network.
• Be a bouncer.  Do not allow people to bring in home computers, set up wireless, connect external harddrives and other strange stuff to the network.   They are not on the domain, not subject to group policy, and they might not have AV or patches.  This is a huge vulnerability that often goes unnoticed, but it allows for another way to accidently introduce an infection into a network.

April 1st will be interesting at the least.  I have taken a ton of percautions so I can just sit back and watch the news all day while my network stands strong.

For anyone that is not familiar with the command ‘shutdown’, it is a windows/dos function that controlls the the shutdown, logoff and restart of a compiter or server either locally or remotely.

Here are the switches 

Just typing shutdown won’t do anything;  you need arguments. 

• -i   This will display the GUI interface for the shutdown command.  This works well in some cases though you do get more flexability with the command line options.
• -l  This will log off the current session on the computer.  This cannot be used on remote computers though. 
• -s This will turn off the computer, this can be done remotely, but carefull you can’t remotely press the power botton on the front of the box!
• -r  This will restart the local or remote computer.  Usefull stuff.
• -a  This will cancel the shutdown restart or logoff process, this must be used before the shutdown commences (during the countdown).
• -m  This is what allows you to specify the name of the computer you want to perform the action on (shutdown, restart or abort).
• -t  This lets you chose how long you want to display the warning message for in seconds.  You can use ‘-t 0′ to immediatly start the shutdown process with no message displayed.
• -c  This lets you specify the reason that you shutdown or restarted in the event log.  There is a max of 127 chracters for this switch.
• -f  This forces all applications to close with no warning.  This should almost always be used with a remote computer so you dont have a box asking if you would like to shave chnages to ‘untitled.txt’ on the screen instead of it actually rebooting.
• -d  This switch will let you specify the reason for the shutdown using microsoft reason codes. ‘u’ is for user code ‘p’ is for planned and the ‘xx’ is to specify a major reason, while ‘yy’ is to specify a minor reason.

So putting it all together.

This will restart the the computer ‘remotecomputer’  after 60 seconds of displaying the message “reboot required to complete software install”.  To abort the shutdown within 60 seconds, issue the following command.

If the remote shutdown is not working for you remember that if you are in a workgroup the account you are logged in with must exist on, and have administrative rights on the remote computer. If you are on a domain, the user account must have SeRemoteShutdownPrivilege and SeShutdownPrivilege to accomplish this. 

Here are some other interesting notes on this function/script:  It can be batched and run as a scheduled task.  For example, saving the above script as a restart.bat and scheduling it to run at a specified time will give you the ability to reboot a server at whatever time you want. Additionally, shutdown commands can be used via telnet.  You can telnet to a remote computer or server and issue the shutdown command to reboot the target computer.  Lets face it, sometimes you have to install something with administrative rights, but you don’t want to wait for it to finish. So just batch it and add a logoff command right after the install.  I use this all the time when I install office.  I login to a computer with an elevated account, and run a batch file to install office silently with a shutdown -l -t 0 at the end of the batch file, then lock the computer.  The install will finish and the account will logoff, its a useful little trick. Lastly with Kaseya; since this is directly a shell command you can issue it with just a few steps. 
 

Script Description: Shutdown the computer using Shutdown.exe

IF True 

THEN

   Execute Shell Command

     Parameter 1 : shutdown -s -f -t 1 -c “Setup complete”

     Parameter 2 : 0

         OS Type : 0

ELSE

Change the red to match your needs and away you go.

http://www.devolutions.net/products/remotedesktopmanager.aspx

And no I have no affiliation with them, just a good chunk of code