Attack from the ’90s resurfaces more deadly than before

Source: Windows Flaw Reveals Microsoft Account Passwords, VPN Credentials

TL;DR: block LAN->WAN port 445

Note this won’t affect web-dav shares like \live.sysinternals.com\DavWWWRoot as that uses ports 443 and 80.

–jeroen

via:

• TIL NTLM Auth is still a thing, still broken and at the core of all Microsoft properties, including Skype. And that is why we can’t have nice things. – Kristian Köhntopp – Google+
• TIL NTLM Auth is still a thing, still broken and at the core of all Microsoft properties, including Skype. And that is why we can’t have nice things. – Jeroen Wiert Pluimers – Google+

Sometimes RDP limits you to 2048 pixels vertical (or 4096 pixels horizontal)

Just found out why on some Windows versions, the RDP sessions form my 4K monitor has some small black bands on top/bottom: older versions of Windows limit their RDP server to 4096 x 2048.

A 4K monitor will not hit the width limit (as 4K cheats: it is usually “just” 3840 pixels wide), but it does hit the height limitation (2160 is slightly more than 2048: you miss 112 pixels that show as two small black bands).

A 5K monitor is worse: it will hit both limits (5K does not cheat: at 5120 × 2880 it is exactly 5*1024 pixels wide) so you miss 124 pixels horizontally and a whopping 832 pixels vertically.

Don’t buy a 5K monitor yet if you do a lot of RDP work to older Windows versions.

The link below has a table listing various Windows versions, but it omits end-of-life versions so I’ve done some testing: Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2003 R2 share the same limitations as Windows Server 2008 most likely because their latest service packs share the same RDP 6.1 version.

I updated this in the table:

Destination Endpoint	Remote Desktop Protocol Version	Max Resolution Per Monitor	Max Virtual Desktop Limit	RemoteFX vGPU max resolution (guest VM)
Windows XP SP3	RDP 6.1	4096 (w) x 2048 (h)	4096 (w) x 2048 (h)	N/A
Windows Server 2003 SP2	RDP 6.1	4096 (w) x 2048 (h)	4096 (w) x 2048 (h)	N/A
Windows Server 2003 R2	RDP 6.1	4096 (w) x 2048 (h)	4096 (w) x 2048 (h)	N/A
Windows Vista SP1	RDP 6.1	4096 (w) x 2048 (h)	4096 (w) x 2048 (h)	N/A
Windows Server 2008	RDP 6.1	4096 (w) x 2048 (h)	4096 (w) x 2048 (h)	N/A
Windows Server 2008 R2	RDP 7.0	4096 (w) x 2048 (h)	32766 x 32766	N/A
Windows 7 SP1	RDP 7.1	4096 (w) x 2048 (h)	32766 x 32766	vGPU: 1920×1200 (2 monitors)
Windows Server 2012	RDP 8.0	8192 x 8192	32766 x 32766	N/A
Windows 8	RDP 8.0	8192 x 8192	32766 x 32766	vGPU: 2560×1600 (2 monitors)
Windows Server 2012 R2	RDP 8.1	8192 x 8192	32766 x 32766	N/A
Windows 8.1	RDP 8.1	8192 x 8192	32766 x 32766	vGPU: 2560×1600 (2 monitors)
Windows Server 2016	RDP 10	8192 x 8192	32766 x 32766	vGPU: 4K (1 monitor)
Windows 10	RDP 10	8192 x 8192	32766 x 32766	vGPU: 4K (1 monitor)

–jeroen

Via: Remote Desktop Protocol Maximum Supported Resolutions – TechNet Articles – United States (English) – TechNet Wiki

With the increasing number of devices, it really helps to expand all nodes in the Device Manager’s tree view.

You cannot do this with the mouse, as none of the menu options contain an “Expand All” option.

But since the treeview, is the built-in Windows treeview (used in many places, like Windows explorer), you can use these shortcuts to expand/collapse nodes:

• Numeric Keypad *: Expands everything under the current selection
• Numeric Keypad +: Expands the current selection
• Numeric Keypad -: Collapses the current selection.
• RIGHT ARROW: Expands the current selection if it is not expanded, otherwise goes to the first child
• LEFT ARROW: Collapses the current selection if it is expanded, otherwise goes to the parent

This not only works in Microsoft Windows 7: Visual … – Google Books, I think it has been introduced as far back as Windows 95.

–jeroen

I wrote two tiny batch files that would dump the environment variables from the registry.

Various reasons:

1. Environment variables can be stored in two contexts: System and User (SET will show them all at once and for instance combine PATH up to 1920 characters).
2. Environment variables can be set to auto-expand or not, which you cannot see from a SET command (REG_EXPAND_SZ versus REG_SZ).

show-user-environment-variables.bat:

reg query "HKCU\Environment"

show-system-environment-variables.bat:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

Filtered results:

User:

HKEY_CURRENT_USER\Environment
    Path    REG_SZ    D:\bin;C:\Windows\SysWOW64
    TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
    TMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp

System:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    NUMBER_OF_PROCESSORS    REG_SZ    4
    OS    REG_SZ    Windows_NT
    Path    REG_SZ    C:\Windows\Microsoft.NET\Framework\v1.1.4322\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
    PATHEXT    REG_SZ    .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE    REG_SZ    AMD64
    PROCESSOR_IDENTIFIER    REG_SZ    Intel64 Family 6 Model 58 Stepping 9, GenuineIntel
    PROCESSOR_LEVEL    REG_SZ    6
    PROCESSOR_REVISION    REG_SZ    3a09
    TEMP    REG_EXPAND_SZ    %SystemRoot%\TEMP
    TMP    REG_EXPAND_SZ    %SystemRoot%\TEMP
    USERNAME    REG_SZ    SYSTEM
    windir    REG_EXPAND_SZ    %SystemRoot%

PATH, TEMP, TMP:

PATH=C:\Windows\Microsoft.NET\Framework\v1.1.4322\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;D:\bin;C:\Windows\SysWOW64
TEMP=C:\Users\jeroenpluimers\AppData\Local\Temp
TMP=C:\Users\jeroenpluimers\AppData\Local\Temp

–jeroen

via:

• Where are environment variables stored in registry? – Stack Overflow.
• How to Use Environment Variables in Windows XP.

Slightly updated the answer the /D Y part will recursively accept taking ownership when directory listing is denied in the permissions:

To fix really broken permissions, the best is to run these two commands one after the other:

takeown /F /D Y "C:\path\to\folder" /R
icacls "C:\path\to\folder" /reset /T

The first one will give you ownership of all the files, however that might not be enough, for example if all the files have the read/write/exec permissions set to “deny”. You own the files but still cannot do anything with them.

In that case, run the second command, which will fix the broken permissions.

via: permissions – recursively change owner windows 7 – Super User

–jeroen

Windows Search: Windows.edb

If you use Windows Search (I don’t: I use Everything by VoidTools), your Windows.edb can grow ridiculously large. It is a single file, though it appears to be in two places because there is a symbolic link from C:\Users\All Users to C:\ProgramData :

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb


This is how to reduce its size:

How to offline defrag the index

1. Change the Windows Search service so that it does not automatically start. To do this, run the following command in cmd.exe:

   sc config wsearch start=disabled

2. Run the following command to stop the Windows Search service:

   net stop wsearch

3. Run the following command to perform offline compaction of the Windows.edb file:

   esentutl.exe /d %AllUsersProfile%\Microsoft\Search\Data\Applications\Windows\Windows.edb

4. Run the following command to change the Windows Search service to delayed start:

   sc config wsearch start=delayed-auto

5. Run the following command to start the service:

   net start wsearch

Notes:

1. I did not perform the last 2 steps as I’ve kept Windows Search disabled.
2. If you want to reduce the size of the C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\ directory:
   1. Before step 1, choose what kind of Windows Search indexing options you want
   2. Between step 3 and 4, delete the directory

Windows Update: DataStore.edb

Windows Update uses the same database structure and is a single file:

C:\Windows\SoftwareDistribution\DataStore\DataStore.edb

This is how I reduced its size:

net stop wuauserv
net stop bits
esentutl.exe /d C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
net start bits
net start wuauserv

Talking about Windows Update: you might also want to Clean Up the WinSxS Folder

–jeroen

In addition to the two methods mentioned at Two Quick Methods for Finding Shared Folders in Windows (use net share or compmgmt.msc) I like this one:

fsmgmt.msc

It directly gets you to the “Shared Folders” inside compmgmt.msc

–jeroen

Source:

History repeating itself: [Archive.is] 31607 – C:\nul\nul crashes/BSOD then, now it’s this:

• [WayBack] A bug in NTFS, or hang the entire system / Blog Aladdin RD / Habrahabr
• [WayBack] Баг в NTFS, или как подвесить всю систему / Блог компании Аладдин Р.Д. / Хабрахабр
• [WayBack] In a throwback to the ’90s, NTFS bug lets anyone hang or crash Windows 7, 8.1 | Ars Technica UK
• [WayBack] NTFS bug allows any website to crash Windows 7, 8.1

Via:

• [WayBack] NTFS bug allows any website to crash Windows 7, 8.1Users of older versions of Windows aren’t having the best time of it lately. Last week it was disco… – BetaNews – Google+
• [WayBack] Writing solid code is really hard these days … – Lars Fosdal – Google+

All versions prior to Windows 10 and Windows Server 2016 seem vulnerable.

So add $MFT to this list:

The following device names have been known to render a system unstable: CON,
NUL, AUX, PRN, CLOCK$, COMx, LPT1, and CONFIG$.

Oh BTW: history repeated itself this year too. With NUL

In short, Steven Sheldon created a rust package named nul which broke the complete package manager on Windows:

• [WayBack] How I Broke Rust’s Package Manager for All Windows Users – sasheldon.com
• [WayBack] I Broke Rusts Package Manager for Windows Users | Hacker News
• [WayBack] I think a crate called ‘nul’ is causing errors for cargo (windows).
• [WayBack] @bstrie: @sheldonut Hi Steven, Rust team here :) We’re having some technical difficulties with the name of one of your crates… feel free to DM
• [WayBack] Null character – Wikipedia
• [WayBack] IRC Logs for #rust-internals | BotBot.me [o__o] – 2017-04-30 – 84953638 – page 4
• [WayBack] List of software package management systems – Wikipedia: Application-level package managers
• [WayBack] I think the name of this project causes issues for windows users. · Issue #1 · SSheldon/nul
  • When cargo updates its crates.io registry, it creates a file for each crate, no extension, just the name.The name nul is not a valid name in windows 10, so cargo fails to update the registry, and then aborts whatever it was doing (building, searching, ect.).

    I think this project should be re-published to crates.io under a new name, something like null-strings perhaps?

• [WayBack] Fresh install unable to install anything · Issue #3982 · rust-lang/cargo
  • Here is what I see with verbose. I get this trying to install clippy or rustfmt. I assume I would get it with other crates.Updating registry https://github.com/rust-lang/crates.io-index
    error: [20/-1] Cannot checkout to invalid path ‘3/n/nul’
• [WayBack] IRC Logs for #rust | BotBot.me [o__o] – 2017-04-30 – msg 84953614 – page=19
• [WayBack] What’s the deal with those reserved filenames like NUL and CON? – The Old New Thing
• The solution: [WayBack] Reserve windows crate names. by withoutboats · Pull Request #695 · rust-lang/crates.io
• [WayBack] @withoutboats boats ✨ on Twitter: “I thought Rust was supposed to prevent nul errors! ;-)”

BTW: one of my gripes on learning new languages is that they come with a whole new idiom of their ecosystem: rust, cargo, crates, all sound like being a truck mechanic to me.

–jeroen

Brilliant:

This is small tool that adds Attach and Detach option to contextual (aka right-click) menu of Virtual disk (vhd) files. That enables those operations to be done without trip to Disk Management console. Detach option is available on hard drive contextual menu also (if selected in options).

Source:

• VHD Attach 4.11 – Medo’s Home Page
• medo64/VhdAttach: A small tool that allows for easy virtual disk attach/detach and auto-mount.

–jeroen

Source: The Most Common VPN Error Codes Explained

1. VPN Error 800 “Unable to establish connection”
2. VPN Error 619 “A connection to the remote computer could not be established”
3. VPN Error 51 “Unable to communicate with the VPN subsystem”
4. VPN Error 412 “The remote peer is no longer responding”
5. VPN Error 721 “The remote computer did not respond”
6. VPN Error 720 “No PPP control protocols configured”
7. VPN Error 691 “Access denied because username and/or password is invalid on the domain”
8. VPN Errors 812, 732 and 734 “The connection was prevented because of a policy configured on your RAS/VPN server”
9. VPN Error 806 “A connection between your computer and the VPN server has been established but the VPN connection cannot be completed.”

–jeroen

via: Could be useful. – Joe C. Hecht – Google+

From a batch-file I recently had to start Windows Explorer, at the same time select a specific file or directory.

This turned out pretty easy: use the /select command-line switch from Windows Explorer.

In fact, Windows Explorer has a few command-line switches, and the “explorer” commandline parameters “/n” “/e” “/select” “/root” “/start” site:microsoft.com query will find quite a few topics about it:

• Windows NT 4 through Windows 2000
• Windows 95 through Windows ME
• Windows XP
• Windows XP including x64
• Windows 2000 (which also mentions the ::{GUID} syntax of specifying the object to show)

The fun is: the Windows Explorer command-line syntax has been consistent since Windows 95:
Syntax:

• explorer [/n] [/e][,/root,object][[,/select],subobject]

Parameters:

• /n
  Always open a new window (even if the specified folder is already open).
• /e
  Use Windows Explorer view. The default is Open view.
• /root, object
  Specify the object in the normal namespace that will be used as the root of this Windows Explorer Folder. The default is to just use the normal namespace root (the desktop).
• subobject
  Specify the folder to receive the initial focus unless /select is used. The default is the root.
• /select
  Specifies that the parent folder is opened and the specified object is selected.

So: the solution was easy:

explorer /select,%FileNameToSelect%

or (note the comma after the /e)

explorer /e,/select,%FileNameToSelect%

Note that this syntax will not select the file, but in stead try to open the default application for FileNameToStart:

explorer %FileNameToStart%

–jeroen

For my link archive: Can I invoke Windows Update from the command line? – Super User [WayBack]

–jeroen

schtasks /End [/S <system> [/U <username> [/P [<password>]]]] /TN taskname

[WayBack] End a Running Task

Every now and then you have those Scheduled Tasks consisting of batch files that – despite trying – still ask for user input.

If – even after a reasonable time out – the Task Scheduler still hasn’t killed them, you can kill them by hand with the above schtasks in a snap.

–jeroen

For shrinking VM disk images, it’s important to consolidate NTFS free space towards the end of the this.

I’ve tried many tools, starting with defrag C: /X (which tries, but doesn’t give good results) and found out these steps give the best results:

1. Perform an Ultradefrag full optimisation,
2. Perform a MyDefrag Consolidate free space script on the drive.

If shrinking still fails then:

1. Try the Ultradefrag at boot time
2. Verify what kind of file(s) prevent shrinking: they show up in red after the MyDefrag session:
   1. Zoom in them (they can initially as small as 1 red pixel) by clicking on or near them, repeating the zoom long enough so you can hover over with the mouse and the lower part of the screen shows a filename like  where you cannot find much information about “$badclus:$bad:$data” but appear to be clusters marked as bad on NTFS level using something like chkdsk /B.
   2. If it was a bad sector like above, then try to resolve it with [WayBack] ntfsfix which ships with GParted live boot:
      1. boot a [WayBack] GParted — Live CD/USB/PXE/HD drive,
      2. run GParted to see the drive path (for instance /dev/sda1)
      3. start a terminal
      4. run this command:
         ntfsfix -b /dev/sda1
         which will give output like this:

         Mounting volume... OK
         Processing of $MFT and $MFTMirr completed successfully.
         Checking the alternate boot sector... OK
         NTFS volume version is 3.1.
         Going to un-mark the bad clusters ($BadClus)... OK
         NTFS partition /dev/sda1 was processed successfully.

      5. boot back into Windows
      6. on an administrative command prompt run this for the affected drive letter:
         chkdsk D: /B
         (reboot if needed)
3. Shrink the drive using diskmgmt.msc

If you still cannot shrink, then try [WayBack] http://ftp.raxco.com/pub/download/pd14.0/pd14.0_pro.exe PerfectDisk by Raxco free trial.

Note:

MyDefrag (formerly named JkDefrag) is not maintained any more but the 4.3.1 version in the WayBack machine still works very well as the underlying defragmentation APIs in Windows haven’t changed.

References:

• [WayBack] UltraDefrag – An Open Source Defragmenter
• [WayBack: MyDefrag v4.3.1]
• [WayBack] MyDefrag – Wikipedia
• [WayBack] Defragmenting Files (Windows)
• [WayBack] The Challenge of Defragmenting an NTFS Partition | Systems Management content from Windows IT Pro
• [WayBack] windows – How do you defragment the MFT on an NTFS disk? – Super User
• [WayBack] hard drive – defrag /x – consolidate free space not really working – Windows Server 2012 – Server Fault

For FAT32:

• [WayBack] hard drive – how to fully consolidate freespace on a defragmented HD – Super User

For GParted / ntfsfix:

• GParted ships with a [WayBack] truckload of file system support including NTFS support (and tools like ntfsfix)
  • I’ve put the [WayBack] GParted — Live CD/USB/PXE/HD on USB via TuxBoot as per instructions at [WayBack] GParted Live on USB
  • Tuxboot helps you to create a bootable Live USB drive for Clonezilla live, DRBL live, Gparted live and tux2live.
    • Download: [WayBack] tuxboot – Browse /0.8/Windows at SourceForge.net
    • [WayBack] Tuxboot – Installation
    • [WayBack] Tuxboot – About
  • The safest version of GParted to download is the i686 version: it works on all processor architectures. Download from [WayBack] GParted — Download.
  • The graphical X environment around GParted often has problems with graphics cards, use the safe boot options that uses VGA mode. Not nice, but very effective
  • You can use GParted to do resizing as well, but if you have a bad sector, then it refuses to do so: [WayBack] [SOLVED]How do I reduce an NTFS system partition with Gparted-live? (Page 1) — Live Media — GParted forum:
    • The volume in the Gparted window shows an exclamation mark in a yellow triangle, and info says:Unable to read the contents of this file system!
      Because of this some operations may be unavailable.The cause might be a missing software package.
      The following list of software packages is required for ntfs file system support: ntfsprogs / ntfs-3g.
    • This command from the terminal will show you if there are bad sectors:

      sudo ntfsresize --info --force --no-progress-bar /path-to-your-ntfs-partition

    • When that happens, us the ntfsfix above to try and fix it.
• [WayBack] partitioning – Removing a bad sector from an NTFS partition. Badblocks gave me an output. now what? – Ask Ubuntu (thanks [WayBack] Mina Michael)

PerfectDisk via:

• [WayBack] ntfs – How do I move the physical location of $MFTMirr, to allow resizing the partition? – Server Fault
• [WayBack] windows – Resizing volume with DiskPart unsuccessful, while there’s enough free space – Server Fault
• WayBack: Tip: How to shrink a volume beyond half its size using DiskPart or Disk Manager regardless of Microsoft’s NTFS restrictions and $MFTMirr | Under My Hat

–jeroen

Here’s how you can find out when your domain password will expire.

net user %USERNAME% /domain

It figures this out for the current logon domain (so it doesn’t work cross-domain) but it is a great help, especially when filtering out just the password information:

net user %USERNAME% /domain | findstr "Password"

This can be done in a more complex way with dsquery or adinfo that are tools to query

Getting dsquery from Micrsoft

When not running on a domain controller you need to install them locally. I mentioned “Windows Server Resource Kit tools” in batch files: getting information from your Windows AD but that was when working at a client that back then was still in the XP / Windows Server 2003 R2 era.

For more modern Windows versions, you get it here (and each takes at least 20 minutes to install even on fast hardware with SSD storage):

• Windows 7: [WayBack] Download Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1) from Official Microsoft Download Center
  • x64/Win64[WayBack] https://download.microsoft.com/download/4/F/7/4F71806A-1C56-4EF2-9B4F-9870C4CFD2EE/Windows6.1-KB958830-x64-RefreshPkg.msu
  • x86/Win32[WayBack] https://download.microsoft.com/download/4/F/7/4F71806A-1C56-4EF2-9B4F-9870C4CFD2EE/Windows6.1-KB958830-x86-RefreshPkg.msu
• Windows 8: [WayBack] Download Remote Server Administration Tools for Windows 8 from Official Microsoft Download Center
  • x64/Win64 [WayBack] https://download.microsoft.com/download/4/3/F/43FAC524-F605-426E-A2AE-EAD03D264FDE/Windows6.2-KB2693643-x64.msu
  • x86/Win32 [WayBack] https://download.microsoft.com/download/4/3/F/43FAC524-F605-426E-A2AE-EAD03D264FDE/Windows6.2-KB2693643-x86.msu
• Windows 10: [WayBack] Download Remote Server Administration Tools for Windows 10 from Official Microsoft Download Center
  • x64/Win64 [WayBack] https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS2016-x64.msu
  • x86/Win32 [WayBack] https://download.microsoft.com/download/1/D/8/1D8B5022-5477-4B9A-8104-6A71FF9D98AB/WindowsTH-RSAT_WS2016-x86.msu

(sort of thanks to [WayBack] Where can I get dsquery and other tools useful for debugging Active Directory issues? – Stack Overflow as [WayBack] Eelco managed to have the blog entry he referenced vanish from the internet).

Getting adinfo from Joeware

Joeware has some interesting 3rd party active directory tools many of which started out earlier than dsquery [WayBack] Free Tools:

• [WayBack] AdFind Command line Active Directory query tool. Mixture of ldapsearch, search.vbs, ldp, dsquery, and dsget tools with a ton of other cool features thrown in for good measure.
  • [WayBack] http://www.joeware.net/downloads/files/AdFind.zip
• [WayBack] AdMod Command line Active Directory modification tool. This is the natural extension to AdFind. I was primarily prompted by dsmod,dsmove,dsrm.exe not being what I wanted them to be when I wanted them to be.
  • [WayBack] http://www.joeware.net/downloads/files/AdMod.zip
• [WayBack] AdQueueLoop Command line tool to watch Active Directory Replication Queue.
  • [WayBack] http://www.joeware.net/downloads/files/AdQueueLoop.zip
• [WayBack] ATSN Command line Active Directory query tool. Converts IP addresses to subnet/site info. You can specify which DC you want to do the resolution of IP addresses to subnet/site names.
  • [WayBack] http://www.joeware.net/downloads/files/ATSN.zip
• [WayBack] ExchMbx Command line tool for doing various Exchange tasks such as mail enabling/disabling users, contacts, groups. Mailbox enabling/disabling users. Moving mailboxes.
  • [WayBack] http://www.joeware.net/downloads/files/ExchMbx.zip
• [WayBack] FindExpAcc Command line Active Directory query tool to find expired accounts. This will find accounts that are expired or accounts with expired passwords.
  • [WayBack] http://www.joeware.net/downloads/files/FindExpAcc.zip
• [Wayback] GCChk The is a quick and dirty command line tool to locate active directory consistency issues. It will pick up missing GUIDs, objects in the GCs that may be lingering.
  • [WayBack] http://www.joeware.net/downloads/files/GCChk.zip
• [WayBack] MachinePwd Command line tool to change machine account passwords on the local machine to reset secure channels when broken.
  • [WayBack] http://www.joeware.net/downloads/files/MachinePwd.zip
• [WayBack] MemberOf Command line Active Directory query tool to determine what groups a user is in. As of  V02.02.00 it will also check the membership of computers and groups as well.
  • [WayBack] http://www.joeware.net/downloads/files/MemberOf.zip
• [WayBack] OldCmp Command line Active Directory query tool. Primarily used to find and cleanup old computer accounts that haven’t been used. Can also be used to clean up user accounts when the proper filter is specified.
  • [WayBack] http://www.joeware.net/downloads/files/OldCmp.zip
• [WayBack] PSOMgr Command line tool to manage Fine Grain Password Policy Password Settings Objects in Longhorn Server and Domain Password Policy for any version Active Directory Domain.
  • [WayBack] http://www.joeware.net/downloads/files/PSOMgr.zip
• [WayBack] SecData Command line Active Directory query tool to pull some of the important security attributes for user and computer objects and output in CSV format. I have seen a large number of scripts taking advantage of this tool
  • [WayBack] http://www.joeware.net/downloads/files/SecData.zip
• [WayBack] Unlock Command line Active Directory unlock tool. Will show you currently locked accounts and unlock accounts. One simple command to unlock all locked accounts in a domain.
  • [WayBack] http://www.joeware.net/downloads/files/Unlock.zip
• [WayBack] UserName Command line tool to output current user’s DN as well as other userid formats.
  • [WayBack] http://www.joeware.net/downloads/files/UserName.zip

–jeroen

Source: Finding out when your domain password will expire :: Active Directory :: Admin Tips :: Windows 7 :: Windows Server 2012/2008/2003/2000/XP/NT Administrator Knowledge Base :: KBase Tips :: WindowsNetworking.com

This seems to work on other Windows versions as well: [WayBack] Windows 10 auto-logout on <5 minutes of inactivity – Super User

About a year ago, [WayBack] Rumors of Cmd’s death have been greatly exaggerated – Windows Command Line Tools For Developers got published as a response to confusing posts like these:

• [WayBack] Say goodbye to the MS-DOS command prompt | Computerworld
• [WayBack] Follow-up: MS-DOS lives on after all | Computerworld

But I still think it’s a wise idea to switch away from the Cmd and to PowerShell as with PowerShell you get way more consistent language features, far better documentation, truckloads of new features (of which I like the object pipeline and .NET interoperability most) and far fewer quirks.

It’s time as well, as by now, Windows 7 has been EOL for a while, and Windows 8.x is in extended support: [WayBack] Windows lifecycle fact sheet – Windows Help:

Client operating systems	Latest update or service pack	End of mainstream support	End of extended support
Windows XP	Service Pack 3	April 14, 2009	April 8, 2014
Windows Vista	Service Pack 2	April 10, 2012	April 11, 2017
Windows 7*	Service Pack 1	January 13, 2015	January 14, 2020
Windows 8	Windows 8.1	January 9, 2018	January 10, 2023
Windows 10, released in July 2015**	N/A	October 13, 2020	October 14, 2025

Which means the PowerShell version baseline on supported Windows versions is at least 4.0: [Archive.is] windows 10 powershell version – Google Search and [WayBack] PowerShell versions and their Windows version – 4sysops

PowerShell and Windows versions ^

PowerShell Version	Release Date	Default Windows Versions
PowerShell 2.0	October 2009	Windows 7 Windows Server 2008 R2 (**)
PowerShell 3.0	September 2012	Windows 8 Windows Server 2012
PowerShell 4.0	October 2013	Windows 8.1 Windows Server 2012 R2
PowerShell 5.0	April 2014 (***)	Windows 10

So try PowerShell now. You won’t regret it.

–jeroen

via: [WayBack] Very interesting clear-up post and comments on CMD, command.com, PowerShell in past and future DOS/Windows versions and Unix shells altogether. – Ilya S – Google+

Interesting: [Ardhive.is] Use Software Restriction Policies to block viruses and malware | Branko Vucinec

via: [WayBack] Ransomware treft Tweede Kamer – Malware versleutelt overheidsbestanden – IT Pro – Nieuws – Tweakers

–jeroen

If you get the below error, then your RDP target server needs to be patched.

You can choose to stay vulnerable and modify your policy or registry settings as explained in the first linked article below: that is a temporary “workaround” which I do not recommend. Please update your RDP target servers in stead.

English:

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer: rdp.example.org
This could be due to CredSSP-encryption Oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

[OK]

Dutch:

[Window Title]
Verbinding met extern bureaublad

[Content]
Er is een verificatiefout opgetreden.
De aangevraagde functie wordt niet ondersteund

Externe computer: rdp.example.org
Dit kan zijn veroorzaakt door CredSSP-versleuteling voor Oracle-herstel.
Zie voor meer informatie https://go.microsoft.com/fwlink/?linkid=866660

[OK]

The link go.microsoft.com/fwlink/?linkid=866660 brings you to [WayBack] CredSSP updates for CVE-2018-0886

It affects these Windows versions:

Applies to: Windows Server 2016, Windows Server 2012 R2 Standard, Windows Server 2012 Standard, Windows 8.1, Windows 10, Windows 7, Windows 10 Version 1511, Windows 10 Version 1607, Windows 10 Version 1703, Windows 10 version 1709, Windows Server 2016, Windows Server 2008 R2 Standard, Windows Server 2008 Foundation, Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 Service Pack 2, Windows Server 2008 Datacenter, Windows Server 2008 for Itanium-Based Systems, Windows Server 2008 Datacenter without Hyper-V, Windows Server 2008 Enterprise, Windows Server 2016 Standard, Windows Server 2016 Essentials, Windows Server 2016 Datacenter, Windows Server Datacenter Core, Windows Server Standard Core, Windows Vista Service Pack 2, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Web Server 2008 R2, Windows 7 Enterprise, Windows 7 Ultimate, Windows 7 Starter, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Home Basic, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Service Pack 1, Windows 7 Service Pack 1, Windows Server 2012 Essentials, Windows Server 2012 Datacenter, Windows Server 2012 Foundation, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows RT 8.1, Windows Server 2012 R2 Foundation, Windows 8.1 Pro, Windows 8.1 Enterprise, Windows Web Server 2008, Windows Server 2008 Standard

The initial patch has been rolled out in March 2018, the patch enforcing the use of the patches in May 2018 as per [Archive.is] CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability:

Revisions

Version	Date	Description
1.0	03/13/2018	Information published.
2.0	05/08/2018	Microsoft is releasing new Windows security updates to address this CVE on May 8, 2018. The updates released in March did not enforce the new version of the Credential Security Support Provider protocol. These security updates do make the new version mandatory. For more information see “CredSSP updates for CVE-2018-0886” located at https://support.microsoft.com/en-us/help/4093492.
3.0	05/18/2018	In the Affected Products table, reverted the security update entries for Windows 10 Version 1511 back to the March security update (4088779) because a May 2018 update is not available for this version. See the FAQ section for more information about how to be protected from this vulnerability if you are running Windows 10 Version 1511.

Related:

• [WayBack] CVE – CVE-2018-0886
• [WayBack] Problems with CredSSP updates CVE-2018-0886 breaking RDP connections @ AskWoody

–jeroen

At a client that still runs Windows Server 2003 (despite the fact that it is in the extended support phase now), I needed to enable automatic logon (one of the tools they run sometimes fails when nobody is logged on).

This was a bit more tricky than just reading [WayBack] How to turn on automatic logon in Windows (now at How to turn on automatic logon in Windows) and following these steps:

To use Registry Editor (Regedt32.exe) to turn on automatic logon, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type Regedt32.exe, and then press ENTER.
3. Locate the following subkey in the registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4. Double-click the DefaultUserName entry, type your user name, and then click OK.
5. Double-click the DefaultPassword entry, type your password, and then click OK.NOTE: If the DefaultPassword value does not exist, it must be added. To add the value, follow these steps:
   1. On the Edit menu, click New, and then point to String Value.
   2. Type DefaultPassword, and then press ENTER.
   3. Double-click DefaultPassword.
   4. In the Edit String dialog, type your password and then click OK.

   NOTE: If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.

6. On the Edit menu, click New, and then point to String Value.
7. Type AutoAdminLogon, and then press ENTER.
8. Double-click AutoAdminLogon.
9. In the Edit String dialog box, type 1 and then click OK.
10. Quit Registry Editor.
11. Click Start, click Shutdown, and then type a reason in the Comment text box.
12. Click OK to turn off your computer.
13. Restart your computer. You can now log on automatically.

Since this depends on some registry settings, you need to make sure they are actually set.
And logging on as someone else will reset the DefaultUserName registry setting.

The article points to another article on “AutoAdminLogon looses DefaultUserName” to solve this using REGINI (and optionally REGDMP which can provide sample output for REGINI), but there is a much easier solution using RegEdit which – as Rob van der Woude points out – can be used unattended as well (besides: REGDMP cannot be downloaded any more, and REGINI requires an additional download).

This is how to do force the DefaultUserName to be reset after logon using RegEdit:

1. Open an explorer Window in “%ALLUSERSPROFILE%\Start Menu\Programs\Startup“
2. Create a batch file “run-RegEdit-DefaultUserName.bat” there with this content:
   regedit /s Administrator-DefaultUserName.bat
3. Create a text file “Administrator-DefaultUserName.reg” in the same directory with content like this:
   Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"

Replace “Administrator” with the username you are actually using.

–jeroen

Via: How to turn on automatic logon in Windows.

Updated information from

Use Registry Editor to turn on automatic logon

---

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

To use Registry Editor to turn on automatic logon, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type Regedt32.exe, and then press Enter.
3. Locate the following subkey in the registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4. Double-click the DefaultUserName entry, type your user name, and then click OK.
5. Double-click the DefaultPassword entry, type your password, and then click OK.Note If the DefaultPassword value does not exist, it must be added. To add the value, follow these steps:
   1. On the Edit menu, click New, and then point to String Value.
   2. Type DefaultPassword, and then press Enter.
   3. Double-click DefaultPassword.
   4. In the Edit String dialog, type your password and then click OK.

   Note If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.

6. On the Edit menu, click New, and then point to String Value.
7. Type AutoAdminLogon, and then press Enter.
8. Double-click AutoAdminLogon.
9. In the Edit String dialog box, type 1 and then click OK.
10. If you have joined the computer to a domain, you should add the DefaultDomain value, and the data for the value should be set as the fully qualified domain name (FQDN) of the domain.
11. Exit Registry Editor.
12. Click Start, click Shutdown, and then type a reason in the Comment text box.
13. Click OK to turn off your computer.
14. Restart your computer. You can now log on automatically.

Notes

• To bypass the AutoAdminLogon process and to log on as a different user, press and hold the Shift key after you log off or after Windows restarts.
• This registry change does not work if the Logon Banner value is defined on the server either by a Group Policy object (GPO) or by a local policy. When the policy is changed so that it does not affect the computer, the autologon feature works as expected.
• When Exchange Active Sync (EAS) password restrictions are active, the autologon feature does not work. This behavior is by design. This behavior is caused by a change in Windows 8.1 and does not affect Windows 8 or earlier versions. To work around this behavior in Windows 8.1 and later versions, remove the EAS policies in Control Panel.
• An interactive console logon that has a different user on the server changes the DefaultUserName registry entry as the last logged-on user indicator. AutoAdminLogon relies on the DefaultUserName entry to match the user and password. Therefore, AutoAdminLogon may fail. You can configure a shutdown script to set the correct DefaultUserName.

• You can use the Sysinternals tool AutoLogon to enable this functionality easier. This tool also helps you to use an encrypted version of password.