Wednesday, October 27, 2010

Change domain admin password (without AD restore mode)

Today I needed access to a domain of servers, but one of our competitors would not provide us with the Administrator password, so I needed another way to get in.

Petri.co.il has a nice page on that subject, which consists of two steps:

  1. change the local administrator password (so you can boot into Active Directory restore mode)
  2. install a service to change the domain password

Somehow step 1 led me to corrupt the SAM/Software/System hive files, so after restoring the original files I figured out a way to skip that step.

All you need is a Windows live CD or USB stick and the zip file below. BartPE will do, or use a commercial product like Active@ Boot Disk, which is really nice because it is based on a Vista kernel that supports loading drivers without rebooting: you can load drivers for RAID controllers or other devices and your drives appear immediately.
Download this file and put it on a USB stick.

Now here we go:

  1. Boot your Windows live environment.

  2. Extract the content of the zip file to c:\.
    You’ll get 2 directories:
    C:\RegEditPE
    C:\srvany

  3. VERY IMPORTANT: make a copy of your c:\windows\system32\config now. Just copy the entire directory to some other location; it is your way back if anything goes wrong.

  4. Start C:\RegEditPE\RegEditPE.exe and, after it has finished loading, browse to HKEY_LOCAL_MACHINE.
    You’ll see new hives for the Windows installations that were found, e.g. “SYSTEM_ON_G”.

  5. Edit C:\srvany\_service.reg and replace (ctrl+h) “SYSTEM_ON_E” with the hive name found on your system.

  6. Check the line that says:

    "AppParameters"="/k net user Administrator 123456abc /domain"
    

    As you can see, the password will be changed to “123456abc”, but keep in mind that your domain may have a password complexity policy! Change it to something more complex if needed!

  7. Save the file.

  8. Now double-click the file to merge it into the registry and close RegEditPE.

  9. I’ve provided cmd.exe from Windows 2003 SP2 in the zip file, but you might want to use the one from your own installation instead:

    copy x:\windows\system32\cmd.exe x:\srvany\
    

    (where x: is the drive holding your Windows installation).

  10. Reboot and wait a little. Now you can log in with your new password.

Tested on Windows 2003 SP2

Thursday, March 25, 2010

No properties of objects in MMC

It took me quite some time to figure out the problems this client was having:

  • couldn’t see properties of users in Active Directory Users and Computers
  • couldn’t see properties of events in the Event Viewer
  • couldn’t move icons on the desktop
  • certain software wasn’t functioning

All came down to one simple solution:

regsvr32 %systemroot%\system32\ole32.dll

Microsoft KB 926932

Friday, March 12, 2010

Exchange 2003 parameters for small environments

Running around 300 servers in small environments (meaning: only one 2003 server acting as domain controller and file/print/Exchange server) led me to the following tweaks:

@echo off

echo "This server has 1 GB or more of physical memory"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v HeapDeCommitFreeBlockThreshold /t REG_DWORD /d 262144 /f
echo "This server is running Windows 2003"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v SystemPages /t REG_DWORD /d 0 /f
echo "This server is a domain controller - faster shutdown"
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v WaitToKillServiceTimeout /t REG_SZ /d 20000 /f

Thursday, January 7, 2010

Repair VSS

You’ll probably find this all across the internet, but just for my own reference:

@echo off
cd /d %windir%\system32
net stop vss
net stop swprv
regsvr32 ole32.dll
regsvr32 oleaut32.dll
regsvr32 /i eventcls.dll
regsvr32 vss_ps.dll
vssvc /register
regsvr32 /i swprv.dll
regsvr32 es.dll
regsvr32 stdprov.dll
regsvr32 vssui.dll
regsvr32 msxml.dll
regsvr32 msxml3.dll
regsvr32 msxml4.dll
pause

I deliberately removed the “/s” from all the regsvr32 commands so I can see the results.

Saturday, December 5, 2009

Remotely access Active Directory Repair Mode

Sometimes you need to access Active Directory Repair mode through RDP.
Add this switch to the boot entry in your boot.ini and reboot:

/SAFEBOOT:DSREPAIR

Make sure you have the restore mode password though!
After making your desired changes to the system, remove the switch from boot.ini and reboot again.

Monday, September 14, 2009

simulate smtp session

Having problems with sending mail?
You might want to simulate an SMTP session by hand to see exactly what goes wrong.

Start an MS-DOS prompt and type:

C:\WINDOWS>telnet smtp.xs4all.nl 25

Your SMTP server will be different, of course.

Trying 194.109.6.51...
Connected to smtp.xs4all.nl.
Escape character is '^]'.
220 smtp-vbr11.xs4all.nl ESMTP Sendmail 8.13.8/8.13.8; Mon, 14 Sep 2009 15:03:50 +0200 (CEST)

Type “helo” followed by your domain:

   helo bogusdomain.nl
250 smtp-vbr11.xs4all.nl Hello xxxxxxxxx [a.b.c.d], pleased to meet you

Type “mail from:” followed by your email address:

   mail from:[email protected]
250 2.1.0 [email protected]... Sender ok

Type “rcpt to:” followed by the recipient’s email address:

   rcpt to:[email protected]
553 5.3.0 [email protected]... Relaying denied,Authenticate with your username and password first

Now we see what is wrong here: this server doesn’t allow me to relay.
Type “quit” to exit:

   quit
221 2.0.0 smtp-vbr11.xs4all.nl closing connection
Connection closed by foreign host.

If you didn’t get an error after “rcpt to:”, continue with:

250 2.1.5 Ok
   data
354 End data with <CR><LF>.<CR><LF>
   hello hugo

   .
250 2.0.0 Ok: queued as 60D2A4A24A

   quit
221 2.0.0 Bye

Mail should arrive now.

Thursday, September 10, 2009

Set ownership recursively

One of my customers has a directory filled with the home directories of all students.
Due to some copying, the ownership of all files had been set to “administrator”.
Since quotas were enabled, the quota usage of all students was practically 0.

They needed a fix to set ownership back a.s.a.p.

I created the following batch file. You need the subinacl utility from Microsoft though.

  • Put the script in the directory you want to make the changes for.
  • Usernames must match the directory names.

@echo off
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /setowner=%%a
pause

Maybe you also want to grant the users permissions on their files (just to be sure):

@echo off
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /setowner=%%a
for /f "tokens=*" %%a in ('dir /b /ad') do subinacl /file %%a\*.* /grant=YOURDOMAIN\%%a
pause

Wednesday, August 19, 2009

The logon screen turns black after you press CTRL+ALT+DELETE

Today I logged in to a server and this is what I saw:

[screenshot: black_logon_screen.jpg]

Microsoft has an article on this matter: http://support.microsoft.com/kb/906510

I have no clue what caused this; however, the resolution is simple. Import the following .reg file:

Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Control Panel\Colors]
"ActiveBorder"="212 208 200"
"ActiveTitle"="10 36 106"
"AppWorkSpace"="128 128 128"
"Background"="102 111 116"
"ButtonAlternateFace"="181 181 181"
"ButtonDkShadow"="64 64 64"
"ButtonFace"="212 208 200"
"ButtonHilight"="255 255 255"
"ButtonLight"="212 208 200"
"ButtonShadow"="128 128 128"
"ButtonText"="0 0 0"
"GradientActiveTitle"="166 202 240"
"GradientInactiveTitle"="192 192 192"
"GrayText"="128 128 128"
"Hilight"="10 36 106"
"HilightText"="255 255 255"
"HotTrackingColor"="0 0 128"
"InactiveBorder"="212 208 200"
"InactiveTitle"="128 128 128"
"InactiveTitleText"="212 208 200"
"InfoText"="0 0 0"
"InfoWindow"="255 255 225"
"Menu"="212 208 200"
"MenuText"="0 0 0"
"Scrollbar"="212 208 200"
"TitleText"="255 255 255"
"Window"="255 255 255"
"WindowFrame"="0 0 0"
"WindowText"="0 0 0"

Big thanks to my friend at Tech Notes for helping me out so quickly.

Monday, August 3, 2009

Add server alias

I’m involved in a lot of network migrations (clients/servers).
Usually, migrating the server isn’t that difficult. The software on the clients, however, can be tricky: there can be a lot of registry keys, ini files or all sorts of pointers that still point to the old server name.

There’s one sneaky trick that makes it all a lot easier!

  • Raise your domain functional level to 2003.
  • Download and install the latest Support Tools.
  • Use netdom to add a server alias, e.g.
    netdom computername newserver /add:oldserver.domain.local
  • Import this reg file:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    "DisableStrictNameChecking"=dword:00000001

DisableStrictNameChecking makes the Server service accept SMB connections addressed to any name, including the alias, instead of only its own computer name; without it, clients connecting to \\oldserver are refused even though the name resolves.

Thursday, July 23, 2009

Enable RDP remotely

Open Regedit, connect to the remote registry and import:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

Then reboot the machine remotely, e.g.

shutdown -m \\yourserver -r -t 0

Thanks to my mate at http://www.tech-notes.nl

Friday, June 12, 2009

disable ctrl shift esc

Most of you probably know that ctrl+shift+esc brings up the task manager.

Today I learned a sneaky way to disable that combination:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"debugger"="Disabled"
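Both this IFEO trick and the srvany service from the “Change domain admin password” post above leave registry artifacts that are easy to spot once you know what to look for, and the same trick is used by malware to block security tools or to run a command at boot. As an added example, not code from the original posts, this Python script parses a Regedit 5.00 export (a .reg file you are about to merge, or the output of reg export) and flags two things: any Image File Execution Options key carrying a Debugger value (with Debugger set to a program that does not exist, such as “Disabled”, the loader tries to start that program instead of taskmgr.exe, so Task Manager cannot start from any path, not only from the hotkey), and any service whose ImagePath is srvany.exe or whose Parameters\AppParameters runs net user / net group. The embedded .reg text is constructed for the demo; the service name PwdReset is invented, SYSTEM_ON_E is the offline hive name used in that post, and the password is a placeholder.

```python
import re

# Constructed Regedit 5.00 export: the IFEO entry from the post above, an
# ordinary service, and an srvany service of the kind described in the
# "Change domain admin password" post. PwdReset is an invented service name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"debugger"="Disabled"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM_ON_E\ControlSet001\Services\PwdReset]
"ImagePath"="C:\\srvany\\srvany.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM_ON_E\ControlSet001\Services\PwdReset\Parameters]
"Application"="C:\\srvany\\cmd.exe"
"AppParameters"="/k net user Administrator PLACEHOLDER /domain"
'''

IFEO_MARK = "\\image file execution options\\"
SERVICE_RE = re.compile(r"\\services\\([^\\]+)(\\parameters)?$", re.IGNORECASE)
SUSPICIOUS_ARGS = ("net user", "net group", "net localgroup")


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {value_name: value}}.
    Quoted strings are unescaped, dword: becomes int, other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif value.lower().startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def audit(keys):
    """Return findings for IFEO Debugger values and srvany-style services."""
    findings, services = [], {}
    for key, values in keys.items():
        lower = {n.lower(): v for n, v in values.items()}   # value names are case-insensitive
        if IFEO_MARK in key.lower() and "debugger" in lower:
            findings.append({"kind": "ifeo_debugger",
                             "target": key.rsplit("\\", 1)[-1],
                             "debugger": lower["debugger"], "key": key})
        m = SERVICE_RE.search(key)
        if not m:
            continue
        # the service key and its Parameters subkey are merged per service name
        svc = services.setdefault(m.group(1).lower(), {
            "service": m.group(1), "image": "", "application": "", "parameters": ""})
        if m.group(2):                       # the Parameters subkey
            svc["application"] = str(lower.get("application", ""))
            svc["parameters"] = str(lower.get("appparameters", ""))
        else:                                # the service key itself
            svc["image"] = str(lower.get("imagepath", ""))
    for svc in services.values():
        args = svc["parameters"].lower()
        if "srvany" in svc["image"].lower() or any(a in args for a in SUSPICIOUS_ARGS):
            findings.append(dict(kind="srvany_service", **svc))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it over an export of the offline SYSTEM hive (or the live one) after a server comes back from unexplained downtime; a Debugger value under IFEO or a service that boots cmd.exe through srvany is worth explaining before the box goes back into service.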

Saturday, June 6, 2009

roaming profiles and logging

Roaming profiles. How convenient. No matter which computer you are sitting behind, the roaming profile will always make sure you have all your personal settings.

In practice, however, roaming profiles tend to grow (slow logins), cause permission problems and get corrupted, and most of the time there’s nothing you can do but start over with a whole new profile.

There is, however, something you can do to figure out what’s going on.
It’s called User Environment Logging (http://support.microsoft.com/kb/221833). You’ll get a log, millisecond by millisecond, of what’s going on.

Paste this code into a regfile and import it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserEnvDebugLevel"=dword:00010002

Log in and log out; afterwards you’ll have a nice log file called %SystemRoot%\Debug\UserMode\Userenv.log giving you all the details you need to know about your profile: what happens in the background and what goes wrong.

Good luck!

driver paths

Whenever you put a new piece of hardware into your computer, Windows will try to find a driver within its own database (“%windir%\inf”).
If no matching driver is found, you will be prompted for other approaches (Windows Update, choose manually, removable media, etc.).

You can however add extra directories for Windows to look for drivers.

The key used for this is:
HKLM\Software\Microsoft\Windows\CurrentVersion\DevicePath (REG_EXPAND_SZ)

Add extra directories separated by “;” e.g.

c:\windows\inf;c:\drivers\audio;c:\drivers\chipset;c:\drivers\massstorage;c:\drivers\modem

OK, but when do you actually need this?

This is often used when creating images for computer deployment, where you want to add lots of drivers in order to support all sorts of computers. After deploying the image, Windows will find the new hardware and look for drivers in all of these directories.

Whenever I create an image, I always run this batch file first:

@echo off
mkdir C:\Drivers\audio
mkdir C:\Drivers\biometrics
mkdir C:\Drivers\bluetooth
mkdir C:\Drivers\chipset
mkdir C:\Drivers\hid
mkdir C:\Drivers\massstorage
mkdir C:\Drivers\modem
mkdir C:\Drivers\nic
mkdir C:\Drivers\proc
mkdir C:\Drivers\sensors
mkdir C:\Drivers\sound
mkdir C:\Drivers\storage
mkdir C:\Drivers\tpm
mkdir C:\Drivers\vga
mkdir C:\Drivers\wlan
mkdir C:\Drivers\extra1
mkdir C:\Drivers\extra2
mkdir C:\Drivers\extra3
mkdir C:\Drivers\extra4
mkdir C:\Drivers\extra5
mkdir C:\Drivers\extra6
mkdir C:\Drivers\extra7
mkdir C:\Drivers\extra8
mkdir C:\Drivers\extra9

echo "bla" >C:\Drivers\bogus.inf
copy C:\Drivers\bogus.inf C:\Drivers\audio
copy C:\Drivers\bogus.inf C:\Drivers\biometrics
copy C:\Drivers\bogus.inf C:\Drivers\bluetooth
copy C:\Drivers\bogus.inf C:\Drivers\chipset
copy C:\Drivers\bogus.inf C:\Drivers\hid
copy C:\Drivers\bogus.inf C:\Drivers\massstorage
copy C:\Drivers\bogus.inf C:\Drivers\modem
copy C:\Drivers\bogus.inf C:\Drivers\nic
copy C:\Drivers\bogus.inf C:\Drivers\proc
copy C:\Drivers\bogus.inf C:\Drivers\sensors
copy C:\Drivers\bogus.inf C:\Drivers\sound
copy C:\Drivers\bogus.inf C:\Drivers\storage
copy C:\Drivers\bogus.inf C:\Drivers\tpm
copy C:\Drivers\bogus.inf C:\Drivers\vga
copy C:\Drivers\bogus.inf C:\Drivers\wlan
copy C:\Drivers\bogus.inf C:\Drivers\extra1
copy C:\Drivers\bogus.inf C:\Drivers\extra2
copy C:\Drivers\bogus.inf C:\Drivers\extra3
copy C:\Drivers\bogus.inf C:\Drivers\extra4
copy C:\Drivers\bogus.inf C:\Drivers\extra5
copy C:\Drivers\bogus.inf C:\Drivers\extra6
copy C:\Drivers\bogus.inf C:\Drivers\extra7
copy C:\Drivers\bogus.inf C:\Drivers\extra8
copy C:\Drivers\bogus.inf C:\Drivers\extra9
del C:\Drivers\bogus.inf

pause

Then I use the “sysprep driver scanner” (http://www.vernalex. … spdrvscn/index.shtml). It scans a directory and all its subdirectories for .inf files; every directory in which one is found is added to the list, and the list is then saved to the registry key mentioned above.

Either use the GUI or the command-line functionality, e.g.

spdrvscn.exe /d %SystemRoot%\inf /p C:\Drivers /e inf /a /s /q
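As an added example (this is not the sysprep driver scanner’s own code), here is the scanning step in Python: walk a driver root, keep every directory that directly contains an .inf file, and compose the DevicePath value with %SystemRoot%\inf in front, as the spdrvscn command above does. make_sample_tree builds a throwaway directory layout so the script runs anywhere; the directory and file names in it are constructed. Writing the value back is left as a reg add argument list rather than executed, because a value passed through cmd.exe would have its %SystemRoot% expanded before it reaches the registry, and the point of REG_EXPAND_SZ is to store it unexpanded.

```python
import os
import tempfile


def scan_driver_dirs(root, ext=".inf"):
    """Every directory at or below root that directly holds a file with the
    given extension, in deterministic top-down order (what spdrvscn collects)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # stable traversal order
        if any(f.lower().endswith(ext) for f in filenames):
            found.append(os.path.normpath(dirpath))
    return found


def build_device_path(driver_root, system_inf=r"%SystemRoot%\inf"):
    """Compose the REG_EXPAND_SZ DevicePath value: Windows' own inf directory
    first, then each driver directory, ';'-separated, without duplicates."""
    parts = [system_inf]
    for d in scan_driver_dirs(driver_root):
        if d not in parts:
            parts.append(d)
    return ";".join(parts)


def reg_add_args(device_path):
    """Argument list for reg.exe that writes the value as REG_EXPAND_SZ.
    Run it with subprocess.run(args) (no shell) so cmd.exe does not expand
    %SystemRoot% before the value reaches the registry."""
    return ["reg", "add", r"HKLM\Software\Microsoft\Windows\CurrentVersion",
            "/v", "DevicePath", "/t", "REG_EXPAND_SZ", "/d", device_path, "/f"]


def make_sample_tree():
    """Constructed stand-in for the driver tree the batch file above creates:
    a few category directories, one nested vendor directory, and one
    directory with no .inf at all (which must not end up in DevicePath)."""
    root = tempfile.mkdtemp(prefix="drivers_")
    layout = {"audio": ["snd.inf", "snd.sys"], "chipset": ["chip.inf"],
              "empty": [], os.path.join("nic", "intel"): ["e1000.inf"]}
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in files:
            open(os.path.join(d, name), "w").close()
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print(build_device_path(root))
    print(" ".join(reg_add_args(build_device_path(root))))
```

The bogus.inf copies in the batch file above exist for exactly this scanner: a directory without any .inf file is skipped, so the still-empty category directories would otherwise never make it into DevicePath.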