Scripting DNS Debug Logging dnscmd

To be able to script the DNS Debug Location for multiple severs you need to run the following command

dnscmd <DNS Server Name> /config /logLevel <EventFlagSumInHex>

dnscmd <DNS Server Name> /config /logfilepath c:\DNSlogs.txt

However the Hex Value’s are pretty confusing below. So instead you can login to a server and set the options you want via the GUI , then afterwards go to this Registry Location

HKLM\System\CurrentControlSet\Services\DNS\Parameters\LogLevel

And copy the EventFlagSuminHex to the script

This can also be done with VBS ( Google for Code ) using the Deciaml Value

Hex Values

Table 13-2. DNS debug logging event codes

Tags: dnscmd, EventFlagSumInHex, hex, loglevel

Gmail/Google Mail Apps being Spammed Book Enteries 100+ Times

Recently I had a user get in contact with a problem, that they had received thousands of emails from different email address’ of nonsense. Sure enough after checking this was true. It seems that someone was bulk sending paragraphs of a book to this users , new email = new paragraph x 1000 + Interesting , was this just an email bomb or something else?

So sending emails from a book is a new way for spammers / attackers to get around the spam filter , they were sending from legitimate created Gmail/Yahoo address even though they where for email spams.

Upon investigation, the emails had stop being received about 2 hours before the user contacted me , any new emails were not coming through which means the user has hit gmails receiving limit https://support.google.com/a/answer/1366776?hl=en

Why?

This is a sign that the attacker has reset an account password somewhere and wants the email to notify you this has been done to get “lost” so the user doesn’t know he’s being attacked until its too late!

How to stop this?

You will need to purchase Google Apps Premium and enable the Post  Ini filter which can detect emails bombs

https://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_spe_cu/conn_auto.html

Tags: book enteries, email, email bomb, google, limit, receive limts, spam, spam bombed

Amazon Drive – Time before Deleting of your Data

Recently I got an email through from Amazon due to a switched payment method that due to a billing issue I couldn’t upload any new data. 

 

Due to a problem with your credit card, we have been unable to charge your account for your Your Amazon Drive Unlimited Everything subscription.

If your Drive account is over your storage limit you will be prevented from uploading additional files until you delete enough files to be under your quota or you correct your billing information so that we can complete your purchase of your subscription.

To fix this problem, please update your payment information by following these steps:

1. Go to Manage Your Cloud Subscriptions (https://www.amazon.com/gp/photos/storage)
2. Sign in with your e-mail address and password.
3. Click the Change button next to “Preferred renewal payment method”.
4. Follow the on-screen instructions to update your credit card or choose a different one.

A charge can be declined for a variety of reasons. For more information on why the charge was declined, please contact the bank that issued your card.

For more details and instructions on how to manage your Amazon Drive account, please see our Online Help page. If you need further assistance, please contact Customer Service.

Thank you for using Amazon Drive.

Amazon.com
http://www.amazon.com/clouddrive

However they didn’t say how long they would keep the data in this read only state …. indefinitely? A cheaper free Glacier 😉

An email from Customer services says there is a 90 Day window to pay or the account will be deleted

As you haven’t renewed your Unlimited Everything plan, your Amazon Drive account will be considered “over quota,” which means that you can still access your photos, videos, and files to view, download, and delete for 90 days but cannot upload any new items.

After 90 days, your Amazon Drive account will be closed and your content will be permanently deleted.

Tags: 90 Day, Amazon Drive, billing, Deleting Data, permanently

Reset SQL Server SA password with account without sufficient privileges

I’ve come across a great way of resetting a SQL server “sa” password if you don’t have it, don’t have an account with sufficient privileges to reset it via SSMS, and most importantly, don’t have to stop the SQL services so processing can continue.

All you will need is psexec  (in the sysinternals  toolkit) available here à https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx

Once the tools are extracted to a directory on the server:

Psexec.exe –s –i “{full path to the ssms.exe”}

This will start the SQL Management Studio as the NTSERVICE\SYSTEM account … enter the name of the SQL Server (or localhost) and then you’re in … reset the sa password in there

Tags: NTSERVICE\SYSTEM, Permissions, psxec, Reset SQL password, sa, system

How to test chrome on mac osx from windows

I help a few friends with their websites to aid my web programming. It’s a constant battle with Browser Updates and Cross OS browsers not to mention Mobile devices. I purchased a Mac purely for testing websites and development on OSX as Chrome on Windows can be totally different to Chrome on OSX especially working with Designers who use Macs!

I recently retired my Mac PC which proved difficult to test OSX on websites now however I just found a cool tool https://www.browserstack.com where you can check your websites in REAL TIME! Across multiple browsers and devices and you get  25 free minutes of first time testing and then 10 free mins each day

Tags: test chrome osx on windows, test mac browers on windows pc

Outlook 2013 Crashing on Startup with pstprx32.dll in Event Log

When opening Outlook , the client would sync for about 4 seconds then crash with a “not responding error”

Faulting application name: OUTLOOK.EXE, version: 15.0.4420.1017, time stamp: 0x506734e2

Faulting module name: pstprx32.dll, version: 15.0.4420.1017, time stamp: 0x506732a1

Basics things I tried 

1. Outlook Safe Mode
2. Repairs OST’s

Online forums recommended I used these steps:

Steps to Revert for C2R:

Disable Updates:

1. Start Word.

2. Click File, and then click Account.

3. In the Product Information column, click Update Options, and then click Disable Updates.

Right click on the Start button and click Run and type CMD and click OK.

For an Office installation in a 32-bit version of Windows:

cd %programfiles%\Microsoft Office 15\ClientX86

For an Office installation in a 64-bit version of Windows:

cd %programfiles%\Microsoft Office 15\ClientX64

Run the following command to revert to May PU:

officec2rclient.exe /update user updatetoversion=15.0.4615.1002

However the version of office was MSI not Click2Run which meant no officec2rclient.exe!

Lots of people here said this was due to a Corrupt Calendar Entry : http://answers.microsoft.com/en-us/office/forum/office_2013_release-outlook/outlook-2013-constant-crashing/1171be81-86cd-4a9e-a17b-e6f6e151b817 , and again this user did not use the Outlook Calendar

In the end deleting the account and rebuilding OST from scratch fixed this!

Tags: autodiscover.hotmail.com, Click 2 Run, EAS, hotmail.com, not responding, officec2rclient.exe, outlook 2013, outlook.com, pstprx32.dll

Update Symantec Endpoint Protection Manager/Clients to 12.1.7004.6500 ( Update to SEP 12.1 RU6 MP5 )

If you have seen the recent news of a Google Engineer reverse engineering Symantec’s Antivirus Kernel Decompresser 

http://www.itnews.com.au/news/symantec-scrambles-to-patch-severe-holes-in-26-products-429907

You will need to update all your Machines Symantec Endpoints to 12.1.7004.6500 ( Update to SEP 12.1 RU6 MP5 ) per Symantec recommendation here

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00

More details of the patch

https://support.symantec.com/en_US/article.INFO3801.html

To do this on SEPM

*** Important Check for curent Autorestart settings***

• Login to SEPM
• Go to the Clients page
• Select the group your server is in
• Select the Policies tab at the top
• Under Settings select General Settings
• On the Restart Settings tab

First go here : https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken

And enter the license key for your Symantec Endpoint Product ( will start with M! ) can be be found by logging into your Symantec Account

After Download Symantec_Endpoint_Protection_12.1.6_MP5_SEPM_EN.exe

Run the installer on SEPM server ( may need a reboot before and backup of DB ) 

After installing you will have new packages available 

Run through this : http://www.symantec.com/connect/articles/upgrade-clients-sep-121-auto-upgrade-feature

Tags: 12.1.7004.6500, Kernel, patch, SEP 12.1 RU6 MP5, SEPM, Symantec_Endpoint_Protection_12.1.6_MP5_SEPM_EN, vulnerabilities

Vmware : Cannot create snapshot. Operation not allowed in current state

1. Login to the host where the virtual machine lies and try and do a snapshot via here instead of VCentre
2. If Take Snapshot is greyed out on the host , then check the settings of the device for :

• Does it have an PCI Devices cards mapped to it? E.g. for Use of Tape Drives. If so these will need to be removed as Vmware doesn’t support snapshotting these.
• Does it have any physical mapped Drives to it instead of virtual , again is not supported for snapshotting
  
  1. Try shutting down the VM to see if you can snapshot it shutdown insteaf of powered off

1. Restart the Management Agents on the hosts

Tags: Cannot create snapshot., Operation not allowed in current state, PCI Device, Tape Drive, veeam, Vmware

Activating Windows 10 – Windows Srv 2012R2 DataCtr/Std KMS for Windows 10

A client recently wanted to Add Windows 10 Activation to his KMS Server , you need this https://support.microsoft.com/en-us/kb/3086418

Proves you need some Windows Updates as well as a “Windows Srv 2012R2 DataCtr/Std KMS for Windows 10” Key

It seems you need to call VLSC  ( https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx ) Services to get this key added to your portal as they don’t release it online

Option 4 , then 2 

You will need to give them your agreement number ( Login online and go to Administration , My Permissions ) and Read out the Agreement Number ( Started with V )  under Licensing ID

However I was only being given Windows Srv 2012R2 DataCtr/Std KMS after multiple calls

The “Windows Server 2012 R2 with Windows 10” KMS key is only displayed using the Microsoft Article above or on the phone but to get that key, you need to have an active Software Assurance for Windows Server 2012 R2.

It relies on Server Datacenter having SA. It’s a new Class C key.

The 2012 R2 Datacenter key (of the past) activated Windows 8.1 Enterprise but it wasn’t aware of Windows 10. This is a new Datacenter key that also activates Windows 10 Enterprise (and below).

—————————————— How to increase the KMS count to 25

As an easier alternative, we advice using the following script that allows to increase the activations count on the KMS server. Install the necessary version of the OS (in this example, it is Windows 7 Professional), create an any directory and copy the following BAT file into it. Then in the same folder create two empty files named:

7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

Run increase_kms_count.bat:

@echo off
set skms=kmssrv1.woshub.com
for %%i in (. . . . . . . . . . . . . . . . . . . . . . . . . .) do call :Act %skms%
slmgr /ato
sc stop sppsvc
goto :end
:Act
sc stop sppsvc
xcopy "7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0" "%systemroot%\system32\*" /H /R /K /Y
xcopy "7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0" "%systemroot%\system32\*" /H /R /K /Y
sc start sppsvc
cscript "%systemroot%\system32\slmgr.vbs" /skms %1
cscript "%systemroot%\system32\slmgr.vbs" /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
cscript "%systemroot%\system32\slmgr.vbs" /ato
sc stop sppsvc
:end

kms1.woshub.com is a DNS name or an IP address of your KMS server.

The number of dots in the line 3 is the necessary amount of requests to the KMS server (in this example, we drive up to 25 requests)

After the script is executed, check the KMS count:

1

slmgr –dlv

or you can try the app https://forums.mydigitallife.info/threads/39665-KMS-Client-Emulator-for-Increasing-KMS-Server-Client-Count

Tags: kms, Software Assurance, Windows 10, Windows 2012, Windows Srv 2012R2 DataCtr/Std KMS, Windows Srv 2012R2 DataCtr/Std KMS for Windows 10

How to find Mac Address to Port Relation on HP 1920G

HP have forced people to use the Web interface on the new range of switches , however you can enable advanced cli through : 

Using _cmdline-mode on

with Password: Jinhua1920unauthorized

To find the Mac and port relation on 1920G

Login to Web interface , go to Network Tab , then sub tab MAC

You can See Mac and port relation there

Tags: _cmdline-mode on, 1920G, Find, HP, mac address, port