Sunday, July 28, 2013

ForSec “Value Package” Linkfest - No coupons required!

One last Linkfest from a now exhausted GSD blogger this weekend.

Cleaning out the “to-be-blogged” hopper is always rewarding, but I tend to get very behind on the weekend chores. My saving grace this weekend has been frequent scattered showers and an equally tired Lavie who hasn’t been interested in going out for shopping, groceries, or dining out. The kitchen has been cleaned. The laundry has been done for the week.

Next stop, a few hours of rest, post-blogging, then a wind-down with Endeavour on PBS Masterpiece.

Too Funny Not To Miss

Bloody galah scammers still not getting the message - Troy Hunt’s blog. Security guru Troy Hunt has had his fair share of “this is (not) Microsoft cold calling you…your PC is infected…let me remote control it” scams and has picked them all apart to the bone.

This time he takes a new angle…in a way that only an Aussie could pull off!  This is a classic! Troy, please offer us some of those sound files or link to where we can get them!  I need to put together a Texan sound-effect package for similar fun with unwanted callers. Brilliant!

Microsoft Security News

Microsoft Releases New Mitigation Guidance for Active Directory - Microsoft Security Blog

Overview of Microsoft's "Best Practices for Securing Active Directory" - SANS Computer Forensics and Incident Response blog’s Mike Pilkington does a great summary and takeaway of the new AD mitigation guidance.

Security Awareness Training: Your First Line of Defense (Part 4) - WindowSecurity.com’s Deb Shinder discusses evaluating training effectiveness short and long-term.

See also these previous series posts:

Network Security, News and Techniques

Wireshark 1.8.9 and 1.10.1 Security Update - ISC Diary

Next up are some great and detailed video presentations from Sharkfest 2013

Recent Forensically Focused Posts

Physical (In)Security?

Duplicate house keys online - Keys Duplicated - This is either freaking amazing or super-scary. I just can’t decide! According to their Security page, precautions are taken.

The Keys Duplicated Blog - A couple really cool and technical posts on the behind the scenes things that make their keys pretty good.

…as spotted on Lifehacker’s post: Shloosl Copies Your House Keys Using a Smartphone Photograph

When 'Smart Homes' Get Hacked: I Haunted A Complete Stranger's House Via The Internet - Forbes

ForSec LiveCD Distro News

AV/AM Bits

Microsoft Security Essentials quietly released version 4.3.216.0 engine update for their free antivirus scanning program. If you use MSSE, you should get it via the automatic updates…if you have them turned on…you do have them turned on right?

Download Microsoft Security Essentials - Microsoft Download Center - Like most things MSSE, trying to figure out just what got updated is next to impossible so let’s just say for now that this one must be better than the previous version and move on.

I’m still using MSSE around the Valca home on all our home systems. I also continue to recommend it to friends and family (generally everyone non-work-related) who I provide friendly IT support to. I find it is pretty non-threatening to the non-technical users I know and though it loves to alert on many of my security programs (potentially unwanted programs) since they can also be used for 3vil, it seems to do a more than adequate job securing the systems.

For my Windows 8 systems, I’m instead relying on Bitdefender Antivirus Free. In some ways it’s a bit of a different model in that you need to sign up with an email address to set up your account. Then you can download the client to the system. What is nice is that if you manage multiple systems in your home, you can log into your account at their site and then get console feedback on the status of those systems. That’s something that I do at work with another vendor’s enterprise AV client health/status management console. That’s super cool for a free product. I’m seriously leaning toward expanding its coverage to my main Windows 7 laptop at home. Performance has been outstanding on my Windows 8 systems.

Kaspersky tops real world protection test - BetaNews - this post does point out that Bitdefender tied Kaspersky with a 99.9 % protection level in AV-Comparatives Independent Tests of Anti-Virus Software for July 2013. While Microsoft Security Essentials rated a 92.5 % protection level. There are some additional disclaimers so read the short BetaNews article carefully. Then head over to AV-Comparatives to dig deeper and see the full findings.

Finally, we wrap up this segment with this interesting discussion:

The evolution of Rovnix: Private TCP/IP stacks - Microsoft Malware Protection Center

Rovnix is a bootkit infection that carries its own private TCP/IP stack. By bypassing the Windows networking stack it can be extra stealthy: it sidesteps personal firewall hooks and can lurk unseen in standard host tools and utilities (such as nbtstat). As a result, packet or network monitoring run on the infected machine itself may be ineffective. However, the malware still must talk ON the network, so an independent network-monitoring and forensics approach using a network monitoring appliance or a span-port capture may still detect the traffic. This is one reason that comparing traffic captured outside a system (on the network) with traffic captured on the system itself can be a useful exercise for incident response and monitoring purposes.
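As an added illustration of that host-versus-wire comparison (this is example code written for this post, not anything from the MMPC article), the script below takes a host's own connection table (constructed netstat-style text) and a list of flows seen from a span port (constructed tuples), normalises both to 5-tuples with the monitored host as the local end, and reports flows that the network saw but the host never reported. The host address, the netstat text and the span flows are all constructed sample data.

```python
from typing import List, Set, Tuple

HOST_IP = "10.0.0.5"  # constructed: address of the workstation being checked

# Constructed sample: what the host itself reports (netstat -ano style output).
HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49152         93.184.216.34:443      ESTABLISHED     1234
  TCP    10.0.0.5:49160         10.0.0.20:445          ESTABLISHED     4
  UDP    10.0.0.5:137           *:*                                    4
"""

# Constructed sample: flows observed on a span port, as (proto, src, sport, dst, dport).
SPAN_FLOWS = [
    ("TCP", "10.0.0.5", 49152, "93.184.216.34", 443),
    ("TCP", "93.184.216.34", 443, "10.0.0.5", 49152),   # return direction of the above
    ("TCP", "10.0.0.5", 49160, "10.0.0.20", 445),
    ("TCP", "10.0.0.5", 51000, "198.51.100.77", 8080),  # absent from the host's table
    ("TCP", "198.51.100.77", 8080, "10.0.0.5", 51000),
    ("TCP", "10.0.0.20", 3389, "10.0.0.9", 55555),      # another host's traffic, ignored
]

Flow = Tuple[str, str, int, str, int]  # (proto, local_ip, local_port, remote_ip, remote_port)


def parse_netstat(text: str) -> Set[Flow]:
    """Turn netstat-style lines into a set of flows; skips headers and unbound sockets."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header line or something we don't understand
        proto, local, foreign = parts[0], parts[1], parts[2]
        if foreign == "*:*":
            continue  # listening/unbound socket, not a conversation
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        flows.add((proto, lip, int(lport), fip, int(fport)))
    return flows


def host_side_flows(span_flows: List[Flow], host_ip: str) -> Set[Flow]:
    """Keep only flows involving host_ip and orient them with the host as the local end."""
    out: Set[Flow] = set()
    for proto, src, sport, dst, dport in span_flows:
        if src == host_ip:
            out.add((proto, src, sport, dst, dport))
        elif dst == host_ip:
            out.add((proto, dst, dport, src, sport))
    return out


def unexplained_flows(netstat_text: str, span_flows: List[Flow], host_ip: str) -> Set[Flow]:
    """Flows the wire saw for host_ip that the host's own connection table does not account for."""
    return host_side_flows(span_flows, host_ip) - parse_netstat(netstat_text)


if __name__ == "__main__":
    for flow in sorted(unexplained_flows(HOST_NETSTAT, SPAN_FLOWS, HOST_IP)):
        print("seen on wire, not reported by host:", flow)
```

In practice the netstat text would come from the host (or a memory image) and the span flows from a capture taken at the same time; anything left over is a lead to investigate, not proof of a private stack, since short-lived connections can also fall between two snapshots.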

Legally Focused

I’ve been reading a wider range of subjects, and a small part of those touch on our legal system. Mainly they apply to digital law and crime but some are more general. I’m just tossing them out there for the interested or curious. Generally they tend toward analysis of current events or provide a more detailed lawyer’s review than the talking/shouting legal heads we encounter on mass-media “news-like” entertainment outlets these days.

  • CYB3RCRIM3 - Susan Brenner’s blog on cybercrime and cyberconflicts in technology and law.
  • Popehat - group blog with a mostly legal focus (though topics can range far afield!)
  • Le·gal In·sur·rec·tion - group blog with mostly legal and law-in-today’s-culture focus. Pretty vibrant opinions. Alignments may vary.
  • Lowering the Bar - Sometimes lighthearted (though always serious at the core) look at some of the nonsense the legal system contains, or foists on others from time to time. Great site.
  • Massad Ayoob - legal, cultural, and educational postings primarily dealing with legal private firearm ownership issues. Also analysis of public media trends and news stories.

Have a great week!

--Claus Valca

SysAdmin Linkfest - Chock'-o’-Videos Edition (G-rated version)

This is a super-heavy linkpost filled to the rim with video presentation linkages. Make sure you have some extra time and bandwidth set aside for all these.

Seriously. You think I’m joking, but all it takes is one sysadmin running around careless with streaming video file links and then “bam” someone ends up losing their bandwidth.

As tempting as it is, I’m just providing the links to the video rather than embeds of the video in a player itself. Not that Mark and the Defrag Tools guys aren’t handsome or anything, it’s more because I just hate seeing the Flash SWF pre-load in everyone’s web browser when I then get behind in posting and you fans are hit with it when you land on a GSD blog page with embedded video and you aren’t using a Flash-blocking plugin, or have it disabled for my blog.

[screenshot: Process Explorer]

(the evidence as seen in Process Explorer as happened back from April 2013 - late June 2013 )

General philosophy: wipe the baby and keep it, toss the diapers

Why wiping decommissioned IT assets should be a must - Help Net Security - Duh.

The cost of cleaning up - ISC Diary

GrandStreamDreams blog has written heavily regarding securely wiping hard drives. It should be a no-brainer in today’s digital age…and coupled with some whole disk encryption (to boot). Likewise I just can’t grasp how it is cheaper to trash 170 PCs because they were infected rather than having a secure-wipe/standard-image reload process. Don’t skip the ISC Diary article’s Comments section.

Sysinternals/Pass the Hash TechEd North America talks

Sysinternals - and Pass the Hash - at TechEd next week - Aaron Margosis' "Non-Admin" and App-Compat WebLog - These were five keynote talks back from June. In case you couldn’t stop by New Orleans last month, you’ve got some serious catching up to do now!

The Case of…

Case of the Slow Logon – Anti-Virus vs 3rd Party Application - chentiangemalc

Case of the Windows 8 Explorer Hang – Part 1 - chentiangemalc

Defrag Tools takes on Windows Performance Toolkit

You may recall the GSD blog post Case of the Unexplained Donut of Death where I started out using Windows 7 Xperf tool to do some performance troubleshooting. I then jumped from it to the new WPT set in Windows 8 SDK and outlined just how amazing the level of logging detail and analysis was.

Windows Performance Analyzer SDK 8

At the time there was not a considerable amount of documentation out for us mere mortals on how to leverage the true power the tools contained.

No more. The team at Channel 9 has hit the ground hard with a series of videos going into the details on the tool and its features. I suspect more will come. Now I can really start figuring out what all those indicators shown above really mean!

Offline Windows Updating

WSUS Offline Update - I have been a longtime fan of this tool, updated a few days ago to version 8.5. I never leave my cubicle to respond to a system or re-image/deployment without it on my USB stick. It is the #1 tool I know of to help conserve bandwidth and minimize impact at a site where we are doing a deployment. It remains highly Valca recommended! If you are a Windows PC deployment tech or analyst and you don’t have this tool, you either have some super-big circuits, an internal WSUS server, or you can swagger like Beckham and just don’t care.

Portable Update - This “bravo-ware” tool is new to me. Like WSUS Offline Update, once built you can use it to redeploy Windows/MS patches to a target system. The process seems considerably different than WSUS-OU but it may work better for your needs. I’m hoping to test it soon and have a better side-by-side experience to compare them against. For more information on the tool check out the application’s How to use page as well as this AddictiveTips post: Apply Windows Update To Multiple PCs From A USB Drive While Offline.

SysAdmin Tips

Run any app under the NT Authority\Local System account - TinyApps.org - Comparison between ETS (Elevate To System) tool (it has an optional GUI) and psexec.exe from Sysinternals.

FREE: Get Local Admins GUI – Find users with administrator rights - 4sysops

How To Make UEFI Bootable USB Flash Drive to Install Windows 8 - Next of Windows

Making a better, somewhat prettier, but definitely more functional Windows Command Line - Scott Hanselman’s ComputerZen blog

How To Quickly Unlock Local Administrator Account in Windows 8 - Next of Windows

Finally a Windows Task Manager Performance tab blog! - Ask the Performance Team

SysAdmin Utility & Software Leads

Updates: Mark's TechEd Sessions, Autoruns v11.61, Strings v2.52, ZoomIt v4.5 - Sysinternals Site Discussion

Updates: Autoruns v11.6, Procexp v15.31, Procmon v3.05, Sigcheck v1.92 - Sysinternals Site Discussion

Update: Autoruns v11.62 - Sysinternals Site Discussion

Free Windows virtual machines for Mac, Linux, or Windows - TinyApps.org blog - Official developer virtual machine files for XP, Vista, Win7 and Win 8. These are really for Internet Explorer developers but are great for other software testing purposes. Even more details here: Making Internet Explorer Testing Easier with new IE VMs - Rey Bango. Main VMs download link here.

CopyToFlash - Foolish IT - This could be really dangerous. REALLY dangerous. Like most stuff over at Foolish IT. However it could just be dead-helpful for the right audience and application. Basically it just starts a drive monitoring process and then (with a few configuration actions) will copy the contents of a monitored source folder location to any USB flash drive that attaches to the system. Yeah. Dangerous but helpful if you are responsible for updating new content to tons of USB sticks. Oh, did you know it uses RoboCopy? Yep.

Office 2010 Service Pack 2 Released…(mostly)

Just in time after a major Office 2010 rollout at our coal-mine. Nice timing guys…

Microsoft delivers Office 2010 Service Pack 2 - ZDNet - Mary Jo Foley

Office 2010 and SharePoint 2010 Service Pack 2 Availability - Office Sustained Engineering Blog

Description of Office 2010 SP2 - Microsoft Support

How to obtain and install the service pack

Method 1: Microsoft Update (recommended)

Note: In addition to the products in the Office 2010 suite, the service pack 2687455 also updates Microsoft Project 2010, Microsoft Visio 2010, and Microsoft SharePoint Designer 2010.

To download the service pack from Microsoft Update, go to the following Microsoft website:

Microsoft Update

You can opt in a computer to the Microsoft Update service, and then register that service with the Automatic updates to receive the SP2 update. Microsoft Update will detect which products that you have installed, and then apply all updates to the products.

Method 2: Download the SP2 package from Microsoft Download Center

The following files are available for download from the Microsoft Download Center:

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

For more information about a complete list of all released SP2 desktop packages, click the following article number to view the article in the Microsoft Knowledge Base:

2687521 List of all Office 2010 SP2 packages

Cheers,

Claus Valca

New Apps and Utility Updates

Submitted here for your frustration is a jumble of new and updated software applications I’ve collected over the past couple of weeks.

Think of it like the “pot-luck” box where everything is free for the taking after the week-long garage sale has concluded.

Only you might really want something in this mix.

MetroTextual 1.5 - SingularLabs - slick Notepad replacement that has some new improvements in this edition, including Transformers (plugins).

SpeedyFox - CRYSTALIDEA Software - Some time back it got bumped to version 2.0.4. I run this regularly to clean up my Firefox/Chrome/Thunderbird databases. It really helps with launch speed. See also SpeedyFox Portable - PortableApps.com

CPU Meter Pro - Microsys - The GUI is very nice though the level of detail might be a bit less than some sysadmins might prefer.

DLL UnInjector - NoVirusThanks - unload DLLs within a selected process. More at this Unload loaded DLLs with DLL UnInjector post.

Download Backup Thunderbird - free tool to back up Thunderbird email clients spotted in this AddictiveTips post Easily Backup & Restore Your Mozilla Thunderbird Accounts & Their Data. I personally have always relied on MozBackup.

NetworkLatencyView - Nirsoft - New tool that calculates the network latency. Some details in this NirBlog post: New utility that calculates the network latency of every TCP connection. Looks pretty cool for you network troubleshooting and monitoring geeks.

TightVNC version 2.7.10. - What's New in TightVNC

LibreOffice 4.1 is here! - LibreOffice.org

LibreOffice - Home

LibreOffice Productivity Suite Download - LibreOffice

LibreOffice 4.1.0 Portable - PortableApps.com

Opera Next 16 hints at new features - BetaNews. I don’t really follow Opera web-browser development very closely any longer. Most of my time is focused on Firefox/Chrome/Chromium/Internet Explorer. However, there are some details here that might be worth noting.

Network monitor debuts in latest Firefox beta - Mozilla Links. I really, REALLY like this addition…browser-bloat or not.

SMF v 5.0 – Search my Files - funk.eu - I’ve got more than enough Windows file finders, searchers, and file indexing apps that I can summon at will. However funk’s SMF and NirSoft’s SearchMyFiles tools are my go-to file finders without peer. They both have been recently updated with loads of new features and rather than see them as competitors, I see them as complementary utilities depending on the search need at hand.

Intel® Driver Update Utility - Back while I was working on my “What is this “PC-Doctor Module” you speak of?” post, I noted Lavie’s system had the Dell Support Center software installed and how it can help with keeping OEM drivers updated. I checked my own system and the software wasn’t there. Maybe I uninstalled it? Anyway, this Java based application from Intel will do a scan of your system and report if any Intel-based hardware components are present and if a newer driver is available. Sometimes the OEM-branded driver will be preferred, however in most all cases, I have found the Intel driver is much, much fresher and more improved than the OEM version. Yesterday it told me my IntelProNic/WiFi network driver was way old so I updated it to the latest Intel driver version. No issues.

View DELL Service Tag and Express Service Code From Linux and Windows - The Geek Stuff.  Because sometimes it’s a hassle to flip your Dell laptop/desktop around to look for the codes:

1. Get DELL Service Tag on remote Windows system

Login to the Windows remote-host using VNC or remote desktop connection. Use WMIC on Windows to get service tag as shown below.

C:\>wmic bios get serialnumber
SerialNumber
ABCDEF1

Following WMIC command will give make and model number along with service tag.

C:\>wmic csproduct get vendor,name,identifyingnumber
IdentifyingNumber Name Vendor
ABCDEF1 PowerEdge 2950 Dell Inc.

If VNC or remote desktop connection to the remote-host is not available,  execute the following from the local-host to get the service tag of the remote-host.

C:\>wmic /user:administrator /node:remote-host bios get serialnumber
SerialNumber
ABCDEF1
[Note: Replace remote-host with the machine name of your remote-host.]

PeStudio 7.26 - winitor - (updated) - “PeStudio is a free tool to perform static analysis and investigation of any Windows executable file. A file being analyzed with PeStudio is never launched. Therefore, you can evaluate unknown executable files and even malware with no risk. PeStudio runs on any Windows platform and is fully portable, no installation is required. PeStudio does not change the system or leave anything behind.”


SoftPerfect Network Scanner - version 5.4.12 - a free network scanner, tweaked and updated. It’s one of my all-time favs.


Get the Start menu back in Windows 8 and 8.1 with Classic Shell - BetaNews - Tip from Mike Williams that Classic Shell 3.9 beta has improved their flagship tool for reclaiming the ground lost by users everywhere in the ongoing battle for Win8 Start Menu hill against Microsoft. I really like the way this looks. Pop over to Classic Shell directly to download the beta bits if you are interested. I find that I still (for now) prefer IObit Start Menu 8 Free for my Windows 8 tweaking. One of these days I’ll get caught up and empty out my lethargic Windows 8 post-launch pile-o-links that has more than a few additional alternatives. My little brother recommends Stardock’s $ Start8 application for what it’s worth.


Cheers.


--Claus Valca

Personal Whole Disk Encryption

So about two or three weeks ago I decided to bite the bullet and install a whole-disk-encryption solution to my personal laptop.

We use whole disk encryption (WDE) at work on all our systems for security and data-loss prevention so the whole concept is well covered here and I’ve done a number of posts on PGP WDE in particular, when combined with WinPE solutions.

But PGP is a commercial solution, and like some other commercial WDE products, is pretty costly and not a practical solution for most home users.

The whole concept of whole disk encryption is that even if someone physically steals your computer/laptop/portable-drive, they cannot access the data in a readable format without the use of an encryption key. In many ways, I think this is one of the very last bastions of standard computing security practice that hasn’t made it down to the average consumer level…and sadly…many companies and small businesses.  I always shudder when I see computers in small mom-and-pop businesses sitting out in the open near windows and wonder if their customer data is really safe at rest on them.

Anyway, it was time to lock-down the Valca laptops.

There were a small number of free/$$ consumer products out there for whole disk encryption I could have gone with. The two major factors I was particularly concerned with were 1) would system/disk performance be negatively impacted and 2) would recovery options to off-line mount the encrypted disk be available for me to use under a WinPE platform?

Advances in standard desktop hardware performance pretty much rendered the first one not a concern, and I have been using the portable version of TrueCrypt off USB drives and in WinPE for quite a while.

In the end I went with TrueCrypt and haven’t been disappointed.

The whole process is very easy to go through and I’ve seen absolutely no performance issues. In fact, I did all my recent HD video editing exercise with nary a performance blip shortly after my system was running the TrueCrypt whole disk encryption.

You might want to consider some of the points that Michael Pietroforte raised last week over at 4SysOps

  • Is TrueCrypt trustworthy? - 4sysops. I think he does make some valid points, but regardless, my primary concern is data loss prevention from robbery/burglary/my-own-stupidity and not from possible back-door exploits from shadowy government data-collection operations run against the citizenry. Anyway, I thought Michael provided a great and often unconsidered perspective.

Alternative whole disk encryption solutions worth considering for home users

CE-Infosys - Free CompuSec PC Security Suite - I first stumbled across this German-based software solution back when I was seeing how WDE might protect against KON-BOOT. It is completely free for both personal and professional use.

DiskCryptor - Open Source disk partition encryption program. I am not as familiar with this program but it has been kicking around now for a very long time. In addition it also supports Windows LiveCD integration.

Microsoft BitLocker/TPM - Note you need to be running Windows 7 Enterprise or Ultimate (or other Vista/Win 8 supported editions). Windows 7/8 Home editions don’t support it. A system board with TPM chip is not required, but recommended.

For commercial products, this article may be helpful:

Buyer's Guide to Full Disk Encryption - eSecurity Planet

Cheers and stay secure,

Claus Valca

RoboCopy (& a few alternatives) for network file copying

Growing up as kids in Texas, children of a manager at a local oil refinery, in a town surrounded by oil derricks, pump jacks, and refinery noises and smells, it only made sense that one of the most fun games we had to play at home was King Oil. I need to see if mom and my brother know where our game set is being stored. Hopefully we still have it around!

These days, I wonder if someone should make a game called “King Bandwidth” with the goal to successfully manage the needs of the customers, the decisions made by web-based application programmers and OS updating, video feeds and training, “soft phone” communication software, and third party facility service operators who just assume that if there is a network available, they should have the right to hook into it for their own equipment provision and administration. Oh. And you need to manage all potential security threats as well.

One of the challenges we face in our environment is that some tasks for the system administration side of operations involves shuttling very large files across the network. If we do that during primary production hours we run the risk of slowing down the network for our users and the web/cloud-based applications they depend on. If we try it during off-production hours we often get slowed down running into automated nightly infrastructure processes that get priority scheduling.

What I was hoping to do was find some alternatives to allow us to “trickle” copy files around the network that would minimize bandwidth impact.

One might think that if running out of bandwidth is the problem, then just increase the bandwidth. But as any sys/network admin knows, that gets very complicated very quickly. Besides just the raw dollar cost of adding additional capacity (standard copper circuits, coax, fiber) you often have infrastructure costs for additional cabling, upgraded routers/switches, and the like. If you over-buy capacity, you’re wasting money and facing irate fiscal managers; if you under-plan for capacity you are looking at wasting money and having irate end users and other IT admins. Bother. It is a delicate balancing act to be sure.

So anything we can do to live within the existing parameters, but be more efficient is a Good Thing™ .

What would be great would be to find a file-copy/transfer tool that would support some argument options that respected bandwidth so we could “slow-copy” where needed or “fast-copy” when bandwidth wasn’t an issue.

The very first tool that came to mind was Microsoft’s Robust File Copy tool, robocopy.exe. What makes this tool particularly nice is that it is Windows-native and is on almost all our systems already.

Robocopy - TechNet Windows Server & Robocopy - Wikipedia

Aside from all the powerful and cool features it brings, the one that really interested me was the following argument: /ipg:n - specifies the inter-packet gap to free bandwidth on slow lines.

Robocopy - SS64.com - More details on the cli usage and some examples.

One potential “gotcha” with Robocopy is that it doesn’t handle open files. From the Wikipedia article:

Robocopy will not copy open files. Any process may open files for exclusive read access by withholding the FILE_SHARE_READ[4] flag during opening. Even robocopy's Backup mode will not touch those files. (Backup mode instead runs Robocopy as a "Backup Operator". This allows Robocopy to override permissions settings (specifically, NTFS ACLs).[5] [6])

The Windows Volume Shadow Copy service is used for such situations, but Robocopy does not use it. Therefore Robocopy is not useful for backing up live operating system volumes. However, one can use a separate utility, such as DiskShadow.exe[7] (included with Windows Server 2008), to create a shadow copy of a given volume, which Robocopy can then be directed to back up.

Mmkay?

Updated: the exceptionally sharp TinyApps bloggist reminds us there are some great apps to help work around the locked-file issue with RoboCopy. For a full and amazing rundown of applications that can help and solution pop over right now (or at least bookmark) the TinyApps post Copy in-use files from the command line. Great tips and resources as always!

Other points to be aware of, Windows XP doesn’t come with it native, you need to get it from the Windows Server 2003 Resource Kit Tools then add it onto an XP system.

Beginning with Windows Vista through Windows 7 and 8, it was included as part of the base Windows OS package. That’s nicer.

All that to say that depending on where you got your robocopy.exe file, it may be one of several versions…each with their own slight idiosyncrasies.

So robocopy.exe may just be the perfect tool our sysadmins need to use proactively when copying files across our networks to play it safe. Only there is one small hurdle to overcome.

robocopy.exe is a CLI tool. Not a nice, sweet GUI that many (but definitely not all) of today’s IT folks are used to. In my mind, that is a major plus, but for some, eyes glaze over quickly…

Fortunately there is a solution for that:

Utility Spotlight: Robocopy GUI - TechNet magazine post from November 2006.  Robocopy GUI is an unsupported GUI wrapper for robocopy.exe

And under the “Monitoring Options” is the “IPG” field to manage copy actions over the network where bandwidth concerns exist:

[screenshot: Robocopy GUI Monitoring Options showing the IPG field]

How great is that?!

The Robocopy GUI post notes that there is now a newer tool “RichCopy” that offers improvements over Robocopy GUI:

Free Utility: RichCopy, an Advanced Alternative to RoboCopy - TechNet Magazine post from April 2009.

A careful look in the overwhelming number of options it provides shows a “Trickle” feature under the “Mode” area.

[screenshot: RichCopy Mode options showing the Trickle feature]

Unfortunately for us, while RichCopy may be a great tool in other applications, for this particular case, application documentation (and subsequent forum crawls) report the “trickle” feature is not supported.

[screenshot: RichCopy documentation on the Trickle feature]

More details on RichCopy here: How do I ... use RichCopy for high-powered file copy and transfers? - TechRepublic

So that brings us back to robocopy.exe and/or the RoboCopy GUI wrapper and the “/IPG:N” option to control bandwidth during the copy process.

From what I have read in the forums, there is something of a black art to calculating the impact of the “N” value you are looking for.

Fortunately, the awesome crew at ZEDA.nl has some great tips and tools to help dial in your range finding.

ZEDA Windows Tip: Copy files on slow links - ZEDA.nl

The delay is calculated in the formula:
[filesize] / 64KB * IPG
A 300MB file and an IPG value of 500 means a delay of:
300MB / 64KB * 500ms = 307200KB / 64KB * 0,5sec = 2400 sec = 40 min.

Example

I copy a 300MB file over a 1MBit/sec line. If all bandwidth is available this will take 40 minutes; 1Mbit/sec = 1/8MB/Sec = 300MB/2400sec = 300MB/40min

Robocopy IPG Calculator - ZEDA Tools - ZEDA.nl - This tool helps automate the estimation of how long it will take to copy a particular file using Robocopy /IPG:N when provided the filesize, the current transfer rate across the network, and the IPG rate you provide. Pretty handy and cool.
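To make the ZEDA arithmetic concrete, here is a small Python calculator written for this post (it is not the ZEDA tool, nor anything from Microsoft). It assumes, as the ZEDA tip does, that robocopy inserts one /IPG:n gap of n milliseconds after every 64 KB block, uses the same units as the example above (1 MB = 1024 KB, 1 Mbit/s = 128 KB/s), and adds a simple additive model of its own, an assumption, in which gap time is simply added to raw transfer time to estimate the total copy time and to pick an IPG value for a target average rate.

```python
import math

# Assumption shared with the ZEDA tip: robocopy pauses for /IPG:n ms after each 64 KB block.
BLOCK_KB = 64


def ipg_delay_seconds(file_size_kb: float, ipg_ms: int) -> float:
    """Delay contributed by /IPG:n alone: one n-millisecond gap per 64 KB block."""
    blocks = file_size_kb / BLOCK_KB
    return blocks * ipg_ms / 1000.0


def raw_transfer_seconds(file_size_kb: float, link_mbit: float) -> float:
    """Time to move the file if the whole link were available (1 Mbit/s = 128 KB/s)."""
    link_kb_per_sec = link_mbit * 1024 / 8
    return file_size_kb / link_kb_per_sec


def estimate_total_seconds(file_size_kb: float, link_mbit: float, ipg_ms: int) -> float:
    """Additive model (an assumption, not from the robocopy docs): raw time plus the gaps."""
    return raw_transfer_seconds(file_size_kb, link_mbit) + ipg_delay_seconds(file_size_kb, ipg_ms)


def effective_rate_kb_per_sec(file_size_kb: float, link_mbit: float, ipg_ms: int) -> float:
    """Average throughput the copy will consume under the additive model."""
    return file_size_kb / estimate_total_seconds(file_size_kb, link_mbit, ipg_ms)


def ipg_for_target_rate(file_size_kb: float, link_mbit: float, target_kb_per_sec: float) -> int:
    """Smallest whole /IPG:n (ms) that keeps the average rate at or below the target."""
    required_total = file_size_kb / target_kb_per_sec
    extra = required_total - raw_transfer_seconds(file_size_kb, link_mbit)
    if extra <= 0:
        return 0  # the link is already no faster than the target; no gap needed
    blocks = file_size_kb / BLOCK_KB
    return math.ceil(extra * 1000 / blocks)


if __name__ == "__main__":
    size_kb = 300 * 1024  # the 300 MB file from the ZEDA example
    print(f"/IPG:500 adds {ipg_delay_seconds(size_kb, 500) / 60:.0f} min of gaps")
    print(f"raw copy over 1 Mbit/s: {raw_transfer_seconds(size_kb, 1) / 60:.0f} min")
    print(f"estimated total with /IPG:500: {estimate_total_seconds(size_kb, 1, 500) / 60:.0f} min")
    print(f"to hold the copy at 64 KB/s use /IPG:{ipg_for_target_rate(size_kb, 1, 64)}")
```

The first two functions reproduce the 40-minute figures from the ZEDA example exactly; the remaining ones only follow from the additive assumption, so treat their output as a starting point for the range-finding the forums describe rather than a guarantee, and confirm with a real copy on a quiet link.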

Need more examples on how to use Robocopy? Then Bob’s your Uncle! (or rather PramodK, who wrote and actively maintains it):

Robocopy and a Few Examples - TechNet Wiki

Not satisfied with either the robocopy.exe CLI or RoboCopy GUI tool? Want some more options or maybe a better way to save your own advanced robocopy commands for reuse?

Here are some more RoboCopy GUI tools:

Better Robocopy GUI - CodePlex - “Provide intuitive GUI for editing optional parameters of Robocopy command line. It was designed for computer literates who like Robocopy but don't use it very often, and need to review legacy commands from time to time. This program is alternative to Microsoft's Robocopy GUI.”

WinRoboCopy - UpWay2Late.com Software - Though I can’t see where the /IPG:N option can be selected and called…you can however manually add it to your cli string.

Getting off the RoboCopy trail…

Up to this point I was specifically looking at RoboCopy itself, because being a “native” Microsoft application carries some additional benefits inside our organization.

However, if that isn’t a concern, there are some alternative, third-party copy applications that may have some network bandwidth conservation options as well.

Ultracopier/SuperCopier - freeware - (Teracopy, SuperCopier like), replacement for files copy dialogs. It has an option under “Default options” to set a speed limit. More overview details in this AddictiveTips post: UltraCopier - Limit Speed & Pause / Resume File Copy Operation. Get the bits here: Download. And for more options, Download all version of ultracopier including a portable version.

Advanced LAN Pump - SoftSolo - ($$) - has controls for dealing with network bandwidth usage. Previous versions were freeware. If you want the last free version (v2.32) then you can grab it from The Portable Freeware Collection - Advanced LAN Pump.

I really started thinking about a blog post on this again after TinyApps.org bloggist posted some nice tiny apps for copy actions:

So I reached out and TinyApps bloggist kindly offered the following additional gem of an application that I hadn’t yet found in a forum:

backup - How do you limit the bandwidth for a file copy? - Server Fault - comment left by user “levitation”

I use KillCopy for this purpose. I find it very convenient.
It has separate speed and other settings profiles for local and network copy.
It is also able to resume when a transfer of a large file (or files) is interrupted in case of bad connection, or even when the computer hosting the program crashes.

KillCopy - freeware - tiny GUI app that is skinnable and has advanced LAN speed control options

Advanced settings:

    • Speed limit: You can limit the maximum copy transfer speed in Kbps units, or change what part of the current traffic is used by KillCopy.

    LkN - where N is a number 0..10 - speed limit in kbps (see following table)
    LcN - where N is a number 0..10 - speed limit in bps (see following table)
    LpN - where N is a number 0..10 - speed limit in % (see following table)

    N     kbps       %
    0     16         10
    1     32         20
    2     128        30
    3     256        40
    4     512        50
    5     1024       60
    6     2048       70
    7     4096       80
    8     8192       90
    9     16384      100
    10    No limit   No limit

Then again, if you just don’t care about sucking all the bandwidth from your site…

…and bringing down the wrath of the end-users and management, then these alternative file copy tools may also be worth looking into. Some have been previously covered here at GSD:

  • TeraCopy - (free for personal use) – Very nice, fast and tiny.
  • Copy Handler - (freeware) – Dependable and fast file-copy activity. Updated periodically.
  • Roadkil.Net's Unstoppable Copier - (freeware) – Special-use tool to copy files that are “damaged", like those off optical media, or that give other programs copy errors.
  • FastCopy - (freeware) - New to me that some claim is the fastest file-copier tool out-there today.

Finally, since we are way off topic now,

Windows 7 native file-copy process is a big leap forward over the XP dialog windows.

And Windows 8 takes it even further.

Which is one feature on Lavie’s Windows 8 laptop I am envious of that my Windows 7 laptop doesn’t have.

Cheers, and again a special thanks to the TinyApps.Org bloggist for helping me track down some additional alternatives to robocopy for file copy bandwidth management over networks.

Claus Valca

PowerShell Reference Post: The Train Cometh Near…

Ever have that experience when you wake up and realize that event, or project, or whatever that you have been working hard at avoiding or denying is “Upon You”?

Very, very soon down in the coal mine, the opportunity to have Windows PowerShell natively installed on all our Windows desktop system will be realized.

I’ve been doing some old-school “BAT” files and even some very light VBS scripts for a while now to help automate some IT sysadmin functions from the CLI to avoid use of EXE based third-party tools and utilities where possible. Sometimes this has proved wildly successful. Other-times, not so much.

What I probably need to do is hunker down and pound my head into the desk and keyboard and learnz me some Ruby or Perl or Python.

However, for whatever reason, those still seem super-overwhelming to try to figure out how to tackle.

Instead (for now), what I think I really need to do is take the big-boy step of getting some basic familiarity and comfort with PowerShell usage under my belt.

Since the base PowerShell should be on all our deploying Windows 7 systems (and upgradable to what, PS 4.0 now?) that would present a great opportunity to extend system and network administration tasks and increase efficiency.  And since I’m fairly comfortable with the Windows BAT file writing/debugging process, this jump may be a bit easier to make.

So anyway, this is just a list of initial PowerShell references I’m dumping so that I can start my learning process.

If my dear readers have any additional recommendations -- books, URLs, on-line videos, blogs, etc. -- for helping someone get up to speed with learning PowerShell and its support for system and network administration tasks, please drop your tips into the comment jar.

Windows PowerShell - TechNet Script Center Introduction - Windows PowerShell 2.0, Windows PowerShell 3.0, Windows PowerShell 4.0

Getting Started with PowerShell 3.0 | Channel 9 - A nine-part Microsoft video series - “This Jump Start is designed to teach the busy IT Professionals about this powerful management tool. Learn how PowerShell works and how to make PowerShell work for you from the experts Jeffrey Snover, the inventor of PowerShell, together with Jason Helmick, Senior Technologist at Concentrated Technology. IT Professionals, Admins, and Help Desk persons learn how to improve your management capabilities, automate redundant tasks and manage your environment in scale.”

Advanced Tools and Scripting with PowerShell 3.0 - Windows Virtualization Team Blog - Coming August 1st - Free Microsoft Virtual Academy online presentation training event -- “Find out how to turn your real time management and automation scripts into useful reusable tools and cmdlets. You’ll learn the best patterns and practices for building and maintaining tools and you’ll pick up some special tips and tricks along the way.” I expect it will also be up on Channel 9 a week or so later.

PowerShell Script to Manage Java Browser Plug-In and Java Security Level - SANS Windows Security Blog

Download Windows PowerShell Quick Reference - Microsoft Download Center - “Quick-reference guide to commonly-used Windows PowerShell commands.”

Download Windows PowerShell 3.0 Step By Step Guide - Microsoft Download Center - “Microsoft by default has decided to display Windows PowerShell in the Windows 8.1 WinX Power Menu, although you can change it back to Command Prompt, if you wish. But for those of you who’d like to try your hand at learning Windows PowerShell 3.0, you can download these step by step guides released by Microsoft.”

The Windows PowerShell Toolbox - TechNet Script Center - Loads of links and references for using Windows PowerShell

Scripting with Windows PowerShell - TechNet Script Center - Webcast series links and references, scripts, download sources and usage guides.

Discover the Easy Way to Begin Learning Windows PowerShell - Hey, Scripting Guy! Blog

Windows PowerShell Team Blog

Download Windows Management Framework 3.0 - Microsoft Download Center - Contains Windows PowerShell 3.0 among other bits.

Download Windows Management Framework 4.0 Preview - Microsoft Download Center - Not yet ready for production release, this contains the bits for the next generation of Windows PowerShell.  Consider carefully before deployment as some big system incompatibilities haven’t yet been resolved.

Windows PowerShell 4.0 Preview - Rick Barber's Blog. From Rick’s brief summary post…

“You should note that the supported operating systems do not include Windows 8 or anything earlier than Windows 7 SP1.  Sources tell me that PowerShell 4.0 will be included with Windows 8.1 when it is released as well as Windows Server 2012 R2.

“Pay close attention to the link above as the Management Framework 4.0 Preview is not compatible with some Microsoft Server applications including all versions of Exchange server, SharePoint server, and other applications.  You really shouldn’t be installing a preview in a production environment, anyway, but rather using it locally on your workstation or laptop for testing and familiarization.”

PowerGUI.org - Free Windows Powershell Community. When we did a big rollover from Novell to Active Directory, the AD pros who were brought in had PowerGUI prominently displayed on their secondary monitor as they powered through the transitional operations.

PowerShell Pro! - website with tons of on-line tutorials for Windows PowerShell. It doesn’t look like it has been updated for a number of years, but if you are just getting started from the ground up, most of the material here should still be valuable, especially considering the rich illustrations and screen captures that accompany the primary guide texts.

PowerShell Analyzer - (now free) GUI tool to manage PowerShell scripting. Old TechNet Mag review here: Toolbox: New Products for IT Pros

PowerShell.com – PowerShell Scripts, Tips, Forums, and Resources. Community website.

learn windows powershell - YouTube search results on the terms

learn windows powershell - DuckDuckGo search results on the terms.

Cheers!

Claus Valca

Saturday, July 27, 2013

Fun with Lightworks, the Canon 5D Mark II, and little Bro

A few weeks ago, an exciting opportunity came up.

I had the chance to publicly record a nationally-winning high-school student’s (re)performance of his work under controlled settings.

So out came the Canon EOS 5D-Mark II, lenses, and a solid tripod.

My brother had just moved back in town so he got an invite too.

He set up from a different angle with his own amazing Canon EOS 60D.

Someone yelled “action” and we both started shooting HD video on our Canons.

Side note: I am continually surprised and amazed when I learn of feature movies and video productions being shot with the Canon 5D Mark II/III.  I am humbled that I am carrying such an amazing piece of hardware in my camera bag now. Thanks bro! It’s inspiring!

There was one minor flub in the performance so I shot a tight retake of that section with the actor.

Data video files were downloaded and shared. It was grand fun.

A week or two later I sat down at my laptop and faced the daunting task of somehow editing the video from two different camera angles, and the two different audio tracks into a single video performance.

I had a lot of options, both new software and old ones.

In the end I decided to jump off the proverbial cliff and went with the free community version of Lightworks.

The learning curve was very, very high, but I had done due-diligence by spending a few days re-reading the PDF manuals downloaded earlier, I then watched (with full attention) the official Video Tutorials. Peter Bridgman did a bang-up job showing all the core features and things to know to quickly get grounded in the application.

From there I just jumped in (with significant text-messaging support from my brother throughout the day), imported the multiple 4 GB MOV files each of the Canons had captured and started working away.

I had planned on using some of the audio/video syncing features it carries, but in the end the time codes were not quite perfect between the cameras, so it took a bit of trial-and-error to manually make all the angle cuts sync smoothly.

The different angles and lenses also caused some differences in the color. I was able to edit the color in both to match very closely for continuity.  Even the section of performance “retake” slipped in seamlessly.

The final challenge was exporting the video. My first attempt resulted in almost an 80 GB AVI file. Wow!

Another go with some different export settings knocked it down to a more manageable 40 GB size. I still had to run it through a secondary audio/video re-coder app to bring it down to a final 127 MB video file size so that it could play on a DVD format without stuttering.

The end result was a pretty awesome HD video production shot with my bro, after at least 12 hours of learn-as-you-go video editing and post processing. The family of the student we shot the video for were blown away with the results, as were my brother and other family who got to share in the final production.

Through it all Lightworks (x64 bit build 11.1) never choked or had any problems. My Intel i7 processor with 8 GB system RAM kept up with the workload as well.  I’m super glad I made that investment at the time of purchase. It hardly broke a sweat!

For being an amateur videographer on a first foray into HD video recording and editing, it was a lot of fun and I’ll definitely have much more confidence the next time we roll into the field.

Not soon after I was done, I spotted news about Adobe Premiere Pro’s own features and multi-video sync support:

Adobe Premiere Pro CC Hands-On: Multi-GPU Support and More - Windows Extreme Blog

While Lightworks probably isn’t going to win most home users away from more friendly video-editing apps, it is a truly professional-grade video editing platform…and the free version will probably be way beyond most average users’ ability to exceed its options.

More:

And the New Lightworks Version 11.1.1.e Now Available as Public Beta looks even more amazing!

Lightworks NLE free edition - Highly Valca Recommended!

--Claus Valca

What is this “PC-Doctor Module” you speak of?

Overall, Lavie has really enjoyed her Inspiron 15 (3520) Laptop from Dell.  It runs Windows 8 x64 bit flawlessly, and aside from installing and configuring IObit StartMenu8 Free so she can get directly to the desktop and have a traditional “Start” menu experience, issues have been nil.

So it was with surprise that a few months ago she started cursing it.

After one particularly colorful fuss-session when it locked up (again) right in the middle of some fan-fiction story she was in the middle of, she tossed it to me and said, “Here, deal with it!”

After some careful and tender IT support questioning (remembering the end user was my wife and not a customer at work), it became apparent the issue had been happening daily for some time.

Examining the laptop, it was completely locked. One clue, though, was that the CAPS lock key still worked, which suggested it wasn’t a hardware lockup of the system but rather something process related.

I set all our laptops to run Process Explorer at login, and to display a number of graphs in the system tray. It provides me great visual data…especially when troubleshooting an issue…even during an apparent lockup. Did the CPU throttle up? Did the RAM get all used up? Did I/O or network activity increase? All great clues.

Unfortunately, they weren’t moving either and didn’t look unusual, the spinner donut was stale, and no amount of three-key-toggle coaxing could get the system to respond…the slight good news was that it wasn’t showing a black-screen-of-death.

Each time it locked up, the spinner would first kick off, then the system would freeze.  A hard power-cycle would restore it with no apparent harm done…until the next lockup the following night.

After I power-cycled it and brought it back up I first went carefully through all the running processes in Process Explorer but didn’t find any evidence of malware/foist-ware/etc. Looked clean as a whistle and matched my baseline recollection when the system was first pulled from the factory box.

Next I checked the Reliability Monitor and problem history.

Jackpot!


Each of those red circle-x’s indicated “PC-Doctor Module” stopped working. Scrolling back in time, it was a consistent and terrible failure, and very likely the core source of the daily laptop freeze.

I wasn’t familiar with it, but it sounded like some nasty malware or scamware that Lavie may have accidently encountered in her web-surfing. Time to play some DuckDuckGo.

The very first link filled me in with enough details to grasp the situation:

PC-Doctor Module has stopped working but not sure if I have it on my computer… - Microsoft Community

Turns out this isn’t an unknown problem with many users who have Dell (and other) systems. Some additional focused searching reveals a large number of forum posts with many complaints about system lockups and crashes.  The general recommendation is to just uninstall PC Doctor and be done with the issue.

I learned some good news from my search: PC-Doctor Module is legit software and could be very helpful and useful to end-users.

However, more than a few users replied in frustration that the “simply uninstall it” option didn’t sit too well, as the overall software package that contains it also includes some dead-useful tools and utilities--particularly OEM focused--for additional diagnostics work and driver updating.

I have to agree with them.

In Lavie’s Dell laptop’s instance, it is included under the Dell Support Center PC Checkup group.

So I did what any normal IT guy does when handed a regularly freezing laptop by their spouse.

I first launched the app.


Dove into it.


Confirmed it had some extra features that looked useful enough to keep around, rather than uninstalling…


And planned to tell it to disable the regular scheduled hardware scans.

But there weren’t any scheduled.  Hmm.


So then I did what any sysadmin IT guy does when handed a regularly freezing laptop by their spouse, fire up Auto Runs, find the auto-start entries for PC-Doctor and disable them.


Done.  I handed the laptop back to Lavie, grinned with that practiced humble-IT-guy smirk we often have after solving an issue, and went back to whatever it was I was doing.

So I was a hero and Lavie gave her prince a kiss.

Turns out that was a froggy-prince she kissed.

The very next day, Lavie was back with her laptop fussing again about it being locked.

So, that wasn’t quite the brilliant solution I had hoped; to preserve the Dell Support Center but disarm the PC-Doctor Module.

Now it was gloves-off time, my clever IT guy skills were being besmirched by PC-Doctor, and the audacity to do so in front of my precious end-user #1.

I went directly back to the Reliability Monitor after another hard-boot to get it going again.

The same PC-Doctor Module error was there again.

I had learned something very important in my first failure, that something else was calling it to launch, on a regular basis, almost as if…it…were…scheduled?!!!

Yep.

This time I pulled up Task Scheduler and very, very, very carefully picked my way through all the entries.

There it was, the missing bit.

Both “PCDEventLauncher” and “PCDOctorBackgroundMonitorTask” were showing disabled, from my previous Auto Runs work. But I missed one non-PC-Doctor labeled item:


I quickly set that one to “Disabled” as well.


Since catching this one additional item, there have been no more lockups.


YMMV with this fix, but I feel confident this resulted in a balanced solution for us; the Dell Support software remains installed and available if ever needed on the system but the utility process causing the lockups has been neutralized.

I wish I could provide some “root-cause” analysis on why that module caused Lavie’s laptop to freeze each and every time. Since it was like clock-work, I suppose I could run a Windows Performance Monitor, Windows Performance Analyzer (especially the new Windows 8 version), or maybe even a simple Process Monitor trace session just before the time it always locks up to see what was causing problem; a resource issue? conflict with another running process? missing file?  Maybe simply re-installing the Dell Support Center to a newer version would resolve it. I’m not bothering right now.

In this case, end-user #1 was delighted to have uninterrupted fan-fiction reading sessions restored and I was happy Lavie was happy. And she loves her new Windows 8 Dell laptop again. We call that a win/win.

If you have Windows 7/8 system, don’t forget about the Reliability Monitor for gathering intel in troubleshooting. It’s super-useful.

If you need to access it directly, you can A) add a Reliability Monitor Shortcut (Windows 7 Help Forums) or B) just start typing “reliability history” in the “search all programs and files” box under your Start menu.
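The two places this hunt ended up, the Reliability Monitor history and the Task Scheduler library, can both be queried from PowerShell, which saves the “very, very, very carefully” pass through the task list and catches a task whose name gives no hint of what it launches. Here is an added example, not from the original post or from Dell or PC-Doctor; it runs on Windows 8 / Server 2012 and later (it uses the ScheduledTasks module and Get-CimInstance), the function names and the $Pattern parameter are mine, and the “PC-Doctor” and “Dell Support” strings are only sample search values. Run it elevated to see every task rather than just your own.

```powershell
# Added example: query what Reliability Monitor and Task Scheduler show, from PowerShell.
# Requires Windows 8 / Server 2012 or later. Function names and $Pattern are assumptions.

function Get-AppFailureHistory {
    # Reliability records (the data behind Reliability Monitor) whose product name
    # or message matches $Pattern, newest first. Win32_ReliabilityRecords is the
    # documented WMI class; Get-CimInstance returns TimeGenerated as a DateTime.
    param(
        [Parameter(Mandatory)][string]$Pattern,  # regex, case-insensitive
        [int]$Days = 30                          # how far back to look
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object {
            $_.TimeGenerated -ge $since -and
            ($_.ProductName -match $Pattern -or $_.Message -match $Pattern)
        } |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, SourceName, EventIdentifier, ProductName
}

function Find-ScheduledTaskByCommand {
    # Every scheduled task, enabled or disabled, whose action program or arguments
    # match $Pattern, regardless of the task's own name. This is the check that
    # finds a task not labeled after the product it launches.
    param([Parameter(Mandatory)][string]$Pattern)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute; the join makes those an empty string.
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -and $cmd -match $Pattern) {
                $triggerKinds = $task.Triggers |
                    ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Triggers = ($triggerKinds -join ',')
                    Command  = $cmd
                }
            }
        }
    }
}

# Sample usage. Nothing below changes the system.
Get-AppFailureHistory -Pattern 'PC-Doctor' -Days 90 | Format-Table -AutoSize

$hits = Find-ScheduledTaskByCommand -Pattern 'pc-?doctor|dell support'
$hits | Format-Table -AutoSize

# After reviewing the hits, the equivalent of setting them to "Disabled" in the GUI is:
# $hits | Where-Object State -ne 'Disabled' |
#     ForEach-Object { Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName }
```

Matching on the action's command line rather than the task name is the point of the second function: the Autoruns pass in the post caught the two tasks with PC-Doctor in their names, and the one that kept the lockups going was the one labeled something else. Keep the output of Get-AppFailureHistory from before the change; if the same ProductName stops appearing in new records after the task is disabled, you have the confirmation the Reliability Monitor screenshot gave here, without scrolling.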

I hope this helps.

Cheers,

--Claus Valca

Sunday, July 14, 2013

ForSec briefs - Low Post Consumer Waste version

Forensic LiveCD News

EMET 4.0 Related

Fundamentals are Everything

Windows Incident Response Blog’s Harlan Carvey is running a great series of “How To” posts

Updates! Get Yer Updates!

Cheers.

--Claus V.

File under “That’s one way to do it.”

A KACE solution is used to produce a multi-platform image of our systems.

I’m not exactly sure how they make the master editions. The Home Office works behind closed doors once every few months when the moon cannot be seen at midnight. I guess it’s an “eye of newt, toe of toad” thing.

Anyway, we get the master USB stick, deploy it with much chanting and spinning to a local system, then pass some Latin command-line FU to the all powerful “Run" box. About 3-4 hours later a completely built KACE system (re)imaging stick spawn results. Then we have to repeat to build the next storm trooper clone.

It’s a time consuming process, and since I don’t have a physical multi-USB drive replication device, it can take up to a week (while multi-tasking) to update all the drives our team carry for system reimaging when a new refresh occurs.

So what I do is build a single updated one, then use Alex’s awesome USB Image Tool to capture a full image of the built stick. For the standard 16 GB stick we use, it doesn’t take too long to capture the “IMG” file back to the system HDD.

Once I have that, I just turn around and write that image back to each of the follow-on USB sticks. The process still takes up to an hour per stick to write back out, but that’s several hours faster than the standard process takes.

One alternative is OSForensics - ImageUSB. I like it and USB Image Tool as they allow you to take an image and write an image all with the same tool.  I also found Flash Drive Image Creator, which just lets you take an image, and Win32 Disk Imager or USBWriter, which then allow you to write that image to a USB drive. I haven’t used them, unlike ImageUSB or USB Image Tool, so YMMV.

All this is well and good until recently we got some 64 GB USB sticks to use.

The stock scripted process we follow from the master set of building files works fine with them…up to a point. When done, it results in a 16 GB formatted partition. The remaining volume space is left unallocated in the process.

As I understand it (but haven’t verified myself), the long process the KACE tool uses to create each of the sticks uses UFDPREP.EXE to do the target USB drive’s formatting and conditioning, making it bootable to the KACE PE (just a custom WinPE) environment from which the image deployment scripts run.

It has been said (again I haven’t been able to find documentation to support) that UFDPREP only supports setting the formatting size for the flash drive up to 16 GB.  As I haven’t tested it independently, it might be that the script that the UFDPREP runs for in the drive building process is set somewhere to just use a 16 GB size. Changing its “/size=n” argument value to /size=65536 might work. Maybe.

(Side note: yes I know there are lots of ways and tons of tools to accomplish the formatting and boot-support prepping of a flash drive to almost whatever upper size you want limited only by the physical memory capacity of the device. The challenge here is that the official tool/process automates use of UFDPREP at the very onset of the scripted build process to the target device. So a maximum 16 GB formatted partition is what you get on the output if you want to also get the built image deployment tools and files with it.)

Anyway, I didn’t have the spare time to look into this too deeply. I needed a solution now.

So what I did was take my previously captured IMG file of a 16 GB built USB imaging stick and used “USB Image Tool” to restore it to one of the 64 GB sticks.

It went on fine and quick and resulted (as expected) in a fully functional USB stick for imaging purposes that had a 16 GB volume (just like the original it was captured from) with the remainder unallocated space. That would work “as is” for image deployments but we can’t let that unallocated space go to waste can we?

So I then booted a lab system with a Parted Magic “LiveCD”.

I attached the 64 GB stick and used the “Partition Editor” utility to first locate the device (I think it was listed as “/dev/sdb”), then went through the process to resize the 16 GB partition to take in the remaining unallocated space. I ran the operation and, after a warning that it might screw up the data, it completed with no fuss. See a visual walkthrough of the process concept below.

When the properties for the updated device were checked on a Windows system, the full 64 GB size available on the stick partition was now showing!  Further testing in image deployments found that no corruption to the files/data occurred. It worked great.

I understand that if instead of XP we were running Windows 7 (or Vista) -- which we are not -- then I could have accomplished the same thing natively with the Disk Management tool. Maybe that day will come soon.

I found using Parted Magic a breeze. It was super fast and has been dead-on reliable all the years I have used it to clean up and fiddle with drive partitions.

However, there are some other free partition management software tools that run natively in Windows. Check the licensing requirements to make sure they are not “personal use only” and respect them accordingly. Some of the free versions have stripped-down features compared to the “pro” paid version the same company offers.

I keep one or two of these on my USB utility stick as a “just in case” if either DISKPART or Parted Magic fail me. But they really aren’t the butter for my bread.

That said, they look like they could do the same thing that Parted magic is delivering if Linux isn’t your thing.

Like I said, file this under “that’s one way to do it” for using a USB IMG file created from a smaller sized partition on a larger sized USB flash drive, then restoring the additional unallocated space.

If any GSD readers have any additional ways to accomplish the same thing via Windows Command-Line Fu or a small GUI utility I’d love to hear your suggestions; especially if the utilities are freeware/open-source or command-line only and especially if they would work in XP.

Also, if anyone can find documentation on any formatting size limitations that UFDPREP.EXE carries, I’d love to see the linkage. My Google search skills are not too shabby but I haven’t had luck with the right key search terms just yet. I’d like to know the formatting limits of the tool before I tear into the actual process to see if our method is passing it a hard-coded /size=16384 or not.

Cheers.

--Claus V.

PS: Misc links I found in the process of searching for info on UFDPREP.EXE that might be interesting to someone:

WinPE Bootable USB - Creating from XP - The CD Forum - Walkthrough on where to get the binary file (from original source) and how to extract it (note it involves Microsoft’s Windows Embedded feature pack).

A Deep Dive into USB Boot - msdn - How UFDPREP actually does its magic.