Windows Administration
Latest revision as of 11:11, 2 January 2025
CMD.EXE
Configuration
- Enable file and path name completion (see help cmd); both values are REG_DWORD and 09 is the Tab key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar <-- 09 (tab)
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar <-- 09 (tab)
- Command extensions are enabled by default:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
- Delayed environment variable expansion is not enabled by default (a value under HKEY_CURRENT_USER takes precedence over the HKEY_LOCAL_MACHINE one; cmd /V:ON enables it for a single instance):
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
Other useful config tools:
- DOSHere: opens a cmd prompt by right-clicking on any directory in Windows Explorer
Device Management
View and Delete Unused Devices
Open a cmd.exe console and start Device Manager from it, so that it inherits the variable:
set devmgr_show_nonpresent_devices=1
devmgmt.msc
In Device Manager select View → Show hidden devices. Devices that are no longer present are greyed out and can be uninstalled.
Disk Management
Convert Logical Drive Letter to PhysicalDrive
The following C program illustrates which Win32 APIs convert a logical drive letter like C: to the corresponding PhysicalDrive specification: open the volume device \\.\X: and ask it for its STORAGE_DEVICE_NUMBER. Only letters reported by GetLogicalDrives() are tried, and the handle is closed after each query.
#include <stdio.h>
#include <windows.h>
#include <winioctl.h>   /* STORAGE_DEVICE_NUMBER, IOCTL_STORAGE_GET_DEVICE_NUMBER, FILE_DEVICE_DISK */

int main(void)
{
    char drive[] = "\\\\.\\A:";               /* the device path \\.\A: */
    DWORD driveMask = GetLogicalDrives();      /* bit i set <=> drive letter 'A'+i is in use */

    for (int i = 0; i < 26; i++)
    {
        if (!(driveMask & (1u << i)))
            continue;                          /* skip letters that are not assigned */
        drive[4] = (char)('A' + i);
        printf("Drive: %s\n", drive);

        /* Desired access 0: we only query device attributes, no read/write needed. */
        HANDLE hDevice = CreateFileA(drive, 0, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                     NULL, OPEN_EXISTING, 0, NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
        {
            printf("\tCreateFile failed: %lu\n", GetLastError());   /* e.g. network drives */
            continue;
        }

        STORAGE_DEVICE_NUMBER sdn;
        DWORD returned;
        if (DeviceIoControl(hDevice, IOCTL_STORAGE_GET_DEVICE_NUMBER,
                            NULL, 0, &sdn, sizeof(sdn), &returned, NULL))
        {
            printf("\tDevice type: %lu number: %lu partition: %lu\n",
                   sdn.DeviceType, sdn.DeviceNumber, sdn.PartitionNumber);
            if (sdn.DeviceType == FILE_DEVICE_DISK)     /* 7; CD-ROMs report FILE_DEVICE_CD_ROM */
                printf("\t-->\t\\\\.\\PhysicalDrive%lu\n", sdn.DeviceNumber);
        }
        CloseHandle(hDevice);
    }
    return 0;
}
Compile with (MinGW or Cygwin; kernel32 is linked by default):
% gcc logicalToPhysicalDrive.c -o logicalToPhysicalDrive.exe
Example of output:
Drive: \\.\C:
Device type: 7 number: 0 partition: 1
--> \\.\PhysicalDrive0
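The same mapping from PowerShell, using the Storage module cmdlets present on Windows 8 / Server 2012 and later. This is an added example, not code from the page; it queries the local machine, so its output depends on the host it runs on.

```powershell
function Get-PhysicalDrivePath {
    # Map a drive letter (e.g. 'C') to its \\.\PhysicalDriveN device path, the
    # same information the C program above obtains with
    # IOCTL_STORAGE_GET_DEVICE_NUMBER. Requires the Storage module (Windows 8+).
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]$')]
        [string]$DriveLetter
    )
    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    $disk      = $partition | Get-Disk
    [pscustomobject]@{
        DriveLetter     = $DriveLetter.ToUpper()
        DiskNumber      = $disk.Number
        PartitionNumber = $partition.PartitionNumber
        PhysicalDrive   = "\\.\PhysicalDrive$($disk.Number)"
        BusType         = $disk.BusType      # e.g. NVMe, SATA, USB
        IsBoot          = $disk.IsBoot
    }
}

function Get-AllPhysicalDrivePaths {
    # Enumerate every lettered volume, as the C loop over GetLogicalDrives() does.
    # Optical and network volumes have no partition object and are reported as warnings.
    foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter -match '^[A-Z]$' }) {
        try   { Get-PhysicalDrivePath -DriveLetter "$($vol.DriveLetter)" }
        catch { Write-Warning "$($vol.DriveLetter): $($_.Exception.Message)" }
    }
}

Get-AllPhysicalDrivePaths | Format-Table -AutoSize
```

The PhysicalDrive path is what imaging and forensic tools take as input, so check IsBoot and BusType before pointing such a tool at a disk.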
SSD Configuration
Optimizations after installing an SSD [1]. These notes are from the Windows 7 era; Windows 8 and later detect SSDs and run TRIM instead of defragmentation on them, so most of the manual steps below are unnecessary there:
- Enable AHCI in the BIOS.
- Verify TRIM is enabled: the following command must report DisableDeleteNotify = 0
fsutil behavior query disabledeletenotify
- Check partition alignment (done in Linux).
- Turn off disk indexing (Disk → Properties → uncheck "Allow files on this drive to have contents indexed in addition to file properties").
- Turn off defragmentation (Disk → Tools → Defragment now... → Configure schedule... → uncheck "Run on a schedule (recommended)").
- Turn off system protection (Computer → Properties → System protection → Configure... → Turn off system protection). Note that this deletes all restore points and removes the ability to roll back a bad update or driver; weigh the space saving against that.
- Disable prefetch: in regedit go to HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, then
  - set EnablePrefetcher to 0 (was 3),
  - set EnableSuperfetch to 0 (was 3),
  - go to services.msc and disable the SuperFetch service.
- (no change to GUI boot)
Regedit
Command-line
Using regtool (cygwin):
regtool /s registry_file.reg ;Silent merge registry file (no user confirmation)
Using regedit.exe / reg.exe (Windows):
:: Silent merge of a .reg file (no confirmation prompt)
regedit /s registry_file.reg
:: Create a persistent per-user environment variable. %CD% is the current
:: directory; quote the whole assignment so that paths with spaces survive.
set "MYROOT=%CD%"
echo Setting global USER environment variable MYROOT to %MYROOT%
reg add HKCU\Environment /v MYROOT /t REG_SZ /d "%MYROOT%" /f
Note that reg add writes the value but does not broadcast the change to running programs, so new console windows only see MYROOT after the next logon (setx does broadcast it).
Regedit .reg File Format
See also Microsoft's reference pages and the Wikipedia article on the .reg file format.
See also regtool chapter on Cygwin page.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
@=dword:00000000
"SetupType"=dword:00000000
"CmdLine"="setup -newsetup"
"SystemPrefix"=hex:c5,0b,00,00,00,40,36,02
; Comments are created with a semi-colon
; Delete a value by assigning a minus to it
"SetupType"=-
; Delete a key by preceding the name with a minus sign
[-HKEY_LOCAL_MACHINE\SYSTEM\Setup]
The header line indicates the format version and must be one of:
Windows Registry Editor Version 5.00: Windows 2000, XP, Server 2003 and later. The file must be saved as Unicode (UTF-16LE) and hex(7)/hex(2) string data is encoded as UTF-16LE.
REGEDIT4: Windows 98 and NT 4.0, but also accepted by 2000, XP, 2003 and later. The file is ANSI and hex string data is one byte per character.
Network
Detect Network Environment Change
The following VBS script can be used to detect automatically when a network cable is connected or disconnected ("network cable unplugged"), as in [2]. Some explanations at [3], and more on [4].
Use MSNdis_StatusMediaDisconnect to detect when a cable is unplugged.
Set colMonitoredEvents = GetObject("winmgmts:root\wmi")._
ExecNotificationQuery("Select * from MSNdis_StatusMediaConnect")
Do
Set strLatestEvent = colMonitoredEvents.NextEvent
WScript.Echo "Connected! Do something here"
' enable the line below if you want to exit after the first event.
' Exit Do
Loop
The same script restricted to one adapter by filtering on InstanceName (use the adapter's description as shown in Device Manager or by Get-NetAdapter):
Set colMonitoredEvents = GetObject("winmgmts:root\wmi")._
ExecNotificationQuery("Select * from MSNdis_StatusMediaConnect" _
& " WHERE InstanceName = '3Com 10/100 Mini PCI Ethernet Adapter'")
Do
Set strLatestEvent = colMonitoredEvents.NextEvent
WScript.Echo "Connected! Do something here"
' enable the line below if you want to exit after the first event.
'Exit Do
Loop
Wireless network
netsh wlan show profiles # Show list of available profiles
netsh wlan show all # Show details
netsh wlan export profile folder="PATH_TO_FOLDER" name=PROFILENAME # Export profiles with folder/name
netsh wlan export profile # Export all profiles
# More advanced
Netsh WLAN show drivers
Netsh WLAN show wirelesscapabilities
Netsh WLAN show interfaces
Netsh WLAN show profile name="Profile_Name" key=clear
# Troubleshoot
Netsh WLAN show WLANreport # Generate troubleshoot report (html)
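key=clear prints the pre-shared key in plaintext: anyone who can run netsh elevated on the host recovers every saved Wi-Fi password, which is why this is a routine post-exploitation and audit step. The following PowerShell, an added example and not code from the page, wraps the two netsh commands into a table of SSID, authentication type and key. It assumes English netsh output, since the labels are localized, and only looks at "All User Profile" entries.

```powershell
function Get-WlanProfileKey {
    # List every saved Wi-Fi profile with its stored key by parsing netsh output.
    # Assumptions: English Windows (netsh labels are localized) and an elevated
    # shell (keys of all-user profiles are only shown to administrators).
    $names = netsh wlan show profiles |
        Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name" key=clear

        $authLine = $detail | Select-String -Pattern '^\s*Authentication\s*:\s*(.+)$' | Select-Object -First 1
        $keyLine  = $detail | Select-String -Pattern '^\s*Key Content\s*:\s*(.+)$'    | Select-Object -First 1
        $auth = $null
        $key  = $null                  # stays $null for open or 802.1X networks
        if ($authLine) { $auth = $authLine.Matches[0].Groups[1].Value.Trim() }
        if ($keyLine)  { $key  = $keyLine.Matches[0].Groups[1].Value.Trim() }

        [pscustomobject]@{
            SSID           = $name
            Authentication = $auth
            Key            = $key
        }
    }
}

Get-WlanProfileKey | Format-Table -AutoSize
```

On a shared or imaged machine, treat the output as credentials: the same keys are exported in plaintext by netsh wlan export profile key=clear, so exported XML files need the same handling.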
Tips / How-tos
Re-Enable Hibernate Option (Vista)
On Vista, hibernation is disabled after running the Disk Cleanup wizard and removing the hibernation file. To re-enable it (see [7]):
- Go to the Command Prompt icon in the Start menu under Accessories, right-click it and choose "Run as administrator".
- Run powercfg.exe /hibernate on (powercfg -h on is the same command in short form).
- Open Control Panel and type in “Hibernate” in the Search.
- Click “Turn hibernation on or off”
- Click “Change advance power settings”
- Scroll to and expand the “Sleep” option.
- Select “Off” to the “Allow hybrid sleep” option.
- Scroll to and expand the “Power buttons and lid” option.
- Select “Hibernate” for the “Sleep button action” option.
- Select “Hibernate” for the “Start menu power button” option.
Enable Login Verbose Status
Reference: [8]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"VerboseStatus"=dword:00000001
Patch file version data
Windows executables and DLLs carry a version resource (VS_VERSION_INFO) that stores release information about the file (file version, company name, etc.). Explorer shows it via right-click → Properties → Version (Details on Vista and later). The record can be edited with a hex editor such as UltraEdit; locate it by searching for either of these UTF-16LE strings:
560053005F00560045005200530049004F004E005F0049004E0046004F00 // V.S._.V.E.R.S.I.O.N._.I.N.F.O.
460069006C006500560065007200730069006F006E // F.i.l.e.V.e.r.s.i.o.n.
The version number shown at the top of the Version panel is stored in binary, not as text: the VS_FIXEDFILEINFO structure that follows the VS_VERSION_INFO key holds two little-endian DWORDs, dwFileVersionMS (major in the high word, minor in the low word) and dwFileVersionLS (build, revision). The dump below therefore encodes file version 1.2.3.4 as 02 00 01 00 04 00 03 00. The FileVersion string in the StringFileInfo block is a separate, human-readable copy; change both if they are meant to agree. Any such edit also invalidates an Authenticode signature on the file, since the resource section is covered by the signed hash.
xx xx xx xx xx xx xx xx xx xx 56 00 53 00 5F 00 // xxxxxxxxxxV.S._.
56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 // V.E.R.S.I.O.N._.
49 00 4E 00 46 00 4F 00 xx xx xx xx xx xx xx xx // I.N.F.O.xxxxxxxx
xx xx xx xx 02 00 01 00 04 00 03 00 xx xx xx xx // xxxx........xxxx
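The same structure walk in PowerShell, as an added example (not the page's code): locate the UTF-16LE VS_VERSION_INFO key, verify the VS_FIXEDFILEINFO signature 0xFEEF04BD that follows it, then read or rewrite dwFileVersionMS/dwFileVersionLS in place. The sample byte array is constructed inline to match the dump above; its wLength/wValueLength values are placeholders.

```powershell
function Find-VersionInfoOffset {
    # Return the byte offset of the UTF-16LE "VS_VERSION_INFO" key, or -1.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $key = [System.Text.Encoding]::Unicode.GetBytes('VS_VERSION_INFO')   # the 56 00 53 00 5F 00 ... pattern
    for ($i = 0; $i -le $Bytes.Length - $key.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $key.Length; $j++) {
            if ($Bytes[$i + $j] -ne $key[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

function Get-FixedFileVersionOffset {
    # VS_VERSIONINFO = wLength, wValueLength, wType (6 bytes), szKey (16 UTF-16
    # units incl. terminator = 32 bytes), padding to a 4-byte boundary, then
    # VS_FIXEDFILEINFO. So the fixed info starts 34 bytes after the key's first byte.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $keyStart = Find-VersionInfoOffset -Bytes $Bytes
    if ($keyStart -lt 0) { throw 'VS_VERSION_INFO not found' }
    $ffi = $keyStart + 34
    $sig = [BitConverter]::ToUInt32($Bytes, $ffi)            # dwSignature
    if ($sig -ne 0xFEEF04BD) { throw ('bad VS_FIXEDFILEINFO signature 0x{0:X8}' -f $sig) }
    return $ffi
}

function Get-FixedFileVersion {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $ffi = Get-FixedFileVersionOffset -Bytes $Bytes
    $ms  = [BitConverter]::ToUInt32($Bytes, $ffi + 8)         # dwFileVersionMS: major.minor
    $ls  = [BitConverter]::ToUInt32($Bytes, $ffi + 12)        # dwFileVersionLS: build.revision
    '{0}.{1}.{2}.{3}' -f ($ms -shr 16), ($ms -band 0xFFFF), ($ls -shr 16), ($ls -band 0xFFFF)
}

function Set-FixedFileVersion {
    # Patch dwFileVersionMS/LS in place (the edit the section describes doing by hand).
    # This changes bytes inside the .rsrc section, so an Authenticode signature on
    # the file no longer verifies afterwards.
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$Major, [int]$Minor, [int]$Build, [int]$Revision)
    $ffi = Get-FixedFileVersionOffset -Bytes $Bytes
    $ms  = [BitConverter]::GetBytes([uint32](($Major -shl 16) -bor $Minor))
    $ls  = [BitConverter]::GetBytes([uint32](($Build -shl 16) -bor $Revision))
    [Array]::Copy($ms, 0, $Bytes, $ffi + 8, 4)
    [Array]::Copy($ls, 0, $Bytes, $ffi + 12, 4)
}

# Constructed sample (not a real file): 8 filler bytes, then a VS_VERSIONINFO
# header whose fixed info encodes file version 1.2.3.4 as in the dump above.
$sample = [byte[]](
    (1..8 | ForEach-Object { 0xAA }) +
    @(0x5C,0x03, 0x34,0x00, 0x00,0x00) +                               # wLength, wValueLength, wType (placeholders)
    [System.Text.Encoding]::Unicode.GetBytes("VS_VERSION_INFO`0") +    # szKey with terminator
    @(0x00,0x00) +                                                     # padding to 4-byte boundary
    @(0xBD,0x04,0xEF,0xFE, 0x00,0x00,0x01,0x00) +                      # dwSignature, dwStrucVersion
    @(0x02,0x00,0x01,0x00, 0x04,0x00,0x03,0x00)                        # 1.2 / 3.4
)
Get-FixedFileVersion -Bytes $sample
Set-FixedFileVersion -Bytes $sample -Major 5 -Minor 6 -Build 7 -Revision 8
Get-FixedFileVersion -Bytes $sample

# On a real file: $b = [IO.File]::ReadAllBytes('C:\path\to\file.exe'); Get-FixedFileVersion -Bytes $b
```

For a signed binary compare the result with Get-AuthenticodeSignature before and after: the status drops from Valid to HashMismatch once the resource bytes are changed.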
Shut down / lock windows from command-line
Using rundll32.exe (see [9]):
rundll32.exe user32.dll,LockWorkStation
Another one:
rundll32.exe shell32.dll,SHExitWindowsEx [0|1|2|4|8]
:: 0: logoff, 1: shut down, 2: reboot, 4: forced shutdown, 8: powers down the machine
Rename / Delete locked files using Registry
This uses the REG_MULTI_SZ value PendingFileRenameOperations under the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]. The Session Manager (smss.exe) processes it early in the next boot, before the files are opened by anything else, which is how in-use files get replaced or removed. The supported way to populate it is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, but it can also be written directly. Entries come in pairs, source then target, as NT object paths:
\??\source file
!\??\target file
The leading ! on the target means an existing target is overwritten. To delete a file, the target entry is the empty string, i.e. the source string's terminating 00 is followed by another 00 (and then the final 00 that ends the list). The registry file below deletes a file named c:\TEMP\Kill-ME.eXe:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):5C,3F,3F,5C,63,3A,5C,54,45,4D,50,5C,4B,69,6C,6C,2D,4D,45,2E,65,58,65,00,00,00
Another way is to use the windows program reg.exe.
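An added PowerShell example (not the page's code) that builds the same .reg file in the current 5.00 format, where hex(7) data is UTF-16LE rather than the one-byte-per-character REGEDIT4 encoding above, and that lists what is currently queued. The latter is a worthwhile check during incident response: the key is processed as SYSTEM at boot and is a known way for malware to delete or replace files it cannot touch while they are open.

```powershell
function ConvertTo-RegMultiSzHex {
    # Encode strings as the hex(7) payload of a "Windows Registry Editor Version
    # 5.00" file: UTF-16LE, each string NUL-terminated, list ends with an extra NUL.
    # (The REGEDIT4 example above is the older 8-bit encoding of the same data.)
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Strings)
    $bytes = New-Object System.Collections.Generic.List[byte]
    foreach ($s in $Strings) {
        $bytes.AddRange([System.Text.Encoding]::Unicode.GetBytes($s))
        $bytes.AddRange([byte[]](0, 0))      # string terminator
    }
    $bytes.AddRange([byte[]](0, 0))          # list terminator
    ($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ','
}

function New-PendingFileRenameReg {
    # Build a .reg file that renames $Source to $Target at next boot, or deletes
    # $Source when $Target is omitted. NOTE: merging it REPLACES any operations
    # already queued in the key; on a live system append to the existing value.
    param([Parameter(Mandatory)][string]$Source, [string]$Target = '')
    $src = '\??\' + $Source
    $dst = ''                                            # empty target = delete
    if ($Target) { $dst = '!\??\' + $Target }            # leading '!' = overwrite an existing target
    $hex = ConvertTo-RegMultiSzHex -Strings @($src, $dst)
@"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=hex(7):$hex
"@
}

function Get-PendingFileRename {
    # Triage check: list what the Session Manager will rename or delete at the
    # next boot. Entries are pairs: source, then target ('' = delete).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        $target = $ops[$i + 1]
        if (-not $target) { $target = '<delete>' }
        [pscustomobject]@{ Source = $ops[$i]; Target = $target }
    }
}

# Delete c:\TEMP\Kill-ME.eXe at next boot, as in the REGEDIT4 example above:
New-PendingFileRenameReg -Source 'c:\TEMP\Kill-ME.eXe'
# What is queued on this machine right now:
Get-PendingFileRename
```

Windows Update and installers legitimately leave entries here, so an unexpected source or target path (user-writable directories, system binaries as targets) is what to look for, not the mere presence of the value.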
Reset (temporarily) Administrator password from Linux
- Install the package chntpw (from universe on Ubuntu).
- Edit the .../Windows/System32/config/SAM hive (with the Windows partition mounted read-write):
cd .../Windows/System32/config
chntpw -l SAM           # List available users
chntpw -u SysAdmin SAM  # Edit user 'SysAdmin' (e.g. blank the password)
- Don't forget to unmount the Windows partition afterwards.
For the change to be temporary [10], back up the SAM.* files beforehand and restore them afterwards (restoring the hive also restores the original password hash).
To backup the permissions, use the following script (see Linux NTFS for details):
#! /bin/bash
# Emit a script that restores the NTFS attributes and ACLs of the SAM* files once
# the original hives are copied back. getfattr/setfattr come from the attr
# package; run the generated restore_acl.sh with sudo.
for f in SAM*; do
    for ACL in ntfs_attrib_be ntfs_acl; do
        value=$(sudo getfattr -h -e hex -n "system.$ACL" "$f" | grep '=' | sed -e 's/^.*=//')
        echo "setfattr -h -v $value -n system.$ACL \"$f\""
    done
done > restore_acl.sh
chmod a+x restore_acl.sh
Alternatively, from Windows, use robocopy.exe to copy the files together with their ACLs (the default /COPY:DAT copies data, attributes and timestamps only; /COPYALL adds the security descriptor):
robocopy c:\Windows\System32\config\ c:\Windows\Temp SAM*.* /COPYALL
Export certificate private keys when export option is greyed out
If the option "export the private key" is greyed out, the key was created as non-exportable (or export is blocked by policy). Two options remain:
- Use the tool Jailbreak. It does not work on Win7 64-bit.
- Use the tool mimikatz (see also [11]). Run it as administrator; crypto::capi patches CryptoAPI in the mimikatz process and crypto::cng patches the key isolation service inside lsass so that keys are reported as exportable, which is why privilege::debug is needed and why EDR products flag it:
privilege::debug
crypto::cng
crypto::capi
crypto::certificates
crypto::certificates /export
(crypto::certificates defaults to the CURRENT_USER\My store; add /systemstore:LOCAL_MACHINE for the machine store.)
- The resulting .pfx files are protected with the password mimikatz.
- mimikatz
- Background info SentinelOne
Export certificate private keys (win 10)
This is still work in progress.
Sources:
- Some details about SID-protected PFX files, with background knowledge about DPAPI and DPAPI-NG (does not seem relevant here).
- A detailed flow on how to export key material; however, it requires an exportable certificate to begin with.
- In the Start menu, launch Manage computer certificates (this is the MMC snap-in certlm.msc).
- Go to Certificates - Local Computer → Personal → Certificates.
- We see a certificate with the same name as the computer, with intended purpose Client Authentication.
- Opening it, we note the certificate thumbprint
693867F321B5764E324F3FB8C5CBCE03CDA3C2A3
- We can find this certificate in the registry. Start regedit.exe and go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MY\Certificates\3078....
- Copy the key store using PowerShell:
$a = get-item cert:\LocalMachine\My\693867F321B5764E324F3FB8C5CBCE03CDA3C2A3
$a.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
# 00998a33dbff25a91050b3b1bf9001ef_a5968f4a-5244-4993-830a-363efe3adaed
- We can export the keystore using a console elevated to SYSTEM account.
; Create a SYSTEM console (this must be run in Administrative console)
PsExec64.exe -s -i cmd
; Export the file
xcopy /G /H "C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\00998a33dbff25a91050b3b1bf9001ef_a5968f4a-5244-4993-830a-363efe3adaed" c:\Temp
- ... the flow continues on a VM, trying to patch a working certificate, etc.
- Some details about certificate data found in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates
HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates
- 2022-04-22 - Win10 20H2 (19042.1645)
- Used with success the tool exportrsa (GitHub)
- Run in elevated SYSTEM privilege, then run the tool:
; Create a SYSTEM console (this must be run in Administrative console)
PsExec64.exe -s -i cmd
; Export the keys
exportrsa.exe
- Be aware that exportrsa.exe is flagged by most engines on VirusTotal. That is expected for a tool whose purpose is pulling private keys out of the store, but it also means it should not be run with all A/V disabled on a production host: use an isolated test machine, or add a narrow, temporary exclusion for the tool's directory and remove it afterwards.
- Example of output:
Skip cert with NO rsa public key for Microsoft ECC TS Root Certificate Authority 2018
Skip cert with NO rsa public key for Microsoft ECC Product Root Certificate Authority 2018
Key for "f92e9a47-1321-4aff-9600-fd7a6dbef186" is a CNG key
Enter password to protect exported cert: ***************
Enter password again: ***************
SUCCESSFULLY exported cert bundle for "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"in file "1.pfx"
Private key for cert "XXXXXXXXXX" is not exportable: 8009000b
Do you really want to export Public/private key for cert "XXXXXXXXXX" [Y|N] (default N) >>>>
SUCCESSFULLY get private key for "ZAVCWL0136"
Enter password to protect exported cert: ***************
Enter password again: ***************
SUCCESSFULLY exported cert bundle for "ZAVCWL0136"in file "2.pfx"
- Afterwards, the *.pfx files can be imported again to mark the key as exportable, and export it anew with different options.
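Before reaching for mimikatz or exportrsa it helps to know, per certificate, whether the key lives in CAPI or CNG, whether its provider flags it exportable, and which file under %ProgramData%\Microsoft\Crypto holds it (RSA\MachineKeys for CAPI machine keys, Keys for CNG machine keys). The PowerShell below is an added example, not code from the page or from those tools; it needs Windows PowerShell 5.1 / .NET 4.6.2+ for RSACertificateExtensions and an elevated shell for LocalMachine stores.

```powershell
function Get-PrivateKeyExportability {
    # Inventory certificates with a private key in a store and report whether the
    # key is CAPI or CNG, whether its provider marks it exportable, and the key
    # container file name, i.e. what the export tools above have to work with.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
        $provider = 'n/a'; $exportable = $null; $container = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider   = 'CNG'
                $container  = $rsa.Key.UniqueName          # file under %ProgramData%\Microsoft\Crypto\Keys
                $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider   = 'CAPI'
                $container  = $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # file under ...\Crypto\RSA\MachineKeys
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            } elseif ($null -eq $rsa) {
                $provider = 'non-RSA'                       # e.g. ECDSA keys, not covered here
            }
        } catch {
            $provider = "error: $($_.Exception.Message)"    # typically access denied on a machine key
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Exportable = $exportable
            Container  = $container
        }
    }
}

Get-PrivateKeyExportability | Format-Table -AutoSize
```

The Container column is the file name the xcopy step above copies out of MachineKeys; those files are DPAPI-protected with the machine's master key, which is why the copy alone is useless without SYSTEM-level decryption (mimikatz's dpapi modules) or a tool that asks the provider to export.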
Manage services from the command line
The following commands may help (note the mandatory space after start= in sc config):
sc query
sc query SERVICE
sc queryex SERVICE
sc qc SERVICE
sc config SERVICE start= auto
sc start SERVICE
net start SERVICE
Troubleshoot remote desktop connection
- Guides
- To view the current Remote Desktop certificate:
  - Open mmc.exe
  - File → Add or Remove Snap-ins → Certificates, click Add.
  - Select Computer account, then Local computer, and click OK.
  - Go to Certificates → Remote Desktop → Certificates.
- Run gpresult /H c:\gpresult.html to see the current group policies.
Some useful links as well:
- https://shellgeek.com/how-to-get-certificates-using-powershell/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://superuser.com/questions/137500/how-can-i-get-a-list-of-installed-certificates-on-windows
- https://superuser.com/questions/690763/list-installed-personal-certificates-in-batch
TermService was disabled, restarted:
sc query TermService
sc qc TermService
sc config TermService start= auto
sc start TermService
UmRdpService (depends on TermService; set to manual on Win10) was disabled here:
sc query UmRdpService
sc qc UmRdpService
sc config UmRdpService start= demand
sc start UmRdpService
- ... turns out policy was disabled in domain group. Switching group fixed the issue.
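The checks above (service state and start mode, the configured RDP certificate, whether RDP is disabled) collected in one PowerShell function. This is an added example, not code from the page; it only reads, and Win32_TSGeneralSetting requires an elevated shell.

```powershell
function Test-RdpReadiness {
    # Collect the RDP checks done by hand above: the fDenyTSConnections flag,
    # TermService/UmRdpService state and start mode, and whether the certificate
    # RDP-Tcp is configured to present actually exists in the 'Remote Desktop'
    # machine store. Read-only; run elevated.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue

    $services = foreach ($name in 'TermService', 'UmRdpService') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Name      = $name
            State     = $svc.State
            StartMode = $svc.StartMode      # 'Disabled' was the root cause in the notes above
        }
    }

    $general = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
                               -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    $configuredHash = $general.SSLCertificateSHA1Hash
    $storeHashes    = @(Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
                        ForEach-Object Thumbprint)

    [pscustomobject]@{
        fDenyTSConnections = $ts.fDenyTSConnections              # 1 = Remote Desktop disabled
        Services           = $services
        ConfiguredCertHash = $configuredHash
        CertPresentInStore = [bool]($configuredHash -and ($storeHashes -contains $configuredHash))
        SecurityLayer      = $general.SecurityLayer              # 0 = RDP, 1 = Negotiate, 2 = TLS
        NetworkLevelAuth   = $general.UserAuthenticationRequired # 1 = NLA required
    }
}

Test-RdpReadiness | Format-List
```

A configured hash that is not present in the store explains the "certificate not found" class of connection failures; SecurityLayer below 2 or NetworkLevelAuth 0 are the settings to tighten once the connection works again.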
Change Lock screen from Powershell
The Personalization policy key does not exist by default, so create it before setting the value (elevated shell required; the image path must be readable by all users):
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name LockScreenImage -Type String -Value 'C:\Path\to\your\image.jpg'
Open Issue
Reduce volume size after updates and service packs
Particularly true for Windows Vista. Ideas:
- Can we use sysprep tool?
Troubleshoot
Windows 7 Boot Issues
See Windows 7 boot troubleshooting.
Network Connection Folder is Empty
Reference [12]
- Open registry editor, and go to key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network,
- Delete the binary value Config,
There is normally no need to restart the computer.
The trust relationship between this workstation and the primary domain failed
Relevant links:
- How to fix: [13]
- KB on netdom.exe [14]
- Test the relationship with nltest.exe [15]
- NT Gatekeeper: Finding Out Where NT Stores a Machine Account’s Credentials
- Prevent the problem [16]
The root cause is a mismatch between the machine account password stored locally (as the LSA secret $MACHINE.ACC) and the password of the computer object on the domain controller. By default each Windows machine changes its machine account password every 30 days and updates the DC; the DC keeps the current and the previous password, so a machine restored from a snapshot or image taken more than two rotations earlier no longer holds a password the DC accepts.
To fix:
Use netdom.exe resetpwd to reset the machine account password [17] (requires an account permitted to reset the computer object on the DC). From PowerShell, Test-ComputerSecureChannel -Repair does the same.
To prevent the problem from happening, adjust the following values in HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters [18]:
MaximumPasswordAge (days, default 30)
DisablePasswordChange (1 = never rotate; this trades the desync problem for a machine credential that never changes, so prefer fixing the snapshot/restore practice)
ScavengeInterval (seconds; how often Netlogon checks whether the password is due for a change)
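The Netlogon settings and the repair step from PowerShell, as an added example (not the page's code): Get-NetlogonPasswordPolicy reports the three values above with their defaults, and Test-MachineSecureChannel runs Test-ComputerSecureChannel, which verifies the channel and with -Repair resets the machine account password the way netdom resetpwd does. It must run elevated on the affected, domain-joined machine, and the repair needs credentials allowed to reset the computer object.

```powershell
function Get-NetlogonPasswordPolicy {
    # Report the Netlogon parameters controlling machine-account password
    # rotation. Missing values mean the built-in defaults apply.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $path -ErrorAction Stop

    $maxAge = 30                                     # default: rotate every 30 days
    if ($null -ne $p.MaximumPasswordAge) { $maxAge = $p.MaximumPasswordAge }
    $scavenge = 900                                  # default: check every 15 minutes
    if ($null -ne $p.ScavengeInterval) { $scavenge = $p.ScavengeInterval }

    [pscustomobject]@{
        MaximumPasswordAgeDays = $maxAge
        DisablePasswordChange  = [bool]$p.DisablePasswordChange   # 1 = never rotate: no desync, but a credential that never changes
        ScavengeIntervalSec    = $scavenge
    }
}

function Test-MachineSecureChannel {
    # Verify the secure channel to the domain; with -Repair, reset the machine
    # account password on the DC (the netdom resetpwd equivalent). Returns $true
    # when the channel is healthy after the call.
    param(
        [switch]$Repair,
        [pscredential]$Credential       # account allowed to reset this computer object
    )
    if (Test-ComputerSecureChannel) { return $true }
    if (-not $Repair) {
        Write-Warning 'Secure channel is broken; rerun with -Repair (or use netdom resetpwd).'
        return $false
    }
    if (-not $Credential) {
        $Credential = Get-Credential -Message 'Domain account allowed to reset this computer object'
    }
    $null = Test-ComputerSecureChannel -Repair -Credential $Credential -Verbose
    return [bool](Test-ComputerSecureChannel)
}

Get-NetlogonPasswordPolicy | Format-List
Test-MachineSecureChannel
```

Run the repair from a local administrator session on the machine itself (domain logons fail while the channel is broken); after it succeeds the machine has a fresh password on both sides and normal rotation resumes.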
Remote Desktop Black Screen issue
Symptoms:
- Connect via RDP, screen is black.
Cause:
- Likely the persistent bitmap caching [19]
Fix:
- Press Ctrl-Alt-End (the RDP equivalent of Ctrl-Alt-Del), which brings up the remote Windows Security screen; from there open Task Manager, which repaints the desktop in most cases.
Create a console as SYSTEM user
- Download PsTools (Sysinternals); PsExec64.exe needs no installation.
- Start a PowerShell console with administrator rights (Win+X, then A).
- Run:
:: Create a SYSTEM console (this must be run from an elevated console)
PsExec64.exe -s -i cmd