2010-09-12

Deleting the Win32_Product WMI Class to hide locally installed software

I know very few people have ever needed to delete a WMI class, but incidentally I was once one of them. Why? Well, WMI is a great resource for obtaining information about remote machines, so perhaps you would just like to be selective about what yours provides, right?

Various network administration tools take advantage of the WMI component to find out how their co-workers' computers are doing, or what the co-workers are doing with them. This information is passed to those tools through WMI classes. So suppose you don't want to tell them what software you have installed on your computer; then, without stopping the WMI service (which would let the administrator know there was a scan error with your machine), you can instead delete the WMI classes Win32_Product and Win32_ProductCheck. Let's see:

On the command line:

c:\> wbemtest

(the wbemtest window pops up)

Click Connect, and where it says root\default replace it with root\cimv2, then press OK.

Now press the Enum Instances... button and you should see:


There, enter Win32_Product and accept; you should see a bunch of entries like this:




You can conclude that the Win32_Product class is announcing that I have, among lots of other stuff, Microsoft Office installed.

To stop this class from reporting software, the simplest solution I know of is to delete the class. Just press where it says Delete Class and enter its name, but beware: I don't think there is a practical way to reinstall this class again short of fully reinstalling WMI. So proceed wisely.

Of course, there are other ways to obtain the list of software installed on your machine remotely. :)
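From the administrator's side, the useful check is the reverse of the post: find out whether Win32_Product is still present on a host, and compare what it reports with the registry Uninstall keys, which is where most inventory tools fall back to. The script below is an added example, not code from the original post; it assumes PowerShell 3 or later for the CIM cmdlets.

```powershell
# Added example (not from the original post): report whether Win32_Product
# still exists in root/cimv2 and compare its inventory with the registry
# Uninstall keys. Assumes PowerShell 3+ (Get-CimClass / Get-CimInstance).

function Test-Win32ProductClass {
    # $true when the class is still defined, $false when it has been deleted.
    $cls = Get-CimClass -Namespace 'root/cimv2' -ClassName 'Win32_Product' -ErrorAction SilentlyContinue
    return [bool]$cls
}

function Get-RegistryInstalledSoftware {
    # Installed programs as recorded by Add/Remove Programs (32- and 64-bit views).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object -ExpandProperty DisplayName -Unique
}

if (Test-Win32ProductClass) {
    # Enumerating Win32_Product is slow and makes Windows Installer re-validate
    # every MSI package, so run it sparingly on production hosts.
    $wmiNames = @(Get-CimInstance -ClassName Win32_Product | Select-Object -ExpandProperty Name)
    Write-Output "Win32_Product present: $($wmiNames.Count) products reported via WMI"
} else {
    Write-Warning "Win32_Product is missing from root/cimv2 - WMI software inventory of this host is unreliable"
}

$regNames = @(Get-RegistryInstalledSoftware)
Write-Output "Registry Uninstall keys list $($regNames.Count) products"
```

A host where the class is missing but the registry still lists dozens of products is exactly the situation the post creates, and the warning line is what an inventory job should alert on rather than silently recording zero products.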

Thanks for reading
 

2010-09-04

Stopping All Services Backup Exec 2010 - Job Cancel Pending

This happened to me the other day while I was changing settings for a BE job. As soon as I hit the Submit button the job went into run mode. My fault, as I should have defined a schedule or submitted the job "on hold" first.

When I realized the job was running I right-clicked it to cancel it while it was still in the "pre-processing" phase, but the job would not stop. I tried several approaches, including stopping all services from the BE management console:


And starting them again, but to my surprise the BE server and engine services would not start. This is what the event viewer showed:




Little to no help. After reading Symantec's words on the subject, and before accepting that the only solution was to restart the server (after applying the supposed hotfix), we decided to give it a last shot: we had found out that the services would not start because another process was holding port 3527, and supposedly all we had to do was terminate that connection using CurrPorts:


But the connection would not terminate: the process name was System, hence the inability to kill it.

Restarting the server was what ultimately fixed it. Perhaps disabling the network interface and clearing the ARP cache would have helped, though.

Thanks for reading

Taken from http://netprobe.blogspot.com/

Disabling Multiple RDP Session with same User

In order to disable multiple RDP sessions with the same user, enable the "Restrict each user to one session" option. This way you disable concurrent connections from the same user.

With this option enabled, you can still log in to another session, called the console session. Be aware, though, that if you do this in a production environment, depending on your software environment and the applications running in the RDP session for user "x", opening the console session for that same user "x" can cause your custom apps to malfunction. It happened to me with a VB6 application running in debug mode.



Panda Desktop HTTP Updates / Ports Used

Well, Panda product documentation, although it's pretty extensive, sometimes doesn't tell you much. For instance, you want to know what ports are required for Panda Desktop to be able to periodically update its definitions. What are these ports? This is what I will briefly discuss here, based only on my findings.

If you have deployed a Panda antivirus product in your company then you have probably configured a repository from which Panda clients are able to fetch periodic updates. This repository can be configured through a regular network shared folder, or through an HTTP repository, where you may have a Tomcat server serving the client requests. The second alternative is better, as the first one leads to more unnecessary overhead (ref.).

After clients are deployed automatically, an .ini file is configured on each client machine containing a reference to the original server.

This is the server the clients will query for updates, sending packets through port 19226 (folder repository); if that does not succeed, the client will try the HTTP repository on port 8080, and if that does not respond it will try the HTTP repository on port 80:



If it still does not respond it will query the internet. Where?
1. Run regedit.exe
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Panda Administrator 3.0\PLAgent

The URL is listed on the right side.

The username and password used to access the updates are also defined here, although encrypted.




In sum, the following ports are used from the client side, depending on your infrastructure scenario:

Port 19226
Port 80
Port 8080

This information was gathered using the CurrPorts tool and log analysis.

Panda logs are located in the Pavupg folder. The file is called PAVupg.log

To get a detailed log use the command:

Pavupg -c:ALL

It will then try to update the virus definitions and you can analyse the results as well.


SMB:R; Tree Connect Andx - DOS OS Error, (5) ACCESS_DENIED

Konica Bizhub 350 - Scan to network Folder

Are you scanning to a network folder and wondering why the files are not there when all the configuration is correct?
What needs to be done to allow a Canon/Konica/Minolta, in this case a Minolta Bizhub 350, to send PDF files over the network to a shared folder on a server?

SMB signing is what this is all about: it is a security measure introduced to respond to man-in-the-middle attacks.


SMB Signing and Security:

http://www.littlepud.com/windows-information/windows---smb-signing

If your printer does not support SMB signing you have two choices to allow end users to fetch their scans:

1 - Disable SMB signing on the remote server that was configured in the printer. For that you need to go to regedit at HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters and change RequireSecuritySignature to 0 to disable SMB signing (no restart needed). You can observe the successful (or unsuccessful) connection attempt with Microsoft Network Monitor.

2 - And probably much more comfortable: send directly to the user's email and forget about SMB signing (keeping your servers safe).
Here is a successful connection attempt:
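Before deciding between the two options, it helps to audit what the server currently enforces. The script below is an added example, not from the original post: it reads the two LanmanServer signing values from the registry key named above and reports whether unsigned clients such as the printer would be rejected. It only reads the values and changes nothing.

```powershell
# Added example (not from the original post): audit the SMB server signing
# settings under LanmanServer\Parameters. Read-only.

function Get-SmbServerSigningState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # A missing value behaves like 0 (not required / not enabled) on member servers;
    # domain controllers require signing by default through policy.
    [pscustomobject]@{
        RequireSecuritySignature = [int]($props.RequireSecuritySignature)
        EnableSecuritySignature  = [int]($props.EnableSecuritySignature)
    }
}

$state = Get-SmbServerSigningState
$state | Format-List

if ($state.RequireSecuritySignature -eq 1) {
    "SMB signing is REQUIRED: a client that cannot sign (like the printer above) gets ACCESS_DENIED on Tree Connect"
} else {
    "SMB signing is NOT required: unsigned clients can connect, but the server is open to the man-in-the-middle/relay attacks signing was introduced to prevent"
}
```

Run it on the file server the scanner targets: a RequireSecuritySignature of 1 explains the ACCESS_DENIED in the title, and the output makes it clear what option 1 would give up.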





Thanks for reading

2010-05-02

PHP file_exists function bug and Domain Migration

First of all, let me say this is NOT a bug report. Just a friendly title for someone who might be asking themselves the same thing.

The other day I was told that our intranet website was not working properly. I looked at the PHP code to see if everything was in order and ran a few tests, placing variables inside file_exists, and the function was returning false when the file actually existed. Why is this, I asked?! Eventually I found out: there was no bug or change in the code.

In our corporate environment we had migrated the domain, and the intranet had been running smoothly for 2 weeks. At the end of those 2 weeks the old domain was shut down. Only by the third day did this intranet problem reach me, and the answer was in the IIS manager for the intranet server: in the corresponding website's properties, on the "Directory Security" tab, there was still a user from the old domain.
file_exists was trying to access the path with a user that was no longer valid, and returned false because it had no permissions.

Hope this helps


CISCO Pix Device Manager Export List to File


This manager's interface is not very intuitive, which is why I decided to add this title to the Google search engine with a few questions and answers here.

Can you use the PIX Manager interface to perform queries on the DB entries?
No

Can you run reports from the firewall to create an Excel sheet?
No, not that I know of.

So what do you do if you want to export a list containing all the entries from your PIX firewall? Do you have to look at them individually, one by one?
Fortunately no. Just go to File and choose "Save Running Config to a new window".

If you are unsure about this and are afraid that it will write to NVRAM, don't be: this will generate a file with the firewall's users and groups and ask you for a location to save it.



Can't view desktop shortcuts over the network, why?

Hello,

There are no stupid questions and certainly this is not one of them. The other day a friend of mine was remotely accessing the C$ share on a computer, trying to access the Desktop folder of the user "Centrino". Although he knew that Centrino had shortcuts on the Desktop, entering this folder he could not see them. What the heck, he thought. Why is that?

The answer is pretty easy:

Shortcuts from All Users are not replicated for each user account, and probably before the Centrino user was called Centrino he was called something else. Why again? Because if someone renamed his account in Active Directory from "Intel" to "Centrino", the SID actually stays the same. So nothing changes on the computer side, meaning that Documents and Settings will still point to Intel's folder.

You can check this in regedit at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There you will see a bunch of SIDs; to find out the SID of the Centrino user, please check here



At this point you will know the correct profile image path (ProfileImagePath) on the computer for that user and, if you like, you can change it from Intel to Centrino, although there are some implications with Active Directory, so if you are unsure of what you are doing don't mess around.




Getting SID from USER and USER from SID

Sometimes when administering a network there is a need to know which code the operating system uses for a USER. This code is known as the SID, or Security Identifier.

Getting USER from the SID:

You can use a tool called Sid2user
http://www.chem.msu.su/~rudnyi/welcome.html

Usage:
sid2user [\\computer_name] authority subauthority_1 ...
 
 
Getting SID from the user:
You can use a tool called User2sid
http://www.chem.msu.su/~rudnyi/welcome.html
 
Usage:
user2sid [\\computer_name] account_name
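The two lookups above (user to SID and SID to user), together with the ProfileList walk from the previous post about the renamed "Centrino" account, can be done without extra tools using the .NET SecurityIdentifier and NTAccount classes. The script below is an added example and not code from the original posts or from the sid2user/user2sid tools; "Centrino" is the previous post's example account and is used here only as a placeholder.

```powershell
# Added example (not from the original posts): resolve SID <-> account name
# and list every profile under ProfileList with the account it belongs to,
# so a renamed account (same SID, old ProfileImagePath) stands out.

function ConvertFrom-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null   # SID no longer resolves (deleted account, old domain, ...)
    }
}

function ConvertTo-Sid {
    param([string]$AccountName)   # e.g. 'DOMAIN\user' or just 'user'
    $acct = New-Object System.Security.Principal.NTAccount($AccountName)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ProfileListEntries {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | ForEach-Object {
        $sid = $_.PSChildName   # each subkey is named after the profile's SID
        [pscustomobject]@{
            Sid         = $sid
            Account     = ConvertFrom-Sid $sid
            ProfilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        }
    }
}

# Profiles on this machine: an Account of "DOMAIN\Centrino" next to a
# ProfilePath ending in "\Intel" is the renamed-account case from the post.
Get-ProfileListEntries | Format-Table -AutoSize

$name = 'Centrino'   # placeholder account name from the post
try {
    "{0} -> {1}" -f $name, (ConvertTo-Sid $name)
} catch {
    "Account '$name' could not be resolved on this machine/domain"
}
```

Translate() contacts the domain for domain SIDs, so run it on a domain-joined machine when the account in question is a domain account; a $null Account column on a profile is itself worth noting, since it means the SID no longer maps to anything (typically an account from a decommissioned domain).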



2009-11-28

○ Executing commands remotely

RDP, the Remote Desktop Protocol, is a great resource to remotely administer a computer; TightVNC or UltraVNC are also great resources, with their own advantages compared with RDP, but sometimes we just want a remote command-line solution so that there is no interference with what the users of that remote machine are doing.

There are two solutions for this. The first one is to use the wmic command with the help of the Win32_Process class:

wmic /USER:Domain\user /PASSWORD:pass /NODE:"computer" process call create cmd.exe


If you get an "Invalid global switch" error, check that your computer name is within quotes and that USER, PASSWORD and NODE are in UPPERCASE letters, otherwise it won't work (it didn't when I tried).


The other solution is to use the Sysinternals PsTools, namely psexec. This tool is a must for any network administrator; usage would be something like:

c:\> psexec \\machine -u domain\user -p pass command

where machine is the machine name (use quotes if it's something like "Desk-NR-1"),
where pass is the password for domain\user,
and where command is the command line you would type if you were on the other computer; for total command-line freedom use "cmd" as the command to get the remote command line on your computer.


Thank you for reading

2009-11-09

○ Updating Panda Client from a migrated Server



If you have migrated your AV server, in other words your AdminSecure console, to another server, but your clients are still pointing to the old server, you have to redistribute the client to the various workstations. To do this, go to:

Tools -> Distribute Agents (or similar) -> Troubleshoot Distribute Agents

A wizard then pops up guiding you through the method for rearranging these broken clients.

Rearranging clients may take a while, so be patient. Beware, though: port 19226 needs to be open from the server to the client.

To make sure you don't have this port blocked, telnet to any client on this port from the command line:

telnet client 19226

Where client is the computer name of a Panda client in your network.

If the command-line window shows a blinking cursor the port is not blocked and you should be OK.
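The telnet test above, and the 19226 / 8080 / 80 fallback order described in the earlier "Panda Desktop HTTP Updates / Ports Used" post, can be scripted so that a whole list of clients or the repository server is checked in one go. The script below is an added example, not from the original posts; it uses a raw TcpClient with a timeout so it also runs on older Windows versions without Test-NetConnection, and the host names PANDA-SERVER and the client list are placeholders.

```powershell
# Added example (not from the original posts): TCP reachability checks for the
# Panda ports mentioned above. Host names below are placeholders.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout = filtered or host down.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on "connection refused"
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Find-PandaRepositoryPort {
    param([string]$Server)
    # Same order the client uses: folder repository, then HTTP 8080, then HTTP 80.
    foreach ($port in 19226, 8080, 80) {
        if (Test-TcpPort -ComputerName $Server -Port $port) { return $port }
    }
    return $null
}

# 1) Server -> client direction needed for the redistribution wizard (port 19226).
$clients = 'WS01', 'WS02', 'WS03'   # placeholder client names
foreach ($c in $clients) {
    $state = if (Test-TcpPort -ComputerName $c -Port 19226) { 'open' } else { 'BLOCKED' }
    "{0,-10} 19226 {1}" -f $c, $state
}

# 2) Client -> repository direction: which of the three ports answers first?
$server = 'PANDA-SERVER'   # placeholder repository host
$open = Find-PandaRepositoryPort -Server $server
if ($open) { "Repository $server reachable on port $open" } else { "No repository port answered on $server" }
```

A client reported as BLOCKED on 19226 is one the wizard will not be able to rearrange until the firewall rule between server and client is fixed.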

2009-07-25

○ Unauthorized or Illegal Public IP Addresses on a Private Network

Yes, they are out there on private networks. Luckily, routers do not route these packets outwards because they already know the interfaces behind which those illegal IPs are.

I say illegal but they are only illegal from an RFC point of view.

I remember a while back trying to look for information about these RFC-illegal networks but not finding anything relevant.

I have worked at a company that had this scenario implemented. They had IPs from 190.1.X.X to 190.5.X.X. Even worse, these were class B IP addresses for a small to medium-sized company with just over 100 employees.

What happened in these cases was that although the routers were routing correctly, the DNS servers were getting their entries for the local domain hosts from the internet. So, depending on which hostname got registered in the internet's cached DNS, a host could not be reached from another by its DNS name. Fortunately, NetBIOS was still in the game and allowed other computers to ping (and whatever else) those hosts through their NetBIOS name. Nevertheless, chaotic in my opinion. Needless to say, no computer in this network could access outside resources whose IPs fell within these class B ranges. What a mess, and as if that was not enough, the datacenter's switch wiring was all messed up as well.
Funny example:


A big restructuring of this network topology was carried out some time later, which I was a part of, to deploy VLANs and reformulate the entire infrastructure, from class B to class C and from illegal to legal addresses (the addresses reserved for private networking). A big adventure, I tell you, but it definitely paid off. Much better.
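Spotting this kind of addressing mistake in an inventory is a matter of testing each host address against the three RFC 1918 ranges. The script below is an added example and not from the original post; it implements a general CIDR membership test rather than only the three private ranges, and the host list is constructed to mirror the post's 190.x.x.x scenario.

```powershell
# Added example (not from the original post): flag IPv4 addresses that are not
# in an RFC 1918 private range. Host names and addresses below are constructed.

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $netAddr, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $n = [System.Net.IPAddress]::Parse($netAddr).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # Number of prefix bits that fall inside this octet (0..8).
        $bits = [Math]::Min(8, [Math]::Max(0, $prefix - 8 * $i))
        if ($bits -eq 0) { break }
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
    }
    return $true
}

function Test-Rfc1918Address {
    param([string]$Address)
    foreach ($range in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        if (Test-IPv4InCidr -Address $Address -Cidr $range) { return $true }
    }
    return $false
}

# Constructed inventory: two hosts from the post's 190.x scenario, two private ones.
$hosts = [ordered]@{
    'FILESRV' = '190.1.10.5'
    'PRINTER' = '190.5.2.20'
    'DC01'    = '192.168.1.10'
    'WS42'    = '172.31.200.7'
}
foreach ($h in $hosts.GetEnumerator()) {
    $kind = if (Test-Rfc1918Address $h.Value) { 'private (RFC 1918)' } else { 'PUBLIC - illegal on a private network' }
    "{0,-8} {1,-15} {2}" -f $h.Key, $h.Value, $kind
}
```

For the constructed list, FILESRV and PRINTER are reported as public and DC01 and WS42 as private; the 172.31.200.7 case shows the partial-octet mask at work, since only the top four bits of the second octet belong to the 172.16.0.0/12 prefix.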

2009-06-27

○ SMI2SMIR Information / Purpose

I will assume that if you got here you already understand "computer systems terminology", so I won't get into detailed explanations, but will just write here what I know about this. To make things brief, SMI2SMIR is a partial WMI dependency. There is a script from Microsoft, WMIDiag.vbs, that allows you to check whether WMI is properly installed on a given computer. If you run WMIDiag.vbs on a computer with SMI2SMIR missing you will get the following line in the resulting log:

WARNING: WMI System file 'C:\WINDOWS\SYSTEM32\WBEM\SMI2SMIR.EXE' is MISSING or is access DENIED but it is an OPTIONAL component.

So, although it's part of WMI, as it is not a must, you can still query a remote machine for info.

For more information:



Thank you for reading

Taken from http://netprobe.blogspot.com/2009/06/smi2smir-information-purpose.html