728x90

Update 2021-12-18 – This looks like a much more competent script for detecting this vulnerability and there is a python version for Linux: https://github.com/CERTCC/CVE-2021-44228_scanner

Updated 2021-12-17 – Script is v1.4 and looks for .war files now too

Original post below

Inspired by the one-liner here: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b#find-vulnerable-software-windows

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

I wrote a script to expand on the command, support Windows Server 2008 onward and to be more automated.

This script is basically the one liner with a bit of logic to get all the local fixed disks on a server and iterate through them all looking for Log4j jar file:

<#
.Synopsis
Checks the local system for Log4Shell Vulnerability [CVE-2021-44228]
.DESCRIPTION
Gets a list of all volumes on the server, loops through searching each disk for Log4j stuff
 
Version History
1.0 - Initial release
1.1 - Changed ErrorAction to "Continue" instead of stopping the script
1.2 - Went back to SilentlyContinue, so much noise
Replace attribute -Include by -Filter (prevent unauthorized access exception stopping scan)
Remove duplicate path with Get-Unique cmdlet
.EXAMPLE
.\check_CVE-2021-44228.ps1
.NOTES
Created by Eric Schewe 2021-12-13
Modified by Cedric BARBOTIN 2021-12-14
#>
 
# Get Windows Version string
$windowsVersion = (Get-WmiObject -class Win32_OperatingSystem).Caption
 
# Server 2008 (R2)
if ($windowsVersion -like "*2008*") {
 
$disks = [System.IO.DriveInfo]::getdrives() | Where-Object {$_.DriveType -eq "Fixed"}
 
}
# Everything else
else {
 
$disks = Get-Volume | Where-Object {$_.DriveType -eq "Fixed"}
 
}
 
# I have no idea why I had to write it this way and why .Count didn't just work
$diskCount = $disks | Measure-Object | Select-Object Count -ExpandProperty Count
 
Write-Host -ForegroundColor Green "$(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Starting the search of $($diskCount) disks"
 
foreach ($disk in $disks) {
 
# gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
 
# Server 2008 (R2)
if ($windowsVersion -like "*2008*") {
 
Write-Host -ForegroundColor Yellow " $(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Checking $($disk.Name): - $($disk.VolumeLabel)"
Get-ChildItem "$($disk.Name)" -Recurse -Force -Include @("*.jar","*.war") -ErrorAction SilentlyContinue | ForEach-Object { Select-String "JndiLookup.class" $_ } | Select-Object -ExpandProperty Path | Get-Unique
 
}
# Everything else
else {
 
Write-Host -ForegroundColor Yellow " $(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Checking $($disk.DriveLetter): - $($disk.VolumeLabel)"
Get-ChildItem "$($disk.DriveLetter):\" -Recurse -Force -Include @("*.jar","*.war") -ErrorAction SilentlyContinue | ForEach-Object { Select-String "JndiLookup.class" $_ } | Select-Object -ExpandProperty Path | Get-Unique
 
}
 
}
 
Write-Host -ForegroundColor Green "$(Get-Date -Format "yyyy-MM-dd H:mm:ss") - Done checking all drives"

Sample output with nothing found:

Sample output with something found:

Good luck everyone.

728x90
728x90

We’ve run into a strange problem with our Windows Server 2019 VMs where sometimes when we clone a new VM from our template it works perfectly fine and sometimes it won’t let you install any new Roles and throws a 0x80073701 error. Better still, sometimes it lets you install a new Role and then months later when you go to add something else it fails also with a 0x80073701.

For the longest time the only solution I was able to find online was nuke it and start over which is typically what we did. That or to manually dig through registry keys for packages installed in Windows with a different language than that of your operating system. I never was able to get that suggestion to work because I couldn’t gain the permissions I needed to delete the registry keys. We also had zero luck running DISM with it’s variety of flags.

At some point a co-worker of mine stumbled across a PowerShell script that solved the problem for us and saved us having to rebuild a few more complicated VMs.

I had to use that script tonight on a VM but this time it didn’t work. I tried to see if I could find a new version but I couldn’t even find the original script. With some fiddling I eventually got the script to work but it dawned on me that lots of people might have having this problem and the script to fix it with out wiping/reloading might not be easily found anymore.

Full Disclosure. I did not write this script, I’ve only used it a few times with success. I searched for the authors name to see if they had a Github repo or something out there and found nothing other than a LinkedIn.

Near as I can tell this script does the following:

  1. Elevates its privileges in a very specific looking way. I did not dig much into it since the rest of the script does not appear to do anything malicious and you should run this “As an administrator” anyway I just went with it
  2. It then asks you for the location of your CBS log file, if none is provided it uses the default location
  3. It then parses the CBS log file for any instances of ERROR_SXS_ASSEMBLY_MISSING and then parses those lines to pull out the specific package names that are causing problems
  4. Using it’s elevated privileges it takes ownership of that packages registry keys and changes the ‘Currentstate’ key to ‘0’ which I assume means not installed or ignored
  5. It does some checks to make sure the ‘Currentstate’ was successfully changed and then completes

Once the script has run you do not need to reboot. You should be able to start adding Roles to the server right away.

I have found that running the script against “C:\Windows\Logs\CBS\CBS.log” does not always solve the problem. Tonight I went into “C:\Windows\Logs\CBS\” and had to run it against the second newest log “CbsPersist_20230310065917.log”. After doing that the issue was resolved for me.

In our case it appears the issue is with KB4598230 which has been pulled from the Microsoft Update Catalogue and can no longer be downloaded. I have seen plenty of form posts involving other KBs causing the exact same error though.

Sorry, that was a lot of reading. Here is what you are after:

 
 
 
 
<#
.SYNOPSIS
 
This script will fix the SXS assmbly missing issue while installing feature
 
.DESCRIPTION
 
The script mark the resolved packages absent which are missing manifest.
 
.PARAMETER
 
Provide CBS file path
 
.OUTPUTS
<Outputs if any, otherwise state None - example: Log file stored in current working directory "AssemblyMissingScript-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")>
.NOTES
Version: 1.0
Author: Abhinav Joshi
Creation Date: 14/11/2020
Purpose/Change: Initial script development
 
.EXAMPLE
 
Run the script ERROR_SXS_ASSEMBLY_MISSING.ps1
 
Please enter CBS file path (Default Path: c:\windows\logs\cbs\cbs.log): C:\windows\Logs\cbs\cbs2.log
#>
 
 
function enable-privilege {
param(
## The privilege to adjust. This set is taken from
[ValidateSet(
"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",
"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",
"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",
"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",
"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",
"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",
"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",
"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",
"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",
"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")]
$Privilege,
## The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,
## Switch to disable the privilege, rather than enable it.
[Switch] $Disable
)
 
## Taken from P/Invoke.NET with minor adjustments.
$definition = @'
using System;
using System.Runtime.InteropServices;
 
public class AdjPriv
{
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
 
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[StructLayout(LayoutKind.Sequential, Pack = 1)]
internal struct TokPriv1Luid
{
public int Count;
public long Luid;
public int Attr;
}
 
internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
internal const int TOKEN_QUERY = 0x00000008;
internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
public static bool EnablePrivilege(long processHandle, string privilege, bool disable)
{
bool retVal;
TokPriv1Luid tp;
IntPtr hproc = new IntPtr(processHandle);
IntPtr htok = IntPtr.Zero;
retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
tp.Count = 1;
tp.Luid = 0;
if(disable)
{
tp.Attr = SE_PRIVILEGE_DISABLED;
}
else
{
tp.Attr = SE_PRIVILEGE_ENABLED;
}
retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
return retVal;
}
}
'@
 
$processHandle = (Get-Process -id $ProcessId).Handle
$type = Add-Type $definition -PassThru
$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)
}
 
$logfile = [System.IO.Path]::Combine($rootDir, "AssemblyMissingScript-" + [datetime]::Now.ToString("yyyyMMdd-HHmm-ss") + ".log")
if (-not (Test-Path "$PWD\logs")) {
New-Item -Path "$PWD\logs" -ItemType Directory -Verbose
}
Start-Transcript -Path "$PWD\logs\$logfile"
 
$cbspathTEMP = Read-Host -Prompt "Please enter CBS file path (Default Path: c:\windows\logs\cbs\cbs.log)"
 
$cbspath = $cbspathTEMP.Replace('"','')
 
write-host ""
 
write-host -ForegroundColor Yellow $cbspath
 
 
if ($cbspath -eq $null -or $cbspath.Length -eq "0"){
 
Write-Host -ForegroundColor Yellow "No path was entered"
 
Write-Host "Setting up default CBS path"
 
$cbspath = "c:\Windows\Logs\CBS\CBS.log"
 
Write-Host -ForegroundColor Cyan $cbspath
}
 
 
$CheckingpackagesResolving = "Resolving Package:"
 
$checkingFailure = Get-Content $CBSpath | Select-String "ERROR_SXS_ASSEMBLY_MISSING"
 
if ($checkingFailure -ne $null -and $CheckWhichFeature -ne 0) {
 
Write-Host "Checking resolving packages"
 
$CBSlines = Get-Content $CBSpath | Select-String $CheckingpackagesResolving
 
$Result = @()
 
if ($CBSlines) {
 
foreach ($CBSline in $CBSlines) {
 
$packageLine = $CBSline | Out-String
 
$package = $packageLine.Split(":").Trim().Split(',').Trim() | Select-String "Package_"
 
$Result += $package
}
 
Write-host "Found following resolving packages"
 
$Results = $Result | Select-Object -Unique
 
foreach ($regpackage in $Results) {
 
$bb = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$regpackage"
 
$uname = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 
enable-privilege SeTakeOwnershipPrivilege
 
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($bb, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, [System.Security.AccessControl.RegistryRights]::takeownership)
# You must get a blank acl for the key b/c you do not currently have access
$acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::None)
$me = [System.Security.Principal.NTAccount]$uname
$acl.SetOwner($me)
$key.SetAccessControl($acl)
 
# After you have set owner you need to get the acl with the perms so you can modify it.
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule ($uname, "FullControl", "Allow")
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
 
$key.Close()
 
Write-Host "Mark this package absent $regpackage"
 
Set-ItemProperty -Path "HKLM:\$bb" -Name Currentstate -Value 0 -Type DWord -Force
}
 
Write-host "Verifying package state"
 
$Verifcationcheckvalue = "1"
 
foreach ($Regpackagecheck in $Results) {
 
$CurrentstateOfpackage = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$Regpackagecheck").CurrentState
 
if ($CurrentstateOfpackage -eq "0") {
 
Write-host -ForegroundColor Green $CurrentstateOfpackage of $Regpackagecheck
 
$Verifcationcheckvalue += "1"
 
 
}
else {
 
Write-host -ForegroundColor red $CurrentstateOfpackage of $Regpackagecheck
 
$Verifcationcheckvalue += "0"
}
}
 
if ($Verifcationcheckvalue -notmatch "0") {
 
write-host "========================================================================="
 
write-host ""
 
Write-host -f white -BackgroundColor green "Verification passed, Retry Enabled"
 
write-host ""
 
write-host "========================================================================="
 
$Global:try = $true
 
}
else {
 
write-host "========================================================================="
 
write-host ""
 
write-host -f white -BackgroundColor Red "Verification Failed, Can't contiune. Collect $logfile and CBS.log"
 
write-host ""
 
write-host "========================================================================="
 
$Global:try = $false
}
 
}
else {
 
Write-Error "Error while finding resolving packages"
}
}
 
else {
 
Write-Host "Looks like $CBSpath is not right CBS File, check manually. "
 
}
 
 
 
stop-Transcript
 
pause

Abhinav Joshi, whoever you are. Thank you very much for this script. It’s saved us a ton of time and headache.

728x90
728x90

System Administrator command line shortcuts to popular Microsoft Management Consoles (MMCs).

Admin Snap-inCommandCategory

Quality of Service Control Management ACSsnap.msc Network
ADSI Edit ADSIedit.msc AD Configuration
Authorization manager AZman.msc Security
Certificates Management - Local machine Certlm.msc Security
Certificates Management - Current user Certmgr.msc Security
Certification Authority Management Certsrv.msc Security
Certificate Templates Certtmpl.msc Security
Failover cluster Manager Cluadmin.exe Disc, File
Component Services Comexp.msc  
Computer Management Compmgmt.msc  
Device Manager Devmgmt.msc Hardware
Notifications/Start menu/policy DevModeRunAsUserConfig.msc  
Disk Defragmenter Defrag.exe (formerly Dfrg.msc) Disc, File
Distributed File Service Mgmt DFSmgmt.msc Disc, File
Disk Manager DiskMgmt.msc Disc, File
DNS Manager DNSmgmt.msc Network
AD Domains and Trusts Domain.msc AD Configuration
AD Users and Computers DSA.msc Security
AD Sites and Services DSsite.msc AD Configuration
Embedded Lockdown Manager EmbeddedLockdown.msc Security
Event Viewer Eventvwr.msc  
Shared Folders open files FSmgmt.msc Disc, File
File Server Resource manager FSRM.msc Disc, File
Local Group Policy Editor GPedit.msc Policy
Group Policy Management GPmc.msc Policy
Group Policy Management Editor GPme.msc Policy
Group Policy Starter GPO Editor GPTedit.msc Policy
Local Users and Groups Manager LUsrMgr.msc Security
Teminal Services RDP MSTSC Remote Access
Teminal Services RDP to Console MSTSC /v:[server] /console Remote Access
NAP client configuration NapCLCfg Network
Performance Monitor PerfMon.msc  
Print Management PrintManagement.msc Print
Resultant Set of Policy RSOP.msc Policy
Local Security Settings Manager SecPol.msc Policy
Server Roles, Features ServerManager.msc  
Services Management Services.msc  
SQL Server configuration Manager SQLServerManager11.msc  
Storage Mgmt StorageMgmt.msc Disc, File
Telephony Management TAPImgmt.msc Phone/Modem
Task Scheduler TaskSchd.msc  
Trusted Platform Module TPM.msc Security
Terminal Server Manager TSadmin.exe Remote Access
Remote Desktop TSmmc.msc Remote Access
Windows Mangement Instrumentation WmiMgmt.msc  
Windows Server Backup (Local+Remote) WBadmin.msc Disc, File
Windows Local Backup WLBadmin.msc Disc, File
Windows Firewall WF.msc Remote Access

The commands above can be entered from START ➞ Run, or from the command line.
Availability will vary by OS and by the features installed.

“I don’t do anything in order to cause trouble. It just so happens that what I do naturally causes trouble.
 I'm proud to be a troublemaker” ~ Sinead O'Connor

Related commands

How-to: ms-settings - Shortcuts to settings.
How-to: Run Commands
How-to: Keyboard shortcuts For CMD, PowerShell and Windows.

728x90
728x90

So you’ve got some DNS Zones on your Domain Controllers and you’re building a test lab or another domain that you want to copy these to. Easy right – not so easy if they are AD integrated zones. This means the files for these zones are not stored in C:\Windows\System32\dns an normal, they are actually stored and replicated to all DCs inside AD.

I had a requirement to move an integrated forward lookup zone from one domain to another so I’m sharing what I did below.

Logon to your DC with the integrated zone and fireup our friend Powershell.

Get-DNSServerZone

You’ll see your zones listed out.

You’ll see here which zones are integrated and which are not.

The ZoneName column is key for the next bit, make a note of the ZoneName you want to export.

Export-DNSServerZone -Name <ZoneName from the above> -Filename <Yourzone.dns>

There’s no confirmation for this command, but this will export the zone to a file that can be resuable.

Open up C:\Windows\System32\dns in explorer.

 

You’ll see here you DNS zone file. Take a copy of this and place it somewhere.

Log in to your new DNS server where the zone will be imported.

Open up C:\Windows\System32\dns in explorer and copy the file you just exported into this folder.

Now open the DNZ Management Console.

Right click “Forward Lookup Zones” and select “New Zone”, Select “Next” to get started.

Select the zone type and remember to untick the “Store the zone in Active Directory” option.

I know, I know, we want it to be in AD; don’t worry. It will still be once we are done.

Select “Next”.

Populate the Zone Name and select “Next”.

Select “Use the existing file” and enter the name of the file you copied into “C:\Windows\System32\dns”, select “Next”.

Select “Next” on the dynamic update options. Note: The secure option will be available once we convert this zone to an AD integrated zone.

The zone should now appear fully populated in the DNS console. Now time to convert this zone back to an AD integrated zone.

Right click the zone and select “Properties”.

Select “Change” on the right of “Type”.

You might recognise this screen, Select “Store the zone in Active Directory” and click “OK”. Confirm you want to move the zone to AD.

You now have the option to change the dynamic updates to this zone, select as per your preference.

This wraps up the zone import, the whole process could be easily scripted with Powershell. Happy to take a crack at it if anyone is interested.

728x90
728x90

wuauclt.exe  커맨드 옵션...

 

/DetectNow
/ReportNow
/RunHandlerComServer
/RunStoreAsComServer
/ShowSettingsDialog
/ResetAuthorization
/ResetEulas
/ShowWU
/ShowWindowsUpdate
/SelfUpdateManaged
/SelfUpdateUnmanaged
/UpdateNow
/ShowWUAutoScan
/ShowFeaturedUpdates
/ShowOptions
/ShowFeaturedOptInDialog
/DemoUI

728x90
728x90

Windows Server 평가판 다운로드 Url

https://www.microsoft.com/ko-kr/evalcenter/evaluate-windows-server-2019?filetype=ISO

728x90
728x90

@echo off

 

 set/p host=host Address: 

 set logfile=Log_%host%.log

 

 echo Target Host = %host% >%logfile%

 for /f "tokens=*" %%A in ('ping %host% -n 1 ') do (echo %%A>>%logfile% && GOTO Ping)

 :Ping

 for /f "tokens=* skip=2" %%A in ('ping %host% -n 1 ') do (

     echo %date% %time:~0,2%:%time:~3,2%:%time:~6,2% %%A>>%logfile%

     echo %date% %time:~0,2%:%time:~3,2%:%time:~6,2% %%A

     timeout 1 >NUL 

     GOTO Ping)

 

728x90
728x90

특정단어찾기


[파일명찾기. 제목찾기]


특정 문자열이 존재하는 행 찾기
dir /s /b | find /i "원하는문자열입력"
-> C:\Users\TY\Desktop\log>dir /s /b | find /i "원하는문자열입력" C:\Users\TY\Desktop\log\원하는문자열입력.txt

dir /s /b | find /i "원하는문자열입력"
-> 해당사항없음

dir /s | find "원하는문자열입력"
-> C:\Users\TY\Desktop\log>dir /s | find "원하는문자열입력"
2019-05-20 오전 11:03 3 원하는문자열입력.txt

dir /s | find "원하는문자열입력"
-> 해당사항없음

 



[파일내용찾기. 원하는문자열찾기]


findstr /s "원하는문자열입력" *.txt
-> C:\Users\mani4u\log>findstr /s "원하는문자열입력" *.txt
a\zzz.txt:123

findstr /s "원하는문자열입력" *.*
-> /s가 하위경로까지 찾으므로 매우많이나옴. 특정 경로에 들어가서 입력 시 조금 나음
findstr "원하는문자열입력" *.*

findstr /n "원하는문자열입력" *mobile.log*
-> /n을 붙이면 라인수가 같이 표기됨
mobile.log:874736:DEBUG|2019-06-11,14:41:41.973|mobile|원하는문자열입력|어쩌구저쩌구

ex)
findstr /s "원하는문자열입력" frameplus.log
findstr /n "원하는문자열입력" *mobile.log*

findstr /s "원하는문자열입력" *.xml

728x90
728x90

wmic process get caption, creationdate | findstr 프로세스명

 

wmic process get caption, creationdate | findstr excel.exe

excel.exe 20200206073039.779888+540

 

728x90
728x90

1. Command 창을 띄웁니다.

2. wmic 입력

3. "memorychip"  또는 "wmic memorychip" 입력

아래와 같이 나옵니다.

Attributes BankLabel Capacity Caption ConfiguredClockSpeed ConfiguredVoltage CreationClassName DataWidth Description DeviceLocator FormFactor HotSwappable InstallDate InterleaveDataDepth InterleavePosition Manufacturer MaxVoltage MemoryType MinVoltage Model Name OtherIdentifyingInfo PartNumber PositionInRow PoweredOn Removable Replaceable SerialNumber SKU SMBIOSMemoryType Speed Status Tag TotalWidth TypeDetail Version
1 BANK 0 8589934592 실제 메모리 2400 1200 Win32_PhysicalMemory 64 실제 메모리 ChannelA-DIMM0 12 Samsung 0 0 0 실제 메모리 M471A1K43BB1-CTD 00000000 26 2667 Physical Memory 0 64 128
1 BANK 2 8589934592 실제 메모리 2400 1200 Win32_PhysicalMemory 64 실제 메모리 ChannelB-DIMM0 12 Samsung

 

윗 방법이 귀찮을 경우

1. Command 창을 띄움니다.

2. "wmic memorychip get capacity" 입력

아래와 같이 나옵니다.
Capacity
8589934592
8589934592

 

감사합니다.

728x90

+ Recent posts