Tuesday, November 25, 2008

Walkthrough: Boot WinPE on a USB Thumbdrive

I was in a bind. I had on hand a which I was trying to install a Vista image on. But this unit had neither a built-in nor an external CD or DVD drive. And all I had was my trusted {Insiders} USB thumbdrive:



The WinPE image I was using to boot up is in ISO format. I used MagicISO to mount the ISO file to access the image's folder structure and its files. Once I had the files and folders ready, I had to run the following diskpart commands to be able to boot from my USB thumbdrive:
  1. list disk - displays disk information including disk number, size, and status
  2. select disk x - focuses all subsequent commands on a particular disk
  3. clean - cleans and removes all configuration information from the disk
  4. create partition primary - creates a partition (of type primary in our example)
  5. list partition - displays partition information of the disk in focus
  6. select partition y - moves the focus to the partition y
  7. active - marks the partition in focus as the active boot partition
  8. format fs=fat32 - formats the active partition with the FAT32 file system
  9. assign - assigns a drive letter (the next available one) to the disk




I then mounted my WinPE ISO and copied the files/folders to the USB thumbdrive. And off I went, booting up WinPE from my {Insiders} USB thumbdrive.
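The steps above driven from a script, as an added example that is not from the original post: the diskpart commands go into a script file run with diskpart /s, after a WMI check that the chosen disk number really is a USB disk, since clean wipes whatever disk is selected. The drive letter P:, the script file name and the source-folder argument are assumptions.

```vbscript
' Added example (not the post's own code): runs the diskpart commands listed
' above against a USB thumbdrive, but only after confirming that the disk
' number belongs to a USB disk, because "clean" wipes whichever disk is selected.
' Usage: cscript PrepUsb.vbs <disk number from "list disk"> <folder with the mounted WinPE files>
Option Explicit

Const USB_LETTER = "P"      ' drive letter given to the new partition (assumption)
Dim objFSO, objShell, objWMI, colDisks, objDisk, intDisk, strSrc, strScript, intRC
Set objFSO   = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

If WScript.Arguments.Count <> 2 Then
    WScript.Echo "Usage: cscript PrepUsb.vbs <disknumber> <winpe source folder>"
    WScript.Quit 1
End If
intDisk = CInt(WScript.Arguments(0))
strSrc  = WScript.Arguments(1)
If objFSO.DriveExists(USB_LETTER & ":") Then
    WScript.Echo "Drive " & USB_LETTER & ": is already in use; pick another letter."
    WScript.Quit 1
End If

' Safety check: Win32_DiskDrive.Index is the number diskpart shows in "list disk".
Set objWMI   = GetObject("winmgmts:\\.\root\cimv2")
Set colDisks = objWMI.ExecQuery("SELECT Index, InterfaceType, Model, Size FROM Win32_DiskDrive WHERE Index = " & intDisk)
If colDisks.Count = 0 Then
    WScript.Echo "Disk " & intDisk & " not found."
    WScript.Quit 1
End If
For Each objDisk In colDisks
    If UCase(objDisk.InterfaceType) <> "USB" Then
        WScript.Echo "Disk " & intDisk & " (" & objDisk.Model & ") is not a USB disk. Refusing to clean it."
        WScript.Quit 1
    End If
    WScript.Echo "Preparing disk " & intDisk & ": " & objDisk.Model & ", " & Round(CDbl(objDisk.Size) / 1073741824, 1) & " GB"
Next

' Steps 2-9 from the post, written to a script file and handed to diskpart /s.
strScript = objFSO.GetSpecialFolder(2) & "\winpe_usb.txt"   ' 2 = temporary folder
With objFSO.CreateTextFile(strScript, True)
    .WriteLine "select disk " & intDisk
    .WriteLine "clean"
    .WriteLine "create partition primary"
    .WriteLine "select partition 1"
    .WriteLine "active"
    .WriteLine "format fs=fat32"
    .WriteLine "assign letter=" & USB_LETTER
    .WriteLine "exit"
    .Close
End With
intRC = objShell.Run("diskpart /s """ & strScript & """", 1, True)
If intRC <> 0 Then
    WScript.Echo "diskpart failed with exit code " & intRC
    WScript.Quit intRC
End If

' Copy the mounted WinPE ISO's folders and files onto the new partition.
objFSO.CopyFolder strSrc & "\*", USB_LETTER & ":\", True
objFSO.CopyFile strSrc & "\*", USB_LETTER & ":\", True
WScript.Echo "Done. The thumbdrive is ready to boot WinPE."
```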

Thursday, November 20, 2008

New-Look Gmail

Have you noticed your spanking new Gmail lately?



Log in to your Gmail account. Click on Settings --> Themes.



Choose a new theme (you can also add features under Labs). Save the changes and voila, a cool-looking Gmail UI.



Wednesday, November 19, 2008

Microsoft To Phase-out Live OneCare

Two years after a very hyped launch of Windows Live OneCare, Microsoft announced today that the product will be phased out next year and a free security solution (codenamed "Morro") will be released to replace it. The yet-to-be-announced product will offer a real-time anti-malware protection solution. OneCare, on the other hand, offers this capability on top of backup and management features. This is to be expected given that Morro, according to Microsoft, is designed to use minimal computing resources to make it amenable to low-bandwidth scenarios and less powerful PCs, hence the smaller footprint.

Microsoft also announced that sales of the Windows Live OneCare subscription service as well as Windows Live OneCare for Server on SBS 2008 will end on June 30, 2009. OneCare users will have the option to move to Morro (it will be available everywhere OneCare currently is). The fact that Morro is FOC may also entice end-user adoption. However, I doubt it is capable of dislodging the industry leaders off their roosts in the enterprise security field.

Microsoft's entry into the consumer/enterprise security market way back in 2006 was met with mixed reactions. And with this setback, whatever is left of Microsoft's foothold in this arena has taken a major beating.

Tuesday, November 18, 2008

Deleting *.bak Files When the Computer Turns Idle (VBS)

A similar thread from the Technet Forums:
http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/2991aa59-07c6-413e-8bf0-9ffa2bd8f0d3

Here is a script that deletes all *.bak files on a computer's D: drive once the computer has been idle for 10 minutes.



There is actually a trick behind this script. Using a script to check whether a computer is idle is not really straightforward, but rather relatively complicated (read my lips, I don't know how to do it). I made use of the Screen Saver timeout property via a registry hack, setting it to trigger after 10 minutes (600 seconds) via the sub procedure SetScrSvrTime():



The script checks if the screen saver process is running (it is implied that, in this example, the computer is configured with the "Mystify.scr" screen saver). A connection to the WMI service on the local computer is made, and an event notification query is issued which fetches, within 20 seconds, a list of running processes:



The Do-While loop processes the information gathered from this query and checks for the screen saver "Mystify.scr" process. If found, it goes to another loop where a call to the DelFiles(strDrv) sub procedure is made (strDrv is the parameter passed to the sub procedure, which is the drive where the *.bak files are going to be deleted). This sub procedure then recursively checks for and deletes all *.bak files found:



This script can be further customized to accomplish other things when the computer goes idle. For example, you may want to send out a notification, defrag the hard disk, run a back-up and so on. The possibilities are endless, let your imagination loose!

For those interested to have a copy of this script, please drop this post a comment.
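One way to put the pieces described in this post together, as an added example that is not the author's script: it sets the screen saver timeout, subscribes to a WMI process-creation event for Mystify.scr, and runs a recursive DelFiles over D:\ each time the screen saver starts. It assumes the script runs in the logged-on user's session and that the screen saver is configured; skipping folders with the System attribute and reporting files that cannot be deleted are additions.

```vbscript
' Added example, not the script from the post: waits until the screen saver
' process (Mystify.scr here) starts and then deletes *.bak files under D:\.
' Assumes it runs in the logged-on user's session, since the ScreenSaveTimeOut
' value lives in that user's HKCU hive.
Option Explicit

Const HKEY_CURRENT_USER = &H80000001
Dim strDrv    : strDrv    = "D:\"
Dim strScrSvr : strScrSvr = "Mystify.scr"
Dim objFSO    : Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim objWMI    : Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Dim colEvents, objEvent, intDeleted

SetScrSvrTime 600    ' 10 minutes

' Event query: WMI raises __InstanceCreationEvent for every new Win32_Process,
' polling every 20 seconds; the WHERE clause limits it to the screen saver.
Set colEvents = objWMI.ExecNotificationQuery( _
    "SELECT * FROM __InstanceCreationEvent WITHIN 20 " & _
    "WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = '" & strScrSvr & "'")

Do    ' runs until the script is stopped; each idle period triggers one cleanup
    WScript.Echo Now & " waiting for " & strScrSvr & " ..."
    Set objEvent = colEvents.NextEvent    ' blocks until the screen saver starts
    intDeleted = 0
    DelFiles strDrv
    WScript.Echo Now & " " & objEvent.TargetInstance.Name & " running (computer idle); " & _
                 intDeleted & " *.bak file(s) deleted from " & strDrv
Loop

' Sets the screen saver timeout (in seconds) for the current user. Windows
' reads the value at logon, so the change applies from the next session.
Sub SetScrSvrTime(intSeconds)
    Dim objReg
    Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
    objReg.SetStringValue HKEY_CURRENT_USER, "Control Panel\Desktop", "ScreenSaveTimeOut", CStr(intSeconds)
    objReg.SetStringValue HKEY_CURRENT_USER, "Control Panel\Desktop", "ScreenSaveActive", "1"
End Sub

' Recursively deletes files with the .bak extension below strPath. Folders
' carrying the System attribute (e.g. System Volume Information) are skipped,
' and a file that cannot be deleted is reported instead of aborting the run.
Sub DelFiles(strPath)
    Dim objFolder, objFile, objSub
    Set objFolder = objFSO.GetFolder(strPath)
    For Each objFile In objFolder.Files
        If LCase(objFSO.GetExtensionName(objFile.Name)) = "bak" Then
            On Error Resume Next
            objFile.Delete True
            If Err.Number = 0 Then
                intDeleted = intDeleted + 1
            Else
                WScript.Echo "Could not delete " & objFile.Path & ": " & Err.Description
                Err.Clear
            End If
            On Error GoTo 0
        End If
    Next
    For Each objSub In objFolder.SubFolders
        If (objSub.Attributes And 4) = 0 Then DelFiles objSub.Path    ' 4 = System
    Next
End Sub
```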

Monday, November 17, 2008

MILF Website Hacked

The Web site of the Moro Islamic Liberation Front (MILF), http://www.luwaran.com/, was reportedly defaced by unidentified hackers last week. It was restored last Saturday after being offline for a number of days.

Mohagher Iqbal, a senior MILF leader, confirmed Saturday that their Web site was hacked by unknown individuals last October 4. Television giant GMA 7 reported that the MILF website had several photos of pigs, animals considered unclean by Muslims. Links to news articles in the MILF website also led to defaced pages featuring pigs. "I love pigs," "i love pigs :D," "Prite bac Prite" and "digdigdig," the headlines read.

Iqbal said that he has no suspect to pinpoint at the moment, refusing to speculate that the Armed Forces of the Philippines (AFP) may be behind it. Meanwhile, the AFP insisted that they have nothing to do with the problem encountered by the MILF website.

A quick check of the http://www.luwaran.com/ domain shows a lot of updates from August to October 2008. The hosting ISP also changed a number of times. I'm still checking for a mirror of the defaced site to provide more clues as to who the culprits are. Hackers normally feel they have one-upped the administrators and are oftentimes cocky enough to display their tags and "gr33tz".


Sunday, November 16, 2008

White Tigers Maul Zoo Cleaner to Death



Last Thursday, white tigers attacked and killed a Malaysian working as a cleaner in the Singapore Zoo after the man jumped into their enclosure. It was reported in the papers that the man, apparently showing signs of distress and uneasiness, leapt into the moat of the white tiger exhibit and was attacked. The attack happened in full view of a number of people who tried to distract the tigers away from the man by throwing rocks at them. Keepers and other zoo workers managed to pull the man away when the tigers went back to their den obviously distracted by the raucous crowd. The man, however, died on the way to the hospital.



An endangered species, white tigers are mostly found in the wild in South Asia, predominantly in India. A full grown white tiger could weigh over 100 kg and measure 8 feet from nose to tail. Their distinctive color is actually due to a genetic condition that strips their fur of the orange pigment, leaving the animal with snow white fur, black stripes and blue eyes.

The zoo has temporarily closed the tiger exhibit.

Friday, November 14, 2008

VBS Logoff Script to Log User Information


Part 1:
http://badzmanaois.blogspot.com/2008/11/script-to-track-local-logins-vbs.html

Here's a follow-up to the script posted earlier. This one is executed when the user logs off. It will log the following information to the output log file:

Event Type (Login/Logoff)
User (Full User Name)
Computer
Date & Time of the Event

The output log file looks like this:



The script defines the location and name of the output log file (C:\LogFile\Login.csv) and calls the Main sub procedure:



The sub procedure Main retrieves the currently logged-in user's details such as .UserName, .DomainName, and .ComputerName. The user's full name is then extracted and passed to the log file (together with the other earlier-mentioned variables):


The user must have modify permission on the output log file.

Wednesday, November 12, 2008

Microsoft Fixes 7-Year Old Flaw + MS08-068 Exploit

One of the two patches released by Microsoft for the month of November addresses a vulnerability first reported in 2001 by a researcher better known as Sir Dystic from the Cult of the Dead Cow (cDc). He found a vulnerability in Microsoft operating systems which enables an attacker to gain complete access to a user's computer. He wrote a utility, SMBRelay (and its NetBIOS-bound brother, SMBRelay2), which demonstrates the flaw. Employing man-in-the-middle tactics, the program receives a connection on port 139, connects back to the connecting computer's port 139, and relays the packets between the client and server of the connecting Windows machine, making modifications to these packets when necessary. On top of that, SMBRelay collects the NTLM password hashes and saves them to a file readable by L0phtCrack for cracking.

Apparently, it took Microsoft 7 years to finally address this vulnerability, as mentioned here. According to this article, exploit code for this flaw is currently available on the internet. In fact, Metasploit has a PoC/working exploit which runs under the 'sploit framework.

The released patch, although given just a criticality rating of "Important" (whereas, MS08-069 was rated "Critical"), appears more interesting given the fact that this fixes a 7-year old flaw.

Going back to the tool, here are the switches and parameters that SMBRelay uses:

Usage: smbrelay [options]
Options:

/D num - Set debug level, current valid levels: 0 (none), 1, 2 (Default is 0)
/E - Enumerates interfaces and their indexes
/IL num - Set the interface index to use when adding local IP addresses
/IR num - Set the interface index to use when adding relay IP addresses
Defaults to 1. Use /E to display the adapter indexes
/L[+] IP - Set the local IP to listen on for incoming NetBIOS connections
Use + to first add the IP address to the NIC
Defaults to primary host IP

/R[-] IP - Set the starting relay IP address to use
Use - to NOT first add each relay IP address to the NIC
Defaults to 192.1.1.1
/S name - Set the source machine name
Defaults to CDC4EVER

SMBRelay2, on the other hand, has the following switches and parameters:

SMBRelay2 [Options]
Options:
/A LanaNum - Use LanaNum
Defaults to 0
/D DebugLevel - Level of debug messages, valid levels 0 - 3
Defaults to 0
/L LocalName - Listen for primary connection on LocalName
Defaults to SERVER
/R RelayName - Listen for relay connection on RelayName
Defaults to RELAY
/S SourceName - Use SourceName when connecting to target
Defaults to CDC4EVER
/T TargetName - Connect to TargetName for relay
Defaults to connecting back to client

Tuesday, November 11, 2008

Siloso Beach Sentosa (Singapore)

Considered one of the better beaches in Singapore, Siloso Beach lies on the western portion of the southern coast of the island resort of Sentosa. The stretch of beach is home to a number of dining and shopping outlets. However, Siloso Beach is better known for the outdoor activities that beach-going patrons usually engage in, such as beach volleyball, canoeing, skim boarding, mountain biking and rollerblading.

Each time my family goes to Sentosa, a Siloso beach stopover is always part of the itinerary. The kids love to frolic by the beach, building sand castles, scouring for sea shells, the usual kidstuff. Me, I just relax and enjoy the scenery. With my wife beside me, of course.


Monday, November 10, 2008

Microsoft Security Bulletin Advance Notification for November 2008

The usual heads-up from Microsoft for this month mentions two vulnerabilities, one critical and one important. The patches which will address these vulnerabilities will be released on 11 November 2008 (12 November for those in Asia-Pac) during the routine "Patch Tuesday" cycle. Both the vulnerabilities affect the Windows OS from Windows 2000 Pro/Server up to Windows Server 2008 including Windows XP/Vista and Windows Server 2003. Furthermore, a Microsoft Office component is affected. For more information on the affected OS and application plus other relevant information pertaining to the release, please visit the following link:

http://www.microsoft.com/technet/security/Bulletin/MS08-nov.mspx

Expect another busy week ahead, what with all the regression testing, deployment tests, and more that the sys admins and application owners/testers will go through prior to the production release of the patches in an enterprise. No rest. For the wicked admins.

Sunday, November 9, 2008

My Bak Kut Teh Discovery

I was walking by the Serangoon Bus Interchange last week when I caught sight of this one coffeeshop where all the patrons appear to be eating the same stuff. The ever curious me (and my grumbling stomach), proceeded to check the place out, albeit, a cursory glance at the stall where the dish was being ordered. Upon closer scrutiny, the dish turned out to be the celebrated Bak Kut Teh.




I ordered one from the auntie manning the stall and asked for extra chili and sauce. It was a tough call since I was really trying to watch my diet and consuming this sinful dish would require me to sweat out (through jogging or basketball) tons of calories. But seeing the satisfied look of the shop's patrons across the table where I was seated settled it. Basketball over the weekend for me.

The verdict: it's a must-try dish. The soup base had a not-too-strong peppery aroma, and the mix of the herbs and the pork ribs blend into a taste-bud gratifying tang. The meat, soft and tender, seemed to melt in the mouth. Heavenly.



If you are anywhere near the interchange, head north towards the, iirc, 688 coffeeshop. You won't miss the spot, you'll see tables with steaming hot bak kut tehs.

Here's a short and sharp recipe of this wonderful yet easy-to-prepare dish:

Ingredients
1 Spice packet containing:
  • 1 cinnamon stick
  • 4-5 cloves
  • 1 tablespoon white peppercorns
  • 1 tablespoon dried hawthorn berries
  • 2 whole star anises
500 grams meaty pork ribs
2 whole heads of garlic, unpeeled
2 tablespoons black soya sauce
6-7 cups of water
1 tablespoon salt

Put the pork ribs, spice packet (put the spices in a cloth) and the garlic in a pot. Add water, cover and bring to the boil. Remove the meat scum as it rises. Add soya sauce and salt. Reduce heat and cook until ribs are tender. Serve with white rice and sliced red chilli in dark soya sauce on the side.

(Beta Exam 71-565) Pro: Designing and Developing Enterprise Applications Using the Microsoft® .NET Framework 3.5.

Fresh beta exam news from the Beta Exam Announcement blog:

=============================================

You are invited to take beta exam 71-565: Pro: Designing and Developing Enterprise Applications Using the Microsoft® .NET Framework 3.5. If you pass the beta exam, the exam credit will be added to your transcript and you will not need to take the exam in its released form. The results will not appear on your transcript until several weeks after the final form of the exam is released. The 71-xxx identifier is used for registering for beta versions of MCP exams; when the exam is released in its final form, the 70-xxx identifier is used for registration.

71-565: Pro: Designing and Developing Enterprise Applications Using the Microsoft® .NET Framework 3.5 counts as credit towards the following certification(s).

  • Microsoft Certified Professional Developer: Enterprise Application Developer 3.5. In order to earn this certification you must also hold the following Microsoft Certified Technology Specialist certifications: .NET Framework 3.5, ASP.NET Applications; .NET Framework 3.5, Windows Forms Applications; .NET Framework 3.5 ADO.NET Applications; and .NET Framework 3.5, Windows Communication Foundation Applications

--------------------------------------------------------------------------------
Availability

Registration begins: November 7, 2008
Beta exam period runs: November 10, 2008 – December 3, 2008

Receiving this invitation does not guarantee you a seat in the beta; we recommend that you register immediately. Beta exams have limited availability and are operated under a first-come-first-served basis. Once all beta slots are filled, no additional seats will be offered.

Testing is held at Prometric testing centers worldwide, although this exam may not be available in all countries (see Regional Restrictions). All testing centers will have the capability to offer this exam in its live version.

Regional Restrictions: India, Pakistan, China
--------------------------------------------------------------------------------

Registration Information

Please use the following promotional code when registering for the exam: 999TR
You must register at least 24 hours prior to taking the exam.

To register in North America, please call:
· Prometric: (800) 755-EXAM (800-755-3926)

Outside the U.S./Canada, please contact:
· Prometric: http://www.register.prometric.com/ClientInformation.asp
--------------------------------------------------------------------------------

Test Information and Support

You are invited to take this beta exam at no charge. You will be given four hours to complete the beta exam. Please plan accordingly. Find exam preparation information: http://www.microsoft.com/learning/en/us/exams/70-565.aspx

=============================================

If you are a developer on track of going for Microsoft-centric certifications, you may want to give this offer a shot. All the best!

Thursday, November 6, 2008

Offline Files Synchronization Errors (Sync Center)

This has got me stumped. My users' home folders are stored on a NetApp filer (CIFS). "My Documents" and "Favorites" are redirected and made available offline. On the filer, oplocks has been set to "on". When a user syncs his offline files from his Windows Vista Enterprise computer, the "view sync results" window displays a lot of errors (Details: "The process cannot access the file because it is being used by another process."). On a Windows XP computer, synchronization works like a charm.

KB296264 mentions modifying the registry of Windows Servers, so this doesn't apply in my case. I'm on a quest to find a solution for this. =)

Follow the ongoing thread in the Technet File Services and Storage forum:
http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/26bc65ca-5663-4183-b15b-f49a4cb664d0

Wednesday, November 5, 2008

Script to Track Local Logins (VBS)

Event ID 528 is logged whenever an account logs on to the local computer, whereas Event ID 540 is generated for network logons. It is oftentimes tedious and a tad straining to the eyes to go through the tons of events stored in the Event Viewer, even if you filter out those events you are not interested in.

I would suggest saving the login/logoff events on a log file in a more user-friendly format for easier analysis. For example, one may want to keep track of login time for monitoring purposes while another may do this to ensure optimal usage, for example, on a shared PC where users are allocated certain hours of access.

Here's a script that saves the login information (event ID 528) to a CSV file; the user name, hostname, and the time of login are captured.

The script opens a file (or creates one if the file does not exist) for appending, wherein the captured data are stored. It then calls a sub procedure called Main to extract this information. Note that users must have modify rights on the C:\LogFile\Login.csv file.



The Main sub procedure captures the currently logged-in user's name, domain and the hostname of the computer, and then writes this information, together with the type of action (Login) and time, to the log file:



Simple. Next, we will look at this script's partner, the logoff script, which captures the logoff time of the user (logoff time - login time = total usage time).
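The logon script described here and the logoff script from the November 14 follow-up post write the same fields (event type, full user name, computer, date and time) to the same C:\LogFile\Login.csv. As an added example, not the author's code, here is one script that handles both events by taking the event type as a command-line argument; it assumes WScript.Network for the user and computer names and the ADSI WinNT provider for the full-name lookup.

```vbscript
' Added example, not the scripts from the posts: a single script for both the
' logon and the logoff event. It appends Event Type, the user's full name,
' the computer and the date/time to C:\LogFile\Login.csv.
' Usage: cscript LogUser.vbs Login    (logon script)
'        cscript LogUser.vbs Logoff   (logoff script)
Option Explicit

Const ForAppending = 8
Dim strLogFile   : strLogFile   = "C:\LogFile\Login.csv"   ' users need Modify rights on it
Dim strEventType : strEventType = "Login"
If WScript.Arguments.Count > 0 Then strEventType = WScript.Arguments(0)

Main strEventType

' Collects user name, domain and computer name from WScript.Network and
' writes one CSV line: EventType,User,Computer,DateTime.
Sub Main(strEvent)
    Dim objNet, objFSO, objLog, strFullName, blnNewFile
    Set objNet = CreateObject("WScript.Network")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    strFullName = GetFullName(objNet.UserDomain, objNet.UserName)

    If Not objFSO.FolderExists(objFSO.GetParentFolderName(strLogFile)) Then
        objFSO.CreateFolder objFSO.GetParentFolderName(strLogFile)
    End If
    blnNewFile = Not objFSO.FileExists(strLogFile)
    Set objLog = objFSO.OpenTextFile(strLogFile, ForAppending, True)
    If blnNewFile Then objLog.WriteLine "EventType,User,Computer,DateTime"   ' header once
    objLog.WriteLine strEvent & "," & CsvField(strFullName) & "," & objNet.ComputerName & "," & Now
    objLog.Close
End Sub

' Looks up the account's full name through the ADSI WinNT provider (works for
' local and domain accounts). Falls back to DOMAIN\user if the lookup fails,
' e.g. when no domain controller is reachable at logoff.
Function GetFullName(strDomain, strUser)
    Dim objUser
    GetFullName = ""
    On Error Resume Next
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
    If Err.Number = 0 Then GetFullName = objUser.FullName
    On Error GoTo 0
    If Len(GetFullName) = 0 Then GetFullName = strDomain & "\" & strUser
End Function

' Quotes a CSV field so a full name such as "Doe, John" keeps its comma.
Function CsvField(strValue)
    CsvField = """" & Replace(strValue, """", """""") & """"
End Function
```

Because the users being tracked need write access to Login.csv, treat it as a convenience log; the Security event log entries (Event IDs 528 and 540 mentioned above) remain the record users cannot edit.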

Tuesday, November 4, 2008

America Votes

Today, Americans will decide who will be the 44th president of the most powerful nation on the planet. In this time of uncertainty and unease, this exercise could very well act as a catalyst to calm down the turbulent global economic state of affairs. Or it could trigger the current global recession to further deteriorate. The new leader born out of this election is poised to steer a nation, nay, a world, reeling from the ill effects of the economic downturn. Whoever comes out the winner will face a challenge far worse than any of their predecessors in the past 70 years or so had faced. As it is, the whole world waits. Eagerly.

Monday, November 3, 2008

Penang's Batu Ferringhi Beach Sunset



Penang Island is part of the second smallest state in Malaysia (after Perlis) Pulau Pinang (Penang). It is the fourth largest island in Malaysia, with an area of 295 square kilometers, and is home to an estimated 680,000 people.

The famed Penang Bridge, one of the longest bridges in Asia and a national landmark, connects the island with mainland Peninsular Malaysia by. The bridge begins at Gelugor on the island and ends in Perai on the mainland. The mainland portion of the Penang state is known as Seberang Perai (formerly known as Province Wellesley), and together with Penang Island and other smaller islands, form the state of Penang.

One of the better beaches in Penang is Batu Ferringhi, off the northern tip of the island. Lining the coastal road are a number of commercial establishments and hotels. The pasar malam, or night market, around this area is famous for the diverse assortment of goods plied.

But one striking scenery that has remained etched in my memory is the sunset by the beach. The contrast between the orange hued sky and the azure water backdrops makes the scene a photographer magnet. The photo I posted here was taken during one of my trips to this magnificent place.
 

Saturday, November 1, 2008

Remotely Removing Users from the Local Administrators Group (VBS)

Scenario: You are an administrator of a domain. You are given a task to remove "rogue" administrators of the computers in your domain. On a few machines, this task would be very trivial; you can just remotely connect to each machine and remove the user from the local administrators group. Complexity comes in when you have to remove different users for each machine. Here is a rundown of what I would do if I were given this task. The usual disclaimer applies.

Step 1: Generate a list of the computer accounts of the domain (programmatically or by exporting the list from the Active Directory Users and Computers snap-in) and save the output to a text file (computers.ini, in this example). Add the login account of the user you are going to remove for each machine as shown (contents of computers.ini):



Step 2: The main script reads off computers.ini the list to be used as parameters (computer name and user name). Notice that the file is read in one go and the data stored in the array arrComputers. Each object in the array is checked and passed to the RemoveAdmin sub procedure.


Step 3: Script the procedures. Three procedures are used in the script: RemoveAdmin, which is a sub procedure, and the sConvert and ping functions. The RemoveAdmin sub procedure queries the remote machine's local Administrators group and, if the user account (as defined in computers.ini) is found, removes it from the group.


The sConvert function will return a string depending on the code parameter passed. If code is set to "1," the value returned is the computer account whereas if it is set to "2," the value returned is the user account (note the Select Case section).

The ping function is self-explanatory. It checks if the machine is online and returns a Boolean value (true if online, false if otherwise).


This script must be run with an account that has administrative rights on the computers listed in computers.ini. If this script is run from a Windows Vista computer, ensure that elevated privileges are invoked (for example, by right-clicking on the command-prompt shortcut and choosing "Run As Administrator").
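A reconstruction of the script described in Steps 2 and 3, added here as an example and not the author's code. It assumes computers.ini holds one "computer,user" pair per line (the comma separator is an assumption), uses the ADSI WinNT provider for the group membership and Win32_PingStatus for the ping function, and accepts the user either as a bare account name or as DOMAIN\user so that a same-named local account is not removed by mistake.

```vbscript
' Added example, not the post's script: reads "computer,user" lines from
' computers.ini (comma separator assumed), pings each computer and removes the
' named account from its local Administrators group via the ADSI WinNT provider.
' Run from an elevated prompt with an account that administers the listed computers.
Option Explicit

Const ForReading = 1
Dim objFSO, objFile, arrComputers, strLine, strComputer, strUser
Set objFSO  = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("computers.ini", ForReading)
arrComputers = Split(objFile.ReadAll, vbCrLf)   ' the whole file is read in one go
objFile.Close

For Each strLine In arrComputers
    If InStr(strLine, ",") > 0 Then
        strComputer = sConvert(strLine, 1)
        strUser     = sConvert(strLine, 2)
        If ping(strComputer) Then
            RemoveAdmin strComputer, strUser
        Else
            WScript.Echo strComputer & ": offline, skipped"
        End If
    End If
Next

' Removes strUser ("user" or "DOMAIN\user") from the local Administrators
' group of strComputer if it is a member.
Sub RemoveAdmin(strComputer, strUser)
    Dim objGroup, objMember, strMember, blnFound
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If Err.Number <> 0 Then
        WScript.Echo strComputer & ": cannot open Administrators group (" & Err.Description & ")"
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    blnFound = False
    For Each objMember In objGroup.Members
        ' ADsPath looks like WinNT://DOMAIN/user; turn it into DOMAIN\user
        strMember = Replace(Mid(objMember.ADsPath, 9), "/", "\")
        If LCase(strMember) = LCase(strUser) Or _
           LCase(Mid(strMember, InStrRev(strMember, "\") + 1)) = LCase(strUser) Then
            objGroup.Remove objMember.ADsPath
            WScript.Echo strComputer & ": removed " & strMember
            blnFound = True
            Exit For    ' stop enumerating a collection that was just changed
        End If
    Next
    If Not blnFound Then WScript.Echo strComputer & ": " & strUser & " is not a local administrator"
End Sub

' Returns the computer name (code 1) or the user name (code 2) from a line.
Function sConvert(strEntry, intCode)
    Dim arrParts
    arrParts = Split(strEntry, ",")
    Select Case intCode
        Case 1: sConvert = Trim(arrParts(0))
        Case 2: sConvert = Trim(arrParts(1))
    End Select
End Function

' True if the computer answers a ping (Win32_PingStatus.StatusCode 0 = success).
Function ping(strHost)
    Dim colPings, objPing
    ping = False
    Set colPings = GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
        "SELECT StatusCode FROM Win32_PingStatus WHERE Address = '" & strHost & "'")
    For Each objPing In colPings
        If Not IsNull(objPing.StatusCode) Then
            If objPing.StatusCode = 0 Then ping = True
        End If
    Next
End Function
```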