Why new hard disks might not be much fun for XP users
XP and Server 2003 will run slower with the newest hard disks that use 4K blocks, because of partition alignment boundaries in the OS (unless you were fortunate enough to have taken a class years ago where the instructor advised creating partitions manually before installing the OS, using the parameter "align=64").
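An added example (not from the original post) showing the arithmetic behind the slowdown: with the XP/2003 default partition start of LBA 63, every 4 KiB NTFS cluster straddles two physical sectors of a 4K-sector disk, forcing read-modify-write cycles, while a 64 KiB start (diskpart's align=64, the value being in KiB) lines clusters up exactly. Sector and cluster sizes are the usual defaults and are assumptions here.

```python
# Added example, not from the original post: why a partition starting at the
# XP/2003 default of LBA 63 makes every 4 KiB cluster straddle two physical
# sectors on an Advanced Format (4K-sector) disk, and why a 64 KiB start
# offset (diskpart "align=64", value in KiB) does not.
LOGICAL = 512      # logical sector size the OS addresses (bytes)
PHYSICAL = 4096    # physical sector size of a 4K disk (bytes)
CLUSTER = 4096     # NTFS default cluster size (bytes)

XP_DEFAULT_START_LBA = 63                   # classic one-track (63-sector) offset
ALIGN64_START_LBA = 64 * 1024 // LOGICAL    # align=64 -> 64 KiB -> LBA 128


def is_aligned(start_lba, physical=PHYSICAL, logical=LOGICAL):
    """True when the partition's byte offset is a multiple of the physical sector."""
    return (start_lba * logical) % physical == 0


def physical_sectors_touched(start_lba, cluster_index, cluster=CLUSTER,
                             physical=PHYSICAL, logical=LOGICAL):
    """Number of physical sectors one filesystem cluster overlaps.

    2 means every write to that cluster costs the drive a read-modify-write of
    two 4 KiB sectors instead of a single whole-sector write.
    """
    first_byte = start_lba * logical + cluster_index * cluster
    last_byte = first_byte + cluster - 1
    return last_byte // physical - first_byte // physical + 1


def straddle_fraction(start_lba, n_clusters=4096):
    """Fraction of the first n clusters that span a physical sector boundary."""
    straddling = sum(1 for i in range(n_clusters)
                     if physical_sectors_touched(start_lba, i) > 1)
    return straddling / n_clusters


if __name__ == "__main__":
    for name, lba in (("XP default", XP_DEFAULT_START_LBA),
                      ("align=64", ALIGN64_START_LBA)):
        print(f"{name:10s} LBA {lba:4d} aligned={is_aligned(lba)} "
              f"straddling clusters={straddle_fraction(lba):.0%}")
```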
Sunday, March 14, 2010
Friday, March 12, 2010
Too many arguments in command line.
The magic is in the help, more /?, which contains the (oddly) helpful line "Switches can be present in the MORE environment variable."
Apparently Windows' default is to add the '/e' switch to more.com somewhere in the registry. I don't know what I did, but suddenly the command
more mytextfile.txt
produced the complaint "Too many arguments in command line."
I restored the behavior to which I was accustomed by adding the environment variable MORE with the parameters
/e
I also tossed in /c and /s for good measure:
/c - clear screen before displaying page
/s - squeeze multiple blank lines into a single line
Tuesday, November 10, 2009
FortiAnalyzer and traffic monitoring with an HP ProCurve
A client has been seeing unusual traffic volumes on the Internet side of their Fortinet firewall, FortiGate FG-80C.
We connected a FortiAnalyzer to perform traffic analysis.
Scenario:
FA port 1 is the management port, connected to the HP ProCurve in VLAN 1.
FA port 2 is the traffic collection port, connected to the same ProCurve on port 26.
ProCurve ports 21 and 22 are configured as VLAN 2.
The inside port of the router is connected to port 21.
The WAN1 port of the FG is connected to port 22.
Configure the ProCurve:
conf t
no ip routing
mirror-port 26
vlan 2
name "external"
untagged 21-22
ip address
exit
int 21
monitor
exit
int 22
monitor
exit
write mem
Then enable Network Analyzer on the FortiAnalyzer and set Port2 as the mirror port:
config log settings
set analyzer enable
set analyzer-gui enable
set analyzer-quota 10240
set analyzer-interface "port2"
end
(Logoff the GUI and logon to see Network Analyzer under the 'Tools' menu.)
Configure the FortiGate to log to the FortiAnalyzer:
config log fortianalyzer setting
set status enable
set server 192.168.1.99
end
Start the monitor from the FortiAnalyzer:
Tools -> Network Analyzer -> Real-Time -> Start
The easy part is done. Now *you* have to figure out what to make out of the logs ;o)
Fix .pdf file association
Windows Explorer has its own file associations, independent of HKCR.
A client needed to replace Foxit Reader with Acrobat Reader on their Citrix servers because some third party software required the Adobe rendering engine. After removing Foxit and installing Acrobat Reader, users couldn't open any .pdf documents from Explorer or Outlook.
My first thought was the file type association. FTYPE and ASSOC showed the correct associations, but I reset them anyway:
ftype AcroExch.Document="C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%1"
assoc .pdf=AcroExch.Document
to no avail.
Then I lucked out and realized that on one of the servers, I'd failed to remove Foxit and had installed Acrobat Reader alongside it. Users on that server were still able to open .pdf files, and they were getting Foxit.
A quick registry search for "Foxit" returned several values, including one under the "Progid" value beneath HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf.
I don't know why Explorer needs a different file association, but deleting it solved the problem and after logoff and logon, users were blissfully (and silently) opening .pdfs with Acrobat Reader.
To delete the key for each user, I added this line to %SystemRoot%\system32\usrlogn1.cmd (it may wrap in this post, but it's all one line):
reg delete "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf" /f
The line could also be added to a domain logon script.
(I initially changed the file type in the registry to point to Acrobat Reader, but then decided to try deleting it altogether. I prefer the deletion, since it appears to force Explorer to look up the HKCR association. If you need the Explorer FileExt entry, this works:
reg add "HKCU\Software\Microsoft\Windows\Currentversion\Explorer\FileExts\.pdf" /v Progid /t REG_SZ /d AcroExch.Document /f
)
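An added check (not part of the original post) for the mismatch described above: it compares each per-user Explorer FileExts Progid with the machine-wide HKCR default and reports any extension where the two disagree, which is how a stale viewer keeps getting launched after it has been replaced. The sample registry values are constructed; the ProgId "FoxitReader.Document" is a placeholder, not taken from the post.

```python
# Added example, not part of the original post: flag per-user Explorer
# FileExts overrides (HKCU\...\Explorer\FileExts\<ext>\Progid) that disagree
# with the machine-wide HKCR\<ext> default. Sample data below is constructed.
import sys

FILEEXTS_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"

# Constructed stand-ins for the two registry locations (ProgIds are placeholders).
SAMPLE_USER_FILEEXTS = {".pdf": "FoxitReader.Document",   # stale per-user override
                        ".txt": "txtfile"}                 # agrees with HKCR
SAMPLE_HKCR_DEFAULTS = {".pdf": "AcroExch.Document",
                        ".txt": "txtfile"}


def find_overrides(user_fileexts, hkcr_defaults):
    """Return {ext: (user_progid, hkcr_progid)} for every extension whose per-user
    Explorer Progid differs from the HKCR default (hkcr_progid is None if absent)."""
    mismatches = {}
    for ext, user_progid in user_fileexts.items():
        machine_progid = hkcr_defaults.get(ext)
        if user_progid and user_progid != machine_progid:
            mismatches[ext] = (user_progid, machine_progid)
    return mismatches


def read_live_values(extensions):
    """On Windows, read the real values for the given extensions and return
    (user_fileexts, hkcr_defaults) dicts shaped like the samples above."""
    import winreg  # Windows-only module; imported lazily so the rest runs anywhere
    user, machine = {}, {}
    for ext in extensions:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, FILEEXTS_PATH + "\\" + ext) as key:
                user[ext] = winreg.QueryValueEx(key, "Progid")[0]
        except OSError:
            pass  # no per-user override for this extension
        try:
            machine[ext] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ext)
        except OSError:
            pass  # no HKCR mapping for this extension
    return user, machine


if __name__ == "__main__":
    if sys.platform == "win32":
        user, machine = read_live_values([".pdf"])
    else:
        user, machine = SAMPLE_USER_FILEEXTS, SAMPLE_HKCR_DEFAULTS
    for ext, (u, m) in find_overrides(user, machine).items():
        print(f"{ext}: per-user Progid {u!r} overrides HKCR default {m!r}")
```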
Monday, March 30, 2009
Conficker scanner - using Bonn University's scs in a Windows environment
This post is based on information in ZDNet's article this morning:
http://blogs.zdnet.com/security/?p=3043&tag=nl.e589
I followed these steps successfully on two machines, a Windows XP SP3 workstation and Windows 2003 SP2 server, and scanned three subnets in a few minutes.
Overview of steps:
- download and install ActiveState Win32 Python
- download and install the python Crypto module
- download and install the python Impacket module
- download, extract and run scs.py
Create a working directory for downloads and builds. I used
c:\Download\ConfickerTools
ActiveState python
- download the .msi into the working directory
http://downloads.activestate.com/ActivePython/windows/2.6/ActivePython-2.6.1.1-win32-x86.msi
- install the .msi
- accept the defaults (it will install in C:\Python26)
python Crypto module
- make sure Python is installed first
- download into the working directory
http://www.voidspace.org.uk/downloads/pycrypto-2.0.1.win32-py2.6.exe
- run the executable. It should find the Python26 installation and install there
python Impacket module
- download into the working directory
http://oss.coresecurity.com/repo/Impacket-0.9.6.0.zip
- extract the .zip file, preserving the directory structure
- open a command prompt
- change into the extracted directory,
e.g., cd C:\Download\ConfickerTools\Impacket-0.9.6.0
- at the prompt enter
python setup.py install
Python will build the module and install it into its library directory
simple conficker scanner (scs)
- download from Bonn University, Germany, into the working directory
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
- extract the .zip file
- run the tool with the start and end addresses on your LAN, and redirect the output to a text file,
e.g.
scs.py 192.168.1.1 192.168.1.254 > scs-out_192-168-1-0.txt
- examine the output file for any infected machines
Saturday, January 24, 2009
script to apply Citrix patches
This script applies patches to a Citrix Presentation Server / XenApp server. It iterates through the patch files in the current directory, examines the registry to determine whether each patch has already been applied, and applies it if it is not found.
Patches are available from
http://support.citrix.com/product/xa/
Recommended use:
- download the patches
- paste the following script into a .cmd file in the patch directory (e.g., insthfx.cmd)
- the script defaults to Presentation Server version 4.5 on Win2003: if your Citrix version is different or on a different OS, edit the variables under the :setup label (hfxProductPrefix, hfxProductVersion or hfxOSVersion) accordingly
- logon to the Citrix server with administrative credentials
- ensure no other users are logged on
- run the script
@if .%ECHO%. equ .. echo off
rem //
rem // script to apply Citrix XenApp (nee Presentation Server) patches
rem // copy script into directory with .msp files
:setup
setlocal
rem // XenApp 5 uses prefix XAE
set hfxProductPrefix=PSE
set hfxProductVersion=450
rem // 64-bit patch version appends x64 to OS version
rem // e.g., W2K3X64
set hfxOSVersion=W2K3
set hfxRollupPrefix=%hfxProductPrefix%%hfxProductVersion%%hfxOSVersion%
:start
rem //
rem // change into the directory where this script is located
rem // (and where the patches are located)
pushd %~dp0
rem //
rem // disable logon
rem // it would also be nice to check for logged-on users
rem // -- maybe later
change logon /disable
rem //
rem // find latest rollup
rem // (iterate through all the rollups in name order
rem // the variable will be set to the latest one
rem // when the iteration is complete)
for %%a in (%hfxRollupPrefix%R*.msp) do set hfxRollup=%%~na
rem //
rem // extract rollup version number
rem // (last three characters of file name)
set hfxRVersion=%hfxRollup:~-3%
rem //
rem // install rollups first
call :hfx %hfxRollup%.msp
rem //
rem // install post-rollup hotfixes in order
for /f "tokens=*" %%a in ('dir /on /b %hfxProductPrefix%%hfxProductVersion%%hfxRVersion%%hfxOSVersion%*.msp') do call :hfx %%a
popd
change logon /enable
goto :cleanup
:cleanup
rem //
rem // reboot after 60 seconds
if /i .%1. neq .noreboot. start shutdown.exe -f -t 60 -r
goto :end
:hfx
set hfxpkg=%*
set hfxpkgname=%~n1
rem //
rem // find out whether the patch is listed in the registry
rem // reg.exe returns 1 if not found, 0 if found
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ProductCodes\Hotfixes\%hfxpkgname% > nul 2>&1
if %ERRORLEVEL% == 1 (
echo installing %hfxpkg%
start /wait msiexec /update %hfxpkg% /qn /norestart
choice /t:20 /d:y /c:y
)
goto :eof
:end
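An added example (not the script from the post, nor Citrix code) that reproduces the script's selection logic in Python so the install order can be reviewed before anything is run on a server: pick the highest-numbered rollup, then the post-rollup hotfixes for that rollup in name order, and skip any package whose name already appears under the Hotfixes registry key. The file names and the "already installed" set are constructed to follow the script's naming scheme and are not real Citrix hotfix ids.

```python
# Added example, not the batch script from the post: the same patch selection
# logic in Python. Rollups are <product><version><os>R<nn>.msp and post-rollup
# hotfixes are <product><version>R<nn><os><nnn>.msp, as the script's wildcards
# expect. All names below are constructed, not real Citrix hotfix ids.
from pathlib import PurePath

SAMPLE_FILES = ["PSE450W2K3R02.msp", "PSE450W2K3R03.msp",
                "PSE450R03W2K3001.msp", "PSE450R03W2K3002.msp",
                "PSE450R02W2K3005.msp", "readme.txt"]
# Stand-in for the names found under HKLM\SOFTWARE\Citrix\ProductCodes\Hotfixes
SAMPLE_INSTALLED = {"PSE450W2K3R02", "PSE450R03W2K3001"}


def _msp_stems(files, prefix):
    """Upper-cased base names of .msp files starting with prefix, in name order
    (the script relies on name order too: 'dir /on' and the last match of 'for')."""
    return sorted(PurePath(f).stem.upper() for f in files
                  if f.upper().startswith(prefix.upper()) and f.lower().endswith(".msp"))


def latest_rollup(files, product="PSE", version="450", os_ver="W2K3"):
    """Highest-numbered rollup present, e.g. PSE450W2K3R03, or None if there is none."""
    rollups = _msp_stems(files, f"{product}{version}{os_ver}R")
    return rollups[-1] if rollups else None


def install_plan(files, installed, product="PSE", version="450", os_ver="W2K3"):
    """Ordered .msp files to apply: latest rollup first, then that rollup's
    post-rollup hotfixes, skipping anything already listed in the registry."""
    rollup = latest_rollup(files, product, version, os_ver)
    if rollup is None:
        return []
    rversion = rollup[-3:]                     # last three characters, e.g. "R03"
    hotfixes = _msp_stems(files, f"{product}{version}{rversion}{os_ver}")
    installed = {name.upper() for name in installed}   # registry names are case-insensitive
    return [name + ".msp" for name in [rollup] + hotfixes if name not in installed]


if __name__ == "__main__":
    for pkg in install_plan(SAMPLE_FILES, SAMPLE_INSTALLED):
        print("would install", pkg)
```

Unlike the batch script, this only reports the plan; it does not disable logons, run msiexec or schedule a reboot.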