Tuesday, December 18, 2012

HP Folio doesn’t get any Windows OEM-Key

I searched and I searched. Under the laptop, under the battery, in the BIOS, but the key was nowhere to be found. Finally I gave up and called HP support; they’ve gotta know, I figured. Not so, the guy I talked to was totally clueless as to why I needed that. It’s not delivered anymore with new laptops, he tells me.

HP takes full responsibility for the delivered image, he says. Well, what if I don’t want to spend another 2 hours cleaning out all the HP-crap that is jammed into the poor machine, then? What if I don’t want to use recovery images and want to deploy from my MDT?

Well, I apparently don’t need them anymore. Hmm, we’ll see….

Friday, December 14, 2012

Autologin to Windows 8

Good for demo computers or big-screen computers. This only works if the computer isn’t a member of a domain. Otherwise “Users must enter….” isn’t visible.

  • Hit Run > netplwiz
  • Uncheck “Users must enter a username….”
  • Autologon probably only works if there is only one user account.

References:

http://www.ghacks.net/2011/09/16/windows-8-how-to-automatically-log-on/

Thursday, December 13, 2012

Recommended for you popup

Had this malware infection recently. The user gets an ad in the lower left corner of Internet Explorer. Funny thing is, when installing Firefox instead, the issue was the same!

Symptoms:

  • Ad shows in the lower left corner, can be using Flash or not.
  • Sometimes clicking a link redirects to a completely different page.

Actions:

  • Malwarebytes found malware, cleaned out. Kept coming back. Ran it and rebooted 3 times. Quick and Full. No fix seemed to do any good.
  • Ran Roguekiller, did nothing for the problem.
  • Checked unknown processes with Process Explorer
  • Checked all Internet Explorer add-ins using Sysinternals Autoruns

I finally found that the hosts file had been tampered with. Those sneaky bastards had put the extra lines at the bottom end of the hosts file. No edits could be done. Took ownership, removed write-protection with attrib, but still I couldn’t edit the file.

The Fix

I ran Microsoft FixIt50267, which is supposed to reset the hosts file, but this didn’t work either. Finally I created a new hosts file with the standard content and copied it over the original location. This solved the problem. No more malware ads while surfing.

Final thoughts

The following lines were added to the hosts file:

87.236.195.128 www.google-analytics.com.
87.236.195.128 ad-emea.doubleclick.net.
87.236.195.128 www.statcounter.com.
87.236.195.128 connect.facebook.net.
93.115.241.27 www.google-analytics.com.
93.115.241.27 ad-emea.doubleclick.net.
93.115.241.27 www.statcounter.com.
93.115.241.27 connect.facebook.net.

What they probably do is redirect “real ads” to malware-ad servers instead. The tricky part is that this isn’t something the malware scanners, Autoruns or Process Explorer will pick up, since it isn’t malware causing it. Just a few extra lines in the hosts file.
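A check for this kind of tampering, as an added example that is not part of the original post: it parses hosts-file text and reports every name mapped to a routable address, with the line number so entries hidden far below the header still show up. The function name `audit_hosts`, the `allowed` parameter and the sample text (which reuses two of the entries listed above) are constructed for illustration.

```python
import ipaddress

# Constructed sample: comment header, 40 padding blank lines, then entries
# like the ones listed in this post at the bottom of the file.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "#\t127.0.0.1       localhost\n"
    "127.0.0.1 localhost\n"
    + "\n" * 40 +
    "87.236.195.128 www.google-analytics.com.\n"
    "93.115.241.27 connect.facebook.net.   # trailing comment\n"
    "0.0.0.0 ads.example.test\n"
)


def audit_hosts(text, allowed=None):
    """Return (line_no, ip, hostname) for every entry that maps a name to a
    non-local address and is not in the `allowed` set of (ip, hostname)."""
    allowed = allowed or set()
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()    # drop comments, tokenize
        if len(entry) < 2:
            continue                             # blank, comment-only, malformed
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                             # first field is not an address
        if ip.is_loopback or ip.is_unspecified:
            continue                             # localhost and 0.0.0.0 block entries
        for name in entry[1:]:
            host = name.rstrip(".").lower()      # "example.com." == "example.com"
            if (str(ip), host) not in allowed:
                findings.append((line_no, str(ip), host))
    return findings


if __name__ == "__main__":
    import os
    import sys
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, ip, host in audit_hosts(fh.read()):
            print(f"line {line_no}: {host} -> {ip}")
```

Legitimate intranet mappings can be passed in `allowed` so that only unexpected entries are reported.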


References:

http://forums.malwarebytes.org/index.php?showtopic=116126

http://support.microsoft.com/kb/972034

Tuesday, December 04, 2012

Upgrade to IE8 forces Enhanced Security for all Terminal Server users

Major headache.

Scenario: Users on Server 2003 R2 SP2 Terminal Server experience crashes in Internet Explorer. In an effort to kill these problems the browser is upgraded to IE8. This is done while the users are logged on; in past situations this hasn’t been a problem. Changes don’t push through until the server is rebooted. Not so this time.

30 minutes after IE is upgraded, users call in and report that they can’t mark form fields in IE. For example, they can’t input text in the Google search field. Strange, I think. Probably some locked files; easily done, we’ll reboot the server. And yes, this issue disappeared. But instead Internet Enhanced Security is now enforced for all Terminal Server users, and they don’t want to allow every single page they're gonna visit. How did this happen? IEES is disabled, both for users and admins, in Windows Components.

1.5 hours later we finally solved it, but it wasn’t a pretty solution.

Tried and did not succeed:

  • Change IEHarden = 0 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • Changed GPO to lower security settings

Success:

Deployed DisableIEES.bat through GPO. Kudos to BrentgMS for the solution. Link to the original below.

----------------------- DisableIEES.bat -----------------------------

::START

ECHO OFF
REM  IEHarden Removal Project
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden Removal Project End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Remove the leading :: from the two lines below if you would like to back up the registry keys first
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A7-37EF-4b3f-8CFC-4F3A74704073.reg"
::REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" "%TEMP%.HKEY_LOCAL_MACHINE.SOFTWARE.Microsoft.Active Setup.Installed Components.A509B1A8-37EF-4b3f-8CFC-4F3A74704073.reg"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /v "IsInstalled" /t REG_DWORD /d 0 /f

::Removing line below as it is not needed for Windows 2003 scenarios. You may need to enable it for Windows 2008 scenarios
::Rundll32 iesetup.dll,IEHardenLMSettings
Rundll32 iesetup.dll,IEHardenUser
Rundll32 iesetup.dll,IEHardenAdmin
Rundll32 iesetup.dll,IEHardenMachineNow

::This applies to Windows 2003 Servers
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /f

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenadmin" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" /v "iehardenuser" /t REG_DWORD /d 0 /f

::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" /f /va
::REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" /f /va

:: Optional: removes the warning on first IE run and sets the home page to blank. Prefix the lines below with :: to skip this.
:: 32-bit HKCU Keys
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "First Home Page" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "about:blank" /f
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "about:blank" /f
:: This will disable a warning the user may get regarding Protected Mode being disabled for intranet, which is the default.
:: See article http://social.technet.microsoft.com/Forums/lv-LV/winserverTS/thread/34719084-5bdb-4590-9ebf-e190e8784ec7
:: Intranet Protected Mode is disabled. The warning should not appear, and this key will disable the warning
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "NoProtectedModeBanner" /t REG_DWORD /d 1 /f

:: Removing Terminal Server Shadowing x86 32bit
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
::  Removing Terminal Server Shadowing Wow6432Node
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

::END

See the MSDN link below for the original blog post on the issue.

References:

http://serverfault.com/questions/379123/windows-server-2003-r2-terminal-server-internet-explorer-enhanced-security-won

http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx