
    If you developed a 64-bit application, tool, or agent for Windows Server in C/C++, you can use NanoServerApiScan.exe to check if your app will also run on Nano Server. Remember that Nano Server is 64-bit only and won’t run 32-bit binaries.

    NanoServerApiScan.exe scans a directory containing your binaries and reports an error if it finds an API that is not available in Nano Server. It even provides replacement API suggestions in many cases. NanoServerApiScan.exe requires .NET Framework version 4.0 or higher.



    1. Download the attached exe file and copy it to a local folder
    2. Open a Nano Server image and copy all the files under c:\Windows\System32\Forwarders to the same local folder you copied the attached exe to.
    3. Download and install the Windows 10 SDK:


    NanoServerApiScan.exe /BinaryPath:<directory containing your binaries> /WindowsKitsPath:<Windows SDK directory>

    /BinaryPath (Mandatory): The directory containing your binaries. NanoServerApiScan.exe will parse all sub-directories as well.

    /WindowsKitsPath (Mandatory): The Windows 10 SDK contains OneCore.lib and other important files for NanoServerApiScan.exe. Use this parameter to specify the Windows 10 SDK directory.



    NanoServerApiScan.exe /BinaryPath:e:\Temp\Test /WindowsKitsPath:"C:\Program Files (x86)\Windows Kits"

    Sample output from NanoServerApiScan.exe:

    === e:\Temp\Test\LrmApi.dll ===
        GetStartupInfoA (Proc not found)
          Please use API GetStartupInfoW as substitution.
        SetHandleCount (Proc not found)


    For a list of supported APIs in Nano Server, please go to:
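    As an added illustration of what the scanner does (this is not the NanoServerApiScan.exe code, whose API list comes from the forwarder DLLs and OneCore.lib), here is a small PowerShell import checker in the same spirit: it parses a constructed `dumpbin /imports` excerpt, flags imports missing from a constructed supported-API list, and suggests the W variant for an unsupported A API, as in the sample output above.

```powershell
# Constructed excerpt in the layout of "dumpbin /imports MyTool.dll": DLL names are indented
# four spaces; each imported function appears as "<hint (hex)> <name>" under its DLL.
$SampleDumpbinOutput = @'
Dump of file MyTool.dll

File Type: DLL

  Section contains the following imports:

    KERNEL32.dll
                180003000 Import Address Table
                180004120 Import Name Table
                        0 time date stamp
                        0 Index of first forwarder reference

                      2F4 GetStartupInfoA
                      0A1 CreateFileW
                      052 CloseHandle
                      33B SetHandleCount
                      1F9 GetLastError
'@

# Constructed stand-in for the Nano Server API surface. NanoServerApiScan.exe derives the real
# list from the forwarder DLLs and OneCore.lib; this short list exists only to make the demo run.
$NanoApis = @('GetStartupInfoW', 'CreateFileW', 'CloseHandle', 'GetLastError',
              'GetModuleHandleW', 'HeapAlloc', 'HeapFree', 'WriteFile')

function Get-DumpbinImports {
    param([Parameter(Mandatory)][string[]]$DumpbinOutput)
    $currentDll = $null
    foreach ($line in $DumpbinOutput) {
        if ($line -match '^\s{4}(\S+\.dll)\s*$') { $currentDll = $Matches[1]; continue }
        # "<hex hint> <identifier>" with nothing else on the line is an imported function.
        if ($line -match '^\s+([0-9A-Fa-f]+)\s+([A-Za-z_][A-Za-z0-9_]*)\s*$') {
            [pscustomobject]@{ Dll = $currentDll; Function = $Matches[2] }
        }
    }
}

function Test-NanoCompatibility {
    param([Parameter(Mandatory)][string[]]$DumpbinOutput,
          [string[]]$SupportedApis = $NanoApis)
    foreach ($import in Get-DumpbinImports -DumpbinOutput $DumpbinOutput) {
        if ($SupportedApis -ccontains $import.Function) { continue }
        $suggestion = $null
        # Same hint the tool gives: an ANSI (A) API whose wide (W) twin is supported.
        if ($import.Function -cmatch 'A$') {
            $wide = $import.Function -creplace 'A$', 'W'
            if ($SupportedApis -ccontains $wide) { $suggestion = $wide }
        }
        [pscustomobject]@{ Dll = $import.Dll; Function = $import.Function
                           Status = 'Proc not found'; Suggestion = $suggestion }
    }
}

# Run against the constructed output: GetStartupInfoA gets a GetStartupInfoW suggestion,
# SetHandleCount is reported with no substitute, and the remaining imports pass.
$lines = $SampleDumpbinOutput -split "`r?`n"
Test-NanoCompatibility -DumpbinOutput $lines | Format-Table -AutoSize
```

To check a real binary, pipe the output of `dumpbin /imports <your.dll>` into `$lines` instead of the constructed text and supply the export names of the forwarder DLLs as `-SupportedApis`.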



    Jabil, one of the world's leading providers of design and manufacturing solutions, has two plants, one in Mexico and one in Malaysia, that are described as digital, intelligent and predictive factories. These new facilities use machine learning, predictive analytics and the cloud to know ahead of time when a piece of equipment in their facilities may fail, instead of suffering unexpected breakdowns, and thereby make...(read more)


    Hello everyone!

    As you know, Azure RMS Premium is part of the Enterprise Mobility Suite. The Microsoft Intune and Azure RMS teams are coming together to provide more cohesive experiences for your information workers. Shalini from our team and Max from the Intune team are here to explain the first of these joint efforts.

    Hello folks, 

    The RMS sharing app on iOS and Android devices helps you view protected files that others have shared with you. Taking a step further to provide a unified experience for protecting your devices, apps and data, the app on Android is now integrated with Intune Mobile Application Management (MAM) capabilities (iOS has built-in viewers, so this is not necessary on that platform).

    You can use the new RMS sharing app on Android to view PDF, image and audio/video files from Intune-managed applications such as Microsoft Outlook. IT can also configure policies for the content viewed through the app, restricting actions such as cut, copy, paste and "save as" of corporate data between managed and unmanaged apps (e.g. personal apps such as Twitter or Facebook). The device doesn't need to be enrolled for management in order for Intune to manage the app. This is great for BYOD scenarios where employees use their own unenrolled devices for work.

    The current RMS sharing app capabilities of viewing protected PDF, image and text files continue to be available in a non-Intune environment.

    If you're interested in learning more about MAM policies in Intune, this article is a great place to start. Here are a few FAQs:

    Q: Do I need an Intune subscription to use the RMS sharing app on Android?

    A: The existing capabilities of the RMS sharing app do not require an Intune subscription. In order to use Intune MAM capabilities with the RMS sharing app, you'll need an Intune subscription.

    Q: Can I continue using the existing Intune viewer apps for PDF, AV and image?

    A: You can but we're in the process of deprecating these viewers. There will be notifications for organizations using these viewer apps. We encourage you to use the RMS sharing app to view PDF, audio/video and image files.

    Q: What restrictions can be applied to prevent data loss from this app?

    A: The following restrictions can be applied when the RMS sharing app on Android is Intune-managed:

    • Data relocation: Prevent corporate app data from being transferred to personal apps and locations, including backup, copy and paste, and sharing data to other apps or cloud services.
    • Screenshots: Prevent the user from taking screenshots while in the application on Android. On iOS, this can be configured via device policy.
    • Application access: When the user opens the app, require a PIN or corporate credentials to be entered.

    You can download the RMS sharing app for Android from Google Play. As always, if you have any questions, email us at

    Shalini and Max.



    Hello, this is the Japan Microsoft Outlook support team.
    Depending on the edition, Group Policy is not supported for some editions of Office.

    Scope of Group Policy support for Office

    Only the editions marked with ○ in the table below are supported for Group Policy.


    Group Policy support is also described in the following publicly available Microsoft document.
    It is written for Office 2013, but the same applies to other versions.

    Title: Overview of Group Policy for Office 2013

    -- excerpt begins --
    Group Policy can be used to manage the following versions of Office 2013:
    • Office suites available through Volume Licensing, for example Office Standard 2013.
    • Individual Office programs purchased from a retailer or obtained through Volume Licensing.

    If you purchased Office as part of Office 365, whether you can manage Office programs with Group Policy depends on the license plan you purchased.
    A list of the Office 365 plans that support Group Policy is provided in the "Office Applications Service Description".
    -- excerpt ends --

    The "Office Applications Service Description" referred to in the excerpt above is the following document.

    Title: Office Applications Service Description

    Workaround for editions that cannot use Group Policy

    If you are using an edition that does not support Group Policy, registry values under Policies are not read.

    For example, when you want to force the default format of new messages in Outlook 2013 to plain text and Group Policy is available, you would create the following registry value.

    Location: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Options\Mail
    Value name: EditorPreference
    Value type: REG_DWORD
    Value data: 65536

    However, in editions that do not support Group Policy, Office applications do not read any registry values under Policies at all.
    In such cases, an alternative deployment method is to distribute the registry value of the same name that is not under Policies, shown below.

    Location: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Options\Mail
    Value name: EditorPreference
    Value type: REG_DWORD
    Value data: 65536 (decimal)

    This kind of registry value cannot be distributed using the Office administrative templates, but it can be distributed with the Group Policy Management Editor.

    Steps to distribute it with the Group Policy Management Editor

    1. On the domain controller, open the Group Policy Management Editor for the OU or domain the affected users belong to.
    2. In the tree in the left pane, expand [User Configuration] - [Preferences] - [Windows Settings] - [Registry].
    3. Right-click in the right pane and click [New] - [Registry Item].
    4. On the [General] tab, configure the registry value above:

          [Action]: Update
          [Hive]: HKEY_CURRENT_USER
          [Key Path]: Software\Microsoft\Office\15.0\Outlook\Options\Mail
          [Value name]: (checkbox) unchecked / (text box) EditorPreference
          [Value type]: REG_DWORD
          [Value data]: 65536 (decimal)
    5. Click [Apply], then [OK].
    6. Close the Group Policy Management Editor.
    7. Restart the client machine and confirm that the setting has been applied.
       (You can force the policy to apply by running gpupdate /force from a command prompt.)


    Even after applying the setting above, the corresponding option in Outlook is not greyed out, so users can still change it.



    Hello Wiki Ninjas Brazil.

    Welcome to another Wiki Life.

    Within the TechNet Wiki it is extremely common to find numerous articles covering different aspects of the same technology or area of knowledge. These publications represent the effort of many authors who want to contribute to the community by sharing solutions and news on a wide variety of subjects.

    In the specific case of the Brazilian TechNet Wiki, one way found to group these posts was the Survival Guides (Guias de Sobrevivência). From a practical point of view, a guide is nothing more than an article with links to other Wiki publications about a technology or area, which also contains additional references such as book recommendations, MVA (Microsoft Virtual Academy) courses, Channel 9 videos, blogs (from TechNet/MSDN itself or from the technical community), MSDN forums and information about certifications.

    Here is an example of a Survival Guide:

    A list of the various Survival Guides on the Brazilian TechNet Wiki can be found at:

    It is important to note that existing guides can be modified by article authors to include new posts. It is also possible to create a new guide if a given technology does not yet have this kind of reference on TechNet.

    If you are not yet an author and are interested in contributing to the TechNet Wiki, we once again extend the invitation to take part in this initiative. Further details can be obtained at the link below:

    And that's it for today, folks... See you next time!


    Wiki Ninja Renato Groffe (Wiki, Facebook, LinkedIn, MSDN)


    If you are currently reading this, chances are you might have seen another post with a similar name that Kevin Holman published on 4/26/16

    Kevin did an awesome job of explaining how we can use Service Security Identifiers (SIDs) to give the SCOM agent service running on a SQL server access to SQL and enable monitoring without having to create Run As accounts, distribute them and associate them with Run As profiles.

    I want to take a few minutes to explain why I went looking for a better solution to Run As account management when it comes to SCOM and SQL monitoring, and how I came to the conclusion (with some help) that a solution based on Service SIDs could be a better way to manage access from SCOM to SQL.

    Due to the requirements of the SQL management pack, many are faced with the issue of creating and managing Run As accounts to provide SCOM with access to the SQL instances it is configured to monitor. Kevin has written multiple posts in the past on ways to make this process a better experience. I myself am currently involved in a deployment of SCOM 2012 R2 at my customer, and like many customers, mine has SQL in their environment. Also, like many customers, my customer has many security policies that need to be adhered to, including changing account passwords on a regular basis. Knowing that I had multiple instances of SQL to monitor, I started to evaluate my options to make things work with as little management overhead as possible.

    By default, SCOM agents run under the context of Local System. This works fine for the Windows management pack, as Local System can provide SCOM with access to all of the items that the Windows MP requires access to. However, when we get to working with the SQL management pack, the Local System account usually does not have all of the access needed to connect to our SQL instances to provide monitoring. So why not just edit permissions on our SQL instances to grant the Local System account the rights it needs in SQL? The security concern with using NT AUTHORITY\SYSTEM is that all other services running in that security context will also gain access to the SQL instance. This goes against the principle of least privilege and could be seen as a security risk.

    Next, I looked at the traditional method of creating a domain account, granting it access to SQL and distributing the account via SCOM. As I mentioned, my customer requires regular password resets on their accounts. So maybe I'll try to make life easier and just create one domain account, so I have less to manage, grant it access to ALL of my SQL servers and distribute it to ALL of the servers via SCOM? No, that won't work either: by doing this I'll have created an account that has far too much access, again violating least privilege. So am I stuck at this point with creating a new domain account for each SQL instance, and all that goes along with managing that process? What about when new SQL servers come online and the management involved there? This seemed like more than I wanted my customer to have to manage.

    So I reached out to others at Microsoft to see how I could handle this situation with the least amount of effort in managing everything. Through some of my questioning about providing the Local System account with the necessary rights, I got a response from Brandon Adams, a Microsoft Premier Field Engineer, who suggested that I look into the Service SID solution. I had not heard about using Service SIDs to grant permissions to Windows services before, but it sounded very intriguing. Brandon shared with me the following link, which Kevin also highlighted in his post, that describes how System Center Advisor requires a Service SID based solution in order to work. While this article talks about granting the Service SID sysadmin-level access in SQL, it is still possible to follow the low-privilege guidance found in the SCOM management pack guide when performing this configuration in SCOM. Knowing little at the time about Service SIDs, Brandon also provided me with the following link, which provides even more detail about Service SIDs from when they were introduced as part of Windows Server 2008.

    Armed with this knowledge, I began testing and was rewarded with a much easier experience than I was used to when I had managed the Run As accounts via service accounts from Active Directory. Knowing the work Kevin has put into making the Run As experience better over the past many years, I reached out to him to get his thoughts and feedback. After some successful tests on his side, Kevin took it to the next level, creating a custom management pack that helps to work through most of this new process directly from the SCOM console. The management pack can be found here:

    Hopefully, now that you are armed with this information, you will be able to increase your adoption of SQL monitoring in your environment, and this simpler process will make those conversations with database administrators about granting accounts access across the SQL environment a little bit easier.

    Microsoft's Office 365 service gives businesses a great opportunity to leverage fluid scalability to meet their needs. Moving off an on-premises Exchange server can be daunting; however, using the Office 365 Import Service to import PST files into user mailboxes in the cloud can be a great help in accomplishing this. This step-by-step details the use of the Office 365 Import Service to upload an unencrypted PST file to Office 365. Pre-Requisites The account completing...(read more)

    Here is a roundup of the Exchange blog posts from April 2016. You can see at a glance any posts you may have missed, so please take this opportunity to have a look.

    • April 6: Using OAuth with EWSEditor (Exchange Server Support)
    • April 7: For customers using mail in Office 365: important notice if you have configured connectors (Japan Office Official Blog)
    • April 25: Item retention in Exchange Online and what happens to items when they are deleted (Exchange Server Support)
    • April 25: One year left until the end of support for Exchange Server 2007 (Japan Office Official Blog)


    Today’s Tip…


    I pulled this link from an alias and found some extremely useful information regarding Trusted Platform Module (TPM).

    This article includes the following:

    • TPM 1.2 vs. 2.0
    • Security advantages of TPM 2.0 over TPM 1.2
    • Explanation of discrete vs. firmware TPM
    • TPM 2.0 compliance for Windows 10 in the future
    • Table of TPM and Windows features for Windows 7/8/8.1 with TPM 1.2 and Windows 10 with TPM 1.2 and 2.0
    • Chipset options for TPM 2.0 (discrete vs. firmware)
    • OEM feedback and status on TPM 2.0 system availability (certified TPM parts and Windows 7 32-bit support comments)

    Reference: “TPM Recommendations”


    A couple of weeks ago I showed how to report on Constrained Delegation. This week, I'm going to talk about a related concept - Protocol Transition.

    Protocol Transition

    The lesser-known relative of Constrained Delegation! Where you find Protocol Transition, you'll always find Constrained Delegation. Introduced in Windows Server 2003, Protocol Transition allows you to switch from a non-Kerberos authentication mechanism to Kerberos, and then use constrained delegation to pass the identity on. Why bother? It's all rather old school now, but imagine you have an internet-facing web application that uses forms-based authentication. You then need to use Kerberos authentication and delegation to access downstream Windows servers. Well, in that example, it's Protocol Transition that allows you to switch from non-Windows authentication to Kerberos authentication and delegation.

    To find out whether you have this configured in your domain, we turn to our old friend UserAccountControl. User and computer accounts store a number of configuration settings in their UserAccountControl property. The option that configures an account for protocol transition is stored as one bit of a binary mask in the 'UserAccountControl' attribute of the user or computer object. In the binary mask, each positional bit represents a different user account option that can be switched on or off. Like a light switch: when switched on, the option is active. These settings can be queried using PowerShell's 'binary And' (-band) operator. The hexadecimal value for protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) is 0x1000000, and we use -band to check that it is present (switched on) in the binary mask.



    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

    $Findings = Get-ADObject -Filter {UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION} -Properties UserAccountControl

    if ($Findings) {
        # Export the accounts found to a CSV (the file name is an assumption; the post does not show it)
        $Findings | Export-Csv -Path .\ProtocolTransition.csv -NoTypeInformation
    }




    Here's an example of what the CSV might look like.



    It's easy enough to turn off protocol transition with PowerShell.

    Set-ADAccountControl -TrustedToAuthForDelegation $false -Identity "CN=Mr X,OU=Gamers,OU=User Accounts,DC=halo,DC=net"


    And, so, we go from this:


    To this:
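    As an added example (not code from the original post), the following PowerShell decodes a whole UserAccountControl value with -band, so you can see the protocol-transition bit next to the other delegation flags of an account; the flag values are the documented ADS_USER_FLAG bits, and the three sample accounts are constructed so the script runs without a domain.

```powershell
# Documented UserAccountControl (ADS_USER_FLAG) bit values; each option is one bit in the mask.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # -band keeps only the bit under test, so a non-zero result means the option is switched on.
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if ($Value -band $flag.Value) { $flag.Key }
    }
}

function Test-ProtocolTransition {
    param([Parameter(Mandatory)][int]$Value)
    [bool]($Value -band $UacFlags.TRUSTED_TO_AUTH_FOR_DELEGATION)
}

function Get-ProtocolTransitionReport {
    # Accepts anything with Name and UserAccountControl properties, for example the output of
    #   Get-ADObject -Filter { UserAccountControl -band 0x1000000 } -Properties UserAccountControl
    param([Parameter(Mandatory, ValueFromPipeline)]$Account)
    process {
        $uac = [int]$Account.UserAccountControl
        [pscustomobject]@{
            Name               = $Account.Name
            UserAccountControl = ('0x{0:X}' -f $uac)
            ProtocolTransition = Test-ProtocolTransition -Value $uac
            # Listing every flag shows whether the delegation bits travel together, as the post notes.
            Flags              = (ConvertFrom-UserAccountControl -Value $uac) -join ', '
        }
    }
}

# Constructed sample accounts (no domain needed):
$sampleAccounts = @(
    [pscustomobject]@{ Name = 'Mr X';   UserAccountControl = 0x1000200 }  # user with protocol transition on
    [pscustomobject]@{ Name = 'WEB01$'; UserAccountControl = 0x1081000 }  # computer with both delegation bits
    [pscustomobject]@{ Name = 'Alice';  UserAccountControl = 0x10200 }    # user, password never expires
)
$sampleAccounts | Get-ProtocolTransitionReport | Format-Table -AutoSize
```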



    With the new release of Microsoft Identity Manager (MIM) 2016, a new feature, PAM, has been added to help organizations restrict privileged access to certain security groups. However, if you read through the TechNet guide, it recommends creating a new trusted domain. So is another new domain mandatory to leverage the PAM feature? The answer is NO; we can instead leverage JIT elevation alone, which is called "Priv Only" mode.

    In the lab environment, I deployed the PAM component and MIM Service in the existing CONTOSO domain. Then I ran the PowerShell cmdlet below (from the PAM module) to prepare the PAM environment. Note the -PrivOnly switch, which indicates that the group already exists in the contoso domain.

    New-PAMGroup -SourceDomain contoso -SourceGroupName ITAdmins -PrivOnly

    After the cmdlet runs successfully, you should be able to query the PAM groups as the screen below shows. It is a manually managed security group with msidmPamEnabled set to True and some other PAM-related attributes set.


    Then it's time to set up the PAM roles by specifying parameters including the PAM groups, the candidates and other advanced features such as approval and MFA. Here I just keep the default configuration: once any one of the candidates submits a PAM request, he/she will be added to the two security groups, ITAdmins and HRAdmin, together for the following hour.


    Finally it's time to test the privileged access, either via PowerShell cmdlet or via the sample PAM portal. Once I submit the request via the portal, the access is activated and the events below are logged under Applications and Services Logs/Privileged Access Management.


    The PAM monitoring service then removes them automatically when the access expires and logs an event like the one below under the same event log.


    In a nutshell, by following the steps above you can still set up the PAM solution without adding a new privileged domain.


    61. How to show the display on additional monitors and a projector?

    Data projectors that let you project an image have become a completely standard part of conferences, lectures, training sessions and meetings. Likewise, more and more users are discovering the advantages of working with two monitors. However, switching the image from one to the other, activating the projector output and so on used to be a fairly complicated matter in earlier versions, often handled through the graphics card's control panel. Windows 10 has a built-in tool for this purpose that lets you directly and quickly choose how the graphics card should behave and which outputs should be active and which not. The menu for choosing an option appears after pressing the keyboard shortcut Win + P. Before this step, of course, the projector or second monitor must be physically connected to the graphics card output. The menu shows the basic options for how the image can be handled:
    ·         PC screen only – the standard setting; the image is shown only on the computer's default monitor.
    ·         Duplicate – the image on the monitor is the same as on the second graphics output; used precisely when a projector is connected.
    ·         Extend – the second monitor is a continuation of the first one's desktop; used when two monitors are connected to a computer and you want something different on each.
    ·         Second screen only – shows the image only on the projector or second monitor.

    62. How to adjust ClearType text

    LCD monitors often use a technology called ClearType, which improves the legibility of text, but everyone may prefer a completely different rendering of this technology. It is therefore possible to calibrate the display for ClearType as well. You will find the configuration tool in Control Panel under Display. In the left-hand part there is an item Adjust ClearType text. Clicking it opens a wizard that shows you different rendering options across a total of 4 screens. By successively selecting the one that looks best to you, you set how fonts will subsequently be smoothed in the system.

    63. How not to forget anything?

    More and more information is coming at each of us, and we try not to forget anything. If you do not use advanced tools for managing your schedule (such as Outlook), you can use Sticky Notes in Windows 10. These are an electronic version of the classic yellow office notes. You can have as many of them on the desktop as you like, and you can change their colour and size. You will find them in the Start menu under the name Sticky Notes. Besides writing your own text, you can also copy text from other applications onto the notes.
    The default colour of Sticky Notes is yellow, just as in real life. However, after right-clicking a note you can choose a different colour.

    65. How to zoom in on the display?

    If you need to magnify a certain part of the screen, you can use the Magnifier tool, which you will find in the Start menu. After you start it, the tool appears with options for setting the zoom level and other accessibility options.


    Today’s Tip…

    While data disk encryption for Azure IaaS virtual machines has been available for some time now, we recently announced the public preview of Azure Disk Encryption for Linux and Windows virtual machines.

    Azure Disk Encryption is a new capability that lets you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption leverages the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage.

    Encryption Scenarios:

    The Azure Disk Encryption solution supports the following 3 customer encryption scenarios:

    • Enable encryption on new IaaS VMs created from a customer-encrypted VHD and encryption keys
    • Enable encryption on new IaaS VMs created from the Azure Gallery
    • Enable encryption on existing IaaS VMs already running in Azure

    The solution supports the following for IaaS VMs in the public preview release when enabled in Microsoft Azure:

    • Integration with Azure Key Vault
    • Standard A, D, and G Series IaaS VMs
    • Enable encryption on IaaS VMs created using the Azure Resource Manager model
    • All Azure public regions

    The solution does not support the following scenarios, features and technology in the public preview release:

    • Basic VMs and Standard DS (Premium Storage) series IaaS VMs
    • IaaS VMs created using classic VM creation method
    • Ability to disable encryption on the IaaS VM, enabled via Azure disk encryption
    • Integration with your on-premises Key Management Service
    • Windows Server Technical Preview 3
    • Red Hat Enterprise Linux
    • Azure Files (Azure file share), Network file system (NFS), Dynamic volumes, Software-based RAID systems


    Today’s Tip…

    In May of last year, we announced the preview of Azure DNS, allowing you to host your public DNS domains in Azure.

    In March, we announced that you can now fully manage Azure DNS in the Azure portal. Please note, however, that Azure DNS is an Azure Resource Manager-only service; it is not supported in the Azure classic portal.

    You can learn more about Azure DNS by visiting its page in the documentation center.



    Sysinternals Process Monitor is a powerful tool for investigating and troubleshooting application issues, as well as for malware forensics and analysis tasks.
    Process Monitor lets you 'peek under the hood': it displays file, registry, network and image-loading activity in real time, and all of the output can be exported to an external file for later viewing. The tool uses a device driver and Event Tracing for Windows (ETW) to trace these activities.
    Although running the tool is straightforward, it is a somewhat challenging tool to use because you are quickly overwhelmed by the amount of data presented to you.
    In this post I'm going to explain how to use Process Monitor effectively for dynamic malware analysis, and provide a script I wrote for automating these activities.
    This post assumes that you have a basic knowledge of Process Monitor. If you don't, here are some great resources to get you up to speed:



    Process Monitor Filtering

    When you run the tool it starts to capture system activity and display it as a time-ordered list. You can see the start time, the process name and its PID, the operation, the path and additional information.
    Even on an idle system we can see hundreds and even thousands of events recorded in a very short period of time, so we need to filter the output effectively.
    Fortunately, Process Monitor has powerful built-in filtering capabilities, which let you specify various conditions and decide which records should be displayed.
    You can define the filters by pressing CTRL+L in Process Monitor or through the Filter > Filter... menu option. As you can see, the tool comes with several pre-defined filters that eliminate a small set of common Windows and Sysinternals tools events:
    But even with these default filters there is too much noise in the log file. Based on my experience, I have created a filter to display only "interesting" events when investigating malware activity.
    These are the filters I like to use when doing dynamic analysis:
    Included Filters:

    ·        TCP/UDP Send and Receive - any connections that malware may try to use while it’s running

    ·        Load Image – DLL/Executable loading

    ·        Create File – new files being created

    ·        Write/ Delete/Rename File – any changes to files

    ·        Registry activities – Run entries used for malware persistence

    Excluded Filters:

    ·        Procmon/Procmon64/Autoruns/Sysmon: these exclude any events related to the Sysinternals tools

    ·        Disposition: Open – used to filter any call for create file used to open a file rather than actually creating a file (See here:

    ·        Page File – In my opinion, the page file is less/not relevant when doing malware analysis

    You can download the filter I'm using from the bottom of this page and load it into Process Monitor using the Filter > Organize Filters menu and then Import.

    One thing you should remember is that malware can disguise itself as other processes, e.g. as one of the Sysinternals tools, and by using my filter you may not notice such malicious activity.

    Analyze-ProcmonLog Script

    Analyze-ProcmonLog is a PowerShell-based script I wrote to help with the analysis of Process Monitor logs. It simplifies the analysis of a Process Monitor XML log file and gives you a summary report of high-fidelity events extracted from the log.
    The report contains sections dedicated to Processes Created, File Activity, Registry Activity, Network Traffic and Unique Hosts.
    Using Analyze-ProcmonLog requires only Sysinternals procmon.exe (or procmon64.exe) to produce the log. It needs no pre-filtering (though that would greatly help), as it contains numerous white-list items to cut unwanted noise from system activity logs.
    Analyze-ProcmonLog -ProcmonXmlFile <Path to XML File>
    For example:
    Analyze-ProcmonLog -ProcmonXmlFile "C:\Users\motib\Desktop\Malware\Tesla\Logfile.XML"
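    To show the kind of extraction such a script performs, here is an added PowerShell summariser (not the Analyze-ProcmonLog script itself) that reads a Process Monitor XML export and builds the Processes Created, Files Created and Unique Hosts sections, keeping only CreateFile calls that actually created a file (the "Disposition: Open" noise is dropped, as in the filter above) and flagging the vssadmin shadow-copy deletion the post calls out. It assumes the element names of Procmon's XML export (Time_of_Day, Process_Name, PID, Operation, Path, Result, Detail); the log below is constructed.

```powershell
# Constructed Process Monitor XML export with five events (the element names follow Procmon's
# XML export as assumed above; PIDs mirror the post's table, the host is a documentation address).
$SampleProcmonXml = @'
<procmon><eventlist>
  <event><Time_of_Day>9:37:10.1234567 PM</Time_of_Day><Process_Name>ypgugs.exe</Process_Name><PID>2248</PID>
    <Operation>CreateFile</Operation><Path>C:\Users\mobani\Documents\yfhlnu.exe</Path><Result>SUCCESS</Result>
    <Detail>Desired Access: Generic Write, Disposition: Create, OpenResult: Created</Detail></event>
  <event><Time_of_Day>9:37:11.0000000 PM</Time_of_Day><Process_Name>ypgugs.exe</Process_Name><PID>3656</PID>
    <Operation>Process Create</Operation><Path>C:\Users\mobani\Documents\yfhlnu.exe</Path><Result>SUCCESS</Result>
    <Detail>PID: 3732, Command line: C:\Users\mobani\Documents\yfhlnu.exe</Detail></event>
  <event><Time_of_Day>9:37:12.0000000 PM</Time_of_Day><Process_Name>yfhlnu.exe</Process_Name><PID>2852</PID>
    <Operation>CreateFile</Operation><Path>C:\Windows\System32\kernel32.dll</Path><Result>SUCCESS</Result>
    <Detail>Desired Access: Read Data/List Directory, Disposition: Open, OpenResult: Opened</Detail></event>
  <event><Time_of_Day>9:37:30.0000000 PM</Time_of_Day><Process_Name>yfhlnu.exe</Process_Name><PID>2852</PID>
    <Operation>Process Create</Operation><Path>C:\Windows\System32\vssadmin.exe</Path><Result>SUCCESS</Result>
    <Detail>PID: 968, Command line: "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet</Detail></event>
  <event><Time_of_Day>9:37:45.0000000 PM</Time_of_Day><Process_Name>yfhlnu.exe</Process_Name><PID>2852</PID>
    <Operation>TCP Send</Operation><Path>lab-pc:49180 -&gt; 203.0.113.10:80</Path><Result>SUCCESS</Result>
    <Detail>Length: 512</Detail></event>
</eventlist></procmon>
'@

function Get-ProcmonSummary {
    param([Parameter(Mandatory)][xml]$Log)
    $events = @($Log.procmon.eventlist.event)

    # Processes Created: Procmon puts the child PID and command line in the Detail column,
    # while Process_Name/PID identify the parent that issued the create.
    $processes = foreach ($e in $events | Where-Object { $_.Operation -eq 'Process Create' }) {
        $childPid = if ($e.Detail -match 'PID:\s*(\d+)') { [int]$Matches[1] } else { $null }
        $cmdLine  = if ($e.Detail -match 'Command line:\s*(.+)$') { $Matches[1].Trim() } else { $e.Path }
        [pscustomobject]@{ Time = $e.Time_of_Day; Parent = "$($e.Process_Name) ($($e.PID))"
                           ChildPid = $childPid; CommandLine = $cmdLine }
    }

    # Files Created: only successful CreateFile calls whose result was an actual creation,
    # which drops the "Disposition: Open" noise the post's filter excludes.
    $files = foreach ($e in $events | Where-Object {
                $_.Operation -eq 'CreateFile' -and $_.Result -eq 'SUCCESS' -and
                $_.Detail -match 'OpenResult:\s*Created' }) {
        [pscustomobject]@{ Time = $e.Time_of_Day; Process = $e.Process_Name; Path = $e.Path }
    }

    # Unique Hosts: network paths are "source -> destination"; keep the destination minus its port.
    $remoteHosts = foreach ($e in $events | Where-Object { $_.Operation -match '^(TCP|UDP) ' }) {
        (($e.Path -split ' -> ')[-1]) -replace ':\d+$', ''
    }

    # Shadow-copy deletion is the post's example of typical ransomware behaviour; surface it.
    $suspicious = $processes | Where-Object { $_.CommandLine -match 'vssadmin(\.exe)?.*delete\s+shadows' }

    [pscustomobject]@{
        ProcessesCreated = @($processes)
        FilesCreated     = @($files)
        UniqueHosts      = @($remoteHosts | Sort-Object -Unique)
        Suspicious       = @($suspicious)
    }
}

$summary = Get-ProcmonSummary -Log ([xml]$SampleProcmonXml)
$summary.ProcessesCreated | Format-Table Time, Parent, ChildPid, CommandLine -AutoSize
$summary.FilesCreated     | Format-Table -AutoSize
$summary.UniqueHosts
$summary.Suspicious       | Format-Table Time, Parent, CommandLine -AutoSize
```

For a real export, pass `([xml](Get-Content -Raw -Path 'Logfile.XML'))` as `-Log`; on the constructed log the summary lists two process creates, one created file, one unique host and the vssadmin line as suspicious.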
    Here is a real-world summary of a Process Monitor log with the Tesla ransomware's initial infection captured in a lab environment:
    In the Processes Created table we can see the ypgugs.exe process creating and running the yfhlnu process. We can also see that the malware invokes the vssadmin tool to delete all shadow copies (common behaviour for ransomware).
    Processes Created:
    Time    Parent Process      Process                                                                                     
    ----    --------------      -------                                                                                     
    9:36 PM svchost.exe (888)   consent.exe 888 330 01C01F68 (3316)                                                         
    9:36 PM Explorer.EXE (2152) "C:\Users\mobani\AppData\Roaming\ypgugs.exe"  (2248)                                        
    9:37 PM ypgugs.exe (2248)   "C:\Users\mobani\AppData\Roaming\ypgugs.exe"  (3656)                                        
    9:37 PM ypgugs.exe (3656)   C:\Users\mobani\Documents\yfhlnu.exe (3732)                                                 
    9:37 PM ypgugs.exe (3656)   "C:\Windows\system32\cmd.exe" /c DEL C:\Users\mobani\AppData\Roaming\ypgugs.exe >> NUL (3796)
    9:37 PM csrss.exe (444)     \??\C:\Windows\system32\conhost.exe (3812)                                                  
    9:37 PM yfhlnu.exe (3732)   C:\Users\mobani\Documents\yfhlnu.exe (2852)                                                 
    9:37 PM yfhlnu.exe (2852)   "C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet  (968)                       
    9:37 PM csrss.exe (444)     \??\C:\Windows\system32\conhost.exe (3628)                                                  
    9:37 PM services.exe (540)  C:\Windows\system32\vssvc.exe (1940)                                                        
    9:40 PM services.exe (540)  C:\Windows\system32\sc.exe start w32time task_started (1984)                                
    9:40 PM csrss.exe (392)     \??\C:\Windows\system32\conhost.exe (1304)                                                  
    9:43 PM yfhlnu.exe (2852)   "C:\Windows\system32\NOTEPAD.EXE" C:\Users\mobani\Desktop\RECOVERdixal.txt (2480)           
    9:43 PM iexplore.exe (2764) "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:14337 (3024)           
    9:43 PM yfhlnu.exe (2852)   "C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet  (3536)                      
    9:43 PM csrss.exe (444)     \??\C:\Windows\system32\conhost.exe (3672)                                                  
    9:43 PM services.exe (540)  C:\Windows\system32\vssvc.exe (2684)                                                        
    9:43 PM yfhlnu.exe (2852)   "C:\Windows\system32\cmd.exe" /c DEL C:\Users\mobani\DOCUME~1\yfhlnu.exe >> NUL (4064)      
    9:43 PM csrss.exe (444)     \??\C:\Windows\system32\conhost.exe (2112)                                                  
    9:43 PM svchost.exe (888)   consent.exe 888 328 01C020C0 (2460)                                                         
    9:43 PM Explorer.EXE (2152) "C:\Windows\System32\cmd.exe" /C "E:\Tools\ExportLogsFromEnvironment.cmd"  (932)            
    9:43 PM csrss.exe (444)     \??\C:\Windows\system32\conhost.exe (2316)
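As an added example (not part of the original post and not the Analyze-Procmonlog script itself), the following Python parses rows of the Processes Created table above, rebuilds the parent chain for each process and flags the behaviours the text points out: shadow-copy deletion through vssadmin, the dropper deleting its own image through cmd /c DEL, and binaries run from user-writable folders. The rows are embedded as constructed sample input copied from the table; the function and indicator names are my own.

```python
import re

# Constructed sample input: rows copied from the "Processes Created" table
# above. A real run would read the whole Analyze-Procmonlog text report.
SAMPLE_REPORT = r"""
Processes Created:
Time    Parent Process      Process
----    --------------      -------
9:36 PM Explorer.EXE (2152) "C:\Users\mobani\AppData\Roaming\ypgugs.exe"  (2248)
9:37 PM ypgugs.exe (2248)   "C:\Users\mobani\AppData\Roaming\ypgugs.exe"  (3656)
9:37 PM ypgugs.exe (3656)   C:\Users\mobani\Documents\yfhlnu.exe (3732)
9:37 PM ypgugs.exe (3656)   "C:\Windows\system32\cmd.exe" /c DEL C:\Users\mobani\AppData\Roaming\ypgugs.exe >> NUL (3796)
9:37 PM yfhlnu.exe (3732)   C:\Users\mobani\Documents\yfhlnu.exe (2852)
9:37 PM yfhlnu.exe (2852)   "C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet  (968)
9:40 PM services.exe (540)  C:\Windows\system32\sc.exe start w32time task_started (1984)
9:43 PM yfhlnu.exe (2852)   "C:\Windows\system32\cmd.exe" /c DEL C:\Users\mobani\DOCUME~1\yfhlnu.exe >> NUL (4064)
"""

# One table row: time, parent image (ppid), command line (pid)
ROW_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M)\s+(\S+) \((\d+)\)\s+(.*?)\s*\((\d+)\)\s*$")
# "cmd /c DEL <path>" as used by the dropper to remove itself
DEL_RE = re.compile(r"/c\s+del\s+(\S+)", re.IGNORECASE)
# Directories an unprivileged user can write to (indicator names are my own)
USER_DIRS = ("\\appdata\\", "\\documents\\", "\\docume~1\\", "\\temp\\")

SHADOW_DELETION = "deletes volume shadow copies (vssadmin Delete Shadows)"
SELF_DELETION = "parent deletes its own image via cmd /c DEL"
USER_WRITABLE = "image runs from a user-writable directory"


def image_path(cmdline):
    """Return the executable path from a command line, quoted or unquoted."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0]


def parse_processes(report):
    """Parse 'Processes Created' rows into dicts; header/blank lines are skipped."""
    procs = []
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        time, parent, ppid, cmdline, pid = m.groups()
        path = image_path(cmdline)
        procs.append({"time": time, "parent": parent, "ppid": int(ppid),
                      "pid": int(pid), "cmdline": cmdline, "path": path,
                      "image": path.rsplit("\\", 1)[-1]})
    return procs


def lineage(procs, pid):
    """Walk parent links back to the root. When the root was never created
    inside the table (e.g. Explorer.EXE), its name comes from the Parent column."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:   # guard against pid reuse loops
        seen.add(cur["pid"])
        chain.append(cur["image"])
        nxt = by_pid.get(cur["ppid"])
        if nxt is None:
            chain.append(cur["parent"])
        cur = nxt
    return chain


def find_indicators(procs):
    """Map pid -> list of ransomware-style indicators seen in that row."""
    hits = {}
    for p in procs:
        reasons = []
        image = p["image"].lower()
        if image == "vssadmin.exe" and "delete shadows" in p["cmdline"].lower():
            reasons.append(SHADOW_DELETION)
        if image == "cmd.exe":
            m = DEL_RE.search(p["cmdline"])
            if m and m.group(1).rsplit("\\", 1)[-1].lower() == p["parent"].lower():
                reasons.append(SELF_DELETION)
        if any(d in p["path"].lower() for d in USER_DIRS):
            reasons.append(USER_WRITABLE)
        if reasons:
            hits[p["pid"]] = reasons
    return hits


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_REPORT)
    for pid, reasons in sorted(find_indicators(procs).items()):
        print(pid, " <- ".join(lineage(procs, pid)))
        for reason in reasons:
            print("    ", reason)
```

The lineage output is what makes the vssadmin row actionable: the shadow-copy deletion is traced back through yfhlnu.exe and ypgugs.exe to an Explorer.EXE launch from AppData\Roaming, which is the chain a detection rule or a timeline in an incident report should capture.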
    In the Files Created table we can see the binary dropping yfhlnu.exe into the user's Documents folder.
    Files Created:
    Time    Process      Path                                                                                                               
    ----    -------      ----                                                                                                               
    9:37 PM ypgugs.exe   C:\Users\mobani\Documents\yfhlnu.exe                                                                               
    9:37 PM yfhlnu.exe   C:\Users\mobani\AppData\Roaming\Microsoft\Windows\Cookies\mobani@nlhomegarden[1].txt                               
    9:37 PM yfhlnu.exe   C:\Users\mobani\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROUMP04G\suspendedpage[1].htm 
    9:40 PM services.exe C:\Windows\System32\LogFiles\Scm\d04538ee-5fc9-4d09-b32e-19f854c72043                                              
    9:40 PM services.exe C:\Windows\System32\LogFiles\Scm\d04538ee-5fc9-4d09-b32e-19f854c72043                                              
    9:43 PM iexplore.exe C:\Users\mobani\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{985BCC71-EECB-11E5-8BD9-00155D000309}.dat
    9:43 PM iexplore.exe C:\Users\mobani\AppData\Local\Temp\~DFACC2FEDD5AC80891.TMP                                                         
    9:43 PM yfhlnu.exe   C:\Users\mobani\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROUMP04G\suspendedpage[1].htm 
    9:43 PM Explorer.EXE C:\Users\mobani\AppData\Roaming\Microsoft\Windows\Recent\RECOVERdixal.lnk 
    Network traffic table (truncated)
    Network Traffic:
    Time    Protocol Process      Path                                                                               
    ----    -------- -------      ----                                                                               
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49249 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49265 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49265 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49265 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49253 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49253 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49253 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49257 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49257 -> win-9vq32olv707.vforest.lab:5985                      
    9:36 PM TCP      svchost.exe  Win7-PC.vforest.lab:49257 -> win-9vq32olv707.vforest.lab:5985  
    In the Unique Hosts table we can see that many of the servers belong to the same domain (the malware's C&C).
    Unique Hosts:
    The goal of Analyze-Procmonlog is to provide very quick and simple answers to your questions, either for a more in-depth analysis of an infected system, a better understanding of a malware's capabilities without static analysis, or to quickly craft network filters to look for (and block) other infections. Which files were created? What MD5s should I scan for? Which network hosts and ports are being used?
    The plain-text report lets you review the data quickly and copy/paste it into whatever tool or control you use next.

    Link to script on TechNet gallery:


    61.     How to insert a cover page?

    New in Word since version 2007 is the option to insert a cover page into a document. You no longer have to laboriously create headings and insert pictures and other graphical objects, because Word has professional-looking templates built in. To insert a cover page into a document, proceed as follows:
    1. On the ribbon, click the Insert tab and, in the Pages group, click Cover Page.
    2. In the drop-down menu, click one of the cover page styles.
    3. The cover page is inserted at the beginning of the document.
    4. All that remains is to edit the text, pictures and colors on the cover page.

    The basic menu contains many different cover pages, but if you click More cover pages from the web at the bottom of the menu, a further menu of cover pages stored on that site opens.
    If you need to remove the cover page, you do not have to delete every object on it by hand. Simply click Remove Current Cover Page at the bottom of the same menu in which you created it.

    62.     How to insert a page break?

    One of the hallmarks of professional documents, books, annual reports and other printed matter is the way the work is broken into pages. In professional typesetting and publishing, page breaking means laying out and balancing the pages, wrapping text around pictures, and dividing the text so that one page does not have needlessly much empty space while on another the text is crammed too tightly. Thanks to page breaking, most books you read are arranged so that a single sentence of a paragraph from the previous page does not spill over onto the next page and stand there "orphaned", and so on.
    Place the cursor in the text at the position from which the break should occur and where the page will end. Usually this is the space between paragraphs or the beginning of a line that already contains text.
    1. On the ribbon, click the Insert tab.
    2. In the Pages group, click Page Break.
    3. Word automatically inserts a page break and you can continue writing on the next page.

    63.     How to create a table in Word?

    Tables are an inseparable part of every text editor today. Long gone are the days when tables in a document had to be drawn with horizontal and diagonal lines and finishing them successfully took almost magical patience.
    The latest version of Word also lets you perform extensive operations on tables. Any number of rows and columns, various line types, merging and splitting of rows and columns, a fairly wide range of graphical options and many other functions are a matter of course.
    Word offers several ways to design and create a table. The basic prerequisite is to know well what the table should look like in its final form. Although it can be modified in almost any way later, it is always better to design the table as close to the original requirements as possible.
    If you know exactly what the future table will look like, probably the best way is to create it using the command on the ribbon. This is the most common way of inserting a table in Word.
    1. On the ribbon, click the Insert tab.
    2. In the Tables group, click the Table icon.
    3. A submenu appears, in which you set how many rows and columns the table will have by moving the mouse over the grid.
    4. Click the left mouse button and the table is created.

    64.     How to format a table?

    A table inserted in Word has only the basic format of a thin black line. This can be changed quite easily using the contextual Design and Layout tabs, which appear at the end of the ribbon after you click inside the table. On these tabs you will find not only commands for formatting cells and their borders, but also commands for inserting and removing rows and columns, merging cells or splitting the table. Just click in the selected cell or select a range of cells and then choose the appropriate command.

    65.     How to perform calculations in a table?

    Although tables in Word are intended mainly for visual purposes, Word can also handle a few basic mathematical functions (formulas) in tables. Formulas are meant to spare the user from calculating values in the table by hand and let Word do it instead. Entering and working with formulas in Word is less convenient than in Excel, for example, but sufficient for basic calculations.
    A formula can be placed in any cell of the table, and it can calculate with any other cells in the same table. A formula cannot be located outside a table.
    Before we get to the procedure for entering formulas, it is necessary to understand how cells in a table are labelled. In formulas you will have to tell Word somehow which cells the formula works with (for example: add up the first two cells in the second row). Word therefore names each cell logically according to the following rule: columns are labelled with letters from A to Z, where the leftmost column is A and each adjacent column to the right is one letter higher. Rows are numbered 1 to X, numbering from top to bottom. So, for example, the cell in the third column of the second row is labelled C2 (see the following table).
    Examples of frequently used functions
    What it does
    Example syntax
    Adds up cells or a range of cells.
    Computes the arithmetic mean of the specified cells.
    Returns the minimum value of the specified range of cells.
    Returns the maximum value of the specified range of cells.


    Today’s Tip…

    If you have been having trouble troubleshooting a Remote Desktop (RDP) connection to a Windows-based Azure virtual machine, or an SSH connection to a Linux-based Azure virtual machine, this article will help you resolve it yourself, without involving support or resizing the virtual machine. Microsoft Azure redeploys your virtual machine when you invoke the redeploy operation through Azure PowerShell or click the Redeploy button in the Azure Portal.




    Today’s Tip…

    Check out the following blog post, which answers these top questions…

    • I’m a Global Administrator for my Azure AD, so why am I getting this error and how can I make it go away?
    • Tenant, directory, subscription, account… lots of new terms here. Can you explain Microsoft Azure more simply for me?
    • What is the relationship between Azure services and Azure AD?
    • How do MSA and Office 365 subscriptions figure in that explanation?
    • Can I view or edit the list of Azure subscriptions to which I have administrative access, along with the corresponding Azure AD directory with which each of those subscriptions is associated?
    • Why can I not see the “Edit directory” button on some or all of the subscriptions on this list?
    • I have an active paid O365 subscription. However, when I log into the Azure management portal, I get the frustrating gray box error (“No subscriptions found”). How is that fair?
    • I don’t have a paid O365 subscription, but I have paid for EMS, Azure AD Premium, Intune or some other Microsoft online service. However, when I log into the Azure Management Portal, I get the dreaded gray box error (“No subscriptions found”). How is that fair?
    • I have an Azure AD directory that I manage using an Azure AD account that is a global admin of that directory. I later created an Azure subscription with my MSA. Is there any way I can manage both my Azure AD directory and the subscription’s default directory using the same MSA login?
    • I have multiple Azure subscriptions. How do I move them under a single Enterprise Agreement (EA)?




    Hi, my name is Deepak and today I will be talking about a common scenario in which an IE11 upgrade from an earlier version fails with CRYPT_E_NOT_FOUND.

    This issue can happen when a previous IE11 installation terminated abruptly and the rollback did not complete, leaving several files and registry entries behind. A package has many files and registry entries associated with it: they are created in the COMPONENTS hive and under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing, in addition to IE-specific entries and files.

    When an IE11 installation is triggered, setup first stages the files on disk. Staging means the binaries for the feature are present on the machine but not installed: the files are physically present on the system but are not in an active, usable state.

    In this situation, instead of staging the packages for installation, the installer tries to use the files already present in the C:\Windows\Servicing\Packages folder. Those existing packages are invalid because they were not properly removed by the earlier, failed installation, so the installer exits with an error saying that hash verification failed.


    The CBS log for this looks like


    2016-04-26 14:17:44, Info                  CSI    00000024 Component change list:
    2016-04-26 14:17:44, Info                  CSI    00000025 Couldn't find the hash of component: Microsoft-Windows-IE-HTMLRenderingMedia, Version = 11.2.9600.16428, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the catalog [l:192{96}]"\SystemRoot\WinSxS\Catalogs\".
    2016-04-26 14:17:44, Error                 CSI    00000026@2016/4/26:06:17:44.692 (F) : Error 80092004 [Warning,Facility=FACILITY_NTSSPI,Code=8196 (0x2004)] originated in function CCSDirectTransaction::AddImplicationsToCatalogsAndVerifyComponentHashes expression: (null)
    2016-04-26 14:17:44, Error                 CSI    0000002a (F) CRYPT_E_NOT_FOUND #410453# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Analyze(...)[gle=0x80092004]
    2016-04-26 14:17:44, Error                 CSI    0000002b (F) CRYPT_E_NOT_FOUND #409930# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_Commit(Flags = 38 (0x00000026), pSink = NULL, disp = 0, coldpatching = FALSE)[gle=0x80092004]
    2016-04-26 14:17:44, Error                 CSI    0000002c (F) CRYPT_E_NOT_FOUND #409929# 1217715 us from Windows::ServicingAPI::CCSITransaction_ICSITransaction::Commit(flags = 0x00000026, pSink = NULL, disp = 0)
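As an added example (not from the original post), this Python snippet pulls the useful facts out of a CBS.log excerpt like the one above: which component's hash could not be found in the WinSxS catalogs, its version and architecture, and the HRESULTs that followed. The log lines are embedded as sample input copied from the excerpt; the function names and the small HRESULT lookup table are my own, and the table only covers the code that appears here.

```python
import re

# Sample input: the CBS.log excerpt quoted above, embedded so this runs offline.
SAMPLE_CBS = r"""
2016-04-26 14:17:44, Info                  CSI    00000024 Component change list:
2016-04-26 14:17:44, Info                  CSI    00000025 Couldn't find the hash of component: Microsoft-Windows-IE-HTMLRenderingMedia, Version = 11.2.9600.16428, pA = PROCESSOR_ARCHITECTURE_IA32_ON_WIN64 (10), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the catalog [l:192{96}]"\SystemRoot\WinSxS\Catalogs\".
2016-04-26 14:17:44, Error                 CSI    00000026@2016/4/26:06:17:44.692 (F) : Error 80092004 [Warning,Facility=FACILITY_NTSSPI,Code=8196 (0x2004)] originated in function CCSDirectTransaction::AddImplicationsToCatalogsAndVerifyComponentHashes expression: (null)
2016-04-26 14:17:44, Error                 CSI    0000002a (F) CRYPT_E_NOT_FOUND #410453# from Windows::COM::CPendingTransaction::IStorePendingTransaction_Analyze(...)[gle=0x80092004]
2016-04-26 14:17:44, Error                 CSI    0000002b (F) CRYPT_E_NOT_FOUND #409930# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_Commit(Flags = 38 (0x00000026), pSink = NULL, disp = 0, coldpatching = FALSE)[gle=0x80092004]
2016-04-26 14:17:44, Error                 CSI    0000002c (F) CRYPT_E_NOT_FOUND #409929# 1217715 us from Windows::ServicingAPI::CCSITransaction_ICSITransaction::Commit(flags = 0x00000026, pSink = NULL, disp = 0)
"""

# "<date> <time>, <level> <source> <sequence> <message>"
LINE_RE = re.compile(r"^(\S+ \S+), (\w+)\s+(\S+)\s+(\S+)\s+(.*)$")
# Message CSI writes when a component's hash is absent from the catalogs
MISSING_HASH_RE = re.compile(
    r"Couldn.t find the hash of component: (?P<name>[^,]+), "
    r"Version = (?P<version>[^,]+), pA = (?P<arch>[^,]+),"
)
# HRESULTs appear either as "Error 80092004 [" or as "[gle=0x80092004]"
HRESULT_RE = re.compile(r"(?:\bError |gle=0x)([0-9A-Fa-f]{8})\b")

# Assumption: a minimal lookup table; only the code seen in this log is listed.
KNOWN_HRESULTS = {0x80092004: "CRYPT_E_NOT_FOUND"}


def parse_cbs(text):
    """Split CBS.log lines into timestamp/level/source/sequence/message records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, level, source, seq, message = m.groups()
            events.append({"ts": ts, "level": level, "source": source,
                           "seq": seq, "message": message})
    return events


def missing_hashes(events):
    """Components whose hash lookup failed, as (name, version, architecture)."""
    found = []
    for e in events:
        m = MISSING_HASH_RE.search(e["message"])
        if m:
            found.append((m["name"], m["version"], m["arch"]))
    return found


def error_codes(events):
    """Distinct HRESULTs mentioned on Error lines, as sorted integers."""
    codes = set()
    for e in events:
        if e["level"] != "Error":
            continue
        for hexcode in HRESULT_RE.findall(e["message"]):
            codes.add(int(hexcode, 16))
    return sorted(codes)


def hresult_name(code):
    """Symbolic name for a known HRESULT, otherwise its hex form."""
    return KNOWN_HRESULTS.get(code, "0x%08X" % code)


if __name__ == "__main__":
    events = parse_cbs(SAMPLE_CBS)
    for name, version, arch in missing_hashes(events):
        print("missing catalog hash:", name, version, arch)
    for code in error_codes(events):
        print("error:", hresult_name(code))
```

On a real machine the same functions can be pointed at the full C:\Windows\Logs\CBS\CBS.log; the component name and version they return identify which leftover package the cleanup below needs to remove.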


    To fix this, we need to clean up the existing IE11 installation. If you browse to C:\windows\servicing\packages, you will notice that there are a lot of files for IE11, and uninstalling with each one of them individually would be tedious. There is, however, a way to remove them in one go. The command below does that.


    FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /quiet /norestart"


    What it does is pass each IE11 MUM file as an argument to pkgmgr, which then processes it to uninstall the package. Note that this applies only to Windows Server 2008 R2 / Windows 7 and Windows Server 2008.


    NOTE: The machine needs to be rebooted after running the command.


    If MUM and CAT files for IE11 still exist in C:\windows\servicing\packages, they have to be removed manually.


    Deepak Gopaluni

    Senior Support Engineer |Microsoft Windows Core

    Disclaimer : This information is provided ‘as-is’ with no warranties


    66.     What's new in File Explorer?

    File Explorer has been part of Windows for a very long time. Yet every new version brings some novelties that move Explorer up another level. So what are they in Windows 10?
    The most fundamental and visible are the redesigned Home and Share tabs. On the Home tab you will find all the basic commands relating to the item selected in File Explorer. On the Share tab you will find improved sharing options, which in Windows 8, for example, were located in the Charms side bar.

    67.     How to open File Explorer quickly?

    To open File Explorer quickly, use the keyboard shortcut Win+E, or right-click the bottom-left corner of the desktop and choose File Explorer.

    68.     How to find out the size of a file or folder?

    When copying files and folders, for example to a flash drive, it is good to know before the operation whether the selected data will fit on the flash drive at all. The system does perform this check during copying and warns you if there is not enough space, but it is better to know in advance how much disk space the folders occupy. Finding out the size of a folder or file is also useful when you are running out of disk space and want to see which folder takes up the most. Simply right-click the selected folder in File Explorer and click Properties. The first tab shows how many MB/GB of data the folder contains, as well as the number of files and subfolders inside it.

    69.     What is the keyboard shortcut for creating a new folder?

    You can create a new folder in File Explorer either with the right mouse button, choosing New – Folder from the menu, or with the keyboard shortcut Ctrl + Shift + N. Alternatively you can use the ribbon, where the New folder command is in the New group on the Home tab.

    70.     How to go up one level in File Explorer?

    If, while browsing files and folders in File Explorer, you need to get one level up quickly, i.e. to the parent directory, just press the Backspace key (the back arrow above the large Enter key), use the keyboard shortcut Alt + Up Arrow, or click the up-arrow icon to the left of File Explorer's address bar.
