September 2008 Archives

I'll start with a weird one.  This is less of an article and more of a "Finding a needle in a haystack" story.  It started with a client that had a series of laptops that would not surf off site.

First answer "WINSOCK! FIX THE WINSOCK! SPYWARE!"

Nice try smart guy.

Running the NETSH RESET doesn't fix it, nor does renaming WINSOCK and WINSOCK2 and reinstalling TCP/IP, OR getting your hands on any one of a dozen "Stack fixers".

NEXT!

How about this

Onsite (Corporate lan) no issue.

Offsite Not working.

"EASY!" You scream out. "PROXY SERVERS!"

Swat.  Back down and sit at the back of the class.  Checking the Proxy settings in the browser.  Clean.

"STATIC DNS!" I see somebody jumping up "STATIC ENTRIES IN THE HOSTS FILE!"

No no no no and No.   Remember I said "Needle in a Haystack."

So let's see what I have for info.  Notebooks had Novell Client32, 3rd party dialup, any one of three internet connections and a domain configuration.

And to boot?  A new install was doing it too.

Right.  System restore.  Back to domain membership and before applications installed.   Install dialer.  Hey it works! It works!  Reboot and test several times STILL WORKING.

Now add in Novell Client32.   Login working.  Offsite NOT WORKING.  My first GUT reaction: some type of policy applied with Novell.   Other than the Service Pack, nothing had really changed.  Must be a service pack issue.  I beam with pride having pointed out the troublemaker.

Client taps me on the back.

"We have one with SP2 doing it as well as SP4 Novell Client32"

Magic words burst forth to the computer gods in the sky.   The gods look down and smile with glee.  "Buah hah hah hah! Ye shalt not solveth this one! Buah hah hah hah!"

The only hint.  Running NSLOOKUP would show the two internal Corporate DNS servers as default, hard coded.  Finally in desperation, a regedit search.  Maybe it's in plain text.

FIND 10.x.x.x

DING.  It shows up under a policy "DNS SERVERS".  My eyes roll in my head.  Some old legacy policy? NT 4! An NTCONFIG.POL file!  But why today?

Why is not relevant.  A fix.   Try renaming the key.  Poof.  Internet surfing working immediately.  The bandaid?  A simple REG file created for the user to purge that entry.

Deleting a registry key is not difficult.  You can do some fancy RUNDLL or Vbscript stuff.  If you have Powershell, that's built in (LOVE Powershell!).

But with a .REG file (a text file for importing changes to the registry) it's not difficult either.

In REGEDIT, use the File/Export option to export the key in question.  Now it all depends on whether you want to delete the WHOLE KEY or just specific entries.  It's still easy but a teeny bit different.

So let's say the contents of "SAVED.REG" is

-----------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe\""

-----------------------

Let's pretend the offending key I want to remove is the "iTunesHelper" (not picking on Apple, just a random sample, so put the lawyers away!)

To remove the "Bad Apple" (sorry, bad pun!) from the system you simply make the file look like this.

----------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"=-

-----------------------

So you replace the contents being assigned to the value in the .REG file with a simple "-" (minus, dash, hyphen, pokey thing) character, with no quotes around it.

Resaving the file as FIX.REG or UNDO.REG or OHJANESTOPTHISCRAZYTHING.REG will get you a nice little file that will allow a merge into the registry to purge THAT SINGLE ITEM.  You will of course need administrative privileges to do this but it IS handy to know this.

Now if you wanted to delete the entire key (BACK IT UP FIRST!) the command looks like this

----------------------

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

---------------------------

Did anybody spot the difference and what we use to pull all of this off?  That's right, the "-" (minus, dash, hyphen or whatever you would LIKE to call it).  Placed just after the "[" in that entry of the REG file will cause it to purge that ENTIRE key.  Careful.   This is a VERY powerful and dangerous option and should be used with extreme caution.
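Since a merge is irreversible, here is an added example (my own code, not from the original post) that dry-runs a .REG file and lists every key and value the merge would purge, using the two deletion forms described above. The sample files are constructed inline from the Run key shown in the post; the third one shows why quoting the dash does not delete anything.

```python
"""Dry-run a .REG file: list the keys and values a merge would purge.

Added example, not code from the original post. It follows the Windows
Registry Editor text format the post shows: a "[-KEY]" line deletes the
whole key, a "name"=- line deletes one value. The sample files below are
constructed from the post's own Run key.
"""
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# "name"=data  or  @=data   (data: -, "string", dword:..., hex:...)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Yield (key, name, data) for every key/value line.

    name is None (and data None) for a "[-KEY]" line; data is "-" for a
    value-deletion line. Hex continuation lines (leading spaces, hex bytes)
    match neither pattern and are skipped, which is fine for a dry run.
    """
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a version 5.00 .REG file: missing header")
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-":
                yield current, None, None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(2) else m.group(1)
            yield current, name, m.group(3).strip()


def deletions(text):
    """Return what a merge would purge: {'keys': [...], 'values': [(key, name)]}."""
    keys, values = [], []
    for key, name, data in parse_reg(text):
        if name is None:
            keys.append(key)
        elif data == "-":          # exactly "-", not the string "\"-\""
            values.append((key, name))
    return {"keys": keys, "values": values}


def report(text):
    """Human-readable summary lines, one per deletion."""
    d = deletions(text)
    out = [f"DELETE KEY   {k}" for k in d["keys"]]
    out += [f"DELETE VALUE {k} -> {n}" for k, n in d["values"]]
    return out or ["nothing will be deleted"]


def load_reg(path):
    """regedit exports version 5.00 files as UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed samples mirroring the post's FIX.REG and whole-key purge.
FIX_REG = f'{HEADER}\n\n[{RUN_KEY}]\n"iTunesHelper"=-\n'
PURGE_REG = f"{HEADER}\n\n[-{RUN_KEY}]\n"
# Common mistake: quoting the dash assigns the string "-" instead of deleting.
WRONG_REG = f'{HEADER}\n\n[{RUN_KEY}]\n"iTunesHelper"="-"\n'

if __name__ == "__main__":
    for label, sample in ("FIX.REG", FIX_REG), ("PURGE.REG", PURGE_REG), ("WRONG.REG", WRONG_REG):
        print(label)
        for line in report(sample):
            print("  " + line)
```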

Now back to my "Needle in the Haystack" story

So digging into Group Policy later we found entries in the Default Domain applying hard coded DNS servers.  Why today?   That we didn't isolate.  But it was revealed to me that the original consultant who set up the network years ago (think just as A/D came out in Windows 2000) didn't like using Active Directory Users and Computers and had turned on EVERY stupid legacy feature they could.  Best we could guess, some automatic update triggered something between Windows and Novell to cause this beast to rise to the surface.   Normally I would have assumed a Group Policy, but it only applied when Client32 logged in.

Boy doesn't THAT throw you for a loop?

But I'll tell you it was both interesting and frustrating to find it.  It also goes to show what can happen when you start over-customizing the system.   Especially a) if you don't document it and b) if you know JUST enough to get in trouble.

But it also shows that almost ANY problem CAN be solved without a full re-install of the operating system.  You just have to dig sometimes.

Sean
The Energized Tech
Dedication and Inspiration creating the new Generation


That's right everybody.  In a short time of barely 40 days Techdays_CA 2008, THE premier technology tour, will be making its way through the dangerous highways and byways.  Facing danger like no other human has ever seen.

Professionals armed only with knowledge and NOTHING ELSE, are coming your way.

All joking aside, it will be here before you know it.  Techdays_ca 2008 is barely 40 days away.  Registration should happen soon.  Remember to register before October 15th 2008 to get the best price.

And you know what?

HERE'S THE INSIDE TRACK!

That's right! An actual GLIMPSE inside the tour-de-force that is Techdays_ca 2008.

"You mean they're going to show us the whole show before we get in?"

No, I mean I can tell you what you should be in store for.  

Think of it this way.   You want to learn?  Techdays_ca 2008 is cheaper than most courses.   It's a day (or two depending where you are) away from work, hanging out learning stuff, inspiring AND relaxing at once.  


Like a peek?

Track details on Day one

Track Details on Day two

One word.  WOW!  Your brain will be stuffed good by the end of THIS!

So ready to jump in? Convinced?  Get registered now, get those two days off!  Do it now!  Get registered online.  Do it before October 15th for the best rate.  Do it before all the spots are filled.

Do it before your boss finds out.  They just might want to go too... :)

It's a time for learning and a time for growing.

Techdays_ca 2008.   It's a time for you.


IT Pro Toronto

Hey

Don't miss it! The new season is upon us all!

ITPro Toronto, a place where all computer people can meet up and check out the latest technology, meets tomorrow night at its *NEW* location!

Bahen Centre for Information Technology (BA)

40 St. George Street, Toronto, M5S 2E4

Meeting at 6:30pm, this is within walking distance of the Queen's Park subway stop!

Cost? Just your time.

Featuring the Great and Powerful Mitch Garvis and SBS 2008!

Be there or be lost in between time dimensions!

Oh this is AMAZING! 

Microsoft is going to release a Stand-alone free version of Hyper-V!

So the ability to have Virtualization without having to buy Server 2008 to get INTO Virtualization!

Check out this video from Adam Carter of Microsoft and you tell me why I shouldn't be excited!

First Look: Hyper-V Server

It's commonplace knowledge with any IT Professional, Generalist or Enthusiast that Sysinternals has some astounding free tools for Windows.

But not everybody knows.     Especially people new to the field.

www.sysinternals.com

Now don't be shocked, yes it now re-directs to Microsoft.    But the same Utilities (and some New ones) are still available.

"What are you talking about?" a new long Enthusiast asks.

How would you like a Task Manager pumped up with so much power your eyeballs will pop open?  Or multiple desktops in Windows?  Like to get a gander at potential Rootkits hooking into your system?

That's all part of Mark Russinovich and his amazing pile of utilities (which is STILL being added to and expanded to this very day!)

Think about this.  If you're troubleshooting some obscure problem and you'd just LOVE to see what the O/S is doing... YOU CAN!

The "Process Monitor" is astounding for that need! You can selectively isolate what application you're watching and note what it IS or ISN'T able to do with the file system and registry.  Great for Developers too if you're banging your head over why an application worked in XP and ISN'T working in Vista.

Don't forget there's also the "Process Explorer".  Think of this as "Task Manager" meets Arnold Schwarzenegger.   IT'S PUMPED UP!

"Rootkit Revealer" is a snazzy little scanner.  It doesn't remove, but it can certainly point you down the path if there is a problem with a Rootkit infestation.

"BGINFO" is a VERY simple and nice program that builds a "BMP" File to use as a background.  That file contains whatever descriptive information you would require for a desktop (MachineName, CPU, Speed etc).  Managing multiple computers?  Use this.  Free and simple and no real overhead.

And if you don't have the time to poke through the entire list on Technet, Sysinternals now has a live File Listing you can access off the internet.  Think of it as a memory of files from Microsoft.   The list is not descriptive but it IS complete.

http://live.sysinternals.com/

There are so many others to delve into but I highly recommend going into there and poking about.   I could spend all night long talking about this bag of goodies.

And probably will.

Sometimes your browser just "hangs" and "bags out for no reason".  You begin shaking your fist at the sky "STUPID MICROSOFT".

But what's interesting is that, most of the time, the browser itself is not at fault.

There are components known as "Add-ins" which are additional bits of software that interact with your browser to enhance your Web surfing experience.

Examples of some add-ins you may be aware of would be the "Flash Player", "Adobe Reader", "Silverlight" and third party applications written by Web site designers for specific use within their systems.

Now in the newer versions of Internet Explorer I find it sometimes catches the problem and automatically disables the add-in.

But sometimes it doesn't know.   It can't figure out what add-in did it or why things went 'Wonky'.

Here's a quick way to find out if an "Add-in" is the cause.

Run Internet Explorer with no add-ons.  It's not a solution but it does help in troubleshooting.   You may find the shortcut on the Start menu marked as "Internet Explorer (No Add-ons)"

If for any reason the shortcut is not there (Aliens, mad overdone recycle bin, Murphy's Law) the command line is

IEXPLORE.EXE -extoff

If you find the browser runs a lot better in this mode, one of the add-ins is not working right.  

How to figure out which one is a bit of Trial and Error.

Go into your Internet options, Click on the "Programs" tab.  Somewhere on there (depending on your particular version of Internet Explorer) should be a "Manage Addons" button.

Now for the fun.

Disable ALL the addons (WHAT?!) You heard me right.   You need to turn off all the add-ons (even ones that are probably ok) to find the bad one. 

To do this, click on each add-on in the list, choose "Disable".  Once you've shut down the entire list, start your browsing.  All good?

Fantastic.  Now go back in and turn the add-ins back on through the same procedure ONE AT A TIME.   Do this until you've identified the trouble maker.

Once you have nailed the trouble maker down, turn the rest of your add-ins back on.  You should be good to go.

Take note sometimes, the cause of a browsing issue can also be a corrupted folder holding your history data, Temporary Internet Files, bad cookies.  

A quick way to determine that would be to create a new user in the system temporarily in Windows.  Log in and use the browser as that user.  If all works well, it's probably something specific to that user and personal data.

If this is the case, you can usually purge or even just move the data to a new location.  I personally prefer purging which makes the system assume it's not there and make it fresh.  A quick method to do this I have found is the good old command prompt.

Log off and restart the computer.   Once powered up, login as a different account with administrative access.  Start up a command prompt, browse to the suspect location with the Temporary Internet Files.   Fire up good old "RD" (Remove directory) and execute a "RD /S /Q TEMPOR~1" to purge out the Temporary Internet Files folder structure.   Take note, this will also purge out the "Temporary Outlook Attachments" cache. 

This should give you as clean a template as possible for your Temporary Files.  Failing that, recreate the user and copy the necessary information to the new profile locations directly.

There are also items known as BHO or "Browser Helper Objects", similar to add-ins.   To get rid of these links I've found using a utility known as "HijackThis", written by an excellent programmer, works amazingly well.  It's meant for spyware removal (which in itself can cause the browser to absolutely freak).   Using this utility you MUST BE 100% comfortable with what you're doing and KNOW what you're removing.  It is possible to mess up the TCP/IP stack severely if you're not careful.

But you might be able to spot links to BHO that are dead, BHO's pointing to "K001FreeWAREZ.DLL" or BHO's trying to run from a TEMP or TEMPORARY INTERNET FILES location.   Those are all pretty much suspect.

Remember this is not "The only way to fix it".  This is just another piece of ammunition in your utility belt.   You can apply this to a Mac or Linux browser as well, although the commands and parameters are different.  The reasons for failure WILL be similar.   Something added to the browser not by the original programmer that failed.    A bad file the system is tripping over.  Something the programming team could not foresee.

Remember often a small problem creates a much larger problem.  I have found more often than not, stepping back and thinking simple helps nail down the big problem.

Sean
The Energized Tech
Dedication and Inspiration creating the new Generation

For a long, long time, Canada has been forgotten.

One of the biggest arms in the beast of technology.  A place where technological passion and innovation happens daily yet sometimes quietly forgotten.

But not by its community.   Not by its people.

Not by Microsoft.

It started with Energize IT.   A free conference sponsored by Microsoft and several partners in Toronto to bring the community together.  It continued with Influencers conferences tying the various links of those communities together.  From high end Enterprise specialists, IT Pros, Managers, Community groups and Enthusiasts alike.

And this year, we have something wonderful in Canada.  A True conference to bring computer people together.   To get technology into our hands in a tightly intense session.

Techdays_CA 2008!

Because Microsoft Canada recognized that we as a country are a huge IT Community.   It recognized shortages in the industry.    Microsoft Canada saw that one of the biggest problems is all the conferences that put hands on technology, seminars and training are for the most part south of the border.

But not anymore. No more!   A huge conference is going on across Canada, province-wide.   Held inside just about every key IT Hotspot in Canada.   Not a marketing tour.   A Technology tour.

What does Techdays_CA 2008 mean to you as an IT Pro? As a Developer? As a Human who even likes the way a pack of DVDs smells?

It means that chance to hear from people using new technology, getting your fingers into it.  Touching it feeling it.   Expanding your horizons.   And for FAR less than the cost of a lot of the training classes out there.

It also brings people together.  People of a common thread, common country, a common mindset.


Where and When is TechDays_CA 2008?

Presently there are seven planned dates on the calendar across Canada

Location    Date
Toronto     October 29th / 30th
Montreal    November 6th / 7th
Ottawa      November 27th
Winnipeg    December 4th
Calgary     December 10th / 11th
Halifax     December 17th
Vancouver   January 21st / 22nd

What is the cost?

If you register early you'll save half the cost on the conference in your local area!  Two-day conferences such as Toronto will run $499.99 Canadian.  One-day conferences like Winnipeg will cost $249.99.   Registering BEFORE October 15th will get you the early bird price which is almost 1/2 OFF! And space is limited to 5,000 people total!  So hurry!

Christmas Presents when it's not Christmas?

That's right folks!   What's a great conference without something to take away (other than intense knowledge and a fantastic time!).

Check out the bag of goodies!

6-month TechNet Plus Subscription
Visual Studio 2008 Professional – Full Package Product
Expression Web – Full Package Product
Visual Studio 2008 Team Suite – Evaluation Software
Expression Studio – Evaluation Software
Virtualization Resource Kit
30% off certification voucher – Applicable to All MS Certification Exams
TechEd 2008 DVD Set
$100 Discount Coupon for DevTeach/SQLTeach

No matter how you add it up, Techdays_CA 2008 is worth more than its dollar value!  I can tell you that Technet Plus Subscription by itself is outstanding!  "Here computer professional.  You've just gotten every key Microsoft application in your hands for the next six months!"

Yes.  Even Server 2008 DATACENTER Edition!  If you're an IT Pro, you know how rare that is.  If you're a budding developer Visual Studio 2008 Professional nullifies the cost and THEN some.

And you're getting hands on with the experts while you're there to boot!

What are you waiting for?

Register now! Register Today!  Watch the TECHDAYS_CA 2008 Website for registration details!

Looking for more details?

Watch these Microsoft blog sites for more information and details from people behind the event!

http://blogs.technet.com/canitpro
http://blogs.msdn.com/cdndevs
http://www.techdays.ca

TECHDAYS_CA 2008! DON'T MISS IT!


It's that day you dread.  The phone call from your friend.

"There's all these things on my computer! I swear I didn't do anything!  They just magically appeared!"

They've gotten themselves infected.

Whether you classify it as a Virus, Malware/Spyware or a Rootkit; in a nutshell; it's all the same thing.  A Foreign application running in your system doing something it SHOULDN'T.

Today I'm not going to debate what is or isn't a virus.   My job is not politics.  It's to get you armed to recover from a problem.

Whether the problem is a friend's computer, something cutting edge that slipped by your firewall or just dumb luck.  Take a little relaxation.  You're not completely unarmed.

If you're lucky you can update the Antivirus software and you're off to the races.  But today we're going to assume safely you can't.  You've got a nest of vipers running in that system.  You need a point of attack. 

Let's assume worst case scenario.  It's new.  It's nasty. It's blocking you down.

What can you do?

Spyware/Malware can be scanned for with several free and decent Utilities.  Windows Defender from Microsoft is free for Windows XP and catches many of them.  There is also SpyBot Search and Destroy, Ad-aware, HijackThis and Malware Bytes Malware removal.    None of them are truly 100% but usually a combination of all three will help.

If your Antivirus software is dead you're not 100% out of the water.  Kaspersky Antivirus is extremely effective on removals, gives you a free 30 day trial; and more importantly allows an AUTOMATED removal (This beats clean, click, clean, click, hundreds of times).

Rootkits are particularly nasty.  They sit at the Root, before Windows loads and really hide well.   An excellent free utility from F-Prot called BlackIce Defender will scan and remove most of the Rootkits quite effectively and automatically.

Then you've got your old good friends from SysInternals.  Download ProcessExplorer.  Think of it as TaskManager pumped up.   You can really see a lot of what's going on, can kill and pause processes.  One feature I like is the ability to see what process is controlling what files.

If you can get access to the registry at all (either directly or by the "Mount Foreign Hive" technique) you have a few key locations to quickly dig into.  They are actually many but this is "the basics"

Check HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its ilk for any unusual entries.  HKLM\Software\Microsoft\Windows\CurrentVersion\Run for similar entries.  If you're experienced with going into the registry you should be able to spot anything out of the norm.  Rather than deleting, I like renaming.  It's safer and a little more effective.  So if you see an entry trying to run "C:\HP\SuperFileCleaner.exe" rename the contents and add the word "not" to the end so it runs "C:\HP\SuperFileCleaner.exenot" which would fail that launch.

Another nasty spot is those pests that load with Winlogon.  You'll spot them at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\.

******* WARNING *********

You REALLY need to be comfortable with the entries here.   These automatically load upon bootup.  Even in safe mode.   A trick I found that sometimes works is using permissions on the registry keys in question and placing "DENY" permissions on all the groups and users in question on the keys.   Any files they are launching I place those same permissions on.  IF YOU ARE NOT CAREFUL THE SYSTEM MAY FAIL TO BOOT.  EDIT THESE WITH CAUTION. IF YOU ARE NOT AN EXPERT, PAUSE NOW and SERIOUSLY consider a re-install.

If it's a truly cutting edge one, the other trick is to look for recently modified or created files/directories and simply rename them from "MALWAREFOLDER" to "NOTMALWAREFOLDER".  The same with their files.  Going to the command prompt and renaming all the temp folders (as well as temporary internet files) to something else can also cripple a lot of them.  It also might point to where they're running from if you CAN'T rename the folder.
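To make the Run-key and Winlogon\Notify check above repeatable, here is an added example (my own code, not from the original post) that triages autorun entries with the post's own hints (launches from a TEMP or Temporary Internet Files path, target file missing, loads with Winlogon) and builds the "exenot" rename for each hit; the same checks apply to the BHO paths mentioned in the browser post above. The entries and the view of the disk are constructed inline so it runs offline; on a real machine you would feed it an export of those keys and pass os.path.exists as the `exists` callable.

```python
"""Triage autorun entries the way the post describes, and build the undo.

Added example, not code from the original post. Entries are constructed
here as (registry key, value name, command) triples like an export of the
Run and Winlogon\\Notify locations would yield; `exists` is passed in so
the sample runs offline (use os.path.exists on a real machine). It
generalises the post's "add 'not' to the program name" trick to any
entry, including a Notify DllName.
"""
import re

# Locations the post singles out as suspect launch points (lower-case).
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\local settings\\temp\\")
EXT_RE = re.compile(r"(.+?\.(?:exe|dll|com|scr|bat|cmd|vbs))(?:\s|$)", re.I)


def executable_of(command):
    """Extract the program path from a Run-style command line.

    Quoted form: "C:\\Program Files\\x.exe" /arg -> C:\\Program Files\\x.exe
    Bare form:   C:\\HP\\tool.exe /arg           -> C:\\HP\\tool.exe
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXT_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def assess(entry, exists):
    """Return the reasons an entry deserves a second look (empty = nothing odd)."""
    key, _name, command = entry
    exe = executable_of(command)
    low = exe.lower()
    reasons = []
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from a temp / Temporary Internet Files location")
    if "\\" not in exe:
        reasons.append("no directory given, resolved through PATH at logon")
    if not exists(exe):
        reasons.append("target file is missing (dead or hidden entry)")
    if "\\winlogon\\notify" in key.lower():
        reasons.append("loads with Winlogon, even in safe mode")
    return reasons


def neutralise(command):
    """The post's rename trick: C:\\HP\\SuperFileCleaner.exe -> ...exenot."""
    exe = executable_of(command)
    return command.replace(exe, exe + "not", 1)


def triage(entries, exists):
    """Return (key, name, command, reasons, neutralised_command) for suspect entries."""
    out = []
    for key, name, command in entries:
        reasons = assess((key, name, command), exists)
        if reasons:
            out.append((key, name, command, reasons, neutralise(command)))
    return out


RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
NOTIFY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example"
# Constructed sample export; the first entry is the post's own example.
SAMPLE_ENTRIES = [
    (RUN, "SuperFileCleaner", r"C:\HP\SuperFileCleaner.exe"),
    (RUN, "iTunesHelper", r'"C:\Program Files\iTunes\iTunesHelper.exe"'),
    (RUN, "updater", r"C:\Documents and Settings\bob\Local Settings\Temp\upd.exe /s"),
    (NOTIFY, "DllName", r"C:\WINDOWS\system32\example-notify.dll"),
]
# Constructed view of the disk: SuperFileCleaner.exe is deliberately absent.
PRESENT = {
    r"C:\Program Files\iTunes\iTunesHelper.exe",
    r"C:\Documents and Settings\bob\Local Settings\Temp\upd.exe",
    r"C:\WINDOWS\system32\example-notify.dll",
}

if __name__ == "__main__":
    for key, name, command, reasons, undo in triage(SAMPLE_ENTRIES, PRESENT.__contains__):
        print(f"{key}\\{name}\n  {command}\n  flags: {'; '.join(reasons)}\n  rename to: {undo}")
```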

Nothing is ever guaranteed.    And wiping out the drive and re-installing the operating system will probably clean you up a lot better (Unless it's sitting on the MBR of the hard drive in which case get some free data destruction software and kill it 100%, or just buy another hard drive and play it safe)

There is never a 100% guaranteed method to killing these pests.   All this is, is a little ammunition to put under your hat and maybe de-hurt the computer enough to get the system back up and running.  Sometimes you can be very successful.   But sometimes it's what you need to get the computer running enough to obtain needed settings.

Take note above all.  If you're not sure what you're doing or not sure where data might be, back it all up first.

Remember you can replace the hardware.  You can NEVER replace the data.

Sean
The Energized Tech
Dedication and Inspiration creating the new Generation

Launching November 12th 2008 is Microsoft Small Business Server 2008 and Essential Business Server 2008.


Here's my vision of a cool release song for it. 

:)

http://landofsilly.mypodcast.com/2008/09/Cougar_is_Out_SBS_2008_UnOfficial_only_in_my_eyes_Theme_Song_the_New_to_be_released_OS_a_CERTAIN_Software_company-138714.html

Sung along to "My Chemical Romance" and "Famous Last Words", people who can sing and write far beyond my meager abilities.


Karaoke version of song from www.karaoke-version.com. Cheap and high quality Karaoke music!

I always thought COUGAR was such a cool code word for an O/S. It made me sing. Now we're all sorry.

Cougar is Out

Meow

It's comin
Released and from it's cage
The Cougar's out
the Cougar's out

Meow

Come on now
Don't you see it purrin' at your side
The power is yours
The Power is yours
Plug in

Load it
Into your server now
The power at hand
get your business up and running
Get Energized
Go online and see all your staff productive
Get Unified
Tie your systems all together
It's yours!

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN

Power it up
Live Onecare protects your way
With Live Office tied as well
To get that integration
Into you now
Oh can you
Can you feel the integration
Of code and mind
A long time in the building
The Cat's out

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN

Cuz It's here, and in my server now
The cats at hand oh come and let it out
Release the leash
and Turn it loose

Cuz It's here, and in my server now
The cats at hand oh come and let it out
Release the leash
and Turn it loose

Cuz It's here, and in my server now
The cats at hand oh come and let it out
Release the leash
and Turn it loose

Cuz It's here, and in my server now
The cats at hand oh come and let it out
Release the leash
and Turn it loose

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN

The Cougar has Released it's got me singin'
SBS 2008 I've waited long
I can't wait to start the implementin'
64bit power is pourin' throughout the LAN