Palo Alto Networks – Email
Story
Well back to work, so what other than another story of fun times troubleshooting what should be a super simple task. When I was hit with a delayed greyed out screen on the management UI and the subsequent error.
“Unable to send email via gateway (email server IP)”
The
Hunt
Let’s see if others have hit this problem:
Second and Third basically state to ensure legit email addresses are applied to both to and addition to fields. My case I know the only one email to address is fine.
And finally the How to By Palo Alto Networks themselves.
Well that’s annoying, bascially tell you to ensure the email server is accessible but they do so from other devices cause the PA can’t even do a telnet test… uhh ok useless, I know it’s open.
Things to Know
I had contacted my buddy who specializes in PA firewalls. There are some things to note.
- Service Routing
By default all traffic from the firewall, will go out the MGMT interface. Unless otherwise specified. In my case I was using a Service Route for Email to use the interface that was acting as the gateway for the subnet in which the email server was residing. - Intrazone and Interzone Rules
By default if traffic doesn’t hit any rule it will be dropped, watch the video by Joe Delio for greater in-depth understanding.
The Solution
Now even though I had a “clean up” rule as stated by Joe. I was still not seeing the traffic being blocked (and I know it was being blocked).
Once my buddy told me to override the intrazone rule and enabled logging on that rule, I was finally able to see the packets being dropped by the PAN firewall within the Traffic Logs/Session Logs.
Sure enough it was my own mistake as I had forgot to extent an existing rule which should have had the PAN’s gateway IP within it. After I noticed this I extended the rule to allow SMTP port 25 from the PA IP (not the mgmt IP) I was able to send emails from the PAN firewall.
Hope this helps someone.
Also note I ensured a dedicated receive connector on the email server to ensure the email would be allowed to flow though.
Resolving a 503 response from HAProxy
Story
A while ago I blogged about using OPNsense with HAProxy as a reverse proxy for Exchange services. Now you can serve many other applications but HTTP(s) has become very common place. This has simplified network requirements at layer 4 and has pushed most security up to level 7 (either patch management (updates) or a next generation firewall (NGF)). Anyway, sometimes the best form of security is simply blocking access to areas that shouldn’t need to be accessed, specially from public facing sides. Imagine a dedicated room, such as a server room, you would keep the doors to this area locked, and generally not directly accessibly from the outside (a door facing an outside wall), same concept applies here for services. Of course you still want users to be able to access the receptionist area. In this case, receptionist area is like the OWA portal, and the server room access is like the ECP portal.
Now in my previous post, I did attempt to not have a public way access to the ECP area, you’d have to be on the inside network to reach it. However much like the comment on that post, if you new about the redirect URL with application layer (HTTP requests with URL parameters) and manually entered the redirect URL path you would still manage to get the ECP login page from the public facing side. (whoops).
Now this isn’t the point of this blog post but will be a nice follow up once the actual concept of this post is… presented?
The issue
Anyway, when using HA proxy one might notice that the logging is rather low. (this is by design for them as to prevent flooding the server’s local storage with well, logs). Why don’t they simply define limit based logging and do FIFO (first in, first out) log rotation based on these limits? Not sure, anyway, first thing you’ll notice is that you’ll get 503 responses, and nothing but “client connections” in the log area:
As you can tell, pretty ****in’ useless. Nothing we didn’t already know, connections on port 80/443 are allowed and passed to the load balancer. However the load balancer is still not servicing content correctly. Let’s move on.
Troubleshooting
At first I was fairly confident all my real servers, conditions, and rules were created successfully and the order was good within the “public services”(interface listener).
Googling the generic issue provided, well, generic answers which didn’t help me. If I knew what the HAProxy service was doing I could stand a way better chance to solve it.
Enable Logging
First we enable logging on the actual service from “info” to “Debug”.
*Note remember to change it back to info to avoid log flooding*
However, This still didn’t provide me any insight when I went to check out the log section.
Turns out there’s separate level of logging for each listener you have. So under your specific “Public Service” aka interface listener, enable advanced logging on it:
Once I had this level of logging enabled I could finally see which backend server was being hit after the request.
Solution
In my case it turned out it was hitting a completely different backend then what the rules defined within the “Public Service”/Listener was defined. When I checked the rule on which the wrong backend it was hitting, it turned out this rule was missing the very condition it was suppose to have on it, and actually had no conditions defined. As such it was hit on any request that was passed to it, since it was higher up in the list of rules in the list of rules on the “Public Service”/Listener.
I hope that made sense, anyway. In this case I ensured the rule for that backend server had the actual condition attached to it that it was suppose to serve. In this case it’s all mostly hostname based and not even complicated using things like regex, or path parameters, etc.
Icing on the Cake
Now remember my story at the beginning trying to block ECP and failing at the redirect. Now I didn’t like that and I came up with a Condition and Rule set that works.
Now as you can see from this, I created two conidtions, if the path ends with ecp (this might be an issue if there are any other backends that happened to have a path that ends in ecp) lucky for me that’s not the case. This woulda been great if managing alternative domains on the same interface, but the second condition is a bit more direct/specific. As you can see from the first image it states to look out for any URL with the parameter of URL if the parameter of the redirect to the ECP. Then in the rule specified the OR condition so if either condition is met, the request is blocked.
Cheers!
Lync/Skype Enable User – Email is Invalid
I’ll make this post really short. The other day I needed to enable some new users within a domain that has trusts, users in one domain with some services in the trusted domain. This service in question is Exchange, and thus these were linked mailboxes.
First Symptom:
Opening Outlook for the first time and letting auto configure wizard run wouldn’t auto populate the User name and email in the second window of the wizard.
At this point I simply worked around the issue by filling in the name and email address, leaving the password field blank and clicking next, the rest of auto configure worked without a hitch.
Second Symptom:
Lync/Skype control panel, enable user; Email address is invalid.
At this point I sort of had an ‘ah ha’ moment and decided to check the user’s object in AD (on the source domain with the active accounts, not the disabled accounts in the exchange domain) and sure enough their email fields were blank, normally this would be populated if exchange was on the same domain, but since they were linked mailboxes with disabled accounts within the trusted domain, this is something Exchange I guess just doesn’t do in this situation.
Solution: Populated the email field on the User’s AD object on the source domain.
This sure enough resolved the first symptom as well 😀
Removing “Network” from File Explorer
SOURCE: Winareo
Update I wouldn’t recommend this way.
- Go to the following Registry key:
HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
- Set the value data of the DWORD value Attributes to b0940064.If you are running a 64-bit operating system, repeat the steps above for the following Registry key:
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}}\ShellFolder
The Issue with this method is it requires you to take ownership of the key, usually by running regedit as system using psexec. I thought maybe if I created a GPO to deploy these settings it would work, but instead got Error Code: 0x80070005, which apprently means access denied.
After farting around a bit down a rabbit hole about HKCR and how it’s apparently derived from HCLM\Software\Classes. I then decided to simply ask Google how to remove that icon via a GPO as much easier techniques usually exist. Where I found this Spice works thread post where a user by the name of Adam Sneed provided a adm file, which if you are unaware create configuration areas within GPMC to manage workstation. If you also know GPO’s generally when pushed down to client machines are nothing more then registry changes. So opening up the shared adm file from Adam shows the following:
CLASS User CATEGORY !!Custom CATEGORY !!ExplorerExtras POLICY !!HideNetworkInExplorer KEYNAME "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum" EXPLAIN !!HideNetworkInExplorer_Help VALUENAME "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY END CATEGORY END CATEGORY [strings] Custom="Custom Policies" ExplorerExtras="Windows Explorer Extra's" HideNetworkInExplorer="Hide the Network Icon in Explorer 2008/Vista/Windows 7" HideNetworkInExplorer_Help="Enable this to hide the netowrk icon, disable or unconfigure to show the network icon."
As you can see the key we are interested in is “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum”
Checking it out manually on the client machine is HKLM, which I later found out is directly answered in this TechNet post.
Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Value name: {F02C1A0D-BE21-4350-88B0-7367FC96EF3C} Value type: REG_DWORD Value Data (hex): 00000001
Doh, requires reboot to work.
*UPDATE* Bonus, remove Quick Access.
Hive: HKEY_LOCAL_MACHINE Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer Value name: HubMode Value type: REG_DWORD Value Data (hex): 00000001
No reboot required, just reopen file explorer.
3D Printing
3D Printing
Overview
I wanted a 3D printer for a while since being introduced to it from our current hackerspace in the city; Skullspace. Check em out. Many of the awesome guys I know are right on the homepage. Amazing people.
Anyway, they had some first couple version that had many issues which had me worried when getting into it. However it turns out the Ender 3 has amazing reviews, and a solid following with it being introduced into some good software we will cover aa bit later in this blog.
Buy a 3D printer
So I finally pressed the trigger and bought a 3d Printer… since I got an amazon gift card I searched 3D printer on amazon and the main thing that showed up was a Ender-3 as their choice pick.
Set up Printer
Was a really good price specially with the gift card I had. I got it really quickly too, and on top of it came really well packaged with minimal assembly required. I was a confused at only a couple steps during the setup so I watched this guys YouTube video to get it assembled. Which was an amazing help, he even provides upgrade parts you can print once you get the printer running, which I’m currently printing as I write this.
However there was one part I was a bit confused about and that was how to level the bed.
Leveling the Bed
Now as mentioned by Vlad in his setup video, he was surprised to find there was no auto leveling. This doesn’t surprise me for the price of this amazing machine, beggars can’t be choosers and let’s level the bed.
For this I watched this great video by 3dprintingcanada on youtube.
After following these 2 video I was ready for printing and my first couple prints came out amazing. Of course this requires other basic knowledge I haven’t covered yet.
How 3D Printing Works
Now in order to understand what’s going on in the next bit it’s important to understand how 3D printing works. and that’s basically like this: “A 3D printer essentially works by extruding molten plastic through a tiny nozzle that it moves around precisely under computer control. It prints one layer, waits for it to dry, and then prints the next layer on top.”
In order to do this normally you model your object (with FreeCAD, or Fusion360, or whatever) and once you export your model out it usually comes in an STL file for a normal object file you can use to CnCing or other things… like “slicing” which takes the object and well “slices” it into layers which will determine the resolution of the final print (that and the diameter of the extrusion nozzle being used by the 3D printer.
Slicing
Now normally you have to do some math’s and calculate all these things and enter their values into the Slicer of choice. Two top ones right now in the FOSS area are Cura and Slic3r. I have most of my experience with Slic3r and then I read about this gem; PrusiaSlicer!
“PrusaSlicer now comes with Ender3 profile”
Sure enough running it, out of the box I could select a profile for my Ender3 (having profile is a specific set of the variables I mentioned above already configured for specific printers out of the box). Since my Endor-3 was out of the box without any modifications (to the extruder nozzle mainly) I was good to go.
With the setup and testing off all parts good (as mentioned and linked to the two YouTube video to accomplish this) it was time to grab an object and slice it.
The First Print
The first thing I printed was a Ghost from Packman.
Then I quickly went to upgrades to the Ener3, starting with the main upgrade which was the upgraded blower nozzle.
Final Thoughts
Over all the first couple prints without changing any infill settings, or supports were super easy going, and I’d say the industry has finally got it down pretty well and cheap enough I’d say go for it. This is a great starter printer.
Watch this video on more about how to customize supports in PrusiaSlicer.
If you run a 3D printer let me know what you run in the comments, or if you have suggestions.
Thanks for reading!
Manage iPhone4 Music Library in 2020
What a pain… tried linux could easily see the photos, but then again I could also see that in Windows, so stuck with using Windows. Since it an older phone figured older OS would work just fine, I tried an older copy I had of CopyTrans manager but would constantly not show the phone in the app when connected.
I wanted to see if iTunes could see it, the latest download says to go to the Microsoft Store (gross), so you have to find an alternative download for 12.5 or something to grab an actual executable installer.
I was getting this weird error installing it about the service not starting and I read all these posts, here and here all full of advise that was useless, you check the service it shows up, do all the things shows up fine at boot but complains with iTunes. and I’d always get this annoying pop up
“This iPod cannot be used because the required software is not installed.”
Well what kind of rubbish lies is this, everything was installed just fine and for the proper version (x64), like what the heck gives. Then I stumble upon this random post from over 11 years ago…
“I got it. I just first uninstalled iTunes then this:
1.Open up the Command Prompt as an Administrator (Go to All Programs > Accessories and Right Click on Command Prompt and then choose Run as administrator)
2.Type cd C:\Windows\SysWOW64
3.Type regsvr32 vbscript.dll (This registers VB Script with your computer.)
4.Now install iTunes as you normally would by double clicking on the install program and wait for iTunes to finish installing.
5.Type regsvr32 /u vbscript.dll (This unregisters VB Script with your computer.)”
I followed the same steps and low and behold I saw my iPhone 4 in iTunes. I was like Woah… but also like… I don’t want this I wanted simple drag n drop with CopyTrans Manager.
If you grab the latest copy of it.. it’s now shareware with limited use, when running it.. I couldn’t even get a delete context menu when (this version even wanted to install drivers even though itunes was installed, and wanted to uninstall itunes in the process…. well don’t let me stop you). But still now the phone shows up in the app but I couldn’t delete. I managed to find an older copy I think version 1.2 or something. Will have to double check which I ran standalone after the most recent version install, and I was able to get the add and delete buttons to show up. And then updated my playlist and finally updated the phone and it worked!
I now created a backup of this VM for future use as is.
FreeNAS Volume Down.
Quick Note, This is NOT a deep dive post into troubleshooting a downed volume, in this case I knew the drive was unavailable since boot and my goal was to re add the logical drive after correcting the physical connection issue.
This happened to me due to a Hardware issue. A power surge killed my UPS, like fully in that it wouldn’t turn on. SO had to rip it out and rebuild my DataCentre since I’m a poor man without proper servers, or server mounts. It’s a ghetto mans DataCenter.,.. anyway. The single USB enclosure housing a 2 TB HDD which was mounted and shared via SMB on the FreeNAS server didn’t power on. I decided to open the case to see if I could find the issue (the PSU was fine as I was reading 12 v from the standard barrel connector. After I removed the case I was shocked find it was powering on… ok what gives. Put the case back on and nothing, it’s like the power barrel isn’t reaching the internal pins all of a sudden. I’m not sure if this was cause I swapped it with another 12v unit within the rack, either way I found an adapter to fit the same female and male ends and amazingly it worked lol, how useless but randomly came in use in my life.
So now back to FreeNAS with the USB drive powered on and connected.
First thing on the UI was the critical alert of the Volume being down. I wasn’t sure how to bring it back online with commands like lsusb being useless.
I found this FreeNAS form post with someone having a similar issue were the logs stated the simplest solution:
Recovery can be attempted by executing ‘zpool import -F vol1′
I SSH’d in and ran that command ageist the known volume that was down and lo and behold it appeared to have fixed my mounted USB drive…. but my SMB share just wasn’t available…
SO restart the SMB share… nothing… OK what gives… I dont’ remember documenting exactly how I set this up and it older FreeNAS 11.1-U1… so now I check the source server via SSH…
“zpool status” now shows the volume is there. checking “df -h” shows it’s mounted as /SMB… yet going to the Sharing -> Windows Shares and checking the shared volume states it should be /mnt/SMB but it’s not mounted as such hence why it’s not showing up…
Now 2 questions pop in my head 1) did I mis-configure something or 2) is the mount process different during boot in which it will mount the volume under /mnt instead of the root… not sure what happened here.. also not sure exactly how I should fix it. I want to avoid a reboot as it hosts iSCSI based VMFS volumes for my ESXI hosts.. what a pain…
ok… sigh mmmm I can either link or mount the volume accordingly at this time, but not sure how that will affect the server at boot….
So after talking to the “experts” apparently I did something wrong (how classic) due to a mix of my ignorance and … ahem… a system design in which the backend shouldn’t be touched outside the frontend… like lame SharePoint… anyway to read the details see this snippet:
Though have to give credit where it’s due and it’s nice to get clarification on things that piss me off so much it actually triggers my “flight or fight” response in my brain and I get like raged.
So taking a few minutes to cool down to hopefully resolve what should have, as usual, been a rather easy process became a royal pain in the fucking ass. But a “learning” experience none the less. Say that shit more than enough times in this stupid field of shit… ughhhh
OK now not pissed…. I went to Storage -> Volumes via the front end, and even though it showed green and healthy from the backend import command, I clicked the volume and selected “detach” from the bottom. I chose not to destroy my data (default, good stuff), and to not remove the share configuration (SMB service stopped anyway).
Then I clicked import volume (no encryption) and lucky for me the volume in question was the only one available in the dropdown list. The wizard successfully imported the volume, and sure enough doing a “df -h” on teh backend showed it mounted as /mnt/SMB ands retarting the SMB services worked and navigating the share also worked.
Yay well this sure was a learning experience…. don’t mess with the backend too much with FreeNAS (soon to be TrueNAS CORE).
Cheers
Windows MPIO to FreeNAS iSCSI Target
Intro
Well I made some mistake, the system worked but not utilizing its max capabilities..
I had been successfully using FreeNAS as a iSCSI target for a disk mounted in Windows Server, but only one path being used at all times…
Windows Side
I first needed the MPIO feature installed:
- Click Manage > Add Roles And Features.
- Click Next to get to the Features screen.
- Check the box for Multipath I/O (MPIO).
- Complete the wizard and wait for the installation to complete.
Noice.
Then we need to configure MPIO to use iSCSI
- Click Start and run MPIO.
- Navigate to the Discover Multi-Paths tab.
- Check the box to Add Support For iSCSI Devices.
- Click OK and reboot the server when prompted.
For me I didn’t get prompted for a reboot and reopening MPIO showed the checkbox unchecked, I had to click the add button then I got a prompt to reboot:
Now before I continue to get MPIO working on the source side, I need to fix some mistakes I made on the Target side. To ensure I was safe to make the required changes on the target side I first did the following:
- Completed any tasks that were using the disk for I/O
- Validated no I/O for disk via Resource manager
- Stopped any services that might use the disk for I/O
- Took the disk offline in Disk Manager
- Disconnected the Disc in iSCSI initiator
We are now safe to make the changes on the target before reconnecting the disk to this server, now on to FreeNAS.
FreeNAS Side
I much like the source specified added an IP to the existing portal.. which I apparently shouldn’t have done.
Stop the iSCSI service for changes to be made.
Now delete the secondary IP from the one portal:
Now click add portal to create the secondary portal with the alternative IP.
There we go now just have to edit the target:
Now, that you have multiple portals/Group IDs configured with different IP addresses, these can be added to the targets.
Editing the existing targets to add iSCSI Group IDs
Once you have a target defined, you can click the Add extra iSCSI Group link to add the multiple Port Group ID backings.
Add extra iSCSI group IDs to each target in FreeNAS
Make sure you have the iSCSI service running. It does hurt at this point to bounce the service to ensure everything is reading the latest configuration, however with FreeNAS the configuration should take effect immediately.
Make sure iSCSI service is running in FreeNAS
Now we can go back to Windows to get the final configurations done. 🙂
Back on Windows
Configuring iSCSI
Launch iSCSI on the application server and select the iSCSI service to start automatically. Browse to the Discovery tab. Do the following for each iSCSI interface on the storage appliance:
- Click Discover Portal.
- Enter the IP address of the iSCSI appliance.
- Click OK.
- Repeat the above for each IP address on the iSCSI storage appliance.
Browse to Targets. An entry will appear for each available volume/LUN that the server can see on the storage appliance.
Configure Each Volume
For each volume, do the following:
- Click Connect to open the Connect To Target dialogue.
- Check the box to Enable Multi-Path.
- Click Advanced. This will allow us how to connect the first iSCSI session from the first NIC on the server. We can connect to the first interface on the iSCSI appliance.
- In the Advanced Settings box, select Microsoft iSCSI Initiator in Local Adapter, the first NIC of the server in Initiator IP, and the first NIC of the storage appliance in Target Portal IP.
- Click OK to close Advanced Settings.
- Click OK to close Connect To Target.
The volume is now connected. However, we only have 1 session between the first NIC of the server and the first NIC of the storage appliance. We do not have a fault-tolerant connection enabled:
- Click Properties in the Targets dialogue to edit the properties of the volume connection.
- Click Add Session.
- Check the box to Enable Multi-Path.
- Click Advanced.
- Select Microsoft iSCSI Initiator in Local Adapter. Select the second iSCSI NIC of the server in Initiator IP and the second NIC of the storage appliance in Target Portal IP.
Click OK a bunch of times.
If you open Disk Management, your new volume(s) should appear. You can right-click a disk or volume that you connected, select properties, and browse to MPIO. From there, you should see the paths and the MPIO customizable policies that are being used by this disk.
I left the load balancing algo to Round Robin, as Noted from here:
MCS
Fail Over Only – This policy utilizes one path as the active path and designates all other paths as standby. Upon failure of the active path the standby paths are enumerated in a round robin fashion until a suitable path is found.
Round Robin – This policy will attempt to balance incoming requests evenly against all paths.
Round Robin With Subset – This policy applies the round robin technique to the designated active paths. Upon failure standby paths are enumerated round robin style until a suitable path is found.
Least Queue Depth – This policy determines the load on each path and attempts to re direct I\O to paths that are lighter in load.
Weighted Paths – This policy allows the user to specify the path order by using weights. The larger the number assigned to the path the lower the priority.
MPIO
As above plus
Least Blocks – This policy sends requests to the path with the least number of pending I\O blocks.
Now did it actually work?
Seems like it.. performance is still not as good as I expected. must keep optimizing!
Hope this helps someone…
Copying Registry Keys from Offline Hives
Intro
So the other day I installed a new version of Windows on a new disk, leaving all my old ones on my old drive available if I need something in particular. in this case there was something particular I wanted that was my putty sessions. I do use mRemoteNG, which saves most of my required sessions. However there were still a couple oldies used by putty and mRemoteNG will list these as well automatically as it simply references the same reg keys that putty uses to save them.
But what if the usual method as outlined here, don’t work as the system that has the stored information is not on my running instance of windows? As the answers all assume on major thing, the old system is able to be powered on and brought online.
In my case not so much…. so what do we do? Well this blog post defiantly provides major help in that regards. Basically covers loading offline hives and some caveats as a result of this procedure. Instead of having to read that whole blog I’ll paraphrase it here:
-
- You have to highlight HKLM or HKU for the load Hive to be ungrayed out.
- Loading an offline hive stay loaded until manually unloaded. Ensure you unload the hive after exporting the keys of interest.
- Exported Keys will have paths of unwanted nature, the path will need to be edited to be useful/proper.
As for note 2 he uses and App called RegistryViewer. I have never used this app, and I generally avoid 3rd party apps as much as humanly possible. Specially for things that are pretty straight forward. The second method mentioned was to use a notepad editor to replace the problematic lines within the path. He goes on to say notepad can’t do this and to get notepadd++. While being a huge advocate for notepad++. regular notepad CAN do this, CTRL + H. So let’s so this…
Hold on a second.. where are the files “hives” we need to load on the old Windows files? I used this How-to-geek reference to help me answer this question.
*Interesting take away* “The registry contains folder-like “keys” and “values” inside those keys that can contain numbers, text, or other data. The registry is made up of multiple groups of keys and values like HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. These groups are called “hives” because of one of the original developers of Windows NT hated bees. Yes, seriously.”
“On Windows 10 and Windows 7, the system-wide registry settings are stored in files under C:\Windows\System32\Config\ , while each Windows user account has its own NTUSER.dat file containing its user-specific keys in its C:\Windows\Users\Name directory. You can’t edit these files directly.
But it doesn’t matter where these files are stored, because you’ll never need to touch them.”
Ahem… There are often times someone may need to “touch” the registry, more often then not devs of alternative apps that did decide to use the registry to store app settings probably didn’t even delete them when running their respective uninstallers I’ve seen this many times. Anyways we won’t go down that rabbit hole instead I need the reg files in the HKCU, and that apparently is in the NTUSER.dat file apparently… well fudge, there might be more steps involved here than I thought…
Found this OLD blog from 2003 with basic info I needed:
“Select the wanted registry database file:
[HKEY_LOCAL_MACHINE \SYSTEM] (%windir%/system32/config/system)
[HKEY_LOCAL_MACHINE \SOFTWARE] (%windir%/system32/config/software)
[HKEY_USERS \.Default] (%windir%/system32/config/default)
[HKEY_CURRENT_USER] (%userprofile%/ntuser.dat)”
Ohhh you really just open the .dat file directly.. huh..
Loading the Hive
*Notes* It’s assumed that the offline Windows files are accessible to an online copy of Windows. how this is accomplished is up to the reader, direct HDD mounting via an open BUS on the mainboard, a USB enclosure with the offline file system mounted. Whatever the case maybe.
-
- Open regedit.
- Click on HKU, then File, Load Hive, Point to users’ offline hive…
ERROR Access denied. “huh, I know I’m not running elevated but I have rights on this dir since it was my old profile path on a domain joined machine.. what gives? fine Whatever I’ll just run an elevated CMD and copy it to a open permission folder (C:\temp) …” Error File not found… seriously What?!
Really.. huh never knew… “my file was hidden that’s why copy couldn’t do the job” wow…
xcopy /h source destination
Weird anyway this might be the reason it fails to load in regedit let’s see…
Nope, even set the attributes to not be system/hidden on the copy and still permission error. So it turns out you HAVE to run regedit elevated or you can’t load hives? I would rant here but, meh … moving on - Now I can finally check the key of interest …
HKEY_CURRENT_USER\Software\SimonTatham
Finally Gees man… ok next…
Exporting the Key
Right click Key(folder) and select export… (Holy man finally something dead simple)
I saved my reg file under c:\temp
Editing the Reg File
Now as mentioned in the source blog we need to clear the mounted Hive name from the paths within the reg file, so open reg file up in Notepad, press CTRL+H and enter the mounted name (hopefully picked something very unique) and include one \, while leaving the replace with field empty:
Click “Replace All”
Don’t forget to save the file, and unload the hive. Now I can open regedit as my standard account, unelevated and try to import the reg file…
WHOOPS one thing I quickly noted was due to mounting it on HKU (since you can’t mount it on HKCU, we have to change all HCU to HKCU:
Now save the reg file and import.
Importing the Reg File
Open Regedit, File -> Import Registry, point to file saved in temp folder.
Baaaaaam, imported in proper spot and opening up my mRemoteNG shows my putty saved sessions.
Bonus Material!!
I was having issues with one of my saved sessions which relied on an SSH auth key. It turned out my USB key that held it was not mounted as the same drive letter as my old system. As soon as i corrected the drive path, the sessions worked.
Well I hope this helps someone…