Dealing with Event ID 7000

This event can be due to a couple of things, mostly dependencies.
I came across this error notice while checking my workstation's event logs. I noticed these events coming from what should be Trend AV. As Trend is the active AV in use I was concerned about it; however, the active AV session was OK and showing green across the board.

Entering the exact info from the event into Google turned up a nice forum topic about it. I had already done my due diligence by checking the local services with an admin account, both using the “sc query” command and “Get-WmiObject win32_service | format-table displayname,name,startname”.
This was enough to show me that tmcomm was not an active service installed on my system. Luckily for me, the user on this forum was experiencing a similar issue.
This led me to believe these were old services left behind by a previous version of Trend AV.
Following the advice there, I removed the service keys from the registry. Browse to HKey_Local_Machine\System\CurrentControlSet\Services; under the Services key there are many subkeys, so find the one named TmComm and delete it (keys look like folders).
Once I had removed the key and rebooted, I had a clean event log!

So those are the basic steps: check the log, see the event, and verify that the dependencies are starting. If the service name cannot be found using the commands listed above, then check the registry under HKLM\SYSTEM\CurrentControlSet\Services and remove the key for the listed service.
Hope this helps someone else experiencing Event ID 7000 in their event logs!
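The same checks as a script, added here as an example and not part of the original post: for each recent Event ID 7000 it looks up the service the way “sc query” would, finds its key under HKLM\SYSTEM\CurrentControlSet\Services and tests whether the binary that key points to still exists. It only reports; the registry key name and paths are read from the machine, nothing is assumed.

```powershell
# Added example, not from the original post: list recent Event ID 7000 entries and report
# whether each service is still registered with the SCM, whether its key is still under
# HKLM\SYSTEM\CurrentControlSet\Services and whether the binary that key points to exists.
# It only reports; deleting a leftover key stays a manual step after you have confirmed
# the product is really gone.
function Get-Event7000ServiceState {
    param([int] $MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $keys   = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $known  = Get-Service

    foreach ($e in $events) {
        # Property 0 of a 7000 event is the service name as the SCM logged it
        $display = [string] $e.Properties[0].Value

        # Match the key by its name (e.g. TmComm) or by its DisplayName value
        $key = $keys | Where-Object {
            $_.PSChildName -eq $display -or
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName -eq $display
        } | Select-Object -First 1

        $imagePath = $null; $exe = $null
        if ($key) { $imagePath = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath }
        if ($imagePath) {
            # Executable part: the quoted path, or the first token of an unquoted one
            $exe = if ($imagePath -match '^"([^"]+)"') { $Matches[1] } else { ($imagePath -split ' ')[0] }
            $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # Driver paths such as system32\drivers\x.sys are relative to %SystemRoot%
            if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
        }

        [pscustomobject]@{
            Time          = $e.TimeCreated
            Service       = $display
            KnownToSCM    = [bool] ($known | Where-Object { $_.Name -eq $display -or $_.DisplayName -eq $display })
            RegistryKey   = $(if ($key) { $key.PSChildName } else { $null })
            ImagePath     = $imagePath
            BinaryPresent = $(if ($exe) { Test-Path -LiteralPath $exe } else { $false })
        }
    }
}

Get-Event7000ServiceState | Format-Table -AutoSize
```

A row with KnownToSCM false or BinaryPresent false but a RegistryKey present is the leftover-key case this post describes; run it from an elevated prompt so the Services key is readable in full.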

Jan 2018 update

Well done.

Extra Registry Settings in GPME

As a systems administrator you'll often need to clean up Group Policies (GPs) in many organizations' Windows domain environments.
Before I get into my story, here is some background info on ADM and ADMX files and templates.

While I was working on cleaning up and verifying processed policies, I came across one that stated Extra Registry Settings.
The thing to check and note is whether the policy templates are taken from the local store or a central store.
If it's using the local store it will check C:\Windows\inf for .adm files, and C:\Windows\PolicyDefinitions for .admx files.
If using a central store, they will be under PolicyDefinitions in the SYSVOL folder; this is used for replication.
It's also important to note that when you add an .adm file to a GP (either the User or the Computer category), the .adm file gets copied to the policy's folder in SYSVOL.

So the first thing I checked was the policy's ID folder in SYSVOL, where I found an .adm template file and made a copy of it.
You can open an .adm file with Notepad, and check here for how they are structured.
After checking the structure of the file, it exactly matched what was displayed under Extra Registry Settings.
I even enabled the settings, removed the .adm from the GP in GPME, checked the Settings tab in GPM, and the “Extra Registry Settings” were exactly the same.
I was stumped; I couldn't figure out what was going on, and the .adm file was in all the places Windows would look for it.

I came in this morning and decided to give it one more shot… I just can't let things go when they bother me, and rebuilding the GPO just didn't seem like a good solution.
What I did was take the ValueName and append it to the KEYNAME string; I left the ValueName itself the same, and this was enough to work!
It finally showed the correct heading in GPM, I was able to change the settings, and I could finally remove the .adm file to have a clean GP!
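To see what GPM is matching against when it labels values as Extra Registry Settings, here is an added example (not from the original post) that parses an .adm template into the registry key and value name behind each policy. The .adm text is constructed for the demo; the parser only knows the CLASS, CATEGORY, POLICY, KEYNAME, VALUENAME and PART keywords it needs.

```powershell
# Added example, not from the original post: parse an .adm template into the registry key
# and value name behind each policy, which is the pair GPM lists under "Extra Registry
# Settings" when it cannot match a GPO's values to a loaded template. The .adm text below
# is constructed for the demo, not a real product template.
function Get-AdmPolicyValue {
    param([Parameter(Mandatory)] [string[]] $AdmLines)
    $class = $null; $policy = $null; $categoryKey = $null; $policyKey = $null
    foreach ($raw in $AdmLines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        switch -Regex ($line) {
            '^CLASS\s+(MACHINE|USER)'  { $class = $Matches[1]; $categoryKey = $null }
            '^POLICY\s+"?([^"]+)"?'    { $policy = $Matches[1] }
            '^KEYNAME\s+"?([^"]+)"?'   {
                # A KEYNAME inside a POLICY overrides the CATEGORY-level default
                if ($policy) { $policyKey = $Matches[1] } else { $categoryKey = $Matches[1] }
            }
            '^VALUENAME\s+"?([^"]+)"?' {
                $hive = if ($class -eq 'MACHINE') { 'HKLM' } else { 'HKCU' }
                $key  = if ($policyKey) { $policyKey } else { $categoryKey }
                [pscustomobject]@{ Class = $class; Policy = $policy
                                   RegistryPath = "$hive\$key"; ValueName = $Matches[1] }
            }
            '^END POLICY'              { $policy = $null; $policyKey = $null }
        }
    }
}

# Constructed sample: a CATEGORY-level KEYNAME, one POLICY that inherits it and one that
# sets its own KEYNAME for a PART element
$sampleAdm = @'
CLASS MACHINE
CATEGORY "Contoso Agent"
  KEYNAME "Software\Policies\Contoso\Agent"
  POLICY "Enable telemetry"
    VALUENAME "EnableTelemetry"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Update server"
    KEYNAME "Software\Policies\Contoso\Agent\Update"
    PART "Server URL" EDITTEXT
      VALUENAME "ServerUrl"
    END PART
  END POLICY
END CATEGORY
'@

Get-AdmPolicyValue -AdmLines ($sampleAdm -split "`r?`n") | Format-Table -AutoSize
```

Point it at the .adm copied from the policy's SYSVOL folder (Get-Content file.adm) and compare the RegistryPath/ValueName pairs with what the Settings tab shows; any pair the template does not produce is one GPM will keep listing as an extra setting.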

Jan 2018 Update

It's been a long time since I had to do such things as reverse engineer ADM files. This is a pretty cool post, haha.

Windows Shares over SSH tunnel

I am the worst at writing blogs. I seldom get excited enough to write anything. But today…. TODAY! I feel like this is going to be a good blog.

A fantastic blog… anyway, so I moved into a new place, but still have my server running at my old place; I run a very lightweight server from there.
pssssst, it's really just a router, but perfect for hosting network shares, torrents, web servers (cough, this page), SSH and SMB (cough, this as well).

If you haven't heard about DD-WRT, I'd suggest you check it out here.

Anyway, while I use an SSH tunnel to manage this router via CLI, I can always tunnel its web management interface port to my local machine and manage it that way too.
Yes, most changes do cause it to do a soft reboot and break the connection; a simple reconnect after a couple of minutes is usually all it takes.
I figured I'd just forward the server's SMB port just like I do most of my other ports… to my dismay it didn't work… so I decided to GOOGLE!

As it turns out, there is more tweaking required to do this than I first thought, like disabling the SMB service at start-up and using a loopback interface.
If you have a Windows share server (SMB) at home and happen to have SSH for management also available, then check this link out!

Bye for now….

Jan 2018 Update

These are always neat tricks to keep in the back of your head, even if you're playing around just for fun. I wouldn't see the real-world use for this type of hack today as everything is pretty much OpenVPN or some other VPN solution. Still love my SSH though.

Lucky the link is still active otherwise this post would be as useless as tits on a bull.

Feb 2019 Update

Mind Blow

This is a blog post from someone at the Dutch National Institute for Subatomic Physics… dude, that’s awesome!!!!!!

Custom Templates, Server 2008 R2 CA Web Enrollment

Usually the issue is one, or a combination, of the following:

1) In the certificate template, the Subject tab wasn't switched to Supply in request.

2) The enrollment permissions on the certificate are incorrect.

3) The Template was created for a 2008 R2 CA, but the forest level is still on 2003. A 2008 Cert Template can only be selected if the CA is on a 2008 R2 Server, AND the forest level is at 2008 R2.

4) IE was not opened with elevated creds; even if logged in as a domain admin account, right-click IE > Run as administrator.

5) Last but not least, you have to add the template to the CA to allow it to be issued.
Open the Certification Authority MMC snap-in and select the Certificate Templates node. In the Action menu, select New and then Certificate Template to Issue.
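Items 1, 2, 3 and 5 can be read straight from Active Directory and the CA, so here is an added example (not from the original post) that checks them for one template. It assumes the ActiveDirectory module and certutil.exe are available in a domain-joined admin session; the template name is a placeholder, and item 4 (an elevated browser) is not something a script can check.

```powershell
# Added example, not from the original post: check the items in the list above for one
# template. Assumes the ActiveDirectory module, certutil.exe and a domain-joined admin
# session; the template name is a placeholder. Item 4 (an elevated IE) is not checkable here.
Import-Module ActiveDirectory

function Test-EnrollmentTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,   # the template's name, not its display name
        [string] $CAConfig                              # optional "caserver\CA Name" for certutil -config
    )
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $t   = Get-ADObject -Identity $dn -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag'

    # 1) "Supply in request" sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in msPKI-Certificate-Name-Flag
    $supplyInRequest = ($t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0

    # 2) Enroll permission is the Certificate-Enrollment extended right on the template object
    $enrollGuid = [guid] '0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $enrollers  = (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollGuid } |
        ForEach-Object { $_.IdentityReference.Value }

    # 3) Schema version 3 is a Windows Server 2008 template and needs the matching forest level
    $schemaVersion = $t.'msPKI-Template-Schema-Version'
    $forestMode    = (Get-ADForest).ForestMode

    # 5) The CA only offers templates on its issue list; certutil -CATemplates prints "Name: Display -- ..."
    $caArgs = @('-CATemplates')
    if ($CAConfig) { $caArgs = @('-config', $CAConfig) + $caArgs }
    $issued = (& certutil.exe @caArgs) -match ('^' + [regex]::Escape($TemplateName) + ':')

    [pscustomobject]@{
        Template        = $TemplateName
        SupplyInRequest = $supplyInRequest
        EnrollAllowedTo = ($enrollers -join ', ')
        SchemaVersion   = $schemaVersion
        ForestMode      = $forestMode
        IssuedByCA      = [bool] $issued
    }
}

Test-EnrollmentTemplate -TemplateName 'ContosoWebServer' | Format-List
```

An empty EnrollAllowedTo, a SchemaVersion of 3 against a pre-2008 ForestMode, or IssuedByCA false each map to one item in the list above.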

Enjoy signing certificates on your enterprise CA!

Jan 2018 Update

Even I'm not sure what the heck this post was about, but if my memory serves me correctly, it's for when you attempt to use a particular certificate template in either the MMC snap-in or the CA's web portal and find the certificate is not available from the drop-down menu to be selected.

Kinda wish I would have referenced some of these claims, but I'll take my own word for it. Haha 🙂

Copying Outlook 2013 Signatures

Windows Easy Transfer is an amazing tool for when you want to move all your profile settings and personal files from your old system to your new one.
But like everything it's not perfect; for instance, you can't go from 64-bit to 32-bit (who would want to…).
You can't go from Windows 7 to Windows 8 (yes, it'll copy your files but not your settings, which should be expected, and only via USB HDD).

And one pet peeve is that it doesn't copy over Outlook signatures, given they're located under a user profile directory (C:\Users on Vista and up).

Now copy the files from %APPDATA%\Microsoft\Signatures (%APPDATA% is C:\Users\useraccount\appdata\roaming).
Not to be confused with %localappdata%, which is C:\users\useraccount\appdata\local.

Since these files are hidden system files, I suggest using xcopy with the /i /e /h options.
You can also adjust the Windows Explorer folder view settings to show hidden and system files.

Once these files have been copied to the destination machine for the same user at the same directory,
simply reopen Outlook and check your signatures! Boom, they are back, baby!

Jan 2018 Update Notes

First off, WET is no longer a thing. I will admit I am very sad to see it go; as a systems administrator it was a thing of beauty and made my life a breeze. Sadly, Microsoft has now outsourced this to a partner company, “Laplink's PCmover Express”, and even worse it's a paid product. I personally think it's rubbish; you'd be better off updating/upgrading your software manually and simply moving any files associated with that application manually.

Secondly, you'll notice the use of environment variables. Learn 'em, use 'em; they are a vital tool for management, especially with non-default directories or system drives.

Full Remote Admin in Windows Domain

As a Windows Server administrator, you may find yourself wanting to run some commands or do some tasks on an end user's system.
There's an awesome tool package on the MS site called Sysinternals, developed by an awesome guy named Mark.
However, I was having issues accessing UNC paths until I provided the options for the admin creds,
even though the cmd prompt that was running the psexec command was already elevated with the same creds.
Then I was having issues accessing local system files until I discovered the -h option.

To have a full CMD on remote systems:
“psexec \\remotesystem -u domain\adminaccount -p password -h cmd”

The -h is important as it requests an elevated token on Vista+ systems.

XCopy source destination /e /i /h (copy all hidden and system files for profile use)

/e copies directories and subdirectories, including empty ones

/i assumes the destination is a directory if copying more than one file and it does not exist

/h copies hidden and system files

Now you can move all your Firefox settings, IE settings, and more remotely!

Jan 2018 Update

Use Robocopy, or better yet; PowerShell, instead of xcopy.
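Taking the update's advice, here is an added example (not from the original posts) that does the Outlook signatures copy from the earlier post with robocopy driven from PowerShell, mapping the xcopy switches above onto their robocopy equivalents. The computer and user names are placeholders; it reads the remote profile over the c$ admin share, so it needs admin rights on the source machine.

```powershell
# Added example, not from the original post: copy a user's Outlook Signatures folder from
# a remote workstation's profile over the admin share with robocopy, which copies hidden
# and system files by default (no /h) and creates the destination itself (no /i); /E is
# the counterpart of xcopy's /e. Computer and user names are placeholders.
function Copy-OutlookSignatures {
    param(
        [Parameter(Mandatory)] [string] $SourceComputer,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $Destination = (Join-Path $env:APPDATA 'Microsoft\Signatures')
    )
    # Same relative location as %APPDATA%\Microsoft\Signatures in the source profile
    $src = "\\$SourceComputer\c$\Users\$UserName\AppData\Roaming\Microsoft\Signatures"
    if (-not (Test-Path -LiteralPath $src)) { throw "No Signatures folder found at $src" }

    # /E subdirectories incl. empty; /COPY:DAT data, attributes, timestamps;
    # /R:1 /W:1 one retry after one second; /NP /NJH /NJS keep the output short
    & robocopy.exe $src $Destination /E /COPY:DAT /R:1 /W:1 /NP /NJH /NJS | Out-Null
    $code = $LASTEXITCODE
    # Robocopy exit codes 0-7 are success flags (e.g. 1 = files copied); 8 and up mean failures
    if ($code -ge 8) { throw "robocopy failed with exit code $code" }

    # Show what landed, including hidden files, so the result can be verified before opening Outlook
    Get-ChildItem -LiteralPath $Destination -Force -File | Select-Object Name, Length, LastWriteTime
}

Copy-OutlookSignatures -SourceComputer 'PC-OLD' -UserName 'jdoe'
```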