Friday, October 12, 2018

QuickPost: Removing Trend Micro Worry-Free Business Security Agent without the password

Not too long ago one of the ministry departments of the church-house needed a computer set up in their room to help manage things.

We had an older Dell laptop that was a beater, but was a business class device that still retained more than adequate performance.

It took me the better part of a weekend to bring the Win 7 Pro OS back up to a fully patched and updated state and clean a lot of older/abandoned applications off.

One of my last tasks was to remove the long-expired Trend Micro Worry-Free Business Security Agent off the system.


Before the uninstaller can complete, you must provide an administrator-set password (as a security feature).  Unfortunately, the admin who set it had long-since left the congregation and no documentation was left as to what it could be.


Bother.

Luckily, PowerBiz Solutions “down-under” had a promising tip:

How to uninstall Trend Micro’s Worry Free Business Security client agent without the password - PowerBiz Solutions

The link back to Trend Micro’s solutions page is now “404” but it provided a good start:

Basically, it involves setting the registry key “Allow Uninstall” to 1.
For WFBS versions 5.x and 6.x, this key is located here – HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc
For WFBS versions 7.x, this key can be found here – HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\UniClient\1600\Misc

In my particular case, the version appeared to be 7.x.


A quick look in the Registry found the “AllowUninstall” key.


…which I then changed to the needed “1” value.


Once set, I was then able to go back and run the uninstaller without any password prompt.


Success and done!
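
A read-only way to check whether this override is set on a machine, as an added example that is not from the original post or from Trend Micro. It reads the two key locations quoted above and reports the value; trying both spellings of the value name, also looking under Wow6432Node, and requiring PowerShell 3.0 or later are assumptions made here.

```powershell
# Added example: report the WFBS agent's uninstall-password override.
# Read-only: nothing in the registry is changed.
function Get-WfbsUninstallOverride {
    # Key locations as quoted in the post, by agent version.
    $subKeys = [ordered]@{
        '5.x/6.x' = 'TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc'
        '7.x'     = 'TrendMicro\UniClient\1600\Misc'
    }
    # Assumption: a 32-bit agent on 64-bit Windows may write under Wow6432Node.
    $roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node'
    # Assumption: the post spells the value name both ways, so try both.
    $valueNames = 'Allow Uninstall', 'AllowUninstall'

    foreach ($version in $subKeys.Keys) {
        foreach ($root in $roots) {
            $path = "$root\$($subKeys[$version])"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $valueNames) {
                $value = $key.GetValue($name, $null)
                if ($null -eq $value) { continue }
                [pscustomobject]@{
                    AgentVersion     = $version
                    Key              = $path
                    ValueName        = $name
                    Value            = $value
                    # 1 is the setting that lets the uninstaller skip the password
                    PasswordBypassed = ($value -eq 1)
                }
            }
        }
    }
}

$found = @(Get-WfbsUninstallOverride)
if ($found.Count -eq 0) {
    'No uninstall-override value found under the known WFBS keys.'
} else {
    $found | Format-List
}
```

On a managed fleet, a row with PasswordBypassed set to True on a machine where nobody intended to remove the agent is worth following up.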

I then followed it up with a Microsoft Security Essentials installation that went on without issue and will provide sufficient real-time protection and current signature updates for AV/AM protection.

Cheers!

--Claus V.

Sunday, July 29, 2018

QuickPost: PowerShell Scripts and Win 10 Helps

Since having a system migrated to Windows 10, I’ve noticed a trend of the hard-drive getting significantly fuller now.  I’ve done all the standard post-migration cleanups. I cleared over 40 GB of old software packages off the system and was feeling pretty good.  The next day all my space-gains were lost and I was back at 100 GB of free space where I started.

I suspect there is some caching activity going on in the background and that it is running off a quota that keeps me returning to the magical 100 GB free of a 500 GB drive.

Normally, I’d just run one of these tools to identify the space/file hogs and start cleaning up. I’ve ordered these in my general preference; though I like them all for slightly different things they bring to the table on a space-hunt.

However in this case I cannot use any third-party tools and must stick with using Microsoft OS-based solutions only.

So that led me to find a script I could use in PowerShell.

I’ve divided them into file-size analyzers and folder-size analyzers.

I found it is relatively easy to hunt down singular files on your system in PowerShell that are the largest. However, what happens if you have a bunch-load of very small files? Individually they may never float to the top, however in aggregate, they could add up to a lot of space usage.

I’ve listed these as well in my order of preference.

Note: They all seemed to run fine on my Win 10 systems in PowerShell ISE – though tweaking was needed for each one to target specific folders and/or report outputs – depending on the script.

PowerShell File-Hog Hunters

PowerShell Folder-Hog Hunters
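
A folder-level hunt of the kind described above, using only built-in cmdlets. This is an added example, not one of the scripts the post originally linked; the default root folder, the row limit and the column names are assumptions, and it needs PowerShell 3.0 or later.

```powershell
# Added example: rank the folders directly under $Root by the total size of
# everything beneath them, so many small files show up in aggregate.
function Get-FolderHog {
    param(
        [string]$Root = $env:USERPROFILE,   # assumption: scan the user profile
        [int]$Top = 15                      # assumption: show the 15 largest
    )

    # Sum a set of file objects into one report row.
    function New-HogRow($Name, $Files) {
        [long]$bytes = 0
        [int]$count = 0
        foreach ($f in $Files) { $bytes += $f.Length; $count++ }
        [pscustomobject]@{
            Folder = $Name
            Files  = $count
            SizeMB = [math]::Round($bytes / 1MB, 1)
            AvgKB  = $(if ($count) { [math]::Round($bytes / $count / 1KB, 1) } else { 0 })
        }
    }

    $rows = @()
    # Files sitting directly in $Root get their own row.
    $loose = Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue
    $rows += New-HogRow "$Root (files in root)" $loose

    # Skip junctions and symlinks at the top level so linked trees are not
    # counted twice.
    $dirs = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) }
    foreach ($dir in $dirs) {
        # Subfolders that cannot be read are skipped, so their size is not counted.
        $files = Get-ChildItem -LiteralPath $dir.FullName -File -Recurse -Force -ErrorAction SilentlyContinue
        $rows += New-HogRow $dir.FullName $files
    }

    $rows | Sort-Object SizeMB -Descending | Select-Object -First $Top
}

Get-FolderHog | Format-Table -AutoSize
```

A folder with a large Files count and a small AvgKB is the "many small files" case; run the function again with -Root set to that folder to drill down one level.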

If you do export output to CSV and don’t “pre-format” the bytes output to MB, here is a tip on a custom formatting rule in Excel you can use to make it more readable.

formatting - How can I format bytes a cell in Excel as KB, MB, GB etc? - Stack Overflow

I’ve not loaded Ubuntu on Windows to have a Bash console, but in looking for tools, I came across this that looked pretty neat: ncdu: Identify Large Files on Windows 10 - Trevor Sullivan

Finally, on Win 7 I used a pretty small set of common keyboard shortcuts to navigate my way around the system.  In Windows 10, I’m finding a desire to expand my quick-access key combo skills. Here are some good resources:

If I’ve missed a useful script or you have any tips for hunting for space/file hogs using only “on-board” native Windows 10 OS tools, please drop a comment!

I expect I’ll be adding to the list of links in this post too as I uncover more PowerShell scripts that could be useful. As I post this, I think I am overlooking one or two others that I found useful.

Cheers!

--Claus V.

Saturday, May 26, 2018

Windows Defender Security Center Health Report detail missing

Right now I am running Windows 10 Home x64 OS build version 1803 (aka April Update).

There are a few nutty things that I have observed over the past few weeks. Though the update itself went on smoothly with no issues.

Recently I noticed that the Windows Defender Security icon in the system tray has started to display an error indicator.


Normally that means I need to run a “Quick Scan”, however in this build, that also brings up the Windows Defender Security Center that has a Health report.

The error was caused by a Device driver with one recommendation showing to clear.


Selecting the down-arrow to expand however resulted in nothing seen.


Reboots did not clear the issue.

The non-display of items in the Health report page appears to be a fairly common issue with a number of suggested fixes.

There were a number of different ways I could approach tackling this issue, but here is the way I cleared the problem that most people may find more informative.

I pressed the “Windows” key and then the “R” key to bring up the Run box.

I then typed “perfmon /report” and clicked “OK”.  (more here).


After a minute or two the same Health report was generated but in greater detail via the Resource and Performance Monitor.

Looking in the Warnings/Error section, it was immediately obvious to me that the driver issue was related to the “Virtual CloneDrive” application I have installed.

(Note: I ignored the Photosmart printer error because my printer was offline.)


I have used Virtual CloneDrive from Elaborate Bytes for a very long time with great results. It allows me to mount a wide range of “image” files such as ISO, BIN, and IMG types (among others) as a virtual drive letter for quick content access. It is free and says it is Win 10 compatible.  However it hasn’t been updated for some time.

I next checked my Device Manager properties and confirmed that the device driver was in error.


Rather than go about trying to fix this particular issue, I just uninstalled Virtual CloneDrive from my system. This cleared the error in the Device Manager view.


Checking the Windows Defender Security Center Health report found the error now cleared.


…and the Windows Defender system icon restored to a normal health state.


Takeaway: if you want a really detailed breakdown of issues found in the Health Report, run a “perfmon /report” session to collect your system state details then get troubleshooting!

Additional notes:

Because I was already using the incredible (and in many ways more fully-featured) Pismo File Mount Audit Package application from Pismo Technic Inc. to mount most of my ISO image files anyway, I just updated that one to the latest version available and didn’t bother to reinstall Virtual CloneDrive.

I also have these applications as well on my system so I’m not missing anything when I need to mount a  particular image file:

Cheers!

--Claus V.

Saturday, March 18, 2017

Enhanced Mitigation Experience Toolkit (EMET) 5.5/5.52 Uninstall Error 2738

I’ve been taking the layered “defense in depth” approach on my home systems for some time.

Including using (concurrently)…

Last night something started to go wrong with the process and the wheels came off the wagon.

Here’s how I got them back on.

I am running the Premium (lifetime subscription) version of Malwarebytes. Some time ago they came out with a new 3.0 version release.  I’ve been reading the reviews throughout the rollout and have waited to do the upgrade. One nice feature is it now includes the full version of their awesome Anti-Exploit program at no cost to Premium subscribers; something I was using the limited/free version for but couldn’t protect my Chromium-based Vivaldi browser sessions with as the free version didn’t allow setting of custom protections.

As I said, all the bits had been running fine together although – to be fair – Malwarebytes does warn users of EMET during installation that it has compatibility issues and recommends removal of EMET.  If disregarded, the installation will continue fine.

Thursday night, my Malwarebytes 2.0 version final got auto-triggered to offer me the eligible upgrade to the 3.0 version.

I said OK and let it install.  Installation seemed to go fine. No errors.

However last night, I went to launch Microsoft Excel and EMET went crazy and blocked it from running due to a perceived exploit. That hasn’t ever happened before and I was very confident my system hadn’t been actually exploited. I tried both Excel 2007 and 2010 versions that I have and both got the same reaction by EMET. I then tried Word and it also caused EMET alerts and binary blockage. Hmm.

Well, maybe something in the new Malwarebytes 3.0 was causing a compatibility issue with EMET finally.

So I went to uninstall EMET.  Only I had two versions.


Not sure how that happened. EMET 5.52 was supposed to allow for in-place upgrade of EMET over a prior version. Didn’t recall getting an error before.

So I went to uninstall EMET 5.5 and got this:

EMET 5.5_2017-03-18_15-13-43

Same result trying to uninstall EMET 5.52

I tried repairs, changes, etc. to both EMET applications. I still had the original MSI installers for them both but even re-downloaded them from Microsoft. None seemed successful.  Note the dates in the “Installed On” column were yesterday’s so something in the processes I did worked, but it wouldn’t let me uninstall them; continuing to present that same “error code is 2738” message.

Since using Excel/Word were critical last night, I worked around the problem by removing all the EMET setting protections for the Microsoft Office suite application binaries. That let me run them without being blocked.

I figured that would be enough, but this afternoon I went to open a PDF with Adobe Reader – and EMET blocked it too from launching due to some kind of perceived exploit.

EMET had to finally go and I had to punch through that error code.

I ended up in a Microsoft forum where others with previous versions of EMET had encountered the same error but it seemed on installations – not uninstall activity.

Technet forums – Security (EMET forum search for “2738”)

Looking through them many seemed to share a common thread with a previous anti-virus product taking over, corrupting, or locking down a VBScript dll process.

Well, perhaps my Malwarebytes and/or CryptoPrevent protections were keeping the vbscript.dll service from being accessed or running?

So I removed my CryptoPrevent protections and disabled my MalwareBytes application.

Nope. Same error.

I did some more digging on a wider net and the more I read about other non-security applications having a “2738” error on installation, I became convinced it was all related.

So after reading multiple posts I was confident to do the deeper work needed to try to fix this issue.

Using Registry Finder (under an elevated Administrator session) I searched my registry for the string {B54F3741-5B07-11cf-A4B0-00AA004A55E8}.

It came up 12 times, all in the expected locations, except I did have a single odd-string out under the HKEY_CURRENT_USER location. I was pretty sure that was my problem.

[HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}]

All the rest were under HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE, or HKEY_USERS.

I exported the registry key first (just in case) then I deleted it.

I then opened up CMD (under an elevated Administrator session) and ran the following commands (note my system is a Windows 7 Home x64 OS):

  • cd %windir%\syswow64<enter>
  • regsvr32 vbscript.dll <enter>


I then went back and attempted to remove EMET 5.5 and it uninstalled with no more error 2738 codes.

I then followed by removing EMET 5.52 and it came off just fine as well with no errors.

I wrapped things up by re-applying my default CryptoPrevent and MalwareBytes protections states again.

Done.

Again, the trick was to remove the Registry entry just under the HKCU location where it was found present, then re-register the vbscript.dll component properly.

Later while preparing for this post I did find this EMET-related forum post that basically walks one through the same steps for an earlier version of EMET on a x32 bit based version of Windows 7. If you try to follow that and have an x64 bit version of Windows, you will need to adjust accordingly.

EMET 3.0.0 Installation fails on Win7 Pro 32Bit - Error Code 2738 – Microsoft TechNet

Additional resources and guides for addressing the Error Code 2738 problem:

The key to understanding why this works (and where the problem lies) is explained nicely in Heath’s above post:

As some people have found, re-registering the runtime libraries vbscript.dll and jscript.dll will fix the errors, but that isn’t always the solution.

As a security measure, Windows Installer will not load script engines registered in HKEY_CURRENT_USER. As a user-writable store, a normal user could get an elevated install to run their library masking as a script engine if the custom action was not explicitly attributed with msidbCustomActionTypeNoImpersonate (0x0800). This is an elevation of privileges attack; thus, Windows Installer returns error message 2738 or 2739 for custom actions type 6 and type 5, respectively, and returns Windows error 1603, ERROR_INSTALL_FAILURE.

Because – somehow – vbscript.dll did get itself registered under my HKEY_CURRENT_USER location, the EMET MSI uninstaller script could not execute. Only by pulling it out, then re-registering it in the correct location automatically, would the removal process complete.
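
The check behind that diagnosis, as an added example that is not from the original post or from Microsoft. It lists where the VBScript engine CLSID from this post is registered and flags any per-user (HKCU) copy, the kind Windows Installer refuses to load; it is read-only and assumes PowerShell 3.0 or later.

```powershell
# Added example: show every registration of the VBScript engine CLSID and flag
# per-user ones. Read-only: nothing is deleted or re-registered.
$clsid = '{B54F3741-5B07-11cf-A4B0-00AA004A55E8}'   # CLSID searched for in the post

function Get-ScriptEngineRegistration {
    param([string]$Clsid)
    # Standard COM class locations, per-user first. The Wow6432Node keys hold
    # the 32-bit view on 64-bit Windows and do not exist on 32-bit Windows.
    $locations = [ordered]@{
        'HKCU:\Software\Classes\CLSID'             = 'per-user'
        'HKCU:\Software\Classes\Wow6432Node\CLSID' = 'per-user'    # where the post found it
        'HKLM:\SOFTWARE\Classes\CLSID'             = 'per-machine'
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' = 'per-machine'
    }
    foreach ($base in $locations.Keys) {
        $key = "$base\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # The default value of InprocServer32 names the DLL that would be loaded.
        $server = $null
        if (Test-Path -LiteralPath "$key\InprocServer32") {
            $server = (Get-Item -LiteralPath "$key\InprocServer32").GetValue('')
        }
        [pscustomobject]@{
            Scope          = $locations[$base]
            Key            = $key
            InprocServer32 = $server
        }
    }
}

$all = @(Get-ScriptEngineRegistration -Clsid $clsid)
$all | Format-List

$perUser = @($all | Where-Object { $_.Scope -eq 'per-user' })
if ($perUser.Count -gt 0) {
    Write-Warning ("{0} per-user registration(s) found. Windows Installer will not load a script engine registered in HKEY_CURRENT_USER, so MSI custom actions that use VBScript fail with error 2738." -f $perUser.Count)
    # Print (do not run) a backup command for each key, matching the post's
    # "export first, then delete" order.
    foreach ($r in $perUser) {
        $regPath = $r.Key -replace '^HKCU:', 'HKCU'
        "Back up first:  reg export `"$regPath`" vbscript-hkcu-backup.reg"
    }
} else {
    'No per-user registration of the VBScript engine found.'
}
```

The InprocServer32 column is worth reading as well as the Scope column: a per-user entry that points at a DLL outside the Windows directory is the masquerading case the quoted passage describes.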

Final thoughts.

I only removed EMET from this particular system as it exhibited the crazy mitigation interceptions for Microsoft Office immediately after upgrading to MalwareBytes 3.0 Premium.

On my other Windows 7 Ultimate system, I am still running EMET (5.52 only) along with the protections noted in the top of this post. The only difference is that I’m using the free version of Malwarebytes 2.0 on it (without real-time protections). So until an issue appears, I’m keeping EMET on that system.

Lavie still is running Windows 8.1 on her laptop with a similar configuration. Lesson learned is that I will first remove EMET before upgrading her MBAM Premium version from 2.0 to 3.0.

Cheers!

--Claus Valca

Friday, September 30, 2016

Fix EasyWorship 2009 issues with new SongSelect site

We continue to use an older version (EasyWorship 2009) of EasyWorship for our church service projection screen management.

We’ve tried the newer EasyWorship 6 release – and it does have a lot of very attractive features – however the process and projection flow just doesn’t fit us as well as the older EasyWorship 2009 layout.

Anyway…EasyWorship has a plug-in like feature that allows you to sign into the SongSelect service with your associated account and easily import song lyrics directly into your EasyWorship song database.

Recently SongSelect updated their website design and it created several problems within the EasyWorship 2009 program.

First, the SongSelect webpage was “broken” in rendering within EasyWorship 2009

EWorship 2009 SongSelect Window - Pre-Fix

It may be hard to see but that banner area is all whacked out and the Sign In link didn’t work well at all.

Secondly, one could go to the SongSelect Classic page using the offered URL in that broken banner area and log in,

EWorship 2009 SongSelect Window - Pre-Fix - SS Classic

However while you could then log in normally, when we went to try to import song lyrics the “Import” button remained grayed out while using this “classic” login method. 

Our workaround was to download the lyric as a text file, then copy/paste it into a new song record in the database. This was less than ideal as you missed out a lot of the “meta-data” for the song item and had to manually put all that in as well.

I did some searching and found this helpful fix in the EasyWorship support forums.

SongSelect Webpage Fix for EasyWorship 2009 : EasyWorship Legacy  (URL change updated 2017-01-12)

Basically, you download an IE Fix patch from them for your Windows OS version and run it. It unpacks the EXE file to a temporary location, executes a batch file, and then applies a REG key fix to your Windows Registry to fix the issue.

In case you are curious, the fix just applies one of these registry tweaks depending on your OS (32 or 64 bit).

For x32 bit Windows OS:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"easyworship.exe"=dword:00000000

For x64 bit Windows OS:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"easyworship.exe"=dword:00000000

Once that was done, EasyWorship 2009 then displayed the new SongSelect website page correctly (compare to before as seen above):

EWorship 2009 SongSelect Window - Post-Fix 1

And the sign-in page displayed properly.

EWorship 2009 SongSelect Window - Post-Fix 2

After logging in this way and selecting a song’s lyrics we found that the EasyWorship application’s “Import” button worked again for full and normal song lyric importation.

Bonus Easy Worship 2009 notes:

While working this issue, I found that our installed version of EasyWorship 2009 is at 1.4 but there is a later version 1.9 that is available to fix some issues.

The upgrade process is very easy.

Upgrade 2009 1.4 to 1.9 Procedure? - EasyWorship Community

  1. Download the full EasyWorship 2009 v1.9 setup installer file
  2. Be sure EasyWorship is closed out on your system.
  3. Run the setup file you downloaded; resulting in an installation over your existing version.
  4. Done. (no license or registration information is requested or needs to be re-entered)

More information about the version 1.9 build change notes here in case you are curious: EasyWorship Community • View topic - EasyWorship 2009 Build 1.9 Now Available!

If you have to reinstall EasyWorship 2009, there is some information you want to capture first from your currently registered/working software:

Reinstalling EasyWorship 2007 and 2009 - EasyWorship Legacy (URL change updated 2017-01-12)

Locate Your Registration Information

If you do not have your registration info, you can get this info from the old computer.
Your Registration Information consists of the following:

  1. Name
  2. Phone Number
  3. Serial Number

To locate this information on the old computer open EasyWorship. Go to the main menu and select Help>About EasyWorship. The church name and serial number will be shown at the bottom.

To locate the phone number, select Register on the left side of the About window.

See also: Backup and Transfer Your Database (EW 2009) - EasyWorship Legacy (URL change updated 2017-01-12)

I hope anyone still using this older version of EasyWorship 2009 like us finds this information helpful.

Cheers!

Claus Valca

Prepping a USB stick to play music files in a Camry

A while back little bro adopted a new Toyota Camry.

One of the features it comes with is the ability to play music off a USB stick.

So he grabbed a very nice Lexar brand USB 3.0 64 GB USB stick while at a local office-supply store and copied his music files to it.

Unfortunately it didn’t play. His old USB 2.0 1 GB stick worked fine in the vehicle.

He thought it might be a bad stick (or that the sound system didn’t support USB 3.0) and was getting ready to return it to the store but I asked him a few questions.

First he confirmed it was NTFS formatted. That’s pretty common on many newer USB 3.0 sticks I’ve seen lately. I suggested he might want to try formatting as FAT32.

Note: Per the 2017 Toyota Camry Owners Manual (page 272) this requirement was later confirmed: file system format needed to be FAT 16/32. Other important points are that the USB device can only have 8 levels of folder hierarchy, a maximum of 3000 folders, a maximum of 9999 files, and a maximum of 255 files per folder.  Files must be in MP3, WMA, or AAC format.

The next problem was that his Windows 10 system would only offer to format the device in exFAT.

So I had him go CMDo and run DISKPART.

  • DISKPART>list disk
  • DISKPART>select disk # <—picked # that represented USB stick on his system
  • DISKPART>clean
  • DISKPART>create partition primary
  • DISKPART>active
  • DISKPART>assign letter = E
  • DISKPART>format fs=fat32
  • DISKPART>exit

Only that netted him an error during the formatting process that the volume was too big.

Then I remembered a GUI utility from Ridgecrop Consultants Ltd that I used a long time ago.

It is free and can format FAT32 volumes beyond the normal 32 GB size limit that is sometimes encountered. It never let me down in the past.

He downloaded the tool, ran it as an admin, selected his USB drive, kept the default allocation unit size, and did a quick format on the 64 GB USB device. Done.

He tested and the USB stick (and media files) were now recognized with no issues by the sound system.

Mischief managed.

This seems to be a common issue many Toyota owners run into with newer/larger USB sticks so I thought I would drop a post for posterity.

Cheers!

Claus Valca

Monday, September 05, 2016

Valca Windows KeyFinder Utilities

Last night I was culling my collection of Windows key-finding utilities.  There were some that had gone “404” and others that didn’t seem stable (or effectively work at all) on newer Windows 7/10 systems.

Many were collected back in the days of Windows XP so I decided to pick through them and dump the oldest ones and add some new ones.

This morning I saw that the TinyApps.org bloggist was hard at work on his own list!

Possibly we are being confronted with similar troubleshooting and service issues?

Here is my list and there are some similarities (as presented in semi-alphabetical order).

Some of these recover more than just the Windows OS key.

Some have not been updated in a while and may not work effectively on Win 7/8/8.1/10.

Then there is the manual method using CMD or PowerShell for most Win 10 / 8 / 8.1 systems.

I tend to prefer ProduKey, ShowKeyPlus, and Windows OEM Product Key Tool as my primary tools.

Cheers,

Claus Valca