Saturday, September 24, 2011

Windows 8 Linkage: “Majestic Metro” version

cc image credit: image by hyku on flickr

I’m having a really, really hard time getting excited about Windows 8 and its “majestic” Metro design style and interface.  So hard I almost skipped posting these links.

I’m now more comfortable in the Windows 7 environment and experience than I was/am in Windows XP. Don’t even get me started on my limited Vista run.

There are a lot of technical pundits much smarter and more versed in pre-analyzing the pre-Windows 8 packages that Microsoft have pushed out.  Though I have dutifully downloaded the public “Developer Preview” version and got it spinning on a virtual machine (VirtualBox if you care to know), I haven’t tried (nor care at this point) to dual-boot it via a VHD container on real hardware. Nor do I have access to a “tablet” or touch-screen device to really take full advantage of the Metro touch interface. (Yawn)

However, my initial response is that it is pleasant and somewhat interesting. I’m sure the new advances in the kernel and OS functionality will improve on the already quite refined Windows 7 version in terms of security and user-perceived performance.

However, unlike Windows 7, I will not be rushing out to the store to snap it up and upgrade our Windows 7 systems.  They just work too well, are too stable, and are too nice to bother. For now.

Heck, I can’t get my dad to upgrade from Vista to Windows 7.  He actually likes and trusts it. Forget about getting him to leap to Windows 8!

Which leads me to my next concern: with so many enterprises and businesses just now finally making the upgrade jump from XP to Windows 7, will Microsoft be able to sell them on Windows 8 with its funky Metro interface (noted, it can be disabled for a more “Classic” business-like desktop experience) and even newer under-the-hood architecture?  Probably, eventually, I suppose…maybe on the same general timeframe as those XP-to-Windows 7 adoption rates.

So, here is the obligatory GSD post of everything you probably need to know (IMHO) about Windows 8, for now, to satisfy your curiosity, and get you started kicking the tires.

First, a Meet and Greet

Your Windows 8 questions, answered - TechBlog’s Dwight Silverman

Making business lust for Windows 8- TechBlog’s Dwight Silverman

Windows 8–First thoughts - Mister Goodcat

Getting Windows 8 Developer Preview

Windows Metro Style Apps Developer Downloads - Microsoft MSDN Dev Center. Get the ISOs here.

Installing Windows 8 - Virtual Box method

This was the method I went with. I used Mister Goodcat’s pitch-perfect walkthrough post to get my version  -- Windows 8 Windows Developer Preview English, 32-bit (x86) -- up and running in just a few minutes. Check them all out first as they all provide good perspectives before starting.

Installing Windows 8 Developer Preview in a virtual machine - Mister Goodcat

Pay particular attention in that post above where Mister Goodcat explains at the end how to manually adjust the screen size resolution outside of the VirtualBox session to allow you a better “wide-screen” ratio level. It’s worth the read if you go this method.

Windows 8: An installation walk-through - Hardware 2.0 blog at ZDNet

8 and Windows VirtualBox: how it works - (GTranslated) - Caschy on the German blog

Virtualize Windows 8 ... - (GTranslated) - Gunter Born’s “Borns and Windows IT Blog”

Running Windows 8 on VirtualBox with Additional Wide Screen Resolution - Windows7hacker

Installing Windows 8 - VHD Native/Dual-Boot Method

This is the method I used to pre-test Windows 7 release versions back in the day on my Vista system.  It worked great and there was considerable benefit to running the OS on “real” hardware.  It was easy.  I didn’t love Vista so much so I didn’t really care about data-loss then. I really like my Windows 7 installation on my blazing-fast Dell Studio system so I’m more hesitant this go round.  Maybe I’ll see if Alvis wants to be a volunteer geeklet for the Win 8 testing cause with her laptop…

Guide to Installing and Booting Windows 8 Developer Preview off a VHD (Virtual Hard Disk) - Scott Hanselman’s Computer Zen blog

Installing Windows 8 Developer Preview as bootable VHD - Mister Goodcat on pitorque.

Dual Boot Windows 8 from VHD using Windows Setup - Concurrency Blog

How to Dual-Boot Windows 7 and Windows 8 Side By Side - Lifehacker

Native VHD Boot Windows 8 as Virtual Machine with Windows 7 - Windows7hacker

USB Install Method & Windows 8 “To Go”

8 Windows install from USB stick - (GTranslated) - Caschy on the German blog

Also interesting is the (native) ability to boot and RUN Windows 8 directly off a USB stick.  This is similar to, but much more fully developed than the Windows PE environment fans such as I have been hacking and using for some time now with great delight.  Rather than running in a diminished (pre hack) OS environment, this would be the full-meal-deal OS on a stick.

How to create your own Windows 8 To Go Developer Preview - Gunter Born’s “Borns and Windows IT Blog”

(Revisited) Creating Windows 8 To Go on a 16 GB USB-Stick - Gunter Born’s “Borns and Windows IT Blog”

Windows To Go: Bootable Windows Drive May Revitalize Flash Market - EverythingUSB (with video demo)

Just In Case you were Curious

Windows Developer Preview 8-compliant Key? - Gunter Born’s “Borns and Windows IT Blog”

Windows 8 Developer Preview (Build 8102) Expiration Date - CyberNet News blog

Obligatory Tweaking Tips and Utilities

The first link is the utility I chose to use to wrest control back from the Windows 8 interface. The second link I needed because I was impatient and just wanted to shut the thing down.

Metro UI Tweaker for Windows 8 Released - The Windows Club

Shutting Down Windows 8 - Windows7hacker

Metro controller: Disabled MetroUI & Co under Windows 8- (GTranslated) - Caschy on the German blog

Bringing Back The Old Style of Windows 7 Start Menu in Windows 8 Developer Preview - Windows7hacker

How To Shut Down The Full Screen Running Metro Style Apps in Windows 8 - Windows7hacker

Windows Developer Preview 8: Classic Start Menu and switchen MetroUI via context menu - (GTranslated) - Caschy on the German blog

Windows 8: Quick access to applications - Gunter Born’s “Borns and Windows IT Blog”

5 Ways To Tweak Windows 8 Start Menu with Metro UI (Developer Preview Edition) - Windows7hacker

Yeah, that TouchScreen thing


Windows Simulator Lets You Simulate Windows 8 Touch Features Using Mouse - di’ D’Technology Weblog.

8-touchscreen Windows Simulator - Gunter Born’s “Borns and Windows IT Blog”

Open in Case you now need to RTFM of sorts (sponsored by Lifehacker)

Windows 8 In-Depth, Part 1: The Metro UI - Lifehacker

Windows 8 In-Depth, Part 2: The Desktop - Lifehacker

Windows 8 In-Depth, Part 3: Windows Explorer- Lifehacker

Windows 8 In-Depth, Part 4: The Revamped, Vastly Improved Task Manager - Lifehacker

Technically Speaking Now

UEFI Secure Boot in Windows 8 Explained, The Customer is still in Control of Their PC - Windows7hacker

A Close Look at Windows 8 Revamped Task Manager - Windows7hacker

Windows Server 8 Sheds Its Graphical Baggage - ReadWriteCloud

Links...and whatnot - Windows Incident Response blog - Harlan’s post has some initial forensic observations about the Windows 8 Registry hive structure.

Watch List for Future developments

Building Windows 8 - Blog posts from the Windows engineering team on MSDN Blogs

Windows 8 - Windows7hacker

Hard to believe it was a scant three years ago just a few days from now when I was covering all this ground for the (then) dawning release of Windows 7: Windows 7 – Getting my feet wet…Cannonball style!

Ahh memories….

--Claus V.

On the Hunt…

(no, this is not a picture from one of our network rooms, though the similarity looks uncanny.)
cc image credit: mrtom on flickr

One of the (many) critical projects I’m currently working on has our team upgrading the network switch hardware across our enterprise.

That alone should be fairly simple: get new switches as needed, pre-configure the new switches, schedule swap-time with the customer, un-patch cables from the old switches, put in the new switches, re-patch cables into the new switches, move on to the next site.  Easy, right?

However, a few very critical things (from a network security standpoint) are causing a lot of work and late nights.  Until recently, there was no real documentation kept on where all the network cables/jacks in the facilities were located, patch panel labeling at “old” sites was spotty at best, and furniture and office improvements left access to jack plates, and trust in their labels, weak at best.

So to take control back of the physical layer, my partner and I have to physically survey and account for the location and labeling of every cable we patch down into the new switches.  Considering the size of some of our facilities and number of users, this is a tremendously daunting process.  Oh yeah, the two of us typically have just a day on-site to do everything…from survey to final patch down.

Semper paratus, we load up and head out.

When we complete this project for all our facilities, we will have up-to-date floor plans of our physical cable topology and the documentation to match. Couple that with being able to administratively disable the actual ports (not in use) on the switches now, and we can go a long way to extending our network security and troubleshooting.  And this is just laying the foundation.

So, here are some free tips and tools and the methodology I’ve painfully worked out as our project and techniques have matured, that maybe can help others taking on this task; YMMV.

  • Recon work and data-gathering is the key.
  • A day or two prior to the facility upgrade day, I remotely run a series of scans from a box at the location to collect key data off the local network.
  • Free IP Address Tracker from SolarWinds - This tells me which IP addresses are active (at that moment), their host name (in most cases), and some supplemental data which could be useful. Results are exported into a CSV file.
  • Colasoft MAC Scanner - This free tool very quickly rips through the local network and provides me a list of active IP addresses, host names (in most cases), and, very importantly, the MAC address of the machine. Results are exported into a CSV file.
  • There are some other free tools such as Nir Sofer’s FastResolver and SoftPerfect Network Scanner and Radmin’s Advanced IP Scanner 2.0 that can also handle those tasks but for speed of scan and ease of export, I prefer the first two myself.
  • Once those scans are in hand (usually both in less than 10 minutes), I then prepare a MyIPS.txt file for the location that contains all the IP addresses (one per line) that the subnet contains.
  • I then couple that TXT file with the following simple DOS BAT file I worked up. The original source of the technique is lost to me at the moment, so I can’t give proper credit, but I suspect it is related to some tips found on this page: Ping list of computers from a txt file 


FOR /f %%i IN (MyIPS.txt) DO echo %%i & echo %%i >> SCAN-RESULTS.txt & nbtstat -A %%i | find "<00>  UNIQUE" >> SCAN-RESULTS.txt & nbtstat -A %%i | find "MAC Address" >> SCAN-RESULTS.txt

  • Normally I include ALL the IPs for the location in the MyIPS.txt file that is feeding the DOS BAT file above. I do so to ensure full coverage. However, the drawback is that depending on the number of IPs that your subnet provides, that can take a REALLY long time to complete. So if you want to save some time, and are willing to accept some possible skips, you could filter one of your Colasoft/SolarWinds export files for active IPs only and feed it that instead.
  • Note: I typically run these scans around mid-morning or mid-afternoon when I am most likely to catch the maximum number of users at their desks and PC’s turned on.
  • Now that I have my SCAN-RESULTS.txt file, which provides me the IP address, the HOSTNAME, and the MAC address of each “active/responding” IP, I have to clean it up into a nice CSV format.  Some quick cut/trim/replace work using Notepad++ usually does the trick in short order.
  • Lastly, I need one more CRITICAL piece of information, switch/switch-port/MAC mapping.
  • I telnet onto each of the local switches at the site and, after authenticating, I run a “show mac-address-table” command.  I copy this output into a text file.  This gives me the MAC address being reported for each switch/port.  Your command may vary depending on switch manufacturer, model, and firmware version. However, if it is a managed switch, you should have something similar.
  • Whew, get up and stretch and grab a beverage.
  • Returning to my desk, I then use a combination of Notepad++, Excel, and some clever multi-tab/multi-view work to “basically” create a spreadsheet that uses the MAC as the commonality for matching the information in the various logs.  My final spreadsheet contains rows for the IP address, the HostName, a device-name field (to be used for printers and other non-PC network items that HostName may not apply to), MAC address, switch number, and port number on that switch. If you do this, you will have to work out the technique, but I think you will get the general idea quickly.
  • For rows where I got an IP address with a MAC address only, after all this work I perform some additional network discovery tricks (attempt to connect via HTTP/FTP to the device), a fresh NBTSTAT -A on just the IP (in case someone turned on their PC late in the scan and got skipped) or some other tricks.  Usually I achieve a 98% success rate.
  • I then create two versions of this spreadsheet; one sorted by HOSTNAME and the other sorted out by switch number/port number.
  • With these now printed out and on hand we hit the site and perform a physical survey:
    • I sketch out our data/relay racks and the patch panels on them.  I later convert this into a sweet Visio diagram using cool object figures of rack components.
    • I have a template sheet that represents our patch panels. I use this during the project rollout to document the physical panel/slot numbers, the actual labels for the ports, the room numbers where the jacks are located, if they are “active”, and if they are patched into a switch.
    • With floor plan in hand, we then perform a physical survey of the site, room by room, wall by wall, public and non-public spaces.  We note the actual data jacks found on the hard-copy, what they are labeled, and the name of the host system/device attached.
  • With results in hand, I then sit down to reconcile the patch-panel documentation against the physical survey. Sometimes it matches nicely, sometimes it does not. Sometimes cables may have been abandoned (in the ceiling, in the wall, etc.) or are lost behind filing cabinets that cannot be moved. These are so noted and all “unknown” cable ends are not patched down.
  • For cases where we were not able to see the jack to get a jack number (behind a desk) I can then pull out my spreadsheet and look up the system’s host-name to find its corresponding switch/port association. My partner or I then back-trace the cable from that switch/port back to the patch-panel to discover the panel/jack label.
  • For rare cases where we were not able to “network discover” the PC-to-Jack-to-Panel-Switch association (for example, a cable that is found to be “hot” into a switch but has no PC on it and the jack is not labeled), we normally would have to tone it out. However, as anyone who has attempted to tone out a cable known to be plugged into a switch knows, it can be a real challenge.  Luckily, I recently found a very reasonably-priced toning tool that has a “cable ID” feature: Psiber Data Systems Inc. Cable Tracker.  Set this little gizmo to Cable ID in one of three “pattern settings” and it will flash a beacon pattern on your switch. Just look for that beacon and you then are able to back-trace up the panel.  Alternatively, you could attach your laptop to the jack, note your MAC address, then telnet to the switch and find what switch/port it is on.
  • Note, a partner and a set of good heavy-duty radio units (does anyone call them “walkie-talkies” anymore?) make this a fast two-person job; one person is stationed at the patch-panel while the other roams the field.
  • Note: A very cheap but indispensable network testing tool IMHO is the (Amazon linked) Test-Um TP 100 - Network tool/tester kit. Plug this non-powered device into a network (or telco) jack and if it lights up, you will know the other end is connected to your network/switch.
  • Once we are comfortable we actually know where all the jacks are and who is plugged into them (this can be done pretty non-intrusively during business hours) and the patch-panel documentation template sheets have been updated with the findings, we wait until operations shut down and start pulling off all the patch cables, pulling out all the switches, and mounting the new ones.
  • Then we pull two hard-copy documents; the first is the patch-panel documentation sheet that tells us where all our active users are, and what jacks they are associated with.  Also I have a hard-copy template of our new switches/ports in tabular format.
  • We look on the patch-panel sheet to find the first active port, patch it down into the switch, note on the patch-panel sheet we patched it, and note on the switch port sheet which physical patch panel/port number it came from. (Note I prefer that notation over “labels” as labels can change but the physical panel/port numbers are less likely to.)  And so we repeat the process until we are done.
  • Final step (so no customer is accidentally left unpatched) is to use the aforementioned Test-Um TP 100 unit at the patch-panel to back-check all the unpatched patch panel ports to see if there is attached network equipment we overlooked.
  • If so these also get patched (for now) and noted on the patch down sheets. More on that in a moment.
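To show the MAC-keyed join described above done in a script rather than by hand in Notepad++ and Excel, here is an added Python example (not code from the original post). The SCAN-RESULTS.txt text and the switch table are constructed samples, and the Cisco IOS “show mac-address-table” layout is an assumption. Beyond the spreadsheet itself, it flags ports that report several MACs (an uplink, or the kind of rogue mini-switch mentioned later) and the hot ports with no scan match that need the follow-up capture.

```python
import re
# Constructed SCAN-RESULTS.txt as the nbtstat loop above writes it: every IP is echoed,
# and the "<00>  UNIQUE" (computer name) and "MAC Address" lines follow only for hosts that answered.
SCAN_RESULTS = """\
10.1.5.20
    WS-ACCT-01     <00>  UNIQUE      Registered
    MAC Address = 00-1A-2B-3C-4D-5E
10.1.5.21
10.1.5.22
    PRN-HR-02      <00>  UNIQUE      Registered
    MAC Address = 00-AA-BB-CC-DD-EE
10.1.5.23
    MAC Address = 00-11-22-33-44-55
"""
# Constructed "show mac-address-table" output, one entry per switch (Cisco IOS layout is an
# assumption; only the dotted MAC and the last column, the port, are read; adapt IOS_MAC for other gear).
SWITCH_TABLES = {
    "SW1": """\
Vlan    Mac Address       Type        Ports
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/12
  10    0011.2233.4455    DYNAMIC     Gi1/0/15
  10    0099.8877.6655    DYNAMIC     Gi1/0/20
  10    0055.6677.8899    DYNAMIC     Gi1/0/24
  10    0066.7788.99aa    DYNAMIC     Gi1/0/24
""",
}
NON_HEX = re.compile(r"[^0-9a-fA-F]")
IP_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
IOS_MAC = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b")

def normalize_mac(raw):
    """Reduce any vendor spelling (00-1A-2B-..., 001a.2b3c....) to aa:bb:cc:dd:ee:ff."""
    digits = NON_HEX.sub("", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_scan_results(text):
    """Return {mac: {"ip", "hostname"}} for every IP whose nbtstat query got an answer."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if IP_LINE.match(line):
            current = {"ip": line, "hostname": ""}
        elif "<00>  UNIQUE" in line and current is not None:
            current["hostname"] = line.split()[0]
        elif line.startswith("MAC Address") and current is not None:
            hosts[normalize_mac(line.split("=", 1)[1])] = current
    return hosts

def parse_mac_table(text):
    """Yield (mac, port) from one switch's MAC table; the port is the last column."""
    for line in text.splitlines():
        m = IOS_MAC.search(line)
        if m:
            yield normalize_mac(m.group(0)), line.split()[-1]

def build_inventory(scan_text, switch_tables):
    """Join scan results to switch ports on the MAC, as the post's spreadsheet does."""
    port_macs = {}
    for switch, table in switch_tables.items():
        for mac, port in parse_mac_table(table):
            port_macs.setdefault((switch, port), set()).add(mac)
    # A port reporting several MACs is an uplink or an unauthorized hub: never an edge port.
    edge, multi_mac_ports = {}, []
    for key, macs in sorted(port_macs.items()):
        if len(macs) == 1:
            edge[macs.pop()] = key
        else:
            multi_mac_ports.append(key)
    hosts = parse_scan_results(scan_text)
    rows = []
    for mac, host in sorted(hosts.items(), key=lambda kv: tuple(map(int, kv[1]["ip"].split(".")))):
        switch, port = edge.get(mac, (None, None))
        rows.append(dict(host, mac=mac, switch=switch, port=port))
    # Edge ports whose MAC nothing in the scan claims: the hot-but-unidentified patch-downs.
    unknown_ports = sorted(key + (mac,) for mac, key in edge.items() if mac not in hosts)
    return rows, unknown_ports, multi_mac_ports

if __name__ == "__main__":
    print(*build_inventory(SCAN_RESULTS, SWITCH_TABLES), sep="\n")
```

Rows with a MAC but no switch/port are hosts seen only behind a multi-MAC port, which is where a hub or an unmanaged switch usually turns up.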

The final documents are then converted into electronic versions to share with our other network administrators for use on an ongoing basis. When new cables are added to the site, the electronic floor plan copy showing the found jacks/numbers/locations gets updated, the panel sheet gets updated also. When customers/equipment is pulled, the sheets get updated, the ports get disabled on the switch. When customers/equipment is added/changed, likewise the sheets.

  • I also use this information to “label” the switch ports inside the switches with the corresponding panel number and port number.  This lets us find the systems physically very quickly if we have an incident and are provided a MAC address or IP.  A few quick searches and I can not only disable the switch port immediately, but can then direct responding staff to the physical location of the system using all the documentation.
  • Yes. All inactive/unpatched switch ports are administratively disabled to discourage local site staff from being creative and moving network equipment around into areas without IT approval and handling.

Later (very soon after we are done), I address the few “unknown” patch-downs we did where we found a hot jack on the panel that didn’t correspond to any physical network items during my scan discovery process or physical survey.

  • Because I had documented the switch/port we patched it into, I can then telnet on the switch and get the corresponding MAC address.
  • Then I run a Wireshark or Network Monitor capture session at the site filtering only for that MAC address.  That almost always nets me the host-name or other identifying information about the device. With that and our asset inventory at my disposal I can trace out the owner/name and assign that to a technician to perform a site-visit to perform another physical location check. Once that is confirmed, they can provide me the missing jack location and documentation is so updated.

We don’t (usually) have to contend with (authorized) wireless devices/access point hardware in our network so that makes things a bit simpler.

Also, after a while, you learn (and are not surprised) to find the odd non-authorized mini-switch/hub unit the local customer brought in without consulting IT (…we thought it would cost too much to request you to run a new cable, …it’s just for a few days, …we are having a meeting and the conference room has just one data jack, etc.).

Eventually, once this phase is done, the IT policy makers/managers will need to decide if it would be good policy to implement and enforce MAC filtering on the switches to only allow known and approved hardware/devices to connect.  That will certainly lock down the switches even more, but will also add IT network administration overhead to keep up with our constantly moving customers in all the offices we support.

See. Like I said.  Easy.

If anyone has any recommendations or additional tips/tools/utilities you have found helpful in your own network surveys and documentation acquisition, please drop your suggestions in the comments.  I’d value anything to refine this process even more.


--Claus V.

VBScript Resources

For the past few weeks at work, we have been doing some preventative response work on all the workstations across our enterprise environment.

The response was based on log-file results…the only problem was that sometimes the result descriptions we were being provided either didn’t make logical sense or didn’t match what we observed when we manually checked some of the aberrantly reported systems.

I really don’t like chasing shadows, so I set out to find the mechanism generating the raw report data/logs which got re-canned into the report we had to respond to.

Not only did I find it (pretty easily) but I also found where it dumped the raw file daily.  So now we could pre-pull and assemble our own report at least a week faster than the canned report we were using got generated/refreshed. Sweet.

Finding the source, I discovered that the raw log file collector was actually a very nicely coded VBScript. (BTW, did you catch that Nir Sofer released a new CSV/Tab-Delimited file viewer and converter utility? And that MANDIANT announced a new release of their free Highlighter utility?)

Once I had a copy of it, I could then pick it apart to understand exactly what was actually being reported (source) and what the labels provided (on the canned report) actually meant.

Turns out most of it was pretty close. But because of which data points are actually collected off the system, the way the application calls generate the raw results, and the way those results are manipulated to generate the report, the labels might not be “logically accurate” in strict technical terms, although they may be “practically accurate” for the machine status items being measured and of concern.

So now our response teams know what the report is “really” telling them, we can all prioritize our responses a bit more finely.

Only, to get to that point of really understanding what the VBScript was doing--remember IANAC (I am not a coder)--I had to get up to speed on some VBScript fundamentals.

In doing so, I found these VBScript resources to be awesome.  Many are in PDF and/or DOC format so you can keep them handy.


--Claus V.

Chrome(ium) Bits

Yep still here.

Required output at the coal-face down in the mine has come off the rails.  Hours are exceptionally long now and I’ve shifted most of the precious little “me time” left to being present with Lavie and Alvis when I see them.  And de-stressing by visiting Maru ( 私信 ).

The poor “to blog” folder is bursting at the seams and my Firefox JSON folder is ripe for breakdown!

So here are some quick-posts just to release the pressure buildup.

Gentle readers may recall back in my Finally! Time to Post! New material list I had been frustrated by the challenge of updating Chromium.  I had been using a compiled “AutoIt” executable from Caschy to make the process a breeze.  It stopped working. We were sad. It was because the source folder used had been changed; the updater got updated. We were all happy again.

Only a few weeks ago, we are all sad again.  Index of /f/chromium/snapshots/Win had a README that told the tale.

you are probably looking for

Why yes…I guess I was.

That updated location does contain the new Chromium build sets. Unfortunately, the only compiled New Portable Google Chrome Updater that I am aware of must now be recompiled again (we are waiting) to work for the Chromium builds.

Yes, I can download the latest version each day, manually unpack it, and copy it to my Chromium application folder.  I could even write a script to do all that.

But I’m so tired.

So I checked out the Chrome Release Channels page and read for a while, eventually deciding that the Dev channel for Windows version was sufficiently cutting-edge but stable enough to move to.  As an added benefit, Caschy’s Portable Google Chrome Updater tool still works for the Dev channel as that location hasn’t been piddled with.

More Chrome Flavors

Last week I also became aware of an “enhanced security” version of Chrome: Comodo Dragon.  BetaNews has a rundown of some of its features: Comodo Dragon: Better browsing security with less bloat

Likewise, SRWare Iron has been kicking around since the very beginning.

If you like portable versions (as I do) then you can check out Iron Portable and Google Chrome Portable both maintained by PortableApps.  Also, during the setup process for Comodo Dragon, it allows you to install as a portable version as well.

Enhancing Chrome’s Search Security

Yes, there are some other good search engines out there, but for plain power, trust, and interface, I still find myself using Google.

Spend any time at all doing packet capture and network HTTP analysis (BTW…NetworkMiner 1.1 Released a week ago) and you quickly find out what happens when users do not use SSL for their searches.

Personally, I now exclusively search more securely with encrypted Google web search.  However, remembering to type in the SSL address for Google secure search is a pain.  So I started to wonder if there wasn’t an easy trick to update the search setting in Chrome…and in Firefox as well.

Yep. Piece of cake, as they say.

How To Make Google HTTPS (Secured SSL) Search Default in Google Chrome? - Mezanul at

Make Your Firefox Search Engine use Google’s SSL (https) Search for Security Reasons - 404 Tech Support

Add Google SSL Search Provider to Firefox Search Box - My Digital Life

So now I’m searching the webs SSL-style by default.


--Claus V.