Saturday, August 31, 2013

QuickPost: VMware Player micro-fix

A quick-post in case others search for a solution for this particular issue:

I’ve been running VMware Player 5.0 on my Windows 7 x64 system for a long while now.

This morning when working in all my Modern.IE Tester VM’s (Win7Ent, Win8 & Win8.1) as well as a fully-installed (and licensed) version of XP Home I noticed the following issues:

  • No options showing on VMWare Player tool-bar for three-key toggle, etc.
  • Unity working fine however allowing drag/drop of files between host and client desktops.
  • After shutting down the running virtualized OS cleanly (Start--shutdown/power-off), the running vm window just stays black and doesn’t close after any length of time.
  • Trying to close or force shutdown with the VMware Player options says it is still running and to wait.
  • Checking the running processes showed the sub-process “vmware-unity-helper.exe” still running:
  • I was able to kill the process tree to close out the window but that seemed very brutal.

I first tried running a “repair” of VMware Player from the “Programs and Features” options but it would not work as it said the core installation files were missing.

I re-downloaded the VMware Player setup file from VMware and then ran it.

I selected the “repair” option and let it do its thing.


Once finished I relaunched the vm’s and all ran fine, my VMware Player toolbar was restored, and after closing the vm out, after a brief pause, the window closed and the running processes terminated normally.

Not sure what caused the issue but all is well again.

VMware Player “repair” is your friend!

--Claus V.

Sunday, August 11, 2013

Network & Network Security Quickpost - Last call NFAT edition

I just couldn’t wrap up the weekend without sharing these links. I’m so going to be nodding off in my training class tomorrow. Must bring Thermos of extra coffee with me! Don’t want to make the teacher unhappy!

So many network tools, tricks, and nuggets came out last week I’m still exciting thinking about how to use them all!

Security Advisory: Two Vulnerabilities in NetworkMiner - NETRESEC Blog - Don’t let the boring post title fool you! Based on this, Erik Hjelmvik has released a new version of NetworkMiner! Now sparkling at version 1.5 (free/pro editions)

NetworkMiner packet analyzer - Download NetworkMiner version 1.5 (free) here.

While I was doing some super-fast (but apparently productive) beta testing for Erik on some Windows 7 and Windows 8/8.1 systems, I noticed I wasn’t getting great results from my test captures made with and being processed in NetworkMiner. My “doh”. Erik kindly reminded me of his post NETRESEC RawCap - A raw socket sniffer for Windows where he pointed out that using Windows raw socket sniffing has some problems. I had forgotten I didn’t yet install Wireshark/WinPcap on these particular test systems. From Erick’s post:

Microsoft's newer operating systems (later than WinXP) have limitations associated with raw socket sniffing of external interfaces, i.e. everything that isn't localhost. Known limitations in Windows Vista and Win7 are:

  • Windows 7 - Can't capture incoming packets
  • Windows Vista - Can't capture outgoing packets
Due to these limitations in the raw sockets implementations of Microsoft's current operating systems we suggest running RawCap on Windows XP if you need to capture from external interfaces.

Baselining Dropbox With Wireshark (by Tony Fortunato) - LoveMyTool blog video presentation.

Editing Tracefiles With TraceWrangler (by Tony Fortunato) - LoveMyTool blog video presentation. This short video presentation on a new (Alpha release) tool, TraceWranger blew me away. There are methods of sanitizing trace files for sharing/training but they are fraught with challenges for mere mortals. This new tool is amazing and I really hope the developer Jasper Bongertz gets the support needed to encourage his continued refinement and development of this valuable tool for analysts.

Nmap - Now at version 6.40 - Free Security Scanner For Network Exploration & Security Audits.

Message Analyzer Beta3 Refresh has Been Released (Build 6215) - MessageAnalyzer - Lost in all the news was a quiet announcement of the next generation of Microsoft’s own network traffic analysis tool MessageAnalyzer getting a Beta 3 refresh release. The interface is very different (to me) from Wireshark, but since I used NetMon a ton to supplement my Wireshark work, it is taking some getting used to.

HolisticInfoSec: toolsmith: C3CM Part 1 – Nfsight with Nfdump and Nfsen - HolisticInfoSec blog - Russ McRee’s post rocks on so many levels. Well worth the read and review.

Firefox Developer Tool Features for Firefox 23 - Mozilla Hacks – the Web developer blog. In case you missed it, Firefox 23 was released last week. Included in it (besides the new app icon update) was a new network tool called “Network Monitor.” 

I so love this! “F12” is the new “must know” hotkey in these modern browsers!

If only Mozilla (or Chrome or IE 10) were “approved” web-browsers in our enterprise. This feature alone would so help with network and web-app diagnostics and troubleshooting from the end-user desktops.

What’s that you say? One single element of your cloud-based web-application seems to time out in IE 8, crashing your session? The network is fine, site bandwidth is fine. Your PC is fine. Seems like it could be a server-side application issue. Let me make a ticket for your issue and send it up. (Response often comes back, “There is no problem…must be a client-side issue…check the PC and bandwidth, follow our response template and let us know…”) (Sigh…)

Turns out Chrome web browser can do this trick as well

Turns out that Internet Explorer (IE9, IE10, IE11) also have a “F12” feature for network analysis in the browser.

And in IE11, it’s about to bring the house down on the competition!

Debugging and Tuning Web Sites and Apps with F12 Developer Tools in IE11- IEBlog. OMG!!! I am so crushing on the new “F12” profiling and responsiveness tool interface in IE 11! Please tell me this is going to be backwards compatible with Win 7. (Why yes, Virginia, it is…)


Anyway, back to more Firefox 23 release news and details.

Troubleshooting TCP/IP Connectivity Issues with This Command-Line Utility Portqry.exe - Next of Windows. Been using portqry.exe from the command line along with the PortQueryUI GUI fro some time. Dead helpful in a pinch!

PuTTY: a free telnet/ssh client - just released at version beta 0.63 for you console fans! See the extensive Changes page for all the details

KiTTY - let’s not forget about this fork version of PuTTY that has some additional bells-and-whistles!

  • News - latest KiTTY news is update minor update in late May 2013.
  • Recent changes - tracking site-changes at KiTTY’s house
  • KiTTY Portable - why “yes” there is a build version as well for KiTTY fans.

Finally, at home I run Mozilla Firefox, Portable Edition and Google Chrome Portable rather than installing them directly on my system. However I was trying to use some of NirSoft’s Browser Tools to explore and check my Google Chrome(ium) cache and wasn’t finding anything at all.

Strange.  Bug in the tool?

Turns out the answer was “of course not dummy” it’s the dummy’s bug.

Where is the Google Chrome Portable cache folder? - Bruce Pascoe kindly puts it like this:

Chrome Portable, like FFP, doesn't save the cache by default.

Note that unlike Firefox however, there's no way to turn the cache off completely in Chrome, so while it's running the cache is stored in the local temp directory (%TEMP%), but then it's immediately deleted when you exit Chrome.

So anyway, yeah, no surprise that you couldn't find it.

and cleared up a bit by “The MAZZTer”

The cache folder is saved in %TEMP%\GoogleChromePortable.

Where the %TEMP% is the user’s temporary file location under their profile.


This is interesting as it explains why the NirSoft tool ChromeCacheView wasn’t finding anything while pointing to the default user profile location in my Portable Apps application structure that ChromeHistoryView didn’t seem to have any issue with parsing. So even though the files were removed when the program terminated, it most likely did not “secure” delete them, so (depending on overwrite activity of the file system/free-space scrubber utilities) it might be possible to carve and recover them from a system that the portable-apps version of Chrome was used on. And that sounds like a challenge for another day…


--Claus Valca

Security-minded - QuickPost

And now for a change of pace, these caught my eye this week.

Presented in no known order.

My kind friend the TinyApps bloggist tipped me to these super-juicy fruits.

Which led to a fun correspondence, from which I then jumped and found this great resource:

Moving on we also have…

The RSA Blog has some great material here for incident responders:


Constant Vigilance!

--Claus Valca

Utility updates and stuff - Quickpost

Updated recently.

Other uninstallers worth considering (for the common folk)

  • MyUninstaller - NirSoft - Alternative uninstaller to the standard Windows Add / Remove module - This is my “go-to” uninstaller, especially for Windows XP systems.
  • GeekUninstaller - This one is really growing on my fast, especially for Win7/8 systems. My # 2 favorite, may be my new favorite after a few more dates.
  • IObit Uninstaller Portable -
  • Revo Uninstaller Portable -
  • ZSoft Uninstaller Portable -
  • Wise Program Uninstaller Portable -
  • Uninstall Tool - - I used to love, love, love this tool back when I was first getting started in my “technicians” career. A much modernized version (no longer freeware) is now available but if you want v1.6.6 (the last freeware version), you will have to grab it from here.
  • Free Uninstaller 1.1 - Freeware replacement for the system applet - Jacek Pazera. Like Uninstall Tool above, I still carry this one on my USB stick but I never use it. Hasn’t been updated for a very long time but hey, it works on all systems from NT to Vista, so if you need an uninstaller tool for your NT/Win2K/Me/98 box, this might be the girl you are looking to dance with!


Claus V.

Some Notes for a Certain Project

Just some scratch notes for a special project I am working on.

Nothing of interest for most other folks.

Remote Desktop and Automatic Login - Microsoft Visual Studio Forum

try using this
   mstsc /admin /v:ComputerName

or these
   mstsc /console /v:ComputerName

Be sure to “Log Off” rather than click the “X” to leave the session running if you aren’t coming back. Kinda like your mom telling you to shut the door behind you on the way out of the house when you were a kid. Heard it all the time…

Generally it seems you cannot use Microsoft’s Remote Desktop Connection service to establish an interactive remote control session with the logged in/active user’s desktop (session 0 ?)  unless you do it with the appropriate above arguments. However doing so may make a mess of things depending on how you exit…at least this appears to be my current understanding.

Just because you can doesn’t mean you should, and if you don’t log off properly…like I said you can make a mess for others coming behind you. If you find just such a mess, these tips might help clean things up.

In the end, RDC/RDP might be great or it might be messy.

If you are fortunate to be able to run UltraVNC services on some of your systems, you have some more options…especially if you are making a “headless” server box on a desktop OS platform. I’m personally more of a TightVNC guy myself but hey, close enough.

One of the problems might be that you want it to be a secure (AD/Domain) authenticated connection, but you don’t want someone to have to click “Allow/Disallow” on the headless system to approve that connection.

Fortunately there are options!

And then…

User Redge wrote:

configure and set MS Logon I or II required only at VNC server.
a) following the doc...
b) no if the UltraVNC setup was followed and exactly.
c) MS Logon I = Require MS Logon ... l#mslogon1
d) MS Logon II = New MS Logon ... l#mslogon2
Should set and required only at vnc server.
do not set vnc server as New MS Logon II on XP Home, won't work at all.

MSLogon can work, require turn OFF simple file sharing
windows XP

Open an Explorer window>Tools>Folder Options>View>The bottom check box

Headless systems are a pain…even if a modern BIOS can support booting without keyboard/mouse attached, and even if you can admin-pw lock the BIOS settings to prevent the USB ports from being active and used. Your system still may not boot if the NTLDR doesn’t see a proper video driver.

Headless System (Windows Embedded Standard 2009)  - Microsoft Developer Network post

In Windows Embedded Standard 2009 the support for headless devices starts with the availability of null-drivers for the standard MMI devices. Of course, the BIOS needs to support this kind of configuration, as well, but this should not be a problem on recent systems. The generic keyboard and mouse drivers in Standard are still present as well, when no hardware is connected, but the null driver for the VGA adapter needs to be added to the configuration. This requires the following components:

VGA Save could be left out, if there really is no VGA compatible chip on the board. This will create a dependency error, which in this case can be disregarded. Nevertheless, the benefit of having VGA Save in the image is that any time a graphics adapter card is plugged into the system VGA Save gets loaded instead of the Headless VGA driver. This enables screen output e.g. for field personnel troubleshooting the device. The VGA Boot Driver is required by NTLDR at boot time.

One last element,

The BIOS should be configured to “re-spawn” like a good digital soldier in the event that the power is lost (even a UPS dies if power is off too long) or if someone hits the Power-off button perchance.

Likewise, if the Windows system is NOT on an AD Domain, and logging into a local workstation/workgroup account profile, then you lock it down pretty well (to the bare minimums to function, and enable the auto-login to the set profile: Tip: Auto-Login Your Windows 7 User Account | Cool Stuff | Channel 9. Pretty easy stuff for the auto-login.

The challenge comes up if you want to add it to the AD Domain and use a domain-based account for security/auditing purposes.

There are a number of ways to do this, each with their nuances. Some work better than others. Some are more secure than others. Consider the risk carefully before choosing grasshopper!

[SOLVED] Windows 7 - Auto Logon With Domain Computer - post.  Easy enough with this registry-based solution BUT the user account and password are stored in the registry in clear-text.  You can roll your own .REG files for deployment with this method. However this could be a big security risk!

WindowsAutoLogin - freeware - IntelliAdmin. One nice feature of this application is that you can also control the number of times it allows an auto-login to occur and then after that “X” number of logins specified, it becomes disabled. That could be handy for some unattended (but brief) service events that require multiple reboots.

Autologon - Microsoft Sysinternals - Much better and easy enough to use. Per this post Safely setting autologon for Windows from the “Confessions of a Microsoft Consultant” TechNet Blog, we learn that AutoLogin saves the account/password string in the registry as a LSA secret.  That’s better than storing it in the Registry in plain-text, but it still is “easy enough” to penetrate and capture:

Autologon - commercial product from LogonExpert . I haven’t tried this product but it says it stores the logon information encrypted in AES 256, interacting directly with the WinLogon service to ensure nothing can grab the data. It has some really, really neat features.  The author has an overview of Free Solutions like what I have outlined above, as well as a Learn More about the product. There is an active download link from the page but I’m not sure if it is a limited-trial version or what. This may be a product that can provide both the “setup” features to enable AD-based auto-login and the security-needed for implementation. I’m really intrigued by this particular product.

Use this information wisely!

--Claus Valca

Regarding the Modern.IE Tester VM’s

I’ve spend much of the weekend building and tweaking the various Internet Explorer | modern.IE Virtual Machine builds. I went with the VMware Player versions as I tend to use that platform for Windows systems while using VirtualBox for Linux machines.

Anyway, this wasn’t for kicks and grins. Rather I needed to do some platform testing of different remote-control access and these seemed perfect, after some modifications.

Again, carefully read Rey Bango’s blog post and the comments to get a good sense of these systems; Making Internet Explorer Testing Easier with new IE VMs

Time Limits on the VMs

All of the VMs have a time limit 90 days of total time from the moment you first use the VM. Basically it’s 30 days usage with two 30-day rearms. To rearm, go into a command prompt with Administrator privileges and type in “slmgr –rearm

At the end of the 90 days, you’ll be able to use the VM for an hour before it shuts down. At this point, you’ll need to decide if that’s okay or if you’d like to recreate the VM and use it for another 90 days. Remember, you can reuse the same files you originally downloaded to recreate the VM so don’t delete them (unless you just love downloading big files).

After I enabled Remote Desktop access to the first system (Windows 7 Enterprise) and then started trying to use mstsc.exe (Remote Desktop Connection), it would connect…then instantly through an error and disconnect. Remote Desktop Access is disabled on these VM’s by default. I assume you know how to enable them but if not…Enabling Remote Desktop Connections in Windows 7 | 7 Tutorials

Took me awhile to figure it out, but the system was also configured with the single profile account and to automatically log into the account. Once I connected to the account with remote desktop, it logged the running account off, then that caused it to force the relogin of the same account, knocking me off!

This then required me to disable the “auto-login” feature for the accounts. Again, I’m sure all my dear readers know how to do that but if not…Tip: Auto-Login Your Windows 7 User Account | Cool Stuff | Channel 9 except in this case after first running “control userpasswords2”, for step 4 you want to “Check the option “User must enter a user name and password to use this computer.”  Now you won’t get kicked off when you use Windows Remote Desktop Connection to reach it.

Of course, if you do that, you will now need to enter the default password for these systems.  You do know the default user account password for the VM’s right? No?

I found it clearly documented in this provided PDF: Modern.IE VM Notes - 6-24-2013. The PDF is interesting as the file name says 06-27-2013 but the internal document date is 06-24-2013. Oh well. Here is another earlier version as well: Modern.IE VM Notes. Rey Bango actually references the first one in his post if you can find it in the last sentence of the last paragraph of his “Installing the VMs” section.

What else…Oh…as I was setting these up in VMWare Player, for one of them I somehow configured it to use Home Groups. Oopsie.  It ended up creating a non-delete-able HomeGroup icon on my host desktop. Hmmm. Followed this tip from “reminore reminore” to get it cleared off: Unable to remove Homegroup Icon - Microsoft Community. There are a couple of techniques in the post but this did it simply for me.

This worked for me win 7 - 64 bit home premium
1) Drive to "Folder Options"
2) Click "View"
3) Scroll down to "Use Sharing Wizard (Recommended)" it must be checked
4) Un-Check  the Check -box
5) Click "Apply"......the Icon will be removed from your desktop
6) Re-Check the Check-box .....the icon will not be back

HomeGroup Desktop Icon - Add or Remove - Windows 7 Help Forums has some additional pre-packaged .REG file fixes if that is your thing, or the above doesn’t work.

One last tip. Once I finished tweaking the user-account/settings and adding some core files/portable apps to it in the profile folder, to make future rebuilding of these systems super-easy, I just ran the Easy Transfer Wizard on one of them to build an “myaccount.mig" file and off-loaded it back to my host system. Then after I set up the Win 7 system I could semi-clone that profile setup to the rest of them with much less setup time than the first one, and when I have to rebuild them after the 90-day period ends. How to Use Easy Transfer in Windows 7 - For Dummies


Claus Valca.