Saturday, June 19, 2010

Slick Script solution for imagex DVD-based (or USB bootable-based) deployments

No worries dearest GSD blog friends.

I’ve been very busy, hard at work for the taxpayers of Texas who pay my salary, making sure they get the most bang-for-the-buck with their own hard-earned dollars.  Thank you kindly.

I’m also grounded on my primary system…the silly Gateway laptop.  Seems the DC plug fix from about a year ago failed again in the past couple of months, so now I’ve had to rig the laptop up on my desk…static-style…to keep it running.  Kinda defeats the purpose of a laptop.  However I’m not willing to invest another $250 in a 2nd solder repair.  So I’m negotiating with Lavie and doing some shopping/dream-system config-ing on the Dell site.  I’m bouncing back-n-forth between an Alienware system or a Studio 17 build.  I think the Alienware case is a bit cheezy for my tastes. I’m open to other suggestions as well. Looking around at the $1,300 price point or so, which still seems like a LOT of money to this penny-pincher.  Leaning to the Dell line as I’ve supported these at work for 10 years or so and they are very reliable and sturdy systems.  Loving my new Latitude E6400 system at work (though it is still running XP Pro).

Dream features:

Quad-core Intel i5 processor (or higher, up to 8 processor threads with an Intel i7 chip perhaps?), 6GB RAM, 500 GB SATA drive, 512MB-1GB video system, Blu-ray support and a true 1080 HD screen.  I really would hope to find a modular DC-plug solution so that if the jack fails, it’s not hard-mounted on the system board.  This is a lot of fire-power but I do lots of virtualization and hope to crank up some higher-end digital video/photo processing work as well.  Besides…it may be the first chance I’ve had to actually design and select my very own laptop system, so as an investment, it makes sense to get something I really would be proud to use.

The only sticking point is I have a pair of beautiful Samsung LCD monitors.  I’d love to find an internal video-card solution that would output to both while still allowing use of the laptop screen.  However I will probably have to consider a Matrox DualHead2Go type solution (Three Monitors, One Laptop: The Matrox DualHead2Go), which really wouldn’t be bad at all. (for self reference: Matrox Graphics - Products - Graphics eXpansion Module – DualHead2Go)

Anyway, I digress. On to this post’s “meat-n-potatoes”…

The Setup

As noted, our shop is beginning a round of system refreshes for our end users.  In the end we are looking at close to 1000+ systems.  Our sub-20-person team would be greatly challenged to deliver this, so a vendor was contracted to assist.

The factory images are “fresh” but not out-of-the-oven fresh, so the vendor setup/migration times are running 2-4 hours per system.  I know. Right?  So one of the things we do to minimize migration time for our own techs is deploy the fresh-baked images I prepare for our systems.  These are fully updated with all MS and third-party software patches, and contain our own post-install system tweaks.  As such we can deploy a system in less than 1 hour.

Typically we deploy the images from bootable USB HDDs, feeding the disk-prep and image-application commands in by hand.

I’ve always toyed with the idea of scripting the process but with close to ten different images, and different HDD system configurations it is a bit challenging.  So we’ve kept with the manual model for now.

One drawback is that if the techs aren’t paying attention to drive lettering in DiskPart, more than one has wiped the portable HDD they are serving the images from. Oops!

Imaging for the Vendor

However, we wanted to retain some control over the images provided to our vendor, and giving them the system images (2 system configurations at this point) on a HDD wasn’t a popular idea.  Luckily each image would fit on a DVD and handing out/collecting DVD’s is much easier than USB HDD…and much more durable.

So I did some research and came up with a slick scripted mix of command-line batch goodness, ImageX/Diskpart fun, and WinPE to boot; literally!

I found an elegant solution offered by Neil “Frawlz” Frawley on MS Windows Client TechCenter: Scripts to deploy imagex images.

He uses a series of batch files and a text file to automate the process.

I did have some issues with the version/commands offered in his 2007 version, since the choice.exe file used at that time differs from the newer ones.  For lots of sources on additional “choice.exe” background check out this About choice.com and choice.exe page.

However, I eventually got it armed and working.

Construction

I did a stock WinPE 3.0 build in a winpe_x86 folder and added three additional folders under the “ISO” folder; “images”, “scripts”, and “tools”.

In the “images” folder I placed the WIM file for the particular system the DVD was designed for use in image deployment.

In the “scripts” folder I placed the “choice.exe” file I got working, a “deployimage_localimage.bat” file, a “deployimage_networkimage.bat” file, a “diskpartcmds.txt” file and finally a “menu.bat” file.

The choice.exe file I used reports as 19.5 KB and dated 12/9/1994.  I have some more work to do on this but this one works for now.

Although pulling the WIM image file from the network or a USB drive could be supported, I’ve tweaked it a bit to just support DVD-based local disk prepping and imaging.

In the “tools” folder, just my “imagex.exe” file is present.

The menu.bat file consists of the following, slightly tweaked from Neil’s OEM script.  It is this batch file that is called once the PE reaches the CMD prompt.

Note: the blog template is doing some text-wrapping here so double check against Neil’s original and also copy/paste any actual batch scripts below into Notepad or your fav. text editor to ensure you get the full line formats.  Line-breaks in incorrect places can cause the processes to fail.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SOE DEPLOY SCRIPT
::
:: Language     Win32/MS-DOS compatible Batch File
::
:: Title menu.bat
::
:: Parent:     
::
:: Purpose:     Displays a menu in Windows PE to deploy an imagex image
::
:: Comments: UFD stands for USB Flash Drive
::
:: Author: Neil Frawley
::
:: Version: 1.0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@ECHO OFF

::VARIABLES
SET title=DEPLOY IMAGEX IMAGE MENU
SET script_dir=%0\..

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Display Title
cls
ECHO %title%
ECHO.

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Menu
ECHO Press the number to select the option
ECHO.
ECHO 1) DEPLOY IMAGEX IMAGE, IMAGE ON UFD OR DVD
ECHO 2) DEPLOY IMAGEX IMAGE, IMAGE ON NETWORK SHARE -- not supported
ECHO.

%script_dir%\choice /C:12

ECHO.
IF ERRORLEVEL 2 GOTO :NETWORK
IF ERRORLEVEL 1 GOTO :LOCAL

:LOCAL
%script_dir%\deployimage_localimage.bat
goto END

:NETWORK
%script_dir%\deployimage_networkimage.bat
goto END

:END

Then the “deployimage_localimage.bat” file gets called up:

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SOE DEPLOY SCRIPT
::
:: Language     Win32/MS-DOS compatible Batch File
::
:: Title deployimage_localimage.bat
::
:: Parent: menu.bat
::
:: Purpose:     Deploy an imagex image, with the image being on a UFD or DVD
::
:: Comments: UFD stands for USB Flash Drive
::  This script could be run from a CD instead of a DVD, but it is unlikely the imagex image will fit on a CD
::
:: Author: Neil Frawley
::
:: Version: 1.0
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@ECHO OFF

::VARIABLES
SET title=DEPLOY IMAGEX IMAGE, IMAGE ON DVD OR UFD
SET script_dir=%0\..

SET diskpart_script=diskpartcmds.txt
SET local_drive=C:
SET image_name=imagenamehere.wim

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Display Title
cls
ECHO %title%
ECHO.

ECHO Press the number to select the option
ECHO.
ECHO 1) I AM USING A DVD
ECHO 2) I AM USING A UFD -- not supported

ECHO.

%script_dir%\choice /C:12

IF ERRORLEVEL 2 GOTO :UFD
IF ERRORLEVEL 1 GOTO :DVD

:UFD
SET tools_drive=E:
SET image_path=E:\images
ECHO WinPE run from UFD
GOTO :PREP

:DVD
SET tools_drive=D:
SET image_path=D:\images
ECHO WinPE run from DVD
GOTO :PREP

:PREP
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Prepare hard-drive
ECHO **** PREPARE HARDDRIVE ****
ECHO.
%script_dir%\choice /N "diskpart will now wipe the contents of your hard-drive erasing all data. Do you wish to continue?"
IF ERRORLEVEL 2 GOTO :END
diskpart /s %script_dir%\%diskpart_script%
:: Stop here if diskpart reported a problem, rather than applying the image to whatever is currently lettered C:
IF ERRORLEVEL 1 GOTO :END

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Apply Image to hard-drive
:: Uses the tools/image path picked in the DVD/UFD section above and the image_name set at the top,
:: instead of a hard-coded D:\images\<file>.wim
ECHO **** APPLY IMAGE ****
%tools_drive%\tools\imagex.exe /apply %image_path%\%image_name% 1 %local_drive%\

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: SECTION: Reboot computer
ECHO We are now ready to reboot the computer to continue system setup; remove DVD and
pause
ECHO **** REBOOT ****
wpeutil reboot

:END

Where imagenamehere.wim is replaced with the filename of your image WIM file located in the “images” sub-folder.

You will notice the clever bit is the call to the disk preparation text file “diskpartcmds.txt” which is the following:

rem Disk 0 must be the internal drive; with a USB HDD attached it may not be (see above), so check "list disk" first
select disk 0
clean
create partition primary
select partition 1
active
assign letter=C
format FS=NTFS quick
exit

You can pop over to the original link I provided to find the network imaging deployment batch file if you want.

Final Thoughts

Using an optical-based DVD source for the image does take a bit longer to access/copy the data rather than a portable HDD or flash-media based source.  So keep that in mind.  If you had a few 4-6 GB flash drives you could easily make them bootable and apply this solution to them instead.  DVD’s are relatively cheap and easy to make duplicates of.  And if one is damaged no biggie.  Plus you don’t have to worry about files getting overwritten!

I’m sure there are more sophisticated and elegant solutions.

Because you can “stack” images inside an imagex wim file, with some more work you could easily create a single wim file that could support multiple systems.  Then with some clever updates to the batch file and image-picker lines, you could call whichever image package you wanted from a single wim file.  Depending on how big your base image was and the add-on levels, it might not fit on even a DVD, but still, it would probably work out for an 8-16 GB flash drive; and be crazy-easy on a bootable USB HDD drive.
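An added example of that image-picker idea, not part of Neil Frawley’s scripts or this post: it replaces the “APPLY IMAGE” section of deployimage_localimage.bat with a prompt for the image index or name inside one multi-image WIM, using cmd’s built-in SET /P instead of choice.exe. It assumes the same media layout (\tools\imagex.exe and \images\), a placeholder WIM filename, and that the script is started with a drive-qualified path from the boot media, as menu.bat does.

```batch
@ECHO OFF
:: Added example (not from Neil Frawley's scripts or the GSD post): pick one image
:: out of a single multi-image WIM instead of applying a hard-coded one.
:: Assumes \tools\imagex.exe and \images\ on the media this script runs from;
:: the WIM filename below is a placeholder.
SETLOCAL
SET media_drive=%~d0
SET imagex=%media_drive%\tools\imagex.exe
SET wim_file=%media_drive%\images\multisystem.wim
SET target_drive=C:

IF NOT EXIST "%imagex%" (
    ECHO ERROR: %imagex% not found
    GOTO :END
)
IF NOT EXIST "%wim_file%" (
    ECHO ERROR: %wim_file% not found
    GOTO :END
)

:: imagex /info prints the WIM's XML metadata, one <IMAGE INDEX="n"> block per
:: image with its <NAME>, so the tech can see what is actually on the media.
ECHO **** IMAGES IN %wim_file% ****
"%imagex%" /info "%wim_file%" | FINDSTR /C:"<IMAGE INDEX=" /C:"<NAME>"
ECHO.

:ASK
SET index=
SET /P index=Image index or name to apply (blank to cancel): 
IF NOT DEFINED index GOTO :END
:: Let imagex validate the choice; it exits non-zero for an unknown index or name.
"%imagex%" /info "%wim_file%" "%index%" >NUL 2>&1
IF ERRORLEVEL 1 (
    ECHO "%index%" is not an image in this WIM
    GOTO :ASK
)

ECHO.
ECHO Image "%index%" will be applied to %target_drive%\ and everything on it replaced.
SET confirm=
SET /P confirm=Type YES to continue: 
IF /I NOT "%confirm%"=="YES" GOTO :END

ECHO **** APPLY IMAGE ****
"%imagex%" /apply "%wim_file%" "%index%" %target_drive%\
IF ERRORLEVEL 1 (
    ECHO imagex reported an error; do not reboot into this disk until it is resolved
    GOTO :END
)
ECHO Image applied. Remove the media and
PAUSE
wpeutil reboot

:END
ENDLOCAL
```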

Pretty cool…

Claus V.

Saturday, May 22, 2010

OSTff revisited

In the last post (gosh has it been that long ago?) Blasting the blasted Outlook Secure Temporary file folder… I outlined a number of free utilities that would assist with deletion of the contents of that folder.

The user who had the issue leading us on this learning adventure eventually called back with the same problem again.  Additional monitoring of the user as well as the processes she was doing illustrated to me that some kind of Outlook error and/or interaction with Voltage was causing the opened attachments to remain “orphaned” even when closed out “properly.”

We then were faced with deploying one of the solutions noted.  I was leaning heavily towards OutlookTempCleaner and calling it at startup via a scheduled task or simple bat-file in the Startup folder.

However, in the end, the suggestion was made to just do a batch-file that cleaned it up without any additional third-party code.  OK, I’m game.

There were a number of approaches I could have taken, primarily just hard-coding the path to the user’s particular Outlook Secure Temporary file folder, but if that “randomly” generated location ever changed, say if Outlook had to be reinstalled, then it would break.

Instead, after a bit of research, I found a suggested solution offered by GuruGary in this Experts-Exchange post: Outlook Secure Temp Folder Full.

For a solution how about this in a batch file (that can be run as a scheduled task, or at logoff, etc.):
@echo off
for /f "tokens=3 delims=      " %%a in ('reg.exe query hkcu\Software\Microsoft\Office\11.0\Outlook\Security /v OutlookSecureTempFolder ^|findstr REG_SZ') do rd "%%a" /q /s

Depending on which version of Outlook she is running, you may need to change the 11.0 in the registry key.

However, try as hard as I could in testing, it just didn’t seem to execute correctly.

It was very clever; using the reg.exe utility to query the registry and obtain the key value holding the actual path to the user’s Outlook Secure Temp folder location, then doing a deletion of it.

I then proceeded to rework the batch file using Rob van der Woude’s link: Batch files - Reading NT’s Registry with REG.EXE.

In the end I crafted the following batch file that did work perfectly on our own XP Pro SP3 systems for the problem at hand.

@ECHO OFF

::Place batch file in C:\Windows\System32 location so it can find the reg.exe utility.

::Place shortcut to this batch file in the user's Startup folder to run upon login.

::Will auto-clean the user's Outlook Secure Temporary File folder location of all "orphaned" files so she gets a clean slate.

::Queries registry location of that folder location, then uses information to delete all the files present.

:: Note: delims is a TAB followed by a space

SET Location=
FOR /F "tokens=2* delims=     " %%A IN (' REG QUERY "HKCU\Software\Microsoft\Office\11.0\Outlook\Security" /v OutlookSecureTempFolder') DO SET Location=%%B

:: Only delete when the query actually returned a path; with Location empty the DEL below would run against "\*.*", the root of the current drive.
IF NOT DEFINED Location GOTO :EOF

DEL /s /f /q "%Location%\*.*"

Depending on which version of Outlook you have, you will have to modify the “11.0” number according to this Microsoft Support article 817878 --Attachments remain in the Outlook Secure Temporary File folder when you exit Outlook 2003 or Outlook 2007.

Yes, just having the end user periodically run a free utility when needed probably was much easier, but this will run almost silently in the background at each login and clean things out.  Also, because it queries the actual registry key location each time before running, if that ever does get changed it adjusts, whereas a hard-coded path would have broken.
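As an added example (not the post’s own batch file, nor Rob van der Woude’s), here is the same registry-driven cleanup hardened for the two things a helpdesk would trip on: it tries each Office version key in turn (11.0 and 12.0 from the post, plus 14.0 for Outlook 2010, an assumption beyond the post) so the version number needs no hand-editing, and it refuses to call DEL when the lookup comes back empty, because an empty %Location% turns the original’s command into DEL /s /f /q "\*.*" and deletes from the root of the current drive. It assumes only reg.exe, find.exe and the same Startup-shortcut deployment.

```batch
@ECHO OFF
:: Added example, not from the GSD post: hardened Outlook Secure Temp folder cleanup.
:: Tries every Office version key listed (11.0 = 2003, 12.0 = 2007, 14.0 = 2010, the
:: last one assumed) and never deletes unless the registry lookup returned a real path.
SETLOCAL
FOR %%V IN (11.0 12.0 14.0) DO CALL :CLEAN %%V
ENDLOCAL
GOTO :EOF

:CLEAN
SET Location=
REM tokens=2* works whether reg.exe separates columns with tabs (XP) or spaces
REM (Vista and later); %%B is everything after REG_SZ, embedded spaces included.
FOR /F "tokens=2*" %%A IN ('REG QUERY "HKCU\Software\Microsoft\Office\%1\Outlook\Security" /v OutlookSecureTempFolder 2^>NUL ^| FIND "REG_SZ"') DO SET "Location=%%B"
IF NOT DEFINED Location (
    ECHO Office %1: no OutlookSecureTempFolder value, skipping
    GOTO :EOF
)
REM Refuse anything shorter than "X:\something": a bare drive root is never the right folder.
IF "%Location:~3%"=="" (
    ECHO Office %1: refusing to clean "%Location%"
    GOTO :EOF
)
IF NOT EXIST "%Location%\" (
    ECHO Office %1: "%Location%" does not exist, skipping
    GOTO :EOF
)
SET /A count=0
FOR %%F IN ("%Location%\*.*") DO SET /A count+=1
ECHO Office %1: removing %count% orphaned file(s) from "%Location%"
REM No /S: orphaned attachments sit directly in this folder, so there is no need to recurse.
IF %count% GTR 0 DEL /F /Q "%Location%\*.*"
GOTO :EOF
```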

Rob’s website contains a wealth of detailed and helpful information for CLI junkies and batch-file writers.

He also has lots of great WMI Scripting information as well as an added bonus: Getting Started with WMI Scripting

Wayne Martin has another collection of lots of useful command-line models over at his WWoIT – Wayne’s World of IT blog.

Lots of inspiring commands and operations here…

Cheers.

--Claus V.

Saturday, May 01, 2010

Blasting the blasted Outlook Secure Temporary file folder…

Despite the challenge of the RDC issue last posted about, we did have one small but significant Windows system troubleshooting victory last week.

One of our end-users was working with Voltage to pull mail out of a shared mailbox into the local Outlook client.

When she attempted to open the attached file, the following error was seen:

Can't create file: message_zdm.html. Right click the folder you want to create the file in and then click properties on the shortcut menu to check your permissions for the folder

Several field techs attempted to resolve the issue during multiple site visits, to no avail.

So crack network analyst “Mr. No” and I dropped by while in the neighborhood on an unrelated special project to take a look.

Based on the error message, we doubly-checked the permissions on the user’s Outlook folders. We reloaded different versions of Voltage and fiddled with the enrollment certifications. Checked disk space. Ensured no permission or size limits found on the folders.  Purged the IE temp cache location. Nothing seemed to work.  Comparing this user’s settings in Voltage/Outlook to a co-worker who was similarly configured but not having the issue found nothing different.

So, in a brilliant move, Mr. No decided to Google the error message…and found this:

Turns out the user’s “Outlook Secure Temporary file folder” was filled up and needed to be flushed.

Once those steps were followed, the attachments could be opened again with no fuss.

Problem solved.

However, that wasn’t enough for Mr. Valca here.  What was going on and why was this user, out of the thousand-plus we support, having this particular problem?

Greetings Outlook Secure Temporary File Folder…Nice to meet you.

When I got back to the office I did more research and while not an unknown issue (and not limited to Voltage users by the way), it does seem to be rather uncommon.

I found a few posts in particular that described the issue and potential solutions.

These (and other forum posts) referenced the root-cause as Andy well summarizes from his above-linked post:

“…outlook has a limit on the number of files of the same name that it can store.  If you have 99 “orphaned” files in the temp folder whose source attachment have the same name, when you try to open the 100th, you will get an error saying you can not open any attachments.”

Only my mind was a bit confused.  How do you have up to 99 files with the same name in the same folder location?  That didn’t seem to make sense. And what was our particular user doing so well to cause that many to accrue in the first place?

And how were they being “orphaned” in the first place? The user stayed in Outlook all day long with no Outlook crashes found or reported.

The Experiment

I fired up my own system, dove into Regedit, burrowed down to the location (Outlook 2003) HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security and copied the folder location found in the Value Name: OutlookSecureTempFolder key.

Then I pasted it into the address-bar of Windows Explorer and was taken to that folder location.

I had a few items in there, but none indicating duplicate names.  So I deleted them all to get a fresh slate.

I then popped into Outlook and sent myself a simple Outlook email with a dummy text file attachment called…wait for it…”dummy.txt”

With Windows Explorer still open to my Outlook Secure Temporary (OST) file folder location on the left, I double-clicked the test message to open it in its own window.  Then I double-clicked the attachment to open it.  Voilà!  The file dummy.txt was showing in the OST folder.  I closed the attachment and then closed the message and the file disappeared, automatically removed by Outlook as expected.

Next I repeated the process.  But this time I kept the attachment open but closed the message.  Then I closed the attachment.  To no surprise, the dummy.txt file was left behind and not deleted.

Then I repeated the process…only this time the file in the OST was automatically re-named to dummy_(1).txt (or something like that…I’m having trouble reading my notes).  Repeated testing found that if the email message Window was closed before the attachment, I could quickly add many more dummy_(#).txt files and leave them “orphaned” and preserved in the OST location.

So it seems that while “technically” the file names are not duplicate names…the attachment name is a duplicate and diff’ed by the addition of the “_(#)” name portion.  When the same file-name is present but the counter reaches “_(99)” then upon reaching the 100th instance, the error happens and the file attachment cannot be opened.  Now that made sense.

What I didn’t test, (and am curious as to) is what would have happened if I just created a file “dummy_(99).txt” in an otherwise emptied OST folder (that’s the only file present) and then tried to open my “dummy.txt” attachment, if the error would trigger due to the “_(99)” counter presence, and not an actual count of files really present.  I’ll try that one on Monday back in the shop but I’m pretty sure I already know the answer…

Knowing this, it is easy to understand the process by which this particular user was tripping over the error when almost nobody else is.

The user is receiving a high volume of inbound messages in the shared mailbox to process as part of her job duty.  These messages include a standard internal form attachment.  That attachment is frequently NOT renamed to something different by the sender. So even though the content of the form attachment is different, the file name is the same.

This end user opens the message, opens the attachment, closes the message (with the attachment still open…now “orphaned”) and proceeds to process the information in the form into another application.  Once done, the attachment gets closed.  This works fine for a while but eventually, enough identically named forms are processed/orphaned and the error trips upon #100.

Again, in our case it was Voltage attachments.  It could easily be PDF files/forms, Excel sheets, Word documents, whatever in your shop.  The attachment type isn’t the issue, it is the attachment “name” and how many times the attachment gets “orphaned” due to Outlook crash or (more likely) closure of the message body Window before the opened attachment itself gets closed.

Mitigation and Utilities

Because the default OST file folder location is typically “super-hidden”, it’s not easy to instruct most end users to browse into the registry and do a copy/paste of the key value into Windows Explorer to empty things out.

In this case, it just required showing the end-user that she should either “save as” the attachment to a different location with an amended name before opening it, or leave the email message open and, when done with the attachment, close the attachment first and then the message body.

However, there are also some cool utility “toys” that can automate the process to various degrees as well:

  • OutlookTempCleaner -- (freeware) -- HowTo-Outlook. This simple exe file automatically finds and cleans the folder out when run.  What is particularly nice is that it supports CLI options for use in a login batch-file for automated cleaning if needed.  Also cool is the “big-brother” Outlook utility OutlookTools (also free) which brings extra Outlook support options to the table. NYC Tech Guys mentioned OutlookTempCleaner in their Empty Outlook’s secure temp folder post.

  • CleanAfterMe -- (freeware) –NirSoft.  This power-cleaning tool for Windows also has an option in it to clean that folder location, among many other deep-level things. 

  • CCleaner -- (freeware) -- Piriform.  More than one forum post also recommended use of CCleaner (newest versions) to clean this location.  I didn’t see it specifically noted/identified in the options, so maybe it falls into one of the general cleaning options.  Not sure.

  • Outlook Temporary File Cleaner – MSDN by anthonyrsc.  Very small exe file (23K) with source code provided.

So now I and our team are all much wiser to the Outlook Secure Temporary file folder and its solution.

Too bad the error message couldn’t be a bit clearer. I’m sure more than one sysadmin called in on this one has taken a while to check folder sizes and permissions in both Outlook and the local system before eventually associating the issue/solution with the blasted Outlook Secure Temporary File folder.

Cheers!

--Claus V.

In the trenches…

Been burning extra time working out a nagging Remote Desktop issue.  Still unresolved but I am stubbornly pressing on to solution it.

At the local house of worship, there is a pretty nice LAN setup.  At the sound/video desk we recently installed two Windows 7 Ultimate systems.  These are brawny multi-core systems, x64 bit OS, 8GB RAM systems.  More than enough muscle to power video/sound editing and projection work.

However the desk area itself is very limited.  So we dropped one box (with no monitor) under the desk. Then we use the second workstation on the desk to do a Windows RDC session to the 2nd (headless) workstation as needed.

Only the RDC sessions are a bit “wonky”.

Typically after the first RDC session is started, the login goes through, the remote system desktop is displayed, then the following error message appears on the workstation I am initializing the RDC session from:

“Microsoft Visual C++ Runtime Library
Program C:\Windows\system32\mstsc.exe
R6025
-pure virtual function call”

And the RDP session terminates.

If I try again, each time the connection gets briefly established, then kicks off, and the error appears.

After about 7-10 attempts, I am then able to get a “stable” RDC session established with no more kick-offs or errors.  So it does “work”.

I checked the remote system logs and found the following errors noted:

“Event ID: 9015
Desktop Windows Manager was unable to start because the remote client does not support desktop composition remoting.”

and

“Event ID:9003
Desktop Window Manager was unable to start because a composited theme is not in use.”

I’ve already made sure RDC exceptions are enabled on both systems in Windows Firewall.

I have tried reducing the headless system’s theme to “Classic” and disabling all Aero effects as far as I can tell.

I’ve made sure all the theme management services are running “automatic”.

I’ve tried disabling the various extra RDC “experience” options before connecting.

Same behavior.  Only after seven or more aborted RDC connections is a stable RDC session established.

I’ve tried using the RD client files from a “portable” build based on another system’s Win7 RDC files but same thing, so it doesn’t appear to be a corruption issue with the mstsc executable.

I’m still trying to research the root cause.  Other things I need to pursue this weekend:

  • I did have to turn off “Aero peek” on the system I am RDC’ing from as that was pulling “system focus” away from running presentations if accidentally hovered over.  Not cool during a service…  I’ve not yet re-enabled it to see if that has any bearing.  I don’t think so as the other geek seems to have the same issue from his own independent Win7 system RDC’ing to the target box.
  • I’ve seen lots of forum threads on similar issues.  In many of those cases the posters felt the issue was a bug in the Win7 RDP client itself.  They felt that way as connecting with a “portable” older set of RDP files from, say, XP SP3 didn’t demonstrate the issue.  I think they are using Remote Desktop Connection (Terminal Services Client 6.0).  I need to grab a set of that version to try to see if that makes a difference.

The facts that I see the error start just after the remote system’s desktop gets displayed, that the event logs all mention “composition theme” in some fashion even though all settings seem to support a compatible rendering experience, and that with enough attempts it eventually “works” suggest to me that it might, in fact, be some kind of network issue.  Could it be that the systems are “talking” too fast to keep up with each other as the different services interact and link-up?  I did find this tantalizing post on tweaking RDP network performance: Remote Desktop slow problem solved, which tweaks the Receive Window Auto-Tuning settings in Windows Vista…need to make sure it carries over to Win 7 as well first.

And yes, of course, we could go with a TVNC based remote desktop solution…or one of many others.  However, connection establishment error excepted, RDC fits the internal need just fine.

It doesn’t look like I am the only one wrestling with this issue.

When I finally get it resolved, I’ll post an update.

BTW, one early bonus from this “project” has been the discovery of the Remote Desktop Services (Terminal Services) Team Blog.  Lots of good info there for you Remote Desktop fans….

Cheers!

--Claus V.

Sunday, April 25, 2010

Playing Catch-up

Despite all my best wishes and efforts, I’ve really been under a tremendous production load of projects at work lately.

Hours stretched, long drives into field office locations for “in-the-trenches” work. Stuff like that.

I have still been checking my RSS feeds and building the linkage piles, but goodness, no time for weekend link posting of late.

One small benefit of the delays is that I will often go back now and re-consider that pile of 20+ links and after a week, find that some just weren’t worth posting comments on after all…so they will be struck.

This slow-simmering seems to result in a much tastier collection of tools and utilities.

So here you go.  About a month’s worth of slow-home-cooking served up for your dining pleasure.

Networking Link Portals

One of the things we have been doing lately is site-wide network traffic monitoring and analysis.  Our great network team has developed a pretty easy and deployable process to initiate a remote traffic capture and then internal analysis of the traffic/files.  Nothing super sophisticated, but we can now pretty clearly generate a response report in record time.  That’s a small miracle in itself.

Here are three “portal” locations for great linkage and reference materials on Network traffic and analysis.

  • Cheat Sheets - Packet Life. Great collection of free PDF-formatted reference sheets on many things network traffic related. This Wireshark Display Filters (PDF) page alone has been very useful.

  • Network Monitoring Tools – Amazing collection of links maintained by Les Cottrell at Stanford.  Be careful. You could easily lose hours looking through the resources documented and organized here!

  • WinPcap Network Tools and Links – Lots of great tools, reference materials, and what-not all lined up and linked regarding WinPcap-supported tools.

Remote System Auditing Tools

In the aftermath of yet another incident project, I began looking for an efficient way to remotely audit the physical status and configuration of remote systems in our network.  We haven’t really had a need in the past to do so, and only in the past year have we been running post-deployment audit reports on systems we initially set up, to capture/document key hardware items. However it has become clear I needed the ability to do ad-hoc surveys and reporting on the status of Windows systems long since deployed in the field.  Our network management infrastructure software can (in theory) do this, but it is non-intuitive and burdensome to do so.  In addition, it requires the workstation objects to have been correctly imported to the container in the first place to access.  Not done so?  No data.  So obviously I could have some big holes in my site/system audit reports.

So I started looking for a simpler reporting solution.

I found a number of great (and free) tools to do so, but they were either much more robust than I needed, or required a client/server model of deployment, or the reporting was just not customizable enough for rapid site-wide auditing and export for additional analysis in Excel/Access.

Some of those tools that “almost” fit the bill but eventually fouled out were:

  • Total Network Monitor – freeware – Softinventive Labs.  Pretty full featured and awesome.

  • Remote System Information 3.0 - (shareware) – nice and had much of the system hardware auditing stuff I needed but the reporting wasn’t robust enough nor was the fact it was shareware and I couldn’t find where the developers were still in business.

  • Network Manager (NINO) - (open source) – Located this one on SourceForge and looks like a really heavy-duty network monitoring tool.  Ended up being too beefy for my targeted needs.

  • OpenNMS – (Open Source) -  Another very robust network management platform.

  • Lan Sweeper – (Free/$$ versions) – I really, really liked this one.  It covers so many of the mission-critical system auditing and monitoring points.  However it is based on a client/server type of model.  I wanted something that didn’t require me to deploy clients on all our systems in addition to the existing network client infrastructure in place.

  • Zenoss – (Open Source) – Another very mature and polished network/systems monitoring platform.  Again, too robust for my needs.

  • Network Inventory - (shareware/$) – Very nice but ultimately not free/OpenSource and cost is king now.

  • Network Inventory Advisor - (free-trial/$) – Also nice, especially in that it was not agent/client based but again, the free trial period is limited and there is no $ in the budget for this project.

  • AdvancedRemoteInfo - (freeware)  — Pet project of Matthias Zirngibl at masterbootrecord.de.  This was an unexpectedly special find from Germany.  Still in development, this beta level utility really has a lot of great bells and whistles.  It provided extensive information about remote system hardware/software and data-points.  It also allowed for some useful remote interactions with the target system and reporting was much better.  However, again, I needed something that let me manage reports on a site-wide number of systems, not one-system-at-a-time reporting.  Still, this is a great tool and I’m going to be keeping an eye on it in the future!

At this point, after almost an entire week of looking for just the right tool, I was almost ready to give up.  I checked in with Michael Pietroforte over at 4sysops.  He referred me to his lineups of Free Windows Networking Tools and Free Windows Inventory Tools  (in fact see his full selection of categorized Free Windows Admin Tools – 4sysops). However, none of those offerings were fitting the bill either.

Then, while in the middle of our dialog, I found that an old favorite had been updated with just the feature sets I was looking for:

This ended up being perfect as it is a single, portable exe file based utility.  Though not “tiny” at 720K, it still packs an amazing feature set in.

I am now able to remotely run an IP scan against an entire network site range, and then set WMI-based custom reports to pull data from the systems.  Because my audit is IP based, I’m much more likely to identify the devices actually on the network rather than only those “objects” that were imported and calling home from a client/agent configuration.

And the WMI-based reporting options are off the hook.

Look for a more detailed post soon on this project, but for now, I highly recommend checking it out.

The only potential “gotcha” is that WMI services and firewall port rules/policy must be configured, up, and running on the remote systems to get all the WMI-accessible data for your reports. If you have that in place, then you can easily run and export tons of highly detailed system audit report data.

Please look below for more useful WMI (Windows Management Instrumentation) resources that are must-reads if you are not yet familiar with it and need to do some homework for deploying and accessing the data it can potentially provide.
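As an added illustration of the IP-list-then-WMI-report workflow described above (example code, not part of the original post or of the tool it describes), this PowerShell sweep queries a few standard WMI classes per host and writes one CSV row per IP, recording hosts where WMI or the firewall is not ready as failures instead of dropping them from the report. The IP addresses and output path are constructed placeholders.

```powershell
# Added example: WMI hardware/OS inventory sweep with CSV export for Excel/Access.
# Run from an account with admin rights on the targets; the IPs and path are placeholders.
$Targets = @('192.0.2.10', '192.0.2.11', '192.0.2.12')   # constructed placeholder IPs
$OutFile = 'C:\Temp\wmi-audit.csv'                       # placeholder output path

$Results = foreach ($ip in $Targets) {
    # Same column set for every row so Export-Csv headers stay consistent
    # regardless of whether the first host succeeded or failed.
    $row = @{ IP = $ip; Status = ''; HostName = ''; Manufacturer = ''; Model = '';
              SerialNumber = ''; RAM_MB = ''; OS = ''; ServicePack = ''; LastBoot = '' }

    # Quick reachability check so unreachable hosts don't wait on long WMI/RPC timeouts.
    if (-not (Test-Connection -ComputerName $ip -Count 1 -Quiet)) {
        $row.Status = 'No ping reply'
    } else {
        try {
            # -ErrorAction Stop turns RPC/DCOM failures (WMI service stopped,
            # Windows Firewall blocking, missing rights) into catchable exceptions.
            $cs   = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $ip -ErrorAction Stop
            $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ip -ErrorAction Stop
            $bios = Get-WmiObject -Class Win32_BIOS            -ComputerName $ip -ErrorAction Stop

            $row.Status       = 'OK'
            $row.HostName     = $cs.Name
            $row.Manufacturer = $cs.Manufacturer
            $row.Model        = $cs.Model
            $row.SerialNumber = $bios.SerialNumber
            $row.RAM_MB       = [math]::Round($cs.TotalPhysicalMemory / 1MB)
            $row.OS           = $os.Caption
            $row.ServicePack  = $os.CSDVersion
            $row.LastBoot     = $os.ConvertToDateTime($os.LastBootUpTime)
        } catch {
            # Keep the host in the report with the reason, so "no data" is visible
            # rather than silently missing from the site audit.
            $row.Status = "WMI failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property $row
}

$Results | Export-Csv -Path $OutFile -NoTypeInformation
$Results | Format-Table IP, Status, HostName, Model, OS -AutoSize
```

Rows whose Status starts with "WMI failed" are the hosts where the WMI service or firewall rules still need attention before the full report data will come back.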

New or Improved Fun Utilities

These remaining tools caught my fancy this week.  They “remain” from the many more that seemed interesting at first but, on a second look, didn’t make the draft cut.

Remote Desktop Trick

Windows Remote Desktop is a cool trick to access and manage a system across your network.  But what if you don’t have it enabled on the system? And either the end-user is totally clueless, rights restricted, or otherwise unable to initialize some other remote-control solution?  This might be a trick to try.

Chrome Browser

I’m still nowhere near ready to jump ship from Firefox to Chrome full time, but I do find myself using the Chromium nightly versions in a portable version much more.

Here are the very small set of “add-ons” that I have found useful to load on it.

I’m running a portable version of Chrome (Portable Google Chrome 2.0.172.23 or Portable Google Chrome 2.0.159.0) along with Dirhael’s (portable) Chromium Nightly Updater to keep the package frequently updated.  However, that has required unpacking and copying the update packages over into my portable Chrome application folders.  No biggie, but additional work.

So I was delighted to find that Carsten “caschy” Knobloch has recently started including a multi-build updater in his Portable Chrome package: Portable Google Chrome 4.1.249.1059 (German site) has the latest full portable packages for download, or you can simply unpack it and copy the single exe updater file to your existing portable Chrome package and use it from there.  It automates the process to check, download, unpack, and install the latest Chrome release versions into your portable Chrome folders.  Way too cool!  See this post Neue Version des Portable Chrome Updaters (German) for additional info on the updater proper.

Firefox 3.7 Stuff

And the next iteration of Firefox is still marching closer to readiness.  I like what I am seeing, but I was surprised when my playing with a portable version of this latest release actually BSOD’d my Windows 7 x64 system.  First time ever that has happened.  Lots of fun stuff here, but be careful!

More Cool Utility Toys and Tips – Part II

I hope you found something yummy for your Windows system here today!

Cheers!

Claus V.

Thursday, April 01, 2010

Security and Forensics Roundup: Heavy Version #7

Oh my.  I may have bitten off more than I can chew with this load of links.  I’m having a challenging time breaking them all down into meaningful chunks!

Incident Response

  • The Tiger and the Ghost – Nice and reflective thoughts on the changing landscape of incident preparedness from Hogfly over at the Forensic Incident Response blog.

  • Verizon Incident Metrics Framework Released – Verizon has published a framework for categorizing incidents and the elements that comprise them.  One of many out there; nevertheless, it might provide some additional ideas for conceptualizing incident events and help guide you as you form narratives that analyze and summarize them for your audiences. Spotted via the TaoSecurity blog.

  • DarkReading Evil Bytes bloggist John Sawyer has posted a trilogy of articles on incident response as well as drive-imaging thoughts and techniques in that response; Adding Forensic Imaging To Your Standard IR Process, Using Hard-Drive Imaging In Forensics, and Drive Imaging Using Software Write Blocking provide an updated refresher on these topics. Good for a quick review particularly for the unfamiliar.

  • Responding to Incidents – Windows Incident Response blog.  Coming in at the anchor position is a great post by Harlan covering all the major points and issues on why establishment and execution of an organizational incident response plan for the IT shop is critical. If you don’t have one, it’s long past time to start building and implementing one.  Failure to do so comes with great peril.

Timeline Merry-go-Round

Having some time ago been faced with the challenge of preparing a digestible incident timeline of a Windows system, I am now paying even closer attention to timeline issues.  Like many, I had reams of data, much of it valuable. However, the real challenge wasn’t so much the capture and spin-out of the information; it was presenting the findings in an objective manner that successfully and accurately told a story to management and non-IT consultants.  What was of value to me in understanding the sequence of events was less valuable to those who wanted the big picture and major plot points.  It ended up being as much the art of communication as the art of examination.

It’s all about Analysis

  • Flock shepherds in a Life of Grime – Forensics from the Sausage Factory blog.  In this installment, we find DC1743 encountering the Flock browser, which is just a fancified version of Firefox geared to the social media experience.

Tools and Toys

Miscellanea: Don’t count out the value of small things…

Cheers.

--Claus V.

April 1st link-dump

No. No April Fool’s jokes here.  All are refreshingly legit.

Cheers.

--Claus V.