Process Mitigation / Exploit Protection

Process Mitigation (PM)
Win 10 Exploit protection settings are displayed/controlled in Update & Security_Windows Security_App & browser control_Exploit protection settings.

Depending on the GPOs used the settings may or may not be visible or changeable within the user interface.

The powershell cmdlet Set-ProcessMitigation -system can be used to control the settings.  The results of these commands modify a registry key value

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationOptions

Settings for applications are stored here
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<AppName.exe>\MitigationOptions

Using get-processmitigation -system
Many of the PM settings display as NOTSET.  This means that they are at the OS default settings and may be ON or OFF.  Using the -RegistryConfigFilePath to export the settings to an XML file will not include any default system settings, only ones that have been specifically set.

Once Set-ProcessMitigation is used for any settings e.g. to set ON for a given setting, the only way to return to the original NOTSET state is to delete the MitigationOptions key above.

Set-ProcessMitigation only enables or disables settings, it cannot be used to return to the original OS default setting state NOTSET

In Windows 10 1803 and 1809 these are the OS default settings

Control Flow Guard (CFG)
Use default (On)

Data Execution Prevention (DEP)
Use default (On)

Force randomization for images (Mandatory ASLR)
Use default (Off)

Randomise memory allocations (Bottom-up ASLR)
Use default (On)

High-entropy ASLR
Use default (On)

Validate exception chains (SEHOP)
Use default (On)

Validate heap integrity
Use default (On)

Windows 10 Pro Optional Features Missing

Attempting to apply the XPS Viewer feature to a non domain Windows 10 1903 Pro install logged in as a local user results in no features available to select.

Settings_Apps & Features_Optional Features

At this point UAC prompts for elevation, enter the admin account credentials.

Some Optional Features appear along with an Add a feature button.

Click "Add a feature" and again and enter the admin credentials at the UAC prompt.

No features to install appears but it looks optimistic because there are spinning spots which seem to indicate that any minute now the features you are looking for will appear for selection.

But no.  These are not the features you are looking for, user scum.

The spinning spots stop and there is nothing.  Move along.

The problem here seems to be the UAC hand over to the admin credentials.

If you interactively logon as the administrator and carry out the same procedure, the features you are looking for will appear for your selection and installation delight.

Note: The RSATs are Windows 10 optional features but also available for download here
https://www.microsoft.com/en-us/download/details.aspx?id=45520

Office 365 channel change

A normal Office 365 download will default to monthly channel but Semi-Annual channel may be preferable.  To change the channel to Semi-Annual, run the following commands

1. Run CMD as Admin
Search for CMD and then right click on Command Prompt > click on Run as Administrator
2. Type
cd C:\Program Files\Common Files\Microsoft Shared\ClickToRun
Press Enter.
Type
OfficeC2RClient.exe /changesetting Channel=Broad
Press Enter.
Type
OfficeC2RClient.exe /update user
Press Enter.


Channel identity notes

Channel Keyword in CMD or ODT
Monthly Channel (Targeted) Channel = "Insiders" or Channel = "FirstReleaseCurrent"
Monthly Channel Channel = "Monthly" or Channel = "Current"
Semi-annual Channel (Targeted) Channel = "Targeted" or Channel = "FirstReleaseDeferred"
Semi-annual Channel Channel = "Broad" or Channel = "Deferred"

information from
https://answers.microsoft.com/en-us/msoffice/forum/all/to-change-update-channel-office-365/c1b70a1f-4741-4940-9d49-32e6e5607769

Detection

SCCM Application Package Detection

I know what it is.  I can never remember this word for it !

Validation ?
Checking ?

what IS it ?

now it is in my blog I will not forget it.

Checkpoint Website catagories

Use this link to discover how Checkpoint categorises the target URL

https://urlcat.checkpoint.com/urlcat/main.htm

A free login account is required.

Adding AD attributes to SCCM user objects

Needed to create a user collection based on some custom AD attributes.

Thanks to Paul Smith for pinging this over to me.

https://www.systemcenterdudes.com/sccm-2012-custom-active-directory-attributes/

Check out the discovery methods in the Administration_Hierarchy Configuration_Discovery Methods

Epoch Converter

For converting the 18-digit Active Directory timestamps, also named 'Windows NT time format', 'Win32 FILETIME or SYSTEMTIME' or NTFS file time. These are used in Microsoft Active Directory for pwdLastSet, accountExpires, LastLogon, LastLogonTimestamp, and LastPwdSet. The timestamp is the number of 100-nanosecond intervals (1 nanosecond = one billionth of a second) since Jan 1, 1601 UTC.


https://www.epochconverter.com/ldap

App-V 5 Scripting hints.

Scripting

https://www.alkanesolutions.co.uk/blog/2016/05/17/powershell-scripting-examples-app-v/

App-V Passthough Registry Keys

The registry keys which the Virtualised application can passthough to the physical registry are listed in this key

HKLM\SOFTWARE\Microsoft\AppV\Subsystem\VirtualRegistry\RemoteThroughPaths

Useful network troubleshooting reference

Useful network troubleshooting reference

https://support.microsoft.com/en-us/help/325487/advanced-network-adapter-troubleshooting-for-windows-workstations

and it's gone. "Sorry page not found.  404."  Microsoft WHY do you do this? I'll just have to start copying out this stuff and posting it whole instead of using links.

Fortunately some one scraped it so its here

https://mskb.pkisolutions.com/kb/325487

SC

This lists all SERVICE_NAME and DISPLAY_NAME items which match the string.

sc queryex type= service | find /i "string"

The DISPLAYNAME and SERVICE_NAME may be completely different strings though.

This command gets the SERVICE_NAME from the DISPLAY_NAME
sc getkeyname "SMS Agent Host"
returns
[SC] GetServiceKeyName SUCCESS
Name = CcmExec

This shows the windows service status.
sc query "SERVICE_NAME"

These are start/stop commands
sc start "SERVICE_NAME"
sc stop "SERVICE_NAME"

App-V Client Service Error 575

Windows could not start the Microsoft App-V Client on <machinename>.  For more information review the System Event Log.  If this is a non-Microsoft service, contact the service vendor, and refer to service-specfic error code 575.

This occured in some seemingly normal deployment collection change in SCCM.  Machines were moved from one collection where the package had already been targeted due to an upgrade, to another collection intended to be used for the specific version deployment.  The expected behaviour was that the SCCM client would detect the package was already applied and report "Already compliant" for the deployment stats.  That didn't happen........

The App-V clients were affected - in a bad way.

The app involved had the C:\ProgramData\Microsoft\AppV\Client\Catalog\Packages\{PackageGUID}  folder deleted then the service started fine.

Ran the Application Deployment Evaluation Cycle on the client and the SCCM client resurrected the package from the SCCM cache within a minute.

Root Cause - unknown.  Suspected corruption of the XML files in the catalog folder

Thanks to
http://blog.notmyfault.ch/?p=207

It was possible to do a mass correction / repair operation by deploying a powershell script to automate the above repair actions.

ATI 2018 recovery failure workaround

While attempting to recover a partition from a disk image backup, the recovery failed during several attempts, each time at a different disk sector.  The recovery was being carried out by booting from the bootable recovery media previously generated from the Windows Acronis True Image (ATI) Software onto a USB key.  The target drive was a Samsang EVO 840 500Gb SSD where the backup had been made from previously.

The error text is:

Acronis True Image
Failed to write data to the disk <sector number> of hard disk <number>
Failed to write to the snapshot manager drive. (0x1000DA)
Unknown status. (0x9)
The request could not be performed because of an I/O device error (0xFFF0)
Retry / Ignore / Ignore All / Cancel





















Some of the recovery job did proceed until the failure, each time at a different disk sector.  The suspicion was that the drivers for the SSD drive being written to were crashing out causing the failure.

To work around the problem, the latest bootable recovery media was downloaded from the Account area on the Arconis website.  A further problem then occurred.  The downloaded bootable recovery media was linux based and could not read the external USB 3.0 drive containing the disk images.  As the computer was still bootable from another drive and OS, the disk image was copied to an internal drive which the linux bootable recovery software could see.

The recovery then completed as expected without issue.

keywords recovery restore ATI Acronis True Image 2018