KB2918614 – Not only does it break MSI Repair.

“What the security bulletin doesn’t say is that the change in Windows Installer repair operations means that application repair attempts will be met with a User Account Control credential window each time. However, the credentials required are administrator access.”
Bug or Feature? KB2918614 Alters Windows Installer Behavior

Should your application install use Active Setup to apply, say, personal per-user settings, then this MS14-049 security patch causes a UAC prompt as well.

The current workaround, courtesy of happysccm,  is as follows:

  1. Uninstall the application and reinstall it with the security update installed. (sourcehash file generated with security update)
  2. Manually copy the sourcehash file to c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.

Not scalable if, say, you have 500 packaged applications deployed to customers.

Forgeries, Fakes and Forensics

Recently went to a talk by Victoria Police Chief Forensic Scientist, Bryan Found PhD, titled “Forgeries, Fakes and Forensics”.

Bryan Found is a very engaging presenter.  Things I found of interest, in no particular order:

  • You can sign your signature with different parts of your body.
    Which is to say the mechanical motions to write your signature can be used by your foot, or your bum.
  • In one security role I held, the mantra was “burn the paper, and then stir the ashes”.
    As burnt paper can be coated to stop it disintegrating, and the burnt writing can then be read.
  • All photocopiers now print a digital watermark, which can be used to identify the photocopier, and the time and date of printing.
    Printer manufacturers will extend this to all printers over time.
  • Think using a black marker to redact lines in your diary will make the original text unreadable?  Think again…
  • The devices used to reassemble shredded paper files are called “graduate trainees”. 🙂

How to determine why a user has failed to logon

By looking at the Security Event Log, and Event ID 529


In the above example, the user tried to logon to the computer while it was disconnected from the network.  You can tell this from the Logon Type of 11.

Other logon type values are as follows:

| Logon Type | Description |
|---|---|
| 2 | Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10. |
| 3 | Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon – Never logged by 528 on W2k and forward. See event 540) |
| 4 | Batch (i.e. scheduled task) |
| 5 | Service (Service startup) |
| 6 | Proxy |
| 7 | Unlock (i.e. unattended workstation with password protected screen saver) |
| 8 | NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with “basic authentication”) |
| 9 | New Credentials |
| 10 | RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance) |
| 11 | CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network) |

Reference: Auditing User Authentication
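
To triage more than one failure at a time, the Event ID 529 descriptions can be parsed and grouped by user, logon type and workstation. This is an added example, not part of the original post; the event text below is constructed, and its field layout is assumed to follow the standard 529 description.

```python
from collections import Counter

# Logon types from the table above (Windows 2000/XP/2003 Security log).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "NetworkCleartext", 9: "New Credentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# Constructed sample: description text of Event ID 529 records.
# User, domain and workstation names are made up for this example.
TEMPLATE = """Logon Failure:
    Reason: Unknown user name or bad password
    User Name: {user}
    Domain: EXAMPLE
    Logon Type: {ltype}
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: {ws}"""
SAMPLE_EVENTS = [
    TEMPLATE.format(user="jsmith", ltype=11, ws="LAPTOP01"),
    TEMPLATE.format(user="jsmith", ltype=11, ws="LAPTOP01"),
    TEMPLATE.format(user="jsmith", ltype=7, ws="DESKTOP07"),
    TEMPLATE.format(user="svc_sql", ltype=5, ws="SQL01"),
]

def parse_529(text):
    """Turn one event description into a dict of the fields we care about."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    raw = fields.get("Logon Type", "")
    ltype = int(raw) if raw.isdigit() else None
    return {
        "user": fields.get("Domain", "?") + "\\" + fields.get("User Name", "?"),
        "workstation": fields.get("Workstation Name", "?"),
        "logon_type": ltype,
        "logon_type_name": LOGON_TYPES.get(ltype, "Unknown (%s)" % (raw or "missing")),
    }

def summarise(events):
    """Count failures per (user, logon type, workstation), most frequent first."""
    counts = Counter()
    for text in events:
        e = parse_529(text)
        counts[(e["user"], e["logon_type_name"], e["workstation"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (user, ltype, ws), n in summarise(SAMPLE_EVENTS):
        print("%-16s %-18s %-10s %d" % (user, ltype, ws, n))
```
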

15 Password Managers

Sorry - Your Password Isn't Not Long Enough

You might have seen this cartoon here before, but it’s worth repeating, as it’s that time of month.  Some organisations require passwords that are longer than the 12 digit codes needed to arm a nuclear weapon.

I’m not the first to notice this. Jesper M. Johansson wrote about in-actionable security advice in a Microsoft Technet magazine article series called Passwords and Credit Cards.

So how do people remember passwords?

  1. Write them down and stick them under a keyboard (aka Koolpin$Gorge*)
  2. Store them in a password spreadsheet/document?
  3. Use a password manager?

It’s option 3 for me.  I use the LastPass password manager. But here are some others to consider:

| Name and download link | Comments | Free / Commercial? |
|---|---|---|
| 1Password | Version available for Macintosh, Windows, iPhone, iPad & Android.  It’s possible, via Dropbox, to sync your 1Password databases between your different systems. | $49.95 |
| AcrylicApps Wallet | Mac and iOS only | $9.99 (iOS) $19.85 (Mac) |
| LastPass | I use this.  There is a portable version called “LastPass Pocket”.   Does form-filling as well. | Free version. Premium version adds mobile device support amongst other features.  $12 per year. |
| KeePass | Free.  Open source.  Maintained. | Free |
| Microsoft Credential Manager | Free with Windows 7 & 8.  Stores Windows and website logons. | Free |
| PassBox | Windows only. | $5 |
| Passgen | Written by the great Jesper M. Johansson.  Hosted by Steve Riley @ his old Microsoft Technet blog. Not a password manager as such. | |
| Passpack | “Store logins to all online accounts. Share passwords on a need-to-know basis. 1 Click Login for everyone.“ They blog! (thanks Louise) | Non-free versions from $18 per year. |
| Password Gorilla | Windows & Mac | Free |
| Password Manager XP | I know large companies which use this. | $24.95 |
| Password Minder | Written by Keith Brown.  Worth a look. Note: Download link here. | |
| Password Safe | As mentioned by Jesper.  Free.  Open Source. | Free |
| RoboForm | More of a "web form filling" application, but it stores passwords as well.   Multi-platform (ie. iPhone/Windows/Macintosh/Linux). | Free. RoboForm Everywhere adds multiple device support.  $9.95 per year. |
| Sticky Password | Evolved from the multi-Pass password manager.  iPhone and Android version available as well.   “Sticky Password is now also supporting Android as well and is cloud based with option to choose offline version for those who do not like to have their data being synced over the cloud.” | $12 per year. |
| UsableLogin | Generate unique secure passwords for each website you login to.   Multi-platform. | Free |

* a server, for a sensitive organisation, had the server password stored under the server keyboard. Koolpin Gorge was where the server guy took his last annual leave.

edited 21 September: let’s make it 8 password managers, thanks for the comments folks.
edited 12 October: added Passgen tool description and link.
edited 27 May: added Password Minder.
edited 31st October: added Microsoft Credential Manager & Sticky Password
edited 7 May 2013: updated links/comments.  Added PassBox
edited 26 November 2013: Added Password Gorilla & Free/Commercial column.
edited 5 December 2013: Added AcrylicApps Wallet and updated the Sticky Password comments


Bypassing Internet Explorer Group Policy lockdowns.

We lock down Internet Explorer, to prevent our non IT-savvy staff from changing settings which will break their internet access.  We apply those same settings to ourselves, which isn’t as bad as it sounds.  It ensures that when we make a Group Policy change, we’re impacted in the same way if it goes wrong.

But there are times when we need to bypass those settings.  One way we do that is by deleting the Group Policy Registry keys which control Internet Explorer.  We put the following in a .reg file and execute it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

It works quite well.

Broken websites, and Microsoft update KB2661254

Did you know that Microsoft invalidated/stopped the use of security certificates with an RSA key length of less than 1024 bits?  And they started doing this back in August 2012?  No, we missed that security bulletin too.  So we awoke to a broken website.
(it was the client PC which was broken, but everyone blames the website when they can’t get to it.)

We had deployed KB2661254 that is.

The first we heard of KB2661254 was when one of our support team logged a help desk call about the issue it causes.  The helpful Internet Explorer screen looked like this:
IE Broken

A quick look at the website certificate details confirmed the actual problem:

As this was an internal website, we were able to generate a new (larger) certificate fairly quickly.

Computer Associates eTrust ITM definitions not updating

I was researching (another) eTrust issue today, and found this (defunct) blog post by Brad Benner.  Thought I’d save it from the memory hole.

The virus definitions for one of our internal servers running Computer Associates eTrust ITM v8.0 hadn’t been updated since the last time we rebooted the server (about 45 days ago). I tried updating the definitions manually by right-clicking the eTrust ITM tray icon and clicking Download Updates Now and also restarting the eTrust ITM services – both to no avail.

In looking at the eTrust Distribution Events log, I noticed that the following message had been logged several times a day since the last server reboot:

An instance of the distribution program is running!


Active Directory User account being locked repeatedly

(I don’t know the answer to this yet, so this is just a dump of what I know.)

Customer reports that their Active Directory User account is being locked out 2->3 times a day.

  • They have “admin” rights on their PC.
  • They are using Microsoft SQL Management studio, which may/may not be triggering the account lock.
    Googling for some answers, hasn’t been successful.  Here is some of what Google returned.
    Microsoft Account Lockout and Management Tool & download link

    Tool Description
    LockoutStatus.exe The LockoutStatus.exe displays information about a locked out account. It does this by gathering account lockout-specific information from Active Directory.
    ALockout.dll The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication. The tool then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file
    update 13 Sep 2012: sample log extract below.

    If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users’ passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This will allow you to use the ALockout.dll tool and other account lockout tools to set up the tools prior to the initial account lockout. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.


    You can use the AcctInfo.dll tool to add new property pages to user objects in the Active Directory Users and Computers MMC Snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a user’s password on a domain controller in that user’s local site.


    You can use the EventCombMT.exe tool to gather specific events from event logs from several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.

    NLParse Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes.
    Alockout.txt log file (sample):


How to recover a “WiFi” password from a Windows PC.

Or, “I’ve forgotten my Wireless password and don’t know how to retrieve it from my Windows 7 PC.”

I didn’t either, until today.

The background was that a customer was trying to add an iPad to their home network, and wasn’t able to, because they forgot their WiFi password.  So they called up.

There are three ways I found to recover a WiFi password.

1. WirelessKeyView by NirSoft.
This utility works, but some anti-virus products report it as malware.  That is a bit of a put off for (less experienced) end users.

WirelessKeyView has the advantage of working on Windows XP as well.

2. LastPass.
The LastPass password manager has a built-in WiFi password import tool.  It works very well, but the flaw with LastPass is that you need to convince your user to install it, which means getting the user to sign up for a free account.
Lastpass WiFi 

3. Use the built-in Windows “netsh” command.
From an administrator command line, type:
     netsh wlan export profile key=clear
and then press Enter.

Interface profile "GoldFish" is saved in file ".\Wireless Network Connection-GoldFish.xml" successfully.

This will cause “Wireless profile file(s)” to be written to the current directory.  Here are the contents of the Wireless Network Connection file for my GoldFish WiFi network.

<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
                <keyMaterial>T-Man Colt 1911 These Boy Billards</keyMaterial>


My GoldFish WiFi password is highlighted in blue above, between the <keyMaterial> tags.
ie. “T-Man Colt 1911 These Boy Billards”
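
Because the export writes the key to disk in clear text, the XML files should be removed once the password has been read. The following is an added example, not part of the original post: it scans a folder for exported profiles that still hold a clear-text key, without printing the key. The sample profile, its SSID and its passphrase are constructed, and the element layout beyond the `<keyMaterial>` line shown above is assumed from the standard WLAN profile schema.

```python
import glob
import os
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample of a complete exported profile (SSID and key are made up).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ExampleNet</name>
  <SSIDConfig><SSID><name>ExampleNet</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected>
      <keyMaterial>constructed example passphrase</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_data):
    """Summarise one exported profile (str or bytes) without echoing the key."""
    root = ET.fromstring(xml_data)
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    shared = "w:MSM/w:security/w:sharedKey/"
    key = text(shared + "w:keyMaterial")
    return {
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text("w:MSM/w:security/w:authEncryption/w:authentication"),
        # protected=false means keyMaterial is the passphrase itself
        "cleartext_key": bool(key) and text(shared + "w:protected") == "false",
        "key_length": len(key or ""),
    }

def find_cleartext_exports(directory):
    """Return paths of exported profiles in `directory` holding a clear-text key."""
    hits = []
    for path in sorted(glob.glob(os.path.join(directory, "*.xml"))):
        try:
            with open(path, "rb") as fh:
                if audit_profile(fh.read())["cleartext_key"]:
                    hits.append(path)
        except (ET.ParseError, OSError):
            continue  # not a readable WLAN profile; ignore it
    return hits

if __name__ == "__main__":
    for leftover in find_cleartext_exports("."):
        print("clear-text WiFi key still on disk:", leftover)
```
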