Tuesday, February 21, 2012

How to Uninstall Any Anti-Virus!


Embarrassingly enough this one comes from Microsoft itself, however it is amazingly useful:

Site for quickly gathering some technical statistics from users

http://supportdetails.com/

It’ll automatically tell you your OS, browser, IP, Flash version, etc. Might prove useful in some circumstances where gathering this data over the phone is unwieldy otherwise.

Credit to my co-worker Sean for showing me this

Windows 7 "Run as" + "Run as domain user from non-domain machine"!

I know that we all miss the Windows XP right click > run as trick...

Well to get that option in Windows 7, you simply have to Shift + Right Click and select “Run as different user”! (News to me, maybe some people already knew).


In addition, if you need to run a program as a domain user from a non-domain computer, you can use the “runas” PowerShell command with the /netonly flag.

E.g. runas /netonly /user:domain\username "program.exe" (where program.exe is the program to launch)

Cheers!

Windows DHCP running out of IPs and can't change scope?

Took a call tonight from a client regarding them being unable to get a DHCP IP address throughout the day, and learned something incredible about Windows DHCP in the process that I didn’t learn when studying for the 640 exam.

Obviously increasing the DHCP scope would resolve this problem, but I didn’t have a good way of telling why their scope was set the way it was and what was using the excluded IPs, nor did I want to add another subnet because I didn’t know what implications it would have.
My “Story”/Resolution notes:

Looked into the DHCP issue they were seeing. DHCP server was reporting only ~50 leases active. Checked the DHCP lease period and it was set to 6 hours, which seemed accurate as they would expire overnight and then free them up right? But they were still running out of IPs for some reason... I checked DHCP statistics and the DHCP scope was reporting only 14 leases open for leasing!?

Researched why this was occurring and found 2 registry values that explained it.

The DHCP Cleanup Interval (how often the DHCP server cleans up stale leases):
HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\DatabaseCleanupInterval

The DHCP Grace period (how long after a lease expires that it is reserved to be renewed before being subject to DHCP cleanup):
HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\LeaseExtension

The DatabaseCleanupInterval was/is set to 60 minutes by default; clients will renew during that period if they are active on the network. (If they become active within 60 minutes of inactivity, they can still renew their lease.)

However, the LeaseExtension registry key was not present and I finally found out the default is 4 hours! This means that a client would get a lease that is good for 6 hours and if they don't renew it during that time they would get an additional 4 hours "grace" period before it would be deleted during clean up. Since clean up only occurs once an hour, if the client got the lease 1 minute before that mark, it would actually give it another 59 minutes before it was cleaned up (essentially 5 hour grace period and 11 hours to renew their lease!).

After figuring this out I decreased the lease period to 1 hour 30 minutes and set the grace period to 60 minutes. After restarting the DHCP service I instantly saw the DHCP scope go from 92% full to 35% full!

This does increase DHCP traffic on the network, however it resolves the issue of running out of IPs if you can’t increase the DHCP scope.

TL;DR:
DHCP lease = amount of time before the lease on your IP expires.
DHCP Clean up = interval at which DHCP removes stale leases.
Can be changed with HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\DatabaseCleanupInterval reg key (in minutes)

DHCP Grace Period = Amount of time AFTER DHCP lease expires before it is subject to DHCP clean up (default = 4 hours!)
Can be set by adding HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\LeaseExtension DWORD reg key (in minutes)

Not sure if this was common knowledge or not, but thought it might be able to save at least one of us from going through the trouble I did tonight!
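
The arithmetic above as a script, added here as an example and not the author's own code: it reads the two registry values (falling back to the 60-minute and 4-hour defaults given in the post when a value is absent) and reports how long an address that is never renewed stays tied up. The function names are made up for this example, and the lease duration is passed in by hand rather than read from the scope.

```powershell
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters'

# Read a DWORD (minutes) from the DHCP server parameters, or return the default
# when the value does not exist (as LeaseExtension did not in the post).
function Get-DhcpRegMinutes {
    param([string]$Name, [int]$DefaultMinutes)
    $item = Get-ItemProperty -Path $ParamsKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $null -ne $item.$Name) { return [int]$item.$Name }
    return $DefaultMinutes
}

# How long an address stays unavailable after it is leased and never renewed.
function Get-DhcpAddressHoldTime {
    param(
        [Parameter(Mandatory = $true)][int]$LeaseMinutes,
        [int]$GraceMinutes   = (Get-DhcpRegMinutes 'LeaseExtension' 240),
        [int]$CleanupMinutes = (Get-DhcpRegMinutes 'DatabaseCleanupInterval' 60)
    )
    # Earliest release: a cleanup pass runs right as the grace period ends.
    $earliest = $LeaseMinutes + $GraceMinutes
    # Latest release: the grace period ends just after a cleanup pass, so the
    # lease waits almost one full cleanup interval more.
    $latest = $earliest + $CleanupMinutes
    [pscustomobject]@{
        LeaseMinutes   = $LeaseMinutes
        GraceMinutes   = $GraceMinutes
        CleanupMinutes = $CleanupMinutes
        EarliestHours  = [math]::Round($earliest / 60, 2)
        LatestHours    = [math]::Round($latest / 60, 2)
    }
}

# Set the grace period (minutes) and restart the service so it takes effect,
# as done in the post. Defined only; call it deliberately on the DHCP server.
function Set-DhcpGracePeriod {
    param([Parameter(Mandatory = $true)][int]$Minutes)
    New-ItemProperty -Path $ParamsKey -Name 'LeaseExtension' `
        -PropertyType DWord -Value $Minutes -Force | Out-Null
    Restart-Service -Name 'DHCPServer'
}

# Settings before the change in the post (6 h lease, default grace and cleanup)
Get-DhcpAddressHoldTime -LeaseMinutes 360 -GraceMinutes 240 -CleanupMinutes 60
# Settings after the change (1 h 30 min lease, 60 min grace)
Get-DhcpAddressHoldTime -LeaseMinutes 90 -GraceMinutes 60 -CleanupMinutes 60
# Whatever this server currently has configured, for a 6-hour lease
Get-DhcpAddressHoldTime -LeaseMinutes 360
```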

Tuesday, October 18, 2011

Deploy Adobe Flash over Existing Versions

2. Download appropriate MSI packages for newest version
3. Create GPO

Seems easy right? Except the MSI installer has issues overwriting the C:\WINDOWS\system32\Macromed\Flash\***.ocx file for versions of Flash prior to 11. I searched high and low to resolve this issue and the only thing that I found that worked (and could be scaled) was running the Flash Player uninstaller, which of course only comes in the executable flavor.

My new plan was to create a startup script to run the uninstaller, but then I realized we would have Flash Player being uninstalled and reinstalled on every reboot - not a very efficient use of resources.

I did some testing and found the registry keys for Flash Player 11 (11 was current version at time of writing this) were stored in a different key than previous versions. I created the below startup script to check for previous versions and then run uninstaller and we were all set!

setlocal

REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Setting Adobe Flash Product Name
set ProductName=Adobe Flash Player Plugin

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

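REM Quote the key path: the product name contains spaces.
REM reg query returns 1 when the key is not found.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%"
if %errorlevel%==1 (goto UninstallFlash) else (goto End)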

:UninstallFlash
start \\\NETLOGON\Files\AdobeFlash\uninstall_flash_player_32bit.exe -uninstall

REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End

Endlocal

Friday, August 12, 2011

Copy + Paste in cmd prompt!

If you use cmd prompt a lot you have to know how annoying it is to not be able to use ctrl + c and ctrl + v to copy and paste. Well if you have ever used a Unix/Linux command line you know that in almost all of them you can highlight text with your mouse and paste with a right click – very useful and time saving.

Apparently you can do the same in cmd prompt if you enable “QuickEdit” mode:

To enable QuickEdit mode:
1. Right-click the Command Prompt's title bar and go to Properties.
2. Under Edit Options, select QuickEdit Mode.
3. Paste text using the mouse right-click button.
This will also let you select text using the mouse and copy it to the clipboard from the Command Prompt by hitting Enter or right-clicking.

Windows 7 will save your QuickEdit mode preference, however if you are using an older OS version and want this to be the default behavior for the Command Prompt, use the Registry Editor (regedit.exe from Run), go to HKEY_CURRENT_USER\Console and set the QuickEdit key's value data to 1. That should do the trick, permanently.

Source: http://www.techspot.com/guides/311-paste-cmd-using-ctrl-v/

Happy copy/pasting!

Thursday, July 7, 2011

Can't get SEP to install?

Just had the most frustrating/bizarre/nightmare SEP installation issue. Been working on it all night and FINALLY got it to work. Thought I’d share what finally got it to work for me.

It all started with a user who had SEP installed, but virus definitions hadn’t been updated in a couple months. When I tried to run LiveUpdate it gave me errors. Uninstalled LiveUpdate and reinstalled and LiveUpdate still gave me same errors. Decided to remove SEP and re-install to try and fix and then SEP wouldn’t install!

All the errors I received along the way:

Eventvwr:

“The description for Event ID 101 from source AutomaticLiveUpdate Scheduler cannot be found”

“Product: Symantec Endpoint Protection -- Error 1606. Could not access network location %APPDATA%\.”

“LiveUpdate returned a non-critical error. Available content updates may have failed to install.”

“Windows Installer installed the product. Product Name: Symantec Endpoint Protection. Product Version: 11.0.6300.803. Product Language: 1033. Manufacturer: Symantec Corporation. Installation success or error status: 1603.” (NOT a success M$)

“Product: Symantec Endpoint Protection -- Symantec Endpoint Protection has detected that there are pending system changes that require a reboot. Please reboot the system and rerun the installation.”

“Failed to connect to server. Error: 0x800401F0”

SEPInst.log:

“Failed unregistering service.”

“serviceIsRunning: OpenService FAILED with error 1060” (Original Live Update Error I think, can’t remember at this point)

Resolution:

All these steps may not be required, but I had already tried clean wipe several times and a lot of different Google’d steps and none in themselves worked so I did all of these before trying another install.

#1 (VERY IMPORTANT) Block any SEP install GPO for JUST the computer you are working on. If you don’t, SEP will try to re-install on every reboot.

Deleted the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmcService\Symantec Management Client

Deleted the following folders (if they exist):

C:\Program Files\Symantec

C:\Program Files\Symantec Antivirus

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate (Win XP)
C:\program data\symantec\liveupdate (Windows 7 or Windows Server 2008)

C:\Program Files\Common Files\Symantec Shared

C:\Users\%username%\AppData\Local\Symantec

Ran this M$ FixIt

Removed Deny permissions for “Everyone” group on “C:\Users\All Users\Application Data” (Hint: have to do through advanced permissions) – Although this is just a junction point, I also saw errors saying Access Denied to that folder so I figured it wouldn’t hurt.

I then found this link which walks through the manual uninstall of SEP. Most of the stuff was already deleted by CleanWipe so it didn’t take much longer.

Finally after this I rebooted, re-enabled SEP GPO for computer, did a “gpupdate /force”, rebooted again and crossed my fingers and it worked!