Category Archives: (P) Windows

Install and Run Windows 10 8 7 XP on Any Android Phone NO ROOT 2017

Click Here To Watch

Install and Run Windows 10 8 7 XP on Any Android Phone NO ROOT 2017

Links: https://goo.gl/YxhwfY

Updated Windows image Link: https://goo.gl/reOTw4

Mirror Link: https://goo.gl/gDtE55

More Mirrors: https://goo.gl/jyH4As https://goo.gl/gTQ5wb

New Updated Mirrors(April 25th 2017) https://goo.gl/YIIWud

New Updated Windows 10 Link x64 (Download Gandalf file) https://goo.gl/1cD90W

Windows 10 Link x86(Use Gandalf file) https://goo.gl/MqJ6pa

Application: Limbo https://goo.gl/YxhwfY

 

image file: https://goo.gl/5u8ixq

Windows 10 tip: Protect removable storage devices with BitLocker encryption

Do you use a USB flash drive, MicroSD card, or portable hard drive to keep backups of important files? Protect yourself by encrypting removable storage devices so your files can’t be accessed if the drive is lost or stolen.

 

humb drives, SD cards, and portable hard drives are tremendously convenient. They’re also tremendously risky.

If your removable drive is lost or stolen, whoever finds it has complete access to its contents, which might include confidential files and personal information.

To eliminate that risk, use the BitLocker To Go feature of Windows 10 Pro and Enterprise editions to encrypt the drive so that it can’t be read without a password.

After inserting the drive, open File Explorer, right-click the drive’s entry, and click Turn On BitLocker. That starts the BitLocker Drive Encryption wizard. Enter a password and save a recovery key so that you can regain access to the data if you forget that password. For removable drives, choose Compatible Mode (which allows you to open the drive even on older Windows PCs) and then finish the wizard.

The encrypted drive can be opened on any Windows PC, even one that’s running a non-business edition of Windows. Enter the password and choose the Automatically unlock on this PC option to avoid having to enter the password on a PC where you’re already signed in. If you lose the drive, whoever finds it will be unable to read its contents without the password or recovery key.

Remove Bitmessage Ransomware Permanently

Research on Bitmessage Ransomware

In case your Microsoft Office files, images, videos, audios, emails and databases are injected with an .1999, .bleep, or .ccc extension, it indicates that your computer has been infected with file-encrypting Ransomware such as TelsaCrypt, RSA-2048 or Bitmessage , which is destructive virus made by hacker for robbing money online. Similar to common ransomware, Bitmessage mainly sneaks into your system via spam email attachments. Such suspicious emails will disguise as normal email sent by your friends, families or from famous companies, and they usually contain a document, photo or video file needed you to download. As soon as you download the attachments and open it, your files will be ruined by Bitmessage within a sec. Most of your files are changed into weird name with .1999, .vvv, or .ccc extension, and you will see a unknown TXT file in the infected folders or a popup photo on your screen, which is used to show you the warning message asking you to pay ransom fees to buy the decryption key.

delete Bitmessage

Bitmessage is definitely an evil tool used by hacker to make money illegally. After it locks your files, it charge lots of money for recovering your files. Some people think that they can call the police or FBI to catch the hackers and get the files back, but unfortunately, no one can track these top hackers so far, because they use encrypted tunnel with fake name to contact the victims, and their accounts for receiving the money are Bitcoin account, thus they can rob your money without being punished.

Most of victims may choose to compromise and send the ransom fees to exchange their precious files but are you sure that these cyber criminal who created Bitmessage virus will recovere your files after you pay? Our research team found that there is no guarantee on such payment, lots of victims paid lots of money but still lost all files. Therefore, we suggest not to pay money to these hackers. It is a huge risk, not only on your money , but your private information such as banking accounts. Your credit cards and banking accounts may even be hacked by Bitmessage if you pay the ransom money.

In such a situation, the right things you need to do is: 1. Remove all malicious files, codes of Bitmessage and related threats from your system completely; 2. Restore your files with your back-up (if available), or use third party legitimate data recovery software to recover your files. In case you are a victims of Bitmessage ransomware, follow the guide below to cure your computer now and try your luck with the data recovery tools to save your files. We hope this tutorial will be helpful to you.

Bitmessage Removal Tutorial

First Method – Manually Remove Bitmessage (For Users with Expert Skills)

Second Method – Automatically Remove Bitmessage Quickly and Safely (Easy For All Computer Users)


First Method – Bitmessage Manual Removal

Step 1 – End Bitmessage process in Task Manager.

1. Press “Ctrl+ Shift + Esc” keys to call out Windows Task Manager
2. Click Processes > find Bitmessage process or suspicious processes and select End process.
remove Bitmessage virus

Step 2 – Uninstall Bitmessage and suspicious programs from Control Panel.

Windows 10 : Click Start Menu >> Click All Apps >> Find out Bitmessage and other unwanted programs, then right-click on it and select Uninstall:
get rid of Bitmessage

delete Bitmessage

Windows 8
  • Move the mouse to the lower-left corner of the screen and clicking the Start button;
  • Type “control panel” in search box and then click Control Panel.
  • Find Bitmessage and unwanted programs >> click Uninstall

Bitmessage removal

how do i remove Bitmessage
Win 7 / Vista / XP
  • Click Start button >> click Control Panel in Start Menu
  • Click Uninstall a program to open Programs and Features
  • Find Bitmessage and unwanted programs >> click Uninstall

 

how can i get rid of Bitmessage
how do i delete Bitmessage

Step 3 Remove Bitmessage related registry files in Registry.

  • Press Win + R keys together to open Run window
  • Type “regedit” and click OK
  • Find out all related registry files of Bitmessage:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWpm
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain “Default_Page_URL”
HKEY_LOCAL_Machine\Software\Classes\[adware name]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “.exe”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\random
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\random
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “CertificateRevocation” = ’0


(Note – This guide is only provided as an reference to help you get rid of Bitmessage ransomware to make your PC healthy and prevent new files being infected. We cannot promise that the recommended tools can recover every user’s files which have been encrypted by the most dangerous ransomware such as Bitmessage. Wish you with good luck!)

———————————————————————————
Tips on Prevent Virus and Malware Such as Bitmessage
If you want to keep your PC from all kinds viruses and malware active online, you need to always follow these rules while using your PC:
1. Always choose Custom Installation while installing freeware so that you can deselect unwanted options or cancel unauthorized change;
2. Always scan attachments in emails before you open it; never open any attachment or click links on emails which you do not know if it is safe;
3. Do not visit any porn website because most of porn websites embedded with malicious codes from cyber criminal;
4. Always scan torrent files and other files downloaded from third party website before you open them;
5. Never update any of your software from third party website; make sure the software update alert appearing on your screen is from official website;

6. Do not click ads (e.g. “Ads by “, “Ads brought by “, “Ads powered by “, etc. ) which do not belong to the websites you visit.

LaZagne – Password Recovery Tool For Windows & Linux

The LaZagne project is an open source password recovery tool used to retrieve passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases and so on). This tool has been developed for the purpose of finding these passwords for the most commonly-used software. At this moment, it supports 22 Programs on Microsoft Windows and 12 on a Linux/Unix-Like operating systems.

LaZagne - Password Recovery Tool For Windows & Linux

It supports a whole bunch of software including things like CoreFTP, Cyberduck, FileZilla, PuttyCM, WinSCP, Chrome, Firefox, IE, Opera, Jitsi, Pidgin, Outlook, Thunderbird, Tortoise, Wifi passwords and more.

Usage

Retrieve version

Launch all modules

Launch only a specific module

Launch only a specific software script

Write all passwords found into a file (-w options)

Use a file for dictionary attacks (used only when it’s necessary: mozilla masterpassword, system hahes, etc.). The file has to be a wordlist in cleartext (no rainbow), it has not been optimized to be fast but could useful for basic passwords.

Change verbosity mode (2 different levels)

You can download laZagne here:

Windows – laZagne-Windows.zip
Source – Source-1.1.zip

Elevating privileges by exploiting weak folder permissions

Securing machines is always an on-going process whether it is by locking down settings, blocking applications, disabling Windows Services, making sure user privileges are kept to a minimum and so on. If we don’t then users will end up installing non-standard software, making changes to the system, malware doing more damage once getting compromised, etc. This post is about weaknesses in folder permissions leading to elevation of privilege by using DLL hijacking vulnerabilities in Windows Services.

What is DLL hijacking?
A few years ago there was quite a bit of hype being able to load malicious DLLs remotely or locally from the current working directory. The Microsoft article [1] explains it clearly

“When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called a DLL preloading attack or a binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.”

So if an application loads a DLL just by its name it goes through the search order below (32bit OS) to find the library

  1. The directory from which the application loaded
  2. 32-bit System directory (C:\Windows\System32)
  3. 16-bit System directory (C:\Windows\System)
  4. Windows directory (C:\Windows)
  5. The current working directory (CWD)
  6. Directories in the PATH environment variable (system then user)

What are we exploiting?
The goal here is to get local admin rights on the machine. In order to achieve this we need three things to make this work

  • Windows DLL search order
  • DLL hijacking vulnerability
  • Weak folder permissions

Windows DLL search order
In Windows DLL search order the directories of the path environment variable are the last search it carries out starting with the system variable path and then the user variable path. Unless the application hasn’t used a fully qualified path name for its DLL it will try to find the DLL through the search order even with certain mitigations in place.

DLL hijacking vulnerability
A quick way to find DLL hijacking vulnerabilities is to start Process Monitor, setup the relevant filtering and carry out some actions. Here we will be exploiting Windows Services as a large number of services run on SYSTEM privileges, just by stopping and starting the services and observing the search patterns. Keep in mind that Services running under SYSTEM does not search through user path environment. After stopping and starting Services a number of vulnerabilities had been discovered.

One Windows Service being the “IKE and AuthIP IPsec Keying Modules” This service is not started and set to manual by default but might be started or set to Automatic by VPN clients, policies, other Services, etc. For someone trying to obtain local admin rights starting Process Monitor will not be possible with limited permissions so let’s go through the steps if we didn’t have rights. In this example the IKE service is used but it can be any service for software that you may not have direct access to and need to audit.

First let’s take note of the service executable through Windows Services (say services.msc via run command) checking to see if its status has started and running under localsystem.

Now checking in the registry to see if there are any service dlls being loaded by the service

We can copy these files (svchost.exe and IKEEXT.DLL) off to another machine to do our static analysis. After loading in IDA and simply searching for loadlibrary and jumping to the call will show what library is going to load. If a fully qualified path is not specified then we may be in luck. Here in IKEEXT.DLL LoadLibraryW will try to load “wlbsctrl.dll”

Note: It is not always as straight forward as in this example as the dll called might be using fully qualified path name but linked at compile time with another dll which will try to load this at load time which might be vulnerable due to being in another folder or not available.

Lastly we search for the library wlbsctrl.dll on the system to see if it exists and if so take note as to where it is located.

C:\>dir wlbsctrl.dll /s

In this case wlbsctrl.dll does not exist on the system so it will go through the entire search order.

Weak folder permissions
Now for the most important part “Weak folder permissions”. When new folders are created in the root it is writeable for all authenticated users by default. The “NT AUTHORITY\Authenticated Users:(I)(M)” gets added to the folder where M stands for modify access. So any application that gets installed on the root can be tampered with by a non-admin user. If binaries load with SYSTEM privileges from this folder it might just be a matter of replacing the binary with your own one.

It gets interesting when applications gets installed in the root and add its path to the system path environment. This now opens the attack surface for a large number of applications that may have DLL hijacking vulnerabilities. One scenario is software getting pushed onto machines, with the likes of Marimba, Landesk, etc. which use a Windows service running with system privileges to install the software. Since it runs with system privileges software pushed onto machines such as Perl, Python or Ruby it will add to the system path environment if adding the path had been set in the package along with being installed on the root as default. Or it could be an IT support personnel installs the software with their admin rights for the user. If a user installs manually (if possible) with non-admin rights then it may be added to user path environment and then exploitation would not be possible. We can use icacls.exe to check the permissions of the folder or by the folder properties security tab.

Pwning the box
From our previous sections what we know now are

  • Service “IKE and AuthIP IPsec Keying Modules” loads service dll IKEEXT.DLL
  • IKEEXT.DLL will try to load wlbsctrl.dll
  • OS with carry its search order to find wlbsctrl.dll
  • We have a writeable folder C:\Ruby200\bin which is in the search order

All we need to do now is drop our malicious crafted DLL wlbsctrl.dll in C:\Ruby200\bin, reboot the machine and it will carry out its action under SYSTEM privileges. Users requesting Ruby, Perl, etc. are probably developers and have rights anyway but there may be other software which gets installed on the root and adds to the system path where limited users might take advantage of and this where we need to do our assessment and make any changes before being deployed.

Testing folder paths
System path environment variable comes first and then user path environment variable. Running it in a medium integrity shell for an admin or non-admin user will give the same results.

Vulnerable Windows Services
Here are Windows Services that have been found to be vulnerable and could be exploited on Windows 7 (32/64)

IKE and AuthIP IPsec Keying Modules (IKEEXT)                     – wlbsctrl.dll
Windows Media Center Receiver Service (ehRecvr)               – ehETW.dll
Windows Media Center Scheduler Service (ehSched)             – ehETW.dll

The Windows Media Center Services startup type is set to manual and status not started and will only give us only Network service privileges so I cannot see it to being much use especially with its limited privileges. It can however be started temporarily via certain scheduled tasks.

schtasks.exe /run /I /TN “\Microsoft\Windows\Media Center\mcupdate”
schtasks.exe /run /I /TN “\Microsoft\Windows\Media Center\MediaCenterRecoveryTask”
schtasks.exe /run /I /TN “\Microsoft\Windows\Media Center\ActivateWindowsSearch”

A quick check on Windows XP has shown that these Services are vulnerable

Automatic Updates (wuauserv)                                                – ifsproxy.dll
Remote Desktop Help Session Manager (RDSessMgr)            – SalemHook.dll
Remote Access Connection Manager (RasMan)                      – ipbootp.dll
Windows Management Instrumentation (winmgmt)                 – wbemcore.dll

Other Services that might be installed are also vulnerable

Audio Service (STacSV)                                                    – SFFXComm.dll SFCOM.DLL
Intel(R) Rapid Storage Technology (IAStorDataMgrSvc)    – DriverSim.dll
Juniper Unified Network Service(JuniperAccessService)   – dsLogService.dll
Encase Enterprise Agent                                                    – SDDisk.dll

No dll hijacking vulnerabilities were found on a clean default installation of Windows 8 OS (64) so another good reason to start migrating to Windows 8.

Mitigation
There are a number of mitigations available to prevent this vulnerability to be exploited by using certain API’s, changing registry settings, applying updates, etc. it does start to get confusing as to what we are mitigating so hopefully this section will make it a bit clearer.

CWDIllegalInDllSearch
This update [2] at the time introduced a new registry entry CWDIllegalInDllSearch that allowed users to control the DLL search path algorithm. Tested on a fully patched Windows 7 machine this update is no longer required so it might have been later included in some security update. Once the patch is installed (if applicable) you will need to add the DWORD name CWDIllegalInDllSearch with a value in the registry key location

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

The value data can be 1, 2 or ffffffff. If the value name CWDIllegalInDllSearch does not exist or the value data is 0 then the machine will still be vulnerable to CWD attack. Please be aware that the value ffffffff could break certain applications. The search order is the same but this time if a malicious DLL is located in the current working directory the library is not loaded.

  1. The directory from which the application loaded
  2. 32-bit System directory (C:\Windows\System32)
  3. 16-bit System directory (C:\Windows\System)
  4. Windows directory (C:\Windows)
  5. The current working directory (CWD)            [ dlls not loaded ]
  6. Directories in the PATH environment variable (system then user)

 

SetDllDirectory
This function [3] removes the current working directory (CWD) from the search order when loading DLLs. For instance, the DLL search order after calling SetDllDirectory(“C:\\program files\\MyApp\\”) becomes:

  1. The directory from which the application loaded
  2. C:\program files\MyApp\                                    [ added ]
  3. 32-bit System directory (C:\Windows\System32)
  4. 16-bit System directory (C:\Windows\System)
  5. Windows directory (C:\Windows)
  6. The current working directory (CWD)              [ removed ]
  7. Directories in the PATH environment variable (system then user)

Passing an empty string to SetDllDirectory(“”) the current working directory (CWD) is removed from the search order

  1. The directory from which the application loaded
  2. 32-bit System directory (C:\Windows\System32)
  3. 16-bit System directory (C:\Windows\System)
  4. Windows directory (C:\Windows)
  5. The current working directory (CWD)             [ removed ]
  6. Directories in the PATH environment variable (system then user)

If this parameter is NULL, the function restores the default search order.

SafeDllSearchMode
Safe DLL search mode [4] is enabled by default. To disable this feature we can create a DWORD name SafeDllSearchMode with value 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

If SafeDllSearchMode is enabled, the search order is as follows:

  1. The directory from which the application loaded
  2. 32-bit System directory (C:\Windows\System32)
  3. 16-bit System directory (C:\Windows\System)
  4. Windows directory (C:\Windows)
  5. The current working directory (CWD)
  6. Directories in the PATH environment variable (system then user)

If SafeDllSearchMode is disabled, the search order is as follows:

  1. The directory from which the application loaded
  2. The current working directory (CWD)                   [ moved up the list ]
  3. 32-bit System directory (C:\Windows\System32)
  4. 16-bit System directory (C:\Windows\System)
  5. Windows directory (C:\Windows)
  6. Directories in the PATH environment variable (system then user)

Calling the SetDllDirectory(“”) or SetDllDirectory(“C:\\program files\\MyApp\\”) disables SafeDllSearchMode and uses the search order described for SetDllDirectory.

LoadLibraryEx function [5] takes another argument where a flag can be set to change the search order but I didnt get round to test it.

Mitigation for developers
For software developers there are a number of actions they can take

  • Use SetEnvironmentVariable(TEXT(“PATH”),NULL) API which removes the path environment variable from its search order
  • Change default installation folder to C:\Program Files
  • Use fully qualified path when loading DLLs, i.e. LoadLibrary(“C:\\program files\\MyApp\\mylibrary.dll”);
  • Use SetDllDirectory(“”) API removing the current working directory from the search order

Mitigation for IT professionals
For IT support professionals there are also a number of actions that can be taken

  • When packaging and deploying software via deployment tools such as Marimba, Landesk, etc. or manually  installing software change the installation folder to C:\Program Files
  • If software needs to be installed on the root check there are no binaries needing SYSTEM privileges
  • If SYSTEM privileges are required then change the ACL’s of the folder
  • Remove the path entry from the SYSTEM path variable if not needed

Conclusion
This post shows us how easily elevated privileges can be achieved with very little effort. Ultimately the solution is simple by just making sure all software gets installed in the C:\Program Files folder which will then inherent it’s more secure folder permissions. Malware could take advantage of this weakness not only to obtain system privileges but also to automatically load its malware making it that much harder to pinpoint its auto start entry points.

 

References
[1] http://msdn.microsoft.com/en-us/library/windows/desktop/ff919712(v=vs.85).aspx
[2] http://support.microsoft.com/kb/2264107
[3] http://msdn.microsoft.com/en-us/library/ms686203%28v=vs.85%29.aspx
[4] http://msdn.microsoft.com/en-us/library/ms682586%28v=vs.85%29.aspx
[5] http://msdn.microsoft.com/en-us/library/ms684179%28v=vs.85%29.aspx

How to Set up Multiple IP Addresses on – Windows

There are several ways to set up multiple IP addresses on a computer:

1. To have multiple network interface cards (NICs) on your computer and to assign a different IP address to each card.
2. To assign multiple IP addresses to a single NIC.
3. To combine 2 previous options: have multiple NICs with multiple IPs assigned to one or more of them.

By default, each network interface card (NIC) has its own unique IP address. However, you can assign multiple IP addresses to a single NIC.

How to assign multiple IP addresses to the same NIC

 

If you want to assign more than one IP address to a network card on Windows Vista, follow the steps below.

1. Choose Settings -> Network Connections on the Windows Start menu.
2. Right-click on the Local Area Connection, choose Properties.

3. Highlight Internet Protocol (TCP/IP), click Properties.

4. If you use DHCP, you should disable it: click Use the following IP address and enter IP address, Subnet mask and Default gateway.
5. Click Advanced… at the bottom.

6. Enter additional IP addresses: click the Add… button and enter a new IP address and Subnet mask.

If you use Windows XP, the whole procedure will be the same, except for the first steps:

Right-click on My Network Places, choose Properties.
Right-click on the Local Area Connection, choose Properties.

​How to secure Windows 10: The paranoid’s guide

That said, I think some people’s fears about Microsoft looking over your shoulder are over-the-top. And, I speak as someone who looks at Microsoft with a great deal of suspicion.

WINDOWS 10

What you need to realize is that Microsoft has made Windows 10 both a desktop and a cloud operating system. Adding cloud functionality means that when you run Windows 10 you’ll be sharing far more information with Microsoft and its partner customers than ever before.

For example, while Windows 10 doesn’t have a keylogger itdoes collect your keystrokes and voice to improve spell-checking and voice recognition. Before having a fit about this, keep in mind that every cloud-based software-as-a-service (SaaS) program does this to one degree or another. Google Docs, Apple’s Siri, Office 365, whatever — they all collect not just your final words but every keystroke and spoken syllable that went into making those words.

It’s another case with Wi-Fi Sense. You don’t need to be afraid that Wi-FI Sense will let any of your Skype, Outlook, or Hotmail contacts use your Wi-Fi network without your permission. Yes, Wi-Fi Sense is on by default, but take a closer look. It doesn’t permit anyone to use any of your Wi-FI networks without your specific permission.

LOCKING DOWN WINDOWS 10

Still don’t trust these new “features?” I can’t blame you. This is not the Windows you’ve known and used for years. This is a Windows that exists both on your PC and in Microsoft’s cloud. Here’s how to lock down Windows 10 and make it more of a PC-centric operating system.

First, head to Settings/Privacy. There you will find no fewer than 13–count ’em, 13–different privacy settings screens. The major settings are under the ‘General’ screen. The other screens are concerned with which apps can and can’t access your calendar, camera, messages, microphone and so on.

On the General screen, you’ll see your Advertising ID. This is your unique ID number. Think of it as being like a web cookie and you won’t be far wrong. It’s used to identify you to Windows apps advertisers. So, for instance, if you’re a big Dallas Cowboy fan, you can count on seeing ads for Cowboys gear. Microsoft claims it doesn’t link this ID with your name, email address, or other personal information.

If you’re still concerned about keylogging, head to Privacy/Speech, inking & typing. Think long and hard about whether to use Microsoft’s “Getting to know me” improvements. Steve Hoffenberg, VDC Research‘s Director of IoT & Embedded Technology worries, for instance, that these Windows 10’s “features” violate Health Insurance Portability and Accountability Act (HIPAA) privacy requirements. If his fears are valid, this means medical offices and health insurance companies should turn off this Windows 10 setting.

I doubt he’s right, but I’m no lawyer. Even so, were I working with transactions that fall underSarbanes- Oxley (SOX), Gramm-Leach-Bliley (GLB), or HIPAA, I’d turn off this feature, and its related setting, “Windows 10 Input Personalization.” Better safe than sorry.

Be aware, however, that if you turn off the “Getting to know me,” this will also disable both dictation and Windows 10’s voice-activated assistant Cortana,

Next, you’ll want to use “Manage my Microsoft advertising and other personalization info” to decide on whether you want advertisers to show you ads based on your browsing history and interests. Better still, skip that page and head directly to Microsoft personalized ad preferences and opt out of everything. Advertisers already know far too much about me as it is.

If you rely on using OneDrive in the cloud, where it belongs, Windows 10 isn’t ready for you.

  • h each setting even if you don’t think they’ll matter. By default, each and every privacy setting is set to give Microsoft and friends the maximum possible access. This is not a good thing.

Moving on: Head to the Location settings and turn them off. While your PC probably doesn’t have a GPS like your smartphone, you’d be amazed at how accurately your location can be pinned down using Wi-Fi access points and IP address. I’ve never been comfortable with letting anyone track me and I turn location off on every device I own except when I need GPS directions.

If you turn off location services, though, you won’t be able to fully use Cortana. That’s annoying because Cortana is one of Windows 10’s best features. It’s helpful to just ask your computer a question and get useful, personalized answers. But like its older relatives, Siri and Google Now, for Cortana to show to its best advantage it needs access to an enormous amount of personal data. For instance, Cortana must have locations services on. Cortana also watches pretty much everything you write, say and do on your PC. For example, it keeps track of your flights by detecting “tracking info, such as flights, in messages on my device.”

That’s both incredibly handy and incredibly creepy. If you find it more disturbing than useful, head to Cortana’s settings, under Cortana and Search, and turn off everything there that doesn’t pass the smell test. Cortana will be less useful, but you’ll get more privacy.

Still not private enough for you? Then don’t use Windows 10, Chrome OS, iOS, Android, or any other system that’s tied closely into the cloud. Instead, use Linux as your desktop operating system. By default, Linux is the only mainstream operating system that still relies primarily on true desktop apps.

Not ready for such a radical move? Well, actually, it’s not that radical. If you can use Windows, trust me, you can use Linux distributions such as Ubuntu 15.04 or Mint 17.2.

Otherwise, get busy locking down Windows 10. Good luck.

Troubleshooting and repairing Windows 10 problems

Given the diversity of hardware and software in the Windows ecosystem, I would be shocked if the Anniversary Update to Windows 10, version 1607, were truly problem-free. And sure enough, the latest round of updates comes with its own litany of complaints.

 

My experience confirms that this issue is sporadic; I have multiple systems configured with system files on an SSD and data on a separate drive and have not experienced any freezing issues.

Other issues with the Anniversary Update can, unfortunately, be traced directly back to Redmond. An issue that causes some webcams to stop working after a minute or so, for example, is the result of a design decision by Microsoft engineers, who apparently didn’t talk to customers before disabling some widely used codecs.

Another problem affects the PowerShell Desired State Configuration feature. (Contrary to some headlines, it doesn’t “break PowerShell.”) That issue was caused by Microsoft shipping an update package that was missing a crucial file. A replacement patch should be available this week.

As part of the research for my book Windows 10 Inside Out(the second edition is coming out this fall), I’ve spent a lot of time on official and unofficial support forums and talking to fellow support professionals who are in the trenches with businesses. I have also received a fair number of reader emails and have gone through some remote troubleshooting with a handful of readers.

My impression, based on 25 years of Windows troubleshooting experience, is that this release of Windows is above average in terms of reliability. But it’s far from perfect, and Microsoft still has some serious work to do to get its update process under control.

If you’d prefer not to deal with update-related issues, you can and probably should wait to install the Anniversary Update. Based on experience with the initial Windows 10 launch (build 10240) and the version 1511 release, most issues that arose after the initial release in the first 60 days were resolved. That’s the Windows 10 telemetry feature working as expected.

To delay the installation of the Anniversary Update, follow the instructions in this post. Note that you must be running Windows 10 Pro or Enterprise edition to do so. If you have a system running Windows 10 Home, you can currently upgrade to Pro using a product key from Windows 7 Professional or Ultimate or Windows 8/8.1 Pro. (Note that the option to upgrade using product keys from earlier editions might stop working at some future point, so I recommend that you do so sooner rather than later.)

Go to Settings > Update & Security > Activation, click Change Product Key, and type or paste the key. The upgrade takes only a few minutes

In the remainder of this post, I want to share some other tools, tips, and techniques I use for troubleshooting problems with Windows 10. I’ve used these tactics with desktop PCs, notebooks, hybrids, and tablets, and in most cases they’ve allowed me to find and fix the underlying problem.

 

Most of what’s in this list is time-tested stuff, using tools that been evolving since the early days of Windows. There are some very cool new tools in Windows 10, though, which are worth finding.

Occasionally, the return on your troubleshooting investment simply isn’t worth it. Rather than spend hours trying to track down some weird bug or software interaction, I use Windows 10’s Reset option to perform the equivalent of a clean install. The process is quick and extremely robust, and the results allow you to get back to work much faster than the old-school “clean install from a Windows DVD” option. If you’ve already installed version 1607, this reset will give you a clean copy of 1607. To go back to the previous version, you’ll need to use installation media you created before August 2, 2016.

COMMON PROBLEMS

I’m assuming you’ve managed to upgrade and activate Windows 10 properly. Having cleared those hurdles, here are the most common problems people are likely to experience.

  • Nonresponsive shell. Windows 10 has a completely different shell than prior versions. The Explorer.exe process is still at its core, but there are a few additional components as well that make the “modern experience” possible. If you click the Start button and nothing happens, or if the entire taskbar refuses to respond to interaction, open Task Manager (press Ctrl+Shift+Escape), find Windows Explorer in the task list, and click the Restart button.
task-manager-restart-explorer.png
  • Performance issues There’s nothing more frustrating than weird, unexplained slowdowns and hangs. For those times, use Task Manager’s Performance tab and Resource Monitor to figure out which process is causing problems. In the first few hours or days after a major update, it’s normal to see some background activity caused by indexing and backup.
  • Microsoft Edge Microsoft’s new browser is greatly improved since the initial release in 2015. The biggest change is support for extensions, although the current list of available extensions is still limited. One change I recommend making is disabling Flash support, which you can do from the Settings menu (click View Advanced Settings, then slide Use Adobe Flash Player to the Off position.) If Edge doesn’t work well on the sites you use most often, replace it with a different default browser.
  • OneDrive issues The OneDrive sync utility is also greatly improved from the initial release. The new universal sync client now supports OneDrive for Business, for example, although the promised support for placeholders still hasn’t arrived.
  • Store issues In the first few months after the initial release of Windows 10, I heard multiple complaints from people unable to access apps in the Windows Store. Most of those issues were on Microsoft’s end and have been fixed by updates. If you’re still experiencing issues, you might be able to fix things with the Wsreset command, which (as you might guess from the name) resets the Windows Store.
  • Issues with individual apps The new Universal Windows apps themselves can occasionally experience problems, such as apps that refuse to open or that crash with no explanation, either in the middle of a task or shortly after opening. I am hearing fewer reports of this type of issue lately, perhaps because of updates that fixed the underlying problem. For third-party apps, uninstalling and reinstalling the app sometimes works.

Some global fixes are worth mentioning here as well.

Even for brand-new hardware, it’s worth checking for BIOS and firmware updates. Over the past year, I have seen BIOS updates work miracles on systems that were experiencing frustrating problems after the Windows 10 upgrade. It’s worth checking with the manufacturer to see if a firmware update is available for your PC. If your BIOS date is before July 2015 and a newer version is available, this is a must.

Ideally, that’s a check you want to make before upgrading.

Another troubleshooting step that’s often worth the extra effort is to create a new user account expressly for troubleshooting purposes. If a Windows feature or an app is acting up under your existing account and it runs properly under the new account, you know that the problem is in that account profile, which means a full reset isn’t necessary.

If basic troubleshooting doesn’t work, I strongly recommend the Reset option, which does the equivalent of a clean install without the hassles associated with that option in earlier Windows versions. I’ve seen this option turn troublesome systems into well-behaved PCs, and the process of restoring apps and data is relatively quick, especially if your primary storage is in the cloud.

And there’s always the option to roll back to your previous OS and wait for a few months. Troubleshooting is all well and good, but sometimes being productive means allowing someone else to be the pioneer.

A word of warning: The Anniversary Edition allows you to roll back for 10 days after the upgrade. That’s a change from the previous release, which kept the earlier build around for 30 days. After the upgrade is complete, be sure to test all your hardware and third-party software before that deadline expires.

Windows PowerShell: Scripting Crash Course

More of you are getting used to Windows PowerShell and realizing its advantages. With that in mind, this month’s column is going to be a long one. This is a lightning overview of Windows PowerShell scripting, including how to build parameterized scripts. Over the next few months, I’ll focus on specific topics that build on this foundation.

If you’re not used to running Windows PowerShell commands in the console, you might find this too advanced, but try to plow through anyway. You should have a thorough understanding of Windows PowerShell security features. You should already know about execution policy, and know what setting you’re using. If you don’t already know the difference between “RemoteSigned” and “AllSigned,” and why one might be better than the other, you might not be ready for the following material.

 

You should also know how to execute scripts in the shell, and should recall that you always have to provide a path and filename in order to execute a script. Finally, you should also know the difference between running a script in the Integrated Scripting Environment (ISE) and the console. In the ISE, scripts run in the global scope. In the normal shell console, scripts get their own scope. I’ll review scope, but you should already have an idea of what it means and what it does.

Try to follow along as you read this column. Try the examples. If you type (or copy and paste) the script examples into the Windows PowerShell ISE starting on line 1, then your line numbers will correspond with the line numbers in the descriptions.

Windows PowerShell Script Files

A Windows PowerShell script file is nothing more than a plain-text file that has a .PS1 filename extension. The “1” doesn’t refer to the version of Windows PowerShell, but rather the version of the language engine. Windows PowerShell version 1 and 2 both use language engine version 1. That’s why both versions of the shell are installed into a v1.0 folder under \Windows\System32\WindowsPowerShell.

A Windows PowerShell script isn’t exactly like a command-line batch file, and running a script isn’t precisely the same as running the same commands yourself in the same sequence. For example, open a console window and run the following, pressing Enter after each line (remember not to type the line numbers):

  1. Get-Service
  2. Get-Process

Now type those exact same lines into a script file, or the ISE script editing pane, and run the script. You’ll get different-looking results. Each time you hit Enter in Windows PowerShell, you start a new pipeline. Whatever commands you typed are run in that single pipeline. At the end of the pipeline, Windows PowerShell converts its contents into a text display. When you run the two commands in the normal console, you’ve done so in two distinct pipelines.

Windows PowerShell was able to construct a unique display for each set of output. When entered into a script, however, both commands ran in the same pipeline. The Windows PowerShell formatting system isn’t sophisticated enough to construct the same unique output for two different sets of results. Try running this in the console:

  1. Get-Service;Get-Process

Those results should look the same as they did when you ran the script containing those two commands. In this case, both commands ran in a single pipeline. That’s what happened when you ran the script.

The practical upshot of all this is that a script should produce only one kind of output. It’s a bad idea, due in large part to the limitations of the formatting system. There are other considerations, as well. You don’t want a script dumping several different kinds of things into the pipeline at the same time.

Focus on that as a rule for everything we’ll cover. A script should generate one, and only one, type of output. The only exception would be if it’s a script being used as a repository for multiple functions. In that case, each function should generate one, and only one, type of output.

Variables

Think of variables as a box. You can put one or more things, even dissimilar things, into this box. The box has a name, and in Windows PowerShell that name can include almost anything. “Var” can be a variable name, as can “{my variable}”. In that second example, the curly brackets enclose a variable name that contains spaces, which is pretty ugly. As a good practice, stick with variable names that include letters, numbers and underscores.

Using a variable’s name references the entire “box.” If you want to reference the contents of the box, add a dollar sign: $var. You’ll often see Windows PowerShell variables preceded with the dollar sign because the whole point of using one is to get at the contents. It’s important to remember, however, that the dollar sign isn’t part of the variable name. It’s just a cue to tell Windows PowerShell that you want the contents, rather than the box itself. For example:

  1. $var = ‘hello’
  2. $number = 1
  3. $numbers = 1,2,3,4,5,6,7,8,9

Those examples show you how to place items into a variable using the assignment operator (=). That last example creates an array, because Windows PowerShell interprets all comma-separated lists as an array, or collection, of items. The first example assigns a string object, with the characters in the string contained within quotation marks.

There’s one aspect of Windows PowerShell that can confuse newcomers. Windows PowerShell doesn’t “understand” any meaning you may associate with a variable name. A variable like $computername doesn’t “tell” the shell that the variable will contain a computer name.

Similarly, $numbers doesn’t “tell” the shell that a variable will contain more than one number. The shell doesn’t care if you use a plural variable name. The statement

  1. $numbers = 1

is equally valid to the shell, as is

  1. $numbers = ‘fred.’

When a variable does contain multiple values, however, you can use a special syntax to access just a single one of them. You would use $numbers[0] as the first item, $numbers[1] is the second, $numbers[-1] is the last, $numbers[-2] is the second-last and so on.

Quotation Marks

As a best practice, use single quotes to delimit a variable unless you have a specific reason to do otherwise. There are three specific instances where you would want to use double quotes.

The first is when you need to insert a variable’s contents into a string. Within double quotes only, Windows PowerShell will look for the $, and will assume that everything after the $, up to the first character that’s illegal in a variable name, is a variable name. The contents of that variable will replace the variable name and the $:

  1. $name = ‘Don’
  2. $prompt = “My name is $name”

The $prompt will now contain “My name is Don” because $name will be replaced with the variable contents. This is a great trick for joining strings together without having to concatenate them.

Within double quotes, Windows PowerShell will also look for its escape character, the backtick or grave accent, and act accordingly. Here are a couple of examples:

  1. $debug = “`$computer contains $computer”
  2. $head = “Column`tColumn`tColumn”

In the first example, the first $ is being “escaped.” That removes its special meaning as a variable accessor. If $computer contained ‘SERVER,’ then $debug would contain “$computer contains SERVER.”

In the second example, `t represents a horizontal tab character, so Windows PowerShell will place a tab between each Column. You can read about other special escape characters in the shell’sabout_escape_characters help topic.

Finally, use double quotes when a string needs to contain single quotes:

  1. $filter1 = “name=’BITS'”
  2. $computer = ‘BITS’
  3. $filter2 = “name=’$computer'”

In this example, the literal string is name=’BITS.’ The double quotes contain the whole thing. Both $filter1 and $filter2 end up containing exactly the same thing, but $filter2 gets there by using the variable-replacement trick of double quotes. Note that only the outermost set of quotes actually matters. The single quotes within the string don’t matter to Windows PowerShell. Those single quotes are just literal characters. Windows PowerShell doesn’t interpret them.

Object Members and Variables

Everything in Windows PowerShell is an object. Even a simple string such as “name” is an object, of the type System.String. You can pipe any object to Get-Member to see its type name (that is, the kind of object it is) as well as its members, which includes its properties and methods:

  1. $var = ‘Hello’
  2. $var | Get-Member

Use a period after a variable name to tell the shell, “I don’t want to access the entire object within this variable. I want to access just one of its properties or methods.” After the period, provide the property or method name.

Method names are always followed by a set of parentheses. Some methods accept input arguments, and those go within the parentheses in a comma-separated list. Other methods require no arguments, and so the parentheses are empty, but don’t forget the parentheses:

  1. $svc = Get-Service
  2. $svc[0].name
  3. $name = $svc[1].name
  4. $name.length
  5. $name.ToUpper()

Notice line two. It starts by accessing the first item in the $svc variable. The period means, “I don’t want that entire object. I just want a property or method.” This accesses just the name property. Line five illustrates how to access a method, by providing its name after a period, followed by parentheses.

A period is normally an illegal character within a variable name, because the period means we want to access a property or method. That means line two in the following example won’t work the way you might expect:

  1. $service = ‘bits’
  2. $name = “Service is $service.ToUpper()”
  3. $upper = $name.ToUpper()
  4. $name = “Service is $upper”

On line two, $name will contain “Service is BITS.ToUpper()” whereas on line four $name will contain ”Service is BITS.”

Parentheses

Aside from their use with object methods, parentheses also act as an order-of-execution marker for Windows PowerShell, just like in algebra. In other words, parentheses tell the shell to “execute this first.” The entire parenthetical expression is replaced by whatever that expression produces. Here’s a mind-bending couple of examples:

  1. $name = (Get-Service)[0].name
  2. Get-Service -computerName (Get-Content names.txt)

On line one, $name will contain the name of the first service on the system. Reading this takes a bit of effort. Start with the parenthetical expression. That’s what Windows PowerShell will start with as well. The “Get-Service” resolves to a collection, or array, of services. The [0] accesses the first item in an array, so that will be the first service. Because it’s followed by a period, we know we’re accessing a property or method of that service, rather than the entire service object. Finally, we pull out just the name of the service.

On line two, the parenthetical expression is reading the contents of a text file. Assuming the file contains one computer name per line, “Get-Content”” will return an array of computer names. Those are fed to the “–computerName” parameter of “Get-Service.” In this case, the shell can feed any parenthetical expression that returns an array of strings to the
“–computerName” parameter, because the parameter is designed to accept arrays of strings.

Scope

Scope is a programming concept that acts as a containerization system. Things like variables, aliases, PSDrives and other Windows PowerShell elements are all stored in a scope. The shell maintains a hierarchy of scopes, and has a set of rules that determine how scopes can interact and share information with each other.

The shell itself is a single scope, called the global scope. When you run a script, it constructs a new scope and the script runs within that. Anything created by the script, such as a new variable, is stored within the script’s scope. It isn’t accessible by the top-level shell.

When the script finishes running, its scope is discarded, and anything created within that scope disappears. For example, create a script that contains the following (don’t forget to not type the line numbers), and then run that script from the console window:

  1. New-PSDrive -PSProviderFileSystem -Root C:\ -Name Sys
  2. Dir SYS:

After running the script, manually run “Dir SYS:” and you should see an error. That’s because the SYS: drive was created in the script. Once the script was done, everything it created was discarded. The SYS: drive no longer exists. Not everything in the shell is scoped. Items such as modules are handled globally at all times. A script can load a module and the module will remain loaded after the script is done.

If a scope tries to access something that wasn’t created within that scope, then Windows PowerShell looks to the next-higher scope (the “parent” scope). That’s why the Dir alias worked in that script you just entered. Although Dir didn’t exist in the script’s scope, it did exist in the next-higher scope: the global scope. A scope is free to create an item that has the same name as an item from a higher-level scope, though. Here’s another script to try:

  1. Dir
  2. New-Alias Dir Get-Alias
  3. Dir

That may look weird, but the first time it ran “Dir,” it didn’t exist in the script’s scope. It used the higher-level Dir alias. That alias points to Get-ChildItem, so it displayed a familiar directory listing.

Then, the script creates a new alias named Dir. This points to Get-Alias. That’s what was run the second time. None of this affected the top-level Dir alias. Try running Dir in the shell after running the previous script, and you’ll still get a directory listing.

Scope can be especially confusing when it comes to variables. As a rule, a given scope should never access out-of-scope items, especially variables. There’s a syntax for doing so, such as using $global:var to forcibly access the global scope’s $var variable, but that’s a bad practice except under very specific circumstances.

Windows PowerShell Scripting Language

Windows PowerShell contains a very simplified scripting language of less than two dozen keywords. That’s a stark contrast to a full programming language such as VBScript, which contains almost 300 keywords.

Simplified though it may be, the Windows PowerShell language is more than sufficient to do the job. I’ll review its major scripting constructs now, although you can always get more help on these by reading the appropriate “about” topic within the shell. For example, help about_switchcontains information on the Switch construct, while help about_if contains information on the If construct. Run help about* for a list of all “about” topics.

The If Construct

This is the Windows PowerShell main decision-making construct. In its full form, it looks like this:

  1. If ($this -eq $that) {
  2. # commands
  3. } elseif ($those -ne $them) {
  4. # commands
  5. } elseif ($we -gt $they) {
  6. # commands
  7. } else {
  8. # commands
  9. }

The “If” keyword is a mandatory part of this construct. A parenthetical expression follows that must evaluate to either True or False. Windows PowerShell will always interpret zero as False, and any nonzero value as True.

Windows PowerShell also recognizes the built-in variables $True and $False as representing those Boolean values. If the expression in parentheses works out to True, then the commands in the following set of curly brackets will execute. If the expression is False, then the commands won’t execute. That’s really all you need for a valid If construct.

You can go a bit further by providing one or more “ElseIf” sections. These work the same way as the If construct. They get their own parenthetical expression. If it’s True, the commands within the following curly brackets will execute. If not, they won’t.

You can wrap up with an Else block, which will execute if none of the preceding blocks execute. Only the block associated with the first True expression will execute. For example, if $this did not equal $that, and $those did not equal $them, then the commands on line four would execute—and nothing else. Windows PowerShell won’t even evaluate the second elseif expression on line five.

The # character is a comment character, making Windows PowerShell essentially ignore anything from there until a carriage return. Also notice the care with which those constructs were formatted. You might also see formatting like this from some folks:

  1. if ($those -eq $these)
  2. {
  3. #commands
  4. }

It doesn’t matter where you place the curly brackets. However, what does matter is that you be consistent in your placement so your scripts are easier to read. It’s also important to indent, to the exact same level, every line within the curly brackets.

The Windows PowerShell ISE lets you use the Tab key for that purpose, and it defaults to a four-character indent. Indenting your code is a core best practice. If you don’t, you’ll have a tough time properly matching opening and closing curly brackets in complex scripts. Also, all of the other Windows PowerShell kids will make fun of you. Consider this poorly formatted script:

  1. function mine {
  2. if ($this -eq $that){
  3. get-service
  4. }}

That’s a lot harder to read, debug, troubleshoot and maintain. While the space after the closing parentheses isn’t necessary, it does make your script easier to read. The indented code isn’t necessary, but it makes your script easier to follow. Consider this instead:

  1. function mine {
  2. if ($this -eq $that){
  3. get-service
  4. }
  5. }

Placing a single closing curly bracket on a line by itself isn’t required by the shell, but it’s appreciated by human eyes. Be a neat formatter, and you’ll have fewer problems in your scripts.

The Do While Construct

This is a looping construct in Windows PowerShell. It’s designed to repeat a block of commands as long as some condition is True, or until a condition becomes True. Here’s the basic usage:

  1. Do {
  2. # commands
  3. } While ($this -eq $that)

In this variation of the construct, the commands within the curly brackets will always execute at least once. The While condition isn’t evaluated until after the first execution. You can move the While, in which case the commands will only execute if the condition is True in the first place:

  1. While (Test-Path $path) {
  2. # commands
  3. }

Notice the second example doesn’t use a comparison operator such as -eq. That’s because the Test-Path cmdlet happens to return True or False to begin with. There’s no need to compare that to True or False in order for the expression to work.

The parenthetical expression used with these scripting constructs merely needs to simplify down to True or False. If you’re using a command such as Test-Path, which always returns True or False, that’s all you need. As always, there’s an “about” topic in the shell that demonstrates other ways to use this construct.

The ForEach Construct

This construct is similar in operation to the ForEach-Object cmdlet. It differs only in its syntax. The purpose of ForEach is to take an array (or collection, which in Windows PowerShell is the same as an array) and enumerate the objects in the array so you can work with one at a time:

  1. $services = Get-Service
  2. ForEach ($service in $services) {
  3. $service.Stop()
  4. }

It’s easy for newcomers to overthink this construct. Keep in mind that the plural English word “services” doesn’t mean anything to Windows PowerShell. That variable name is used to remind us it contains one or more services. Just because it’s plural doesn’t make the shell behave in a special fashion.

The “in” keyword on line two is part of the ForEach syntax. The $service variable is made up. It could easily have

been $fred or $coffee and it would have worked in just the same way.

Windows PowerShell will repeat the construct’s commands—the ones contained within curly brackets—one time for each object in the second variable ($services). Each time, it will take a single object from the second variable ($services) and place it in the first variable ($service).

Within this construct, use the first variable ($service) to work with an individual object. On line three, the period indicates “I don’t want to work with the entire object, just one of its members—the Stop method.”

There are times when using ForEach is inevitable and desirable. However, if you have a bit of programming or scripting experience, you can sometimes leap to using ForEach when it isn’t the best approach. The previous example isn’t a good reason to use ForEach. Wouldn’t this be easier:

  1. Get-Service | Stop-Service

The point here is to evaluate your use of ForEach. Make sure it’s the only way to accomplish the task at hand. Here are some instances where ForEach is probably the only way to go:

  • When you need to execute a method against a bunch of objects and there’s no cmdlet that performs the equivalent action.
  • When you have a bunch of objects and need to perform several consecutive actions against each.
  • When you have an action that can only be performed against one object at a time, but your script may be working with one or more objects, and you have no way of knowing in advance.

Other Constructs

Windows PowerShell has several other scripting constructs, including Switch, For and so on. These are all documented in “about” help topics within the shell. Sometimes, you can use the constructs covered here to replace those other constructs. For example, you can replace Switch with an If construct that uses multiple ElseIf sections. You can replace For with ForEach, or even with the ForEach-Object cmdlet. For example, having a loop that executes exactly 10 times:

  1. 1..10 | ForEach-Object -process {
  2. # code here will repeat 10 times
  3. # use $_ to access the current iteration
  4. # number
  5. }

It’s up to you to select the best construct to get the job done. If you’re browsing the Internet for scripts, be prepared to run across any and all variations.

Functions

A function is a special kind of construct used to contain a group of related commands that perform a single, specific task. Generally speaking, you can take any Windows PowerShell script and “wrap” it within a function:

  1. function Mine {
  2. Get-Service
  3. Get-Process
  4. }
  5. Mine

This defines a new function called “Mine.” That basically turns Mine into a command, meaning you can run the function simply by entering its name. That’s what line five does. It runs the function.

Functions are typically contained within a script file. A single script can contain multiple functions. Functions can themselves even contain other functions.

However, functions are scoped items. That means you can only use a function within the same scope in which it was created. If you put a function into a script, and then run that script, the function will only be available within the script and only for the duration of the script. When the script finishes running, the function—like everything else in the script’s scope—goes away. Here’s one example:

  1. function One {
  2. function Two {
  3. Dir
  4. }
  5. Two
  6. }
  7. One
  8. Two

Suppose you enter this into a single script file and run that script. Line seven executes the function One, which starts on line one. Line five executes a function named Two, which starts on line two. So the result will be a directory listing, which is on line three inside function Two.

However, the next line to execute will be line eight, and that will result in an error. The script doesn’t contain a function named Two. Function Two is buried within function One. As a result, that exists within the function One scope. Only other things within function One can see Two. Attempting to call Two from anyplace else will result in an error.

Adding Parameters to a Script

It’s rare to create a script that’s intended to do exactly the same thing every time it runs. More frequently, you’ll have scripts that contain some kind of variable data or variable behavior. You can accommodate these variations with parameters.

Parameters are defined in a special way at the top of the script. You can precede this definition with comments, but it must otherwise be the first executable lines of code within the script. Within the parameter definition area, each parameter is separated from the next by a comma. In keeping with the idea of neat formatting, it helps to place each parameter on a line of its own. Here is an example:

  1. param (
  2. [string]$computername,
  3. [string]$logfile,
  4. [int]$attemptcount = 5
  5. )

This example defines three parameters. Within the script, these are simply used like any other variable. You’ll notice that on line four, I assigned a default value to the $attemptcount parameter. The default will be overridden by any input parameter, but will be used if the script is run without that parameter being specified.

Here are several ways in which the script might be run, assuming I saved it as Test.ps1:

  1. ./test -computername SERVER
  2. ./test -comp SERVER -log err.txt -attempt 2
  3. ./test SERVER err.txt 2
  4. ./test SERVER 2
  5. ./test -log err.txt -attempt 2 -comp SERVER

The script accepts parameters pretty much like any cmdlet. Variable names are used as the parameter names, specified with the usual dash that precedes all parameter names in Windows PowerShell. Here’s a breakdown of how it works:

  • On line one, I’m only specifying one of the parameters—$logfile will thus be empty, and $attemptcount will contain 5, its default.
  • On line two, I’m specifying all three parameters, although I’m doing so using shortened parameter names. As with cmdlets, you only need to type enough of the parameter name for Windows PowerShell to know which one you’re talking about.
  • Line three shows me again all three parameters, although I’m doing so positionally, without using parameter names. As long as I remember to provide values in the exact order in which the parameters are listed in the script, this will work fine.
  • Line four shows what happens if you’re not careful. Here, $computername will contain ‘SERVER’ and $logfile will contain 2, while $attemptcount will contain 5. That’s probably not what I intended. When you don’t use parameter names, it’s harder to be flexible. It’s also more difficult for someone else to decode what you meant, which makes it harder for them to troubleshoot any problems.
  • Line five is a better example. Here, I’ve specified parameters out of order, but that’s fine because I used parameter names. As a general rule, I always use parameter names for the greatest degree of flexibility. I don’t need to remember the order in which they came.
Advanced Scripts

Windows PowerShell supports a technique for specifying additional information about parameters. This lets you declare a parameter as mandatory, accepting input from the pipeline and so forth. This technique is called Cmdlet Binding.

It doesn’t change the way the script uses parameters. It simply gives the shell a bit more information about the parameters. You’ll find this technique more commonly used in a function, but the syntax is valid within a script as well. Here’s a simple example:

  1. [CmdletBinding()]
  2. param (
  3. [Parameter(Mandatory=$True)]
  4. [string]$computername,
  5. [Parameter(Mandatory=$True)]
  6. [string]$logfile,
  7. [int]$attemptcount = 5
  8. )

All I added was the [CmdletBinding()] instruction as the first executable line of code within the script. It’s okay for comments to precede this, but nothing else. I also added a [Parameter()] instruction to two of my parameters. Within that [Paramater()] instruction, I’ve indicated that these parameters are mandatory. Now, if someone tries to run the script without specifying these parameters, Windows PowerShell will prompt them for the information.

Notice that the last parameter doesn’t have any special instructions, and all three parameters still appear in a comma-separated list (meaning the first two parameters are followed by commas). There are a ton of other instructions you can specify for a parameter, which you can read about in theabout_functions_advanced_parameters help topic.

This was a whirlwind review of some key Windows PowerShell scripting-related concepts. I hope you’ve learned a thing or two. Being able to build parameterized scripts is especially useful, because you can make scripts that look and behave like Windows PowerShell native cmdlets.

Junkware Removal Tool DLL Hijacking

JRT.exe (see <https://en.malwarebytes.com/junkwareremovaltool/>)

1. is vulnerable to DLL hijacking:
   see <https://cwe.mitre.org/data/definitions/426.html>
   and <https://cwe.mitre.org/data/definitions/427.html> for
   these WELL-KNOWN and WELL-DOCUMENTED beginner's errors;

2. creates an unsafe directory "%TEMP%\jrt":
   see <https://cwe.mitre.org/data/definitions/377.html>
   and <https://cwe.mitre.org/data/definitions/379.html> for
   these WELL-KNOWN and WELL-DOCUMENTED beginner's errors!

An attacker can exploit these vulnerabilities to gain
arbitrary code execution WITH escalation of privilege.


Ad 1.:
~~~~~~

Applications which are offered as downloads to unsuspecting users
will typically be saved into the users "Downloads" directory ...
which is but a digital minefield: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134>

On a fully patched Windows 7 SP1, JRT.exe loads and executes the
following DLLs from its "application directory" (which usually
happens to be the users "Downloads" directory):
    UXTheme.dll, DWMAPI.dll, PropSys.dll, NTMARTA.dll, Version.dll,
    Secur32.dll

On other versions of Windows this list varies slightly, but JRT.exe
ALWAYS loads some DLLs from its "application directory".


Due to its embedded application manifest which specifies
"requireAdministrator", JRT.exe runs with administrative privileges:
all DLLs it loads and executes run with administrative privileges
too, resulting in arbitrary code execution WITH elevation of
privilege.

If an attacker is able to place the DLLs named above per "drive-by
download" in the users "Downloads" directory this becomes a remote
code execution WITH elevation of privilege.


Proof of concept:
~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   and save it as UXTheme.dll, DWMAPI.dll, PropSys.dll, NTMARTA.dll,
   Version.dll, Secur32.dll in your "Downloads" directory;

2. download <https://downloads.malwarebytes.com/file/jrt/> and
   save it in your "Downloads" directory;

3. start the downloaded JRT.exe and notice the message boxes
   displayed from the DLLs planted in step 1.

PWNED!


Ad 2.:
~~~~~~

Upon execution JRT.exe creates the directory "%TEMP%\jrt", extracts
its payload into it and starts Windows' command processor (with
administrative privileges too) to run the extracted batch script
"%TEMP%\jrt\get.bat".

The directory "%TEMP%\jrt" inherits the NTFS permissions of its
parent "%TEMP%", allowing FULL access for the respective user
account.

In the "protected" alias UAC-controlled administrator account
created during Windows setup, "%TEMP%\jrt" is writable without
administrative privileges: the unprivileged user (or any process
running without elevation under this user account) can watch for
the creation of this directory and then (over)write any file
(for example FIND.COM, REG.COM, NET.COM, PING.COM, FC.COM,
FINDSTR.COM, TASKLIST.COM, SORT.COM, SCHTASKS.COM, WGET.DAT,
UNIQ.DAT, SED.DAT, GREP.DAT, NIRCMD.DAT, SHORTCUT.DAT, or the
DLLs which the *.DAT load from their "application directory")
again gaining elavation of privilege.


Proof of concept:
~~~~~~~~~~~~~~~~~

1. download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
   and save it in your "Downloads" directory;

2. create the following batch script in an arbitrary directory:

--- POC.CMD ---
:WAIT
@If Not Exist "%TEMP%\jrt" Goto :WAIT

For %%! In (FIND REG NET PING FC FINDSTR TASKLIST SORT
 SCHTASKS) Do @Copy "%USERPROFILE%\Downloads\SENTINEL.EXE" "%TEMP%\jrt\%%!.COM"
--- EOF ---

3. download <https://downloads.malwarebytes.com/file/jrt/> and
   save it in your "Downloads" directory;

4. start the batch script POC.CMD;

5. start the downloaded JRT.exe and notice the message boxes
   displayed from the *.COM.

PWNED!


Mitigations:
~~~~~~~~~~~~

* Don't use executable installers!

* Don't use crapware which runs executables from unsafe
  directories like %TEMP%!

* Add an ACE "(D;OIIO;WP;;;WD)" to the ACL of "%TEMP%"; use
  <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to
  decode it to "deny execution of files in this directory for
  everyone, inheritable to all files in all subdirectories".


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-08-06    vulnerability report sent to vendor

              NO RESPONSE

2016-08-15    report published