Akzium - Akzium_Blog

Moving Windows Server 2022 Recovery Partition

3/13/2025

When doing a scratch install of Windows Server 2022, some brainiac at Microsoft thought it was a good idea to place the recovery partition at the end of the Disk 0 Volume. So, when you need to extend your "C" drive, you end up with the recovery partition blocking the way. Here are the steps to resolve this issue (and I'm assuming you've already added space to the virtual disk).

Step1: Remove Existing Recovery Partition
Run CMD as Administrator and execute the following command: reagentc /disable
C:\>reagentc /disable
Next, run DiskPart and execute the following commands:
diskpart
list disk
select disk 0 (or whatever happens to be the disk ID with the recovery partition)
list partition
select partition 4 (again, select the appropriate partition listed as the Recovery Partition)
list partition (ensure the recovery partition has a * beside it)
delete partition override (this deletes the recovery partition)
list partition (the recovery partition should now be deleted)

Step #2: Go into Computer Management and navigate to Disk Management

Right click on the "C" partition and select "extend" and click Next

Reduce the size of the extension by 1GB (see image below as example) to reserve space for the new recovery partition.

Finish task. Now, the "C" partition should be larger and there should be at least 1GB left at the end.

Step #3: Create a New Recovery Volume
Right-click on unallocated space
Choose Simple Volume
NTFS
No Drive Letter
Leave Partition Name Blank
Finish task.
Step #5: Return to CMD as Administrator and DiskPart
Run the following commands:
List Disk
Select Disk 0 (or other as appropriate)
List Partition
Select Partition 4 (this should be the new partition you just created in disk manager)
set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes=0x8000000000000001

Step #6: Exit DiskPart and Return to Administrative Command Prompt; Re-Enable Recovery Partition

C:\>reagentc /enable

Return to Computer Management->Disk Management

Partition should now show as Healthy (Recovery Partition)

Windows 11 Pro Sandbox

1/25/2025

Windows Sandbox is a lightweight virtual machine that allows users to run applications in isolation from the host operating system by creating a temporary, isolated instance of Windows that runs separately from the host machine. Sandbox was introduced in the Windows 10 update 1903 in May 2019. Since then Microsoft has (slowly) continued to enhance the feature set of the Sandbox environment. Recent updates to Windows 10/11 Sandbox include features like enhanced clipboard redirection, control over audio/video input, the ability to share folders with the host PC, and improved configuration options for managing the virtual hard disk (VHD) size and detachment, allowing for more flexibility in managing the Sandbox environment.

To script installations of apps when launching Windows Sandbox, you need to use the "LogonCommand" option in the Windows Sandbox configuration file, which allows you to specify a command or script that will run automatically when the Sandbox starts up; essentially, you create a script containing your installation commands and then point the LogonCommand to that script file which is mapped into the Sandbox as a shared folder.

Create a script:
Write a PowerShell or batch script that includes the installation commands for the software you want to automatically install in the Sandbox.

Map the script folder:
In your Windows Sandbox configuration file, use the "MappedFolders" option to specify the folder on your host machine where your installation script is located, allowing the Sandbox to access it.

Set the LogonCommand:
Within the configuration file, use the "LogonCommand" tag to point to the path of your installation script within the mapped folder.

"MappedFolders":
This section specifies that the "C:\Users\YourUser\Scripts" folder on the host machine will be accessible within the Sandbox.

"LogonCommand":
This line sets the command that will run when the Sandbox starts, which in this case is the "InstallApps.ps1" script located in the mapped folder.

Example (using PowerShell):
Script (named "InstallApps.ps1"):

Code

Start-Process -FilePath "C:\path\to\installer.exe" -ArgumentList "/silent", "/norestart"

# Add more installation commands for other applications as needed

*note: The sandbox runs with a limited user account ("WDAGUtilityAccount"), so ensure your scripts have appropriate permissions to install software.

Also, you cannot directly link an AD Group Policy Object (GPO) to the Sandbox itself because it is a temporary, isolated environment that does not join the domain; however, you can configure the Sandbox using a configuration file (.wsb) to apply specific settings that mimic certain group policy behaviors. There are also limited Local Group Policy settings available in: "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Windows Sandbox".

Here's the link to the Microsoft Learn article on Sandbox:https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file

IBM FlashSystem Firmware Updates

1/23/2025

Updating the controller firmware on the IBM FlashSystem 5XXX and 7XXX systems has one known issue that doesn't seem to have been resolved by IBM: when using the GUI to upload the firmware file, the transfer rate is ridiculously SLOW. It can take over 30 minutes, sometimes over an hour, to upload a 800Mb file. The good news? There's a simple workaround for this problem.

First, you still need to download the appropriate Test Utility and Firmware Update Package from IBM FixCentral.

Then, you navigate to Settings->System->Update page.

Download and install the Putty SSH/Telnet application. Open a CMD prompt and navigate to the directory where Putty is installed (usually: C:\Program Files\Putty). Copy the Firmware Update file into the Putty folder.

At the C:\Program Files\Putty> command prompt, type in the following:

pscp software_upgrade_file_name superuser@cluster_ip_address:/home/admin/update
*you will then be prompted for the superuser password

You can repeat this for uploading the Test Utility File as well.

Note: Keep in mind that AFTER you run the upgrade utility, the FlashSystem will remove the update files. If for some reason the update files are not automatically removed, you can SSH to the system using Putty and type:

cleardumps -prefix /home/admin/update

This will clear the upate folder file cache.

To upgrade the Disk Drive firmware, navigate to Pools->Internal Disks. Left-click on one of the disks, go to Actions menu, select Upgrade. This will open the Disk Firmware Upgrade window similar to the controller firmware menu. From here you can select the Test Utility and Drive Firmware files. The Test Utility will run and report on any problems or concerns. If no errors are reported, click NEXT and the firmware update will process. Firmware updates take 5 to 10 minutes per disk. If you want to upgrade firmware for multiple disks, left-click the first drive and then either use Shift and Left-Click to highlight a continuous set of disks or Control Left-Click to only select specific disks. Go to Actions menu and proceed with the same steps as for one disk.

If the disk firmware upload process is SLOW (and it typically is), use Putty pscp.exe as per the above instructions for the firmware update process to upload the files which usually only takes a few seconds.

From the list of internal drives you can right-click on a drive, and go to Properties to view the current firmware version.

Windows Local Hosts File DNS Lookup

12/31/2024

Microsoft Windows will always check the local Windows\System32\drivers\etc\HOSTS file by default before consulting the DNS cache. The DNS cache simply stores previously resolved domain names and their corresponding IP addresses for faster access, but if a matching entry is found in the hosts file, the cache is ignored.

It is possible via GPO to change the DNS lookup order, or DISABLE the local Windows hosts file DNS resolver function: Group Policy, Computer Configuration > Administrative Templates > Network > DNS Client and enable the policy "Turn off Multicast Name Resolution" which effectively prevents the computer from using the local hosts file for name resolution. This also disables LLMNR (Link-Local Multicast Name Resolution), which is a Microsoft endpoint security recommendation.

For those not familiar with editing the hosts file, PhoenixNAP has a nice write-up here:
https://phoenixnap.com/kb/windows-hosts-file

Disable Windows Quick Assist and Windows Share Experiences

12/7/2024

Here's a "how to" on disabling Windows Quick Assist and Windows Shared Experiences. Windows Quick Assist has become a go-to tool for malware actors to gain remote access to a social-engineering-scammed user's PC without having to do any sort of software installation. Quick Assist is enabled by default on both Windows 10 and Windows 11 PCs and allows a remote user to access your PC in local administrator mode. Windows Shared Experiences can be used by hackers for lateral movement once a PC has been infected with malware.

To Disable Quick Assist:
1) Create Firewall Rule to block C:\Windows\System32\quickassist.exe from internet access.
2) To disable Windows Quick Assist in Group Policy, navigate to "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security" and then set the policy "Restrict Remote Assistance to authorized users" to "Enabled"
3) In Group Policy editor go to: Computer Configuration > Administrative Templates > System > Remote Assistance > Configure Solicited Remote Assistance (set to disabled)
4) Change the registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fAllowToGetHelp"=dword:00000000

For Windows Shared Experiences:
1) In Group Policy: Computer Configuration>Administrative Templates>System>Group Policy>Continue Experience On This Device (set to disabled)

2) In the registry: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
dword: "EnableCdp"=0

Here's a link to the Microsoft Learn article about Quick Assist: https://lnkd.in/eQ5STV86

Here's a Microsoft Support post about Shared Experiences: https://lnkd.in/ehRW-guV

Multiple Gateway Routes in Windows OS

11/21/2024

There can only be ONE (1) DEFAULT GATEWAY in Windows, but there can be MULTIPLE network gateways via the Windows ROUTE command.

If you need to have access to two separate networks via two different network adapters the Windows OS network adapter settings GUI will give an ERROR message if you attempt to set a default gateway on the second adapter. Why? Well, there can only be one "default" gateway. However, you CAN have multiple networks each with their own individual gateway setting. The "default" gateway is the one used LAST by Windows, i.e. if all other gateways fail, use this "default gateway". The trick to setting this up properly is the use of the Windows ROUTE command. You must open an elevated command prompt to run this command via Run As Administrator.

*note: I've used , in stead of . in the IP addresses so that browsers won't create hyperlinks. Substitute . for , in replicating the commands.

Example:
ROUTE PRINT
this gives you the current status of all routes on your system

ROUTE ADD 192,168,1,0 MASK 255,255,255,0 192,168,1,99
this command will add 192,168,1,99 as the gateway for the 192,168,1,0/24 network

ROUTE -p ADD 192,168,1,0 MASK 255,255,255,0 192,168,1,99
by adding the -p this makes the added route PERSISTENT, meaning it will survive a system reboot

ROUTE DELETE 192,168,1,0
this will delete the added route for the 192,168,1,0 network along with its associated gateway

The order of route processing is determined by the METRIC value assigned to the route, with lower value numbers being processed before higher value numbers. If you want your newly added route to be processed before other routes, change the route metrics to manually determine route order processing.

Windows 11 Bypass Internet Setup Requirement

11/20/2024

If you're setting up a new Windows 11 Pro PC and get stuck at the "Internet Connection Required to Continue" screen, there's a work-around for that. Microsoft is attempting to force you to set up a Microsoft account for the PC. If you don't want to tie your PC to a Microsoft account, here's what you do next:
1) At the connect to a network screen, hit Shift-F10 which will take you to a command prompt.
2) Within the C:\Windows\System32 folder there is a subfolder named OOBE, the Out Of the Box Experience. In the OOBE folder there is a command named ByPassNRO.cmd. So, once you hit Shift-F10, you will land at a C:\Windows\System32> prompt. Type in OOBE\ByPassNRO

This will initiate an OOBE setup change and reboot the PC. Now, when you get to the "connect to a network" screen, you'll have the option at the bottom of the screen: "I don't have internet". Select this option. The next screen will present the option: "Continue with Limited Setup", which is Microsoft-speak for "we're still attempting to gaslight you into connecting this PC to a Microsoft account". You will then be able to create a local administrator-equivalent user account, set a password, and answer the three password-recovery question prompts. After you work your way through the Privacy Settings screen and hit next a few times you'll be able to log into your not-internet-connected Windows 11 PC with a local administrator user account.

To block future attempts at forcing a Microsoft Account link, navigate to group policy section: Computer Configuration > Windows Settings > Security Settings > Local Polices > Security Options. Double-click "Accounts: Block Microsoft accounts" Select "Users can't add or log on with Microsoft accounts" Click OK.

Here's a great write-up on the PureInfoTech blog site with Step-by-Step instructions and screen shots if you need more a more detailed breakdown: https://pureinfotech.com/bypass-internet-connection-install-windows-11/

Endpoint Security: Disable Windows Script Host (WSH)

10/27/2024

Numerous email spam and phishing campaigns are pushing a number of crypto-ransomware families (and backdoors) via .zip file attachments. And such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host.

Do yourself a favor and edit your end user PC's Windows Registry to disable WSH.

Here’s the key (folder).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings

Create a new DWORD value named “Enabled” and set the value data to “0”.
*see image below*

And then, if you click on a .js file, you’ll see this message: "Windows Script Host access is diabled on this machine. Contact your administrator for details."

Credits to the F-Secure Blog for the details on this vulnerability.

Capsa Network Analyzer Tool

10/16/2024

In 2010 Riverbed acquired Cace Technologies. One of the greatest products in the Cace portfolio was the Cascade Pilot network analyzer which was a GUI built on top of nPcap and Wireshark. It eventually became rebranded as Riverbed Cascade Pilot, and then Riverbed Steelcentral Packet Analyzer. Cace offered a "personal edition" of the product for small IT shops and network technicians that was around $395 (if I remember correctly). Riverbed continued to offer this for a while as Cascade Pilot PE and then in 2020, it was shelved. Thus began my quest for an affordable, portable network analysis tool to replace Pilot PE. I recently stumbled across Colasoft's CAPSA Portable Network Analyzer tool. After some initial testing in the lab, it has become a new tool in our network analysis toolbox to quickly identify network bandwidth hogs, detect illicit network traffic as well as help locate malware RATs. Colasoft offers a free, limited-function version of the software and a 30-day trial of the Enterprise version, which at $1295 may be 3x what we used to pay for Pilot PE, but it's a great replacement for a product that never should have been shelved by Riverbed.

CIDR Rules for Private IP Address Ranges

10/6/2024

As more and more devices are connected to internal networks including PCs, printers, barcode scanners, IoT sensors, and the like, IP address saturation and management becomes more unwieldy. Some basic networking rules that can give us more options for internal network scalability include thoughful selection of private IP address schemes and creative use of CIDR IP Subnetting.

For example: If you use 192.168.1.0/24 as your base network IP scheme (BTW, you should NEVER do this) your subnet mask for a /24 network is 255.255.255.0, which gives you access to IP addresses from 192.168.1.1 to 192.168.1.254, or 254 IP addresses to assign to network devices. So, what to do if your number of network devices exceed 254? One option is to implement VLANs, which requires a Layer-3 device to manage VLAN routing. When you are scaling out to thousands of devices, nobody wants to manage hundreds of VLANs. Now, don't get me wrong, network segmentation using VLANs is a basic network security necessity, but limiting yourself to 254 IPs per VLAN in a large environment is foolish (at best), and borderline masochistic (at worst). So, what is a network manager to do? Go back to the basics of using CIDR Subnet Masking in your favor.

Let's consider for a moment the use of 255.255.255.0 and the alternatives to this default network mask. The table above outlines the initial thirteen CIDR options for subnetting. Notice that a /21 CIDR of 255.255.248.0 would give you 2048 IP addresses with 2,046 of those being usable. That's 8X more IP addresses that can be assigned in a single VLAN.
Here's an example for more clarity: If I have a 192.168.1.0 network (again, a TERRIBLE idea. Please never do this.) and I change my subnet mask from 255.255.255.0 to 255.255.254.0, I gain the use of IP addresses in the 192.168.0.0 and 192.168.1.0 ranges, or a total of 512 IPs with 510 of those being usable. But wait, why did that subnet change go to the LEFT of the IP range instead of the RIGHT of the range, ie 192.168.0.0 instead of 192.168.2.0. Well, as in everything else networking, there are RULES. I won't go into the depths of those here, but save yourself some time and always use a subnet calculator to verify the net effect of a subnet mask change. In this case, if I wanted to use 192.168.2.0 addresses in addition to my 192.168.1.0 addresses, I'd need to use a subnet mask of 255.255.252.0, which gives me access to 192.168.0.0 thru 192.168.3.255, or four octets (1,024) of IP address ranges. Notice there is no 255.255.253.0 option - remember, I said there are RULES.

One major caveat here: Be careful when planning your IP subnet ranges for multiple locations to ensure that your subnet masking for one location doesn't overlap a subnet range for a second location. For example, if you have a 192.168.9.0 network with 255.255.252.0 mask, your range is 192.168.8.0 through 192.168.11.255, with your 9.x network falling in the middle of that subnet range. Once again, there are CIDR RULES. A second location would not be able to use a 192.168.11.0 network with a 255.255.255.0 mask and still be able to properly route traffic to your 192.168.9.0/22 network.

So, as a brief reminder to us all, don't neglect the simplicity of using subnet masking to expand your range of usable IP addresses, but take care in selecting your masking option so as to not break your routing rules.