Akzium - Akzium_Blog

Remove Ghost Network Adapters in Windows

4/19/2025

Ghost adapters left behind by physical-to-virtual conversions have been an issue since the early days of virtualization. The Great VMWare Exodus has brought this issue back into the limelight as Broadcom customers begin to abandon VMware in favor of more customer-friendly Type 1 Hypervisor companies.

If you're preparing to migrate a VMware virtual machine over to, let's say a KVM-based Type-1 Hypervisor environment, there are several preparation steps that should be undertaken, the first of which will be to change the network adapter from a static IP addresss to a DHCP address, and to remove the VMware Tools. If you forget to remove VMware tools prior to conversion, the converted VM may not boot. If you forget to manipulate the network LAN adapter settings, you could end up with a "ghost" adapter, one that has entries in the Windows registry, but that does not show up in device manager. If you also forgot to change the static IP address to a DHCP address, the static IP could be "trapped" by the ghosted adapter and Windows will give you error messages saying another adapter already has that IP address.

Here's how to "reveal" those ghosted adapters so you can clean up the mess left behind by a hypervisor platform migration.

1. Launch a command prompt as administrator in the VM.
2. Run: set devmgr_show_nonpresent_devices=1 (press enter)
3. Launch Device Manager (devmgr.msc)
4. In Device Manager -> View select "Show Hidden Devices"
5. Scroll down to Network Devices and expand
6. Ghost adapters will be greyed out - right click and Uninstall
7. Select Action -> Scan for Hardware Changes to refresh device list
8. Repeat as necessary until all ghost adapters are removed

Windows OS Hub has a write-up on this process here: https://woshub.com/remove-hidden-ghost-network-adapter-windows/

Interworks has a blog post about the topic here:
https://interworks.com/blog/ijahanshahi/2014/08/21/removing-hidden-device-device-manager/

The official VMware-to-Proxmox conversion instructions are here:
https://pve.proxmox.com/wiki/Migrate_to_Proxmox_VE

Scale Computing has their own SC//Migrate toolkit to make VMware to Scale migrations easy:
https://www.scalecomputing.com/resources/sc-migrate-data-sheet

Windows Server Change Time Commandline

4/15/2025

Ever join a server to the domain and forgot to change the time zone beforehand, then the Time Zone GUI change options are greyed out? There's a way around that using either a command line option or via PowerShell.

Option1: Invoke CMD as administrator
tzutil /g (displays current time zone)
tzutil /l (displays all time zone options)
tzutil /s "Central Standard Time" (sets time zone)
tzutil /g (to verify change)

Option2: Invoke Powershell as administrator
Get-TimeZone
Get-Timezone -ListAvailable
Set-Timezone -Id "Central Standard Time"
Get-TimeZone

Add email aliases to personal Gmail accounts

4/14/2025

Creating email aliases for work emails is common, but did you know you can also create emails aliases for your (at)gmail(.)com email address using Gmail+ email aliases? Example: if your email is bobsmith(at)gmail you can create an alias email such as bobsmith+myamazonorders(at)gmail, use that alias for receiving emails and they will come to the inbox for your primary email account.

Here are the steps:
1. Log in to your personal gmail account in a browser
2. Go to the Settings gear icon at the top right
3. See all settings
4. Go to the Accounts and Import tab
5. Navigate down to Send Email As section
6. Click on Add another email address
7. The the email address box type your email addres and a + sign and whatever you want to add to it (ex: bobsmith+myamazonorders(at)gmail, but use the actual at sign. LinkedIn keeps trying to link when I attempt to use it in a post.
8. Make sure the "Treat as an alias" box is checked

Now you can use this alias email as a filter or in some cases to sign into a website that is having problems directing you do different sign-in functions using the same email address.

MailMeteor has a good write-up outlining the steps here: https://mailmeteor.com/blog/gmail-alias

Streak has a blog post about the process here: https://www.streak.com/post/gmail-plus-addressing-trick

*kudos to Streak for the cool graphic below this post.

Easy File Server Migrations

4/7/2025

The registry key that contains all of the shares and share permissions on a Windows file server is located: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
and the Security subkey. You can export this key set from your current file server, mount the shares data drive to a new server with an updated OS and import this registry key to restore all of the shares and their associated permissions. Since you've moved the data drive to the new server, all files retained their NTFS permissions. Also, this detach/re-attach process assumes you're not using DFS.

So, step by step (assuming you're doing this in a virtual environment):
1) Create new VM with virtual HDD for OS
2) Install new OS, patch, update, etc. (Do not join to domain yet)
3) Export registry key from old file server
4) Copy registry key file to new file server
4) Unjoin old file server from domain
5) Change server name and IP address of old file server and shut down
6) Detach data volume virtual disk from old file server
7) Change server name and IP address of new file server to match old server and reboot sever
8) Join new file server to domain
9) Attach data drive virtual disk to new file server and mount with same drive letter as it had on the old file server
10) Import registry key from old file server
11) Reboot new file server

At this point your new file server has the data volume mounted from the old file server and the shares permissions have been imported. I'll make a separate post on some ways to consolidate the new VM data files with the old server data virtual disk into a single folder.

If you are migrating a physical file server to a virtual machine, or possibly migrating a VM-based file server to an new VM on a different platform, you can create a root shared folder on the target system, map a drive to the shared folder from the existing file server, and use a robocopy job to copy the data to the new server.

Example1: robocopy e:\rootshare r:\remoteshare /e /copy:datso /z /MT:128

Example 2: robocoy e:\rootshare r:\remoteshare /mir /z /MT:128 /LOG+:logfilename.log

After the copy job finishes and is validated, export the registry key that stores the share permissions data from the existing file server and then import the exported .reg file into the new file server's registry.

I recently had a customer's file server boot drive MBR record get irreparably corrupted. We mounted the boot volume to the new file server as a data disk, used the remote registry mount utility to mount the \Windows\System32\Config\SYSTEM registry file and export the shares registry key. When you use the remote mount utility you have to give it a temporary name. Thus, when you export the key the registry file header data has the temporary name in the (2) header paths instead of the correct header path names. We had to correct those using notepad to edit the .reg file two header data paths as follows before attempting to import the shares key into the new file server.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security]

Don't forget to change the notepad save settings to *.* to preserve the .reg file extension.

Link to all Robocopy Commands: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy

Windows 11 24H2 Bypass Microsoft Account Requirement

4/1/2025

Microsoft is removing the OOBE\BYPASSNRO.cmd command from the Windows 11 installer in yet another attempt at forcing every Windows 11 PC to have a Microsoft online account. The good news is that NeoWin is reporting that there's another workaround available.

1. Start Windows 11 Setup
Begin the Windows 11 Setup Process.
Select your region and keyboard layout.

2. Stop at the Secondary Keyboard Layout Screen
When you reach the Secondary Keyboard Layout screen, DO NOT click Skip.

3. Open the Developer Console
Press Ctrl + Shift + J to open the Developer Console.
Your screen will go dark and will appear with a prompt (indicated by a > symbol) at the top left of the screen.

4. Enter the Restart Command
Type the following command exactly as shown:
WinJS.Application.restart("ms-cxh://LOCALONLY")
Note: This command is case-sensitive. You can use Tab-completion to help:
After typing WinJS.A, press Tab to auto-complete Application.
After typing res, press Tab to auto-complete restart.

5. Exit the Developer Console
After entering the command, press Enter to execute it.
Press Escape to exit the Developer Console and return to the OOBE interface.
Note: If the Escape key doesn't close the Console, click anywhere on the screen to ensure the console is focused and then press the key again.

6. Local Account Setup
The Secondary Keyboard Layout screen will refresh, and a Windows 10-style local account setup screen will appear.
Enter your desired username, password, and security questions and click Next.

7. Complete the Setup
The Setup will go black and will then log you in to your newly created account. Allow Windows 11 a few moments to configure the user.
Continue with the remaining privacy setting prompts.
Once finished, you will have successfully created a local account in Windows 11.

Here's a link to the write-up on NeoWin: https://www.neowin.net/news/forget-bypassnro-a-new-internetaccount-bypass-during-windows-11-installs-already-exists/

Here's a fiery Reddit thread discussing the disappearance of the BypassNRO command from the Windows 11 installer ISO: https://www.reddit.com/r/pcmasterrace/comments/1jmgia4/microsoft_is_removing_the_bypassnro_command_which/

Use AWS EC2 VM and IIS to Share Files

3/27/2025

If you need to share large files over an internet connection, one easy way to do that is to spin up an Amazon AWS EC2 virtual server running Windows and the IIS Role and use the virtual directory feature in Microsoft IIS. The real key to ensuring that the files in the shared folder linked to the virtual directory default to "file -> download" when clicked on is to edit the MIME Types function. For each type of file in the virtual directory shared folder (e.g.: .ISO, .EXE, .MSI, .DOC, .PDF, .ZIP, .TGZ, etc.) change the MIME Type flag to file/download. Once you do this, when the user clicks on the file in the browser it will open the file download window. If you don't edit the MIME Type for each file extension that will be in your shared folder, when you click on the file you will get a 404 Error.

One note here is that if using Chrome or Edge and you do NOT install an SSL certificate on the IIS server, it will flag the download as unsecure. If the "Keep" option isn't working properly, you can click on the download icon in the browser toolbar to close the download window and then click it again to re-open the download option window, click on the > to expand the download item prompt, which should give you the option to "Download Insecure File".

One way to restrict access to this publicly-facing IIS file hosting server is to use the AWS EC2 Security Groups - Inbound Rules to only allow HTTP access to the EC2 VM from specific public IP addresses. Once in place, only those public IPs on the Inbound - Allow rules list will have HTTP (port 80) access to the EC2 VM. **NOTE: Be sure to give YOUR public IP address HTTP Allow access for testing. The default rule allows RDP access, which should be edited to restrict access from only YOUR public IP address.**

**EDIT**: I took this "easy" file sharing up a notch by creating a self-signed SSL certificate using Git Bash, importing the certificate into IIS and also into my personal certificates store on my local PC, and binding SSL in IIS using the new self-signed certificate. Now I can access the site using HTTPS and the browser doesn't prompt the download as "insecure".
Launch Git Bash for Windows
$ winpty openssl genrsa -out awsserver.key 4096
$ winpty openssl req -key awsserver.key -out awsserver.csr
*answer prompts*
$ winpty openssl x509 -req -days 3650 -in awsserver.csr -signkey awsserver.key -out awsserver.crt
$ winpty openssl x509 -in awsserver.crt -text -noout (*this verifies certificate)
$ winpty openssl pkcs12 -export -out awsserver.pfx -inkey awsserver.key -in awsserver.crt
*this creates PFX file to import into IIS
** Don't forget to add a DNS entry, either into your local DNS server or your PC's hosts file (Windows/system32/drivers/etc)

Moving Windows Server 2022 Recovery Partition

3/13/2025

When doing a scratch install of Windows Server 2022, some brainiac at Microsoft thought it was a good idea to place the recovery partition at the end of the Disk 0 Volume. So, when you need to extend your "C" drive, you end up with the recovery partition blocking the way. Here are the steps to resolve this issue (and I'm assuming you've already added space to the virtual disk).

Step1: Remove Existing Recovery Partition
Run CMD as Administrator and execute the following command: reagentc /disable
C:\>reagentc /disable
Next, run DiskPart and execute the following commands:
diskpart
list disk
select disk 0 (or whatever happens to be the disk ID with the recovery partition)
list partition
select partition 4 (again, select the appropriate partition listed as the Recovery Partition)
list partition (ensure the recovery partition has a * beside it)
delete partition override (this deletes the recovery partition)
list partition (the recovery partition should now be deleted)

Step #2: Go into Computer Management and navigate to Disk Management

Right click on the "C" partition and select "extend" and click Next

Reduce the size of the extension by 1GB (see image below as example) to reserve space for the new recovery partition.

Finish task. Now, the "C" partition should be larger and there should be at least 1GB left at the end.

Step #3: Create a New Recovery Volume
Right-click on unallocated space
Choose Simple Volume
NTFS
No Drive Letter
Leave Partition Name Blank
Finish task.
Step #5: Return to CMD as Administrator and DiskPart
Run the following commands:
List Disk
Select Disk 0 (or other as appropriate)
List Partition
Select Partition 4 (this should be the new partition you just created in disk manager)
set id=de94bba4-06d1-4d40-a16a-bfd50179d6ac
gpt attributes=0x8000000000000001

Step #6: Exit DiskPart and Return to Administrative Command Prompt; Re-Enable Recovery Partition

C:\>reagentc /enable

Return to Computer Management->Disk Management

Partition should now show as Healthy (Recovery Partition)

Windows 11 Pro Sandbox

1/25/2025

Windows Sandbox is a lightweight virtual machine that allows users to run applications in isolation from the host operating system by creating a temporary, isolated instance of Windows that runs separately from the host machine. Sandbox was introduced in the Windows 10 update 1903 in May 2019. Since then Microsoft has (slowly) continued to enhance the feature set of the Sandbox environment. Recent updates to Windows 10/11 Sandbox include features like enhanced clipboard redirection, control over audio/video input, the ability to share folders with the host PC, and improved configuration options for managing the virtual hard disk (VHD) size and detachment, allowing for more flexibility in managing the Sandbox environment.

To script installations of apps when launching Windows Sandbox, you need to use the "LogonCommand" option in the Windows Sandbox configuration file, which allows you to specify a command or script that will run automatically when the Sandbox starts up; essentially, you create a script containing your installation commands and then point the LogonCommand to that script file which is mapped into the Sandbox as a shared folder.

Create a script:
Write a PowerShell or batch script that includes the installation commands for the software you want to automatically install in the Sandbox.

Map the script folder:
In your Windows Sandbox configuration file, use the "MappedFolders" option to specify the folder on your host machine where your installation script is located, allowing the Sandbox to access it.

Set the LogonCommand:
Within the configuration file, use the "LogonCommand" tag to point to the path of your installation script within the mapped folder.

"MappedFolders":
This section specifies that the "C:\Users\YourUser\Scripts" folder on the host machine will be accessible within the Sandbox.

"LogonCommand":
This line sets the command that will run when the Sandbox starts, which in this case is the "InstallApps.ps1" script located in the mapped folder.

Example (using PowerShell):
Script (named "InstallApps.ps1"):

Code

Start-Process -FilePath "C:\path\to\installer.exe" -ArgumentList "/silent", "/norestart"

# Add more installation commands for other applications as needed

*note: The sandbox runs with a limited user account ("WDAGUtilityAccount"), so ensure your scripts have appropriate permissions to install software.

Also, you cannot directly link an AD Group Policy Object (GPO) to the Sandbox itself because it is a temporary, isolated environment that does not join the domain; however, you can configure the Sandbox using a configuration file (.wsb) to apply specific settings that mimic certain group policy behaviors. There are also limited Local Group Policy settings available in: "Computer Configuration" > "Administrative Templates" > "Windows Components" > "Windows Sandbox".

Here's the link to the Microsoft Learn article on Sandbox:https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file

IBM FlashSystem Firmware Updates

1/23/2025

Updating the controller firmware on the IBM FlashSystem 5XXX and 7XXX systems has one known issue that doesn't seem to have been resolved by IBM: when using the GUI to upload the firmware file, the transfer rate is ridiculously SLOW. It can take over 30 minutes, sometimes over an hour, to upload a 800Mb file. The good news? There's a simple workaround for this problem.

First, you still need to download the appropriate Test Utility and Firmware Update Package from IBM FixCentral.

Then, you navigate to Settings->System->Update page.

Download and install the Putty SSH/Telnet application. Open a CMD prompt and navigate to the directory where Putty is installed (usually: C:\Program Files\Putty). Copy the Firmware Update file into the Putty folder.

At the C:\Program Files\Putty> command prompt, type in the following:

pscp software_upgrade_file_name superuser@cluster_ip_address:/home/admin/update
*you will then be prompted for the superuser password

You can repeat this for uploading the Test Utility File as well.

Note: Keep in mind that AFTER you run the upgrade utility, the FlashSystem will remove the update files. If for some reason the update files are not automatically removed, you can SSH to the system using Putty and type:

cleardumps -prefix /home/admin/update

This will clear the upate folder file cache.

To upgrade the Disk Drive firmware, navigate to Pools->Internal Disks. Left-click on one of the disks, go to Actions menu, select Upgrade. This will open the Disk Firmware Upgrade window similar to the controller firmware menu. From here you can select the Test Utility and Drive Firmware files. The Test Utility will run and report on any problems or concerns. If no errors are reported, click NEXT and the firmware update will process. Firmware updates take 5 to 10 minutes per disk. If you want to upgrade firmware for multiple disks, left-click the first drive and then either use Shift and Left-Click to highlight a continuous set of disks or Control Left-Click to only select specific disks. Go to Actions menu and proceed with the same steps as for one disk.

If the disk firmware upload process is SLOW (and it typically is), use Putty pscp.exe as per the above instructions for the firmware update process to upload the files which usually only takes a few seconds.

From the list of internal drives you can right-click on a drive, and go to Properties to view the current firmware version.

Windows Local Hosts File DNS Lookup

12/31/2024

Microsoft Windows will always check the local Windows\System32\drivers\etc\HOSTS file by default before consulting the DNS cache. The DNS cache simply stores previously resolved domain names and their corresponding IP addresses for faster access, but if a matching entry is found in the hosts file, the cache is ignored.

It is possible via GPO to change the DNS lookup order, or DISABLE the local Windows hosts file DNS resolver function: Group Policy, Computer Configuration > Administrative Templates > Network > DNS Client and enable the policy "Turn off Multicast Name Resolution" which effectively prevents the computer from using the local hosts file for name resolution. This also disables LLMNR (Link-Local Multicast Name Resolution), which is a Microsoft endpoint security recommendation.

For those not familiar with editing the hosts file, PhoenixNAP has a nice write-up here:
https://phoenixnap.com/kb/windows-hosts-file