Syed Jahanzaib – Personal Blog to Share Knowledge !

June 19, 2018

Microsoft Products Short Notes – Personal References


This post contains short notes and tips for personal reference. These are common tasks that we perform on a daily basis in our IT slavery environment!

Regards
Syed Jahanzaib


Event Viewer Codes for various Login Sessions:

Dameware:

Event ID: 111
Description: When any remote user is connected to the system via the DAMEWARE MINI REMOTE CONTROL application

Event ID: 112
Description: When any already connected remote user is disconnected

Windows RDP:

Event ID: 21,22,23,24,25

More Details can be found at Event Viewer > Applications & Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager — OPERATIONAL

You can make your customized scripting based on above Events 🙂
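One way to script against these RDP events, as an added example that is not part of the original post: it reads Event IDs 21-25 from the LocalSessionManager Operational log and lists the user, session ID and client address for each. The function name, the parameters and the 7-day default are assumptions made for illustration.

```powershell
# Added example (not from the original post).
# Lists RDP session activity from the LocalSessionManager Operational log.
function Get-RdpSessionEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local PC by default
        [int]$Days = 7                              # assumption: look-back window
    )

    # Meaning of each event ID in this log
    $action = @{
        21 = 'Logon'
        22 = 'Shell start'
        23 = 'Logoff'
        24 = 'Disconnect'
        25 = 'Reconnect'
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 22, 23, 24, 25
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
        ForEach-Object {
            # User, SessionID and Address are stored in the UserData/EventXML node
            $data = ([xml]$_.ToXml()).Event.UserData.EventXML
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Action    = $action[$_.Id]
                User      = $data.User
                SessionId = $data.SessionID
                # Client IP, LOCAL for console sessions, empty if the event has no address
                Source    = $data.Address
            }
        } |
        Sort-Object Time
}

# Last 24 hours on the local PC
Get-RdpSessionEvent -Days 1 | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; pass -ComputerName to read the log of a remote PC.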

 


Find Reason/time of Windows Shutdown/Restart

To find out the reason

  • Login to Windows
  • Launch the Event Viewer (or type eventvwr in run)
  • In the event viewer console expand Windows Logs
  • Click System and in the right pane click Filter Current Log

In the Filter Current Log box, enter the Event IDs below. This will filter the events and you will see only the events with the mentioned IDs.

  • Event ID 6005: “The event log service was started.” This is synonymous with system startup.
  • Event ID 6006: “The event log service was stopped.” This is synonymous with system shutdown.
  • Event ID 6008: “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
  • Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
  • Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.
  • Event ID 1074: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
  • Event ID 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.

To differentiate between power loss and a reboot due to a bugcheck, look for the combination of Event ID 41 (source: Microsoft-Windows-Kernel-Power) and Event ID 1001 (source: BugCheck). The former without the latter indicates power loss or reset.

In the Includes/Excludes Event IDs input field in the Filter Current Log window, you can enter “6005, 6006, 6008, 6009, 6013, 1074, 1076” to get all of this information together.

You can also add Kernel-General with Event ID 12, which is typically the first event to be logged after a reboot/reset and shows the actual “system start time”, i.e.: “The operating system started at system time xxxx-xx-xxTxx:xx:xx.xxxxxxxxxZ.”

POWERSHELL CMD to find reboot shutdown reasons

The proposed solution is a one-liner Powershell script:

Get-EventLog -LogName System | ? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize -Wrap
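The Event ID 41 / Event ID 1001 rule described above can be scripted as well. This is an added example, not part of the original post; the function name, the 10-minute matching window and the provider-name pattern used to pick out the BugCheck 1001 events are assumptions.

```powershell
# Added example (not from the original post).
# Classifies each unexpected restart as bugcheck or power loss / reset.
function Get-UnexpectedRestartCause {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$WindowMinutes = 10   # assumption: 41 and 1001 are logged within 10 minutes
    )

    # Event 41 (Kernel-Power): the system restarted without a clean shutdown
    $dirty = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41
    })

    # Event 1001 with source BugCheck. Other providers also log ID 1001 in System,
    # so filter on the provider name (the pattern is an assumption, adjust if needed).
    $bugchecks = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 1001
    } | Where-Object { $_.ProviderName -match 'BugCheck|WER-SystemErrorReporting' })

    foreach ($e in $dirty) {
        # Look for a bugcheck record close in time to this Event 41
        $hit = $bugchecks | Where-Object {
            [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le $WindowMinutes
        } | Select-Object -First 1

        [pscustomobject]@{
            Computer = $ComputerName
            LoggedAt = $e.TimeCreated
            Cause    = if ($hit) { 'Bugcheck (41 + 1001)' } else { 'Power loss or reset (41 only)' }
            Detail   = if ($hit) { ($hit.Message -split "`r?`n")[0] } else { $null }
        }
    }
}

Get-UnexpectedRestartCause | Sort-Object LoggedAt | Format-Table -AutoSize -Wrap
```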


Domain joined Workstation Rename Error

 

[Screenshot: domain workstation rename error]

Today, when our IT support personnel tried to rename a user's computer that was joined to the domain, they got the above error.

To sort out this issue we had to run these commands (in CMD, RUN AS ADMIN):

net use * /d
net stop workstation /y
net start workstation

Afterwards the rename process went smoothly.

Windows 10 – Add / Disable,Enable Folder in Startup Menu

  • Add a program to the Windows 10 startup folder

Open RUN and type

shell:startup

Now copy a shortcut of your program into this folder, and it will run on Windows startup.

  • To disable / enable a program at startup

Right click on TASK MANAGER / STARTUP


Powershell PSTerminalServices module

This module helped to see who is logged on to a remote PC via RDP, with client IP/name.

First download the module from here ….

Then import it in PowerShell. Make sure to run PowerShell as admin.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Get-Module -Name PSTerminalServices -ListAvailable
Import-Module PSTerminalServices
Get-Command -Module PSTerminalServices

# Gets all sessions from remote computer 'ZAIBPC'.

Get-TSSession -ComputerName ZAIBPC

OR

# Gets all Active sessions from remote computer 'comp1', made from IP addresses that start with '10'.

Get-TSSession -ComputerName comp1 -Filter {$_.ClientIPAddress -like '10*' -AND $_.ConnectionState -eq 'Active'}

MORE COMMANDS

# Logs off all the active sessions from remote computer 'comp1', no confirmations
Get-TSSession -ComputerName comp1 -State Active | Stop-TSSession -Force

# Displays a message box inside all active sessions of computer name 'comp1'.
$Message = "Important`n, the server is going down for maintenance in 10 minutes. Please save your work and logoff."
Get-TSSession -State Active -ComputerName comp1 | Send-TSMessage -Message $Message

# Gets all processes connected to session id 0 from remote computer 'comp1'.
Get-TSSession -ID 0 -ComputerName comp1 | Get-TSProcess

Find UPTIME of remote PC

SystemInfo /s ZAIBPC | find "Boot Time:"

Check motherboard version

wmic baseboard get product,Manufacturer,version,serialnumber


PSTOOLS Related


Adding Local Account in remote workstation with PSTOOLS

If you are a domain admin and want to add a local account on a remote client workstation, use PsTools' psexec:

psexec.exe \\target-pc net user /add USERNAME USERPASSWORD
psexec.exe \\target-pc net localgroup administrators USERNAME /add

# PSLOGGEDON COMMANDS
To check which user is logged on remote pc,

psloggedon \\remotepc

# PSEXEC COMMANDS

– To execute any command on remote pc like

psexec \\remotepc ipconfig

– OR update group policy on remote PC

PsExec.exe \\REMOTEPC -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd "/c gpupdate /force"

Note: a password given with -p stays visible in process listings and in any command-line logging. If you omit -p, PsExec prompts for the password instead.

– Check network configuration and find IP address only

PsExec.exe \\REMOTEPC ipconfig|findstr /i "IPv4"

– To open COMMAND prompt on the remote PC

psexec \\remotepc cmd

– Interacting with the logged on user on the remote PC

psexec \\remotepc -d -i notepad

# PSINFO COMMANDS
Getting general info with disk info as well

psinfo -d \\remotepc

# PSLIST COMMANDS

pslist \\remotepc

# PSKILL COMMANDS
– Kill remote pc program

pskill \\remotepc notepad

To query time on remote PC

net time \\REMOTEPC

To change time on remote pc with domain server agpinf05

PsExec.exe \\REMOTEPC -u DOMAIN\ADMIN -p PASS cmd "/c net time \\DC /set /y"

Change IP configuration of remote PC to obtain IP via DHCP

psexec \\REMOTEPC cmd
ipconfig

Then note down the required interface name and issue the following commands:

  • Check current Config
netsh interface ip show config
  • EXPORT current settings
netsh -c interface dump > c:\location1.txt 
  • Set Manual IP
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1
  • Change IP settings from STATIC to DHCP
netsh interface ip set address "Local Area Connection" dhcp

Batch file to change setting of network adapters to obtain IP from DHCP

Make sure to change the adapter names to match yours …

@echo off
echo Setting IP Address to AUTO DHCP [Office DHCP Server by syed.jahanzaib]...
netsh interface ip set address name="Local Area Connection" source=dhcp
netsh interface ip set dns "Local Area Connection" source=dhcp
netsh interface ip set address name="Wireless Network Connection" source=dhcp
netsh interface ip set dns "Wireless Network Connection" source=dhcp
echo Done....

Command to change IP via CMD

netsh interface ip set address name="Local Area Connection" static 192.168.0.1 255.255.255.0 192.168.0.254
netsh interface ip set dns name="Local Area Connection" static 192.168.0.250
netsh interface ip add dns name="Local Area Connection" 8.8.8.8 index=2

Check Remote PC OS version & other details by CMD

systeminfo /s \\REMOTEPCNAME
# OR
systeminfo /s \\REMOTEPCNAME|findstr /i "host OS "

Result:

C:\>systeminfo /s \\syed_jahanzaib

Host Name: SYED_JAHANZAIB
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Syed Jahanzaib
Registered Organization:
Product ID: xxxxxx-005-xxxx-xxxx
Original Install Date: 4/11/2017, 1:14:44 PM
System Boot Time: 6/19/2018, 7:44:47 AM
System Manufacturer: INTEL_
System Model: DH77KC__
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 58 Stepping 9 GenuineIntel ~3392 Mhz
BIOS Version: Intel Corp. KCH7710H.86A.0069.2012.0224.1825, 2/24/2012
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+05:00) Islamabad, Karachi
Total Physical Memory: 8,090 MB
Available Physical Memory: 2,450 MB
Virtual Memory: Max Size: 16,178 MB
Virtual Memory: Available: 10,455 MB
Virtual Memory: In Use: 5,723 MB
Page File Location(s): C:\pagefile.sys
Domain: DOMAIN1
Logon Server: \\DOMAIN_DC
Hotfix(s): 187 Hotfix(s) Installed.
...........................
Network Card(s): 3 NIC(s) Installed.
[01]: Intel(R) 82579V Gigabit Network Connection
Connection Name: DOMAIN - LAN
DHCP Enabled: No
IP address(es)
[01]: 192.168.100.100
[02]: 192.168.50.10
[03]: 192.168.8.23
[02]: VMware Virtual Ethernet Adapter for VMnet1
Connection Name: VMware Network Adapter VMnet1
DHCP Enabled: No
IP address(es)
[01]: 169.254.97.149
[02]: fe80::ad90:fdcb:3f81:6195
[03]: VMware Virtual Ethernet Adapter for VMnet8
Connection Name: VMware Network Adapter VMnet8
DHCP Enabled: No
IP address(es)
[01]: 169.254.80.235
[02]: fe80::5598:be9:b61d:50eb

C:\>

DHCP Related ! [Tested with W2008]

DHCP is running on a Windows 2008 server, IP is 192.168.0.1

#DHCP BACKUP
netsh dhcp server 192.168.0.1 dump > c:\dhcpoutput.txt all

#DHCP DELETE OLD SCOPE
netsh dhcp server delete scope 192.168.0.0 dhcpfullforce

#DHCP IMPORT
[Disable DHCP Service before import]
netsh dhcp server import c:\tools\dhcpoutput all

#DHCP DISABLE
netsh dhcp server 192.168.0.1 scope 192.168.0.0 set state 0

Disable Internet Explorer Proxy via CMD

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

Clear DNS cache in Windows

ipconfig /flushdns
net stop dnscache
net start dnscache

Event ID

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j


Excel 2010 showing Blank Sheet

In Excel 2010, when you open an Excel sheet (any particular one, either yours or sent to you by someone else), it appears as a blank sheet.

This may also occur if your computer’s screen resolution is higher than that of the person who last saved the workbook.

In Excel 2010, go to the View tab.

Select the ‘Arrange All’ button, then choose to Cascade.

OR

Excel 2010 opening blank sheets:

Hold Ctrl+Shift and open the file,
or, if it is related to a MACRO, run the macro.


Display printers list installed on Remote PC

Get-WMIObject Win32_Printer -ComputerName REMOTE_PC_NAME

CHECK OS VERSION OF REMOTE COMPUTER

Get-WmiObject Win32_OperatingSystem -ComputerName "YOURPCNAME" | Select PSComputerName, Caption, OSArchitecture, Version, BuildNumber | FL

GET LIST OF INSTALLED PRODUCTS ON REMOTE PC

POWERSHELL

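Get-WmiObject -Class Win32_Product -ComputerName MYPCNAME

Note: Win32_Product only lists software installed through Windows Installer (MSI), and querying it runs a consistency check on every installed package, so it is slow.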

Display Motherboard model via CMD

- To find Board number of local pc
wmic baseboard get product,Manufacturer,version,serialnumber

- To find Board number of remote pc
wmic /node:"remotepc" baseboard get product,Manufacturer,version,serialnumber

- To find remote pc architecture like 32bit or 64bit
wmic /node:"remotepc" os get osarchitecture

Adding Static Routes in Windows via CMD

Adding route for single host

route -p ADD 10.1.1.12 MASK 255.255.255.255 101.11.11.4 METRIC 1 IF 11

Notes:

To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

To make a static route persistent, you can either enter route add commands in a batch file that is run during system startup or use the -p option when adding routes.

Routes added by using the -p option are stored in the registry under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

Windows 7 Temporary profile Issue:

How to Fix Temporary Profile in Windows 7/ 8.1/10


There is no script engine for file extension .vbs

When we upgraded from Win7 to Windows 10/2012, our domain welcome logon script stopped working with the above error. To sort it out, we copied the welcome VB script to the domain logon folder and used this …

cscript //e:vbscript c:\path\to\script.vbs

Convert bootable USB in ISO file

The instructions for USB to .iso are as follows (for a Windows 7 installation for example):

  1. Install ImgBurn. You can even get a portable version of it, just search for it.
  2. Plug the bootable USB into the computer
  3. Start ImgBurn.
  4. Click on the “Create image file from files / folders” button on the home menu.
  5. In “Sources” browse to the USB drive.
  6. In “Destination” choose where to save the final .iso image.
  7. Go to the “Advanced” tab on the right and then “Bootable Disk”.
  8. Check the box “Make Bootable Image” and then, in the “Boot image” box browse to file “etfsboot.com” that is in the USB stick found in the folder “boot”.
  9. In the field “Developer ID” put “Microsoft Corporation” and enter “07C0” in the “Load Segment” field.
  10. Enter ‘4’ in the ‘Sectors To Load’ field if your etfsboot.com file is 2K in size, enter ‘8’ if it’s 4K. In other words, x = size of etfsboot.com in bytes / 512.
  11. Click “Build” and you’re done!

Credits: https://mindthebandgap.wordpress.com/2013/03/13/how-to-convert-bootable-usb-into-an-iso-file/


Reboot / Shutdown – Remote Workstation from Domain Admin PC

shutdown /r /t 60 /m \\REMOTE-PC /c "YOUR PC WILL REBOOT AFTER 1 MINUTE..."
shutdown /r /f /t 60 /m \\REMOTE-PC /c "YOUR PC WILL REBOOT AFTER 1 MINUTE..."

60 is seconds; you can raise or lower this value as per your requirements. /f force-closes running applications.


.NET Framework 3.5 error code 0x800F081F on Windows 10.


To solve it, use following.

Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess

In the above command, make sure to change the path D:\sources\sxs to your Windows 10 DVD / USB location. Basically you have to provide the Windows installation DVD/USB path so that it can copy the required files for .NET.

Get Installed Printer list from remote workstation using PS cmd

Get-WmiObject win32_printer -ComputerName "REMOTE_PC_NAME"

Disable Internet Explorer (chrome) Proxy via CMD

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

Check System Info & HOTFIXES / Windows Updates

Windows Built In cmd’s to query for System information & windows updates list


wmic qfe | find "982802"
systeminfo > c:\updates.txt

PowerShell:


get-hotfix
To search for a specific hotfix
get-hotfix | out-string -stream | select-string "KB977236"


Find windows version remotely

systeminfo /s 10.1.1.2 | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version"

Get computer hardware details

wmic computersystem get model,name,manufacturer,systemtype

wmic csproduct get name

wmic bios get serialnumber


FOLDER’s Related CMD’s

To delete all folders starting with 1

Direct CMD run command

for /d %i in (1*) do rd /s/q "%i"

CMD to be used in BATCH file

for /d %%i in (1*) do rd /s/q "%%i"

To count the number of files in a folder tree (use /a:d instead of /a:-d to count folders)

dir /a:-d /s /b "C:\Users\MYNAME\AppData\Local\Temp" | find /c ":"

Windows Patches List

wmic qfe list

Search particular Patch

wmic qfe | find "4013389"

Powershell:

get-hotfix

DHCP related CMD’s


########### DHCP COMMANDS ##############

# Search user by IP address
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -IPAddress 10.11.17.70

# Get all leases from DHCP Server
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 -AllLeases

# Get particular information only for in all leases
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 | select-object IPAddress,ClientId,HostName,Description

# Search user by MAC Address
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 -EA SilentlyContinue -ClientId fa-52-78-b8-ef-d8
Get-DhcpServerv4Scope -ComputerName 10.11.11.5 | Get-DhcpServerv4Lease -EA SilentlyContinue -ClientId 3c-52-82-59-87-76
# Search all scopes for a partial MAC address
Get-DhcpServerv4Scope -ComputerName 10.11.11.5 | foreach { Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -AllLeases -ScopeId $_.ScopeId } | ? ClientId -match '00-04-f2-f'

# Get FREE IP address details
Get-DhcpServerv4FreeIPAddress -ComputerName 10.11.11.5 -ScopeId 10.0.0.0

# ADD IP Reservation IN DHCP VIA CMD
Add-DhcpServerv4Reservation -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 -IPAddress 10.11.14.235 -ClientId 54-ee-75-e8-ad-18 -Description "temp.guest" -Name "temp.guest"
# ADD GATEWAY for reserved IP IN DHCP VIA CMD
Set-DhcpServerv4OptionValue -ComputerName 10.11.11.5 -ReservedIP 10.11.14.235 -Router 10.11.11.6

Change Windows Remote Desktop (RDP) Default Port to other value

First check what is current port


Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber"

Now to change it use the code below. Ensure you are opening PowerShell with RUN AS ADMINISTRATOR.


$portvalue = 44440

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue

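The new port takes effect after the Remote Desktop Services service is restarted or the PC is rebooted, and Windows Firewall must allow the new port. After that you can access the remote PC RDP like 192.168.0.1:44440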


Regards
Syed Jahanzaib