This post contains short notes / tips for personal reference. These are common tasks that we perform on a daily basis in our IT slavery environment!
Regards
Syed Jahanzaib
Event Viewer Codes for various Login Sessions:
Dameware:
Event ID: 111
Description: When any remote user is connected to the system via the DAMEWARE MINI REMOTE CONTROL application
Event ID: 112
Description: When any already connected remote user is disconnected
Windows RDP:
Event ID: 21,22,23,24,25
More Details can be found at Event Viewer > Applications & Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager — OPERATIONAL
You can build your own customized scripts based on the above events.
Find Reason/time of Windows Shutdown/Restart
To find out the reason
- Login to Windows
- Launch the Event Viewer (or type eventvwr in run)
- In the event viewer console expand Windows Logs
- Click System and in the right pane click Filter Current Log
In the Filter Current Log box, use the EVENT IDs below as the event ID. This will filter the events so you only see events with the mentioned IDs.
- Event ID 6005: “The event log service was started.” This is synonymous with system startup.
- Event ID 6006: “The event log service was stopped.” This is synonymous with system shutdown.
- Event ID 6008: “The previous system shutdown was unexpected.” Records that the system started after it was not shut down properly.
- Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.
- Event ID 6013: Displays the uptime of the computer. There is no TechNet page for this id.
- Event ID 1074: “The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z.” Indicates that an application or a user initiated a restart or shutdown.
- Event ID 1076: “The reason supplied by user X for the last unexpected shutdown of this computer is: Y.” Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
Kernel-General with Event ID 12, which is typically the first event logged after a reboot/reset and shows the actual “system start time”, i.e.: “The operating system started at system time xxxx-xx-xxTxx:xx:xx.xxxxxxxxxZ.”
POWERSHELL CMD to find reboot shutdown reasons
The proposed solution is a one-liner PowerShell script:
Get-EventLog -LogName System | ? {$_.EventID -in (6005,6006,6008,6009,1074,1076)} | ft TimeGenerated,EventId,Message -AutoSize -Wrap
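Building on that one-liner, the script below is an added example (mine, not from the original post) that covers the whole ID list above, including Kernel-General 12, labels each event with its meaning and limits the lookback window. It assumes PowerShell 3.0 or later in an elevated session; the -ComputerName and -Days parameters are my own additions, and the labels are taken from the descriptions listed above.

```powershell
# Added example: reboot/shutdown history from the System log, newest first.
# Run elevated; -ComputerName queries a remote host over the event log RPC interface.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

# Meaning of each Event ID, per the list above.
$labels = @{
    6005 = 'Event log service started (system startup)'
    6006 = 'Event log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected'
    6009 = 'OS version/build logged at boot'
    6013 = 'System uptime'
    1074 = 'Restart/shutdown initiated by a process or user'
    1076 = 'Reason supplied for the last unexpected shutdown'
    12   = 'Kernel-General: operating system started (system start time)'
}

$filter = @{
    LogName   = 'System'
    Id        = @($labels.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        # Other providers also use ID 12; only Kernel-General's 12 is the "OS started" event.
        $_.Id -ne 12 -or $_.ProviderName -eq 'Microsoft-Windows-Kernel-General'
    } |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Meaning'; Expression = { $labels[$_.Id] } },
        @{ Name = 'Detail';  Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Save it as, for example, Get-RebootHistory.ps1 and run `.\Get-RebootHistory.ps1 -ComputerName ZAIBPC -Days 90`. A 1074 immediately followed by 6006 and then 12 is a normal, operator-initiated reboot; a 12 with no preceding 6006 (and usually a 6008 after it) is the pattern to investigate, because the machine lost power or crashed.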
Domain joined Workstation Rename Error
Today when our IT Support personnel was trying to rename a user's computer that was joined to the domain, they got the above error.
To sort this issue we had to run these commands (from a CMD opened with RUN AS ADMIN):
net use * /d
net stop workstation /y
net start workstation
Afterwards the rename process went smoothly.
Windows 10 – Add / Disable / Enable programs in the Startup folder
- Add a program to the Windows 10 startup folder
RUN shell:startup
Now copy a shortcut of your program into this folder, and it will run on Windows startup.
- To disable / enable a program at startup
Right click on TASK MANAGER / STARTUP
Powershell PSTerminalServices module
This module helps to see who is logged on to a remote PC via RDP, with the client IP/name.
First download the module from here ….
then import it in PowerShell. Make sure to run PowerShell as admin.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Get-Module -Name PSTerminalServices -ListAvailable
Import-Module PSTerminalServices
Get-Command -Module PSTerminalServices
# Gets all sessions from remote computer ZAIBPC
Get-TSSession -ComputerName ZAIBPC
OR
# Gets all Active sessions from remote computer 'comp1', made from IP addresses that start with '10'.
Get-TSSession -ComputerName comp1 -Filter {$_.ClientIPAddress -like '10*' -AND $_.ConnectionState -eq 'Active'}
MORE COMMANDS
# Logs off all the active sessions from remote computer 'comp1', no confirmations
Get-TSSession -ComputerName comp1 -State Active | Stop-TSSession -Force
# Displays a message box inside all active sessions of computer name 'comp1'.
$Message = "Important`n, the server is going down for maintenance in 10 minutes. Please save your work and logoff."
Get-TSSession -State Active -ComputerName comp1 | Send-TSMessage -Message $Message
# Gets all processes connected to session id 0 from remote computer 'comp1'.
Get-TSSession -ID 0 -ComputerName comp1 | Get-TSProcess
Find UPTIME of remote PC
SystemInfo /s ZAIBPC | find "Boot Time:"
Check motherboard version
wmic baseboard get product,Manufacturer,version,serialnumber
PSTOOLS Related
Adding Local Account in remote workstation with PSTOOLS
If you are a domain admin and want to add a local account on a remote client workstation, use PsTools' psexec
psexec.exe \\target-pc net user USERNAME USERPASSWORD /add
psexec.exe \\target-pc net localgroup administrators USERNAME /add
# PSLOGGEDON COMMANDS
To check which user is logged on remote pc,
psloggedon \\remotepc
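Both the PSTerminalServices section above and psloggedon answer the same question ("who is logged on to that PC, and from which session?"). As an added example that is not from the original post nor from either tool, the function below gets the same answer from the built-in quser utility and turns its text output into objects, so the result can be filtered or exported. It assumes quser.exe is present (Pro/Enterprise/Server editions) and that you have admin rights on the remote host; the -Raw parameter and the sample output are my own constructions so the parser can be exercised offline.

```powershell
# Added example: parse quser output into objects (built-in tool, no module needed).
function Get-LoggedOnUser {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Pre-captured quser output; when supplied, quser is not executed (for offline testing).
        [string[]]$Raw
    )

    if (-not $Raw) {
        $Raw = & quser /server:$ComputerName 2>$null
        if (-not $Raw) { return }   # no sessions, tool missing, or access denied
    }

    # First line is the column header; columns are separated by runs of 2+ spaces.
    foreach ($line in ($Raw | Select-Object -Skip 1)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        # A leading '>' marks the session quser itself is running in.
        $fields = ($line.Trim() -replace '^>', '') -split '\s{2,}'
        # Disconnected sessions have no SESSIONNAME, so only 5 fields remain; re-insert it.
        if ($fields.Count -eq 5) {
            $fields = @($fields[0], '') + $fields[1..4]
        }
        [pscustomobject]@{
            ComputerName = $ComputerName
            UserName     = $fields[0]
            SessionName  = $fields[1]
            Id           = [int]$fields[2]
            State        = $fields[3]
            IdleTime     = $fields[4]
            LogonTime    = $fields[5]
        }
    }
}

# Constructed sample of quser output (not captured from a real machine).
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>jahanzaib             rdp-tcp#3           2  Active          .  6/19/2018 7:45 AM',
    ' helpdesk                                  3  Disc         1:22  6/18/2018 9:10 AM'
)
Get-LoggedOnUser -ComputerName 'ZAIBPC' -Raw $sample | Format-Table -AutoSize

# Live use against a remote PC (requires admin rights there):
# Get-LoggedOnUser -ComputerName ZAIBPC | Where-Object State -eq 'Active'
```

The "rdp-tcp#N" session name tells you the user came in over RDP rather than the console, which is the same distinction the PSTerminalServices ClientIPAddress filter relies on; a "Disc" state with a long idle time is a disconnected session that still holds the user's token and should be logged off rather than left open.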
# PSEXEC COMMANDS
– To execute any command on remote pc like
psexec \\remotepc ipconfig
OR update group policy on remote PC
PsExec.exe \\REMOTEPC -u DOMAIN\ADMINISTRATOR -p PASSWORD cmd "/c gpupdate /force"
- Check network configuration and find IP address only,
PsExec.exe \\REMOTEPC ipconfig|findstr /i "IPv4"
– To open COMMAND prompt of remote user
psexec \\remotepc cmd
-Interacting with the Logged On User on the Remote PC
psexec \\remotepc -d -i notepad
# PSINFO COMMANDS
Getting general info with disk info as well
psinfo -d \\remotepc
# PSLIST COMMANDS
pslist \\remotepc
# PSKILL COMMANDS
– Kill remote pc program
pskill \\remotepc notepad
to query time
net time \\REMOTEPC
To sync the time on a remote PC with the domain controller (agpinf05 in our case, shown as DC below)
PsExec.exe \\REMOTEPC -u DOMAIN\ADMIN -p PASS cmd "/c net time \\DC /set /y"
Change IP configuration of remote PC to obtain IP via DHCP
psexec \\REMOTEPC cmd /c ipconfig
Then note down the required interface name and issue following command,
- Check current Config
netsh interface ip show config
- EXPORT current settings
netsh -c interface dump > c:\location1.txt
- Set Manual IP
netsh interface ip set address name="Local Area Connection" static 192.168.0.100 255.255.255.0 192.168.0.1
- Change IP settings from STATIC to DHCP
netsh interface ip set address "Local Area Connection" dhcp
Batch file to change setting of network adapters to obtain IP from DHCP
Make sure to change the adapter names to match yours …
@echo off
echo Setting IP Address to AUTO DHCP [Office DHCP Server by syed.jahanzaib]...
netsh interface ip set address name="Local Area Connection" source=dhcp
netsh interface ip set dns "Local Area Connection" source=dhcp
netsh interface ip set address name="Wireless Network Connection" source=dhcp
netsh interface ip set dns "Wireless Network Connection" source=dhcp
echo Done....
Command to change IP via CMD
netsh interface ip set address name="Local Area Connection" static 192.168.0.1 255.255.255.0 192.168.0.254
netsh interface ip set dns name="Local Area Connection" static 192.168.0.250
netsh interface ip add dns name="Local Area Connection" 8.8.8.8 index=2
Check Remote PC OS version & other details by CMD
systeminfo /s \\REMOTEPCNAME
# OR
systeminfo /s \\REMOTEPCNAME | findstr /i "host OS "
Result:
C:\>systeminfo /s \\syed_jahanzaib
Host Name:                 SYED_JAHANZAIB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Syed Jahanzaib
Registered Organization:
Product ID:                xxxxxx-005-xxxx-xxxx
Original Install Date:     4/11/2017, 1:14:44 PM
System Boot Time:          6/19/2018, 7:44:47 AM
System Manufacturer:       INTEL_
System Model:              DH77KC__
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 58 Stepping 9 GenuineIntel ~3392 Mhz
BIOS Version:              Intel Corp. KCH7710H.86A.0069.2012.0224.1825, 2/24/2012
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+05:00) Islamabad, Karachi
Total Physical Memory:     8,090 MB
Available Physical Memory: 2,450 MB
Virtual Memory: Max Size:  16,178 MB
Virtual Memory: Available: 10,455 MB
Virtual Memory: In Use:    5,723 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    DOMAIN1
Logon Server:              \\DOMAIN_DC
Hotfix(s):                 187 Hotfix(s) Installed.
                           ...........................
Network Card(s):           3 NIC(s) Installed.
                           [01]: Intel(R) 82579V Gigabit Network Connection
                                 Connection Name: DOMAIN - LAN
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 192.168.100.100
                                 [02]: 192.168.50.10
                                 [03]: 192.168.8.23
                           [02]: VMware Virtual Ethernet Adapter for VMnet1
                                 Connection Name: VMware Network Adapter VMnet1
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 169.254.97.149
                                 [02]: fe80::ad90:fdcb:3f81:6195
                           [03]: VMware Virtual Ethernet Adapter for VMnet8
                                 Connection Name: VMware Network Adapter VMnet8
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 169.254.80.235
                                 [02]: fe80::5598:be9:b61d:50eb
C:\>
DHCP Related ! [Tested with W2008]
DHCP is running on a Windows 2008 server, IP is 192.168.0.1
#DHCP BACKUP
netsh dhcp server 192.168.0.1 dump all > c:\dhcpoutput.txt
#DHCP DELETE OLD SCOPE
netsh dhcp server delete scope 192.168.0.0 dhcpfullforce
#DHCP IMPORT [Disable DHCP Service before import]
netsh dhcp server import c:\tools\dhcpoutput all
#DHCP DISABLE (deactivate the scope)
netsh dhcp server 192.168.0.1 scope 192.168.0.0 set state 0
Disable Internet Explorer Proxy via CMD
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
Clear cache in windows
ipconfig /flushdns
net stop dnscache
net start dnscache
Event ID
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j
Excel 2010 showing Blank Sheet
In Excel 2010, when you open an Excel sheet (any particular one, either yours or one sent to you by someone else), it appears as a blank sheet.
This may also occur if your computer’s screen resolution is higher than that of the person who last saved the workbook.
In Excel 2010, go to the View tab.
Select the ‘Arrange All’ button, then choose to Cascade.
OR
Excel 2010
opening blank sheets
Hold Ctrl+Shift and open the file
or it is related to a MACRO; run the macro
Display printers list installed on Remote PC
Get-WMIObject Win32_Printer -ComputerName REMOTE_PC_NAME
CHECK OS OF REMOTE COMPUTER
Get-WmiObject Win32_OperatingSystem -ComputerName "YOURPCNAME" | Select PSComputerName, Caption, OSArchitecture, Version, BuildNumber | FL
GET LIST OF INSTALLED PRODUCTS ON REMOTE PC
POWERSHELL
Get-WmiObject -Class Win32_Product -Computer MYPCNAME
Display Motherboard model via CMD
- To find the board number of the local pc
wmic baseboard get product,Manufacturer,version,serialnumber
- To find the board number of a remote pc
wmic /node:"remotepc" baseboard get product,Manufacturer,version,serialnumber
- To find the remote pc architecture, i.e. 32bit or 64bit
wmic /node:"remotepc" os get osarchitecture
Adding Static Routes in Windows via CMD
Adding route for single host
route -p ADD 10.1.1.12 MASK 255.255.255.255 101.11.11.4 METRIC 1 IF 11
Notes:
To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.
To make a static route persistent, you can either enter route add commands in a batch file that is run during system startup or use the -p option when adding routes.
Routes added by using the -p option are stored in the registry under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
Windows 7 Temporary profile Issue:
There is no script engine for file extension .vbs
When we upgraded from Win7 to Windows 10/2012, our domain welcome logon script stopped working with the above error. To sort it we copied the welcome VB script to the domain logon folder and used this …
cscript //e:vbscript c:\path\to\script.vbs
Convert bootable USB in ISO file
The instructions for USB to .iso are as follows (for a Windows 7 installation for example):
- Install ImgBurn. You can even get a portable version of it, just search for it.
- Plug the bootable USB into the computer
- Start ImgBurn.
- Click on the “Create image file from files / folders” button on the home menu.
- In “Sources” browse to the USB drive.
- In “Destination” choose where to save the final .iso image.
- Go to the “Advanced” tab on the right and then “Bootable Disk”.
- Check the box “Make Bootable Image” and then, in the “Boot image” box browse to the file “etfsboot.com” that is on the USB stick in the folder “boot”.
- In the field “Developer ID” put “Microsoft Corporation” and enter “07C0” in the “Load Segment” field.
- Enter “4” in the “Sectors To Load” field if your etfsboot.com file is 2K in size, enter “8” if it’s 4K. In other words, x = size of etfsboot.com in bytes / 512.
- Click “Build” and you’re done!
Credits: https://mindthebandgap.wordpress.com/2013/03/13/how-to-convert-bootable-usb-into-an-iso-file/
Reboot / Shutdown – Remote Workstation from Domain Admin PC
shutdown /r /t 60 /m \\REMOTE-PC /c "YOUR PC WILL REBOOT AFTER 1 MINUTE..."
shutdown /r /f /t 60 /m \\REMOTE-PC /c "YOUR PC WILL REBOOT AFTER 1 MINUTE..."
60 is the timeout in seconds; you can raise or lower this value as per your requirements. /f forces running applications to close without warning the user.
.NET Framework 3.5 error code 0x800F081F on Windows 10.
To solve it, use following.
Dism /online /enable-feature /featurename:NetFx3 /All /Source:D:\sources\sxs /LimitAccess
In the above command make sure to change the path D:\sources\sxs
to your Windows 10 DVD / USB location. Basically you have to provide the Windows installation DVD/USB path so that it can copy the required files for .NET.
Get Installed Printer list from remote workstation using PS cmd
Get-WmiObject win32_printer -ComputerName "REMOTE_PC_NAME"
Disable Internet Explorer (chrome) Proxy via CMD
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
Check System Info & HOTFIXES / Windows Updates
Windows Built In cmd’s to query for System information & windows updates list
wmic qfe | find "982802"
systeminfo > c:\updates.txt
PowerShell:
get-hotfix
To search for a specific hotfix
get-hotfix | out-string -stream | select-string "KB977236"
Find windows version remotely
systeminfo /s 10.1.1.2 | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version"
Get computer hardware details
wmic computersystem get model,name,manufacturer,systemtype
wmic csproduct get name
wmic bios get serialnumber
FOLDER’s Related CMD’s
To delete all folders starting with 1
Direct CMD run command
for /d %i in (1*) do rd /s/q "%i"
CMD to be used in BATCH file
for /d %%i in (1*) do rd /s/q "%%i"
To count the number of files under a folder (recursively; /a:-d excludes directories)
dir /a:-d /s /b "C:\Users\MYNAME\AppData\Local\Temp" | find /c ":"
Windows Patches List
wmic qfe list
Search particular Patch
wmic qfe | find "4013389"
Powershell:
get-hotfix
DHCP related CMDs
########### DHCP COMMANDS ##############
# Search lease by IP address
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -IPAddress 10.11.17.70
# Get all leases from DHCP Server
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 -AllLeases
# Get particular information only for all leases
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 | Select-Object IPAddress,ClientId,HostName,Description
# Search user by MAC Address
Get-DhcpServerv4Lease -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 -EA SilentlyContinue -ClientId fa-52-78-b8-ef-d8
Get-DhcpServerv4Scope -ComputerName 10.11.11.5 | Get-DhcpServerv4Lease -EA SilentlyContinue -ClientId 3c-52-82-59-87-76
Get-DhcpServerv4Scope | foreach {Get-DhcpServerv4Lease -ComputerName $env:YOURDC -AllLeases -ScopeId ([string]$_.ScopeId)} | ? clientid -match '00-04-f2-f'
# Get FREE IP Addresses details
Get-DhcpServerv4FreeIPAddress -ComputerName 10.11.11.5 -ScopeId 10.0.0.0
# ADD IP Reservation IN DHCP VIA CMD
Add-DhcpServerv4Reservation -ComputerName 10.11.11.5 -ScopeId 10.0.0.0 -IPAddress 10.11.14.235 -ClientId 54-ee-75-e8-ad-18 -Description "temp.guest" -Name "temp.guest"
# ADD GATEWAY for reserved IP IN DHCP VIA CMD
Set-DhcpServerv4OptionValue -ComputerName 10.11.11.5 -ReservedIP 10.11.14.235 -Router 10.11.11.6
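The MAC-address lookups above only work when the ClientId is typed exactly the way the DHCP server stores it (lower-case, dash-separated), and each one is tied to a single scope. As an added example that is not from the original post, the function below wraps the same cmdlets to search every scope on a server by MAC and/or IP, normalising whatever MAC format is pasted in. It assumes the DhcpServer module (RSAT) is installed and the account has DHCP read rights; the server address in the usage lines is the placeholder used in the post.

```powershell
# Added example: find a DHCP lease across all scopes on a server by MAC and/or IP.
function ConvertTo-DhcpClientId {
    # DHCP cmdlets report ClientId as lower-case, dash-separated bytes, e.g. fa-52-78-b8-ef-d8.
    param([string]$Mac)
    if (-not $Mac) { return $null }
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()   # strip ':', '-', '.', spaces
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return ($hex -replace '(..)(?!$)', '$1-')             # insert a dash after every byte but the last
}

function Find-DhcpLease {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DhcpServer,
        [string]$MacAddress,
        [string]$IPAddress
    )
    if (-not $MacAddress -and -not $IPAddress) {
        throw 'Specify -MacAddress and/or -IPAddress.'
    }
    $clientId = ConvertTo-DhcpClientId $MacAddress   # $null when no MAC was given

    Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
        # -AllLeases also returns reservations and expired/declined leases.
        Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId -AllLeases -ErrorAction SilentlyContinue
    } | Where-Object {
        (-not $clientId  -or $_.ClientId -eq $clientId) -and
        (-not $IPAddress -or "$($_.IPAddress)" -eq $IPAddress)
    } | Select-Object ScopeId, IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime
}

# Usage (10.11.11.5 is the placeholder DHCP server address from the commands above):
# Find-DhcpLease -DhcpServer 10.11.11.5 -MacAddress 'FA:52:78:B8:EF:D8'
# Find-DhcpLease -DhcpServer 10.11.11.5 -IPAddress 10.11.17.70
```

The AddressState column is worth keeping in the output: a MAC that shows up as "ActiveReservation" in one scope and "Active" in another means the device is leasing an address outside the scope it was reserved in, which is the usual reason a reservation "does not work".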
Change Windows Remote Desktop (RDP) Default Port to other value
First check what is current port
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber"
Now to change it use the code below. Ensure you are opening the PowerShell CMD as RUN AS ADMINISTRATOR.
$portvalue = 44440
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value $portvalue
Now you can access the remote PC RDP like 192.168.0.1:44440
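Two things the registry change alone does not do: Windows Firewall still only allows TCP 3389 for Remote Desktop, and the listener only re-reads PortNumber when the TermService service restarts. The script below is an added example (mine, not from the original post) that ties the check, the change, the firewall rule and the restart together; it assumes an elevated PowerShell on the target machine (or inside Invoke-Command) and uses 44440, the example port from the post, as the default.

```powershell
# Added example: change the RDP port, allow it through the firewall, restart the listener.
param([ValidateRange(1025, 65535)][int]$NewPort = 44440)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Step 1: read the current port (3389 by default).
$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP port: $current"
if ($current -eq $NewPort) { Write-Host 'Nothing to do.'; return }

# Step 2: open the new port before switching, otherwise the next connection is blocked.
$ruleName = "RDP custom port $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null
}

# Step 3: the registry change from the post.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Step 4: the listener only picks up the new value after a service restart.
Restart-Service -Name TermService -Force

# Step 5: verify that something is now listening on the new port.
$listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Host "RDP now listening on TCP $NewPort; connect with mstsc /v:<host>:$NewPort"
} else {
    Write-Warning "No listener on TCP $NewPort yet; check the TermService state."
}
```

Run it from a console session or over PowerShell remoting rather than from inside an RDP session to the same machine, because the TermService restart drops every RDP session on the host. Moving the port keeps casual 3389 scanners away but is not a substitute for NLA and a strong password, since the new port is found by a full port scan in seconds.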
Regards
Syed Jahanzaib