All Global Catalog Servers in Use Are Not Responding on Exchange Server 2003

The fix for this error condition is relatively simple. If your Exchange server has network interfaces on more than one network (perhaps a SAN or a dedicated backup network), it may be attempting to locate global catalog servers using the wrong network.

Event Source: MSExchangeDSAccess
Event Category: Topology
Event ID: 2103
Description: Process MAD.EXE. All Global Catalog Servers in use are not responding:

Go to Control Panel > Network Connections > Advanced > Connections and move the network interface that has access to your global catalog servers to the top of the list. No reboot or service restart is necessary. The Exchange server “checks in” with a global catalog server every 15 minutes so watch it for a while to get the warm fuzzy feeling of having saved the day yet again.

Exchange Server
Active Directory


Windows has blocked access to these files to help protect your computer - Workaround!

This error is the result of either Windows restricting access to a file downloaded from the Internet or a zip file that contains unexpected path separators. In case number one, go to the properties of the file and select Unblock. Your group policies may need to be adjusted for you to see this button. In case number two, the path separators may start with a leading backslash. If this is the case, download WinRAR and use the Extract without confirmation option to unpack the contents of the zip file.
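To confirm which of the two cases applies before choosing an extraction tool, the stored entry names can be inspected directly. The following is an added example, not part of the original post; the function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

def audit_zip_names(data: bytes) -> dict:
    """Map each suspicious stored entry name to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # orig_filename is the name as stored in the archive, before
            # zipfile normalises separators for the local platform.
            raw = info.orig_filename
            reasons = []
            if raw.startswith(("\\", "/")):
                reasons.append("rooted path")
            if "\\" in raw:
                reasons.append("backslash separator")
            if len(raw) > 1 and raw[1] == ":":
                reasons.append("drive letter")
            if ".." in raw.replace("\\", "/").split("/"):
                reasons.append("parent-directory component")
            if reasons:
                findings[raw] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: one normal entry, one with a leading backslash."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("docs/readme.txt"), b"ok")
        zf.writestr(zipfile.ZipInfo("\\docs\\setup.ini"), b"ok")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in audit_zip_names(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

An archive that reports no findings is more likely to be case number one, where the file only needs to be unblocked.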

Windows


Cannot Start Microsoft Outlook. Can’t Create the Item.

The solution to this is to delete the FRMCACHE.DAT file located in the Documents and Settings\user.name\Local Settings\Application Data\Microsoft\FORMS folder. This fixed it for me on an Outlook 2003 system. I think it had something to do with some custom forms I had installed.

Exchange Server


Replacing Blank Lines in SQL Server 2005 Management Studio Queries

Here is a regular expression that works in SQL Server Management Studio. It will replace those bothersome blank lines that the query window picks up when pasting text from an HTML source.

^:b*$\n

Do a Find and Replace (or Ctrl-h)
Select Search hidden text
Select Use Regular expressions
Put ^:b*$\n in the Find what: box
Make sure Replace with: is blank
Click on the Replace All button

SQL Server


Repairing the Windows Firewall

Today, I happened upon a customer’s Windows server that had a broken firewall. The firewall was not even enabled which explained why it was not working (duh). But when I went to enable it, the selection was grayed out! A check of the group policies revealed that a GPO was not controlling the setting. At this point it was clear that the server’s security had been compromised.

After a rootkit and antivirus scan came up clean I proceeded to get the firewall up and running until a replacement server could be brought online later that day. Here is the process I used to get it back online. Incidentally, I did these steps over a Remote Desktop connection and maintained connectivity (except for reboots) the entire time. I performed these steps on a Windows Server but I believe they will work for a Windows XP computer. Another error I have seen is “Due to an unidentified problem, Windows cannot display Windows Firewall settings.”

If you just want to re-enable the ability to turn on the firewall, delete the following registry keys.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

However, to re-install the Windows firewall, copy the following text into a Notepad document and name the file Sharedaccess.reg.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cd0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Right-click Sharedaccess.reg and select merge.

Reboot the server.

Reset the firewall rules back to the default settings to get rid of any unwanted rules the attacker may have configured.

netsh firewall reset

Configure the firewall to allow approved network traffic such as Remote Desktop and Web connections.

Get rid of any unwanted Winsock Layered Service Providers (LSP).

netsh winsock reset catalog

Double-check to make sure Remote Desktop connections are allowed by the firewall.

Reboot

The server should still be considered “contaminated”, so get a fresh installation of Windows up and running as soon as possible to replace the current server.
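The ImagePath and ServiceDll values in Sharedaccess.reg decide which binary the service loads, and they are stored as hex, so it is worth decoding them before merging a file copied from a web page. The following is an added example, not part of the original post; the function names are illustrative, and the only input is the three hex values from the listing above.

```python
import re

# The three hex-encoded values from the Sharedaccess.reg listing above,
# copied unchanged apart from straightened quotation marks.
SAMPLE = r'''
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00
'''

VALUE_RE = re.compile(r'"([^"]+)"=hex\(([27])\):([0-9a-fA-F,]+)')

def decode_reg_hex(text: str) -> dict:
    """Decode hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continuation lines
    decoded = {}
    for name, kind, hexdata in VALUE_RE.findall(joined):
        raw = bytes(int(b, 16) for b in hexdata.split(",") if b)
        value = raw.decode("utf-16-le")
        if kind == "7":
            # NUL-separated list of strings, terminated by an empty string
            decoded[name] = [part for part in value.split("\x00") if part]
        else:
            decoded[name] = value.rstrip("\x00")
    return decoded

def outside_system32(values: dict) -> list:
    """Names of string values that do not point under %SystemRoot%\\system32."""
    prefix = "%systemroot%\\system32\\"
    return [name for name, v in values.items()
            if isinstance(v, str) and not v.lower().startswith(prefix)]

if __name__ == "__main__":
    values = decode_reg_hex(SAMPLE)
    for name, v in values.items():
        print(f"{name}: {v}")
    print("Outside system32:", outside_system32(values))
```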

Windows


Archiving Windows Event Logs - A Free Solution

I’ve been saving event log files for a long time. But doing this with Windows event logs has always been awkward. I have used third-party solutions and self-written scripts but neither has been ideal. So here’s the latest solution I’m trying out. It’s simple, elegant and uses group policy: Event logs archiving with GPO

Windows


Robocopy Exit Codes

Every once in a while I go looking for these return codes and end up spending several minutes searching the Internet for them. Of course, this time I ended up finding them in the obvious place - the README for Robocopy. Here they are, for posterity.

The return code from Robocopy is a bit map, defined as follows:

Hex Bit Value   Decimal Value   Meaning If Set
0x10            16              Serious error. Robocopy did not copy any files. This is either a usage error or an error due to insufficient access privileges on the source or destination directories.
0x08            8               Some files or directories could not be copied (copy errors occurred and the retry limit was exceeded). Check these errors further.
0x04            4               Some Mismatched files or directories were detected. Examine the output log. Housekeeping is probably necessary.
0x02            2               Some Extra files or directories were detected. Examine the output log. Some housekeeping may be needed.
0x01            1               One or more files were copied successfully (that is, new files have arrived).
0x00            0               No errors occurred, and no copying was done. The source and destination directory trees are completely synchronized.

You can use this information in a batch file to report the most serious anomalies, as follows:

if errorlevel 16 echo ***FATAL ERROR*** & goto end
if errorlevel 8 echo **FAILED COPIES** & goto end
if errorlevel 4 echo *MISMATCHES* & goto end
if errorlevel 2 echo EXTRA FILES & goto end
if errorlevel 1 echo Copy successful & goto end
if errorlevel 0 echo --no change-- & goto end
:end

Alternatively, full details of the return code could be reported as follows:

if errorlevel 16 echo ***FATAL ERROR*** & goto end
if errorlevel 15 echo FAIL MISM XTRA COPY & goto end
if errorlevel 14 echo FAIL MISM XTRA & goto end
if errorlevel 13 echo FAIL MISM COPY & goto end
if errorlevel 12 echo FAIL MISM & goto end
if errorlevel 11 echo FAIL XTRA COPY & goto end
if errorlevel 10 echo FAIL XTRA & goto end
if errorlevel 9 echo FAIL COPY & goto end
if errorlevel 8 echo FAIL & goto end
if errorlevel 7 echo MISM XTRA COPY & goto end
if errorlevel 6 echo MISM XTRA & goto end
if errorlevel 5 echo MISM COPY & goto end
if errorlevel 4 echo MISM & goto end
if errorlevel 3 echo XTRA COPY & goto end
if errorlevel 2 echo XTRA & goto end
if errorlevel 1 echo COPY & goto end
if errorlevel 0 echo --no change-- & goto end
:end

Utilities


Asynchronous UI in Windows Server 2003 Service Pack 2 (sp2)

So Windows Server Service Pack 2 is out now. One of the new features it includes is Asynchronous UI. It sounds intriguing but what is it?

If you are creating a Microsoft® Windows® Forms application, and have an object with methods that may take some time to execute, you may want to consider writing an asynchronous API. Say, for instance, you have an object that downloads large files from a remote location. Without an asynchronous API, a client’s UI would freeze for the duration of the call. With an asynchronous UI, the client’s UI would not freeze. You could even construct the asynchronous API in such a way as to give progress updates to the caller, and give the client the opportunity to cancel the call. Few situations are as frustrating as a frozen UI that can only be cancelled by resorting to Task Manager.

Programmers will have to write this into their applications but it sounds promising.

Windows


Windows Server Service Pack 2 Does not Include KB931836

A quick note on the Windows Server 2003 SP2. I did a fresh install of an x64 server and ran the Service Pack 2 update. After rebooting, I ran Windows Updates and it turns out that KB931836 is not included in the service pack. It’s not a big deal to me but I did find it interesting and thought I would share.

Windows


Running Logon Scripts Using Elevated Privileges

For Windows, this is way more difficult than it should be. Unix/Linux solved this problem many, many years ago. The fact that Microsoft still hasn’t solved it is amazing to me. Fortunately, there are some third-party products to help out the everyday, hardworking Windows sysadmin.

RunAs Professional
RunAs Professional is a substitute for Microsoft’s command runas.
RunAs Professional solves the problem that normal runas does not support the commandline parameter password.

RUNADMINBAT
Create a batch file (for example a logon script) for users. The batch file contains commands that require administrative privileges. Five steps to use the “runas” function from Windows 2000 and Windows XP pro with “runadminbat” in your scripts. No additional installation on your clients is necessary.

Encrypted RunAs
Encrypted RunAs is a small utility that is designed to make the job of Administrators a little easier, it can be used to run applications or software installations with access rights a standard user does not have.

TqcRunas
The power of RUNAS made scriptable, easy and secure.

NetExec
NetExec is a multisession extension for Windows NT and Windows 2000. Using NetExec it is possible to log on to a system with multiple accounts at the same time. So you can work with more than one user account simultaneously and switch between them without logging off and on.

CPAU
Command line tool for starting process in alternate security context. Basically this is a runas replacement. Also allows you to create job files and encode the id, password, and command line in a file so it can be used by normal users.

Utilities
Windows
