Thursday, December 8, 2016

Fresh Windows 7 install won't update

Fresh Windows 7 install won't update

If you have installed a fresh Windows 7  recently you might have run across an issue where it won't finish running Windows Update. It just hangs and runs and churns and seems to never finish. There is a resolution, and it was ultimately found at

Here is the resolution and break down of that forum update.

The Resolution

I won't go into why this doesn't work, or how MS screwed up, I will just put the fix here. 

  1. Install SP1 if you haven't, and restart.
  2. Install the latest windows update, use Method 2 where you just download and install the update, and restart.
  3. Install Update for Windows 7 for x64-based Systems (KB3102810), and restart.
  4. Last install IE 11, and restart. 

After all the restarts and the installs try and run Windows Update again.

NOTE it will still take what seems like for ever still, this is because it's downloading over 200 updates to your machine. 

Hope this helps. Let me know if this does or doesn't work, I would like to know and I am sure other will also. 

Wednesday, February 24, 2016

Quasi-Failover DHCP 2008 R2

I was given a client recently that was running out of IP addresses on their DHCP server. 

After some investigation I discovered that they had 2 DHCP server on the same AD and on the same network. Let say the network is, it had a subnet mask of No really it does have that subnet mask. Anyways, the 2 DHCP servers are giving out the same scope of - DHCP1 was giving an exclusion of - and DHCP2 had an exclusion of 192.168.170 - 254. Of course there were other exclusions for servers and printers but you get the point. 

After looking a little bit deeper I noticed that the DHCP1 server was not giving out any leases. This didn't make sense until I fully thought about what was happening here. 

The reason DHCP2 server was the only one giving out IP addresses is because it is, for lack of a better term, faster. The reason is because once a machine has made contact with a DHCP server, even if it’s out of addresses, it will NOT try a different DHCP server. It will keep  trying that same DHCP server for an address. This is why the DHCP1 is not giving out leases, its to slow to answer. 

So, since DHCP2 is always the fastest, it always replies first, even if its full. The one way of testing, and verifying, this is to turn off the DHCP2 services on DHCP2, momentarily, and do a request for an address from a device. Then look at DHCP1 to see if it gave out the address to that device. Of course we tested this and it worked as I expected. 

Doing an “ipconfig /release” and then an “ipconfig /renew” on a computer would give you the request needed for testing. I would not do this on a computer that already has an address that you need to use to turn the DHCP services back on, maybe do this on a temp PC.

So basically in this configuration there is a quasi-failover DHCP system in place. If DHCP2 is offline then DHCP1 would pick up and start handing out addresses. Of course this is not the best way to setup a failover DHCP environment, but, it kinda works. Here is the correct way:

I hope this helps someone in their endeavour of trying to figure out why a DHCP might not be giving out leases. 

New-MailboxExportRequest not recognized

If you go and try to use New-MailboxExportRequest and get "New-MailboxExportRequest' is not recognized as the name of a cmdlet.  That's because your user is not part of the ManagementRole.

To fix this run the below command in PowerShell from the Exchange server.

New-ManagementRoleAssignment -Role "Mailbox Import Export" -user UserName

UserName is the that you are using to run the command new-mailboxexportrequest.

Log out then log back in and you should be fine to to go.

Solution found at: 

Monday, February 8, 2016

Trojan-Downloader.Win32.VB.eql (Translated)


Translated from 

Technical details

This Trojan downloads without your knowledge on your computer other software. The program is a Windows application (PE EXE-file). Its size is 1509125 bytes.


Once launched, the Trojan copies its body to the Windows system directory under the name "WINSP00L.EXE":
% System% \ WINSP00L.EXE
To start automatically each time you start the system, the Trojan adds a link to its executable file in the system registry:
[HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
"WINSP00L" = "% System% \ WINSP00L.EXE"


Once launched, the Trojan extracts from its body to the catalog "E_4" in the temporary directory of the current user the following files:
% Temp% \ E_4 \ krnln.fnr - 1110016 bytes
% Temp% \ E_4 \ shell.fne - 61440 bytes
% Temp% \ E_4 \ eAPI.fne - 335872 bytes
% Temp% \ E_4 \ internet.fne - 196608 bytes
% Temp% \ E_4 \ spec.fne - 86016 bytes
% Temp% \ E_4 \ RegEx.fne - 167936 bytes
% Temp% \ E_4 \ dp1.fne - 126,976 bytes
% Temp% \ E_4 \ - 278528 bytes
Then copy them to the Windows system directory under the same name:
% System% \ krnln.fnr
% System% \ shell.fne
% System% \ eAPI.fne
% System% \ internet.fne
% System% \ spec.fne
% System% \ RegEx.fne
% System% \ dp1.fne
% System% \
In addition, it removes the Windows system directory files:
% System% \ ul.dll - 2404 bytes
% System% \ og.dll - 692 bytes
% System% \ og.edt - 512 bytes
After completing these steps, the Trojan accesses the following address:
http: //www.***** pn = M080410?
At the time of writing, this link was not working. The file is located on this link is stored in the temporary Internet files directory and launched for execution. Filename - random. And also drawn to the following address:
After that, remove the file from its body with a name composed of the current date and time, for example 20090929153554.exe and places it in the Windows system directory:
% System% \ 20090929153554.exe
This file has a size of 9216 bytes. 
The extracted file gets executed and then deleted. 
In addition, the Trojan spreads via removable media under the name "Recycled.exe". "Autorun.inf" file is also created to automatically run the Trojan file in the root directory of removable media.

Removal Instructions

If your PC was not protected by Antivirus and got infected with this malware, then remove it, proceed as follows:
  1. Using Task Manager to terminate the Trojan process:
  2. Delete the original Trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
  3. Delete the copy of the Trojan:
    % System% \ WINSP00L.EXE
  4. Remove files and directories created by the Trojan:
    % Temp% \ E_4 \ krnln.fnr
    % Temp% \ E_4 \ shell.fne
    % Temp% \ E_4 \ eAPI.fne
    % Temp% \ E_4 \ internet.fne
    % Temp% \ E_4 \ spec.fne
    % Temp% \ E_4 \ RegEx.fne
    % Temp% \ E_4 \ dp1.fne
    % Temp% \ E_4 \
    % Temp% \ E_4
    % System% \ krnln.fnya
    % System% \ shell.fne
    % System% \ eAPI.fne
    % System% \ internet.fne
    % System% \ spec.fne
    % System% \ RegEx.fne
    % System% \ dp1.fne
    % System% \
    % System% \ ul.dll
    % System% \ og.dll
    % System% \ og.edt
    Remove key registry :
    [HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
    "WINSP00L" = "% System% \ WINSP00L.EXE"
  5. Check removable media for files:
    In case of detection - remove them.
  6. Clear Temporary Internet Files directory, containing infected files ( How to delete infected files from Temporary Internet Files folder? ):
  7. And perform a full scan of your computer with Kaspersky Antivirus Update your antivirus databases ( download a trial version ).

Tuesday, February 2, 2016

Robocopy to the backup rescue

Robocopy to the backup rescue

So recently I had a client that had a SBS 2008 box that had a RAID issue. It had what known as a Punctured RAID , I will call it PR in this post. You can more on that here: The wonderful thing about a PR is they rear their ugly head till its too late. Well this client was too late.

The main reason I found out about this PR is that this clients Backup Exec kept failing. After fighting with the Backup Exec for over a week I finally found in the error logs something about this PR. This is what was making the Backup Exec fail. I could get into a lengthy discussion on this and at some point in time I might do that. 

Needless to  say because we couldn't use anything we threw at this server to back it up with out failing, and we tried a lot of options, I decided to use robocopy to try and keep at least a file level backup running for this server till we came up with a final solution for this issue. 

So this is the script I ended up making. I ran this as a nightly scheduled task with System user privileges. 

I know the script is kinda hacky and could be written better and more efficiently but it has a lot going on in it and I wanted to share. 

So basically it stops some services, robocopys files to an external drive then starts the services back up. 

With the mir option in the robocopy it made the copy very fast every night because it only grabbed what had been modified.

I used "net stop" and "net start" for some of the services.
I also used Powershell command Stop-Service  and Start-Services to start/start other services.

I broke out the main directories in the c: drive so that i could log what was happening in each directory when the robocopy ran.
In the robocopy sections I used the options:
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).
/XJD :: eXclude Junction points for Directories.
/R:n :: number of Retries on failed copies: default 1 million.
/W:n :: Wait time between retries: default is 30 seconds.
/TEE :: output to console window, as well as the log file
/LOG:file :: output status to LOG file (overwrite existing log).

net stop msexchangeadtopology /y
net stop msftesql-exchange /y
net stop msexchangeis /y
net stop msexchangesa /y
net stop iisadmin /y

PowerShell.exe -Command "Stop-Service *sql* -Force"

robocopy "c:\Boot"  "F:\Backuprobocopy\Boot" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyBoot.log"
robocopy "c:\dell"  "F:\Backuprobocopy\dell" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopydell.log"
robocopy "c:\drivers"  "F:\Backuprobocopy\drivers" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopydrivers.log"
robocopy "c:\ExchangeSetupLogs"  "F:\Backuprobocopy\ExchangeSetupLogs" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyExchangeSetupLogs.log"
robocopy "c:\inetpub"  "F:\Backuprobocopy\inetpub" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyinetpub.log"
robocopy "c:\OpenManage"  "F:\Backuprobocopy\OpenManage" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyOpenManage.log"
robocopy "c:\PerfLogs"  "F:\Backuprobocopy\PerfLogs" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyPerfLogs.log"
robocopy "c:\Program Files"  "F:\Backuprobocopy\Program Files" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files.log"
robocopy "c:\Program Files (x86)"  "F:\Backuprobocopy\Program Files (x86)" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files (x86).log"
robocopy "c:\ProgramData"  "F:\Backuprobocopy\ProgramData" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgramData.log"
robocopy "c:\Scripts"  "F:\Backuprobocopy\Scripts" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyScripts.log"
robocopy "c:\Shared Data"  "F:\Backuprobocopy\Shared Data" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyShared Data.log"
robocopy "c:\Users"  "F:\Backuprobocopy\Users" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyUsers.log"
robocopy "c:\Windows"  "F:\Backuprobocopy\Windows" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWindows.log"
rem robocopy "c:\WSUS"  "F:\Backuprobocopy\WSUS" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWSUS.log"

net start msexchangeadtopology /y
net start msftesql-exchange /y
net start msexchangeis /y
net start msexchangesa /y
net start iisadmin /y

PowerShell.exe -Command "Start-Service -name """MSsql*""" " 

PowerShell.exe -Command "Start-Service -name """MSExchange*""" "

PowerShell.exe -Command "Start-Service -name """BackupExec*""" "

Thursday, January 14, 2016

Get Exchange Server Database Size and Mailbox Size

Get Exchange Server Database Size and Mailbox Size

This is something you would be simple, and it is, if you know the commands. Unfortunately if you have an Exchange 2007 it is different than a 2010. 

In my environment I have both so my script decides which it is and spits out the report for 2007 or 2010. 

One of the reasons I am writing this is to DRILL into my head that these scripts MUST be run as administrator, not run by an administrator.. I mean Right Click the powershell and "Run As Administrator". If you do not run as administrator your database will return 0. Yes it returns 0. 

So.. here is the script. Enjoy. 

Get-MailboxStatistics -Server $env:computername | Select DisplayName, ItemCount, TotalItemSize | Sort-Object TotalItemSize -Descending | Export-CSV C:\temp\MBSizes.csv

$TheVersion = Get-ExchangeServer | select *

if ($TheVersion.AdminDisplayVersion.major -like "14"){$version14 = "yes"

       Get-MailboxDatabase -Status | select ServerName,Name,DatabaseSize | Export-CSV C:\temp\DBSize.csv
else {
       Get-MailboxDatabase | foreach-object {add-member -inputobject $_ -membertype noteproperty -name mailboxdbsizeinGB -value ([math]::Round(([int64](get-wmiobject cim_datafile -computername $_.server -filter ('name=''' + $_.edbfilepath.pathname.replace("\","\\") + '''')).filesize / 1GB),2)) -passthru} |  Sort-Object mailboxdbsizeinGB -Descending | select identity,mailboxdbsizeinGB | Export-CSV -NoTypeInformation C:\temp\DBSize.csv

Friday, October 16, 2015

Download MP3s with Powershell

So I found a site with some MP3s that I wanted but didn't want to download but didn't want to right click.. Save as.. blah blah.. so after some searching and modifing some scripts i made this.

Change the 2 variables $theurl ; the website URL, and $storagedir ; the place you want to store them and watch it go. It has some thing built into it that takes care of url variables, direct url, and some url encoding issues. I tried to comment it as much as I could.

# =================================================================================
# =                                                                               =
# =                       Variables to change. Begin                              =
# =                                                                               =
# =================================================================================

$theurl = ""
$storagedir = "C:\source\mp3\FullMetal"

# =================================================================================
# =                                                                               =
# =                      Variables to change. End                                 =
# =                                                                               =
# =================================================================================

$response = Invoke-WebRequest -Uri $theurl  -UseBasicParsing -Verbose
$links = $response.Links
$imgurlinks = @()
$webclient = New-Object System.Net.WebClient

Write-Output "-------------------------------------------------------------------------"
Write-Output "-------------------------------------------------------------------------"


Write-Output "-------------------------------------------------------------------------"
Write-Output "-------------------------------------------------------------------------"

md $storagedir -ErrorAction SilentlyContinue

ForEach ($link in $links){ #loop through all the hrefs on the page with a ForEach

    $href = $link.href #put the href to Variable.

    if ($href -like "*.mp3" ) { #Look for only mp3's hrefs
        $filename = $href.Split("/")[-1]
        #Write-Output "Href: " $href
        #Write-Output "FileName: " $filename
        if ($filename -like "*?*"){ #does the filename have a query?
            $filename2 = $filename.Split("?")[0] #make the filename2 the filename without any queries
        } #End If
            $filename2 = $filename #since no queries were found just make the filename2 the name of the orginal filename
        } # End Else

        if($href -contains "http://"){ #does the href have a direct path to the file? if not lets try and add in the orignating url to it so it can find it.
            $newhref = $href #No need to mess with the href.. just pass it to the newhref and move along.
        } #End http:// if
            $newhref = $theurl + "\" + $href #put together theUrl and the Href to make a path to try.
        } #End http:// else

        $newFile = $filename2.Replace("%20","-") # Replace %20 url encoded spaces with an Underscore for the new mp3 file.
        $newFile = $newFile.Replace("&","-and-") # Replace & url encoded spaces with an "-and-" for the new mp3 file.
        $newFile = $newFile.Replace("---","-") # Replace & url encoded spaces with an "-and-" for the new mp3 file.

        $newFile = "$storagedir\$newFile" #put together the path and the file of where to put the file when downloaded.

        $newhref = $newhref.Replace("&","&")

        Write-Output "Href Location: " $newhref
        Write-Output "Download Location: " $newFile

        $webclient.DownloadFile($newhref,$newFile) #download the file using the href and the file we just put together above.

    } #end MP3 If.
} #end ForEach

explorer $storagedir #open the output folder