Wednesday, October 2, 2024

SentinelOne - Exclude Files from Scans

 



Excluding Files From S1 Scanning:

To exclude a file from being scanned by the SentinelOne agent, add the file's SHA1 hash as an exclusion in the console.

Make sure the computer is in the correct site and/or group before adding the exclusion. Exclusions propagate down from sites to groups.



How to Add a File to the Exclusion List:

For the file to be added to the exclusion list you need to either (A) have the file trigger a warning in the console and then add it to the exclusion list from there, or (B) generate the SHA1 hash for the file yourself and add that to the exclusion list.


Let's go with generating the SHA1 hash for the file in question:

1. Open PowerShell on the machine where the file exists and run the following command:

    a. Get-FileHash .\xcopy.exe -Algorithm SHA1

2. Here's the SHA1 hash of "xcopy.exe"

    a. C5BD7815ED18F7E3D1CE93CC47AECF58D908DCA8

3. Log in to the S1 console, expand the chevron in the upper left, find the site or group you want to apply the exclusion to and click on it.

4. Click on "Exclusions" in the top menu and make sure it's underlined in purple.



5. Click on "New Exclusion" in purple...



6. Click "Create Exclusion"...



7. It should default the selection to "Hash" at the top.

    Fill out the following form with the OS and the SHA1 hash from earlier. Give it a description so you know what it is. Click "Save" when done.



8. Using "xcopy.exe" as an example...



9. Once saved you can search for it by clicking once on the bar where I drew the 3 red dashes. It should be more obvious that this is where they hide the search options. I literally made a post on Reddit because I couldn't find it. This goes to show that UI developers aren't actual users of the software. Anyway, you'll find your newly created entry by the description if you entered one.



10. Changes should propagate down to the agent in a matter of seconds.
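A hash exclusion is pinned to the exact bytes of the file: the moment xcopy.exe (or any other excluded binary) is updated, its SHA1 changes and the console entry silently stops matching. The script below is an added example, not part of the original post and not SentinelOne tooling; it recomputes SHA1 the same way Get-FileHash does and reports which recorded exclusions still match a file on disk, which have gone stale, and which files carry no exclusion at all. The file names, descriptions and hash values inside demo() are constructed for illustration.

```python
"""Re-check SHA1 hash exclusions against the files on disk.

Added example: not part of the original post and not SentinelOne tooling.
It assumes exclusions are kept as (SHA1 hex, description) pairs, exactly as
typed into the console, and that the excluded files are readable locally.
"""
import hashlib
import os
import tempfile

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(data):
    """Uppercase SHA1 hex digest of a byte string."""
    return hashlib.sha1(data).hexdigest().upper()


def sha1_of_file(path, chunk_size=1 << 20):
    """Uppercase SHA1 hex digest of a file, streamed in chunks so large binaries
    are not read into memory at once (same value as Get-FileHash -Algorithm SHA1)."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def normalize_sha1(digest):
    """Return the digest as 40 uppercase hex characters, or None if it is not a SHA1."""
    digest = digest.strip().upper()
    if len(digest) != 40 or not set(digest) <= HEX_DIGITS:
        return None
    return digest


def check_exclusions(exclusions, paths):
    """Compare exclusions [(sha1, description), ...] with the files at `paths`.

    Returns a report with three lists:
      matched  - (description, path) pairs whose file still carries the excluded hash
      stale    - descriptions whose hash matches none of the files any more
      unlisted - files whose hash appears in no exclusion at all
    """
    by_hash = {}
    for path in paths:
        by_hash.setdefault(sha1_of_file(path), []).append(path)

    report = {"matched": [], "stale": [], "unlisted": []}
    excluded = set()
    for raw_digest, description in exclusions:
        digest = normalize_sha1(raw_digest)
        if digest is None:
            raise ValueError(f"{description!r}: {raw_digest!r} is not a SHA1 hex digest")
        excluded.add(digest)
        if digest in by_hash:
            report["matched"].extend((description, p) for p in by_hash[digest])
        else:
            report["stale"].append(description)
    for digest, matching_paths in by_hash.items():
        if digest not in excluded:
            report["unlisted"].extend(matching_paths)
    return report


def demo():
    """Constructed demo: two small files stand in for real binaries; one exclusion
    still matches, one is stale. Returns the report with bare file names."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_tool = os.path.join(tmp, "xcopy_test.exe")  # constructed sample, not the real xcopy.exe
        other = os.path.join(tmp, "other.bin")
        with open(fake_tool, "wb") as fh:
            fh.write(b"abc")
        with open(other, "wb") as fh:
            fh.write(b"hello")
        exclusions = [
            # SHA1("abc"), entered in lowercase on purpose to show normalisation
            ("a9993e364706816aba3e25717850c26c9cd0d89d", "xcopy.exe test build"),
            # placeholder hash for a file that no longer exists in this form
            ("0" * 40, "retired tool"),
        ]
        report = check_exclusions(exclusions, [fake_tool, other])
    report["matched"] = [(d, os.path.basename(p)) for d, p in report["matched"]]
    report["unlisted"] = [os.path.basename(p) for p in report["unlisted"]]
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the three lists for the constructed files; to use it for real, replace the exclusions list with the hashes and descriptions you entered in the console and point `paths` at the binaries they are meant to cover. A "stale" entry means the exclusion no longer protects anything and the new hash has to be added.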



👽

Wednesday, September 11, 2024

Windows 10/11 - Change Network Profile From Public to Private Using PowerShell

 


Problem:

Cannot change the network connection profile from public to private from the GUI because the option does not exist in certain scenarios.



Solution:

1. Open PowerShell as Admin.

2. Run Get-NetConnectionProfile to show all available network profiles (only enabled adapters are shown).

3. Identify the Name of the network profile you wish to change.

4. Set the profile to Private:

    Set-NetConnectionProfile -Name "nameofnetworkprofile" -NetworkCategory Private

   or back to Public:

    Set-NetConnectionProfile -Name "nameofnetworkprofile" -NetworkCategory Public

5. Done.





Thursday, August 29, 2024

Using Devcon to Clear PuTTY’s “Access Is Denied” Message Without a Reboot

Issue:

Occasionally, after connecting to a USB to UART bridge, you may encounter an "Access is denied" error when launching PuTTY after a successful previous session. Restarting Windows can temporarily resolve this issue, but the error tends to recur. I believe it's happening because the port is still being hung open despite the closing of PuTTY.

Interesting read:
https://stackoverflow.com/questions/20058542/is-it-possible-to-generate-a-deadlock-with-single-lock



Resolution:

Disabling and enabling the device in Device Manager doesn't seem to resolve the issue. However, you can fix it by running the following devcon commands, as long as you know which device you're targeting.

1. List all USB devices that are currently connected to the machine:

devcon.exe find *USB*



2. Identify the device you're looking to toggle:

USB\VID_10C4&PID_EA60\0001                                  : Silicon Labs CP210x USB to UART Bridge (COM3)


3. Make sure PuTTY is closed at this point!

4. Disable and enable the device using devcon.exe:

devcon.exe disable "USB\VID_10C4&PID_EA60*"
devcon.exe enable "USB\VID_10C4&PID_EA60*"

5. Open PuTTY and try connecting to COM3 again.





Wednesday, August 21, 2024

Debian - Reset Any User Password


Procedure:

1. Connect file system to another Debian machine

2. Mount file system and verify:
  1. lsblk (find sdx1 device)
  2. sudo mkdir /mnt/microsd
  3. sudo mount /dev/sdx1 /mnt/microsd
  4. ls /mnt/microsd
3. Open shadow file in nano
  1. sudo nano /mnt/microsd/etc/shadow
4. The file is /etc/shadow; each account has a line like the following, where the second field (between the first and second colons) is the hashed password:

user:asdfasdfasdf$$$$asdfasdfasdfsadfasdf:17178:0:98899:7:::

5. You must remove the first field between : and :, i.e. the hashed password, leaving that field empty. The part marked below is what gets removed:

user:THIS_IS_WHAT_WAS_REMOVED:17178:0:98899:7:::

After the edit the line reads:

user::17178:0:98899:7:::

6. Unmount the file system from the rescue machine.

  1. sudo umount /mnt/microsd

7. Reconnect to target OS via serial.

8. Boot and log in as root.

9. Change password with passwd.
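The procedure works because an empty second field in /etc/shadow means the account logs in with no password at all, which is also why step 9 matters: until passwd has been run, anyone with console access can log in as that user. The following Python script is an added example, not part of the original post; it parses shadow lines into their nine fields, classifies each account as hashed, locked or empty, and reproduces the edit from step 5 programmatically so the before/after can be checked. The sample lines and hashes are constructed placeholders.

```python
"""Audit /etc/shadow for accounts whose password field is empty.

Added example, not part of the original post. The procedure above blanks the
second field of a shadow line; with Debian's default PAM configuration an empty
field lets the account log in with no password, so the audit below flags such
accounts until passwd has been run. All sample lines are constructed and the
hashes are placeholders.
"""

SHADOW_FIELD_NAMES = (
    "name", "password", "lastchange", "min_days", "max_days",
    "warn_days", "inactive_days", "expire_date", "reserved",
)


def parse_shadow_line(line):
    """Split one shadow line into a dict keyed by the nine field names."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELD_NAMES):
        raise ValueError(
            f"expected {len(SHADOW_FIELD_NAMES)} colon-separated fields, "
            f"got {len(fields)}: {line!r}"
        )
    return dict(zip(SHADOW_FIELD_NAMES, fields))


def classify_password(field):
    """EMPTY: no password needed; LOCKED: a '!' or '*' prefix disables password
    login; HASHED: a crypt(3) hash is present."""
    if field == "":
        return "EMPTY"
    if field.startswith(("!", "*")):
        return "LOCKED"
    return "HASHED"


def strip_password_hash(line):
    """The edit the procedure performs: blank the password field, keep the rest."""
    entry = parse_shadow_line(line)
    entry["password"] = ""
    return ":".join(entry[name] for name in SHADOW_FIELD_NAMES)


def audit(lines):
    """Return {account: classification} for every non-blank shadow line."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_shadow_line(line)
        report[entry["name"]] = classify_password(entry["password"])
    return report


def accounts_without_password(lines):
    """Names of accounts that would log in with no password, sorted."""
    return sorted(name for name, state in audit(lines).items() if state == "EMPTY")


# Constructed sample: "user" has already had its hash removed as in step 5.
SAMPLE_SHADOW = [
    "root:$6$placeholder$notarealhash:17178:0:99999:7:::",
    "daemon:*:17178:0:99999:7:::",
    "user::17178:0:98899:7:::",
    "backup:!:17178:0:99999:7:::",
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW).items():
        print(f"{name:8} {state}")
    print("needs passwd:", accounts_without_password(SAMPLE_SHADOW))
```

On the rescue machine the same audit can be run over the real file with `sudo cat /mnt/microsd/etc/shadow` piped into audit(), and the parser's field-count check catches the easy mistake of leaving a stray colon behind while editing by hand.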






Sunday, April 21, 2024

VMware vCenter Converter - Reclaim Unallocated Space in VM on Host Machine

 


Intro:

If you need to reclaim unallocated space in a VMware Workstation virtual machine then this article is for you. There are many reasons you may want to shrink the OS drive: you could have overallocated when the VM was created, you need to reclaim space on the host drive, etc.

In the following example we have a hdd that's overallocated and we'd like to reclaim space on the host machine.

Keep about 20-40gb of buffer space if the VM you built was for a specific purpose and is not intended to grow. You'll need to use your judgement here: weigh how long this VM will stay active against the size of future updates to Windows and your applications, if applicable.

For example, you overallocate the OS drive to 120gb. Install and update Windows 10, load all drivers and applications. Let's say this consumes 40gb. Leave yourself 20gb as a buffer. 120gb - 40gb - 20gb = 60gb.

Open Windows Disk Management and shrink the volume from 120gb to 60gb. Windows Disk Management deals in MB not GB so shrink by 61,440 MB (60 GB * 1,024 MB/GB = 61,440 MB).


How To:

Prerequisites for source vm:
  1. Power on your VM, open Windows Disk Management and shrink the C:\ drive down to the used space plus roughly 20gb of buffer.
  2. Shut down the machine when this is done. Do not suspend it!
========================================

1. First off sign up and grab a copy of VMware vCenter Converter here or here. The Broadcom acquisition will probably render these links invalid after May 2024.

  • The transition to Broadcom starts on Tuesday, April 30, 2024, at 5:00 p.m. (PDT)
  • Starting Sunday, May 5, 2024, at approximately 7:30 p.m. (PDT), VMware customers can access all support-related information, as well as downloads, product licenses, and active entitlements, on the Broadcom Support Portal.
2. You essentially want the client installation portion but install the client and server portions. You never know when you'll need them.

3. Open VMware vCenter Converter Standalone and connect to the local machine.

4. Click "Convert Machine".



5. Select the existing VMX file.



6. Select the destination folder for the converted VM. Make sure the folder exists prior to selecting it. This software will not automatically create a new folder.



7. Select "Data to copy" and notice in the example we're starting with a 120GB disk.



8. Select "Select volumes to copy".



9. Notice after the selection that only the actual used disk space will be used to create a new VMDK. In this case I took a guess when shrinking the volume and came up with 59.45gb of total disk space. The OS and applications only take up about 40gb.



10. Click "Finish" to queue the conversion. This can take some time depending on the size of the original VM. The conversion creates a new VMDK.





Conclusion:

I'm sure this can be done with VMware's command line tools, but when in a pinch this works well. It generates a new VMX and a new VMDK ready to go.





VMware - Boot VM to BIOS

 


Intro:

Following initialization, VMware virtual machines typically lack a default delay period for key presses to access the BIOS. Occasionally, it becomes necessary to access the virtual machine BIOS for reconfiguration purposes.


How To:

Edit the .VMX file of the VM in question and add one of the following options as a line at the top of the file:

"bios.bootDelay" is a permanent option until removed from the .VMX file. It lengthens the initial POST screen, giving you more time to press the key for the BIOS setup; xxxx is the number of milliseconds to show the POST screen, up to a maximum of 10000 milliseconds (10 seconds).

bios.bootDelay = "xxxx"

or, to enter the BIOS setup once on the next power-on (the option is reset to FALSE afterwards):

bios.forceSetupOnce = "TRUE"



Workstation 7.x and later:

To enter the BIOS setup for the guest operating system, click VM ➡ Power ➡ Power On to BIOS

Note: For newer Workstation versions, click VM ➡ Power ➡ Power On to Firmware


More Info:

For ESXi and Fusion check out the link below:






Friday, March 15, 2024

Microsoft Teams - How to Download a View-Only Teams Meeting Recorded Video

 

Intro:

I had asked for a video to be recorded during an interaction with a vendor so I could reference it later. Upon receiving the email with the link I quickly realized you can't download it locally to save. There's another caveat:

According to this post (https://techcommunity.microsoft.com/t5/microsoft-teams-blog/how-to-manage-microsoft-teams-meeting-recording-auto-expiration/ba-p/3053035), new video recordings will automatically expire 60 days after they are recorded if no action is taken, except for A1 (education license) users who will receive a max 30-day default setting.

Since we have no clue what other admins have set as the default expiration time, we need a way to download a copy of the video as soon as possible to reference in the future. Microsoft presents the video as view-only and it cannot be downloaded.



Solution:

  1. Open Chrome (or the browser of your choice) and load the page with the video that you want to download.
  2. Open page inspector (Ctrl + Shift + C).
  3. Click on the Network tab.
  4. Type "videomanifest" where it says "Filter URLs".
  5. Press F5 to refresh the page.
  6. When the page reloads, copy the file URL. See below:




Next we'll use FFmpeg to download the video from the URL above:

ffmpeg -i "https://videomanifest_url" -codec copy output.mp4





Saturday, February 3, 2024

Fusion 360 - Use the Correct Face for Thread Placement on a Cylinder

 

Intro:

Placing threads on an extruded cylinder has one caveat in Fusion 360: the result depends on which end of the cylinder face you click when it asks for the placement face. If you just click anywhere on the cylinder, your thread placement will be wrong if you intend to apply an offset to the start or the end of the threads.


Which End Do I Choose?

When applying threads to a cylinder, choose which end of the cylinder face (not the actual end faces of the cylinder) you want the threaded section to be on as seen below.



Choosing the left portion of the cylinder results in this. So far so good right? Not if you want to apply an offset to the start or end of the threads.



Watch what happens as soon as you uncheck "Full Length"...



The thread placement is now on the left half.

If we choose the right side initially, this is what happens after we uncheck "Full Length":




Conclusion:

To avoid having to go back and delete the feature and recreate, do it right from the beginning. In the below example we drag left on the blue handle and it carries the offset leftward.





Thursday, February 1, 2024

Convert ASF to MKV & Join Multiple MKV Files

Intro:

Dahua NVR systems export to DAV and ASF. A DAV file is a compressed and encrypted video file created by DVR365 or Dahua Technology's digital surveillance system. ASF files exported straight from the NVR cannot be fast forwarded during playback without significant artifacts occurring while viewing in VLC, etc. For compatibility we ultimately want an MKV container file for audio (if it exists) and video. We can then speed playback up to our heart's content without creating unwanted artifacts.


Procedure:

HandBrake:

1. Export the ASF files from the NVR and rename them so you'll remember which order they go in.

2. Drag the first ASF onto HandBrake v1.7.2 or greater.

3. Select the "NVR" profile. This is a custom profile that keeps the source resolution the same, taking x264 and re-encoding it to x265 to save space (format: mkv, dimensions: resolution limit = none, video: encoder x265, fps = same as source, constant framerate, advanced options = make blank, delete subtitle track).

4. Save the file to a common location.

5. Click "Add to Queue" at the top.

6. Start the queue.

7. Drag file #2 onto HandBrake and repeat until all files have been converted from ASF to MKV.

Tuesday, January 16, 2024

Quickbooks - How to Regenerate a Damaged "entitlementdatastore.ecml" File

 

Intro:

If you need to wipe a QuickBooks installation of its registration data this article will help. You may also run into this issue if a Windows restore was done.


Fix:

1. Close QuickBooks and the Tool Hub if they are open.

2. Open the entitlement folder based on your QuickBooks version found in the chart below:

  • QuickBooks 2007 - C:\ProgramData\Intuit\Entitlement Client\v3

  • QuickBooks 2008 - C:\ProgramData\Intuit\Entitlement Client\v5
  • QuickBooks 2009 - C:\ProgramData\Intuit\Entitlement Client\v5

  • QuickBooks 2010 - C:\ProgramData\Intuit\Entitlement Client\v6.0
  • QuickBooks 2011 - C:\ProgramData\Intuit\Entitlement Client\v6.0
  • QuickBooks 2012 - C:\ProgramData\Intuit\Entitlement Client\v6.0

  • QuickBooks 2013 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2014 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2015 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2016 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2017 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2018 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2019 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2020 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2021 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2022 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2023 - C:\ProgramData\Intuit\Entitlement Client\v8
  • QuickBooks 2024 - C:\ProgramData\Intuit\Entitlement Client\v8

3. Delete or rename "EntitlementDataStore.ecml" to "EntitlementDataStore.ecml.old".

4. Open QuickBooks and load your company file.

5. Follow the instructions to register the application.



Conclusion:

You can either choose to rename or delete the entitlement file. It's encrypted either way so there's really no sense in hanging on to a bad copy of it if there's an issue. It's not like you can edit it directly.




Tuesday, January 9, 2024

QuickBooks 2024 - Fix Missing PDF Component

 


Intro:

This error seems to be one of many that Intuit doesn't care to fix. This applies to Windows 11 Pro and QuickBooks 2024 but I'm sure the issue exists with earlier versions loaded on Windows 11.

This could have been handled during the initial QuickBooks install, but it isn't. Upon launching, QuickBooks complains that it doesn't have a PDF writer installed. This component is built into Windows, so all we have to do is enable it and we're good to go.




Fix:

1. Right click on "Start" --> Run --> type "control" or "optionalfeatures" to be taken direct to step 4.

2. Select "Programs and Features".

3. Left hand side, click on "Turn Windows features on or off".



4. Enable "Microsoft Print to PDF" and "Microsoft XPS Document Writer" and hit "OK". Wait for the installer to complete and hit "Close".



5. Try launching QuickBooks again. The error should be gone.



Conclusion:

Pretty sure only Microsoft XPS document writer needs to be turned on to remove the error, however turning on "Print to PDF" isn't going to harm anything.




Thursday, January 4, 2024

QuickBooks Desktop 2024 - Fix Elevated Credentials Prompt for Standard Windows Users

 


Intro:

When a standard Windows user attempts to open the QuickBooks application, they are prompted with a QuickBooks generated error that states, "Administrator Permissions Needed" - "This action requires Windows administrator permissions". There's a UAC icon on the continue button. If you press "continue", the following appears:



If you press "No" here, QuickBooks opens, however when you try to open the .QBW (QuickBooks WorkBook) file, it prompts for elevated credentials again and the process repeats.




Problem:

The reason is that the "QuickBooks Company File Monitoring Service" is not running. The actual service name is "QBCFMonitorService".

I suspect this has to do with Multi-User Mode because it only occurs on computers that are running this mode of QuickBooks. It's only on the second computer. So the first computer opens QuickBooks and loads the QBW file. The second computer attempts to launch QuickBooks and it fails with the error above.




Fix:

The easy way to ensure this runs on the machine as directed is to create a Task in Windows that calls a PowerShell script which checks whether the service is running. It will restart the service if it's not running and write the event to a log file. If the service is already running, it will note this in the log file as well and not attempt to restart the service.

If using an RMM you'll need some way to set the execution policy to "Bypass" before the script runs or else it will fail. Putting "Set-ExecutionPolicy Bypass" inside the script itself will fail to set this option temporarily, ultimately causing the script to fail.


PowerShell Script:

Save the PowerShell script below in the admin's Documents folder as: "C:\Users\Pat\Documents\scripts\QBCFMonitorService\QBCFMonitorService.ps1"

Replace XXXXXX with the account name.

*01.04.24 - Updated script to report time in 12 hour with AM/PM vs 24 hours. Changed "HH:mm:ss" to "hh:mm:ss tt" and added the "tt" to denote AM or PM. The lowercase "hh" denotes 12 hour and the uppercase "HH" denotes 24 hour.

# Name of the service to watch and the log file the script appends to
$serviceName = "QBCFMonitorService"
$logFilePath = "C:\Users\XXXXXX\Documents\Powershell Scripts\QBCFMonitorService\QBCFMonitorService.log"

# Query the current state of the service
$serviceStatus = Get-Service -Name $serviceName

if ($serviceStatus.Status -eq 'Stopped') {
    # Restart-Service starts a service that is currently stopped
    Restart-Service -Name $serviceName
    # 12-hour timestamp with AM/PM (lowercase hh plus tt), then the outcome
    $logMessage = "$(Get-Date -Format 'yyyy-MM-dd hh:mm:ss tt') - Service $serviceName restarted."
    Write-Host $logMessage
    Add-Content -Path $logFilePath -Value $logMessage
} else {
    # Already running: record the check without touching the service
    $logMessage = "$(Get-Date -Format 'yyyy-MM-dd hh:mm:ss tt') - Service $serviceName is already running."
    Write-Host $logMessage
    Add-Content -Path $logFilePath -Value $logMessage
}

Task Scheduler:

(Create a new folder in Task Scheduler for stuff like this to differentiate from standard tasks.)


Create a "New Task" in Task Scheduler with the following settings marked in yellow:


General Tab:



Name:
  • Watchdog for QBCFMonitorService

Description:
  • Runs periodically. If QBCFMonitorService is not running it will restart it. This allows the user to open QB without needing elevated Windows credentials.

Triggers:



Action Tab:

Action:
  • Start a program
Program/Script:
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments (optional):
  • -ExecutionPolicy Bypass -File "C:\Users\Pat\Documents\scripts\QBCFMonitorService\QBCFMonitorService.ps1"

Conditions:



Settings:




Test Task:

Stop the service manually, then run the task; it should restart the service and add a line to the log file.


Notes:

Seems I'm not the only one with this issue:



