Windows

How to extract the Windows license key from Lenovo T440p recovery CDs

Not so frequently asked questions and stuff: 


Situation

You own a Lenovo T440p with Windows 7 preinstalled, but you have Windows 8 recovery CDs. Unfortunately, your laptop doesn't include a CD drive.

You'd like to extract the Windows license key from the CDs and install your computer yourself with a custom image (I mean, who would use a preinstalled Windows image with Norton Security for anything serious?).

Chapter 1: extract the key from the CD

Five CDs were provided by Lenovo:

  • (1) Windows 8 Recovery Media for Windows 8 Products (Disk 1 of 2)
  • (1) Windows 8 Recovery Media for Windows 8 Products (Disk 2 of 2)
  • (2) Operating System Recovery Disk Windows 8 Pro (OEM Activation 3.0 Required) (Disk 1 of 2)
  • (2) Operating System Recovery Disk Windows 8 Pro (OEM Activation 3.0 Required) (Disk 2 of 2)
  • (1) Windows 8 Recovery Media for Windows 8 Products (Disk 1 of 1)
  • Office pro 2013

My guess is that we'll find what we need in the largest file on the CDs, which should be a Windows installation image.

This file is M8S4AUS.swm, which looks like a split WIM file.

Let's merge it and open it.

E:\RECOVERY>imagex /export /ref M8S4AUS*.swm M8S4AUS.swm 1 exported.wim "exported"

ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.
Version: 6.3.9600.16384

Exporting: [E:\RECOVERY\M8S4AUS.swm, 1] ->
           [E:\RECOVERY\exported.wim]
[ 100% ] Exporting progress

Successfully exported image #1.
Total elapsed time: 15 min 49 sec

imagex /MOUNT exported.wim 1 c:\truc

ImageX Tool for Windows
Copyright (C) Microsoft Corp. All rights reserved.
Version: 6.3.9600.16384
Mounting: [E:\RECOVERY\exported.wim, 1] -> [c:\truc]...
[ 100% ] Mounting progress
Successfully mounted image.
Total elapsed time: 42 sec

Let's see what's inside.

E:\RECOVERY>dir c:\truc

 Volume in drive C has no label.
 Volume Serial Number is 2E2F-1418

 Directory of c:\truc

2014-10-08  18:30              .
2014-10-08  18:30              ..
2012-07-26  09:33              PerfLogs
2013-03-25  23:07              Program Files
2013-03-25  23:07              Program Files (x86)
2013-03-26  15:02              SWWORK
2013-03-25  23:03              Users
2013-03-26  00:15              Windows
               0 File(s)              0 bytes
               8 Dir(s)  22,738,112,512 bytes free

Bingo! This definitely looks like a Windows image.

Download and start ProduKey. Open the Select Source window and choose to load the product keys from an external Windows directory.


Voilà, the associated Microsoft keys are extracted and displayed.


Chapter 2: extract the key from the BIOS

Unfortunately, chapter 1 was for nothing: the key R3C2N-HT63Q-F4RKH-KPP3R-3667Q is a generic key, listed among the "Windows® 8 Default Product Keys to be used with OEM Activation 3.0".

This means that the real key is embedded in the computer's BIOS.

Download RWEverything, click on ACPI, and go to the MSDM tab.

Your key should be here.
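To see what the MSDM tab is showing, here is an added Python example (not from the original post) that parses a raw MSDM table the way a firmware tool would: it checks the ACPI signature, length and checksum before trusting the key bytes, so a corrupt or truncated table is rejected instead of producing a wrong key. On Linux the same bytes are exposed at /sys/firmware/acpi/tables/MSDM; the table, OEM strings and key below are constructed placeholders.

```python
import struct

# ACPI table header (36 bytes): Signature, Length, Revision, Checksum, OEMID,
# OEM Table ID, OEM Revision, Creator ID, Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# MSDM Software Licensing structure (20 bytes) that follows the header:
# Version, Reserved, Data Type, Data Reserved, Data Length; the key bytes come next.
SLS_HEADER = struct.Struct("<IIIII")
KEY_LEN = 29  # five groups of five characters plus four dashes


def acpi_checksum_ok(table: bytes) -> bool:
    """Every ACPI table sums to 0 mod 256 once the checksum byte is included."""
    return sum(table) % 256 == 0


def parse_msdm(table: bytes) -> str:
    """Return the OEM product key held in an MSDM table, validating each field first."""
    if len(table) < ACPI_HEADER.size + SLS_HEADER.size:
        raise ValueError("table too short to be an MSDM table")
    sig, length = ACPI_HEADER.unpack_from(table, 0)[:2]
    if sig != b"MSDM":
        raise ValueError(f"unexpected signature {sig!r}")
    if length != len(table):
        raise ValueError(f"header length {length} does not match {len(table)} bytes read")
    if not acpi_checksum_ok(table):
        raise ValueError("ACPI checksum mismatch: table is corrupt or truncated")
    version, _, data_type, _, data_len = SLS_HEADER.unpack_from(table, ACPI_HEADER.size)
    if version != 1 or data_type != 1:
        raise ValueError(f"unsupported licensing structure: version={version} type={data_type}")
    start = ACPI_HEADER.size + SLS_HEADER.size
    key = table[start:start + data_len].decode("ascii")
    groups = key.split("-")
    if data_len != KEY_LEN or len(groups) != 5 or any(len(g) != 5 for g in groups):
        raise ValueError(f"data field is not a 5x5 product key: {key!r}")
    return key


def is_valid_msdm(table: bytes) -> bool:
    """True when parse_msdm accepts the table."""
    try:
        parse_msdm(table)
        return True
    except ValueError:
        return False


def build_msdm(key: str, oem_id: bytes = b"LENOVO") -> bytes:
    """Construct a well-formed MSDM table around KEY; used here only to make test input."""
    body = SLS_HEADER.pack(1, 0, 1, 0, len(key)) + key.encode("ascii")
    fields = [b"MSDM", ACPI_HEADER.size + len(body), 3, 0, oem_id, b"TP-TEST", 1, b"TEST", 1]
    fields[3] = (-sum(ACPI_HEADER.pack(*fields) + body)) % 256  # checksum over the whole table
    return ACPI_HEADER.pack(*fields) + body


# Constructed placeholder key (not a real Windows product key) and a table built around it.
SAMPLE_KEY = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
SAMPLE_TABLE = build_msdm(SAMPLE_KEY)
# Same table with its last byte flipped: the checksum must reject it instead of yielding a wrong key.
DAMAGED_TABLE = SAMPLE_TABLE[:-1] + bytes([SAMPLE_TABLE[-1] ^ 0x01])

if __name__ == "__main__":
    print("key:", parse_msdm(SAMPLE_TABLE), "| damaged table accepted:", is_valid_msdm(DAMAGED_TABLE))
```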


Enjoy your license.

How to use Wireshark on Windows to watch a remote UNIX system, using SSH


Wireshark's pipe interface

Situation

You're running tcpdump on a UNIX box, but you would like to use Wireshark, with all its features (GUI, analysis, etc.), on your local Windows desktop.

Solution

Connect to your box using SSH and pipe the output of tcpdump into Wireshark.

"c:\Program Files (x86)\PuTTY\plink.exe" -ssh root@my-unix-box.example.com "tcpdump -w - -s 65535 [tcpdump condition] " | "c:\Program Files\Wireshark\wireshark.exe" -i -

plink is bundled with PuTTY, but you can also download it separately.

How to create a rar file with every file matching a pattern (including subdirectories) on Windows


Creating the rar file

How to create a rar file with any file matching a pattern (including subdirectories) on Windows.

forfiles /s /m wallet.dat /c "cmd /c echo @relpath" | "c:\Program Files\WinRAR\Rar.exe" a -dh -rr524288 wallets.rar @

RAR 4.20   Copyright (c) 1993-2012 Alexander Roshal   9 Jun 2012
Registered to zewaren

Updating archive wallets.rar

Updating  .\Alphacoin\wallet.dat                                      OK
Updating  .\AmericanCoin\wallet.dat                                   OK
Updating  .\AndroidsToken\wallet.dat                                  OK
Updating  .\Betacoin\wallet.dat                                       OK
Updating  .\Bitcoin\wallet.dat                                        OK
Updating  .\Colossuscoin\wallet.dat                                   OK
Updating  .\digitalcoin\wallet.dat                                    OK
Updating  .\eMark\wallet.dat                                          OK
Updating  .\Fastcoin\wallet.dat                                       OK
Updating  .\Feathercoin\wallet.dat                                    OK
Updating  .\Florincoin\wallet.dat                                     OK
Updating  .\Franko\wallet.dat                                         OK
Updating  .\Gridcoin\wallet.dat                                       OK
Updating  .\IncaKoin\wallet.dat                                       OK
Updating  .\Litecoin\wallet.dat                                       OK
Updating  .\Luckycoin\wallet.dat                                      OK
Updating  .\Namecoin\wallet.dat                                       OK
Updating  .\NetCoin\wallet.dat                                        OK
Updating  .\NovaCoin\wallet.dat                                       OK
Updating  .\Ocoin\wallet.dat                                          OK
Updating  .\Phoenixcoin\wallet.dat                                    OK
Updating  .\PPCoin\wallet.dat                                         OK
Updating  .\Primecoin\wallet.dat                                      OK
Updating  .\Protoshares\wallet.dat                                    OK
Updating  .\Redcoin\wallet.dat                                        OK
Updating  .\RoyalCoin\wallet.dat                                      OK
Updating  .\Terracoin\wallet.dat                                      OK
Updating  .\Worldcoin\wallet.dat                                      OK
Updating  .\YaCoin\wallet.dat                                         OK
Updating  .\Sexcoin\wallet.dat                                        OK
Done

This example finds every file named wallet.dat and adds it to the rar file. You can use wildcards in the pattern.

This will preserve the directory structure.

-dh allows you to add files that are in use by another process.

-rr524288 adds a recovery record to the archive, with the maximum number of sectors (you can never be too cautious).

Checking the rar file

"c:\Program Files\WinRAR\Rar.exe" vb wallets.rar
Alphacoin\wallet.dat
AmericanCoin\wallet.dat
AndroidsToken\wallet.dat
Betacoin\wallet.dat
Bitcoin\wallet.dat
Colossuscoin\wallet.dat
digitalcoin\wallet.dat
eMark\wallet.dat
Fastcoin\wallet.dat
Feathercoin\wallet.dat
Florincoin\wallet.dat
Franko\wallet.dat
Gridcoin\wallet.dat
IncaKoin\wallet.dat
Litecoin\wallet.dat
Luckycoin\wallet.dat
Namecoin\wallet.dat
NetCoin\wallet.dat
NovaCoin\wallet.dat
Ocoin\wallet.dat
Phoenixcoin\wallet.dat
PPCoin\wallet.dat
Primecoin\wallet.dat
Protoshares\wallet.dat
Redcoin\wallet.dat
RoyalCoin\wallet.dat
Terracoin\wallet.dat
Worldcoin\wallet.dat
YaCoin\wallet.dat
Sexcoin\wallet.dat


How to change the icon, version or another resource of Windows executables built with PAR::Packer


Situation

You're using PAR::Packer to create a nice Windows executable out of one of your Perl scripts.

However, the --info and --icon switches aren't working. You might also want to embed other resources into your executable.

Trying the usual methods

exe_update.pl

exe_update --icon=jambon.ico jambon.exe

exe_update does not work with PAR::Packer executables: it will destroy your file.

ResHacker

ResHacker.exe -modify       "jambon.exe", "jambon.exe", "jambon.ico", ICONGROUP, WINEXE, 0
ResHacker.exe -delete       "jambon.exe", "jambon.exe", versioninfo,1,
ResHacker.exe -addoverwrite "jambon.exe", "jambon.exe", "jambon\version_info.res", versioninfo,1,

ResHacker edits the resources of your file correctly. However, the executable errors out when launched, since its signature has changed. This is not acceptable.

Where the icon and version come from

When built statically, a pp-compiled executable is made of data stored in Static.pm, which is generated from Static.in and boot.exe. This boot.exe file is the one that carries the final resources.

The resources used to build this file are located in cpan\build\PAR-Packer-1.015-?????\myldr\winres. Modifying these files and rebuilding boot.exe lets you change the resources of your final executable.

The ugly solution that works

Before packing your perl script, rebuild boot.exe with your custom information.

This can easily be automated using a makefile, like this one:

PERL_DIR = C:\StupidPrograms\strawberryperl\perl
PAR_PACKER_SRC = C:\StupidPrograms\strawberryperl\cpan\build\PAR-Packer-1.015-2TLZDS

all:
	copy /Y medias\jambon.ico $(PAR_PACKER_SRC)\myldr\winres\pp.ico
	copy /Y medias\jambon.rc $(PAR_PACKER_SRC)\myldr\winres\pp.rc
	del $(PAR_PACKER_SRC)\myldr\ppresource.coff
	cd /D $(PAR_PACKER_SRC)\myldr\ && perl Makefile.PL
	cd /D $(PAR_PACKER_SRC)\myldr\ && dmake boot.exe
	cd /D $(PAR_PACKER_SRC)\myldr\ && dmake Static.pm
	attrib -R $(PERL_DIR)\site\lib\PAR\StrippedPARL\Static.pm
	copy /Y $(PAR_PACKER_SRC)\myldr\Static.pm $(PERL_DIR)\site\lib\PAR\StrippedPARL\Static.pm

	pp -o jambon.exe -f PodStrip -f Bleach -f Obfuscate --compress=9 jambon.pl

Your Perl installation might be different from mine, so you'll want to adapt the scripts.

This solution is quite ugly, but it does work.

How to restart dwm.exe on Windows 8 because it takes too much memory


Situation

If you're like me, you seldom restart your desktop computers.

When using Windows 8, I noticed that after a few weeks, the Desktop Window Manager process (C:\Windows\System32\dwm.exe) was taking over a gigabyte of memory. I like my memory, but not when it's used to create memory leaks.

Solution

Kill it with fire.

Using Process Explorer

  1. Start Process Explorer as administrator.
  2. Kill explorer.exe.
  3. Suspend winlogon.exe.
  4. Kill dwm.exe.
  5. Resume winlogon.exe.
  6. Start explorer.exe.

Using the command line

taskkill /IM explorer.exe /F
pssuspend.exe winlogon.exe
taskkill /IM dwm.exe /F
pssuspend.exe -r winlogon.exe
dwm.exe
explorer.exe

Do NOT do this when logged in remotely using remote desktop.

OLE: How to be sure Excel recalculates your cells after you did things to them


Situation

If you edit cells in VBA/OLE, you might want to have the whole workbook recalculated, so that you can extract data from it. This is especially true if your cells include cross-sheet formulas.

Things to try

How to synchronize users and groups from Active Directory (including passwords) to virtually anything


The situation

You have an Active Directory server with users and groups. You would like those to be synchronized with something else, be it an SQL database, an OpenLDAP server, a text file, a Samba passdb file, etc.

What you need

To achieve this, you will need:

  • Roles installed on your AD Server: Identity Management for Unix (including password synchronization and administration tools).
    Roles needed to achieve password synchronization
  • A script to fetch the users and the groups from AD using the LDAP protocol.
  • A script that will act as an SSO daemon, so that passwords can be synchronized as well (see http://support.microsoft.com/kb/324542 for more information on the subject). With this, you won't be able to extract the passwords currently stored in the AD server, but you will be notified of any change.

Download, install and configure pSSOd

pSSOd is a collection of Perl scripts that provide the synchronization we want.

You can find the scripts on github at: https://github.com/ZeWaren/pSSOd.

In this example, the following hosts are involved:

  • 192.168.42.10: Windows Server 2008 R2.
  • 192.168.42.20: Debian Squeeze.

Configure password synchronization on the Windows host

  • Configure the properties of Password Synchronization
  • Add a UNIX computer and configure its properties.
    Password Synchronization Host properties
  • Configure and run perlsync

    Configure and run perlsync.pl to fetch everything you need except the passwords.

    Configure:

use constant LDAP_HOST => "192.168.42.10";
use constant LDAP_USER => "aduser\@grandopen.zwm.fr";
use constant LDAP_PASSWORD => "abcd1234___";
use constant LDAP_BASE => "DC=grandopen,DC=zwm,DC=fr";

Run:

root@debiantest:~# perl perlsync.pl
$VAR1 = {
          'CN=User One,CN=Users,DC=grandopen,DC=zwm,DC=fr' => {
                                                                'name' => 'User One',
                                                                'accountname' => 'uone'
                                                              },
          'CN=Guest,CN=Users,DC=grandopen,DC=zwm,DC=fr' => {
                                                             'name' => 'Guest',
                                                             'accountname' => 'Guest'
                                                           },
          'CN=AD User,CN=Users,DC=grandopen,DC=zwm,DC=fr' => {
                                                               'name' => 'AD User',
                                                               'accountname' => 'aduser'
                                                             },
[...]
        };
$VAR1 = {
          'Even Users' => {
                            'users' => [
                                         'usix',
                                         'ufour',
                                         'utwo'
                                       ],
                            'description' => 'Users that have an even id'
                          },
          'Group two' => {
                           'users' => [
                                        'usix',
                                        'ufive',
                                        'ufour'
                                      ],
                           'description' => 'This is the second group'
                         },
[...]
        };

Configure and start perlssod

Configure and start perlssod.pl in order to be notified of any password change.

Configure:

use constant SSOD_SECRET => "8MRQH_Pa62637f3fG]3T";
use constant SSOD_TCP_HOST => "192.168.42.20";
use constant SSOD_TCP_PORT => 6677;
use constant SSOD_DEBUG_MODE => 0;

Be sure to allow TCP connections between the two hosts, on port 6677.

Watch /var/log/pssod.log to know what is happening.

root@debiantest:/var/log# tail -f pssod.log
2012/09/11 15:52:59 INFO Starting pSSOd.
2012/09/11 15:53:19 INFO Calling callback with user ufour.
2012/09/11 15:53:19 INFO Inside callback with user ufour and password abcd1234$!!.

Complete the scripts

If everything works correctly, you now have a way to fetch the users and groups from the AD server, and a way to be notified of any password change.

You can now complete perlssod.pl and perlsync.pl to store the information where you need it.

Example scripts

Some example scripts are provided in the syncs_and_callbacks folder of pSSOd, to store the information into:

  • A SQL database (MySQL, Postgres, SQLite and whatever DBI supports)
  • Some htpasswd and htgroups files

Also, you can obviously build your own scripts depending on your needs.

How to allow non-administrator users to use RDP on a domain controller


Situation

Your Windows Server 2008 is now a domain controller. Since you installed that role, you can't access the server through RDP/TSE.

Allow the users to use the service

Non-administrator users need to be explicitly authorized to use the service.

  • Run gpedit.msc
  • Browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
  • Edit "Allow log on through terminal services"
  • Run gpupdate /force


Log in with the right FQDN

Prior to installing your domain controller, you could log in using only your username.

Now, when connecting, use the format user@f.q.d.n.example.net, or you won't be able to log in.


Things you might try to restore your Windows networking after malware cleaning


Introduction

Here is the situation: you removed malware manually, since no anti-malware tool could do anything beyond detecting the corrupted files. In the process, you deleted some infected system files, including some that were part of the networking stack.

Symptoms

  • You can ping both local and Internet IPs, so ICMP and your hardware are working.
  • You cannot open any TCP/UDP connection; they all fail instantly, without a timeout.
  • DHCP does not work either.

Things you might try

Check that your LSP stack is correct and not damaged

Run LSP-Fix

Resetting the networking stack

> netsh int ip reset reset.log
> netsh winsock reset catalog

Restoring any missing or corrupted system files

> sfc /scannow

Checking that the AFD service is started

> sc qc afd
> sc query afd

If AFD is not started, check that its service definition and its device exist in the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"DisplayName"="AFD"
"Description"="Environnement de prise en charge de réseau AFD"
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\\LEGACY_AFD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000]
"Service"="AFD"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="AFD"
"Capabilities"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000\Control]
"ActiveService"="AFD"

Also, be sure to have a correct version of afd.sys in your system32/drivers/ folder.
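To compare an export taken from the damaged machine against the values above without reading the hex by hand, here is an added Python example (not from the original post): it parses Windows Registry Editor 5.00 text, including hex values continued over several lines, and reports which AFD service or device entries are missing or differ from the expected ones. The sample export and its damaged variant are constructed for this example from the entries above.

```python
import re

# Expected AFD driver values, taken from the registry export above.
EXPECTED_AFD = {"ImagePath": r"\SystemRoot\System32\drivers\afd.sys", "Group": "TDI",
                "Start": 1, "Type": 1, "ErrorControl": 1}  # system start, kernel driver
AFD_SERVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD"
AFD_DEVICE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000"


def parse_reg(text: str) -> dict:
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}},
    handling quoted strings, dword: values and hex: lists continued with a trailing \\."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # re-join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex:"):
            value = bytes(int(b, 16) for b in raw[4:].split(",") if b)
        else:
            value = re.sub(r"\\(.)", r"\1", raw.strip('"'))  # unescape \\ and \"
        keys[current][name.strip('"')] = value
    return keys


def check_afd(reg: dict) -> list:
    """Return the problems found; an empty list means the AFD service and device look intact."""
    svc = reg.get(AFD_SERVICE)
    if svc is None:
        return ["AFD service key is missing"]
    problems = [f"AFD\\{n}: expected {w!r}, found {svc.get(n)!r}"
                for n, w in EXPECTED_AFD.items() if svc.get(n) != w]
    dev = reg.get(AFD_DEVICE)
    if dev is None or dev.get("Service") != "AFD":
        problems.append("LEGACY_AFD device instance missing or not bound to AFD")
    return problems


# Sample export, constructed for this example from the AFD entries above (Security blob shortened).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"Group"="TDI"
"ImagePath"="\\SystemRoot\\System32\\drivers\\afd.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,\
  00,00,14,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AFD\0000]
"Service"="AFD"
"""
# Constructed damaged variant: the driver has been left disabled (Start=4, SERVICE_DISABLED).
DAMAGED_REG = SAMPLE_REG.replace('"Start"=dword:00000001', '"Start"=dword:00000004')

if __name__ == "__main__":
    print(check_afd(parse_reg(SAMPLE_REG)) or "AFD looks intact", check_afd(parse_reg(DAMAGED_REG)))
```

On a real machine, export the two keys with reg export and feed the file contents to parse_reg instead of SAMPLE_REG.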

Checking that other important services are started

Read the instructions at: http://www.smartestcomputing.us.com/topic/49542-cant-start-windows-firewall%3B-windows-firewall-service-missing-fix/


Run WinSockXPFix (XP Only)

Download and run WinSockXPFix.

Reset Internet Settings

Reset all the settings to default.

  • Control Panel -> Internet Options
  • Advanced tab
  • Reset Internet Explorer

Check connection settings and remove any proxy.

  • Control Panel -> Internet Options
  • Connections -> LAN Settings
  • Check all parameters

How to kill javaw.exe


The situation

You have some Java processes running on your system but you can't stop or kill them. You've tried the Task Manager and Sysinternals' Process Explorer.

The solution

Find the PID of your java process

C:\>jps -l -v
3100 sun.tools.jps.Jps -Dapplication.home=C:\Program Files\Java\jdk1.6.0_24 -Xms 8m
2904 C:\Program -Xms40m -Xmx256m -XX:MaxPermSize=96m -DXPCOM.RUNTIME=C:\Program
Files\Texas Instruments\ccsv4\DebugServer\win32 -Dxpcom.bridge.executeOnDedicate
dThread=yes -Dorg.eclipse.swt.browser.XULRunnerPath=C:\Program Files\Texas Instrument\ccsv4\DebugServer\win32 -Dosgi.instance.area.default=file:/C:/Documents and Settings/SomeUser/Mes documents/workspace/

Here we want to kill the nasty Eclipse process, PID 2904.

Use taskkill.

C:\>taskkill /F /PID 2904
Opération réussie : le processus avec PID 2904 a été terminé.

If you don't use the /F option, the command will still report success, but nothing will happen.
