Goodbye Spectrum Cable Internet, Hello AT&T Fiber

It was July 2000 when I got RoadRunner cable Internet from Time Warner Cable. For years, I had waited for high speed Internet in Milwaukee, WI being held hostage on a 56K modem dial-up service. ExecPC was “the” ISP for southeastern Wisconsin and around 1999/2000, they were offering ISDN 128K, but not DSL. I was actually posting about Internet service in Milwaukee around the year 2000 on news groups (USENET). It appears at the time the speeds were around 170KB/sec on RoadRunner. ExecPC ISDN was 16KB/sec. On 56K dial-up, the best speeds you could get were 7KB/sec. Today, I’m getting 46,250KB/sec, a 27,106% increase over what I had back in 2000. Going from 56K dial-up to Roadrunner in 2000 was a 2329% increase.

Knock on wood, I’ve had Roadrunner (now Spectrum) for 25 years and for the most part, it’s been pretty solid. I even remember the first modem I had: the Motorola SB3100. It had a max download of 38Mbps and upload of 10Mbps. However, I wasn’t getting 38Mbps, I was getting around 1.5Mbps. It appears I was paying $29.95 which went to $49.95 in 2001. Using Perplexity AI, it came up with this for the change in Internet speeds from Time Warner/Spectrum over time:

  • 2000: Road Runner launches widely with 1.5 Mbps as the standard speed 1.
  • 2003: Speed tiers increase to 2 Mbps, then 3 Mbps in some regions 2.
  • Mid-2000s: 5–10 Mbps becomes common as networks are upgraded 1.
  • 2011–2015: Major jumps, with 12–30 Mbps becoming standard, then 50 Mbps, and up to 300 Mbps in some markets 5.
  • 2016–2025: Gigabit service (1000 Mbps) becomes available in many areas as fiber and DOCSIS 3.1 roll out; national average speed surpasses 200 Mbps 4.

Recently, I’ve been paying $68/month for Spectrum cable Internet and was getting roughly 475Mbps. I was on a deal for 1 year and that deal was running out in June 2025. The price was going to go to $93/month! I called and asked for a new deal which they refused to do without bundling either TV or phone service. I did not want to do this. I even told them AT&T fiber was available in my area for $55/month and they did not care. Months earlier, I had gotten a “door hanger” that stated AT&T fiber was coming to my area.

I was reluctant to go to AT&T as the device they provide, the BGW320, is a combination router/modem. I have my own router equipment, so this would involve trying to figure out how to disable or bypass their own router and using my own equipment. However, saving an extra $38 per month was going to be worth the pain of trying to figure it out.

Off I went to order new Internet service from the AT&T website. The first issue is they do a credit check during the online ordering process and I have my credit frozen at the top 3 credit bureaus. This failed and dumped me into a chat window, so I closed out and unfroze my credit and re-ran through the online ordering process: this time it succeeded. I picked my schedule date and time (very nice AT&T!).

The install date came and I got a text from my installer. It was scheduled between 8AM and 10AM and the installer was here by 8:20AM. It took approximately 3 hours for them to install it. That included installing a new line from the telephone pole to my house, installing a new AT&T service box on the side of the house, drilling a bigger hole in the side of the house and feeding the line into the same jack that Spectrum was using.

They also sent in a “home advisor expert” which was a nice touch, explaining details of the service, billing, promotions and the Smart Home Manager mobile app.

In terms of bypassing the AT&T router portion: I’ll describe what I did so I could use my own router. The AT&T router defaults to 192.168.1.254, so go to this IP address in a web browser when you want to configure the AT&T equipment settings. I had done research beforehand and it was recommended to put the AT&T equipment on its own subnet. My default subnet addressing for my home network is 192.168.1.x, so I decided to change the AT&T router/modem to 192.168.0.254 so as not to conflict with my own network addressing. You can do this by going to 192.168.1.254, then clicking on Home Network>Subnets & DHCP. You will need to enter the device access code from the bottom of the BGW320.

Change the settings to what I have listed below if you want to use your own router equipment:

Next, go to Firewall>IP Passthrough. I recommend having your router connected so you can pick off its MAC address from the list.

Turn off everything in the firewall and packet filter.

You’ll also want to turn off the WiFi radios:

If you did everything correctly, when you log into your own router equipment, you should see an Internet IP address that is not 192.168.x.x. If you do see a 192.168.x.x address, that means you are “double NATed” and you need to re-trace your steps. I figured this out pretty quick when I couldn’t ping my home network no-ip.com alias from HetrixTools monitoring. I had changed my MAC address in my own router months ago and wrote down the “real” MAC address of the router, not the MAC address the router was masquerading as. I again suggest connecting your router right away to the BGW320 and picking it off the list instead of manually keying in a MAC address.

Of course, after I had this running perfectly for 48 hours, Sunday morning came along where I have my TP-LINK router restart itself at 3AM every week and then it was back to a 192.168.0.68 address for the Internet IP address (double NAT problem). I spent quite a bit of time restarting the AT&T router/modem and my own router and the TP-LINK would not get a WAN address. I disabled the DHCP server on AT&T’s router/modem and it did not like that at all! I couldn’t get to the web interface of the AT&T router/modem anymore, so I ended up doing a hard reset with the little red button on the back.

After the hard reset of the AT&T router/modem and re-configuring everything, the TP-LINK router again got the proper WAN address from the AT&T router/modem. Based on a few postings of other people having the same problem as myself: I changed the DHCP lease to 5 minutes on the AT&T router/modem (instead of one day). The next week, when my personal router restarted, it got the proper Internet IP address. If for some reason this does not work: another suggestion I saw was unplugging/replugging the Ethernet cable going to the AT&T equipment on the TP-LINK side to force it to get a new IP address from the AT&T router/modem.

You can actually log into the Smart Home Manager app and see the IP address of your router to check if it’s really the proper Internet IP address without having to log into the router directly.

Another issue I found was AT&T was blocking port 25 outbound for SMTP. As an example: I use PingPlotter to monitor my home network and I just use the default port of 25 to send e-mails for its alerts. This stopped working after switching to AT&T. The solution was simple: change port 25 to 587 and then the e-mails started working again.

So far, AT&T’s Internet service has been fantastic. I now get 375/375 instead of Spectrum’s 450/20. This will come in handy for work when I have to transfer files between work systems using my own Internet’s upstream bandwidth.

  • Soli Deo Gloria

Case of the Non-Functioning Software Install Group Policy Object (GPO)

This one drove me a bit crazy I must admit. I had a GPO that would install an MSI file when scoped to a computer account. However, recently, it stopped working. When I ran rsop.msc and looked at the error tab, it kept stating “Software Installation did not complete policy processing because a system restart is required for the settings to be applied. Group Policy will attempt to apply the settings the next time the computer is restarted.”

Restarting the computer several times did nothing. Of course, I did what any normal IT person would do and I immediately consulted various AI chatbots. This led me down many dead ends, the reason being this may be one of the worst errors I’ve ever seen. It had nothing to do with a pending restart. The problem? The GPO couldn’t find its source files.

This wasn’t reflected in the event logs or the RSOP error tab, it’s just a generic error that Microsoft decided to present when the software install piece of a GPO does not work. When I was working in GPMC on another server with an elevated account, the first thing I did was check the source path in the GPO and I could see the MSI file was there.

What I didn’t do right away is check the source path from a normal (non-elevated) user account. Once I did this, a bell rang in my head. Our security team found that the applications folder on our SCCM server was set with weak permissions, so the SCCM administrator restricted those permissions to elevated accounts and thus, my GPO was broken.

ChatGPT o3 came the closest to finding the solution; in its third bullet point, it came up with:

Use psexec -i -s cmd to open a SYSTEM shell and run dir \\server\share\package\app.msi. to resolve access issues

When the SYSTEM account is used by a GPO, the GPO will use the computer’s AD account (i.e. computername$) to reach the UNC path. ChatGPT is suggesting we use psexec with the -s option to force the computer into using its own AD account to access the UNC path. A failure to see the MSI file from this SYSTEM elevated session means we have some type of NTFS ACL problem on the source folder.
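The SYSTEM-context check described above can be scripted so the result says whether the package is missing or merely unreadable by the computer account. This is an added example, not part of the original post or of ChatGPT's answer; the function name Test-PackageSourceAccess is made up for illustration, and the path in the usage comment is the sample path quoted above.

```powershell
# Added example (not from the original post). Run it from a SYSTEM shell on the
# affected computer, e.g. one started with: psexec -i -s powershell.exe
function Test-PackageSourceAccess {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path    # UNC path of the MSI exactly as entered in the GPO
    )
    begin {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        # When running as SYSTEM, remote shares see the computer account (computername$).
        if ($id.IsSystem) { $networkIdentity = "$env:COMPUTERNAME`$" }
        else              { $networkIdentity = $id.Name }
    }
    process {
        $result = 'Readable'
        $detail = ''
        try {
            # Opening the file for read is the same access the installer needs.
            $stream = [System.IO.File]::Open(
                $Path,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read,
                [System.IO.FileShare]::ReadWrite)
            $stream.Dispose()
        }
        catch {
            $ex     = $_.Exception.GetBaseException()
            $detail = $ex.Message
            if ($ex -is [System.UnauthorizedAccessException]) {
                $result = 'AccessDenied'      # share or NTFS permissions exclude this identity
            } elseif ($ex -is [System.IO.FileNotFoundException] -or
                      $ex -is [System.IO.DirectoryNotFoundException]) {
                $result = 'NotFound'          # package moved, renamed or deleted
            } else {
                $result = 'OtherError'        # e.g. server or share unreachable
            }
        }
        [pscustomobject]@{
            Path            = $Path
            LocalIdentity   = $id.Name
            NetworkIdentity = $networkIdentity
            Result          = $result
            Detail          = $detail
        }
    }
}

# Usage with the sample path from the post:
# '\\server\share\package\app.msi' | Test-PackageSourceAccess | Format-List
```

Running the same function from a normal admin session and from the SYSTEM shell and comparing the Result values shows the difference that the RSOP error message hides.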

Rather than monkeying with the permissions of the original folder, I moved the source files to the NETLOGON share of the DCs. The files were relatively small, so I didn’t have to worry about the replication of the source folder between DCs.

-Soli Deo Gloria

Mass Restart Computers on Windows

I’ve been looking for a simple and free program to mass restart computers by a simple copy/paste and finally found it: RemoteRebootX! I was actually using a PowerShell script where I could copy/paste in a list of computers and the script would hang about 1/3rd of the way into the list. Admin Assistant works well for restarting computers, however, you have to create a group first, then import the computers into the group, then you can restart them from the action menu. I just wanted to copy/paste my list and go.

I just typed my request into Grok AI about the best freeware restart tool and voilà, it did the research and recommended RemoteRebootX. This tool also does other nifty stuff such as get uptime, free space, Wake-on-LAN, remote control over RDP, and it will allow you to create scheduled tasks on the remote computers.

Soli Deo Gloria

Portable Windows 95

Take a trip down memory lane: Windows 95 running in Electron! Comes with Doom, Microsoft Plus! Pack and Microsoft Word for Windows 95 pre-installed. It’s even got Internet access! Somehow my blog works on Windows 95’s Internet Explorer!

Searching around on the Internet, I found this site: https://copy.sh/v86/. You can run all kinds of operating systems from this site: very cool! My blog doesn’t work on Windows 2000’s Internet Explorer, but it does on Windows 95’s Internet Explorer???

  • Soli Deo Gloria

When RunAs SYSTEM Isn’t Enough

I’ve written several times in the past about running under the SYSTEM account using the well known trick psexec -i -s cmd which runs cmd under SYSTEM, but what if you want to run as TrustedInstaller? More accurately, you can run as SYSTEM with the TrustedInstaller token. I happened to stumble across this trick when trying to delete the files in C:\Windows\WinSxS\Temp\PendingDeletes\ and it just wasn’t happening using the SYSTEM account alone. The program I used is SuperCMD. Just run SuperCMD.exe /TI /Run:cmd.exe using RunAs Administrator on cmd.exe and voilà, you are SYSTEM running with the TrustedInstaller token!

Another program that can be used is NSudo which is based on SuperCMD.

  • Soli Deo Gloria

Edgesuite.net Access Denied Error When Visiting Web sites

Buckle up, this is going to be an interesting one. A few weeks ago, I started getting errors like this visiting web sites like McDonalds, Costco, Meijer, Pick ‘n Save:

Access Denied
You don’t have permission to access “http://www.costco.com/?” on this server.

Reference #18.1371ca17.1714195696.247b9298

https://errors.edgesuite.net/18.1371ca17.1714195696.247b9298

Odd. I started looking around on the Internet which led me to this thread on the Verizon FIOS site: https://community.verizon.com/t5/Fios-Internet-and-High-Speed/multiple-websites-quot-access-denied-quot-over-verizon-Fios/td-p/1746618

Reading through the thread, I found a post by smith6612 pointing to this link: https://www.akamai.com/us/en/clientrep-lookup/. I went and checked my IP address: it was listed as a web scraper. These companies use Akamai as a CDN (Content Distribution Network) and according to the store IT support, my IP address was listed as a 10/10 or a very bad IP address in Akamai.

If I used a VPN, I could then access these sites just fine, because I was using a different IP address, but this is not a good long-term solution. I attempted to contact Akamai to remove my IP address, but in so many terms, they told me to go pound sand as I was not their customer.

After contacting Spectrum technical support, they suggested I get a new cable modem which should give me a new IP address. I did so and….same IP address. ARGH! Anyways, I was already prepared with a plan B: it appears that if you change the MAC address of your router slightly, even by 1 character, Spectrum will see this as a new router and will give you a different IP address.

I changed the MAC address on the router and restarted the router and the cable modem: I was granted a new IP address! This new IP address was not blacklisted by Akamai.

The option to change a MAC address will vary by router model, but the TP-LINK AX5400 lets you change the MAC address in the router’s web GUI. The other option suggested by Spectrum was to leave the cable modem turned off for 24 hours (for the DHCP lease to expire) and then plug it back in, but that option may not be viable for many people unless you have some type of backup Internet option like a hotspot.

Changing my router’s MAC address and getting a new IP address worked for 24 hours before I was banned again. Not sure why, I removed some extensions from Chrome and tried a new IP address.

It appears after 4 days of removing several Chrome extensions I wasn’t actively using, it’s finally resolved. I suspect it may have been due to 2 Chrome extensions I had loaded in the past: one called “DownloadThemAll!” and another called “Video Download Helper”. I had used DownloadThemAll! to download some audio files from a website (freely available on said website) several months ago. I didn’t want to click 60+ individual links to download them, I wanted to click once and do it batch mode style. My theory is that one of the websites I visit that was using Akamai’s CDN service saw these extensions loaded in my browser and just assumed I was a bad actor, even though I wasn’t actively using the tools on their website, and added me to a naughty list, which was then shared to the rest of Akamai’s customers and thus I was blocked from many websites.

If you have any other helpful tips or interesting stories on this topic, feel free to leave those as comments and they will be approved depending on their quality.

-Soli Deo Gloria

In Search of the Perfect Android Podcast App

Recently, I subscribed to Club Twit (twit.tv), which includes ad free videos for their tech shows.  I loaded these shows up into Pocket Casts without any problems.  I, however, wanted to watch these on my computer full screen.  I blissfully logged into Pocket Casts on the web to see if I could play my podcasts there, then I was greeted with this message: that will be $40/year.  Are you kidding me?  They have a “deal” where the first year is $20, then year 2 and beyond is $40.

Podcast apps are just aggregators of RSS feeds and there’s no way I’m paying $40/year for the ability to watch videos hosted by a 3rd party.  Researching around, I found Bluestacks which can run Android apps on Windows and indeed, I could load Pocket Casts and have it go full screen without any problems and it would sync my progress of watching the show to my phone.  They even created an icon for Pocket Casts on my desktop, so all I had to do was click on the icon and it would auto-launch Bluestacks and Pocket Casts.

However, this $40 cash grab attempt left a bad taste in my mouth with Pocket Casts. In addition to that, I have issues with their playlist feature.  I can add 3 episodes of a podcast to the queue, but it never plays the last item in the playlist automatically.  So annoying when you are in the shower and not near the phone!

I decided to hunt around for a new podcast app.  Podcast Addict was highly recommended on Reddit, so I loaded it up.  It offered to restore my backup from the year 2011: yes, I had used this app in the past.  Apparently, it saves the app data in a secret backup location on your Google Drive that you can’t see.  Unfortunately, Podcast Addict doesn’t appear to sync between multiple devices, so I uninstalled it.

I then tried Podurama which looked very promising.  They offer syncing between devices and their free tier allows playing of your podcasts on their website.  Unfortunately, I could not get the syncing to work between my computer and phone, so I uninstalled that one as well.

I then stumbled onto Podcast Republic.  While they do not offer playing podcasts from a website, they do offer syncing between devices and right from the get go, they say it’s free.  I loaded it up into Bluestacks and I was able to sync my podcast progress to my phone.  Hooray!  The sync, however, does not seem to be “real-time”, but I was able to do it on demand from Settings>Account & syncing>Sync now.  The app has ads which were not obtrusive at all, just a small banner at the very bottom of the app.   I went ahead and paid the one time fee of $4 to remove the ads.

As an added bonus: I see they support streaming radio stations.  I listen to a radio station on iHeartRadio using their official app.  Unfortunately, they started putting ads on the screen in their app: annoying!   I went to radio-browser.info, found the streaming URL for the station I listen to and added it in Podcast Republic.  No more screen ads!

-Soli Deo Gloria

Reimaged Computers Can’t Register Their DNS record

This one took me a while to solve. The desktop guys kept coming to me stating when they re-imaged a computer, it either didn’t ping or it had the wrong IP address. I found out later they had changed their imaging methodology. Before re-imaging any computer, they first delete the computer account and then re-image it. I would guess that this netjoin hardening change is the reason.

When I went into DNS management, I could clearly see an “Account unknown” in the ACL of the DNS record, which makes sense, because the computer account registered the DNS record, but now that computer account didn’t exist anymore. Until the DNS record is scavenged or deleted manually, the newly imaged computer will be unable to update its own DNS record.

This led me down a path of many dead ends. I wrote a script to compare DHCP leases to DNS records. However, I soon found out that DHCP is not always correct either for the current IP address. If someone moves from location to location, the last DHCP lease is the one you want to use. I then looked into making DHCP the owner and updater of all dynamic DNS records, but this too caused issues such as duplicate DNS records.

I then looked at trying to find any DNS records with “Account unknown” in the ACL, but the script ended up too complex and just didn’t work. It was back to basics: I only cared about recently deleted computer accounts, so why not just look for recently deleted computer accounts and then delete the DNS records for those accounts?

That’s exactly what dns_orphan_fix.ps1 does. It looks back 60 minutes for any deleted computer accounts and then attempts to delete the DNS records for those accounts. I run this in the task scheduler every 30 minutes, so that does mean that DNS records will get deleted twice, but I shouldn’t miss any deleted computer accounts this way. There is a “$dryrun” option that you can flip to $true just to make sure this script will operate the way you think it will operate in your environment before setting it to $false to actually delete DNS records.
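A sketch of the approach just described, as an added example: this is not the author's dns_orphan_fix.ps1. The zone name, DNS server name and state-file path are placeholders, and two safeguards go beyond what the post describes: static records are skipped, and handled account GUIDs are remembered so an overlapping scheduled run does not delete a record the re-imaged computer has since re-registered.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example; not the author's dns_orphan_fix.ps1.
$dryrun    = $true                       # $true = report only, $false = delete
$lookback  = 60                          # minutes to look back, as in the post
$zone      = 'corp.example.com'          # placeholder zone name
$dnsServer = 'dc01.corp.example.com'     # placeholder DNS server
$stateFile = Join-Path $env:ProgramData 'dns_orphan_example_seen.txt'  # hypothetical path

$since = (Get-Date).AddMinutes(-$lookback)
$seen  = @(if (Test-Path $stateFile) { Get-Content $stateFile })

# Deleted computer accounts; whenChanged is stamped when the account is deleted.
$deleted = Get-ADObject -IncludeDeletedObjects -Properties whenChanged `
    -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' |
    Where-Object { $_.whenChanged -ge $since }

foreach ($obj in $deleted) {
    $guid = $obj.ObjectGUID.ToString()
    if ($seen -contains $guid) { continue }      # handled by an earlier run

    # Deleted objects are renamed "<name><newline>DEL:<guid>"; keep the host part.
    $hostName = ($obj.Name -split "`n")[0]
    $allOk    = $true

    $records = @(Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
        -Name $hostName -RRType A -ErrorAction SilentlyContinue)

    foreach ($rr in $records) {
        $ip = $rr.RecordData.IPv4Address
        if ($null -eq $rr.Timestamp) {
            # No timestamp means a static record created by an admin: leave it alone.
            Write-Output "SKIP    $hostName.$zone $ip (static record)"
            continue
        }
        if ($dryrun) {
            Write-Output "DRYRUN  would delete $hostName.$zone $ip"
            continue
        }
        try {
            Remove-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
                -InputObject $rr -Force -ErrorAction Stop
            Write-Output "DELETED $hostName.$zone $ip"
        }
        catch {
            $allOk = $false
            Write-Warning "Could not delete $hostName.$zone ${ip}: $($_.Exception.Message)"
        }
    }

    # Remember the account only after a real, fully successful pass.
    if (-not $dryrun -and $allOk) { Add-Content -Path $stateFile -Value $guid }
}
```

Only A records are handled here, and the account running the task needs rights to read deleted objects in AD and to delete records in the zone.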

  • Soli Deo Gloria

Adding .NET Framework 3.5 – Error Code 0x800f0954

Here we go again: another server, another error. Why can’t things just work properly? Had a consultant e-mail me they couldn’t load .NET Framework 3.5 on Windows Server 2019. “Easy peasy lemon squeezy” I thought. Well, of course, it wasn’t that easy. Attempts to load this feature ended up with error code 0x800f0954. What in the hades is error code 0x800f0954?

Time to hit the Google and wow, there’s a bunch of random articles on this error code. I already had a hunch this had something to do with WSUS. We use SCCM in our environment and SCCM sets the WSUS server in the client registry to a WSUS server without any binaries, an empty WSUS server if you will. I usually fix that by deleting the whole registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU. The SCCM client will recreate this key periodically. Unfortunately, this did not work. Where to look? Our old friend C:\windows\logs\cbs\cbs.log and we find:

2023-11-01 13:12:37, Info CBS External EvaluateApplicability, package: Package_8_for_KB5031005~31bf3856ad364e35~amd64~~10.0.4069.1, package applicable State: Installed, highest update applicable state: Installed, resulting applicable state:Installed
2023-11-01 13:12:37, Info CBS External EvaluateApplicability, package: Package_for_DotNetRollup~31bf3856ad364e35~amd64~~10.0.4069.1, package applicable State: Installed, highest update applicable state: Installed, resulting applicable state:Installed
2023-11-01 13:12:37, Info CBS DLWD: Expecting search returns 1 update, actual:0 [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]
2023-11-01 13:12:37, Info CBS DWLD:Failed to do Windows update search [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]
2023-11-01 13:12:37, Info CBS FC: WindowsUpdateDownloadFromUUP returns. [0x800F0954]
2023-11-01 13:12:37, Error CBS FC: CFCAcquirerWUClient::Download(136): Result = 0x800F0954
2023-11-01 13:12:37, Error CBS FC: CFCAcquirerWrapper::Execute(147): Result = 0x800F0954
2023-11-01 13:12:37, Info CBS Exec: Failed to download FOD from WU, retry onece. [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]

It IS a WSUS problem, but why didn’t deleting the WindowsUpdate registry key help? Well, it appears the WindowsUpdate service only reads this registry key when it starts and if you change or delete this key after it’s running you have to restart the service so it takes note of the new changes. Oh, I like the misspelling of “retry onece” in the logs.
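The sequence above, put together as an added example (not from the original post): confirm the WSUS error in cbs.log, back up and remove the AU policy key, restart the Windows Update service so it notices the change, then retry the feature install. The backup file location is an arbitrary choice; the registry key, log path and error name are the ones quoted in this post.

```powershell
# Added example; run from an elevated PowerShell session on the affected server.
$cbsLog  = 'C:\windows\logs\cbs\cbs.log'
$auKeyPs = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$backup  = Join-Path $env:TEMP 'WindowsUpdate-AU-backup.reg'   # arbitrary backup location

# 1. Confirm this is the WSUS failure and not some other feature-install error.
$hit = Select-String -Path $cbsLog -Pattern 'CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS' |
    Select-Object -Last 1
if (-not $hit) {
    Write-Warning "No CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS entry in $cbsLog; stopping."
    return
}
Write-Output "Last matching CBS entry: $($hit.Line)"

# 2. Back up the policy key, then delete it. The SCCM client recreates it periodically.
if (Test-Path $auKeyPs) {
    reg.exe export $auKey $backup /y | Out-Null
    Remove-Item -Path $auKeyPs -Recurse -Force
    Write-Output "Removed $auKey (backup saved to $backup)"
} else {
    Write-Output "$auKey is already absent"
}

# 3. The Windows Update service reads the key only at start-up, so restart it.
Restart-Service -Name wuauserv -Force

# 4. Retry the feature install while the service no longer points at the empty WSUS server.
$install = Install-WindowsFeature -Name NET-Framework-Core
Write-Output "Install success: $($install.Success), restart needed: $($install.RestartNeeded)"
```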

It also didn’t matter if I tried to point Powershell or DISM directly to the binaries in the SxS folder, it wasn’t having anything of that without being able to reach out to Windows Update. Odd.

What’s so frustrating is that I cannot find this error code in any lookup tool such as helpmsg or cmtrace. It’s not documented anywhere I can find. If the program had spit out the whole error message instead of just some random hex code, I could have saved 30 minutes of my life doing something really important, like fixing someone’s Office 365 mailbox that they deleted all of the e-mails out of (oof).

  • Soli Deo Gloria