A Very Powerful Freeware File Manager

I recently stumbled upon Altap Salamander. At work, there is a folder with 13000+ sub-folders (don’t ask) I have to work with periodically. Using the built-in Windows file explorer won’t work due to the desktop.ini problem where all you see is a bunch of My Documents folders and not a list of username named folders. I frequently use XYplorer for file operations, however, it would lock-up if I went too deep into the folder structure. At that point, I would usually copy and paste the direct folder path into the native Windows file explorer while RDPed into a server to work around the lock-up issue.

The other issue with the native Windows file explorer is the refreshing view glitch. If Windows file explorer detects any change in the folder list it redraws the folder display view and re-enumerates the folder list starting at folder 1. What a pain!

This is where Altap Salamander comes in to help us. It appears it was a piece of freeware that was created in 1997, then it converted into commercial software and just recently was transitioned back to freeware as of July 2019. You can navigate to any UNC path by going to Commands>Change Directory. This file manager correctly displays and handles folders with large numbers of sub-folders. The software has interesting features including being able to calculate folder sizes,
batch file renamer, advanced file search (including filters on size and date), file type filter view and directory comparison just to name a few. I was able to go to another computer and run it from a remote UNC path, so the program appears to be fully portable and does not require admin installation.

This file manager also lets you see hidden folders that Windows file explorer will hide from you, as I explained in this 2006 blog post and yes, everything I wrote then still holds true today 13 years later (well, kind of, C:\documents and settings is now C:\users, but you get the point)

  • Soli Deo Gloria

System Center Orchestrator /Operations Manager 2016 & TLS 1.2

I deleted and re-wrote this blog post since the other one was out of date.  The backstory to this post starts back in July 2018 when we disabled TLS 1.0 across the whole organization.  Much fun ensued and we were running around trying to update the SQL native client and other software to get TLS 1.2 compliant.  One of the things that stopped working were the integration packs that we installed on System Center Orchestrator (SCORCH).  

I opened a premier support case with Microsoft and the first solution was to re-enable FIPS.  However, we later found out that enabling FIPS is really re-enabling TLS 1.0.  We left the registry entries that disabled TLS 1.0 and the ones that enabled FIPS.  The case was left open for Microsoft to figure out how to get TLS 1.2 working. The November 2018 security patches came out from Microsoft and the integration packs on SCORCH broke, AGAIN!  Another premier case was opened with Microsoft. 

After 2 hours of running Procmon and Wireshark, a solution was found.

Here are the steps you need to take:

On the SCORCH server:

1. Remove the SCOM console (If Any).
2. Uninstall SM and OM integration packs from control panel.
3. Reboot the server.
4. Un-deploy the existing SCOM IP from the designer/runbook servers.
5. Unregister the IP. 

6. Download and install the 
System Center 1801+ – Orchestrator Integration Packs (yes, even for SCORCH 2016!)
7.Re-register the IP and redeploy it (NOTE: Before re-registering the IPs again, make sure that the “Microsoft.EnterpriseManagement.Core.dll” and “Microsoft.EnterpriseManagement.OperationsManager.dll” are no longer present in either “c:\windows\assembly” or “c:\windows\microsoft.net\assembly\gac_msil”).

8. Re-install SCOM console (be sure to apply latest UR)

Add these registry entries to each SCOM server: 

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SchUseStrongCrypto" /t REG_DWORD /d 00000001 /f

Add these to each SCORCH server (management/runbook):

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SystemDefaultTlsVersions" /t REG_DWORD /d 00000001 /f

Enjoy TLS 1.2 with SCORCH/SCOM.  Note you can check for TLS 1.2 communication by loading Wireshark on the SCORCH management server, then go into the IP pack for SCOM and do a test connection and look for TLS 1.2 in the log.

  • Soli Deo Gloria

Bypassing Choose Privacy Settings Screen – Windows 10

This was a fun one to track down.  When we did in-place upgrades on Windows 8.1 to Windows 10 1703, we never got this “Choose privacy settings for your device” screen.  However, going from 8.1 to 1803, this screen will appear once for the first user who logs in with local administrative rights (even though we define certain privacy settings through GPO):

Trying to track this down was hard, but I was inspired by this post on Reddit.

The first stab I tried was logging in as a regular user, running ProcMon and then trying to filter on the registry write operations, but even then, it was too much noise (60K+ events).  I then tried another approach.  When you click the Accept button, there’s a UAC prompt that comes up with a title of “User settings: OOBE”.  I made note of the word “OOBE” and cancelled it making changes. I ran Process Explorer as admin logged in as a regular user, then switched over to logging in as an administrator until I got the privacy screen, switched back to the regular user and then did a search for “OOBE” in the process list.  One of the processes that came up was svchost.exe and it had the following key open:

HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\Stats

I drilled around in this parent key and found this setting:

HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\PrivacyConsentStatus

Ah ha!  It was set to REG_DWORD 2, so I set it to 1 and tried logging in again as an administrator.  No prompt to set privacy settings!  I deleted the whole PrivacyConsentStatus key and the prompt still did not show up.  I went back and set PrivacyConsentStatus to 2, logged off and back on, privacy settings page showed back up, I clicked the Accept button on the privacy page and then went back to this registry key to see the results.  PrivacyConsentStatus was set back to 1 and a new entry called PrivacyConsentSID was created with a REG_SZ value with my user account SID.  I deleted PrivacyConsentSID and it seemed to have no effect on the system.

The fix is simple: copy the following into a REG file and then fire it towards the end of OSD

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE]
"PrivacyConsentStatus"=dword:00000001
  • Soli Deo Gloria

Get Any Edition of Windows 10 Without Access to VLSC

This is a neat little trick I found on the Internet.  If you don’t have access to VLSC and still need to get access to the Enterprise or Education editions of Windows 10, you can use the Media Creation Tool to download them.

Run the following.

MediaCreationTool1803.exe /Eula Accept /Retail /MediaArch x64 /MediaEdition Enterprise

<insert valid Win 10 KMS>.  You can find generic KMS keys here: https://docs.microsoft.com/en-us/windows-server/get-started/kmsclientkeys

Now you can extract the image you want out of the ESD file as a WIM file.  Number 3 is currently the Enterprise SKU:

dism /Get-WimInfo /WimFile:install.esd

dism /export-image /SourceImageFile:install.esd /SourceIndex:3 
/DestinationImageFile:install.wim /Compress:max /CheckIntegrity

Remove pid.txt under sources and check licensing status of machine with the following command after installing the OS:

slmgr /dli

– Soli Deo Gloria

Reset the State of Software Center

I recently had to pull Firefox out of Software Center and then made a new Firefox application.  Both the old Firefox and the new Firefox were listed on a particular machine even though I had retired and deleted the old Firefox application.  No matter what I did, the old software persisted!  After some reading: it appears that SCCM tracks Software Center events in WMI.  Even if you remove and reinstall the SCCM client, the “ghost software” remains.  I was able to finally clear off the software icon by doing a complete policy reset using the following WMIC command on the client and then waiting:

WMIC /Namespace:\\root\ccm path SMS_Client CALL ResetPolicy 1 /NOINTERACTIVE

  • Soli Deo Gloria

A Tale of Two Site Codes

This was an interesting problem.  We are cutting over clients to a new SCCM server with a new site code.  Around 100 clients kept going back to the old site code.  Peeking in LocationServices.log, it kept saying “Group Policy Registration set site code”.  Say what?  We don’t have any GPO like that.

After doing some Googling, I stumbled on this article: https://henkhoogendoorn.blogspot.com/search/label/GPRequestedSiteAssignmentCode and sure enough: GPSiteAssignmentCode was defined!  Someone in the past had made a GPO setting the site code, nuked it, but unfortunately it tattooed the computers forever leaving the old site code.

Solution?  PSEXEC, a list of computers in computers.txt, Notepad++ (to trim trailing spaces) and reg delete:

reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\SMS /f

Then you can do something like psexec @computers.txt -c ccm.bat where ccm.bat holds your ccmsetup command line.

  • Soli Deo Gloria

Bomb Out Task Sequence if Laptop is Not Connected to Ethernet

You would think this would be an easy thing to do in Powershell, but I couldn’t find anything. This WMI code will look for an active Ethernet connection and return errorlevel 0 if it finds an active Ethernet connection and 1 if it does not:

wmic.exe nic where "NetConnectionStatus=2" get NetConnectionID | find "Ethernet"

This has to be put into a batch file and then fired as part of the task sequence.

Why do this?  Well, we want to push Windows 10 through Software Center, however, we don’t want user’s with laptops doing this over the WiFi network.

  • Soli Deo Gloria

 

Your System Administrator has blocked this Program

This was an interesting one.  I was converting some computers over from an older domain to a new one and was getting this logged in as a non-admin user when trying to change the domain membership:

Attempts to do a runas on Command Prompt ended up with this even more bizarre error message:

At first I thought it was the OS being corrupted on the computer, but I encountered this error on more and more computers.  If I logged in as a user with administrator rights, everything worked fine.

After digging for a while, I figured this had to be a UAC policy as we don’t use AppLocker.

The issue: https://msdn.microsoft.com/en-us/library/cc232762.aspx

ConsentPromptBehaviorUser

Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value: “ConsentPromptBehaviorUser”

0x00000000
This option SHOULD be set to ensure that any operation that requires elevation of privilege will fail as a standard user.

0x00000001
This option SHOULD be set to ensure that a standard user that needs to perform an operation that requires elevation of privilege will be prompted for an administrative user name and password. If the user enters valid credentials, the operation will continue with the applicable privilege.

The previous IT staff (who are no longer here) had set a policy disabling UAC elevation.  Doing so causes all kinds of crazy error messages like this one.  Why would they do that?  Well, the one guess I can come up with is that they didn’t want help desk calls from people encountering a UAC prompt. Of course, this also interferes with any IT staff attempting to do any work as all attempts to elevate to admin are blocked.

Some users had admin rights and some didn’t…the ones that didn’t were the ones where this issue was popping up on.  Thankfully, this policy isn’t set in the new domain.

  • Soli Deo Gloria

0x80004005: An error occurred while retrieving policy for this computer

Started a new job recently and one of the techs was having a problem imaging a laptop with a recently replaced motherboard.  We would PXE boot the laptop and then WinPE would bomb out in 10 seconds stating “0x80004005: An error occurred while retrieving policy for this computer”.

Nothing interesting was found on the SCCM side, however when I finally found the SMSTS.LOG in X:\Windows\temp\SMSTSLOG, I didn’t even have to open the file to figure out the problem: it was dated 2016!  Yup: it was a date and time issue.  If your computer skews too far from the current date and time, SCCM won’t talk to your computer.

You can use the commands date and time within cmd (hit the F8 key…you did enable this functionality, right?) to set the correct date and time.

  • Soli Deo Gloria