Goodbye Spectrum Cable Internet, Hello AT&T Fiber

It was July 2000 when I got RoadRunner cable Internet from Time Warner Cable. For years, I had waited for high speed Internet in Milwaukee, WI being held hostage on a 56K modem dial-up service. ExecPC was “the” ISP for southeastern Wisconsin and around 1999/2000, they were offering ISDN 128K, but not DSL. I was actually posting about Internet service in Milwaukee around the year 2000 on news groups (USENET). It appears at the time the speeds were around 170KB/sec on RoadRunner. ExecPC ISDN was 16KB/sec. On 56K dial-up, the best speeds you could get were 7KB/sec. Today, I’m getting 46,250KB/sec, a 27,106% increase over what I had back in 2000. Going from 56K dial-up to Roadrunner in 2000 was a 2329% increase.

Knock on wood, I’ve had Roadrunner (now Spectrum) for 25 years and for the most part, it’s been pretty solid. I even remember the first modem I had: the Motorola SB3100. It had a max download of 38Mbps and upload of 10Mbps. However, I wasn’t getting 38Mbps, I was getting around 1.5Mbps. It appears I was paying $29.95 which went to $49.95 in 2001. Using Perplexity AI, it came up with this for the change in Internet speeds from Time Warner/Spectrum over time:

  • 2000: Road Runner launches widely with 1.5 Mbps as the standard speed [1].
  • 2003: Speed tiers increase to 2 Mbps, then 3 Mbps in some regions [2].
  • Mid-2000s: 5–10 Mbps becomes common as networks are upgraded [1].
  • 2011–2015: Major jumps, with 12–30 Mbps becoming standard, then 50 Mbps, and up to 300 Mbps in some markets [5].
  • 2016–2025: Gigabit service (1000 Mbps) becomes available in many areas as fiber and DOCSIS 3.1 roll out; national average speed surpasses 200 Mbps [4].

Recently, I’ve been paying $68/month for Spectrum cable Internet and was getting roughly 475Mbps. I was on a deal for 1 year and that deal was running out in June 2025. The price was going to go to $93/month! I called and asked for a new deal which they refused to do without bundling either TV or phone service. I did not want to do this. I even told them AT&T fiber was available in my area for $55/month and they did not care. Months earlier, I had gotten a “door hanger” that stated AT&T fiber was coming to my area.

I was reluctant to go to AT&T as the device they provide, the BGW320, is a combination router/modem. I have my own router equipment, so this would involve trying to figure out how to disable or bypass their router and use my own equipment. However, saving an extra $38 per month was going to be worth the pain of trying to figure it out.

Off I went to order new Internet service from the AT&T website. The first issue is they do a credit check during the online ordering process and I have my credit frozen at the top 3 credit bureaus. This failed and dumped me into a chat window, so I closed out and unfroze my credit and re-ran through the online ordering process: this time it succeeded. I picked my schedule date and time (very nice AT&T!).

The install date came and I got a text from my installer. It was scheduled between 8AM to 10AM and the installer was here by 8:20AM. It took approximately 3 hours for them to install it. That included installing a new line from the telephone pole to my house, installing a new AT&T service box on the side of the house, drilling a bigger hole in the side of the house and feeding the line into the same jack that Spectrum was using.

They also sent in a “home advisor expert” which was a nice touch, explaining details of the service, billing, promotions and the Smart Home Manager mobile app.

In terms of bypassing the AT&T router portion: I’ll describe what I did so I could use my own router. The AT&T router defaults to 192.168.1.254, so go to this IP address in a web browser when you want to configure the AT&T equipment settings. I had done research beforehand and it was recommended to put the AT&T equipment on its own subnet. My default subnet addressing for my home network is 192.168.1.x, so I decided to change the AT&T router/modem to 192.168.0.254 so as not to conflict with my own network addressing. You can do this by going to 192.168.1.254, then clicking on Home Network>Subnets & DHCP. You will need to enter the device access code from the bottom of the BGW320.

Change the settings to what I have listed below if you want to use your own router equipment:

Next, go to Firewall>IP Passthrough. I recommend having your router connected so you can pick off its MAC address from the list.

Turn off everything in the firewall and packet filter.

You’ll also want to turn off the WiFi radios:

If you did everything correctly, when you log into your own router equipment, you should see an Internet IP address that is not 192.168.x.x. If you do see a 192.168.x.x address, you are “double NATed” and you need to re-trace your steps. I figured this out pretty quickly when I couldn’t ping my home network no-ip.com alias from HetrixTools monitoring. I had changed my MAC address in my own router months ago and wrote down the “real” MAC address of the router, not the MAC address the router was masquerading as. I again suggest connecting your router right away to the BGW320 and picking it off the list instead of manually keying in a MAC address.

Of course, after I had this running perfectly for 48 hours, Sunday morning came along where I have my TP-LINK router restart itself at 3AM every week and then it was back to a 192.168.0.68 address for the Internet IP address (double NAT problem). I spent quite a bit of time restarting the AT&T router/modem and my own router and the TP-LINK would not get a WAN address. I disabled the DHCP server on AT&T’s router/modem and it did not like that at all! I couldn’t get to the web interface of the AT&T router/modem anymore, so I ended up doing a hard reset with the little red button on the back.

After the hard reset of the AT&T router/modem and re-configuring everything, the TP-LINK router again got the proper WAN address from the AT&T router/modem. Based on a few postings of other people having the same problem as myself: I changed the DHCP lease to 5 minutes on the AT&T router/modem (instead of one day). The next week, when my personal router restarted, it got the proper Internet IP address. If for some reason this does not work: another suggestion I saw was unplugging/replugging the Ethernet cable going to the AT&T equipment on the TP-LINK side to force it to get a new IP address from the AT&T router/modem.

You can actually log into the Smart Home Manager app and see the IP address of your router to check if it’s really the proper Internet IP address without having to log into the router directly.

Another issue I found was AT&T was blocking port 25 outbound for SMTP. As an example: I use PingPlotter to monitor my home network and I just use the default port of 25 to send e-mails for its alerts. This stopped working after switching to AT&T. The solution was simple: change port 25 to 587 and then the e-mails started working again.

So far, AT&T’s Internet service has been fantastic. I now get 375/375 instead of Spectrum’s 450/20. This will come in handy for work when I have to transfer files between work systems using my own Internet’s upstream bandwidth.

  • Soli Deo Gloria

Case of the Non-Functioning Software Install Group Policy Object (GPO)

This one drove me a bit crazy I must admit. I had a GPO that would install an MSI file when scoped to a computer account. However, recently, it stopped working. When I ran rsop.msc and looked at the error tab, it kept stating “Software Installation did not complete policy processing because a system restart is required for the settings to be applied. Group Policy will attempt to apply the settings the next time the computer is restarted.”

Restarting the computer several times did nothing. Of course, I did what any normal IT person would do and I immediately consulted various AI chatbots. This led me down many dead ends, the reason being this may be one of the worst errors I’ve ever seen. It had nothing to do with a pending restart. The problem? The GPO couldn’t find its source files.

This wasn’t reflected in the event logs or the RSOP error tab, it’s just a generic error that Microsoft decided to present when the software install piece of a GPO does not work. When I was working in GPMC on another server with an elevated account, the first thing I did was check the source path in the GPO and I could see the MSI file was there.

What I didn’t do right away is check the source path from a normal (non-elevated) user account. Once I did this, a bell rang in my head. Our security team found that the applications folder on our SCCM server was set with weak permissions, so the SCCM administrator restricted those permissions to elevated accounts and thus, my GPO was broken.

ChatGPT o3 came the closest to finding the solution; in its third bullet point, it came up with:

Use psexec ‑i ‑s cmd to open a SYSTEM shell and run dir \\server\share\package\app.msi. to resolve access issues

When the SYSTEM account is used by a GPO, the GPO will use the computer’s AD account (i.e. computername$) to reach the UNC path. ChatGPT is suggesting we use psexec with the -s option to force the computer into using its own AD account to access the UNC path. A failure to see the MSI file from this SYSTEM elevated session means we have some type of NTFS ACL problem on the source folder.
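A complementary check that can be run from an admin session, as an added example (not from the original post): it reads the NTFS ACL on the package and its folder and reports whether any principal that covers computer accounts by default has read access. The path is the placeholder from the quoted command; computers granted access through a custom group, and share-level permissions, are not evaluated, so the SYSTEM-shell `dir` test remains the definitive one.

```powershell
# Added example, not from the original post.
# Assumption: placeholder path from the quoted command; replace with your package path.
$MsiPath = '\\server\share\package\app.msi'

# SIDs that cover domain computer accounts by default:
# Everyone (S-1-1-0), Authenticated Users (S-1-5-11), Domain Computers (<domain>-515).
$ComputerSidPattern = '^(S-1-1-0|S-1-5-11|S-1-5-21-[\d-]+-515)$'
$Read        = [System.Security.AccessControl.FileSystemRights]::Read
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-ComputerReadAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Check the package itself and the folder that holds it.
    foreach ($target in @($Path, (Split-Path -Path $Path -Parent))) {
        $allow = @()
        $deny  = @()
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            # Inherit-only ACEs apply to children, not to this object.
            if ([int]($ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # identity cannot be resolved, so it cannot be classified
            }
            if ($sid -notmatch $ComputerSidPattern) { continue }

            $rights = $ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow' -and ($rights -band $Read) -eq $Read) {
                $allow += $ace.IdentityReference.Value
            } elseif ($ace.AccessControlType -eq 'Deny' -and [int]($rights -band $Read) -ne 0) {
                $deny += $ace.IdentityReference.Value
            }
        }
        [pscustomobject]@{
            Path             = $target
            AllowedVia       = ($allow | Sort-Object -Unique) -join ', '
            DeniedVia        = ($deny  | Sort-Object -Unique) -join ', '
            ComputersCanRead = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        }
    }
}

Get-ComputerReadAccess -Path $MsiPath | Format-List
```

A `ComputersCanRead` value of `False` on either row is the situation described above: the package is visible to an elevated admin but not to computername$.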

Rather than monkeying with the permissions of the original folder, I moved the source files to the NETLOGON share of the DCs. The files were relatively small, so I didn’t have to worry about the replication of the source folder between DCs.

-Soli Deo Gloria

Mass Restart Computers on Windows

I’ve been looking for a simple and free program to mass restart computers by a simple copy/paste and finally found it: RemoteRebootX! I was actually using a PowerShell script where I could copy/paste in a list of computers and the script would hang about 1/3rd of the way into the list. Admin Assistant works well for restarting computers, however, you have to create a group first, then import the computers into the group, then you can restart them from the action menu. I just wanted to copy/paste my list and go.

I just typed my request into Grok AI about the best freeware restart tool and voilà, it did the research and recommended RemoteRebootX. This tool also does other nifty stuff such as get uptime, free space, wake on lan, remote control over RDP, and it will allow you to create scheduled tasks on the remote computers.

Soli Deo Gloria

When RunAs SYSTEM Isn’t Enough

I’ve written several times in the past about running under the SYSTEM account using the well known trick psexec -i -s cmd which runs cmd under SYSTEM, but what if you want to run as TrustedInstaller? More accurately, you can run as SYSTEM with the TrustedInstaller token. I happened to stumble across this trick when trying to delete the files in C:\Windows\WinSxS\Temp\PendingDeletes\ and it just wasn’t happening using the SYSTEM account alone. The program I used is SuperCMD. Just run SuperCMD.exe /TI /Run:cmd.exe using RunAs Administrator on cmd.exe and voilà, you are SYSTEM running with the TrustedInstaller token!

Another program that can be used is NSUDO which is based on SuperCMD.

  • Soli Deo Gloria

Edgesuite.net Access Denied Error When Visiting Web sites

Buckle up, this is going to be an interesting one. A few weeks ago, I started getting errors like this visiting web sites like McDonalds, Costco, Meijer, Pick ‘n Save:

Access Denied
You don’t have permission to access “http://www.costco.com/?” on this server.

Reference #18.1371ca17.1714195696.247b9298

https://errors.edgesuite.net/18.1371ca17.1714195696.247b9298

Odd. I started looking around on the Internet which led me to this thread on the Verizon FIOS site: https://community.verizon.com/t5/Fios-Internet-and-High-Speed/multiple-websites-quot-access-denied-quot-over-verizon-Fios/td-p/1746618

Reading through the thread, I found a post by smith6612 pointing to this link: https://www.akamai.com/us/en/clientrep-lookup/. I went and checked my IP address: it was listed as a web scraper. These companies use Akamai as a CDN (Content Distribution Network) and according to the store IT support, my IP address was listed as a 10/10 or a very bad IP address in Akamai.

If I used a VPN, I could then access these sites just fine, because I was using a different IP address, but this is not a good long-term solution. I attempted to contact Akamai to remove my IP address, but in so many words, they told me to go pound sand as I was not their customer.

After contacting Spectrum technical support, they suggested I get a new cable modem which should give me a new IP address. I did so and….same IP address. ARGH! Anyways, I was already prepared with a plan B: it appears that if you change the MAC address of your router slightly, even by 1 character, Spectrum will see this as a new router and will give you a different IP address.

I changed the MAC address on the router and restarted the router and the cable modem: I was granted a new IP address! This new IP address was not blacklisted by Akamai.

The option to change a MAC address will vary by router model, but the TP-LINK AX5400 lets you change the MAC address in the router’s web GUI. The other option suggested by Spectrum was to leave the cable modem turned off for 24 hours (for the DHCP lease to expire) and then plug it back in, but that option may not be viable for many people unless you have some type of backup Internet option like a hotspot.

Changing my router’s MAC address and getting a new IP address worked for 24 hours before I was banned again. Not sure why, I removed some extensions from Chrome and tried a new IP address.

It appears after 4 days of removing several Chrome extensions I wasn’t actively using, it’s finally resolved. I suspect it may have been due to 2 Chrome extensions I had loaded in the past: one called “DownloadThemAll!” and another called “Video Download Helper”. I had used DownloadThemAll! to download some audio files from a website (freely available on said website) several months ago. I didn’t want to click 60+ individual links to download them, I wanted to click once and do it batch mode style. My theory is one of the websites I visit that was using Akamai’s CDN service saw these extensions loaded in my browser and just assumed I was a bad actor, even though I wasn’t actively using the tools on their website, and added me to a naughty list, which was then shared to the rest of Akamai’s customers and thus I was blocked from many websites.

If you have any other helpful tips or interesting stories on this topic, feel free to leave those as comments and they will be approved depending on their quality.

-Soli Deo Gloria

Reimaged Computers Can’t Register Their DNS record

This one took me a while to solve. The desktop guys kept coming to me stating when they re-imaged a computer, it either didn’t ping or it had the wrong IP address. I found out later they had changed their imaging methodology. Before re-imaging any computer, they first delete the computer account and then re-image it. I would guess that this netjoin hardening change is the reason.

When I went into DNS management, I could clearly see an “Account unknown” in the ACL of the DNS record, which makes sense, because the computer account registered the DNS record, but now that computer account didn’t exist anymore. Until the DNS record is scavenged or deleted manually, the newly imaged computer will be unable to update its own DNS record.

This led me down a path of many dead ends. I wrote a script to compare DHCP leases to DNS records. However, I soon found out that DHCP is not always correct either for the current IP address. If someone moves from location to location, the last DHCP lease is the one you want to use. I then looked into making DHCP the owner and updater of all dynamic DNS records, but this too caused issues such as duplicate DNS records.

I then looked at trying to find any DNS records with “Account unknown” in the ACL, but the script ended up too complex and just didn’t work. It was back to basics: I only cared about recently deleted computer accounts, so why not just look for recently deleted computer accounts and then delete the DNS records for those accounts?

That’s exactly what dns_orphan_fix.ps1 does. It looks back 60 minutes for any deleted computer accounts and then attempts to delete the DNS records for those accounts. I run this in the task scheduler every 30 minutes, so that does mean that DNS records will get deleted twice, but I shouldn’t miss any deleted computer accounts this way. There is a “$dryrun” option that you can flip to $true just to make sure this script will operate the way you think it will operate in your environment before setting it to $false to actually delete DNS records.
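The approach described above, sketched as an added example; this is not the author's dns_orphan_fix.ps1. The zone name and DNS server name are placeholder assumptions, and as an extra guard it only touches dynamically registered A records (those with a timestamp), never static ones.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example, not the author's dns_orphan_fix.ps1.
# Assumptions (placeholders): zone name and DNS server name.
$ZoneName    = 'corp.example.com'
$DnsServer   = 'dc01.corp.example.com'
$LookbackMin = 60      # look-back window described in the post
$DryRun      = $true   # $true = report only; $false = actually delete

function Get-RecentlyDeletedComputerName {
    param([int]$Minutes = 60)
    $cutoff = (Get-Date).AddMinutes(-$Minutes)
    # whenChanged is updated when the object is deleted.
    Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and objectClass -eq "computer"' `
        -Properties whenChanged, 'msDS-LastKnownRDN' |
        Where-Object { $_.whenChanged -ge $cutoff } |
        ForEach-Object {
            $name = $_.'msDS-LastKnownRDN'
            # Fallback: a deleted object's Name is "<old name>`nDEL:<guid>".
            if (-not $name) { $name = ($_.Name -split "`n")[0] }
            # Only accept plain host labels, so '@', '*' or dotted names are never passed on.
            if ($name -match '^[A-Za-z0-9-]{1,63}$') { $name }
            else { Write-Warning "Skipping unexpected name: $name" }
        } | Sort-Object -Unique
}

function Remove-OrphanedHostRecord {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$DnsServer,
        [bool]$DryRun = $true
    )
    # -Node limits the lookup to this exact name; static records have no timestamp.
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer `
        -Name $HostName -RRType A -Node -ErrorAction SilentlyContinue |
        Where-Object { $_.Timestamp }

    foreach ($rec in $records) {
        $action = 'WouldDelete'
        if (-not $DryRun) {
            Remove-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $DnsServer `
                -InputObject $rec -Force
            $action = 'Deleted'
        }
        # One row per record, suitable for piping to Export-Csv as an audit trail.
        [pscustomobject]@{
            Time   = Get-Date
            Host   = "$HostName.$ZoneName"
            IP     = $rec.RecordData.IPv4Address.IPAddressToString
            Action = $action
        }
    }
}

Get-RecentlyDeletedComputerName -Minutes $LookbackMin | ForEach-Object {
    Remove-OrphanedHostRecord -HostName $_ -ZoneName $ZoneName `
        -DnsServer $DnsServer -DryRun $DryRun
}
```

The account running the scheduled task needs read access to the Deleted Objects container and delete rights on the zone's records; delegate just those rights rather than running the task as a Domain Admin.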

  • Soli Deo Gloria

Adding .NET Framework 3.5 – Error Code 0x800f0954

Here we go again: another server, another error. Why can’t things just work properly? Had a consultant e-mail me they couldn’t load .NET Framework 3.5 on Windows Server 2019. “Easy peasy lemon squeezy” I thought. Well, of course, it wasn’t that easy. Attempts to load this feature ended up with error code 0x800f0954. What in the hades is error code 0x800f0954?

Time to hit the Google and wow, there’s a bunch of random articles on this error code. I already had a hunch this had something to do with WSUS. We use SCCM in our environment and SCCM sets the WSUS server in the client registry to a WSUS server without any binaries, an empty WSUS server if you will. I usually fix that by deleting the whole registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU. The SCCM client will recreate this key periodically. Unfortunately, this did not work. Where to look? Our old friend C:\windows\logs\cbs\cbs.log and we find:

2023-11-01 13:12:37, Info CBS External EvaluateApplicability, package: Package_8_for_KB5031005~31bf3856ad364e35~amd64~~10.0.4069.1, package applicable State: Installed, highest update applicable state: Installed, resulting applicable state:Installed
2023-11-01 13:12:37, Info CBS External EvaluateApplicability, package: Package_for_DotNetRollup~31bf3856ad364e35~amd64~~10.0.4069.1, package applicable State: Installed, highest update applicable state: Installed, resulting applicable state:Installed
2023-11-01 13:12:37, Info CBS DLWD: Expecting search returns 1 update, actual:0 [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]
2023-11-01 13:12:37, Info CBS DWLD:Failed to do Windows update search [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]
2023-11-01 13:12:37, Info CBS FC: WindowsUpdateDownloadFromUUP returns. [0x800F0954]
2023-11-01 13:12:37, Error CBS FC: CFCAcquirerWUClient::Download(136): Result = 0x800F0954
2023-11-01 13:12:37, Error CBS FC: CFCAcquirerWrapper::Execute(147): Result = 0x800F0954
2023-11-01 13:12:37, Info CBS Exec: Failed to download FOD from WU, retry onece. [HRESULT = 0x800f0954 - CBS_E_INVALID_WINDOWS_UPDATE_COUNT_WSUS]

It IS a WSUS problem, but why didn’t deleting the WindowsUpdate registry key help? Well, it appears the WindowsUpdate service only reads this registry key when it starts and if you change or delete this key after it’s running you have to restart the service so it takes note of the new changes. Oh, I like the misspelling of “retry onece” in the logs.

It also didn’t matter if I tried to point PowerShell or DISM directly to the binaries in the SxS folder, it wasn’t having any of that without being able to reach out to Windows Update. Odd.

What’s so frustrating is that I cannot find this error code in any lookup tool such as helpmsg or cmtrace. It’s not documented anywhere I can find. If the program had spit out the whole error message instead of just some random hex code, I could have saved 30 minutes of my life doing something really important, like fixing someone’s Office 365 mailbox that they deleted all of the e-mails out of (oof).

  • Soli Deo Gloria

Get an Extra Month of Internet Service on the Calyx Institute Network

If you use my referral link, you can get an extra month of Internet service on the Calyx Institute network and I get an extra month of Internet service as well.

They use the T-Mobile network and your hotspot will have unlimited data.

Your mileage will vary based on location, but I get around 250Mbps using the hotspot. If you work from home, I highly suggest having a backup Internet option in case your main Internet goes out.

  • Soli Deo Gloria

ERROR_SXS_ASSEMBLY_MISSING Chaos

Tried to add IIS and MSMQ features to a server. Kept getting a 0x80073701 error: missing assembly file. Off to C:\windows\logs\cbs.log we go:

2023-09-06 07:02:33, Error CSI 00000009 (F) STATUS_SXS_ASSEMBLY_MISSING #2625634# from CCSDirectTransaction::OperateEnding at index 0 of 1 operations, disposition 2[gle=0xd015000c]
2023-09-06 07:02:33, Error CSI 0000000a (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) #2625476# from Windows::ServicingAPI::CCSITransaction::ICSITransaction_PinDeployment(Flags = 0, a = dbbb65b179c955b3c0186aa84fa6e087, version 10.0.17763.3165, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}, cb = (null), s = (null), rid = 'Package_4455_for_KB5022286~31bf3856ad364e35~amd64~~10.0.1.7.5022286-8227_neutral', rah = (null), manpath = (null), catpath = (null), ed = 0, disp = 0)[gle=0x80073701]

On Google, I found this post, but I will save you the time: downloading said update, expanding it to a CAB file and then adding the CAB file via DISM did absolutely nothing to fix the problem. Neither did running SFC /scannow or dism /online /cleanup-image /restorehealth.

The fix is to remove the keys referencing the bad KB from the registry under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages, then try re-adding the roles from Server Manager. I suggest using Baretail to watch C:\windows\logs\cbs.log while you are doing this to see if additional errors come back up (you may need to do this fix for multiple KBs. In my case, I would fix one and another KB would pop up).

Before running this script, run regedit using the psexec -s -i cmd trick to run under the SYSTEM account, then go to HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages, right-click on Packages and grant SYSTEM full control. Trying to adjust permissions and take ownership of the registry keys within the script was a nightmare, so I went back to basics by removing that logic and just set permissions manually using the registry editor.

You’ll need to run the Powershell script under the same SYSTEM trick above to avoid any permission issues removing the keys:

# Define the root path to search in
$rootPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages"

# Get all child items (keys) under the root path
$keys = Get-ChildItem -Path $rootPath

# Filter the keys based on the presence of the desired values in the name
$filteredKeys = $keys | Where-Object { $_.Name -like '*KB5022286*' -or $_.Name -like '*KB5027222*' }

# Loop through each matching key and remove it
$filteredKeys | ForEach-Object {
    # Extract the key's path
    $keyPath = $_.Name -replace 'HKEY_LOCAL_MACHINE', 'HKLM:'

    # Remove the key
    Remove-Item -Path $keyPath -Recurse -Force
}

Write-Output "Operation completed."
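
Before running the removal script above, the KB numbers can be pulled straight from the log and the matching keys exported first. This is an added example, not part of the original post; the backup folder is an assumption, and the sample line is abbreviated from the CBS excerpt quoted earlier.

```powershell
# Added example, not from the original post.
$CbsLog       = 'C:\windows\logs\cbs\cbs.log'
$PackagesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
$BackupDir    = 'C:\Temp\cbs-backup'   # assumption: any writable folder

# Emit one object per distinct KB named in an ERROR_SXS_ASSEMBLY_MISSING line.
function Get-MissingAssemblyKB {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    begin { $seen = @{} }
    process {
        if ($Line -notmatch 'ERROR_SXS_ASSEMBLY_MISSING') { return }
        if ($Line -match "^(?<ts>[\d-]+ [\d:]+),.*rid = '(?<pkg>[^']*_for_(?<kb>KB\d+)~[^']*)'") {
            if (-not $seen.ContainsKey($Matches.kb)) {
                $seen[$Matches.kb] = $true
                [pscustomobject]@{
                    KB        = $Matches.kb
                    FirstSeen = $Matches.ts
                    Package   = $Matches.pkg
                }
            }
        }
    }
}

# Keys the removal script's -like '*KBnnnnnnn*' filter would match.
function Get-PackageKeyForKB {
    param([Parameter(Mandatory)][string]$KB)
    Get-ChildItem -Path $PackagesRoot | Where-Object { $_.PSChildName -like "*$KB*" }
}

# Export each matching key to a .reg file so it can be restored if needed.
function Backup-PackageKey {
    param(
        [Parameter(Mandatory)][string]$KB,
        [Parameter(Mandatory)][string]$OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($key in (Get-PackageKeyForKB -KB $KB)) {
        $file = Join-Path $OutDir ($key.PSChildName + '.reg')
        & reg.exe export $key.Name $file /y | Out-Null
        if ($LASTEXITCODE -eq 0) { $file }
        else { Write-Warning "Export failed: $($key.Name)" }
    }
}

# Constructed sample: abbreviated from the log excerpt quoted in the post.
$sample = "2023-09-06 07:02:33, Error CSI 0000000a (F) HRESULT_FROM_WIN32(ERROR_SXS_ASSEMBLY_MISSING) rid = 'Package_4455_for_KB5022286~31bf3856ad364e35~amd64~~10.0.1.7.5022286-8227_neutral' [gle=0x80073701]"
$sample | Get-MissingAssemblyKB      # yields KB5022286

# Against the real log: list each KB, then back up the keys that would be removed.
if (Test-Path $CbsLog) {
    Get-Content $CbsLog | Get-MissingAssemblyKB | ForEach-Object {
        Write-Output "Missing assembly references $($_.KB) (first seen $($_.FirstSeen))"
        Backup-PackageKey -KB $_.KB -OutDir $BackupDir
    }
}
```

The exported .reg files can be re-imported with `reg import` from the same SYSTEM session if removing a key turns out to be the wrong call.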

Now for the “root cause analysis”, a buzz word we love to throw around in IT: it appears that someone completely cleared out the contents of C:\Windows\SoftwareDistribution on the server and DISM couldn’t find the source files anymore for these KBs. However, there were other KBs pointed to this folder (which was empty) and they worked just fine? Perhaps these specific KBs actually updated the core IIS files within the OS and that’s why DISM was querying them during the IIS/MSMQ role add?

Perhaps a better solution is to copy the SoftwareDistribution folder from a server running the same server OS where the downloads are not cleared from the folder. Not sure if the GUIDs would match up between the two different servers, but might be worth trying the next time this comes up. If you should try this route yourself, you’ll need to temporarily disable and stop the Windows Update service on both servers as it likes to lock files in this folder.

If you were also curious: Windows Update keeps working just fine after the procedure of removing bad KBs from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages.

  • Soli Deo Gloria