Access Director 3.0 Released

The future of Windows is coming on July 29

To make your next Windows experience even better – We have just released the next version of Access Director.                                                                                               Using Access Director you will be able to secure your desktop, simple and easy!

– Run your desktop in a non-elevated user context
– Elevate only needed applications with a single click
– Elevate in your current user-context without affecting other unsecured applications like IE or Office

What’s in Access Director 3.0 ?

– Updates to support the next Windows experience (10)
– Support for integration modules
– Minor bug fixes

Get it from the Download Center

Direct Download Link

EasyBoot USB 1.1 has been released

Simpel, but very helpful tool to create Windows Boot or To-Go USB sticks

Download Link

It’s that simple, EasyBoot USB with 4 easy steps and you are ready to go.

  1. Insert USB stick
  2. Choose between the following types
    1. UEFI
    2. BIOS
    3. Windows To Go
  3. Browse to your ISO file
  4. Click Start

EasyBoot USB

The tool is pretty much self-explanatory

Do not hesitate to ping me with bugs, feature requests or ideas for new tools 🙂

 

 

 

Windows 10 – Windows Updates troubleshooting

If you experience problems with Windows Updates and need to debug on the actual process, WindowsUpdates.log has always been a good place to start……… but not on Windows 10

According to Microsoft these steps are relevant only for the January Tech Preview of Windows 10.

Windows Update uses Event Tracing for Windows (ETW) to generate diagnostic logs. This method improves performance and reduces disk space usage. However, the logs are not immediately readable as written. To decode the resulting ETL files and create a log that you can read, follow these steps.

  1. Download the public symbols by following the directions here. Install these symbols to a directory such as C:\symbols.
  2. Download the Tracefmt.exe tool by following the instructions here.
  3. Open a command prompt with administrative rights.
  4. Create a temporary folder, such as %systemdrive%\WULogs.
  5. Locate the directory that contains Tracefmt.exe, as downloaded and installed in step 2. Then, copy Tracefmt.exe to %systemdrive%\WULogs.
  6. Run the following commands at a command prompt, in the order presented:
    • cd /d %systemdrive%\WULogs
    • copy %windir%\Logs\WindowsUpdate\* %systemdrive%\WULogs\
    • tracefmt.exe -o windowsupate.log <each windows update log delimited by space> -r c:\Symbols

For example, the last line might resemble the following:

tracefmt.exe -o windowsupate.log Windowsupdate.103937.1.etl Windowsupdate.103937.10.etl -r c:\Symbols

Lucky for us, we don’t always need to dig deep – there is a deprecated logfile we can use for now (January Tech Preview) WindowsUpdate_AU_deprecated.log

Allowing non-Administrators to control Hyper-V

By default Hyper-V is configured such that only members of the administrators group can create and control virtual machines.  I am going to show you how to allow a non-administrative user to create and control virtual machines.

Hyper-V uses the new authorization management framework in Windows to allow you to configure what users can and cannot do with virtual machines.

Hyper-V can be configured to store it’s authorization configuration in Active Directory or in a local XML file.  After initial installation it will always be configured to use a local XML file located at \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition.  To edit this file you will need to:

Open the Run dialog (launch it from the Start menu or press Windows Key + R).
Start mmc.exe
Open the File menu and select Add/Remove Snap-in…
From the Available snap-ins list select Authorization Manager.
Click Add > and then click OK.
Click on the new Authorization Manager node in the left panel.
Open the Action menu and select Open Authorization Store…
Choose XML file for the Select the authorization store type: option and then use the Browse… to open \programdata\Microsoft\Windows\Hyper-V\InitialStore.xml on the system partition (programdata is a hidden directory so you will need to type it in first).
Click OK.
Expand InitialStore.xml then Microsoft Hyper-V services then Role Assignments and finally select Administrator.
Open the Action menu and select Assign Users and Groups then From Windows and Active Directory…
Enter the name of the user that you want to be able to control Hyper-V and click OK.
Close the MMC window (you can save or discard your changes to Console 1 – this does not affect the authorization manager changes that you just made).

The user that you added will be able to completely control Hyper-V even if they are not an administrator on the physical computer.

Poweshell under the security context of another user (RunAs)

Recently i needed to run some powershell scripts under multiple security context’s – the main reason for this was my client’s strict delegation model.

We ended up with multiple service account with rights only to the needed systems (Its not such a bad thing!)

The result was this powershell script to change security context

$SPAccountName = “<username>”;
$AccountPassword = “<password>”;
$AccountPasswordAsSecureString = $AccountPassword | ConvertTo-SecureString -Force -AsPlainText
$credential = New-Object System.Management.Automation.PsCredential(“$env:userdomain\$SPAccountName”,$AccountPasswordAsSecureString)
$SvcAccSession = New-PSSession -Credential $credential;
Invoke-Command -Session $SvcAccSession -Script { Import-Module ActiveDirectory }
Invoke-Command -Session $SvcAccSession -Script { Get-AdGroupMember “Some-group”}

In the above example we just get the member of some application group – but really, you can do whatever you like.

If you need it to query a specific server you can use -Computername <servername> right after New-PSSession.

This method also came in rather handy when running service-side powershell execution invoked by a webservice.. but more on that later

 

Access Director 2.4.0.2 released!

It’s been some time since our last update, but here we go again

Access Director has been updated and released

This is a major upgrade, all previous versions should be uninstalled prior to installing the new versions

Short list of changes

  • Its now possbile to use localized balloon notification (or your own)
  • Language default is en-us
    • valid values are auto, or specific lananuge files e.g. de-de.lng (must reside in existing languages folder)
  • Localized menu options (remember du save lng files as unicode)
  • Registry modifications now resides in HKLMSoftwareNoLightPeopleAccess Director
  • as per request the MSI, and application itself is now signed
  • Removed the need for any registry keys needed for the service to start (will run with default values if no other is present
  • Updated Policy Prefences template included in zip file

Direct Download Link: http://tinyurl.com/mtc4pzo

let me know of bugs and feature requests 🙂 @MarcussenThomas

 

 

Advanced Installer

For many years I’ve been working with Wise Package Studio, the best tool ever for application repackaging projects. Since Wise Package Studio is End of life – announced in December 2011. Now seemed like a good time to find a new tool, Flexera Admin Studio seemed like the obvious choice, but is rather expensive (still a great tool)

In some cases Orca (http://www.technipages.com/download-orca-msi-editor) would get the job done, but still would take a long time

I remembered coming across Advanced Installer at TechEd NA, so decide to have a look at the tool

There is a free trial from the website and also a free version: http://www.advancedinstaller.com/download.html

Advanced Installer comes in multiple versions, I choose to test the Architect version, mainly because it had the following features highlighted

  • Repacker
  • App-V
  • SCCM
  • MSI Quick-Edit

My test of the product was a great success !

Today I will recommend this product to my customers looking to repackage or edit MSI’s, it has a nice and intuitive interface, much like Wise Package Studio had 😉

Have a look at some of the videos from Advanced Installer on YouTube: https://www.youtube.com/channel/UCIPx2SPC1K7_DoPdVeFHoNg

 

 

Admin Rights: The Root Of Many Vulnerabilities

A recent survey conducted by BeyondTrust (www.beyondtrust.com), a developer and marketer of least privilege management software, reveals that 92% of critical vulnerabilities reported by Microsoft could have been prevented simply by removing administrator rights from Windows users. Also, the survey points out, removing administrator rights helps companies protect themselves and their computers against 94% of Microsoft Office, 89% of Microsoft Internet Explorer, and 53% of Windows vulnerabilities. Given the prevalence of Microsoft software in today’s corporate environment, these numbers should give any administrator pause.

Get a head start removing Admin Rights – by using Access Director from Curago – its FREE

Application repackaging – Active Setup & Windows Installer Repair

If you repackage or deploy applications you need to know about Active Setup and Windows Installer Repair

The best methods are documented first, but also other alternative ways.

Method I

Active Setup Method:

This is one of the best practices in MSI Packaging which uses the native Active Setup behavior of Windows and Windows Installer HKCU keys repair techniques.

One should follow these specific steps while using this method:

  1. Make sure all HKCU keys in the MSI Package that we are creating are under structured component names like CurrentUser, CurrentUser1, etc.
  2. The Package author should be able to judge and set the key path for that Component properly.
  3. As per Microsoft Component guidelines, make sure the components containing HKCU keys are as few in count as possible, for example only one component (CurrentUser) with all HKCU keys with best key path set is the best practice.
  4. Create the following registry keys under the main hive:
  1. HKLMSoftwareMicrosoftActive SetupInstalled Components{GUID of the MSI}
  2. ComponentID=PackageName_ComponentName
  3. StubPath=[SystemFolder]msiexec.exe /fu {Product Code of the MSI} /q
  4. Version=ProductVersion

The principle of Active Setup behavior is when a new user logs on for the first time, then the Active Setup will perform a checksum between HKLMSoftwareMicrosoftActive SetupInstalled Components{GUID of the MSI} and HKCUSoftwareMicrosoftActive SetupInstalled Components{GUID of the MSI}; and if the GUID is not present under HKCU, then it performs all actions which are under that main hive (StubPath, Version) and populates the GUID under HKCU. The main Advantage of Active Setup is it performs an action only once per User with the Checksum behavior by matching the entries under HKLM and HKCU.

Method II

Active Setup Method:

This method can be used for both MSIs and Non-MSIs

Create a silent SMS script or Wise Script (for eg:-Script.exe) which will create the needed HKCU registry entries for the application. Then place that EXE in the Application [INSTALLDIR] in your MSI Pkg or Executable binary memory.

Then create the following additional registry entries in the MSI Package or within the Script whichever is applicable:

HKLMSoftwareMicrosoftActive SetupInstalled Components{GUID or AppName}

ComponentID=PackageName_ComponentName

StubPath=”[INSTALLDIR]Script.exe”

Version=ProductVersion

 

The Active Setup performs the regular checksum (comparison of entries under) HKLM and HKCU and if the respective unique GUID or AppName is not present under HKCU hive, then it will perform all actions (StubPath, Version) and populates the GUID or AppName under HKCU hive too. This is only once per user — for the first time — to populate HKCU hive.

Method I and method II use the Active Setup feature, and One should understand the advantages of one over the other. Method I requires source resiliency to populate HKCU keys, where as method II does not require this as the Script.exe does everything.

Method I and method II can be used in any scenarios like if Advertised entry points are present or NOT present.

Method III

Windows Installer repair method

Typically the body of the script will be;

Check for the existence of a Flag key under
HKCUSoftwareCompany NameApplications{ProductName][productversion]
Installed=True

If the key exists then quit else initiate the Windows Installer repair to populate HKCU keys:

Msiexec /fu {Product Code of the MSI} /q

 

And edit and create registry key (Basically a Flag Key which can be any key which your firm adopts)
HKCUSoftwareXYZ*Applications{ProductName][productversion]
Installed=True
End
* XYZ= Name of the organization Company
And keep this script exe in HKLMSoftwareMicrosoftWindowsCurrentVersionRun.

One should keep in mind that the /p switch can also be used to repair files (populate) user-specific data (Profile data) with the following syntax:

Msiexec /fup {Product Code Of the MSI) /q

 

Method IV

Silent empty exe with valid shortcut:

Create a silent empty exe and its Advertised shortcut and place both of them in the Application [INSTALLDIR]. And use them as entry points to trigger healing to populate HKCU keys.