Forensic Pseudoscience

shell:::{A8A91A66-3A7D-4424-8D24-04E180695C7A}

• Local Security Policies:
  • Local Policy > Security Options:
    • Interactive logon:Do not require CTRL+ALT+DEL
    • Shutdown: Allow system to be shut down without having to log on
  • Account Policies > Password Policy:
    • Password must meet complexity requirements Properties
    • Minimum password age > 0
• gpedit.msc
  • Computer Configuration > Administrative Tool > System
    • Display Shutdown Event Tracker

@echo off
title Activate Windows 7 / 8 / 8.1 / 10 for FREE!&cls&echo =====================================&echo #Copyright: MSGuides.com&echo =====================================&echo.&echo #Supported products:&echo - Windows 7 Professional&echo - Windows 7 Professional N&echo - Windows 7 Professional E&echo - Windows 7 Enterprise&echo - Windows 7 Enterprise N&echo - Windows 7 Enterprise E&echo - Windows 8 Core&echo - Windows 8 Core Single Language&echo - Windows 8 Professional&echo - Windows 8 Professional N&echo - Windows 8 Professional WMC&echo - Windows 8 Enterprise&echo - Windows 8 Enterprise N&echo - Windows 8.1 Core&echo - Windows 8.1 Core N&echo - Windows 8.1 Core Single Language&echo - Windows 8.1 Professional&echo - Windows 8.1 Professional N&echo - Windows 8.1 Professional WMC&echo - Windows 8.1 Enterprise&echo - Windows 8.1 Enterprise N&echo - Windows 10 Home&echo - Windows 10 Home N&echo - Windows 10 Home Single Language&echo - Windows 10 Home Country Specific&echo - Windows 10 Professional&echo - Windows 10 Professional N&echo - Windows 10 Education N&echo - Windows 10 Education N&echo - Windows 10 Enterprise&echo - Windows 10 Enterprise N&echo - Windows 10 Enterprise LTSB&echo - Windows 10 Enterprise LTSB N&echo.&echo.&echo ====================================&echo Activating your Windows... & cscript //nologo c:\windows\system32\slmgr.vbs /ipk FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk MRPKT-YTG23-K7D7T-X2JMM-QY7MG >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk W82YF-2Q76Y-63HXB-FGJG9-GF7QX >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk YDRBP-3D83W-TY26F-D46B2-XCKRJ >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk C29WB-22CC8-VJ326-GHFJW-H9DH4 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk BN3D2-R7TKB-3YPBD-8DRP2-27GG4 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 2WN2H-YGCQR-KFX6K-CD6TF-84YXQ >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk NG4HW-VH26C-733KW-K6F98-J8CK4 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk XCVCF-2NXM9-723PB-MHCB7-2RYQQ >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk GNBB8-YVD74-QJHX6-27H4K-8QHDG >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 32JNW-9KQ84-P47T8-D8GGY-CWCK7 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk JMNMF-RHW7P-DMY6X-RF3DR-X2BQT >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk M9Q9P-WNJJT-6PXPY-DWX8H-6XWKK >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 7B9N3-D94CG-YTVHR-QBPX3-RJP64 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk BB6NG-PQ82V-VRDPW-8XVD2-V8P66 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk GCRJD-8NW9H-F2CDX-CCM8D-9D6T9 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk HMCNV-VVBFX-7HMBH-CTY9B-B4FXY >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 789NJ-TQK6T-6XTH8-J39CJ-J8D3P >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99 >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 3KHY7-WNT83-DGQKR-F7HPR-844BM >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk PVMJN-6DFY6-9CCP6-7BKTT-D3WVR >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk W269N-WFGWX-YVC9B-4J6C9-T83GX >nul&cscript //nologo c:\windows\system32\slmgr.vbs /ipk MH37W-N47XK-V7XM9-C7227-GCQG9 >nul
echo ------------------------------------&echo.&echo.&set i=1
:server
if %i%==1 set KMS_Sev=kms7.MSGuides.com
if %i%==2 set KMS_Sev=kms8.MSGuides.com
if %i%==3 set KMS_Sev=kms9.MSGuides.com
if %i%==4 goto notsupported
cscript //nologo c:\windows\system32\slmgr.vbs /skms %KMS_Sev% >nul
cscript //nologo c:\windows\system32\slmgr.vbs /ato | find /i "successfully" && (echo.& echo ====================================== & echo. & choice /n /c YN /m "Would you like to visit my blog [Y,N]?" & if errorlevel 2 exit) || (echo The connection to the server failed! Trying to connect to another one... & echo Please wait... & echo. & echo. & set /a i+=1 & goto server)
explorer "http://MSGuides.com"&goto halt
:notsupported
echo ======================================&echo.&echo Sorry! Your version is not supported.
:halt
pause >nul

This PowerShell script can be leveraged for the cleanup of Microsoft Teams from target machines or users. It should be executed for every user on a targeted machine.

<#
.SYNOPSIS
This script allows you to uninstall the Microsoft Teams app and remove Teams directory for a user.
.DESCRIPTION
Use this script to clear the installed Microsoft Teams application. Run this PowerShell script for each user profile for which the Teams App was installed on a machine. After the PowerShell has executed on all user profiles, Teams can be redeployed.
#>

$TeamsPath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams')
$TeamsUpdateExePath = [System.IO.Path]::Combine($env:LOCALAPPDATA, 'Microsoft', 'Teams', 'Update.exe')

try
{
    if (Test-Path -Path $TeamsUpdateExePath) {
        Write-Host "Uninstalling Teams process"

        # Uninstall app
        $proc = Start-Process -FilePath $TeamsUpdateExePath -ArgumentList "-uninstall -s" -PassThru
        $proc.WaitForExit()
    }
    if (Test-Path -Path $TeamsPath) {
        Write-Host "Deleting Teams directory"
        Remove-Item -Path $TeamsPath -Recurse
                    
    }
}
catch
{
    Write-Error -ErrorRecord $_
    exit /b 1
}

For those of you who may have recently installed security updates on Windows 10 workstations in the past few days, you may notice that you receive a peculiar error when trying to establish a remote desktop connection to a server that worked prior to installing the updates. The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms. The CVE-2018-0886 consists of installing the update on all eligible client and server operating systems and then using Group Policy or registry settings to configure the options on both clients and servers. Let’s take a look at Windows 10 RDP CredSSP encryption oracle remediation error fix.

Windows 10 RDP CredSSP Encryption Oracle Remediation Error Fix

Just a couple of days ago, the cumulative updates were released below for Windows 10 and Server 2016, etc.  These cumulative updates include the fix for the CredSSP encryption vulnerability.

May 8, 2018 – KB4103721 (OS Build 1803)
May 8, 2018 – KB4103727 (OS Build 1709)
May 8, 2018 – KB4103731 (OS Build 1703)
May 8, 2018 – KB4103723 (OS Build 1609 & Server 2016)

Once you have installed the patch on a “vulnerable” workstation and attempt to connect to an unpatched server, you will see the following error message that happens after you type in your password to authenticate to the RDP session.

CredSSP authentication error after installing May 8 2018 patch Windows 10

There is a local policy setting that is added with the installed security updates.  You can find this at Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> Encryption Oracle Remediation.  By default this is set to Not configured.

Windows 10 RDP CredSSP encryption oracle remediation error Fix

To Fix the issue as a workaround, set the policy to Enabled and set the Protection Level to Vulnerable.  ***Note*** – This is not recommended by Microsoft, as making sure both the client and server is patched is best practice.  However, setting the policy to Vulnerable allows your workstation to now connect to the remote desktop session that was previously blocked by the mitigation.

Settings contained in the Encryption Oracle Remediation Fix

CredSSP Encryption Oracle Remediation Policy Settings

There are three settings contained in the policy setting that can be enabled.

Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest version.

Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.

Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.

CredSSP Encryption Oracle Remediation Registry Setting

Alternatively, you can set this policy setting via the registry and a reboot.

• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] “AllowEncryptionOracle”=dword:00000002

CredSSP Encryption Oracle Remediation Group Policy

These settings can be applied via a Group Policy Setting.  For a great walk through of how to do this, check out this post here: https://www.mcbsys.com/blog/2018/03/updating-the-credssp-group-policy/

Takeaways

Patching is becoming ever more important with security vulnerabilities that are present today.  Security is on the minds of everyone and it should be.  Compromised systems can lead to data loss and data leak.  Keeping up with Microsoft patches and having a routine schedule of patch application is essential for enterprise datacenters running Microsoft server operating systems.  By mitigating known vulnerabilities the attack surface is drastically reduced and attacks become more difficult for the would be attacker.

1.  Remove Office 365 license for Subscription based installs (not Shared Computer Licensing scenarios):

To remove the Office 365 license, you must run two cscript command lines. The command lines are:

        A. Run C:\program files (x86)\Microsoft office\office16>cscript ospp.vbs /dstatus

The above command line will generate a report of the currently installed/activated license. (See Below)

NOTE: You might see multiple licenses in the /dstatus report.

        B. Make note of value for “Last 5 characters of installed product key”

        C.  Run C:\program files (x86)\Microsoft office\office16>cscript ospp.vbs /unpkey:“Last 5 of installed product key” For example: C:\program files (x86)\Microsoft office\office16>cscript ospp.vbs /unpkey:WB222 (See Below) Repeat the step above if necessary until all keys are removed.

After running the /unpkey: command line you will see a “Product Key uninstall successful” message. You can now close the Command Prompt and move onto Step 2.

2. Remove cached identities in HKCU registry:

        A. In the Registry Editor navigate to HKCU\Software\Microsoft\Office\15.0 or 16.0\Common\Identity\Identities and remove all of the identities under \Identities.

NOTE: If using Shared Computer Licensing remove the above Identities from HKEYUsers\SID.

3. Remove the stored Credentials in the Credential Manager:

A. Open Control Panel > Credential Manager.  Remove all Windows credentials listed for Office15 or Office16.

       B. To remove the Credential Click on the Drop down arrow and choose Remove from Vault.(See Below)

Shared Computer Licensing scenarios you must remove the Token and identities listed below.
File Location  Appdata\local\Microsoft\Office\15.0 or 16.0\Licensing

4. Persisted locations that must be cleared

Credential Manager:

Appdata\Roaming\Microsoft\Credentials
Appdata\Local\Microsoft\Credentials
Appdata\Roaming\Microsoft\Protect
HKCU\Software\Microsoft\Protected Storage System Provider

Office 365 activation Tokens and Identity

Appdata\local\Microsoft\Office\15.0 or 16.0\Licensing
HKCU\Software\Microsoft\Office\15.0 or 16.0\Common\Identity
HKEYU\(The Users SID)\Software\Microsoft\Office\15.0 or 16.0\Common\Identity

The above steps will reset the activation state for Office 365(2013/2016). The activation flow after the locations are cleared will represent an initial activation.

Posted by mjwiech http://www.annoyances.org/exec/forum/winxp/1256278725

To whoever might be interested:

Without any apparent reason my Internet Explorer 8 running under WinXP SP3 started
to improperly show various pages. I quickly discovered that Javascript did not work.

Reinstalling IE8 did not help though, in my opinion, it should!

Long and extensive searching on the web did not help either. All tips how to (re)activate
Java Script [by changing security level in Internet Options and activating scripts]
did not work.

I went for total removal of IE8 and reinstalling it from scratch.
I failed:
– IE8 was not visible on Add/Remove Programs screen
– Directory Windows\IE8 where ‘spuninst.exe’ uninstaller is located was not present.
– Microsoft ‘fix it’ tool MicrosoftFixit50238.msi refused to remove IE8 because
it was blocked by some updates.

What I had to do?
1. Create a restore point
2. Try to carefully remove IE8 manually. I would probably mess up the system.

Creating restore point did not work either! I got a blank screen.

Back to Google search… and BINGO! There was an answer:

I had to reregister two DLL-libraries:

regsvr32 jscript.dll
regsvr32 vbscript.dll

Using a pretty nifty trick you can reset a forgotten Mac password without a Mac OS X installer CD/DVD. The steps may seem a little intimidating at first but I assure you it’s easy if you follow them exactly, here is exactly how to do this in three stages:

Stage 1) Boot into Single User Mode and remove a setup file

• Restart the Mac holding down the Command+S keys, this will take you into Single User Mode and it’s Terminal interface
• You’ll need to check the filesystem first:
  fsck -fy
• Next, you must mount the root drive as writeable so that changes will save:
  mount -uw /
• Now, type the following command exactly, followed by the enter key:
  rm /var/db/.applesetupdone
• After removing the applesetupdone file, you need to reboot, type ‘reboot’ and hit enter

Stage 2) Create a New User Account upon System Boot

You aren’t finished, but the hard part is now over – no more command lines, you’ll now be in the familiar Mac OS X GUI to finish the password reset process. In this step we just create a new user account as if you just got a new Mac:

• Upon reboot, you will be presented with the traditional “Welcome Wizard” startup screen just like when you first get a Mac
• Follow the welcome wizard and create a new user account – making the account name different from the account whose password you want to recover
• Continue on and boot into Mac OS X with this newly created user account, this new user account is an Administrator and has administrative access

Stage 3) Reset the Forgot Password via System Preferences

You are almost done, now you just need to reset the forgotten user account password using the Accounts control panel:

• Once you are booted into Mac OS X, click on the Apple logo and then navigate down to “System Preferences”
• Click on the “Accounts” icon in System Preferences
• Click on the Lock icon in the lower left corner of the “Accounts” preference window and enter the newly created user credentials, this enables you to change other user accounts and reset other users passwords
• On the left side user panel, select the user account containing the forgotten password
• With the user of the forgotten password account selected, click on the “Reset Password” button
• Enter a new password for that user, be sure to include a meaningful hint so you don’t forget it again!
• Close System Preferences and reboot the Mac
• You can now login to the previously inaccessible user account using the newly reset password! All user files and settings are maintained as before the password was forgotten

Optional: If you’d like, you can delete the temporary account you created to reset the users password. This is wise for security purposes.

Here’s how this works: by deleting the .applesetupdone file, you are telling Mac OS X to re-run the setup wizard, which by default creates a new user account with Administrative abilities, which can then reset the forgotten password of any other user on the Mac. This is a great trick and excellent troubleshooting technique if you don’t have a Mac OS X installer CD/DVD laying around, which is pretty much the norm as many people tend to lose or misplace the installer disks that come with their computers. I have used this exact method multiple times to restore various Macs with forgotten/lost passwords.

Play seed hd 27

在現時眾多民用的雲端儲存供應商之中，發展得最積極的一位非Dropbox莫屬。雖然為每名註冊用戶提供的免費儲存空間只有2GB，對高用量的使用者來講不足。幸好官方有很多方法來助大家提升免費空間的容量，除了不同類型的帳號號、和其他廠商合作外，其中推薦計劃更是最有效升空間的方法。

官方剛於網站Blog上公佈，由即日起，免費用戶每推薦一位朋友使用Dropbox，雙方都可獲得的免費空間由原本的250MB提升一倍至500MB，上限也由原來的8GB提升至16GB。而付費的Pro用戶更可獲1GB至上限的32GB。

要邀請朋友的方法可以是經Email、Facebook、Twitter或上討論區等。只要登入後按此連結就可以獲得你自己的推薦連結，再把連結發給朋友即可。例如筆者的推薦連結為：http://db.tt/FNXknuZ3，如果你還沒有Dropbox帳號的話，只要透過這條連結申請帳號的話，你和筆者的Dropbox免費空間都會免費提升500MB，直至16GB的上限為止。