Thursday, 28 December 2023

Searching shutdown logs

Linux

grep -iva ': starting\|kernel: .*: Power Button\|watching system buttons\|Stopped Cleaning Up\|Started Crash recovery kernel' /var/log/messages /var/log/syslog /var/log/apcupsd* | grep -iw 'recover[a-z]*\|power[a-z]*\|shut[a-z ]*down\|rsyslogd\|ups'


Windows

Event ID   Description
41         The system has rebooted without cleanly shutting down first.
1074       The system has been shut down properly by a user or process.
1076       Follows Event ID 6008 and means that the first user with shutdown privileges who logged on after an unexpected restart or shutdown specified the cause.
6005       The Event Log service was started. Indicates system startup.
6006       The Event Log service was stopped. Indicates a proper system shutdown.
6008       The previous system shutdown was unexpected.
6009       The operating system version detected at system startup.
6013       The system uptime in seconds.

PS C:\> Get-EventLog System -Newest 10000 | `
        Where EventId -in 41,1074,1076,6005,6006,6008,6009,6013 | `
        Format-Table TimeGenerated,EventId,UserName,Message -AutoSize -Wrap
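The IDs in the table are most useful when read as a sequence: 6005 opens a boot session, a 6008 or 41 logged in that session means the shutdown before it was not clean, and 6006 marks the session's own clean shutdown. The script below is an added example (not from the original post) that walks the System log oldest-first and summarises each boot session that way; the 10000-event limit is an assumption.

```powershell
# Added example: summarise boot sessions from the System log.
# Assumes a readable local System log; -MaxEvents 10000 is an arbitrary limit.
function Get-BootSessions {
    param([int]$MaxEvents = 10000)
    $ids = 41, 1074, 6005, 6006, 6008
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids } -MaxEvents $MaxEvents |
        Sort-Object TimeCreated          # oldest first so the sequence can be walked

    $sessions = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($e in $events) {
        switch ($e.Id) {
            6005 {                       # Event Log service started: a new boot session
                if ($current) { $sessions.Add($current) }
                $current = [pscustomobject]@{
                    Boot                = $e.TimeCreated
                    PrevShutdownUnclean = $false   # set if 6008/41 appear in this session
                    ShutdownRequested   = $null    # 1074: who/what asked for the shutdown
                    CleanShutdown       = $null    # 6006: Event Log service stopped
                }
            }
            { $_ -in 41, 6008 } { if ($current) { $current.PrevShutdownUnclean = $true } }
            1074 { if ($current) { $current.ShutdownRequested = $e.TimeCreated } }
            6006 { if ($current) { $current.CleanShutdown = $e.TimeCreated } }
        }
    }
    if ($current) { $sessions.Add($current) }
    return $sessions
}

# Boots whose predecessor did not shut down cleanly are the ones to investigate
Get-BootSessions | Where-Object { $_.PrevShutdownUnclean } | Format-Table -AutoSize
```

A session with CleanShutdown set but the next session flagged PrevShutdownUnclean usually points at a crash during the shutdown itself rather than a power loss.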


Thursday, 21 December 2023

Remove credentials from the SYSTEM context via Credential Manager

  1. Download PsExec and copy it to %WINDIR%\system32
  2. From a SYSTEM context started with PsExec, run: rundll32 keymgr.dll,KRShowKeyMgr
  3. Remove the items.

Related to Event ID 14:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
...
Event ID:      14
....
Description:
The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential Email removed for privacy.
...

Monday, 4 December 2023

Rename an AD domain

  1. rendom /list
  2. notepad Domainlist.xml
  3. (edit the file and save it)
  4. rendom /showforest (shows the changes)
  5. rendom /upload
  6. rendom /prepare
  7. rendom /execute
  8. Domain controllers restart themselves
  9. Workstations and servers must be rebooted twice to change their names
  10. Rename the domain controllers manually:
    • netdom computername DC01.dominio.com /add:DC01.newdomain.com
    • netdom computername DC01.dominio.com /makeprimary:DC01.newdomain.com
  11. Reboot the domain controllers to apply the changes
  12. gpfixup /olddns:dominio.com /newdns:newdomain.com
  13. rendom /clean
  14. rendom /end

Create a new zone for the domain name:
  • Create the zone named after the new domain, e.g. newdomain.local or newdomain.com (whatever the new AD DNS domain name is).
  • Make the zone AD integrated.
  • For the replication scope select the center button (To all DNS servers running on domain controllers in the domain), and allow Secure and Unsecure Updates.

Then create the _msdcs zone:

  • Create an _msdcs.newdomain.local or _msdcs.newdomain.com zone (as above, whatever the new AD DNS domain name is).
  • Make the zone AD integrated.
  • For replication scope, select the top button (To all DNS servers running on domain controllers in the forest), and allow Secure and Unsecure updates.

Then either restart the DC, or run the following (which is my usual option):

  • ipconfig /registerdns
  • net stop netlogon
  • net start netlogon
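After rendom /end and the DNS zone work above, it is worth confirming that the new name is actually in place before touching clients. The script below is an added example (not from the original post): it assumes it runs on a DC with the ActiveDirectory and DnsServer modules (RSAT) and uses newdomain.com as a placeholder for the new DNS name.

```powershell
# Added example: post-rename checks. Assumes RSAT modules on a DC; $NewDomain is a placeholder.
param([string]$NewDomain = 'newdomain.com')
Import-Module ActiveDirectory, DnsServer

$problems = @()

# 1. The domain object reports the new DNS name
$domain = Get-ADDomain
if ($domain.DNSRoot -ne $NewDomain) { $problems += "DNSRoot is $($domain.DNSRoot), expected $NewDomain" }

# 2. Every DC carries the new FQDN (the netdom /makeprimary step)
foreach ($dc in Get-ADDomainController -Filter *) {
    if ($dc.HostName -notlike "*.$NewDomain") { $problems += "DC $($dc.HostName) still has the old FQDN" }
}

# 3. Both zones from the steps above exist and are AD integrated
foreach ($zone in $NewDomain, "_msdcs.$NewDomain") {
    $z = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
    if (-not $z) { $problems += "zone $zone is missing" }
    elseif (-not $z.IsDsIntegrated) { $problems += "zone $zone is not AD integrated" }
}

# 4. Netlogon has registered the DC locator SRV records in the new _msdcs zone
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$NewDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { $problems += "no _ldap._tcp.dc._msdcs SRV records under $NewDomain (rerun ipconfig /registerdns and restart netlogon)" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "Domain rename checks passed for $NewDomain" }
```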

Friday, 6 October 2023

Increase the number of threads available for Microsoft 365 Apps

Microsoft 365 Apps deployed to multi-session environments are limited to two threads for multithreaded recalculation (MTR) and worker thread pools.

  1. Open Registry Editor.

  2. Locate the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

  3. If the IdealConcurrencyValueOverride entry doesn't exist, right-click the subkey, select New > DWORD (32-bit) Value, and then enter IdealConcurrencyValueOverride as the name of the entry.

    Note: By default, the IdealConcurrencyValueOverride entry doesn't exist, and Microsoft 365 Apps is limited to using two threads.

  4. Right-click IdealConcurrencyValueOverride, and select Modify.

  5. In the Value data field, enter a number between 2 and 512 to specify the number of threads, and then select OK.
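The same change as a script, so it can be pushed to every session host consistently. This is an added example (not from the original post); it creates the Common subkey if it is missing and enforces the 2 to 512 range from step 5. The value 8 passed at the end is an arbitrary example.

```powershell
# Added example: set IdealConcurrencyValueOverride with the range check from the steps above.
function Set-OfficeThreadLimit {
    param([ValidateRange(2, 512)][int]$Threads)   # step 5: 2..512 only

    $key  = 'HKLM:\SOFTWARE\Microsoft\Office\Common'  # step 2
    $name = 'IdealConcurrencyValueOverride'

    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Absent value means the default limit of two threads
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Threads | Out-Null   # step 3
    } elseif ($current -ne $Threads) {
        Set-ItemProperty -Path $key -Name $name -Value $Threads                                   # step 4/5
    }

    $before = if ($null -eq $current) { 'absent (default 2)' } else { $current }
    "${name}: $before -> $Threads"
}

Set-OfficeThreadLimit -Threads 8   # 8 is an arbitrary example value
```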

Friday, 14 April 2023

Remote MMC

Remote registry

 runas /netonly /user:x.y.z.w\user regedit

Then, in Regedit, use File > Connect Network Registry to attach to the other computer.


The same approach works for MMC.

Friday, 10 February 2023

TLS protocols and ciphers (to resolve SSL provider error 0 when connecting to SQL Server)

Enabled and disabled SSL/TLS versions are controlled under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

There is a Client and a Server sub-key for each version of SSL/TLS, each with Enabled and DisabledByDefault values, e.g.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

*** Please note that any non-zero value is taken as TRUE. However, 1 is generally preferred over FFFFFFFF (or -1).

You can check the Functions value under following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
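Before changing anything it helps to see what SCHANNEL is currently offering. The audit below is an added example (not from the original post or Microsoft's tools): it reads every Protocols\*\Client and Server sub-key, applies the "any non-zero value is TRUE" rule from the note above (so an Enabled of FFFFFFFF, read back as -1, still counts as enabled), reports missing values as the OS default, and dumps the Functions cipher suite list.

```powershell
# Added example: audit SCHANNEL protocol switches and the cipher suite order.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($proto in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        foreach ($side in 'Client', 'Server') {
            # Missing sub-key or value: SCHANNEL falls back to the OS default for that version
            $p = Get-ItemProperty -Path (Join-Path $proto.PSPath $side) -ErrorAction SilentlyContinue

            $enabled = if ($null -eq $p -or $null -eq $p.Enabled) { 'default' }
                       elseif ($p.Enabled -ne 0) { 'enabled' }      # non-zero (incl. -1) is TRUE
                       else { 'disabled' }

            $dbd = if ($null -eq $p -or $null -eq $p.DisabledByDefault) { 'default' }
                   elseif ($p.DisabledByDefault -ne 0) { 'yes' }
                   else { 'no' }

            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

# Cipher suite order from the Functions value under 00010002 (REG_MULTI_SZ on current
# Windows, comma-separated REG_SZ on older releases; both shapes are handled here)
$sslKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$ssl = Get-ItemProperty -Path $sslKey -ErrorAction SilentlyContinue
if ($ssl.Functions) { @($ssl.Functions) -split ',' } else { 'Functions value not set (system default order)' }
```

A version that shows as disabled on the Client side of the SQL client box, or on the Server side of the SQL Server box, with nothing newer enabled on both ends, is the usual cause of the "SSL provider error 0" in the title.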


References:

0710 SSL Errors after Upgrading to TLS 1.2 (microsoft/CSS_SQL_Networking_Tools wiki, GitHub)

An existing connection was forcibly closed (OS error 10054) - SQL Server (Microsoft Learn)


Tuesday, 7 February 2023

Fix 0xc000000e after cloning a disk in Windows 10

  1. Check Secure Boot
  2. Try the startup auto-repair
  3. Repair the EFI volume
    • diskpart
    • list volume
    • select volume=n (where n is the System Reserved volume that holds the UEFI boot files)
    • assign letter=g (or any other letter not in use)
    • exit
    • bcdboot c:\windows /s g: /f UEFI (c:\windows, or wherever Windows is, i.e. the partition labelled "Boot")
    • Test
  4. Try sfc /scannow

Useful commands:

Find the drive letter assigned to the Windows partition:

bcdedit /enum | find "device"

Once you have the drive letter, run sfc /Scannow /OFFBOOTDIR=c:\ /OFFWINDIR=c:\windows (replace c with the letter found above)

  5. In a recovery console, try the usual:

bootrec /fixmbr

bootrec /fixboot

bootrec /scanos

bootrec /rebuildbcd


If that does not work, try:

bcdedit /set {bootmgr} device boot

bcdedit /set {default} device boot

bcdedit /set {default} osdevice boot

bcdedit /set {default} device partition=c:

bcdedit /set {default} osdevice partition=c:

bcdedit /set {default} path \windows\system32\winload.efi


Wednesday, 1 February 2023

L2TP/IPsec from Windows to MikroTik: error 789

Add this to the registry: REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d...