Windows privilege escalation guide

Ryan McFarland writes on his blog: “Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.”

Read More

Windows Server 2016 on Hyper-V stuck at stopping

… and the guest server VM won’t reboot

If a Windows Server 2016 guest VM on Hyper-V hangs while stopping after installing Windows Updates, the cause may be the crash-dump (debug information) type configured in the system recovery settings, especially when you have moved the Windows page file to a different partition or VHDX than the boot volume.

Microsoft Support article KB307973 states:

You can configure the actions that Windows takes when a system error (also referred to as a bug check, system crash, fatal system error, or stop error) occurs. You can configure the following actions:
Write an event to the System log.

To take advantage of the dump file feature, your paging file must be on the boot volume. If you have moved the paging file to another volume, you must move it back to the boot volume before you use this feature.

In other words, the automatic memory dump (which is enabled by default) needs a page file on the boot volume; when the page file lives elsewhere, Windows cannot write the dump and the shutdown stalls. Either move the page file back to the boot volume, or turn the dump off by setting the debug information type to (none). This fixed my reboot issues.

Reset the type of debugging information written to the log file.

The (none) option does not record any information in a memory dump file. To specify that you do not want Windows to record information in a memory dump file by modifying the registry, set the CrashDumpEnabled DWORD value to 0. For example, type the following information at a command prompt, and then press ENTER:

wmic recoveros set DebugInfoType = 0
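The following PowerShell script is an added example and not part of the original post: it checks the pre-condition the KB article describes (a page file on the boot volume) against the current CrashDumpEnabled value, and optionally applies the same change as the wmic command above. It is meant to be run in an elevated PowerShell prompt inside the guest; the -Disable switch is this script's own parameter, not a Windows setting.

```powershell
# Added example (not from the original post). Verifies that a memory dump can
# actually be written on this guest and, with -Disable, turns dumps off.
[CmdletBinding()]
param([switch]$Disable)   # -Disable is this script's own switch (assumption)

$systemDrive = $env:SystemDrive    # the boot volume, normally C:
$crashKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Meaning of the CrashDumpEnabled DWORD, which is the value that
# 'wmic recoveros set DebugInfoType = ...' writes.
$dumpTypes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

# Active page files (Win32_PageFileUsage.Name is the full path, e.g. D:\pagefile.sys)
$pageFiles    = @(Get-CimInstance -ClassName Win32_PageFileUsage |
                  Select-Object -ExpandProperty Name)
$onBootVolume = @($pageFiles | Where-Object { $_ -like "$systemDrive*" })

$dumpType = (Get-ItemProperty -Path $crashKey -Name CrashDumpEnabled).CrashDumpEnabled

"Page files       : $(if ($pageFiles) { $pageFiles -join ', ' } else { '(none)' })"
"Boot volume      : $systemDrive"
"CrashDumpEnabled : $dumpType ($($dumpTypes[[int]$dumpType]))"

if ($dumpType -ne 0 -and $onBootVolume.Count -eq 0) {
    Write-Warning ("Memory dumps are enabled but no page file is on $systemDrive; " +
                   "the dump cannot be written and the guest may hang on shutdown.")
    if ($Disable) {
        # Same effect as 'wmic recoveros set DebugInfoType = 0'; read at next boot.
        Set-ItemProperty -Path $crashKey -Name CrashDumpEnabled -Value 0 -Type DWord
        "CrashDumpEnabled set to 0 (None)."
    } else {
        "Re-run with -Disable to set CrashDumpEnabled to 0, or move the page file back to $systemDrive."
    }
} else {
    "Configuration is consistent; no change needed."
}
```

Run it once without -Disable to see the current state; it only writes the registry when dumps are enabled and no page file is on the boot volume, which is exactly the combination that causes the hang.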

This is only an issue if the page file is on a different VHDX or partition than the boot volume. A Microsoft forum thread references the same problem:

If the server is still hung during the reboot while working on updates, you can as a last resort kill TrustedInstaller.exe remotely with PsKill from the Sysinternals Suite. Keep in mind that this interrupts the servicing stack in the middle of an update, so verify the component store afterwards (for example with DISM /Online /Cleanup-Image /RestoreHealth and sfc /scannow) once the server is back up:

c:\path\to\pskill.exe \\servername TrustedInstaller.exe

List all SPNs used in your Active Directory

There are a lot of hints and tips out there for troubleshooting SPNs, or Service Principal Names. Listing duplicate SPNs is fairly easy: just run setspn -X on the command line and you'll find out. But how do you find out which SPNs are registered in your Active Directory, and on which user and computer accounts?
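As an added example (not code from the original post), the following PowerShell script answers that question with the ActiveDirectory module from RSAT: one LDAP query returns every object holding an SPN, the script flattens the multi-valued attribute into one row per SPN, and then lists the two subsets worth a closer look, SPNs held by ordinary user accounts and SPNs registered more than once. It assumes a domain-joined machine with read access to the directory.

```powershell
# Added example, not from the original post. Lists every SPN in the domain
# together with the account that holds it. Requires the RSAT ActiveDirectory
# module and a domain-joined host.
Import-Module ActiveDirectory

# One query for every object that has at least one SPN. Users, computers and
# managed service accounts all come back; objectClass tells them apart.
$spnObjects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                           -Properties servicePrincipalName, objectClass, sAMAccountName

# servicePrincipalName is multi-valued, so expand it to one row per SPN.
$spnTable = foreach ($obj in $spnObjects) {
    foreach ($spn in $obj.servicePrincipalName) {
        [pscustomobject]@{
            Account     = $obj.sAMAccountName
            ObjectClass = $obj.objectClass
            SPN         = $spn
            Service     = ($spn -split '/')[0]   # service class, e.g. MSSQLSvc, HTTP, HOST
        }
    }
}

"=== All SPNs, per account ==="
$spnTable | Sort-Object Account, SPN | Format-Table Account, ObjectClass, SPN -AutoSize

# SPNs on user accounts (not computer accounts) deserve attention: any domain
# user can request a service ticket for them, and that ticket is encrypted with
# the account's password hash, so a weak password is exposed to offline guessing.
"=== SPNs held by user accounts ==="
$spnTable | Where-Object ObjectClass -eq 'user' |
    Sort-Object Account | Format-Table Account, SPN -AutoSize

# The same duplicate check that 'setspn -X' performs, with the owners listed.
"=== Duplicate SPNs ==="
$spnTable | Group-Object SPN | Where-Object Count -gt 1 |
    Select-Object @{ n = 'SPN'; e = { $_.Name } },
                  Count,
                  @{ n = 'Accounts'; e = { $_.Group.Account -join ', ' } } |
    Format-Table -AutoSize
```

Pipe $spnTable to Export-Csv if you want the full inventory for later comparison; diffing two exports is a quick way to spot SPNs that appeared on accounts where nobody expected them.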

Read More

WsusPool keeps crashing: stops again and again

Sometimes you find that your WSUS server keeps crashing over and over again: WSUS is unavailable and/or the WSUS management console hangs. When you start to investigate why Windows Server Update Services crashes, you'll notice the following error message being logged in the HTTPERR log files (%SystemRoot%\System32\LogFiles\HTTPERR):

Read More

How to detect ethernet network speed in Windows

Detecting the ethernet network speed with PowerShell or WMI is ideal for Windows Server Core or Nano, where there is no GUI to check it in. If you ever need to look up the speed of your ethernet network card in Windows on the command line, use one of the following WMIC commands at a PowerShell prompt:
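As an added example (not code from the original post), the same information read through CIM from PowerShell, restricted to physical adapters that are currently connected, with the raw bits-per-second value converted to Mbit/s and a warning when an adapter has negotiated 100 Mbit/s or less, which on a gigabit NIC usually points at a cable or switch-port problem. The 100 Mbit/s threshold is an assumption for this example; adjust it to what your links should run at.

```powershell
# Added example, not from the original post. Reports link speed of every
# connected physical adapter via the Win32_NetworkAdapter CIM class.
$expectedMinMbps = 1000   # assumption: all server links should be gigabit or better

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapter |
            Where-Object { $_.PhysicalAdapter -and $_.NetConnectionStatus -eq 2 }   # 2 = Connected

foreach ($nic in $adapters) {
    # Speed is reported in bits per second; 1e6 (not 1MB = 1048576) gives Mbit/s
    $mbps = [int]($nic.Speed / 1e6)
    [pscustomobject]@{
        Connection = $nic.NetConnectionID   # e.g. "Ethernet"
        Adapter    = $nic.Name
        MAC        = $nic.MACAddress
        Mbps       = $mbps
        Status     = if ($mbps -lt $expectedMinMbps) {
                         "WARNING: negotiated below $expectedMinMbps Mbit/s"
                     } else { 'ok' }
    }
} | Format-Table -AutoSize
```

On a Hyper-V guest the synthetic adapter reports a fixed speed regardless of the host's physical link, so run the check on the host (or against the physical NIC) when you are chasing throughput problems.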

Read More

25 New SQLServer PowerShell cmdlets

Ayo Olubeko of the SQL Server Blog writes in the SQL PowerShell: July 2016 update: “The July update for SSMS includes the first substantial improvement in SQL PowerShell in many years. We owe a lot of thanks for this effort to the great collaboration with our community. We have several new CMDLETs to share with you, but firstly, there is a very important change we had to make to be able to ship monthly updates to the SQL PowerShell component.”

Read More
