Disable the default administrative shares (C$, D$, ADMIN$):
1. browse registry: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
2. Create two REG_DWORD entries if they don't exist (AutoShareServer applies to server editions, AutoShareWks to workstation editions):
AutoShareServer
AutoShareWks
3. set both to 0
4. restart Windows
Re-enable the default administrative shares:
1. browse registry: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\
2. Create two REG_DWORD entries if they don't exist:
AutoShareServer
AutoShareWks
3. set both to 1
4. restart Windows
@ECHO OFF
REM build a timestamped archive name, e.g. 2011-02-02_09-45-11.7z
REM (the substring offsets depend on the locale's date and time format)
SET ime=%date:~10,4%-%date:~7,2%-%date:~4,2%_%time:~0,2%-%time:~3,2%-%time:~6,2%.7z
REM replace spaces with zeros (hours before 10 are padded with a space)
SET ime=%ime: =0%
@REM for testing
@REM ECHO %ime%
@REM mysqldump -u root --password=password username | 7z a -si -mx9 2011-02-02_09-45-11.7z
REM note: a password on the command line is visible to other local users in the process list;
REM a [client] section in my.cnf or mysql_config_editor avoids that
mysqldump -u root --password=MyPassword DatabaseName | 7z a -si -mx9 %ime%
If the w32tm command fails with "The service name is invalid.":
unregister and re-register the DLL (assuming the DLL itself is not damaged),
then configure the NTP client (1.1.1.1 and 2.2.2.2 stand for NTP servers near you; the example below uses time.google.com)
unregister & register DLL
regsvr32 -u w32time.dll
regsvr32 w32time.dll
configure the Windows Time service
#one liner
w32tm /config /manualpeerlist:"time.google.com time2.google.com" /syncfromflags:manual /reliable:yes /update
#if the time offset is too big use this to sync
net time /set
#after that restart service
Net stop w32time
Net start w32time
list the servers you use
w32tm /query /peers
force the PC to sync with the domain controller
w32tm /config /syncfromflags:domhier /update
# After that you have to run:
net stop w32time
net start w32time
force resynchronization
w32tm /resync /force
test your clock against the domain clock (if your domain is CORP)
w32tm /stripchart /computer:corp /dataonly /samples:5
is my Windows 10 clock behind the NTP server?
w32tm /query /status /verbose
compare the Windows clock to an NTP server
w32tm /monitor /computers:time.google.com
in CMD type (shows the vendor, model and serial number):
wmic csproduct get vendor,name,identifyingnumber
First you need ImDisk; install it on the Windows server. If you also want to mount the ramdisk into a directory you'll need junc.
A great FAQ for this ramdisk is here. I created a directory (c:\RAMDisk) and copied junc and this bat script into it.
To set up the ramdisk and point the .NET temp directories at it, here is the BAT script, which can be run at startup by Task Scheduler:
@ECHO OFF
REM create ramdisk (1GB) and format NTFS on it
imdisk -a -s 1000M -p "/fs:ntfs /q /y" -m R:
icacls R:\ /resize
icacls R:\ /grant:r everyone:(OI)(CI)M
REM this is for IIS compressed files cache (need to edit metabase.xml on IIS6 to point to R:\IISCache)
r:
mkdir IISCache
icacls R:\IISCache /grant:r everyone:(OI)(CI)M
iisreset /stop
REM create junctions so the ASP.NET temp directories live on the ramdisk
rmdir /q /s "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files"
junc "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files" \Device\ImDisk0
icacls "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files" /grant:r everyone:(OI)(CI)M
rmdir /q /s "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files"
junc "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files" \Device\ImDisk0
icacls "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files" /grant:r everyone:(OI)(CI)M
iisreset /start
Open MS SQL Server Manager
Connect to server
Right button over server -> properties -> Permissions
Select user and check View Any database -> Deny
This script copies a full/diff backup to the network share \\1.1.1.1\MyShare.
It searches for the last full backup and creates a differential backup against it; I chose e:\MyDir as the directory to back up.
You need to have 7z in PATH or in the same directory as the batch script.
@ECHO OFF
SET putanja=\\1.1.1.1\MyShare
Rem ****************************************************************************
REM check if today is the first day of the month; if it is, a FULL BACKUP should be performed
SET varDD=%DATE:~4,2%
if "%varDD%"=="01" GOTO FULL
Rem ****************************************************************************
REM Differential backup
:DIFF
echo "Differential backup"
SET ime=%putanja%\MyDir_%date:~10,4%-%date:~7,2%-%date:~4,2%_%time:~0,2%-%time:~3,2%-%time:~6,2%_diff.7z
SET ime=%ime: =0%
REM newest full archive (DIR /O:D lists oldest first, so the last match wins)
SET NewestFile=
FOR /F "delims=|" %%I IN ('DIR "%putanja%\MyDir*_full.7z" /B /O:D') DO SET NewestFile=%%I
REM no full backup yet (e.g. first run): nothing to diff against, so take a full one
IF NOT DEFINED NewestFile GOTO FULL
7z u %putanja%\%NewestFile% e:\MyDir -ms=off -mx=3 -t7z -u- -up0q3r2x2y2z0w2!%ime%
GOTO END
Rem ****************************************************************************
Rem Full backup
:FULL
echo "Full backup"
SET ime=%putanja%\MyDir_%date:~10,4%-%date:~7,2%-%date:~4,2%_%time:~0,2%-%time:~3,2%-%time:~6,2%_full.7z
SET ime=%ime: =0%
7z a %ime% e:\MyDir
:END
extract only one subdirectory from an archive:
7z x MyArchive.7z -oMyTmpDir Dir1/Dir2/Dir3/
This is the whole story for this FULL/DIFF backup:
1. let's say you have a SAN with a shared directory in which the backup is stored (server name: server, share dir: myShare)
2. You want to back up the directory d:\MyDirectoryToBackup
3. On the first day of the month you want a full backup, on other days a differential backup
4. Old backups are not deleted
Don't forget to use the FULL PATH to the PowerShell script when calling it
Example: powershell c:\MyScripts\script.ps1
#Create variable $ime2 which will have this format:
#foldername\webovi_YEAR-MONTH-DAY_HOUR-MINUTE-SECOND (the _full.7z / _diff.7z suffix is added below)
$folder = "\\Server.com\MyShare"
$SourceDir = "d:\MyDirectoryToBackup"
$datum = Get-Date
$godina = $datum.Year
$mjesec = "{0:D2}" -f $datum.Month
$dan = "{0:D2}" -f $datum.Day
$sat = "{0:D2}" -f $datum.Hour
$minuta = "{0:D2}" -f $datum.Minute
$sekunda = "{0:D2}" -f $datum.Second
$ime2 = $folder + "\webovi_$godina-$mjesec-" + $dan + "_$sat-$minuta-$sekunda"
#newest full backup; the differential is computed against it
$fullZadnji = (dir $folder\webovi*full* | sort -prop LastWriteTime | select -last 1)
#compare the numeric day, not the zero-padded string ("01" -eq 1 is false in PowerShell)
if ($datum.Day -eq 1 -or -not $fullZadnji)
{
#first day in month (or no full backup found yet): FULL backup
$ime = $ime2 + "_full.7z"
$cmd2 = " a -mx=3 $ime $SourceDir"
} else {
#DIFF backup
$ime = $ime2 + "_diff.7z"
$cmd2 = " u " + $fullZadnji.FullName + " " + $SourceDir + " -ms=off -mx=3 -t7z -u- -up0q3r2x2y2z0w2!" + $ime
}
#enable this if U need debug
#Write-Host "cmd2: $cmd2"
[System.Diagnostics.Process]::Start("C:\PROGRA~1\7-Zip\7z.exe", $cmd2)
This example tests connectivity on TCP port 80 on IP address 1.1.1.1;
if the port is not accessible, mail is sent to me@damir.globaldizajn.hr through the local SMTP server (localhost).
Don't forget to use the FULL PATH to the PowerShell script when calling it
Example: powershell c:\MyScripts\script.ps1
$r = C:\PROGRA~1\nmap\nmap.exe -Pn -sT -p 80 1.1.1.1 2>&1
function sendMail {
Write-Host "Sending Email"
#SMTP server name
$smtpServer = "localhost"
#Creating a Mail object
$msg = new-object Net.Mail.MailMessage
#Creating SMTP server object
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
#Email structure
$msg.From = "me@damir.globaldizajn.hr"
$msg.ReplyTo = "me@damir.globaldizajn.hr"
$msg.To.Add("me@damir.globaldizajn.hr,me2@damir.globaldizajn.hr")
$msg.Bcc.Add("me3@damir.globaldizajn.hr")
$msg.subject = "TCP port is not accessible"
$msg.body = "call administrator and bla bla bla"
#Sending email
$smtp.Send($msg)
}
if ( $r -like "*80/tcp open*" ) {
write-host "TCP port open"
# sendMail2
} else {
write-host "TCP port close"
sendMail
}
You need to add one attribute in the web.config of your ASP.NET application
<compilation defaultLanguage="vb" debug="true" targetFramework="4.0"/>
#change to this
<compilation defaultLanguage="vb" debug="true" tempDirectory="R:\Temp.NETv4\myWeb.com" targetFramework="4.0"/>
WARNING: if users upload pictures, big documents and similar files you might need to change some of these settings!
For IIS do this:
1. Configuration Editor -> section: system.applicationHost -> webLimits
Per site:
1. Advanced settings:
2. IP address and domain restrictions
Edit Dynamic Restriction Settings:
3. Request filtering
Edit Feature Settings:
Headers:
Add Header
If you need 2 or more administrators working on the same Windows server at the same time, raise the RDP connection limit:
gpedit.msc
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections -> Limit number of connections
function Uninstall-App {
param([string]$Name)
Write-Output "Uninstalling $Name"
foreach($obj in Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall") {
$dname = $obj.GetValue("DisplayName")
# exact match on DisplayName (-contains on a single string behaves like -eq, so -eq is clearer)
if ($dname -eq $Name) {
$uninstString = $obj.GetValue("UninstallString")
foreach ($line in $uninstString) {
# pull the MSI product code {GUID} out of the UninstallString
$found = $line -match '(\{.+\}).*'
If ($found) {
$appid = $matches[1]
Write-Output $appid
start-process "msiexec.exe" -arg "/X $appid /qb" -Wait
}
}
}
}
}
# NOTE: querying Win32_Product makes Windows Installer run a consistency check on every
# installed MSI package (slow, and it can trigger repairs); the registry loop above avoids that
$apps = Get-WmiObject -Query "SELECT * FROM Win32_Product WHERE Name LIKE 'Microsoft .NET Core%'"
foreach ($app in $apps) {
"Uninstalling: " + $app.Name
Uninstall-App $app.Name
}
# Get all packages with "SQL" in their name
$packages = Get-Package | Where-Object { $_.Name -like '*SQL*' }
# Uninstall each matching package
foreach ($package in $packages) {
$packageName = $package.Name
Write-Host "Uninstalling package: $packageName"
Uninstall-Package -Name $packageName -Force
Write-Host "Uninstalled $packageName"
}
Import-Module Webadministration
Get-ChildItem -Path IIS:\Sites
How to list all sites on IIS which have an HTTPS binding
Import-Module WebAdministration
# Retrieve all IIS sites and filter those with HTTPS bindings
Get-ChildItem -Path IIS:\Sites | ForEach-Object {
$siteName = $_.Name
$httpsBindings = $_.Bindings.Collection | Where-Object { $_.protocol -eq 'https' }
if ($httpsBindings) {
$siteName
}
}
copy a directory tree including hidden files, only newer files, without prompting:
xcopy sourceDir DestinationDir /e /h /i /d /y
copy from one server to another (server2), excluding the two directories json and start and the file web.config, and log the copy:
c:\windows\system32\robocopy.exe "e:\webovi\myweb.com" "\\server2\e$\webovi\myweb.com" /mir /XF web.config /XD "e:\webovi\myweb.com\json" /XD "e:\webovi\myweb.com\start" > "c:\logs\myweb.com\copy.log"
icacls "c:\Logs" /grant Users:(Oi)(CI)RX /T
(OI) - files, (CI) - directories, RX - read and execute access, /T - recursive
Use a script to delete lots of emails in Gmail, from Facebook or matching any other criteria
1. go to https://script.google.com
2. create a script with the search pattern that matters to you
function batchDeleteFacebook() {
var batchSize = 100; // Process up to 100 threads at once
var threads = GmailApp.search('from:notification@facebookmail.com');
for (var j = 0; j < threads.length; j += batchSize) {
GmailApp.moveThreadsToTrash(threads.slice(j, j + batchSize));
}
}
3. start the script
#export
%windir%\system32\inetsrv\appcmd list site /config /xml > c:\sites.xml
#import
%windir%\system32\inetsrv\appcmd add site /in < c:\sites.xml
CHKDSK /F /R C:
#now restart Windows and let chkdsk run its check.
DISM /Online /Cleanup-Image /StartComponentCleanup
DISM /Online /Cleanup-image /Restorehealth
SFC /scannow
#If /Restorehealth fails, download the Media Creation Tool from MS and download the ISO,
#then mount it (this is for Windows 10/11; for the server version use the installation media)
#To find the install file, simply sort by size: it should be the biggest file in the sources directory
#first try to fix the image with local data using this
DISM /Online /Cleanup-Image /Restorehealth
#If you get an error that the local image is corrupted, then use an external image to fix it.
#if your image is on the D: disk, list what is inside the install file (ESD or WIM); this is for WIM
DISM /Get-Wiminfo /wimfile:D:\Sources\Install.wim
#There are two types of images, ESD and WIM; the /Source argument must name the matching type and image index.
DISM /Online /Cleanup-Image /Restorehealth /Source:ESD:D:\sources\Install.esd:1 /limitaccess
DISM /Online /Cleanup-Image /Restorehealth /Source:WIM:D:\sources\Install.wim:1 /limitaccess
DISM /Cleanup-Mountpoints
bootrec /fixmbr
bootrec /fixboot
bootrec /scanos
bootrec /rebuildbcd
#This worked for my Windows Server 2016 and should be the same for Windows 10/11
1. DISM /Get-Wiminfo /wimfile:e:\Sources\Install.wim
- if the file ends with .WIM then it is the WIM version
- it lists all Windows editions in the install.wim file; mine was index 4
2. DISM /Online /Cleanup-Image /Restorehealth /Source:WIM:D:\sources\Install.wim:4 /limitaccess
Windows won't boot and the system is corrupted, so try to fix it from a USB stick (media creation tool)
1. download the media creation tool from Microsoft
2. boot from USB
3. Repair your computer -> Troubleshoot -> Command Prompt
4. Find your Windows drive and the USB drive; in this example C: is Windows and D: is the USB
dism /image:c:\ /cleanup-image /restorehealth /source:c:\windows
5. if there is a scratch dir error and you can't go further, create c:\temp and use this command
dism /image:c:\ /cleanup-image /restorehealth /source:c:\windows /scratchdir:c:\temp
in case of error use the external source (USB); proceed to step 6 ONLY if step 4/5 fails
6. on the USB there should be \sources\install.esd or \sources\install.wim (the biggest file, >4GB, in this directory)
dism /image:c:\ /cleanup-image /restorehealth /source:d:\sources\install.esd
7. run sfc in offline mode
sfc /scannow /offbootdir=c: /offwindir=c:\windows
Reset the Windows Update download directory (SoftwareDistribution):
net stop wuauserv
rmdir %windir%\softwaredistribution /s /q
net start wuauserv
exit
This is a PowerShell script that lists bugcheck (BSOD) events from the last 48 hours:
$CurrentDate = Get-Date
$DateFiltered = $CurrentDate.AddHours(-48)
get-eventlog -log system -source "bugcheck" | where-object {$_.TimeWritten -gt $DateFiltered}
reduce the size of the WinSxS dir; start CMD as administrator
Dism.exe /online /Cleanup-Image /StartComponentCleanup
to reduce the Win 10 size even further; after this, uninstalling updates will no longer be possible
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
Here are 3 things to do, then restart Windows
1. delete all files inside these folders:
%AppData%\Microsoft\windows\recent\automaticdestinations
%AppData%\Microsoft\windows\recent\customdestinations
2. add/update registry settings
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\explorer.exe]
@="C:\\windows\\explorer.EXE"
"Path"="C:\\windows\\"
"UseURL"="1"
"SaveURL"="1"
3. restart windows
1. run CMD as administrator
sfc /scannow
2.
DISM /Online /Cleanup-Image /RestoreHealth
3.
control /name Microsoft.IndexingOptions
click - modify
advanced option
If you start the Settings app manually with
start ms-settings:
and get "ms-settings has not been provisioned", do this:
4. start powershell as administrator
Get-appxpackage -all *shellexperience* -packagetype bundle |% {add-appxpackage -register -disabledevelopmentmode ($_.installlocation + "\appxmetadata\appxbundlemanifest.xml")}
5. after that do this:
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
Needs to be run from PowerShell as administrator (turns on cloud-delivered protection, block at first seen, PUA protection and quarantine as the default action):
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel HighPlus
Set-MpPreference -CloudExtendedTimeout 5
Set-MpPreference -DisableBlockAtFirstSeen $false
Set-MpPreference -PUAProtection Enabled
Set-MpPreference -LowThreatDefaultAction Quarantine
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -ModerateThreatDefaultAction Quarantine
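An added check (not from the original notes) that reads the live Defender configuration with Get-MpPreference and reports any setting that differs from the baseline set above; the numeric codes are the values Get-MpPreference returns for the enumerations used by Set-MpPreference, and the exit code is an assumption for use from a scheduled task.

```powershell
# Added example: compare the running Defender preferences against the baseline above.
# Useful because Tamper Protection can silently reject some Set-MpPreference changes.
$baseline = [ordered]@{
    MAPSReporting               = @{ Expected = 2;      Name = 'Advanced' }
    SubmitSamplesConsent        = @{ Expected = 1;      Name = 'SendSafeSamples' }
    CloudBlockLevel             = @{ Expected = 4;      Name = 'HighPlus' }
    CloudExtendedTimeout        = @{ Expected = 5;      Name = '5 (seconds)' }
    DisableBlockAtFirstSeen     = @{ Expected = $false; Name = 'False (block at first seen on)' }
    PUAProtection               = @{ Expected = 1;      Name = 'Enabled' }
    LowThreatDefaultAction      = @{ Expected = 2;      Name = 'Quarantine' }
    ModerateThreatDefaultAction = @{ Expected = 2;      Name = 'Quarantine' }
    HighThreatDefaultAction     = @{ Expected = 2;      Name = 'Quarantine' }
}

function Test-DefenderBaseline {
    param([System.Collections.IDictionary]$Baseline)
    $pref = Get-MpPreference          # needs an elevated PowerShell
    foreach ($key in $Baseline.Keys) {
        $actual = $pref.$key          # $null if the property is missing on older Defender builds
        [pscustomobject]@{
            Setting   = $key
            Expected  = $Baseline[$key].Name
            Actual    = $actual
            Compliant = ($actual -eq $Baseline[$key].Expected)
        }
    }
}

$report = Test-DefenderBaseline -Baseline $baseline
$report | Format-Table -AutoSize
$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) Defender setting(s) differ from the baseline"
    exit 1   # assumed convention: non-zero so a scheduled task or monitoring job can flag the drift
}
```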
#if you have awk for windows installed
awk "!seen[$0]++" file.txt
start cmd as administrator
powercfg /requests
powercfg /lastwake
powercfg /sleepstudy
powercfg /systemsleepdiagnostics
powercfg /systempowerreport
list all performance counters:
typeperf -qx
example (read a counter through the Zabbix agent):
zabbix_get -s 192.168.71.2 -k perf_counter["\System\Context Switches/sec"]
# show all matching lines (with line numbers)
# cd into the directory you want to search recursively
findstr /spin /c:"some string" u_ex211008.log
# show one hit per file
# cd into the directory you want to search recursively
# needs awk for windows
findstr /spi /c:"some string" u_ex211104* | awk "{print $1}" | awk "!seen[$0]++"
#all IPs in a firewall rule
Get-NetFirewallRule -DisplayName "Rule Name" | Get-NetFirewallAddressFilter |where remoteaddress | select -ExpandProperty RemoteAddress
#all IPs containing 194
Get-NetFirewallRule -DisplayName "Rule Name" | Get-NetFirewallAddressFilter |where remoteaddress | select -ExpandProperty RemoteAddress | find "194"
Use LogParser once you know which domain is under attack, when the attack hits the default page with random GET params (the random params are 30+ chars): this counts requests per X-Forwarded-For (the real client IP behind a proxy or load balancer) in the attack window
logparser -rtp:-1 "SELECT TOP 100 X-Forwarded-For, COUNT(X-Forwarded-For) FROM e:\logs\W3SVC60\u_ex210515_x.log WHERE cs-uri-stem='/' AND time > '15:05:00' AND time < '15:11:59' AND STRLEN(cs-uri-query) >= 30 GROUP BY X-Forwarded-For ORDER BY COUNT(X-Forwarded-For) DESC" -i:W3C
Filter out listening and loopback addresses so only real remote connections remain; useful for slowloris attack analysis
netstat -nat | find "TCP" | find /v "127.0.0.1" | find /v "[::]" | find /v "0.0.0.0"
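As an added example (not part of the original notes), the same analysis as the LogParser query above in plain PowerShell, for servers where LogParser is not installed: it parses the #Fields header of a W3C log, keeps requests to '/' in the time window with a long query string, and counts them per X-Forwarded-For, falling back to c-ip when the header is absent. The log lines are constructed sample data; the field list, window and threshold mirror the query above.

```powershell
# Added example: count flood sources in an IIS W3C log without LogParser.
# Constructed sample log (not a real capture); a real run would use Get-Content on the file.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) X-Forwarded-For sc-status
2021-05-15 15:06:01 GET / ab12cd34ef56gh78ij90kl12mn34op56qr78=1 443 10.0.0.5 Mozilla/5.0+(compatible) 203.0.113.10 200
2021-05-15 15:06:02 GET / zz98yy87xx76ww65vv54uu43tt32ss21rr10=x 443 10.0.0.5 Mozilla/5.0+(compatible) 203.0.113.10 200
2021-05-15 15:06:03 GET / qq11ww22ee33rr44tt55yy66uu77ii88oo99=9 443 10.0.0.5 Mozilla/5.0+(compatible) 203.0.113.10 200
2021-05-15 15:06:04 GET / pp00oo99ii88uu77yy66tt55rr44ee33ww22=7 443 10.0.0.5 Mozilla/5.0+(compatible) 203.0.113.11 200
2021-05-15 15:06:05 GET / page=2 443 10.0.0.5 Mozilla/5.0+(compatible) 198.51.100.7 200
2021-05-15 15:20:00 GET / kk11jj22hh33gg44ff55dd66ss77aa88zz99=1 443 10.0.0.5 Mozilla/5.0+(compatible) 203.0.113.12 200
2021-05-15 15:06:06 GET /login - 443 10.0.0.5 Mozilla/5.0+(compatible) 198.51.100.8 200
'@

function Get-TopFloodSources {
    param(
        [string[]]$Lines,
        [string]$Stem = '/',
        [timespan]$From = '15:05:00',
        [timespan]$To = '15:11:59',
        [int]$MinQueryLength = 30,
        [int]$Top = 100
    )
    $fields = $null
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # the header defines the column order; IIS writes a new one after each restart
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        $t = [timespan]$row['time']
        if ($row['cs-uri-stem'] -ne $Stem) { continue }
        if ($t -lt $From -or $t -gt $To) { continue }
        $q = $row['cs-uri-query']
        if ($q -eq '-' -or $q.Length -lt $MinQueryLength) { continue }
        # behind a proxy the real client is in X-Forwarded-For; otherwise use c-ip
        $src = if ($row['X-Forwarded-For'] -and $row['X-Forwarded-For'] -ne '-') { $row['X-Forwarded-For'] } else { $row['c-ip'] }
        $counts[$src] = 1 + [int]$counts[$src]
    }
    $counts.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First $Top |
        ForEach-Object { [pscustomobject]@{ Source = $_.Key; Requests = $_.Value } }
}

# On the sample: 203.0.113.10 -> 3, 203.0.113.11 -> 1 (short query, other stem and out-of-window lines are dropped)
Get-TopFloodSources -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
# Real log: Get-TopFloodSources -Lines (Get-Content e:\logs\W3SVC60\u_ex210515_x.log)
```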
Task Manager -> Performance -> Open Resource Monitor -> Disk
zabbix_get -s 192.168.2.2 -k net.if.discovery
zabbix_get -s 192.168.2.2 -k net.if.out["vmxnet3 Ethernet Adapter"]
#if you have grep and uniq installed on windows (ports from linux): count UrlScan rejections per log file
findstr /i /s /c:"Rejected-By-UrlScan" *2209* | grep -Eo "^[^:]+" | uniq -c | sort /R
# if you have regexp - you don't have it 'cos it's my util ...
findstr /i /s /c:"Rejected-By-UrlScan" *2203* | regexp "^[\w\d\\]+" | uniq -c | sort /R
# files created or modified in a date window with web-executable extensions
# (useful when hunting for dropped web shells after an incident)
$from = [datetime]"04/14/2022"
$to = [datetime]"04/16/2022"
$ext = ".asp", ".aspx", ".asax", ".dll", ".php"
Get-ChildItem -Recurse -File |
Where-Object {
( ($_.LastWriteTime -ge $from -and $_.LastWriteTime -lt $to) -or
($_.CreationTime -ge $from -and $_.CreationTime -lt $to) ) -and
($_.Extension -in $ext)
}
query the registry for installed .NET Framework versions
#installed versions
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
#list specific
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version
This is for the case when you have a wildcard certificate like *.globaldizajn.hr and need to replace it on ALL subdomains
#PowerShell script
#WARNING: this replaces only certs in the WebHosting store, not under Personal
#if you want to change under Personal, change WebHosting to My in the Get-ChildItem command
#old and new certificate are specified by thumbprint (hash)
Import-Module WebAdministration
$OldThumbprint = "D1A59FDEF3DCEB028778542E9F6219911E70FF8C"
$NewThumbprint = "923C5B09D1856FC3724C783A9BD4A0889E97F16D"
$cert = Get-ChildItem -Path cert:\LocalMachine\WebHosting\$OldThumbprint
$certNew = Get-ChildItem -Path cert:\LocalMachine\WebHosting\$NewThumbprint
#debug print
#Write-Host $cert
#Write-Host $certNew
Get-WebBinding | Where-Object { $_.certificateHash -eq $OldThumbprint} | ForEach-Object {
Write-Host "Replacing Cert For " $_
$_.RemoveSslCertificate()
$_.AddSslCertificate($certNew.Thumbprint, "WebHosting")
#If you want to change just first to see if it works fine uncomment break command
#break
}
#powershell script
#change cert:\LocalMachine\WebHosting to cert:\LocalMachine\My for personal store
Get-ChildItem -Path cert:\LocalMachine\WebHosting | ForEach-Object {
Write-Host "Subject: " $_.Subject
Write-Host "FriendlyName: " $_.FriendlyName
Write-Host "Thumbprint: " $_.Thumbprint
Write-Host "Certificate is valid until: " $_.NotAfter
Write-Host " ------------------ "
}
Now clipboard should work fine
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
Get-ItemProperty -Name Version -ErrorAction SilentlyContinue |
Where-Object { $_.Version } |
Select-Object PSChildName, Version
ECHO Y|cacls "F:\logs\*" /T /E /G Users:F
robocopy \\172.19.128.36\webovi c:\webovi /S /E /NP /XD "imagecache" /XD "* Copy" /xf web.config
use PowerShell to install winget
Install-Script -Name winget-install
winget-install
execute with cmd
#install clink and starship using winget
echo Y|winget install clink
winget install starship
#start starship when clink is started
echo load(io.popen('starship init cmd'):read("*a"))() > %userprofile%\appdata\Local\clink\starship.lua
#save the tokyo-night preset to disk if you like it
starship preset tokyo-night %userprofile%\.config\starship.toml
#if executables are too dark use light blue
clink set color.executable sgr 1;38;5;39
#if args are too dark use yellow
clink set color.input sgr 38;5;154
#if flags are too dark use yellow again
clink set color.flag sgr 38;5;154
#if pipes are too dark
clink set color.cmdsep sgr 38;5;220
#colour codes are here: https://en.wikipedia.org/wiki/ANSI_escape_code
#if you have a custom preset, change its [directory] section to this and replace myuser with your username
#if you want the original preset just create the file %userprofile%\.config\starship.toml
#and copy this into it (replacing myuser with your username)
[directory]
truncation_length = 0
truncation_symbol = ""
home_symbol = "c:\\users\\myuser"
use_os_path_sep = true
#nerd font is required for all special characters
#https://www.nerdfonts.com/font-downloads
# last 100 logons (event 4624) excluding SYSTEM and the machine account;
# for 4624, ReplacementStrings[5] is TargetUserName and [18] is the source IpAddress
Get-EventLog -LogName Security -InstanceId 4624 |
Where-Object { $_.ReplacementStrings[5] -notin @("SYSTEM", "CRO-PC$") } |
Select-Object TimeGenerated,
@{Name='User';Expression={$_.ReplacementStrings[5]}},
@{Name='IP Address';Expression={$_.ReplacementStrings[18]}} |
Sort-Object TimeGenerated -Descending |
Select-Object -First 100
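As an added example (not part of the original notes), a Get-WinEvent version of the listing above that reads the 4624 event fields by name instead of by ReplacementStrings index, skips machine and built-in accounts, and groups logons by user, source address and logon type so unusual sources stand out; the exclusion list and the hour window are assumptions to adjust per host.

```powershell
# Added example: summarise recent successful logons by user, source IP and logon type.
# Get-WinEvent with -FilterHashtable is much faster than Get-EventLog on a large Security log.
function Get-LogonSummary {
    param(
        [int]$Hours = 24,
        # assumed noise accounts; machine accounts (ending in $) are skipped separately
        [string[]]$ExcludeUsers = @('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE')
    )
    $logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock';
                     8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields by name (TargetUserName, LogonType, IpAddress, ...)
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $type = [int]$d['LogonType']
        $typeName = if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { "Type$type" }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            UserName  = $d['TargetUserName']
            LogonType = $typeName
            SourceIp  = $d['IpAddress']     # '-' or '::1' for local logons
        }
    }
    $events |
        Where-Object { $_.UserName -notin $ExcludeUsers -and $_.UserName -notlike '*$' } |
        Group-Object User, SourceIp, LogonType |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                User      = $sorted[0].User
                SourceIp  = $sorted[0].SourceIp
                LogonType = $sorted[0].LogonType
                Logons    = $_.Count
                FirstSeen = $sorted[0].Time
                LastSeen  = $sorted[-1].Time
            }
        } | Sort-Object Logons -Descending
}

# needs an elevated PowerShell: the Security log is not readable by standard users
Get-LogonSummary -Hours 48 | Format-Table -AutoSize
```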