Sunday, August 23, 2020

How to fix The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests


I was trying to add the Remote Desktop Licensing role to a server, but it failed with: The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.


One likely cause is that the Allow Remote Shell Access policy is disabled, either in local policy or by a domain GPO. Server Manager manages even the local server over WinRM, which is why a "remote shell" setting can block a role install on the machine you are sitting at. Start with the local policy: run gpedit.msc and navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Remote Shell.

Inside Windows Remote Shell look for Allow Remote Shell Access and make sure it is set to Enabled or Not Configured.

If it is Not Configured in the local policy and adding the role still fails, the setting is coming from domain policy. Run gpresult /scope computer /h report.html on the server (or rsop.msc) to see which GPO delivers it, then edit that GPO with gpmc.msc on a domain controller. In a plain environment that is usually the Default Domain Policy or the Default Domain Controllers Policy, but treat editing those two as a last resort, since any change there lands on every machine in scope; a dedicated GPO linked to the server's OU is the safer place. Note that enabling Remote Shell Access lets every account the WinRM service already authorizes (by default Administrators and Remote Management Users) open remote shells, so keep those group memberships tight rather than widening them along with the policy.
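The check below is an added example, not code from the original post. It reads the registry value that the Allow Remote Shell Access template writes, the live value the WinRM service is using (which reports GPO as its source when a policy wins), writes the applied-GPO report, and then makes the same kind of local WinRM shell request that Server Manager makes. The policy key path, value name and WSMan: drive path are the standard ones; run it in an elevated PowerShell session on the server that refuses the role install.

```powershell
# Added example (not from the original post): find out whether the WinRM
# "Allow Remote Shell Access" policy is what blocks the role install, and where
# the setting comes from. Run elevated on the affected server.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$valueName = 'AllowRemoteShellAccess'   # 1 = Enabled, 0 = Disabled, absent = Not Configured

function Get-RemoteShellPolicyState {
    # Returns Enabled, Disabled or NotConfigured based on the GPO-written registry value.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

Write-Host ("Policy registry value     : {0}" -f (Get-RemoteShellPolicyState))

# The value the WinRM service is actually using; SourceOfValue reads GPO when a policy set it.
$live = Get-Item -Path WSMan:\localhost\Shell\AllowRemoteShellAccess -ErrorAction SilentlyContinue
if ($live) {
    Write-Host ("Live WinRM setting        : {0} (source: {1})" -f $live.Value, $live.SourceOfValue)
} else {
    Write-Warning 'Could not read WSMan:\localhost\Shell; is the WinRM service running?'
}

# Which GPOs applied to this computer: open the report and look under
# Windows Components/Windows Remote Shell to see the winning GPO by name.
$report = Join-Path $env:TEMP 'gpresult.html'   # assumed output location
gpresult /scope computer /h $report /f | Out-Null
Write-Host "Applied-GPO report written to $report"

# End-to-end check: a local remote-shell request, the same thing Server Manager does.
try {
    Invoke-Command -ComputerName localhost -ScriptBlock { $env:COMPUTERNAME } -ErrorAction Stop | Out-Null
    Write-Host 'Remote shell request to localhost succeeded.'
} catch {
    Write-Warning ("Remote shell request failed: {0}" -f $_.Exception.Message)
}
```

If the registry value reads 0 while the local policy shows Not Configured, the setting is domain-delivered and the report tells you which GPO to edit; if the live value is true but the role install still fails, the cause is elsewhere (listener, firewall, or the Remote Management Users membership) and this policy is not the one to change.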




How to determine when was the last time the machine was rebooted from exported System Windows Event log

An exported System Windows Event log (.evtx) holds a lot of information useful for digital forensics. One piece that often matters is when the machine was last (re)started.

To find it, sort on the Date and Time column and look for Source Kernel-General with Event ID 12 ("The operating system started at system time ..."). The system time in that message is always UTC, whatever time zone Event Viewer uses for the Date and Time column. Event ID 13 from the same source marks a clean shutdown, and Event IDs 6005 and 6006 from EventLog (event log service started/stopped) bracket the same boundary; an Event ID 12 that is not preceded by a 13 or 6006 is usually accompanied by EventLog 6008 ("The previous system shutdown was unexpected") and points at a crash or power loss rather than a reboot.




Using Microsoft Log Parser for analysing log files

Date: 8/23/2020

Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®.


The application (Log Parser 2.2) has not been updated since April 20, 2005, but it is still quite useful for analysing log files. See the link below for the download location.

https://www.microsoft.com/en-us/download/details.aspx?id=24659

Example queries

Show me the latest 10 reboots of the local machine (Kernel-General Event ID 12 is logged at every OS start).

logparser "SELECT TOP 10 * FROM System WHERE (EventID = 12) AND (SourceName = 'Microsoft-Windows-Kernel-General') ORDER BY RecordNumber DESC" -i:EVT


Show me the latest 10 reboots of the local machine and save the result to reboot.csv (the output format is inferred from the .csv extension; -o:CSV makes it explicit).

logparser "SELECT TOP 10 * INTO C:/X/reboot.csv FROM System WHERE (EventID = 12) AND (SourceName = 'Microsoft-Windows-Kernel-General') ORDER BY RecordNumber DESC" -i:EVT -o:CSV


Show me the latest 10 reboots from a saved System event log and save the result to a CSV file. Ordering by RecordNumber rather than TimeGenerated keeps the rows in the order they were written even if the clock was changed between boots.

logparser "SELECT TOP 10 * INTO C:/X/reboot.csv FROM C:/X/system.evtx WHERE (EventID = 12) AND (SourceName = 'Microsoft-Windows-Kernel-General') ORDER BY RecordNumber DESC" -i:EVT -o:CSV



How to determine the timezone from exported system Windows Event log

Loading an exported Windows Event log in Event Viewer displays times in the local time zone of the machine doing the viewing, not of the machine that wrote the log; the file itself stores every event's SystemTime in UTC. To determine the time zone of the source machine, look for Event ID 6013 ("The system uptime is N seconds") from source/provider EventLog, which is logged at boot and then periodically. Its seventh data element (Details tab, XML view) holds the zone, for example "360 Central Standard Time".

Daylight saving time (DST) also has to be considered. The leading number is the standard-time bias in minutes west of UTC, so 360 Central Standard Time means UTC-6, and the source machine's local time is the stored UTC time minus 360 minutes. For events stamped while DST was in effect the offset is 300 minutes (UTC-5). The 6013 event does not say which applied, so check the zone's DST rules for the date of each event rather than applying one offset to the whole log.
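The script below is an added example, not code from the original post, covering both the "last reboot" question and this time zone section in one place. It opens an exported System log, recovers the source machine's zone from the seventh data element of the newest EventLog 6013 (the layout described above), and lists the most recent Kernel-General 12 events in UTC and in the source machine's local time with DST decided per event by the Windows zone rules, so the 360 versus 300 minute question is settled by the date of each event rather than by hand. The path C:\X\system.evtx is an assumption; pass -Path to point it elsewhere.

```powershell
# Added example (not from the original post): read an exported System log,
# recover the source machine's time zone from EventLog 6013 and print the
# last OS starts (Kernel-General 12) in UTC and in source-machine local time.
param(
    [string]$Path = 'C:\X\system.evtx',   # assumed location of the exported log
    [int]$Count = 10
)

function Get-SourceTimeZone {
    # 6013 ("The system uptime is N seconds") carries the zone as its 7th data
    # element, e.g. "360 Central Standard Time": standard-time bias in minutes
    # west of UTC, followed by the Windows time zone id.
    param([string]$LogPath)
    $xpath = "*[System[Provider[@Name='EventLog'] and EventID=6013]]"
    $ev = Get-WinEvent -Path $LogPath -FilterXPath $xpath -MaxEvents 1 -ErrorAction Stop
    $field = [string]$ev.Properties[6].Value
    if ($field -notmatch '^(?<bias>-?\d+)\s+(?<id>.+)$') { throw "Unexpected 6013 data: '$field'" }
    [pscustomobject]@{
        Bias = [int]$Matches.bias
        Zone = [TimeZoneInfo]::FindSystemTimeZoneById($Matches.id)
    }
}

function Get-OsStarts {
    # Newest Kernel-General 12 events; TimeCreated is converted to UTC first so
    # the viewing machine's own zone plays no part in the result.
    param([string]$LogPath, [TimeZoneInfo]$Zone, [int]$Max)
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=12]]"
    Get-WinEvent -Path $LogPath -FilterXPath $xpath -MaxEvents $Max -ErrorAction Stop | ForEach-Object {
        $utc = $_.TimeCreated.ToUniversalTime()
        [pscustomobject]@{
            RecordId         = $_.RecordId
            StartedUtc       = $utc
            StartedSourceLocal = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $Zone)
            DstInEffect      = $Zone.IsDaylightSavingTime($utc)
            OffsetMinutes    = -[int]$Zone.GetUtcOffset($utc).TotalMinutes   # 360 or 300 for Central
        }
    }
}

$src = Get-SourceTimeZone -LogPath $Path
Write-Host ("Source machine zone: {0} (standard bias {1} min west of UTC)" -f $src.Zone.Id, $src.Bias)
Get-OsStarts -LogPath $Path -Zone $src.Zone -Max $Count | Format-Table -AutoSize
```

Get-WinEvent returns events newest first, so -MaxEvents 1 on the 6013 query picks the most recent zone record; if the machine changed zones during the period the log covers, query all 6013 events and pair each start with the 6013 that precedes it.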




Wednesday, August 19, 2020

Run a task when specific event is logged in Windows Event Log

Running a task when a specific event is logged in the Windows Event Log is very useful for monitoring critical events. For example, you can run a task that sends an email when an event is logged saying a network interface went down; of course, that is only useful if the machine is multi-homed, otherwise the mail has no way out. Anyway, hopefully you get the idea.


Scenario:

Run a task when the message "Hello world" is logged to the 8thstring log with source 8thsource. It might make sense to see this blog for reference.


Steps:

  1. Open Task Scheduler (taskschd.msc /s)

  2. Create a task and name it, for example, TestRunTask

  3. Under the Triggers tab, select New...

  4. In the New Trigger window, select On an event for Begin the task, then select Custom and finally click New Event Filter...

  5. In the New Event Filter window, select the XML tab and enable Edit query manually. You can use the XML fragment below as reference:

<QueryList>
  <Query Id="0" Path="8thstring">
    <Select Path="8thstring">
        *[System[Provider[@Name='8thsource']]]
        and
        *[EventData[(Data='Hello world')]]
    </Select>
  </Query>
</QueryList>

  6. In the Actions tab click New...

  7. In the New Action window, type notepad in Program/script: and click OK

  8. Finally, click OK in the main dialog to save it.

  9. To test this, run the following in PowerShell (again assuming the 8thstring log and the 8thsource source already exist):

Write-EventLog -LogName 8thstring -Source 8thsource -Message "Hello world" -EventId 0 -EntryType Information


You should observe that a new instance of Notepad.exe starts in the current session.
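The same task built from PowerShell instead of the Task Scheduler UI, as an added example that is not part of the original post. New-ScheduledTaskTrigger has no event-trigger option, so the trigger is an MSFT_TaskEventTrigger CIM instance carrying the same XML query the UI accepts. The log name 8thstring, source 8thsource and task name TestRunTask are taken from the walkthrough; New-EventLog creating the log when it is missing is an assumption (the post expects it to exist already). It ends with a small audit function, because an event-triggered task is also a common persistence trick and you will want to be able to list such tasks on a machine you are examining. Run it elevated.

```powershell
# Added example (not from the original post): register the event-triggered task
# from PowerShell, fire it, confirm it ran, then list every event-triggered task.
$LogName    = '8thstring'
$SourceName = '8thsource'
$TaskName   = 'TestRunTask'

# Assumption: create the custom log/source if the earlier setup has not been done.
if (-not [System.Diagnostics.EventLog]::SourceExists($SourceName)) {
    New-EventLog -LogName $LogName -Source $SourceName
}

# Same query as in the UI walkthrough; provider name and Data text are literal matches.
$subscription = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[Provider[@Name='$SourceName']]]
      and
      *[EventData[(Data='Hello world')]]
    </Select>
  </Query>
</QueryList>
"@

# Event triggers are only reachable through the CIM class, not New-ScheduledTaskTrigger.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

$action = New-ScheduledTaskAction -Execute 'notepad.exe'
# Registered for the current user, interactive, so the Notepad window appears in this session.
Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Force | Out-Null

# Fire the trigger and check the run: LastTaskResult 0 and a fresh LastRunTime.
Write-EventLog -LogName $LogName -Source $SourceName -EventId 0 -EntryType Information -Message 'Hello world'
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object TaskName, LastRunTime, LastTaskResult

function Get-EventTriggeredTask {
    # Every task on the machine whose trigger is an event subscription, with the query it watches.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' } |
            ForEach-Object {
                [pscustomobject]@{
                    Task         = $task.TaskName
                    Path         = $task.TaskPath
                    Action       = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                    Subscription = $_.Subscription
                }
            }
    }
}

Get-EventTriggeredTask | Format-List
```

Remove the test task afterwards with Unregister-ScheduledTask -TaskName TestRunTask -Confirm:$false; the audit function is the part worth keeping, since it shows at a glance which tasks on a host fire on log events and what they execute.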


Debugging COM server using CDB/WinDbg combination

This applies to any application, but it is most useful for COM/DCOM servers and Windows services, which are started by the system (often in session 0, with no console you can attach to) rather than from your own shell. An Image File Execution Options (IFEO) Debugger value makes Windows launch the named debugger, with the target as its child, every time that image starts; cdb is a console debugger, so it can run in that context, and -server publishes the session so WinDbg can attach from an interactive session or from another machine.

For example, to debug the Notepad application remotely or from another session, add the following to the registry on the target computer from an elevated prompt:

c:\> reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe" /v debugger /t REG_SZ /d "\"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe\" -server tcp:port=5500 -g -G" /f

-g and -G skip the initial and final breakpoints, so the target runs without waiting for a debugger command. Use the cdb build that matches the bitness of the target: a 32-bit debugger cannot debug a 64-bit process, and Notepad on 64-bit Windows is a 64-bit process, so use Debuggers\x64\cdb.exe there; the x86 build above is right for a 32-bit target. When Notepad.exe is run it is started under cdb automatically. To connect to that cdb session from WinDbg:

c:\> "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -remote tcp:server=localhost,port=5500

Two cautions. The TCP debug server accepts any client that can reach the port and gives it full control of the debuggee, so keep it on localhost where you can, and if it must be reachable from another host add ,password=<secret> to both the -server and the -remote strings and firewall the port. And an IFEO Debugger value is a machine-wide, persistent hook that runs an arbitrary program, as every user, whenever that image starts, which is exactly why it is also a well-known persistence technique; delete the value (reg.exe DELETE "...\Image File Execution Options\Notepad.exe" /v debugger /f) as soon as the debugging session is over.
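The following is an added example, not code from the original post. It does the same IFEO registration as the reg.exe line above but picks the x86 or x64 cdb by reading the target's PE header, adds the optional password to the server string, and includes list and remove functions so the hook can be found and cleaned up afterwards (listing every IFEO Debugger value is also the check you would run when looking for this technique used as persistence). The Windows Kits path is assumed to be the default one; run it elevated.

```powershell
# Added example (not from the original post): IFEO debugger registration with
# bitness detection, plus audit and cleanup of IFEO Debugger values.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$KitRoot  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers'   # assumed install path

function Get-PeMachine {
    # Reads IMAGE_FILE_HEADER.Machine: 0x8664 = x64, 0x14C = x86, 0xAA64 = ARM64.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "$Path is not a PE file" }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                 # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { throw "$Path has no PE signature" }
    return [int][BitConverter]::ToUInt16($bytes, $peOffset + 4)       # Machine
}

function Set-IfeoDebugger {
    # Registers cdb -server as the IFEO debugger for the image name of $TargetPath.
    param(
        [Parameter(Mandatory)][string]$TargetPath,   # full path; used to pick the debugger bitness
        [int]$Port = 5500,
        [string]$Password                             # optional: protects the debug server
    )
    $arch = switch (Get-PeMachine -Path $TargetPath) {
        0x8664  { 'x64' }
        0x14C   { 'x86' }
        0xAA64  { 'arm64' }
        default { throw 'Unsupported PE machine type' }
    }
    $cdb = Join-Path $KitRoot "$arch\cdb.exe"
    if (-not (Test-Path $cdb)) { throw "Debugger not found: $cdb" }
    $server = "tcp:port=$Port"
    if ($Password) { $server += ",password=$Password" }
    $imageName = Split-Path -Leaf $TargetPath
    $key = Join-Path $IfeoRoot $imageName
    New-Item -Path $key -Force | Out-Null
    # -g skips the initial breakpoint, -G the final one, so the target runs until WinDbg connects.
    Set-ItemProperty -Path $key -Name Debugger -Value "`"$cdb`" -server $server -g -G"
    $client = $server -replace 'port=', 'server=localhost,port='
    Write-Host "Registered. Connect with: windbg.exe -remote $client"
}

function Get-IfeoDebugger {
    # Every IFEO subkey with a Debugger value: finds your own entry and anything else using the hook.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    }
}

function Remove-IfeoDebugger {
    # Removes only the Debugger value; other IFEO settings under the key are left alone.
    param([Parameter(Mandatory)][string]$ImageName)
    Remove-ItemProperty -Path (Join-Path $IfeoRoot $ImageName) -Name Debugger -ErrorAction SilentlyContinue
}

# Usage (paths are assumptions):
#   Set-IfeoDebugger -TargetPath C:\Windows\System32\notepad.exe -Port 5500 -Password s3cret
#   Get-IfeoDebugger
#   Remove-IfeoDebugger -ImageName notepad.exe
```

Get-IfeoDebugger is worth running on its own on any host you are investigating: a Debugger value pointing at anything other than a debugger you installed deserves a closer look.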

~ts
