
Posts

Showing posts from August, 2020

How to fix The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests

I was trying to add the Remote Desktop Licensing role to a server but it failed with "The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests." One potential cause of the failure is that Allow Remote Shell Access is disabled in local or domain policy. Start by looking at the local policy: run gpedit.msc and navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Remote Shell. Inside Windows Remote Shell look for Allow Remote Shell Access and ensure it is set to Enabled or Not Configured. If it is Not Configured in the local policy and adding the role still fails, then it must be set from the domain policy. Keep in mind that enabling it in a domain policy turns on WinRM remote shells on every computer the GPO applies to, so a GPO scoped to the servers that need it is preferable to editing the default policies. To edit domain policy, log in to the Active Directory server, run gpmc.msc and edit either Default Domain Policy or Default Domai...

How to determine when was the last time the machine was rebooted from exported System Windows Event log

An exported System Windows Event log provides a ton of useful information for digital forensics. One piece of information that is often important is when the machine was last (re)started. To find the last (re)start, sort on the Date and Time column and then look for the newest event whose Source is Kernel-General and whose Event ID is 12 (the kernel logs this at operating system start), see below for reference. Remember that the Date and Time column is rendered in the time zone of the machine you open the log on, not the machine that produced it.

Using Microsoft Log Parser for analysing log files

Date: 8/23/2020

Log Parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. The application has not been updated since April 20, 2005 but it is still quite useful for analyzing log files. See the link below for the download location: https://www.microsoft.com/en-us/download/details.aspx?id=24659

Example queries

Show me the latest 10 reboots of the local machine:

logparser "SELECT TOP 10 * FROM System WHERE (EventID = 12) AND (SourceName = 'Microsoft-Windows-Kernel-General') ORDER BY RecordNumber DESC" -i:EVT

Show me the latest 10 reboots of the local machine and save the result to reboot.csv:

logparser "SELECT TOP 10 * INTO C:/X/reboot.csv FROM System WHERE (EventID = 12) AND (SourceName = 'Micro...

How to determine the timezone from exported system Windows Event log

Loading an exported Windows Event log in the Event Viewer application displays timestamps in the local time of the machine doing the viewing, while the log itself stores them in UTC. To determine the time zone of the machine that produced the log, look for Event ID 6013 from source/provider EventLog and read the seventh data element, see below for reference. Another thing to note is that you have to account for daylight saving time (DST). In the above example the value is 360 Central Standard Time, i.e. 360 minutes west of UTC or UTC-6, but when DST was in effect at the time of the event the effective offset is 300 minutes (UTC-5, Central Daylight Time), so you subtract 300 minutes from the stored UTC time rather than 360 to get the source machine's local time.
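The two checks above (last boot from Kernel-General event 12, source time zone from the seventh data element of EventLog 6013), done with Get-WinEvent against the exported .evtx instead of Log Parser. This is an added example, not code from the original posts; the file path, the event id 1000-style assumptions are not needed here, but the location of the time zone string at property index 6 and the sample path C:\X\System.evtx are assumptions. Resolving the zone through .NET TimeZoneInfo is what makes the DST caveat come out right automatically.

```powershell
# Added example (not from the original posts). Reads an exported System log with
# Get-WinEvent in place of Log Parser. Assumptions: the .evtx path below, and that
# the seventh data element (index 6) of EventLog 6013 holds "<minutes> <zone name>".
$EvtxPath = 'C:\X\System.evtx'   # assumed location of the exported log

function Get-LastBoot {
    param([string]$Path = $EvtxPath, [int]$Count = 10)
    # Kernel-General 12 = "The operating system started at system time ...".
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-Kernel-General'] and EventID=12]]"
    Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object -First $Count |
        ForEach-Object {
            [pscustomobject]@{
                RecordId = $_.RecordId
                # TimeCreated is rendered in the analyst's zone; ToUniversalTime() gives the stored UTC value.
                TimeUtc  = $_.TimeCreated.ToUniversalTime()
            }
        }
}

function Get-SourceTimeZone {
    param([string]$Path = $EvtxPath)
    $xpath = "*[System[Provider[@Name='EventLog'] and EventID=6013]]"
    $ev = Get-WinEvent -Path $Path -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev -or $ev.Properties.Count -lt 7) { return $null }
    # e.g. "360 Central Standard Time": minutes west of UTC, then the zone's standard name (assumed layout).
    $raw = [string]$ev.Properties[6].Value
    if ($raw -notmatch '^\s*(\d+)\s+(.+?)\s*$') { return $null }
    $minutes = [int]$Matches[1]
    $name    = $Matches[2]
    try {
        # On Windows the zone id equals the standard name, so the OS supplies the DST rules.
        $tz = [TimeZoneInfo]::FindSystemTimeZoneById($name)
    } catch {
        # Unknown zone: fall back to a fixed offset, which ignores DST (the trap described above).
        $tz = [TimeZoneInfo]::CreateCustomTimeZone($name, [TimeSpan]::FromMinutes(-$minutes), $name, $name)
    }
    [pscustomobject]@{ RawValue = $raw; StandardOffsetMinutes = -$minutes; TimeZone = $tz }
}

function ConvertTo-SourceLocalTime {
    param([Parameter(Mandatory)][datetime]$Utc, [Parameter(Mandatory)][TimeZoneInfo]$TimeZone)
    # ConvertTimeFromUtc applies the zone's DST rule for that date (UTC-5 in summer for Central).
    [TimeZoneInfo]::ConvertTimeFromUtc([DateTime]::SpecifyKind($Utc, 'Utc'), $TimeZone)
}

# Usage: list the last boots in both stored UTC and the source machine's local time.
$zone = Get-SourceTimeZone
Get-LastBoot | ForEach-Object {
    $local = if ($zone) { ConvertTo-SourceLocalTime -Utc $_.TimeUtc -TimeZone $zone.TimeZone } else { $null }
    [pscustomobject]@{ RecordId = $_.RecordId; TimeUtc = $_.TimeUtc; SourceLocalTime = $local }
}
```

If 6013 is missing from the export (it is only logged on the uptime schedule), Get-SourceTimeZone returns $null and the listing falls back to UTC only, which is the honest answer rather than a guessed offset.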

Run a task when specific event is logged in Windows Event Log

Running a task when a specific event is logged in the Windows Event Log can be very useful when monitoring critical events. For example, you can run a task that sends out an email when an event is logged saying that a network interface is down. Of course, this will only be useful if the machine is multi-homed. Anyway, hopefully you get the idea.

Scenario: Run a task when a message "Hello world" is logged to the 8thstring log and the source is 8thsource. It might make sense to see this blog for reference.

Steps:
1. Open Task Scheduler (taskschd.msc /s)
2. Create a task
3. Name it, for example TestRunTask
4. Under the Triggers tab, select New...
5. In the New Trigger window, select On an event for Begin the task, then select Custom and finally click on New Event Filter...
6. In the New Event Filter window, select the XML tab then enable Edit query manually
7. You can use the XML fragment below as reference

<QueryList>
  <Query Id="0" Path="8thstring">
    ...
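The scenario above carried through in PowerShell, as an added example that is not part of the original post: create the 8thstring log and 8thsource source, build the same query XML you would paste into Edit query manually, validate it with Get-WinEvent before trusting it, and register a task whose event trigger uses that query. The log and source names come from the post; event id 1000, the task name TestRunTask and the action (append a timestamp to C:\X\hit.txt) are my choices, and New-EventLog and Register-ScheduledTask both need an elevated prompt.

```powershell
# Added example (not from the original post). Assumptions: log 8thstring and
# source 8thsource as in the post; event id 1000, task name TestRunTask and the
# file C:\X\hit.txt are my choices. Run elevated.
$LogName = '8thstring'
$Source  = '8thsource'

# Same XML as the Task Scheduler filter; both conditions must hold:
# provider is 8thsource and one EventData element equals "Hello world".
$Query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[Provider[@Name='$Source']]] and *[EventData[Data='Hello world']]
    </Select>
  </Query>
</QueryList>
"@

function Initialize-TestLog {
    # Creates the custom log and registers the source the first time only.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }
}

function Write-TestEvent {
    param([string]$Message = 'Hello world')
    Write-EventLog -LogName $LogName -Source $Source -EventId 1000 -EntryType Information -Message $Message
}

function Test-TriggerQuery {
    # Returns the events the trigger would fire on; empty output means the filter is wrong.
    Get-WinEvent -FilterXml ([xml]$Query) -ErrorAction SilentlyContinue
}

function Register-EventTriggeredTask {
    param([string]$TaskName = 'TestRunTask')
    # Event triggers are not exposed by New-ScheduledTaskTrigger, so build the CIM instance directly.
    $class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = $Query
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument '-NoProfile -Command "Add-Content -Path C:\X\hit.txt -Value (Get-Date)"'
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Force
}

# Usage: register first, then log the event and confirm the query matches it.
Initialize-TestLog
Register-EventTriggeredTask
Write-TestEvent            # the task should fire within a few seconds of this
Test-TriggerQuery | Select-Object TimeCreated, ProviderName, Message
```

Writing a message other than "Hello world" (for example Write-TestEvent -Message 'Hello there') and seeing Test-TriggerQuery stay empty is the quickest way to confirm the Data comparison is exact rather than a substring match.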

Debugging COM server using CDB/WinDbg combination

This actually applies to any application but is most useful for COM/DCOM servers and Windows services, which are started by the system rather than by you. For example, to debug the Notepad application remotely or from another session, add the following to the registry on the target computer:

c:\> reg.exe ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe" /v debugger /t REG_SZ /d "\"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe\" -server tcp:port=5500 -g -G" /f

When Notepad.exe is run it will automatically start under the debugger (cdb), which listens as a remote debug server on TCP port 5500 (-g and -G skip the initial and final breakpoints). Two caveats: the Image File Execution Options Debugger value is also a well-known persistence hook, so remove it as soon as the session is over, and the TCP server accepts any client that can reach the port unless you append password=... to the transport string. To connect to the cdb session using WinDbg, do

c:\> "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -remote tcp:server=localhost,port=5500 ~ts
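An added example, not code from the original post, that wraps the same IFEO hook in set/audit/remove functions: it writes the Debugger value the reg.exe command above writes (optionally with a password on the transport), lists every image on the host that currently has a Debugger value so a stray or malicious entry stands out, and removes the Notepad entry when debugging is done. The cdb path is the post's; checking the WOW6432Node view as well is my assumption for a 64-bit host, and the functions only touch keys that exist.

```powershell
# Added example (not from the original post). Paths are the post's; the extra
# WOW6432Node root is an assumption for 64-bit hosts and is skipped if absent.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # One object per image with a Debugger value; review anything you did not set yourself.
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; Key = $_.Name }
            }
        }
    }
}

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)][string]$Image,        # e.g. Notepad.exe
        [Parameter(Mandatory)][string]$DebuggerExe,  # full path to cdb.exe
        [int]$Port = 5500,
        [string]$Password                            # if set, clients must pass password=... to attach
    )
    if (-not (Test-Path -LiteralPath $DebuggerExe)) { throw "debugger not found: $DebuggerExe" }
    $server = "tcp:port=$Port"
    if ($Password) { $server += ",password=$Password" }
    $key = Join-Path $IfeoRoots[0] $Image
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Same value the reg.exe command writes: "<cdb>" -server tcp:port=5500 -g -G
    Set-ItemProperty -Path $key -Name Debugger -Value "`"$DebuggerExe`" -server $server -g -G"
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)
    foreach ($root in $IfeoRoots) {
        $key = Join-Path $root $Image
        if (Test-Path $key) { Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue }
    }
}

# Usage: hook Notepad, check what is hooked on this host, then unhook when done.
Set-IfeoDebugger -Image 'Notepad.exe' -DebuggerExe 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe' -Password 'debug-only'
Get-IfeoDebugger | Format-Table -AutoSize
Remove-IfeoDebugger -Image 'Notepad.exe'
```

Get-IfeoDebugger is worth running on its own during an investigation: a Debugger value pointing at anything other than a debugger you installed is the classic shape of this persistence technique.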