Create Task to Run with Highest Privileges

' Creates a daily scheduled task that runs c:\setup\setup.cmd as SYSTEM at the highest run level.
On Error Resume Next

Dim WshShell, strWinDir, strCmdLine, lngExitCode
Const OpenAsCurrentWindowIsOpened = 10, WaitForExit = True

Set WshShell = CreateObject("WScript.Shell")
strWinDir = WshShell.ExpandEnvironmentStrings("%WINDIR%")

' Doubled quotes inside a VBScript string become literal quotes, so the command line run is:
' SCHTASKS.exe /create /SC DAILY /TN "My Script" /TR "c:\setup\setup.cmd" /RL HIGHEST /RU "NT AUTHORITY\SYSTEM"
strCmdLine = strWinDir & "\System32\SCHTASKS.exe /create /SC DAILY /TN ""My Script"" /TR ""c:\setup\setup.cmd"" /RL HIGHEST /RU ""NT AUTHORITY\SYSTEM"""

' Run synchronously and collect the exit code (0 = task created)
lngExitCode = WshShell.Run(strCmdLine, OpenAsCurrentWindowIsOpened, WaitForExit)

' With On Error Resume Next a failure to start SCHTASKS.exe would leave lngExitCode
' Empty, which compares equal to 0, so check Err before trusting the exit code.
If Err.Number <> 0 Then
    WScript.Echo "Could not start SCHTASKS.exe: " & Err.Description
    WScript.Quit 1
End If

If lngExitCode = 0 Then
    WScript.Echo "Success"
Else
    WScript.Echo "Failed with error code " & CStr(lngExitCode)
End If
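The same task built with the ScheduledTasks cmdlets (Windows 8 / Server 2012 and later), as an added example that is not part of the original script. It registers the same daily SYSTEM task at the highest run level, but first checks that neither the script file nor its directory is writable by anyone outside the administrators group: a SYSTEM task that executes a user-writable file lets any local user run code as SYSTEM. The function names, the 03:00 start time and the trusted-principal list are this example's own choices; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original page): PowerShell equivalent of the
# VBScript above, with an ACL check on the script before the task is created.

function Test-WritableByNonAdmins {
    param([Parameter(Mandatory)][string]$Path)
    # Principals expected to hold write access on something SYSTEM will execute.
    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # Generic rights (GENERIC_ALL = 268435456 and friends) show up as raw numbers
        # outside the FileSystemRights range; treat them as writable rather than
        # silently passing them.
        $rights = [int]$ace.FileSystemRights
        if ($rights -lt 0 -or $rights -gt 0x1F01FF -or ($rights -band [int]$writeBits) -ne 0) {
            return $true
        }
    }
    return $false
}

function Register-SystemDailyTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$At = '03:00'
    )
    if (-not (Test-Path -LiteralPath $ScriptPath -PathType Leaf)) {
        throw "Script not found: $ScriptPath"
    }
    if (Test-WritableByNonAdmins -Path $ScriptPath) {
        throw "Refusing to register '$TaskName': $ScriptPath is writable by a non-administrator"
    }
    # The directory matters too: a writable directory lets the file be replaced.
    $parent = Split-Path -Path $ScriptPath -Parent
    if (Test-WritableByNonAdmins -Path $parent) {
        throw "Refusing to register '$TaskName': directory $parent is writable by a non-administrator"
    }
    # Same settings as the SCHTASKS line in the script above:
    # /SC DAILY, /RL HIGHEST, /RU "NT AUTHORITY\SYSTEM", /TR "<script>"
    $action    = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force
}

# Usage: same task name and script as the VBScript above.
Register-SystemDailyTask -TaskName 'My Script' -ScriptPath 'C:\setup\setup.cmd'
```

The ACL check is deliberately conservative: an ACE it cannot interpret counts as write access, so the task is refused rather than created on an uncertain file.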

Remove Last Logged on User

Registry

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DontDisplayLastName /t REG_DWORD /d 1 /f

Or, using Group Policy

1. Click the Start button, type secpol.msc into the Start Search box, and press Enter to open the Local Security Policy Editor.

2. Navigate to Security Settings -> Local Policies -> Security Options.

3. In the right pane, double-click Interactive logon: Do not display last user name.

4. Select the Enabled radio button and click OK.

Notes

The last logged-on user name shown on the logon screen is stored under the LogonUI key; LastLoggedOnUser is the value that holds it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser

Windows – Hide User Account on Welcome Screen

1. Open Regedit: Start > Run > Regedit
2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
3. On the left, right-click Winlogon, click New and click Key.
4. Type SpecialAccounts and press Enter.
5. On the left, right-click SpecialAccounts, click New and click Key.
6. Type UserList and press Enter.
7. In the right panel of UserList, right-click an empty area, click New, then click DWORD (32-bit) Value.
8. Type the name of the user account you want to hide, for example Administrator.
9. Right-click the user account name and click Modify.
10. To hide the user account, type 0 and click OK.

Remember, you must do this for each user account you want to hide.

If you want to show the user account again, enter 1, instead of 0 at the last step.
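The same change scripted, as an added example that is not part of the original notes: one function writes the UserList value the steps above describe (0 hides the account, 1 shows it again), and a second lists every account currently hidden this way so the setting can be audited on a machine you did not configure yourself. The function names are this example's own; Get-LocalUser needs Windows 10 / Server 2016 or later, and the registry writes need an elevated prompt.

```powershell
# Added example (not from the original page): hide/show a Welcome screen account
# via Winlogon\SpecialAccounts\UserList and list the accounts hidden there.

$UserListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Set-WelcomeScreenAccountVisibility {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][bool]$Visible
    )
    # A typo would otherwise create a value for an account that never existed.
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        throw "Local account '$UserName' does not exist"
    }
    # Steps 3-6 above: create SpecialAccounts\UserList if it is missing
    # (-Force also creates the intermediate SpecialAccounts key).
    if (-not (Test-Path -LiteralPath $UserListPath)) {
        New-Item -Path $UserListPath -Force | Out-Null
    }
    # Steps 7-10: a DWORD named after the account, 0 = hidden, 1 = shown.
    $value = if ($Visible) { 1 } else { 0 }
    New-ItemProperty -Path $UserListPath -Name $UserName -PropertyType DWord -Value $value -Force | Out-Null
}

function Get-HiddenWelcomeScreenAccounts {
    # Returns one object per UserList entry set to 0, noting whether the
    # account still exists, which is what an audit of this key cares about.
    if (-not (Test-Path -LiteralPath $UserListPath)) { return @() }
    $key = Get-Item -LiteralPath $UserListPath
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) {
            [pscustomobject]@{
                UserName = $name
                Exists   = [bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue)
            }
        }
    }
}

# Usage: hide the built-in Administrator account, then list what is hidden.
Set-WelcomeScreenAccountVisibility -UserName 'Administrator' -Visible $false
Get-HiddenWelcomeScreenAccounts | Format-Table -AutoSize
```

To show the account again, call the first function with -Visible $true; that writes the 1 described in the last step above.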

Change Last Logged on User

Note: you can set %myVar% manually or pull the value dynamically. Originally, I read the user name I wanted from a specific registry key.

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v LastLoggedOnUser /d ".\%myVar%" /f

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI" /v LastLoggedOnSAMUser /d "%computername%\%myVar%" /f
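The two notes on the last logged-on user ("Remove Last Logged on User" and this one) touch the same screen from opposite directions, so here is one added example covering both; it is not part of the original notes. Get-LogonScreenLastUser reports whether the DontDisplayLastName policy is set and what LogonUI currently holds; Set-LogonScreenLastUser writes the two LogonUI values from the reg add commands above, but refuses when DontDisplayLastName is enabled, because the name is never displayed then and the write would silently do nothing visible; Disable-LogonScreenLastUser is the policy change from the earlier note. Function names are this example's own; run from an elevated prompt.

```powershell
# Added example (not from the original page): read and set the registry values
# behind the "last logged on user" display on the logon screen.

$PolicyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$LogonUIPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'

function Get-LogonScreenLastUser {
    $policy  = Get-ItemProperty -Path $PolicyPath  -ErrorAction SilentlyContinue
    $logonUI = Get-ItemProperty -Path $LogonUIPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DontDisplayLastName = [bool]$policy.DontDisplayLastName   # missing value -> $false
        LastLoggedOnUser    = $logonUI.LastLoggedOnUser
        LastLoggedOnSAMUser = $logonUI.LastLoggedOnSAMUser
    }
}

function Set-LogonScreenLastUser {
    param([Parameter(Mandatory)][string]$UserName)
    if ((Get-LogonScreenLastUser).DontDisplayLastName) {
        throw 'DontDisplayLastName is enabled: the last user name is never shown, so LogonUI values have no effect'
    }
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        throw "Local account '$UserName' does not exist"
    }
    # Same two values as the reg add commands above: ".\user" and "COMPUTER\user".
    Set-ItemProperty -Path $LogonUIPath -Name LastLoggedOnUser    -Value ".\$UserName"
    Set-ItemProperty -Path $LogonUIPath -Name LastLoggedOnSAMUser -Value "$env:COMPUTERNAME\$UserName"
}

function Disable-LogonScreenLastUser {
    # Equivalent of the reg add in "Remove Last Logged on User": DontDisplayLastName = 1.
    if (-not (Test-Path -LiteralPath $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name DontDisplayLastName -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage: show the current state, then point the logon screen at a chosen account.
Get-LogonScreenLastUser
Set-LogonScreenLastUser -UserName 'Administrator'
Get-LogonScreenLastUser
```

Run Disable-LogonScreenLastUser instead when the goal is the earlier note's: no account name shown at all.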

BitLocker Phases

The stages of BitLocker startup are as follows:

  • System integrity verification (if a TPM is present): Features of the computer and the Windows Boot Manager write values to the PCRs of the TPM as the boot process proceeds, including a measurement of the MBR executable code.
  • User authentication (optional): If user authentication is configured, the Windows Boot Manager collects a key from USB storage or a PIN from the user.
  • VMK retrieval: The Windows Boot Manager requests that the TPM decrypt the VMK. If the hashes of the measurements written to the PCRs match those taken when BitLocker was set up, the TPM will supply the VMK. If any measurement does not match the recorded value, the TPM does not supply the decryption key, and BitLocker gives the user the option to enter the recovery key.
  • Operating system startup: At this point, the Windows Boot Manager has validated the system integrity and now has access to the VMK. The VMK must be passed to the operating system loader; however, the Windows Boot Manager must avoid passing it to a potentially malicious operating system loader and thus compromising the security of the VMK. To ensure that the operating system loader is valid, the Windows Boot Manager verifies that operating system loader executables match a set of requirements. The Windows Boot Manager also verifies that the boot configuration data (BCD) settings have not been modified. It does so by comparing them to a previously generated digital signature known as a message authenticity check (MAC). The BCD MAC is generated using the VMK, ensuring that it cannot be easily rewritten. After the operating system loader is started, Windows can use the VMK to decrypt the FVEK and then use the FVEK to decrypt the BitLocker-encrypted volume. With access to the unencrypted data on the volume, Windows loads normally.

Prior to transitioning to the operating system, the OS Loader ensures that it will hand off at most one key (VMK) to the operating system. Prior to handing off the key to the operating system, the following conditions must apply:

  • All features, up to and including BOOTMGR, must be correct. If they are not correct, the VMK will not be available.
  • The VMK must be correct to validate the MAC of the metadata. BOOTMGR verifies this MAC.
  • OS Loader must be the loader approved by metadata associated with the VMK. Verified by BOOTMGR.
  • BCD settings must be the settings approved by metadata associated with the VMK. Verified by BOOTMGR.
  • The VMK must correctly decrypt the FVEK stored in the validated metadata. Verified by BOOTMGR.
  • The FVEK must successfully decrypt data stored on the volume. An incorrect FVEK will result in invalid executable code or invalid data. In some cases, this is caught by code integrity.
    • The Master File Table (MFT) must be encrypted by the correct FVEK to access all files.
    • Phase 0 drivers, including Fvevol.sys, must be encrypted by the correct FVEK.
    • Registry must be encrypted by the correct FVEK.
    • Kernel and Hardware Abstraction Layer (HAL) must be encrypted by the correct FVEK.
    • Phase 1 features must be encrypted by the FVEK because Fvevol.sys (encrypted by the FVEK) will only decrypt using the same FVEK.
    • Phase 2 features must also be encrypted by the FVEK as stated in the previous entry.

The last point is particularly important, and it is true only if the data on the volume is entirely encrypted. In other words, a volume in which encryption is paused halfway through is not secure.

How BitLocker Encrypts Data

BitLocker encrypts entire volumes. The contents of the volumes can be decrypted only by someone with access to the decryption key, known as the Full Volume Encryption Key (FVEK). Windows 7 actually stores the FVEK in the volume metadata; this is not a problem because the FVEK itself is encrypted using the Volume Master Key (VMK).

Both the FVEK and the VMK are 256 bits. The FVEK always uses AES encryption to protect the volume. By editing the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose Drive Encryption Method And Cipher Strength Group Policy setting, you can set the specific AES encryption strength to one of four values:

  • AES 128 bit with Diffuser (this is the default setting)
  • AES 256 bit with Diffuser (this is the strongest setting, but using it might negatively affect performance)
  • AES 128 bit
  • AES 256 bit

More Info: For more information about the encryption algorithms used and the use of diffusers, read “AES-CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista,” at http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf.

Windows Vista and Windows 7 encrypt and decrypt disk sectors on the fly as data is read and written (as long as the driver has access to the FVEK) using the FVE Filter Driver (Fvevol.sys). As shown in the figure below, the FVE Filter Driver, like all filter drivers, resides between the file system (which expects to receive the unencrypted contents of files) and the volume manager (which provides access to the volume). Therefore, applications and users are not aware of encryption when everything is functioning normally.

Encrypting and decrypting data do affect performance. While reading from and writing to a BitLocker-encrypted volume, some processor time will be consumed by the cryptographic operations performed by BitLocker. The actual impact depends on several factors, including caching mechanisms, hard drive speed, and processor performance. However, Microsoft has put great effort into implementing an efficient AES engine so that the performance impact on modern computers is minimal.

How to Manage BitLocker from the Command Line

To manage BitLocker from an elevated command prompt or from a remote computer, use the Manage-bde.exe tool.

This is how you delete (remove) the TPM protector:

1. manage-bde -protectors -get c:
2. Copy the TPM ID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} to the clipboard.
3. manage-bde -protectors -delete c: -id {paste TPM ID from clipboard}

* To delete any other protector, copy that protector's ID instead.

The following example demonstrates how to view the status.

manage-bde -status

BitLocker Drive Encryption:
Configuration Tool
Copyright (C) Microsoft Corporation.
All rights reserved.

Disk volumes that can be protected
with BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size: 		74.37 GB
    BitLocker Version:	Windows 7
    Conversion Status: 	Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method: 	AES 128 with Diffuser
    Protection Status: 	Protection On
    Lock Status: 	Unlocked
    Identification Field: None
    Key Protectors:
	TPM
	Numerical Password

Run the following command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password.

manage-bde -on C: -RecoveryKey Y: -RecoveryPassword

BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]
Key Protectors Added:
    Saved to directory Y:\

    External Key:
      ID: {7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC}
      External Key File Name:
	7B7E1BD1-E579-4F6A-8B9C-AEB626FE08CC.BEK

    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
      Password:
	460559-421212-096877-553201-389444-471801-362252-086284

    TPM:
      ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}

ACTIONS REQUIRED:

    1. Save this numerical recovery password in a secure location away from
    your computer:

    460559-421212-096877-553201-389444-471801-362252-086284

    To prevent data loss, save this password immediately. This password helps
    ensure that you can unlock the encrypted volume.

    2. Insert a USB flash drive with an external key file into the computer.

    3. Restart the computer to run a hardware test.
    (Type "shutdown /?" for command line instructions.)

    4. Type "manage-bde -status" to check if the hardware test succeeded.

NOTE: Encryption will begin after the hardware test succeeds.

After you run the command, restart the computer with the recovery key connected to complete the hardware test. After the computer restarts, BitLocker will begin encrypting the disk.

Run the following command to disable BitLocker on the C drive; this starts decrypting the volume.

manage-bde -off C:

To suspend protection instead, leaving the volume encrypted but with its key protectors disabled until they are re-enabled, use:

manage-bde.exe -protectors -disable C:

BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Decryption is now in progress.

You can also use the Manage-bde.exe script to specify a startup key and a recovery key, which can allow a single key to be used on multiple computers. This is useful if a single user has multiple computers, such as a user with both a Tablet PC computer and a desktop computer. It can also be useful in lab environments, where several users might share several different computers. Note, however, that a single compromised startup key or recovery key will require all computers with the same key to be rekeyed.

For detailed information about using Manage-bde.exe, run manage-bde.exe -? from a command prompt.
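Two of the steps above are done by eye: reading manage-bde -status and copying a protector ID out of manage-bde -protectors -get. As an added example that is not part of the original notes, the block below parses both outputs into objects so the state can be checked in a script. ConvertFrom-ManageBdeStatus yields one object per volume; Test-BitLockerVolume applies the checks the BitLocker notes above argue for (protection on, fully encrypted, a TPM protector and a recovery password present); Get-ProtectorIds extracts the "Type:" / "ID: {guid}" pairs. Function names and the compliance rules are this example's own, the sample text is a constructed copy of the status and protector output shown on this page, and the parsers assume that same layout.

```powershell
# Added example (not from the original page): parsers for manage-bde output plus
# a small compliance check, exercised against constructed sample text.

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $volumes = @(); $current = $null; $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(?<drive>[A-Za-z]:)\s*\[(?<label>.*)\]') {
            # Start of a volume block: "Volume C: [label]"
            $current = [ordered]@{ Drive = $Matches.drive; Label = $Matches.label; KeyProtectors = @() }
            $volumes += $current
            $inProtectors = $false
        }
        elseif ($null -ne $current -and $line -match '^\s+(?<key>[^:]+):\s*(?<value>.*)$') {
            # Indented "Name: value" line, e.g. "Conversion Status: Fully Encrypted"
            $key = $Matches.key.Trim() -replace '\s+', ''
            $inProtectors = ($key -eq 'KeyProtectors')
            if ($Matches.value.Trim()) { $current[$key] = $Matches.value.Trim() }
        }
        elseif ($inProtectors -and $line -match '^\s+(?<name>\S.*?)\s*$') {
            # Indented names listed under "Key Protectors:"
            $current.KeyProtectors += $Matches.name
        }
    }
    foreach ($v in $volumes) { [pscustomobject]$v }
}

function Test-BitLockerVolume {
    param([Parameter(Mandatory)]$Volume)
    $issues = @()
    if ($Volume.ProtectionStatus -ne 'Protection On')    { $issues += "protection is '$($Volume.ProtectionStatus)'" }
    # A half-encrypted volume is not secure (see the BitLocker phases note above).
    if ($Volume.ConversionStatus -ne 'Fully Encrypted')  { $issues += "conversion status is '$($Volume.ConversionStatus)'" }
    if ($Volume.KeyProtectors -notcontains 'TPM')        { $issues += 'no TPM protector' }
    if ($Volume.KeyProtectors -notcontains 'Numerical Password') { $issues += 'no recovery password protector' }
    [pscustomobject]@{ Drive = $Volume.Drive; Compliant = ($issues.Count -eq 0); Issues = $issues }
}

function Get-ProtectorIds {
    param([Parameter(Mandatory)][string[]]$Lines)
    $type = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<type>[A-Za-z][A-Za-z ]*):\s*$') {
            $type = $Matches.type        # header such as "TPM:" or "Numerical Password:"
        }
        elseif ($type -and $line -match 'ID:\s*(?<id>\{[0-9A-Fa-f-]{36}\})') {
            [pscustomobject]@{ Type = $type; Id = $Matches.id }
            $type = $null
        }
    }
}

# Constructed sample: a copy of the "manage-bde -status" output shown above.
$SampleStatus = @'
BitLocker Drive Encryption: Configuration Tool version 6.1.7100
Volume C: []
[OS Volume]

    Size:                 74.37 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
'@
# Constructed sample: the protector listing format from "Key Protectors Added" above.
$SampleProtectors = @'
    Numerical Password:
      ID: {75A76E33-740E-41C4-BD41-48BDB08FE755}
    TPM:
      ID: {E6164F0E-8F85-4649-B6BD-77090D49DE0E}
'@

$volumes = ConvertFrom-ManageBdeStatus -Lines ($SampleStatus -split "`r?`n")
$volumes | ForEach-Object { Test-BitLockerVolume -Volume $_ } | Format-List
Get-ProtectorIds -Lines ($SampleProtectors -split "`r?`n") | Where-Object Type -eq 'TPM'

# Live use from an elevated prompt (manage-bde returns its output as lines):
#   ConvertFrom-ManageBdeStatus -Lines (manage-bde -status) | ForEach-Object { Test-BitLockerVolume -Volume $_ }
#   $tpm = Get-ProtectorIds -Lines (manage-bde -protectors -get C:) | Where-Object Type -eq 'TPM'
#   manage-bde -protectors -delete C: -id $tpm.Id
```

The live lines at the bottom replace the clipboard step in "delete the TPM protector": the ID is read from the -get output and passed straight to -delete.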

MAC – DMG Files

Building DMG Images

On Mac OS X, applications are usually distributed using disk images (DMGs). These images are mounted as a separate volume, and it often suffices to drag the application out of the image into your Applications folder. A nice extra feature of these disk images is that their look can be customized, just like that of every other folder under Mac OS X.

This document explains how such DMG files with a customized look can be built. Moreover, a Makefile is provided such that, once a template look is created for a DMG, the process of building a DMG file from a set of files can be fully automated.

Creating the template

First, we’ll start by specifying how our disk image should look when it is mounted (and opened). If you don’t need a fancy look, you can skip this section; the Makefile provided at the end of the page will automatically create a default template if you don’t create one yourself.

  1. Using Disk Utility (which comes with Mac OS X), create a new disk image, and call it template.dmg. Select a size which is more than enough to store the contents you plan to put in the final DMG. The Encryption and Format settings (None and r/w respectively) should be left untouched. Then, create your image by clicking Create.
  2. Open the newly created image.
  3. From the View menu of Finder, choose Show View Options. You can now customize the way your folder will look. Be careful: don’t forget to select This window only, so that your changes apply only to the current folder. Using the View menu, you can change the look of the window even further. Also note that, if you choose a background picture, the picture file must reside in the image itself. It is common to create a (hidden) directory .background in the root dir of the image, drop the background picture there, and then select it as the background. Use Cmd-Shift-G in combination with the full path (e.g. /Volumes/MyDisk/.background) to open the hidden directory in Finder and copy your picture there (or, alternatively, use Terminal). The Select button in the View menu seems to open the .background dir by default if it exists. If not, also use Cmd-Shift-G.
  4. Drag all the files you want in your image into the volume, and place them exactly where you want them. Assign icons to the files by control-clicking on the icons and using the Show Info dialog. Note that the actual contents of the files in the template do not matter if you are planning to use the automatic build; they will be overwritten anyway. Hence, you will get the most compact template if all your files are empty.
  5. Customize the icon of the disk image in the same way as the other icons, only this time by control-clicking on the disk image icon on the desktop.
  6. Eject the disk image.
  7. Since the template.dmg file will be quite big, you probably want to compress it using bzip2. This is not strictly necessary, but if you created an initial disk size of 40M, using bzip2 you can reduce this to only 1M.

If all went well, you should now have a template.dmg(.bz2) which, when you open it, has a custom icon on the desktop, and looks exactly how you would like the final disk image to be. Now all we need to do is fill it up with the right files.

Manually building the final DMG

The easiest (but least efficient) way to create a final DMG is by doing it by hand. If you want to do this manually, I assume that you dragged the exact files you want the image to contain in the previous section. All you have to do then is:

  1. Open Disk Utility
  2. Select the image you created in the previous step
  3. Select Convert… from the Images menu
  4. Enter the name you want your final image to get
  5. Select Compressed as your Image Format
  6. Click Save

That’s it, your final DMG should be ready for distribution.

Automatically building the final DMG

Using the template we just created, we can now automatically build a DMG with the actual files. All you need to do is download this Makefile, modify the values at the top of the file, and run make. Alternatively, you can include the Makefile from within another Makefile after setting the proper values, as is illustrated in the example of the fancy-dmg package (also available from the Git repository).

The values that can be modified are:

  • NAME: The name of your application. This name will appear as the volume name of your disk image.
  • VERSION: The version number of your package. This is used in the filename of the final disk image.
  • SOURCE_DIR: The directory where the files you want in your disk image reside.
  • SOURCE_FILES: The names of the files (without the directory prefix) you want in your source image.
  • TEMPLATE_DMG: The name of the template DMG file (without the .bz2 extension if it was compressed)

Note that you don’t really need a template.dmg. If the Makefile can’t find one, it will create its own, default disk image.