Fix Dual Username on UAC

email me

One quite annoying UAC problem I’ve seen a few times is when UAC appears, there are two or double account names.

 

Run this from an admin prompt to remove the double UAC credentials that appear on the UAC dialog box:

Windows 7

REG.EXE DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}” /f

Windows 10

REG.EXE DELETE “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{4B2F0B15-CB86-40FD-8139-D8E4E5A4AEAD}” /f

 

Notes
Depending on the current operating system configuration and existing authentication mechanisms (e.g. biometric devices), other Windows Credential Providers may still be visible. The following is a list of default Windows 7 Credential Providers CLSIDs and can be used as a reference, to hide other Credential Providers using the group policy as well:

Windows 7

Credential Provider CLSID
GenericProvider  {25CBB996-92ED-457e-B28C-4774084BD562}
NPProvider  {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
VaultCredProvider  {503739d0-4c5e-4cfd-b3ba-d881334f0df2}
PasswordProvider  {6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
Password Provider\LogonPasswordReset  {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
Smartcard Credential Provider  {8bf9a910-a8ff-457f-999f-a5ca10b4a885}
Smartcard Pin Provider  {94596c7e-3744-41ce-893e-bbf09122f76a}
WinBio Credential Provider  {AC3AC249-E820-4343-A65B-377AC634DC09}
CertCredProvider  {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}


Windows 10

Credential Provider CLSID
Smartcard Reader Selection Provider {1b283861-754f-4022-ad47-a5eaaa618894}
Smartcard WinRT Provider {1ee7337f-85ac-45e2-a23c-37c753209769}
PicturePasswordLogonProvider {2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
GenericProvider {25CBB996-92ED-457e-B28C-4774084BD562}
NPProvider {3dd6bec0-8193-4ffe-ae25-e08e39ea4063}
CngCredUICredentialProvider {600e7adb-da3e-41a4-9225-3c0399e88c0c}
PasswordProvider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
PasswordProvider\LogonPasswordReset {8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
FaceCredentialProvider {8AF662BF-65A0-4D0A-A540-A338A999D36F}
Smartcard Credential Provider {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
Smartcard Pin Provider {94596c7e-3744-41ce-893e-bbf09122f76a}
WinBio Credential Provider {BEC09223-B018-416D-A0AC-523971B639F5}
IrisCredentialProvider {C885AA15-1764-4293-B82A-0586ADD46B35}
PINLogonProvider {cb82ea12-9f71-446d-89e1-8d0924e1256e}
NGC Credential Provider {D6886603-9D2F-4EB2-B667-1971041FA96B}
CertCredProvider {e74e57b0-6c6d-44d5-9cda-fb2df5ed7435}
WLIDCredentialProvider {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}

* these also apply to duplicate usernames on the logon screen

 

References

http://www.bdragon.com/lair/2011/06/windows-7-log-on-screen-show-your-user-profile-instead-of-fingerprint/

https://community.sophos.com/kb/en-us/114190

http://softwarefileprotection.com/how-to-hide-credential-providers-from-the-windows-logon-user-interface

 

tags: dual, duplicate, login screen, user screen, welcome screen

Disable Firewall Remotely

email me

How to remotely disable the firewall on a Windows machine.

psexec \\MACHINENAME -u administrator -p PASSWORD netsh advfirewall set allprofiles state off


Notes

netsh advfirewall set currentprofile state on

netsh advfirewall set currentprofile state off


netsh advfirewall set currentprofile state on

Domain network

Turn on Domain network firewall:
netsh advfirewall set domainprofile state on

Turn off domain network firewall:
netsh advfirewall set domainprofile state off

Private network

Turn on private network firewall:
netsh advfirewall set privateprofile state on

Turn off private network firewall:
netsh advfirewall set privateprofile state off


Public network

Turn on public network firewall:
netsh advfirewall set publicprofile state on

Turn off public network firewall:
netsh advfirewall set publicprofile state off

 

Configure for all networks

Turn on firewall for all networks:
netsh advfirewall set allprofiles state on

Turn off firewall for all networks:
netsh advfirewall set allprofiles state off

HP 840 G1 Driver Installation

email me

I was working on creating an image, and these were the drivers with silent options:

SP64652 – NETWORK CARD
setup -s

SP68390 – INTEL VIDEO
setup -s

SP69766 – USB 3.0
setup.exe -s

SP66055 – HP 3D DRIVEGUARD
this to get MSI: setup.exe /a /s /v”/qb TARGETDIR=c:\test\
this to install Msiexec /i “HP 3D Driveguard.msi” /qn Reboot=ReallySuppress
* I noticed the driver, .inf, and sys files still had to be injected into the WIM to work correctly.

SP66901 – INTEL CHIPSET
setup.exe -s

SP66327 – WIRELESS NETWORK CARD
install\setup.exe -s

SP66854 – SMARTCARD REALTEK
setup.exe -s

SP65750 – BLUETOOTH
Win7\vs64\Setup.exe /qn REBOOT=ReallySuppress
MSI: Msiexec /i Intel Bluetooth.msi /qn /norestart

SP67047 – INTEL MANAGEMENT ENGINE
setup.exe -s

SP64626 – RAPID STORAGE
SetupRST.exe -s

SP66915 – HPPTV FINGERPRINTER
HPPTVFSSetup.exe /silent

Set Registry Key Permissions

email me

Managing Windows Registry with Scripting

Method 1 – SetACL.exe

referenced site

SetACL.exe -on “HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}” -ot reg -actn setowner -ownr n:Administrators

SetACL.exe -on “HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}” -ot reg -actn ace -ace “n:Administrators;p:full”

Method 2 – PowerShell

referenced site

$acl = Get-Acl HKLM:\SOFTWARE\ChangeThisKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule (“ComputerName\UserName”,”FullControl”,”Allow”)
$acl.SetAccessRule($rule)
$acl | Set-Acl -Path HKLM:\SOFTWARE\ChangeThisKey

Method 3 – Regini.exe

Referenced site

regini.exe -m \\remoteworkstation auoptions.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update “ConfigVer”= REG_DWORD 1 “AUOptions”= REG_DWORD 4 “ScheduledInstallDay”= REG_DWORD 0 “ScheduledInstallTime”= REG_DWORD 1

Method 4 – Subinacl.exe

referenced site

subinacl /subkeyreg “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList” /grant=Domain\GroupName=F

The valid permissions for a registry key using subinacl are

F : Full Control

R : Read

A : ReAd Control

Q : Query Value

S : Set Value

C : Create SubKey

E : Enumerate Subkeys

Y : NotifY

L : Create Link

D : Delete

W : Write DAC

O : Write Owner

Method 5 – VBScript

referenced site

cscript /nologo RegPerm.vbs ACTION=SHOW

TARGET=”SWYNKPC001\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”

If you omit computer name entry in the target registry path, the script will set the permissions on the local system:

cscript /nologo RegPerm.vbs ACTION=SHOW
TARGET=”HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”

Setting permissions requires providing two additional parameters: ACCOUNT and PERM. Domain accounts need to be specified in the format DOMAIN\AccountName, e.g. SWYNK\MPolicht (for MPolicht account in the SWYNK domain). If the account is local, you can use the format COMPUTERNAME\AccountName or simply AccountName. PERM parameter can take one of the following values:

FULL
WRITE
READ
NOACCESS
“” (empty string)

FULL grants the account you specified with ACCOUNT parameter full control over the key. WRITE allows writing to the registry key by setting three individual permissions (KEY_SET_VALUE, KEY_CREATE_SUB_KEY, and READ_CONTROL). NOACCESS denies Full Control to the key, which effectively prevents any type of access. Finally, if PERM is set to an empty string , the account is removed from the list of Access Control Entries. Note, that removing the account from the list of ACEs is different from setting NOACCESS permissions. The latter will always prevent access for a given account, the former might still allow access if a group that account is a member of has some type of permissions granted.

The permissions set with the script will overwrite any of the existing permissions, but only for the account you specify. They will also be granted only to the key itself (and all of its values), but will not propagate to any of the subkeys. However, you can use the INH input parameter (which can be set to values YES or NO), which determines the permissions inheritance by all subkeys created afterwards. Setting INH to YES, will cause permissions set by the script on the top level key to be inherited by any new subkeys. Correspondingly, setting INH to NO (default) will ensure that permissions on any new subkeys will not contain the ACE set by the script. Note that the INH parameter only affects the entry for the single user account that you specified when running the script.

Here are a few examples of using the SET option:

cscript /nologo RegPerm.vbs ACTION=SET
TARGET=”SWYNKPC001\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”
ACCOUNT=SWYNK\MPolicht PERM=FULL INH=NO
will grant the Full Control permissions for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows key on the SWYNKPC001 computer to the SWYNK\MPolicht account and prevent inheritance.

cscript /nologo RegPerm.vbs ACTION=SET
TARGET=”SWYNKPC001\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”
ACCOUNT=SWYNK\MPolicht PERM=READ
will change these permissions to Read (and maintain inheritance settings, since NO is the default)

cscript /nologo RegPerm.vbs ACTION=SET
TARGET=”SWYNKPC001\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”
ACCOUNT=SWYNK\MPolicht PERM=
will remove entry for SWYNK\MPolicht account from the list of Access Control Entries.

NOTE: the script requires ADsSecurity.dll to be present and registered on the system from which the script is running. As mentioned before, this DLL is included in the ADSI 2.5 Software Development Kit (SDK) downloadable from the Microsoft Web site.

‘//////////////////////////////////////////////////////////////////////////
‘/// Name: RegPerm.vbs
‘/// Version: 1.0
‘/// Date: 09/01/02
‘/// Purpose: displaying and setting permissions on the registry keys
‘/// OS: Windows 2000, XP
‘/// Reqs: ADsSecurity.dll (registered)
‘/// Syntax: cscript /nologo RegPerm.vbs ACTION=SET TARGET=Registry_Key _
‘/// ACCOUNT=Domain\Account PERM=Read|Change|Full|NoAccess INH=YES|NO”
‘/// where ACTION is set to SHOW or SET (to display or set permissions)”
‘/// TARGET is full path to registry key (computer name is optional)
‘/// e.g. “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”
‘/// if computer name is omitted, local system is used
‘/// ACCOUNT is user or group in DOMAIN\AccountName format
‘/// PERM specifies type of permissions to be set
‘/// INH determines permission inheritance (Yes or No)
‘//////////////////////////////////////////////////////////////////////////

Option Explicit
‘On Error Resume Next

‘////////////////////////////////////////////////////
‘/// Constant Declarations

‘////////////////////////////////////////////////////
‘/// Access Control Entry Inheritance Flags
‘/// Allowed values for the IADsAccessControlEntry::AceFlags property.

const ADS_ACEFLAG_UNKNOWN = &h1

‘/// child objects will inherit ACE of current object
const ADS_ACEFLAG_INHERIT_ACE = &h2
‘/// prevents ACE inherited by the object from further propagation
const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
‘/// indicates ACE used only for inheritance (it does not affect permissions
on object itself)
const ADS_ACEFLAG_INHERIT_ONLY_ACE = &h8
‘/// indicates that ACE was inherited
const ADS_ACEFLAG_INHERITED_ACE = &h10
‘/// indicates that inherit flags are valid (provides confirmation of valid
settings)
const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &h1f
‘/// for auditing success in system audit ACE
const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &h40
‘/// for auditing failure in system audit ACE
const ADS_ACEFLAG_FAILED_ACCESS = &h80

‘//////////////////////////////////////////////////
‘/// Access Control Entry Type Values
‘/// Allowed values for the IADsAccessContronEntry::AceType property.

const ADS_ACETYPE_ACCESS_ALLOWED = 0
const ADS_ACETYPE_ACCESS_DENIED = &h1
const ADS_ACETYPE_SYSTEM_AUDIT = &h2
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &h6
const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &h7

‘//////////////////////////////////////////////////
‘/// Registry Permission Type Values

Const KEY_QUERY_VALUE = &H0001
Const KEY_SET_VALUE = &H0002
Const KEY_CREATE_SUB_KEY = &H0004
Const KEY_ENUMERATE_SUB_KEYS = &H0008
Const KEY_NOTIFY = &H0010
Const KEY_CREATE_LINK = &H0020
Const DELETE = &H00010000
Const READ_CONTROL = &H00020000
Const WRITE_DAC = &H00040000
Const WRITE_OWNER = &H00080000

Dim KEY_READ ‘access mask designating read access to registry key
Dim KEY_WRITE ‘access mask designating write access to registry key
Dim KEY_ALL_ACCESS ‘access mask designating full access to registry key

Dim iOffset ‘used for display only (left justifying displayed values)
Dim sAction ‘type of action to perform (show or set)
Dim sPermission ‘permission type (read, change, full, or no access)
Dim sAccount ‘user or group account for which permissions are set
Dim sTarget ‘string representing path to target registry key
Dim sInh ‘value representing inheritance behavior (1 yes, 0 no)

Dim oADSSecurity ‘object representing ADsSecurity class
Dim oTargetSD ‘object representing security descriptor of registry key
Dim oDACL ‘object representing Discretionary Access Control List

‘//////////////////////////////////////////////////
‘/// Set variables

‘/// KEY_READ is a combination of KEY_QUERY_VALUE,
‘ KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, and READ_CONTROL access.
KEY_READ = KEY_QUERY_VALUE + KEY_ENUMERATE_SUB_KEYS + KEY_NOTIFY +
READ_CONTROL

‘/// KEY_WRITE is a combination of KEY_SET_VALUE and KEY_CREATE_SUB_KEY
access.
KEY_WRITE = KEY_SET_VALUE + KEY_CREATE_SUB_KEY + READ_CONTROL

‘/// KEY_FULL_ACCESS is a combination of KEY_QUERY_VALUE, KEY_SET_VALUE,
‘ KEY_CREATE_SUB_KEY, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK,
‘ DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
KEY_ALL_ACCESS = KEY_QUERY_VALUE + KEY_SET_VALUE + KEY_CREATE_SUB_KEY + _
KEY_ENUMERATE_SUB_KEYS + KEY_NOTIFY + KEY_CREATE_LINK + _
DELETE + READ_CONTROL + WRITE_DAC + WRITE_OWNER

iOffset = 20

‘//////////////////////////////////////////////////
‘/// Retrieve script arguments

Call GetArguments(Wscript.Arguments, sAction, sTarget, sAccount,
sPermission, sInh)

Set oADSSecurity = CreateObject(“ADsSecurity”)
Set oTargetSD = oADsSecurity.GetSecurityDescriptor(“RGY://” & sTarget)
Set oDACL = oTargetSD.DiscretionaryACL

Select Case UCase(sAction)

Case “SHOW”
Call DisplayACLs()
Case “SET”
Call SetACLs(sAccount, sPermission, sInh)
Case Else
Call DisplayUsage(“ERROR: Incorrect ACTION type”)

End Select

Set oDACL = Nothing
Set oTargetSD = Nothing
Set oADsSecurity = Nothing

Wscript.Quit

‘///////////////////////////////////////////////////////////////////
‘/// Name: GetArguments
‘/// Purpose: Reading command line arguments
‘/// Input: oArgs WScript.Arguments collection
‘/// Output: sAction Action type (SET or SHOW)
‘/// sTarget Registry key
‘/// sAccount Account to set permissions for
‘/// sPermission Type of permissions to set
‘/// sInh Permission inheritance (1 yes, 0 no)
‘///////////////////////////////////////////////////////////////////

Sub GetArguments(oArgs, sAction, sTarget, sAccount, sPermission, sInh)

Dim iCount

For iCount=0 To oArgs.Count – 1
Select Case UCase(Split(WScript.Arguments(iCount), “=”)(0))
Case “ACTION” sAction = Split(WScript.Arguments(iCount), “=”)(1)
Case “TARGET” sTarget = Split(WScript.Arguments(iCount), “=”)(1)
Case “ACCOUNT” sAccount = Split(WScript.Arguments(iCount), “=”)(1)
Case “PERM” sPermission = Split(WScript.Arguments(iCount), “=”)(1)
Case “INH” sInh = Split(WScript.Arguments(iCount), “=”)(1)
End Select
Next

If sAction = “” or sTarget = “” or (sAction = “SET” and (sTarget = “” or
sAccount = “”)) Then
Call DisplayUsage(“ERROR: Missing argument(s)”)
WScript.Quit
End If

end sub

‘///////////////////////////////////////////////////////////////////
‘/// Name: DisplayUsage
‘/// Purpose: Displaying usage of the script from the command line
‘/// Input: sHeader Header for Message Box
‘///////////////////////////////////////////////////////////////////

sub DisplayUsage(sHeader)

Dim sMsg

sMsg = “To display permissions on a registry key, run:”
sMsg = sMsg & VbCrLf & _
“cscript //nologo RegPerms.vbs ACTION=SHOW TARGET=Registry_Key”
sMsg = sMsg & VbCrLf & vbCrLf & “To set permissions on a registry key run:”
sMsg = sMsg & VbCrLf & _
“cscript //nologo RegPerms.vbs ACTION=SET TARGET=Registry_Key ” & _
“ACCOUNT=Domain\Account PERM=Read|Change|Full|NoAccess INH=YES|NO”
sMsg = sMsg & VbCrLf & vbCrLf & “Where:”
sMsg = sMsg & VbCrLf & String(7,” “) & “ACTION is set to SHOW or SET (to
display or set permissions, respectively)”
sMsg = sMsg & VbCrLf & String(7,” “) & “TARGET is full path to the registry
key (computer name is optional)”
sMsg = sMsg & VbCrLf & String(7,” “) & “e.g. ” &
“””Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows”””
sMsg = sMsg & VbCrLf & String(7,” “) & “ACCOUNT is user or group account in
the DOMAIN\AccountName format”
sMsg = sMsg & VbCrLf & String(7,” “) & “PERM specifies type of permissions
to be set”
sMsg = sMsg & VbCrLf & String(7,” “) & “INH determines permission
inheritance (Yes or No)”

Call MsgBox(sMsg, vbOKOnly, sHeader)

end sub

‘///////////////////////////////////////////////////////////////////
‘/// Name: SetACLs
‘/// Purpose: Setting Access Control List entry
‘/// Input: sAccount Account to set permissions for
‘/// sPermission Type of permissions to set
‘/// sInh Permission inheritance (yes or no)
‘///////////////////////////////////////////////////////////////////

Sub SetACLs(sAccount, sPermission, sInh)

Dim oACE

For Each oACE in oDACL
If UCase(oACE.Trustee) = UCase(sAccount) Then
oDACL.RemoveACE oACE
End if
Next

oTargetSD.DiscretionaryACL = oDACL
oADsSecurity.SetSecurityDescriptor oTargetSD

Set oACE = CreateObject(“AccessControlEntry”)
oACE.Trustee = sAccount

Select Case UCase(sPermission)
Case “FULL”
oACE.AccessMask = KEY_ALL_ACCESS
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
Case “CHANGE”
oACE.AccessMask = KEY_WRITE
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
Case “READ”
oACE.AccessMask = KEY_READ
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
Case “NOACCESS”
oACE.AccessMask = KEY_ALL_ACCESS
oACE.AceType = ADS_ACETYPE_ACCESS_DENIED
Case “”
Exit Sub
Case Else
DisplayUsage(“ERROR: Incorrect Permission Type”)
End Select

If UCase(sInh) = “YES” Then
oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
Else
oACE.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
End If

oDACL.AddAce oACE

Call ReorderDACL(oDACL)

oTargetSD.DiscretionaryACL = oDACL
oADsSecurity.SetSecurityDescriptor oTargetSD

End Sub

‘///////////////////////////////////////////////////////////////////
‘/// Name: ReorderDACL
‘/// Purpose: reordering the ACLs (per Q269159)
‘/// ACEs need to be ordered, since AddAce method does not take care of
it.
‘/// For Windows 2000 and later, ACEs should be arranged into two main
groups
‘/// – non-inherited
‘/// – inherited.
‘/// Non-inherited ACEs should be listed first, followed by the inherited
ones.
‘/// Within each group, ACEs are arranged in the following fashion:
‘/// – access-denied ACEs that apply to the object itself
‘/// – access-denied ACEs that apply to subobjects of the object
‘/// – access-allowed ACEs that apply to the object itself
‘/// – access-allowed ACEs that apply to subobjects of the object
‘/// Since the script does not affect inherited ACEs (but instead, it sets
‘/// permission directly on target object), they do not have to be
rearranged.
‘/// Only non-inherited ACEs are rearranged.
‘/// Input: oOrgDACL object representing discretionary access list for
registry key
‘///////////////////////////////////////////////////////////////////

Sub ReorderDACL(oDACL)

Dim oNewDACL ‘object used to temporarily store DACL (during ordering)
Dim oInheritedDACL ‘object representing list of all Inherited ACEs
Dim oDenyDACL ‘object representing list of non-Inherited Deny ACEs
Dim oDenyObjDACL ‘object representing list of non-Inherited Deny Object
ACEs
Dim oAllowDACL ‘object representing list of non-Inherited Allow ACEs
Dim oAllowObjDACL ‘object representing list of non-Inherited Allow Object
ACEs

Dim oACE ‘object representing ACE (used for enumeration)

‘//////////////////////////////////////////////////
‘/// Create Access Control List objects

Set oNewDACL = CreateObject(“AccessControlList”)
Set oInheritedDACL = CreateObject(“AccessControlList”)
Set oAllowDACL = CreateObject(“AccessControlList”)
Set oDenyDACL = CreateObject(“AccessControlList”)
Set oDenyObjDACL = CreateObject(“AccessControlList”)
Set oAllowObjDACL = CreateObject(“AccessControlList”)

‘//////////////////////////////////////////////////
‘/// Add individual ACEs into each of the lists
‘/// based on the ACE Flags and ACE Type values

For Each oACE In oDACL
If ((oACE.AceFlags AND ADS_ACEFLAG_INHERITED_ACE) =
ADS_ACEFLAG_INHERITED_ACE) Then

‘//////////////////////////////////////////////////
‘/// as explained, no sorting is needed for Inherited ACEs, they are simply
‘/// added to the list and retrieved at the end of the sub in the same
order
oInheritedDACL.AddAce oACE

Else

‘//////////////////////////////////////////////////
‘/// non-Inherited ACEs need to be placed in their respective list to be
re-ordered

Select Case oACE.AceType
Case ADS_ACETYPE_ACCESS_ALLOWED
oAllowDACL.AddAce oACE
Case ADS_ACETYPE_ACCESS_DENIED
oDenyDACL.AddAce oACE
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
oAllowObjDACL.AddAce oACE
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
oDenyObjDACL.AddAce oACE

End Select
End If
Next

‘//////////////////////////////////////////////////
‘/// Recreate the Access Control List following the appropriate order
‘/// – non-Inherited Deny ACEs
‘/// – non-Inherited Allow ACEs
‘/// – Inherited ACEs

For Each oACE In oDenyDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oDenyObjDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oAllowDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oAllowObjDACL
oNewDACL.AddAce oACE
Next
For Each oACE In oInheritedDACL
oNewDACL.AddAce oACE
Next

Set oInheritedDACL = Nothing
Set oDenyDACL = Nothing
Set oAllowDACL = Nothing
Set oDenyObjDACL = Nothing
Set oAllowObjDACL = Nothing

‘//////////////////////////////////////////////////
‘/// Set appropriate DACL revision level

oNewDACL.AclRevision = oDACL.AclRevision

‘//////////////////////////////////////////////////
‘/// Reset the original DACL
Set oDACL = Nothing
Set oDACL = oNewDACL

end Sub

‘///////////////////////////////////////////////////////////////////
‘/// Name: DisplayACLs
‘/// Purpose: Displaying Access Control List entries
‘///////////////////////////////////////////////////////////////////

Sub DisplayACLs()

Dim oACE ‘object representing individual ACE
Dim sMsg, sAccessMask ‘strings containing message to be displayed
Dim hAccessMask ‘number representing Access Mask value

WScript.Echo “Permissions on ” & sTarget

For Each oACE in oDACL
sMsg = vbCrLf & “Trustee:” & String(iOffset – Len(“Trustee:”), Chr(32)) &
_
oACE.Trustee & vbCrLf
sMsg = sMsg & “ACE Type:” & String(iOffset – Len(“ACE Type:”), Chr(32))
Select Case oACE.AceType
Case ADS_ACETYPE_ACCESS_ALLOWED
‘Implicit Allow ACE
sMsg = sMsg & “ACCESS_ALLOWED”
Case ADS_ACETYPE_ACCESS_DENIED
‘Implicit Deny ACE
sMsg = sMsg & “ACCESS_DENIED”
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
‘Object Allowed ACE
sMsg = sMsg & “ACCESS_ALLOWED_OBJECT”
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
‘Object Deny ACE
sMsg = sMsg & “ACCESS_DENIED_OBJECT”
End Select
Wscript.Echo sMsg

sAccessMask = “”
hAccessMask = 0

If (oACE.AccessMask AND KEY_QUERY_VALUE) Then
sAccessMask = String(iOffset, Chr(32)) & “KEY_QUERY_VALUE” & vbCrLf
hAccessMask = hAccessMask + KEY_QUERY_VALUE
End If
If (oACE.AccessMask AND KEY_SET_VALUE) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “KEY_SET_VALUE” &
vbCrLf
hAccessMask = hAccessMask + KEY_SET_VALUE
End If
If (oACE.AccessMask AND KEY_CREATE_SUB_KEY) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) &
“KEY_CREATE_SUB_KEY” & vbCrLf
hAccessMask = hAccessMask + KEY_CREATE_SUB_KEY
End If
If (oACE.AccessMask AND KEY_ENUMERATE_SUB_KEYS) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) &
“KEY_ENUMERATE_SUB_KEYS” & vbCrLf
hAccessMask = hAccessMask + KEY_ENUMERATE_SUB_KEYS
End If
If (oACE.AccessMask AND KEY_NOTIFY) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “FILE_WRITE_EA” &
vbCrLf
hAccessMask = hAccessMask + KEY_NOTIFY
End If
If (oACE.AccessMask AND KEY_CREATE_LINK) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “KEY_CREATE_LINK”
& vbCrLf
hAccessMask = hAccessMask + KEY_CREATE_LINK
End If
If (oACE.AccessMask AND DELETE) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “DELETE” & vbCrLf
hAccessMask = hAccessMask + DELETE
End If
If (oACE.AccessMask AND READ_CONTROL) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “READ_CONTROL” &
vbCrLf
hAccessMask = hAccessMask + READ_CONTROL
End If
If (oACE.AccessMask AND WRITE_DAC) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “WRITE_DAC” &
vbCrLf
hAccessMask = hAccessMask + WRITE_DAC
End If
If (oACE.AccessMask AND WRITE_OWNER) Then
sAccessMask = sAccessMask & String(iOffset, Chr(32)) & “WRITE_OWNER” &
vbCrLf
hAccessMask = hAccessMask + WRITE_OWNER
End If

sMsg = “ACE Permissions:” & String(iOffset – Len(“ACE Permissions:”),
Chr(32))
Select Case hAccessMask
Case KEY_ALL_ACCESS Wscript.Echo sMsg & “FULL CONTROL”
Case KEY_WRITE Wscript.Echo sMsg & “WRITE”
Case KEY_READ Wscript.Echo sMsg & “READ”
Case Else WScript.Echo sMsg & oACE.AccessMask
WScript.Echo sAccessMask
End Select

sMsg = “ACE Flags:” & String(iOffset – Len(“ACE Flags:”), Chr(32))
If (oACE.AceFlags AND ADS_ACEFLAG_INHERIT_ACE) Then
WScript.Echo sMsg & “ADS_ACEFLAG_INHERIT_ACE”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE) Then
WScript.Echo sMsg & “ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_INHERIT_ONLY_ACE) Then
WScript.Echo sMsg & “ADS_ACEFLAG_INHERIT_ONLY_ACE”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_INHERITED_ACE) Then
WScript.Echo sMsg & “ADS_ACEFLAG_INHERITED_ACE”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_VALID_INHERIT_FLAGS) Then
WScript.Echo sMsg & “ADS_ACEFLAG_VALID_INHERIT_FLAGS”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_SUCCESSFUL_ACCESS) Then
WScript.Echo sMsg & “ADS_ACEFLAG_SUCCESSFUL_ACCESS”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_FAILED_ACCESS) Then
WScript.Echo sMsg & “ADS_ACEFLAG_FAILED_ACCESS”
End If
If (oACE.AceFlags AND ADS_ACEFLAG_UNKNOWN) Then
WScript.Echo sMsg & “ADS_ACEFLAG_UNKNOWN”
End If
Next
End Sub

Inject or Delete Drivers from WIM

  1. At an elevated command prompt, type:
    Dism /Get-ImageInfo /ImageFile:C:\test\images\install.wim
    

     

    An Index or Name value is required for most operations that specify a WIM file (which can be obtained from Get-ImageInfo). For a VHD file, you must specify /Index:1. The Name from the output will be added to the below command…in the Windows Version Type. You cannot use /Index and /Name at the same time.

  2. Mount the offline Windows image. For example, type:
    Dism /Mount-Image /ImageFile:C:\test\images\install.wim /Name:"Windows Version Type" /MountDir:C:\test\offline
    
  3. Add a specific driver to the image. For example, type:
    Dism /Image:C:\test\offline /Add-Driver /Driver:C:\drivers\mydriver.inf
    


    NOTE: You’ll use the /Recurse option for most driver packages
    Multiple drivers can be added on one command line if you specify a folder instead of an .inf file. To install all of the drivers in a folder and all its subfolders use the /recurse option. For example,

    Dism /Image:C:\test\offline /Add-Driver /Driver:c:\drivers /Recurse
    

    To install an unsigned driver, use /ForceUnsigned to override the requirement that drivers installed on X64-based computers must have a digital signature. For example,

    Dism /Image:C:\test\offline /Add-Driver /Driver:C:\drivers\mydriver.inf /ForceUnsigned
    
  4. Review the list of third-party driver (.inf) files in the Windows image. Drivers added to the Windows image are named Oem*.inf. This is to guarantee unique naming for new drivers added to the computer. For example, the files MyDriver1.inf and MyDriver2.inf are renamed Oem0.inf and Oem1.inf. For example, type:
    Dism /Image:C:\test\offline /Get-Drivers 
    
    
  5. Commit the changes and unmount the image. For example, type:
    Dism /Unmount-Image /MountDir:C:\test\offline /Commit
    
  1. At an elevated command prompt, locate the Windows ADK servicing folder, and type the following command to retrieve the name or index number for the image that you want to modify.
    Dism /Get-ImageInfo /ImageFile:C:\test\images\install.wim
    

    An index or name value is required for most operations that specify a WIM file. For a VHD file, you must specify /Index:1.

  2. Mount the offline Windows image. For example, type:
    Dism /Mount-Image /ImageFile:C:\test\images\install.wim /Name:"Windows 7 HomeBasic" /MountDir:C:\test\offline
    
  3. Remove a specific driver from the image. Multiple drivers can be removed on one command line. For example, type:
    Dism /Image:C:\test\offline /Remove-Driver /Driver:OEM1.inf /Driver:OEM2.inf
    
    Warning
    Removing a boot-critical driver package can make the offline Windows image unbootable. For more information, see DISM Driver Servicing Command-Line Options.
  4. Commit the changes and unmount the image. For example, type:
    Dism /Unmount-Image /MountDir:C:\test\offline /Commit
    

 


To add drivers to an offline Windows image by using an unattended answer file

  1. Locate the device driver .inf files that you intend to install on the Windows image.
    Note
    All drivers in the directory and subdirectories that are referenced in the answer file are added to the image. You should manage the answer file and these directories carefully to address concerns about increasing the size of the image with unnecessary driver packages.
  2. Use Windows System Image Manager (Windows SIM) to create an answer file that contains the paths to the device drivers that you intend to install.
  3. Add the Microsoft-Windows-PnpCustomizationsNonWinPE component to your answer file in the offlineServicing configuration pass.
  4. Expand the Microsoft-Windows-PnpCustomizationsNonWinPE node in the answer file. Right-click DevicePaths, and then select Insert New PathAndCredentials.A new PathAndCredentials list item appears.
  5. For each location that you intend to access, add a separate PathAndCredentials list item.
  6. In the Microsoft-Windows-PnpCustomizationsNonWinPE component, specify the path to the device driver and the credentials that are used to access the file, if the file is on a network share.
    Note
    You can include multiple device driver paths by adding multiple PathAndCredentials list items. If you add multiple list items, you must increment the value of Key for each path. For example, you can add two separate driver paths where the value of Key for the first path is equal to 1 and the value of Key for the second path is equal to 2.
  7. Save the answer file and exit Windows SIM. The answer file must resemble the following sample.
    <?xml version="1.0" ?><unattend xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <settings pass="offlineServicing">
         <component name="Microsoft-Windows-PnpCustomizationsNonWinPE" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
            <DriverPaths>
               <PathAndCredentials wcm:keyValue="1">
                  <Path>\\networkshare\share\drivers</Path>
                  <Credentials>
                     <Domain>Fabrikam</Domain>
                     <Username>MyUserName</Username>
                     <Password>MyPassword</Password>
                  </Credentials>
               </PathAndCredentials>
            </DriverPaths>
         </component>
      </settings>
    </unattend>
    
  8. Mount the Windows image that you intend to install the drivers to by using DISM. For example, type:
    Dism /Mount-Image /ImageFile:C:\test\images\install.wim /Index:1 /MountDir:C:\test\offline
    

    An index or name value is required for most operations that specify a WIM file. For a VHD file, you must specify /Index:1.

  9. Use DISM to apply the answer file to the mounted Windows image. For example, type:
    DISM /Image:C:\test\offline /Apply-Unattend:C:\test\answerfiles\myunattend.xml
    

    For more information about how to apply an answer file, see DISM Unattended Servicing Command-Line Options.

    The .inf files referenced in the path in the answer file are added to the Windows image.

  10. Review the list of third-party driver (.inf) files in the Windows image. Drivers added to the Windows image are named Oem*.inf. This is to guarantee that all new drivers that are added to the computer are uniquely named. For example, the files MyDriver1.inf and MyDriver2.inf are renamed Oem0.inf and Oem1.inf.For example, type:
    Dism /Image:C:\test\offline /Get-Drivers 
    
    
  11. Unmount the .wim file and commit the changes. For example, type:
    Dism /Unmount-Image /MountDir:C:\test\offline /Commit

Advisories, bulletins & notices for HP EliteBook Folio 9470m Notebook PC

Attempting to install the Intel USB 3.0 drivers results in BSOD: install
* if it still blue screens, copy the files manually to their respective folders

Advisories, bulletins & notices

TITLE
01 HP USB Stylish Keyboard Unresponsive When Connected to HP USB 3.0 Port Replicator
02 USB Mouse Does Not Wake Computer When an External USB Hub is Between Mouse and Docking Station
03 HP Notebook PC AC Power Cord Safety Recall and Replacement Program Announced August 26, 2014
04 Battery Loses Charge When Computer Hibernates
05 HP Notebook PC AC Power Cord Safety Recall and Replacement Program Announced August 26, 2014
06 System BIOS Update F.50 for select EliteBooks, ProBooks and HP mt40 Mobile Thin Client
07 Computer Does Not Have Cloned Display With 2013 UltraSlim Docking Station
08 Applications Do Not Finish Downloading From Microsoft Store When Using WWAN or WLAN Connection
09 Monitor Flickers, Flashes, or Displays White Banding on Screen
10 *** STOP in PsMain *** Error on Red Screen After Installing Check Point Full Disk Encryption Software
11 HP Z Display Z23i, Z27i and Z30i Do Not Wake Up When Using Display Port Connection to HP 2013 Ultra-Slim Docking Station
12 Stop Error on a Blue Screen After Downloading Driver Updates and Connecting the Computer to an UltraSlim Docking Station
13 Computer Takes A Long Time to Load ProtectTools or the Operating System After Login
14 Intermittent Cooling Fan Error During POST
15 System BIOS Update F.48 for Folio 9470m
16 Fan Runs Continuously While On AC Power
17 Log on Issue With HP ProtectTools After Upgrading to Microsoft Windows 8 Pro
18 The Computer Does Not Automatically Switch Between the LAN/WLAN Connections in Microsoft Windows 8 and 8.1
19 The Notebook is Abnormally Slow After Being Left On for Several Days
20 System BIOS Update F.47 for 9470m
21 Application Windows Do Not Snap to Fit the External Monitors When Using the HP 2013 Ultraslim Docking Station With Both DP Ports.
22 Smartcard Reader Does not Transmit Data Via HBCI Cards in CT-API Mode
23 Black Screen Occurs After Hibernation in Notebooks With a DRAM Larger Than 16GB
24 System Cannot Enter Into Standby Mode With Standby Set to Auto in DC Mode
25 Language Interface Packs Not Available
26 Operating System Does Not Install in RAID Mode
27 WWAN Not Configured in HP Connection Manager After Resuming From a Sleep or Hibernate State
28 System BIOS Update F.46 for HP EliteBook Folio 9470m
29 Computer Does Not Power on if the AC Adapter Is Removed When the Computer Is Shutting Down or Entering Standby Mode
30 Unable to Reinstall Microsoft Windows 7 When RAID Is Enabled
31 Drive Encryption Pre-Boot Authentication Appears After F11 Recovery
32 Computer Does Not Have an Operating System Installed
33 Solid State Hard Drive Stops Responding or Takes a Long Time to Come Out of Standby Mode
34 Windows Media Player Loses Audio When Switching Display Modes During Playback
35 The 3D Bubbles Screen Saver Lags on Extended Displays
36 Error 0xc0aab120 Is Displayed and the Computer Cannot Make a Recovery Disk
37 Unable to Use Triple Display Configuration
38 No Login Screen Appears When Resuming From Sleep Mode After Docking The Computer
39 Popping or Stuttering Sounds During Startup
40 Microsoft Windows XP WebClient Service Remains in the Stopped State
41 The SD Card Does Not Refresh When Inserted at the Drive Encryption Pre-Boot Screen
42 System BIOS Update F.44 for 9470m
43 The Computer Attempts to Boot From the Network Instead of the HDD
44 HPCM Displays Ethernet (Wired LAN) Connected Without Ethernet Cable Plugged In
45 Error Code -1 Appears After Installing a Driver Package
46 Unable to Update From the HP System Software Manager (SSM)
47 System BIOS Update F.43 for 9470m
48 Duplicate Icons Are Displayed in the Disk Manager
49 WWAN Module Remains Off After Upgrading to Windows 8
50 Hotspot Failure After Removing the WLAN Driver
51 External USB WWAN Modem Module Is Not Recognized by Microsoft Windows
52 WWAN Modules Are Disconnected When Making a Broadband Connection Through a VPN
53 SoftPaq 56963 Installation Does Not Work
54 WiDi Adapter Disabled and Yellow Exclamation Point Appears Beside USB Host Controller After WiDi Software Installation
55 Connection Manager Becomes Unresponsive, Restarts, or Displays a “Searching for Network” Message When Connected to Network
56 Windows 8 Native Mobile Broadband Connection Manager Does Not Have PAP/CHAP Options in Authentication Menu
57 System BIOS Update F.40 for 9470m
58 HP Hotkey Support Does Not Appear in HP Support Assistant or in Swsetup Folder
59 System BIOS Update F.32 for 9470m
60 Cannot Enroll Fingerprint in HP Client Security After F11 Recovery
61 IEEE 1394 HDD Becomes Inaccessible in Windows
62 HP LightScribe Optical Disk Drive Transition
63 Correct Switches for Automating Driver Installation