PowerShell – Using Sendkeys and Runas.exe


In a local admin profile—while the user is logged in as the local admin—I’m using this to pass a password into runas.exe, to automate a specific process. Make sure you compile this bit of code before using it in production.

The "encoding" is just PowerShell's [char[]] cast, which turns an ASCII code into its character; it hides the password from a casual read of the script, but it is trivially reversible.

Example:

$p1 = [char[]](65)   # 'A'
$p2 = [char[]](71)   # 'G'
$p3 = [char[]](68)   # 'D'

* I will be researching a more secure method of using runas.exe.

$wshell = New-Object -ComObject wscript.shell
# $p4 .. $p7 are defined the same way as $p1 .. $p3 above (not shown here).
$EncodedPW = "$p1$p7$p3$p2$p6$p4$p2$p1$p6$p7"

cmd /c ("start """" runas /u:administrator /netonly ""foo.exe"" ")

$wshell.AppActivate('MyAppWindow Title')
Start-Sleep 1
# Double quotes, so the password value is typed rather than the literal text
# "$EncodedPW". SendKeys treats + ^ % ~ ( ) { } as control characters, so any
# of them inside the password must be wrapped in braces, e.g. {+}.
$wshell.SendKeys("$EncodedPW")
$wshell.SendKeys('{ENTER}')
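The SendKeys approach has two weaknesses: the password sits in the script in reversible form, and whatever window happens to have focus after the Sleep receives the keystrokes. The following is an added example, not code from the original post, showing the alternative a practitioner would usually reach for: prompt once with Get-Credential, store the PSCredential with Export-Clixml (the password is protected with DPAPI for the current user on this machine), and launch the program with Start-Process -Credential, which hands the password to CreateProcessWithLogonW as a SecureString with no window focus involved. The credential file path and foo.exe path are placeholders.

```powershell
# Added example (not from the original post). Assumptions: $CredFile and
# $Target are placeholders; the script runs under the same user profile that
# created the credential file, because Export-Clixml's DPAPI protection is
# bound to that user and machine.

$CredFile = "$env:LOCALAPPDATA\runas-admin.cred.xml"   # assumed location
$Target   = "C:\Path\To\foo.exe"                       # placeholder program

function Save-RunAsCredential {
    # One-time, interactive step: prompts for the password and writes the
    # PSCredential to disk. Only this user on this machine can decrypt it.
    param([string]$UserName, [string]$Path)
    $cred = Get-Credential -UserName $UserName -Message "Password for $UserName"
    $cred | Export-Clixml -Path $Path
}

function Start-AsUser {
    # Launches $FilePath under the stored credential. No plaintext password in
    # the script and nothing is typed into a window.
    param([string]$FilePath, [string]$Path)
    if (-not (Test-Path $Path)) {
        throw "No credential file at $Path; run Save-RunAsCredential first."
    }
    $cred = Import-Clixml -Path $Path
    Start-Process -FilePath $FilePath -Credential $cred `
                  -WorkingDirectory (Split-Path -Path $FilePath -Parent)
}

if (-not (Test-Path $CredFile)) {
    Save-RunAsCredential -UserName 'administrator' -Path $CredFile
}
Start-AsUser -FilePath $Target -Path $CredFile
```

Start-Process -Credential behaves like a plain runas; it has no equivalent of the /netonly switch used above, so if the network-only logon is what you need, that part of the original command cannot be reproduced this way. The upside is that a stolen copy of the script yields nothing, and the credential file is useless on any other machine or account.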

 

Notes

PowerShell Data Types

OneDrive – Remove/Hide


Windows 10

Group Policy Method

  • Open GPedit.msc
  • Navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> OneDrive.
  • In the right pane, double click on policy named Prevent the usage of OneDrive for file storage.
  • Select the Enabled radio button.
  • Click OK when done.
  • Run gpupdate /force.

 

Manual Method

  • Terminate any running OneDrive process with the following command:
    taskkill /f /im OneDrive.exe
  • Uninstall the OneDrive app by running the command for your Windows architecture:
    32-bit Windows

    %SystemRoot%\System32\OneDriveSetup.exe /uninstall

    64-bit Windows

    %SystemRoot%\SysWOW64\OneDriveSetup.exe /uninstall


Cleaning and Removing OneDrive Remnants

rd "%UserProfile%\OneDrive" /Q /S
rd "%LocalAppData%\Microsoft\OneDrive" /Q /S
rd "%ProgramData%\Microsoft OneDrive" /Q /S
rd "C:\OneDriveTemp" /Q /S
  • 32-bit
    • Browse to key: HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
    • Double-click value: System.IsPinnedToNameSpaceTree
    • Change to 0 and click OK
  • 64-bit
    • Browse to key: HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
    • Double-click value: System.IsPinnedToNameSpaceTree
    • Change to 0 and click  OK
    • Browse to key: HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
    • Double-click value: System.IsPinnedToNameSpaceTree
    • Change to 0 and click OK

 

Windows 7, Windows 8 and Windows 8.1

  • Navigate to the following registry key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
  • Right-click on Windows and select New -> Key. Name the new key OneDrive.
  • Right-click on the new OneDrive key and select New -> DWORD (32-bit) Value. Name the new value DisableFileSyncNGSC.
  • Set the data for the DisableFileSyncNGSC registry value to 1.
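The Group Policy setting for Windows 10 and the manual registry edit for Windows 7/8 both end up at the same value, DisableFileSyncNGSC = 1, and the Explorer entry is controlled by the System.IsPinnedToNameSpaceTree value under the OneDrive CLSID listed above. The script below is an added example, not part of the original post; it reports the state of both settings so you can verify a machine, and with -Apply it sets them (which needs an elevated prompt). The key paths and value names are the ones given in the steps above.

```powershell
# Added example (not from the original post): audit, and optionally apply, the
# OneDrive policy value and the namespace pin described in the steps above.
param([switch]$Apply)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
$PolicyValue = 'DisableFileSyncNGSC'
$Clsid       = '{018D5C66-4533-4307-9B53-224DE2ED1FE6}'   # from the steps above
$PinValue    = 'System.IsPinnedToNameSpaceTree'
# The Wow6432Node key only exists on 64-bit Windows; Test-Path handles that.
$ClsidKeys   = @("Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
                 "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$Clsid")

function Get-OneDriveState {
    # A missing key or value is reported as "not set", not as an error.
    $policy = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
               -ErrorAction SilentlyContinue).$PolicyValue
    $pins = foreach ($k in $ClsidKeys) {
        if (Test-Path $k) {
            [pscustomobject]@{
                Key    = $k
                Pinned = (Get-ItemProperty -Path $k -Name $PinValue `
                          -ErrorAction SilentlyContinue).$PinValue
            }
        }
    }
    $stillPinned = @($pins | Where-Object { $_.Pinned -ne 0 })
    [pscustomobject]@{
        PolicyValue    = $policy
        PolicyDisabled = ($policy -eq 1)
        NamespacePins  = $pins
        Compliant      = ($policy -eq 1) -and ($stillPinned.Count -eq 0)
    }
}

function Set-OneDriveDisabled {
    # Writes the same value the "Prevent the usage of OneDrive for file
    # storage" policy writes, then unpins the Explorer entry.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord `
                     -Value 1 -Force | Out-Null
    foreach ($k in $ClsidKeys) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name $PinValue -Value 0 }
    }
}

$state = Get-OneDriveState
$state | Format-List
if ($Apply -and -not $state.Compliant) {
    Set-OneDriveDisabled
    Get-OneDriveState | Format-List
}
```

Run it without arguments first to see what a machine currently has; the Compliant field is only true when the policy value is 1 and every CLSID key present has the pin value set to 0.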

 

SQL – Search Entire Database


This is how you search an entire SQL Server database for a specific value. Just set @SearchStrColumnValue = '%DoWhatYouWantToSearchFor%' (LIKE syntax).

DECLARE @SearchStrTableName nvarchar(255), @SearchStrColumnName nvarchar(255), @SearchStrColumnValue nvarchar(255), @SearchStrInXML bit, @FullRowResult bit, @FullRowResultRows int
SET @SearchStrColumnValue = '%mail%' /* use LIKE syntax */
SET @FullRowResult = 1
SET @FullRowResultRows = 3
SET @SearchStrTableName = NULL /* NULL for all tables, uses LIKE syntax */
SET @SearchStrColumnName = NULL /* NULL for all columns, uses LIKE syntax */
SET @SearchStrInXML = 0 /* Searching XML data may be slow */

IF OBJECT_ID('tempdb..#Results') IS NOT NULL DROP TABLE #Results
CREATE TABLE #Results (TableName nvarchar(128), ColumnName nvarchar(128), ColumnValue nvarchar(max), ColumnType nvarchar(20))

SET NOCOUNT ON

DECLARE @TableName nvarchar(256) = '', @ColumnName nvarchar(128), @ColumnType nvarchar(20), @QuotedSearchStrColumnValue nvarchar(110), @QuotedSearchStrColumnName nvarchar(110)
/* QUOTENAME with a single-quote delimiter doubles any embedded quotes, so the search value is safe to splice into the dynamic SQL below */
SET @QuotedSearchStrColumnValue = QUOTENAME(@SearchStrColumnValue, '''')
DECLARE @ColumnNameTable TABLE (COLUMN_NAME nvarchar(128), DATA_TYPE nvarchar(20))

WHILE @TableName IS NOT NULL
BEGIN
    /* next user table, in [schema].[table] order, skipping tables shipped by Microsoft */
    SET @TableName =
    (
        SELECT MIN(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME))
        FROM INFORMATION_SCHEMA.TABLES
        WHERE TABLE_TYPE = 'BASE TABLE'
          AND TABLE_NAME LIKE COALESCE(@SearchStrTableName, TABLE_NAME)
          AND QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) > @TableName
          AND OBJECTPROPERTY(OBJECT_ID(QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME)), 'IsMSShipped') = 0
    )
    IF @TableName IS NOT NULL
    BEGIN
        DECLARE @sql VARCHAR(MAX)
        /* columns of this table whose type can hold the search value; numeric types are only included when the value (minus wildcards) is numeric */
        SET @sql = 'SELECT QUOTENAME(COLUMN_NAME), DATA_TYPE
            FROM INFORMATION_SCHEMA.COLUMNS
            WHERE TABLE_SCHEMA = PARSENAME(''' + @TableName + ''', 2)
              AND TABLE_NAME = PARSENAME(''' + @TableName + ''', 1)
              AND DATA_TYPE IN (' + CASE WHEN ISNUMERIC(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(@SearchStrColumnValue, '%', ''), '_', ''), '[', ''), ']', ''), '-', '')) = 1 THEN '''tinyint'',''int'',''smallint'',''bigint'',''numeric'',''decimal'',''smallmoney'',''money'',' ELSE '' END + '''char'',''varchar'',''nchar'',''nvarchar'',''timestamp'',''uniqueidentifier''' + CASE @SearchStrInXML WHEN 1 THEN ',''xml''' ELSE '' END + ')
              AND COLUMN_NAME LIKE COALESCE(' + CASE WHEN @SearchStrColumnName IS NULL THEN 'NULL' ELSE '''' + @SearchStrColumnName + '''' END + ', COLUMN_NAME)'
        INSERT INTO @ColumnNameTable
        EXEC (@sql)
        WHILE EXISTS (SELECT TOP 1 COLUMN_NAME FROM @ColumnNameTable)
        BEGIN
            SELECT TOP 1 @ColumnName = COLUMN_NAME, @ColumnType = DATA_TYPE FROM @ColumnNameTable
            PRINT @ColumnName /* moved after the SELECT; the original printed the previous column */
            SET @sql = 'SELECT ''' + @TableName + ''',''' + @ColumnName + ''',' + CASE @ColumnType WHEN 'xml' THEN 'LEFT(CAST(' + @ColumnName + ' AS nvarchar(MAX)), 4096),'''
                WHEN 'timestamp' THEN 'master.dbo.fn_varbintohexstr(' + @ColumnName + '),'''
                ELSE 'LEFT(' + @ColumnName + ', 4096),''' END + @ColumnType + '''
                FROM ' + @TableName + ' (NOLOCK) ' +
                ' WHERE ' + CASE @ColumnType WHEN 'xml' THEN 'CAST(' + @ColumnName + ' AS nvarchar(MAX))'
                WHEN 'timestamp' THEN 'master.dbo.fn_varbintohexstr(' + @ColumnName + ')'
                ELSE @ColumnName END + ' LIKE ' + @QuotedSearchStrColumnValue
            INSERT INTO #Results
            EXEC (@sql)
            IF @@ROWCOUNT > 0 IF @FullRowResult = 1
            BEGIN
                /* show the first @FullRowResultRows whole rows that matched */
                SET @sql = 'SELECT TOP ' + CAST(@FullRowResultRows AS VARCHAR(3)) + ' ''' + @TableName + ''' AS [TableFound],''' + @ColumnName + ''' AS [ColumnFound],''FullRow>'' AS [FullRow>],*' +
                    ' FROM ' + @TableName + ' (NOLOCK) ' +
                    ' WHERE ' + CASE @ColumnType WHEN 'xml' THEN 'CAST(' + @ColumnName + ' AS nvarchar(MAX))'
                    WHEN 'timestamp' THEN 'master.dbo.fn_varbintohexstr(' + @ColumnName + ')'
                    ELSE @ColumnName END + ' LIKE ' + @QuotedSearchStrColumnValue
                EXEC (@sql)
            END
            DELETE FROM @ColumnNameTable WHERE COLUMN_NAME = @ColumnName
        END
    END
END
SET NOCOUNT OFF

SELECT TableName, ColumnName, ColumnValue, ColumnType, COUNT(*) AS Count FROM #Results
GROUP BY TableName, ColumnName, ColumnValue, ColumnType

 

Notes

SQL – Search for Table Name

Google – Launch Application as Command with Example


This is how you launch a Google app or spreadsheet from the command line, or even directly download an application. Make sure to replace the ID with the one for the application, spreadsheet, download, etc. you want.

Command

C:\Progra~2\Google\Chrome\Application\chrome.exe https://docs.google.com/spreadsheets/d/1zxGXf1J0F2Z_Ek-U8zfXkZkaxwwT3lmrRSZhVjQnspI

 

Example

Launching Google Remote Control

C:\Progra~2\Google\Chrome\Application\chrome.exe --profile-directory=Default --app-id=gbchcmhmhahfdphkhkmpfmihenigjmpp

AutoIt – Return and Use Screen Height


This is useful for adjusting the location of message boxes, forms, or other GUI components on the screen. When the height is returned, you can move it along the Y-axis. To use this, add the variable in the Y-axis element of that GUI component.

Example

$sAnswer = InputBox("Computer Name", "Enter Computer name or IP address", "", "", -1, -1, Default, $screenHeight)

 

Code

$screenHeight = _Desktop_Height()
$screenHeight = $screenHeight / 2 - 150 ; move it up and down here

; Returns the desktop height (as a string) for a known resolution, or sets
; @error = 1 and returns "" for a resolution that is not in the list.
Func _Desktop_Height()
    Local $height = ""
    Select
        Case @DesktopWidth = 640 And @DesktopHeight = 480
            $height = "480"
        Case @DesktopWidth = 800 And @DesktopHeight = 480
            $height = "480"
        Case @DesktopWidth = 854 And @DesktopHeight = 480
            $height = "480"
        Case @DesktopWidth = 800 And @DesktopHeight = 600
            $height = "600"
        Case @DesktopWidth = 960 And @DesktopHeight = 540
            $height = "540"
        Case @DesktopWidth = 1024 And @DesktopHeight = 576
            $height = "576"
        Case @DesktopWidth = 1024 And @DesktopHeight = 600
            $height = "600"
        Case @DesktopWidth = 1024 And @DesktopHeight = 768
            $height = "768"
        Case @DesktopWidth = 1152 And @DesktopHeight = 864
            $height = "864"
        Case @DesktopWidth = 1280 And @DesktopHeight = 720
            $height = "720"
        Case @DesktopWidth = 1280 And @DesktopHeight = 768
            $height = "768"
        Case @DesktopWidth = 1280 And @DesktopHeight = 800
            $height = "800"
        Case @DesktopWidth = 1280 And @DesktopHeight = 960
            $height = "960"
        Case @DesktopWidth = 1280 And @DesktopHeight = 1024
            $height = "1024"
        Case @DesktopWidth = 1360 And @DesktopHeight = 768
            $height = "768"
        Case @DesktopWidth = 1366 And @DesktopHeight = 768
            $height = "768"
        Case @DesktopWidth = 1440 And @DesktopHeight = 900
            $height = "900"
        Case @DesktopWidth = 1400 And @DesktopHeight = 1050
            $height = "1050" ; the original listed "900" here, inconsistent with every other case
        Case @DesktopWidth = 1600 And @DesktopHeight = 900
            $height = "900"
        Case @DesktopWidth = 1600 And @DesktopHeight = 1200
            $height = "1200"
        Case @DesktopWidth = 1680 And @DesktopHeight = 1050
            $height = "1050"
        Case @DesktopWidth = 1920 And @DesktopHeight = 1080
            $height = "1080"
        Case @DesktopWidth = 1920 And @DesktopHeight = 1200
            $height = "1200"
        Case @DesktopWidth = 1920 And @DesktopHeight = 1400
            $height = "1400"
        Case @DesktopWidth = 2048 And @DesktopHeight = 1080
            $height = "1080"
        Case @DesktopWidth = 2048 And @DesktopHeight = 1152
            $height = "1152"
        Case @DesktopWidth = 2048 And @DesktopHeight = 1536
            $height = "1536"
        Case @DesktopWidth = 2538 And @DesktopHeight = 1080
            $height = "1080"
        Case @DesktopWidth = 2560 And @DesktopHeight = 1080
            $height = "1080"
        Case @DesktopWidth = 2560 And @DesktopHeight = 1440
            $height = "1440"
        Case @DesktopWidth = 2560 And @DesktopHeight = 1600
            $height = "1600"
        Case @DesktopWidth = 2560 And @DesktopHeight = 2048
            $height = "2048"
        Case @DesktopWidth = 2880 And @DesktopHeight = 900
            $height = "900"
        Case Else
            Return SetError(1, 0, $height)
    EndSelect
    Return $height
EndFunc   ;==>_Desktop_Height

AutoIt – Return PID and Set Parent Window


These functions are useful if you’re trying to attach a child window to a parent application you created. I used it to control an app…inside a GUI form. I like to think of it as taking any app…and forcing that app into a frame. I then added layered functions to the frame, thus extending the original application’s features.

; Returns the visible window(s) belonging to a process.
; $iArray = 1 returns the first matching window handle; 0 returns a 1-based array of all of them.
Func _WinGetByPID($iPID, $iArray = 1)
    Local $aError[1] = [0], $aWinList, $sReturn
    If IsString($iPID) Then
        $iPID = ProcessExists($iPID) ; accept a process name as well as a PID
    EndIf
    $aWinList = WinList()
    For $A = 1 To $aWinList[0][0]
        ; state bit 2 = visible
        If WinGetProcess($aWinList[$A][1]) = $iPID And BitAND(WinGetState($aWinList[$A][1]), 2) Then
            If $iArray Then
                Return $aWinList[$A][1]
            EndIf
            $sReturn &= $aWinList[$A][1] & Chr(1)
        EndIf
    Next
    If $sReturn Then
        Return StringSplit(StringTrimRight($sReturn, 1), Chr(1))
    EndIf
    Return SetError(1, 0, $aError)
EndFunc   ;==>_WinGetByPID

; Makes $id_child (a control ID or window handle) a child of $h_parent.
Func _SetParent($id_child, $h_parent)
    If Not IsHWnd($h_parent) Then $h_parent = HWnd($h_parent)
    If Not IsHWnd($id_child) Then $id_child = GUICtrlGetHandle($id_child)
    ; DllCall returns an array; element 0 holds the function's return value.
    ; The original compared the whole array with 0, which never tested the result.
    Local $aRet = DllCall("user32.dll", "hwnd", "SetParent", "hwnd", $id_child, "hwnd", $h_parent)
    If @error = 0 And $aRet[0] <> 0 Then
        Return 1
    Else
        SetError(1)
        Return 0
    EndIf
EndFunc   ;==>_SetParent

AutoIt – Create GUI Box with Title Menu


This is a snippet from a larger program I created.


Code

#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>

; create gui
$hGUI = GUICreate("The Main Form", 388, 610, 5, 5, BitOR($WS_MINIMIZEBOX, $WS_CLIPCHILDREN))
$hButton1 = GUICtrlCreateButton("CLOSE", 260, 510, 100, 40)

; create menu
Local $idFilemenu1 = GUICtrlCreateMenu("&MyMenu")
Local $idFileitem1 = GUICtrlCreateMenuItem("DoThis1", $idFilemenu1)
Local $idFileitem2 = GUICtrlCreateMenuItem("DoThis2", $idFilemenu1)
Local $idFileitem3 = GUICtrlCreateMenuItem("DoThis3", $idFilemenu1)
GUICtrlCreateMenuItem("", $idFilemenu1, 4) ; Create a separator line

GUISetState(@SW_SHOW)
; scan for menu action
While 1
    Switch GUIGetMsg()
        Case $GUI_EVENT_CLOSE ; -3; without this case the loop never ends and GUIDelete is never reached
            ExitLoop
        Case $idFileitem1
            Run("cmd /c DoThis1.exe", "", @SW_HIDE)
        Case $idFileitem2
            Run("cmd /c DoThis2.exe", "", @SW_HIDE)
        Case $idFileitem3
            Run("cmd /c DoThis3.exe", "", @SW_HIDE)
        Case $hButton1
            Run("cmd /c DoThisButton.exe", "", @SW_HIDE)
    EndSwitch
WEnd

GUIDelete()
;.....

SCCM – Use the Remote Control Viewer from Other Computers


If you happen to use and like the SCCM Remote Control Viewer in the SCCM console, you’ll be happy to know…you don’t need SCCM to run it. That’s right—it’s an independent application. All you need to do is copy the files from Program Files\Microsoft Configuration Manager\AdminConsole\bin\i386 (the folder that contains the CmRcViewer.exe) and you’ll be in business.

I copied the above folder to a non-domain machine, non-work machine…ran the CmRcViewer.exe, entered some credentials, and I was able to remotely connect to work machines. No SCCM necessary.

Screenshot: the files (copy the whole folder)

Screenshot: from my home machine
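The viewer being a stand-alone binary means the copy of the console is not what limits who can take control; the client decides, from its Remote Tools settings and the members of its local "ConfigMgr Remote Control Users" group. The script below is an added example, not from the original post, that shows what a client will accept. The registry location is an assumption (it is where the Remote Control client component keeps its settings on the builds I have seen); check it against one of your own clients before relying on the output.

```powershell
# Added example (not from the original post): show a client's Remote Tools
# permissions so you know who can connect with CmRcViewer.exe from anywhere.
# Assumption: the Remote Control client component stores its settings under
# $RcKey; value names seen there are read as-is and reported if present.
$RcKey = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Client Components\Remote Control'

function Get-RemoteControlPolicy {
    $p = Get-ItemProperty -Path $RcKey -ErrorAction SilentlyContinue
    # Members of this local group are the "permitted viewers"; it is created
    # by the ConfigMgr client when remote control is enabled.
    $members = Get-LocalGroupMember -Group 'ConfigMgr Remote Control Users' `
               -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SettingsKeyPresent = [bool]$p
        Enabled            = $p.Enabled
        PermissionRequired = $p.'Permission Required'
        PermittedViewers   = $p.PermittedViewers
        LocalGroupMembers  = @($members | ForEach-Object { $_.Name })
    }
}

Get-RemoteControlPolicy | Format-List
```

If PermissionRequired is 0 a viewer can connect without the logged-on user consenting, so that combination with a broad group membership is the one to look for. Sessions are recorded on the client in CmRcService.log under the CCM\Logs folder, which is where to go to see who actually connected.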

SCCM – Join SMS_R_System and SMS_R_User


In SCCM, this is how you join the System and User tables.

Code

SELECT * FROM SMS_R_System INNER JOIN SMS_R_User ON SMS_R_User.Username = SMS_R_System.LastLogonUserName

 

Notes

Add SMS_G_System_COMPUTER_SYSTEM

SELECT DISTINCT SMS_G_System_COMPUTER_SYSTEM.Model, SMS_R_System.Name, SMS_R_User.displayName, SMS_R_User.UserName, SMS_R_User.Mail, SMS_R_User.employeeID
FROM SMS_R_System
INNER JOIN SMS_R_User ON SMS_R_User.Username = SMS_R_System.LastLogonUserName
INNER JOIN SMS_G_System_COMPUTER_SYSTEM ON SMS_G_System_COMPUTER_SYSTEM.ResourceID = SMS_R_System.ResourceId
WHERE SMS_R_System.LastLogonUserName = SMS_R_System.LastLogonUserName

 

Run Query in SQL

SELECT
v_R_System.Name0, v_R_System.Operating_System_Name_and0, v_R_User.User_Name0,v_R_User.displayName0,v_R_User.Mail0, v_GS_COMPUTER_SYSTEM.Model0, v_R_User.employeeID0
FROM
v_R_System
INNER JOIN
v_R_User ON v_R_User.User_Name0 = v_R_System.User_Name0
INNER JOIN
v_GS_COMPUTER_SYSTEM ON v_GS_COMPUTER_SYSTEM.ResourceID = v_R_System.ResourceId

 

Or this, to include systems with no matching user record (the LEFT JOIN keeps the nulls):

SELECT
v_R_System.Name0, v_R_System.Operating_System_Name_and0, v_R_User.User_Name0,v_R_User.displayName0,v_R_User.Mail0, v_GS_COMPUTER_SYSTEM.Model0, v_R_User.employeeID0
FROM
v_R_System
LEFT JOIN
v_R_User ON v_R_User.User_Name0 = v_R_System.User_Name0
INNER JOIN
v_GS_COMPUTER_SYSTEM ON v_GS_COMPUTER_SYSTEM.ResourceID = v_R_System.ResourceId

Remove Dameware Remote


net stop dwmrcs

regsvr32 /u /s C:\Windows\DWRCS\DWRCSh.dll
regsvr32 /u /s C:\Windows\DWRCS\DWRCSE.dll
regsvr32 /u /s C:\Windows\DWRCS\DWRCSET.dll
regsvr32 /u /s C:\Windows\DWRCS\DWRCSI.dll
regsvr32 /u /s C:\Windows\DWRCS\DWRCRSS.dll
regsvr32 /u /s C:\Windows\DWRCS\DWRCK.dll
regsvr32 /u /s C:\Windows\DWRCS\DWRCWXL.dll

C:\Windows\DWRCS\dwrcs.exe -remove

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\DameWare Development" /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "DameWare MRC Agent" /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/DamewareDisp.dll" /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/DamewareMini.sys" /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules" /v {69FDD839-6B1D-4D7A-9313-2D1E5E31F900} /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/DamewareDisp.dll" /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemRoot%/System32/drivers/DamewareMini.sys" /f /reg:64
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\FirewallRules" /v {69FDD839-6B1D-4D7A-9313-2D1E5E31F900} /f /reg:64

del "C:\Windows\DWRCS\*.*" /s /q

 

Notes

  1. Stop your DameWare Remote Support service.
  2. Delete the following folders:
    • C:\Program Files (x86)\SolarWinds\DameWare Remote Support
    • C:\ProgramData\SolarWinds
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SolarWinds\DameWare Remote Support
    • C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\SolarWinds\DameWare Remote Support
    • C:\Users\All Users\SolarWinds
    • C:\Users\Administrator\AppData\Roaming\DameWare Development
  3. Delete the following icons:
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\DRS.lnk
    • C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\DRS.lnk
    • C:\Users\Public\Desktop\DameWare Mini Remote Control.lnk
    • C:\Users\Public\Desktop\DameWare Remote Support.lnk
  4. Delete the following registry keys:
    The Uninstall key is unique to each version of the installation. To find it, search the Uninstall keys for a DisplayName value containing DameWare Remote Support. See the following example:

    • HKEY_CLASSES_ROOT\dwrcc – This key removes any custom protocols handled.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{2189e608-cfee-4ae7-8d17-529bf84c192e} – This key removes the application from the Programs and Features list.

 

PowerShell

# Set log file
$logfile = "$env:systemdrive\Temp\DW-remove.log"

# Set service list
$ServiceList = "DWMRCS",
               "DNTUS26"

# Set registry path
$RegPathList = "HKLM:\Software\DameWare Development"

# MSI code list
$MSICodeList =
    "{385FED21-85D3-401E-8B8A-38140333FAC8}", # x64 installer
    "{9F660272-3D31-47CE-BEB6-7A065B8901A5}"  # x32 installer

# List of files to search for
$FindFileList =
    "DWRCS.EXE",  # Dameware remote control service
    "DNTUS26.EXE" # Dameware utility service

# Companion files deleted from the folder of each file found. The original
# script uses this list without ever defining it; it is assumed here to be the
# same as $FindFileList.
$CompanionFileList = $FindFileList

# Parent folder to delete if it exists. Known location of Dameware files; also
# known to reside in the system32 folder, but we don't want to delete system32.
$FindFolder = "DWRCS"

# Make sure the log directory exists before the first Out-File -Append.
$logdir = Split-Path -Path $logfile -Parent
if (-not (Test-Path $logdir)) { New-Item -ItemType Directory -Path $logdir | Out-Null }

# Define functions
Function GetTimeDate {
    $Month    = Get-Date -Format MM
    $Day      = Get-Date -Format dd
    $Year     = Get-Date -Format yyyy
    $Hour     = Get-Date -Format HH  # 24-hour clock; the original used hh (12-hour), which makes log times ambiguous
    $Minute   = Get-Date -Format mm
    $Seconds  = Get-Date -Format ss
    $SecondsF = Get-Date -Format fff
    $TimeDate = ($Month + "-" + $Day + "-" + $Year + "_" + $Hour + ":" + $Minute + ":" + $Seconds + "." + $SecondsF)
    Return $TimeDate
}

# Writes $LogBuffer (set by the caller; child scopes can read it) to the log
# file and the console. Lines starting with "Error" are red, "Warning" yellow.
Function OutLog {
    $line = (GetTimeDate) + " " + $LogBuffer
    $line | Out-File -FilePath $logfile -Append
    switch -Wildcard ($LogBuffer) {
        "Error*"   { Write-Host $line -ForegroundColor Red }
        "Warning*" { Write-Host $line -ForegroundColor Yellow }
        Default    { Write-Host $line }
    }
}

# Deletes each companion file from the directory of the file object passed in.
Function FileDelete($folder) {
    foreach ($filename in $CompanionFileList) {
        $target = $folder.DirectoryName + "\" + $filename
        if (Test-Path $target) {
            $LogBuffer = $target + " was found."
            OutLog
            $LogBuffer = "Deleting " + $target + "."
            OutLog
            Remove-Item $target -ErrorAction SilentlyContinue
            if (Test-Path $target) {
                $LogBuffer = "Error: " + $target + " was not deleted."
                OutLog
            } else {
                $LogBuffer = $target + " was successfully deleted."
                OutLog
            }
        } else {
            $LogBuffer = "Warning: " + $target + " was not found."
            OutLog
        }
    }
}

# Removes the parent folder, but only when its name matches $FindFolder.
# The original tested the return value of Remove-Item, which returns nothing,
# so it always logged an error; the result is checked with Test-Path instead.
Function FolderDelete($folder) {
    if ($folder.DirectoryName -like ("*" + $FindFolder)) {
        Remove-Item $folder.DirectoryName -Recurse -Force -ErrorAction SilentlyContinue
        if (Test-Path $folder.DirectoryName) {
            $LogBuffer = "Error: " + $folder.DirectoryName + " was not successfully deleted."
            OutLog
        } else {
            $LogBuffer = $folder.DirectoryName + " was successfully deleted."
            OutLog
        }
    }
}

# Searches the Windows directory for each file in $FindFileList and cleans up
# around every copy found.
Function FindFile {
    foreach ($FindFile in $FindFileList) {
        $LogBuffer = "Searching for " + $FindFile + "."
        OutLog
        $files = Get-ChildItem -Path $env:systemroot -Filter $FindFile -Recurse -ErrorAction SilentlyContinue
        if ($null -eq $files) {
            $LogBuffer = "Warning: " + $FindFile + " was not found."
            OutLog
        } else {
            $LogBuffer = "Found " + $FindFile + " in " + (@($files.DirectoryName) -join ", ")
            OutLog
            foreach ($folder in $files) {
                FileDelete $folder
                FolderDelete $folder
            }
        }
    }
}

# Runs the MSI uninstaller for each product code and logs the exit code.
Function MSIx {
    foreach ($MSICode in $MSICodeList) {
        $LogBuffer = "Executing MSI Uninstall string: MSIEXEC.EXE /X" + $MSICode + " /QN /NORESTART"
        OutLog
        $Exit = (Start-Process -FilePath "MSIEXEC.EXE" -ArgumentList "/X$MSICode /QN /NORESTART" -Wait -PassThru).ExitCode
        Switch ($Exit) {
            "1603" {
                $LogBuffer = "MSI Result Code was: " + $Exit + " Error: Fatal error during uninstallation. Application not removed."
                OutLog
            }
            "1605" {
                $LogBuffer = "Warning: MSI Result Code was: " + $Exit + " Application is not installed."
                OutLog
            }
            "0" {
                $LogBuffer = "Warning: MSI Result code was: " + $Exit + " Application successfully uninstalled."
                OutLog
                MSISuccessHandler
            }
            Default {
                $LogBuffer = "Error: MSI Result Code was: " + $Exit
                OutLog
            }
        }
    }
}

# Stops and deletes each service in $ServiceList.
Function DeleteService {
    foreach ($ServiceName in $ServiceList) {
        if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
            $ServName = Get-Service -Name $ServiceName
            $LogBuffer = "The service '" + $ServName.DisplayName + "' was found."
            OutLog
            $LogBuffer = "Stopping service: '" + $ServName.DisplayName + "'"
            OutLog
            Set-Service $ServName.Name -Status Stopped
            $ServiceStatus = Get-Service -Name $ServName.Name
            $LogBuffer = "The Service: '" + $ServName.DisplayName + "' is " + $ServiceStatus.Status + "."
            OutLog
            $LogBuffer = "Deleting the service '" + $ServName.DisplayName + "'."
            OutLog
            $null = (Get-WmiObject Win32_Service | Where-Object { $_.Name -like $ServName.Name }).Delete()
            # Give the SCM a moment to drop the entry. The delay in the original
            # is garbled beyond recovery; 5 seconds is assumed here.
            Start-Sleep -Seconds 5
            if (Get-Service -Name $ServName.Name -ErrorAction SilentlyContinue) {
                $LogBuffer = "Error: The service: '" + $ServName.DisplayName + "' was not deleted."
                OutLog
            } else {
                $LogBuffer = "The service: '" + $ServName.DisplayName + "' was successfully deleted."
                OutLog
            }
        } else {
            $LogBuffer = "Warning: The service: '" + $ServiceName + "' was not found."
            OutLog
        }
    }
}

# Deletes each registry path in $RegPathList.
Function RegClean {
    foreach ($RegPath in $RegPathList) {
        if (Test-Path $RegPath) {
            $LogBuffer = $RegPath + " was found in the registry."
            OutLog
            $LogBuffer = "Deleting " + $RegPath + "."
            OutLog
            Remove-Item $RegPath -Recurse -Force
            if (Test-Path $RegPath) {
                $LogBuffer = "Error: " + $RegPath + " was not deleted from the registry."
                OutLog
            } else {
                $LogBuffer = $RegPath + " was successfully deleted from the registry."
                OutLog
            }
        } else {
            $LogBuffer = "Warning: " + $RegPath + " was not found in the registry."
            OutLog
        }
    }
}

Function StartLog {
    $LogBuffer = "----====Logging started====----"
    OutLog
}

Function StopLog {
    $LogBuffer = "----====Logging stopped====----"
    OutLog
}

# Called from MSIx when msiexec returns 0; $Exit is read from the caller's scope.
Function MSISuccessHandler {
    if ($Exit -eq "0") {
        $LogBuffer = "Warning: MSI uninstall was successful. Remainder of script is probably not necessary."
        OutLog
    }
}

# Do all the things
StartLog
MSIx
DeleteService
FindFile
RegClean
StopLog

POODLE Attack: Registry Settings to Disable SSL 3.0


A POODLE attack is an exploit that takes advantage of the way some browsers deal with encryption. POODLE (Padding Oracle On Downgraded Legacy Encryption) is the name of the vulnerability that enables the exploit.

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Microsoft is announcing that with the release of security update 3038314 on April 14, 2015, SSL 3.0 is disabled by default in Internet Explorer 11. Microsoft is also announcing that SSL 3.0 will be disabled across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

Mitigating Factors

  • The attacker must make several hundred HTTPS requests before the attack could be successful.
  • TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Recommendation

Disable SSL 3.0.

 

Solution – Issue command

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /v SecureProtocols /t REG_DWORD /d 2688 /f

The reg mod is the same as making the following change to the local group policy:

  • Browse to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
  • Change the Turn off encryption support setting to "Enabled"
  • Under Options, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2"
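The number 2688 is a bitmask: SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512 and TLS 1.2 = 2048, so 128 + 512 + 2048 = 2688 is exactly the "TLS 1.0, TLS 1.1, and TLS 1.2" combination with both SSL bits clear. The script below is an added example, not from the advisory or the original post; it decodes the SecureProtocols value so you can confirm on a machine that SSL 3.0 is really off after the reg add above, rather than trusting the number.

```powershell
# Added example (not from the original post): decode the IE SecureProtocols
# policy value and report whether the SSL 3.0 bit is clear.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Bit values of the SecureProtocols DWORD.
$Flags = [ordered]@{
    'SSL 2.0' = 8
    'SSL 3.0' = 32
    'TLS 1.0' = 128
    'TLS 1.1' = 512
    'TLS 1.2' = 2048
}

function ConvertFrom-SecureProtocols([int]$Value) {
    # Names of the protocols whose bit is set in $Value.
    $Flags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-Ssl3Disabled {
    # Reads the policy value; absent means the policy is not set and IE's own
    # default (which depends on the IE version and update level) applies.
    $v = (Get-ItemProperty -Path $Key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) {
        return [pscustomobject]@{ Value = $null; Enabled = 'policy not set'; Ssl3Off = $false }
    }
    [pscustomobject]@{
        Value   = $v
        Enabled = (ConvertFrom-SecureProtocols $v) -join ', '
        Ssl3Off = (($v -band $Flags['SSL 3.0']) -eq 0)
    }
}

ConvertFrom-SecureProtocols 2688   # TLS 1.0, TLS 1.1, TLS 1.2
Test-Ssl3Disabled | Format-List
```

One caveat: this value only governs Internet Explorer and other WinINET consumers. Services and applications that talk to Schannel directly are configured under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, so disabling SSL 3.0 there is a separate step from the one the page describes.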

 

Notes

https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3009008