Another TechMentor done! (Orlando 2015)

TechMentor Orlando 2015 just sent me the feedback!

I think you should really consider putting Techmentor on your schedule if it's not there already! This time the event had double the amount of people compared to last year. Sessions were a bit more traditional 75 minute each. 

I presented four sessions so I kept my self busy :) Sessions were:

- Windows Internals Black Belt: Memory Management Thursday, November
- Windows Internals Black Belt: Security
- Windows 10 - The Important New Features
- Windows Internals Black Belt: Become a Troubleshooting Ninja

Some stats: (Average score by speakers at the conference in RED / My score in order listed above GREEN

1. Speaker Effectiveness: (1-5, 5=Excellent; 1=Poor)

a. Style and delivery 4.52  5.00, 4.97, 4.76, 4.94

b. Knowledge of subject 4.73 / 5.00, 4.97, 4.87, 4.94

c. Speaker open to my specific problems/questions 4.58 / 4.94, 4.93, 4.68, 4.85

2. Content Effectiveness: (1-5, 5=Excellent; 1=Poor)

a. Consistency with agenda description 4.60 / 5.00, 4.97, 4.79, 4.79

b. New information/update/clarification 4.52 / 5.00, 4.97, 4.79, 4.85

c. Met my expectations 4.43 / 5.00, 5.00, 4.74, 4.79

3. Your overall rating of this session: (1-5, 5=Excellent; 1=Poor) 4.49 / 5.00, 5.00, 4.79, 4.85

4. The level of the session was appropriate: (1. Yes 2. No) 1.05 / 1.00, 1.00, 1.00, 1.00

5. Would you recommend the session to others? (1. Yes 2. No) 1.08 / 1.00, 1.00, 1.03, 1.03

6. Did you feel this session was a product or corporate sales pitch? (1. Yes 2. No) 1.94 / 2.00, 2.00, 1.97, 1.91

 Sami is the best speaker. I have heard at TechMentor this year. He leaves me wanting more. You need to increase his track.
 Excellent session a lot of useful information covered.
 Great session. Should be longer sessions since there was a lot of information to cover.
 This presenter is awesome. Best presenter of the show easily !!!

 Sami is very good. He always has so much information, but needs more time.
 learned a lot! Extremely knowledgeable speaker. Very impressed with presentation!
 Absolutely great speaker! I learned so much very informative and entertaining.
 Very informative and well delivered presentation.
 Sami is the best speaker that I heard while here.
 Sami is top notch! The best information every time!
 very informative.
 Great presentation.
 Sami was awesome as expected.

 Great session, but needed a bigger room
 Presentation style is very appreciative. Kept me informed and wanting to know more. Applied real like
examples that I can relate to.
 Fantastic delivery.
 Most I have ever laughed while actually learning something.
 Great session very informative.
 Pragmatic big picture approach is a nice change.
 Good presentation on windows 10.
 Wonderful presentation style.
 "Best session so far
 Please Keep getting big names in the industry at this show"
 great presentation and engaging
 Learned about things that actually matter
 Great session.
 Sami is one of the greatest technical presenters I've ever seen. His presentations are always engaging and extremely informative.
 Hilarious!
 awesome presenter, kept the room going and interested from start to end.

 Damien was hilarious his delivery of Win10 new items made you laugh and curious at the same time. Great job Sami!
 Excellent content and presentation.
 Awesome content in this session.
 Sami is a great speaker. The topics discussed were very informative learned a lot and thoroughly enjoyed.
 Great speaker!
 Best speaker I ever heard.
 Sami has a fun and relaxed approach to highly technical material which makes the point very effectively.
 Very entertaining and full of information.
 Excellent class!
 One of the best so far.
 Fantastic session. Great speaker! I wish everybody I work with could experience this guy.
 Very funny speaker, relates well to his audience, humor and meaty system hacking stuff.
 wish we had more time.
 Well informed and leaving with knowledge I know I can used right away. Entertaining speaker. Always looking forward to attending his sessions.
 wish I had better screenshots or capture of demos. Sami is always a favorite. he needs a longer session.
 Great session!
 very engaging presentation. would definitely recommend the speaker and will look for his presentations in the future.
 Very good information.
 great session
 Wonderful session with great material.
 Not terrible. There have been worse and less useful sessions.
 There was not as much practical troubleshooting as I expected. The long segment about drivers seemed like a diversion.

 At this point Sami is hands down the best speaker here. Highly recommend you continue to bring him back

The Explainables - Case #1

I've heard about so many cases that are left Unexplained that I decided to publish a series called "The Explainables". If I get a chance I try to get a session like this to Ignite as well.

In this series I'll post cases that my students send me that they have solved by using the skills they learned on my classes.

The first one is from Robert Danielsson. Thank you so much for sending this. I hope you feel good being able to solve a case like this especially seeing the forums and how many haven't been able to troubleshoot it - that is until you came along :)

Cheers,

Sami

The Case

OS Windows Server 2012 / 2012 R2

We had a customer that had Backups that failed all the time on a Webserver

The Error message was these:

Event Source : MSMQ

Event ID: 2227

Failed backups,Backup failed during event OnPrepareSnapshot. Error 0x80070003

Also in vssadmin list writers the MSMQ writer is in failing state with time-out error.

I have tried it all,
* Add new disk for VSS Storage
* Reregistred VSS dll's
* Sfc /scannow
* Checkdisk
* Took recording with procmon on a system that worked with similar configuration and compared it with the system that had problem with no luck.
* Vacuum cleaning the internet on solutions but still no luck.

Going through the procmon recording now that I know what caused the problem I see that I have 1 entry that is causing the problem, 1 entry out of 100 000 :(

So if you have the time, do this on a Windows Server 2012 / 2012 R2
1. Install IIS
2. Move Default Website to another disk
3. Install WindowsBackup
4. Install MSMQ with all options
5. Backup Server
6. Examine the Application Log, you will now have the MSMQ 2227 event.

If you don’t have the time read the solution here :)

https://social.technet.microsoft.com/Forums/scriptcenter/en-US/7f780daa-503e-47e0-96d2-946154455929/error-0x80070003-the-system-cannot-find-the-path-specified?forum=windowsbackup

(My post is at the bottom ; Rodani)

Wish you a merry Christmas and hopefully I will attend on your course (Step 2 troubleshooting) in Stockholm next year.

Windows Security seminar in Tallinn!

On Thursday I did a 30 minute webinar on Hacking Windows and how to prevent it. I LOVE doing this and because I never get to showcase everything I know about the topic I finally found a partner that will let me do what I love for a WHOLE DAY :)

Please read along and let me tell you what that day will be about and what you will learn and be able to take home with you.

http://koolitus.ee/blackbelt/

That's the link for my training on the 12th of February 2016. The Early-Bird price of 119€ will be available until the 20th of December 2015. There's also a group trip organized from Finland and if that interests you you can find out more here: http://www.winpros.fi/fi/?page_id=135

Now that NSA, Microsoft and Gartner have all stated that proactive security is a mandatory move for all companies and that keeping your end users to least privilege only - it's more than important that you see what I have to show you!

What I will go through as real life demonstrations:

• Make sure you understand that reactive security like Antivirus is not enough to protect you anymore next year
• How current malware works and how to fight against it
• Pass-The-Hash and Pass-The-Ticket attacks
• How to do this attack
• How to block it with Windows 10 or Windows 7
• How to correctly setup administrative accounts in a company
• Attacking API's and why Runas-tools are unsecure
• API Monitoring - Who to spy on API calls
• How to do Runas the real way
• How to get admin rights to a computer
• How to attack an un-encrypted machine
• How to attack a BitLocker protected machine
• How to configure encryption correctly
• How to get Domain Admin rights to a company
• How to protect against admin level elevation
• How to bypass BitLocker
• How to prevent it
• How to bypass UAC
• How to correctly use UAC and why it's mandatory
• How to abuse privileges
• How to steal any logged on users identity
• How to bypass all access control on files
• How to bypass company policies
• How to block Group Policy
• How to fight against blocking policies
• How to reach the principle of Least Privilege
• How I protect my computer and networks
• How to configure least privilege
• How to configure whitelisting

Can't wait to see many of you in Estonia! A beautiful and inexpensive city to enjoy!

Cheers,

Sami

First impressions on the new Surface Book (and Windows 10 stuff)

Hi everyone!

I've now used the SurfaceBook for a little more than a week and I think it's time to write down some first impressions of using this for my work. As you might know my work mainly involves speaking to audiences and delivering training, and A LOT of travelling.

I can't help by first saying that I spend some time yesterday with the new iPad PRO at the local Apple Store. I honestly have no use for that device although I use an iPad in the living room with my family. Compared to Surface Pro 4 or especially the Book it just seems to lack in every aspect. It's VERY big and I just don't like the keyboard.. It just felt like something that wasn't really thought through..

Another thing that I was very pleased with was the actual change from my old computer to the new SurfaceBook. I was amazed on the amount of time it took me to really dump the old laptop. I'm used to working a day or two to get my own computer up and running exactly like I want it to. I can make my customers deploy computers in a matter of minutes but I've never enjoyed that experience on my own devices. Me and my wife are my company so I hope you give me some slack on this matter. This time everything was different and to my surprise I was totally migrated in two hours! How is this possible? Here's a short list:

• Microsoft devices have a limited amount of bloatware
• The change from Windows 10 Pro to Enterprise only requires the product key for enterprise and a few minutes to process
• All my data is in the cloud
• My Intune installs my needed software
• Office migrates most of the settings automatically
• UE-V migrates rest of my settings

Now for the first week with my SurfaceBook. This list of experiences is in no particular order but just as they happened to me and I took note of them. This also only applies to my profession only and I don't really test the GPU stuff that much. But here we go:

1. I started instantly with a course to teach in the Netherlands. The most important thing here is the fact that I could ditch two devices and replace them with the Book. I used to have a Surface 3 just for drawing mid presentations and my Fujitsu S904 to run everything, I loved the fact I could again travel with one device only through the security checks etc. On the flight I just unplugged the keyboard so I could use it while taking off and landing.
2. The battery seems to make through around 8 hours for me. The bad thing is that my old Surface 3 could be charged with micro-USB but this really didn't bother me as much as I first thought it might. I anyway needed a charger for my laptop already before this. The only minor thing that had to get instantly is a longer radio power cord. It's maybe two feet at max and I find myself all the time out of reach of an outlet.
3. I took the SurfaceDock with me and I have to say it's the nicest dock I've had. Just plugging in the power plug and nothing else, seems slick and works very well.
4. The first thing to note is that I instantly needed to take into use my old USB3 Hub + Ethernet. That is something I'm not too happy about. My Fujitsu was fine with no additional adapters but the Books two USB3 ports just isn't enough for me. And the Ethernet - Well I couldn't live without it. Luckily it's just one device: http://us.macally.com/products/U3HUBGBA
5. At this point I have to say that the Pen is AWESOME!! Nothing to add just perfect for me! And no charging it - I love it! And it snaps to the screen for storage - Nice! Some programs still need some training from my side for me to be fluent in using the pen in my trainings with just one device.
6. Before the noon of the first day my display adapter had crashed a few times. It's not noticeable like it was in Windows 8.1 as there's no black screen - not even for a second. But this bugs me and I hope to get a new Firmware upgrade or a driver soon.
7. I had to take the US keyboard.. For me there are two things that piss me off with it. 1. The lack of <>| button next to the Z key compared to the Nordic keyboard I normally use. 2. The different placement of the '-key and Enter. Writing PowerShell is hard for me - as if it wasn't hard enough with the Nordic keyboard already.
8. I loved my Fujitsu for the fact it had a full size VGA and HDMI. These are after all the most important things in my profession. So in the morning the first thing on top of the USB3+Ethernet adapter was to plug in this: http://www.startech.com/AV/Displayport-Converters/Mini-DisplayPort-to-VGA-DVI-HDMI-Adapter~MDP2VGDVHD Luckily it has never failed me unlike the "HDMI to something". My trust in DisplayPort in these cases is many time greater that towards any other connectors.
9. The touchpad is good compared to many. I do have some trouble in learning at what point exactly does it believe I'm clicking a button.. A bit too big an area is reserved for the buttons from the lower part of the pad - in my opinion.
10. I'm currently preparing for my tomorrows TechMentor session on Windows 10 and I can't wait to get to show my new demo on Windows Hello without an external camera. This is awesome on a laptop! I would still like to have fingerprint reader as well but I've quickly learned to live without it as well. I actually already ordered this for demos as well: http://www.amazon.com/gp/product/B00W4C17ZY?psc=1&redirect=true&ref_=oh_aui_detailpage_o00_s00
11. Next thing I figured I'm missing was the 4G WAN I had built-in before with the Fujitsu. I'll survive but it would be a nice add in. I lost the Wifi for some reason and that's when I figured this was missing.
12. After teaching my normal life continued by hitting the gym of the hotel. The hinge and the mechanism keep me wondering time after time how they pulled it off. It's awesome but I have to say it has failed once already showing this message to me:
    
13. When I got to the gym I only took the screen/tablet with me. The size of the screen is crazy! It's thin so it fits on the treadmill very nicely and it's amazing to look at. The screen is actually so nice that I felt bad carrying it in my sweaty hands when returning to my room. The BIGGEST smile I must have had when I placed the tablet on the treadmill and it just said "Hello Sami Laiho - Welcome!" The Windows Hello feature works in this scenario - better than anything I've had :)
14. Talking to family on Skype I can say that the Mic, Camera and Loudspeakers are the best I've had in a long time.
15. The amount of people approaching me in different places just to ask if they can take a look at the Book, and many of them being Apple users, I have to say I've never been as proud to carry a Windows laptop than I am now - Finally Microsoft is Cool!

Anyway it's easy to end by saying it's hands down my favorite Windows device ever!

Cheers,

Sami

Adminizer still beats LAPS

Microsoft nowadays offers a free Local Admin Password Solution to randomize the passwords on computers and save them to Active Directory. So why am I still selling my Adminizer and even more important why do people still keep buying it? 

Here’s a short list of why:

1. Adminizer not only randomizes your local passwords but makes them onetime as well. LAPS only randomizes the passwords. Half the security and no way to give temporary access.
2. Adminizer works without Active Directory so Workgroups, BYOD, CYOD, Azure AD joined Windows 10 etc. are easy to manage as well. LAPS requires AD.
3. Adminizer works totally offline. LAPS will not change the password of a computer if it can’t reach AD or GPO’s don’t work for some reason.

 

Of course you should test both so here are the required links:

• Adminizer:
• Video Intro
• Download: http://www.adminize.com/download.html
• LAPS:
• Video: https://channel9.msdn.com/Events/Ignite/2015/BRK2334
• Download: https://www.microsoft.com/en-us/download/details.aspx?id=46899

 

Cheers,

Sami

Hugely successful TechMentor!

I can’t help sharing this with you as in TechMentor Redmond 2015 I had in my opinion the most fun Security session I’ve ever had. I enjoyed it so much that I’m still excited about it As I try to always share my tips on presentation skills as well as technical stuff I will once more say that the most important thing in winning Best-in-Show awards at conferences is YOUR OWN EXCITEMENT ON WHAT YOU ARE TALKING ABOUT!

My motto: Teach what you love and love what you teach or at least learn to fool yourself into believing that you love what you teach.

So how did it go? AWESOME! I had 40 people that filled in the evals which is great as there was about 400 people attending and Ignite had 23000 attending I got about 100 evals returned there.

 

Some stats: (Average score by speakers at the conference in RED / My score in GREEN

1. Speaker Effectiveness: (1-5, 5=Excellent; 1=Poor)

a. Style and delivery 4.57 / 4.88

b. Knowledge of subject 4.87 / 5.00

c. Speaker open to my specific problems/questions 4.66 / 4.74

2. Content Effectiveness: (1-5, 5=Excellent; 1=Poor)

a. Consistency with agenda description 4.71 / 4.95

b. New information/update/clarification 4.67 / 4.88

c. Met my expectations 4.50 / 4.98

3. Your overall rating of this session: (1-5, 5=Excellent; 1=Poor) 4.56 / 4.95

4. The level of the session was appropriate: (1. Yes 2. No) 1.03 / 1.00

5. Would you recommend the session to others? (1. Yes 2. No) 1.06 / 1.00

6. Did you feel this session was a product or corporate sales pitch? (1. Yes 2. No) 1.86 / 1.97

 

Unedited comments:

• Sami is a great speaker, and I'm very impressed by his knowledge and delivery of the content.
• Always entertaining, informative, and eye opening!
• Was fun and educational!
• Excellent speaker ‐ highly knowledgeable.
• Very interesting, knowledgeable, relevant to my job, will save me time, make auditing easier and security
  setting more secure and less vulnerable. Excellent!
• More time to go over even more; want more.
• Great information!
• Awesome!! And insightful!!
• This could have been an all‐day session ‐ three hours was not enough. Excellent info.
• Best presenter at the conference.
• Sami was my favorite speaker at TechMentor. He taught very well, was very entertaining, and very
  informative. I will be taking back a lot of value to my company from what he taught me about Windows OS
  Internals and Security.
• Great!
• Captivated from start to finish. Sami delivered a homerun of a session. Knock out demos, engaging dialogue
  and lots of audience interaction. Even things going wrong were turned into opportunities to learn. #Amazing!
• This was the best class all week. Sami did a fantastic job.
• I as appreciated the many examples on how to make things more secure and also what to look for and what
  not to do.
• Definitely one of the best sessions so far. Sami's ability to show real time examples makes this session
  extremely valuable.
• Great job. Great advice.
• great examples. I learned a lot.
• The energy that Sami has and his depth of knowledge was amazing. I would watch his presentations any day.
• Great information provided.
• The best session! Fun and very informative! I wish I would have recorded the session.
• Great session
• Great job.
• Again, subject matter perhaps better in shorter chunks.

“EFS” on FAT drives in Windows 10

Doesn’t this look weird to you?

It sure looks like there’s an encrypted file on a FAT volume, doesn’t it? EFS has always been said to be a file system service available only to the NTFS volumes…

Well now it gets interesting ‘cause EFS requires alternate data streams for the metadata and only NTFS supports ADS. If we take a _really_ close look at that file it actually isn’t EFS encrypted although it looks and behaves like one. It’s actually an encrypted PFILE and Enterprise Data Protection takes care of storing required metadata. The file system has been changed to present it like an EFS-file to the rest of the OS.

How to install full version of Teamviewer on someone elses computer so that it works with UAC

I get this question so often that I decided to document it. The problem is that if you ask someone to start a Teamviewer Quick Support –version it won’t work with UAC. You need to get Teamviewer installed on the computer as a service to work with UAC. This isn’t always straightforward so I’ll show here my version on how to do it with a few gotchas to look at.

1. You first ask your friend/customer to download Teamviewer QS from for example:

http://download.teamviewer.com/download/version_7x/TeamViewerQS.exe

2. Ask them to Run it and allow elevation

3. Ask them to tell you the ID and Password

4. Connect to the computer and upgrade to the full version

5. Choose the proper version, NOT THE QS-version!

6. Reconnect to the computer – the ID and Password stay the same as for the QS-version

7. Configure Unattended access

8. The one thing that I always do after this because UAC is still not usually really working at this phase is to restart the Teamviewer service

9. Once more reconnect and now you have Full Control with UAC working properly