
PPTP VPN Problems with Vista SP1 and ZoneAlarm

Filed under: VPN, ZoneAlarm, SP1, Vista

Yesterday I advised a customer who is a remote VPN/Terminal Services user to upgrade to Vista SP1 in order to make "Terminal Services Easy Print" available.

After the installation of SP1 the user was not able to access the corporate VPN.

When trying to connect, Vista hangs at "Verifying username and password" and eventually shows error 828. On the server side event 20209 was logged. That event is RRAS reporting that the TCP 1723 control connection was established but the tunnel itself never came up, which it attributes to GRE (IP protocol 47) being blocked somewhere between client and server, so a firewall on the client was the obvious suspect.

There is a discussion on the ZoneAlarm forums as to where the blame for the problem lies, but there does not seem to be a clear answer.

For the sake of simplicity, I have found that:

On Vista SP1 machines with version 7.1.248 of ZoneAlarm Free installed, PPTP VPN connections to Windows 2003-based RRAS servers do not work. Note also that disabling ZoneAlarm does not help; uninstalling the product solved the issue immediately.

Always a pain when you try to solve one problem and create another in the process.  On a positive note Terminal Services easy print in Windows 2008 worked really well once we got the user reconnected.

Malware/Virus delivered through fake e-mail from UPS

Filed under: Virus, Security, Exchange

I have had several incidents this week of customer systems being infected by executables attached to e-mails appearing to be from UPS.

Looking around the blogs, these e-mails seem to have a higher than normal infection rate. The infection is time consuming to get rid of, makes the infected machines unusable and creates a huge number of network connections.

The exact subject line of the e-mails that have been received is:

UPS Tracking Number 5440074870

Attached to the e-mail is a zip file containing an executable which when executed installs "XP Security Center".


Much more information about the actual e-mail can be found on the Trend Malware Blog. The worrying thing about this e-mail is that both of the machines it infected have their e-mail filtered by very well known external third-party mail systems, then virus scanned on their own Exchange servers and finally on their desktop machines. At the moment this e-mail is still slipping through the net.

This virus does a LOT of clever things to prevent you getting rid of it. I noticed that Autoruns from Sysinternals just would not run; renaming the Autoruns executable allows it to run, so the malware is evidently blocking it by file name. It also stops you installing or downloading Windows Defender, disables System Restore and removes the System Tools program group, amongst other things.

Not a very sophisticated solution, but for now I have edited the Exchange IMF custom weighting file on customer systems so that messages with "UPS Tracking" in the subject line are always classed as spam and never delivered to the recipients.
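As an added illustration (not the file from the post or from any customer system), this is the shape of the entry that does that. Exchange 2003 SP2 reads custom weighting entries from MSExchange.UceContentFilter.xml, which sits alongside MSExchange.UceContentFilter.dll under Exchsrvr\bin\MSCFV2 (confirm the exact path on your own server, as the version folder varies). Change="MAX" pushes the SCL to its maximum so the gateway blocking action applies regardless of the rest of the score:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: custom weighting entries for the Exchange 2003 SP2 IMF.
     Type is SUBJECT, BODY or BOTH; Change is MAX, MIN or a numeric adjustment. -->
<CustomWeightEntries xmlns="http://schemas.microsoft.com/2004/4/exchange/CustomWeightEntries">
  <!-- Any subject containing this text is treated as spam with the highest SCL -->
  <CustomWeightEntry Type="SUBJECT" Change="MAX" Text="UPS Tracking" />
</CustomWeightEntries>
```

The SMTP service has to be restarted for the filter to reload the file. Matching on a subject string is a stopgap: the next wave will carry a different subject, so an attachment rule that blocks zip files containing executables holds up longer than any list of phrases.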

I had written a separate post on how to remove the virus manually, but at the moment I am still monitoring the infected machines to ensure they are completely clean.

An SBSC Success story

Filed under: Community, SBSC

I recently won a deal to provide a managed VPN solution for an existing customer. They have 8 branches around the country and these needed to be linked to the head offices based in Kent and Frankfurt.

The branches are spread all over the country, as far north as Glasgow and as far West as Swansea. Due to the distances involved it was not really feasible for me to install this system without assistance from a 3rd party.

Originally I had sub-contracted the entire job to an ISP who were very keen to take the deal on and seemed to know what they were doing. After a short while it was clear that they were not fit for the job and I had to pull their equipment out and cancel the order.

As a lot of time had been wasted dealing with the ISP, I really needed to get the system in place quickly and I needed to know that the guys who were going to be installing it knew what they were doing.

So, a quick post to the UKSBSG Yahoo group and within a couple of hours I had made contact with guys from all over the country who were keen to help me out and instantly understood what needed to be done. What a powerful resource!

All the appropriate hardware was ordered and dispatched to each depot. Because nearly all of the guys that had got in touch were very local they were able to drop in and do the work quickly. Within a couple of weeks of my initial post to the UKSBSG group the entire job was complete.

Not only was it complete but the whole thing went in without a hitch, all of the consultants that visited the branches were given high praise by the customer and they clearly all know their stuff.

The result is that by leveraging the SBSC community, a small company like mine can have the flexibility and responsiveness of a much larger firm and at a lower cost to the customer - everyone wins!

So I’d like to say a big thank you to everyone involved that helped me out:

Tim Long from Tigra Networks
Andy Parkes from IBIT Solutions
Mike Gelder from Redleg
Mike Tudor from No Nonsense IT
Billy from Agila Solutions
Dave from Manchester Computing

And also an honourable mention to suppliers Tekdata and Westcoast for providing consistently good service.

I am looking forward to my next partnering opportunity. If any SBS'ers are reading that specialise in VoIP systems, please get in touch :)

Using packet capture to find virus infected clients

Filed under: Virus, Security, SBS

Today a customer started to get a lot of their e-mails bounced. In fact they could not even e-mail me to let me know about the problem as my own mail servers were rejecting their messages.

The reason for this was that their IP address had been listed on the CBL (Composite Blocking List).

I had a poke around the server and everything seemed to be in good order; patched up to date, virus scanner had nothing interesting to report, netstat did not show any abnormal connections and Exchange queues seemed normal. So I assumed that the problem must be coming from one of the network PCs.

This customer has a dual-NIC SBS 2003 Standard Edition server, not my preferred set-up, but the system had to be implemented this way to fit in with existing infrastructure. It is not possible to see what traffic is passing through the RRAS NAT gateway with the built-in tools, but Microsoft Network Monitor 3.1 should be able to show up any strange network traffic. I installed it and ran the following filter:

Tcp.dstport == 25 and ipv4.Address != 192.168.200.1

192.168.200.1 is the IP address of the internet facing NIC on the SBS machine.

Within a couple of minutes this filter showed all the machines on the network sending SMTP based traffic except for the SBS server itself. Fortunately there was only one. I took remote control of the machine and from the command line ran:

netstat -ano | find ":25"

The output of this command showed me the local process (the last column of netstat -ano is the owning process ID) that was attempting to communicate with other hosts on port 25, and confirmed that this PC was definitely infected with some kind of mass mailing virus or worm. Killing the process listed by the netstat command stopped the mass mailer and gave some breathing space to find the cause of the problem.
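The triage step above done in PowerShell, as an added example that is not part of the original post. netstat -ano only gives a PID, so the script joins it against tasklist output to get the image name, then counts how many distinct remote hosts each process is talking to on port 25: a mail client talks to one internal server, a mass mailer fans out to many MX hosts. The two sample outputs are constructed to resemble an infected XP client, and the assumption that 192.168.200.1 is the only legitimate SMTP destination is taken from the post; everything else (names, PIDs, addresses) is made up.

```powershell
# Added example: map "netstat -ano" rows on port 25 back to process images.
# Requires PowerShell 3.0 or later (member enumeration on arrays).

$MailServer = '192.168.200.1'   # assumption: the only host clients should talk to on port 25

# Constructed sample of "netstat -ano" output. In real use: $NetstatLines = netstat -ano
$NetstatLines = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    192.168.200.57:1055    192.168.200.1:25       ESTABLISHED     1588
  TCP    192.168.200.57:1061    64.12.138.120:25       SYN_SENT        2912
  TCP    192.168.200.57:1062    65.55.37.72:25         SYN_SENT        2912
  TCP    192.168.200.57:1063    209.85.135.27:25       ESTABLISHED     2912
  TCP    192.168.200.57:1070    192.168.200.1:3389     ESTABLISHED     3104
'@ -split "`r?`n"

# Constructed sample of "tasklist /FO CSV /NH". In real use: $TasklistLines = tasklist /FO CSV /NH
$TasklistLines = @'
"svchost.exe","924","Console","0","4,812 K"
"OUTLOOK.EXE","1588","Console","0","31,204 K"
"taskmon.exe","2912","Console","0","2,140 K"
"mstsc.exe","3104","Console","0","9,880 K"
'@ -split "`r?`n"

function Get-OutboundSmtpByProcess {
    param([string[]]$Netstat, [string[]]$Tasklist, [string]$AllowedHost)

    # PID -> image name, from the CSV form of tasklist
    $Images = @{}
    $Rows = $Tasklist | Where-Object { $_ -match '^"' } |
            ConvertFrom-Csv -Header Image,PID,Session,SessionNum,Mem
    foreach ($Row in $Rows) { $Images[[int]$Row.PID] = $Row.Image }

    # One record per TCP row whose remote end is port 25 on a host other than the mail server
    $Hits = foreach ($Line in $Netstat) {
        if ($Line -match '^\s*TCP\s+(\S+)\s+(\S+):25\s+(\S+)\s+(\d+)\s*$') {
            $Remote = $Matches[2]; $State = $Matches[3]; $ProcId = [int]$Matches[4]
            if ($Remote -ne $AllowedHost) {
                [pscustomobject]@{ PID = $ProcId; Image = $Images[$ProcId]; Remote = $Remote; State = $State }
            }
        }
    }

    # Summarise per process: many distinct remote hosts from one PID is the worm signature
    $Hits | Group-Object PID | ForEach-Object {
        [pscustomobject]@{
            PID         = [int]$_.Name
            Image       = $_.Group[0].Image
            RemoteHosts = @($_.Group.Remote | Sort-Object -Unique).Count
            Sample      = ($_.Group.Remote | Select-Object -First 3) -join ', '
        }
    }
}

$Suspects = Get-OutboundSmtpByProcess -Netstat $NetstatLines -Tasklist $TasklistLines -AllowedHost $MailServer
$Suspects | Format-Table -AutoSize
# With the constructed data this lists one row: PID 2912, taskmon.exe, 3 remote hosts.

# Once you are satisfied the PID is not a legitimate mail client:
#   Stop-Process -Id 2912 -Force
```

Killing the process only buys time, as the post says: the persistence mechanism is still there, so follow up with a scan and a look at the autostart locations.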

It turns out the machine in question had its virus checker disabled. I turned it back on and ran a full scan, which turned up almost 6,000 files infected with W32/MyDoom.

Once found, the problem was easy to sort, but because I have so few customers with this set-up it had not occurred to me how little visibility over network traffic you get with the SBS 2003 Standard Edition tools.

The joys of travelling sales laptops :D

Sending backup tape reminder e-mails

Filed under: backup, Scripting, SBS

This is just a very quick script written in response to a question posted in one of the SBS yahoo groups.

It sends an e-mail to a specified recipient reminding them to change the backup tape in a server. The SBS backup system does this automatically, so this is meant for SBS servers using something other than the built-in SBS backup.

Installation is simply a case of extracting the contents of this zip file to a folder on your SBS server and then changing the variables at the top of the script to appropriate values for your environment.

Once done you can test interactively from a command line by running "cscript tapereminder.vbs" and, once you are happy with the results, set up a scheduled task to do the job daily.

Windows update automatic e-mail notification

Filed under: Security, Scripting, SBS

As the number of servers that I am responsible for managing increases, it becomes more difficult to ensure that they are all patched up to date.

As most of the machines I manage are SBS boxes I thought that it would be nice to put something together which behaves in much the same way as the SBS generated e-mail alerts.

So, the result is a script which sends e-mail notifications to a specified address and gives details of which patches are available to be installed.  The administrator can choose which of the four patch levels will trigger an e-mail alert (Critical, Important, Moderate & Low).

If there are no outstanding patches at the appropriate alert levels to be installed then the script will quit without sending an e-mail.

The script then runs as a scheduled task every evening and I can quickly see if I have anything to action. The report includes links to the relevant KB articles and further information made available by Microsoft.


The script only takes a couple of minutes to set up as there are only six settings at the top of the file.

Setting any of the first four to 1 will trigger alerts for that update severity:

  • AlertCritical
  • AlertImportant
  • AlertModerate
  • AlertLow

The other two control the addressing:

  • EmailFrom - Specifies the e-mail address the report will be sent from.
  • EmailTo - Specifies the e-mail address to send the reports to.


I have been running with AlertCritical/AlertImportant set to 1 and the other two set to 0.
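The same behaviour in PowerShell, as an added example rather than the VBScript from the zip file: it asks the Windows Update Agent for uninstalled updates (from Windows Update or WSUS, whichever the client is pointed at), keeps only the severities switched on, and sends nothing at all when the list is empty. The COM interface Microsoft.Update.Session and the MsrcSeverity, KBArticleIDs and MoreInfoUrls properties are the real WUA API; the e-mail addresses, the SMTP relay and the function names are assumptions.

```powershell
# Added example: report pending updates by severity via the Windows Update Agent.
$AlertCritical  = 1
$AlertImportant = 1
$AlertModerate  = 0
$AlertLow       = 0
$EmailFrom      = 'updates@example.local'   # assumption
$EmailTo        = 'admin@example.local'     # assumption
$SmtpServer     = 'localhost'               # assumption: the local Exchange/SMTP service relays for us

# Severities that trigger an alert, derived from the 0/1 switches above.
# WUA reports MsrcSeverity as Critical, Important, Moderate, Low, or empty for non-security items.
$WantedSeverities = @(
    @{ Name = 'Critical';  On = $AlertCritical },
    @{ Name = 'Important'; On = $AlertImportant },
    @{ Name = 'Moderate';  On = $AlertModerate },
    @{ Name = 'Low';       On = $AlertLow }
) | Where-Object { $_.On -eq 1 } | ForEach-Object { $_.Name }

function Get-PendingUpdates {
    # Searches whichever source the client is configured for (Windows Update or WSUS)
    $Session  = New-Object -ComObject Microsoft.Update.Session
    $Searcher = $Session.CreateUpdateSearcher()
    $Result   = $Searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($Update in $Result.Updates) {
        [pscustomobject]@{
            Title    = $Update.Title
            Severity = [string]$Update.MsrcSeverity
            KBs      = @($Update.KBArticleIDs) -join ','
            MoreInfo = @($Update.MoreInfoUrls) -join ' '
        }
    }
}

function Format-UpdateReport {
    param([object[]]$Updates, [string[]]$Severities)
    $Selected = @($Updates | Where-Object { $Severities -contains $_.Severity })
    if ($Selected.Count -eq 0) { return $null }   # nothing at the chosen levels: caller sends no mail
    $Lines = foreach ($U in $Selected) {
        "[{0}] {1}`n    KB: {2}`n    {3}" -f $U.Severity, $U.Title, $U.KBs, $U.MoreInfo
    }
    "{0} update(s) awaiting installation on {1}:`n`n{2}" -f $Selected.Count, $env:COMPUTERNAME, ($Lines -join "`n`n")
}

$Report = Format-UpdateReport -Updates (Get-PendingUpdates) -Severities $WantedSeverities
if ($Report) {
    Send-MailMessage -From $EmailFrom -To $EmailTo -SmtpServer $SmtpServer `
        -Subject "Windows updates pending on $env:COMPUTERNAME" -Body $Report
}
```

Scheduling is the same as for the VBScript version: one scheduled task per server, running the script under an account that is allowed to query the update agent and to relay through the chosen SMTP server. Service packs and feature installs that Windows Update offers without an MSRC severity fall through the filter, which matches the "Internet Explorer 7 is not a patch" behaviour described below.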

So, if you want to receive email alerts all you need to do is download this Zip file, extract the contents to a folder on your server and then edit the variables at the top of the script.  To perform a test run go into a command prompt and change directory to the location where you extracted the script and run:

cscript winupdates.vbs

With any luck you should get an e-mail soon after with the results. If you find that it is not generating an e-mail as expected, one reason may be that there are no patches available to install. Bear in mind that not all items from Windows Update will appear. For example "Internet Explorer 7" is not a patch and therefore will not be listed.

Running the script interactively as above will take a few moments while Windows Update (or WSUS if you have it installed) is checked for new updates.

Once you have completed a successful test you can go ahead and set up a scheduled task. Assuming an installation directory of "c:\scripts", the scheduled task command should look something like this:

C:\WINDOWS\system32\cscript.exe c:\scripts\winupdates.vbs

Also worth a mention: I have used this on standard (non-SBS) Windows servers and it works well.

Perhaps if enough people use this script, it will actually save as much time as it took to make it, but I doubt it. :)

Is this the end of SBSC?

Filed under: SBSC, Opinion

Is the SBSC going to be killed? According to this post by Vlad it might be.

But I don’t think it can be killed by Microsoft yet…

Right now, anyone can call up Microsoft for help, after paying £200 you are quickly connected to a support professional that specializes in the product you are calling about. It’s best to use this service first thing in the morning. You should then have enough time left in the day to explain the problem to someone who can’t speak English. In an emergency, when time is of the essence, don’t bother unless you have no other choice. This is the level of service that Microsoft applies to their absolutely business critical server software. What level of service will a frustrated end user receive when their desktop application won’t behave?

By contrast my customers can ring me and in most instances have their issues understood instantly and seen to soon after. Often a problem can be turned into a sales opportunity and everyone is happy. As customers grow they develop unique needs which cannot be mass produced.

The service level I offer has always made me feel safe, until last week…

My girlfriend and I went to watch the new Transformers movie at the cinema. The picture quality was terrible; it was obvious that something was wrong with the projector and the experience was comparable to watching a dodgy pirate movie. Afterwards I spoke to the manager, who accompanied us back to the screen where the credits were still rolling. She agreed the picture quality was terrible and refunded our money.

The cinema was near capacity but I was the only person complaining. The point is that people don’t really care about crappy service. It has become so normal these days that you almost don’t even notice it when it’s staring you in the face. Customers love to receive great service but most will accept poor service, especially if the price is right.

I think good customers will choose quality of service over price, I really hope so.

Luckily for me, my girlfriend has an amazing side profile. A sight for sore eyes after looking at blurred Megatron, who has been recreated by her in a rendition of a cheesy scene (It is Friday after all).


Vista UAC isn't just annoying...

Filed under: Security, Vista

Just been reading Susan’s post in which she complains about IT professionals that disable UAC on Vista because it’s annoying.

It is annoying, very annoying. If it is left enabled most people will quickly learn the reflex of clicking Continue instantly every time their work is interrupted, and when the time comes that it could have protected you, you will be so fed up with it that the opportunity will pass you by.

What I don’t understand is who UAC is designed for…

- IT professionals have a sound knowledge of the effect an application or task will have on the system before they execute it and do not need UAC, which is probably why they complain it's annoying and disable it.

- Regular users are presented with a scary looking prompt and given no guidance by Vista as to whether they should really continue. They are left stranded by the operating system at this point and have to take their chances. 99 times out of 100 it will probably be safe to press Continue, and they will not give the prompt the respect it deserves in future. The operating system needs to be able to protect itself from harm without depending on wise choices by the user.

Part of the problem is that administrative prompts and administrator rights within Windows environments are not just used for administration, they are a requirement for every day usage. The line is much clearer on Unix based systems, administrative users are for that very purpose and regular users go for weeks or months without needing elevated rights.

UAC isn’t just annoying, it is a patch for poor design which it is not going to fix.

Editing/updating the data connection string for Excel worksheets and pivot tables

Filed under: Excel, Office

A customer going through a large infrastructure migration had a requirement to update the connection string/data source of several thousand Excel workbooks. Not only did these workbooks contain many worksheets, but also database driven pivot tables. They asked me if I could put something together which could do this for them.

After some investigation it seemed that many people have had this problem in the past, but nobody had a solid solution, especially one easy enough for end users to work with.

It turns out that the connection string is embedded in the document, and this Microsoft KB article had some example code on how to update this information in a pivot table within Excel 2003.

As it would not be practical to use the code from the KB article on so many documents, I used the example as a starting point to create a tool which could update many documents as a batch process (but could equally be used on a single document).

This utility will search a filesystem for .xls (Excel 97-2003 format) files starting at a specified folder and either show or replace the entire connection string, or a substring of the existing connection string.

The idea behind the two replacement modes is that sometimes only one detail might have changed, such as authentication information, or the IP Address/hostname of a database server. In other instances your environment might have changed significantly enough that you need to replace the whole thing.

When you execute the utility it outputs various bits of information about the documents and the data connections they contain, and whether updates have been applied or skipped.

If you leave the “Connection string to replace” field empty it will run in display only mode. In this mode the connection strings found will be displayed and no changes will be applied. The output can be used as a basis for your real replacement run.

I have not personally tested or used this tool extensively, but it has been used in production by my customer to change several thousand documents without issue. My advice would be to copy several documents into a folder to get the hang of how it works before running it for real.
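For readers who would rather see the mechanics than download a binary, here is an added PowerShell example that does the same job through the Excel object model: it is not the author's tool and is not a copy of the KB code. It walks a folder for .xls files, lists every PivotCache and QueryTable connection string, and either leaves everything alone (display-only, when no search string is given), replaces a substring, or replaces the whole string. Excel must be installed on the machine running it; the folder and connection string values are assumptions.

```powershell
# Added example: show or rewrite data connection strings in a tree of .xls workbooks.
# Requires Excel on the local machine and PowerShell 3.0 or later (Get-ChildItem -File).
function Update-ExcelConnections {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Find = '',          # empty: display-only run, nothing is written
        [string]$Replace = '',
        [switch]$WholeString         # replace the entire connection string with $Replace
    )
    $Excel = New-Object -ComObject Excel.Application
    $Excel.Visible = $false
    $Excel.DisplayAlerts = $false
    # 3 = msoAutomationSecurityForceDisable: never run macros from workbooks we batch-open
    $Excel.AutomationSecurity = 3
    try {
        foreach ($File in Get-ChildItem -Path $Root -Filter *.xls -Recurse -File) {
            # UpdateLinks=0 so Excel does not go off to refresh external links while we work
            $Wb = $Excel.Workbooks.Open($File.FullName, 0, $false)
            $Changed = $false

            # Collect every object that carries a connection string
            $Targets = @()
            foreach ($Pc in $Wb.PivotCaches()) { $Targets += $Pc }
            foreach ($Ws in $Wb.Worksheets) { foreach ($Qt in $Ws.QueryTables) { $Targets += $Qt } }

            foreach ($T in $Targets) {
                # Excel can return a very long connection string as an array of chunks;
                # this example handles only the plain string form.
                $Old = [string]$T.Connection
                Write-Output ("{0}: {1}" -f $File.Name, $Old)
                if ($Find -eq '' -and -not $WholeString) { continue }   # display-only
                $New = if ($WholeString) { $Replace } else { $Old.Replace($Find, $Replace) }
                if ($New -ne $Old) {
                    $T.Connection = $New
                    $Changed = $true
                    Write-Output ("    updated -> {0}" -f $New)
                } else {
                    Write-Output "    skipped (no match)"
                }
            }
            if ($Changed) { $Wb.Save() }
            $Wb.Close($false)
        }
    } finally {
        $Excel.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($Excel)
    }
}

# Display-only pass first, then replace just the server name (assumed values)
Update-ExcelConnections -Root 'C:\Temp\xlstest'
Update-ExcelConnections -Root 'C:\Temp\xlstest' -Find 'Data Source=OLDSQL' -Replace 'Data Source=NEWSQL'
```

Two points worth keeping from this even if you use the tool from the post: run a display-only pass over a copied sample of documents before touching the real ones, and disable macro execution in whatever automates Excel, because a batch job that opens several thousand user-supplied workbooks with macros enabled is an easy way to run someone else's code as the migration account.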

Because my customer paid me to develop this tool it would be somewhat unfair of me to give it away exactly as they received it. I have therefore limited the number of documents which can be changed in one go to 100. This is particularly useful for users of Excel 2003 (and prior) as there is no interface for changing the connection string at all.

Here is the download link.

Update: I spent far longer than it is worth trying to get this app to work within Vista with UAC enabled, but I just don’t know enough about how visual basic and user account control work together. If anyone out there does know how and would like to help me, please get in touch!

Using ISMTPOnArrival_OnArrival event to save messages to a filesystem based on the message subject

Filed under: Scripting, Exchange

The ISMTPOnArrival_OnArrival event sink in Exchange 2003 can be used to trigger code to perform various tasks. I have recently used this method to strip attachments from messages and then FTP them to a remote machine, based on the message subject and recipient.

In this more basic example the entire message is saved to the filesystem in .eml format, in a folder specified by a variable. The script could be made much more elaborate with the addition of a couple of arrays to specify multiple subjects and locations. The idea is that you could set up a system where e-mails are filed automatically without depending on user intervention and without requiring third-party software.

This can be implemented by following the example from this Microsoft Knowledge Base article. The file referred to in the article, SMTPREG.VBS, can be found here on MSDN. Instead of the SMTPMsgCheck.vbs file referenced in the article, create a file called SMTPSubjectCheck.vbs and insert the following code (you will also need to modify the registration batch file accordingly):


<SCRIPT LANGUAGE="VBScript">
Sub IEventIsCacheable_IsCacheable()
	' Implementing this interface and returning normally signals S_OK,
	' which allows the SMTP service to cache the script object.
End Sub

Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
	Dim Pos, SubjectToFind, SaveFolder, SaveFile, MsgStream, BadChars, i

	SubjectToFind = "Project1"
	SaveFolder = "c:\"   ' must end with a backslash

	' Compare mode 1 (vbTextCompare) makes the match case insensitive
	Pos = InStr(1, Msg.Subject, SubjectToFind, 1)

	If Pos <> 0 Then
		Set MsgStream = Msg.GetStream
		SaveFile = Msg.SentOn & "-" & Msg.Subject & ".eml"
		' The subject is chosen by the sender, so strip every character that is
		' illegal in a Windows file name, including both path separators, before
		' it becomes part of a path; otherwise a crafted subject can steer the
		' write into another directory or simply make SaveToFile fail.
		BadChars = "\/:*?""<>|"
		For i = 1 To Len(BadChars)
			SaveFile = Replace(SaveFile, Mid(BadChars, i, 1), "_")
		Next
		SaveFile = Replace(SaveFile, " ", "_")
		' 2 = adSaveCreateOverWrite: a file with the same name is replaced
		MsgStream.SaveToFile SaveFolder & SaveFile, 2
		MsgStream.Close
		Set MsgStream = Nothing
	End If
End Sub
</SCRIPT>

In this example the script looks for a subject line containing the text "project1" (not case sensitive) and saves the message to the root of C:. Remember that the subject is supplied by whoever sent the mail and is used to build the file name, so it has to be treated as untrusted; for anything beyond a test, use a dedicated folder rather than the root of C: and keep its permissions tight.

I have attached a zip file to the blog post with all the required files in one place; drop the files into c:\eventsink. Be cautious about using it if you already have event sinks registered.
subjectcheck.zip
