Archive

Archive for the ‘Microsoft’ Category

Disable mouse pointer shadow on 2012r2 server core.

March 16, 2015

Set HKCU/Control/UserPreferencesMask to 90 04 03 80 10, then log off and log back in.

Categories: Microsoft

70-680

August 20, 2010
Updated July 8, 2011.
I also published this log on Docs.google.com:
————————–

Windows 7 70-680

Chapter 14 Recovery and Backup

Lesson 1: Backup

A full backup is stored in .vhd format; folder/file backups use .zip format.

Lesson 2: Recovery

Windows 7 Boot options

Boot loader: BCD (Boot Configuration Data); editing tool: bcdedit.

Boot loader components:

boot manager: bootmgr.exe

operating system loader: winload.exe

resume loader: winresume.exe

BCD store:

stores the BCD and the boot options

Lesson 3: Recovering Files and Folders

Shadow copies are not available for offline files or system files.

VSS: Volume Shadow Copy Service.

CHAPTER 13 Monitoring and Performance

Lesson 1: Monitoring Systems

Performance monitor

Data Collector Sets

logman

Reliability monitor

Lesson 2: Configuring Performance settings

WMI

CHAPTER 12 Windows Update and Windows Internet Explorer

Lesson 1: Updating Windows 7
Lesson 2: Configuring Internet Explorer.

Smartscreen

InPrivate Mode

InPrivate Filtering: blocks third parties from tracking the browsing session.

InPrivate Browsing: does not store browsing data.

Chapter 11 Bitlocker and Mobility options.

Lesson 1: Managing BitLocker

BitLocker: full-volume encryption and protection. Requires the Enterprise or Ultimate edition of Win7. Protects against offline attacks: it prevents data recovery from the disk, simplifies the disposal procedure, and protects the boot configuration. It does not protect the data while the computer is fully active (the volume is unlocked).

BitLocker modes (depend on whether a TPM is present and on the security level required): TPM / TPM + PIN / TPM + startup key.

With a TPM (with or without a PIN or startup key), the computer's boot environment is protected.

Without a TPM, a USB startup key is required and the boot environment is not protected.

Managing TPM chip,

BitLocker stores the encryption key in the TPM chip.

With the TPM management console a user can manage the TPM, store the recovery information in AD (used when clearing the TPM), reset the TPM lockout, and enable or disable the TPM.

Configuring a BitLocker DRA (data recovery agent).

A DRA can recover all volumes.

Steps:

Add the DRA account to the BitLocker Drive Encryption node. A DRA account is a user with a special digital certificate.

Provide the unique identifiers to support the DRA.

Lesson 2: Windows 7 Mobility

Four modes:

online mode

auto offline mode

manual offline mode

slow-link mode (64000 is the default)

Transparent caching.

Chapter 10 DirectAccess and VPN Connections

Lesson 1: Managing DirectAccess

Traditional VPN: PPTP, L2TP/IPsec, SSTP. Configured manually or distributed with the Connection Manager Administration Kit.

DirectAccess: always on, IPv6, IPsec, seamless VPN connection, configured by Group Policy. Uses a digital certificate to authenticate with the server. Differences from a traditional VPN:

1, the connection is automatic; no need to log on.

2, bidirectional, same as on the LAN.

3, intranet resources are available.

Direct access procedure:

Public IPv6 address -> use the IPv6 address directly

Public IPv4 address -> 6to4 tunnel

Private IPv4 address -> Teredo tunnel

Client can reach the Internet but cannot connect to the server because of a firewall -> IP-HTTPS

Requirement:

Domain-joined; Enterprise or Ultimate edition.

The computer account must be in a security group.

Configuration:

group policy

netsh command.

Configuring the DirectAccess server

requirement:

Windows Server 2008 R2, member of the domain.

Two NICs, one connected to the intranet.

Certificate.

Global security group.

DNS server.

procedure:

1, Enable DirectAccess by adding the feature; remember to install Group Policy Management as well.

2, Select which group is used for DirectAccess.

3, Specify which NIC is internal and which is external. This enables IPv6 on the external NIC and specifies the CA server and the IP-HTTPS certificate.

4, Specify the internal web site (the network location server, which clients use to check whether they are internal or external).

5, Specify which resources are available.

Lesson 2: Remote Connections

Security:

PPTP < L2TP/IPsec < SSTP (least to most secure)

PPTP: no need for a public key infrastructure (PKI). Can use MS-CHAP, MS-CHAP v2, EAP, PEAP. Provides only data confidentiality, no data integrity or origin authentication.

L2TP/IPsec uses digital certificates. When used behind NAT, client and server must support IPsec NAT traversal.

SSTP uses HTTPS on port 443.

IKEv2, new in Windows 7: uses PEAP and EAP-MSCHAP v2; doesn't support PAP, CHAP or MS-CHAP v2. Uses UDP 500 and is the default when creating a VPN connection in Win7.

VPN Authentication Protocols

Two kinds of authentication protocols:

1, password-based

2, certificate-based

Auto reconnection uses IKEv2; only 08r2 supports IKEv2.

NAP Remediation

NAP is a technology in Windows Server 2008 that restricts network access based on an assessment of a client computer's health. Applies to LAN, VPN, RD and DirectAccess.

Remote Desktop Gateway and RemoteApp. RemoteApp is much like the published applications of Citrix.

Chapter 9 Authentication and Account Control

Lesson 1: Managing User Account Control

UAC:

privilege elevation

admin approval mode

secure desktop

Group Policy security settings for UAC.

Use the Local Group Policy Editor or the Local Security Policy console to import and export the settings.

secpol.msc

Lesson 2: Windows 7 Authentication and Authorization

Credential Manager

Credential Manager stores user names and passwords for network resources (file servers, web servers, terminal services servers) in the Windows Vault. The Windows Vault can be backed up and restored onto another Win7 computer. Credential Manager can also be used to back up some digital certificates, but it cannot back up EFS certificates.

Using Runas to Run Programs as Another User

runas /savecred [/profile | /noprofile] /user:computername\username "application.exe /option"

Smart Cards

Windows 7 supports PIV (Personal Identity Verification, issued by NIST, the National Institute of Standards and Technology) with no need for extra software. The driver is either built in or obtained from Windows Update.

Resolving Authentication Issues

When a password is lost there are two ways to restore access:

1, use a password reset disk

2, have a user with administrator access reset the user's password. When the password is reset this way, the user loses all access to their EFS-encrypted files, personal certificates and passwords stored in the Vault.

Managing Certificates

Credential Manager can't be used to back up EFS certificates, but three other tools can:

Certificates console (certmgr.msc)

Manage File Encryption Certificates tool

cipher.exe: cipher /x filename.pfx

Chapter 8 BranchCache and Resource Sharing.

Lesson 1: Sharing Resources

Home group.

Lesson 2: Folder and File Access

icacls

Copying files and folders: the copy inherits the destination folder's permissions.

Moving files and folders: within the same volume the permissions remain the same; between different volumes the moved item inherits the destination folder's permissions.

Audit.

EFS (encrypting file system)

recovery

Recovery agent: cipher.exe /r:recoveryagent. Use this agent to decrypt files that were encrypted before a recovery agent certificate was specified.

recoveryagent.cer: certificate of the recovery agent

recoveryagent.pfx: the recovery agent's private key

Lesson 3: Managing BranchCache

hosted cache mode

Distributed cache mode.

select the mode and configuring the firewall.

firewall:

Content retrieval (HTTP): used by hosted and distributed modes.

Peer discovery (WSD, UDP port 3702): used by distributed mode.

Hosted cache client (HTTPS out, TCP port 443): hosted cache mode.

Configure the firewall yourself when you configure BranchCache with Group Policy; when it is configured with the netsh command, the firewall configuration is done automatically.

There is also another mode (local), which can be set with netsh: in this mode the client stores a copy locally but doesn't share it with others.

Configuring file and web servers running Windows Server 2008 R2:

Add feature: BranchCache.

Add role service: File Services with BranchCache.

Then edit Group Policy.

Chapter 7 Firewall

Lesson 1: Managing Windows Firewall

Win7 has two firewalls that work together: Windows Firewall and Windows Firewall with Advanced Security.

Windows Firewall: rules are based on application or service, not on direction (inbound and outbound are handled the same way).

WFAS: rules are based on ports, protocols, addresses and authorization, and are separated into inbound and outbound.

The Win7 firewall has only basic rules that allow traffic and denies all other traffic, whereas WinXP blocks incoming traffic but does not block outgoing traffic.

Win7 uses stealth mode, which cannot be disabled (stealth blocks external hosts from performing operating system fingerprinting; OS fingerprinting is how a remote host learns which OS the target is running).

Boot-time filtering.

NLA (network location awareness)

Lesson 2: Windows 7 Remote Management

Remote desktop

remote assistance

windows powershell

windows remote shell

Remote Assistance in Win7 doesn't have the voice client (which shipped with Windows XP).

windows Remote management service.

Winrs

winrm quickconfig

From the management computer, to manage a client: winrm set winrm/config/client @{TrustedHosts="<host>"}

winrs -r:host command

chcp lists the current code page; chcp <code> changes it.

windows power shell

powershell

icm host {powershell command} (icm is the alias of Invoke-Command)
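As an added example (not part of the original notes), the following PowerShell script does what the winrm/winrs lines above describe, but guards the TrustedHosts step: it appends to the existing list instead of overwriting it, refuses the wildcard that turns off server identity checking, and then runs a remote command with Invoke-Command (icm). It assumes winrm quickconfig has already been run on the target; the host name mgmt-target01 is a placeholder.

```powershell
# Added example: maintain the WinRM client TrustedHosts list safely and run a remote command.
# Assumes 'winrm quickconfig' has been run on the target; host names are placeholders.

function Add-TrustedHost {
    param([Parameter(Mandatory=$true)][string]$HostName)

    # TrustedHosts only matters for non-Kerberos targets (workgroup machines, IP addresses).
    # An entry tells this client to send credentials without verifying the server identity,
    # so never use '*' and never list more hosts than you actually manage from here.
    if ($HostName -eq '*') { throw 'Refusing to trust every host.' }

    $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    $list = @()
    if ($current) { $list = $current -split ',' | ForEach-Object { $_.Trim() } }

    if ($list -contains $HostName) {
        Write-Verbose "$HostName is already trusted"
        return $list
    }

    # -Concatenate appends to the existing value instead of replacing it.
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $HostName -Concatenate -Force
    return ((Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ',')
}

function Invoke-RemoteCheck {
    param([Parameter(Mandatory=$true)][string]$ComputerName,
          [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$Credential)

    # Equivalent of the notes' "icm host {command}" / "winrs -r:host command":
    # collect the remote OS name and the state of the WinRM service.
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            OS       = (Get-WmiObject Win32_OperatingSystem).Caption
            WinRM    = (Get-Service WinRM).Status
        }
    }
}

# Usage (placeholder host name):
# Add-TrustedHost -HostName 'mgmt-target01'
# Invoke-RemoteCheck -ComputerName 'mgmt-target01' -Credential (Get-Credential)
```

Inside a domain, Kerberos authenticates the server and TrustedHosts is not needed at all; the list is only for workgroup targets, which is why the script keeps it as small as possible.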

Chapter 6 IPV6

IPV6 Address Types

Unicast

global = equivalent of an IPv4 public address

link-local = equivalent of IPv4 APIPA

site-local = equivalent of an IPv4 private address

special

Multicast

Anycast

global: the format prefix is always 001 (addresses start with 2 or 3, usually 2).

link-local: FP 1111 1110 10 (fe80, followed by 54 zero bits). Used for communicating with neighbouring nodes on the same link.

site-local: FP fec0

Special Addresses

the unspecified address   ::

the loopback address.      ::1

Multicast start with ff

Anycast: assigned to routers.

Advantages of IPV6

automatic address configuration

IPsec mandatory

real-time data delivery (payload encryption doesn't affect QoS)

smaller routing tables

smaller header; not compatible with IPv4

no ARP; uses ND (ICMPv6)

Address resolution in IPv6

ND resolves IPv6 addresses to MAC addresses (a unicast address has the MAC embedded in it).

DNS is used for host name to IP address resolution; link-local addresses are not stored in DNS. AAAA record.

In a peer-to-peer environment with no DNS, use the Peer Name Resolution Protocol (PNRP).

IPV4-IPV6 compatibility.

IPv4-compatible address: 0:0:0:0:0:0:w.x.y.z. Used by dual-stack nodes (nodes that have both an IPv4 and an IPv6 address).

IPv4-mapped address: 0:0:0:0:0:ffff:w.x.y.z. Represents an IPv4-only node to an IPv6 node.

6to4 address: starts with 2002. Connects to the IPv6 Internet over the existing IPv4 network.

Teredo address: starts with 2001.

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol): ISATAP identifier 0:5efe.

Chapter 5 Managing Applications

Lesson 1: Application Compatibility

Program Compatibility Troubleshooter

Solves most problems automatically.

For .exe files only, not for .msi installation files.

build in compatibility modes and options.

ACT: application compatibility toolkit.

application compatibility manager.

Internet Explorer Compatibility Test Tool

Compatibility Administrator

Setup Analysis Tool

checks the installation file.

Standard User Analyzer

tests an application for standard-user issues.

Application Compatibility Diagnostics Policies

Windows XP Mode for Windows 7

Professional, Enterprise and Ultimate can all run XP Mode.

Lesson 2: Managing AppLocker and Software Restriction Policies

Group Policy -> Software Restriction Policies -> restrict the execution of applications.
Group Policy -> AppLocker -> restrict the execution of applications, installers and scripts.

software restriction policies:

Can be used on WinXP, Windows Vista and any Win7 edition.

The more specific rule overrides the others.

No wizard, only manual settings.

Precedence order: hash / certificate / path / zone / default

AppLocker

AppLocker can only be used on Win7 Enterprise or Ultimate.

Deny rules override allow rules.

Relies on the Application Identity service being active.

AppLocker can assign policies to users or groups, and its rules can identify future versions of an application.
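Two of the points above are worth verifying rather than assuming: AppLocker rules are not enforced while the Application Identity service is stopped, and a deny rule wins over any allow rule. The following PowerShell script is an added example (not from the original notes) that checks the service state and then tests a few executables against the effective policy with the built-in AppLocker module; the paths in the usage lines are placeholders.

```powershell
# Added example: verify AppLocker is actually enforcing, and test files against the effective policy.
# Uses the AppLocker module shipped with Win7 Enterprise/Ultimate; paths below are placeholders.

Import-Module AppLocker

function Test-AppLockerReady {
    # Rules are ignored while AppIDSvc is stopped, whatever the policy says,
    # so an attacker (or a mistake) that stops the service silently disables AppLocker.
    $svc = Get-Service -Name AppIDSvc
    New-Object PSObject -Property @{
        ServiceStatus = $svc.Status
        StartMode     = (Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'").StartMode
        Enforcing     = ($svc.Status -eq 'Running')
    }
}

function Test-ExecutablesAgainstPolicy {
    param([Parameter(Mandatory=$true)][string[]]$Path,
          [string]$User = $env:USERNAME)

    # -Effective merges local and domain policy, which is what the client really applies.
    $policy = Get-AppLockerPolicy -Effective

    # Test-AppLockerPolicy reports Allowed / Denied / AllowedByDefault per file and
    # names the matching rule; a Denied result shows the deny rule beating any allow rule.
    Get-AppLockerFileInformation -Path $Path |
        Test-AppLockerPolicy -PolicyObject $policy -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage (placeholder paths): one file from a normally allowed location, one from a user-writable one.
# Test-AppLockerReady
# Test-ExecutablesAgainstPolicy -Path 'C:\Windows\System32\notepad.exe', "$env:TEMP\tool.exe"
```

Running the test as the non-administrator user who will actually use the machine (the -User parameter) is what shows the real decision, since rules can be scoped to users and groups.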

Chapter 4 Device and Disks

Lesson 1  Managing Device Drivers and Devices

To open Device Manager:

mmc devmgmt.msc

Remote Device Manager gives a read-only view.

Staging drivers.

1, Find the driver: from DevicePath -> Windows Update -> then ask for the driver CD.

2, Check whether the user has permission to place the driver in the driver store (checks the certificate and the permission).

3, A user logged in to the computer can then install the driver without any prompts.

System information tool: msinfo32

pnputil -a -i *.inf to add and install the driver.

Driver Verifier Monitor command-line tool

Driver Signing and Digital Certificates

Users cannot install drivers that are not signed, even if the driver is staged.

An administrator can sign the driver with a self-signed certificate (or one from the organization's CA server).

Sign the driver package with the certificate and put the certificate on the client -> stage the driver in the protected driver store.

To deploy the certificate to client computers you can use Group Policy.

The high-level procedure to sign a device driver is as follows:

1. Create a digital certificate for signing. You do this on the Certificates console on the Certificate Server (CA). You can also use the MakeCert utility.

2. Add the certificate to the Trusted Root Certification Authorities store. This is a copy-and-paste operation that you perform in the Certificates console, from which you can access the Trusted Root Certification Authorities store.

3. Add the certificate to the Trusted Publishers store. You can do this also in the Certificates snap-in.

4. Sign the device driver package with the certificate. To do this, you prepare the driver package .inf file, create a catalog file for the driver package, and sign the catalog file by using the SignTool utility.
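The four steps above, as an added PowerShell example (not from the original notes) using the WDK/SDK command-line tools makecert, certmgr, inf2cat and signtool. The certificate name, paths and the timestamp URL are placeholders, and the script assumes it runs in an elevated prompt with the WDK bin directory on PATH.

```powershell
# Added example: sign a driver package with a test certificate, following the four steps in the notes.
# Tool names are the WDK/SDK tools (makecert, certmgr, inf2cat, signtool); all paths are placeholders.

$CertName  = 'Contoso Test Driver Signing'     # placeholder subject name
$CertFile  = 'C:\signing\ContosoTest.cer'      # placeholder output path
$StoreName = 'PrivateCertStore'                # certificate store that keeps the private key
$DriverDir = 'C:\signing\mydriver'             # placeholder folder holding the .inf, .sys, ...
$Timestamp = 'http://timestamp.example.test'   # placeholder Authenticode timestamp server

function Invoke-Tool {
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create a self-signed certificate (the MakeCert alternative to the CA console).
#    -r self-signed, -pe exportable private key, -ss store that receives the private key.
Invoke-Tool makecert @('-r', '-pe', '-ss', $StoreName, '-n', "CN=$CertName", $CertFile)

# 2. and 3. Add the public certificate to Trusted Root CAs and Trusted Publishers of the
#    local machine. On clients the notes say to push the same certificate with Group Policy.
Invoke-Tool certmgr @('/add', $CertFile, '/s', '/r', 'localMachine', 'root')
Invoke-Tool certmgr @('/add', $CertFile, '/s', '/r', 'localMachine', 'trustedpublisher')

# 4. Build the catalog from the .inf and sign the catalog (not the .inf) with signtool.
Invoke-Tool inf2cat @("/driver:$DriverDir", '/os:7_X86,7_X64')
$Catalog = Get-ChildItem -Path $DriverDir -Filter *.cat | Select-Object -First 1
if (-not $Catalog) { throw "inf2cat produced no .cat file in $DriverDir" }
Invoke-Tool signtool @('sign', '/v', '/s', $StoreName, '/n', $CertName, '/t', $Timestamp, $Catalog.FullName)

# Check the signature chains to a root the machine trusts before staging the driver.
Invoke-Tool signtool @('verify', '/v', '/pa', $Catalog.FullName)
```

A certificate created this way is a test certificate: a 64-bit Windows 7 kernel only loads a kernel-mode driver signed with it when test signing is enabled (bcdedit /set testsigning on), so this procedure is for lab and staging work, not for production deployment.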

The dxdiag tool can check whether a device driver is WHQL signed (only for drivers associated with DirectX).

Use the File Signature Verification tool (sigverif) to check other signatures.

Lesson 2: Managing Disks

Win7 supports installing the system on an external USB disk and booting from it.

MBR/GPT, extend or shrink partitions, RAID.

Disk management:

Disk Cleanup (cleaning system files needs administrator credentials).

Defragment: the tool can defrag hard disks, external disks, USB flash disks and VHDs, but only NTFS volumes and not network drives.

Command-line tool: defrag /c /e /a /x /t /u /h /m /v

Disk error checking and repair.

Changing Disk Type and Partition Style

MBR/GPT; basic and dynamic.

GPT: more than 4 partitions and can handle disks larger than 2 TB (but cannot be used on a USB disk).

Basic: uses the MS-DOS-style MBR partition table to store primary and logical partitions.

Dynamic: uses the LDM (Logical Disk Manager) database to store partition/volume information (type, offset, membership and drive letter).

Convert basic/dynamic/GPT/MBR.

Moving a disk to another computer:

basic: gets the next available letter.

dynamic: uses the old letter; if there was no old letter, no letter is assigned; if the old letter conflicts, the next available letter after the old one is used.

Simple volume / spanned volume / striped volume / mirrored volume / striped volume with parity.

Chapter 3 Deploying System image

Lesson 1, Managing a System Image Before Deployment

get info

dism /get-wiminfo /wimfile:w:\myimage.wim

imagex /info w:\myimage.wim

mount & unmount

dism /mount-wim /wimfile:w:\myimage.wim [/readonly] /index:1 /mountdir:c:\mymountedimages

imagex /mountrw w:\myimage.wim 1 c:\mountedimages

dism /unmount-wim /mountdir:c:\mountedimages /commit

imagex /unmount c:\mountedimages

DISM:

getting information about mounted wim images

dism /get-mountedwiminfo

scratch directory

dism /image:c:\mountedimages /scratchdir:c:\workingfiles

commit/save

dism /commit-wim /mountdir:c:\mountedimages

cleanup

dism /cleanup-wim

remount orphaned image/ retrieve

dism /remount-wim /mountdir:c:\mountedimages

working with an online image

dism /online /get-drivers [/all]

Servicing drivers, applications, patches, packages and features

dism /image:path_to_image_directory [/get-drivers | /get-driverinfo | /add-driver | /remove-driver]

(/add-driver /driver:c:\folder\driver.inf or a folder, [/recurse])

x64 must use signed drivers; use /forceunsigned to add an unsigned driver.

application and application path

dism /image:path_to_directory [/check-apppatch | /get-apppatchinfo | /get-apppatches | /get-appinfo | /get-apps]

Lists MSI applications and MSP application patches. [check an application patch against the image | get detailed information about installed app patches | list app patches | get detailed information about installed .msi applications | list installed .msi applications]

Operating system packages. only for .cab packages.

dism /image:path_to_ image_directory [/get-packages | /get-packageinfo | /add-package |

/remove-package ] [/get-features | /get-featureinfo | /enable-feature | /disable-feature ]

For an online (running) operating system, you can use the following operating system

package-servicing options:

dism /online [/Get-Packages | /Get-PackageInfo | /Add-Package | /Remove-Package]

[/Get-Features | /Get-FeatureInfo | /Enable-Feature | /Disable-Feature]

International settings.

dism /image:path_to_offline /get-intl

Servicing PE images.

Chapter 2

Lesson 1, Capturing System Images

Creating a Reference Image

1, In SIM, load the .wim and create an unattended answer file. Copy the file to the root folder of a UFD and name it autounattend.xml, then install the system.

2, Sysprep

c:\windows\system32\sysprep\sysprep.exe /oobe /generalize /shutdown

Insert the PE ISO.

e:\imagex.exe /capture C: d:\installationimage.wim "my Win7 Install" /compress fast /verify

Apply wim to a hard drive

Boot to PE, mount the network folder and apply:

e:\imagex.exe /apply d:\myimage.wim 1 c:

Initialize boot configuration data

If you're booting from PE, the system sets x: as the default system partition, and running bcdboot c:\windows gives the error "Failure when attempting to copy boot files". You should specify the target partition:

bcdboot c:\windows /s c:

remove BCD data

bcdedit /delete {guid}

Distributing image to many computers:

WDS windows deployment service

1, install image (for install, source)

2, boot image (boot for install )

3, capture image (boot for capture)

4, discover image (boot for non-pxe to discover WDS server)

MDT 2010

Lesson 2: Managing VHD.

VHD boot only works on the Ultimate and Enterprise editions, and the VHD can only host Enterprise or Ultimate.

1, create VHD using Disk management or  diskpart.

Diskpart create VHD files.

diskpart

create vdisk file=e:\win7.vhd maximum=20000

select vdisk file=e:\win7.vhd

attach vdisk

create partition primary

assign letter=v

format quick label=Windows7

exit

2, attach VHD  and detach VHD

3, install system on VHD

4, boot from VHD

convert  wim file to VHD

WIM2VHD:

This needs the AIK installed.

Download the WIM2VHD tool from Microsoft and put it in the AIK PE tools folder.

cscript wim2vhd.wsf /wim:C:\mystuff\custom.wim /sku:1 /VHD:C:\mycustom.vhd /size:20000

/sku is the index number of the image.

It creates a new VHD file; it will not reuse a previous VHD file.

It automatically makes the VHD bootable with the bcdboot command.

But it will not add the VHD to the boot menu. That should be done with the bcdedit command:

bcdedit /copy {current} /d "name"

bcdedit /set {guid} device vhd=[drive letter:]\vhd.file

bcdedit /set {guid} osdevice vhd=[drive letter:]\vhd.file

bcdedit /set {guid} detecthal on
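The {guid} in the commands above is the identifier that bcdedit /copy prints, and retyping it by hand is where most mistakes happen. The following PowerShell function is an added example (not from the original notes) that runs the same four bcdedit commands but captures the GUID from the /copy output and builds the vhd=[C:]\path device string from a normal file path. The VHD path and description are placeholders.

```powershell
# Added example: add a native-boot VHD entry with the four bcdedit commands from the notes,
# capturing the GUID printed by 'bcdedit /copy' instead of retyping it. Paths are placeholders.

function Add-VhdBootEntry {
    param([Parameter(Mandatory=$true)][string]$VhdPath,      # e.g. 'C:\vhd\win7.vhd' (placeholder)
          [Parameter(Mandatory=$true)][string]$Description)

    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }

    # bcdedit wants vhd=[C:]\vhd\win7.vhd : the drive letter in brackets, the rest of the path after it.
    $drive  = Split-Path -Qualifier $VhdPath        # 'C:'
    $rest   = $VhdPath.Substring($drive.Length)      # '\vhd\win7.vhd'
    $device = "vhd=[$drive]$rest"

    # /copy prints: The entry was successfully copied to {guid}.
    $text = (& bcdedit /copy '{current}' /d $Description | Out-String)
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $text" }
    if ($text -notmatch '\{[0-9a-fA-F\-]{36}\}') { throw "no GUID found in bcdedit output: $text" }
    $guid = $Matches[0]

    foreach ($setting in @(@('device', $device), @('osdevice', $device), @('detecthal', 'on'))) {
        & bcdedit /set $guid $setting[0] $setting[1] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $guid $($setting[0]) failed" }
    }
    return $guid
}

# Usage (placeholder path); afterwards 'bcdedit /enum <guid>' shows the new entry:
# $id = Add-VhdBootEntry -VhdPath 'C:\vhd\win7.vhd' -Description 'Win7 from VHD'
```

Because the new entry is a copy of {current}, it inherits every other setting of the running system's entry; only device, osdevice and detecthal are changed, exactly as in the notes.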

/size: sets the VHD file size.

/disktype: sets the kind of VHD:

  • dynamic (default): the file only uses the space it needs. Note: when booting from a dynamic file the file grows to its full size (40 GB if size is not set), so make sure there is enough free disk space.
  • static: the file gets a fixed size (40 GB if size is not set).

Always set the size, or the default will be 40 GB: the partition's free space must be bigger than 40 GB, or you will get a blue screen (BSOD, blue screen of death).

Offline Virtual Machine Servicing Tool to update VHD.

Install:

Install SCVMM (Microsoft System Center Virtual Machine Manager 2007 or SCVMM 2008).

Deploy VHD using WDS

WDS is a server role of 2008 or 2008 R2.

Add the image and export it to an online disk and VHD. For offline use, use the Offline Virtual Machine Servicing Tool.

WDS for online.

Offline: SCVMM with the Offline Virtual Machine Servicing Tool.

Chapter 1

Lesson 3:Managing user profiles:

Windows Easy Transfer: three ways to migrate files. Configuration is done during the migration.

1, USB or external hard disk

2, network

3, cable

To migrate the current user, run the tool with the current account.

To migrate other users, log in with an administrator account.

USMT 4.0 (part of the WAIK): for larger numbers of users than Easy Transfer. Cannot do a direct side-by-side migration. Configuration is done before the migration.

1, MigApp.xml: rules for application settings.

2, MigUser.xml: user profile, user data.

3, MigDocs.xml: user documents.

4, config.xml: exclude features.

Custom .xml files can also be used.

ScanState on the source: /i:migapp.xml /i:miguser.xml /config:config.xml

Add the /efs:copyraw switch if the user has EFS files.

/genmigxml: this option specifies that the ScanState command should use the document finder to create and export an .xml file that defines how to migrate all of the files on the computer on which the ScanState command is running.

ACT and Application shim

An application shim is a custom application compatibility fix made by the user.
Run Sdbinst to install the shim database so the shim is applied every time the application runs.

Stage a driver

pnputil -a -i *.inf

License status

slmgr.vbs /dli

Transfer Profile

Easy Transfer:
Easy transfer cable/Network/External drive
Config while doing transfer

USMT:
external drive
make configuration file prior transfer
scanstate/loadstate
Migapp- application setting
Miguser- my documents
MigDoc -other documents, user documents
config -exclude features.

scanstate/loadstate /i:mig***.xml /config:config.xml /efs:copyraw|skip…
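The USMT switches listed in this chapter and in the "Transfer Profile" summary above, as an added PowerShell example (not from the original notes) that wraps ScanState on the source computer and LoadState on the destination, with logging and the EFS option set explicitly. The USMT folder and the migration store path are placeholders; it assumes USMT 4.0 from the AIK and that config.xml has already been generated.

```powershell
# Added example: run ScanState on the source and LoadState on the destination with the
# switches from the notes (/i, /config, /efs:copyraw). Paths are placeholders.

$Usmt  = 'C:\Program Files\Windows AIK\Tools\USMT\amd64'   # placeholder USMT 4.0 folder
$Store = '\\fileserver\migration\PC01'                    # placeholder migration store

function Invoke-Usmt {
    param([string]$Tool, [string[]]$ArgList)
    & (Join-Path $Usmt $Tool) @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE (see the log)" }
}

# Source computer.
# /efs:copyraw copies EFS files still encrypted; the default (/efs:abort) stops the run on the
# first EFS file. The destination user needs the same EFS certificate to open them afterwards.
# /o overwrites an existing store, /c continues past non-fatal errors, /v:5 and /l write a log.
function Export-Profile {
    Invoke-Usmt 'scanstate.exe' @($Store,
        "/i:$Usmt\migapp.xml", "/i:$Usmt\miguser.xml", "/config:$Usmt\config.xml",
        '/efs:copyraw', '/o', '/c', '/v:5', "/l:$env:TEMP\scanstate.log")
}

# Destination computer: the same .xml files must be passed to LoadState so the rules match.
function Import-Profile {
    Invoke-Usmt 'loadstate.exe' @($Store,
        "/i:$Usmt\migapp.xml", "/i:$Usmt\miguser.xml", "/config:$Usmt\config.xml",
        '/c', '/v:5', "/l:$env:TEMP\loadstate.log")
}

# Usage: Export-Profile on the old computer, then Import-Profile on the new one.
```

config.xml is not shipped with USMT; it is produced first with scanstate /genconfig:config.xml and then edited to exclude the features (the notes' item 4) that should not migrate.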

EFS

BitLocker vs. Encrypting File System (EFS)

BitLocker encrypts all personal and system files on the operating system drive, fixed data drives, and removable data drives. EFS encrypts personal files and folders one by one and doesn't encrypt the entire contents of a drive.

BitLocker does not depend on the individual user accounts associated with files: BitLocker is either on or off, for all users or groups. EFS encrypts files based on the user account associated with them; if a computer has multiple users or groups, each of them can encrypt their own files independently.

BitLocker uses the Trusted Platform Module (TPM), a special microchip in many computers that supports advanced security features, to encrypt the operating system drive. EFS does not require or use any special hardware.

You must be an administrator to turn BitLocker encryption on or off on the drive that Windows is installed on and on fixed data drives. You do not have to be an administrator to use EFS.

EFS: files or folders.
A file can be encrypted for multiple users;
a folder is encrypted for one user.
cipher: back up the certificate and create a recovery agent.
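The "cipher /x" backup from Chapter 9 and the "cipher to backup" reminder above both come down to exporting the user's EFS certificate together with its private key. The following PowerShell script is an added example (not from the original notes) that finds the EFS certificate(s) in the current user's store by the EFS enhanced key usage OID and exports each to a password-protected .pfx using the .NET certificate API, so it works on Windows 7 without extra modules. The output path is a placeholder.

```powershell
# Added example: back up the current user's EFS certificate and private key to a .pfx file,
# the script equivalent of 'cipher /x' or the Certificates console export. Output path is a placeholder.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

function Get-EfsCertificate {
    # Only a certificate with its private key can decrypt, so that is what must be backed up.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        (@($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku }).Count -gt 0)
    }
}

function Backup-EfsCertificate {
    param([Parameter(Mandatory=$true)][string]$OutFile,
          [Parameter(Mandatory=$true)][System.Security.SecureString]$Password)

    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'no EFS certificate with a private key in the user store' }

    $written = @()
    foreach ($cert in $certs) {
        # One file per certificate, named by the first 8 hex digits of the thumbprint.
        $path = $OutFile -replace '\.pfx$', "-$($cert.Thumbprint.Substring(0, 8)).pfx"
        # Pfx export includes the private key; it fails if the key was created non-exportable.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($path, $bytes)
        $written += $path
    }
    return $written
}

# Usage (placeholder path):
# Backup-EfsCertificate -OutFile 'D:\backup\efs.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

The resulting .pfx should be stored off the machine, because whoever holds it and the password can decrypt every file that certificate protects; that is also why losing it (or having the password reset by an administrator, as Chapter 9 notes) means losing the files.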

winrm

Remote Management
winrm
must have IIS service started.

Disk

1, Create partitions on basic disks and volumes on dynamic disks.

Deploy

DISM
use dism to mount wim
dism /mount-wim /wimfile:d:\myimage.wim /index:1 /mountdir:d:\wim
check the mounted wim info
dism /get-mountedwiminfo
set the scratch dir (temporary working dir)
dism /image:d:\wim /scratchdir:d:\working
this gives error 1639: the scratch dir can't be set on its own as a global setting; /scratchdir must be used together with another action.
add drivers
dism /image:d:\wim /add-driver /driver:d:\working\*.inf
add packages
dism /image:d:\wim /add-package /packagepath:d:\working\package.cab
save the change
dism /commit-wim /mountdir:d:\wim
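The DISM servicing sequence from Chapter 3 and the command list just above, as one added PowerShell script (not from the original notes): mount the image, add drivers and a .cab package, list what is now in the image, and commit on unmount. Every DISM call goes through one helper that checks the exit code, and a failure unmounts with /discard so no orphaned mount is left behind (the situation the /remount-wim note addresses). All paths are placeholders, and /scratchdir is passed on each servicing command because, as noted above, DISM rejects it on its own.

```powershell
# Added example: offline-service a WIM (mount, add drivers, add a .cab, commit, unmount).
# Paths are placeholders. A failure discards the changes instead of leaving an orphaned mount.

$Wim     = 'D:\images\myimage.wim'   # placeholder image
$Index   = 1
$Mount   = 'D:\wim'                  # placeholder mount dir, must exist and be empty
$Scratch = 'D:\working'              # placeholder scratch dir
$Drivers = 'D:\drivers'              # placeholder folder of .inf driver packages
$Package = 'D:\updates\package.cab'  # placeholder .cab package

function Invoke-Dism {
    param([string[]]$ArgList)
    & dism.exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "dism $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$Mount")
try {
    # /ScratchDir is only valid together with another servicing option (error 1639 otherwise),
    # so it rides along on each command. /Recurse lets /Driver point at a folder tree.
    Invoke-Dism @("/Image:$Mount", "/ScratchDir:$Scratch", '/Add-Driver', "/Driver:$Drivers", '/Recurse')
    Invoke-Dism @("/Image:$Mount", "/ScratchDir:$Scratch", '/Add-Package', "/PackagePath:$Package")

    # Show what the image now contains before anything is committed.
    Invoke-Dism @("/Image:$Mount", '/Get-Drivers')
    Invoke-Dism @("/Image:$Mount", '/Get-Packages')

    # Unmount with /Commit writes the changes back into the .wim.
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$Mount", '/Commit')
}
catch {
    Write-Warning "servicing failed: $_ ; discarding changes"
    & dism.exe /Unmount-Wim /MountDir:$Mount /Discard
    throw
}
```

The script deliberately does not pass /ForceUnsigned: on x64 an unsigned driver added that way will be in the image but will still be refused by the signing check at boot, which is the point of the signed-driver note in Chapter 3.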

To use DISM in WinPE, add WSH (Windows Scripting Host) support to the PE image.
Use /set-edition to upgrade to a higher edition.

MDT
Install MDT on a server or on Win7; it needs the AIK installed.
Make a deployment share and update it; this creates the boot ISO media.
Use the media to boot the target computers.
Click Next and a 'Specify credentials for connecting to network shares' window appears; use localhost as the domain and the administrator user name.
Got an error message. Stuck here.

AIK tools:
sysprep   prepare the system
imagex    capture an image
USMT      transfer profiles
DISM      modify an image file
SIM       create an answer file

MDT: deploy image

Categories: Microsoft