407 error in Java with Forcepoint

I had a Java app pointing at a Forcepoint (formerly known as Websense) proxy server. The proxy server wasn’t working, and the app was giving me a 407 error.

We had Websense set to require NTLM authorization, but it turns out Java won’t do NTLM, so the Java traffic wasn’t even showing up in the monitor.

My workaround was to have users open a browser, then go to any web page immediately before opening the app. By letting the browser authenticate for it, the Java app worked thanks to Websense having the credentials cached.

If you want, you can launch the applet with a batch file that uses IEcapt to hit any web page, then starts the applet.

Microsoft looks back at MS08-067

The most infamous Microsoft patch of all time, in security circles at least, is MS08-067. As the name suggests, it was the 67th security update that Microsoft released in 2008. Less obviously, it fixed a huge problem in a file called netapi32.dll. Of course, 2008 was a long time ago in computing circles, but not far enough. I still hear stories about production servers that are missing MS08-067.

Last week, Microsoft took a look back at MS08-067, sharing some of its own war stories, including how they uncovered the vulnerability, developed a fix, and deployed it quickly. It’s unclear who besides Microsoft knew about the problem at the time, but one must assume others were aware of it and using it. They certainly were after the fall of 2008.

Read more

CMD.EXE and its shellshock-like qualities

“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day.

“What, Cygwin’s bash?” I asked.

“No, in CMD.EXE.”

I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables, parentheses, and other reserved characters. Suddenly it made sense. Those cryptic batch files are exploiting the command interpreter to do things that shouldn’t be done. Then I smiled.

Read more

Revisiting Microsoft/Sysinternals Du as a batch file

My tips for using Sysinternals’ Du.exe were well received last week, and my former coworker Charlie mentioned a GUI tool called Windirstat that I had completely forgotten about. For the command-line averse, it’s an incredibly useful tool.

But there’s one thing that Du.exe does that makes the CLI worthwhile. It will output to CSV files for further analysis. Here’s the trick.

DU -L 1 -Q -C \\SERVERNAME\C$\ >> servers.csv

Sub in the name of your server for SERVERNAME. You have to have admin rights on the server to run this, of course.

For even more power, run this in a batch file containing multiple commands to query multiple servers, say, in your runup to Patch Tuesday. Open the file in your favorite spreadsheet, sort on Directory Size, and you can find candidates for cleanup.
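Here is what that multi-server batch file can look like, as an added example that is not from the original post. The server names are placeholders, du.exe is assumed to be on the PATH, and each server's C$ share is checked before querying so one unreachable host doesn't stall the run:

```batch
@echo off
setlocal
REM Added example: collect top-level directory sizes from several servers' C$ shares
REM into one CSV with Sysinternals Du. SERVER01..03 are placeholders; du.exe is assumed
REM to be on the PATH, and the account running this must be an admin on each server.
set "OUT=servers.csv"
if exist "%OUT%" del "%OUT%"

REM One call per server; add or remove names in the parentheses as needed.
for %%S in (SERVER01 SERVER02 SERVER03) do call :query %%S
goto :eof

:query
REM A quick reachability/permissions check: if we can't see the share, skip the host.
if not exist "\\%1\C$\" (
    echo Skipping %1: cannot reach \\%1\C$
    exit /b
)
echo Querying \\%1 ...
REM -l 1 = one directory level deep, -q = no banner, -c = CSV output.
REM Appending (>>) puts every server's rows into the same file.
du -l 1 -q -c \\%1\C$\ >> "%OUT%"
exit /b
```

Open servers.csv in a spreadsheet afterwards and sort on the Directory Size column, as described above; the Path column tells you which server and folder each row came from.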

Read more

Solving the Windows 0x13d error, aka the 317 error, and watch for the scams

Yesterday when performing a routine server inventory, I received a Windows 317 error, aka a Windows 0x13d error, when I tried to view some directories remotely from a batch file.

The exact text of the error message: The system cannot find message text for message number 0x13d in the message file for System.

If you’ve received a 0x13d error and you’re wondering what it means, it seems to be an unhealthy system’s way of saying “file not found.” In my case that’s what it appeared to be. If the lack of a human-readable error message bothers you, I found two possible culprits: system hardening (perhaps you’ve applied the recommendations from CIS, USGCB/NIST, or the DISA STIGs to the system), or, the more likely culprit, services that need to be running but aren’t. Start with some very routine maintenance. Check the remote machine to make sure all the services that are set to start automatically are indeed running, and you might want to think about rebooting.

In case you need legitimate details, pay http://msdn.microsoft.com/en-us/library/windows/desktop/ms681382%28v=vs.85%29.aspx a visit.

When researching the error code, I found an interesting scam—tons of sketchy web sites, some that did a decent job of impersonating Microsoft, offer programs to fix the issue. Microsoft doesn’t offer downloadable fix-its for error messages like this because these are the kinds of problems that require some human intelligence to resolve.

Read more

Fixing “invalid global switch” errors in WMIC queries containing dashes

I use WMIC a lot to gather data in my job. Querying computers that have dashes (a.k.a. the minus sign, the “-” character) in their names causes an error message that says “invalid global switch.” Microsoft operating systems use the dash as a reserved character to indicate command options.

Here’s how to get rid of the WMIC invalid global switch problem.

Read more

The Phoenix Project: A must-read book for anyone who aspires to IT leadership

After a bad day at work last week, I went home and ordered The Phoenix Project (or here it is on Amazon), started reading it, and felt better. Like Office Space, but there’s more to learn from it.

Phoenix is more realistic. Every problem from every shop I’ve ever worked in is in that shop, plus some I’ve (luckily) only heard about. But unlike Office Space, it has solutions beyond burning the building down.

Read more

How to clear your print queue from the command line or a batch file

Here’s an old, old, but still useful tip that works on all NT-based versions of Windows (including XP and 7). Longtime reader Jim couldn’t find it here anymore, and I can’t either, so I’ll repost it for posterity. This is how to clear your print queue from the command line.

Open a command prompt, and issue these three commands:

net stop spooler
del /q c:\windows\system32\spool\printers\*
net start spooler

If you keep your printers folder open, you’ll see your stuck print jobs disappear, like magic.

If you’ve moved your print spooler to a ramdisk, like I recommend, substitute that directory for c:\windows\system32\spool\printers in the second line.

When you have a print job that’s stuck and keeping you from using your printer, this trick will get rid of it more reliably than any other method. It’s also much less infuriating than right-clicking on a hung print job and then waiting 15 minutes for it to finally disappear. If you find yourself doing this a lot, you might want to save it as a batch file and keep it someplace handy.
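For those who want the batch-file version, here is the three-command fix wrapped with the checks that keep it from failing silently. This is an added example, not code from the original post: the SPOOLDIR variable is mine (point it at your ramdisk folder if you moved the spooler), and the elevation check relies on the fact that "net session" only succeeds from an elevated prompt.

```batch
@echo off
REM Added example (not from the original post): clear a stuck print queue.
REM SPOOLDIR defaults to the standard spool folder; change it if your spooler lives on a ramdisk.
set "SPOOLDIR=%SystemRoot%\System32\spool\PRINTERS"

REM Stopping a service and deleting from System32 both need admin rights.
REM "net session" fails with access denied when not elevated, so it makes a cheap check.
net session >nul 2>&1
if errorlevel 1 (
    echo This must be run from an elevated command prompt.
    exit /b 1
)

net stop spooler

REM Don't delete while the spooler still holds the files open: wait (up to ~30 s)
REM until "sc query" reports STOPPED. The ping is a one-second pause that also works on XP.
set /a TRIES=0
:wait
sc query spooler | find "STOPPED" >nul && goto :clear
set /a TRIES+=1
if %TRIES% geq 30 (
    echo Spooler did not stop; aborting without deleting anything.
    exit /b 1
)
ping -n 2 127.0.0.1 >nul
goto :wait

:clear
REM Remove the queued jobs (the .SHD job descriptors and .SPL spool data).
del /q "%SPOOLDIR%\*"

net start spooler
```

Save it as something like clearqueue.bat and run it from an elevated prompt; if you skip the elevation check, "net stop" reports "Access is denied" and the del line quietly does nothing.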

I’ve collected most of my scripting resources in a single post about scripting Windows sysadmin tasks.

Have a busload of servers? Need to know what version of Windows they’re all running?

Every once in a great while, I have to answer a question like what version of Windows a range of servers is running. If the number of servers is very small, you can just connect to them with a Terminal Services client and note what comes up. But sometimes that’s impractical. Right now I’m working someplace that has 8,000 servers, more or less. I’m not going to check 8,000 servers manually. I’m just not.

Here’s a more elegant, much faster way to go about getting that information.

Read more