Category: Uncategorized

I know there are some issues with this and it should depend on some lag in replication times. To be really accurate you should be auditing these events and running this on your DC’s but for a quick and dirty option to get the times for a users on a specific server you can run the following script.

I got the base of this somewhere and had to alter it to do what i needed. I lost the initial location  in the process.  If you find it let me know so I can provide credit

function Get-LogonHistory {
$logons = Get-EventLog Security -AsBaseObject -InstanceId 4624,4647 |
Where-Object { ($_.InstanceId -eq 4647) `
-or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+2")) `
-or (($_.InstanceId -eq 4624) -and ($_.Message -match "Logon Type:\s+10")) }
$poweroffs = Get-EventLog System -AsBaseObject -InstanceId 41
$events = $logons + $poweroffs | Sort-Object TimeGenerated
if ($events) {
foreach($event in $events) {
# Parse logon data from the Event.
if ($event.InstanceId -eq 4624) {
# A user logged on.
$action = 'logon'
$event.Message -match "Logon Type:\s+(\d+)" | Out-Null
$logonTypeNum = $matches[1]
# Determine logon type.
if ($logonTypeNum -eq 2) {
$logonType = 'console'
} elseif ($logonTypeNum -eq 10) {
$logonType = 'remote'
} else {
$logonType = 'other'
}
# Determine user.
if ($event.message -match "New Logon:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
$user = $matches[1]
} else {
$index = $event.index
Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
}
} elseif ($event.InstanceId -eq 4647) {
# A user logged off.
$action = 'logoff'
$logonType = $null
# Determine user.
if ($event.message -match "Subject:\s*Security ID:\s*.*\s*Account Name:\s*(\w+)") {
$user = $matches[1]
} else {
$index = $event.index
Write-Warning "Unable to parse Security log Event. Malformed entry? Index: $index"
}
} elseif ($event.InstanceId -eq 41) {
# The computer crashed.
$action = 'logoff'
$logonType = $null
$user = '*'
}
# As long as we managed to parse the Event, print output.
if ($user=$username) {
$timeStamp = Get-Date $event.TimeGenerated
$output = New-Object -Type PSCustomObject
Add-Member -MemberType NoteProperty -Name 'UserName' -Value $user -InputObject $output
Add-Member -MemberType NoteProperty -Name 'ComputerName' -Value $env:computername -InputObject $output
Add-Member -MemberType NoteProperty -Name 'Action' -Value $action -InputObject $output
Add-Member -MemberType NoteProperty -Name 'LogonType' -Value $event.ReplacementStrings[8] -InputObject $output
Add-Member -MemberType NoteProperty -Name 'TimeStamp' -Value $timeStamp -InputObject $output
Add-Member -MemberType NoteProperty -Name 'IP' -Value $event.ReplacementStrings[18] -InputObject $output
Write-Output $output
$fulloutput += $output
}
}
} else {
Write-Host "No recent logon/logoff events."
}
$fulloutput | Export-Csv -Path .\logonlog.csv -Encoding ascii -NoTypeInformation
}
$username="administrator"
$fulloutput= @()
Get-LogonHistory

By now I expect by now everyone at one time or another received a call from technical support telling them there is something wrong with their computer.

They used to say they were from Microsoft openly but that ended when some of them got busted http://www.bbc.com/news/technology-26818745

Sadly the money to be made is significantly better than the penalties if you get caught.  Perhaps they will go to “The Special Hell”

I have been getting these calls off and on for a long time and have talked to them in the past. I have always been interested in knowing what they are trying to do from a technical level. The first time I tried the scammer talked to me like I had never touched a computer for about half an hour. Eventually I ran out of patience and told him that I knew what a windows key was and could he just tell me what program he wanted me to run. (trying to short cut the 5 minutes of instructions on how to get a run prompt). He said

“Ok what you need to run is F*@! you – Click”

So there was half an hour wasted I guess I will have to play dumb longer next time. Mostly I don’t have time so I just hang up and my wife just tells them she has a Mac and they leave her alone.

This morning I was between client and had some time when the call came in and I decided to give it another go. The call came in from 232-555-6985 this area code is from Sierra Leone, and I have talked to my telephone provider who says there is nothing that can be done because of the caller ID spoofing that they use. Personally I believe that this kind of spoofing needs to be fixed globally as part of the infrastructure but for now we just have to live with the fact that we can’t just block calls based on the caller id number.

Have you ever called for tech support? do you recall how hard you had to work to get someone to listed to you and get your issue fixed? The first thing to remember is that Microsoft and or tech support does not just call home computers users.

Never run commands on your computer that have been provided to you by a stranger who calls you

The first thing they asked me to do as to run

ASSOC – This has been in windows systems for a very long time. It lets you see what programs run when a file with given extension is clicked on. Notes  Used without parameters, assoc displays a list of all the current file name extension associations. Near the bottom of the output is the following line. 

.zfsendtotarget=CLSID\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}

You are then told that CLSID is Computer Level Secirity IDentifier and he will then read you the code and you can confirm it. This way you know the call is legitimate and not one of the scams going on.

A CLSID is a globally unique identifier that identifies a COM class object, and is NOT unique and is the SAME on every computer (or at least close enough for the scammers)

next you are asked to run

eventvwr.exe – This shows you all the logs of what is going on in a windows system. If you are like me you spend a lot of time here but most people never look. The only thing you really need to know is that it is completely normal to have yellow and red icons here. I was asked if I knew what the events were and I said I did (I was getting tired of this game) I picked the top event in the and told him what it was.

Log Name: System
Source: Microsoft-Windows-Kernel-Processor-Power
Event ID: 37
Task Category: (7)
Level: Warning

The speed of processor 3 in group 0 is being limited by system firmware.

I told him that this was just power saving features of my laptop and was immediately corrected. I was told that this error message is proof that hackers are inside my computer trying to do bad things and it needs to be fixed right away.

The next command I was asked to run was

inf hacking files (actually I had to quickly look this up before I ran it, I really enjoyed putting the scammer on hold for 2 minutes to “take another call”)

What this command actually does is open your c:\windows\inf folder (the hacking files does nothing) this is a normal system folder that handles softeare and drivers (If you care details here)

I was asked to identify all the files there, and look for anything that ended PNF. I know these files are normal and part of windows installer but again I was told this is proof that my computer had been compromised.

At this point in the call he was clearly fishing for me to say something specific because for the next 15 minutes he went over these details again and again until I agreed that he was legitimate and my computer was infected by hackers. Saying things like “If you say so I believe you” was not good enough. When I finally said I was infected we moved on

(FINALLY THE GOOD BITS)

Now he asked me to run

iexplore support.me  – this will connect you to https://secure.logmeinrescue.com/Customer/Code.asp (Please don’t associate this scam with logmein hold your thoughts about these remote control companies until the end)

This is where the scammer is attempting to gain access to my computer (something I am not about to let happen) I was then asked for the 6 digit computer security code that came with my computer. Then I was scolded for not keeping such critical system documentation. (no emmy here but at least he tried to sell it as he read from the page he had) But wait fortunately I am in luck as he can generate me a new code as long as I promise not to loose it this time.

If I enter this code in the logmein website it would let then gain access to my computer.  Fortunately logmein appears to take this kind of abuse very seriously and you will notice a link just below where you key in you code “We take security seriously, Report Abuse”  so while I told him the download was running I was reporting his code in the background. This much of the call took about 40 minutes and now it was my turn to take up some of their time, they have decided they have a sucker on the line and don’t want to let me go.

I complained that the logmein application kept saying connecting but never finished. I was provided 2 different codes to try and downloaded the application multiple times , and then I was transferred and I knew they really didn’t want to let me off the phone.  For reference the entire call to this point was very noisy there were clearly dozens of calls going on in the background and the person I was talking to clearly had a significant challenge with english.  All of a sudden things are very different, the call is quiet and I am speaking (and hearing clearly) with someone with a slight Indian-Brtish accent? He is not reading from a script but is here to fix any technical issues to get me connected. I am provided another access code and I tell him I have another call and will be right back. This time I use my cell to call the 1800 number on the logmein abuse and someone answers right away, he explains they are working hard to prevent this abuse of their system and can report the access codes I have been given so they can be traced back and the account closed and blocked. He is very polite and thanks me for helping them prevent this abuse of their system.

Quickly I get back on the phone with the scammer and tell him this just is not working. Now he directs me to a new site.

showmypc.com

Now this site work differently as I have to install the software and give them a code (not the other way around) and there is no clear way to report abuse and nothing I can provide to showmypc.com to trace back (at least without letting the scammer connect to my pc) we are close to an hour now and I have no good answer for the scammer as to why I can’t provide the code so I hangup. I do manage to find a support chat and contact showmypc.com

John: Hi
John: How may I help you?
Scott: Just wondering what I can do to report fake support from india trying to use your software to to take control of my computer
John: We are already aware of that and we are trying to add features to avoid such issues.
Scott: is there anything I can get from them to get for you to catch them?
John: We have a lot of things but, they are using the free version which can’t be limited however, we will put a warning on our homepage as well.
Scott: I think that should be a top priority you are assisting in the abuse of a lot of people right now
John: Yes we will do that ASAP.

Shortly after I receive an email from showmypc.com

Hi Scott.

We saw your recent chat, just wanted to let you we currently have an active warning on our home page.
Any time a user tries to download the software, he see a big red active warning message, and also after they try to use the are shown a warning.
http://showmypc.com/faq/warning.html?hmnu=1

And in addition, we have an case filed with FBI for investigating this.

If you have something concrete to add we will be happy to take information from you to block. We constantly block users who we detect are trying to abuse our system.

Now what they say is true but I you don’t see the warning until after you go to click on showmypc

They say they constantly block users but at the same time told me in the chat it couldn’t be limited.

I have been through this with showmypc.com and although they say they are all over it it doesn’t feel that way to me. make your own decision.

I think remote support tools are a good thing, even if I feel that showmypc.com doesn’t take this as seriously as I would like them to.

Bottom line don’t waste your time, hangup and move on.

It has been far too long since my last post.

Lately I have been working on some operational tasks that include a log of data gathering. I am using powershell and sql for this and thus the next few posts are likely to move in this direction.

One of the first few things I found was a complete lack of a Split function in SQL. I have instances where I receive a delimited string from an external process and need to handle it for use in SQL.

I found the following function using XML and am reposting it here for future reference.  Thanks to http://blog.codelab.co.nz/2009/07/29/split-function-for-t-sql-using-xml/ for the code.

You simply call the function with 2 strings, the seperator and the string you want to split, and out pops a one column table with your results in each row.

select * from split (‘~’,’Strange things are~a foot at the circle-K‘)

RESULTS

val
Strange things are
a foot at the circle-K

CREATE FUNCTION [dbo].[Split](@sep VARCHAR(32), @s VARCHAR(MAX))

RETURNS @t  TABLE

(val VARCHAR(MAX))

AS

BEGIN

DECLARE @xml XML

SET @XML =N'<root><r>’+REPLACE(@s, @sep,'</r><r>’)+'</r></root>’

INSERTINTO @t(val)

SELECT r.value(‘.’,’VARCHAR(MAX)’)as Item

FROM @xml.nodes(‘//root/r’)AS RECORDS(r)

RETURN

END

Issue:

Lately I have started getting multiple emails for a specific alert.

They all end something like this “Notification subscription ID generating this message: {5EAC6B2E-CA6B-8E0C-25C2-FD1C08AE7E47}” and I think to myself, would it have been so hard to put the friendly name in the email?

So I start looking for information on this GUID. I find that subscriptions are stored in a special management pack called  Microsoft.SystemCenter.Notifications.Internal, so I find and export this management pack and start having a look. Sure enough near the bopttom I can see friendly names of my subscriptions and the subscribers near the top but strangely a search for the GUID has no hits.  Before I really dig into this further I find another option.

Typically I prefer SQL queries becasue this is what I have done most over the years,

select * from managementpack where mpname=’Microsoft.SystemCenter.Notifications.Internal’

this will find me the management pack and in the column MPXML we find the whole XML of the management pack, but it’s not in a datatype that easily provides for xml queries so again I am off in another direction.  As a side note this appears to be an easy way to get the XML without having to export and unseal. I can’t stress enough I would never alter the XML here but it’s a easy way to get a quick look.

The Solution :

Powershell has been on my list to learn better now for a very long time, that really needs to change because of things like this.

Get-NotificationSubscription -id 5EAC6B2E-CA6B-8E0C-25C2-FD1C08AE7E47

Results

Configuration     : Microsoft.EnterpriseManagement.Administration.AlertChangedSubscriptionConfiguration
Name              : Subscription94b48623_87c2_4d90_b55e_b9b242d1b0be
DisplayName       : GE UPS Sungle Phase
Description       :
Actions           : {DefaultSmtpAction}
ToRecipients      : {Distribution List }
CcRecipients      : {}
BccRecipients     : {}
Enabled           : True
Id                : 5eac6b2e-ca6b-8e0c-25c2-fd1c08ae7e47
ManagementGroup   : A01
ManagementGroupId : 1d07457d-e935-7145-628e-22efb9d7fe5e

Now we have the friendly name of the subscriptions.

You can also use powershell to enable, disable or delete subscriptions as well but I didn’t look into that too much.

Now that I know what subscriptions are sending the alerts I can start working on removing the duplicates.