Terminal Services Licensing problem

Hi,

Today I faced an issue with the Terminal Server Licensing service: it was not possible to start it.

It failed with:

The following error occurred: Can’t initialize Cryptographic – error code 5

An error occurred during the Terminal Services license server initialization phase

The Terminal Services Licensing service terminated with service-specific error 3221295105 (0xC0011001)

After googling a bit I found out that it is about permissions on the folder

C:\Users\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys (in my case it was Windows 2008; for Windows 2003 the path is different)

So it was necessary to grant read permissions to the “Network Service” account on this folder and the files inside it. Unfortunately inheritance is broken for the files inside the folder and I did not have any permissions on them, so I used the “takeown” tool to get the necessary permissions:

takeown /F "C:\Users\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys" /A /R /D Y

/F specifies the folder or file

/A sets the owner to the local Administrators group (of course you need to be a member of this group)

/R recurses into the files and subfolders of the specified directory

/D Y answers the confirmation prompts automatically so the command runs without stopping

Afterwards I navigated to the “MachineKeys” folder properties > “Security” tab > “Advanced” button > “Edit” button > “Add” button. Type “Network Service” as the account name. Choose the permissions shown on the picture below and make sure “Apply to” is set to the same value as on the picture.

(Screenshot_2: permissions dialog for Network Service on the MachineKeys folder)

Now you will be able to launch the Terminal Server Licensing service without any trouble. The files for this service are located under C:\Windows\system32\LServer, so if you need a backup it is enough to copy this folder.
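The same fix done from an elevated PowerShell prompt instead of the Security dialog, as an added example that is not part of the original post: it takes ownership as above, grants Network Service read access only (not Full Control), verifies every key file actually got the entry, and then starts the service. It assumes the folder path from the post, the account name NT AUTHORITY\NETWORK SERVICE, and the service name TermServLicensing.

```powershell
# Added example, not from the original post. Run as a member of local Administrators.
$MachineKeys = 'C:\Users\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
$Account     = 'NT AUTHORITY\NETWORK SERVICE'

# 1. Ownership to local Administrators, recursively, answering prompts with Y
takeown /F $MachineKeys /A /R /D Y | Out-Null

# 2. Read & Execute for Network Service on the folder and, through (OI)(CI)
#    inheritance, on every existing and future key file below it. Read is all
#    the licensing service needs; do not hand out Full Control here.
icacls $MachineKeys /grant "${Account}:(OI)(CI)RX" /T /C | Out-Null

# 3. Verify: return the key files that still have no Allow/Read entry for the account
function Get-KeyFilesWithoutRead {
    param([string]$Folder, [string]$Identity)
    Get-ChildItem -Path $Folder -Force | Where-Object { -not $_.PSIsContainer } | Where-Object {
        $rules = (Get-Acl -Path $_.FullName).Access
        -not ($rules | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Read|FullControl'
        })
    }
}

$missing = @(Get-KeyFilesWithoutRead -Folder $MachineKeys -Identity $Account)
if ($missing.Count -gt 0) {
    Write-Warning "Still no read access for $Account on:"
    $missing | ForEach-Object { $_.FullName }
} else {
    # 4. Permissions are in place: start the licensing service and show its state
    Start-Service -Name TermServLicensing
    Get-Service -Name TermServLicensing | Select-Object Name, Status
}
```

If the verification still lists files, their ACLs had no inheritable entry to receive; re-run the icacls line on the listed file directly.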

Good luck!

Can’t initialize Cryptographic #3221295105 #0xC0011001 #Terminal Services licensing service #Cryptographic – error code 5


Search for files encrypted by Crypto Virus

Hey!

Today I will talk about crypto viruses. This is one of the ugliest virus types. Our company suffers a lot from them. Antiviruses just let them do their work until all our files get encrypted. It is not a big deal, since we have backups. But first we need to identify what to restore.

You can find lists of file extensions that crypto viruses used in the past. Now they have become smarter and the extension of an encrypted file is just 6 random letters.

For a long time I was searching for a script that could identify such encrypted files for me, but found nothing. So I decided to make my own script. Here are the requirements I had:

  1. It should work quickly. Users have network disks mapped, and storage there can be 20-30 TB of data, so a search can take a very long time
  2. It should handle unicode symbols in file names
  3. It should handle double file extensions, like document.doc.ba or some others
  4. It should support long file names

As a result I wrote this PowerShell script.

You will need to change the first 4 lines to your data. №1 is the path where you want to search for encrypted files. №2 is where to save the temporary file. №3 is your file with the scan results. №4 is how many days ago you think the virus encrypted the files.

$PathToCheck = "\\server\folder"                #where to search for encrypted files
$LogFilePath = "C:\Installation\group_scan.txt" #temporary file which will collect all file names from the specified source
$ResultsOutput = "C:\Installation\res.txt"      #file with the results of the scan
$EncryptedFilesAge = "3"                        #search only for files created less than X days ago
$EncryptedFilesAge = "/MAXAGE:" + $EncryptedFilesAge
$params = New-Object System.Collections.ArrayList
$params.AddRange(@("/L","*.*","/S","/NJH","/BYTES","/FP","/NC","/NDL","/TS","/XJ","/R:0","/NP","/W:0","/NJH","/NJS","/NS","$EncryptedFilesAge","/MT:128","/UNILOG:$LogFilePath")) #parameters for the robocopy run: list only, full paths, unicode log, 128 threads
write-host @(Get-Date)
& robocopy $PathToCheck NULL $params #execute robocopy in list-only mode; nothing will be copied/removed/moved/renamed
write-host @(Get-Date)
(Select-String -Path $LogFilePath -Pattern "[.]+([a-zA-Z]{6})+$" -Encoding Default | select "Line").Line | Format-Table -Wrap -HideTableHeaders | Out-File $ResultsOutput -Encoding Default #keep only file names ending in "." + 6 letters
write-host @(Get-Date)
write-host @(Get-Date)

The script uses robocopy to handle long file names and unicode symbols and for processing speed. Unfortunately the last two features appeared only in the robocopy of Windows 2012 R2 (maybe 2012 also), so the script is designed to work on Windows 2012 R2.

The script does a full scan of 1.82 TB of data in 12 minutes.

But if you know that the virus encrypted the files just a few days ago (parameter #4), then it scans the same amount of data in less than 1 minute!!!

Here are some improvements that could be made:

  1. Add support for multiple sources
  2. Send the results by mail
  3. Handle exceptions
  4. Add some logic to display only the root folders that need to be restored, not all the files
  5. Improve the file mask to search only for files with duplicate extensions, like document.docx.asdjkl
  6. Let the script user supply the mask, because the extension and the way a crypto virus works might change

If you have any questions pls reach me on iurii.iashchenko@gmail.com

#CryptoVirus #Crypto Virus #6 random characters extension #powershell #robocopy #windows 2012

Long File Names and AccessEnum

Hi guys! (I can hardly believe any girls are reading us)

Today I want to talk to you about the handling of long file names in Windows. Those of you who have Windows 10 or Windows 2016 can safely ignore this article; these two versions do not have any trouble with long file names.

As you might know, the maximum path length in Windows is 260 characters. However in many cases users create longer names using network disks or whatever they do)

Recently I got a task to scan 20 TB of user data and find out where the Everyone or Domain Users groups have full permissions. I found a perfect free program that fit my needs: AccessEnum from Sysinternals. When I started to scan the disks it appeared that some files or folders were displayed as “???”. I checked them in Windows and it turned out that their path length exceeded 260 characters. People are lazy, so I did not want to write any custom scripts to get my job done and started to look for workarounds. At this time I found an article about the Windows API. I’ve been working as an IT engineer for 10+ years but had never heard about this. If the Windows API article is too boring for you, in short: Windows can handle paths of up to 32767 characters; it just depends on how you ask it.

Here comes the magic combination \\?\

For some reason search engines do not give any results when you try to search for the \\?\ combination, but it is there.

So when you type \\?\C:\temp the application will have no problems handling long file names. For a UNC path you can use the \\?\UNC\ prefix.

When I tried to use the \\?\ prefix in the AccessEnum application it no longer had any trouble with long file names

(Screenshot_1: AccessEnum scanning a path given with the \\?\ prefix)

Please consider that not all Windows applications might understand the \\?\ prefix, but it is always worth giving it a try!
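A small helper for building the prefixed form before handing a path to AccessEnum or any other tool that accepts it, as an added example that is not part of the original post: it produces \\?\C:\... for drive paths and \\?\UNC\server\share for UNC paths, refuses relative paths and "." or ".." segments (the \\?\ prefix switches off path normalisation, so those are not resolved), and flags paths that already exceed the classic limit. The sample paths are constructed; nothing is read from disk.

```powershell
# Added example, not from the original post.
function ConvertTo-ExtendedLengthPath {
    param([Parameter(Mandatory = $true)][string]$Path)
    $p = $Path -replace '/', '\'                       # the \\?\ form accepts backslashes only
    if ($p -match '^\\\\\?\\') { return $p }           # already \\?\... or \\?\UNC\...
    # \\?\ disables normalisation: "." and ".." would be passed through literally
    if ($p -match '\\\.\.?(\\|$)') { throw "Remove . and .. segments first: $p" }
    if ($p -match '^\\\\')        { return '\\?\UNC\' + $p.Substring(2) }   # \\server\share -> \\?\UNC\server\share
    if ($p -match '^[A-Za-z]:\\') { return '\\?\' + $p }                    # C:\temp -> \\?\C:\temp
    throw "Path must be absolute (drive letter or UNC) to use the \\?\ form: $p"
}

function Test-PathTooLong {
    param([Parameter(Mandatory = $true)][string]$Path)
    # MAX_PATH is 260 including the terminating NUL, so 260 or more characters is already too long
    return ($Path.Length -ge 260)
}

# Constructed sample: one short path and one deep folder chain of about 285 characters,
# the kind that AccessEnum shows as "???" without the prefix
$deep = '\\fileserver\users\' + ('long_folder_name\' * 15) + 'report.docx'
foreach ($candidate in 'C:\temp\short.txt', $deep) {
    New-Object PSObject -Property @{
        Length   = $candidate.Length
        TooLong  = Test-PathTooLong -Path $candidate
        Extended = ConvertTo-ExtendedLengthPath -Path $candidate
    } | Select-Object Length, TooLong, Extended
}
```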

#Long File Names # AccessEnum #Windows API #\\?\ #\\?\UNC\