--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/621e76b2.1c69fb81.ba091.2961SMTPIN_ADDED_MISSING%40gmr-mx.google.com.
this allows you to boot directly to your desktop, bypassing the Windows User logon. Strange that they would change the configuration of the system. Now I'm curious as to "forced to allow..."
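As an added example (not from the thread), here is a defender-side PowerShell audit of what `control userpasswords2` (netplwiz) actually changes when the logon prompt is switched off, plus a look at the Run dialog history the thread mentions. It assumes the standard Winlogon and Explorer RunMRU registry locations on Windows 7 or later; the function names and the hive-path parameter are this example's own.

```powershell
# Added example, not from the thread: audit the settings that
# "control userpasswords2" (netplwiz) changes when "Users must enter a
# user name and password" is unchecked. Run elevated on the machine under
# review. Assumes the standard Winlogon and Explorer RunMRU key locations.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunMruKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Get-AutoLogonState {
    # Reads the Winlogon values netplwiz writes. The password itself normally
    # goes into the LSA secret "DefaultPassword", which this script does not
    # read; only the plain-text registry variant is detectable here.
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    [pscustomobject]@{
        AutoAdminLogon    = [string]$p.AutoAdminLogon      # "1" = logon screen bypassed
        DefaultUserName   = [string]$p.DefaultUserName
        DefaultDomainName = [string]$p.DefaultDomainName
        ForceAutoLogon    = [string]$p.ForceAutoLogon      # "1" = logged back on even after logoff
        PlainTextPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Get-RunMruEntries {
    # Returns the Run dialog history, most recent first. Pass a path under a
    # loaded hive (e.g. Registry::HKEY_USERS\<SID>\Software\...\RunMRU) to
    # inspect another account's history instead of the current user's.
    param([string]$Path = $RunMruKey)
    if (-not (Test-Path -Path $Path)) { return @() }
    $p = Get-ItemProperty -Path $Path
    $order = [string]$p.MRUList                  # e.g. "cab": slot c is newest
    foreach ($slot in $order.ToCharArray()) {
        $raw = [string]$p.("$slot")
        [pscustomobject]@{
            Slot    = "$slot"
            Command = ($raw -replace '\\1$', '')   # Explorer appends "\1" to each entry
        }
    }
}

function Invoke-LogonAudit {
    # Summarises the findings a responder would want before deciding whether
    # the box is trustworthy; it changes nothing on the system.
    $state    = Get-AutoLogonState
    $findings = @()
    if ($state.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is on for '$($state.DefaultDomainName)\$($state.DefaultUserName)': the machine boots straight to that desktop."
    }
    if ($state.ForceAutoLogon -eq '1') {
        $findings += 'ForceAutoLogon is set: the account is logged back on even after a logoff.'
    }
    if ($state.PlainTextPassword) {
        $findings += 'DefaultPassword is stored in clear text under the Winlogon key.'
    }
    $hits = Get-RunMruEntries | Where-Object { $_.Command -match 'userpasswords2|netplwiz' }
    foreach ($h in $hits) {
        $findings += "Run dialog history slot $($h.Slot) holds: $($h.Command)"
    }
    if ($findings.Count -eq 0) {
        $findings += 'No autologon configuration or related Run dialog history found.'
    }
    $findings
}

function Disable-AutoLogon {
    # Restores the logon prompt. Re-checking the box in netplwiz is the
    # supported way to undo the change; this covers the registry values only.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
}

Invoke-LogonAudit
```

Run the audit before any wipe and keep its output with the forensic image, since the RunMRU entry is the only trace of the command the thread has to go on.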
If they have access to the encryption password when they boot from a separate flash drive they can pretty much do anything they want.
Did they change the admin password?
If not, then wow … it’s gotta be a doosey!
Physical possession …
Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Ken Dibble
Sent: Tuesday, March 1, 2022 13:32
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] What does 'control userpasswords2' do and why?
This is Windows 7 Pro.
As described, a person would first have to supply a separate password to VeraCrypt, before the OS could even boot.
The command was leftover in the "Run..." dialog dropdown in the local admin account. How could anybody access that dialog without first logging into the account? How could anybody run that command without having access to that dialog?
Thanks.
Ken Dibble
www.stic-cil.org
At 03:15 PM 3/1/2022, you wrote:
- this allows you to boot directly to your desktop, bypassing the Windows User logon. Strange that they would change the configuration of the system. Now I'm curious as to "forced to allow..."
Sounds like a rootkit. Smells like a rootkit.
If the police took away one of my laptops for even a minute, it would be an immediate wipe and reimage. You don’t know what they did, what they were looking for, and what they might come back looking for later if they did in fact put a rootkit or monitoring software on there.
Thanks,
Aaron O’Donnell
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Michael B. Smith
Sent: Tuesday, March 1, 2022 2:07 PM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] What does 'control userpasswords2' do and why?
Curious what forced means.
It’s been a while since I had to know these things, but a couple of things come to mind. Did they have a search warrant for the laptop? If not, the employee could have said no, go see legal. And a point of contention here is: did they ask to look at the laptop? Normally, the owner of the laptop can give permission. But was the employee the owner, or was it a company laptop? Something like this is for the lawyers.
If the police needed it for forensic evidence they would have taken the laptop. I would wipe the drive and start clean.
Art DeKneef
Avanti Computers
Mesa, AZ
480-529-4430 Mobile
I’d dispose of the SSD using a slug from one of our 12Ga shotguns. It wouldn’t even go into recycling.
Philip Elder MCTS
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Nathan Shelby
Sent: Tuesday, March 1, 2022 3:16 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] What does 'control userpasswords2' do and why?
Agreed,
Hopefully this hasn't been connected back to your network and has been entirely air gapped...
Nothing should be preserved from the laptop other than a forensic image given to your legal department. Consider everything on the unit compromised.
Nathan Shelby
ntsh...@gmail.com
- From: ntsys...@googlegroups.com < ntsys...@googlegroups.com> On Behalf Of Ken Dibble
- Sent: Tuesday, March 1, 2022 4:58 PM
- Subject: RE: [ntsysadmin] What does 'control userpasswords2' do and why?
- Yes, the machine will not boot from ANY location until the VeraCrypt password is entered.
- As I understand it, the police asked the user for the passwords for VeraCrypt and for her AD standard user account, and she supplied them.
- The police then took the machine into another room "for about five minutes", and then returned it to her.
- The user does not know the PWD for local admin, so she could not have given that to them. That password has not been reset; I used it to log in (yeah yeah LAPS and so forth, but not right now, please....)
- If they already somehow got into the local admin account, why would they then need to run that command in that account? And if they didn't get into the local admin account, how could that command have been left sitting in the "Run ..." dialog drop-down for that account?
- The machine is frightfully slow, almost to the point of unusability. I cannot imagine that if it had been running that slowly before this event that the user would not have complained about it. I also cannot imagine that the cops could have done very much with it in five minutes if it was running like this when they got it.
- MalwareBytes and Avast Business Pro scans did not find anything remarkable.
- It has Windows 7 Pro 32-bit, with 6 GB of RAM, but Windows reports that only about 2.6 GB is "usable". I find that odd; usually such a machine will report about 3.5 GB usable RAM. The Performance tab in Task Manager shows it with 2532 for physical memory and consistently using about 1.5 GB, with CPU usage fluctuating vastly on a defrag task (which is taking forever). I ran MEMDIAG on it and it didn't find any errors though. CHKDSK /f will not run. It lets me tell it to reboot and run it, but then it doesn't run on reboot. I don't imagine that VeraCrypt is interfering with it; it didn't block MEMDIAG, which has a similar modality.
- I would hate to have to give it back to her in this state. I would also hate to have to upgrade it to Win 10 with only 6 GB of RAM, but that might be an option.
- Thanks for any further thoughts. It sure is a doosey.
- Ken
Concur. This should be in the toolbox, even though it's dated:
https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer
More of this kind of tool found here:
https://www.bleepingcomputer.com/download/windows/anti-rootkit/
On Tue, Mar 1, 2022 at 3:08 PM Michael B. Smith <mic...@smithcons.com> wrote:
- Sounds like a rootkit. Smells like a rootkit.
Quite honestly at the age of that machine I’d seriously consider replacement. Worst case at least throw in a new drive, preferably SSD.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
¯\_(ツ)_/¯
There are Intel SATA SSDs (DC 3500 series 3510, 3520) brand new in the bag for $50 on auction.
That’s where I’d go since it would give a performance boost to the unit thus giving it a lot more life.
We did that with Tecra Z50-A and -C series units that came back during refreshes and they are still going strong.
Philip Elder MCTS
I do not understand wipe. I would grab a brand new SSD drive for $50 and go. I would have no faith in a wiped hard drive. As others mentioned, not a lot of faith in the motherboard of that laptop.
On Wed, Mar 2, 2022, 11:00 AM Ken Dibble <ke...@stic-cil.org> wrote:
- At 05:22 PM 3/1/2022, Kurt Buff wrote:
- Concur. This should be in the toolbox, even though it's dated:
- https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer
- From that page: "There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries."
- Hm. Not considering forensic preservation issues, I looked briefly at the domain user's Documents folder from the local admin account (unlike Win 10, I can do that in Win 7--and IMO it's stupid not to let me do it in Win 10 without jumping through a lot of hoops). I found a few dozen files beginning with ~, which were leftover from various crashes of various office and PDF sessions at various times over the past few years. I was going to delete them en masse. So I multi-selected them in File Explorer--and the machine locked up tight and hard. I had to kill it with the power button. More grist for the rootkit mill?
- Beyond that, I would be unable to resolve any non-rootkit-related discrepancies that tool found, so I am now leaning toward wiping the machine.
- Thanks.
- Ken Dibble
- www.stic-cil.org
- More of this kind of tool found here:
- On Tue, Mar 1, 2022 at 3:08 PM Michael B. Smith <mic...@smithcons.com> wrote:
- Sounds like a rootkit. Smells like a rootkit.
- Â
- From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Ken Dibble
- Sent: Tuesday, March 1, 2022 4:58 PM
- Subject: RE: [ntsysadmin] What does 'control userpasswords2' do and why?
- Yes, the machine will not boot from ANY location until the VeraCrypt password is entered.
- As I understand it, the police asked the user for the passwords for VeraCrypt and for her AD standard user account, and she supplied them.
- The police then took the machine into another room "for about five minutes", and then returned it to her.
- The user does not know the PWD for local admin, so she could not have given that to them. That password has not been reset; I used it to log in (yeah yeah LAPS and so forth, but not right now, please....)
- If they already somehow got into the local admin account, why would they then need to run that command in that account? And if they didn't get into the local admin account, how could that command have been left sitting in the "Run ..." dialog drop-down for that account?
- The machine is frightfully slow, almost to the point of unusability. I cannot imagine that if it had been running that slowly before this event that the user would not have complained about it. I also cannot imagine that the cops could have done very much with it in five minutes if it was running like this when they got it.
- MalwareBytes and Avast Business Pro scans did not find anything remarkable.
- It has Windows 7 Pro 32-bit, with 6 GB of RAM, but Windows reports that only about 2.6 GB is "usable". I find that odd; usually such a machine will report about 3.5 GB usable RAM. The Performance tab in Task Manager shows it with 2532 for physical memory and consistently using about 1.5 GB, with CPU usage fluctuating vastly on a defrag task (which is taking forever). I ran MEMDIAG on it and it didn't find any errors though. CHKDSK /f will not run. It lets me tell it to reboot and run it, but then it doesn't run on reboot. I don't imagine that VeraCrypt is interfering with it; it didn't block MEMDIAG, which has a similar modality.
- I would hate to have to give it back to her in this state. I would also hate to have to upgrade it to Win 10 with only 6 GB of RAM, but that might be an option.
- Thanks for any further thoughts. It sure is a doosey.
- Ken
- At 04:03 PM 3/1/2022, you wrote:
- If they have access to the encryption password when they boot from a separate flash drive they can pretty much do anything they want.
- Did they change the admin password?
- If not, then wow … it’s gotta be a doosey!
- Physical possession …
- Philip Elder MCTS
- Senior Technical Architect
- Microsoft High Availability MVP
- E-mail: Phili...@mpecsinc.ca
- Phone: +1 (780) 458-2028
- Web: www.mpecsinc.com
- Blog: blog.mpecsinc.com
- Twitter: Twitter.com/MPECSInc
- Skype: MPECSInc.
- Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.
- From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Ken Dibble
- Sent: Tuesday, March 1, 2022 13:32
- Subject: Re: [ntsysadmin] What does 'control userpasswords2' do and why?
- This is Windows 7 Pro.
- As described, a person would first have to supply a separate password to VeraCrypt, before the OS could even boot.
- The command was leftover in the "Run..." dialog dropdown in the local admin account. How could anybody access that dialog without first logging into the account? How could anybody run that command without having access to that dialog?
- Thanks.
- Ken Dibble
- www.stic-cil.org
- At 03:15 PM 3/1/2022, you wrote:
- this allows you to boot directly to your desktop, bypassing the Windows User logon. Strange that they would change the configuration of the system. Now I'm curious as to "forced to allow..."
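The thread asks what 'control userpasswords2' changes and how a command could end up in the local admin account's "Run..." history. The following read-only audit is an added example, not code posted in the thread or shipped by Microsoft. It assumes an elevated PowerShell on the examined machine (it avoids PowerShell 3.0-only syntax so it runs on the PowerShell 2.0 that ships with Windows 7) and relies on two documented registry locations: the Winlogon key, where netplwiz sets AutoAdminLogon and DefaultUserName when "Users must enter a user name and password" is unticked (the password itself goes into the LSA secret DefaultPassword, not the registry), and the per-user Explorer\RunMRU key that backs the Run dialog's drop-down.

```powershell
# Added example, not code from the thread: read-only audit of the two Windows artifacts
# discussed above. Run from an elevated PowerShell. Nothing is written; the functions
# only return objects for you to inspect.

function Get-AutoLogonConfig {
    # 'control userpasswords2' (netplwiz) writes here when "Users must enter a user name
    # and password" is unticked: AutoAdminLogon=1 plus the account to sign in as.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop
    New-Object PSObject -Property @{
        AutoAdminLogon    = $p.AutoAdminLogon      # "1" means the logon screen is bypassed at boot
        DefaultUserName   = $p.DefaultUserName
        DefaultDomainName = $p.DefaultDomainName
        # netplwiz keeps the password in the LSA secret named DefaultPassword, so this
        # registry value is normally empty even when auto-logon is on. A non-empty value
        # means someone stored a cleartext password in the registry instead.
        DefaultPasswordInRegistry = [bool]$p.DefaultPassword
    }
}

function Get-RunMRU {
    # The "Run..." dialog history lives in each user's own hive under Explorer\RunMRU.
    # Walk every hive loaded under HKEY_USERS: logged-on users, plus any ntuser.dat you
    # mounted yourself with 'reg load HKU\<name> <path>\ntuser.dat' (useful when you
    # would rather examine a copied hive than the live profile).
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in (Get-ChildItem 'HKU:\')) {
        $name = $hive.PSChildName
        if ($name -like '*_Classes') { continue }
        $mru = "HKU:\$name\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
        if (-not (Test-Path $mru)) { continue }
        $p = Get-ItemProperty -Path $mru
        # Map a SID back to an account name where possible; a hive loaded by hand keeps
        # whatever name it was mounted under.
        $account = $name
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $name
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        # MRUList is a string of slot letters, most recent first; each slot value is "<command>\1".
        $order = 0
        foreach ($ch in ([string]$p.MRUList).ToCharArray()) {
            $slot = [string]$ch
            $prop = $p.PSObject.Properties[$slot]
            if ($prop -eq $null) { continue }
            $order++
            New-Object PSObject -Property @{
                Account = $account
                Hive    = $name
                Order   = $order                                  # 1 = most recently run
                Command = ([string]$prop.Value) -replace '\\1$', ''
            }
        }
    }
}

# Usage: show whether auto-logon is on, then every Run-dialog entry per account.
Get-AutoLogonConfig | Format-List
Get-RunMRU | Sort-Object Account, Order | Format-Table Account, Order, Command -AutoSize
```

Because RunMRU is stored in the user's own hive, an entry shows up only in the hive of the account in whose session the command was typed, which is the point of checking it per hive rather than just for the current user. If preservation matters, copy the hives off first and load the copies with reg load instead of running this against the live profiles.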
There was a time where the thought of swapping out an HDD for an SSD and adding or swapping memory modules was approached with much trepidation.
A Greek Puzzle they were.
And I agree, there are so many great videos on how to disassemble machines now that it’s fairly easy to get a handle on it.
Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Skype: MPECSInc.
Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.