tinyapps.org / blog

Showing all programs in Windows 8.1 #

In lieu of a third-party Start menu replacement like Classic Shell (along with its attendant risks), you can create a taskbar toolbar to display all programs in Windows 8.1:
  1. Add %ProgramData%\Microsoft\Windows\Start Menu\Programs and %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs to a new Library called "Programs"
  2. Right click the taskbar then click Toolbars > New toolbar...
  3. Enter %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Libraries\Programs.library-ms into the Folder: path and click "Select Folder"

That's it; now you've got a list of all programs easily accessible from the taskbar.


/windows | Oct 11, 2016

Automatically prompt for elevated permissions when running a batch script #

Add the script below to the beginning of your batch scripts to automatically request elevated permissions when they are run. It was written by Matt, who credits a post by NIronwolf for inspiration, which in turn credits OpenELEC, who apparently no longer hosts the original script (this may be it: create_installstick.bat). As Winhelponline points out, simply add your instructions under the "START" label.
:: Automatically check & get admin rights V2
@echo off
ECHO =============================
ECHO Running Admin shell
ECHO =============================

:init
setlocal DisableDelayedExpansion
set "batchPath=%~0"
for %%k in (%0) do set batchName=%%~nk
set "vbsGetPrivileges=%temp%\OEgetPriv_%batchName%.vbs"
setlocal EnableDelayedExpansion

:checkPrivileges
:: NET FILE only succeeds with admin rights, so its errorlevel tells us whether we are already elevated
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )

:getPrivileges
if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges)
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************

:: Write a small VBScript helper that relaunches this batch file via ShellExecute "runas"
:: (the UAC prompt), passing "ELEV" as a marker argument followed by the original arguments
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%vbsGetPrivileges%"
ECHO args = "ELEV " >> "%vbsGetPrivileges%"
ECHO For Each strArg in WScript.Arguments >> "%vbsGetPrivileges%"
ECHO args = args ^& strArg ^& " "  >> "%vbsGetPrivileges%"
ECHO Next >> "%vbsGetPrivileges%"
ECHO UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%vbsGetPrivileges%"
"%SystemRoot%\System32\WScript.exe" "%vbsGetPrivileges%" %*
exit /B

:gotPrivileges
setlocal & pushd .
cd /d %~dp0
:: Elevated relaunch: remove the helper script and drop the ELEV marker from the arguments
if '%1'=='ELEV' (del "%vbsGetPrivileges%" 1>nul 2>nul  &  shift /1)

::::::::::::::::::::::::::::
::START
::::::::::::::::::::::::::::
REM Run shell as admin (example) - put here code as you like
ECHO %batchName% Arguments: %1 %2 %3 %4 %5 %6 %7 %8 %9
cmd /k
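The same "relaunch myself elevated" pattern in PowerShell, as an added example (not from the tinyapps post or from Matt's batch script). It checks the current token for the Administrators role and, if not elevated, re-runs itself through the ShellExecute "runas" verb via Start-Process, so no helper .vbs has to be written to %TEMP%. It assumes it is saved as a .ps1 file (so $PSCommandPath is set); the argument handling and the work below the check are illustrative.

```powershell
# Added example: self-elevating PowerShell script (save as Elevate-Demo.ps1 and run it;
# the elevated copy continues below the check, like the batch file's START label).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Write-Host 'Not elevated; invoking UAC...'
    # Quote each original argument so arguments containing spaces survive the relaunch
    $quoted  = @($args | ForEach-Object { '"{0}"' -f $_ })
    $argList = @('-NoProfile', '-File', ('"{0}"' -f $PSCommandPath)) + $quoted
    try {
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs -ErrorAction Stop
    } catch {
        # Typically the user clicked "No" on the UAC prompt, or elevation is blocked by policy
        Write-Error "Elevation was refused: $($_.Exception.Message)"
    }
    exit
}

# ---- everything below runs elevated (the equivalent of the batch file's START label) ----
Set-Location -Path $PSScriptRoot
Write-Host "Running elevated as $($identity.Name)"
Write-Host "Arguments: $($args -join ' ')"
```

Because the relaunch goes through -File, the machine's execution policy still applies to the elevated copy, which is the behaviour you want for a script that is about to run with admin rights.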

/windows | Sep 04, 2016

Recover Windows product key from BIOS / UEFI #

while booted via Windows installation media, then determine which version of Windows corresponds to the recovered key:
  1. Boot via Windows installation media (DVD, USB flash drive, etc)

  2. When the "Windows Setup" window appears, press Shift + F10 to open a command prompt

  3. Launch one of these tools from the command prompt to retrieve product key from BIOS / UEFI:

    1. Windows OEM Product Key Tool 1.1 - Purpose-built app; simply returns the product key

    2. FirmwareTablesView - Displays list of firmware tables; look for "MSDM" under Signature column or "Microsoft Software Licensing Table" under Description column

    3. RWEverything - Digs deep for a plethora of hardware details; head to ACPI > MSDM > Data.

  4. To identify which version of Windows the recovered product key corresponds to:

    1. Ultimate PID Checker - Works with product keys from XP through 8 (not 8.1); runs inside the Windows installation environment

    2. ShowKeyPlus - Works with product keys from Windows 7 through 10; does not run inside the Windows installation environment

For OEM computers still shipping with Windows 7 or 8.1 (slated to end on October 31, 2016), the firmware-embedded product key likely differs from the product key on the hard drive. Recover the latter with ProduKey.

For more information on embedded product keys, see Windows 10 Embedded Product Key Tool and Where is my Windows product key, and how can I tell that my Windows installation is genuine?
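For a Windows 8 or later system that still boots, the firmware-embedded key can be read without third-party tools, and compared with the key the installed Windows is actually licensed with, which is the "embedded key differs from the key on the hard drive" case described above. This is an added example, not from the tinyapps post; it uses the SoftwareLicensingService and SoftwareLicensingProduct WMI classes (the ones slmgr.vbs uses) and the Windows application ID that slmgr.vbs filters on.

```powershell
# Added example: firmware (ACPI MSDM) key vs. the partial key of the installed Windows license.
$svc         = Get-CimInstance -ClassName SoftwareLicensingService
$firmwareKey = $svc.OA3xOriginalProductKey   # populated from the MSDM table on OEM Windows 8+ machines

if ([string]::IsNullOrEmpty($firmwareKey)) {
    Write-Host 'No OEM key in firmware (no MSDM table; typical for pre-Windows 8 OEM machines).'
} else {
    Write-Host "Firmware (MSDM) product key: $firmwareKey"
}

# Windows licenses that have a key installed; the ApplicationID is the Windows one used by slmgr.vbs
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$installed = Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"

# LicenseStatus values as documented for slmgr.vbs /dli
$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                  4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }

foreach ($p in $installed) {
    $code   = [int]$p.LicenseStatus
    $status = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "Unknown ($code)" }
    # Only the last five characters of the installed key are exposed, so compare on those
    $relation = if (-not $firmwareKey) { 'no firmware key to compare' }
                elseif ($firmwareKey.EndsWith($p.PartialProductKey)) { 'same as firmware key (last 5 chars)' }
                else { 'DIFFERS from firmware key' }
    Write-Host ("{0}`n  status      : {1}`n  partial key : {2} ({3})" -f $p.Name, $status, $p.PartialProductKey, $relation)
}
```

On an OEM machine re-imaged with a retail or volume key the last line reports "DIFFERS", which is exactly the situation where recovering both keys (ProduKey for the installed one) matters before a reinstall.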

/windows | Sep 04, 2016

Booting Dell Venue 10 Pro 5055 from USB device #

  1. With the Venue turned off, hold the volume button down.
  2. Turn on the Venue
  3. When the BIOS / UEFI screen appears, let go of the volume button
  4. Tap "Boot" > "Secure Boot" > "Disabled"
  5. Tap "File Browser Add Boot Option" > select .efi file on a bootable FAT32-formatted device (e.g., tap "USB: DataTraveler 2.0" > "Select Media File" menu appears > tap "efi" > "boot" > "bootia32.efi") > "Input File Name" menu appears > enter desired name (e.g., "USBFlash") > tap Return > Ok
  6. Change "Boot Option Priorities" if desired, or simply reboot while holding the volume button up for the "Boot Options" menu.


/windows | Sep 04, 2016

Windows 7 install error: "A required CD/DVD drive device driver is missing" #

While attempting to install Windows 7 on a Dell Optiplex 3040 Micro, the following error appeared:

A required CD/DVD drive device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.

Note: If the Windows installation media is in the CD/DVD drive, you can safely remove it for this step.

Browse | OK | Cancel

(As it turns out, the problem is caused by a missing USB 3.0 driver, so installing via USB floppy, CD/DVD, flash drive, etc was not possible.)

Browsing for a driver on the virtual X: drive returned:

No device drivers were found. Make sure that the installation media contains the correct drivers, and then click OK.

Reports online did not sound promising, e.g.: 'No device drivers were found' error when installing windows 7 on new computer ("FINAL EDIT - If you're here for answers, while nothing here worked for me, that doesn't mean it won't work for you, so I suggest you try everything here if you can. What I ended up doing is giving up on windows 7 and instead installed windows 10.").

Coming up with a working solution took more time than anyone else should ever have to invest in this issue again. Here's what worked for me:

  1. Format a USB drive as NTFS. If necessary, use diskpart.exe:

    1. list disk

    2. select disk x, where x is the number assigned to your USB drive

    3. clean

    4. create partition primary

    5. select partition 1

    6. active

    7. format fs=ntfs quick

    8. assign

    9. exit

  2. Copy files and folders from Windows 7 ISO or DVD to USB drive

  3. Download Intel(R) USB 3.0 eXtensible Host Controller Driver and extract contents

  4. Download, install, and run NTLite

  5. Click "Add" > "Image folder" > select drive letter of USB drive (E: in the example that follows) > click "Select Folder"

  6. Under "Operating systems | install.wim", right click the version of Windows that corresponds to your license and then click "Load":

  7. Once loading has completed, click "Drivers" in the left-hand column:

  8. Click "Add" > "Folder with multiple drivers" > browse to the folder containing extracted driver(s) > click "Select Folder"

  9. Click "Apply" in left-hand column > click green "Process" button at top left > "Yes"

  10. When processing is complete, click "Source" in the left-hand column to return to the main window

  11. Repeat steps 6 through 10 for the two entries under "Boot/Setup | boot.wim" (in the screenshots above, they are "Microsoft Windows PE (x86)" and "Windows 7 Setup")

  12. If desired, make an ISO image of the USB drive (for burning to DVD-R, etc) by right clicking E: under "Image history" and then clicking "Create ISO"

  13. The USB drive or ISO image can now be used to install Windows 7 on the affected computer (see below for a list of all affected Dell models)
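The same driver injection can be done with DISM, which ships with Windows, instead of NTLite. The following is an added example, not from the tinyapps post: it loops over every image index in boot.wim and install.wim on the USB drive and adds the extracted driver folder to each (the steps above inject only the edition you are licensed for; doing all indexes is simply broader). The drive letter, driver folder and mount directory are assumptions; run it from an elevated PowerShell.

```powershell
# Added example: inject a driver folder into every index of boot.wim and install.wim with DISM.
$UsbRoot   = 'E:'                     # USB drive holding the copied Windows 7 files (assumed)
$DriverDir = 'C:\drivers\intel-usb3'  # extracted Intel USB 3.0 driver folder with .inf files (assumed)
$MountDir  = 'C:\mount'               # empty directory on a local NTFS volume (assumed)

function Invoke-Dism {
    param([string[]]$DismArgs)
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) { throw "dism.exe $($DismArgs -join ' ') failed (exit code $LASTEXITCODE)" }
}

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

foreach ($wim in "$UsbRoot\sources\boot.wim", "$UsbRoot\sources\install.wim") {
    # Files copied from a DVD/ISO carry the read-only attribute; DISM cannot commit to such a WIM
    Set-ItemProperty -Path $wim -Name IsReadOnly -Value $false

    # Parse the "Index : N" lines from /Get-WimInfo (English DISM output assumed)
    $indexes = & dism.exe /Get-WimInfo "/WimFile:$wim" | ForEach-Object {
        if ($_ -match '^Index\s*:\s*(\d+)') { [int]$Matches[1] }
    }

    foreach ($i in $indexes) {
        Write-Host "Adding drivers to $wim, index $i"
        Invoke-Dism -DismArgs @('/Mount-Wim', "/WimFile:$wim", "/Index:$i", "/MountDir:$MountDir")
        Invoke-Dism -DismArgs @("/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse')
        Invoke-Dism -DismArgs @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
    }
}
```

If a mount is interrupted, clean up with dism.exe /Cleanup-Wim before re-running, otherwise the next /Mount-Wim will fail on the stale mount.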



/windows | Aug 21, 2016

Stop ransomware process and dump memory to extract key #

Anti Ransom v3 "creates a random decoy folder with many useless random documents (Excel, PDF) and then it monitors the folder waiting for changes. When a change is detected, AntiRansom tries to identify which process is responsible for such change and then stops it and dumps the process memory (hopefully the key or password that is being used by the ransomware is inside)".
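A minimal decoy folder monitor in the same spirit, as an added example (not part of the tinyapps post or of Anti Ransom): it seeds a folder with random "documents", records their hashes, and alerts on the first change, noting when a file's content was rewritten rather than merely touched. FileSystemWatcher does not reveal which process made the change, so identifying, suspending and dumping that process is left to the tool itself (or to Sysmon). The folder location and file names are assumptions.

```powershell
# Added example: decoy (canary) folder watcher. Save as Watch-Decoy.ps1 and dot-source or run
# it in a console that stays open; alerts are raised by the event subscriptions below.
$DecoyDir = Join-Path $env:USERPROFILE 'Documents\_decoy'   # assumed location
New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null

# Seed decoy files with random bytes so they look like real, encryptable documents
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($i in 1..20) {
    $bytes = New-Object byte[] 8192
    $rng.GetBytes($bytes)
    $ext  = ('xlsx', 'pdf', 'docx')[$i % 3]
    [IO.File]::WriteAllBytes((Join-Path $DecoyDir ('invoice_{0:D3}.{1}' -f $i, $ext)), $bytes)
}

# Baseline hashes let the alert distinguish a rewrite (encryption) from a timestamp touch
$baseline = @{}
Get-ChildItem -Path $DecoyDir -File | ForEach-Object {
    $baseline[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $DecoyDir
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

$onChange = {
    $e   = $Event.SourceEventArgs
    $msg = '{0:u} DECOY {1}: {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Changed' -and (Test-Path -LiteralPath $e.FullPath)) {
        # The writer may still hold the file open; a failed hash just means "unknown"
        $now = (Get-FileHash -LiteralPath $e.FullPath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $was = $Event.MessageData[$e.FullPath]
        if ($now -and $was -and $now -ne $was) { $msg += ' (content rewritten)' }
    }
    Write-Warning $msg
}
foreach ($evt in 'Changed', 'Renamed', 'Deleted', 'Created') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt `
        -SourceIdentifier "Decoy$evt" -Action $onChange -MessageData $baseline | Out-Null
}
Write-Host "Watching $DecoyDir; run 'Unregister-Event -SourceIdentifier Decoy*' to stop."
```

Keep the decoy folder out of your own workflows (and out of backup jobs that rewrite files in place), otherwise the alerts become noise and get ignored.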

/windows | Jul 09, 2016

Extract passwords and more from memory #

mimikittenz "is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes".

Basic usage:

  1. Run Windows PowerShell as administrator
  2. cd to directory containing Invoke-mimikittenz.ps1 (e.g., Downloads)
  3. PS C:\Users\user\Downloads> Set-ExecutionPolicy RemoteSigned
  4. PS C:\Users\user\Downloads> Import-Module $pwd\Invoke-mimikittenz.ps1
  5. PS C:\Users\user\Downloads> Invoke-mimikittenz

Sample result:

PatternName       PatternMatch
-----------       ------------
Gmail             &Email=tinyapps@gmail.com&Passwd=PASSWORD_IN_PLAINTEXT&Persiste...
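From the defender's side, the technique the tool relies on is visible in process-access telemetry. The following is an added example, not from the tinyapps post or from mimikittenz: it queries Sysmon Event ID 10 (ProcessAccess) for handles opened on browser processes with PROCESS_VM_READ (0x0010), the access right ReadProcessMemory requires, by anything outside a small allowlist. It assumes Sysmon is installed with a configuration that logs ProcessAccess for these targets; the target and allowlist entries are assumptions to tune.

```powershell
# Added example: hunt for untrusted processes reading browser memory via Sysmon Event ID 10.
param(
    [string[]]$TargetNames    = @('chrome.exe', 'firefox.exe', 'iexplore.exe'),   # assumed targets
    [string[]]$TrustedSources = @("$env:SystemRoot\System32\csrss.exe",           # assumed allowlist
                                  "$env:SystemRoot\System32\lsass.exe"),
    [int]$Hours = 24
)

$PROCESS_VM_READ = 0x0010

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 10
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$hits = foreach ($ev in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    $target  = [System.IO.Path]::GetFileName($d['TargetImage'])
    $granted = [Convert]::ToInt32($d['GrantedAccess'], 16)   # Sysmon logs it as e.g. "0x1010"

    if (($TargetNames -contains $target) -and
        (($granted -band $PROCESS_VM_READ) -ne 0) -and
        ($TrustedSources -notcontains $d['SourceImage'])) {
        [pscustomobject]@{
            Time          = $ev.TimeCreated
            SourceImage   = $d['SourceImage']
            SourcePid     = $d['SourceProcessId']
            TargetImage   = $d['TargetImage']
            GrantedAccess = $d['GrantedAccess']
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else       { Write-Host "No untrusted PROCESS_VM_READ handles to $($TargetNames -join ', ') in the last $Hours h." }
```

Expect legitimate hits from security products and debuggers; the point is to build the allowlist from what you observe on clean systems and then alert on the remainder, rather than to alert on every event.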

mimikittenz currently extracts the following credentials from memory:

See also:

/windows | Jul 08, 2016

Cloning a failing hard drive to a smaller drive #

Faced with a rapidly-worsening hard drive (and after backing up critical data), I hoped to clone the Windows install to a smaller drive (the only one on hand). Kanguru's Mobile Clone HD One-To-One Duplicator (KCLONE-1HD-MBC) has gotten me out of similar binds before, but cloning to smaller drives is not currently supported.

Here are the boot discs I tried in order and their results (for a similar list, see Windows won't boot (or boots only once) after SSD upgrade):
  1. Paragon Drive Copy 15 Professional - crashed
  2. Acronis True Image 2016 - crashed
  3. HDClone 6.1.5 Advanced Edition - produced a non-working clone with missing partitions
  4. Image for Windows 2.99-00 - produced a working clone!
I was happily surprised that my version 2 license from 2008 was still valid for the current version (2.99-00), which was released as recently as February 25, 2016. Many thanks to TeraByte for a great product and the super-long-term support!

/windows | Jun 16, 2016

Check Windows for spurious certs #

In light of malware and OEM CA shenanigans ("Who’s your Verisign?" - Malware faking digital signatures, Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish), be sure to check certificates regularly, especially immediately following acquisition or malware cleanup.

While you could comb through Certificate Manager (certmgr.msc), Sigcheck from Sysinternals speeds things up considerably. The following example is from a system with Superfish and Fiddler certs installed:
C:\>sigcheck.exe -tuv *

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Listing valid certificates not rooted to the Microsoft Certificate Trust List:

        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
   Superfish, Inc.
        Cert Status:    Valid
        Valid Usage:    All
        Cert Issuer:    Superfish, Inc.
        Serial Number:  00 D2 FC 13 87 A9 44 DC E7
        Thumbprint:     C864484869D41D2B0D32319C5A62F9315AAF2CBD
        Algorithm:      sha1RSA
        Valid from:     6:25 AM 5/12/2014
        Valid to:       6:25 AM 5/7/2034
        Cert Status:    Valid
        Valid Usage:    Server Auth
        Cert Issuer:    DO_NOT_TRUST_FiddlerRoot
        Serial Number:  99 77 7A 3E 64 63 19 9C 4D 6D 66 75 10 EF 0E B6
        Thumbprint:     31745D49A0C3386A1387A755217FD5C9701A9607
        Algorithm:      sha256RSA
        Valid from:     12:00 AM 6/14/2015
        Valid to:       11:59 PM 6/13/2026
From the documentation:
 -t[u][v] Dump contents of specified certificate store ('*' for all stores).
          Specify -tu to query the user store (machine store is the default).
          Append '-v' to have Sigcheck download the trusted Microsoft
          root certificate list and only output valid certificates not rooted to
          a certificate on that list. If the site is not accessible,
          authrootstl.cab or authroot.stl in the current directory are
          used instead, if present.
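Sigcheck -tuv answers "which roots are not in Microsoft's trust list"; a complementary check is "which roots appeared since I last looked". The following is an added example, not from the tinyapps post or Sysinternals: it snapshots the Root and AuthRoot stores of both the machine and the current user (Fiddler installs its root under the current user) into a CSV baseline taken on a system you trust, and later runs diff the live stores against it. The baseline path is an assumption.

```powershell
# Added example: baseline-and-diff of trusted root stores. Save as Check-RootStores.ps1;
# run once with -SaveBaseline on a clean system, then without it after setup or cleanup.
param(
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'root-baseline.csv'),   # assumed location
    [switch]$SaveBaseline
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'

$current = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NotAfter   = $_.NotAfter
        }
    }
}

if ($SaveBaseline) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline of $(@($current).Count) root certificates saved to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -SaveBaseline on a system you trust first."
}

# Key on store + thumbprint so the same CA appearing in a new store is also reported
$known = @{}
foreach ($b in (Import-Csv -Path $BaselinePath)) { $known["$($b.Store)|$($b.Thumbprint)"] = $true }

$added = @($current | Where-Object { -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)") })
if ($added.Count -eq 0) {
    Write-Host 'No root certificates added since the baseline.'
} else {
    Write-Warning "$($added.Count) root certificate(s) not in the baseline:"
    $added | Format-Table Store, Thumbprint, Subject, SelfSigned -AutoSize
}
```

Windows Update's automatic root updates will add legitimate entries over time, so refresh the baseline after reviewing (not before), and treat a new self-signed root in Cert:\CurrentUser\Root with the same suspicion as the DO_NOT_TRUST_FiddlerRoot entries in the Sigcheck output above.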

/windows | Jun 14, 2016

Block a specific program from accessing the Internet #

  1. Open Windows Firewall with Advanced Security (wf.msc)
  2. Click "Outbound Rules"
  3. Click "New Rule…"
  4. Click "Program" > "Next"
  5. Click "This program path" > "Browse" > select program to block > "Next"
  6. Click "Block the connection" > "Next"
  7. Leave Domain, Private, and Public checked > "Next"
  8. Type desired name for rule and click "Finish"
If that seems too tedious, check out OneClickFirewall. It adds a context menu item to "Block Internet Access" and another to "Restore Internet Access", leveraging outbound rules in Windows Firewall with Advanced Security.
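The same outbound block rule can be created from PowerShell with the NetSecurity cmdlets (Windows 8 / Server 2012 and later), which is handy when the rule has to be applied to many machines or verified afterwards. This is an added example, not from the tinyapps post or OneClickFirewall; the program path in the usage line is an assumption, and the cmdlets need an elevated PowerShell.

```powershell
# Added example: per-program outbound block rule with New-NetFirewallRule, plus a check.
function Block-ProgramOutbound {
    param(
        [Parameter(Mandatory)][string]$ProgramPath,
        [string]$RuleName = "Block outbound - $([IO.Path]::GetFileName($ProgramPath))"
    )
    if (-not (Test-Path -LiteralPath $ProgramPath)) { throw "Program not found: $ProgramPath" }
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$RuleName' already exists."
        return
    }
    # Same settings as the wizard steps: outbound, this program path, block, all three profiles
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Program $ProgramPath -Profile Domain,Private,Public -Enabled True | Out-Null
    Write-Host "Created '$RuleName'."
}

function Unblock-ProgramOutbound {
    param([Parameter(Mandatory)][string]$RuleName)
    Remove-NetFirewallRule -DisplayName $RuleName
}

function Show-ProgramBlockRules {
    # List every enabled outbound block rule that is tied to a specific program path
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any') {
            [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Profile = $_.Profile }
        }
    } | Format-Table -AutoSize
}

# Usage (assumed path):
Block-ProgramOutbound -ProgramPath 'C:\Program Files\Example\example.exe'
Show-ProgramBlockRules
```

Block rules take precedence over allow rules in Windows Firewall, so this works even if an allow rule for the same program exists. The rule keys on the file path, which makes it a convenience control for a known program rather than a security boundary.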

/windows | Jun 04, 2016
