tinyapps.org / blog


Windows keeps reverting to high contrast mode #

If Windows keeps changing back to high contrast mode despite repeated attempts to change it in Control Panel > All Control Panel Items > Personalization, and despite disabling all options under "Choose a High Contrast theme" in Control Panel > All Control Panel Items > Ease of Access Center > "Make the computer easier to see", head to the Lock Screen > Ease of Access icon at bottom left > turn off High Contrast.

/windows | Mar 01, 2017

Batch remove all tiles from Windows 10 Start Menu #

Well, almost all tiles; the few that remain after running the script below (save as unpin.ps1 then right click and "Run with PowerShell") can be removed manually (right click tile > "Unpin from Start").

/windows | Feb 04, 2017

Cloning 1TB MBR system HDD to 4TB GPT SSD #

  1. Install 4TB SSD
  2. Change boot mode to UEFI and SATA operation to AHCI.* For example, on a typical Dell system:
  3. Boot from Acronis True Image 2016 disc (be sure to select entry under UEFI BOOT, not LEGACY BOOT)
  4. Clone 1TB MBR HDD to 4TB GPT SSD. MBR will be converted to GPT automatically on destination disk

Received "Failed to write data to disk" error at end of cloning process followed shortly by "Cloning succeeded".

On reboot, the following message appeared:


Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. Insert your Windows installation disc and restart your computer.
2. Choose your language settings, and then click "Next."
3. Click "Repair your computer."

If you do not have this disc, contact your system administrator or computer manufacturer for assistance.

File: \EFI\Microsoft\Boot\BCD

Status: 0xc000000f

Info: An error occurred while attempting to read the boot configuration data.

ENTER=Continue ESC=Exit


  1. Booted from Windows 7 install disc (again, be sure to select device under UEFI BOOT, not LEGACY BOOT)
  2. Next > Repair your computer
  3. "Windows found problems with your computer's startup options. Do you want to apply repairs and restart your computer?"
  4. Before clicking "Repair and restart", clicked "View details", which revealed:
        The following startup options will be added:
        Name: Windows 7 Professional (recovered)
        Path: Windows
        Windows Device: Partition=D: (3815116 MB)

Windows booted normally from 4TB SSD.

* IDE/ATA was required in this account, which uses a method similar to Xcopy Windows to a new hard drive, but with ntfsclone (careful with the syntax: the target is specified before the source, as explained in the man page:
    Clone NTFS on /dev/hda1 to /dev/hdc1:
    ntfsclone --overwrite /dev/hdc1 /dev/hda1
)
Destination disk is larger than 2 TB: If "My source disk is MBR and my OS supports UEFI" and "My system is UEFI-booted (Windows or Acronis Bootable Media)" then "partition style on your destination disk will be converted to GPT automatically. This disk may be used for booting in UEFI. Also, the entire disk space will be available."

/windows | Dec 03, 2016

Showing all programs in Windows 8.1 #

In lieu of a third-party Start menu replacement like Classic Shell (along with its attendant risks), you can create a taskbar toolbar to display all programs in Windows 8.1:
  1. Add %ProgramData%\Microsoft\Windows\Start Menu\Programs and %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs to a new Library called "Programs"
  2. Right click the taskbar then click Toolbars > New toolbar...
  3. Enter %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Libraries\Programs.library-ms into the Folder: path and click "Select Folder"

That's it; now you've got a list of all programs easily accessible from the taskbar.

References:

/windows | Oct 11, 2016

Automatically prompt for elevated permissions when running a batch script #

Add the script below to the beginning of your batch scripts to automatically request elevated permissions when run. It was written by Matt, who credits for inspiration a post by NIronwolf, which credits OpenELEC, who apparently does not host the original script any longer (this may be it: create_installstick.bat). As Winhelponline points out, simply add your instructions under the "START" label.
::::::::::::::::::::::::::::::::::::::::::::
:: Automatically check & get admin rights V2
::::::::::::::::::::::::::::::::::::::::::::
@echo off
CLS
ECHO.
ECHO =============================
ECHO Running Admin shell
ECHO =============================

:init
:: Record this script's path and base name while delayed expansion is off, so any "!"
:: in the path is kept literally; the value is read later as !batchPath!. The helper
:: .vbs that performs the relaunch is written to %temp%.
setlocal DisableDelayedExpansion
set "batchPath=%~0"
for %%k in (%0) do set batchName=%%~nk
set "vbsGetPrivileges=%temp%\OEgetPriv_%batchName%.vbs"
setlocal EnableDelayedExpansion

:checkPrivileges
:: NET FILE only succeeds with an elevated token, so its errorlevel shows whether we are admin
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto gotPrivileges ) else ( goto getPrivileges )

:getPrivileges
:: "ELEV" is the marker argument the relaunched (elevated) copy receives; drop it and continue
if '%1'=='ELEV' (echo ELEV & shift /1 & goto gotPrivileges)
ECHO.
ECHO **************************************
ECHO Invoking UAC for Privilege Escalation
ECHO **************************************

:: Write a small VBScript that relaunches this batch file via ShellExecute with the
:: "runas" verb (the UAC prompt), forwarding the original arguments after the ELEV marker
ECHO Set UAC = CreateObject^("Shell.Application"^) > "%vbsGetPrivileges%"
ECHO args = "ELEV " >> "%vbsGetPrivileges%"
ECHO For Each strArg in WScript.Arguments >> "%vbsGetPrivileges%"
ECHO args = args ^& strArg ^& " "  >> "%vbsGetPrivileges%"
ECHO Next >> "%vbsGetPrivileges%"
ECHO UAC.ShellExecute "!batchPath!", args, "", "runas", 1 >> "%vbsGetPrivileges%"
"%SystemRoot%\System32\WScript.exe" "%vbsGetPrivileges%" %*
exit /B

:gotPrivileges
:: Elevated processes start in %SystemRoot%\System32, so return to the script's own
:: folder, then delete the temporary .vbs helper if we were relaunched through it
setlocal & pushd .
cd /d %~dp0
if '%1'=='ELEV' (del "%vbsGetPrivileges%" 1>nul 2>nul  &  shift /1)

::::::::::::::::::::::::::::
::START
::::::::::::::::::::::::::::
REM Run shell as admin (example) - put here code as you like
ECHO %batchName% Arguments: %1 %2 %3 %4 %5 %6 %7 %8 %9
cmd /k
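The same self-elevation pattern in PowerShell, as an added example that is not Matt's script or part of the original post: it checks the current token for the Administrators role and, if needed, relaunches the script itself through the UAC prompt with Start-Process -Verb RunAs, so no helper .vbs has to be written to %temp% and executed from there. It assumes PowerShell 3 or later (for $PSCommandPath) and is saved as a .ps1 file.

```powershell
# Added example: self-elevating PowerShell script (equivalent of the batch file above).
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    # Relaunch this same script file through the UAC prompt, forwarding any arguments.
    # $PSCommandPath is always the full path, so it works whether the script was
    # double-clicked or started from a shell in another directory.
    $argList = @('-NoProfile', '-File', "`"$PSCommandPath`"") + $args
    try {
        Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs
    } catch {
        # Start-Process throws when the user declines the UAC prompt
        Write-Error "Elevation was cancelled or failed: $_"
    }
    exit
}

# ---- START: everything below runs elevated ----
# Elevated processes start in %SystemRoot%\System32, like the batch version's cd /d %~dp0
Set-Location -Path $PSScriptRoot
Write-Host "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name) with arguments: $args"
```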

/windows | Sep 04, 2016

Recover Windows product key from BIOS / UEFI #

Recover the key while booted via Windows installation media, then determine which version of Windows corresponds to the recovered key:
  1. Boot via Windows installation media (DVD, USB flash drive, etc)

  2. When the "Windows Setup" window appears, press Shift + F10 to open a command prompt

  3. Launch one of these tools from the command prompt to retrieve the product key from BIOS / UEFI:

    1. Windows OEM Product Key Tool 1.1 - Purpose-built app; simply returns the product key

    2. FirmwareTablesView - Displays list of firmware tables; look for "MSDM" under Signature column or "Microsoft Software Licensing Table" under Description column

    3. RWEverything - Digs deep for a plethora of hardware details; head to ACPI > MSDM > Data.

  4. To identify which version of Windows the recovered product key corresponds to:

    1. Ultimate PID Checker - Works with product keys from XP through 8 (not 8.1); runs inside the Windows installation environment

    2. ShowKeyPlus - Works with product keys from Windows 7 through 10; does not run inside the Windows installation environment

For OEM computers still shipping with Windows 7 or 8.1 (slated to end on October 31, 2016), the firmware-embedded product key likely differs from the product key on the hard drive. Recover the latter with ProduKey.

For more information on embedded product keys, see Windows 10 Embedded Product Key Tool and Where is my Windows product key, and how can I tell that my Windows installation is genuine?
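What the tools above are reading is the ACPI "MSDM" (Microsoft Software Licensing) table, and the same value can be pulled out with a few lines of PowerShell. This is an added example, not code from the post or from any of the tools listed: it calls GetSystemFirmwareTable through a P/Invoke stub and parses the table layout directly. It assumes a normally booted Windows 8 or later system (Add-Type needs the .NET compiler, which the installation environment does not provide) and firmware that actually carries an embedded key.

```powershell
# Added example: read the OEM product key from the ACPI MSDM firmware table.
Add-Type -Namespace Firmware -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
'@

function Get-FirmwareProductKey {
    # The provider 'ACPI' is passed as the DWORD 0x41435049; the table ID is the 4-byte
    # signature as it appears in the table, read little-endian: "MSDM" = 0x4D44534D.
    $acpi = 0x41435049
    $msdm = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes('MSDM'), 0)

    # First call with no buffer returns the table size (0 means no MSDM table present)
    $size = [Firmware.Native]::GetSystemFirmwareTable($acpi, $msdm, $null, 0)
    if ($size -eq 0) { throw 'No MSDM table found: this firmware has no embedded product key' }
    $buf = New-Object byte[] $size
    [void][Firmware.Native]::GetSystemFirmwareTable($acpi, $msdm, $buf, $size)

    # Layout: 36-byte ACPI table header, then Version(4) Reserved(4) DataType(4)
    # DataReserved(4) DataLength(4), followed by DataLength bytes of ASCII key text.
    $dataLength = [BitConverter]::ToUInt32($buf, 52)
    return [Text.Encoding]::ASCII.GetString($buf, 56, $dataLength).TrimEnd([char]0)
}

Get-FirmwareProductKey
```

On a running Windows 8 or later system the same key is also exposed, without any parsing, as (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey; the firmware-table route is what works when that WMI class is unavailable or you want to see the raw table.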

/windows | Sep 04, 2016

Booting Dell Venue 10 Pro 5055 from USB device #

  1. With the Venue turned off, hold the volume button down.
  2. Turn on the Venue
  3. When the BIOS / UEFI screen appears, let go of the volume button
  4. Tap "Boot" > "Secure Boot" > "Disabled"
  5. Tap "File Browser Add Boot Option" > select .efi file on a bootable FAT32-formatted device (e.g., tap "USB: DataTraveler 2.0" > "Select Media File" menu appears > tap "efi" > "boot" > "bootia32.efi") > "Input File Name" menu appears > enter desired name (e.g., "USBFlash") > tap Return > Ok
  6. Change "Boot Option Priorities" if desired, or simply reboot while holding the volume button up for the "Boot Options" menu.

Sources:

/windows | Sep 04, 2016

Windows 7 install error: "A required CD/DVD drive device driver is missing" #

While attempting to install Windows 7 on a Dell Optiplex 3040 Micro, the following error appeared:

A required CD/DVD drive device driver is missing. If you have a driver floppy disk, CD, DVD, or USB flash drive, please insert it now.

Note: If the Windows installation media is in the CD/DVD drive, you can safely remove it for this step.

Browse | OK | Cancel

(As it turns out, the problem is caused by a missing USB 3.0 driver, so loading the driver from a USB floppy, CD/DVD, flash drive, etc. was not possible.)

Browsing for a driver on the virtual X: drive returned:

No device drivers were found. Make sure that the installation media contains the correct drivers, and then click OK.

Reports online did not sound promising, e.g. the thread 'No device drivers were found' error when installing windows 7 on new computer ("FINAL EDIT - If you're here for answers, while nothing here worked for me, that doesn't mean it won't work for you, so I suggest you try everything here if you can. What I ended up doing is giving up on windows 7 and instead installed windows 10.").

Coming up with a working solution took more time than anyone else should ever have to invest in this issue again. Here's what worked for me:

  1. Format a USB drive as NTFS. If necessary, use diskpart.exe:

    1. list disk

    2. select disk x, where x is the number assigned to your USB drive

    3. clean

    4. create partition primary

    5. select partition 1

    6. active

    7. format fs=ntfs quick

    8. assign

    9. exit

  2. Copy files and folders from Windows 7 ISO or DVD to USB drive

  3. Download Intel(R) USB 3.0 eXtensible Host Controller Driver and extract contents

  4. Download, install, and run NTLite

  5. Click "Add" > "Image folder" > select drive letter of USB drive (E: in the example that follows) > click "Select Folder"

  6. Under "Operating systems | install.wim", right click the version of Windows that corresponds to your license and then click "Load":

  7. Once loading has completed, click "Drivers" in the left-hand column:

  8. Click "Add" > "Folder with multiple drivers" > browse to the folder containing extracted driver(s) > click "Select Folder"

  9. Click "Apply" in left-hand column > click green "Process" button at top left > "Yes"

  10. When processing is complete, click "Source" in the left-hand column to return to the main window

  11. Repeat steps 6 through 10 for the two entries under "Boot/Setup | boot.wim" (in the screenshots above, they are "Microsoft Windows PE (x86)" and "Windows 7 Setup")

  12. If desired, make an ISO image of the USB drive (for burning to DVD-R, etc) by right clicking E: under "Image history" and then clicking "Create ISO"

  13. The USB drive or ISO image can now be used to install Windows 7 on the affected computer (see below for a list of all affected Dell models)
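Steps 5 through 11 can also be done without NTLite, using the DISM PowerShell module, which is what the following added example does (it is not part of the original post and not NTLite's own code). It assumes the Windows 7 files were copied to E:\ as above, that the extracted Intel USB 3.0 driver sits in C:\drivers\usb3 (a placeholder path), that the install.wim edition matching your license is index 3 (Get-WindowsImage lists the real indexes), and that it is run from an elevated PowerShell on Windows 8 or later, where the DISM module is available.

```powershell
# Added example: inject the USB 3.0 driver into boot.wim and install.wim with DISM cmdlets.
$mount     = 'C:\mount'          # empty scratch directory where each image is mounted
$driverDir = 'C:\drivers\usb3'   # placeholder: folder with the extracted .inf/.sys files
New-Item -ItemType Directory -Path $mount -Force | Out-Null

function Add-DriverToImage {
    param([string]$Wim, [int]$Index)
    # Mount the image read-write, add every driver package found under $driverDir,
    # then commit the change; the finally block ensures the image is never left mounted
    Mount-WindowsImage -ImagePath $Wim -Index $Index -Path $mount | Out-Null
    try {
        Add-WindowsDriver -Path $mount -Driver $driverDir -Recurse | Out-Null
    } finally {
        Dismount-WindowsImage -Path $mount -Save | Out-Null
    }
}

# List the editions in install.wim so the right index can be chosen
Get-WindowsImage -ImagePath 'E:\sources\install.wim' | Select-Object ImageIndex, ImageName

# boot.wim index 1 = Windows PE, index 2 = Windows Setup; both need the USB 3.0 driver
# or Setup cannot read the flash drive it was started from
foreach ($i in 1, 2) { Add-DriverToImage -Wim 'E:\sources\boot.wim' -Index $i }

# The installed OS needs it too, otherwise USB ports are dead after first boot
Add-DriverToImage -Wim 'E:\sources\install.wim' -Index 3
```

The .wim files must be on a writable NTFS volume (another reason for formatting the USB drive as NTFS in step 1).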

Notes

Updates

/windows | Aug 21, 2016

Stop ransomware process and dump memory to extract key #

Anti Ransom v3 "creates a random decoy folder with many useless random documents (Excel, PDF) and then it monitors the folder waiting for changes. When a change is detected, AntiRansom tries to identify which process is the responsible of such change and then stops it and dump the memory process (hopefully the key or password that is being used by the ransomware is inside)".
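A minimal decoy-folder canary in the same spirit, as an added example (not Anti Ransom's code): it seeds a folder with files nothing legitimate should touch, then uses FileSystemWatcher to alert and log the moment any of them is changed, renamed or deleted. The folder and file names are assumptions; attributing the change to a process and dumping its memory, which Anti Ransom adds, needs a separate mechanism such as object-access auditing on the folder.

```powershell
# Added example: decoy folder canary that detects the first write by ransomware.
$decoyDir = Join-Path $env:USERPROFILE 'Documents\_canary'   # assumed location
$logFile  = Join-Path $env:TEMP 'canary.log'
New-Item -ItemType Directory -Path $decoyDir -Force | Out-Null

# Seed the decoy with tempting file names and random bytes (so they look like real data)
$rand = New-Object System.Random
foreach ($name in 'accounts.xlsx', 'passwords.docx', 'invoice.pdf') {
    $bytes = New-Object byte[] 4096
    $rand.NextBytes($bytes)
    [IO.File]::WriteAllBytes((Join-Path $decoyDir $name), $bytes)
}

# Watch for content writes, renames (typical ".locked"-style extension changes) and deletions
$watcher = New-Object IO.FileSystemWatcher $decoyDir
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true

$action = {
    $e   = $Event.SourceEventArgs
    $msg = '{0:s} canary tripped: {1} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
    Write-Host $msg -ForegroundColor Red
    Add-Content -Path $logFile -Value $msg
}
foreach ($evt in 'Changed', 'Created', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $action | Out-Null
}

Write-Host "Watching $decoyDir; press Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 1 }
```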

/windows | Jul 09, 2016

Extract passwords and more from memory #

mimikittenz "is a post-exploitation powershell tool that utilizes the Windows function ReadProcessMemory() in order to extract plain-text passwords from various target processes".

Basic usage:

  1. Run Windows PowerShell as administrator
  2. cd to directory containing Invoke-mimikittenz.ps1 (e.g., Downloads)
  3. PS C:\Users\user\Downloads> Set-ExecutionPolicy RemoteSigned
  4. PS C:\Users\user\Downloads> Import-Module $pwd\Invoke-mimikittenz.ps1
  5. PS C:\Users\user\Downloads> Invoke-mimikittenz

Sample result:

PatternName       PatternMatch
-----------       ------------
Gmail             &Email=tinyapps@gmail.com&Passwd=PASSWORD_IN_PLAINTEXT&Persiste...

mimikittenz currently extracts the following credentials from memory:

See also:

/windows | Jul 08, 2016

