Wednesday, November 30, 2022

Windows 10 - OneDrive - The Tag Present in the Reparse Point Buffer Is Invalid

 


Intro:

Came across this error while scanning for QuickBooks QBW files on a customer's computer.

The error read: "Cannot access folder: The tag present in the reparse point buffer is invalid." when trying to access the folder directly from explorer.

The folder itself showed up as zero bytes and was inaccessible. Initially I saw this error while running the below PS script:

Get-ChildItem -Path "C:\Users\" -Filter *.qbw -r


Solution:

The solution is actually really funny because in all the times I've seen it "prescribed", it didn't work for XYZ.

chkdsk c: /r /f
"C:" is the drive you want to scan

"/r" - Locates bad sectors and recovers readable information (implies /F, when /scan not specified).

"/f" - Fixes errors on the disk.


Conclusion:

About 25 minutes later and the folder was accessible from both PowerShell and Explorer. Surprisingly the files in the folder weren't corrupt.



👽

Wednesday, November 16, 2022

Windows 10 - Custom Website Blocking per User via Task Scheduler Without Group Policy

 


Intro:

I have a customer that needs the ability to create individual firewall rules per Windows user without using external software. They do not have enough computers to warrant a domain setup so group policies are out the window.

I looked into doing this with Google Chrome but from what I can tell you cannot do this with Chrome Enterprise via policies. These ADMX policies apply to the computer and not per user since a domain does not exist. I don't really care to use Edge in this case because this customer requires the ability to load older pages and I have set up IE Tab for Chrome to take care of this. I honestly haven't looked into this with Firefox as it is not installed in this environment.

I chose to do this via Task Scheduler making live edits to the Windows "hosts" file every time a user logs in. This is pretty efficient. If you can think of a better way to do this, let me know in the comments.


Solution:

Ok so what we need to do is create a batch file for each user we want to limit. We then need to place these batch files in a folder somewhere that is accessible to Task Scheduler. It can be hidden to stop users from prying, but hiding is not access control: the tasks below run these files as SYSTEM, so only administrators should have write access to the folder and the files in it. Next we need to create the event in Task Scheduler so that it runs the batch file upon logon of said user.

*From what I've tested we will need to create a batch file for every single user on the machine. We will be making live automated edits via a batch file as the SYSTEM user to the hosts file when a limited user logs in and we will use another batch file to wipe the hosts file clean when a non-limited user logs in. Kinda crude at the moment until I get time to expand on this. 

**There is no checking of the limited user's batch file to see if duplications have occurred. This would only happen if the user logged in, then out, then in again, with no non-limited users logging in in between.

*Need to come back and check whether or not locked sessions with multiple users will be affected (spelling?).


Creating the batch files:

Create custom batch files (for limited users):

1. Make sure you're an admin.

2. Open Explorer and create a new folder called, "batch files" (come up with something more creative for your environment).

3. Right click on the new folder --> Properties --> Select "Hidden" --> Ok.

4. Create a new text file inside this folder with a file name identifying the user and change the extension of the file to ".bat".

5. Right click on the file --> Edit. This should open it in Notepad.

6. Enter the following string into the batch file and save it. You can add as many lines as you want that start with "echo" and the site you wish to block. In this example, "facebook.com" will be blocked. Replace, "facebook.com" with whatever site you want to block and leave everything else alone.

In this example "fb.com" redirects in the browser to "facebook.com" so blocking the main FQDN will work without needing to block, "fb.com". Most web browsers will come back and say the site has been blocked once it's in play.

@echo off
set hostspath=%windir%\System32\drivers\etc\hosts
echo 127.0.0.1 www.facebook.com >> %hostspath%
echo 127.0.0.1 facebook.com >> %hostspath%
exit

Revert changes to hosts file (for non-limited users):

1. Create another batch file in the same hidden folder called, "Revert hosts file to default.bat" and copy the following contents into the file and save it:

copy "c:\batch files\hosts" "C:\Windows\System32\Drivers\Etc\"
2. Create a file named, "hosts" in the same folder and copy the following contents into the file and save it.

*Below is a copy of what the original Windows 10 hosts file contains:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
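
The append batch file and the revert-by-copy batch file above can be replaced by one script that rewrites a marked block, which also avoids the duplicate entries mentioned earlier. This is an added example, not code from the original post; the function name Set-HostsBlockList and the marker comments are assumptions.

```powershell
# Added example: idempotent hosts edit. Function name and markers are hypothetical.
$BeginMark = '# BEGIN per-user block'
$EndMark   = '# END per-user block'

function Set-HostsBlockList {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Domains = @()   # empty = non-limited user, managed block is removed
    )
    # Keep every line that is outside a previously written managed block
    $kept = New-Object 'System.Collections.Generic.List[string]'
    $inBlock = $false
    foreach ($line in @(Get-Content -LiteralPath $Path)) {
        if ($line -eq $BeginMark) { $inBlock = $true;  continue }
        if ($line -eq $EndMark)   { $inBlock = $false; continue }
        if (-not $inBlock) { $kept.Add($line) }
    }
    # Write the block once, whatever was there before
    if ($Domains.Count -gt 0) {
        $kept.Add($BeginMark)
        foreach ($d in ($Domains | Sort-Object -Unique)) { $kept.Add("127.0.0.1 $d") }
        $kept.Add($EndMark)
    }
    # ASCII output keeps a byte-order mark out of the hosts file
    Set-Content -LiteralPath $Path -Value $kept.ToArray() -Encoding Ascii
}

# Demo on a constructed scratch file, not the live hosts file
$demo = Join-Path $env:TEMP 'hosts-demo.txt'
Set-Content -LiteralPath $demo -Value '# constructed sample hosts content' -Encoding Ascii
Set-HostsBlockList -Path $demo -Domains 'www.facebook.com', 'facebook.com'
Set-HostsBlockList -Path $demo -Domains 'www.facebook.com', 'facebook.com'  # second logon
Get-Content -LiteralPath $demo        # print the file after two limited logons
Set-HostsBlockList -Path $demo        # non-limited user logs on
Get-Content -LiteralPath $demo        # print the file after the revert
```

In a logon task, the same function would be called with -Path "$env:windir\System32\drivers\etc\hosts" and the user's domain list; calling it without -Domains takes the place of the revert batch file.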

Create the tasks (limited users):

We need to create the tasks for limited users first then non-limited users second so we don't get confused. Remember if you have a domain, go the Group Policy route. This is only for really small office setups and one off custom website blocks.

1. Windows Key + S --> Task Scheduler

2. Click on Task Scheduler Library on the left and create a new folder, called, "Custom Tasks".

3. Right click on this new folder and select, "Create Task".

4. Copy the following settings into the General Tab:

  • Name: user1 - Add Host File Modifications
  • When running the task, use the following user: SYSTEM
    • Change User or Group
    • Type in, "system".
    • Hit, "Check Names".
    • "system" turns into "SYSTEM"
    • Press Ok.
  • Run with highest privileges: YES

5. Copy the following settings into the Triggers Tab:
  • New
  • Begin the Task: At log on
  • Specific User:
    • Change User or Group
    • Type in, "user1".
    • Hit, "Check Names".
    • "user1" turns into "computername\user1"
    • Press Ok.
6. Copy the following settings into the Actions Tab:
  • New
  • Start a program
  • Browse --> Select, "user1.bat"
  • Press Ok.
7. Leave everything unchecked in the Conditions Tab.

8. Make sure only the following are selected in the Settings Tab:
  • Allow task to be run on demand.
  • Stop the task if it runs longer than 1 hour.
  • If the running task does not end when requested, force it to stop.
  • Do not start a new instance.
9. If different users need different blocking rules then go back and create the exact same task (different task name obviously) for all the users you want to limit and select their appropriate batch file. You can also export the task, copy and edit the XML file to potentially speed things up. Then import the task into the Custom Tasks folder in Task Scheduler.

**If you have multiple users and wish to block ex. 5 users from going to facebook.com then you can just add their logon to the Triggers Tab. Remember to add a description to show which task action does what so you can keep track of what task does what.


Creating the Tasks in Task Scheduler:

Create the tasks (non-limited users):

*This is identical to the steps above; however, you'll be selecting the users that are not limited, the task will have a different name, and the action changes to run the batch file that restores the default hosts file.


1. Windows Key + S --> Task Scheduler

2. Right click on this new folder and select, "Create Task".

3. Copy the following settings into the General Tab:

  • Name: Restore Default hosts File
  • When running the task, use the following user: SYSTEM
    • Change User or Group
    • Type in, "system".
    • Hit, "Check Names".
    • "system" turns into "SYSTEM"
    • Press Ok.
  • Run with highest privileges: YES

4. Copy the following settings into the Triggers Tab:
  • New
  • Begin the Task: At log on
  • Specific User:
    • Change User or Group
    • Type in, "user2".
    • Hit, "Check Names".
    • "user2" turns into "computername\user2"
  • Press Ok.
5. Copy the following settings into the Actions Tab:
  • New
  • Start a program
  • Browse --> Select, "Revert hosts file to default.bat"
  • Press Ok.
6. Leave everything unchecked in the Conditions Tab.

7. Make sure only the following are selected in the Settings Tab:
  • Allow task to be run on demand.
  • Stop the task if it runs longer than 1 hour.
  • If the running task does not end when requested, force it to stop.
  • Do not start a new instance.
8. If different users need different blocking rules then go back and create the exact same task (different task name obviously) for all the users you want to limit and select their appropriate batch file. You can also export the task, copy and edit the XML file to potentially speed things up. Then import the task into the Custom Tasks folder in Task Scheduler.

**If you have multiple users that you want no hosts file restriction on then you can just add their logon to the Triggers Tab. Remember to add a description to show which task action does what so you can keep track of what task does what.


Testing:

Make sure you login as the users you just created the tasks for and make sure it works before rolling this out.


Conclusion:

This is a pain in the ass way to delegate control but it works in a pinch if management is too cheap to buy Windows Server or if the office is super small and doesn't really warrant a domain.



👽

Windows 10 - How to Hide User Accounts From the Sign-in Screen

 


Intro:

Windows 10 by default shows account names on the login screen. There are instances in which you wish to hide these names from this screen but not disable these accounts.

One such instance may be that you don't have enough computers and or devices to warrant a domain setup but you need to give the printer access to a local machine to save its scans to via the network (not USB).

In this instance the printer requires a networked location to save the scans to as well as a username and password to access said location. It's not wise to give it the username and password for your user because if the printer has an exploit and you're an admin user, well I bet you can guess what happens next.

The best way to approach this is to create a standard user that only has access to that networked folder and nothing else. Read and write permissions are fine (provided you're backing up that location elsewhere), else set up that user with write credentials only (unless the printer bitches about read access).

Once that user is created, Windows 10 by default will show that new user on the sign in screen. It's best not to proactively divulge potential users on the system to guests who can walk up and see the screen. Especially if your "printer" user is using the password of "printer".

Fortunately you can hide any name you want from the Windows sign in screen.

*Be advised I've only tested this in Windows 10 Pro and Enterprise.

*Make sure you're using an admin account to do this or you will not be able to make changes to the registry!


Solution:

Identify the username you wish to hide:

1. Open a command prompt and type:

net user
Find the username in the list and make note of it (Windows usernames are not case sensitive however Microsoft Active Directory is case aware).


For this example we'll target "user1".


Adding User Into Registry and Making New Keys:

1. Right click Start --> Run --> regedit.exe --> Ok --> Yes on UAC prompt.

2. Either browse to the following location or copy/paste it into the bar under the menu buttons at the top and hit Enter:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. On the key (yellow folder) to the left labeled, "WinLogon", right click it and click New --> Key.


4. Name the new key "SpecialAccounts" and press Enter when done.


5. Right click on the newly created "SpecialAccounts" key and create another key called, "UserList".



6. Right click on "UserList" or in the empty white space on the right and create a new DWORD (32-bit) Value.


7. Replace, "New Value #1" with the user name you noted in the beginning, ie "user1". Do not include the quotes.



8. There are two values this new DWORD value can have: 0 or 1. A value of 0 means the username will not be displayed on the sign in screen. A value of 1 means it will be shown. The base must be hexadecimal and not decimal.



9. The changes take effect once you've logged off your current user.


You can see the difference below:

value of 0

value of 1



Solution (short):

1. CMD --> net user --> make note of user name.

2. Regedit (as admin).

3. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".

4. Select key, "Winlogon" create new key named, "SpecialAccounts".

5. Select key, "SpecialAccounts" create new key named, "UserList".

6. Create new 32-bit dword value for each username you wish to hide.

7. Value of 0 hides user from sign in screen / Value of 1 shows user on sign in screen.

8. Log off and verify.
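
The registry steps above (long and short form) as a script, together with a listing of which accounts the key currently hides, which is worth reviewing on any machine since the same key hides any account from the sign in screen. This is an added example, not part of the original post; the function names Set-SignInVisibility and Get-SignInHiddenAccount are assumptions, and "user1" is the example account used above.

```powershell
# Added example; function names are hypothetical, the key path is the one from the steps above.
$WinlogonDefault = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-SignInVisibility {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [switch] $Show,                               # default is to hide (value 0)
        [string] $WinlogonKey = $WinlogonDefault
    )
    # Refuse names that are not local accounts so a typo leaves no stray value behind
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        throw "No local account named '$UserName'"
    }
    $special  = Join-Path $WinlogonKey 'SpecialAccounts'
    $userList = Join-Path $special 'UserList'
    $value = if ($Show) { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$userList\$UserName", "set DWORD to $value")) {
        foreach ($key in $special, $userList) {       # steps 3 to 5: create missing keys
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        }
        New-ItemProperty -LiteralPath $userList -Name $UserName `
            -PropertyType DWord -Value $value -Force | Out-Null   # steps 6 to 8
    }
}

function Get-SignInHiddenAccount {
    param([string] $WinlogonKey = $WinlogonDefault)
    $userList = Join-Path $WinlogonKey 'SpecialAccounts\UserList'
    if (-not (Test-Path -LiteralPath $userList)) { return }
    $key = Get-Item -LiteralPath $userList
    # Value names are the account names; 0 means hidden from the sign-in screen
    $key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 }
}

# Run from an elevated prompt. "user1" is the example account used above.
Set-SignInVisibility -UserName 'user1' -WhatIf   # dry run, changes nothing
Get-SignInHiddenAccount                          # list accounts currently hidden
```

Drop -WhatIf to apply the change, and add -Show to put the account back on the sign in screen.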


Conclusion:

As you can see in the above example it works. This tutorial only hides the user from the sign in screen.

If you wish to disable users this can be done by Right clicking Start --> Computer Management --> Local Users and Groups --> Users, select user, right click, Properties --> select "Account is Disabled" --> Ok.

*If you wish to come back to the same key in "regedit" when reopening it, close regedit prior to logging off.



👽