Wednesday, 11 August 2010

I suspect I have a virus, what should I do first?

Viruses are very common. If you suspect a file, the first thing you should do is send it to VirusTotal to get a report of multiple antivirus scans. This can be done either by uploading it to www.virustotal.com or by sending it by email to scan@virustotal.com with the word SCAN in the subject field. Depending on the scan results, you should report the file to your antivirus vendor so they can add the virus to their definitions.

Check services running under user accounts

How do you check whether a service is running under a different user account on all computers?

Using Lansweeper, I only had to make this report:
-- Services whose logon account is not one of the built-in service accounts
SELECT TOP (1000000)
    tblcomputers.Computername,
    tblcomputers.ComputerUnique,
    tblcomputers.Domain,
    tblServices.Caption AS ServiceDescription,
    tblServices.Lastchanged,
    tblServices.Startname
FROM tblServices
INNER JOIN tblcomputers ON tblServices.Computername = tblcomputers.Computername
INNER JOIN tblComputersystem ON tblcomputers.Computername = tblComputersystem.Computername
WHERE (tblServices.Startname <> 'LocalSystem')
  AND (tblServices.Startname <> 'NT AUTHORITY\LocalService')
  AND (tblServices.Startname <> 'NT AUTHORITY\NetworkService')
ORDER BY tblcomputers.Computername
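
A follow-up to the report above, as an added example that is not part of the original post: it groups the same tblServices rows by logon account, so accounts that are reused across many computers stand out for review. It assumes the Lansweeper database runs on SQL Server (as the TOP syntax above suggests) and uses only columns that appear in the report.

```sql
-- Added example: summarise non-built-in service accounts by how widely they are used.
-- Assumption: SQL Server; only tblServices columns shown in the report above are used.
SELECT
    s.Startname                    AS ServiceAccount,
    COUNT(DISTINCT s.Computername) AS Computers,        -- hosts where the account runs a service
    COUNT(*)                       AS Services,         -- total services using the account
    MAX(s.Lastchanged)             AS MostRecentChange  -- newest change among those services
FROM tblServices AS s
WHERE s.Startname IS NOT NULL                           -- skip rows with no logon account recorded
  AND s.Startname NOT IN ('LocalSystem',
                          'NT AUTHORITY\LocalService',
                          'NT AUTHORITY\NetworkService')
GROUP BY s.Startname
ORDER BY Computers DESC, Services DESC;
```

Accounts at the top of the result are the ones whose credentials are stored on the most machines, so they are the first candidates for a privilege and password review.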

Tuesday, 10 August 2010

Nircmd - when you need batch stuff on remote computers

Nircmd is quite a handy utility; it saves me a lot of work when I need something changed on my site computers.
A sample that shows the flexibility of this great freeware tool:
- Detect and Repair in MS Office stops working because the server that held the Microsoft Office installation sources has changed, or I want to add a new source path (the installer can work with multiple source definitions):
nircmd elevatecmd remote \\hostname_of_computer regsetval sz "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\9040110900063D11C8EF10054038389C\SourceList\Net" "2" "\\new_server\O2003pro3\source"

explanation:

elevatecmd - used to ensure you run the command with administrator rights
remote - run the command remotely on \\hostname_of_computer
regsetval - set the registry value
sz - the value type is string
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\9040110900063D11C8EF10054038389C\SourceList\Net" - key in registry
"2" - value name in registry
"\\new_server\O2003pro3\source" - value data in registry

If you need to apply that same fix on multiple remote computers, you can do it like this:
nircmd elevatecmd multiremote "c:\hostnames.txt" regsetval sz "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\9040110900063D11C8EF10054038389C\SourceList\Net" "2" "\\new_server\O2003pro3\source"

The file c:\hostnames.txt must contain the host names of the computers where you want this "fix" to be installed, one per line.

    (more to come)