In a PowerShell script I needed to sort a hash table by byte value (not alphabetically, lowercase parameters will be listed after uppercase ones). An example for this requirement is the Amazon Product Advertising API.

Consider the following hashtable as an example:

If we use the Sort-Object to order the list (note that we need to use the GetEnumerator method):

We will get the following result:

If you use the -CaseSensitive switch the resulting order will remain the same.

Read the rest of this entry »

To get the best performance out of Virtual Desktops it is essential that the power configuration in the system BIOS and the HyperVisor are configured for maximum performance.

Many people have blogged about the importance of these settings like, Andrew Wood, Helge Klein and Didier Van Hoye. So I will not go into details again.

But how do you check from a Virtual Machine if you are actually running at full clock speed or not?

I have written a PowerShell script to do just that (requires at least PowerShell v3).

Here are some screenshots:

Running with "High Performance profile":

Running with "Balanced" power profile:

Read the rest of this entry »

In a SCOM Management Pack Custom Properties can be used for Alert Description and Notification as described in this blog by Kevin Holman.

In my case I wanted to add the Display Name and the Performance Counter Value in a Performance Threshold Monitor. In XML it would look this this:

But how to add these parameters when using the System Center 2012 Visual Studio Authoring Extensions?

Read the rest of this entry »

I am currently implementing Sophos UTM and I quite like this solution. It is free up for home usage and can easily be installed on a hypervisor.

I wanted to scan encrypted traffic (ssl) as well so I activated the "Decrypt and scan" option:

When testing this on one of my iPad’s I noticed that the App Store didn’t work properly anymore.

When I tried to update applications I got the following error: "Cannot connect to iTunes Store". Additionally when I searched for Apps the search would return no results.

Read the rest of this entry »

Today I encounterd what seems to be a bug in the System Center 2012 Visual Studio Authoring Extensions. I wanted to define a Performance Collection Rule that reads out the percentage of free memory from an SNMP device.

Since the device returns only the percentage of used memory I needed to use the ComputedPerfProvider provider to substract the used memory percentage from 100.

I could of course report used memory instead of free memory but I wanted the resulst to appear in the default SCOM Performance View, which only lists Free Memory:

Read the rest of this entry »

I am currently working on a Management Pack for SCOM and I have studies a few examples on adding processor and memory counters.

These examples all reference a Management Pack named "System.NetworkManagement.Monitoring.mp" but this Management Pack is not bundled with the System Center 2012 Visual Studio Authoring Extensions.

Read the rest of this entry »

I am currently working on a Management Pack for System Center Operations Manager (aka SCOM). I am using the System Center 2012 Visual Studio Authoring Extensions and during build of my project I suddenly got the following error: “MSB4018: The “MergeFragments” task failed unexpectedly“:

I searched on this error message but wasn’t able to find anything helpful. In order to get more detailed output from MSBuild I changed the MSBuild project build output verbosity. To do this go to the Tools menu in Visual Studio and select Options. Navigate to the “Build and Run” node under “Projects and Solutions” and set both options to “Diagnostic”:

Read the rest of this entry »

Aaron Parker was talking about the uninstall guid in his session “Hands off my Golden Image Redux” at Citrix Synergy.

I remembered that I had written a small PowerShell script to read out the uninstall GUID from an MSI file. This way you do not need to actually install the software to determine the uninstall GUID.

How does that work?

There is a logical relation between the MSI Product Code property and the install guid. In this example I’ve taken install_flash_player_11.8.800.174_active_x.msi as an example.

The Uninstall key is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A2E504D3D31C0D5409F28F3FDD565AD9

The interesting part of it is the GUID:

A2E504D3D31C0D5409F28F3FDD565AD9

If we look into the MSI properties with (Super)Orca we see:

If we compare those GUIDS:

Uninstal    {A2E504D3-D31C-0D54-09F2-8F3FDD565AD9}

Product Code{3D405E2A-C13D-45D0-902F-F8F3DD65A59D}

We can see that we need to apply the following logic:

· First 8 bytes must be swapped right to left

· Next 4 bytes (skipping the hyphen) also swapped right to left

· Next 4 bytes (skipping the hyphen) also swapped right to left

· Next 4 bytes (skipping the hyphen) also swapped right to left

· Last 12 bytes must be byte swapped per byte (F8 -> 8F, F3 -> 3F etc).

Knowing that we can make life easier with PowerShell:

[posh]function Get-Property ($Object, $PropertyName, [object[]]$ArgumentList)

{

return $Object.GetType().InvokeMember($PropertyName, ‘Public, Instance, GetProperty’, $null, $Object, $ArgumentList)

}

function Invoke-Method ($Object, $MethodName, $ArgumentList)

{

return $Object.GetType().InvokeMember($MethodName, ‘Public, Instance, InvokeMethod’, $null, $Object, $ArgumentList)

}

function GetMsiProductCode([string]$path)

{

$msiOpenDatabaseModeReadOnly = 0

$Installer = New-Object -ComObject WindowsInstaller.Installer

$Database = Invoke-Method $Installer OpenDatabase @($path, $msiOpenDatabaseModeReadOnly)

$View = Invoke-Method $Database OpenView @(“SELECT Value FROM Property WHERE Property=’ProductCode'”)

Invoke-Method $View Execute | Out-Null

$Record = Invoke-Method $View Fetch

if ($Record)

{

Write-Output (Get-Property $Record StringData 1)

}

}

cls

$path = “c:\Users\rweijnen\Desktop\install_flash_player_11.8.800.174_active_x.msi”

$item = “” | Select-Object Path, ProductCode, UninstallGuid, UninstallRegistry

$item.Path = $path

$item.ProductCode = (GetMsiProductCode $item.Path)

$DestGuid = ([regex]::Matches($item.ProductCode.Substring(1,8),’.’,’RightToLeft’) | ForEach {$_.value}) -join ”

$DestGuid += ([regex]::Matches($item.ProductCode.Substring(10,4),’.’,’RightToLeft’) | ForEach {$_.value}) -join ”

$DestGuid += ([regex]::Matches($item.ProductCode.Substring(15,4),’.’,’RightToLeft’) | ForEach {$_.value}) -join ”

$DestGuid += ([regex]::Matches($item.ProductCode.Substring(20,2),’.’,’RightToLeft’) | ForEach {$_.value}) -join ”

$DestGuid += ([regex]::Matches($item.ProductCode.Substring(22,2),’.’,’RightToLeft’) | ForEach {$_.value}) -join ”

for ($i=25 ; $i -lt 37 ; $i = $i + 2)

{

$DestGuid += ([regex]::Matches($item.ProductCode.Substring($i,2),’.’,’RightToLeft’) | ForEach {$_.value}) -join ”

}

$item.UninstallGuid = “{” + ([Guid]$DestGuid).ToString().ToUpper() + “}”

$item.UninstallRegistry = “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\{0}” -f $DestGuid

$item | Format-List

Sample output:

Path              : c:\Users\rweijnen\Desktop\install_flash_player_11.8.800.174_active_x.msi

ProductCode       : {3D405E2A-C13D-45D0-902F-F8F3DD65A59D}

UninstallGuid     : {A2E504D3-D31C-0D54-09F2-8F3FDD565AD9}

UninstallRegistry : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A2E504D3D31C0D5409F28F3FDD565AD9

[/posh]

Benjamin Delpy the author of the well known mimikatz toolkit has released a very cool extension to WinDbg today.

In summary the extension can extract Windows passwords from memory dumps, hibernation files and Virtual Machine .vmem files (paging, snapshots).

Especially the ability to extract passwords from .vmem files was very interesting. So I decided to to test this out, so let’s see how it works!

Read the rest of this entry »

I will be presenting a session at E2EVC in Rome next weekend.

Recently I published an article on my blog that shows how to run an executable of choice when the Citrix Receiver exits.

In this session I will show you how to find such undocumented features in applications step by step. Using this example we will open the Citrix Receiver in Ida Pro and disassemble it.

Using public resources such as the Citrix Public Symbol Server we can analyze, understand and finally make the code more readable.

I will try to make this session not an “enter the matrix one” but one that could be considered as an intro into using Ida Pro for reverse engineering and app compat fixing.

Hope to see you all in Rome, my session is scheduled Friday November 1 from 18.30 – 19.15. There will be room for questions so feel free to take your own Crapplication™ and ask about it after the session.

See you in Rome!