Blog Posts by mpace

Ask a question

K2000 Wifi + Third-Party Tools in KBE

If you plan on imaging devices that do not have an embedded NIC, you can use the following method to create a bootable USB that will boot to KBE and then connect to your WiFi network for imaging. The included script will also integrate any portable apps that you would like into the KBE. 

Disclaimer: This method is not supported by Dell KACE. Use at your own risk. Confirmed as working with K2000 v3.5.x. For 3.6 there may need to be some additional tweaks and I will update this post as needed changes are discovered.

Currently, this only works with winpe3.1 boot environments, and only connects to WPA/WPA2. If you have a method for winpe4/5 or 802.1x compatibility, feel free to share it in the comments section.

What you'll need:

A Windows 7 computer with the following
  • Windows AIK: http://www.microsoft.com/en-us/download/details.aspx?id=5753 
  • SP1 update to AIK: http://www.microsoft.com/en-us/download/details.aspx?id=5188 (copy the contents of this download into "C:\Program Files\Windows AIK\Tools\PETools")
BuildWiFiKBE files here

Extract the build files to your local system. Drivers (including K2 drivers and WLAN drivers) need to be placed in the Drivers\x86 or \Drivers\amd64 folder. Included with this package are the WinPE3 KACE Driver Packs for both 32 and 64-bit KBEs, mainly for the storage controller drivers. Feel free to delete what you don't need from the Driver Packs. You will most likely need to add your client device(s) WLAN driver files manually. 

Next, export the WiFi profile information from a Win 7 computer that is connected to the desired WLAN. From a command line, run: 
netsh wlan show profiles
Then run:
wlan export profile name=YOURWLANSSIDHERE folder=C:\Destination key=clear
Make sure the "folder" option is pointing to a directory that already exists.
Copy the WiFi profile xml file to Scripts\WLAN\Profiles that exists in the BuildWiFiKBE download.
Modify the Scripts\wificonnect.cmd to correspond to the correct WiFi profile info. Example:
:: Set WLAN info here set 
Add third party apps such as GImageX or Explorer++Portable to the KBE, add the necessary files to the root of Tools directory. FYI: Most of the portable apps out there that I have tried will only work in a 32-bit KBE.

To build the KBE, open a command prompt at the root of the BuildWiFiKBE directory and run:
buildkbe.cmd (x86 | amd64) WORKINGDIRECTORY
buildkbe.cmd amd64 C:\BuildWiFiKBE
The KBE files will be saved in the Media folder. Copy the files to a USB drive formatted with as FAT32.  Boot a device to the USB. It will automatically connect to the WiFi profile you included and then boot the the K2000 Main Menu. If you want the wim of the KBE, it is stored in the Temp directory of the BuildWiFiKBE folder as winpe.wim.

View comments (2)

Create a Bootable Encrypted USB Running Linux Mint 16

Have any interest in creating a LUKS encrypted, persistent OS that fits in your pocket? Then this post is for you.This tutorial will take you through installing a LUKS encrypted instance of Mint 16 on a USB drive.

Edit: be sure and check out vwhite's post on integrating LUKS NUKE into this kind of setup: http://www.itninja.com/blog/view/more-bootable-encrypted-usb-or-microsd-linux-distro-s-now-with-a-nuke-option

What you will need:

  • Latest Mint ISO
  • A USB drive to make a live mode Mint boot disk, or a CD to burn the Mint ISO
  • A USB 3.0 USB drive to make into the encrypted Mint partition

First, you need to get a USB drive that will run a lightweight operating system while remaining responsive for a realistic user experience. I am using the SanDisk Extreme USB 3.0 and have found the responsiveness to be quite good. Using HD_Speed I got a solid average read/write speed of 50 MB per second. I tried cheaper USB 3.0 drives but couldn't break 7 MB per second, which is really slow for hosting an OS and the performance was only slightly bearable.

Once you have a swift USB drive to host the Mint partition, you will want to grab the latest version of the Mint ISO: http://www.linuxmint.com/download.php. I went with 64-bit Cinnamon but the other choices are fine if you are particular. Once downloaded, either burn the ISO to a CD or download LiLi and create a bootable Mint Live USB. If not running Windows, you can find other methods for applying the ISO to a USB here: http://www.computersnyou.com/2803/2013/12/create-bootable-live-usb-linux-mint-16-petra-windows-linux-mac/


Linux Live (LiLi) USB Creator is a great open source program to create Linux USBs from within Windows.

Now boot a system to the Mint live USB. It's time to enable LUKS in Ubiquity, the Mint installer:

  1. Open Terminal and run
    sudo apt-get remove ubiquity
  2. Next run
    sudo apt-get update
  3. Finally, run
    sudo apt-get install ubiquity

Now it's time to plug in your USB 3.0 drive and install Mint to the drive with LUKS enabled:

  1. Plug in the USB drive and open Disks (Menu > Disks) to see where Mint has mounted the drive. Click on the thumb drive that you just plugged in (it should be listed under the Devices list in the Disk GUI). The drive details will be displayed on the right. Under the name of the drive you can find the mount point. For example, this 8 GB thumb drive is mounted at /dev/sdb:
  2. Now back in Terminal, start the Mint installer by running
    sudo ubiquity 
  3. Click through the installer until you get to Disk Setup. Here is where you want to choose "Guided - use entire disk and set up encrypted LVM". Define a password for the encrypted volume (you will need to enter this password any time you boot from the Mint USB). Make sure to select the volume mount point that you noted earlier in Disks, or you could end up wiping your local HDD instead of the USB.
  4. Click Install Now and set up the timezone, keyboard layout, and user info. Some people like to click the option to automatically login suppressing the user login prompt since a password must be entered to even get to the login prompt, but it is completely up to you.
  5. The installation will start. After it completes, you can reboot to the new USB instance of Mint and you should get a password prompt. Enter the password you configured for the encrypted volume and Mint will boot.

You now have a fully persistent and encrypted Mint OS running from a USB stick!



View comments (1)

Sysprep for Mac Images

Update: 10.11 "El Capitan" finally patched against code injection with the introduction of System Integrity Protection (SIM). Consequently, deleting/replacing User Template files will result in quite a few irreparable permissions issues when deploying an image. I would recommend using a tool like Outset (free) or utilizing OS X Server user profile configuration payloads to modify profile settings in 10.11 and beyond.

An article I wrote for the Dell KACE monthly inKpad newsletter addressed preparing an instance of OS X as a gold master image. The article is a little dated but the information is still accurate (at the time of this writing). However, there have been a few additions to my process with the latest versions of OS X that I would like to include. Without further ado, here is the "sysprep" process for OS X that I use with 10.9:

Although Macs are not nearly as finicky when it comes to capturing images and redeploying to other Mac hardware, that doesn’t mean we shouldn’t prepare our systems so that we are capturing the cleanest image possible. For the purposes of this guide we will use the term “sysprep" for Mac, although it is not actually a tool such as Microsoft Sysprep utility. Instead, it is a set of steps that will closely resemble the same thing Sysprep.exe does on a Windows system.

In Windows there’s a set of tools available that lets you build a reference computer with all the latest updates, pre-installed drivers, software, and your own configurations. Using sysprep.exe you can strip out all the bits that make it a uniquely identified computer, such as user profiles and associated passwords, unique computer SIDs and tokens, etcetera. At the end of this process you end up with a clean install of Windows that you can take an image of and deploy to other computers. The first time you boot a computer after sysprep.exe has been executed, the system goes through some basic setup routines and away you go. We’ve got several articles at www.kace.com on that process, but let’s take a look at the “Sysprep for Mac” process:

Create a default install of Mac OS X

When you get to the login screen for OS X, set up an account called ADMIN. If you already have a local admin account on the system, login with that account now and do the following:

  1. Install System Updates
  2. Install Company Required Software
  3. Create a new User account if a customized default account template is desired.
    1. Add a new user called DEFAULT. Make sure this is defined as an Administrator account. Set a simple password for this user, as this account will later be removed before capturing the system image.
  4. Log out and log in to the new DEFAULT account.
  5. Go through System Preferences and set everything the way you want it to be in your image after deployment.
  6. Start each app at least once, particularly if it has been downloaded from the Internet, and make sure they startup normally and with no warnings.

Profile Cleanup

  • Using Finder go to /Users/DEFAULT/Library/Caches and delete the contents. Make sure you empty the Trash. User Terminal for this portion if Finder doesn't let you delete the Caches:
    rm -Rvf /Users/DEFAULT/Library/Caches/
  • Run Keychain Access (Applications/Utilities), select “login” and delete the keychain (right click > Delete keychain "login").
  • Clear file histories (Apple menu -> Recent Items -> Clear Menu).

Optional: Shell Scripting Examples

#Set Machine Name Back to Generic
/usr/sbin/scutil --set ComputerName "Master_Image“
/usr/sbin/scutil --set LocalHostName "Master_Image“ #Delete Swapfiles
rm /private/var/vm/swapfile* #Clean Up Global Caches and Temp Data
rm -rf /Library/Caches/*
rm -rf /System/Library/Caches/*
rm -rf /Users/Shared/*
rm -f /private/etc/ssh_host* #Resolves Duplicate Computer Name When Binding to Open Directory or Active Directory
#This portion no longer works in 10.9. I will check for filename changes and update this script.
/usr/sbin/systemkeychain -k /Library/Keychains/System.keychain -C –f rm -rf /var/db/krb5kdc
/usr/bin/defaults delete
/System/Library/LaunchDaemons/com.apple.configureLocalKDC Disabled #Cleanup Root Home Dir
rm -rf /private/var/root/Desktop/*
rm -rf /private/var/root/Documents/*
rm -rf /private/var/root/Downloads/*
rm -rf /private/var/root/Library/Caches/*
rm -rf /private/var/root/Library/Recent\ Servers/*
rm -rf /private/var/root/Library/Logs/*
rm -rf /private/var/root/Library/Keychains/*
rm -rf /private/var/root/Library/Preferences/ByHost/*
rm -f /private/var/root/Library/Preferences/com.apple.recentitems.plist
rm -rf /private/var/root/Public/Drop\ Box/*


Set Up System-wide Default User Account

  1. Restart the computer and log in as ADMIN.
  2. Run Terminal (Applications/Utilities) and type “sudo -s” and enter your password for ADMIN when prompted.
  3. Clear out the existing system-wide default account:
rm -rf /System/Library/User\ Template/English.lproj/*

Copy your new default account to the system default account:

cp -R /Users/DEFAULT/ /System/Library/User\ Template/English.lproj

NOTE: At this point, you’ve now got the start of a system-wide default user profile – this is what gets used every time a new user is created on the system, including the first user when you go through the Apple Welcome process on a new computer.

Type “exit” to get out of the root shell and then close Terminal and reboot the computer.

Log in again as ADMIN.

Disk Cleanup

Run Disk Utility (Applications/Utilities), select the hard drive and, under the First Aid tab, run “Repair Disk Permissions“. If you got things right to this point you’ll see a whole stack of information where this fixes permissions for the system-wide default user profile you’ve just copied. If you miss this step, permissions issues may get in the way when you create a new user later. Once you’re done, close Disk Utility.

You can now delete your DEFAULT account, as you won’t need it any further. From System Preferences -> Users and Groups, delete the DEFAULT account.

Enable Automatic Login

Configuring the admin account to automatically log in will assist in automating the PostInstall task phase after the image has been deployed. Use the following command as a postinstall shell script to disable the automatic login (thanks to Corey Serrins for this tip):

sudo defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser

Optional: Enable the root account

  1. From System Preferences choose Users & Groups.
  2. Click the lock to make changes and enter an admin password for the machine.
  3. Click Login Options.
  4. Click the Join button next to Network Account Server.
  5. Click the Open Directory Utility button.
  6. Click the lock to modify system configuration and enter an admin password for the machine.
  7. Click the Edit dropdown menu in the upper-left corner of the screen and select Enable Root User.
  8. Define the root account password and then click OK.
The root account has access complete global access for the entire system and should be used with caution. Read more about the root account here: http://www.linfo.org/root.html

Optional: Reseal Apple Setup Wizard

This will "reseal" the OS X installation. This will launch the interactive Apple Setup Wizard the next time the system is booted (read: when an image is deployed). Do not follow this step unless you want an interactive setup after you deploy the image.

Run Terminal (Applications/Utilities) and type “sudo -s” and enter your password for ADMIN when prompted.

rm -rf /var/db/.AppleSetupDone
shutdown -h now

Create Your Disk Image

At this point, you’ve got a computer that’s turned off and is ready to start as a new computer with no existing users but all your configurations and software installs ready to go. Now just NetBoot to your K2000 and capture your image using K-Image or Native (DMG) capture; we support both.

Optional tasks for first boot after image deployment:

#Disable Time Machine prompt when plugging in an external drive
defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

#Configure Finder to always open directories in Column view
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.finder "AlwaysOpenWindowsInColumnView" -bool true

#Place the Screen Sharing app in the Applications directory for easier access:
ln -s /System/Library/CoreServices/Screen\ Sharing.app /Applications/Utilities/Screen\ Sharing.app

#Display system info on the login screen when clicking on the time:
defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

#Turn SSH on
systemsetup -setremotelogin on

#Remove iCloud login prompt when logging into the desktop
for USER_TEMPLATE in "/System/Library/User Template"/*
defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"

For more excellent first boot scripting ideas, check out Rich Trouton's initialsetup script: https://github.com/rtrouton/rtrouton_scripts/blob/80536983b6bbb19eb9a9960290714408017bad01/rtrouton_scripts/first_boot/10.9/initialsetup.sh

View comments (6)

Using Win Toolkit to Inject Microsoft Patches into a Windows 7+ Deployment

Win Toolkit is a program much like RT7Lite that allows the customization of a Windows deployment by adding in different bits and pieces to the install.wim located on a Windows 7 or above installation disk or ISO. Win Toolkit is free and is available here (you will have to register for a free account): http://www.wincert.net/forum/files/file/5-win-toolkit/

In this post I'd like to show how to slipstream Microsoft update installers into the install.wim so that your Windows deployments don't take hours downloading and installing patches after the initial deployment process. For this tutorial you will need Win Toolkit (download link above) and a Windows 7 or above installation disk or ISO. I prefer the ISO as it is easier to work with. I would also recommend following this tutorial from a Windows 7 or 8 computer. If you are running XP or Vista you will need to download the DISM installer and dotNET 3.5 in order for Win Toolkit to work.

The first thing we need to do is get an updated listing of available Microsoft updates. This is done in the Main tab by clicking the Update Catalog button:

Select which OS patch listing you would like to view by selecting the appropriate operating system from the Type drop down menu. In this tutorial I will be downloading updates for Windows 7 x64:

Note: "McRip" is the name of the user from the Win Toolkit community that has offered to host MS patch catalogs on their server.

Recommended and Optional updates will be displayed by their KB number. If you are uncertain of what a particular update is you can search the KB number on TechNet and find more info. Once you have selected the updates you would like to include in your deployment and selected a location for them to be stored, click the Download button on the lower left corner of the UI to initiate the download from Microsoft's file servers. Depending on how many updates were selected, this can take up to a couple of hours before it finishes.

Protip: Right-click on the Name header to select or deselect all patches.

Once the download process is complete, close the Update Catalog window to go back to the main menu. This time we are going to click on the All-In-One Integrator button to modify the Windows 7 deployment.

At this point you will want to extract your Windows 7 ISO file if you have not done so. If using Windows physical installation media, copy the contents to a local disk so that the files can be modified. Now click Browse > Browse for WIM and select the WIM located at ...\sources\install.wim

Note: If the WIM you selected does not have SP1 installed, Win Toolkit will ask if you would like to download a Microsft Refresh ISO of the selected OS type that includes SP1.

Select the OS install that you would like to modify and then click the Select button in the lower right corner of the UI:

Unless you have downloaded a Preset configuration (this tutorial assumes you are new to Win Toolkit and that no preset was downloaded) click Continue (No Preset). Then click the Updates + Languages button to choose which updates to integrate into the source media's installation WIM file. Click the green '+' symbol on the left side of the UI to browse to and select update packages that were downloaded previously.

Note: Some downloaded updates will be in a folder named "Not integratable to Offline image". Patch files in that folder cannot be deployed using the process outlined here.

Once all of the patches you would like to have integrated have been added, click the Start button in the upper right corner of the UI to initiate the rebuild process of the install.wim. Once the process has completed, navigate back to the main menu of Win Toolkit and click the ISO Maker button to compile your modified installation media into an ISO file. Done!

Win Toolkit can also add or remove Windows features to make installation faster and more customized. Feel free to explore the available options and also check out the Win Toolkit community.

Be the first to comment

Malware Hunting with Sysinternals Tools

Speaker: the illustrious Mark Russinovich

Today malware is everywhere. Sysinternals has been tackling malware detection and remediation for over a decade now. Currently good malware removal skills are essential for the IT professional, as all four major anti-virus engines detect less than 40% of threats. Source: CAMP: Content-Agnostic Malware Protection

A common day example of malware: the fake antivirus. This is an example of "found threats" on a new Windows install:

...and the quick removal process with Sysinternals Autoruns:

Old (2005) techniques for malware detection and remediation

  • Disconnect form network - stop malware from downloading more malware or extracting data
  • Identify malicious processes and drivers
  • Terminate identified processes
  • Identify and delete malware autostarts
  • Delete malware files
  • Reboot and repeat steps above

Be pragmatic about malware removal. If you can have confidence that you have identified and cleaned the malware, don't resort to wiping the system. 

Suspicious files are those that have no...

  • Processes that have no name
  • icon
  • no description or company name
  • unsigned 
  • live in Windows or User profile
  • are packed
  • include stragne URLs
  • have open TCP/IP connections
  • host suspicious DLLs or services

Process Explorer is "Super Task Manager"

Process View color key:

Blue = special kind of processes with same security as Process Explorer
Pink = hosting Windows services
White = unfiltered
Dark purple = packed/encrypted (suspicious) malware using obfuscation techniques that loads itself into memory but stays packed to dodge AV
Right click > search online
Right click > autostart path in registry
rundll32.exe process is created from Control Panel processes
Lots of malware hides itself in rundll32.exe


Almost all MS code and third party codes digitally signed. Can be verified via Process Explorer (verified signers). If signature is missing that is a red flag. CRL = Certificate Revocation List is pinged to see if certs have been revoked due to malware using those certs

Sigcheck.exe -s (recursive) -e (show extensions) -u (show only unsigned) *

GAC_32 is expected to be hit with malware due to unsigned images living there

String tab > memory button = shows string mapped into RAM. Look for suspicious URLs in the strings

DLL view (ctrl + D). listdlls -u * = dump all unsigned DLLs from all processes 

Terminating Malicious Processes

Buddy System. If one process goes down another will be started. The solution is to suspend them all. Active processes are now asleep.

Stop the autostarts. Autoruns by Sysinternals scans all files configured to autostart or load on the system. Verify code and signatures. Red images show up without valid digital signatures. White is third-party signed. Yellow are orphans. Jump to Entry for registry autostart location or Jump to File Location. Uncheck the autorun to disable it. This tool can also scan targeted remote systems (from boot environment). Also shows Timestamp of last modified date.  autorunsc.exe command line tool (print out in CSV format to scan corporate networks). Try not to do things you can't undo. 

Tracing malware activity

When in doubt, run Process Monitor!

Double Click on process > Process tab

Filtering is a key technique for procmon to focus only on what you want. Right click on row > include, exclude, etc. Click on Filtering icon for more complex filtering.Catergory = write only shows modification activity (malware will show here most likely).

Process Tree sees everything, including those processes living between the refresh rate of Process Explorer.

Real world analysis and cleaning

Winwebsec Scareware - skinned with many different aliases 

Keeps putting itself into RunOnce registry key when the malware is shut down. ProcMon enable boot logging to see what the malware is doing during system startup and shutdown to see that happening. 

Boot into safe mode to clean (booting win8 into safe mode is incredibly difficult. use a win7 usb key (or a k2000!))

Law enforcement scare ware (child porn found on system and law enforcement is after you! FBI asking for MoneyPak payment)

Lockscreen.CT - system hijack until you pay for the key

Process Explorer and autoruns shows us what it's doing. No signature, all in Russian, sitting in Run registry key. 

Fix: To clean this you must boot into Safe Mode w/ Command Prompt (this version skips auto runs). Do not use vanilla Safe Mode or Safe Mode w/ Networking.

Case of the runaway GPU

Vicenor - family of trojans 

GPU fan has been hijacked and GPU fan is running at 99% activity. Process Explorer has GPU column to see usage. Can see what files are using that GPU percentage. 

Malware was a bitcoin miner using the victim's system GPU for mining. 

Fix: Use Process Explorer to look at what that malware is doing and the bitcoin account it's uploading to

Case of unexplained FTP connection

Exchange server was making unusual outbound FTP connections. Process Monitor trace saw FTP connections.

Fix: Take File System and Registry info out of the trace to just see Network traffic


Be the first to comment
Showing 1 - 5 of 13 results

Top Contributors

Talk About Cloud Computing