Admin Notes
Quick references for system administration
Updated 19 Apr 2025
SCCM - Client Troubleshooting
Update failing at end, error 0x8???????:
Search %windir%\Logs\CBS\CBS.log for "failed" to find missing prereq patches.
Run sfc /scannow
WUAHandler.log is showing group policy error 0x80004005:
Check if C:\Windows\System32\GroupPolicy\Machine\Registry.pol is more
than a few days old. Run:
net stop ccmexec
remove-item C:\Windows\System32\GroupPolicy\Machine\Registry.pol
gpupdate /force
net start ccmexec
Windows patches not downloading
net stop wuauserv
remove-item "$env:windir\SoftwareDistribution" -recurse
net start wuauserv
try installing patches again
Software stuck installing:
Get-WMIObject -namespace "ROOT\CCM\SoftmgmtAgent" -Query "SELECT * from CCM_TSExecutionRequest" | Remove-WMIObject; restart-service ccmexec
Reinstall client:
ccmsetup /uninstall
delete CCM contents
delete ccmsetup contents
./ccmsetup
Failed to download:
Check CAS.log for "The number of discovered DPs (Including Branch DP and
Multicast) is 0."
SCCM - Logs
Main log folder: C:\Windows\CCM\logs
To view installing apps:
appdiscovery.log
appenforce.log
Error code 0x800702e4 - Insufficient permissions to install. Deployment is
most likely install for user instead of install for system.
To view installing updates: UpdatesDeployment.log
Local client advertisement syncing: CAS.log
View task sequence and package installs: execmgr.log
SCCM - Reports
Compliance 5 - Specific Computer:
Status of a specific task sequence deployment for a specific computer
View computers that have/need a windows update:
Compliance 8 - Computers in a specific compliance state for an update
View time/status of an application deployment:
Application Compliance
Hardware 01A - Summary of computers in a specific collection
Add Remove Programs
SCCM - MP List
http://<SERVER>/sms_mp/.sms_aut?mplist
http://<SERVER>/sms_mp/.sms_aut?mpcert
invoke-webrequest -uri "http://..."
SCCM - PXE Boot Steps
Need ports for
DHCP  67, 68
TFTP  69
BINL  4011
0. If a DHCP helper pointing to the PXE server is not set on the client's switch, or if the server and client are separated by a DMZ, then no traffic will reach the PXE server.
1. Msg type 1. The client starts PXE and sends a DHCPDISCOVER UDP broadcast. The broadcast includes a list of parameter requests for server and network information, and includes the client architecture. The SCCM server checks if the device is in the database here.
2. Msg type 2. The DHCP and PXE servers both respond to the DHCPDISCOVER broadcast with a DHCPOFFER packet containing their information.
3. Msg type 3. The client sends a DHCPREQUEST packet selecting which server it wants to use. The server checks for advertisements available to the system.
4. Msg type 5. The client sends a DHCPACK packet requesting an NBP file to boot with, usually wdsmgfw.efi. TFTP is used to download the NBP file to a ramdisk, which is then booted. If the download fails randomly, it's usually a network connectivity problem.
5. The client uses the NBP to boot into WinPE. The console can be accessed with F8. Client logs are stored in X:\Windows\Temp\SMSTS\SMSTS.log.
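As an added example (not from these notes), the DHCP option exchange from steps 1 to 4 above in Python: it builds the client's DHCPDISCOVER (vendor class PXEClient plus client architecture) and the PXE server's DHCPACK carrying the TFTP server and NBP name, then parses either block back into the fields you look for in a capture. Option codes are the standard DHCP ones; the server address and NBP name are constructed sample values.

```python
import struct
DHCP_MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 start-of-options marker

def encode_options(opts):
    """Serialise (code, value) pairs as DHCP option TLVs, terminated by END (255)."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)

def decode_options(blob):
    """Parse an option area back into {code: value}; stops at END, skips PAD (0)."""
    assert blob[:4] == MAGIC_COOKIE, "not a DHCP option block"
    i, opts = 4, {}
    while i < len(blob) and blob[i] != 255:
        if blob[i] == 0:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def pxe_discover(arch=7):
    """Msg type 1 from the client: vendor class PXEClient plus client arch (7 = EFI x64)."""
    return encode_options([
        (53, b"\x01"),                     # DHCP message type: DISCOVER
        (60, b"PXEClient"),                # vendor class identifier
        (93, struct.pack("!H", arch)),     # client system architecture
        (55, bytes([1, 3, 66, 67])),       # parameter request list
    ])
def pxe_ack(next_server="10.0.0.5", nbp="wdsmgfw.efi"):
    """Msg type 5 from the PXE server: TFTP server and NBP name (constructed values)."""
    return encode_options([
        (53, b"\x05"),                     # DHCP message type: ACK
        (66, next_server.encode()),        # TFTP server name
        (67, nbp.encode()),                # bootfile name
    ])
def summarize(blob):
    """Pull out the fields the notes above mention when troubleshooting a PXE boot."""
    o = decode_options(blob)
    info = {"type": DHCP_MSG_TYPES.get(o[53][0], "unknown")}
    info["pxe_client"] = o.get(60, b"").startswith(b"PXEClient")
    if 93 in o:
        info["arch"] = struct.unpack("!H", o[93])[0]
    for code, key in ((66, "tftp_server"), (67, "nbp")):
        if code in o:
            info[key] = o[code].decode()
    return info
```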
Windows - Install Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
McAfee
If the tray icon is missing, run
& "C:\Program Files\McAfee\Agent\x86\UpdaterUI.exe"
Uninstalling. Requires a special removal tool.
.\McAfeeEndpointProductRemoval.exe --accepteula --VSE --HIPS --DLP
.\McAfeeEndpointProductRemoval.exe --accepteula --ALL
Running explorer.exe causes a McAfee installer to start.
Logs:
HIPS: C:\ProgramData\McAfee\Host Intrusion Prevention\HipShield.log
Windows - Delete Profiles
Control Panel -> System -> Advanced System Settings -> User Profiles
Manually:
Delete the folder in C:\Users
Delete the registry entry in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Base 64 Encoding
certutil -encode file.bin file.txt
certutil -decode file.txt file.bin
Windows - CredSSP Encryption Oracle
Set the following registry value and restart. Change it back when done (2 = Vulnerable, the least restrictive setting).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
AllowEncryptionOracle DWORD 2
Windows - Move Mouse with Keyboard
Turn on mouse keys:
Hit Left-Alt + Left-Shift + NUM-Lock. Otherwise, Win+R -> control panel. Tab
to Ease of Access -> Mouse Settings -> Use Numeric Keypad -> Hit Spacebar.
If in a VM, disable mouse integration.
To move the mouse with numpad:
Movement              Clicking
Up+Left    : 7        Select left button    : /
Up         : 8        Select both buttons   : *
Up+Right   : 9        Select right button   : -
Left       : 4        Click selected button : 5
Right      : 6        Drag                  : 0
Down+Left  : 1        Drop                  : .
Down       : 2
Down+Right : 3
Windows - Group Policy
Get the policy being applied to windows
gpresult /h report.html
If random processes like updates aren't working, delete:
C:\Windows\System32\GroupPolicy\registry.pol
Powershell - Repair Updates
Stop the Windows Update service: net stop wuauserv
Rename C:\Windows\SoftwareDistribution
Go to HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and
check WUServer and WUStatusServer.
Set DoNotConnectToWindowsUpdateInternetLocations DWORD 1
In the AU subkey: UseWUServer DWORD 1
Delete C:\Windows\System32\GroupPolicy\registry.pol
Start the Windows Update service: net start wuauserv
Powershell - Remote Execute
May require enabling PSRemoting and allowing port 5986.
Get-Service -Computer $comp -Name WinRM | Start-Service
Enter-PSSession -Computer $comp
Execute through CIM sessions (DCOM, so it works without WinRM).
$computer = ""
# Win32_Process.Create launches an executable directly; redirection needs cmd.exe
$localCmd = 'cmd.exe /c echo hello > C:\Windows\Temp\remote_test.txt'
$dcom = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $computer -SessionOption $dcom -EA SilentlyContinue
if ($null -eq $session) {Write-Host "Failed to connect CIM" ; exit}
$cimParams = @{
    CimSession  = $session
    ClassName   = "Win32_Process"
    MethodName  = "Create"
    Arguments   = @{CommandLine = $localCmd}
    ErrorAction = "SilentlyContinue"
}
$proc = Invoke-CimMethod @cimParams
# ReturnValue 0 means the process was created; anything else is a Win32_Process error code
if ($null -eq $proc -or $proc.ReturnValue) {Write-Warning "Failed to execute CIM" ; exit}
Get-Process -ComputerName $computer -Id $proc.ProcessId
Windows - Recover Local Admin
1. Begin to PXE boot the system, but stop when you see the WinPE screen.
2. Press F8 to bring up the command prompt.
3. Enter diskpart to bring up the diskpart prompt, then enter list vol to see the drives on the system. Note the letter of the volume labeled "Windows". We'll assume it's letter "C". Enter exit.
4. We'll modify the registry to get a local command prompt. Enter:
   reg load HKLM\TMPSYS C:\Windows\System32\config\SYSTEM
   reg add HKLM\TMPSYS\Setup /v cmdline /d cmd.exe /t REG_SZ /f
   reg add HKLM\TMPSYS\Setup /v SetupType /d 2 /t REG_DWORD /f
   reg unload HKLM\TMPSYS
5. Enter C:\Windows\System32\shutdown.exe /r /f to reboot.
6. When the system starts up, you should see a command prompt. Avoid clicking anywhere on the screen as the command prompt will disappear. Enter:
   net user tmpadmin * /add
   net localgroup administrators tmpadmin /add
7. Undo the registry changes we've made with the following commands:
   reg add HKLM\SYSTEM\Setup /v cmdline /d "" /t REG_SZ /f
   reg add HKLM\SYSTEM\Setup /v SetupType /d 0 /t REG_DWORD /f
8. Enter exit to reboot.
9. You should see the login screen and be able to log in with .\tmpadmin.
Windows - .Net Security
This setting can cause any signed executable to fail to run. 0x23c00
allows most things.
In HKLM and HKU\S-1-5-18 (the SYSTEM account):
Path : Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\
Key : Software Publishing
Name : State
Type : DWORD
Value: 0x23c00
Powershell - Launching
If script execution has been disabled:
powershell -executionpolicy unrestricted -file script.ps1
Launch Powershell From .bat
@echo off
Powershell.exe -ExecutionPolicy Unrestricted -File "%~dp0script.ps1" %*
exit /b %ERRORLEVEL%
Re-execute script as a 64-bit process
if ($pshome -like "*SysWow64*") {
& (join-path ($pshome -replace "SysWow64","sysnative") Powershell.exe)`
-File ($script:MyInvocation.MyCommand.Path) @($script:args); exit
}
Powershell - Remotely Reboot
Restart-Computer -ComputerName $name -force -EA Stop
If stuck rebooting:
gwmi Win32_Process -ComputerName $name | %{if ($_.ProcessName -eq "logonui.exe") {$_.Terminate()}}
Powershell - Event Logs
Get-EventLog -LogName System | ?{$_.TimeGenerated -gt [DateTime]::Now.AddDays(-1)} | ft TimeGenerated,EventId,Message -AutoSize -Wrap
Powershell - Searching
Find an executable. Must have ".exe" or PS will try to run the "where-object"
command.
where.exe SOMEEXE.exe
Search file contents
get-childitem -path "*.txt" -Recurse | Select-String -Pattern "hello"
gci "*" -Recurse | %{Select-String -path $_.fullname -pattern "^hello"}
Powershell - Parallel
workflow parallelping {
param($computers)
foreach -parallel ($comp in $computers) {
Test-Connection $comp -Count 2 -EA SilentlyContinue -WA SilentlyContinue
}
}
parallelping @(0..255 | %{"10.10.10.$_"})
Powershell - AD Without RSAT
Open a basic AD query window
C:\Windows\System32\rundll32.exe dsquery.dll OpenQueryWindow
List basic properties
net user USERNAME /domain
net group GROUPNAME /domain
Searching with ADSystemInfo.
$sysinfo=New-Object -ComObject "ADSystemInfo"
$dn=$sysinfo.GetType().InvokeMember("ComputerName","GetProperty",$null,$sysinfo,$null)
$compobj=[adsi]"LDAP://$dn"
$compobj.name
Searching large numbers with adsisearcher.
$search=[adsisearcher]""
$search.SearchRoot="LDAP://DC=site,DC=com"
$search.filter="(&(objectClass=computer)(Name=SERVER*))"
$search.PageSize=1000
$comps=$search.FindAll()
Move OU
$comp=[adsi]"LDAP://$dn"
$ou=[adsi]"LDAP://OU=hello,DC=com"
$comp.psbase.moveTo($ou)
Add user to group
$user = [adsi]([adsisearcher]"samaccountname=USERNAME").FindOne().path
$group = [adsi]([adsisearcher]"samaccountname=GROUPNAME").FindOne().path
$group.Add($user.ADSPath)
Searching with adsisearcher.
([adsisearcher]"samaccountname=$($env:USERNAME)").FindOne().Properties
([adsisearcher]"objectClass=computer").FindAll().Properties
Powershell - Excel
$scriptpath=(Split-Path $script:MyInvocation.MyCommand.Path)
$outpath="$scriptpath\file.xlsx"
$excel=New-Object -ComObject excel.application
$book=$excel.Workbooks.Add()
$sheet=$book.Worksheets.Item(1)
for ($r=0;$r -lt 15;$r++) {
for ($c=0;$c -lt 10;$c++) {
$sheet.Cells.Item($r+1,$c+1)=$r+$c
}
}
$book.SaveAs($outpath)
$excel.Workbooks.Close()
$excel.Quit()   # otherwise the EXCEL.EXE process is left running
Tenable - Security Center
10902 - Admins Group List
19506 - Nessus Info
20811 - Installed Software
24270 - System Details (WMI)
24272 - WMI Net Info
24274 - USB Devices
34096 - BIOS info
35730 - USB History
55472 - Device Hostname
63080 - Mounted Devices
66350 - WiFi Network History
83265 - LAPS
72684 - Enumerate Users
Cisco - Switches
When in doubt, use sh run to see what commands have been used.
ACLs can filter RIP.
A GRE tunnel IP needs to be exempted from itself.
Configuration:
conf t
copy run start
do show int status
shut/no shut
show arp
show ip route <IP> to see where packets will go
show ip int brief
show int status
show mac address-table
switchport access vlan 10
DHCP:
clear ip dhcp pool <pool> binding *
show ip dhcp [binding | conflict | pool]
Bash - Conditional Tests
Denote with [[ ... ]].
Need whitespace between brackets and contents.
x="hello"
if [[ $x == "hello" ]] ; then echo "$x equal" ; fi
[[ $x == "hello" ]] && echo "$x equal"
[[ ! $x == "hello" ]] && echo "$x not equal"
String    : < > == !=
Integer   : -gt -lt ...
Regex     : = =~
Condition : && ||
Bash - Arithmetic
Denote with $(( ... )).
Numbers with leading 0's are considered octal.
let and (( ... )) evaluate their constants as arithmetic.
x=17+23 ; echo $x #17+23
let x=17+23 ; echo $x #40
x=$((17+23)) ; echo $x #40
(( x += 5 )) ; echo $x #45
if (( x > 10 )) ; then echo "$x > 10" ; fi
Evaluate in string: echo "$(( x + 5 ))" #45
Force base 10 (strip leading zeros so "08" is not read as octal): x=$((10#$x))
Bash - Functions
frombase() { echo "$(( $1#$2 ))"; }
frombase 16 ff #255
Bash - Loops
for (( i=0, j=0; i<100; i++ )); do echo $i ; done
Bash - Searching
Recursively search files for the string "debug"
grep -R "debug" ./
Find all mp3 or ogg files
find ~ -name "*.mp3" -o -name "*.ogg"
Alternate
IFS=$'\n'; for filename in $(find .); do if [[ $filename =~ \.(mp3|ogg) ]]; then echo "$filename"; fi; done
Bash splits inputs by newlines and whitespace. To only split on newline, set
IFS=$'\n'.
To extract a variable from a string
email="alec.dee@gmail.com"
res=$(echo $email | sed 's/\(.*\)@.*/\1/')
echo $res #alec.dee
Linux - File Access Policy
systemctl stop fapolicyd
Log everything fapolicyd is doing (applications are still blocked).
fapolicyd --debug 2> fapolicy_debug.txt
Only log things that get denied.
fapolicyd --debug-deny 2> fapolicy_debug.txt
Allow applications to run but log deny rules.
fapolicyd --debug-deny --permissive 2> fapolicy_debug.txt
List rules
fapolicyd-cli --list
Modify fapolicy rules
vi /etc/fapolicyd/fapolicyd.conf
/etc/fapolicyd/fapolicyd.trust
systemctl restart fapolicyd
Default log location
/var/log/fapolicyd-access.log
Linux - Firewall
Allow traffic but log denied packets.
vi /etc/firewalld/firewalld.conf
Set: LogDenied=all
systemctl restart firewalld.service
Default log location:
/var/log/firewalld
View denied packets: journalctl -x -e
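As an added example (not part of these notes), Python that summarises the FINAL_REJECT and STATE_INVALID_DROP lines LogDenied=all writes to the journal: which sources are being denied and to which ports. The journal lines below are constructed samples in the kernel log-prefix format, not a real capture.

```python
import re
from collections import Counter

# Constructed sample of `journalctl -x -e` output; not real traffic.
SAMPLE_JOURNAL = """\
Apr 19 10:01:02 host1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=aa:bb SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 10:01:03 host1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=aa:bb SRC=192.0.2.10 DST=10.0.0.5 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 10:01:04 host1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=aa:bb SRC=198.51.100.7 DST=10.0.0.5 LEN=40 TTL=55 ID=3 PROTO=UDP SPT=5353 DPT=161 LEN=20
Apr 19 10:01:05 host1 sshd[123]: Accepted publickey for admin from 10.0.0.9 port 50000 ssh2
Apr 19 10:01:06 host1 kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=44323 DPT=80 ACK URGP=0
"""

# firewalld's log prefix (FINAL_REJECT, FINAL_DROP, STATE_INVALID_DROP, ...) then KEY=VALUE fields
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z_]+): (?P<fields>.*)$")

def parse_denied(text):
    """Return one dict per firewalld deny line: the prefix plus its KEY=VALUE fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                                  # not a firewalld log line
        # flags without '=' (DF, SYN, ACK) are skipped; repeated keys keep the last value
        fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        fields["prefix"] = m["prefix"]
        events.append(fields)
    return events

def top_sources(events, n=3):
    """Most frequent SRC addresses, e.g. to spot one host probing several closed ports."""
    return Counter(e["SRC"] for e in events).most_common(n)

def ports_by_source(events):
    """Map SRC -> sorted list of destination ports it was denied to."""
    out = {}
    for e in events:
        if "DPT" in e:
            out.setdefault(e["SRC"], set()).add(int(e["DPT"]))
    return {src: sorted(ports) for src, ports in out.items()}
```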
Open a port
sudo firewall-cmd --zone=public --add-port=80/tcp
List ports and services
sudo firewall-cmd --list-services
sudo firewall-cmd --list-ports