• Category Archives: ToolBox posts
  • WannaCry Ransomware – Microsoft Security Bulletin MS17-010 – Critical

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


    Security Update for Microsoft Windows SMB Server (4013389)

    Published: March 14, 2017

    Version: 1.0

    This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

    This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software and Vulnerability Severity Ratings section.

    The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests.

    For more information about the vulnerabilities, see the Vulnerability Information section.

    For more information about this update, see Microsoft Knowledge Base Article 4013389.

    The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

    The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the March bulletin summary.

    Note: Please see the Security Update Guide for a new approach to consuming the security update information. You can customize your views and create affected software spreadsheets, as well as download data via a RESTful API. For more information, please see the Security Updates Guide FAQ. As a reminder, the Security Updates Guide will be replacing security bulletins. Please see our blog post, Furthering our commitment to security updates, for more details.

    Affected Software and Vulnerability Severity Ratings

    Every row of the table carries the same ratings: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 and CVE-2017-0148 (Windows SMB Remote Code Execution Vulnerability) are rated Critical / Remote Code Execution, and CVE-2017-0147 (Windows SMB Information Disclosure Vulnerability) is rated Important / Information Disclosure, for every operating system listed below. The remaining columns are:

    Operating System | Update (KB) | Updates Replaced*
    Windows Vista
    Windows Vista Service Pack 2 | 4012598 | 3177186 in MS16-114
    Windows Vista x64 Edition Service Pack 2 | 4012598 | 3177186 in MS16-114
    Windows Server 2008
    Windows Server 2008 for 32-bit Systems Service Pack 2 | 4012598 | 3177186 in MS16-114
    Windows Server 2008 for x64-based Systems Service Pack 2 | 4012598 | 3177186 in MS16-114
    Windows Server 2008 for Itanium-based Systems Service Pack 2 | 4012598 | 3177186 in MS16-114
    Windows 7
    Windows 7 for 32-bit Systems Service Pack 1 | 4012212 Security Only[1] | None
    Windows 7 for 32-bit Systems Service Pack 1 | 4012215 Monthly Rollup[1] | 3212646
    Windows 7 for x64-based Systems Service Pack 1 | 4012212 Security Only[1] | None
    Windows 7 for x64-based Systems Service Pack 1 | 4012215 Monthly Rollup[1] | 3212646
    Windows Server 2008 R2
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4012212 Security Only[1] | None
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 | 4012215 Monthly Rollup[1] | 3212646
    Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | 4012212 Security Only[1] | None
    Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 | 4012215 Monthly Rollup[1] | 3212646
    Windows 8.1
    Windows 8.1 for 32-bit Systems | 4012213 Security Only[1] | None
    Windows 8.1 for 32-bit Systems | 4012216 Monthly Rollup[1] | 3205401
    Windows 8.1 for x64-based Systems | 4012213 Security Only[1] | None
    Windows 8.1 for x64-based Systems | 4012216 Monthly Rollup[1] | 3205401
    Windows Server 2012 and Windows Server 2012 R2
    Windows Server 2012 | 4012214 Security Only[1] | None
    Windows Server 2012 | 4012217 Monthly Rollup[1] | 3205409
    Windows Server 2012 R2 | 4012213 Security Only[1] | None
    Windows Server 2012 R2 | 4012216 Monthly Rollup[1] | 3205401
    Windows RT 8.1
    Windows RT 8.1[2] | 4012216 Monthly Rollup | 3205401
    Windows 10
    Windows 10 for 32-bit Systems[3] | 4012606 | 3210720
    Windows 10 for x64-based Systems[3] | 4012606 | 3210720
    Windows 10 Version 1511 for 32-bit Systems[3] | 4013198 | 3210721
    Windows 10 Version 1511 for x64-based Systems[3] | 4013198 | 3210721
    Windows 10 Version 1607 for 32-bit Systems[3] | 4013429 | 3213986
    Windows 10 Version 1607 for x64-based Systems[3] | 4013429 | 3213986
    Windows Server 2016
    Windows Server 2016 for x64-based Systems[3] | 4013429 | 3213986
    Server Core installation option
    Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | 4012598 | 3177186 in MS16-114
    Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | 4012598 | 3177186 in MS16-114
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4012212 Security Only[1] | None
    Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | 4012215 Monthly Rollup[1] | 3212646
    Windows Server 2012 (Server Core installation) | 4012214 Security Only[1] | None
    Windows Server 2012 (Server Core installation) | 4012217 Monthly Rollup[1] | 3205409
    Windows Server 2012 R2 (Server Core installation) | 4012213 Security Only[1] | None
    Windows Server 2012 R2 (Server Core installation) | 4012216 Monthly Rollup[1] | 3205401
    Windows Server 2016 for x64-based Systems[3] (Server Core installation) | 4013429 | 3213986

    [1]Beginning with the October 2016 release, Microsoft has changed the update servicing model for Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. For more information, please see this Microsoft TechNet article.

    [2]This update is only available via Windows Update.

    [3] Windows 10 and Windows Server 2016 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog. Please note that effective December 13, 2016, Windows 10 and Windows Server 2016 details for the Cumulative Updates will be documented in Release Notes. Please refer to the Release Notes for OS Build numbers, Known Issues, and affected file list information.

    *The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

    Multiple Windows SMB Remote Code Execution Vulnerabilities

    Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

    To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

    The security update addresses the vulnerabilities by correcting how SMBv1 handles these specially crafted requests.

    The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

    Vulnerability title | CVE number | Publicly disclosed | Exploited
    Windows SMB Remote Code Execution Vulnerability | CVE-2017-0143 | No | No
    Windows SMB Remote Code Execution Vulnerability | CVE-2017-0144 | No | No
    Windows SMB Remote Code Execution Vulnerability | CVE-2017-0145 | No | No
    Windows SMB Remote Code Execution Vulnerability | CVE-2017-0146 | No | No
    Windows SMB Remote Code Execution Vulnerability | CVE-2017-0148 | No | No

    Mitigating Factors

    Microsoft has not identified any mitigating factors for these vulnerabilities.

    Workarounds

    The following workarounds may be helpful in your situation:

    • Disable SMBv1

      For customers running Windows Vista and later

      See Microsoft Knowledge Base Article 2696547.

      Alternative method for customers running Windows 8.1 or Windows Server 2012 R2 and later

      For client operating systems:

      1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
      2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
      3. Restart the system.

      For server operating systems:

      1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
      2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
      3. Restart the system.

      Impact of workaround. The SMBv1 protocol will be disabled on the target system.

      How to undo the workaround. Retrace the workaround steps, and select the SMB1.0/CIFS File Sharing Support check box to restore the SMB1.0/CIFS File Sharing Support feature to an active state.
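    A scripted form of the audit and workaround just described, added here as an example (it is not part of the Microsoft bulletin): the KB numbers are taken from the Affected Software table, and the cmdlets and the LanmanServer\Parameters\SMB1 registry value are the per-Windows-generation methods that KB 2696547 documents.

```powershell
# Added example, not part of the MS17-010 bulletin: audits one host for the
# exposure the bulletin describes (is an MS17-010 package installed? is SMBv1
# still on?) and offers a scripted form of the "Disable SMBv1" workaround.
# KB numbers come from the Affected Software table; the per-generation cmdlets
# and the LanmanServer\Parameters\SMB1 registry value are the methods that
# KB 2696547 documents. Run in an elevated PowerShell 3.0+ session.

# Security Only, Monthly Rollup and cumulative packages listed in the bulletin.
$Ms17010Kbs = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-IsServerOS {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
}

function Get-Smb1Exposure {
    # Caveat: on Windows 10 / Server 2016 a later cumulative update supersedes these
    # KBs, so "none found" there means "check the OS build", not "unpatched".
    $installed = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
                   Select-Object -ExpandProperty HotFixID)

    # Protocol switch exposed on Windows 8 / Server 2012 and later.
    $smb1Server = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Registry switch used on Vista / 7 / 2008 / 2008 R2; an absent value means enabled.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg)      { $smb1Registry = 'enabled (value absent = default)' }
    elseif ($reg.SMB1 -eq 0) { $smb1Registry = 'disabled' }
    else                     { $smb1Registry = 'enabled' }

    # The "SMB1.0/CIFS File Sharing Support" feature the workaround's GUI steps remove.
    $feature = $null
    if ((Test-IsServerOS) -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        # Server 2012 R2 and later
        $feature = (Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue).InstallState
    } elseif (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8.1 and later clients
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }

    if ($installed) { $packages = $installed -join ', ' } else { $packages = 'none found' }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010Packages   = $packages
        Smb1ServerEnabled = $smb1Server
        Smb1RegistryValue = $smb1Registry
        Smb1FeatureState  = $feature
    }
}

function Disable-Smb1Workaround {
    # Scripted form of the bulletin's workaround. Impact and undo are the same as
    # the GUI steps: SMBv1 is disabled after a restart; re-add the feature to undo.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
    if ((Test-IsServerOS) -and (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue)) {
        Remove-WindowsFeature -Name FS-SMB1
    } elseif (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    Write-Warning 'SMBv1 disabled; a restart is required for the change to take effect.'
}

$state = Get-Smb1Exposure
$state | Format-List
if ($state.Ms17010Packages -eq 'none found' -and $state.Smb1ServerEnabled -ne $false) {
    Write-Warning "$($state.ComputerName): no MS17-010 package found and SMBv1 not confirmed disabled. Install the update, or run Disable-Smb1Workaround."
}
```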


    Windows SMB Information Disclosure Vulnerability – CVE-2017-0147

    An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.

    To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

    The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.

    The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

    Vulnerability title | CVE number | Publicly disclosed | Exploited
    Windows SMB Information Disclosure Vulnerability | CVE-2017-0147 | No | No

    Mitigating Factors

    Microsoft has not identified any mitigating factors for this vulnerability.

    Workarounds

    The following workarounds may be helpful in your situation:

    • Disable SMBv1

      For customers running Windows Vista and later

      See Microsoft Knowledge Base Article 2696547.

      Alternative method for customers running Windows 8.1 or Windows Server 2012 R2 and later

      For client operating systems:

      1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
      2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
      3. Restart the system.

      For server operating systems:

      1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
      2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
      3. Restart the system.

      Impact of workaround. The SMBv1 protocol will be disabled on the target system.

      How to undo the workaround. Retrace the workaround steps, and select the SMB1.0/CIFS File Sharing Support check box to restore the SMB1.0/CIFS File Sharing Support feature to an active state.


    For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

    Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

    The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

    • V1.0 (March 14, 2017): Bulletin published.

  • Recover deleted messages from .pst files

    www.slipstick.com/outlook/config/recover-deleted-messages-pst-files/

    Recover the Deleted Items

    If you don’t know what a Hex editor is, you probably shouldn’t be hex editing anything, but if you want to try, Google for “hex editor” – UltraEdit is probably the best and easiest one to use. Before doing anything to the PST with a Hex Editor, make a copy of the PST, or you may end up losing all of your e-mail.

      1. Open the PST in the Hex editor.
      2. Delete positions 7 through 13 with the spacebar. Since you’re using hexadecimal numbering, this actually clears 13 characters in the following positions:
         00007, 00008, 00009, 0000a, 0000b, 0000c, 0000d
         0000e, 0000f, 00010, 00011, 00012, 00013
         As you clear the characters, the editor displays the code “20” in their position.

      (Figure: hex edit the pst file)

      3. Save the PST; it is now corrupted.
      4. Run the Inbox Repair Tool, SCANPST.exe, to recover the file. Use the Windows Search utility to find it. For additional information on the Inbox Repair Tool, see How to use Scanpst.exe to repair Outlook data files or KB 287497.
      5. The Inbox Repair Tool creates a backup, repairs the damage and recreates the PST.

    Open the new PST in Outlook. The Deleted Items folder should now contain the deleted messages, unless Outlook has already deleted them for good by compacting the PST.
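    The hex-editor step above, scripted against a copy of the PST so the original is never touched; this is an added example, not code from the slipstick.com article. The “!BDN” check is the PST file signature (first four bytes of the header), and the input path is a placeholder.

```powershell
# Added example, not from the slipstick.com article: scripts the hex-editor step
# against a COPY of the PST. Offsets 0x07..0x13 (the 13 positions the article
# lists) are overwritten with 0x20, the byte the editor shows as "20". The "!BDN"
# check is the PST file signature; a file without it is refused, not patched.
function New-PatchedPstCopy {
    param(
        [Parameter(Mandatory)] [string]$PstPath,
        [string]$CopyPath = ($PstPath -replace '\.pst$', '-recover.pst')
    )
    # Guard against a path without a .pst extension, where -replace would leave
    # $CopyPath equal to $PstPath and the original would be overwritten.
    if ($CopyPath -ieq $PstPath) { throw 'Copy path must differ from the original PST path.' }

    Copy-Item -LiteralPath $PstPath -Destination $CopyPath -ErrorAction Stop
    $fullCopy = (Resolve-Path -LiteralPath $CopyPath).ProviderPath   # .NET needs an absolute path
    $bytes = [System.IO.File]::ReadAllBytes($fullCopy)

    if ($bytes.Length -lt 0x14 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne '!BDN') {
        Remove-Item -LiteralPath $fullCopy
        throw "'$PstPath' does not carry the PST signature '!BDN'; nothing patched."
    }

    # 0x07..0x13 inclusive: 00007 ... 0000f, 00010 ... 00013 = 13 bytes
    for ($offset = 0x07; $offset -le 0x13; $offset++) { $bytes[$offset] = 0x20 }
    [System.IO.File]::WriteAllBytes($fullCopy, $bytes)
    return $fullCopy
}

# Placeholder path; point it at the PST you copied aside.
$patched = New-PatchedPstCopy -PstPath 'C:\Temp\mailbox.pst'
Write-Host "Header damaged in '$patched' (original untouched). Run SCANPST.EXE against this copy, then open the repaired file in Outlook."
```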


  • How to fix: Svchost.exe (netsvcs) memory leak or high CPU usage problems

    https://www.wintips.org/how-to-fix-svchost-exe-netsvcs-memory-leak-or-high-cpu-usage-problems

    Svchost.exe is a generic and legitimate Windows process that loads several other critical services for proper Windows operation. But in several cases users complain that Svchost.exe is hogging their CPU or memory resources without obvious reason, e.g. at moments when the user isn’t running any programs.

    On many occasions I have troubleshot the Svchost.exe (netsvcs) problem, using different solutions depending on the situation.

    From my experience, Svchost.exe high usage problems – in most cases – occur on computers that are infected by a virus or a malware program. In the rest of the cases, Svchost.exe (netsvcs) high CPU or memory leak problems can be caused by a Windows Update, by a full Event log file, or by other programs or services that start many processes during their execution. In this tutorial you can find detailed instructions on how to troubleshoot and resolve memory leak or high CPU usage problems caused by svchost {Svchost.exe (netsvcs)}.

    How to solve 100% Svchost.exe (netsvcs) High Memory or CPU usage problems.

    Solution 1. Scan your computer for viruses.

    Many viruses or malicious programs can cause the svchost.exe high CPU/memory usage problem. So, before you continue to troubleshoot the Svchost.exe high CPU usage problem, use this Malware Scan and Removal Guide to check and remove viruses or/and malicious programs that may be running on your computer.

    Solution 2. Find and Disable the service that causes the “svchost” high CPU usage problem.

    Svchost.exe is a process that is needed by several services or programs in order for them to run. So, determine which service or program runs under the svchost.exe process and is hogging your system’s CPU and memory resources and then proceed to disable or totally uninstall that program (or service).

    1. Press Ctrl+Alt+Del simultaneously and then open Task Manager.

    2. On the Processes tab, check the Show processes from all users checkbox.

    3. Right-click the high-usage svchost.exe process and select Go to Service(s).

    4. On the Services tab you should see several highlighted services that run under the svchost.exe process.

    5. Now it’s time to find out which service is hogging CPU resources. To do that, you have two ways:

    A) You can search Google for each highlighted service in turn and see whether the service is critical – or not – for your computer.

    Or –

    B) You can try stopping the services one by one until CPU usage returns to normal. To stop a service temporarily:

    • Choose a service
    • Right-click on it, and choose Stop Service.

    6. After you have figured out the culprit service or program, then navigate to Services in Computer Management to disable that service (or totally remove the culprit program).

    To disable a service on your computer permanently:
    1. Simultaneously press the Windows key + R to open the Run command box.
    2. In the Run command box, type: services.msc and press Enter.

    3. In the Services management window, right-click the culprit service and choose Properties.

    * Note: Most of the time, the culprit service is the Windows Update Service.

    4. Change the Startup type to Disabled, press OK and restart your computer.
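    Solution 2 done for every svchost.exe instance at once, as an added example that is not part of the wintips.org article: it ranks the instances by CPU time, lists the services each one hosts (the “Go to Service(s)” step), and, because the article names malware as the most common cause, flags any “svchost.exe” whose image is not the real %SystemRoot%\System32\svchost.exe. It assumes PowerShell 3.0 or later and an elevated session so every process path is readable.

```powershell
# Added example, not from the wintips.org article: maps every svchost.exe to the
# services it hosts (Solution 2's "Go to Service(s)" step) and flags images that
# are not the genuine System32 binary. PowerShell 3.0+; run elevated so the Path
# of every process is readable (it is $null when access is denied).
$GenuineSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostServiceMap {
    # Win32_Service.ProcessId links each running service to its host process.
    $services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -ne 0 }

    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Sort-Object -Property CPU -Descending |
        ForEach-Object {
            $proc   = $_
            $hosted = @($services | Where-Object { $_.ProcessId -eq $proc.Id })
            [pscustomobject]@{
                PID          = $proc.Id
                CpuSeconds   = [math]::Round([double]$proc.CPU, 1)
                WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
                Services     = ($hosted | ForEach-Object { $_.Name }) -join ', '
                Path         = $proc.Path
                # $null -ieq <string> is $false, so an unreadable path is also flagged
                GenuineImage = ($proc.Path -ieq $GenuineSvchost)
            }
        }
}

$map = Get-SvchostServiceMap
$map | Format-Table PID, CpuSeconds, WorkingSetMB, GenuineImage, Services -AutoSize

# Anything that is not the System32 binary (or whose path could not be read)
# deserves Solution 1's malware scan before any service is stopped or disabled.
foreach ($row in ($map | Where-Object { -not $_.GenuineImage })) {
    Write-Warning ("PID {0}: image '{1}' is not {2}; investigate before touching its services ({3})." -f
                   $row.PID, $row.Path, $GenuineSvchost, $row.Services)
}
```

    Step 5B’s temporary stop is `Stop-Service -Name <service>` for one of the listed names; watch CpuSeconds on the same PID afterwards to confirm the culprit.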


    Solution 3: Empty Event viewer log.

    In some cases the svchost.exe high CPU (or high Memory) usage problem has to do with the large log files in Windows event viewer. So, another solution is to clear Event Viewer’s log. To do that:

    1. Simultaneously press the Windows key + R to open the Run command box.

    2. In the Run command box, type: eventvwr and press Enter.

    3. In Event Viewer, double-click to expand Windows Logs.

    4. Right-click on Application and choose Clear Log.

    5. Perform the same operation and clear the Security, Setup, and System log.

    6. Restart your computer.


    Solution 4: Troubleshoot Windows Updates problems.

    On other computers, the svchost.exe high usage problem may occur when Windows searches for updates in the background. To troubleshoot high CPU usage problems during Windows Update, perform the following steps.


    Step 1. Force Windows to re-create an empty Windows Update Store folder.

    The Windows Update Store folder (commonly known as the “SoftwareDistribution” folder) is the location where Windows stores the downloaded updates. If this folder is corrupted, you will face problems during Windows Update. So, first try to force Windows to re-create a new, empty SoftwareDistribution folder. To do that:

    1. Simultaneously press the Windows key + R to open the Run command box.

    2. In the Run command box, type: services.msc and press Enter.

    3. Search for the Windows Update service, then right-click it and select Stop.

    4. Navigate to the “C:\Windows” folder.

    5. Delete * (or rename, e.g. to “SoftwareDistributionOLD”) the “SoftwareDistribution” folder.

    * Note: Upon restart, the next time Windows Update checks for available updates, a new, empty SoftwareDistribution folder will be created automatically by Windows to store updates.

    6. Restart your computer and then try to check for updates.

    7. If the “svchost” high CPU usage problem persists, continue to the next step.


    Step 2. Run Windows Update Troubleshooter

    1. Download Microsoft’s Windows Update Troubleshooter to your computer.

    2. Run Windows Update Troubleshooter and press Accept at the first screen.

    3. Select the Detect problems and apply the fixes for (Recommended) option.

    4. Let the program fix the problems with Windows Update and then restart your computer.

    5. Check for Updates again and if the svchost.exe high CPU usage problem persists continue to the next step.


    Step 3. Install the latest version of Windows Update Agent.

    1. Navigate to Windows Update Agent download site and download the appropriate package for your Windows edition and version.

    2. Run WindowsUpdateAgent*.exe

    3. Close all open programs and choose Next.

    4. Choose Agree and press Next.

    5. Let the installer finish the installation and then restart your computer.

    Step 4. Install the critical Microsoft Security Bulletin MS13-097.

    1. Navigate to https://technet.microsoft.com/library/security/ms13-097 and click the appropriate Internet Explorer Cumulative Security Update (2898785) for your Internet Explorer version and Windows version.

    2. At the next screen choose your IE’s (menu) language and choose Download.

    3. Run “IE11_Windows*-KB2898785*.exe” and follow the on-screen instructions to install the update.

    4. Restart your computer and check for updates again.


    Step 5: Fix Windows Corrupted System files by using the System Update Readiness tool (aka “Deployment Image Servicing and Management” – DISM tool).

    1. Navigate to System Update Readiness tool download site and download the DISM tool for your Windows edition and version. *

    * Note: Windows 8 already contains the DISM tool and you don’t have to download anything. Just open an elevated command prompt and type: DISM.exe /Online /Cleanup-image /Restorehealth (Detailed instructions on how you can run DISM in Windows 8/8.1 can be found here)

    2. Double click to install the downloaded file (e.g. Windows6.1-KB947821-v34-x86.msu).

    3. When the installation is completed, restart your computer.

    4. Force Windows to check for updates again and see if the svchost high usage problem still persists.

    UPDATE – 16/10/2015 

    Other solutions that I have applied in different cases (computers) in which the “svchost.exe” high usage problem occurs while Windows is searching for updates.

    Case 1: Applied on a new Windows 7 SP1 installation.

    a. Uninstall the KB2562937 from Installed Updates.

    b. Restart the computer.

    UPDATE – 22/03/2016

    (Applied to: Windows 7 SP1 & Windows Server 2008 R2 SP1.)

    1. First make sure that you have already installed Internet Explorer 11 on your computer.
    2. Download and install the KB3102810 security update according to your OS version *. (If the installation hangs, restart the computer and then immediately install the update.)
    3. Restart your computer and then delete the “SoftwareDistribution” folder by following the instructions on Step 1 (only) from Solution 4 above.
    4. Restart your computer and check for updates.

    UPDATE – 29/06/2016

    (Applied to: Windows 7 SP1 & Windows Server 2008 R2 SP1.)

    1. Download and install the June 2016 Windows Update Rollup KB3161608 according to your OS version. *

    * Note: If the installation hangs: restart your computer, stop the Windows Update service and then install the update.

    • If after doing all these you still face high CPU or memory usage problems, then disable Windows Update completely or re-install Windows on your computer. If you use Windows 8 or Windows 8.1 you can also perform a system refresh.



  • Everest (Icode/Versata) ERP Users Group › Is there a way to kick user out from system

    https://groups.google.com/forum/#!topic/everest-erp/hS_6dJ-0LBA

    Thank you “Eddie”:

    There are two ways to kick people. There is no way that I have found or been privy to to automate it. If I recall correctly, I was told there is not a set timer within Everest for this.

    The first is in the bottom right corner, where you should see users:#/#. Click once on this and it should bring up the list of people logged in. Right-click within the popup from this and select clear all inactive users. This is not a guaranteed way to kick people but sometimes it will clear some. I have not looked into it more to see what the “timer” is to denote inactive, and from what I can tell it is hit or miss. Had the bossman leave his logged in for two days and could not clear inactive on him with this way. Anyhow, I strongly suggest you try this first. I’ll explain why in the next method.

    Method two is going into SSMS (SQL Server Management Studio)

    1> Connect to the SQL server with the Everest DB.
    2> Click “New Query”, which will populate a blank window.
    3> Under that button you will see a drop-down for databases. Select your company DB, i.e. EVEREST_XXX.
    4> Put: exec usp_clear_user 'XXX'  (replace XXX with the user login you are trying to kick)

    Will report success and the user will be kicked.

    If this does not work you will need to add the procedure for this.

    5 if needed> open new query

    place the following in and execute.

    _____________________________________

    use everest_GSI   -- Eddie's company database; use your own EVEREST_XXX name here
    go
    -- drop the old definition only if it already exists, so the first run does not error out
    if object_id('dbo.usp_clear_user', 'P') is not null
        drop procedure dbo.usp_clear_user
    go
    create procedure dbo.usp_clear_user
    @user varchar(100)
    as
    begin
    set nocount on

    -- session ids whose login name (attribute = 3) matches the given user
    select distinct uid into #temp from everest_system.dbo.everest_spm where attribute = 3 and value = @user
    -- release the user's semaphores first, then remove the session rows themselves
    delete from semaphor where client_id in (select uid from #temp)
    delete from everest_system.dbo.everest_spm where uid in (select uid from #temp)

    end
    go

    _____________________________________

    Go back to Query one and rerun: exec usp_clear_user 'XXX'

    (Side note: the procedure will only have to be created once.)

    The drawback of this method is that it will make Everest act funky on the user's end. You get the, ever so informative, error box with the yellow ! sign that tells you absolutely nothing. It does no damage to the app server, it just hoses up the user's program and will most likely need to be force closed on the user side. The higher the Everest version, the more likely this is to happen. I could do this on 5.0.2.6 and it would often let you just reconnect with no issue, but in the 6.X series the program locks every time on the user side and needs a force close.

    (ctrl+alt+del>task manager>end task on everest.exe)


  • Everest 2.1.0: The number of users that simultaneously access SDK cannot exceed the 5 user(s) for this license

    http://kcwebprogrammers.blogspot.com/2012/02/everest-number-of-users-that.html

    I have a client for which I use the Everest SDK to connect to the Everest database from a web application.  Last week, we started getting this error on the site:

    “The number of users that simultaneously access SDK cannot exceed the 25 user(s) for this license”

    Essentially, all 25 allowable connections were used up, so my web pages couldn’t connect to do anything.  So none of the pages on the site that connected to Everest would work.

    I thought that maybe I had a place in my code where I wasn’t closing a connection and the open connections had built up to 25.  The SDK has a Clear method to clear sessions, and can be accessed from the SDK object browser, so I figured I’d just go in there and clear some sessions.  The catch was that I couldn’t even log into the SDK object browser because there were no connections left to log in with.  We tried rebooting the Everest server, we tried rebooting the web server, but neither one cleared the sessions.

    Finally we filed a support ticket.  After a couple days, we received this reply:

    “I wanted to reach out to you to give you an update on your ticket.

    You wanted to remove user session of SDK.

    Please ensure all users are logged out from Everest.

    Please open SQL Server Management Studio and select database EVEREST_SYSTEM .

    Select ‘New Query’ and run the command “Delete from EVEREST_SPM” .

    That did the trick.  All connections were cleared and the web site was able to connect to Everest again via the SDK.  The support technician also said that SDK connections are not separate from normal Everest connections.  So that makes it sound like the problem could have been solved by just forcing a few Everest application users to log out.  Seems like the reboot would have done that.  But we’ll look into that solution more next time it happens.
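    The two posts above clear sessions either per user (Eddie's procedure) or by wiping EVEREST_SPM outright (the support reply). As an added example, not code from either post or from Everest, here is a more defensive version of the per-user clean-up: it only drops the procedure if it exists, refuses an empty login name, lists the sessions it is about to remove, defaults to a dry run, and wraps the two deletes in one transaction so semaphor and everest_spm cannot get out of step. Table and column names come from the posts; the database name EVEREST_XXX, the procedure name usp_clear_user_safe and the @dry_run switch are assumptions.

```sql
-- Added example, not from the original posts. Run in SSMS against the company
-- database (EVEREST_XXX is a placeholder; use the name shown in the database drop-down).
USE EVEREST_XXX;
GO

IF OBJECT_ID('dbo.usp_clear_user_safe', 'P') IS NOT NULL
    DROP PROCEDURE dbo.usp_clear_user_safe;
GO

CREATE PROCEDURE dbo.usp_clear_user_safe
    @user    VARCHAR(100),
    @dry_run BIT = 1   -- assumption: list only by default, so nothing is deleted by accident
AS
BEGIN
    SET NOCOUNT ON;

    -- Guard: an empty login name would match nothing useful; fail loudly instead.
    IF @user IS NULL OR LTRIM(RTRIM(@user)) = ''
    BEGIN
        RAISERROR('usp_clear_user_safe: @user must be a non-empty login name', 16, 1);
        RETURN;
    END

    -- Session ids for this login (attribute = 3 holds the login name, as in Eddie's procedure).
    SELECT DISTINCT uid
    INTO #sessions
    FROM everest_system.dbo.everest_spm
    WHERE attribute = 3 AND value = @user;

    -- Always show what would be removed so the operator can check before clearing anything.
    SELECT s.uid, spm.attribute, spm.value
    FROM #sessions AS s
    JOIN everest_system.dbo.everest_spm AS spm ON spm.uid = s.uid
    ORDER BY s.uid, spm.attribute;

    IF @dry_run = 1
    BEGIN
        PRINT 'Dry run: no rows deleted. Call again with @dry_run = 0 to clear the session(s).';
        RETURN;
    END

    -- Delete semaphores and session rows together; if either fails, neither is half-cleaned.
    BEGIN TRY
        BEGIN TRANSACTION;
        DELETE FROM semaphor WHERE client_id IN (SELECT uid FROM #sessions);
        DELETE FROM everest_system.dbo.everest_spm WHERE uid IN (SELECT uid FROM #sessions);
        COMMIT TRANSACTION;
        PRINT 'Cleared session(s) for ' + @user;
    END TRY
    BEGIN CATCH
        IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
        DECLARE @err NVARCHAR(2048);
        SET @err = ERROR_MESSAGE();
        RAISERROR(@err, 16, 1);   -- re-raise so the failure is visible in SSMS
    END CATCH
END
GO

EXEC dbo.usp_clear_user_safe @user = 'XXX';               -- inspect only
EXEC dbo.usp_clear_user_safe @user = 'XXX', @dry_run = 0; -- actually kick the user
```

    Unlike the blanket "Delete from EVEREST_SPM", this removes only the named login's rows, so other users and the SDK connections of the web application stay logged in.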


  • Disable TCP Auto-Tuning to Solve Slow Network

    netsh int tcp set heuristics disabled
    possible settings are: disabled,enabled,default (sets to the Windows default state)
    recommended: disabled (to retain user-set auto-tuning level)

    Note: this should be executed in an elevated command prompt (with admin privileges) before setting the autotuninglevel in the next section. If the command is accepted by the OS you will see an “Ok.” on a new line.

    TCP Auto-Tuning
    To turn off the default RWIN auto tuning behavior, (in elevated command prompt) type:

    netsh int tcp set global autotuninglevel=disabled

    The default auto-tuning level is “normal”, and the possible settings for the above command are:

    disabled: uses a fixed value for the tcp receive window. Limits it to 64KB (limited at 65535).
    highlyrestricted: allows the receive window to grow beyond its default value, very conservatively
    restricted: somewhat restricted growth of the tcp receive window beyond its default value
    normal: default value, allows the receive window to grow to accommodate most conditions
    experimental: allows the receive window to grow to accommodate extreme scenarios (not recommended, it can degrade performance in common scenarios, only intended for research purposes. It enables RWIN values of over 16 MB)


  • How to promote a domain controller to a global catalog server

    https://support.microsoft.com/en-us/kb/296882

    A global catalog server performs two key functions in Microsoft Windows 2000 domains:
    • When a user logs on to the network, the global catalog server provides universal group membership information for the account that sends the logon request to the domain controller.
    • The global catalog server lets a member of the domain find Active Directory directory service information regardless of the domain in the forest that contains the data.

    If a global catalog is not available when a user initiates a network logon process, the user can log on only to the local computer. There must be a global catalog server available so that users can log on and locate Active Directory resources. We recommend that you have at least one global catalog server per site to speed up these processes.

    If there is only one domain controller in the domain, the domain controller and the global catalog server are the same. If there is more than one domain controller in the domain, the domain controller that is configured as a global catalog server hosts the global catalog.

    MORE INFORMATION

    To promote a domain controller to a global catalog server, follow these steps:

    1. On the domain controller, click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
    2. In the console tree, double-click Sites, double-click the name of the site, and then double-click Servers.
    3. Double-click the target domain controller.
    4. In the details pane, right-click NTDS Settings, and then click Properties.
    5. On the General tab, click to select the Global catalog check box.
    6. Restart the domain controller.

    Promoting a domain controller to a global catalog server can take a long time. When the domain controller restarts, make sure that there is sufficient time for the account and the schema information to replicate to the new global catalog server before you remove the original global catalog from the original domain controller.

    Note When the account and the schema information replicate to the new global catalog server, event 1119 may be logged in the Directory Services log on the domain controller. The event description states that the computer is now advertising itself as a global catalog server.

    In a Windows 2000 domain with only one domain controller, you typically assign the roles of the global catalog and of the operations master (also known as flexible single master operations or FSMO) to the same domain controller. However, in domains with multiple domain controllers, consider the placement of these roles before you assign them. This is particularly important in forests with multiple domains. For additional information about the placement of the operations master, click the following article number to view the article in the Microsoft Knowledge Base:

    223346 FSMO Placement and Optimization on Windows 2000 Domains

  • Removing a Domain Controller from a Domain

    https://technet.microsoft.com/en-us/library/cc771844(v=ws.10).aspx

    Applies To: Windows Server 2008, Windows Server 2008 R2

    The procedures in this section describe the methods for removing a Windows Server 2008 or Windows Server 2008 R2 domain controller from a domain:

    After AD DS is removed, the DNS server role remains installed and running if it was previously installed on the domain controller. But any Active Directory–integrated DNS zones that were installed are removed. By default, the AD DS removal process also attempts to remove the Domain Name System (DNS) delegations for the zones that point to the domain controller.

    If the DNS server no longer serves any purpose after you remove AD DS, use Remove Roles Wizard to remove DNS server role. If you remove the DNS server role, you must reconfigure any DHCP scopes and DNS clients that resolved against this DNS server to use a suitable alternative (typically, another DNS server running on a domain controller within the same domain).

    You can use the Active Directory Domain Services Installation Wizard to remove a domain controller from an existing domain.

    Administrative credentials

    To perform this procedure, you must be a member of the Domain Admins group in the domain.

    1. Click Start, click Run, type dcpromo, and then press ENTER.
    2. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
    3. If the domain controller is a global catalog server, a message appears to warn you about the effect of removing a global catalog server from the environment. Click OK to continue.
    4. On the Delete the Domain page, make no selection, and then click Next.
    5. If the domain controller has application directory partitions, on the Application Directory Partitions page, view the application directory partitions in the list, and then remove or retain application directory partitions, as follows:
      • If you do not want to retain any application directory partitions that are stored on the domain controller, click Next.
      • If you want to retain an application directory partition that an application has created on the domain controller, use the application that created the partition to remove it, and then click Refresh to update the list.
    6. If the Confirm Deletion page appears, select the option to delete all application directory partitions on the domain controller, and then click Next.
    7. On the Remove DNS Delegation page, verify that the Delete the DNS delegations pointing to this server check box is selected, and then click Next.
    8. If necessary, enter administrative credentials for the server that hosts the DNS zones that contain the DNS delegation for this server, and then click OK.
    9. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.
    10. On the Summary page, to save the settings that you selected to an answer file that you can use to automate subsequent operations in Active Directory Domain Services (AD DS), click Export settings. Type a name for your answer file, and then click Save. Review your selections, and then click Next to remove AD DS.
    11. On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
    12. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS removal when you are prompted to do so.
    13. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.
    14. In Roles Summary, click Remove Roles.
    15. If necessary, review the information on the Before You Begin page, and then click Next.
    16. On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.
    17. On the Confirm Removal Selections page, click Remove.
    18. On the Removal Results page, click Close, and then click Yes to restart the server.

    Removing a domain controller from a domain where other domain controllers exist requires only Domain Admin credentials. You can also create the password for the local Administrator account for the member server. If you do not specify the password in the answer file, the administrator password is blank.

    If you are removing AD DS permanently, uninstall the AD DS server role binaries from the server after you remove AD DS from the domain controller. To remove the AD DS server role binaries, use the dcpromo /uninstallbinaries command.

    Administrative credentials

    To perform this procedure, you can use any account that has Read and Write credentials for the text editor application.

    1. Open Notepad or any text editor.
    2. On the first line, type [DCINSTALL], and then press ENTER.
    3. Create the following entries, one entry on each line. For a complete list of parameters for removing AD DS, see Demotion Operation or type dcpromo /?:Demotion at a command line.

      username=<administrative account in the domain>

      userdomain=<domain name of the administrative account>

      password=<password for the account in UserName>

      administratorpassword=<local administrator password for the server>

      removeapplicationpartitions=yes

      removeDNSDelegation=yes

      DNSDelegationUserName=<DNS server administrative account for the DNS zone that contains the DNS delegation>

      DNSDelegationPassword=<Password for the DNS server administrative account>

    4. Save the answer file to the location on the installation server from which it is to be called by dcpromo, or save the file to a network shared folder or removable media for distribution.

    Administrative credentials

    To remove a domain controller, you must be a member of the Domain Admins group.

    • At an elevated command prompt, type the following command, and then press ENTER:

      dcpromo /unattend:"<path to the answer file>"

    You can run dcpromo /unattend command on a domain controller to perform an unattended removal of AD DS. If you are removing AD DS permanently, uninstall the AD DS server role binaries from the server after you remove AD DS from the domain controller. To remove the AD DS server role binaries, use the dcpromo /uninstallbinaries command.

    For a complete list of parameters for removing AD DS, see Demotion Operation or type dcpromo /?:Demotion at a command line.

    • At an elevated command prompt, type the following command, and then press ENTER:

      dcpromo /unattend /username:<domain admin> /userdomain:<domain> /password:<DA password> /administratorpassword:<local admin password>

      Where:

      • domain admin is the name of an account that is a member of the Domain Admins group.
      • domain is the name of the domain for the domain controller.
      • DA password is the password for the account that is a member of the Domain Admins group.
      • local admin password is the password that will be used for the local administrator account on the server after AD DS is removed.

      The following example removes a domain controller from a domain named contoso.com, removes the AD DS server role binaries, and sets the local administrator password to p@$$w0rd:

      dcpromo /unattend /username:DA1 /userdomain:contoso.com /password:DA1_password /administratorpassword:p@$$w0rd