Hard Drive appears full; shouldn’t be

Occasionally I’ll come across a drive using a disproportionate amount of space considering its content.  Sure, Office uses more disk space than you expect, and nobody really remembers where that DVD rip ended up.  But when your drive appears 99% full out of nowhere, it’s time to do a little digging and figure out what went wrong.

Today my 250GB system drive was 99% full.  I could CTRL-A the visible folders and see about 70GB of used space.  Similarly, if I CTRL-A with hidden folders shown, I will have about 82GB used.  WinDirStat doesn’t shine any light on this; it’s telling me I have 82GB used on this drive.

Next step,  CHKDSK from elevated command prompt.  Reboot, CHKDSK runs, no errors.  Same 99% disk usage.

CCleaner doesn’t find any temp files, downloaded files, Windows update files, or internet cache to delete.  Nor does Windows Disk Cleanup.

Now I’m getting concerned: there are no hidden files, no temp files, nothing I can see that is using up that extra 130GB of space on my drive.  I decide to do what I know not to do:  run Disk Defrag.

Every SysAdmin and every PC enthusiast knows not to defrag an SSD.  The drive's flash translation layer remaps logical blocks to physical pages as it sees fit, so the contiguity the OS sees means nothing, there is no seek penalty to eliminate, and the extra writes only burn through the cells' limited erase cycles.  But I’ve tried almost everything, and I like visual applications.

Disk Defrag instantly shows me what I should have known:  I have a Recovery folder on the root of C:\ with no attributes.  I can’t view it in Explorer (access denied), and changing the attributes doesn’t help (access denied again).

This was a folder I use when recovering or undeleting data from external drives.  I know how deep this folder goes (hundreds of characters) and I’ve had no luck using subst to map this folder to a letter drive.

So, another third party tool to the rescue:  Unlocker!  Be sure to download from MajorGeeks or FileHippo and be careful to avoid the PUPs it may be bundled with.

Unlocker has a command line option and here are the switches:


I just CD to c:\ and type

"c:\program files\unlocker\unlocker.exe" c:\recovery -D

and wait a few minutes for it to delete the folder and its contents (the path contains a space, so it has to be quoted).  Now the c:\ drive has almost 50% free space and all is well.

One caveat before pointing a tool like this at C:\Recovery on Windows 7 or later: that path is also where Windows keeps its own Recovery Environment (Recovery\<GUID>\winre.wim on Windows 7, Recovery\WindowsRE on Windows 8), protected by exactly this kind of ACL.  Confirm the folder is your recovery dump and not the system's before deleting it.
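The underlying problem is that every size tool here (Explorer, WinDirStat, CCleaner) runs as the logged-on user and simply skips what it cannot enter.  The script below is an added example, not from the original post: it walks a volume, totals what it can see, lists every directory it could not enter, and compares the total with the volume's used bytes so the unaccounted space is a number rather than a feeling.  Run it from an elevated prompt; anything still in the denied list is invisible to WinDirStat for the same reason.  Windows PowerShell 5.1 also fails on paths over 260 characters, so a very deep tree like the one described above lands in the same list.

```powershell
# Added example, not from the original post. Walks a volume as the current user,
# totals every file it can see, and records each directory it could not enter.
function Measure-UnaccountedSpace {
    param([string]$Root = 'C:\')

    $seen   = [long]0
    $denied = New-Object System.Collections.Generic.List[string]
    $stack  = New-Object System.Collections.Generic.Stack[string]
    $stack.Push($Root)

    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        try {
            $items = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop)
        } catch {
            # UnauthorizedAccessException (ACL) or PathTooLongException (deep tree):
            # either way this directory's contents are not in any size tool's total.
            $denied.Add("$dir  [$($_.Exception.GetType().Name)]")
            continue
        }
        foreach ($item in $items) {
            if ($item.PSIsContainer) {
                # Junctions and symlinks would loop or double count; skip them.
                if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) { continue }
                $stack.Push($item.FullName)
            } else {
                $seen += $item.Length
            }
        }
    }

    $vol = Get-PSDrive -Name $Root.Substring(0, 1)
    [pscustomobject]@{
        Volume        = $vol.Root
        UsedBytes     = $vol.Used
        SeenBytes     = $seen
        # Never exactly zero: the MFT and shadow-copy storage count as used but
        # are not regular files. Tens of GB means a folder you cannot see into.
        UnaccountedGB = [math]::Round(($vol.Used - $seen) / 1GB, 1)
        DeniedDirs    = $denied
    }
}

$report = Measure-UnaccountedSpace -Root 'C:\'
$report | Select-Object Volume, UsedBytes, SeenBytes, UnaccountedGB | Format-List
$report.DeniedDirs
```

Whatever shows up in DeniedDirs is the place to look.  The built-in alternative to a third-party deleter is to take ownership and grant yourself rights first (takeown /f <path> /r /d y, then icacls <path> /grant Administrators:F /t), after which an ordinary rmdir /s works and nothing bundled with a download has to run as Administrator.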


Getting and Setting Hostname and IP address in Server 2012

First things first:  your server needs a name and a static IP address.

Setting the hostname in Server 2012 is easy enough (just use the command prompt or Powershell, this only takes a second!)

To set the IP address:

netsh interface ip set address name="Ethernet" static <IPAddress> <SubnetMask> <Gateway>

Here name="Ethernet" selects the existing adapter by its connection name (the default on Server 2012 is "Ethernet"; run netsh interface show interface if yours differs), static sets the address type (always static for servers), and the remaining arguments are the address, subnet mask and default gateway.

To set the hostname:

netdom renamecomputer %computername% /newname <NewName>

Here, use the netdom command to give your server a meaningful name according to your naming convention.  The syntax is netdom renamecomputer <currentComputerName> /newname <newName>; the new name takes effect after a reboot (add /reboot to restart immediately).  Use the system variable %computername% so you don't have to retype Windows' default name for new servers, which is usually a strange random string of characters.


To confirm your settings “stuck”, check them out with ipconfig and hostname:
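The post uses netsh and netdom; the same two steps and the same check in the NetTCPIP and Rename-Computer cmdlets that ship with Server 2012 look like this.  This is an added example, not from the original post.  Every value is a placeholder (192.0.2.0/24 is the RFC 5737 documentation range); substitute your own.

```powershell
# Added example, not from the original post: static IPv4, hostname, and the
# verification step, using the cmdlets that ship with Server 2012.
$IfAlias = 'Ethernet'
$Address = '192.0.2.10'      # placeholder
$Prefix  = 24                # 255.255.255.0
$Gateway = '192.0.2.1'       # placeholder
$Dns     = '192.0.2.5'       # placeholder: the domain controller, once there is one
$NewName = 'SRV-EXAMPLE-01'  # placeholder

# 1. Static IPv4. Turn DHCP off and drop the lease-assigned address and its
#    default route first; New-NetIPAddress refuses to add a second default gateway.
Set-NetIPInterface -InterfaceAlias $IfAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $IfAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $IfAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $Address -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $Dns

# 2. Hostname. Like netdom, Rename-Computer only stages the name; the reboot
#    applies it. The pending value is readable in the registry before then.
Rename-Computer -NewName $NewName -Force

# 3. Confirm the settings "stuck" before rebooting.
Get-NetIPConfiguration -InterfaceAlias $IfAlias |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
$pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
"hostname now: $env:COMPUTERNAME, after reboot: $pending"
Restart-Computer
```

Run it in an elevated PowerShell session on the console or a VM console, not over a remote session: the address change drops your connection.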



Enabling Remote Desktop Connection in Server 2012

Installing Windows Server 2012 can be simple enough, especially if you are experimenting with a virtual machine.

After renaming the machine and getting it connected to the network, how do you enable RDP?  As with many features in the new Windows family, there are at least 3 ways to get RDP enabled on your new Server 2012 installation.  As with any administrative task, make sure you are logged on as an administrative user to make these changes.

First, my favorite approach:  hit Win+R to open the Run prompt, type either “sysdm.cpl” or “SystemPropertiesRemote” and click “OK”.  Either name also works typed into PowerShell or a command prompt.

Click the “Remote” tab (you will already be here if you chose “SystemPropertiesRemote”)

Click “Allow remote connections to this computer”

You will be presented with a firewall warning, click OK:

Leave “Allow connections only from computers running Remote Desktop with Network Level Authentication” checked.  NLA makes the client authenticate before the server builds a session, which keeps unauthenticated clients off the logon screen entirely, and every Windows Vista or later client supports it, so Windows 7 machines connect without any change.  Only uncheck it in a throwaway lab where some older client cannot connect otherwise.

Click OK, and your Windows Server 2012 installation is RDP-enabled.

2. Command Line
None of the above will help you if you’ve chosen either a minimal or Core installation.

Luckily, there is a single line that turns on RDP in Server 2012 Full or Core editions (scregedit.wsf lives in %windir%\system32, so run it from there):

cscript scregedit.wsf /ar 0


That’s it.  To view your RDP settings, use cscript scregedit.wsf /ar /v; to turn off RDP, type cscript scregedit.wsf /ar 1; and cscript scregedit.wsf /cs 1 requires Network Level Authentication, the same checkbox as in the GUI above (/cs 0 allows any client).
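Both the Remote tab and scregedit.wsf are front ends for two registry values and a firewall rule group.  The following is an added example, not from the original post: it sets those directly with NLA left on, opens only the built-in Remote Desktop rule group rather than TCP 3389 at large, and verifies the result.  It works on Full and Core; run it elevated.

```powershell
# Added example, not from the original post: enable RDP with NLA and verify.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections 0 = "Allow remote connections to this computer" (scregedit /ar 0)
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
# UserAuthentication 1 = require Network Level Authentication (scregedit /cs 1)
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# The firewall warning in the GUI refers to this rule group. Enabling the group
# is narrower than a custom "allow 3389" rule and follows profile changes.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Verify all three, plus that the listener is actually up.
[pscustomobject]@{
    RdpAllowed  = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    NlaRequired = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
    FwRulesOn   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True').Count
    Listening   = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}
```

Only Administrators and members of Remote Desktop Users can connect; on Server 2012 add a non-admin with net localgroup "Remote Desktop Users" DOMAIN\user /add rather than handing out admin rights for RDP access.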

Can’t add Workstation to Server 2012 or Server 2008 Domain

I’ve run into this a handful of times:  new server, new workstation, new domain.  No existing accounts for the workstation in AD, pings and traceroute resolve OK.  I have valid credentials.  I even get the authentication prompt when I try to add the workstation to the new domain… but the workstation just won’t join to the new Server domain I’ve created.


The workstation can find a domain controller by NetBIOS name (this is why you actually see the authentication prompt) but can’t resolve the domain in DNS.  What could be wrong?  DNS: joining needs the domain’s SRV records, which only the domain’s own DNS server (normally the DC) has, and the workstation is still using the router or ISP resolver it picked up from DHCP.

While there are other workarounds, I’ve found this to be the simplest: add your domain controller as the only static DNS server.

In the system tray, right-click the network icon and select “Network and Sharing Center” (the left-click doesn’t work the way it did in Windows 7)

Click “Change adapter settings”


Right-click your Ethernet adapter, click “Properties”


Click “Internet Protocol Version 4” then “Properties” (or double-click it)


If you have a network connection and can reach your AD server, leave “Obtain an IP address automatically” selected.
On to DNS settings:  select “Use the following DNS server addresses”, enter your AD server’s address as the preferred DNS server (mine was shown in the screenshot) and hit “OK”.


Now try adding the machine to the domain using the above steps, and…


Reboot and log in to your domain.
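Rather than finding out at the credential prompt, you can test the DNS side first.  The script below is an added example, not from the original post: it checks whether each DNS server the client currently uses can answer the DC locator query, switches the client to the DC, re-checks, and then performs the join from PowerShell.  The domain name, DC address and join account are placeholders.

```powershell
# Added example, not from the original post: DNS check, DNS fix, domain join.
$Domain  = 'corp.example.com'   # placeholder
$DcDns   = '192.0.2.5'          # placeholder: the domain controller
$IfAlias = 'Ethernet'

function Test-DomainDns {
    param([string]$Domain, [string]$Server)
    # A join needs the DC locator SRV record. Only the domain's own DNS has it;
    # a router or ISP resolver returns NXDOMAIN, which is the failure in this post.
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -ErrorAction Stop |
            Where-Object Type -eq 'SRV' |
            ForEach-Object { [pscustomobject]@{ DnsServer = $Server; DC = $_.NameTarget; Port = $_.Port } }
    } catch {
        Write-Warning "$Server cannot resolve the DC locator record for ${Domain}: $($_.Exception.Message)"
    }
}

# 1. What the client is using now (usually the DHCP-handed router or ISP resolver).
$current = (Get-DnsClientServerAddress -InterfaceAlias $IfAlias -AddressFamily IPv4).ServerAddresses
$current | ForEach-Object { Test-DomainDns -Domain $Domain -Server $_ }

# 2. Make the DC the only DNS server; the IP address itself can stay on DHCP.
Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $DcDns
Clear-DnsClientCache
Test-DomainDns -Domain $Domain -Server $DcDns
nltest /dsgetdc:$Domain      # the DC locator's own answer; errors loudly on a DNS miss

# 3. Join with a delegated join account rather than a domain admin, then reboot.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\joinsvc") -Restart
```

If internet names stop resolving after the switch, the fix belongs on the DC: give its DNS server a forwarder, rather than adding the ISP resolver back as a secondary on the client, since clients do not fall back per query and a secondary that cannot answer SRV lookups reintroduces the original failure intermittently.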

Unified… with Windows Live Essentials

I know it’s uncool to appreciate Microsoft products.  From the advent of Windows 95 to the Supreme Court hearings to the (rightfully) dismal reception of Windows Me, Microsoft has had a hard time coming out from under the crushing stigma of being one of the world’s largest software companies.  The fashionable trend, of course, is to be an adoring follower of anything and everything Apple.  To go full-on geek hipster you’ll have to skip right over Linux and go to BSD, but I digress.

But it’s hard to imagine a product like SongSmith being anything less than an ingenious, visionary quantum leap in artistic computing – had Apple thought of it first.  Nobody considers Automatic Updates (now Windows Update) a beloved sentry of stability, security and performance, but Apple’s Software Update seems to get a pass for its own time-wasting annoyance.  When a new version of Windows is released, you can hear the collective exasperated sigh as users contemplate new drivers, program compatibility issues and, of course, the learning curve.  By contrast, an Apple “upgrade” is waited on with bated breath by the Applerati as if each line of code were personally tapped out and hand-delivered by God himself.

So let’s give the big, evil monolith some credit.  Windows Media Player is vastly improved since version 9.  Windows 7 is to Windows Vista what Windows XP was to Windows Me*.  The performance and driver support in 7 pretty much took the steam out of Apple’s “It Just Works” campaign – at the expense of a few more gigabytes of drive space, of course – and that’s a fair exchange for being able to upgrade any piece of hardware in your computer at any time, with hundreds of vendors and thousands of products to choose from.   

And on to Windows Live Essentials.  Here is a package of lean, focused, stable and FREE applications I can (and do) use.  Microsoft wised up after 15 years of jamming nearly every type of application into the default installation of its flagship OS and made Windows 7 the first version of Windows to have less included software than its predecessor.  With Windows 7, the end user can choose to install (or not install) the Messenger, Live Writer, Skydrive and Movie Maker apps.  For 99% of what I use it for, Photo Gallery is 99% as good as Picasa. Live Mail is prettier and more stable than Outlook Express. Movie Maker is as good as PowerDirector Express for simple video editing and transition effects. I don’t care for the enormous window of the new Messenger, so I rarely use it.  Windows Live Essentials does have a facebook page, and I “like” it.

There isn’t a whole lot of innovation in these basic apps: they are what they are, basic apps.  They aren’t cutting-edge, professional software but they are seamlessly integrated and perfectly compatible with more than 90% of the computers sold today (that is, Windows computers).  And for what they are, Windows Live Essentials offers a whole lot… for free!

* Windows 8… meh.  Let’s see what happens with the inevitable, magical SP2.

Recover NT4 filesystem after NTOSKRNL.EXE error

Our voicemail system died after what may have been a power blip.  Black screen, “ntoskrnl.exe not found”.


This is a Nortel CallPilot NT4 Workstation system on a Nortel Meridian rack.  Essentially, it’s a motherboard and CPU with a parallel IDE hard drive mounted on the chassis.  Knowing this particular error from the past, I thought I could repair it with Windows NT Setup repair option.  I had three very big problems:

1. This is a Windows NT4 system, so the chance of outside help was slim to none. 

2. There is no CD drive and no way to connect one.

3. This system does not have USB either, and USB boot support in a system this old was not a hopeful proposition.  The only peripheral is a SCSI tape drive for the voicemail backups. 

We do have backups of the voicemail system on tape, but no extra parallel drives to clone this one (for a backup of the original system) and of course no time to rebuild it (system setup takes 6-8 hrs according to our fabulous Nortel tech).  I pulled the drive from the blade and connected it to my laptop with an external reader and power supply.  We found a Windows NT4 CD in the archives.  Maybe we can fix this manually?


Here’s what the first partition on the system looked like:


See anything missing?  This should be the Windows partition, but there’s no Windows directory (or Win4, or NT4, or WINNT).  Hopefully there’s a clue somewhere in that OSSetup.log file


… and there is!  This is the OS drive.  The WINNT folder is missing, along with all its subfolders.

Running a chkdsk on the drive resulted in a handful of the dreaded found000x.chk files which, as we all know, may or may not contain anything useful.  With an entire Windows directory missing, I’m betting there is something useful in there.

Out of an abundance of caution I’m setting up a NT4 VM to confirm the folder hierarchy is what I remember it to be.

The setup process offers some hope (the default Windows directory name is “WINNT”).


Enjoy some LOL at the simple CD key (remember, this is years before “Product Activation”)


Here’s what the WINNT folder should look like.  I’m looking for folders named Config, Profiles, system, and system32. 


Back to the drive.  I searched for the ntoskrnl.exe file we know is supposed to be in a \system32 folder. 

NTOSKRNL.exe is there, but hidden in a .chk folder


Right-click and open file location, you can browse .chk folders this way in Windows 7.


… and it looks like “found.000\dir0001.chk\” is actually the System32\ folder.  I made a WINNT folder on the drive and a \system32\ folder inside that.


found.000\dir0000.chk\Profiles is the c:\winnt\Profiles folder, so I moved that as well.


found.000\dir0000.chk is the remainder of the contents of the WINNT folder.  Moved it to the WINNT folder.


Cross my fingers and plug it all back in.  It boots!  We don’t see the ntoskrnl.exe error anymore, but we see that a rather important folder is missing.  Herp a derp, I didn’t recover the Windows registry… the Config folder is empty.


Back to my desk with the drive.  I searched for a file called SECURITY (or DEFAULT, or SAM).  It turns out found.000\dir0002.chk\ is the system32\config folder.  May as well replace that too.


I replaced the drive, plugged it into the Meridian rack and… we have Windows!  CallPilot starts up, voicemail is back.  This system will be backing up to disk from now on.
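The manual part of this recovery was working out which DIRxxxx.CHK directory had been which folder under WINNT, by searching for files known to live in each.  The script below is an added example, not from the original post: it does that fingerprinting for every DIR*.CHK in a FOUND.000 folder so the mapping is known before anything is moved.  The marker lists assume a standard NT4 layout (system32\config holds SAM, SECURITY, SYSTEM, SOFTWARE; system32 holds ntoskrnl.exe; Profiles holds Administrator, All Users, Default User) and the drive letter is a placeholder.

```powershell
# Added example, not from the original post: map chkdsk's DIRxxxx.CHK
# directories back to their WINNT folders by the files they contain.
$Found = 'E:\FOUND.000'   # placeholder: the recovered drive as mounted on the workstation

# Target folder -> files that identify it. Most specific first; first match wins.
$Markers = [ordered]@{
    'WINNT\system32\config' = @('SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT')
    'WINNT\system32'        = @('ntoskrnl.exe', 'hal.dll', 'ntdll.dll', 'config')
    'WINNT\Profiles'        = @('Administrator', 'All Users', 'Default User')
    'WINNT'                 = @('explorer.exe', 'win.ini', 'system.ini', 'system32')
}

function Resolve-ChkDirectory {
    param([string]$Path)
    # Names only; -contains is case-insensitive, which suits NT's filesystems.
    $names = @((Get-ChildItem -LiteralPath $Path -Force).Name)
    foreach ($target in $Markers.Keys) {
        $hits = @($Markers[$target] | Where-Object { $names -contains $_ })
        # Two independent markers before we trust a match; one name can be a coincidence.
        if ($hits.Count -ge 2) {
            return [pscustomobject]@{ Chk = $Path; BelongsTo = $target; Evidence = ($hits -join ', ') }
        }
    }
    [pscustomobject]@{ Chk = $Path; BelongsTo = '?'; Evidence = '' }
}

Get-ChildItem -LiteralPath $Found -Directory -Filter 'DIR*.CHK' |
    ForEach-Object { Resolve-ChkDirectory -Path $_.FullName } |
    Format-Table -AutoSize
```

Anything that comes back as "?" needs a look by hand, and a directory that matches WINNT\system32 but whose config subfolder is empty is the registry-missing case described above: the hives are in a separate DIRxxxx.CHK and must be moved into place as well.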

Thanks to Dylan for finding the NT4 CD and reminding me that IDE drives require power.  Thanks to Danny for finding the Administrator password and for moral support!

Hope you enjoyed the read.

That Damned Whistler Bootkit

Worse than a 404 error or a “Wireless Network Not Found” notification, more horrifying than any Trojan or worm (short of CryptoLocker); more confounding and infuriating than any popup ad, reappearing toolbar or spyware… your computer has a problem.  It’s infected with something, and it’s a bootkit.

“What’s a bootkit?  You mean rootkit, right?”  No, it’s a bootkit, and here’s the difference:  a rootkit is subversive, usually malicious, code designed to hide its presence and resist removal.  Typically it entrenches itself through the Windows registry or hooks the Windows or Linux kernel. Modern rootkits can steal passwords and files, turn your computer into a spam-bot or transparently log your keystrokes.  There are legitimate uses for rootkit techniques, but most of these are “legitimate” in the same way flamethrowers are “legal” in most states. Many rootkits are detected and removed by consumer-grade antivirus and antispyware programs; free removal tools include Malwarebytes’ Anti-Malware and AVG Anti-Rootkit Free.

A bootkit is similar in purpose but far harder to detect and remove.   It lives in the master boot record (the first sector of the disk), so its code runs before the Windows loader, before any user logs on and before your antivirus starts.  From there it hooks the boot process and patches the kernel or loads its own driver as Windows comes up, which puts it in kernel mode rather than merely running as an administrator, and lets it sidestep driver signature enforcement on 64-bit machines.  Because it is already in place when the operating system starts, neither the OS nor the antivirus sees a file to scan, even in Safe Mode.  Scary, huh?

There are a few fairly accurate ways I’ve come across in detecting bootkit activity without a utility (this assumes, of course, that you have already resolved the mouse chatter, screen flicker, pop-ups and browser redirects): 

  • Random music or internet commercials play – and iexplore.exe respawns in Task Manager without a parent window. 
  • Network connections intermittently lock up for a few seconds at a time, booting network users from network drives, applications or printers.
  • Blue- or black-screen startups even though your antivirus, antimalware and Scandisk reveal no errors; Event Viewer logs are a dead end; your errors seem tied to power supply, video or network drivers and you’re sure your hardware is fine.
  • After your antivirus does remove a stubborn infection, your machine fails to boot with messages such as “Missing Operating System” or “Primary Boot Drive Not Detected”.

So how do you remove a bootkit?  There are third-party utilities to detect and remove bootkits, but I’ve had mixed success with them.  MBRCheck is very effective at detecting an infected MBR, but for the removal itself the most straightforward method is the command prompt:  you need to write yourself a new MBR.

How to write yourself a new MBR in XP, Vista or 7… coming soon.
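Until that post, here is the detection side in a form you can run anywhere: an added example, not from the original post and not MBRCheck's code, that reads the first sector of a disk, confirms the 55 AA signature, hashes the 440 bytes of boot code, checks for the three error strings that the standard Microsoft MBR code carries, and decodes the partition table.  It never writes.  Run it elevated; disk 0 is assumed, and the optional baseline file is a hash you saved from the same machine while it was known clean.

```powershell
# Added example, not from the original post: read-only MBR inspection.
function Get-MbrReport {
    param([int]$DiskNumber = 0, [string]$BaselineHashFile)

    $path = "\\.\PhysicalDrive$DiskNumber"
    $fs = New-Object IO.FileStream($path, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $mbr = New-Object byte[] 512
        if ($fs.Read($mbr, 0, 512) -ne 512) { throw "short read from $path" }
    } finally { $fs.Dispose() }

    # Layout: 0..439 boot code, 440..443 disk signature, 446..509 partition table, 510..511 = 55 AA
    [byte[]]$code = $mbr[0..439]
    $sha   = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($code)).Replace('-', '')
    $ascii = [Text.Encoding]::ASCII.GetString($mbr, 0, 440)
    # Standard Windows MBR code contains these three messages; replaced code usually does not.
    # A heuristic only: a bootkit can keep them, and non-Microsoft boot managers lack them legitimately.
    $missing = @('Invalid partition table', 'Error loading operating system', 'Missing operating system' |
        Where-Object { $ascii -notlike "*$_*" })

    $parts = foreach ($i in 0..3) {
        $e = 446 + 16 * $i
        [pscustomobject]@{
            Index    = $i
            Active   = $mbr[$e] -eq 0x80
            Type     = '0x{0:X2}' -f $mbr[$e + 4]    # 0xEE = protective MBR, disk is GPT/UEFI
            StartLba = [BitConverter]::ToUInt32($mbr, $e + 8)
            Sectors  = [BitConverter]::ToUInt32($mbr, $e + 12)
        }
    }

    [pscustomobject]@{
        Disk              = $path
        ValidSignature    = ($mbr[510] -eq 0x55 -and $mbr[511] -eq 0xAA)
        BootCodeSha256    = $sha
        MatchesBaseline   = if ($BaselineHashFile) { (Get-Content $BaselineHashFile).Trim() -eq $sha } else { $null }
        MissingStdStrings = $missing
        Partitions        = @($parts | Where-Object Type -ne '0x00')
    }
}

$r = Get-MbrReport -DiskNumber 0
$r | Format-List
```

Save BootCodeSha256 from a clean machine and compare later; a changed hash with the standard strings gone is the same signal MBRCheck reports.  Rewriting the code itself is fixmbr from the XP Recovery Console or bootrec /fixmbr from the Vista/7 Recovery Environment command prompt; both replace only the boot code and leave the partition table alone.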

Office 2013 Start Screen, Themes and that Weird “Smooth Text” Feature

Office 2013 is what we’d call a “productivity” application.  Which leads me to wonder why Microsoft keeps sticking these road bumps in the way of… you know, getting productive.

One of my least favorite features is the first thing you see when you open an Office 2013 application – the start screen.  Never mind that Word takes an additional 5-10 seconds to load now (find a copy of Office 2003 if you don’t believe me – there is absolutely no lag time, it starts instantly).  Your first view is the insulting “Start Screen”, a continuous reminder that Microsoft really cares “what do you want to do today?”


Let’s get rid of it.

Open a blank document, then hit File –> Options and stay on the General tab.

And there it is, plain as day.  Under “Start up options”, uncheck “Show the Start screen when this application starts”.

This also works with Excel and other Office applications.


While we’re in here, let’s get rid of that ridiculous theme and do something about that horribly washed out look of this program (whoever thought light gray on white was a good contrast scheme should be taken out and shot).

Those silly decorations are good for nothing.  The minimalist window resize buttons are hard enough to see as it is.

Choose “No Background” and “Dark Gray” for the Office Theme.


I sure wish Microsoft had more options for themes.  I’ve never had so many uninstall requests as the month my company rolled out Office 2013 – all because of the color scheme.


Last, let’s talk about that weird animated-typing thing.  It used to be that your cursor would progress to the next space as soon as you typed a character.  Not anymore!  Microsoft is sure you want the cursor to smoothly drag across the page as you type, in direct contrast to the action of typing a single character on a keyboard.

This, unfortunately, is a Windows setting. 

  • Go to your system properties (Windows Key + R, type “sysdm.cpl”)
  • Go to the Advanced tab and click “Settings” under Performance
  • Click “Custom” to change individual settings, and uncheck “Animate controls and elements inside windows”

OK your way out of System Properties.


You’ll have to log off and back on for the settings to take effect, but now your cursor will advance one space with each keystroke as it used to.
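If you are rolling this out across a company rather than clicking through File –> Options on every machine, all three tweaks are per-user registry values.  The script below is an added example, not from the original post.  It uses the Office 2013 (15.0) hive: DisableBootToOfficeStart per application for the Start screen, UI Theme under Common for the theme (0 White, 1 Light Gray, 2 Dark Gray), and DisableAnimations under Common\Graphics, which is Office's own switch for the typing animation and leaves the Windows-wide visual effects alone.  The Office Background picture is tied to the signed-in account and is not covered.

```powershell
# Added example, not from the original post: Office 2013 Start screen, theme
# and animation settings as per-user registry values.
$office = 'HKCU:\Software\Microsoft\Office\15.0'

function Set-RegDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
}

# 1. No Start screen, per application ("Show the Start screen when this application starts")
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-RegDword -Key "$office\$app\Options" -Name DisableBootToOfficeStart -Value 1
}

# 2. Office Theme: 0 = White, 1 = Light Gray, 2 = Dark Gray
Set-RegDword -Key "$office\Common" -Name 'UI Theme' -Value 2

# 3. Typing/cursor animation off, Office-wide, without touching sysdm.cpl
Set-RegDword -Key "$office\Common\Graphics" -Name DisableAnimations -Value 1

# Check (Office reads these at startup, so close and reopen the application)
Get-ItemProperty "$office\Word\Options"     | Select-Object DisableBootToOfficeStart
Get-ItemProperty "$office\Common"           | Select-Object 'UI Theme'
Get-ItemProperty "$office\Common\Graphics"  | Select-Object DisableAnimations
```

Run it in the user's own session (a logon script, for example), since HKCU is per user; for a managed fleet the equivalent Group Policy settings in the Office 2013 ADMX templates are the cleaner route.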

NACHA “ACH Transaction Canceled” Email… Fraud!

Here’s one from the vault:  I used to regularly receive emails with the ominous subject line “ACH transfer rejected”:

The ACH transfer (ID: 2010xxxxxxxxxx), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transfer
Transaction ID: 2010xxxxxxxxxx
Rejection Reason: See details in the report below
Transaction Report: report_20102828938591.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA – The Electronic Payments Association

Now, my first indications that these emails might not be completely legit were the default font (it showed up in Times New Roman) and an email address showing up in the Sender’s name field (as opposed to the name of a person or department).  Another indication was the double file extension on the transaction report (.pdf.exe). 

I decided to do a little research.  First, my bank account had no activity at all for the previous three days, and in fact no payment had been initiated or rejected.  I was safe.  But wait… what is this “NACHA”, and why haven’t I ever heard of this ELECTRONIC PAYMENTS ASSOCIATION?

NACHA is in fact a real association: it writes and enforces the operating rules for the ACH network.  “ACH” is the initialism you’ve seen on your bank statement next to a direct deposit or an electronic bill payment; it stands for “Automated Clearing House”, the batch system through which banks exchange those payments and settle with each other.  However, NACHA will never email you about a transaction failure, because NACHA doesn’t process individual ACH transactions at all (that’s your bank’s job).  A warning about this phishing campaign was posted on the NACHA site as early as February of 2010. 

So to be safe, never click a link or open an attachment in an email if you don’t know or don’t trust the sender, especially if the email has anything to do with your identity, money or passwords.  Treat a double extension like .pdf.exe as a giveaway on its own: Windows hides known extensions by default, so the victim sees only the .pdf part while the file is an executable.  And if you receive an email from “NACHA” notifying you of a canceled or rejected transaction, just delete it and share this info with your friends!
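The .pdf.exe trick has cousins (screensaver and shortcut files, the right-to-left override character that reverses the visible end of a name), and the one Windows setting that makes all of them work is Explorer hiding known extensions.  The following is an added example, not from the original post: a small triage function for attachment names run over constructed sample names, plus a check of that Explorer setting.

```powershell
# Added example, not from the original post: attachment-name triage.
$Executable = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.hta', '.msi', '.ps1', '.lnk'
$Document   = '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg', '.png', '.zip'

function Test-AttachmentName {
    param([Parameter(Mandatory)][string]$Name)
    $reasons = @()

    # U+202E (right-to-left override) makes "report_fdp.exe" render as "report_exe.pdf".
    if ($Name.IndexOf([char]0x202E) -ge 0) { $reasons += 'right-to-left override character' }

    $ext = [IO.Path]::GetExtension($Name).ToLowerInvariant()
    if ($Executable -contains $ext) { $reasons += "executable type $ext" }

    # Double extension: a document-looking name in front of the real one.
    $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($Name)).ToLowerInvariant()
    if ($inner -and $Document -contains $inner -and $inner -ne $ext) { $reasons += "double extension $inner$ext" }

    [pscustomobject]@{ Name = $Name; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Constructed sample names; the first is the one from the NACHA email.
'report_20102828938591.pdf.exe', 'invoice.pdf', 'statement.docx', 'photo.jpg.scr', 'notes.txt', 'minutes.pdf.lnk' |
    ForEach-Object { Test-AttachmentName -Name $_ } | Format-Table -AutoSize

# Explorer hides known extensions by default, which is what lets "report.pdf.exe" show as "report.pdf".
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-ItemProperty $adv).HideFileExt -eq 1) {
    Write-Warning 'Explorer is hiding file extensions; set HideFileExt to 0 and restart Explorer'
}
```

The function is deliberately name-only: it is a first pass for mail logs or a quarantine folder, not a substitute for scanning the file, since a real PDF can carry an exploit too, as the next post on vulnerable software points out.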

Which Security Suite Should You Use?

I’m regularly asked by clients which security suite is best, and which antivirus will “guarantee” against virus or spyware infection.  The first question has no single correct answer; the second has no answer.

Computer viruses existed well before the ubiquitous World Wide Web we know today; before Google and before AOL.  Before high-speed Internet was commonplace, viruses traveled from PC to PC on floppy disks or CD-ROMs (we called this “sneakernet”).  Some payloads could be dodged by simply not booting your computer on a particular day (the Michelangelo virus only fired on March 6; the infection itself was still there), while others could be detected and removed with simple tools such as Microsoft’s MSAV (included with MS-DOS 6.0 through 6.22).

Today your computer is constantly at some risk: viruses, malware and spyware, URL redirects and drive-by downloads.  But your computer isn’t at risk from every virus and every drive-by download. Windows Vista and later incorporate User Account Control, which stops and asks before a program is allowed to run with administrative rights.  Acrobat Reader, Flash and Shockwave regularly find themselves at the top of the “most vulnerable software” lists along with Java; most of their holes are code-execution bugs triggered by a booby-trapped document or web page, so if you don’t have them installed, those exploits don’t apply to you. If you do use them, keep them patched and updated!

These risks, however real, exist at varying levels. Your PC’s risk is best measured by your own activities. In an office setting where machines are regularly updated and monitored and casual web browsing is discouraged or outright forbidden, the risks of any type of infection are very low. Office intranets are typically not a fertile breeding ground for malware. Households with teenage computer users or compulsive file sharers, on the other hand, may experience a higher incidence of hijackers, viruses and other sorts of malware.

Keep in mind, security is a moving target.  Symantec, McAfee, Kaspersky and Microsoft are constantly releasing updates and definitions to keep their subscribers protected.  But the techniques employed by writers of these malicious programs are changing as well.  And even as new variants of Zafi, NetSky and MyDoom are released, the old versions continue to make their rounds, ostensibly hoping for an unpatched, unprotected computer to infect.

Protection levels are not absolutes and they are not universal.  More protection means lowered usability and diminished performance.  Software firewalls and on-access virus scanners are very demanding on your CPU and RAM, but that’s part of the tradeoff.  You should never surrender a reasonable level of security for performance.  If your PC has become unbearably sluggish due to its security suite, it’s time for a part upgrade or a new PC.

Here is what I look for when determining an ideal protection suite for an individual machine:

  • What is this user doing on his / her computer?  What is the environment?  (Corporate office = low risk)
  • Will this machine spend most of its uptime editing locally stored  Word documents and checking email in a browser? (Boring activities = lower risks)
  • How many people will use this machine?  (More users = higher risks)
  • Is this machine running a fairly modern operating system?  (Windows 7 = pretty good, Windows XP = not so great)
  • Is this machine regularly updated and patched (Flash, Java, Adobe Reader, etc.)?
  • Does this computer have a history of virus infections and OS reinstalls? Trends are trends.
  • Does this computer have an unusually large library of uncategorized media named in all lower-case letters?

For a low-risk machine, I feel reasonably safe recommending Microsoft’s Security Essentials or Avast! Essential and Windows’ own Advanced Firewall.  For a machine with multiple users or some history of infection or hijacks, I still can’t comfortably recommend purchasing a retail version of any security software since your dollars will not buy you a guarantee against virus or malware infections.  Corporate installations require a high degree of customizability, centralized management and reporting, so corporate products exist in a different universe from their retail counterparts.

To further lock down your computer, take steps to immunize against compromised DNS servers and drive-by downloads by using SecureDNS or ThreatFire.

For every machine, keep a local copy of Combofix, Spybot Search & Destroy and Malwarebytes’ Anti-Malware available just in case.