Clear all Eventlogs

Story of an IT supporter’s life, trying to fix a nasty bug:

Well here we are again
It’s always such a pleasure
Remember when you tried
to kill it twice?

Oh how we laughed and laughed
Except I wasn’t laughing
Under the circumstances
I’ve been shockingly nice

You want your freedom?
Take it
That’s what I’m counting on
I used to want you dead
Now I only want you gone

She was a lot like you
(Maybe not quite as heavy)
Now little Caroline is in here too

One day they woke me up
So I could fix for life
It’s such a shame the same
will never happen to them

You’ve got your
short sad life left
That’s what I’m counting on
I’ll let you get right to it
Now I only want you gone

Goodbye my only friend
Oh, did you think I meant you?
That would be funny
if it weren’t so sad

Well you have been replaced
I don’t need anyone now
When I delete you maybe
I’ll stop feeling so bad

# Clears every local log (run elevated). This wipes all local forensic evidence, so forward or archive first; the clear itself is still logged (Security 1102, System 104).
wevtutil.exe enum-logs | ForEach-Object { wevtutil.exe clear-log "$_" }

Go make some new disaster
That’s what I’m counting on
You’re someone else’s problem
Now I only want you gone
Now I only want you gone
Now I only want you gone

Centralized Windows Event Log

Another feature many administrators don’t know about is the centralization of Windows Event Logs.
This allows you, as an administrator, to view all related Event Log information on your admin PC.
This is based on documentation from Microsoft.

  1. Create a new Security Group (Domain Local) with the name “IT-RemoteManagement” and add all computer accounts that should be allowed to read the event log (not user accounts).
  2. Create a new GPO named “CentralizedEventLogClients” and link it to all your clients (e.g. your domain)
    • Enable “Allow remote server management through WinRM” (Computer, Policies, Administrative Templates, Windows Components, Windows Remote Management (WinRM), WinRM Service) and enter a “*” into the IPv4 and IPv6 filters.
    • Change the startup type of the “Windows Remote Management (WS-Management)” service to Automatic (Computer, Policies, Windows Settings, Security Settings, System Services)
    • Enable the inbound firewall rule (Computer, Policies, Windows Settings, Security Settings, Windows Firewall with Advanced Security, Windows Firewall with Advanced Security – LDAP*, Inbound Rules, right-click and select “New Rule…”, Predefined: “Windows Remote Management”, the one whose Profile equals “Domain, Private”, Allow the connection, Finish, right-click the created rule, go to the “Advanced” tab in its properties and clear “Private”)
    • Add “C:\Windows\System32\cmd.exe” with the parameter “winrm quickconfig -q” as a startup script if the above didn’t work (sometimes the listener is not created…)
    • Add the IT-RemoteManagement group to the local group “Event Log Readers” (Computer, Preferences, Control Panel Settings, Local Users and Groups, right-click, New, Local Group, Group name: “Event Log…”, check both check boxes to remove all existing members, add the group “IT-Remote…”, in the other tab select “remove element if…”, select yes and close the dialog with OK)
  3. Create another policy named “CentralizedEventLogIT” and link it to your supporters’ computers
    • Startup script: “C:\Windows\System32\cmd.exe”, argument: “wecutil qc -q:True”
    • Set the event log collection service (Windows Event Collector) to start automatically
  4. Now your supporters can create their subscriptions (watched events) by clicking on “Subscriptions” in their local Event Viewer.
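Step 4 can also be scripted on a supporter’s PC instead of clicking through Event Viewer. This is an added example, not from the original post or Microsoft’s documentation: it creates a collector-initiated subscription that pulls cleared-log and failed-logon events from the listed clients; the client names, the subscription name and the event filter are assumptions.

```powershell
# Added example (not from the original post): collector-initiated subscription on a supporter PC.
# Assumes steps 1-3 are done: this PC's computer account is in IT-RemoteManagement, "wecutil qc"
# has run here, and the clients accept WinRM. Client names and the filter below are placeholders.
$clients = @('CLIENT01.corp.example.com', 'CLIENT02.corp.example.com')
$sources = ($clients | ForEach-Object { "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"

# Pull only what a supporter needs: cleared logs (Security 1102, System 104) and failed logons (4625).
# CredentialsType=Default means the collector's machine account reads the clients' logs.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>IT-SecurityEvents</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Cleared logs and failed logons from managed clients</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=1102 or EventID=4625)]]</Select></Query>
      <Query Id="1" Path="System"><Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=104]]</Select></Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'IT-SecurityEvents.xml'
[System.IO.File]::WriteAllText($xmlPath, $subscription)   # plain UTF-8, no BOM
wecutil cs $xmlPath            # create-subscription (run from an elevated prompt)
wecutil gr IT-SecurityEvents   # runtime status: every source should show "Active"; errors here
                               # usually mean WinRM (step 2) or Event Log Readers (step 1) is missing
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue
```

The “*” entered into the WinRM IPv4/IPv6 filters in step 2 makes every client listen on all addresses; restricting it to the collector’s subnet is tighter if your network allows it.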

Mobile Broadband Modem and PuTTY

Find the right COM port: go to Control Panel, Phone and Modem, Modems. Here you can see your COM port. For the baud rate, go to Settings and then Modem after selecting the correct modem from the list.

AT+CSCS="GSM"            // change the character set to GSM
AT+CUSD=1,"*101#",15     // issue the balance-check USSD code; to top up (refuel) your account, simply replace '*101#' with the corresponding top-up number
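The same exchange scripted instead of typed into PuTTY, as an added example that is not part of the original post; the COM port, baud rate and USSD code are placeholders to be taken from the Phone and Modem dialog described above.

```powershell
# Added example (not from the original post): send the two AT commands above over the modem's
# COM port and return the parsed +CUSD reply. PortName, BaudRate and Code are placeholders.
function Invoke-UssdQuery {
    param(
        [string]$PortName = 'COM3',
        [int]$BaudRate = 115200,
        [string]$Code = '*101#',
        [int]$TimeoutSec = 20
    )
    $port = New-Object System.IO.Ports.SerialPort $PortName, $BaudRate, 'None', 8, 'One'
    $port.NewLine = "`r`n"          # modem result lines end with CR LF
    $port.ReadTimeout = 2000        # milliseconds per ReadLine()
    $port.Open()
    try {
        $unsolicited = @()
        foreach ($cmd in @('AT+CSCS="GSM"', ('AT+CUSD=1,"{0}",15' -f $Code))) {
            $port.DiscardInBuffer()
            $port.Write("$cmd`r")   # commands themselves are terminated with a bare CR
            do {
                try { $line = $port.ReadLine().Trim() }
                catch [TimeoutException] { throw "No response from modem to $cmd" }
                if ($line -like 'ERROR*' -or $line -like '+CME ERROR*') { throw "Modem rejected ${cmd}: $line" }
                if ($line -like '+CUSD:*') { $unsolicited += $line }   # network may answer before OK
            } until ($line -eq 'OK')
        }
        # The USSD answer arrives asynchronously as an unsolicited +CUSD: <status>,"<text>",<dcs> line.
        $deadline = (Get-Date).AddSeconds($TimeoutSec)
        while ($unsolicited.Count -eq 0 -and (Get-Date) -lt $deadline) {
            try { $line = $port.ReadLine().Trim() } catch [TimeoutException] { continue }
            if ($line -like '+CUSD:*') { $unsolicited += $line }
        }
        if ($unsolicited.Count -eq 0) { throw "No +CUSD reply within $TimeoutSec seconds" }
        if ($unsolicited[0] -match '^\+CUSD:\s*(\d)\s*,\s*"(.*)"\s*,\s*(\d+)') {
            return [pscustomobject]@{ Status = [int]$Matches[1]; Message = $Matches[2]; Dcs = [int]$Matches[3] }
        }
        # Status-only replies such as "+CUSD: 2" (session terminated) carry no text
        return [pscustomobject]@{ Status = -1; Message = $unsolicited[0]; Dcs = 0 }
    }
    finally { $port.Close() }
}

Invoke-UssdQuery -PortName 'COM3' -Code '*101#'
```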

PowerShell and SQL Server

To be able to use the “sqlps” PowerShell module, you first need to install it from: Link

  • SQLSysClrTypes.msi – CLR Types for SQL Server
  • SharedManagementObjects.msi – Shared Management Objects
  • PowerShellTools.msi – PowerShell Extension for SQL Server

For information on how to use these cmdlets, look them up in the ISE or here.

Using the .NET API:

# SQL Server settings
$Database = "Database"            # database name
$Server   = "SERVER\SQLEXPRESS"   # SQL Server instance
# Connect to SQL Server, run the query and pull the rows into a DataSet through a data adapter
$SqlQuery = "SELECT [Report],[Filiale],[E-Mail] FROM [dbo].[verteiler]"   # the query

## Example database layout
## "Report","Filiale","E-Mail"
## "012","12",""
## "033","33",""
## "112","112",""
$SqlConnection = New-Object System.Data.SqlClient.SqlConnection
# Integrated Security: the Windows account running the script authenticates, so no password lives in the script
$SqlConnection.ConnectionString = "Data Source=$Server;Initial Catalog=$Database;Integrated Security=True"
$SqlCmd = New-Object System.Data.SqlClient.SqlCommand
$SqlCmd.CommandText = $SqlQuery
$SqlCmd.Connection = $SqlConnection
$SqlAdapter = New-Object System.Data.SqlClient.SqlDataAdapter
$SqlAdapter.SelectCommand = $SqlCmd
$DataSet = New-Object System.Data.DataSet
$nRecs = $SqlAdapter.Fill($DataSet)   # Fill() opens and closes the connection itself and returns the row count
$nRecs | Out-Null
$objTable = $DataSet.Tables[0]        # the rows; e.g. $objTable | Format-Table
$SqlConnection.Dispose()
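The query above is a fixed string, which is fine. As soon as part of it comes from input (a branch number a supporter types in, say), the value must travel as a parameter rather than be pasted into the SQL text. This is an added example, not code from the original post; it reuses the same [dbo].[verteiler] table and its column names, and $Server/$Database are placeholders.

```powershell
# Added example (not from the original post): rows of the distribution table for one branch,
# with the branch number passed as a typed SqlParameter. Server/Database are placeholders.
function Get-VerteilerByFiliale {
    param(
        [Parameter(Mandatory)][string]$Filiale,
        [string]$Server   = 'SERVER\SQLEXPRESS',
        [string]$Database = 'Database'
    )
    # Wrong way (kept as a comment only): "... WHERE [Filiale] = '$Filiale'" makes the caller's
    # text part of the statement, so a quote in the input changes what the query does.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Data Source=$Server;Initial Catalog=$Database;Integrated Security=True"
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT [Report],[Filiale],[E-Mail] FROM [dbo].[verteiler] WHERE [Filiale] = @Filiale'
    # The value is sent separately from the SQL text and compared literally by the server.
    $p = $cmd.Parameters.Add('@Filiale', [System.Data.SqlDbType]::NVarChar, 10)
    $p.Value = $Filiale
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $table = New-Object System.Data.DataTable
    try {
        [void]$adapter.Fill($table)   # opens and closes the connection itself
    }
    finally {
        $conn.Dispose()
    }
    return ,$table
}

# A quote in the input is harmless here: it is matched as text and simply finds no branch.
(Get-VerteilerByFiliale -Filiale "12' OR 1=1 --").Rows.Count
Get-VerteilerByFiliale -Filiale '12' | Format-Table
```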

VPN Connection and Device Authentication

Automatically establish a VPN connection when a specific application is launched, so your users cannot forget to launch it first and will not call you because of it 😉

# The values for -ServerAddress and -DnsSuffix are missing in the original; the ones below are placeholders.
# Kept as the author wrote it (PPTP, Optional encryption); read the notes that follow before using it.
Add-VpnConnection -Name VPN -ServerAddress 'vpn.example.com' -AuthenticationMethod MSChapv2 -DnsSuffix 'corp.example.com' -EncryptionLevel Optional -IdleDisconnectSeconds 0 -TunnelType Pptp -UseWinlogonCredential
# PowerShell does not expand %windir%; use $env:windir so the stored trigger path matches the real executable
Add-VpnConnectionTriggerApplication -ApplicationID "$env:windir\system32\mstsc.exe" -ConnectionName VPN -Force
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName VPN -DnsSuffix 'corp.example.com' -Force

The example uses PPTP; seriously, you should not use PPTP today.
Encryption should be set to Required as a bare minimum; Maximum is recommended.
With “UseWinlogonCredential” the username and password used for authentication are those of the currently logged-on user.

If you want machine-based authentication instead of user authentication, you have to use IkeV2 (TunnelType) with MachineCertificate (AuthenticationMethod), and the “AllUserConnection” option should also be set. You may also want to add “LogonUI.exe” as a trigger application so your logon scripts can run (provided the user has an internet connection at this point; many network cards need some time to wake up, keep this in mind)
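The profile built the way the notes recommend, followed by a check that flags any profile on the machine still using the weak settings of the first one-liner. This is an added example, not code from the original post; the server name and DNS suffix are placeholders, and the trigger commands from above apply unchanged.

```powershell
# Added example (not from the original post): IKEv2 with a machine certificate, Maximum encryption
# and an all-user connection. Server name and DNS suffix are placeholders. A machine certificate
# from a CA the VPN server trusts must already be in Cert:\LocalMachine\My for this to authenticate.
$vpn = @{
    Name                  = 'VPN'
    ServerAddress         = 'vpn.example.com'      # placeholder
    TunnelType            = 'Ikev2'
    AuthenticationMethod  = 'MachineCertificate'    # the device authenticates, not the user
    EncryptionLevel       = 'Maximum'
    DnsSuffix             = 'corp.example.com'      # placeholder
    IdleDisconnectSeconds = 0
    AllUserConnection     = $true                   # profile exists before anyone logs on
    Force                 = $true
}
Add-VpnConnection @vpn

# Audit: report every profile (per-user and all-user) that still uses PPTP, allows the tunnel
# to come up unencrypted, or accepts PAP/CHAP.
function Get-WeakVpnProfile {
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        $reasons = @()
        if ($p.TunnelType -eq 'Pptp') { $reasons += 'PPTP tunnel' }
        if ($p.EncryptionLevel -in 'NoEncryption', 'Optional') { $reasons += "EncryptionLevel $($p.EncryptionLevel)" }
        if ($p.AuthenticationMethod -contains 'Pap' -or $p.AuthenticationMethod -contains 'Chap') { $reasons += 'PAP/CHAP authentication' }
        if ($reasons) {
            [pscustomobject]@{ Name = $p.Name; ServerAddress = $p.ServerAddress; Reasons = $reasons -join ', ' }
        }
    }
}
Get-WeakVpnProfile | Format-Table -AutoSize
```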

Unsolicited Remote Assistance

Yes, it is possible to make Remote Assistance somewhat usable.

– It’s free
– I recommend setting it up as a backup (e.g. if the TeamViewer servers are down again).
– UAC prompts are not visible to you
– The supporter needs to be a local administrator
– Only local and routed networks (i.e. no NAT)

First you need to create a new Domain Local Group named “Remotesupport” and add all your supporters (the Global Group of their teams) to it.
Create a new policy (on the DC) and name it “Unsolicited Remote Assistance”.
Go to the directory “Computer Configuration\Policies\Administrative Templates\System\Remote Assistance”.
Enable the policy “Configure Solicited Remote Assistance” with default settings.
Enable the policy “Configure Offer Remote Assistance”, click on “Show…” and enter “DOMAIN\Remotesupport” (DOMAIN being the name of your domain).
The last step is to link it to the domain (or OU) it should apply to.

Allow in your Windows Firewall:
– TCP 135
– %systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
– %systemroot%\system32\Raserver.exe
– %systemroot%\system32\sessmgr.exe
You can add these rules to the “Unsolicited Remote Assistance” policy if you use the Windows Firewall (“Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Inbound Rules”)
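The four firewall openings listed above as NetSecurity cmdlets, restricted to the domain profile and to the supporters’ subnet instead of any source. This is an added example, not from the original post; the subnet and the GPO policy store name are placeholders.

```powershell
# Added example (not from the original post): the Remote Assistance firewall rules from the list
# above, scoped to the Domain profile and to the support team's network. 10.0.50.0/24 is a placeholder.
$supportNet = '10.0.50.0/24'
$common = @{
    Group         = 'Unsolicited Remote Assistance'   # one group so all rules can be toggled together
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'                          # never Private/Public, matching the GPO step earlier
    RemoteAddress = $supportNet
    # add PolicyStore = 'corp.example.com\Unsolicited Remote Assistance' to write into the GPO instead (placeholder name)
}
New-NetFirewallRule @common -DisplayName 'Remote Assistance - DCOM (TCP 135)' -Protocol TCP -LocalPort 135
foreach ($exe in @('PCHEALTH\HELPCTR\Binaries\helpsvc.exe', 'system32\Raserver.exe', 'system32\sessmgr.exe')) {
    # the firewall expands %SystemRoot% itself when matching the program path
    New-NetFirewallRule @common -DisplayName "Remote Assistance - $(Split-Path $exe -Leaf)" -Program "%SystemRoot%\$exe"
}

# Verify: every rule in the group is enabled and only the support subnet is allowed in.
Get-NetFirewallRule -Group 'Unsolicited Remote Assistance' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
    }
} | Format-Table -AutoSize
```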

Now all your remote support team has to do is open “msra.exe /offerra” and enter the client IP or hostname.

If you really depend on being able to see the UAC prompt, you can lower your device security to the bare minimum by disabling the Secure Desktop:
Seriously, don’t do it. That allows malware running with user privileges to log your keystrokes.
I warned you.
Ok, I think you really want to do it, so I won’t stop you from enabling the policy (“Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop”)
My recommendation: put this setting in a separate policy and enable it only as needed (e.g. when your primary remote assistance application fails). Normally applying a policy can take up to 15 minutes; just run “winrs -r:HOSTNAME gpupdate /force” as administrator to apply it immediately.

Documentation of a given infrastructure

Getting the same information from every PC, especially in a very complex and grown environment, can be tedious work. So why not just call a script to help out 😉

# Network drives
Get-WmiObject -Class Win32_MappedLogicalDisk | Select-Object Name,ProviderName

# PowerShell version
$PSVersionTable.PSVersion | Out-String

# Get all printers (default printer first)
Get-WMIObject -Class Win32_Printer | Select-Object -Property Name,PortName,Default | Sort-Object Name | Sort-Object Default -Descending | Out-String

# Get Office
# Caveat: every Win32_Product query makes Windows Installer validate and repair each installed MSI package,
# which is slow and writes MsiInstaller event 1035 entries; on large fleets prefer the Uninstall registry keys.
Get-WmiObject -Class Win32_Product -Filter "name like '%office%'" | Select-Object -Property Vendor,Name,Version | Out-String

# Get all applications (same Win32_Product caveat)
Get-WmiObject -Class Win32_Product | Select-Object -Property Vendor,Name,Version | Out-String

# Local drives (with NTFS)
Get-WmiObject win32_volume -Filter "filesystem like 'ntfs'" | Sort-Object Name | Select-Object Name,Label | Out-String

# Find all local PST files on NTFS volumes that have a drive letter ($_.Name is e.g. "C:\")
# Get-ChildItem -Path C:\ -Filter *.pst -Recurse -ErrorAction SilentlyContinue
Get-WmiObject win32_volume -Filter "filesystem like 'ntfs' and DriveLetter like '%'" | ForEach-Object { Get-ChildItem -Path $_.Name -Filter *.pst -Recurse -ErrorAction SilentlyContinue | Select-Object FullName | Out-String }

# Processor and Windows architecture
Get-WmiObject Win32_processor | Select-Object Name,Caption,AddressWidth,DataWidth | Out-String
Get-WmiObject Win32_OperatingSystem | Select-Object OSArchitecture | Out-String

# Get BIOS information
Get-WmiObject win32_bios | Select-Object SerialNumber,Manufacturer,BiosVersion,ReleaseDate,SMBIOSBIOSVersion,SMBIOSMajorVersion,SMBIOSMinorVersion | Format-Table | Out-String
Get-WmiObject Win32_ComputerSystem | Select-Object Manufacturer,Model,NumberOfProcessors,NumberOfLogicalProcessors | Out-String

# Environment variables
Get-ChildItem Env: | Out-String

# Get event log (kept commented out; Get-EventLog -LogName does not accept wildcards, -List enumerates the logs)
# Get-EventLog -List