J Wolfgang Goerlich's thoughts on Information Security
The pack is not online -- Diskpart errors on some file systems

By wolfgang. 21 November 2009 06:38

VDS returns the following when you select a partition format that it does not recognize:

C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> list part
DISKPART> select part (id)

Virtual Disk Service error:
The pack is not online.

The "pack is not online" error (VDS_E_PACK_OFFLINE, 0x80042444L) is returned when Diskpart attempts to read the file system properties of a partition it does not recognize, such as an ext3 or HFS+ file system. Diskpart works only with FAT and NTFS file systems. If the goal is to delete the non-Microsoft partition, use the clean command, which removes all partitions on the selected disk.

DISKPART> list disk
DISKPART> select disk (id)

DISKPART> clean

Tags:

Systems Engineering | Troubleshooting

Use Diskpart to Create and Format Partitions

By wolfgang. 5 November 2009 02:24

To use the command line to bring a disk online, create a partition, and format it, run the following commands:

C:\> Diskpart

DISKPART> list disk
DISKPART> select disk (id)
DISKPART> online disk (if the disk is not online)
DISKPART> attributes disk clear readonly
DISKPART> clean
DISKPART> convert mbr (or gpt)
DISKPART> create partition primary
DISKPART> select part 1
DISKPART> active (if this is the boot partition)
DISKPART> format fs=ntfs label=(name) quick
DISKPART> assign letter (letter)
DISKPART> list volume
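As an added example, not from the original post, here is the same sequence run as a diskpart script from PowerShell, with a check that refuses to clean the disk Windows is booted from. It assumes the Get-Disk cmdlet from the Storage module (Windows 8 and Windows Server 2012 or later) and takes the disk number, partition style, label and drive letter as parameters. The clean step is also what removes the non-Microsoft partitions that make Diskpart report "The pack is not online".

```powershell
# Added example: run the create-and-format sequence as a diskpart script,
# refusing to touch the disk Windows booted from. Assumes Get-Disk
# (Storage module, Windows 8 / Server 2012 and later).
param(
    [Parameter(Mandatory)][int]$DiskNumber,
    [ValidateSet('mbr', 'gpt')][string]$PartitionStyle = 'gpt',
    [string]$Label = 'Data',
    [ValidatePattern('^[D-Z]$')][string]$DriveLetter = 'E',
    [switch]$MakeActive     # only meaningful for an MBR boot partition
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber is the boot or system disk; refusing to clean it."
}
Write-Host ("Disk {0}: {1} GB, status {2}, read-only {3}" -f $disk.Number, [math]::Round($disk.Size / 1GB), $disk.OperationalStatus, $disk.IsReadOnly)

# Build the script in the order the post lists; each line maps to one DISKPART> command.
$lines = @(
    "select disk $DiskNumber",
    "online disk noerr",              # noerr: do not abort if the disk is already online
    "attributes disk clear readonly", # avoids "The media is write protected" on clean
    "clean",                          # avoids "not convertible" / "not enough usable space"
    "convert $PartitionStyle",
    "create partition primary",
    "select partition 1"
)
if ($MakeActive -and $PartitionStyle -eq 'mbr') { $lines += "active" }   # GPT disks have no active partition
$lines += "format fs=ntfs label=`"$Label`" quick"
$lines += "assign letter=$DriveLetter"
$lines += "list volume"

$script = Join-Path $env:TEMP "diskpart-$DiskNumber.txt"
Set-Content -Path $script -Value $lines -Encoding ASCII

# diskpart /s runs the script non-interactively; its exit code is non-zero on failure.
& diskpart.exe /s $script
if ($LASTEXITCODE -ne 0) {
    throw "diskpart failed with exit code $LASTEXITCODE; see the System event log."
}
Remove-Item $script
```

Run it from an elevated prompt, for example `.\New-DataDisk.ps1 -DiskNumber 2 -PartitionStyle gpt -Label Data -DriveLetter E`. The boot/system check is the one thing the interactive sequence does not give you: `clean` on the wrong disk number destroys the partition table with no prompt.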


The following are common errors displayed if you miss a step:

DISKPART> clean
DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Resolution: run "attributes disk clear readonly" before trying to clean the volume and create the partition.

DISKPART> convert mbr

Virtual Disk Service error:
The specified disk is not convertible. CDROMs and DVDs
are examples of disks that are not convertable.

Resolution: clear all data off the disk before converting by running the clean command.

DISKPART> create partition primary
Virtual Disk Service error:
There is not enough usable space for this operation.

Resolution: run "clean" before trying to create the partition.

DISKPART> format fs=ntfs quick
Virtual Disk Service error:
The volume is not online.

Resolution: online the disk, create the partition, and convert to mbr before formatting.


The following are common errors displayed if there is a hardware problem:

DISKPART> clean
DiskPart has encountered an error: The device is not ready.
See the System Event Log for more information.

Resolution: If the event log entry states "The driver detected a controller error on \Device", the problem is likely the storage controller on your mainboard. Check your hard drive connections and reload your storage controller driver. If the event log entry states "VDS fails to write boot code on a disk during clean operation. Error code: 80070015@02070008", the hard drive itself has failed.


The following is another common error you may see if there is a hardware problem:

DISKPART> clean
DiskPart has encountered an error: The media is write protected.
See the System Event Log for more information.

Resolution: Running "attributes disk clear readonly", as mentioned above, is the first step. Next, the disk may be locked by an active process, in which case a reboot generally clears the error.

If the disk is a USB flash drive, check that it does not have a write protect switch. The Imation Clip and the Kanguru Flash Blu II, for example, both have this feature and will cause the above error if protected. USB devices may also need a low-level format to reset the drive. In these cases, please see the manufacturer for such tools. (Patriot, for example, provides such a tool.)

If the disk is SAN-attached storage, check that the LUN is not presented in a read-only state. Windows Server 2008 also has a condition where SAN storage is erroneously reported as read-only. See Microsoft article 971436 for details and a hotfix.

Tags:

Troubleshooting

Excel Extension Hardening and Web Applications

By wolfgang. 11 August 2009 20:19

In the classic ASP days, there were a few ways to deliver content to the client in Excel. The more difficult way was to install Office XP/2003 on the web server. Then the ASP code would use COM to bind to Excel, CreateObject("Excel.Application"), and create the workbook and sheets programmatically. This was a bit of work and required a second, separate block of code that duplicated in Excel the code that created the web page report.

Now, since the primary web page report was generally a table, an easier way to export to Excel was to send the same Html table. The ASP code would simply switch the content MIME type, Response.ContentType = "application/vnd.ms-excel". Some developers went the extra step to specify the file name and extension, Response.AddHeader "content-disposition", "attachment;filename=Output.xls". You could also do the same for a .csv file using "text/csv" and "attachment;filename=Output.csv". This was cleaner and meant that essentially the same code created both the Excel and the web output.

The trick worked as follows: Internet Explorer opened the web page, the web server returned Excel’s MIME type, Internet Explorer passed the file onto Excel, Excel opened it and converted the Html to the columns and rows the person expected. That the file extension (*.xls) did not match the file content (Html) was not really a concern. Excel did its trick and the content was displayed.

The problems began when attackers used the same trick to send malformed files through Internet Explorer to Excel. Several security hotfixes addressed the various malformed spreadsheets (MS07-015, MS07-023, MS07-025, MS07-044, MS08-016, MS08-043, MS08-057, MS08-074). These all addressed the various ways Excel could be compromised by files with content other than well-formed Excel, but of course did nothing to prevent malformed Excel content in the first place.

To address this point, Excel 2007 introduced the concept of Extension Hardening. Extension Hardening checks, before the file is opened, that the file content matches the extension and, if applicable, the MIME type. The upside of Extension Hardening is that it blocks one vector for malformed Excel content attacks. The downside is that it also breaks the classic ASP method of Excel reporting.

Further, there is no granularity in the setting. Extension Hardening cannot be turned off for some websites or content sources, and on for others. It can only be disabled, enabled with a prompt, or enabled with blocking. Extension Hardening can be controlled during installation by the Office Deployment files, or afterwards by group policy or editing the registry.

Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
"ExtensionHardening"=dword:00000000

Possible value settings: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002). If the ExtensionHardening value is not present, Excel defaults to Allow different, but warn.

Group Policy Administrative Template (Excel12.adm):

Node: Microsoft Office Excel 2007 \ Excel Options \ Security
Setting: Force file extension to match file type
Possible values when enabled: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002).

Microsoft Office Deployment:

Node: Microsoft Office Excel 2007 \ Excel Options \ Security
Setting: Force file extension to match file type
Possible values when enabled: Allow different (dword:00000000); Allow different, but warn (dword:00000001); Always match file type (dword:00000002).

Implications of the Setting:

1. When set to allow different, Excel 2007 behaves like Excel 2003 and opens files from the web with Html content and application/vnd.ms-excel MIME type.

2. The following dialog box will display for web content when Extension Hardening is set to allow different, but warn:

The file you are trying to open, 'filename.xls', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?

3. The following dialog box will display for web content when Extension Hardening is set to always match file type:

Excel cannot open the file 'filename.xls' because the file format for the file extension is not valid. Verify that the file has not been corrupted and that the file extension matches the format of the file.

(In the warning dialog, you can press Ctrl-Shift-I to display the error code 101590 in the lower-right corner.)
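As an added example (mine, not the post's), the following PowerShell reports the effective Extension Hardening mode from the registry value shown above, applying the default when the value is absent, and performs the same kind of content-versus-extension check on a file: a legacy .xls is an OLE2 compound document, an .xlsx is a ZIP container, and the classic ASP export is HTML with an .xls name. The file signatures are the standard ones for those formats; the sample file is constructed by the script.

```powershell
# Added example: report the effective Extension Hardening mode for the current
# user and check whether an .xls/.xlsx/.csv file's content matches its extension,
# which is the mismatch Extension Hardening warns about or blocks.
# The registry path and values are from the post; the file signatures are
# the standard ones for the formats named.
function Get-ExcelExtensionHardening {
    $key = 'HKCU:\Software\Microsoft\Office\12.0\Excel\Security'
    $value = (Get-ItemProperty -Path $key -Name ExtensionHardening -ErrorAction SilentlyContinue).ExtensionHardening
    if ($null -eq $value) { $value = 1 }  # absent means "Allow different, but warn"
    switch ($value) {
        0 { 'Allow different' }
        1 { 'Allow different, but warn' }
        2 { 'Always match file type' }
        default { "Unknown ($value)" }
    }
}

function Get-SpreadsheetContentType {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    if ($bytes.Length -lt 8) { return 'empty' }
    # OLE2 compound document (D0 CF 11 E0 A1 B1 1A E1): the container used by legacy .xls
    if (($bytes[0..7] -join ',') -eq '208,207,17,224,161,177,26,225') { return 'xls' }
    # ZIP local file header (50 4B 03 04): the container used by .xlsx
    if ($bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and $bytes[2] -eq 0x03 -and $bytes[3] -eq 0x04) { return 'xlsx' }
    # Otherwise treat it as text and look for markup (the classic ASP trick sends an Html table)
    $text = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [math]::Min($bytes.Length, 512)).TrimStart()
    if ($text -match '^(<!DOCTYPE|<html|<table|<\?xml)') { return 'html' }
    return 'text'
}

function Test-SpreadsheetExtension {
    param([Parameter(Mandatory)][string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).TrimStart('.').ToLower()
    $content = Get-SpreadsheetContentType -Path $Path
    $ok = switch ($ext) {
        'xls'   { $content -eq 'xls' }
        'xlsx'  { $content -eq 'xlsx' }
        'csv'   { $content -eq 'text' }
        default { $false }
    }
    [pscustomobject]@{ Path = $Path; Extension = $ext; Content = $content; Matches = $ok }
}

# Constructed sample: an Html table saved under an .xls name, as the classic ASP export produced.
$sample = Join-Path $env:TEMP 'Output.xls'
Set-Content -Path $sample -Value '<table><tr><td>a</td><td>1</td></tr></table>' -Encoding ASCII
"Extension Hardening mode: $(Get-ExcelExtensionHardening)"
Test-SpreadsheetExtension -Path $sample   # Content = html, Matches = False
Remove-Item $sample
```

A file that reports `Matches = False` is exactly what mode 1 prompts on and mode 2 refuses, so the check is a quick way to tell whether a reporting page will break under the hardened setting without opening the download in Excel. The fix on the server side is to emit content that really is the declared type, for instance CSV under "text/csv" with a .csv name.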

For more information:

Microsoft Article 199841, How To Display ASP Results Using Excel in IE with MIME Types
http://support.microsoft.com/kb/199841

Microsoft Article 317719, How To Export Data in a DataGrid on an ASP . NET WebForm to Microsoft Excel
http://support.microsoft.com/kb/317719

Microsoft Article 948615, When you open a file in Excel 2007, you receive a warning that the file format differs from the format that the file name extension specifies
http://support.microsoft.com/kb/948615

Tags:

IIS | Security | Troubleshooting

Domain controller holds the last replica

By wolfgang. 3 April 2009 14:42

Error when demoting an Active Directory domain controller: This domain controller holds the last replica of the following application directory partitions: DC=MSTAPI,DC=yourdomain,DC=com

Active Directory has the following partitions: Application partition, Configuration partition, Domain partition, and Schema partition. The Application partition is used to store data from Active Directory-integrated software. This error indicates that an Application partition exists on this DC. There are two possibilities: this is the last DC in the domain or it is not.

If this is the last DC in the domain, and the domain information is no longer needed, then it is safe to delete the replica.

If this is not the last DC and you require the Application partition, you must remove the DC from the Application partition’s replica set. Use ADSIEdit and consult Microsoft’s help to perform this operation.

Tags:

Troubleshooting | Active Directory

Troubleshooting Active Directory replication

By wolfgang. 3 April 2009 13:11

Some tips on troubleshooting Active Directory replication:

You may notice that objects in the directory are not the same across all domain controllers, or that people and computers are not receiving their group policy settings, or that the SYSVOL share is not synchronized across the domain. These are symptoms of replication failures.

To troubleshoot replication failures, begin with the basics. Are all the replication links up? Are all the domain controllers synchronized to the same date and time? Then run Dcdiag.exe to get the status of the domain controllers and Netdiag.exe to get a report on network connectivity. Address any issues that these utilities find. Then run Repadmin.exe and validate the connections, site links, and queues. Once everything is validated, run Repadmin.exe to force a synchronization of AD objects. To synchronize group policy settings and the SYSVOL, use Ntfrsutil.exe to troubleshoot and re-replicate the files.
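As an added example, not part of the original post, here is a PowerShell first pass over the checks just described: it pulls the replication status of every DC from Repadmin.exe, measures clock skew against each DC named in a failure with w32tm.exe, and shows the forced synchronization command. It assumes repadmin.exe and w32tm.exe are on the path, as on a domain controller or a machine with the AD administration tools installed; the CSV column names are the ones repadmin /showrepl /csv emits.

```powershell
# Added example: a first pass over the checks the post lists, using the tools it names.
# Assumes repadmin.exe and w32tm.exe are on the path.
function Get-ReplicationFailures {
    # /showrepl * /csv lists every inbound replication link on every DC
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

function Test-DcTimeSkew {
    param([string[]]$DomainController, [int]$MaxSkewSeconds = 300)   # Kerberos default tolerance is 5 minutes
    foreach ($dc in $DomainController) {
        # w32tm /stripchart /dataonly ends with a line like "12:00:01, +00.0123456s"
        $line = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-Object -Last 1
        if ($line -match '([+-]\d+\.\d+)s') {
            $skew = [math]::Abs([double]$matches[1])
            [pscustomobject]@{ DC = $dc; SkewSeconds = $skew; OK = ($skew -le $MaxSkewSeconds) }
        }
        else {
            [pscustomobject]@{ DC = $dc; SkewSeconds = $null; OK = $false }   # unreachable or no response
        }
    }
}

# Usage: list the failing links, check the clocks of the DCs involved, then
# force replication of all partitions across all sites once the issues are fixed.
$failures = Get-ReplicationFailures
$failures | Format-Table -AutoSize
$dcs = $failures | ForEach-Object { $_.'Source DSA', $_.'Destination DSA' } | Sort-Object -Unique
Test-DcTimeSkew -DomainController $dcs | Format-Table -AutoSize

# The forced synchronization the post refers to; the flags after /syncall mean
# A = all naming contexts, d = identify servers by DN, e = all sites, P = push.
# repadmin /syncall /AdeP
```

Run it on a DC before forcing replication: a link with a non-zero failure count and a DC with several minutes of skew points at the time problem rather than at the replication topology, and forcing a sync before fixing that only adds more failures to the report.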

Tags:

Troubleshooting | Active Directory

Hyper-V Disk Issues

By wolfgang. 16 October 2008 18:17

I am seeing an odd issue with Hyper-V vms on pass-thru disks. Say an event occurs on the storage array that causes the disks on the Hyper-V server to go offline momentarily. They can be brought back online afterwards. Hyper-V then loses the handle on the disk. There are four broad categories of symptoms that then occur:

1) Very broadly speaking, if the disk contains server-specific information such as a paging file, then the server behaves erratically when it goes offline.

2) If the disk in question goes offline and it contains the vm definition files (.bin, .vsv), then the vm disappears from the Hyper-V console.

3) If the disk goes offline and it contains vm disks (.vhd), then the vm in question crashes.

4) If the disk is directly mapped to a vm as a host resource, then the vm is shutdown. Sometimes the state is saved. The settings show that the physical disk cannot be found. The vm’s saved state has to be deleted and then the physical disks reselected in the vm settings dialog.

I am still troubleshooting. More details to follow.

Tags:

Troubleshooting | Hyper-V | Virtualization

SSRS reports work on the server but not on the clients

By wolfgang. 1 May 2008 22:16

Symptom: reports work from the server. They do not work from client machines. "An error has occurred during report processing. (rsProcessingAborted). Cannot create a connection to data source 'MyData'. (rsErrorOpeningConnection). For more information about this error navigate to the report server on the local server machine, or enable remote errors."

Step 1: Set the server as trusted for delegation

  • Active Directory Users and Computers
  • Right-click SSRS Server, Properties
  • Delegation tab
  • (o) Trust this computer for delegation to any service (Kerberos only)

Step 2: Enable the service account to impersonate

  • Check the service account
  • Microsoft SQL Server 2005 > Configuration Tools > Reporting Services Configuration
  • Windows Service Identity
  • Web Service Identity
  • SSRS is generally running under Network Service (NT Authority\NetworkService)
  • Set the permissions
  • Administrative Tools > Local Security Policy
  • Add Network Service to: Act as part of the operating system; Impersonate a client after authentication

Step 3: Add the service principal name (SPN) for web services

  • Install Support Tools
  • List the active SPN
  • CD C:\Program Files\Support Tools
  • Setspn -L SSRSServer
  • If HTTP SPNs do not exist, add them.
  • Setspn -A HTTP/SSRSServer SSRSServer
  • Setspn -A HTTP/ssrsserver.mydomain.com SSRSServer

Step 4: Add the service principal name (SPN) for databases

  • Check the service account
  • Check to see what service is running "SQL Server (Instance)"
  • Microsoft SQL Server 2005 > Configuration Tools > SQL Server Configuration Manager
  • SQL Server 2005 Network Configuration
  • Protocols for Instance: TCP/IP
  • Scroll to the bottom, IPALL
  • TCP Dynamic Ports: 3418
  • setspn -L DOMAIN\serviceaccount
  • If MSSQL SPNs do not exist, add them
  • setspn -A MSSQLsvc/SSRSServer:port DOMAIN\serviceaccount
  • setspn -A MSSQLsvc/ssrsserver.mydomain.com DOMAIN\serviceaccount

Step 5: Modify the Data Sources

  • http://ssrsserver.mydomain.com/Reports
  • Data Sources
  • Edit the data source
  • Connection string: Data Source=ssrsserver\instance;Initial Catalog=MyDBname;Integrated Security=SSPI
  • (o) Windows integrated security

From the desktop, open SQL Server Management Studio and create a new connection:

  • Server type: Reporting Services
  • Server name: http://ssrsserver.mydomain.com/ReportServer
  • Authentication: Windows Authentication
  • Click Connect and it will now open up reporting services.
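As an added example (not from the original post), this PowerShell checks Steps 3 and 4 before Step 5 is attempted: it lists the SPNs registered on the report server's computer account and on the SQL Server service account with Setspn and prints the setspn -A command for any that are missing. The host names, account and port are the post's placeholders; it assumes setspn.exe is available (Support Tools on Windows Server 2003, built in from Windows Server 2008 on) and registers the MSSQLsvc FQDN SPN with the port, which is the form SQL Server itself uses.

```powershell
# Added example: verify the SPNs from Steps 3 and 4 and print the fix for any
# that are missing. Names, account and port are the post's placeholders.
# Assumes setspn.exe is on the path.
function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$Account)
    # setspn -L prints a header line followed by one indented SPN per line
    setspn -L $Account | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '/' }
}

function Test-RequiredSpn {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string[]]$Required
    )
    $have = @(Get-RegisteredSpn -Account $Account)
    foreach ($spn in $Required) {
        $present = $have -contains $spn          # -contains is case-insensitive, as SPN matching is
        $fix = if ($present) { '' } else { "setspn -A $spn $Account" }
        [pscustomobject]@{ Account = $Account; SPN = $spn; Present = $present; Fix = $fix }
    }
}

$reportServer = 'SSRSServer'
$fqdn         = 'ssrsserver.mydomain.com'
$sqlAccount   = 'DOMAIN\serviceaccount'
$sqlPort      = 3418   # the TCP port shown in Step 4

# Step 3: HTTP SPNs belong on the report server's computer account
Test-RequiredSpn -Account $reportServer -Required @("HTTP/$reportServer", "HTTP/$fqdn")

# Step 4: MSSQLsvc SPNs belong on the account the SQL Server service runs as
Test-RequiredSpn -Account $sqlAccount -Required @("MSSQLsvc/${reportServer}:$sqlPort", "MSSQLsvc/${fqdn}:$sqlPort")
```

An SPN registered on the wrong account (the computer instead of the service account, or the other way round) shows up here as "missing" on the right one, which is the usual reason the rsErrorOpeningConnection error persists after Steps 1 and 2 look correct: Kerberos delegation cannot obtain a ticket for a service it cannot find, so the second hop falls back to an anonymous connection from the clients while the server, connecting locally, still works.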

Tags:

Troubleshooting

XenServer hangs on Himem.sys when booting DOS

By wolfgang. 12 March 2008 04:12

I am testing out XenServer for server virtualization, and Acronis for physical-to-virtual conversions. When booting on the Acronis restore CD, the vm displays:

cirrus-compatible VGA is detected
Processor 1: Xen(R) Virtual CPU
XS Virtual IDE Controller  Hard Drive (16384MB)
Unknown device
Unknown device
XS Virtual ATAPI-4  CD-Rom/DVD-Rom

Boot device: CD-Rom - success.
Starting Caldera DR-DOS...
HIMEM.SYS: Cannot control address line A20.

Caldera DR-DOS 7.03
Copyright (c) 1976, 1998 Caldera, Inc. All rights reserved.

It then hangs with the processor consuming 100% of the resources. I notice the same behavior when booting from a DOS 6.22 disk with Himem.sys loading, even if I specify /a20control:off. I found an article from Microsoft that describes the problem. Submitted it to Acronis to get a fix. They wrote back “We have confirmed this behavior with the Xen Virtualization platform with the DR process. Right now it has been logged as a defect in our bugtracker. Right now I do not have an ETA on this being resolved.”

The "Unable to control A20 Line" error message
http://support.microsoft.com/kb/73713

There are two workarounds for this problem:

Add the /M:x switch to the HIMEM.SYS line in the CONFIG.SYS file, where x is a number from the valid range of 1-14 and 16, and then restart your computer. For example: DEVICE=C:\DOS\HIMEM.SYS /M:1

Upgrade your computer's BIOS or contact your computer vendor for help with the modification of your CMOS settings. You may need to disable a FastGate (or similar) option.

The A20 line is the start of the first 64K of extended memory, known as the high memory area (HMA). The HIMEM.SYS device driver must control the A20 line to manage extended memory. The HIMEM.SYS driver reports the error if it incorrectly identifies the extended memory handling mechanism of the computer or if the handling method of the computer's BIOS is unknown.

Tags:

Troubleshooting | Virtualization

100% Processor Utilization on Windows Backup

By wolfgang. 17 January 2008 14:05

Here is an odd one for you. I was backing up my notebook today ahead of Dell's replacing the mainboard. My notebook computer would not launch Ntbackup. The process spikes the cpu to 100% and then hangs. I let it sit as long as thirty minutes and the process never releases.

I did some research. See that this problem is fixed with Windows 2003 SP2 (which I have). Reinstall SP2. Reboot. Reapply latest hotfixes and reboot. Retry, same. Did the file actually get updated? Change directory to i386, which contains a slipstreamed SP2 version of Windows 2003. The file is exactly the same.

I run Filemon and open Ntbackup. See that it is getting stuck on website.zip. This is a malformed zip file that Shabbir sent me a few weeks ago. End task on Ntbackup. Delete the zip file and clear the trash. Re-open Ntbackup. Click the Backup tab. It works properly now. Got it!

Tags:

Troubleshooting

Celebrating ten years of watching my back

By wolfgang. 8 April 2007 07:08

♫ It was ten years ago today, Monkey.B taught the Wolf to play. We've been going in and out of style. But we're guaranteed to raise a smile... ♫

Ten years ago, my company's -- and our client's -- computers were infected with the Monkey.B virus. I suppose you could say it was my first incident response experience. It took us a little over three weeks to clean the mess up. The incident sparked in me the desire to a) learn as much as I could about malware; b) learn as much as I could about computer security; and c) never again let this happen to a client. From that day on, I have considered security a functional requirement of every project. It was a tough lesson.

But, it set me on the right path, so thank you Sgt. Pepper.

jwg

A couple tokens from the situation ...

Newsgroups: comp.virus
From: wolfgang a goerlich <trancev2.7@juno.com>
Date: 1997/04/08
Subject: Unknown boot virus (PC)

I'm at my wits end with this one. On accessing the a: drive, characters of both the file names and the files themselves are randomly replaced. I run McAfee, and it reported no virus activity. I then replaced the floppy, yet the corruption of files continued. I was also having problems with Win95, so I attempted to reinstall it from the CD-ROM. However, it got past the initial hardware scan, then reported a boot virus and locked up. So I borrowed a copy of Dr Solomons, but it also reported no viruses. Finally, in desperation, I reformatted the drive. Only now, the format command reports there is a virus, and quits. Also, the same floppy drive corruption continues. Anyone have any ideas of what I could try next? I even replaced the hard drive, but my other one was also infected.

I'm completely baffled.

Wolfgang Goerlich

Newsgroups: comp.virus
From: Wolfgang A Goerlich <trancev2.7@juno.com>
Date: 1997/04/17
Subject: Unknown Boot Virus - Last Words (PC)

> I'm not sure as to what your a: drive is doing, but as for your boot
> sector "virus", go and turn off boot sector virus checking in your BIOS.
> That will solve your hard drive problems anyway...

Thank you. It turned out that we did have a undetectable boot virus (which we removed using F-Prot). However, the BIOS virus checking was still giving us errors. After reading this, we turned it off and everything has been running smoothly since.

Thanks again

Wolfgang

Tags:

Security | Troubleshooting
