Friday, March 20, 2015

Installing Internet Explorer 11 and prerequisites via SCCM deployable script with only one reboot.

My customer needed some help deploying IE 11 out to a bunch of Windows 7 32-bit machines, but they only have one maintenance window for rebooting per month.  They didn't want the machines going out to the internet to get the prerequisites, so they were stuck in a bit of a quandary.

I found several references on how to do this; some were .vbs scripts, some PowerShell, some batch files, but all seemed to be missing one or more pieces of useful data.  Most of those used the IEAK, and I had no luck at all making a silent internet-less installer with it.

Here is my solution.  It deploys all of the IE 11 Prerequisites, IE 11, and the December 2014 Cumulative update with just one reboot at the end.

I've included links in the script so you can download the patches, and an explanation of how to get the .CAB files out of the .msu and out of the IE installer executable.

@echo off

REM Each of the KB download links is a .MSU file.  To use this script, you must extract the .cab file from the MSU.
REM This can be extracted with 7-zip or the built-in Windows Expand command.
REM Example: expand Windows6.1-KB2888049-x86.msu /f:*.cab c:\pathtoexpandto

REM This script expects all of the .cab files to be in the same folder with the batch file.

set InstallerPath=%~dp0
set Logfile=c:\windows\temp\IE11-Dism.log

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

REM The file was extracted from your IE11-Windows6.1-x86-en-us.exe with the command
REM IE11-Windows6.1-x86-en-us.exe /x:C:\pathtoexpandto
REM This can be downloaded from
C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

REM This is the December 2014 IE CUMULATIVE UPDATE
REM It should be replaced by the most recent approved CU at time of packaging.
REM Downloaded from
REM Extracted with expand IE11-Windows6.1-KB3008923-x86.msu -f:*.cab c:\pathtoexpandto
C:\Windows\system32\dism /online /add-package /packagepath:%InstallerPath%\ /quiet /norestart

REM The customer wanted SCCM to handle the post-installation reboot.  If you want this script to reboot the machine, uncomment the next line.
REM C:\Windows\System32\shutdown.exe /r /t 300 /d p:4:2 /c "Your system will restart automatically in 5 minutes to complete a software installation."


The batch file can be downloaded from here: Install-Ie11.bat
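
The same one-reboot sequence with DISM exit codes checked, as an added example that is not the original Install-Ie11.bat. It assumes a hypothetical `packages.txt` beside the script listing the extracted .cab file names in install order; the log path is the one the batch file sets.

```powershell
# Added example, not the original Install-Ie11.bat. packages.txt is a hypothetical
# manifest beside this script: one .cab file name per line, in install order
# (prerequisites first, then IE 11, then the cumulative update).
$here    = Split-Path -Parent $MyInvocation.MyCommand.Path
$dism    = Join-Path $env:windir 'system32\dism.exe'
$logFile = 'C:\Windows\Temp\IE11-Dism.log'
$reboot  = $false

$cabs = Get-Content (Join-Path $here 'packages.txt') |
    ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch '^#' }

# Fail before touching the system if any listed package is absent.
foreach ($cab in $cabs) {
    if (-not (Test-Path (Join-Path $here $cab))) {
        Write-Error "Missing package: $cab"; exit 2
    }
}

foreach ($cab in $cabs) {
    $path = Join-Path $here $cab
    $dismArgs = "/online /add-package /packagepath:`"$path`" /quiet /norestart /logpath:`"$logFile`""
    $proc = Start-Process -FilePath $dism -ArgumentList $dismArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { }                    # installed, no restart needed
        3010    { $reboot = $true }    # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Error "DISM exit code $($proc.ExitCode) on $cab"; exit $proc.ExitCode }
    }
}

# One restart request at the end, left to the deployment tool to act on.
if ($reboot) { exit 3010 } else { exit 0 }
```

Stopping at the first failed package keeps IE 11 and the cumulative update from being attempted on top of a missing prerequisite.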

Wednesday, March 11, 2015

Securing Stickykeys and the Ease of Access Center

One way a system can be compromised if the attackers have physical access to the machines is to use the "StickyKeys vulnerability".  This isn't really a vulnerability, just an inherent weakness of having malicious users be able to change files on your disks.

The best way to prevent this is to prevent access to the disks.  Enable BitLocker drive encryption.  If the user can't read the disk they can't replace the .exe's.  Fixed.

If you can't do this, you can at least prevent the executables from running.  To do this, create a software restriction policy that denies the following files.
  • %windir%\system32\Narrator.exe  (Narrator)
  • %windir%\system32\osk.exe  (On Screen Keyboard)
  • %windir%\system32\Magnify.exe (Magnifier file)
  • %windir%\system32\sethc.exe (StickyKeys and MouseKeys)
  • %windir%\system32\utilman.exe (Ease of Access Center)
Note:  Blocking utilman.exe, the last one, also disables the accessibility button on the login screen.


Finally, you can also remove permissions to these files.  Know that any malicious user worth her salt with access to replace the files can trivially re-permission them as well.  The following backs up the permissions of the files with ICACLS, then takes ownership and sets Deny eXecute on all of the files.

REM Backup old permissions.
ICACLS %windir%\system32\Narrator.exe /save %windir%\system32\Narrator.exe.aclfile
ICACLS %windir%\system32\osk.exe /save %windir%\system32\osk.exe.aclfile
ICACLS %windir%\system32\Magnify.exe /save %windir%\system32\Magnify.exe.aclfile
ICACLS %windir%\system32\sethc.exe /save %windir%\system32\sethc.exe.aclfile
ICACLS %windir%\system32\utilman.exe /save %windir%\system32\utilman.exe.aclfile

REM Take ownership of the files.
TAKEOWN /F %windir%\system32\Narrator.exe /A
TAKEOWN /F %windir%\system32\osk.exe /A
TAKEOWN /F %windir%\system32\Magnify.exe /A
TAKEOWN /F %windir%\system32\sethc.exe /A
TAKEOWN /F %windir%\system32\utilman.exe /A

REM Deny execute permissions to the Everyone group.
ICACLS %windir%\system32\Narrator.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\osk.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\Magnify.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\sethc.exe /deny *S-1-1-0:(X)
ICACLS %windir%\system32\utilman.exe /deny *S-1-1-0:(X)
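
To confirm the commands above took effect, and to have something to compare against later, the following added example (not from the original post) reports for each of the five files whether the Deny eXecute entry for Everyone is present, who owns the file, and its SHA-256 hash. The function names are hypothetical helpers.

```powershell
# Added example, not from the original post. Audits the five Ease of Access
# binaries: is the Deny-eXecute ACE for Everyone (S-1-1-0) present, who owns
# the file, and what is its SHA-256 (to diff against a known-good baseline).
$names   = 'Narrator.exe', 'osk.exe', 'Magnify.exe', 'sethc.exe', 'utilman.exe'
$execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$sidType = [System.Security.Principal.SecurityIdentifier]

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, which needs PowerShell 4.0 or later.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Dispose() }
}

function Test-DenyExecute([string]$Path) {
    # True when an explicit or inherited Deny ACE for Everyone includes ExecuteFile.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Deny' -and
            $ace.IdentityReference.Value -eq 'S-1-1-0' -and
            ([int]$ace.FileSystemRights -band $execute) -ne 0) { return $true }
    }
    return $false
}

$report = foreach ($name in $names) {
    $path = Join-Path $env:windir "system32\$name"
    if (Test-Path -Path $path) {
        New-Object PSObject -Property @{
            File = $name; DenyExecute = (Test-DenyExecute $path)
            Owner = (Get-Acl -Path $path).Owner; Sha256 = (Get-Sha256Hex $path)
        }
    } else {
        New-Object PSObject -Property @{ File = $name; DenyExecute = $false; Owner = 'MISSING'; Sha256 = $null }
    }
}
$report | Format-Table File, DenyExecute, Owner, Sha256 -AutoSize
```

Saving the output from a known-good machine gives a baseline; a later run where DenyExecute is False, or where the owner or hash has changed, shows the file was re-permissioned or replaced.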


Tuesday, March 10, 2015

Quickie: How big is this User's picture in Active Directory?

How big is this User's picture in Active Directory?

PowerShell would be happy to tell you.
(Get-AdUser JoeUser -properties thumbnailPhoto).thumbnailPhoto.count


Monday, March 9, 2015

New Helicopter Excitement: Century 600 and lesson learned

Mr. B got a new (to him) helicopter on Saturday, a Century Products 600.  It's been on consignment at the hobby shop for several months for a steal price of $350 RTF.  It's a Nitro helicopter, his first.

We got it home and fabricated a starter adapter for it so we could start it with a cordless drill.  That was pretty cool.  I'll do a post on it when we've proven it a bit more.

As an aside here I should mention that helicopters of this size are quite dangerous.  The rotor disk is over a meter in diameter and has serious inertia.  There are dangerous amounts of energy there.  Searching the internet for RC Helicopter Injury had given us both our share of respect for this guy.
So, it was time to start it up.  Ready to fly.  We're both really excited, though we do have a bit of gruesome internet picture induced trepidation.  Did I mention how huge this heli is?  And that it's full of highly flammable fuel?  And the super-fast-and-heavy-rotors?

Immediately after starting we hit a serious problem.  The rotor head was trying to spin up to full speed, despite the presence of my body parts.  Throttle lock does nothing.  Throttle cut button does nothing.  3-D mode switch off.  Moving throttle lever does nothing.  Crepes!

I was holding the rotor head -hard- to keep it from spinning up and there was no way for me to let go without getting hit by the blades.  I was finally able to get it shut down and we did a post-mortem.

The throttle channel on the radio was reversed.  Hitting the throttle-cut switch nailed it to 100%, not 0%.  Unfortunately we figured it out after seriously damaging the clutch.  Damaging in this case means melted into non-existence.  Whoops.  No one was hurt so I can't complain.  It could have gone a lot worse.  I'm going to get him a new clutch this week.

There were some great quotes from today.
Mr. B: "It's okay, this is a lot smaller crash than we expected."

(Holding some ambiguous ribbon-like strips of melted plastic that look like no known helicopter part) Me: "I'm sure the guy at the hobby shop will be able to smell the part number off of these."

(B Holding a bottle of transparent green 15% Cool Power Heli Fuel)
"Mom, this Kool-Aid tastes funny."

B: "Why do these Ni-Cads take so long to charge?!"
Me: "Because they store energy as a second order chemical reaction that's driven backwards by the electrons flowing from the transformer."
B: "Stupid Chemistry!"

B: "Ellie was so excited when my Heli started she almost went to pieces!"

Lesson Learned: Check the throttle throw on the radio every time.  Everything else can be tested on the ground with the engine running, but a reversed throttle gets scary really fast.  We're going to mark the throttle closed direction on the engine and add it to our pre-flight check.

Lesson Learned: Define an Emergency Engine Stop procedure in case of Radio Failure.  Trying to improvise this in full adrenaline dump fight-or-flight mode is a bad idea.

My cooked-at-the-last-second e-stop procedure was to one-handed unplug the receiver battery connector and then manually move the throttle lever to the off position.  I do not love this, and am considering adding a fuel shutoff valve instead.  I would appreciate any opinions on this idea.