How to recover file from Crypto locker or Ransomware using shadow copy

First list all the shadow copy you have using vssadmin list shadows command as below

C:\resources\dosdev\dosdev\x86>vssadmin list shadows

After you run the command if you have any shadow copy it will show the result as below, if you get the result similar to below then download a copy of dosdev.exe, just google ‘dosdev.exe download’ you will need that to mount the shadow copy as drive letter.

Contents of shadow copy set ID: {85e1a1e5-e6dd-4479-ab11-769930317777} Contained 1 shadow copies at creation time: 30/11/2015 7:00:04 AM Shadow Copy ID: {c152023d-6a53-46a5-ae90-eac06d7b1f0d} Original Volume: (S:)\\?\Volume{1d09abf5-50bb-4619-ae1a-582285e37e1f}\ Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy62 Originating Machine: Service Machine: Provider: ‘Microsoft Software Shadow Copy provider 1.0’ Type: ClientAccessible Attributes: Persistent, Client-accessible, No auto release, No writers, Differential Contents of shadow copy set ID: {b1ceef12-fa9a-4aae-961a-1212df929c27}

I have underlined the time of shadow copy that I want to restore then copy the path of shadow copy. Navigate to directory where dosdeve.exe is and type dosdev v: then then paste the link you copied, see example below.

C:\resources\dosdev\dosdev\x86>dosdev v: \\?\GLOBALROOT\Device\HarddiskVolumeSha dowCopy62

You should get result as below

v:: The operation completed successfully.

then change the directory to V:

C:\resources\dosdev\dosdev\x86>dir v:
Volume in drive V is Studio1
Volume Serial Number is 18FA-38CD
Directory of V:\

now I have the shadowcopy as drive I can start robocopy, there are different robocopy command you can use 2 examples below, one copy everything other copy only the changes

V:\>robocopy “SKETCHUP VERSION 8″ S:\new /S /E /COPYALL /ZB /NP /MT:20 /R:3 / W:30 /LOG:”c:\resources\HR.log”

Log File : c:\resources\HR.log

V:\Studio 1\JOBS\STUDIO\SKYIT\Skyit Rainforest\05_SRR Ede Project\CREATIVE\3D>ro bocopy “SKETCHUP” S:\new /S /E /COPYALL /ZB /NP /MT:20 /R:3 /W:30 /LOG:”c:\resou rces\HR.log”

Log File : c:\resources\HR.log

There is bit more you can do with robocopy the files from your shadow copy.

One of my client had Crypto Locker virus with extension .zepto and encrypted number of different directory in shared drive. This is what I have done to recover, first logged on to the server did a search for *.zepto on the top level drive, in my case it was D:\ then I copied the search result to text file, it sound simple to copy search result to text file, if you haven’t done this before then how do you do it. You select the first line of search scroll to last line then ->hold shift and right click -> you get drop down menu select “Copy as Path” then you can open a notepad and paste.

now you have all the path in text file. using the dosdev process as above, I mounted the shadow copy that I want to copy from then run the robocopy command as below,

robocopy /e “V:\dfs\Data\SHARED\PROJECTS” “D:\dfs\Data\SHARED\PROJECTS” /log:c:\project.txt /tee

use this if you have access denied error

robocopy /e /ZB “V:\DFS\WaysOfWorking” “D:\DFS\WaysOfWorking” /log:c:\wayofworking.txt /tee

What this does is check all files and folder copy anything missing or different. I tried going to previous version in windows and browsing the copy then copy the file I needed but for this huge amount of data 10TB, didn’t wanted to do folder by folder also when it hit long file name or path then it stop copying, robocopy is the only way I found to be accurate.

Then I gone back to my search and deleted all the files that ware highlighted.

or you can use command prompt
c:\>del *.zepto /a /s

  • c:\>del *HELP_instructions.html /a /s

Mac’s and serial TTY’s (Using usb to serial adapter with MAC)


It’s not actually necessary to download an install extra software, as you can use the Mac OS X built in Terminal and screen. Screen lacks some features, but it does include VT100/ANSI terminal emulation, and can be extremely useful.

  1. Open an OS X terminal session (window)
  2. Find the right TTY device. Type: ls /dev/cu.*

With the USB-Serial adapter plugged in, you’ll get a list, including something like this:

$ ls /dev/cu.*
/dev/cu.Bluetooth-Modem		/dev/cu.iPhone-WirelessiAP
/dev/cu.Bluetooth-PDA-Sync	/dev/cu.usbserial

The 'man screen' page

  1. Then type: screen /dev/cu.usbserial 9600 (in this example).


    The 9600 at the end is the baud rate. You can use any standard rate,


    eg, 9600, or 19200 for a Sig Server!

  1. To quit the screen app, type CTRL-A, then CTRL-.

Type man screen in Terminal for further information on screen. (use ‘enter’ or ‘space’ to scroll, and ‘q’ to quit).

Running Microsoft Security Essentials on Server 2012

What to do

Here’s what needs to be done to get things up and running on Server 2012. First go here and download Security Essentials. Once downloaded right click on the (mseinstall.exe) executable en choose properties. Locate the ‘Compatibility’ tab and go to the ‘Compatibility mode’ section (see first screenshot below). Check “Run this program in compatibility mode for:” and select Windows 7 from the dropdown menu. Next, open up a command prompt and run it with administrative privileges. And finally ‘Browse’ to where you stored SE and run the (mseinstall.exe) executable with the additional /disableoslimit parameter. Below is a screenshot of how this will look.


Command Prompt

Outlook on a Mac Keeps asking for password

I have deleted/repaired keychain but nothing has worked.

It does save password for a few hours, but then forgets it.

For Exchange I had this problem and a few others – this is how I fixed it:

Take a note of exchange server settings in Outlook->Preference, select the account click advance.

Locate your account setup file here: ~/Library/Group Containers/xxxx.Office/Outlook/Outlook 15 Profiles/Main Profile/Data/Exchange Accounts/xx/
(the file will not have any extension)

Delete the file, then go back to outlook and type the exchange server setting. This worked for me.

How do you locate my account set up file? who may not be familiar with macs, this is what you do:

  1. Open outlook
  2. Change the server
  3. Quit outlook (as the auto discover can work at any time and you may lock the file in the wrong state)
  4. Click on Spotlight Search the hour glass in the top right hand corner
  5. Type in ~/Library/Group Containers/
  6. Go through the directories until you come to the last folder indicated above.
  7. The file will not have an extension but will end in “ExchangeAccount”
  8. Right click on the file
  9. Select “get Info”
  10. check the “Locked” box
  11. Open outlook

If you are prompted for a password, even though you know it is there and correct, maybe insert the server without the “https://” proceeding it, then repeat the steps above.

RSOP – Invalid Name Space

RSOP – Invalid Name Space

Recently had an issue where an entire site was not downloading domain policies. After a thorough search and different attempts to fix the issue below batch file fixed the issue:

Windows Management Instrumentation fails due to receiving an event or error concerning missing or failure to load WMI Provider, or Invalid WMI class, or WMI Invalid Namespace.

Below are some common errors indicating issues with a WMI Provider or Class:

  • Failed to initialize all required WMI classes
  • Win32_processor: WMI: Invalid namespace
  • Win32_WMISetting: WMI: Invalid namespace
  • Win32_OperatingSystem: WMI: Invalid namespace
  • WBEM_E_NOT_FOUND 0x80041002
  • WBEM_E_INVALID_CLASS 0x80041010

Scenario 1: WMI Invalid Namespace

First we want to take any scripts or programs out of the equation by using local built in tools. The two most common tools used to check wmi functionality is the WMI console (winmgmt.msc) and Wbemtest (Windows Management Instrumentation Tester).

Ensure the Namespace in question actually exist and functional.

  1. Go to start-run and type in wmimgmt.msc
  2. Right click on Local Wmi Control (Local)and select properties
  3. On the general tab, if there is any failures noted on that box, that indicates a core WMI issue and most likely with the Cimv2namespace.
  4. Click on the Security tab and expand Root folder. This is where you will see all of the namespace listed for WMI
  5. Find the namespace referenced in the error message you are getting
  6. If you find the namespace is missing, do the following,

7. Go to start-run and type in wbemtest

8. Click on the “Connect Button

9. In the Namespace Box type in the path to the namespace for which getting invalid namespace error for. This path would have the same look and feel of a Windows Directory, so just as you see the structure in wmimgmt.msc console on the Securitytab, so is how you will type in path



10. Click on the “Connect” button

11. Now all of the buttons should no longer be greyed out on the main wbemtest console page. Click on the “Enum Classes” button

12. Leave “Enter Superclass Name” blank and select “Recursive” then click OK. If you don’t get any error messages then you can access the name successfully without issue using built in Windows Management Instrumentation Tester

13. To test further, let’s see if we can access some classes.

make the following into a batch file

net stop winmgmt
cd c:\windows\system32\wbem
rd /S /Q repository
regsvr32 /s %systemroot%\system32\scecli.dll
regsvr32 /s %systemroot%\system32\userenv.dll
mofcomp cimwin32.mof
mofcomp cimwin32.mfl
mofcomp rsop.mof
mofcomp rsop.mflfor /f %%s in (‘dir /b /s *.dll’) do regsvr32 /s %%s
for /f %%s in (‘dir /b *.mof’) do mofcomp %%s
for /f %%s in (‘dir /b *.mfl’) do mofcomp %%smofcomp exwmi.mof
mofcomp -n:root\cimv2\applications\exchange wbemcons.mof
mofcomp -n:root\cimv2\applications\exchange smtpcons.mof

mofcomp exmgmt.mof

After running this re-run the GPUPDATE /force

Transfer Files Between Physical and Virtual Host on Hyper-V

Hyper-V users, there isn’t an easy way like what VMware is offering, however the following 5 ways should solve your problems.

Network File Sharing – Share files on a network like you usually do… 

1. On the virtual machine, create a folder on Desktop or any directory you preferred and give it a name.
2. Right click folder and select “Properties”
3. Select “Sharing” tab and click “Advanced Sharing…”
4. Tick “Share this folder” and select “Permissions”.
5. Give “Everyone” permissions like it shown on below picture.

6. Select OK to finish the sharing process.
7. Now what you need to do is, go back to your physical machine and access the shared folder by typing the “\computernameshared folder”.
8. Once you are on it and simply copy files over to the shared drive and it will start appearing on the virtual machine’s shared folder.

Remote Desktop map drive

1. Enable the Remote Desktop service on the virtual machine Server 2012 or other Windows OS, just make sure the Remote Desktop Service it is enabled so it can accept the service from client machine.
2. On Windows Server 2012 R2 to enabled Remote Desktop Service, go to “Server Manager” -> select “Local Server” from the left hand side menu.

3. Enable Remote Desktop by click on it, select “Allow remote connections to this computer” and un-tick the Recommended setting.

4. Now restart the virtual machine Server 2012.
5. Once the virtual machine Server 2012 is back and running, connect to the VM Server 2012 using Remote Desktop Connection.

6. On Remote Desktop Connection windows click “Local Resources”, under “Local devices and resources” tab click on “More”, expand “Drives” list and tick the drive you wanted to map.

7. Click OK and connect! Now see what you have on “My computer”!

8. Drag any files to the local drive on your PC and those files will appear on the Cloud VM server mapped drive.

Hyper-V USB offline

1. Make sure you have plugged the USB drive you are going to use to the computer.
2. Go to Start-> Control Panel -> Administrative Tools -> Computer Management
3. Select “Disk Management” from the left hand side menu
4. Right click the USB Drive and select “Offline”


5. Go to Hyper-V Manager and shutdown the running virtual machine
6. Right click the virtual machine and select “Settings”.
7. Select “SCSI Controller” and click “Add” a hard drive

8. Now select “Physical hard disk:” the USB drive you have just took offline on Disk Management.


9. Click “Apply” and OK to finish.
10. Start up the virtual machine and you should have the USB drive appeared on “My Computer”.

Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

As you may be aware, support for both Windows Server 2003 and 2003 R2 is coming to end on July 14th 2015. With this in mind, IT professionals are in midst of planning migration. This guide will provide steps on migrating AD CS from Windows Server 2003 to Windows Server 2012 R2.

In this demonstration I am using following setup.

Server Name Operating System Server Roles
canitpro-casrv.canitpro.local Windows Server 2003 R2 Enterprise x86 AD CS ( Enterprise Certificate Authority )
CANITPRO-DC2K12.canitpro.local Windows Server 2012 R2 x64

Step 1: Backup Windows Server 2003 certificate authority database and its configuration

1. Log in to Windows 2003 Server as member of local administrator group

2. Go to Start > Administrative Tools > Certificate Authority


3. Right Click on Server Node > All Tasks > Backup CA


4. Then it will open the “Certification Authority Backup Wizard” and click “Next” to continue


5. In next window click on check boxes to select options as highlighted and click on “Browse” to provide the backup file path location where it will save the backup file. Then click on “Next” to continue


6. Then it will ask to provide a password to protect private key and CA certificate file. Once provided the password click on next to continue


7. In next window it will provide the confirmation and click on “Finish” to complete the process

Step 2: Backup CA Registry Settings

1. Click Start > Run and then type regedit and click “Ok”


2. Then expand the key in following pathHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCertSvc

3. Right click on “Configuration” key and click on “Export”


4. In next window select the path you need to save the backup file and provide a name for it. Then click on save to complete the backup


Now we have the backup of the CA and move these files to the new windows 2012 R2 server.


Step 3: Uninstall CA Service from Windows Server 2003

Now we have the backup files ready and before configure certificate services in new Windows Server 2012 r2, we can uninstall the CA services from windows 2003 server. To do that need to follow following steps.

1. Click on Start > Control Panel > Add or Remove Programs

2. Then click on “Add/Remove Windows Components” button

3. In next window remove the tick in “Certificate Services” and click on next to continue

4. Once its completed the process it will give the confirmation and click on “Finish”

With it we done with Windows Server 2003 CA services and next step to get the Windows Server 2012 CA services install and configure.

Step 4: Install Windows Server 2012 R2 Certificate Services

1. Log in to Windows Server 2012 as Domain Administrator or member of local administrator group

2. Go to Server Manager > Add roles and features

3. It will open up “Add roles and feature” wizard and click on next to continue

4. Then next window select “Role-based or Feature-based installation” and click next to continue

5. From the server selections keep the default selection and click on next to continue

6. In next window click on tick box to select “Active Directory Certificate Services” and it will pop up with window to acknowledge about required features need to be added. Click on add features to add them

7. Then in features section will let it run with default. Click next to continue

8. In next window, it will give brief description about AD CS. Click next to continue

9. Then it will give option to select roles services. I have selected Certificate Authority and Certification Authority Web Enrollment. Click next to continue

10. Since Certification Authority Web Enrollment selected it will required IIS. So next window it will give brief description about IIS

11. Then in next window it gives option to add IIS role services. I will leave it default and click next to continue

12. Next window will give confirmation about service install and click on “Install” to start the installation process

13. Once installation completes you can close the wizard.

Step 5: Configure AD CS

In this step will look in to configuration and restoring the backup we created.

1. Log in to server as Enterprise Administrator

2. Go to Server Manager > AD CS

3. In right hand panel it will show message as following screenshot and click on “More”

4. It will open up window and click on “Configure Active Directory Certificate Service ……”

5. It will open role configuration wizard, it gives option to change the credential, in here I already log in as Enterprise administrator so I will leave the default and click next to continue

6. In next window it asking which service you like to configure. Select “Certification Authority”, “Certification Authority Web Enrollment” options and click next to continue

7. It will be Enterprise CA so in next window select the Enterprise CA as the setup type and click next to continue

8. Next window select “Root CA” as the CA type and click next to continue

9. The next option is very important on the configuration. If its new installation we will only need to create new private key. But since it’s a migration process we already made a backup of private key. So in here select the options as highlighted in screenshot. Then click on next to continue

10. In next window click on “Import” button

11. In here it will give option to select the key we backup during the backup process from windows 2003 server. Brows and select the key from the backup we made and provide the password we used for protection. Then click ok

12. Then it will import the key successfully and in window select the imported certificate and click next to continue

13. Next window we can define certificate database path. In here I will leave it default and click next to continue

14. Then in next window it will provide the configuration confirmation and click on configure to proceed with the process

15. Once its completed click on close to exit from the configuration wizard

Step 6: Restore CA Backup

Now it’s comes to the most important part of the process which is to restore the CA backup we made from Windows Server 2003.

1. Go To Server Manager > Tools > Certification Authority

2. Then right click on server node > All Tasks > Restore CA

3. Then it will ask if it’s okay to stop the certificate service in order to proceed. Click ok

4. It will open up Certification Authority Restore Wizard, click next to continue

5. In next window brows the folder where we stored backup and select it. Then also select the options as I did in below. Later click next to continue

6. Next window give option to enter the password we used to protect private key during the backup process. Once its enter click next to continue

7. In next window click “Finish” to complete the import process

8. Once its completed system will ask if it’s okay to start the certificate service again. Please proceed with it to bring service back online

Step 7: Restore Registry info

During the CA backup process we also backup registry key. It’s time to restore it. To do it open the folder which contains the backup reg key. Then double click on the key.

1. Then click yes to proceed with registry key restore

2. Once completed it will give confirmation about the restore

Step 8: Reissue Certificate Templates

We have done with the migration process and now it’s time to reissue the certificates. I had template setup in windows 2003 environment called “PC Certificate” which will issue the certificates to the domain computers. Let’s see how I can reissue them.

1. Open the Certification Authority Snap-in

2. Right click on Certificate Templates Folder > New > Certificate Template to Reissue

3. From the certificate templates list click on the appropriate certificate template and click ok

Step 9: Test the CA

In here I already had certificate template setup for the PC and set it to auto enroll. For the testing purposes I have setup windows 8 pc called demo1 and added it to canitpro.local domain. Once it’s loaded first time in server I open certification authority snap in and once I expanded the “Issued Certificate” section I can clearly see the new certificate it issued for the PC.


So this confirms the migration is successful.

Outlook 2016 autodiscover broken, but works for 2013 and 2007

If you try to deploy Office 2016 (specifically Outlook 2016) and connect it to an existing Office 365 account for email or Exchange 2016, autodiscover will probably give you fits. It just does not work reliably, and in many cases will not work at all. it just hangs and never completes.

The fix below work for us:


Unable to create snapshot: VMname/VMname.vmx already exists

Error: Unable to create snapshot: Operation failed because file already exists or Cannot complete the operation because the file or folder [DatastoreName] VMname/VMname.vmx already exists
when trying to VMotion you get Error: Migrate virtual machine MY-DC A general system error occurred: Source detected that destination failed to resume.

  • ESX/ESXi/vCenter Server 4.0 vSphere Client, shows an error similar to:

    Cannot complete the operation because the file or folder [DatastoreName] VMname/VMname.vmx already exists

  • ESX/ESXi/vCenter Server 4.1 vSphere Client, shows an error similar to:

    Cannot complete the operation because the file or folder <unspecified filename> already exists


This issue occurs when VMware ESX or ESXi tried to create a new vDiskname-delta.vmdk redolog file, but the generated filename already exists. This can occur if the -delta.vmdk redolog file does not have an associated descriptor file.

Every virtual disk is composed of two files, a flat or delta file containing the actual data and a descriptor file containing geometry and topology information. For example, vDiskname.vmdk and vDiskname-flat.vmdk or vDiskname-delta.vmdk. For more information, see Understanding virtual machine snapshots in VMware ESX (1015180).

When creating a snapshot, the host uses the lowest file number that is not in use by the chain of snapshots and does not exist on the directory. The host calculates this by checking through the descriptor files.

When the host tries to create the snapshot, it first creates the new descriptor file, then creates the associated -delta.vmdk file. If the host detects that a -delta.vmdk file with that name already exists the snapshot operation fails and the virtual machine reverts to its previous state.

To resolve this issue, locate and manually rename or move the -delta.vmdk file that does not have an associated descriptor file.
To locate and manually rename or move the -delta.vmdk file that does not have an associated descriptor file:
  1. Connect to the ESX or ESXi host using the vSphere Client.
  2. Locate the affected virtual machine in the Inventory.
  3. Determine which datastore(s) the virtual machine is stored on.
  4. Open the Datastore Browser.
  5. Navigate to the working directory containing the virtual machine configuration files. For more information, see Creating snapshots in a different location than default virtual machine directory (1002929).
  6. Confirm that remnant redolog delta.vmdk files from previous snapshots exist. For example:
    • The virtual machine is currently pointed to vmname-000001.vmdk.
    • vmname-000001.vmdk’s parent is the virtual machine base disk, vmname.vmdk.
    • A file named vmname-000002-delta.vmdk exists in the virtual machine directory.
    • A file named vmname-000002-delta.vmdk~ exists in the virtual machine directory.
    • The .vmx file does not reference the file named vmname-000002-delta.vmdk.
    • The .vmsd file does not reference the file named vmname-000002-delta.vmdk.
  7. Rename or move the remnant file aside. For example, move the file vmname-000002-delta.vmdk into a backup directory.
  8. Retry the Create Snapshot operation, it should complete successfully.
  • If the memory state is captured for a snapshot, a .vmsn file is created before the new .vmdk files. If the snapshot operation fails unexpectedly, the process halts and the .vmsn file is left behind. The .vmsn files can be safely removed if the virtual machine has no snapshots. If there are any snapshots, look in the .vmsd file to identify which .vmsn files are referenced by the virtual machine and remove the rest.
  • You may encounter such issue when you delete the descriptor file by browsing the datastore (assuming those are snapshot disk files and delta files are not visible) of a Virtual machine whose Snapshot/s  is/are not visible through Snapshot Manager.