
Wednesday, July 24, 2019

Recently I have run across random file deletions on terminal services on Windows 2012 R2+ servers. Typically this is automated A/V programs, pre-crypto programs being installed and blocked, and even end users just hacking around. This is a great procedure to set up so you can track file manipulation and be proactive about it when managing Terminal Servers on Windows Server.

File Access Auditing Event IDs

Once you have configured the two settings above, you can see the actual events. To view the file access and file change events, follow the steps below.
1. Open the Run window, type eventvwr.msc, and click OK.
2. In the Event Viewer management console, expand the Windows Logs tree node and select Security.
3. You will now see a lot of events in the right-hand pane, but to track file access we only need to check two event IDs, 4656 and 4663. To filter on just these two events, right-click the Security node and click Filter Current Log.
4. Type the event IDs 4656 and 4663 as comma-separated values and click OK.
5. The result window now lists only file access events; double-click any event to see what type of action was made on the particular file.

4656: This is the first event logged when a user attempts to access the file. It gives information about what type of access the user requested, not what type of access the user actually made (that is given by Event ID 4663).
4663: This event gives the type of operation the user actually performed on the file: whether the file was created, modified, deleted, or simply accessed.
4670: This event is logged when a user changes the permissions of the file (its access control list). The event contains who changed the permissions and the old and new permissions.
[Figure: Event 4663 - Delete File event source (File Access Audit Event - 4663)]
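The steps above filter the Security log by hand in Event Viewer. The script below is an added example, not from the original post, that does the same thing from PowerShell and additionally decodes the AccessMask of each 4656/4663 record so that delete requests stand out from ordinary reads and writes, and pairs each 4670 record with its old and new security descriptor. It assumes object access auditing and a SACL on the watched folder are already in place (the "two settings above"), that it runs elevated, and that D:\UserData is just an example path to replace with the folder you audit.

```powershell
# Added example (not from the original post): summarise file-access audit events
# 4656, 4663 and 4670 for one folder and decode the AccessMask bits.
# Assumes auditing and the folder SACL are already configured and the shell is elevated.

# Standard Windows file access rights as they appear in AccessMask
$AccessBits = [ordered]@{
    ReadData   = 0x1
    WriteData  = 0x2
    AppendData = 0x4
    DELETE     = 0x10000
    WriteDAC   = 0x40000
}

function Get-EventField {
    # Returns one named EventData field from a Get-WinEvent record via its XML form
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Convert-AccessMask {
    # Translates a hex AccessMask string such as "0x10000" into right names
    param([string]$Mask)
    if (-not $Mask) { return @() }
    $value = [Convert]::ToInt64($Mask, 16)      # accepts the "0x" prefix
    $AccessBits.GetEnumerator() |
        Where-Object { ($value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-FileAuditSummary {
    # Emits one object per audit event whose ObjectName sits under $WatchPath
    param(
        [string]$WatchPath = 'D:\UserData',   # assumed example folder; change to the audited folder
        [int]$MaxEvents = 500
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4670 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $obj = Get-EventField -Event $e -Name 'ObjectName'
        if (-not $obj -or -not $obj.StartsWith($WatchPath, 'OrdinalIgnoreCase')) { continue }

        $user = Get-EventField -Event $e -Name 'SubjectUserName'
        $proc = Get-EventField -Event $e -Name 'ProcessName'

        switch ($e.Id) {
            4656 {
                # Access that was requested, not necessarily used
                $rights = Convert-AccessMask (Get-EventField $e 'AccessMask')
                $what = 'requested: ' + ($rights -join ',')
            }
            4663 {
                # Access that was actually exercised; DELETE here is the deletion you are hunting
                $rights = Convert-AccessMask (Get-EventField $e 'AccessMask')
                $what = if ($rights -contains 'DELETE') { 'DELETED' } else { 'used: ' + ($rights -join ',') }
            }
            4670 {
                # Permission change: old and new security descriptors in SDDL form
                $what = 'permissions changed: ' + (Get-EventField $e 'OldSd') + ' -> ' + (Get-EventField $e 'NewSd')
            }
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            User    = $user
            Process = $proc
            Object  = $obj
            Action  = $what
        }
    }
}

# Usage: list the most recent events for the watched folder, newest first
Get-FileAuditSummary -WatchPath 'D:\UserData' | Sort-Object Time -Descending | Format-Table -AutoSize
```

The Process column is what usually answers the question the post opens with: an A/V engine or installer shows up as its own executable, while "end users hacking around" show up as explorer.exe or cmd.exe under their own account. Filtering on the DELETE bit of 4663 rather than on 4656 avoids counting programs that merely opened the file with delete rights and never used them.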

Monday, July 15, 2019

Windows 10 Prep - Disable First Run "hi" on Base Image




In the right panel, find the Show first sign-in animation value and double-click it. Set it to Disabled to prevent the animation from showing. Note that this will also prevent Windows from asking new Microsoft Account users to opt-in to various Microsoft services at first run.

Windows 10 Home users will have to use the Registry to hide the animation. Type regedit into the Start Menu to open the Registry Editor. Then browse to this value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Once you've opened the System key, right-click in the right panel and choose New > DWORD (32-bit Value). Name it EnableFirstLogonAnimation, then double-click it to change its value. Make sure it's set to 0 to hide the animation.

Done.....

Tuesday, July 9, 2019

VMware View Composer Error. Timeout waited (0) seconds error (6) Fix for Horizon View 7.0-7.4



With Horizon View 7.0, and until Windows 10 1709 is fully supported, you will need this fix to resolve the "VMware View Composer Error. Timeout waited (0) seconds error (6)".

Open regedit and delete the "Security" subkey under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE.

So, delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Security


Also, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE there should be a "DependOnService" entry with the values "RpcSs" and "vmware-viewcomposer-ga"; remove "vmware-viewcomposer-ga" and leave "RpcSs" in place.


Take a new snapshot of the base image and recompose, and you should be good.
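The same two registry changes can be applied from PowerShell before taking the snapshot. The script below is an added example, not from the original post or from VMware; it exports the BFE key first so the change can be reverted, removes the Security subkey only if it exists, and rewrites DependOnService as a multi-string with only vmware-viewcomposer-ga dropped, so RpcSs is preserved. The backup file location under $env:TEMP is an assumption; the registry paths and value names are the ones from the post.

```powershell
# Added example (not from the original post or VMware): apply the View Composer
# fix from an elevated PowerShell prompt, with a backup of the BFE key first.
$BfeKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE'
$BfeRegExp = 'HKLM\SYSTEM\CurrentControlSet\Services\BFE'     # reg.exe form of the same key
$Backup    = Join-Path $env:TEMP 'BFE-before-composer-fix.reg' # assumed backup location

# 1. Export the key before touching it; "reg import" of this file restores the old state
reg.exe export $BfeRegExp $Backup /y | Out-Null
Write-Host "Backup written to $Backup"

# 2. Delete the Security subkey if present (nothing to do on a machine already fixed)
$SecurityKey = Join-Path $BfeKey 'Security'
if (Test-Path $SecurityKey) {
    Remove-Item -Path $SecurityKey -Recurse -Force
    Write-Host "Removed $SecurityKey"
}

# 3. Drop vmware-viewcomposer-ga from DependOnService, keeping every other dependency
$deps = (Get-ItemProperty -Path $BfeKey -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
if ($deps -and ($deps -contains 'vmware-viewcomposer-ga')) {
    $newDeps = @($deps | Where-Object { $_ -ne 'vmware-viewcomposer-ga' })
    Set-ItemProperty -Path $BfeKey -Name DependOnService -Value $newDeps -Type MultiString
    Write-Host "DependOnService is now: $($newDeps -join ', ')"
}

# 4. Show the final state so it can be checked before the snapshot is taken
Get-ItemProperty -Path $BfeKey -Name DependOnService | Select-Object DependOnService
Test-Path $SecurityKey   # should print False
```

Run it once in the base image, confirm the last two lines show DependOnService without vmware-viewcomposer-ga and False for the Security subkey, then take the snapshot and recompose as described above.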