RafaelWolf.com

Good enough for government work! :p

Manually updating Microsoft Security Essentials from a UNC path

I haven’t seen anyone with this solution yet and I did get a request to post the how to.  A while back I posted on how to push out the Microsoft Security Essentials (MSE) software to any number of machines with a system startup script.  For IT shops on a budget this is a good solution.  Couple this with not having your users running as local administrators or power users, some decent group policies, possibly some firewall packet filtering or AV scanning of that data with a web filter and you’ll be pretty secure!

Depending on your OS (32 bit or 64) you’ll need to adjust these commands to include the proper paths.  For my examples they’re all done on a 32 bit machine so adjust accordingly.

The location of MSE is:

C:\Program Files\Microsoft Security Client\Antimalware

Doing a directory listing we find and notice the bolded files:

C:\Program Files\Microsoft Security Client\Antimalware>dir /B
Drivers
EN-US
IpsConsumer.dll
MpAsDesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
mpevmsg.dll
MpOAv.dll
MpRTP.dll
MpSvc.dll
MpUtil.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
NisIpsPlugin.dll
NisLog.dll
NisNetIP.dll
NisPerformanceProvider.dll
NisRes.dll
NisSrv.exe
NisWFP.dll

I’ve found that in the past just messing around with exe files by typing in (for example), mpcmdrun /? – you might find interesting things ;)

Doing so with the command line version of MSE, you see you can run all kinds of interesting commands; if you use a program to execute commands on remote machines you can even scan machines remotely!

The file usage is MpCmdRun.exe [command] [-options]

So if we want to do a signature update according to the command options we’d do this:

mpcmdrun -SignatureUpdate -UNC%storepath%

* Of course you must declare your store path as a UNC file path \\servername\share for example

Here’s the batch file I have:

@echo off
:: Setting system variables (the quotes are part of the value, so it is used unquoted below)
set storepath="\\server\share\distribute\Microsoft_Security_Essentials\updates"

if exist %storepath%\mpavdlta.vdm goto execute
echo Update package does not exist...
echo.
goto end

:execute
:: Executing package
echo Executing Microsoft Security Essentials Update...
echo.
:: %storepath%\%package%
mpcmdrun -SignatureUpdate -UNC%storepath%

:end

This sets the storepath variable, which is the share where we store our update.  When it updates, MSE seems to look for a file named “mpavdlta.vdm”.  You just have to point it at your UNC share and it automatically looks for that file; I found this out by trial and error!

* Copy the above script into a bat file and make that a user log on script so the user executes the update.  It’s doing the same thing as a user would who opens MSE and manually clicks the “update” button but if it’s a user logon script (preferably via group policy) then it’s a no brainer for the user and you’re telling MSE where to get the update from (NOT your WAN ;) ).

So now; how do we get our “update server” to always have a fresh ready to go update?

You need to use wget for Windows and make a scheduled task on your server that uses wget to download the latest update to the update folder.  You’ll also need 7zip to unzip the package.

Here’s what I have for a script:

:: Here’s the KB on manually downloading the update:  http://support.microsoft.com/kb/971606

@echo off

echo Setting system variables…
echo.
set storepath="\\server\share\distribute\Microsoft_Security_Essentials\updates"
set patch=mpam-fe.exe
set updateurl=http://download.microsoft.com/download/DefinitionUpdates

:: Mapping drive
echo Mapping x: drive temporarily…
echo.
net use x: %storepath%
echo.

:: Removing the old update file
echo Removing the old update file...
echo.
del /q %storepath%\%patch%
echo.

:: Downloading the update
echo Downloading the MSE update…
echo.
%storepath%\wget -P x: "%updateurl%/%patch%"
echo.

:: Unmapping drive
echo Unmapping x: drive…
echo.
net use x: /delete /yes
echo.

:: Unzipping package
echo Unzipping the update…
%storepath%\7za x %storepath%\%patch% -y -o%storepath%
echo.

We name some variables so that if we ever change the paths, all the settings change by editing one line.  We map a drive (I called it “x:”, you can call it whatever you want), use wget to download the patch to the storepath, then unmap the drive…I think I had to use a mapped drive because wget didn’t like UNC paths :-) .  Finally we unzip the update to our “updates” directory.

This isn’t “foolproof” because I haven’t used this process in a while.  We had some machines (tablets) that went through a proxy server and we didn’t want to allow these tablets any Internet except the specific SAAS (Software as a service) 3rd party vendor we were using.  So we made the server get the updates and each client look at the server for updates.

There do appear to be registry settings for changing WHERE MSE gets updates from; the default is “MMPC”.  I haven’t tried tweaking the setting since the clients I was putting it on couldn’t get to the site, they’d just update on user logon from a UNC path.  Next shift of users = new update!

Again; the scripts worked for me but there could be some tweaking.

Download wget

Download 7-zip

 

Daily Full Zimbra Email Backup process

Zimbra is a rockin open source exchange (or as most call it “collaboration suite”) alternative to Microsoft Exchange.  It’s cheaper, just as functional, open source, no Microsoft Software is required, it’s cheaper;…did I mention it’s cheaper?  :)

I’m working on Zimbra Network Edition 7.x and it would seem that by default Zimbra backs up to: /opt/zimbra/backup

Going one folder level below that you find a folder called “sessions”; this is where the core data seems to be for Zimbra (/opt/zimbra/backup/sessions).  Here Zimbra makes folders both “full” and “incremental”.  Your full folders will have a name of “full*”, the * meaning some variable by date like month day year (20110911.something).  To make a LONG story short, for my requirements I simply needed to make 6 or 7 full backups (“daily” backups).  Here’s what I wanted:

Backups: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday and Sunday <- Full

* Although incremental backups are part of the default schema and they only do a full backup at the end of the week I find it much easier with respect to backups to do full backups in case you need to restore them you don’t need to “incrementally restore” your backup which saves me time!

My process:  Zimbra > Local backup to /opt/zimbra/backup/sessions > RSYNC to FreeNAS > RSYNC “daily” offsite

I could technically RSYNC from Zimbra offsite but I’d rather let FreeNAS do the heavy lifting so I don’t impact my production email server.

Great, we have a plan but how to implement it?  How do you accomplish the task of:

Renaming the full* folder by the current day?

Here’s how…

Create a shell script:

nano today.sh

Put these contents inside of that file:

#!/bin/sh
# Resource: http://en.wikipedia.org/wiki/Date_%28Unix%29
ZIMBRADATE=$(date +"%A")
rm -r -f /opt/zimbra/backup/sessions/$ZIMBRADATE
mv /opt/zimbra/backup/sessions/full* /opt/zimbra/backup/sessions/$ZIMBRADATE
cp -r /opt/zimbra/backup/sessions/$ZIMBRADATE/* /opt/zimbra/backup/sessions/daily

* FYI – since I posted this I’ve modified this script SEVERAL times.  It’s because I kept forgetting full paths!  Works flawlessly now ;-)

Done!  What this does is create a variable called ZIMBRADATE.  The command date +"%A" is a Linux command that displays the date as the name of the day, so it would show us “Thursday” if that was today or “Sunday”, whichever day is today when running the command.

So if you “echo $ZIMBRADATE” instead of “rm -r -f $ZIMBRADATE” you’ll see the output.  Once we get our variable, which is today’s day (I’ll use Friday in my examples), the commands where you see the variable $ZIMBRADATE are actually “Friday”.  Just to clarify, I made the word $ZIMBRADATE up, you could use $CHEESEPUFFS or $WHOCARES – it’s an arbitrary name; what’s important is what comes after it, =$(date +"%A").  You can assign the output of other commands to a variable the same way, and if your code was LONG, doing repetitive tasks, etc you would definitely want to do that, but for us we only need one.

rm -r -f $ZIMBRADATE becomes the command “rm -r -f Friday”.  We then “move” any folder name that the stock Zimbra backup made because that folder name always starts out with “full” to “Friday”, the “mv” command is “move” but you’re essentially “renaming it”.  Linux common sense isn’t necessarily my common sense but they might know better anyway :p.

Finally we “cp” or “copy” the Friday folder to “Daily” which gets overwritten with the current day’s data (Friday’s data).  All of that then sync’s to our backup server, the backup server then sync’s the daily folder offsite for safe keeping in case of a disaster.
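
A guarded variant of the rotation, as an added example rather than the script used in this post: it refuses to delete the existing weekday folder unless exactly one full* folder is waiting, and it accepts only real weekday names.  The function name rotate_full, the --run switch and the daily.new staging folder are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the post's script): guarded weekday rotation for Zimbra full backups.
# rotate_full SESSIONS_DIR [DAYNAME]
#   SESSIONS_DIR  directory holding the full* folders (the post uses /opt/zimbra/backup/sessions)
#   DAYNAME       optional override for testing; defaults to today's English weekday name

rotate_full() {
    sessions=$1
    # LC_ALL=C keeps the day name in English regardless of the server locale.
    day=${2:-$(LC_ALL=C date +%A)}

    # Only accept a real weekday name. An empty or path-like value here would
    # turn the rm -rf below into a delete of the whole sessions tree.
    case $day in
        Monday|Tuesday|Wednesday|Thursday|Friday|Saturday|Sunday) ;;
        *) echo "rotate_full: unexpected day name '$day'" >&2; return 2 ;;
    esac
    if [ ! -d "$sessions" ]; then
        echo "rotate_full: no such directory: $sessions" >&2
        return 2
    fi

    # Count the full* directories. Zero means the backup did not run; more than
    # one means an earlier rotation was skipped. Either way, change nothing.
    count=0
    found=
    for d in "$sessions"/full*; do
        [ -d "$d" ] || continue
        count=$((count + 1))
        found=$d
    done
    if [ "$count" -ne 1 ]; then
        echo "rotate_full: expected 1 full* directory, found $count; nothing changed" >&2
        return 1
    fi

    # Last week's copy is removed only now that a replacement is known to exist.
    rm -rf -- "$sessions/$day"
    mv -- "$found" "$sessions/$day"

    # Build the new "daily" copy beside the old one, then swap, so files
    # left over from the previous day never remain in the offsite set.
    rm -rf -- "$sessions/daily.new"
    cp -R -- "$sessions/$day" "$sessions/daily.new"
    rm -rf -- "$sessions/daily"
    mv -- "$sessions/daily.new" "$sessions/daily"
}

# Run for real only when asked, e.g. from root's crontab:
#   15 3 * * 0-6 sh /full/path/to/your/script/today.sh --run > /var/log/today.log
if [ "${1:-}" = "--run" ]; then
    rotate_full /opt/zimbra/backup/sessions
fi
```

A non-zero exit status means nothing was rotated, which is worth alerting on because the offsite “daily” copy is then a day old.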

You’ll also want to go into your cron tasks for “zimbra” and edit a line:

Login to your server

sudo -i

su - zimbra

crontab -e

There’s a section in the crontab that should look like this:
* Although I have a comment for my own use “My Edit…”

# Backups
#
# BACKUP BEGIN
# My Edit – Full backups 7 days a week
# 0 1 * * 6 /opt/zimbra/bin/zmbackup -f -a  all --mail-report
0 1 * * 0-6 /opt/zimbra/bin/zmbackup -f -a  all --mail-report
# My Edit – comment out incremental backups
# 0 1 * * 0-5 /opt/zimbra/bin/zmbackup -i  --mail-report
0 0 * * * /opt/zimbra/bin/zmbackup -del 1m --mail-report
# BACKUP END

Anything with a “#” is commented out and not read by cron, so I kept the original line in there just in case.  zmbackup is the Zimbra Backup command; you can type zmbackup --help for information on it but it’s pretty basic.  The above method of folder renaming isn’t possible with zmbackup, you have to run a second process like we’ve done to manipulate the default output of zmbackup.

Is anything ever perfect?  I forgot yet another thing and I’m updating this post.  You need to (as root) edit your cron to include the folder gymnastics we put in place with the above script.

As root then (sudo -i or if you’re in as the zimbra user type “exit” and go back to root) do a:  crontab -e, add this line to your root user crontab:

15 3 * * 0-6 bash /full/path/to/your/script/today.sh > /var/log/today.log

* I encourage you to name your script and log something different :-)

Once you do that it’ll run at 3:15am every day, you might want to adjust that time too.   Seems by default my Zimbra backup gets done at a little after 1am.

Now you’re done, you’ve got static folders for every day of the week and one called “daily” which you can now copy offsite.  You’ll also want to make sure you have the accounts.xml from /opt/zimbra/backup.

Any comments are appreciated or if you have questions I’m always happy to help.

In my opinion Microsoft Security Essentials does a decent job for the price :p – they don’t just do spyware anymore, they also do malware and antivirus!  For a smaller company (or even a larger one for that matter) looking to save money they can try using it rather than a more “corporate” package from the big vendors (Norton, McAfee, AVG, Panda, Avast, etc, etc, etc…the list goes on).  There might be just a few small problems; MSE doesn’t really have a central administration tool (or server) but that’s not a big deal, with a small amount of work you can kind of make one or centrally manage it yourself.  It also doesn’t alert an administrator if it finds something, it only alerts the end user so expect a phone call from time to time.  Those are the biggest downfalls but depending on what you’re looking for or can tolerate it might work out for you.  I’ve distributed this on about 75 workstations and I haven’t really heard a peep from anyone.

Again though; it’s free and does a decent job so if you’re willing to ‘trust’ it and you’ve got other layers of protection (like not letting end users run as power user or local admin, local firewall, corporate firewall, strong passwords, encryption, etc, etc, etc) then your comfort level should be better (mine is).

So here’s the recipe for pushing out various versions of MSE and configuring it with the options you want.  In our MSE batch of goodness you need these tools:

  1. A Windows Domain (Could work without this but it’s helpful to have it)
  2. Group Policy Know How (moderate)
  3. Batch file skills (moderate)
  4. A file share
  5. 7-zip to extract the exe’s from M$
  6. Install MSE so you can configure it then export your configuration via the registry

Download 7-zip and install it (link above)

Download MSE

Available Versions:

  • Windows XP 32-bit
  • Windows Vista/Windows 7 32-bit
  • Windows Vista/Windows 7 64-bit

You should be downloading a file called:  mseinstall.exe <- Same name for all versions but the packages are different

With 7-zip installed you should then be able to right click mseinstall.exe and extract the contents.

What I would do here is create a share folder “mse”, of course permissions are up to you but read only is fine for everyone, you could / should also make it a hidden share or ONLY a hidden share ;) .  You can append a $ sign at the end of your share name like “mse$”, this way it won’t be browsable on your network.  You’ll have to know it’s there to find it (\\servername\mse$).  Copy your extracted folder to the mse share, maybe put an “xp” folder in the mse folder and then 7×32 and 7×64 folder to keep your versions straight if you need to deal with multiple versions.

For this example I downloaded the XP 32 bit version, I extracted it, I made my mse share with the appropriate subfolder named xp.

start > run > \\myserver\mse\xp or \\myserver\mse$\xp if you used a hidden share (recommended)

Folder contents are:

en-us <-Folder
x86 <- Folder
compappsconent.dll
epplauncher.exe
eppmanifest.dll
setup.ini
setupres.dll

* I just noticed this but in the setup.ini if you’re upgrading versions it looks like you can mark “ShowUpgradeEULA=true” to =false so you don’t have to agree to the EULA again ;)

So what we’ve done so far is gather our ingredients, the tools and files we need to make our batch of goodness :)   We’ve downloaded and installed 7-zip, we’ve downloaded our versions of MSE and we’ve created our share then extracted the files to their respective folders.   Now it’s time to create our batch file that will:

  1. Detect the OS
  2. Detect the OS Architecture (32 or 64 bit)
  3. Call the appropriate installer

In the \\servername\mse folder on your network create a batch file, I called mine push_mse.bat.  Then right click and ‘edit’ the file, it should open notepad.  For you sophisticated types you might like using notepad++, a favorite editing tool of mine because it highlights things in colors and has advanced search / replace filters.

In our batch file start by typing in or copy and pasting in this text with edits to match your environment:

****

@echo off

:: This is a comment - this will install MSE

echo Finding your Windows Version
:: Error = 0 for true
:: Error = 1 for false

:: This version number = Windows XP
ver | findstr /C:"Version 5.1.2600"
if %errorlevel% EQU 0 goto XP

:: This version number = Windows 7
ver | findstr /C:"Version 6.1.7601"
if %errorlevel% EQU 0 goto arch

:: Neither version matched, so do nothing rather than fall through to the XP installer
goto end

:XP
:: Checking to see if the MSE folder exists, if it doesn't then it's not installed
if exist "%ProgramFiles%\Microsoft Security Client" goto end
\\servername\mse\xp\x86\setup.exe /s /runwgacheck /o
reg import \\servername\mse\windows_security_essentials_default_settings.reg
goto end

:arch
:: Detecting 32 bit or 64 bit
wmic OS get OSArchitecture | findstr /C:"32-bit"
IF %ERRORLEVEL% EQU 0 goto 7_32
IF %ERRORLEVEL% GTR 0 goto 7_64

:7_32
:: Checking to see if the MSE folder exists, if it doesn't then it's not installed
if exist "%ProgramFiles%\Microsoft Security Client" goto end
\\servername\mse\7x32\x86\setup.exe /s /runwgacheck /o
reg import \\servername\mse\windows_security_essentials_default_settings.reg
goto end

:7_64
:: Checking to see if the MSE folder exists, if it doesn't then it's not installed
if exist "%ProgramFiles%\Microsoft Security Client" goto end
\\servername\mse\7x64\amd64\setup.exe /s /runwgacheck /o
reg import \\servername\mse\windows_security_essentials_default_settings.reg
goto end

:end

****

I think that’s about right, the above is untested really, it’s similar to what I’m using but mine is much messier :p.  What you can do to see your errors is comment out the “@echo off” section and it’ll print every line on the screen, then end your script with a pause or put a bunch of pause statements in the script, I often do that to “step through” a program and when I’m done I get rid of all the pausing.  You can also “echo %errorlevel%” to see the output / result.

The ‘cherry on top’ are the settings.  You’ll notice above I’ve got a registry import for the settings.  To get these you’ll need to install MSE, configure it in the settings then export your settings from the registry to a reg file.  The settings seem to be the same from 32 bit to 64 bit and they have the same registry entry options.

start (or Windows Button how lame!) > regedit > OK or enter if you’re on Vista or 7.  This will open the registry editing tool, navigate down to:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware

I have only exported things like my Exclusions list / paths, the scan settings like allowing pause located under “Scan” and not joining of SpyNet under “SpyNet”.  Here’s a sample of my registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"%programfiles%\\someprogramfilderhere"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Scan]
"AllowPause"=dword:00000001
"DisableCatchupQuickScan"=dword:00000001
"DisableCatchupFullScan"=dword:00000001
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"QuickScanInterval"=dword:00000000
"ScheduleDay"=dword:00000000
"AvgCPULoadFactor"=dword:0000000a
"ScheduleTime"=dword:0000021c
"DisableRemovableDriveScanning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\SpyNet]
"SpyNetReporting"=dword:00000000

You could probably export the entire “Microsoft Antimalware” hive and call it good too ;) .  You’ll notice things like “ScheduleTime” – it’s a bit cryptic so if you want to adjust all the scanning times (mine is at noon I think) you can make the change on your local machine, check that key for the change then update your registry file.  Now what you want to do (and I’m not going to go into the how) is make a system startup group policy and point your new batch file in the system startup for PC’s in your organization.  You can do it many ways.  Something I’ve done in the past is have one system batch file that runs at startup and I tweak it for installs or settings like this.  Then you don’t have to create more group policies and have a plethora of batch files out there.  You just edit the one file and you’re good to go; that is…unless you need specialized settings for various departments or people.

Lastly, when the installation ‘kicks off’ there’s a bit of a pause or lull, it might take a few minutes to “do something” and for you to notice the Security Essentials little blue home logo in the system tray, the icon will probably be orange but it will shortly turn to blue after it updates which our command above on the install tells it to do ;) .

There’s also a process I have to do an “update server” so all your clients don’t go out to the net for updates but rather they get updates from your local share.  I’m not going to post it here unless someone wants that process too.

All in all it’s been smooth and I’ve had no complaints.  It’s also saved the company a few thousand dollars in licensing fees to one of the big AV companies.

I posted a while back about detecting Windows Operating System Versions – I had some help and inspiration from another site / blogger.  At the time I was only working with 32 bit versions of Windows but now 64 bit versions have been rolling in the door :)

Reference for the command I use (wmic OS get OSArchitecture) is here at Petri.co.

Time to adjust my batch file to detect architecture type.  So without further ado…

Those unfamiliar with batch files here’s a small legend of my code:

:: <- The double colon means a comment, you can also say ‘rem’ to remark out the line but the :: seems cleaner to me

@echo off <- That turns off showing text / commands on the screen and will only show things you ‘echo’

* In troubleshooting I often ‘echo’ my error levels so I know what the result is, you’ll see that below

********

@echo off

:arch
echo.
echo Finding your processor architecture…
systeminfo | findstr /C:"Microsoft Windows 7 Professional"
echo.

:: Here’s some echo’ing going on so I can see the errorlevels, uncomment to see them
:: If it’s “Microsoft Windows 7 Professional” errorlevel = 0 for a true!
:: If it’s not “Microsoft Windows 7 Professional” errorlevel = 1 for a false!
:: echo Errorlevel is…
:: echo.
:: echo %errorlevel%

IF %ERRORLEVEL% EQU 0 goto ArchDetect
IF %ERRORLEVEL% EQU 1 goto XP
:: If it's not Windows 7 (in my environment it's 32 bit XP) it moves on to the :XP section below
:: If it's Windows 7 it goes to :ArchDetect

:ArchDetect

:: Get OS Architecture type of Windows 7 Pro
wmic OS get OSArchitecture | findstr /C:"32-bit"
:: echo Errorlevel is…
:: echo.
echo %errorlevel%
IF %ERRORLEVEL% EQU 0 goto 7
IF %ERRORLEVEL% GTR 0 goto 7_64

:7
echo.
echo You’ve got 32 bit Windows 7
echo You’d put your batch file commands for 7-x32 here…
goto end

:7_64
echo.
echo You’ve got 64 bit Windows 7
echo You’d put your batch file commands for 7-x64 here…
goto end

:XP
echo.
echo You’ve got Windows XP
echo You’d put your batch file commands for XP here…
goto end

:end
pause
********

So put all that code into a file called something.bat <- Name it whatever you want as long as the file extension is .bat.  You can double click it or run it from the command line and see what it does :)

Here’s my output when I run it from a command prompt on my current machine:

C:\temp\>c:\temp\findst2.bat

Finding your processor architecture…
OS Name:                   Microsoft Windows 7 Professional

32-bit
0

You’ve got 32 bit Windows 7
You’d put your batch file commands for 7-x32 here…
Press any key to continue . . .

I was getting a few odd rsync backup issues that I banged my head against for a good…mmmmmm, 4 hours maybe.  It was perplexing only because the errors (to me) were cryptic.  I’m posting this because I didn’t seem to find any clear resolution on other sites.  I also can’t stand when someone posts an error only to later post an “Oh I figured it out” or “Oh I fixed it” WITHOUT leaving any clue as to HOW they fixed it.

First – let’s download a cool chmod utility that shows you in a meaningful visual way how chmod works and what it all means:  Classical Web Designs

* That tool was quite helpful in figuring out what chmod number I had by comparing the ‘chmod string’ it also outputs.

Here goes:

RSYNC error:  rsync: change_dir#1 failed: Permission denied (13)

* This usually means the directory on your server has the wrong permissions.  Note that on FreeNAS the default permissions seem to be 755 or rwxr-xr-x.  To fix simply run this command ‘chmod 755 whateverfolder’.  You can also run ‘chmod -R 755 whateverfolder’, but I wouldn’t just yet, because this will recurse through your folder tree and if it’s only the top level folder having problems you might overwrite sub folder permissions unintentionally.

* Interpreting the error, ‘change_dir’ means that rsync can’t navigate through your remote server directory tree

RSYNC error:  rsync: cannot stat destination “/somefolder/somewhere/there”: Input/output error (5)

RSYNC error:   rsync: ERROR: cannot stat destination : Permission denied (13)

* This usually means that rsync can’t WRITE to the destination folder so for example, “/somefolder/somewhere/there”.  Again this is a permissions issue and you should check the “there” folder permissions and work your way up.  Apparently when rsync ‘stats’ your stuff it’s shorthand for writing a temp file in that directory to facilitate the transfer.  I don’t pretend to know the nuts and bolts of how it works but notice this to diagnose the issue.

“destination” – this isn’t your source :p

cd /somefolder/somewhere/there

ls -la

If you don’t see “rwxr-xr-x” or “youruser:guest” (or depending on your system you might see “root:root”) you should visit our old buddy chmod again and simply do a:  chmod 755 there or chmod 755 /somefolder/somewhere/there.  FYI on FreeNAS it’s ‘youruser:guest’, I also recently realized you could do a “chown -R youruser:guest /somefolder/somewhere/there” and that fixes permissions allowing the ownership to go from root:root to the aforementioned.  I think this is preferred to chmod’ing.

RSYNC error:  rsync: recv_generator: failed to stat “somefolder/somewhere/there”: Input/output error (5)

* This usually means that rsync can’t write to the directory in your SOURCE folder.  For example if you use cygwin on a Windows machine and you’re backing up c:\temp ” cygwin ‘/cygdrive/c/temp’” then go into that directory in cygwin and check your permissions.

cd /cygdrive/c/temp

ls -la

You might see an owner of ????????? or something that doesn’t look right.  In my case the user I was using to run rsync and backup directories didn’t own the directory and couldn’t write files to the root of that directory (I think rsync calls it a ‘manifest’ (list of files to xfer)).  So I then looked at the permissions on the Windows side of life and retried the xfer.

What it looked like:

drwx------+ 1 administrator  Domain Users 0 Jun  3  2010 Folder1
d---------+ 1 ????????       Domain Users 0 May 12 23:11 Folder2

Success!

Moral of the story it would seem with RSYNC is that permissions are everything and if you get some type of error it’s usually because rsync can’t hook onto a file or directory with the user you’re running it as.  Let me know if this helped you because I spent 4 hours of my life to save you 3 hours and 45 minutes of yours :p
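
“Work your way up” as a script, added here as an example and not part of the original post: it lists every directory from the destination up to a stopping point and prints the highest one whose mode differs from the 755 default mentioned above.  The name perm_walk and its arguments are made up for the example.

```shell
#!/bin/sh
# Added example: walk from TARGET up to STOP and compare each mode with EXPECTED.
# perm_walk TARGET [STOP] [EXPECTED_MODE]
#   TARGET         absolute path rsync complained about (destination or source)
#   STOP           directory to stop at, default /
#   EXPECTED_MODE  mode string as ls prints it, default drwxr-xr-x (755)
# The per-directory listing goes to stderr; stdout carries only the topmost
# directory that differs (empty when every component matches).

perm_walk() {
    dir=$1
    stop=${2:-/}
    expected=${3:-drwxr-xr-x}
    topmost=

    case $dir in
        /*) ;;
        *) echo "perm_walk: TARGET must be an absolute path" >&2; return 2 ;;
    esac

    while :; do
        if line=$(ls -ld -- "$dir" 2>/dev/null); then
            # Keep only the 10 type+permission characters. ls may append
            # '+' (ACL), '.' (SELinux context) or '@' (extended attributes),
            # as in the "drwx------+" listing shown above.
            mode=$(printf '%s\n' "$line" | cut -c1-10)
            if [ "$mode" = "$expected" ]; then
                flag='  ok'
            else
                flag='DIFF'
                topmost=$dir
            fi
            # Print the whole ls line so owner and group can be read by eye;
            # group names such as "Domain Users" contain spaces, so they are
            # not parsed here.
            printf '%s  %s\n' "$flag" "$line" >&2
        else
            # The user running this cannot stat the component at all, which
            # is the same condition rsync reports as "cannot stat".
            printf 'STAT  cannot stat %s\n' "$dir" >&2
            topmost=$dir
        fi
        if [ "$dir" = "$stop" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done

    printf '%s\n' "$topmost"
}

# Allow direct use: sh perm_walk.sh /somefolder/somewhere/there
if [ "$#" -gt 0 ]; then
    perm_walk "$@"
fi
```

Run it as the same user rsync connects as; a directory near the top that shows DIFF or STAT is the one to fix first, before reaching for chmod -R.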



Batch file to find Windows Version (XP or 7)

I had a need to find which version of Windows I’d be running a script against to install a version specific app (Windows Security Essentials).  My version ONLY detects XP or 7, I used a few sites that gave me the idea on how to make the batch file.

Here:

http://www.computerhope.com/if.htm

http://www.windows-commandline.com/2009/01/find-windows-os-version-from-command.html

Here’s my batch file:  find_winver_xp_or_7_ver.bat

Note that I only needed to know which version XP or 7 so I didn’t care about Vista, 2000, etc and I didn’t care (at least not yet) if it’s 64 bit vs 32 bit since all the stuff I’m currently using this for is 32 bit :p

Let me know if this helps you – one person on the second link said he needed to have the same script but I think he neglected to post it anywhere…what’s up with that (Music from Saturday Night Live Song Play Now – “What’s up wit dat, what’s up wit dat…”)?

I can post my longer batch file if anyone’s interested that uninstalls Windows Defender, installs Windows Security Essentials and imports some Windows Security Essentials settings.



Installing GLPI without OCSNG

GLPI is an open source help desk software.  I like it, I use it and I think it’s the best thing going.  If you add an OCSNG agent to it you can install that on client workstations (Linux or Windows and maybe a MAC!) to gather data about your workstations.  It’s quite useful in an organization.  I’m using it in a broader sense with multiple customers so I don’t particularly need the OCSNG ability but it is NICE to have for some shops.  JumpBox has a wonderful implementation all wrapped up and ready to go if you’re interested in it although for some it might be cost prohibitive.  They do have nice features for backing up, upgrading and restoring so you get what you pay for :p.

Reference: http://www.ubuntugeek.com/glpi-it-and-asset-managemet-software.html

* Most of the commands I use are from ubuntugeek.com however a few are different because they didn’t work for me or some of the config in the tutorial is ‘off’, I think this will help others so I posted it

sudo -i

apt-get install openssh-server

ifconfig –> ssh to your server IP or hostname :p

login, sudo -i

aptitude install apache2

aptitude install libapache2-mod-php5 php5-cli php5-common php5-cgi

apt-get install mysql-server php5-mysql

MySQL Root User Password: mysupersecretpw <– Come up with your own
* I like using a site I found to help me and I usually truncate them: http://www.onlinepasswordgenerator.com

apt-get install php5-imap

mkdir /var/ftp

cd /var/ftp

* I had a difficult time doing the wget thing with an error that read: “Unable to establish SSL connection“.

wget https://forge.indepnet.net/attachments/download/837/glpi-0.78.4.tar.gz

So – to get around this download it with a web browser and sftp it to your server :p – if it worked for you skip to the tar xzvf *.gz command

cd /home/%yourlocaluserhere% <– Where I sftp’d my file to

mv *.gz /var/ftp

cd /var/ftp

tar xzvf *.gz

* Hopefully the wildcard isn’t throwing you off, if you have more than one .gz file in the directory it might unzip them all :p  You might need to specify the actual entire file name then like ‘mv glpi-0.78.4.tar.gz’

cd glpi

mv * /var/www <– Moves all files and folders indiscriminately to the /var/www folder

cd /var/www

mv index.html /var/ftp <– We do this or we get the “It Works!” HTML instead of GLPI’s php file :p

chown -R www-data:www-data config/ files/

Do an ‘ls -l’ to confirm the change of ownership occurred for giggles :p

nano /etc/php5/apache2/php.ini

Scroll ALL THE WAY TO THE BOTTOM and type in:

;**************************************************
;My comment here, adding PHP with MySQL extension *

extension=mysql.so
; *
;**************************************************

* Note all you really need above is the ‘extension=mysql.so’, I got cute with the other stuff

Hitting ‘ctrl alt x’ gets you the exit prompt from nano

Restart apache2:

/etc/init.d/apache2 restart

Now open a web browser and browse here: http://youripofyourserverhere

When you get to the setup with these options this is what I have:

Mysql server : localhost
Mysql user : root
Mysql password : mysupersecretpw <– The one you picked before in the MySQL setup

* You can create a special user to run this thing but I wouldn’t unless
you’re extremely paranoid. I believe by ‘default’ mysql is ONLY
accessible via localhost thus minimizing your security footprint
but ‘best practice’ (if there is such a thing) you wouldn’t want to
run this thing with the root account EVEN THOUGH it’s not the same
password as your ACTUAL root account on your server!

* Moreover, if I were to make an account to run it other than root
I’d make one that’s super funky like:
‘wurSt*tiCS6||{}+=445&YYIBv885422..;,@~1′ <– Hard to guess eh? :p and I’d then make an equally hard password!

* If you need to know how to do that let me know and I can post it but for now I won’t bother because I’m lazy.

Click the ‘Mysql’ radio button

When successful you should get a thing that says:

Default logins / passwords are:

glpi/glpi for the administrator account
tech/tech for the technician account
normal/normal for the normal account
post-only/postonly for the postonly account

You can delete or modify these accounts as well as the initial data.

You’re done ;-) – now you want to login with glpi/glpi and change passwords for each account, create new accounts, setup email checking, auto responders, and the works!  If you’re doing this on a virtual machine you might want to make a full backup real quick, tweak things the way you want, test and if it doesn’t  work out blow it away and restore your VM.



I have a process I worked out on Ubuntu 9 and 10 that gets VNC4 working with initd and GDM (Gnome Display Manager).  You know what I discovered though thanks to a poster on a forum?  They mentioned using FreeNX!  I tried it and LOVE LOVE LOVE it.  It works over ssh and you can resume your sessions.  Here’s how to install it, this is pretty much taken from the reference below but it’s worth posting here since I use my own site from time to time for notes and how to’s (or how I did’s :p).    Thanks k. de Jong for posting the how to and ayenack for the reference to the tutorial!

Reference:  https://help.ubuntu.com/community/FreeNX & http://ubuntuforums.org/archive/index.php/t-1490075.html

Installing the FreeNX server on Ubuntu Karmic (9.10) or Ubuntu Lucid (10.04) or Ubuntu Maverick Meerkat (10.10)

Open your terminal / command prompt

Applications->Accessories-> Terminal

Type in this command
sudo -i
sudo add-apt-repository ppa:freenx-team
* NOTE: If you do not have add-apt-repository installed add the following
sudo apt-get install python-software-properties
If you’re using Maverick, run (Ubuntu 10.10)
sudo sed -i 's/maverick/lucid/g' /etc/apt/sources.list.d/freenx-team-ppa-maverick.list
apt-get update

At this point, the repository is added and apt is updated, then install the freenx package.

sudo apt-get install freenx

NOTE: As of Aug. 16 2010 the above command doesn’t install a particular script which appears to be missing from the package. So after performing the above, download it from here.

Next, cd to the directory to where the script was downloaded (probably your downloads folder) and unpack it:

tar -xvf nxsetup.tar.gz
Then, copy the script to the proper directory: /usr/lib/nx/ with:
cp nxsetup /usr/lib/nx/nxsetup
Now use nxsetup to install necessary files and create the special user “nx”
/usr/lib/nx/nxsetup --install
Download the NoMachine Windows Client:  http://www.nomachine.com/download-package.php?Prod_Id=2581

Now you’re off to the races, follow the prompt and you’re good to go.  The communication goes over SSH so it’s encrypted and it is FAST FAST FAST once it connects.  For the initial connection you always see a “!M” screen, I’m guessing this is the NoMachine logo.

Again – all hail k. de Jong for the awesome post on how to install FreeNX on Ubuntu.  I also installed it on Ubuntu 10.10 but something about 10.10 was buggy (not with FreeNX but with Ubuntu).  On Ubuntu 10.10 you don’t need the extra script download step, it’s included.

Years ago (maybe 7 or better) I found a cool utility with a small footprint for testing bandwidth.  You could expose this to the WAN if you wanted to and let others test their bandwidth against yours which is what Rutgers seems to be doing but don’t abuse them or you’ll be whacked! :P

I also downloaded iperf from their website and at the time of posting this supposedly you could get it from iperf’s homepage but it doesn’t seem to be working for me.  You might also have luck at Sourceforge.

* Update:  It seems that iperf’s homepage is dead, the Rutgers team no longer has the Windows IPerf download on their server and Sourceforge only has the source and no Windows Binary.  FORTUNATELY FOR YOU I still have the Windows Binary of IPerf I downloaded when the link did work from Rutgers, it’s the older 1.7 version BUT it still works and might help you out.

Download it here:  Link to iperf-1.7.0-win32.exe

If anyone else has a link to the 2.x Windows binary feel free to share, I don’t feel compelled to compile it myself but maybe I’ll get around to it, we’ll see :p

To use it you need to make sure that port 5001 is open, unless you specify another port with the -p option.  By the way, this is all for Windows users.  I haven’t used it on Linux but maybe the commands port over 1 for 1?

Basic commands for iperf:

Get command line help with iperf:  iperf --help

Makes an iperf ‘server’ clients will connect to:  iperf -s

You’ll see this output:

Server listening on TCP port 5001
TCP window size: 8.00 KByte (default)

* Also note the default listen port is 5001 with this command

Makes an iperf server listen on port 80:  iperf -s -p 80

To end the program use control C like you typically would in windows to break a batch file or command line action.

There are many more options for iperf that I haven’t used like making it a daemon (service) with the -D option, changing how it reports transfer bandwidth in Mb, KB or MB’s, you can create an output interval, etc.  It’s a nice tool to use!

On the other PC (the client) you simply type this command to connect:

iperf -c yourserver

* You can type in an IP, a host name or ‘localhost’ like I did for my test.

My output for localhost was:

[1900] local 127.0.0.1 port 5001 connected with 127.0.0.1 port 4194
[ ID] Interval       Transfer     Bandwidth
[1900]  0.0-10.0 sec  2.39 GBytes  2.05 Gbits/sec



Kudos to you Mr. Sharepoint migrator man (or person), commands in your pocket and you shoot from the hip.  I was working on migrating a SharePoint Portal Server, version 3.0 to a new server (from a physical box to a VM and I didn’t want to do a full P2V).  This was the last piece of the pie to get migrated off the machine and I’ve been putting it off knowing it would probably be a pain.  It certainly was a pain but then I bumped into this post on Experts Exchange -> Here <- The final piece of the pie was there, the ‘restore’ piece…I couldn’t be happier!

The processes I had done (By the way, this is a 64 bit server, Server 2003 R2, SP2):

  1. Install IIS (default)
  2. Install ASP.NET 2.0 (use command:  C:\WINDOWS\microsoft.net\Framework64\v2.0.50727>aspnet_regiis.exe -i)
  3. Allow ASP.NET 2.0 to ‘run’ in the security profile (IIS Snapin > Your Server > Web Service Extensions > select the ASP.NET 2.x.xwhatever version it is and select ‘Allow’)
  4. Run ‘sharepoint.exe’ <- 64 bit version
  5. Install your ‘application template core’ with these commands (repeat with other apps you’re using; an example might be ‘HelpDesk.wsp’, etc.):
    1. stsadm -o addsolution -filename <file_path>\ApplicationTemplateCore.wsp
    2. stsadm -o deploysolution -name ApplicationTemplateCore.wsp -allowgacdeployment
  6. On your OLD sharepoint portal server run the first command to ‘back it up’, then restore it to the new server with the second:
    1. stsadm -o backup -url http://youroldserver -filename C:\YourFile.bak
    2. stsadm -o restore -url http://yournewserver -filename C:\YourFile.bak

Now:  Victory happy dance!  Thanks to jorge_toriz on Experts Exchange I avoided a TON of headache, anguish, curling up into a ball and crying myself to sleep, etc.  I didn’t even have to reboot!

Total life saver.  Thanks be to you oh great one jorge_toriz…kudos!

* Note:  If you can add to this please post it and I’ll update my post.  I didn’t include every detail of the process but if you can manage these general steps without much hand holding you’re golden

** Note:   I bumped into that post because I couldn’t use the built in Sharepoint Backup and Restore function because it was continually bombing out on the search portion even after deleting the sites, databases, contents, etc it just wouldn’t work.  I was getting this error:  “Object WSS_Search_New Servernamehere(previous name: WSS_Search_OldServernamehere) failed in event OnRestore. For more information, see the error log located in the backup directory.”

*** Note:  One last thing, if stsadm isn’t ‘working’ for you, you need to navigate to “C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\BIN>” via the command line.

Let me know if this helps anyone because it sure saved me, I can’t keep saying it enough.  This tip was so great I’d PayPal him a donation for the help!

Powered by WordPress Web Design by SRS Solutions © 2012 RafaelWolf.com Design by SRS Solutions