kapcreations

  1. I feel for those that are not technical, or lack some programming. Our environment is Windows 7 Enterprise with Bitlocker. Needless to say it was a monumental task getting into safe mode for 150 PCs as each one required the bitlocker key. In the end we had to reimage about 25 machines. This is the only way I was able to get the tool to work as intended on the machines that did not need to be reimaged. It required quite a bit of hacking.

     ----

     Log in as a local administrator
     Exit mbam
     open cmd "as administrator"

     c:\YourPathToFile\fixtool.exe /quarantine -list > result.txt

     result.txt will now have a list of all items in the text file (including an unnerving number of duplicates). Use whatever method to parse this down. I used visual studio, but there are other means to do so. For me, I wrote a console application which essentially did:

     '-----------------------------
     Public Sub parselist2()
         ' Read every line of the quarantine listing
         Dim strResultFile As String = Environment.CurrentDirectory & "\result.txt"
         Dim lines As String() = IO.File.ReadAllLines(strResultFile)
         ' Keep only the distinct lines (Distinct() comes from System.Linq)
         lines = lines.Distinct().ToArray()
         ' Write the de-duplicated list next to the original
         Dim strResultFile2 As String = Environment.CurrentDirectory & "\result2.txt"
         IO.File.WriteAllLines(strResultFile2, lines)
     End Sub
     '-----------------------------

     This took the contents of result.txt, and copied just the distinct values into result2.txt. I am sure you could use excel if you wanted to touch these manually. We used PsExec.

     So now I have a text file with unique values. Opened file in Excel, did data->columns using "\" as the separator. Played in Excel until I had the list whittled down to just the distinct folder names. Copied to notepad, new file.

     Downloaded a copy of Elevate.exe from: http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/
     Put this in the same directory as the Fix provided by MWB.

     Created .vbs file to take ownership of subfolders within c:\windows\WinSXS, and the parent folder of c:\windows\SysWow64 and c:\windows\System32.
     Don't forget to remove these permissions when you are all done.

     '----------------------------
     'SetACL.vbs
     '----------------------------
     Set args = Wscript.Arguments
     'Grant the user permissions
     Dim oShell
     Set oShell = WScript.CreateObject ("WScript.Shell")
     oShell.run "Cacls.exe """ & args(0) & """ /E /C /G YOURLOCALADMINACCOUNT:F"
     Set oShell = Nothing
     '-------------------------------
     'End Script
     '-------------------------------

     '----------------------------
     'RemoveACL.vbs
     '----------------------------
     Set args = Wscript.Arguments
     'Revoke the permissions granted by SetACL.vbs
     Dim oShell2
     Set oShell2 = WScript.CreateObject ("WScript.Shell")
     oShell2.run "Cacls.exe """ & args(0) & """ /E /C /R YOURLOCALADMINACCOUNT"
     Set oShell2 = Nothing
     '-------------------------------
     'End Script
     '-------------------------------

     Your file of folder locations where the quarantined files are to be restored now needs to have permissions applied to them to get them to accept the release from quarantine. Take your document with the unique folder names (ensure you do not have a trailing "\"), wrap in quotes, and add the SetACL in the front of each line. For example, a valid line would look like:

     SetACL.vbs "C:\Windows\winsxs\amd64_1394.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_beafdf583b909e3f"

     So now we have the command needed to batch this out, and we have a means to elevate our batch files.

     ===

     Ensure you are logged in as a local administrator

     1) right-click on cmd.exe and "run as administrator"
        you now have an elevated cmd.exe prompt
     2) within the window, type: runas /user:YOURLOCALADMINACCOUNT cmd.exe <enter>
        You now will have an elevated cmd.exe running under the context of YOURLOCALADMINACCOUNT

     I tried various scenarios, and this 1-2 combination was the ONLY way I could get the tool to work.

     ====

     Once open, right-click and copy your entire list of commands, and paste into this cmd.exe

     You will probably have many entries that look like:

     elevate.exe SetACL.vbs "C:\Windows\winsxs\amd64_1394.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_beafdf583b909e3f"
     elevate.exe SetACL.vbs "C:\Windows\system32"
     elevate.exe SetACL.vbs "C:\Windows\SysWOW64"
     elevate.exe SetACL.vbs "C:\Windows\winsxs\somefolderA"
     elevate.exe SetACL.vbs "C:\Windows\winsxs\somefolderB"
     etc

     As you paste the list, they will execute one-by-one. You have now set the affected folders so that YOURLOCALADMINACCOUNT can write to them.

     Now, within that same cmd.exe that is elevated, and running under the context of YOURLOCALADMINACCOUNT, execute the "RunThis.bat"

     The .bat file is terribly inefficient due to all the duplicates in the quarantine. For 2000 entries plan on this process taking 3-4 hours. The process could be sped up if the script was more efficient, because it essentially runs (with 2000 entries) 8000 times, at 2 seconds per step, when it could really just be something like 20 unique entries X 4 = 80 times.

     You will find that this will actually restore the files to the directories. Reboot, test, and it should work (or at least did for my organization).

     Don't forget to go back and remove the ACLs that you applied earlier. Just change up your methodology so that RemoveACL.vbs replaces the SetACL.vbs.
  2. launch cmd.exe as administrator
     within the cmd window, browse to the location of the unzipped 1.08 download
     type RunThis.bat
     Once complete, there will be a new file in the directory called errors.txt (if you have any files that cannot be restored)
  3. It would also be helpful to print to screen the pass # and count # out of count total #. At least helpful for those fixing PCs with 1000+ entries.
  4. Once you have run the 1.08 tool, you will get an output of each file that needs to be restored, and the location needed. At our company, all of our PCs are on the same image, so I am copying/pasting the file from a known good computer to the affected computer. For the WinSXS folder, you will have to add your user with full control to the affected folder. I do an advanced security permission, add in the user, set to full, copy the file over, and then remove the permission.
  5. Can you please update the tool so that it traverses the log more efficiently? We need the tool to skip the duplicates in the files.txt generated by the .bat file. This will allow us to resolve incidents much faster.
  6. It would be helpful if version 1.08 were updated with a minor enhancement. The file list used to release files from Quarantine can contain hundreds of duplicates, causing a much longer run-time to go through the process. It would be helpful if that text file of quarantined files was whittled down to unique values.
  7. We've been working directly with support to modify the exe's tonight. Our scenario is different than home users in that we have 500 machines to touch. We are using PowerShell to identify which machines are affected where possible. Once remediation occurs, we want a log file that can be audited so that our ISD can proactively reach out to specific users in the morning. It looks like we have 30 machines that are down hard and 100 machines or so that are in some state of recoverability. We are hitting these targeted machines first, but have some challenges as PsExec does not work.

     Version mbam-repair-1.00.0.1000 worked for many files, but not all. Did not restore winsxs files.
     Version mbam-repair-1.01.0.1000 restored more files, but did not leave a log of success/fail
     Version mbam-repair-1.02.0.1000 attempts to write to a log, but there is an error in the logic, and it writes an empty log
  8. version "mbam-repair-1.02.0.1000" writes an empty log file and is not working as intended.
  9. From post 28, you can run:

     fixtool /quarantine -list

     copy/paste to Excel and reduce duplicates. My company is working on a PowerShell script to identify which machines need to be hit. The script is very slow, but looks at every machine to see if there was a quarantined file today. With that list we then know which machines need to be touched, and have the tool run.
  10. @MikeRepairsComputers, check post #28. This is working for us, but we would like to see a revision that will write a log file stating success/failure of the release from quarantine.
  11. We have tested the revised tool which handled WinSXS restores. We would like the log file to confirm success/failure of restoration of files.
  12. There is a way to restore the files in WinSXS folders that are not automatically restoring. Support is working on an update to the Fix tool.
  13. It restores all files except for anything in the winsxs folder. Those files cannot be re-copied back in.
  14. We have followed the suggestions above. We have been able to release some files from the quarantine, but many files are not able to be released. We click on the release all button, the screen refreshes, and the files remain in the quarantine. Somehow we need to redeploy the missing files. It would be helpful if we could script out the current encrypted quarantine to a readable list so we can determine which files to recover from a master image, and automate from there.
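
The manual steps from post 1 (de-duplicate result.txt, reduce it to unique folder names, strip the trailing "\", quote each folder and prefix the command) can be done in one PowerShell pass that also writes the matching RemoveACL list, so the cleanup covers exactly the folders that were opened up. This is an added example, not the poster's code: it assumes each useful line of result.txt is the full path of one quarantined file, and grant-acl.txt and revoke-acl.txt are hypothetical output names.

```powershell
# Added example, not the poster's code.
# Assumption: each useful line of result.txt is the full path of one quarantined
# file. The real "fixtool.exe /quarantine -list" output may need extra parsing.

function Get-UniqueRestoreFolders {
    param([string[]]$Lines)
    $Lines |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object   { $_ -match '^[A-Za-z]:\\' } |              # drop blanks and banner text
        ForEach-Object { [System.IO.Path]::GetDirectoryName($_) } |
        Where-Object   { $_ } |                                     # a bare root path yields $null
        ForEach-Object { $_.TrimEnd('\') } |                        # no trailing "\" before quoting
        Sort-Object -Unique                                         # case-insensitive for strings
}

# Constructed sample input (duplicates and mixed case on purpose).
$sample = @'
C:\Windows\System32\example1.dll
C:\Windows\system32\example1.dll
C:\Windows\SysWOW64\example2.dll
C:\Windows\winsxs\somefolderA\example3.dll
C:\Windows\winsxs\somefolderA\example3.dll
C:\Windows\winsxs\somefolderB\example4.dll
'@ -split "`r?`n"

# Use the real listing when it is present, otherwise the constructed sample.
$lines   = if (Test-Path .\result.txt) { Get-Content .\result.txt } else { $sample }
$folders = @(Get-UniqueRestoreFolders -Lines $lines)

# One grant line and one revoke line per folder, in the format used in post 1.
$folders | ForEach-Object { 'elevate.exe SetACL.vbs "{0}"'    -f $_ } | Set-Content .\grant-acl.txt
$folders | ForEach-Object { 'elevate.exe RemoveACL.vbs "{0}"' -f $_ } | Set-Content .\revoke-acl.txt

# Summary for the audit trail: how much the duplicate list collapsed.
'{0} input lines -> {1} unique folders' -f @($lines).Count, $folders.Count
```

With the constructed sample, six input lines collapse to four folders; paste grant-acl.txt before the restore and revoke-acl.txt after it.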