How To Check What Files Are In Use On A Remote Windows Computer

This one had me stumped for a while, and I even asked on Twitter with a large amount of replies (thanks everyone who did!) but none that I could get to work, or that weren’t overly complicated requiring the compiling of code.

It’s easy locally to find out what files are open, and here’s a great article covering several free ways: https://www.winhelponline.com/blog/find-process-locked-file-openfiles-utility/

None of those worked remotely for me in a Windows 10 environment – but I thought Handle from the SysInternals Suite would be the best bet. Running locally, it did exactly what I wanted – a giant list of every file open, and say what process had it open (like WinWord.exe).

Using PSExec with Handle however, causes it to forever wait for something. On the remote PC, it definitely launches handle.exe and handle64.exe, but they have no activity. I thought it might be the EULA prompt getting stuck somewhere, but there’s a registry setting that will autoaccept that prompt, and putting that in place didn’t help (but I did check locally and it was skipping the EULA agree prompt. Thanks to this blog post explaining the reg key required https://peter.hahndorf.eu/blog/post/2010/03/07/WorkAroundSysinternalsLicensePopups which was:

reg.exe ADD HKCU\Software\Sysinternals /v EulaAccepted /t REG_DWORD /d 1 /f

I added this to the remote machine under both the user logged on to the remote device, and the user I was connecting as, with no luck.

After a bunch of Googling and trying solutions, I ended up finding this thread on stackoverflow. One of the answers with 0 votes (which can be easily overlooked) was a PowerShell script, invoking the command remotely, from a user called A.D – thank you A.D!

I’ve barely modified it for my purposes, but if this helps you please go vote his post up on stackoverflow (I did but don’t have enough rep for it to show):

$computerName = 'computername'
 $stringtoCheck = 'test' # String you want to search for, can be blank by removing text between '' quotes
 $pathtoHandle = 'c:\temp\handle.exe' #location of handle.exe on the remote server.
 Invoke-command -ComputerName $computerName -Scriptblock {
     param(
     [string]$handles,
     [string]$stringToCheck
     )
      "$handles /accepteula $stringToCheck" | Invoke-Expression 
     } -ArgumentList $pathtoHandle,$stringtoCheck

The script requires handle.exe to be on the remote computer under C:\Temp, and that of course you have admin rights to the remote PC with the account this script is being run. Beyond that, it’ll show back all open files that match the variable set in $stringtocheck across any of the results – it could be the path, the process that has the file open etc.

Why would you want to do this remotely at all? You might be troubleshooting something to do with open files and not want to interrupt the user. You might have a reason to see what files the user has open, or maybe it’s a locked PC and the user left.

Hope this helps others as it was a much harder task to accomplish than I assumed.

Converting a user mailbox to shared in Exchange Online Hybrid

This is a useful process a lot of companies follow when an employee departs: Instead of deleting the mailbox, or continue to leave the mailbox in place and pay for licensing, it’s possible to instead set it as a shared mailbox and keep the data there for free.

There are some catches to this, such as the maximum amount of data is 50gb. You also can’t delete the user’s account, but it can be disabled and moved.

Setting the mailbox from User to Shared in Exchange Online is easy (from docs.microsoft.com):

In the admin center, go to the Users > Active users page.

Choose the user whose mailbox you want to convert.

In the right pane, choose Mail. Under More actions, choose Convert to shared mailbox.

…but there’s two tricks I’ve found when doing this in a hybrid environment. First, docs.microsoft.com says to update the status of the mailbox for Exchange On-Premises:

If this shared mailbox is in a hybrid environment, we strongly recommend (almost require!) that you move the user mailbox back to on-premises, convert the user mailbox to a shared mailbox, and then move the shared mailbox back to the cloud.

That’s a tedious process to do just to make it shared. As they point out, you can change some AD attributes locally to get around this, but there’s still some scenarios where it might get set back as a user, have no license, and end up getting deleted.

This other article on support.microsoft.com however, mentions the main way of getting around this: by setting the account’s msExchRemoteRecipientType and msExchRemoteRecipientTypeDetails attributes to the corresponding values that would match it’s state in Exchange Online:

Set-ADUser -Identity ((Get-Recipient PrimarySmtpAddress).samaccountname) -Replace @{msExchRemoteRecipientType=100;msExchRecipientTypeDetails=34359738368}

This 1 line command will set the attributes correctly, you can check via PowerShell or the Exchange Management Console to see that the mailbox will now show as ‘Shared’.

The other problem I’ve seen is if a mailbox is Unified Messaging (UM) Enabled, and converted to Shared. You’d think that it would either just lose it’s UM status, or let you configure the UM settings after the fact; but neither are correct. If it’s holding onto an extension number as part of UM, even in it’s Shared Mailbox state it will continue to hold it, and block any other account from using the extension in the future.

To get around this issue, the account will need to both be changed back to a user account from shared, and given a license that supports UM. If you try to disable UM on the account with either of these requirements, you’ll see an error like these:

User testuser@domain.com is already disabled for Unified Messaging.

License validation error: the action ‘Disable-UMMailbox’, ‘Identity’, can’t be performed on the user ‘Test User’ with license ‘BPOS_S_Standard’.

With all of the above, changing a user to a departed mailbox in a hybrid environment with Unified Messaging should be:

  1. Disable Unified Messaging on the user
  2. Set the attributes of the AD account as shared
  3. Set the Exchange Online mailbox as shared

It should work well if you do things in the right order, but it’s easy to not be aware of this and get things into a mess.

I’ve come across another blog that goes into some of this http://jetzemellema.blogspot.com/2016/02/convert-user-mailbox-to-shared-in.html but I haven’t needed to change the license status, but it’s worth mentioning in case there’s a scenario you hit where you do.

Outlook has Blank Emails in the PersonMetadata Folder

If you use the Outlook client and have a mailbox located in Exchange Online, you might discover mystery blank emails located in a folder called ‘PersonMetadata’. They’re unread, with a blank from/to/subject field and no contents visible, with a size of 2KB. Trying to open them results in opening a blank new email.

They don’t turn up in a normal Outlook search, but will show if you create a Search Folder, and you’ll see a lot of them. The folder itself is hidden by default, and you could use MFCMapi to see the folder in someone’s mailbox.

According to this Microsoft Support article, they’re objects used for Outlook Customer Manager, which actually sounds like a pretty useful set of features around tracking customer relationships and sharing contacts.

I logged a case with Microsoft to try and find out more, and see if this could be disabled. I was told that Outlook Customer Manager is actually enabled in all tenants and mailboxes, regardless if the feature is being used or even ‘on’. There are some forums talking about turning this feature off, but the licensing option is only in some tenants (from what I can tell, Business customers) and not an option at all for Enterprise customers. Too bad if you don’t want this feature!

It’s also recommended by support to not delete these items – and more will just turn up anyway don’t waste your time doing that.

There is also possibly a future patch to Outlook to hide these results, but at the time of writing it was only stated as a possibility with no confirmation or ETA.

I did work out a workaround though – adding an extra filter to the Search Folder:

  • Find the Search Folder in Outlook and right click > ‘Customize this search folder’
  • Click the Criteria button.
  • Click the ‘Advanced’ tab and from the ‘Field’ dropdown menu, choose ‘Frequently-used fields’ and then ‘To’.
  • Type ‘@’ into the Value field and press the ‘Add to List’ button.

Your screen should look like this, and press OK. Because the empty looking mail objects have no To or From field, but any normal email will have to have an ‘@’ in the email address, the results you now see for the Search Folder won’t include the blank objects.

For those who use Search Folders, this is a reasonable workaround but let’s hope it gets fixed properly.

Cyber Security Essential Eight and Microsoft

I wrote a 2 part piece on Australia’s Cyber Security Essential Eight and Microsoft over at 24x7ITConnection. Here’s Part 1 and Part 2, where I covered what the Essential Eight are, why they’re a risk, and where Microsoft can help in both a on-premises sense as well as cloud.

I don’t normally cross post from here what I write on other areas, but I put a fair bit of effort into writing this up, and thought it was worth resharing. Regardless if you’re Australian or not, our government actually has practical recommendations on what you should be looking at to harden your IT environment.

If you haven’t looked at these before, see how many of the eight you can tick off. If you can’t tick all eight, then I encourage you to work towards those gaps. Here’s what the eight areas are:

Application whitelisting

Patching applications

Office macros

Harden user applications

Restricting administrative privilege

Patching operating systems

Multi-factor authentication

Backup daily

All pretty obvious, but getting these perfect is still a very big undertaking. We’re seeing more and more security breaches in all different ways, so please don’t think of these items as ‘something to worry about later’!

A Guide to Cryptocurrency Terms

A Guide to Cryptocurrency Terms

The financial industry uses a lot of jargon that is quite difficult for people new to the topic to comprehend. The cryptocurrency industry is no different, as it mixes tech talk with investing terms, which can make studying its markets even more challenging.

I have addressed topics like this before in my ‘Cryptocurrency Trading’ article, and touched on a few key terms you should know. In order to expand your understanding of terminology a little further, here are some more common cryptocurrency terms that I’ve come across and thought needed defining:

 

Address

A cryptocurrency address is the same as a person’s home address; it’s the “location” where a person can receive or send cryptocurrency from. The only difference with a digital address is that its string of letters and numbers are unique to each cryptocurrency holder, functioning like an ID.

 

Altcoin

Altcoin refers to cryptocurrencies other than Bitcoin. Alternative cryptocurrencies like Ethereum or Dash are altcoins that people can mine and invest in.

 

Arbitrage

This refers to investors taking advantage of a price difference of the same cryptocurrency on two different exchanges. This is possible because there are a lot of online cryptocurrency exchanges in the world that offer digital funds at different prices.

 

Bearish / Bullish

A bearish cryptocurrency market refers to one with a sluggish demand for digital assets, which tends to drive prices down. A bullish market, on the other hand, is the opposite of a slump. When investors are bullish on a cryptocurrency, its prices usually go up.

 

Bots

A bot is a program that lets people use pre-programmed commands for trading cryptocurrencies. This is similar to the trading software used by Forex traders. Bots can be programmed to protect investors from accumulating high losses by stopping trading when the capital drops by a significant amount.

 

Block

A block is similar to a notebook page, and it is used for the purpose of writing and storing data.

 

Blockchain

Blockchain is the technology that powers cryptocurrencies. It is the framework used for creating digital ledgers involving transactions. A blockchain is basically a network of people and computers all working together in order to produce cryptocurrencies.

 

Block reward

This refers to the reward given to people for solving difficult mathematical equations related to mining cryptocurrency. The block reward is different for every cryptocurrency. For instance, the block reward is currently at 12.5 coins per block mined on the Bitcoin network, and the next halving event takes place in May 2020. This will bring down the block reward to 6.25 coins.

 

Correction

A price correction happens whenever a cryptocurrency experiences an all-time high. Assets get “corrected” whenever a price spike happens because investors sell their holdings when the value of the coins gets high enough for trading.

 

Hard Fork

A hard fork is a change of the rules to a digital currency’s blockchain. FXCM explains that it is a “permanent change in the rules of a digital currencies blockchain”, particularly in mining, which requires the support of the majority of people using the network. A hard fork usually happens when developers find a solution to recurring bugs or weaknesses from the old blockchain.

 

Hash Rate

A hash rate refers to the length that it takes for a computer to discover a block, as well as the time required for solving mathematical equations for mining.

 

ICO

An initial coin offering (ICO) is a new cryptocurrency being offered by fledgling entrepreneurs who are hoping to get funding from venture capitalists. The entrepreneurs will pre-sell their new cryptocurrency to venture capitalists before they go public.

 

Mining

Mining is the process of solving mathematical equations on a certain block. Once the equation gets solved, cryptocurrencies come out as the reward.

 

Mining Rig

This is a computer, or a set of computers, designed for processing blockchains. They are made up of several expensive graphic cards that speed up the mining process of cryptocurrencies.

 

P2P

P2P means “Person to Person,” which is a method of sending and receiving cryptocurrencies without the need of an intermediary. P2P transfers are what make cryptocurrency transactions cheaper and more direct than sending money abroad through a bank.

 

Smart Contract

A smart contract is an agreement between two parties stored on the blockchain, and is much more secure than paper contracts. Smart contracts can also be used to define benchmarks that must be met before payment can be made.

 

Soft Forks

Soft forks are updates to an existing network. The updates are implemented on the same network, unlike hard forks that affect a completely different block.

 

Tokenization

People usually send unencrypted files over the internet. Attaching a word document on an e-mail or sending pictures via Messenger are usually unencrypted methods of sending files. Tokenization is the act of encrypting data by turning them into a string of random letters and numbers. All data sent between wallets are tokenized on the blockchain, making cryptocurrencies virtually tamper-proof.

 

Wallet

Bitcoins need to be stored in a wallet for easier access and to keep them secure. There are two types of wallets: software-based and physical wallets. Software-based wallets are online wallets that collect data on a person’s cryptocurrency holdings. An offline wallet, on the other hand, can store data on cryptocurrencies in the same way that a DVD can store computer files.

Hopefully these terms help make more sense of the cryptocurrency world!