Some Notes on the Machines

Haven’t tried it yet, but frankly, this is rather extremely cool if you do Linux:

waydro.id/

NETBIOS is a very legacy protocol, security of it is very poor. Substantial performance gains by disabling it have been noticed, because when active it broadcasts to every single NIC on its LAN, creating NIC and switch contention. Also, a large proportion of security violation exploits use it, so disabling becomes a very good idea in general. The only exceptions occur when there are needs to do SMB sharing with very old machines, machines all long out of support. By default, it is still active on all current Microsoft Windows operating systems.

The following turns off NETBIOS over TCP/IP, for each NIC:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Where-Object -Property 'TcpipNetbiosOptions' -ne $null | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = [UInt32](2) }

And another to get rid of all WINS entries, if present (sorry, no CimInstance code yet):

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Invoke-WmiMethod -Name SetWINSServer -ArgumentList @('','')

We can also script the uncheck of LMHOSTS lookups:

$nicall = [wmiclass]'Win32_NetworkAdapterConfiguration'
$nicall.enablewins($false,$false)

All together then:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Where-Object -Property 'TcpipNetbiosOptions' -ne $null | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = [UInt32](2) }

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Invoke-WmiMethod -Name SetWINSServer -ArgumentList @('','')

$nicall = [wmiclass]'Win32_NetworkAdapterConfiguration'
$nicall.enablewins($false,$false)

If Microsoft DHCP is in use, DHCP can tell clients to do this:

learn.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-netbios-tcp-ip-using-dhcp

Below is another script, to reenable the protocols, though it does not try to put back any WINS server IPs that may have been deleted, and it cannot override Microsoft DHCP:

Get-CimInstance -ClassName 'Win32_NetworkAdapterConfiguration' | Invoke-CimMethod -MethodName 'SetTcpipNetbios' -Arguments @{ 'TcpipNetbiosOptions' = 0 }

$DisableLMHosts_Class=Get-WmiObject -list Win32_NetworkAdapterConfiguration
$DisableLMHosts_Class.EnableWINS($true,$true)

It appears that there is a new standard of Microsoft Windows TCP/UDP port usage. Their doc is here:

learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting

I landed there because I saw event log items 4227, tcpip, “TCP/IP failed to establish an outgoing connection because the selected local endpoint was recently used to connect to the same remote endpoint. This error typically occurs when outgoing connections are opened and closed at a high rate…”

I ran the diagnostic commands given on the Microsoft page, on my PC:

PowerShell 7.3.7
PS C:\Users\jonathanb> netsh int ipv4 show dynamicport tcp

Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 1024
Number of Ports : 31744

PS C:\Users\jonathanb> netsh int ipv4 show dynamicport udp

Protocol udp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384

and learned to my surprise that though I was using the new standard for UDP, I was not for TCP. So I set it for TCP:

 PS C:\Users\jonathanb> netsh int ipv4 set dynamic tcp start=49152 num=16384
Ok.

PS C:\Users\jonathanb> netsh int ipv4 show dynamicport tcp

Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384

This seems to stabilize networking nicely. Here are pastes for the diagnostic commands:

netsh int ipv4 show dynamicport tcp

netsh int ipv4 show dynamicport udp

And one for both set commands:

netsh int ipv4 set dynamic tcp start=49152 num=16384
netsh int ipv4 set dynamic udp start=49152 num=16384

The hidden NTFS “System Volume Information” folders on Windows machines, can build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. SpaceSniffer is my favorite method of identifying this situation, but there are many. The only preventative I have been able to identify so far, is here.

But here we are discussing cleanup. If you have SentinelOne (S1) installed on this machine, you need to know that S1 considers deletion of volume shadows to be very bad actor behavior. This is because it often is a way that cryptolockers and others delete last-known-good checkpoints. S1 will not let you clear SVI, unless you disable it first, and it will complain very loudly if you try. Instructions for disabling S1, are at the end of this article. There may well be other security tools which will behave similarly, and need similar interaction beforehand.

General cleanup steps:

1. This command usually gets all of them: wmic shadowcopy delete /nointeractive
2. Very rarely, this will get a few more: vssadmin delete shadows /all
3. And even more rarely on a server only, the above two don’t get it done, and this is needed:
   
   diskshadow
   then within diskshadow’s command line: delete shadows all
   

Any of these can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (the first and third methods tell you the count) from one server.

Special case cleanup steps

Special cases do occur. Here are steps which can help a lot.

• Sometimes the steps above quit in the middle. Start them over again. Often they’ll complete.
• If the above does not completely solve the situation (if the SVI folder is still huge), do vssadmin resize shadowstorage for the relevant drive(s) (try /? for syntax…), first to 10%, then back to whatever it was. Sometimes Windows will do a lot of steady cleanup for you, sometimes over hours of time. You’ll see it by watching File Explorer.
• Run CHKDSK /F at reboot. Then start from the beginning :-)

To disable SentinelOne:

1. First get the Passphrase for the machine, from the S1 console. It’s under Actions, you can choose Show Passphrase. Do be aware that your S1 admin may receive a notice that you have asked for this.
2. cd "C:\Program Files\SentinelOne\Sentinel*"
3. Please put the actual passphrase in, and the quotes are necessary:
   .\sentinelctl.exe unload -slam -k "<passphrase>"

Then, and only then, will the cleanup commands above work.

To reenable S1:

4. .\sentinelctl.exe load -slam

If you should need to reenable S1 and your command prompt is not where you need it, here’s a paste:

cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam

This tool:

privazer.com/en/

has privacy-related cleanup as its first purpose, but it does a more thorough cleanup of many parts of the Windows filesystem than I’ve seen anywhere else, including $MFT, $LogFile, and USN entries to name just three. It really has to be seen to be believed and understood, it gives you lists of what it did and they are extraordinary. It is not an OS optimizer, but it’s such a good cleaner that it will free up resources very significantly towards performance and issue elimination.

One thing good to do while running it, is to uncheck “Traces in free space”. This item is great for trace removal of all sorts, but it’s not needed when the goal is just general system upkeep, and it does take a long time.

You can definitely use the machine while cleanup is running, but probably should set process priority to “Low”, there’s a clicklink for this near the bottom, middle-left.

You’ve installed it and removed it, and need to reinstall, the reinstall fails. Here are items:

• If there are files named RAVDG.TMP and/or RAVPA.TMP in %WINDIR%, the uninstall is still running. Reboot and check again.
• Make sure folder Panda Security does not exist under %ProgramData% or %ProgramFiles(x86)%.
• Delete everything in %TEMP%.
• Reinstall.

A new needs page has been put up. Major changes. If you have a strict firewall, try opening all of these up. IPv6 is listed within the required sections, not clear how much that is true.

learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

A nice tool:

entra.microsoft.com/#view/Microsoft_AAD_IAM/SignInEventsV3Blade?Microsoft_AAD_IAM_legacyAADRedirect=true

Highly recommended by the indefatigable Bruce Blackman:

www.geeksforgeeks.org/how-to-create-a-forensic-image-with-ftk-imager/

Remove 365 accounts from “Access Work and School”, then run these:

dsregcmd /cleanupaccounts

dsregcmd /debug /leave

from administrative CMD, and also from SYSTEM (more on this soon, paexec/psexec can help), then reboot, then remove from Access Work and School if still there, then try your login.