Office 2010 to 2016 Migration Offscrub.vbs PowerPoint and OneNote INK errors

 

Problem: application crash on a system migrated from Office 2010 > 2016:

Event related to PowerPoint 2016 crash, Event 1000, application crash

Name der fehlerhaften Anwendung: POWERPNT.EXE, Version: 16.0.4266.1001, Zeitstempel: 0x55ba161d

Name des fehlerhaften Moduls: ppcore.dll, Version: 16.0.4783.1000, Zeitstempel: 0x5bebb997

Ausnahmecode: 0xc0000005, Fehleroffset: 0x0077aaef

ID des fehlerhaften Prozesses: 0x2a18

Startzeit der fehlerhaften Anwendung: 0x01d4bc7c0b65e8b6

Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE

Pfad des fehlerhaften Moduls: C:\Program Files (x86)\Microsoft Office\Office16\ppcore.dll

 

Errors:

  • Microsoft PowerPoint funktioniert nicht mehr
  • Event Viewer 1000, POWERPNT.EXE
  • Tablet-Treiber sind nicht im System installiert

     

     

What happens / what changed:

On a machine upgraded from Office 2010 to Office 2016: when you draw with the PEN function in OneNote.exe, or when you switch PowerPoint to full-screen slide show mode (F5) and press "." (DOT) or "B" for BLANK SCREEN, you get a crash, Event 1000. (Black box hangs.)

Source of the problem we found in the analysis:

OffScrub10.vbs

Name: OffScrub10.vbs

Author: Microsoft Customer Support Services

 

This is related to the official Microsoft-provided Office migration script Offscrub**.vbs, which is often used to silently migrate from Office 2010 to a new Office version. It seems to be the only way to completely de-install Office 2010 without any leftovers.

Offscrub10.vbs or offscrub15.vbs, which is used to fully de-install the OLD Office 2010 before the new Office gets installed, seems to be the source of the problem.

Offscrub leaves the 32-bit or 64-bit versions of certain DLLs in the COMMON folder while it removes the version for the other architecture. This happens, for example, when you migrate from W7 64-bit with Office 2010 32-bit to W7 64-bit with Office 2016 (in-place update), but we have also seen posts about it when upgrading from W7 to W10 plus the corresponding Office versions.

Remember that the Offscrub VBS script is an official tool; it is also used in custom migration tools or setups from HP and DELL and is contained on most Office CD/DVD/ISO media. On certain OEM PCs, Office 2010 Click Once is preinstalled by the OEM integrator and gets de-installed when you buy a retail or volume licence version. This could happen there too.

Solution (FIX):

 

Replace the two missing DLL files that OFFSCRUB removed. (See the screenshots at the end of the post.)

From an existing CLIENT (W7) with an Office 2010 or Office 2016 installation (installed manually, NOT touched by OFFSCRUB), copy the following two DLLs to the CLIENT which has the problem:

"C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll"

"C:\Program Files (x86)\Common Files\microsoft shared\ink\INKDIV.DLL"

The bug is gone without a reboot. On a migrated system the mentioned DLLs are present, but in the "C:\Program Files\Common Files\microsoft shared\ink" path, where 32-bit Office does not use them.

 

 

Proof of the error in OneNote 2016:

This is the error you may see in Office 2016 OneNote with the PEN/INK function.

Tablet-Treiber sind nicht im System installiert.

Proof of the error in PowerPoint 2016:

PowerPoint works after F5; now press "." (DOT) for special functions or "B" for blank screen.

How do I make a blank screen in PowerPoint?

1. Press B during the presentation. If you are using a recent version of PowerPoint, this shortcut should make your screen black. ...

2. Start the presentation. First, open your PowerPoint presentation. ...

3. Press the B key. ...

4. To return to the presentation, press the "B" key again.

 

 

PowerPoint crashes and calls dw20.exe (Doctor Watson), Event 100, Application Crash

Analysis of the problem with PROCMON64.exe from Sysinternals (MS)

Filter out everything you don't need.

 

And now we see why people always THINK it's McAfee when it's not. The IPS filter from McAfee ENS goes that deep, but it is not the source of the problem. Just keep in MIND that the virus protection has a HAND in file handling and is often thought to be the bad guy….

Here, once again, it's not the virus protection, as in 95% of the cases we look at….

 

Migrated Office 2010 > Office 2016 with OFFSCRUB from Technet, without the full set of OLD INK DLLs and files:

Here we see the first files that the function in PowerPoint wants to read BUT has no access to.

On the machine, rtscom.dll is found in the "c:\Program Files\Common Files\Microsoft Shared\ink\" path. In "c:\Program Files (x86)\Common Files\Microsoft Shared\ink\" the rtscom.dll is missing (32/64-bit mess).

 

Here you see what happens:

In PowerPoint, when you press "." (DOT) or "B" in full-screen mode (F5), it does not find these DLLs. Here is the error.

 

DEBUG: the crash calls Doctor Watson, dw20.exe

https://support.microsoft.com/en-ie/help/841477/description-of-the-windows-error-reporting-tool-dw20-exe

It sends telemetry crash data to Microsoft.

These are the DLLs:

 

 

Again, as an explanation:

Here you see the files which are in that directory on a CLIENT with Office 2010.

The red ones get deleted by Offscrub10.vbs BUT Office 2016 still needs them.

 

 

We found the following DLLs in the Offscrub DEBUG log, in the part where it de-installs Office 2010. Offscrub removed/deleted these two DLLs from the migrated machines:

C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll

C:\Program Files (x86)\Common Files\microsoft shared\ink\INKDIV.DLL

Other DLLs mentioned in blogs which were often the source of complex problems:

C:\Program Files (x86)\Common Files\microsoft shared\ink\tpcps.dll

C:\Program Files (x86)\Common Files\microsoft shared\ink\ATL.DLL

C:\Program Files (x86)\Common Files\microsoft shared\ink\InkObj.dll

Here you see the log file from Offscrub10.vbs as an example. The script effectively deletes those two DLLs, and Office 2016 installs the other version (32/64) when it is installed after the old 2010 was removed.

These are the files which get deleted by OFFSCRUB (official Microsoft) on W7 64-bit.

Excluding hundreds of old font files, for example: 15:01:29: - Delete file: C:\Windows\Fonts\GLSNECB.TTF

15:01:29: - Delete file: C:\Windows\SysWOW64\MSCOMCTL.OCX

15:01:29: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL

15:01:29: - Delete file: C:\Windows\SysWOW64\FM20ENU.DLL

15:01:29: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll

 

15:01:29: - Delete file: C:\Windows\SysWOW64\MSCOMCTL.OCX

15:01:29: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\VS7Debug\msdbg2.dll

15:01:29: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\ink\INKDIV.DLL

15:01:29: - Delete file: C:\Program Files (x86)\Common Files\System\Ole DB\resources\1031\OLAPUIR.RLL

15:01:29: - Delete file: C:\Program Files (x86)\Common Files\System\Ole DB\resources\1031\MSOLAP80.RLL

15:01:29: - Delete file: C:\Windows\SysWOW64\FM20DEU.DLL

15:01:30: - Delete file: C:\Program Files (x86)\Common Files\System\Ole DB\resources\1031\MSDMINE.RLL

15:01:30: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\vslangproj2.olb

15:01:30: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\vslangproj.olb
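
The log check and the 32/64-bit folder comparison described above, as an added example (not part of the original post and not part of OffScrub). The function names Get-OffScrubInkDeletion and Test-InkDll are hypothetical, and the sample log lines are constructed in the format of the excerpt above.

```powershell
# Added example, not part of OffScrub. Assumes 64-bit Windows (both Common Files folders exist).
# Constructed sample in the format of the OffScrub log excerpt; for a real run,
# feed the lines of your own OffScrub log (Get-Content) instead.
$sampleLog = @'
15:01:29: - Delete file: C:\Windows\SysWOW64\FM20ENU.DLL
15:01:29: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\ink\rtscom.dll
15:01:29: - Delete file: C:\Program Files (x86)\Common Files\microsoft shared\ink\INKDIV.DLL
'@ -split '\r?\n'

function Get-OffScrubInkDeletion {
    # Returns every file that the log reports as deleted from a "microsoft shared\ink" folder.
    param([string[]]$LogLine)
    $pattern = '^\s*(?<time>\d{2}:\d{2}:\d{2}):\s+-\s+Delete file:\s+(?<path>.+\\microsoft shared\\ink\\[^\\]+)$'
    foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Time = $Matches['time']; Path = $Matches['path'].Trim() }
        }
    }
}

function Test-InkDll {
    # Reports, per DLL, whether it exists in the 32-bit and in the 64-bit ink folder.
    param([string[]]$Name = @('rtscom.dll', 'INKDIV.DLL'))
    $ink32 = Join-Path ${env:CommonProgramFiles(x86)} 'microsoft shared\ink'
    $ink64 = Join-Path $env:CommonProgramW6432 'microsoft shared\ink'
    foreach ($n in $Name) {
        $in32 = Test-Path -LiteralPath (Join-Path $ink32 $n)
        $in64 = Test-Path -LiteralPath (Join-Path $ink64 $n)
        [pscustomobject]@{
            Dll                   = $n
            In32BitFolder         = $in32
            In64BitFolder         = $in64
            # The state described in this post: only the 64-bit copy is left.
            MissingFor32BitOffice = (-not $in32) -and $in64
        }
    }
}

# Which ink DLLs did OffScrub delete, and are they present on this client now?
$deleted = @(Get-OffScrubInkDeletion -LogLine $sampleLog)
$names   = @($deleted | ForEach-Object { Split-Path -Path $_.Path -Leaf })
$deleted | Format-Table -AutoSize
Test-InkDll -Name $names | Format-Table -AutoSize
```

Before copying a DLL from a reference client, compare its file version and hash (Get-FileHash, PowerShell 4 or later) on both machines so the copy is verifiably the same binary.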


 

Turn off the Autodiscover warning box in Outlook.exe with GPO

 

How to turn off Autodiscover Warning in Outlook 2010/2013/2016/2019

Warnung: Das Konto wurde fuer die Einstellung auf die Website umgeleitet

https://support.microsoft.com/en-us/help/2480582/how-to-suppress-the-autodiscover-redirect-warning-in-outlook

Explained in a little more detail than in the Microsoft KB, and with a check so that the registry key is ONLY set if that OFFICE version is installed. During migrations you could otherwise run into trouble if this key is re-applied just when you migrate to the next Office version.

We have:

Autodiscover.butsch.ch    (Exchange Server Autodiscover DNS entries)

mail.butsch.ch             (Exchange Server)

This is what we don't want and what we are talking about. NOT the certificate warning; that is something else, which should be understood and solved the correct way.

See, as an example, our entry for SPLIT DNS and certs: http://www.butsch.ch/post/Exchange-200720102013-with-SPLIT-DNS-and-ONE-single-Certificate.aspx

 

Create a new GPO policy:

Software\Microsoft\Office\14.0\Outlook\AutoDiscover\RedirectServers (Office 2010)

Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers (Office 2013)

Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers (Office 2016)

 

 

Office 97 - 7.0

Office 98 - 8.0

Office 2000 - 9.0

Office XP - 10.0

Office 2003 - 11.0

Office 2007 - 12.0

Office 2010 - 14.0 (sic!)

Office 2013 - 15.0

Office 2016 - 16.0

Office 2019 - 16.0 (sic!)
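
One way to do the "only set the key if that Office version is installed" check from above, as an added example (not code from the original post or from Microsoft). Assumptions: the per-user HKCU hive, the host autodiscover.butsch.ch as redirect target, the value layout from the linked KB article (value name = host, empty data), and reading the installed version from the OUTLOOK.EXE App Paths entry; the function names are hypothetical.

```powershell
# Added example. Only list host names you control: every entry here suppresses
# the redirect prompt for that host.
$redirectHost = 'autodiscover.butsch.ch'   # assumption: taken from the DNS names above
$appPathKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'

function Get-OutlookMajorVersion {
    # Returns 14, 15 or 16 (see the version list above), or $null if Outlook is not installed.
    param([string]$AppPathKey)
    $exe = (Get-ItemProperty -Path $AppPathKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $exe) { return $null }
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    return (Get-Item -LiteralPath $exe).VersionInfo.FileMajorPart
}

function Set-AutodiscoverRedirect {
    # Writes the RedirectServers entry for exactly one Office version and returns the key path.
    param([int]$Major, [string]$HostName)
    if (@(14, 15, 16) -notcontains $Major) {
        throw "Unsupported Outlook major version: $Major"
    }
    if ($HostName -notmatch '^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$') {
        throw "Not a plain host name: $HostName"
    }
    $key = 'HKCU:\Software\Microsoft\Office\{0}.0\Outlook\AutoDiscover\RedirectServers' -f $Major
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Value name is the trusted HTTPS host; the data stays empty.
    New-ItemProperty -Path $key -Name $HostName -Value '' -PropertyType String -Force | Out-Null
    return $key
}

$major = Get-OutlookMajorVersion -AppPathKey $appPathKey
if ($major) {
    $written = Set-AutodiscoverRedirect -Major $major -HostName $redirectHost
    Write-Output "Set $redirectHost under $written"
} else {
    Write-Output 'Outlook not found, nothing written.'
}
```

Because the key is derived from the installed OUTLOOK.EXE, a machine that has already been migrated gets the 16.0 entry and no stale 14.0 key is re-created.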

 

Recovery Software Testdisk, Photorec, Recuva NTFS, NAS

If you need to recover files from defective media, try these. Keep in mind that most ransomware OVERWRITES the original file in place with the encrypted one.

R-Studio and Recuva were mentioned in some ransomware blogs in 2019, where it is said that you can't recover even if you would have a recovery tool in place for the decryption.

A kind of advert from the ransomware (at least you know which is the best recovery software…..)

We just wanted to mention some tools we often work with.

 

R-Studio

Recommended, for example, to recover data from different NAS disks like Netgear, QNAP etc.

Different versions, mostly LINUX-based ISO boot disks.

https://www.r-studio.com/

Recuva (Free Version and Pro Version)

https://www.ccleaner.com/recuva

TESTDISK + PHOTOREC: small CLI-based tools (freeware/open source)

With this excellent software you can low-level scan partitions (this will take hours) and restore the files found to separate media.

https://www.cgsecurity.org/wiki/TestDisk

https://www.cgsecurity.org/wiki/TestDisk_Download

https://www.cgsecurity.org/wiki/PhotoRec

 

 

A Microsoft MSDN Blog solution:

https://gallery.technet.microsoft.com/Free-Data-Recovery-Tool-to-69e0edd3

Some other tools in that direction:

https://gparted.org/livecd.php

https://www.runtime.org/data-recovery-software.htm

 

Domains with .CH (Switzerland) extension active spreading Locky Ransomware in 2016/2017


We would like to state that the provider can do almost nothing if the infection is on a hosted website to which the customer has access via FTP and the customer's client gets targeted. If a key logger or sniffer is running on the client and the user connects via FTP or portal, the attackers have access to the website. Often the management solutions which providers offer to their customers have exploits too, or people run insecure blogs where users are able to post and inject code. Most providers with an expensive IPS and IP-reputation firewall will block access to those websites as soon as someone knows that they spread new variants. However, this only happens if someone reports the infection or the antivirus sends info back to a P2P/cloud network, for example the GTI network from McAfee.

80% of the samples below did not infect via the main domain, for example www.sample.ch, but mostly via some random string such as www.sample.ch/rtzdiiU64z, which then leads to the malware dump code. We think the initial contact still happened by e-mail spam, which then leads to the specific URL.

The risk that a URL-reputation firewall will block such domains is slightly lower, so they have more success. The human end-user factor also plays a role if you see a URL from your own country which sounds normal.

List pulled from www.abuse.ch in 01/2019

Check out the website; it offers extremely good lists of such things.

 

 

W10, Ivanti DSM Enteo Frontrange: turning off BALLOON messages for users

Out of the box, the DSM client shows a relatively large number of messages (bottom right in the TRAY) which the user does not want to see. This happens, for example, on a site change when a laptop is moved from the LAN to WiFi, and so on. The messages can be configured in two ways.

 

  1. With a CONFIGURATION PACKAGE
  2. Directly via the registry

 

VIA REGISTRY, however you then set it (UE-Software, REG ADD, Enteo, batch, PS etc.)

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\NetSupport\NetInstall\BalloonNotifications\

The keys are self-explanatory. You get the variables/names for them from the Enteo package console. In the configuration, take for example the value P_NiInst32DeferredPackageFound and then search for it in the registry WITHOUT the P_ at the beginning, e.g. "NiInst32DeferredPackageFound".

 

With a configuration package

According to our inquiry with IVANTI support, you unfortunately have to specify ALL values in the package, i.e. set or deactivate each of them.

So there is no ON/OFF/LEAVE-AS-IS (do not change) OPTION as there is with, for example, a GPO.

The values which should show a balloon must have the check mark set.

Assuming you ask the user YES/NO with a Messagebox.exe and all software comes via AUTOINSTALLER, we suggest turning everything off except the first two options.