Powershell, Retrieve DisplayName,DisplayVersion,Publisher from Registry or export.REG

by butsch 5. September 2023 18:43


You need an easy way to get an inventory list of the software installed on a machine via PowerShell. What we need for the list is: DisplayName, DisplayVersion, Publisher.


We have two versions of the script:

Version 1

Use regedit and export the hives into .REG files. Copy them to your admin machine and then parse the two files with the script. Use this where you are not allowed to run PS on servers because of compliance (signed/external source etc.).

Version 2

Directly access the Registry 32/64BIT Hive Uninstall info on local machine and generate an output.txt file.


Here is how to easily extract the most important information from a .REG export from the UNINSTALL Registry HIVE. We don't want to run the PS directly on the server or via the server because of compliance. So, you can export the Registry Hives from a server as a .REG file, transport them through valid methods to the management machine, and then generate a semicolon-separated list for Excel import.

At the bottom, you will find a version we made for retrieving the info directly from the Registry hives of the local machine, without the detour via the .REG export (32 and 64-bit hives):



Version 1



# www.butsch.ch
# Version 1 Import from .REG File which was exported on machine/server
# V1.0, 03.09.2023, First Release

# Split the export into one block per registry key (blocks are separated by a blank line)
(Get-Content -Path 'C:\edv\00_modern_workplace\software.reg' -Raw) -split '\r?\n\r?\n' | ForEach-Object {

    # Turn every "Name"="Value" line of the block into a Key/Value object
    $UninstallInfo = $_ -split '\r?\n' | ForEach-Object {
        # Split on the first '=' only, so values that contain '=' are kept
        $Line = $_ -split '=', 2
        if ($Line.Count -eq 2) {
            [PSCustomObject]@{
                Key   = $Line[0].Trim()
                Value = $Line[1].Trim()
            }
        }
    }

    $DisplayName = $UninstallInfo | Where-Object { $_.Key -eq '"DisplayName"' }
    $DisplayVersion = $UninstallInfo | Where-Object { $_.Key -eq '"DisplayVersion"' }
    $Publisher = $UninstallInfo | Where-Object { $_.Key -eq '"Publisher"' }

    # Only keys that carry all three values are written, semicolon-separated
    if ($DisplayName -and $DisplayVersion -and $Publisher) {
        ($DisplayName.Value), ($DisplayVersion.Value), ($Publisher.Value) -join ';'
    }
}


Windows Registry Editor Version 5.00




[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Edge Update]

"DisplayName"="Microsoft Edge Update"







Here is the version which gets the information directly from the local machine:


# www.butsch.ch
# Version 2 direct access from Registry Hives
# V1.0, 03.09.2023, First Release
# This PS will retrieve all information it can find about installed Software 32/64BIT Hives and write the data into a file output.txt
# -----------------------------------------------------------------------------------------------------------------------------------

# Define the Registry paths for both 32-bit and 64-bit programs
# (standard Uninstall keys: native view and WOW6432Node view)
$registryPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Initialize an empty array to store the results
$results = @()

# Iterate through the Registry paths
foreach ($path in $registryPaths) {

    # Get all subkeys (uninstall entries) under the Registry path
    # The filter keeps only subkeys whose name starts with a {GUID}
    $uninstallKeys = Get-ChildItem -Path $path | Where-Object { $_.PSChildName -match '^{[A-F0-9-]+}' }

    # Iterate through each uninstall entry
    foreach ($key in $uninstallKeys) {
        $properties = Get-ItemProperty -Path "$path\$($key.PSChildName)" -ErrorAction SilentlyContinue

        if ($null -ne $properties) {
            $entry = $properties.DisplayName
            if ($properties.DisplayVersion) {
                $entry += ";$($properties.DisplayVersion)"
            }
            if ($properties.Publisher) {
                $entry += ";$($properties.Publisher)"
            }
            $results += $entry
        }
    }
}

# Output the results to a file
$results | Out-File -FilePath "output.txt"

# Display the results on the console (optional)
$results






Eventviewer, eventvwr.exe commandline filter XML query building (Call and pre filter view with one line)

by butsch 28. July 2023 21:46


Event logs provide valuable insights into system operations, allowing IT professionals to monitor and troubleshoot potential issues. When dealing with Windows event logs, PowerShell is a powerful tool that enables event filtering, but it may not be everyone's preferred choice due to complexity and perceived security concerns. In this blog post, we will explore an alternative method - using the command-line filter of Event Viewer - to easily access Critical, Error, and Warning events from the Application log.

In this command, we construct an XML query that filters events based on severity levels:

Level=1 corresponds to Critical,

Level=2 corresponds to Error, and

Level=3 corresponds to Warning.

The command will open the Event Viewer and present the filtered results, saving valuable time for IT operations and support personnel.

eventvwr.exe /f:"<QueryList><Query Id='0' Path='Application'><Select Path='Application'>*[System[(Level=1 or Level=2 or Level=3)]]</Select></Query></QueryList>\"


Advantages of the Command-Line Filter:

Familiarity: Many seasoned IT professionals prefer using a simple command-line approach they are familiar with, making it easier to find and work with event logs efficiently.

Accessibility: The command-line filter is available on all modern Windows operating systems, eliminating compatibility concerns.

Trustworthy: Since the command-line tool is a built-in Windows feature, there are no worries about third-party dependencies or security issues.


PowerShell Approach:

Before diving into the command-line filter, let's quickly review the PowerShell method. By leveraging the Get-EventLog cmdlet, one can filter events based on severity levels and display them in PowerShell console. The script would look like this:

Get-EventLog -LogName "Application" -EntryType Error, Warning, Information | Where-Object { $_.EntryType -eq "Error" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Information" }

But we want it command-line style, because most people with long-term experience are used to that tool/console to find things and work.

eventvwr.exe /h

What? ;-)


Ok let's try:

Go to XML tab

Cut and paste into notepad


<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>


If you see this, then all is fine:


If you see this, then you did not read 100% and check every " changed to ' and the \ at the end, or you tried to call it together with /c:application (channel) and a query (/f:).


Wrong sample:


Some Microsoft links (one sample there is wrong, I did not understand at once what it tells, and the eventvwr.exe /h is really nerdy ;-)
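
The same QueryList can also be run from PowerShell with Get-WinEvent -FilterXml, which, unlike the Get-EventLog entry types, also covers Level=1 (Critical). This is an added example, not part of the original post; the function name Get-FilteredEventSummary and the 1000-event cap are assumptions.

```powershell
# Added example (not from the original post).
# Same query as in the eventvwr.exe /f: call, as copied from the XML tab.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

function Get-FilteredEventSummary {
    param(
        [Parameter(Mandatory)][string]$FilterXml,   # QueryList text from the XML tab
        [int]$MaxEvents = 1000                      # assumption: cap to keep the run short
    )

    # Parse first: a typo in the query fails here with a clear XML error
    $query = [xml]$FilterXml
    if ($null -eq $query.SelectSingleNode('/QueryList/Query/Select')) {
        throw 'QueryList contains no <Select> element.'
    }

    $levelNames = @{ 1 = 'Critical'; 2 = 'Error'; 3 = 'Warning' }

    try {
        $events = Get-WinEvent -FilterXml $query -MaxEvents $MaxEvents -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; treat that as an empty result
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    # One row per provider / event ID / level, most frequent first
    $events |
        Group-Object -Property ProviderName, Id, Level |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $newest = $_.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
            [PSCustomObject]@{
                Count    = $_.Count
                Level    = $levelNames[[int]$newest.Level]
                Provider = $newest.ProviderName
                EventId  = $newest.Id
                LastSeen = $newest.TimeCreated
            }
        }
}

Get-FilteredEventSummary -FilterXml $filterXml | Format-Table -AutoSize
```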










M365 | on-premise, Outlook.exe DEBUG logging for troubleshooting complete guide

by butsch 16. June 2023 07:00

Enhancing Outlook Debug Logging for Troubleshooting

Mike Butsch, www.butsch.ch

What we want to do and why

Outlook debug logging is a valuable tool for diagnosing and resolving issues within Microsoft Outlook. By enabling advanced logging, you gain deeper insights into the application's behavior, allowing for more effective troubleshooting. In this blog post, we will explore the process of enabling global and advanced logging for Outlook, along with additional steps to enhance the logging capabilities.

In conclusion, by enabling and leveraging Outlook debug logging, you can gain valuable insights into the behavior of Microsoft Outlook and efficiently troubleshoot any issues that may arise. Remember to exercise caution when modifying the Windows Registry and follow the necessary steps outlined in this blog post.

Some key points in this paper:

* Attention: Do not make the user you analyze a Local Administrator

* How to make the KEY under another user Registry hive

* You are admin or user: how to generate the Registry Key

* How to find something or for what to search for in the Debug Logfiles you made:

* Analyze WPA and ETL files

* Outlook 2010 Debug Logfiles

* Outlook 2013 and Outlook 2016 Debug Logfiles

* What if you want to enable this for some computers automatic in your Windows Domain on-premise with GPO?



In addition to the steps mentioned in the documentation, there is an additional parameter that can be enabled to gather more detailed information. This parameter involves modifying a specific subkey in the Windows Registry. Please note that the following steps require careful attention to avoid unintended issues:

1. Launch the Windows Registry Editor by opening "regedit.exe".

2. Navigate to the following subkey path: "HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\xx.0\Outlook\Options\Shutdown".

3. In the specified subkey, create a new "DWORD (32-bit) Value" named "FastShutdownBehavior".

4. Double-click on the newly created "FastShutdownBehavior" value and set its value data to 2.


By following these steps, you will successfully create the DWORD (32-bit) value "FastShutdownBehavior" with a value of 2 in the Windows 10 Registry.


Attention: Do not make the user you analyze a Local Administrator. This will produce problems related to Exchange, ActiveSync GPO and Azure sync (info not synced back to the local domain from Azure for that user).



Note: If the user experiencing the issue does not have sufficient permissions to create the key, it is important not to grant them local admin privileges without addressing the "ADMINSholder" flag attribute. Granting local admin privileges without correcting the "ADMINSholder" flag may lead to further complications. Refer to these resources for more information on the "ADMINSholder" flag:

Attention: https://www.butsch.ch/post/Activesync-with-Exchange-2013-does-not-work-ADMINSHOLDER-Flag-(an-old-bad-friend) or https://www.butsch.ch/post/Exchange-Activesync-1053-Event-4003-Error-2007201020132016-Adminsholder

Again, an example to explain why you should not make the user Local Admin: also be aware that if you are in M365 Azure Hybrid Mode, those accounts with the ADMINSholder flag set won't sync back or to Azure.


Target: what we need for the USER who has the OUTLOOK.EXE problem. That may be a different user than the one logged on to a non-domain-joined machine.

How to set key for another user?


It's important to note that the user encountering the "OUTLOOK.EXE" problem may not be the same as the one logged on to the non-domain joined machine. Therefore, we need to set the key for the relevant user. Here is a brief explanation of how to set the key for another user:

1. Create a CMD shortcut on the desktop.

2. Right-click on the shortcut while holding down the SHIFT key and choose "Run as different user."

3. A command prompt (CMD.exe) will open.

4. Launch the Registry Editor (regedit.exe) from the command prompt.

5. Locate the appropriate registry hive for the user you want to debug in Outlook.


INFO: Why not make him local Admin? Again, because most don't understand the impact if it is not corrected afterwards! Please read the above carefully IF you have that idea.


How to make the KEY under another user Registry hive Explanation #1


Solution: you need to run regedit.exe under a separate LOCAL ADMIN or service account to have the permission to CREATE that missing key structure per user. Also keep in mind that an existing POLICY/GPO will overwrite the settings within 15-X minutes if you have those set in a domain environment.

How to make a REGISTRY KEY under ANOTHER user hive

If the user experiencing the issue does not have sufficient permissions to create the registry key, it is important to take the following precautions:


1. Avoid granting the user local admin privileges without addressing the "ADMINSholder" flag attribute.

2. Granting local admin privileges without correcting the "ADMINSholder" flag can lead to additional complications and should be avoided.


To proceed with modifying the registry for the affected user:


1. Request access to the user's registry hive or have the affected user provide it to you.

2. Open the Windows Registry Editor ("regedit.exe").

3. In the Registry Editor, click on "HKEY_USERS" and then go to "File" -> "Load Hive."

4. Browse to the user's registry hive file (NTUSER.DAT) located in their profile folder (e.g., C:\Users\Username).

5. Enter a name (e.g., "UserHive") for the loaded hive.

6. Navigate to "UserHive\Software\Policies\Microsoft\Office\xx.0\Outlook\Options\Shutdown" in the loaded hive.

7. Create a new "DWORD (32-bit) Value" named "FastShutdownBehavior" and set its value to 2.

8. Unload the loaded hive by selecting the loaded hive ("UserHive") and clicking on "File" -> "Unload Hive."


By following these steps, you can modify the registry using the hive of the affected user, without granting them local admin privileges. Remember to exercise caution and address the "ADMINSholder" flag issue if encountered, as granting local admin privileges without correcting it can lead to further complications.
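
The load-hive procedure above can be scripted with reg.exe from an elevated PowerShell session. This is an added example, not from the original post; the function name and its parameters are assumptions, and the Office version (the xx.0 in the path) has to be supplied by the caller.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
function Set-OutlookFastShutdownInHive {
    param(
        [Parameter(Mandatory)]
        [string]$ProfilePath,               # profile folder, e.g. C:\Users\Username

        [Parameter(Mandatory)]
        [ValidatePattern('^\d+\.0$')]
        [string]$OfficeVersion,             # the "xx.0" part of the path, e.g. 16.0

        [string]$MountName = 'UserHive'     # name of the loaded hive under HKEY_USERS
    )

    $hiveFile = Join-Path -Path $ProfilePath -ChildPath 'NTUSER.DAT'
    if (-not ([System.IO.File]::Exists($hiveFile))) {
        throw "No NTUSER.DAT found in $ProfilePath"
    }

    $mount = "HKU\$MountName"
    $key   = "$mount\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Shutdown"

    # Steps 3-5: File -> Load Hive. This fails while the user is logged on,
    # because the hive is then already loaded under HKEY_USERS\<SID>.
    & reg.exe load $mount $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg load failed (exit code $LASTEXITCODE). Is the user logged on, or is the session not elevated?"
    }

    try {
        # Steps 6-7: create the key path and the DWORD value FastShutdownBehavior = 2
        & reg.exe add $key /v FastShutdownBehavior /t REG_DWORD /d 2 /f | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "reg add failed (exit code $LASTEXITCODE)."
        }

        # Read the value back so the result is visible in the console
        & reg.exe query $key /v FastShutdownBehavior
    }
    finally {
        # Step 8: always unload, even if writing the value failed
        & reg.exe unload $mount | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg unload $mount failed. Close any tool that still has the hive open and unload it manually."
        }
    }
}

# Constructed sample call (path and version are placeholders):
# Set-OutlookFastShutdownInHive -ProfilePath 'C:\Users\Username' -OfficeVersion '16.0'
```

An existing policy/GPO for the same key will overwrite the value again at the next refresh, as noted earlier in the post.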


Find the Office version "SHORTY" the user has, for example "15.0", "16.0" etc.


You are admin or user and how to generate the Registry Key Explanation #2


When troubleshooting Outlook issues for a specific user, there are two options to access the user's registry hive.

By following either of these options, you can access the user's registry hive and make necessary modifications to troubleshoot the Outlook.exe problem. Remember to exercise caution and ensure you have the appropriate permissions and authority to access the user's registry hive.



Option 1: User Logged On to the System


If the user experiencing the problem is currently logged on to the system, you can utilize the following method:


1. Open the Command Prompt (cmd.exe) with administrative privileges.

2. Execute the "regedit.exe" command using the "RUNAS" trick. This allows you to run the Registry Editor as a different user.

3. Skip to the next step if you can already see the user's registry hive in the Registry Editor. This occurs when the user is logged on to the system and you are accessing the Registry Editor using the "RUNAS" trick or a remote session, such as Dameware or another remote support tool.

Option 2: Administrator/IT Logged On


If you are logged on as an administrator or IT personnel and know the username of the user experiencing the Outlook.exe problem, follow these steps:


1. Launch the Registry Editor ("regedit.exe") with administrative privileges.

2. Click on "HKEY_USERS" in the Registry Editor.

3. Go to "File" -> "Load Hive" in the menu.

4. Browse to the user's registry hive file (NTUSER.DAT) located in their profile folder (e.g., C:\Users\Username).

5. Provide a name (e.g., "UserHive") for the loaded hive. This name will be used to identify the user's registry hive in the Registry Editor.




Once you have made the necessary changes to the registry, log off and log back on to apply the settings. Launch Outlook, and you should now see the logging in action. This allows you to identify any problematic areas or errors that may be occurring.

Check the key again under the HKCU > OK

Start Outlook: yes, logging is active and you see a warning.

Check the things that don't work to produce logs. Click around and open things, for example another calendar from the OAB address book.

Check the logs generated.



To gather relevant log files for troubleshooting purposes, you can focus on specific folders or actions that are not functioning as expected. These log files can be shared with Microsoft Support to assist in resolving the issue. To convert the log files (ETL format) into a more readable format, you can use the PowerShell command `tracerpt.exe FILENAME.ETL -lr`. You can then preview the converted files or open them using the Event Viewer (`eventvwr.exe`) to examine the events more closely.

Convert in Powershell to some TEXT/XML.

ETL > Event Viewer ;-) ???


A filter may help if there are any errors?

How to find something or for what to search for in the Debug Logfiles you made:


When analyzing ETL or XML files for debug information related to free/busy functionality in Outlook, you can look for specific events and data related to free/busy operations. Here are some key points to consider:


1. Event ID: Look for events with specific event IDs that pertain to free/busy operations. These event IDs can vary depending on the version of Outlook and the specific scenario. Typically, you may find events with IDs such as 2000, 2007, or 2016, which are commonly associated with free/busy processing.

2. Provider Names: Look for events associated with providers or services related to free/busy functionality. These providers can include Autodiscover, Exchange Web Services (EWS), Availability Service, or any other components involved in free/busy data retrieval and processing.

3. Timestamps: Pay attention to the timestamps of the events and their sequencing. This can help you understand the flow and timing of free/busy operations. Look for patterns, delays, or any inconsistencies that might indicate potential issues.

4. Error Codes and Messages: Take note of any error codes or error messages associated with the free/busy events. These can provide valuable information about the nature of the problem or any specific errors encountered during free/busy processing.

5. Data Fields: Look for specific data fields or attributes that contain information related to free/busy functionality. These can include user identifiers, calendar data, availability status, or any other relevant data that helps in understanding the free/busy operations.

To locate this debug information within the ETL or XML file, search for the relevant event IDs, provider names, error codes, or specific data fields mentioned above. Use the search functionality in your text editor or XML viewer to locate and analyze the corresponding events. Additionally, you can filter the events based on the time range or other criteria to focus on the relevant information.

By carefully examining these events and data within the ETL or XML file, you can gain insights into the free/busy operations, identify any errors or delays, and troubleshoot any issues affecting the free/busy functionality in Outlook.
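
As an added example (not from the original post), the five checks above can be run directly against an .etl file with Get-WinEvent -Path ... -Oldest instead of converting it with tracerpt.exe first. The function name, the search pattern and the 5-second gap threshold are assumptions.

```powershell
# Added example (not from the original post).
function Get-EtlTriage {
    param(
        [Parameter(Mandatory)]
        [string]$Path,                      # .etl file to inspect

        # assumption: search terms taken from the components named in the text above
        [string]$MessagePattern = 'free.?busy|availability|autodiscover|\bEWS\b',

        # assumption: what counts as a noticeable delay between two events
        [double]$GapSeconds = 5
    )

    # Trace files can only be read oldest-first, so -Oldest is required for .etl
    $events = @(Get-WinEvent -Path $Path -Oldest -ErrorAction Stop)

    # Points 1 and 2: which providers and event IDs occur, and how often
    $byProvider = $events |
        Group-Object -Property ProviderName, Id |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name

    # Point 4: Critical (1), Error (2) and Warning (3) events
    $problems = @($events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 })

    # Point 5: events whose decoded message mentions the search terms.
    # Message is empty when the provider's manifest is not registered on this machine.
    $hits = @($events | Where-Object { $_.Message -match $MessagePattern })

    # Point 3: gaps between consecutive events that are longer than the threshold
    $gaps = for ($i = 1; $i -lt $events.Count; $i++) {
        $previous = $events[$i - 1]
        $current  = $events[$i]
        if ($null -eq $previous.TimeCreated -or $null -eq $current.TimeCreated) { continue }

        $seconds = ($current.TimeCreated - $previous.TimeCreated).TotalSeconds
        if ($seconds -ge $GapSeconds) {
            [PSCustomObject]@{
                After    = $previous.TimeCreated
                Before   = $current.TimeCreated
                Seconds  = [math]::Round($seconds, 1)
                Provider = $current.ProviderName
                EventId  = $current.Id
            }
        }
    }

    [PSCustomObject]@{
        File        = $Path
        EventCount  = $events.Count
        ByProvider  = $byProvider
        Problems    = $problems
        PatternHits = $hits
        Gaps        = @($gaps)
    }
}

# Constructed sample call (file name is a placeholder):
# $t = Get-EtlTriage -Path "$env:TEMP\Outlook Logging\FILENAME.ETL"
# $t.ByProvider | Select-Object -First 20
# $t.Gaps | Format-Table -AutoSize
```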


Analyze WPA and ETL files


Also read following KB on how to process the files further with WPA



If you are specifically working with ETL files generated from Outlook.exe debug mode the files are binary files containing event traces, and parsing them requires specific tools and techniques.

To analyze ETL files generated from Outlook.exe debug mode, you can use Microsoft Message Analyzer (MMA) or Windows Performance Analyzer (WPA), which are powerful tools for analyzing event traces. These tools allow you to load the ETL file and apply filters to extract specific information or errors related to Outlook.exe.

Here's a high-level overview of the steps involved in using Microsoft Message Analyzer to analyze Outlook.exe ETL files:

1. Download and install Microsoft Message Analyzer from the Microsoft Download Center.


2. Launch Microsoft Message Analyzer.

3. Go to the "File" menu and select "New Session" to create a new session.

4. In the "New Session" window, click on the "Live Trace" tab.

5. Select the "Microsoft-Windows-Diagnostics-Performance" provider from the list.

6. Click on the "Capture" button to start capturing events.

7. Reproduce the issue or scenario for which you want to capture the event trace.

8. Once the desired events have been captured, click on the "Stop" button to stop capturing.

9. Go to the "File" menu and select "Save As" to save the captured events as an ETL file.

10. Open the saved ETL file in Microsoft Message Analyzer.

11. Use the filtering and analysis capabilities of Microsoft Message Analyzer to locate the specific errors or information related to free/busy or any other aspect of Outlook.exe.


Please note that analyzing ETL files can be a complex task, and familiarity with Microsoft Message Analyzer or similar tools is recommended for effective analysis. The steps provided above are a general guideline, and the exact steps may vary based on the version of Microsoft Message Analyzer or other tools you are using.

Remember to always exercise caution when analyzing ETL files and ensure you have the necessary permissions to access and analyze the files.


What if you want to enable this for some computers automatic in your Windows Domain on-premise with GPO?


Be careful with the GPO. The debug mode of Outlook will generate 50MB+ files, maybe per minute. That is why we want to target that policy to an ADS group with computer accounts. If you are unsure how to do that, leave it and do it manually.

In addition to enabling Outlook debug logging using Group Policy Objects (GPO), you can further refine the application of the GPO by creating an Active Directory security group and assigning the GPO only to computers that are members of that group. This allows you to control which computers have the debug logging enabled. Here's how you can do it:

Step 2: Add Computers to the Security Group:

1. Locate the computers that you want to enable Outlook debug logging for.

2. Select the desired computers, right-click, and choose "Add to a group" or "Add to a security group" (depending on your Active Directory administrative tools).

3. Search for and select the "Outlook Debug Users" security group you created in Step 1.

4. Click "OK" to add the selected computers to the security group.

Step 3: Assigning the GPO to the Security Group:

1. Return to the Group Policy Management Console.

2. Right-click on the GPO that configures the Outlook debug logging settings and select "Properties".

3. In the "Properties" window, navigate to the "Security" tab.

4. Click the "Add" button to add a new permission entry.

5. In the "Select User, Computer, or Group" dialog box, enter the name of the security group ("Outlook Debug Users") and click "OK".

6. Back in the "Properties" window, select the added security group from the permission entries list.

7. Under the "Permissions for [Group Name]" section, check the "Read" and "Apply Group Policy" checkboxes.

8. Click "OK" to save the changes.

By following these steps, you have created an Active Directory security group, added the desired computers to that group, and assigned the GPO to the security group. This ensures that the Outlook debug logging settings will only be applied to computers that are members of the specified security group, allowing you to control the scope of the debug logging feature.


Some links regarding this:

Outlook Debug Logging


MS Learn:



Logfiles reference for different Outlook version:

Note The log files are created in multiple folders. These folders vary, depending on the version of Outlook that you're running.

Outlook 2010 Debug Logfiles

Log files in the %temp% folder

File name

Outlook RPC log


AutoDiscover log


Outlook/SharePoint synchronization logs

.htm and .xml files


Log files in the %temp%\OlkAS folder

File name

Availability Service, OOF, and Meeting Suggestion log files

date-time -AS.log

Protection Rules log files

date-time -PB4S.log

Unified messaging log files

date-time -UM.log

Unified Messaging configuration log files

date-time .UMCFG.log


Log files in the %temp%\OlkCalLogs folder

File name

Outlook calendar log files


Log files in the folder

%temp%\Outlook Logging

File name

Outlook advanced ETW log


MailTips log


OOF log


Transport log file


Outlook profile logs


SMTP log files


POP3 log files


IMAP log files


HTTP DAV log files


Outlook Hotmail Connector log files


Outlook Sharing Engine log files

SharingEngine date.log

Outlook-Windows Desktop Search indexing log files

data file name.log

Outlook first-run process log file


Outlook 2013 and Outlook 2016 Debug Logfiles

Log files in the %temp% folder

File name

Outlook/SharePoint synchronization logs

.htm and .xml files

Log files in the %temp%\EASLogFiles

File name

EAS logs for Hotmail accounts

.bin and .xml folders

Log files in the %temp%\OlkCalLogs folder

File name

Outlook calendar log files

OlkCalLog_date_time .etl

Log files in the folder

%temp%\Outlook Logging

File name

Advanced ETW log


Transport log file


Outlook profile logs



SMTP log files 

Note The log files are only logged in Outlook 2016 and earlier versions.


POP3 log files

Note The log files are only logged in Outlook 2016 and earlier versions.


IMAP log files

Note The log files are only logged in Outlook 2016 and earlier versions.


Outlook Sharing Engine log files

SharingEngine date.log

Outlook-Windows Desktop Search indexing log files

data file name.log

Outlook first-run process log file


Note You can sort by Date modified to find the files that were created most recently.




Starting March 2023, Microsoft EDGE will be the new Adobe Reader and Acrobat if you Opt IN

by butsch 14. February 2023 16:12




I just found some information while searching for more info about the 02/2023 Windows updates/patches. This is interesting because we mostly do auto updates for Defender and Edge updates, while we analyse and test all other monthly CUMU updates per customer and then approve them in some schema from small to big customers.

This has worked great over the last few months where other companies had problems who just auto approve Updates.

Adobe is the company with the most PDF patents for advanced features in PDF files. All the free solutions offer just a part of that or pay licence fees to Adobe, as we understood to date.

Starting in March, auto-approved Edge updates will include the Adobe Reader Engine in MS Edge, and it seems that the Adobe Acrobat (Writer) license will also be available via Edge. This eliminates the eternal discussion about the safest way to open PDFs from the web/email (not in Chrome with the Adobe Extension) and whether to use Reader, Acrobat (Writer), or the browser. If it's all the same, that takes away the issue.


Acrobat Writer updates were often delayed because they were 170-500MB in size and didn't transfer quickly via Intune or on-premise deployment to laptops. So one product was sometimes the older.

In addition, there was always the question of which application should open .PDF files. Adobe put a lot of work into Reader manuals and explanations for end users. Most of the time one single user in an enterprise wants it another way and, because he is from QA, changes the open-with procedure via IT for all employees. Often this was because their quality solution or add-on did not work with the Edge PDF engine.

Adobe and Microsoft have a new partnership to integrate the Adobe Reader Engine into the MS EDGE browser, as well as Adobe Sign (which is the digital signature) for MS Cloud things mentioned.

Eventually, Adobe Reader will disappear and MS software should then direct the Edge to display PDFs. No one knows what will happen to Chrome.exe. Google and Amazon are heavy against the Azure Cloud and the new licensing model for Microsoft server OS (As we understood it would be more expensive to run MS Server outside of Azure...)






This is probably exactly the kind of thing they want to prevent:



Some extracted info which seems interesting for us:

How do I use the advanced Adobe Acrobat PDF features in Microsoft Edge?

Activating the advanced features with the Adobe Acrobat PDF extension in Microsoft Edge requires a paid Adobe Acrobat subscription. To activate the features, in the PDF view in Microsoft Edge, navigate to the top right corner of the window and click the button with messaging to try the advanced features. From there follow the prompts best suiting your needs to complete the transaction. If you already have a paid Adobe Acrobat subscription, you can sign into your existing account to use the advanced features at no additional cost.


Can general users opt out of using Adobe Acrobat PDF capabilities in Microsoft Edge?


General users will be unable to revert to using the legacy PDF engine in Microsoft Edge after the Adobe Acrobat PDF engine launches.



How will this affect commercial organizations?

When rollout begins in March 2023, there will be no changes to managed Windows devices in organizations unless you choose to opt in. Users on unmanaged Windows devices will see an unobtrusive Adobe brand mark in the bottom corner of their PDF view. These users will also see an option to try the advanced features, such as converting PDFs, combining files, editing text and images. If an organization chooses to opt in, users on managed devices will see the same changes. The built-in Microsoft Edge PDF solution with the Adobe Acrobat PDF engine will have full feature parity with the legacy Microsoft Edge PDF solution. No functionality will be lost.




M365/Power Automate/Flow: PA is in wrong language as example German/Deutsch Syntax GO TO missing, change language

by butsch 4. February 2023 18:10


Some braindumps from trying to learn new M365 things. Automation of Blender with Power Automate Desktop. I have long experience in AUTOIT but wanted to try the MS solution for once.


If you Install Power Automate desktop the Menu, content and also the Commands are in the primary APP language you have under your Regional settings.

So even if you have a W10/W11 in UK/EN but Preferred Languages for APP and Websites set to another language it will be displayed in those settings.

Currently that makes it almost impossible to search anything smart on google or in TechNet because 90% of the content and help is in English.

There are also commands that you have to guess in German, like "Go to" for jumps. There are other commands in German which are very misleading compared to the English syntax.



Because OCR sometimes works and the next time we open the app it does NOT (same resolution, maximized window), we tried a trick where we check OCR first in a loop.

Like in the old BASIC days we will use GO TO, but we had a problem finding the syntax in the German version of PA. After we switched the language we also found out that the LABEL handling simply does not work?


The GO TO command related to Label seems a bit strange anyway buggy? Deleted label, made label new, Select GO TO the label does not appear there.



Delay, lag in Power Automate


Above Solution: 5 minutes later without saving, reload or any change the label appeared in the selection list?

The Power Automate Desktop is CLOUD based. If it really works like this, it's impossible to use it professionally because of lag and delay.

That is the same delay we have seen in M365 Portal. But for coding if you have such delay it makes it impossible to use.


We also had the case for a few days where, during a UI window selection with only 4 apps open, the normally 100% stable W10 crashed completely.

The only solution was to reboot the client; you could not even kill the hung process with taskmgr.exe or remote debug.

Clearly all changes to the Power Automate script (2 hrs of work) were lost, because you can ONLY save with the connection to the cloud and it does not auto save.











How to backup Power Automate Content Local


Select ALL, COPY and paste all into a text editor like notepad.exe


You don't have any of the data locally




August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922

by butsch 15. August 2022 16:11


Problem: You can't install the August 2022 update KB5012170 on some systems under certain conditions, where Secure Boot is enabled and the BIOS/UEFI firmware is not the latest. You will receive error 0x800f0922.

Error: Package KB5015730 failed to be changed to the Installed state. Status: 0x800f0922.

The patch does a revert



System which is not affected


The update fixes some Secure Boot problems, for example:

CVE-2022-34301 | Eurosoft Boot Loader Bypass

CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass

CVE-2022-34303 | Crypto Pro Boot Loader Bypass


Microsoft main link:

KB5012170: Security update for Secure Boot DBX: August 9, 2022 (microsoft.com)


What does the KB describe:

It describes the problem that systems with certain firmware/BIOS and GPO settings should not install KB5012170. The KB is very hard to understand. We try to help a little. Please keep in mind that you can't update firmware on laptops without checking compatibility with docking stations and maybe other things. In an enterprise you can't just update laptop firmware overnight and hope all is fine, like Microsoft thinks they can do with their M365/Azure solution and Autopilot clients. ;-)


Keypoint / problem:

If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.


So what does that mean if you don't have a post doc in IT?

Check whether you are affected and have PCR7 active

You can find out the status of your UEFI / PCR7 / BitLocker setup with MSINFO32.exe (elevated) and/or by running a DOS or PS command.


Some sample dumps and how to find out:


Affected product which has PCR7 mode shown:

Dell computer Precision 5530, Windows 10 21H2

msinfo32.exe commandline


Sicherer Startzustand    Ein    

PCR7-Konfiguration    Gebunden

DOS: manage-bde -protectors -get c:



Automate checking client for PCR7:


You may use a) your software deployment b) PSEXEC from Sysinternals c) Do not use GPO to deploy software if you are not 100% fireproof with scripting

With psexec:

PsExec - Windows Sysinternals | Microsoft Docs


psexec -s \\computer001 c:\windows\system32\manage-bde.exe -protectors -get c:

PsExec v2.4 - Execute processes remotely

Copyright (C) 2001-2022 Mark Russinovich

Sysinternals - www.sysinternals.com



BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.19041

Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.


Volume "C:" [Windows]

Alle Schlüsselschutzvorrichtungen


Numerisches Kennwort:

ID: {6E770EF9-56D2-430D-81SAFE82-0E9A555D3D8A9}





ID: {9BE23A51-4A8B-4649-98SAFEDE-FAD6FB7165B9}


7, 11

(Verwendet den sicheren Start für die Integritätsüberprüfung)


c:\windows\system32\manage-bde.exe exited on pen10nb014 with error code 0.
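A locale-independent way to evaluate that output, as an added example that is not part of the original post. The function names and the two sample texts are assumptions constructed here; the parser keys on the numeric PCR list ("7, 11") rather than on the localized labels, so the same check works on German and English clients.

```powershell
# Added example, not from the original post.
# Evaluates the text printed by "manage-bde -protectors -get C:" and reports
# whether the TPM protector is sealed to PCR 7 (the condition the KB warns about).

function Get-PcrValidationProfile {
    # Returns the PCR indexes as an int array; empty when no PCR list is printed.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # The PCR list is the one line made only of comma-separated numbers,
        # e.g. "7, 11". Labels around it are localized and deliberately ignored.
        if ($line -match '^\s*\d{1,2}(\s*,\s*\d{1,2})*\s*$') {
            $pcrs = @($line -split ',' | ForEach-Object { [int]($_.Trim()) })
            # TPM PCR indexes run from 0 to 23; skip any other numeric line.
            if (-not ($pcrs | Where-Object { $_ -gt 23 })) { return ,$pcrs }
        }
    }
    return ,@()
}

function Test-Pcr7Binding {
    # One result object per machine, ready for Export-Csv or Format-Table.
    param([string]$ComputerName, [string[]]$Lines)
    $pcrs = Get-PcrValidationProfile -Lines $Lines
    [pscustomobject]@{
        ComputerName    = $ComputerName
        HasTpmProtector = $pcrs.Count -gt 0
        PcrProfile      = $pcrs -join ', '
        Pcr7Bound       = $pcrs -contains 7
    }
}

# Constructed sample 1: modelled on the German output above, IDs are placeholders.
$samplePcr7 = @'
Volume "C:" [Windows]

    Numerisches Kennwort:
      ID: {00000000-0000-0000-0000-000000000001}

    TPM:
      ID: {00000000-0000-0000-0000-000000000002}
        7, 11
'@ -split '\r?\n'

# Constructed sample 2: a TPM protector that is not sealed to PCR 7.
$sampleLegacy = @'
Volume "C:" [Windows]

    TPM:
      ID: {00000000-0000-0000-0000-000000000003}
        0, 2, 4, 11
'@ -split '\r?\n'

@(
    Test-Pcr7Binding -ComputerName 'SAMPLE-PCR7'   -Lines $samplePcr7
    Test-Pcr7Binding -ComputerName 'SAMPLE-LEGACY' -Lines $sampleLegacy
) | Format-Table -AutoSize

# Live use from an elevated prompt on the client itself:
# Test-Pcr7Binding -ComputerName $env:COMPUTERNAME -Lines (manage-bde.exe -protectors -get C:)
```

Machines that report `Pcr7Bound = True` are the ones to check for current firmware before KB5012170 is approved.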


Automate msinfo32.exe with psexec

psexec -s \\computer001 C:\windows\system32\msinfo32.exe /nfo c:\edv\00_report\computer.txt /report c:\edv\00_report\computer_re.txt

Description of Microsoft System Information (Msinfo32.exe) Tool


Systeminformationsbericht erstellt am: 08/15/22 13:51:16

Systemname: SBBCARW10EL0145



Element    Wert    

Betriebsystemname    Microsoft Windows 10 Enterprise    

Version    10.0.19042 Build 19042    

Weitere Betriebsystembeschreibung     Nicht verfügbar    

Betriebsystemhersteller    Microsoft Corporation    

Systemname    PEN10NB014    

Systemhersteller    Dell Inc.    

Systemmodell    Precision 5530    

Systemtyp    x64-basierter PC    

System-SKU    087D    

Prozessor    Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 2904 MHz, 6 Kern(e), 12 logische(r) Prozessor(en)    

BIOS-Version/-Datum    Dell Inc. 1.12.0, 27.06.2019    

SMBIOS-Version    3.1    

Version des eingebetteten Controllers    255.255    

BIOS-Modus    UEFI    

BaseBoard-Hersteller    Dell Inc.    

BaseBoard-Produkt    0FP2W2    

BaseBoard-Version    A00    

Plattformrolle    Mobil    

Sicherer Startzustand    Ein    

PCR7-Konfiguration    Gebunden    


Other samples not affected:

An HP Elitedesk 800 G3 (older) with a non-UEFI BIOS

Binding is not possible because it is an older machine and does NOT use UEFI BIOS (legacy is used) for better OS deployment reasons.

DOS: manage-bde -protectors -get c:







A newer home system, an HP Elitedesk with UEFI, without Bitlocker GO or Bitlocker active (out-of-the-box end-user system)


manage-bde -protectors -get c:

Below, if you did NOT run msinfo32 as "Administrative/Elevated", the PCR7 entry says "Elevation required to view".

Here is msinfo32.exe run as admin: PCR7 would be possible but is not activated


You can see that on this specific machine, where PCR7 "Binding Possible" is shown, there is no BitLocker. That's why the patch installed here without the firmware update that HP offered.




  1. Check that you have the latest Bios/Firmware
  2. Check if you have PCR7 enabled like mentioned above

If not possible > for example because your docking station is not compatible with the latest firmware

To work around this issue, do one of the following before you deploy this update

On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:


Manage-bde -Protectors -Disable C: -RebootCount 1


Then, deploy the update and restart the device to resume the BitLocker protection.


On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:


Manage-bde -Protectors -Disable C: -RebootCount 3


Then, deploy the update and restart the device to resume the BitLocker protection.


Some further links and info regarding the patch:

ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Troubleshoot the TPM (Windows) - Windows security | Microsoft Docs

R730xd, BitLocker, Secure Boot, PCR7 issue - Dell Community


Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Docs

In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.

Windows Server shows PCR7 configuration as "Binding not possible"

Article, 02/24/2022


This article introduces the Binding not possible issue in msinfo32 and the cause of the issue. This applies to both Windows clients and Windows Server.


PCR7 Configuration in msinfo32

Consider the following scenario:


Windows Server is installed on a secure boot-enabled platform.

You enable Trusted Platform Module (TPM) 2.0 in Unified Extensible Firmware Interface (UEFI).

You turn on BitLocker.

You install chipset drivers and update the latest Microsoft Monthly Rollup.

You also run tpm.msc to make sure that the TPM status is fine. The status displays The TPM is ready for use.


In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.




Client Management | Deployment | Hotfixes / Updates | Microsoft SCCM/MEM/MDT | WSUS

WSUS Server crash Event ID 7053,12072,12052,12042,12012,13042 (Related to memory short)

by butsch 28. July 2022 17:09


Event ID 7053,12072,12052,12042,12012,13042 on WSUS Server


Unable to open the WSUS MMC or connect with script/PS/tools to the WSUS database. On clients or servers you see an error when this happens, because the WSUS app pool on IIS is down.

What is the problem?

If this happens, after a reboot of the server you will lose most of the APPROVAL or DENY decisions on your WSUS going back years.


In 90% of cases it is related to the RAM the WSUS server has and the WSUS application pool itself, or you have run out of space on your WSUS content drive.



In the past months, all long-running WSUS servers, no matter which OS they run on, seem to crash more often than they did before. For a long time we watched and thought this was sporadically related to:


  • Multiple use of the MMC console (several users checking WSUS)
  • Space on the D: drive (with all the feature updates you are soon up to 1 terabyte)
  • A script we had running to maintain WSUS, or rather to clean up WSUS automatically after it crashed again (deny 12'000 patches…)
  • We also assumed it was caused by a mix of WID (Windows Internal Database) and different versions of SQL Express or STD > we updated some mixed-use WSUS + EPO 5.10 servers to SQL 2017
  • As always, maybe AV solutions, which pinpoint. But we use McAfee ENS Endpoint with many exceptions, and it never blocked SQL or WID when configured right and not by beginners

None of that seemed the source of the problem.

It looks like the crashes are more often related to the memory handling of the IIS application pools and the total memory the HOST (VM) has.

Here are the errors we saw:

Event ID 7053, Application

The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,


Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.


System.NullReferenceException -- Object reference not set to an instance of an object.


Source: Microsoft.UpdateServices.UI.SnapIn


Stack Trace: at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ResetScopeNode()


Event ID 12072/12052/12042/12012/13042, Application, Windows Server Update Services

The Server Synchronization Web Service is not working.

The WSUS content directory is not accessible.

System.Net.WebException: The remote server returned an error: (503) Server Unavailable.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)

The DSS Authentication Web Service is not working.

Self-update is not working.

The Reporting Web Service is not working.

The API Remoting Web Service is not working.


Event ID 10016, SYSTEM, DistributedCOM




  1. Give the HOST on ESX/hypervisor more memory. You could trace for hours to find out how much, or you can be smart and give it 16-20 GB RAM. It depends on the history of the WSUS (such as running for 5 years, the number of clients or patches, how you clean up the WSUS with tools or scripts via SQL query).
  2. Open IIS, Application Pools, WSUSPOOL, Advanced Settings, and change the "Private Memory Limit KB" to something under the memory you gave the VM on ESX. (In our example the IIS app process runs at around 14 GB RAM and we gave the server 18 GB.)
  3. Reboot and all works again



You can now see how much memory the IIS app pool is consuming on a larger WSUS with a lot of history over years (a lot of WID/SQL data…)
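Step 2 can also be scripted, shown here as an added example that is not part of the original post. It assumes the default pool name `WsusPool`, the WebAdministration module that comes with the IIS management tools, and a hypothetical 4 GB of headroom taken from the 18 GB / 14 GB figures above.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
# Assumes the default pool name "WsusPool" and the WebAdministration module.
Import-Module WebAdministration

function Get-PrivateMemoryLimitKB {
    # Pure calculation: keep the pool limit below physical RAM so the OS and
    # WID/SQL keep some headroom. IIS stores privateMemory in KB; 0 = unlimited.
    param([long]$TotalRamBytes, [int]$HeadroomGB = 4)
    $headroomBytes = [long]$HeadroomGB * 1GB
    if ($TotalRamBytes -le $headroomBytes) {
        throw "Host has only $([math]::Round($TotalRamBytes / 1GB, 1)) GB RAM; add memory first."
    }
    return [long](($TotalRamBytes - $headroomBytes) / 1KB)
}

$poolPath = 'IIS:\AppPools\WsusPool'
$property = 'recycling.periodicRestart.privateMemory'

# Physical RAM of the VM, the limit currently set on the pool, and the proposal.
$ramBytes  = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
$currentKB = (Get-ItemProperty -Path $poolPath -Name $property).Value
$targetKB  = Get-PrivateMemoryLimitKB -TotalRamBytes $ramBytes

[pscustomobject]@{
    Server          = $env:COMPUTERNAME
    RamGB           = [math]::Round($ramBytes / 1GB, 1)
    CurrentLimitKB  = $currentKB
    ProposedLimitKB = $targetKB
} | Format-List

# Only raise a limit that is set and too low; 0 means the pool is already unlimited.
if ($currentKB -ne 0 -and $currentKB -lt $targetKB) {
    Set-ItemProperty -Path $poolPath -Name $property -Value $targetKB
    # The post reboots the server afterwards. Recycling only the pool is the
    # lighter alternative: Restart-WebAppPool -Name 'WsusPool'
}
```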





Client Management | Hotfixes / Updates | WSUS

Mcafee ENS 10.7 June 2022 new Exclude EXPLOIT Rules by Active Directory user or group

by butsch 28. July 2022 17:01


McAfee posted a fixed version of the 10.7 June 2022 release. Hidden in the release notes you will find an important detail.

You can now EXCLUDE Signature/Exploit/IPS rules FOR certain Active Directory users or groups by SID.

This is like a WMI filter for GPO (Group Policy): it lets you drill down more granularly and target exclusions more effectively.

A main problem until now is that an exclusion by MD5 checksum would be the safest and most useful. However, if you have self-updating software (like a RAPID 7 agent), the MD5 checksum keeps changing.

That's no problem if you are an enterprise with McAfee TIE Server and ATD Sandbox, which automatically sees that there are older versions of the agent in its history, checks several other things and then approves the file for running or not.


For exclusions, this helps to limit an exclusion for a certain file (without the MD5) to a certain user group or a single user.


If "financetoolstupidcoder.exe" hits 20 exploit rules because it was so crappily coded, then you can exclude all the signature-based rules for the single user with the SID 5654654634338998888 (your CFO, who gives IT money). ;-)


We would like to point out that McAfee has the large solution with ATD (TIE Server, ATD Sandbox), which allows you to control EXEs by MD5, but in an SBS or even a 1000+ shop you sometimes simply can't handle strict change and release management.


This will help us all a lot.







Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | Client Management

Enteo V6.X Master Reference Package (Screensaver/Locked/User Prompts), Version 1.1 of 10.10.2010

by butsch 18. March 2022 00:02


All binaries and an export of the project from Enteo V6.2 can be found at this URL:





What does the package do?

This universal reference package is meant to show how you can respond to the environment and the users in a real deployment environment.

Many software deployments lack these options, although they are basic building blocks of software distribution. This example is meant to give a push in the right direction and to serve as a substitute for a missing example from Enteo. Target audience:

Desktop engineers with several years of deployment experience and basic knowledge of Enteo. People switching to Enteo from, for example, SMS, SCCM, Altiris or Highsystem. Not suitable for supporters who, out of ignorance, have been handed the software distribution on a trial basis.

Hands off, give it back to the head of IT and ask him to read the chapter on ITIL risk management and recovery more carefully ;-)

Requirements for the master package: the package should fulfil the following…

    Check whether the screensaver is active > because then we do not want to install

    Determine whether the client is locked > because then we do not want to install

    It should check whether a user is currently working and logged on (maybe it only works then?)

    It should know how it arrives on the Enteo side (Service Installer or Auto Installer)

    It should ask the users whether they want the update, or you may want it to run only when someone is logged on (e.g. a green-IT eco shop without WOL and with power strips!)





Service Installer or Auto Installer?

Doesn't matter, does it?


If the package arrives via the Enteo Service Installer, no messages can be shown to the user. The Auto Installer is nothing other than NIAGNT32.EXE.

The Enteo Auto Installer: only this one shows possible popups through msgboxt.exe. Anything that arrives with the Service Installer runs in the background, as a service, and is not visible.


The master package is explained using an example, in this case the deployment of Adobe Flash from September 2010.

The package migrates the Flash Player to the current version. Desktop deployment and IT are migration and change.

Anyone can do a fresh install, and it is easy! That is why a presentation never shows a migration of Flash Player, but only ever a fresh installation.

In the package folder we have the following binary files. All of them can be downloaded from us.

PSKILL.EXE, Sysinternals process kill from Microsoft, used to kill WinWord and IE.

MSGBOXT.EXE, shows the user a message including a menu. Search for "Frank Scholer" in the Enteo forum to find it.

Locked.exe is an AutoIT script that checks whether the PC/client is locked. Source: Google. Returns 0/1. There are also C++ or script variants.


Directory EXTERN$ in the Enteo project folder

These are the files of the master package


What do you do with the ID number?


It is used in the script:


In the log files, or to determine whether a piece of software is present, we work with an ID. We do not rely on Enteo mechanisms but simply create a directory (flag) and check for it later. If the directory exists, the software is installed.



This is used here, for example:


Individual parts of the Enteo script explained:


Here I use "locked.exe" to check whether the client is locked. Since, for example, a Flash/Adobe Reader upgrade requires us to close open apps (Internet Explorer), this should NOT happen when the user is away from the PC (has pressed CTRL-ALT-DEL).

With the Enteo command ExitPROCEX; "UNDONE" we leave the script. The "UNDONE" is then visible, for example, under the policies in the Enteo console.

The process simply repeats at the next Enteo interval or, at the latest, at the next start of the machine.

Here the Enteo admin is shown what happened to the package or how the user reacted (Yes/No/Timeout). This corresponds to the text that I pass to the Enteo command ExitPROCEX.








Client Management | Deployment | Ivanti Frontrange Enteo | Scripting | W10 | WMI

SYNTAX ERROR: Fun with Powershell commands copied from Blogs or KB-solutions

by butsch 12. February 2022 02:37




We often see that the "-symbol or the minus-symbol is malformed although it looks normal in notepad.exe or the PS console. The effect of a malformed "-symbol can be devastating because you may have other objects with identical short names that you handle in complex commands.

Worst case: "room 140 left wing Barcelona" and it then targets "room" etc.

Several times we have seen such effects with PowerShell when we copy PS commands directly and don't use the copy-code function that good blog platforms, or even KB platforms on the intranet, should support.


Here is a sample:

You just see red. First you think the command is not there anymore in this version or whatever. Then you think maybe the wrong shell, 32/64? Or not elevated? Then you type it manually and it works ;-)

If you copy the two commands to NOTEPAD.EXE, all looks fine.

You can see in WinWord already that there MUST be a difference (they are not exactly the same horizontal length) ;-)

To really see it, open the two commands in Notepad++ or any advanced editor.




Euro? Germany? So someone from European Union made the Blog (Not UK not Swiss/Switzerland/Suisse) no? ;-) A double minus or triple minus?
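The same check without an editor, as an added example that is not part of the original post. The function names, the look-alike table and the sample command are assumptions constructed here; the sample is built from code points so that the script file itself stays plain ASCII.

```powershell
# Added example, not from the original post.
# Lists every character in a pasted command that is not plain printable ASCII,
# so look-alike dashes and quotes become visible before the command is run.

function Find-NonAsciiCharacter {
    param([string]$Command)
    # Typographic characters that blog engines and Word substitute for - " '
    $lookAlikes = @{
        0x2013 = 'EN DASH'; 0x2014 = 'EM DASH'; 0x2212 = 'MINUS SIGN'
        0x2018 = 'LEFT SINGLE QUOTATION MARK'; 0x2019 = 'RIGHT SINGLE QUOTATION MARK'
        0x201C = 'LEFT DOUBLE QUOTATION MARK'; 0x201D = 'RIGHT DOUBLE QUOTATION MARK'
        0x00A0 = 'NO-BREAK SPACE'
    }
    for ($i = 0; $i -lt $Command.Length; $i++) {
        $code = [int]$Command[$i]
        # Tab, LF and CR are normal in multi-line pastes and are not reported.
        if ($code -gt 0x7E -or ($code -lt 0x20 -and $code -notin 9, 10, 13)) {
            [pscustomobject]@{
                Position  = $i
                CodePoint = 'U+{0:X4}' -f $code
                Name      = if ($lookAlikes.ContainsKey($code)) { $lookAlikes[$code] } else { 'other non-ASCII' }
            }
        }
    }
}

function Repair-PastedCommand {
    # Maps the look-alikes back to the ASCII characters that were meant.
    param([string]$Command)
    $Command = $Command -replace '[\u2013\u2014\u2212]', '-'
    $Command = $Command -replace '[\u201C\u201D]', '"'
    $Command = $Command -replace '[\u2018\u2019]', "'"
    $Command -replace '\u00A0', ' '
}

# Constructed sample: a command after a blog engine "beautified" dashes and quotes.
$pasted = 'Get-ChildItem ' + [char]0x2013 + 'Path C:\edv ' + [char]0x2013 + 'Filter ' +
          [char]0x201C + '*.reg' + [char]0x201D

Find-NonAsciiCharacter -Command $pasted | Format-Table -AutoSize
Repair-PastedCommand -Command $pasted

# Check the clipboard before pasting into a console:
# Find-NonAsciiCharacter -Command (Get-Clipboard -Raw)
```

The repair is purely mechanical, so read the repaired command before running it: a typographic dash or quote inside a string argument may have been intended.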








Client Management
