Introduction:

Event logs provide valuable insights into system operations, allowing IT professionals to monitor and troubleshoot potential issues. When dealing with Windows event logs, PowerShell is a powerful tool that enables event filtering, but it may not be everyone's preferred choice due to complexity and perceived security concerns. In this blog post, we will explore an alternative method - using the command-line filter of Event Viewer - to easily access Critical, Error, and Warning events from the Application log.

Advantages of the Command-Line Filter:

Familiarity: Many seasoned IT professionals prefer using a simple command-line approach they are familiar with, making it easier to find and work with event logs efficiently.

Accessibility: The command-line filter is available on all modern Windows operating systems, eliminating compatibility concerns.

Trustworthy: Since the command-line tool is a built-in Windows feature, there are no worries about third-party dependencies or security issues.

PowerShell Approach:

Before diving into the command-line filter, let's quickly review the PowerShell method. By leveraging the Get-EventLog cmdlet, one can filter events based on severity levels and display them in PowerShell console. The script would look like this:

Get-EventLog -LogName "Application" -EntryType Error, Warning, Information | Where-Object { $_.EntryType -eq "Error" -or $_.EntryType -eq "Warning" -or $_.EntryType -eq "Information" }

But we want it commandline style because most people with long term expierence are used to that tool/console to find and work.

eventvwr.exe /h

What? ;-)

Ok let's try:

Go to XML tab

Cut and paste into notepad

<QueryList>

<Query Id="0" Path="Application">

<Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>

</Query>

</QueryList>

If you see this than all fine:

If you see this than you did not read 100% and checked all " > ' and the \ at the end or you try to

call together with /c:application (Channel) and Query (/f:)

Wrong sample:

Some Microsoft Links (One sample is wrong there and I did not understand what he tells at once and the eventvwr.exe /h is really nerdy? ;-)

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761

August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922

Problem: You can't install August 2022 Update KB5012170 on some systems under certain condition where Secure Boot is enbled and not latest BIOS/UEFI Firmware . You will receive an Error 0x800f0922

Error: Package KB5015730 failed to be changed to the Installed state. Status: 0x800f0922.

The patch does a revert

System which is not affected

The updates fixes some secure boot problems as example:

CVE-2022-34301 | Eurosoft Boot Loader Bypass

CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass

CVE-2022-34303 | Crypto Pro Boot Loader Bypass

Microsoft main link:

KB5012170: Security update for Secure Boot DBX: August 9, 2022 (microsoft.com)

https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15

What does the KB describe:

Describes the problem that certain firmware/Bios and GPO Settings should not patch KB5012170. The KB is very hard to dunerstand. We try to help a little. Please keep in mind that you can't update firmware without checking compatiblity on Laptops for docking station and maybe other things. In enterprise you can't can't just update laptop firmware over night and hope all is fine like microsoft thinks they can do with their M365/Azure solution and Autopolit clients. ;-)

So what does that mean if you don't have a post doc in IT?

Check if yout are affected with and have PCR7 active

You can find out the status of your UEFI / PCR7 / Bitlocker Setup with MSINFO32.exe (Elevated) or/and by running a DOS or PS command.

Some sample dumps and how to find out:

Affected product which has PCR7 mode shown:

Dell computer Precision 5530, Windows 10 21H2

msinfo32.exe commandline

shows:

Sicherer Startzustand    Ein    

PCR7-Konfiguration    Gebunden

DOS: manage-bde -protectors -get c:

Shows:

Automate checking client for PCR7:

You may use a) Your software Deployment b) PSEXEC from systernals c) Do not use GPO to deploy software if you are not 100% fireproof with scripting

With psexec:

PsExec - Windows Sysinternals | Microsoft Docs

Auotmate the msinfo32.exe with psexec

psexec -s \\computer001 C:\windows\system32\msinfo32.exe /nfo c:\edv\00_report\computer.txt /report c:\edv\00_report\computer_re.txt

Description of Microsoft System Information (Msinfo32.exe) Tool

Other samples not affected:

An HP Elitedesk 800 G3 (Older) with a NON UEFI BIOS

Binding not possible becauee older machine and NOT UEFI BIOS (Legacy used) because of better Deployment OS reasons.

DOS: manage-bde -protectors -get c:

PS:

Msinfo32.exe

Some newer Home system from HP Elitedesk with UEFI no Bitlocker GO or Bitlocker active (Out of the box enduser system)

BINDING POSSIBLE

manage-bde -protectors -get c:

Below you see under PCR7 that you did NOT run msinfo32 under "Administrative/Elevated" it says "Elevation required to view".

Here is msinfo32.exe with run as admin, PCR7 would be possible but is not activated

You can see in this specfic machine where PCR7 "Binding Possible" is shown there is not Bitlocker. That's why withou the Fimrware Update which was offered by HP this was the patch has installed.

Solution

1. Check that you have the latest Bios/Firmware
2. Check if you have PCR7 enabled like mentioned above

If not possible > as example because your docking station is not comaptible with latest firmware

Some further links and infos regarding the path:

ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Troubleshoot the TPM (Windows) - Windows security | Microsoft Docs

R730xd, BitLocker, Secure Boot, PCR7 issue - Dell Community

Enteo V6.X Master Referenz Paket (Screensaver/Locked/User Fragen), Version 1.1 vom 10.10.2010

Alle Binaries sowie ein Export des Projektes von Enteo V6.2 sind unter dieser URL zu finden:

http://www.ntfaq.ch/home.aspx?seite=enteo62_Referenz_Paket_Butsch_Informatik

http://www.butsch.ch

Was macht das Paket?

Dieses universelle Referenz Paket soll zeigen wie man in einer reellen Deployment Umgebung auf das Environment und die User eingehen kann.

Bei vielen Software Deployment fehlen diese Optionen obwohl Sie an sich Grundbausteine einer Software Verteilung sind. Dieses Beispiel soll einen

Anstoss in die richtige Richtung und als Ersatz für eine ein fehlendes Beispiel von Enteo dienen. Zielpublikum:

Desktop Engineer mit mehreren Jahren Deployment Erfahrung und Basis Kenntnissen in Enteo. Enteo Quer‐Einsteiger z.B. von SMS, SCCM,

Altiris oder z.B. Highsystem. Nicht geeignet für Supporter, welchen man aus Unwissenheit die Software Verteilung mal Testweise übergibt.

Finger weg und zurück an den IT‐Chef geben und bitten, dass er das Kapitel ITIL‐Risk Management und Recovery besser durchliest;‐)

Pflichtenheft an das Master Paket: Das Paket soll folgendes erfüllen….

‐     Abfragen ob der Screensaver aktiv ist > Denn dann wollen wir nicht installieren

‐     Ermitteln ob der Client gelockt ist > Denn dann wollen wir nicht installieren

‐     Es soll Abfragen ob ein User gerade arbeitet und angemeldet ist (Ev. Geht es nur dann?)

‐     Soll wissen wie es Enteo seitig kommt (Serviceinstaller oder Autoinstaller)

‐     Soll den User Fragen ob Sie das Update wollen oder man möchte diese nur laufen lassen, wenn jemand angemeldet ist (z.B. Green‐IT‐Oeko Shop ohne WOL und mit Stromleisten!)

 Das Master Paket wird anhand eines Beispiels erklärt. In diesem Falls das Deployment von Adobe Flash 10.1.85.3 vom September 2010.

Das Paket macht eine Migration des Flash Players auf die aktuelle Version. Desktop Deployment und IT ist Migration und Wandel.

Frisch installieren kann jeder und ist einfach! Darum wird in einer Präsentation nie eine Migration von Flash Player sonder immer nur eine frische Installation gezeigt.

Im Package Folder haben wir folgende Binary Files. Alle kann man bei uns downloaden.

Dies wird z.B. hier verwendet:

Einzelne Teile des Enteo Skriptes erklärt:

Hier kontrolliere ich mit "locked.exe" ob der Client gelockt/gesperrt ist. Da wir z.B. für eine Flash/Adobe Reader Upgrade offene Apps (Internet Explorer)

zumachen müssen soll dies NICHT passieren wenn der User Weg von seinem PC ist (CTRL‐ALT‐DEL gemacht).

Mit dem Enteo Befehl ExitPROCEX; "UNDONE" verlassen wir das Script. Das "UNDONE" sieht man dann z.B. bei den Policies in der Enteo Konsole.

Der Vorgang wiederholt sich einfach beim nächsten Enteo Intervall oder Start der Maschine spätestens wieder.

WSUS, W10/11 how to install a WSUS Update (KB patch) Manual with DISM from WSUScontent source Directory

This blog entry is about two things.

1. How to install a Windows Update from WSUS Source content folder manual by hand with DISM
2. Mcafee ENS 10.X, IPS Exploit Rule 6133 may block tiworker.exe with some updates (Mitre T1562)

Here is how to get the info which file is for what KB from WSUS-Server:

Search the file in your WSUSCONTENT folder

UN-7ZIP the cab file

For most Monthly patch day packages you also often need SSU (Servicing Stack Update). In most patches this is included. So you have several CAB files as seen above. Install the SSU first.

Servicing Stack Updates (SSU): Frequently Asked Questions (microsoft.com)

Install 1 the SSU.

dism /Online /Add-Package /PackagePath:"c:\drivers\SSU-19041.1220-x64.cab.cab"

Install 2 patch itself:

dism /Online /Add-Package /PackagePath:"c:\drivers\Windows10.0-KB5005565-x64.cab"

Keep an EYE on complex Antivirus with IPS Modules that do more than pattern scanning.

We have seen some Exploit IPS rules from Mcafee ENS 10.X which are ON by default but should be on to protect from Ransomware. It is good to keep an eye on those rules. Please carefully read the FULL alert in your ENS. Most of the times it says "WOULD BLOCK" if the EPO Admin did activate some rules in monitor mode (To Test new rules).

Exploit Rule 6133, change EPO side in ENS Policy

Microsoft W10 Update to 1909 failed because the pre Check found the certain DLL somewhere under the c:\drivers or C:\SWSETUP olders. (APP/Software or driver was not installed, Update block by JUST finding the Certain DLL somewhere on certain paths used by certain Producer/OEM.

Often used paths for drivers and where W10 Update tried to find add. Info about a system and what was installed (Beside Software, Registry and Windows-Installer Cache/DB).

• HP > C:\SWSETUP\
• DELL > c:\DRIVERS\
• Our deployment solution > c:\DRIVERS\

We just had a case where we update W10 1709 to 1909 through a Deployment solution. Updates of HP Laptop failed.

If we installed the Update manual we did see that the "Infineon TPM Professional Package" was blocking. But the software was not installed.

Reason for W10 Update failing:

At that customer we use c:\drivers\ for our deployment structure on HP (Like Dell does > By the way don't use c:\drivers for your own packages/batch on DELL systems it will break some DELL batches).

Under that structure we have a library of certain most used HP Service Packs. There was one which included an Infineon TPM driver. Just by searching through those files

Microsoft thinks the drivers IS installed a Blocks the update. The driver was not installed on the system.

Solution:

Just delete those Directory and files if you don't reference them and they are not used MSI-Source files on the system you handle the update. On HP systems you can even rename the folder like from C:\SWSETUP\ to C:\_SWSETUP\ and it will work.

Where we found that info:

We silent deploy the 1909 there will following command line which gives us detailed Debug Log Info:

c:\drivers\setup\CUSTOMER_W10_1909\setup.exe /auto upgrade /copylogs \\SERVER\w10_1909$\CLIENTS_DEBUG\%computername% /DiagnosticPrompt enable /Priority Normal /postoobe c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ENDE_OK.cmd /postrollback c:\drivers\setup\CUSTOMER_W10_1909\CUSTOMER_W10_ROLLBACK.cmd /Quiet /ShowOOBE none /telemetry disable /compat IgnoreWarning /DynamicUpdate disable /migratedrivers all

In these Logfiles then you will find the reason why he did not upgrade. You will also see why if you skip the OPTIONS: /Quiet /ShowOOBE none

search over all log files for "StatusDetail="UpgradeBlock"

It will be found in the logfile Compatdata*.xml

Here is the info regarding the Block within the XML File:

<Program IconId="ifxspmgt.exe_f069054697b0a0ae" Id="0006c5c9b5d907dd9c81f4d74bb61beb7e3900000904" Name="Infineon TPM Professional Package">

<CompatibilityInfo BlockingType="Hard" StatusDetail="UpgradeBlock"/>

<Action Name="ManualUninstall" ResolveState="NotRun" DisplayStyle="Text"/>

</Program></Programs>

The where the files that Windows 10 Update found BUT where not installed on the system.

Just delete the files if unused and the update will do it what it should.

Backup the config from a VMware ESXI free Version up to 6.7.

There is a nice way to backup the free ESXi configuration settings into one file. This us usefull to document the ESXi before you update it and don't want to make 200 screenshots.

1. Download and Install POWERCLI from VMware.

https://my.vmware.com/group/vmware/downloads/details?downloadGroup=PCLI650R1&productId=491

1. Start Power shell elevated (As Administrator)
2. set-executionpolicy remotesigned
3. run from "C:\Program Files (x86)\VMware\Infrastructure\PowerCLI\Scripts"

   .\Initialize-PowerCLIEnvironment.ps1

1. Do the backup

set-executionpolicy remotesigned -Confirm:$False

Set-PowerCLIConfiguration -InvalidCertificateAction ignore -Confirm:$False

Connect-VIServer -Server 192.168.35.90 -User root -Password **********

Get-VMHostFirmware -VMHost 192.168.35.90 -BackupConfiguration -DestinationPath C:\20_SERVER_ESX_ASUS_P11C-M4L\03_ESX_CONFIG_BACKUP

Disconnect-VIServer -Server 192.168.35.90 -Confirm:$False

Restore from the backup would be:

set-executionpolicy remotesigned -Confirm:$False

Set-PowerCLIConfiguration -InvalidCertificateAction ignore -Confirm:$False

Connect-VIServer -Server 192.168.35.90 -User root -Password **********

Set-VMHostFirmware -VMHost 192.168.35.90 -Restore -SourcePath C:\20_SERVER_ESX_ASUS_P11C-M4L\03_ESX_CONFIG_BACKUP \configBundle-192.168.35.90.tgz -HostUser root -HostPassword **

Disconnect-VIServer -Server 192.168.35.90 -Confirm:$False

You can view the config if you UNPACK 10x TAR and ZIP files from the backup file:

VMware Link:

https://kb.vmware.com/s/article/2042141

Here is how to catch different Windows 10 OS release within WMI.

We used this the first time during a 1709 > 1909 Migration where we wanted to push customer startlayout.xml (Different new syntax and command for W10 1909)

with GPO ONLY to the 1909 clients. SBS/KMU seamless upgrades but often forget to handle GPO Policy side during the upgrade process. If you wan to modify

The startlayout/startmenu tiles this is often the first place you will need the WMI filters.

W10 Version Info:

Major   Minor   Version Build      Info       Released

10           0             1607       14393    2016 RTM LTSC 09/26/2016

10           0             1709       16299    2016 SAC            10/17/2017

10           0             1803       17134    2016 SAC            04/30/2018

10           0             1809       17763    2019 LTSC           11/13/2018

10           0             1903       18362    2019 SAC            5/21/2019

10           0             1909       18363    2019 SAC            11/12/2019

WMI Query to check which version you run of Windows 10.

NAMEPSPACE: Root\CIMv2

W10 1607:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "14393"

W10 1709:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "16299"

W10 1803:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17134"

W10 1809:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "17763"

W10 1903:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18362"

W10 1909:

SELECT * FROM Win32_OperatingSystem where version like '10%' and producttype='1' and BuildNumber = "18363"

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wql-sql-for-wmi

GPO WMI FILTER

Based on above info from us you can build the GPO filter for each W10 version.

Example: Use the Paessler WMI tester to check

If the query was successful then you get FEEDBACK from the Query (if not it would be empty)

Please also check these WMI related links from us:

http://www.butsch.ch/post/W10-Enable-Remote-Management-for-WMI-from-Commandline-silent.aspx

http://www.butsch.ch/post/How-to-identify-WSUSWindows-Update-Patches-installed-on-a-Windows-7-in-Batch.aspx

http://www.butsch.ch/post/Script-WMI-Fetch-modell-BIOS-Version-with-VB-like-SM_info-from-Dell.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx

http://www.butsch.ch/post/IE11-GPO-Settings-PROXY-Explained-F5-F8.aspx

We have a Server 2016 fully patched until 05/2019. We run a KMS-Server which does not have a SRV KMS 2016 channel activated.

PROBLEM: Strangely we can't change to Product key with the GUI. There is simply no reaction when you click "Change product key" button.

We have seen things like this under Control Panel (Unable to scroll) in W10 1903 where Dameware did not work and only possible with RDP.

Use the Activation Wizards to do it. In a cmd type.

slui 3

The wizard appears

Enter the MAK key (NOT any KMS please ;-)

You can also change the key with Commandline direct:

slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
slmgr.vbs /ato

If you don't connect MDT on Server 2016 to an SQL Database it will use SQL Server Compact to store information

You see in MONITOR. You ONLY access the Info from the Compact Edition with SQL Management Studio 2008R2

And NOT the newer Version I have read somewhere. With the SQL Management Studio 2008R2 we

Can open the SDF database from C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

You can also access through API Web:

http://localhost:9801/MDTMonitorData

http://localhost:9801/MDTMonitorData/Computers

http://localhost:9801/MDTMonitorData/ComputerIdentities

It's written that they keep the information in there for 3 days. So this is only a temporary solution until the client runs.

C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

To see or view data itself you could use:

https://www.linqpad.net/

To date there are two Social MSDN Threads where people and very und-happy and Microsoft DOES not think it's important

to mention the Problem on their KB Article under Problems. This has just come into our timeline range where

we rollout and MDT/WDS Server for medium sized customer who has no Enterprise Agreement and thus no SCCM.

Manage over 15 WSUS servers for SBS to Enterprise but has no info in that direction. (Not mentioned on MS/TechNet or Ask Woody which we mostly consult for good info)

Problem during PXE Boot:

Windows failed to start a recent hardware or software change might be the cause.

"Status 0xc0000001"

support.microsoft.com/de-ch/help/4489881/windows-8-1-update-kb4489881

Here is how to fix it:

Uncheck under TFTP the option Enable Variable Window Extension

Reboot the WDS/MDT Server or restart the WDS Service.