分类目录归档:Windows

Windows

Windows Process Activation Service error 5 – Access Denied

解决办法:C:\INETPUB\HISTORY. Under here you will see several folders with a prefix of CFGHISTORY. The folder with the highest revision number will be your latest backup. Copy this file and overwrite the existing file at C:\WINDOWS\SYSTEM32\INETSRV\CONFIG.

I ran into a strange error recently on an Exchange 2013 server. The WWW Publishing Service was stopped. When I tried to start the service it failed on a dependency. A quick check revealed the Windows Process Activation Service (WAS) was stopped. When I tried to start WAS, I received the following error.

Windows could not start the Windows Process Activation Service service on Local Computer Error 13 The data is invalid

Windows could not start the Windows Process Activation Service service on Local Computer. Error 13: The data is invalid.

The Event Viewer was littered with equally cryptic Event IDs, such as WAS 5005 and WAS 5036. 继续阅读

Remove IIS Server version HTTP Response Header

How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Normal HTTP Response headers

Even though I’m not a big fan of security by obscurity (are you?), removing common server response headers is often advised by security experts. Attackers might gain a lot of information about your server and network, just by looking at the response headers a web server returns.

Therefore it’s advised you remove at least some of them. 继续阅读

Windows远程管理

1、启用WinRM时,使用enable-psremoting -force命令时出现的一些错误处理:

PS C:\Users\Administrator> enable-psremoting -force
在此计算机上,WinRM 已设置为接收请求。
Set-WSManQuickConfig : 拒绝访问。
所在位置 行:50 字符: 33
+             Set-WSManQuickConfig <<<<  -force
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig], InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

PS C:\Users\Administrator> Enable-PSRemoting -Force
在此计算机上设置了 WinRM 以接收请求。
Set-WSManQuickConfig : <f:WSManFault xmlns:f=”http://schemas.microsoft.com/wbem/wsman/1/wsmanfault” Code=”2″ Machine=”l
ocalhost”><f:Message><f:ProviderFault provider=”Config provider” path=”%systemroot%\system32\WsmSvc.dll”><f:WSManFault
xmlns:f=”http://schemas.microsoft.com/wbem/wsman/1/wsmanfault” Code=”2″ Machine=”web79-62.xm.vh.cnolnic.org”><f:Message
>无法检查防火墙的状态。 </f:Message></f:WSManFault></f:ProviderFault></f:Message></f:WSManFault>
所在位置 行:69 字符: 17
+                 Set-WSManQuickConfig -force
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Set-WSManQuickConfig],InvalidOperationException
    + FullyQualifiedErrorId : WsManError,Microsoft.WSMan.Management.SetWSManQuickConfigCommand

处理方法:

gpedit.msc

计算机管理->管理模板->Windows组件->Windows远程管理(WinRM)->WinRM服务中

启用“允许通过WinRM进行远程服务器管理”

说明:

  1. 一般出现上述错误之后,虽然WinRM是启动的,但没有监控端口(5985);
  2. 启用策略之后要重启WinRM服务,正常情况下,监控端口5985有存在;
  3. 由于enable-psremoting -force没有正常运行,所以防火墙规则中要手工添加允许对5985的入站规则。如:netsh advfirewall firewall add rule name=”Windows Remote Management” dir=in action=allow profile=public,private,d
    omain protocol=tcp localport=5985 remoteip=<your ipaddress> description=”Windows Remote Management”

2、远程连接服务器进行管理(WinRM)时,出现如下错误:

[ipaddress] 连接到远程服务器 ipaddress失败,并显示以下错误消息: WS-Management 服务无法处理该请求。在 ipaddress计算机上的 WSMan: 驱动器中找不到 Microsoft.PowerShell 会话配置。有关详细信息,请参阅 about_Remote_Troubles
hooting 帮助主题。
    + CategoryInfo          : OpenError: (ipaddress:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : InvalidResourceUri,PSSessionStateBroken

解决办法:在要进行远程管理服务器上运行如下命令,然后重启WinRM服务

Get-PSSessionConfiguration | Enable-PSSessionConfiguration

PowerShell 远程执行任务

基础

MS 定义了一个叫做 WS-Management 的协议,这个协议为计算机设备远程交换管理数据提供了一个公开的标准。在 Windows 平台上,MS 通过 Windows 远程管理服务(Windows Remote Management service,简称 WinRM) 实现了 WS-Management 协议。这就是我们可以通过 PowerShell 执行远程操作的基础,因为 PowerShell 就是通过 WinRM 服务来进行远程操作的。 继续阅读

Nginx配置WebService、MySQL、SQL Server、ORACLE等代理

nginx配置webservice

#user  nobody;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    upstream esbServer {   
        server 127.0.0.1:8083 weight=1 max_fails=2 fail_timeout=30s;   
    }

    #gzip  on;

    server {
        listen       8081;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location /ladder_web {
            proxy_set_header X-real-ip $remote_addr;
            proxy_pass http://esbServer;
        }

       
    }

}

nginx 配置mysql代理 — 基于nginx1.9以上 stream module 继续阅读

Command Line-Version (SetACL.exe) – Syntax and Description

For a quick start, tell SetACL the following:

  • Object name (-on): This is the path to the object SetACL should operate on (file/directory/registry key/network share/service/printer).
  • Object type (-ot): What kind of object does the object name refer to: file or directory (file), registry key (reg), service (srv), printer (prn), network share (shr)?
  • Action (-actn): What should SetACL do with the object specified?

Example:

SetACL.exe -on c:\Windows -ot file -actn list

SetACL.exe -on c:\Windows -ot file -actn list

This lists the permissions set on the Windows directory in the default list format (CSV).

Have a look at the examples section to get an idea what more complex commands look like. 继续阅读

How to change Registry Permissions with RegIni.exe (VBScript)

Today I’ll show how we can set the following permissions on a registry key with RegIni.exe and a VBScript:

– Creator Owner Full Control
– Users Full Control
– Power Users Full Control
– Administrators Full Control
– System Full Control

I will set the permissions here for testing purposes:

– HKEY_CLASSES_ROOT\AlejaCMaTypelib
– HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp

And for that I will need to create a special regini.exe script which will have the following contents:

HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]
HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]

Notes:
– With regini.exe I won’t be able to set Users Full Control, but Everyone Full Control.
– HKEY_CLASSES_ROOT = HKEY_LOCAL_MACHINE\Software\Classes 继续阅读

Webshell中的不死僵尸删除方法:解决“删除文件或文件夹时出错,无法删除找不到指定文件”

正 文:

今天有客户网站中毒,遂从FTP下载所谓木马文件,本地运行后,生成一个com7.h.asp的文件,在图形界面下无论如何都无法删除。提示“删除文件或文件夹时出错,无法删除 com7.h : 找不到指定文件”。     其实这是利用系统保留文件名来创建无法删除的webshell。

Webshell中的不死僵尸删除方法:解决“删除文件或文件夹时出错,无法删除找不到指定文件”

Windows 下不能够以下面这些字样来命名文件/文件夹:
aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9    但是通过cmd的copy命令即可实现:

D:\>copy piaoyi.asp \\.\D:\lpt6.piaoyi.asp    前面必须有 \\.\

这类文件无法在图形界面删除,只能在命令行下删除:

D:\>del “\\.\D:\lpt6.piaoyi.asp”
D:\>del “\\.\D:\lpt3.1.asp;.jpg”

如果提示找不到文件错误,则可以先解除RHSA只读属性:

D:\>attrib -s -h -r “\\.\D:\lpt3.1.asp;.jpg”
D:\>del “\\.\D:\lpt3.1.asp;.jpg”

注意:因为路径中有分号; 所以需要用双引号,否则,路径找不到。
然而在IIS中,这种文件又是可以解析成功的。Webshell中的 “不死僵尸” 原理就在这。     删除这类文件可以用下面的方法:
最简单也是最方便的,通过命令删除:

del /f /a /q \\?\%1
rd /s /q \\?\%1

把上面的命令保存为.bat后缀名称的文件,然后把不能删除的文件或者文件夹拖到bat文件上就可以。

Remove Unwanted HTTP Response Headers

From:https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically we have 3 response headers which many people want to remove for security reason.

  • Server – Specifies web server version.
  • X-Powered-By – Indicates that the website is “powered by ASP.NET.”
  • X-AspNet-Version – Specifies the version of ASP.NET used.

Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang. 继续阅读

How to remove all information about IIS Server from Response Header?

It is amazing technique to remove any information from response header about IIS server is very scarce online. So I decide to blog this.

The reason why you would want this is because you would not want to readily disclose what version of server or what server you are running. For example see blow response header I gathered from  one of the site running IIS:

 

Notice that you have information about Server, X-AspNet-Version, X-Powered-By. There are enough information to know it is running on IIS. Why hide these info? Because why if certain version of IIS server had security hole that the hacker can expose? Sometimes, in Enterprise environment there will be external third party security firms like WhiteHat tagging such exploits so you have to fix. 继续阅读