http://www.samilaiho.com/
MVP Windows Expert – IT Pro
Springboard Technical Expert Panel member
Senior Technical Fellow @ Sovelto
Senior Technical Fellow @ adminize.com
Twitter: @samilaiho
Free newsletter: http://eepurl.com/F-GOj
WHOAMI /ALL
8 against 99
Language translation of "Administrator":
Finnish: Järjestelmänvalvoja
French: Administrateur
Hungarian: Rendszergazda
Portuguese (Brazil): Administrador
Portuguese (Portugal): Administrador
Russian: Администратор
Spanish: Administrador
Swedish: Administratör
Projects
www.wioski.com: free replacement for SteadyState
www.adminize.com: getting rid of admin rights and providing one-time admin passwords. You never have to worry about changing local admin passwords again!
blog.win-fu.com / http://win-fu.com/: my video-based training site
Laws of troubleshooting in Windows
The only logic in Windows is that there is no logic
If something is broken, run Process Monitor
Use a methodology
Know when to give up
Document!
Most common flaws in troubleshooting
Teflon-Princess vs Flypaper
Admin is not the "root" in Windows
Processes can't do "anything"
Learn and teach a few basics!
Net helpmsg & winrm helpmsg
Copy/paste dialogs
OneNote
Snipping tool
Windows + Print Screen
PSR (Problem Steps Recorder)
What you need #2 – Access!
Remote Desktop and RDCMAN: http://www.microsoft.com/en-us/download/details.aspx?id=21101 (only online debugging, after logon)
TeamViewer: http://www.teamviewer.com/
I think you need hardware-level remoting!
vPro: http://realvnc.com/products/viewerplus/ and http://blog.win-fu.com/2014/04/enabling-vpro-for-full-kvm-quick-and.html
Your own HelpDesk kit!
What you need #3 – OS Access
If your computer is running BitLocker you need the recovery key
If not, or with the recovery key, you just need to brute force yourself in ;)
What you need #4 – Privileges
Admins can't see everything – especially in Windows 8.1
You need the SYSTEM account. She:
Has more user privileges than Administrator (even the built-in one)
Doesn't need to worry about policies
Can see stuff Admin can't
Can stop processes Admin can't
Has a higher integrity level than Administrator
What you need #5 – Correct object
Troubleshoot threads!
If you're using Task Manager or otherwise looking at processes, you can't even see what's not working…
Search engines probably know the answer to your question, so the real problem with them is noise. How to get rid of noise?
Make your searches more accurate
Make sure you get results from people who have at least a clue what they're doing
Learn to diagnose threads instead of processes
Task manager is getting better but…
Get Sysinternals tools and use Process Explorer
Need more info? Install Debugging Tools for Windows
Set the system-wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
http://support.microsoft.com/kb/311503
Case – Hung virtual machine: removed the virtual floppy because it was pointing to a nonexistent file
What you need #6 – Access to files
In Windows Vista+ if you don't have access to a file and you are sure you should:
1. TAKEOWN.exe or Robocopy /B
2. iCacls /SetIntegrityLevel
Remember to learn integrity levels – the most important change in Windows security introduced in Vista, yet it hasn't been talked about much
Integrity levels, from highest to lowest: System, High, Medium, Low
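The two-step recovery above, as an added PowerShell example that is not from the slides: it takes ownership, grants Administrators access, then sets the mandatory label explicitly. The file path is a constructed sample; run it from an elevated prompt, because only an elevated (High integrity) token can rewrite the DACL and assign a High label.

```powershell
# Added example, not from the original deck. Regain access to a file you are
# sure you should be able to read. $Path is a constructed sample value.
param(
    [string]$Path = 'C:\Temp\locked-file.log',
    [ValidateSet('L','M','H')]      # icacls label codes: Low, Medium, High
    [string]$IntegrityLevel = 'M'
)

function Test-FileReadable([string]$p) {
    try { $s = [System.IO.File]::OpenRead($p); $s.Dispose(); $true } catch { $false }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

if (Test-FileReadable $Path) {
    Write-Host "Already readable: $Path"
    return
}

# Step 1: take ownership. The owner can always rewrite the DACL, so do this
# first. /A assigns ownership to the Administrators group rather than to you.
# (If you only need the contents, 'robocopy /B' copies them out in backup
# mode using SeBackupPrivilege without touching the ACL at all.)
takeown.exe /F $Path /A | Out-Null

# Give Administrators full control. /grant:r replaces any existing ACE for
# that principal instead of stacking a second one next to it.
icacls.exe $Path /grant:r 'Administrators:(F)' | Out-Null

# Step 2: a mandatory label higher than your token's integrity level still
# blocks writes (NW = no write-up) even with a permissive DACL, so set the
# label explicitly to the level the file really needs.
icacls.exe $Path /setintegritylevel $IntegrityLevel | Out-Null

# Print the resulting ACL (the "Mandatory Label" line shows the new level)
# so the change is documented, per the troubleshooting laws above.
icacls.exe $Path

if (Test-FileReadable $Path) { Write-Host "Access restored: $Path" }
else { Write-Warning "Still no access to $Path: look for a Deny ACE or an exclusive open handle" }
```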
What you need #7 – Tools
Already built in: MSCONFIG, PERFMON /RES, PERFMON /REL
Always add: Sysinternals tools, Assessment and Deployment Kit (ADK), Windows Performance Toolkit (WPT), RSAT, Message Analyzer – Windows 8.1 supports remote analyzing!!
Always build: Windows Recovery Environment (WinRE)
Windows RE
Info on WinRE: Reagentc /info
New WinRE image (WIM name must be winre.wim): Reagentc /setreimage /path c:\WinRE
Boot to WinRE on next reboot: Reagentc /boottore
Slowness is often because of policies
Test, and remember that some policies are tattooed on the computer, so you need to move the computer/user to an OU that doesn't apply policies AND run:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
http://support.microsoft.com/kb/313222
You can also bypass policies ;)
How to access boot options in Windows 8.1 – Live machine
Shift+Restart or
Same if you want to go to your UEFI!
Safe mode on an unbootable machine
Unsuccessful boot #1, then reboot
Unsuccessful boot #2, then reboot: boot into WinRE
Ask the computer to go to Advanced Options, then reboot: Show Advanced Startup Menu (F8)
Choose Safe Mode. SAFEMODE!!
No keyboard? + 200ms to hit the key anyway…
Changes in BSOD in Windows 8/8.1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
None: 0x0
Complete memory dump: 0x1
Kernel memory dump: 0x2
Small memory dump: 0x3
Automatic memory dump: 0x7
Changes in BSOD in Windows 10
Active Memory Dump: you can get both user + kernel space without having to dump complete memory
http://support.microsoft.com/kb/244139
Make sure you are able to crash when needed!
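An added, read-only PowerShell check (not from the slides) that reports which dump type the CrashDumpEnabled values above will produce and whether the keyboard-initiated crash from KB244139 is enabled, so you find out before the machine hangs, not after. The FilterPages rule for Active Memory Dump and the i8042prt/kbdhid key names are taken from Microsoft documentation, not from the deck.

```powershell
# Added example, not from the original deck. Run elevated for full output.
$crashKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$dumpNames = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'
                3 = 'Small memory dump'; 7 = 'Automatic memory dump' }

function Get-CrashDumpConfig {
    $cc   = Get-ItemProperty -Path $crashKey
    $mode = [int]$cc.CrashDumpEnabled
    $name = $dumpNames[$mode]
    if (-not $name) { $name = "Unknown (0x{0:X})" -f $mode }
    # Windows 10 Active Memory Dump is CrashDumpEnabled=1 plus FilterPages=1
    # (assumption from Microsoft's CrashControl docs, not stated on the slides).
    if ($mode -eq 1 -and $cc.PSObject.Properties['FilterPages'] -and $cc.FilterPages -eq 1) {
        $name = 'Active memory dump'
    }
    [pscustomobject]@{
        DumpType   = $name
        DumpFile   = $cc.DumpFile          # usually %SystemRoot%\MEMORY.DMP
        AutoReboot = [bool]$cc.AutoReboot  # 1 = reboot after writing the dump
        Overwrite  = [bool]$cc.Overwrite   # 1 = replace an existing dump file
    }
}

function Get-KeyboardCrashConfig {
    # CrashOnCtrlScroll lives under the keyboard driver: i8042prt for PS/2,
    # kbdhid for USB keyboards (both documented in KB244139).
    foreach ($svc in 'i8042prt', 'kbdhid') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $val = (Get-ItemProperty -Path $key -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
        [pscustomobject]@{ Driver = $svc; CrashOnCtrlScroll = [bool]$val }
    }
}

$dump = Get-CrashDumpConfig
$dump | Format-List
$kbd = Get-KeyboardCrashConfig
$kbd | Format-Table -AutoSize

if ($dump.DumpType -eq 'None') {
    Write-Warning 'CrashDumpEnabled is 0x0: a bugcheck leaves nothing for WinDbg to open'
}
if (-not ($kbd.CrashOnCtrlScroll -contains $true)) {
    Write-Warning 'No keyboard-initiated crash configured; see KB244139 if you need to capture a hang'
}
```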
Basics of BSOD analysis
Install Debugging Tools for Windows
Set the system-wide variable _NT_SYMBOL_PATH to SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
http://support.microsoft.com/kb/311503
Use WINDBG: Open Crash Dump, or DaRT's Memory Dump Analyzer
http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx
Reset and Refresh in Windows 8.1
You can manipulate the used image:
Create a refresh image: Recimg /createimage c:\Refresh
Show current image: Recimg /showcurrent
Set the current image: Recimg /setcurrent c:\Refresh
Remember Wioski! http://www.wioski.com/
Windows 10: http://aka.ms/trywin10
Stop by the Windows Booth to sign up for the Windows Insider Program to get a FREE Windows 10 T-shirt, while supplies last!
Windows Resources
Windows Springboard: windows.com/itpro
Windows Enterprise: windows.com/enterprise
Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Desktop Virtualization (DV): microsoft.com/dv
Windows To Go: microsoft.com/windows/wtg
Internet Explorer TechNet: http://technet.microsoft.com/ie
Resources
Learning – Microsoft Certification & Training Resources: www.microsoft.com/learning
Developer Network: http://developer.microsoft.com
TechNet – Resources for IT Professionals: http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.