Creating Customized Windows 10/8.1 Media (ISO, WIM, Flash Drive)

In the Enterprise environment Windows Operating Systems are usually created, captured and deployed via MS SCCM, WDS or another imaging/deployment technology. This allows an Operating System to be deployed that is updated to the latest version(s) and to the standards of the organization, along with any other software (Office suites, AV etc.) or configurations that organization requires. These system images can be ‘pushed’ out to machines, ‘pulled’ across the network via network (PXE) boot, or placed on portable media (usually USB drives) to be installed by technicians.

I also personally install a lot of Operating Systems for my SMB clients, friends and family. This requires me to have install media that is as up to date (patch-wise) as possible, so that I do not have to spend hours, or often days, downloading security updates and patches just to install a system and get it safe.

I used to have a full server farm (including SCCM) on my home server/workstation so creating custom images (.wim) was not too much work. However, that machine physically gave up the ghost a while ago. So for personal images I decided to create a custom image on my laptop using Microsoft Hyper-V (available on Windows 8.1 and Windows 10).

Below is how I created my latest Windows 10 fully patched image. After following these steps you will have a UEFI capable ISO and the ability to produce a UEFI bootable flash drive.

So here we go…

You will need a Microsoft Windows 10 (or 8.1) installation ISO. If you don’t have your own Windows 10/8.1 installation media available, someone else’s will do (only the .iso is needed, not their license key), and it is possible to find the .iso files via a good search.

[Note: you will need a valid installation key once you install your image to a machine to activate it. Or use a KMS server/volume license.]

Download and install the Microsoft Deployment Toolkit here.

Download and install Windows 10 (1607) or Windows 8.1 ADK with these options; you can get them here.

Next let’s enable and configure the Microsoft Hyper-V Platform on your workstation.

You can go to the Control Panel and click on Programs and Features, or hold the Windows key + X and select Programs and Features at the top.

Select Turn Windows features on or off.

Select Hyper-V and click OK. When prompted, click Restart now.

Once rebooted, open the Start Screen, type "Hyper" and open Hyper-V Manager.

Select your host (computer name) on the left and then click Virtual Switch Manager (on the right).

Select New virtual network switch on the left and External under the type to create. Click Create Virtual Switch.

Name the switch something appropriate (I’m using "Main").

Select External Network > Select your main NIC (wireless or wired).

Check Allow management operating system to share this network adapter and click OK.

Click Yes on the notice prompt.

Create the Staging VM

Now that you’re prepped, within Hyper-V Manager select New > Virtual Machine and then click Next.

Type a name for your staging VM (I’m picking stage01) then click Next.

Select Generation 1 and then click Next.

Enter an appropriate amount of memory (I’m entering 4096 MB), UNselect Dynamic Memory and then click Next.

Choose the Network Connection you previously created and then click Next.

Designate an adequate amount of storage for your VM (not less than the total GB of all applications you will be installing) and then click Next.

Select Install an operating system from a bootable CD/DVD-ROM > Select Image File (.iso) > Find and select the Windows ISO you downloaded earlier > Click Next > Click Finish.

Back at the Hyper-V Manager, right click stage01 and select Connect… (This will open the console of the VM.)

Navigate to Action and click Start.

Install Windows 10 by accepting the EULA, choosing Custom, selecting the entire virtual disk and clicking Next.

Then let the setup continue until it reboots and you get to the first ‘customization’ screen.

Enter Audit Mode and Install Applications

Start the Windows installation normally. After a reboot or two Windows is installed and setup stops, waiting for your input. At this point click the Use express settings button. On the next dialog you are asked for a username. Do NOT enter one. STOP here.

Instead, press and hold down the CTRL+SHIFT+F3 key combination. Windows will now reboot into a special customization mode, Audit Mode.

When presented with the System Preparation Tool window, click Cancel.

You’re now in Audit mode. Audit mode is used to add customizations to Windows images. When you use audit mode, the system does not have to apply the Windows Welcome settings, things like creating user accounts, reading and accepting the Microsoft® Software License Terms, and selecting language and time zone. It is designed specifically for preparing Windows images for deployment.

Okay so now let’s prepare and update the system. In Windows 10 (and 8.1) you can forcefully check for updates here:

OR you can use PowerShell to update, as in my previous article. I’d make sure ALL the updates are done: reboot several times (clicking ‘Cancel’ in the System Preparation Tool window each time) until you’re sure that there are no more updates.

You may also want to uninstall any Windows ‘Store’ apps per this article.

Here is where you will download/install any software you wish to be on your image.

I install things like Office Suites, Acrobat, 7-zip, Java, different Browsers (Chrome Firefox etc.), plugins (Flash, Shockwave etc.) and such.

Once done with all your installs you should clean up all temp files (I use CCleaner portable) and run Disk Cleanup too.

So now let’s finalize and Sysprep the disk.

Shutdown your Staging VM.

Create a Checkpoint

Click Action > Checkpoint… > Enter "Ready for sysprep" > Click Yes

Power your Staging VM back on.

When logged in, do not close the System Preparation Tool window this time.

Select Enable System Out-of-Box Experience (OOBE)

Checkbox Generalize

Select Shutdown

Click OK

Once your VM is shut down, create another Checkpoint named "Complete".
Do NOT power your VM back on.

Now we’re going to create the WIM file that we’ll use for creating our install media. The WIM file is a compressed image which is deployed during Windows installation; the install.wim file on the install media is the actual source used when installing Windows 10. Thus, we need to create our own WIM file and replace the stock one with it. To do this, we need to "capture" the last Checkpoint, the one named "Complete".

We’ll use the DISM tool to capture a mounted hard drive, so we first need to mount the VHD (virtual hard drive) of that very last, fully updated checkpoint.

On your host (physical machine), open up Disk Management. 
WIN+X > Disk Management

Navigate to Action > Attach VHD

Click Browse

Navigate to the directory where the virtual disks are stored for stage01. By default this directory is: C:\Users\Public\Documents\Hyper-V\Virtual hard disks\

In the bottom right, change Virtual Disk files (*.vhd, *.vhdx) to All files (*.*)

Select the file with the most recent Date Modified – this is your Complete Checkpoint!

Click Open

Check the Read-only box and then click OK.

At this point you will see one new disk with two partitions. Make note of the second partition drive letter (in my case, the F: Drive).

Now the capture!

Open the Command Prompt with Administrator Rights.

WIN+X > Command Prompt (Admin)

Type:

dism /capture-image /imagefile:c:\customInstall.wim /capturedir:F:\ /name:"Windows 10 Enterprise – Customized by: Darth Sidious" /Description:"Windows 10 Enterprise – Customized by: Darth Sidious" /compress:maximum /checkintegrity /verify /bootable

replacing F: with the second partition drive letter you made note of earlier – and replacing "Customized by: Darth Sidious" with whatever you want.

Depending on your processing power, this may take a little while. When complete, you will see "This operation completed successfully." You should now see a file named "customInstall.wim" at the root of your C:\ Drive.

Build the Customized Media

Open/Double click the stock ISO you used to install Windows in stage01 to mount it within File Explorer.

Open This PC and double click the newly mounted drive.
(In my case, Drive E: SW_DVD5_WIN_ENT_10_1607_64BIT_English_MLF_X21-07102.ISO)

CTRL+A (to select all) and CTRL+C (to copy)

Create a new folder named WinExtract off your C:\ drive

(Another location is fine too, but these instructions will be assuming C:\)

Navigate to C:\WinExtract\ and CTRL+V (to paste).

After the copy completes, navigate to C:\WinExtract\sources\ and delete the install.wim file.

Move C:\customInstall.wim (your custom WIM) to C:\WinExtract\sources\.

Rename C:\WinExtract\sources\customInstall.wim to install.wim.

At this point, you are ready to create your ISO.

Create UEFI Bootable ISO:

Open an Admin Command Prompt

Change directory (cd) to:

C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg

Then enter and run (all on one line; the -bootdata option carries both the BIOS boot sector, etfsboot.com, and the UEFI boot file, efisys.bin, which is what makes the ISO boot on UEFI firmware):

oscdimg -m -o -u2 -udfver102 -bootdata:2#p0,e,bC:\WinExtract\boot\etfsboot.com#pEF,e,bC:\WinExtract\efi\microsoft\boot\efisys.bin C:\WinExtract C:\Windows10Updated.iso

Once complete, you now have a UEFI bootable ISO named Windows10Updated.iso

[If you are making a Windows 8.1 image you will need to use the matching Windows 8.1 ADK directory under ‘Windows Kits’.]
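The capture-and-rebuild steps above as one elevated PowerShell script (an added example, not code from the original post). It assumes the Hyper-V PowerShell module and the Windows 10 ADK are installed, the staging VM is shut down, and that the checkpoint file name, stock ISO location and output paths in the variables match your machine; it finds the Windows partition by content rather than by drive letter, checks each tool's exit code, and records a SHA-256 of the finished ISO so the media can be verified later.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on the Hyper-V host.
# All paths below are assumptions; adjust them to your machine.
$Vhd      = 'C:\Users\Public\Documents\Hyper-V\Virtual hard disks\stage01_Complete.avhdx'   # newest checkpoint file
$StockIso = 'C:\ISOs\SW_DVD5_WIN_ENT_10_1607_64BIT_English_MLF_X21-07102.ISO'                # stock Windows ISO
$Extract  = 'C:\WinExtract'
$Wim      = 'C:\customInstall.wim'
$OutIso   = 'C:\Windows10Updated.iso'
$Oscdimg  = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\Oscdimg\oscdimg.exe'

# 1. Attach the checkpoint disk read-only (so the capture cannot alter it) and locate the
#    partition that actually holds Windows, instead of trusting whichever letter it received.
$disk = Mount-VHD -Path $Vhd -ReadOnly -Passthru | Get-Disk
Start-Sleep -Seconds 3   # give Windows a moment to assign drive letters
$osPart = Get-Partition -DiskNumber $disk.Number |
    Where-Object { $_.DriveLetter -match '[A-Z]' } |
    Where-Object { Test-Path "$($_.DriveLetter):\Windows\System32\ntoskrnl.exe" } |
    Select-Object -First 1
if (-not $osPart) { Dismount-VHD -Path $Vhd; throw "No Windows partition found on $Vhd" }
$src = "$($osPart.DriveLetter):\"

# 2. Capture with DISM (same switches as the manual command above)
& dism.exe /Capture-Image /ImageFile:$Wim /CaptureDir:$src /Name:"Windows 10 Enterprise - Customized" `
    /Compress:maximum /CheckIntegrity /Verify /Bootable
if ($LASTEXITCODE -ne 0) { Dismount-VHD -Path $Vhd; throw "DISM capture failed (exit $LASTEXITCODE)" }
Dismount-VHD -Path $Vhd

# 3. Sanity-check the captured image before it replaces the stock install.wim
& dism.exe /Get-WimInfo /WimFile:$Wim
if ($LASTEXITCODE -ne 0) { throw "Captured WIM does not validate (exit $LASTEXITCODE)" }

# 4. Copy the stock ISO contents and swap in the custom install.wim
$iso = Mount-DiskImage -ImagePath $StockIso -PassThru
$isoRoot = (($iso | Get-Volume).DriveLetter) + ':\'
New-Item -ItemType Directory -Path $Extract -Force | Out-Null
Copy-Item -Path "$isoRoot*" -Destination $Extract -Recurse -Force
Dismount-DiskImage -ImagePath $StockIso
Remove-Item -Path "$Extract\sources\install.wim" -Force      # files copied from the ISO are read-only
Move-Item -Path $Wim -Destination "$Extract\sources\install.wim"

# 5. Build an ISO that boots on both BIOS and UEFI: -bootdata lists both boot images
$bootData = "2#p0,e,b$Extract\boot\etfsboot.com#pEF,e,b$Extract\efi\microsoft\boot\efisys.bin"
& $Oscdimg -m -o -u2 -udfver102 "-bootdata:$bootData" $Extract $OutIso
if ($LASTEXITCODE -ne 0) { throw "oscdimg failed (exit $LASTEXITCODE)" }

# 6. Record a hash so the ISO (and any USB stick made from it) can be checked for tampering later
Get-FileHash -Algorithm SHA256 -Path $OutIso | Format-List Algorithm, Hash, Path
```

Re-run Get-FileHash against the copy on your USB stick or file share before using it on a client; a mismatch means the media is not what you built.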

You should now test your .iso by using it to create a new VM. Verify that it installs and works. Then you can create a bootable USB drive.

I use Rufus Portable to create my bootable USBs. Portable download here.

One of the first cool things about Rufus Portable is that no installation is necessary to run it. When you run it, setting it up is simple. Select the USB drive you want to use. To make sure your drive will boot on most devices including newer UEFI ones select the ‘MBR partition scheme for BIOS or UEFI Computers’ and also ‘Use Rufus MBR’ option.

Then select the disc icon next to the ISO drop-down and navigate to the location of your newly created Windows 10 ISO.

After that click Start and you should be good to go, within minutes.

Hope this helps some. I put this up here, like most of my stuff, mainly so I have a place to remember what I did. 😛

Happy image building.

Completely Uninstall Default Windows Store Apps in Windows 10 (8/8.1 too)

I am NOT a fan of the Windows Store or ‘Charm’ apps. If I want an application – I’ll seek out and get it myself. I don’t like being force fed a bunch of useless stuff I don’t want or need. With the advent of Windows 8 through Windows 10 MS has pushed their default/charm style applications. I use none of them. So I set out to remove them. Here is what I’ve found. Hope it helps.

If you wish to uninstall individual apps in Windows 10, run the following command in an elevated PowerShell window:

Get-AppxPackage | Select Name, PackageFullName

You will be able to see the list of all installed apps and their PackageFullName information.

Note down the PackageFullName and replace it in the following command:

Get-AppxPackage PackageFullName | Remove-AppxPackage

So the command to remove some of the apps will look as follows:

Uninstall 3D Builder

Get-AppxPackage *3dbuilder* | Remove-AppxPackage

Uninstall Get Office app

Get-AppxPackage *officehub* | Remove-AppxPackage

Uninstall Get Started app

Get-AppxPackage *getstarted* | Remove-AppxPackage

Uninstall Get Skype app

Get-AppxPackage *skypeapp* | Remove-AppxPackage

Etc…

Run the command to uninstall the particular pre-installed default Windows 10 Store app and then restart your computer.

If you want to uninstall the particular pre-installed app from all user accounts, use the following command format:

Get-AppxPackage -allusers PackageFullName | Remove-AppxPackage

Seems some people lost the Windows Store and wanted/needed it to get Windows apps.

Another fully scripted way to remove everything BUT the Windows Store is the following two commands (each on one line; the dashes must be plain ASCII hyphens, or PowerShell will not recognize the parameters):

Get-AppxPackage -AllUsers | Where-Object {$_.Name -notlike "*Microsoft.WindowsStore*"} | Remove-AppxPackage

Get-AppxProvisionedPackage -Online | Where-Object {$_.PackageName -notlike "*Microsoft.WindowsStore*"} | Remove-AppxProvisionedPackage -Online

There are some tools available that will assist users in doing all this via a graphical interface, notably TheWindowsClub’s 10AppsManager for Win10; it’s freeware that will allow you to easily uninstall and reinstall the default, built-in, preinstalled Windows Store apps in Windows 10. It can be downloaded here.
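A generalization of the two scripted commands above, as an added example (not from the original post): instead of excluding only the Store, it keeps an allow-list and removes every other inbox app both from the existing profiles and from the provisioned image, with a -WhatIf dry run. The allow-list contents are an assumption; packages Windows marks as non-removable, and frameworks still needed by another app, will report an error and are skipped.

```powershell
# Added example, not part of the original post. Run elevated, ideally in Audit Mode before sysprep.
function Remove-InboxAppsExcept {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Name fragments to keep (assumed list); everything else is removed.
        [string[]]$Keep = @('Microsoft.WindowsStore', 'Microsoft.WindowsCalculator', 'Microsoft.Windows.Photos')
    )
    $pattern = ($Keep | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Installed copies. In a freshly staged image the built-in Administrator is the only profile,
    # so piping the -AllUsers listing into Remove-AppxPackage covers everything present.
    foreach ($pkg in Get-AppxPackage -AllUsers | Where-Object { $_.Name -notmatch $pattern -and -not $_.NonRemovable }) {
        if ($PSCmdlet.ShouldProcess($pkg.PackageFullName, 'Remove-AppxPackage')) {
            $pkg | Remove-AppxPackage -ErrorAction Continue
            [pscustomobject]@{ Scope = 'Installed'; Package = $pkg.Name }
        }
    }

    # Provisioned copies, so accounts created after deployment do not get the apps back.
    foreach ($prov in Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -notmatch $pattern }) {
        if ($PSCmdlet.ShouldProcess($prov.PackageName, 'Remove-AppxProvisionedPackage')) {
            Remove-AppxProvisionedPackage -Online -PackageName $prov.PackageName -ErrorAction Continue | Out-Null
            [pscustomobject]@{ Scope = 'Provisioned'; Package = $prov.DisplayName }
        }
    }
}

Remove-InboxAppsExcept -WhatIf                    # dry run: lists what would be removed, changes nothing
Remove-InboxAppsExcept | Format-Table -AutoSize   # real run: returns one row per removed package
```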

Using PowerShell to Manage Windows Updates

Using PowerShell to Manage Windows Updates: PSWindowsUpdate

Often we have to update computers that have not, for whatever reason, been updated in a long time. AND we often have to create new deployment images using sysprep. What usually happens is that Windows Update hangs at ‘checking for updates’ for a very long time and either errors out or never completes. A secret I found for deploying Windows Updates when this happens, or from within Audit Mode, is an excellent PowerShell module created by Michal Gajda. This module, aptly called PSWindowsUpdate, allows managing Windows Update on any computer running PowerShell 2.0 or higher. It even enables Windows admins to check for and install updates on remote PCs and servers. PSWindowsUpdate is particularly handy for installing updates on Server Core machines that have no GUI, or in situations such as Sysprep’s Audit Mode where the Windows Update GUI doesn’t work.

· Get started by downloading the latest version of PSWindowsUpdate.zip.

· Once downloaded, extract the contents of the zip file to C:\Windows\System32\WindowsPowerShell\v1.0\Modules\.

(Screenshot: extracting the files from PSWindowsUpdate.zip.)

· Click Continue if a UAC prompt appears.

· When the files have been extracted into the PowerShell Modules folder, open an elevated PowerShell prompt. Change PowerShell’s Execution Policy to RemoteSigned. The RemoteSigned Execution Policy allows PowerShell scripts downloaded from the Internet to run on a PC as long as they are signed by a trusted publisher.

· Type Set-ExecutionPolicy RemoteSigned and press Enter. When prompted, confirm the change by pressing Y and then Enter.

(Screenshot: changing PowerShell’s execution policy.)

This completes the one-time configuration of the module! Now it’s time to put PSWindowsUpdate to use!

· If running PowerShell v2.0, type Import-Module PSWindowsUpdate and hit Enter. This isn’t necessary in PowerShell v3 and higher, but it doesn’t hurt anything either. This step simply guarantees that the module’s cmdlets will be available to the PowerShell v2.0 session.

· Display a list of all the module’s available cmdlets by typing Get-Command -Module PSWindowsUpdate and hitting Enter.

(Screenshot: output of Get-Command -Module PSWindowsUpdate.)

· Possibly the most important function for getting and installing updates is Get-WUInstall. Help for each cmdlet is available, so to see full help for Get-WUInstall type Help Get-WUInstall -Full and press Enter.

(Screenshot: help for Get-WUInstall.)

When applying updates, I prefer connecting to the Microsoft Update servers. Using these instead of the standard Windows Update servers allows installing updates to Office and other Microsoft products in addition to the normal Windows updates. Unfortunately, trying to connect to the Microsoft Update servers using the PSWindowsUpdate module from a fresh Windows installation will produce an error, as shown below.

· The reason for this error is because Windows is registered to use only the standard Windows Update servers by default. To use the Microsoft Update servers, the Microsoft Update Service must be registered on the computer. In the GUI, this is done by selecting the checkbox for Give me updates for other Microsoft products when I update Windows from the Control Panel – Windows Update – Change Settings applet.

· In the PSWindowsUpdate module, the same process is completed by using the Add-WUServiceManager cmdlet with the ServiceID for the Microsoft Update service specified. Type Add-WUServiceManager -ServiceID 7971f918-a847-4430-9279-4a52d1efe18d and press Enter. When prompted, confirm registering the service by typing Y and pressing Enter one more time.

(Screenshot: registering the Microsoft Update servers.)

· List available updates from the Microsoft Update servers by typing Get-WUInstall -MicrosoftUpdate -ListOnly and pressing Enter. After a few moments, the system will return a list of the available updates for the current machine. No error this time!

· The same results are produced by typing Get-WUList -MicrosoftUpdate and pressing Enter.

· Type Get-WUInstall -MicrosoftUpdate and press Enter to go through the available updates, confirming installation of each one manually.

PSWindowsUpdate and Parameter Support

Another awesome feature of the PSWindowsUpdate module is its support of parameters. For example, using the -AcceptAll and the -AutoReboot parameters with the Get-WUInstall cmdlet changes the manual process into an automated one. Type Get-WUInstall -MicrosoftUpdate -AcceptAll -AutoReboot and press Enter. The system will download and install all available updates and then automatically reboot if any of the updates require a reboot.

(Screenshot: retrieving updates and installing them automatically.)

Don’t want a particular update to be installed? No problem! Use Hide-WUUpdate. Selection parameters such as -Title or -KBArticleID narrow in on and hide specific updates. Feel free to use wildcards with these parameters. As an example, type Hide-WUUpdate -Title "Bing*" -KBArticleID "KB2673774" -MicrosoftUpdate -Confirm:$false and press Enter to hide the Bing Bar 7.3 update.

(Screenshot: hiding an unwanted update.)

Notice that I used the -Confirm parameter with the value $false to automatically confirm hiding the selected update. In the future the update won’t appear when listing available updates.

Did you make a mistake and hide the wrong update? No problem! Hide-WUUpdate can unhide an update by using the -HideStatus parameter with the value $false. To unhide the update hidden earlier, type Hide-WUUpdate -Title "Bing*" -KBArticleID "KB2673774" -MicrosoftUpdate -HideStatus:$false -Confirm:$false and press Enter. As before, I used -Confirm:$false to keep everything streamlined.

(Screenshot: unhiding a previously hidden update.)

Once all the updates are complete, make sure to open PowerShell (as Administrator) and set the Execution Policy back to ‘Restricted’:

Type Set-ExecutionPolicy Restricted and press Enter. Then exit.
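The PSWindowsUpdate steps above collected into one script for Audit Mode, as an added example (not from the original post or the module's author). It uses only the cmdlets and parameters shown above, assumes the module has already been extracted into a Modules folder, and scopes the execution-policy change to the current process so there is nothing to set back to Restricted afterwards. Paste it into an elevated PowerShell console rather than saving it as a .ps1 (under the default Restricted policy a script file would be blocked before its first line runs); the list of updates to hide is an assumption, reusing the Bing Bar example.

```powershell
# Added example, not part of the original post. Paste into an elevated PowerShell console in Audit Mode.
# Allow the module to load for this session only; the machine-wide policy stays Restricted.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force

if (-not (Get-Module -ListAvailable -Name PSWindowsUpdate)) {
    throw 'PSWindowsUpdate is not present in any Modules folder on this machine'
}
Import-Module PSWindowsUpdate

# Register Microsoft Update (Office and other Microsoft products); same ServiceID as in the text.
# Already registered on a later pass is not an error worth stopping for.
$muId = '7971f918-a847-4430-9279-4a52d1efe18d'
Add-WUServiceManager -ServiceID $muId -Confirm:$false -ErrorAction SilentlyContinue | Out-Null

# Updates that must not land in the image (assumed list; the Bing Bar example from above)
$hide = @(
    @{ Title = 'Bing*'; KB = 'KB2673774' }
)
foreach ($h in $hide) {
    Hide-WUUpdate -Title $h.Title -KBArticleID $h.KB -MicrosoftUpdate -Confirm:$false | Out-Null
}

# Review what is pending, then install everything and reboot if an update needs it.
# Re-run this script after each reboot (clicking Cancel in the Sysprep window) until nothing is pending.
$pending = Get-WUList -MicrosoftUpdate
if (-not $pending) {
    Write-Host 'No updates pending from Microsoft Update; the image is fully patched.'
    return
}
$pending | Format-Table KB, Size, Title -AutoSize
Get-WUInstall -MicrosoftUpdate -AcceptAll -AutoReboot
```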

Delete all trash in Google Voice

I have been using Google Voice since its inception in 2007. I have plenty of spam rules and other delete-immediately rules.

This has all led to a massive trash folder.

Google’s method to delete the trash only allows you to select 10 items at a time, delete them, then select another 10 and so on. For me this was 3000 pages of crap!

I went on a search for a method to empty this garbage once and for all. The responses from Google on their forums were pretty much ‘tough luck, we’re not going to add that functionality’. Even though for them that would be, programmatically, an INCREDIBLY simple adjustment.

I finally found a simple and working method!! Thought I’d share.

Here’s how to delete all Google voice messages in trash!

Install the Tampermonkey extension in either Chrome or Firefox.

[I had best luck using Chrome for this instead of Firefox]

http://tampermonkey.net/

Then grab the script from here:

https://gist.github.com/gavinhungry/cb0a2b23fe0fd7e352cf

Download the script .zip and extract the file "gv-delete.user.js"

Then Open with text editor and copy all.

OR

Copy the entire script in the github script window.

Open the Tampermonkey interface from the Chrome browser (it’ll be on the toolbar)

Click on the ‘+’ next to ‘Installed userscripts’

Replace (select and backspace over) any code already in the editor window

Paste the copied script into the window

Then press Save

Now

Navigate to your Google Voice page (stay on the Inbox – don’t go to the Trash folder) :

https://www.google.com/voice

And you’ll now see two new buttons.

One says “Delete ALL” the other “Empty Trash”

Clicking on Empty Trash will kick off the script and begin emptying all of the items in the Trash folder of your Google Voice. It will take some time if your trash is large BUT it will finish. Just minimize the window and have a cup of tea or coffee or whatever.

And voilà, all gone!

SERIOUS OpenID and OAuth 2.0 flaw revealed

Okay folks ANOTHER security issue you should be aware of.
A bug has been found in OpenID and OAuth 2.0, two authentication programs that let you log into web sites using your Google, Facebook, and other major accounts. Read here and here too

OAuth—and its alternative OpenID—let you log into sites or apps using your Google, Twitter, Facebook, or other credentials, without having to create yet another account or give the app more permission than necessary. OAuth and OpenID, in essence, authenticate you with the site or tell the site you are who you say you are and let you log in without having to enter a username and password.

For example, logging into LinkedIn you are asked if you’d like to use your Google or Facebook account credentials. You enter those credentials (FB or Google) and you are let in, because LinkedIn then ‘authenticates’ you using your other account. You see this all the time on news sites and blogs: if you’d like to comment or post you’re asked for some sort of ‘authentication’, usually Google, Yahoo, Hotmail or Facebook etc.

THAT’S why I live by the mantra: use different credentials (username AND password) for EVERY site you log in to!! AND NEVER ‘LINK’ ANY ACCOUNTS!
Though this may seem difficult given the amount of our lives that are now ‘online’, it is not that hard if you use an app/service like LastPass or KeePass. I NEVER use any ‘other’ account to log in to any service, ever. Every account gets its own credentials. That way if one is compromised no other one will be.

Please be safe out there folks!

OS X Mavericks Update and Security Fixes

I recently wrote about the major security hole in the latest version of OS X; read my last post. It appears Apple has finally released the fix. Although the ‘fix’ comes not as a simple ‘patch’ but as an entire Operating System upgrade!

After several months of testing, Apple has released OS X version 10.9.2. The MAJOR (and very dangerous) SSL bug isn’t mentioned in the release notes that appear in Software Update, but the bug is mentioned on Apple’s security page for the update. Seems Apple is being their usual shitty selves when it comes to security: hide it or lie about it, sort of hiding the fact that this is so important.

To be a ‘little’ fair, this update does add some features, but overall it is really a bug fix for many major issues with the new Operating System. In Windows terms it would be called a full Service Pack.

As with any large Operating System upgrade/update you should of course back up your system first; use Time Machine or any other method I’ve described in previous posts.

Run the Software Update to update your system to 10.9.2 and if any other software shows updates available, select them too. If you’d like you can grab the full Combo update here.

If you have Mountain Lion it too has an update available – run Software Update to get it.

Please make sure if you run an Apple desktop or laptop computer that you update as soon as possible.

Be safe, Peace.

Serious OS-X and iOS Security Vulnerability Completely Opens Up Your ALL Your Secure Communications

It had been known for MONTHS that there was a serious security flaw in iOS, and possibly the latest version of OS X, that could allow attackers to surreptitiously circumvent the most prevalent Internet security protocol, TLS/SSL, and its security certificate validation. The issue is a “fundamental bug in Apple’s SSL implementation.” This can allow attackers to view ANY of your ‘secure’ Web communications. This includes e-mail, banking sites, Facebook etc.

Apple finally released an ‘emergency patch’ for the latest version of iOS last week, but it appears that the flaw affects more than just Apple’s mobile platforms. It actually affects the latest versions of OS X, Apple’s desktop Operating System, too!!

If you have an iDevice I’d recommend backing it up, via iTunes or any of the other methods I’ve previously recommended, and then checking for any System Updates: tap Settings > General > Software Update, then Download and Install to get the update. [Updates might download automatically while your device is connected to Wi-Fi and a power source.]

As for your Desktop computer, well, there lies the rub. Apple appears to have at first done the usual: deny, then downplay, then finally admit there is a serious problem and ‘promise a quick fix/patch’. [It’s really crazy that they are able to get away with this so often; I guess those reporting are too busy licking Apple sack….but I digress]

So what to do..

If you use the desktop Apple Operating System, OS X, you should always use the latest versions of Chrome or Firefox for internet browsing to help mitigate some of the possible exposure. [I NEVER use Safari and always recommend to all my clients that they don’t either]. Even if you’ve taken the latest update on your iDevice I’d still recommend Chrome for iOS.

Here is one of the latest articles I’ve found with a VERY good explanation. You should at least read this! But I’d recommend hitting all my sources.

Be safe folks!

Sources to read 1, 2, 3

Zero Day Adobe and Microsoft Exploits

Adobe has released (for the second time this month) an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug to surreptitiously install malware on end-user computers.

Attackers are already exploiting it!

Please apply this patch and stay secure.
If your version of Flash in Chrome (on Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 33.0.1750.117 for Windows, Mac, and Linux. To learn what version of Chrome you have, click the stacked bars to the right of the address bar and select “About Google Chrome” from the drop-down menu (the option to apply any pending updates should appear here as well).

The most recent versions of Flash are available from the Adobe download center here, but beware of potentially unwanted add-ons (McAfee Security Scan, the Chrome browser, etc.). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, etc.).

AND..

Microsoft has released a stop-gap fix for a previously unknown zero-day vulnerability in Internet Explorer versions 9 and 10 to combat a separate zero-day campaign. IF possible (many users cannot, because of other ‘line of business’ software that requires version 9 or 10), update to version 11 of IE, since it contains exploit mitigations not available in earlier releases. Those who are prevented from running version 11 should install the Microsoft fix as soon as possible.

Microsoft’s explanation is here

The actual ‘Fix-It’ tool is here

If you run it, make sure you right-click on the file after it’s downloaded and choose ‘Run As Administrator’.

Be safe folks, Peace.

CryptoLocker news

Okay folks, here we go again. More ransomware is spreading and it can hit you. [Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system’s hard drive (cryptoviral extortion), while some may simply lock the system and display messages intended to coax the user into paying.]

Ransomware/Malware that encrypts your data and tries to sell it back to you, or else, is not new. In fact, one of the earliest pieces of malware that was written specifically to make money, rather than simply to prove a point, was the AIDS Information Trojan of 1989. That Trojan scrambled your hard disk after 90 days, and instructed you to send $378 to an accommodation address in Panama.

Enter the latest Menace – CryptoLocker. If you have become seriously infected and do not take IMMEDIATE remedial steps, there is, sadly, not much you can do [unless you have full ‘offline’ backups as I am always ranting about] but pay up!

This is getting some recent much needed attention by the press. Here is a recent short article. A Google search will turn up hundreds more.

The endgame is the same in all cases: if you have a reliable and recent backup, you’ll have a good chance of recovering without too much trouble.

Prevention, in this case, is significantly better than cure:

  • Stay patched. Keep your operating system and software up to date.
  • Make sure your anti-virus is active and up to date.
  • Avoid opening attachments you weren’t expecting, or from people you don’t know well.
  • Make regular backups, and store them somewhere safe, preferably offline.

Don’t forget that services that automatically synchronise your data changes with other servers, for example in the cloud, don’t count as backup!!

They may be extremely useful, but they tend to propagate errors rather than to defend against them.

What is CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

How do you become infected with CryptoLocker

This infection is typically spread through emails sent to company email addresses that pretend to be customer-support related issues from Fedex, UPS, DHS, etc. An unsuspecting computer user will either get an email purporting to be from their bank, friends, Facebook or a host of other fake senders, or be asked to click on a pop-up on a Website. The person thinks it’s legitimate, clicks on it, and before they know it the virus is installed on their computer and encrypts their data. The person will be given a time period, for instance 72 hours, to make a payment in exchange for the key to decrypt all the data. Refuse and the data on the hard drive will be gone forever.

These emails contain a zip attachment that infects the computer when opened. These zip files contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.exe or FORM_101513.pdf.exe. Since Windows does not show file extensions by default, they look like normal PDF files and people open them.

Please make sure that your antivirus/malware software and systems are up to date. And for Pete’s sake do NOT open attachments from the likes of those listed. If you think you need to track something, go to the ‘front door’ of the shipping company or bank and log in/track there.

Once YOU infect yourself (yes, it is an action taken by the user that starts the infection!!) [Like any other piece of malware, common sense goes a long way. The critical thing is that it is not going to install files by itself. You have to initiate some action.] you will soon probably see a screen that looks like this:

[Image: CryptoLocker payment screen]

Examples of known CryptoLocker email subjects include:

USPS – Your package is available for pickup ( Parcel 173145820507 )

USPS – Missed package delivery ("USPS Express Services" <service-notification@usps.com>)

USPS – Missed package delivery

FW: Invoice <random number>

ADP payroll: Account Charge Alert

ACH Notification ("ADP Payroll" <*@adp.com>)

ADP Reference #09903824430

Payroll Received by Intuit

Important – attached form

FW: Last Month Remit

McAfee Always On Protection Reactivation

Scanned Image from a Xerox WorkCentre

Scan from a Xerox WorkCentre

scanned from Xerox

Annual Form – Authorization to Use Privately Owned Vehicle on State Business

Fwd: IMG01041_6706015_m.zip

My resume

New Voicemail Message

Voice Message from Unknown (675-685-3476)

Voice Message from Unknown Caller (344-846-4458)

Important – New Outlook Settings

Scan Data

FW: Payment Advice – Advice Ref:[GB293037313703] / ACH credits / Customer Ref:[pay run 14/11/13]

Payment Advice – Advice Ref:[GB2198767]

New contract agreement.

Important Notice – Incoming Money Transfer

Notice of underreported income

Notice of unreported income – Last months reports

Payment Overdue – Please respond

FW: Check copy

Payroll Invoice

USBANK

Corporate eFax message from "random phone #" – 8 pages (random phone # & number of pages)

past due invoices

FW: Case FH74D23GST58NQS

Symantec Endpoint Protection: Important System Update – requires immediate action

What should you do when you discover your computer is infected with CryptoLocker

When you discover that a computer is infected with CryptoLocker, the first thing you should do is disconnect it from your wireless or wired network. This will prevent it from further encrypting any files. Some people have reported that once the network connection is disconnected, it will display the CryptoLocker screen.

Users who are infected with the malware should IMMEDIATELY consult with a reputable security expert to assist in removing the malware, and should NOT attempt to mitigate or in any way try to ‘fix’ the issue themselves – this will only ensure the loss of data!!

It is not advised that you remove the infection from the %AppData% folder until you decide whether you want to pay the ransom. If you do not need to pay the ransom, simply delete the registry values and files and the program will not load anymore. You can then restore your data via other methods.

It is important to note that the CryptoLocker infection spawns two processes of itself. If you only terminate one process, the other will automatically launch it again. Instead, use a program like Process Explorer, right-click on the first process and select Kill Tree. This will terminate both at the same time.

Is it possible to decrypt files encrypted by CryptoLocker?

Unfortunately, at this time there is no way to retrieve the private key that can be used to decrypt your files without paying the ransom. Brute-forcing the decryption key is not realistic due to the length of time required to break the key. Also, any decryption tools that have been released by various companies will not work with this infection. The only method you have of restoring your files is from a backup or from Shadow Volume Copies if you have System Restore enabled. Newer variants of CryptoLocker attempt to delete the Shadow Copies, but they are not always successful. There are methods that can/may be used to recover your ‘Shadow Copies’, but this often requires an expert.

If you do not have System Restore enabled on your computer or reliable backups, then you will need to pay the ransom in order to get your files back.

So to summarize: the very first line of defense is good computing common sense and usage. Second is my usual mantra: FULL IMAGE BACKUPS ON A REGULAR BASIS TO EXTERNAL/REMOVABLE MEDIA. I can’t say this enough. And I’m sure to get the calls from folks who are screwed. I sympathize, a little anyway.

Okay end rant. Be safe. Peace all.

Windows 8.1 is here

Windows 8.1 is here just a year after Windows 8. This update is free to existing Windows 8 users, and it is simple and hassle-free through MS Update.

I’d recommend it to anyone who has Windows 8 to make it more easily navigable and user friendly. Especially those of us in the business desktop world.

Some reasons to update can be found here.

Another pretty good review article is here.