To Decompress all files on an NTFS Volume

compact /u /s:X:\ /i /f /a /q > C:\compression.log

where X: is the drive to decompress.

If you get Could not Start the Remote Procedure Call (RPC) Service. Error 2: cannot find the file specified, it’s probably because you are missing svchost.exe from the C:\windows\system32 directory. Running sfc /scannow or copying the file from a working machine should do the trick.

Nifty trick found today while trying to diagnose a Windows firewall issue, getting error “For your security, some settings are controlled by Group Policy”

1. Click Start, Run and type Regedit.exe
2. Navigate to the following location:

HKEY_LOCAL_MACHINE \ SOFTWARE \Policies \ Microsoft \ WindowsFirewall

1. Backup the key and then delete the WindowsFirewall branch.
2. Close Regedit.exe and restart Windows.

Thanks to this site.

Picked up a cool trick, using CACLS, you can forcefully set full control to the everyone account on everything on the HDD. This is great if you are an Administrator, but you still cant get into some files, or the “Take Ownership/Replace permissions on child objects” trick doesn’t work properly, or you are having some sort of generic “access denied”, “permission denied”, “unable to open” or “interface is unknown” issues.

cacls C:\ /g everyone:F /c /t

So, for the first time in my career today, I had to remove the Sony DRM Rootkit. It hides any files, folders, or registry keys starting in $sys$. Nasty. Here is how you remove it. Quick Fix:

1. Run cmd /k sc delete $sys$aries
2. Reboot
3. Delete anything starting in $sys$

All clean.

So, I was bailing out two of my technicians, because a computer they both worked on came back for Blue Screen Of Death and Firefox crashing issues. (To their credit, the suggestions I gave them based on the information they gave me didn’t help them fix it. P) After some digging, and a very lucky crash while trying to convert the filesystem from FAT32 to NTFS, I found out it was a rootkit infection! So, if your Windows 2K/XP/2003 machine is giving a STOP 0×0000008e on boot,.reboot, or during lots of filesystem access -or- STOP 0×00000044 while surfing the net, especially in Firefox, -or- you get a STOP error message with the module lzx32.sys, you probably have a Backdoor.Rustock.B infection. Quick Fix: Boot your machine to a Recovery Console using your Windows Install CD, type DISABLE pe386 (this disables the rootkit), eject CD, Boot into normal mode, and run rustbfix.exe. Thanks to Symantec and the guy who made the rootkit killer.

Found a cool article here and here that talks about hacking the boot.ini file in XP/Srv2003 to completely shut off Data Execution Prevention. Useful if the machine is infected with some sort of baddie and the friggin shell won’t load because Explorer has had code injected and it keeps crashing and you want to pull your flippin hair out… Disable Data Execution Prevention (DEP) completely

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or Pick a Control Panel icon, click System.
4. Click the Advanced tab, and in the Startup and Recovery area, click Settings.
5. In the SystemStartup area, click Edit.
6. In Notepad, click Edit and then click Find.
7. In the Find what field, type /noexecute and then click Find Next.
8. In the Find dialog box click Cancel.
9. Replace the policy_level (for example, "OptIn" default) with "AlwaysOff" (without the quotes). WARNING: Be sure to enter the text carefully. Your boot.ini file switch should now read: /noexecute=AlwaysOff
10. In Notepad, click File and then click Save.
11. Click OK to close Startup and Recovery.
12. Click OK to close System Properties and then restart your computer.

This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. Verifying DEP is Disabled

1. Click Start, and then click Control Panel.
2. Under Pick a category, click Performance and Maintenance.
3. Under or Pick a Control Panel icon, click System.
4. Click the Advanced tab.
5. In the Performance area, click Settings and then click Data Execution Prevention.
6. Verify that the DEP settings are unavailable and then click OK to close Performance Settings.
7. Click OK to close System Properties then close Performance and Maintenance.