Category Archives: Windows Hacking

Modifying Windows to get the results you are looking for. This generally refers to unsupported methods.

Restoring a deleted AD object and avoiding a common error

I accidentally removed some accounts in a non-production domain. I was trying to do a restore using ldp.exe. That wasn’t working well, and I came across PowerShell commands.

I tried the commonly found command everyone has posted:

Get-ADObject -Filter {samaccountname -eq "jsmith"} -IncludeDeletedObjects | Restore-ADObject

and got this error:

Restore-ADObject : Illegal modify operation. Some aspect of the modification is not permitted

I tried another version which was more detailed.

Get-ADObject -filter 'samaccountname -eq "jsmith"' -IncludeDeletedObjects | Foreach-Object {Restore-ADObject $_.DistinguishedName -NewName $_.Name -TargetPath $_.LastKnownParent}

The idea from what I had read was that you needed to specify NewName and TargetPath. It failed with a different error:

Restore-ADObject : Cannot validate argument on parameter 'TargetPath'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

To understand why, we need to look at what information we are actually giving it. The command below lists the default output:

Get-ADObject -Filter {samaccountname -eq "jsmith"} -IncludeDeletedObjects

Deleted : True
DistinguishedName : CN=jsmith\0ADEL:1ead7f6c-ec52-3450-a847-b1307e0e8e23,CN=Deleted Objects,DC=DOMAIN,DC=loc
Name : jsmith
DEL:1ead7f6c-ec52-3450-a847-b1307e0e8e23
ObjectClass : user
ObjectGUID : 1ead7f6c-ec52-3450-a847-b1307e0e8e23

This command returns all properties; looking closely at them explains what is going wrong.

Get-ADObject -Filter {samaccountname -eq "jsmith"} -IncludeDeletedObjects -Properties *

CanonicalName : DOMAIN.loc/Deleted Objects/jsmith DEL:1aed7e6c-ab52-4305-a397-b1307e0e8e23

CN : jsmith
DEL:1ead7f6c-ec52-3450-a847-b1307e0e8e23
Created : 2014-10-06 12:34:25 PM
createTimeStamp : 2014-10-06 12:34:25 PM
Deleted : True
Description :
DisplayName :
DistinguishedName : CN=jsmith\0ADEL:1ead7f6c-ec52-3450-a847-b1307e0e8e23,CN=Deleted Objects,DC=DOMAIN,DC=loc
instanceType : 4
isDeleted : True
isRecycled : True
LastKnownParent : Users,DC=DOMAIN,DC=loc
Modified : 2014-10-07 12:35:01 PM
modifyTimeStamp : 2014-10-07 12:35:01 PM
Name : jsmith
DEL:1ead7f6c-ec52-3450-a847-b1307e0e8e23
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory :
ObjectClass : user
ObjectGUID : 1ead7f6c-ec52-3450-a847-b1307e0e8e23
objectSid : S-1-5-21-18311500-3280029727-3500224-5374
ProtectedFromAccidentalDeletion : False
sAMAccountName : jsmith
sDRightsEffective : 15
userAccountControl : 514
uSNChanged : 84182
uSNCreated : 83954
whenChanged : 2014-10-07 12:35:01 PM
whenCreated : 2014-10-06 12:34:25 PM

I noticed I was able to restore an object when I used this command after I had gathered the information I needed from the output above. (Note: the value I pass to NewName is the sAMAccountName.)

restore-adobject -identity "1ead7f6c-ec52-3450-a847-b1307e0e8e23" -NewName "jsmith" -targetpath "OU=Users,DC=DOMAIN,DC=loc"

Above, I tried using the value in $_.Name. It sounds right until you look at what $_.Name contains: it has the ObjectGUID we need, but it also includes extras, and the most important extra is a colon (:), which is an illegal character for sAMAccountName.

Name : jsmith
DEL:1ead7f6c-ec52-3450-a847-b1307e0e8e23

Knowing this, and looking over the information that is available, I created this command, which provides proper values and actually does work:

Get-ADObject -filter 'samaccountname -eq "jsmith"' -IncludeDeletedObjects -properties * | Foreach-Object {Restore-ADObject $_.objectguid -NewName $_.samaccountname -TargetPath $_.LastKnownParent}

Please note that -NewName is now given $_.samaccountname instead.

The first argument after Restore-ADObject (the identity) can be either of these:

$_.objectGUID
$_.distinguishedname

The AD object is restored. There is still a lot of work to do, as it no longer has any groups and some of the information on the account tab needs to be filled in. If I find any way to add these, I will edit the post.
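The same restore wrapped in a function with the checks the trial and error above uncovered. This is an added example, not a script from the post; it assumes the ActiveDirectory module is available, that the caller may restore objects, and that the container in LastKnownParent still exists.

```powershell
# Added example (not from the post): restore a deleted AD account by sAMAccountName,
# validating the inputs that made the earlier attempts fail.
Import-Module ActiveDirectory

function Restore-DeletedAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # -IncludeDeletedObjects is needed to see the tombstone at all. LastKnownParent
    # is not in the default property set, which is why $_.LastKnownParent was
    # empty in the second attempt above; ask for it explicitly.
    $found = @(Get-ADObject -Filter { sAMAccountName -eq $SamAccountName -and isDeleted -eq $true } `
        -IncludeDeletedObjects -Properties sAMAccountName, LastKnownParent)
    if ($found.Count -eq 0) { throw "No deleted object with sAMAccountName '$SamAccountName'." }
    if ($found.Count -gt 1) { throw "Several deleted objects match; restore by ObjectGUID instead." }
    $obj = $found[0]

    # The tombstone's Name is 'jsmith' plus 'DEL:<guid>', which is not usable as the
    # restored name; sAMAccountName is, as the post found.
    $newName = $obj.sAMAccountName

    # Restore-ADObject fails on -TargetPath if the parent container is empty or gone.
    if ([string]::IsNullOrEmpty($obj.LastKnownParent)) {
        throw 'LastKnownParent is empty; pass -TargetPath manually.'
    }
    try { $null = Get-ADObject -Identity $obj.LastKnownParent -ErrorAction Stop }
    catch { throw "Parent '$($obj.LastKnownParent)' no longer exists; restore it first." }

    # A live object with the same name in that container would also block the restore.
    $clash = Get-ADObject -Filter { Name -eq $newName } -SearchBase $obj.LastKnownParent -SearchScope OneLevel
    if ($clash) { throw "'$newName' already exists in $($obj.LastKnownParent)." }

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Restore as $newName into $($obj.LastKnownParent)")) {
        Restore-ADObject -Identity $obj.ObjectGUID -NewName $newName -TargetPath $obj.LastKnownParent
        # Show what still needs hand work: group memberships are gone, and a
        # userAccountControl of 514 (512 + 2) means the account came back disabled.
        Get-ADObject -Identity $obj.ObjectGUID -Properties memberOf, userAccountControl |
            Select-Object DistinguishedName, memberOf, userAccountControl
    }
}

# Dry run first (-WhatIf), then the real restore:
Restore-DeletedAccount -SamAccountName 'jsmith' -WhatIf
# Restore-DeletedAccount -SamAccountName 'jsmith'
```

The -WhatIf run still performs the lookups, so a missing parent or a name clash is reported before anything is changed.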

[Solved] Failed to apply policy and redirect folder “Desktop”

I struggled to figure out why my folder redirection policy failed to apply fully. In this case, I was actually trying to have a folder redirection reversal. For some users, we wanted to go back to having the profile local. My method was to create a security group and associate a policy to it that would put the normal redirected folders back to the local user profile. I felt I had it all set up right. I made sure the members of the new group were denied the ability to apply the normal redirection policy so the only one that would take effect was the new GPO.

However, after verifying the settings in windows, I saw the changes didn’t fully work.

For anyone who doesn’t know, your profile folders locations are specified here:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Items such as Desktop are normally set as %USERPROFILE%\Desktop unless you or a policy changes it.

I used myself as a guinea pig and ran the group policy results wizard on myself. Not many clues, except that, oddly, some of my folders that were previously redirected did change. Most didn’t.

The clues I needed finally came from eventvwr. I really enjoy the way events are grouped at a high level. It makes things easier.

I actually had some error events in the Application log with Folder redirection as the source. The event ID I had was 502.

Failed to apply policy and redirect folder “Desktop” to “C:\Users\chris\Desktop”.

Redirection options=0x9200.
The following error occurred: “Can not create folder “C:\Users\chris\Desktop””.
Error details: “This security ID may not be assigned as the owner of this object.”.

With this in hand, I went to Google and found some posts of people having similar issues in dealing with roaming profiles. The cause turned out to be ownership on my local profile.

I checked mine and sure enough that was it. I had full control of my profile but System was the owner. I checked another user and he had the same problem.

I needed a way to correct this for myself and everyone else. I like using the application subinacl (from Microsoft) for ownership changes. You can find it here.

I did some testing and created a script to do the corrections for me. I stored subinacl.exe in the netlogon folder.

Here is the script I created. I called it SetOwner.bat

<start of script>

REM Set owner at profile root
\\domain.loc\netlogon\subinacl /subdirectories "%Userprofile%" /setowner="ncdsb\%username%"
REM Set owner on files and folders in profile
\\domain.loc\netlogon\subinacl /subdirectories "%Userprofile%\*.*" /setowner="ncdsb\%username%"

<end of script>

I made the .bat file a script that would run on user logon in my new local redirection policy. Maybe I don’t need to correct the root profile folder and the files in two separate lines. In my testing, I didn’t see changes in subfolders without it. However, I did notice that checking ownership on my Desktop folder twice in the same logon session did take some time to update. There might be some processing time for it to all work.

After the permissions are corrected, a second reboot is required to fully fix the folder redirection.

The only mystery left in this for me is how System ended up as owner of my profile.
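A way to find out which profiles on a machine have the ownership problem before running SetOwner.bat, as an added example that is not part of the post. It reads the ProfileList registry key to pair each profile folder with its account SID, so it does not rely on folder names matching usernames; it assumes it runs elevated so every profile's ACL can be read.

```powershell
# Added example (not from the post): list local profiles whose folder owner is not the
# profile's own account, the condition behind Folder Redirection event ID 502.
function Get-ProfileOwnerMismatch {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $profileList) {
        $sid = $key.PSChildName
        # Only domain/local user SIDs (S-1-5-21-...) matter; skip the service profiles.
        if ($sid -notlike 'S-1-5-21-*') { continue }
        $path = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        if (-not $path) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Resolve the SID to DOMAIN\user; an orphaned SID (deleted account) is reported as-is.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $account = $sid }

        # Get-Acl reports the owner in the same DOMAIN\user form, so a plain compare works.
        $owner = (Get-Acl -LiteralPath $path).Owner
        [pscustomobject]@{
            Profile  = $path
            Account  = $account
            Owner    = $owner
            Mismatch = ($owner -ne $account)
        }
    }
}

# Only the profiles that need fixing (what SetOwner.bat corrects at logon):
Get-ProfileOwnerMismatch | Where-Object { $_.Mismatch } | Format-Table -AutoSize
```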


How to block Ultrasurf at the workstation level in Windows

Some time ago, I discovered students were using a program called Ultrasurf to get around our internet filter. The app is portable and so can run off a USB key or from a cloud drive. (As of writing this, the latest file name is u1403.exe. You can recognize that it is running by a yellow-gold lock icon on the screen, usually in the lower right corner.)

Apparently it was designed for citizens of China to get around “The great firewall of China.” The app sets itself up as a proxy. Ultrasurf then changes Internet Explorer to use this new proxy to surf. Behind the scenes, the app works by connecting to an IP overseas from a wide range of choices. From what I saw, it connects using https, and the port can be varied by users. Blocking it is a daunting task.

Blocking the app itself via group policy is tough as well. The checksum is a moving target. Ultrasurf often has a new version out, plus old versions can be found everywhere.

You might think that blocking proxy access in IE via GPO would help. It really doesn’t. All the GPO does is block being able to put in the settings via Internet Options. The policy still allows the actual proxy value in the registry to be changed.

What I discovered is that to block Ultrasurf, you need to prevent the users from being able to edit HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

This is where IE stores its proxy information. As long as the user has write access, Ultrasurf can work.

Introducing UltraFin!

I have created a script that works at the user level. I deploy it via a policy that will run as the user for anyone who is a member of our student user group. I called it UltraFin as a play on UltraSurf. A surfer’s day is ruined if they see a fin in the water 🙂

What the script does is use a tool called regini.exe to set the part of the registry I mentioned above as read-only. This essentially locks them out from making any changes to their proxy settings. To undo the permissions settings, an admin would have to mount their profile hive (ntuser.dat) and correct the permissions.

Once this is done, launching Ultrasurf says it is connected but will go nowhere. Ultrasurf normally launches IE once it connects but this won’t happen anymore.

I keep both my script and regini.exe in the netlogon folder of our DCs.

You get regini.exe as part of the Windows Server 2003 Resource Kit Tools.

Here is my script; please note that you will need to rename it from ultrafin.txt to ultrafin.vbs.

In the GPO I create, here is where I place it:

User Configuration->Policies->Windows Settings->Scripts->Logon

Name: %LOGONSERVER%\NetLogon\UltraFin.vbs

I use the logonserver variable to reduce network traffic and to prevent a workstation from hanging on logon if a particular server is down.

One important note: I still keep a policy in place for this group that prevents them from changing their proxy settings in IE. The main reason for this is so the users in question can’t manually set a different browser to use the Ultrasurf proxy address. Ultrasurf thrives on IE, but there is the potential to work around it.

To ensure this, I also have imported policy templates for the other popular browsers such as Chrome and Firefox. I enable settings to force these browsers to use IE proxy settings.

I hope this helps someone as I haven’t found many good ways so far on how to block Ultrasurf.
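A check for the condition the post relies on ("as long as the user has write access, Ultrasurf can work"), as an added example that is not the UltraFin script. It reports the current proxy values under the Internet Settings key and whether the key's ACL still grants the running user a write right; it assumes it runs as the user being checked and only approximates Windows access evaluation (a matching Deny entry is treated as winning).

```powershell
# Added example (not from the post): audit the per-user proxy key that Ultrasurf edits.
function Test-ProxyKeyLockdown {
    param([string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings')

    $values = Get-ItemProperty -Path $KeyPath
    $acl    = Get-Acl -Path $KeyPath

    # SIDs carried by the current token: the user plus every group it belongs to.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    # Rights that allow changing ProxyServer/ProxyEnable/AutoConfigURL. FullControl and
    # WriteKey both include the SetValue bit, so testing the two bits below covers them.
    $mask = [int][System.Security.AccessControl.RegistryRights]::SetValue -bor
            [int][System.Security.AccessControl.RegistryRights]::CreateSubKey

    $allow = $false; $deny = $false
    foreach ($rule in $acl.Access) {
        $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($mySids -notcontains $sid) { continue }
        if (([int]$rule.RegistryRights -band $mask) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $true } else { $deny = $true }
    }

    [pscustomobject]@{
        ProxyEnable   = $values.ProxyEnable
        ProxyServer   = $values.ProxyServer
        AutoConfigURL = $values.AutoConfigURL
        # Approximation of the real access check: any matching Deny wins over Allow.
        UserCanWrite  = ($allow -and -not $deny)
    }
}

# After UltraFin has run, UserCanWrite should be False for a student account.
Test-ProxyKeyLockdown
```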

Remove network printer queue by batch script

For some reason, group policy preferences isn’t removing some old printer queues from user machines for me. (I converted over to using simple queue names compared to the previous method, where the queue name contained the printer model. It makes them shorter for staff and really eases management. Now when a printer is replaced, I change the driver. That’s it. No queue name to change. No policy to update.)

I searched around and didn’t find much on how to force remove a queue so I made my own.

This method is for removing queues stored in the user profile. You can find the ones you have listed in HKEY_CURRENT_USER\Printers\Connections

Click on the queue key in this location and export it to quickly be able to copy the long name, e.g. HKEY_CURRENT_USER\Printers\Connections\,,SERVERNAME,Basement_Copier

Please note that HKEY_CURRENT_USER becomes HKCU in the script.

The script will look for the queue name and remove it from the registry. To make it disappear in Devices and Printers, the spooler needs to restart. I test the result of reg delete (its errorlevel) to make sure we don’t restart the spooler for nothing.

@Echo off

reg delete HKCU\Printers\Connections\,,SERVERNAME,QUEUENAME /f > Nul

REM if entry NOT found in regedit, skip over spooler restart
IF ERRORLEVEL 1 GOTO EOF

REM restart spooler to remove device from Devices and Printers
net stop spooler && net start spooler

:EOF
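The same idea generalised to every queue from one print server, as an added PowerShell example (not the post's batch file). It walks HKCU\Printers\Connections, removes the keys whose server part matches, and restarts the spooler only when something was actually removed; it assumes it runs in the user's own session with rights to restart the service.

```powershell
# Added example (not from the post): remove all per-user printer connections that
# point at a given print server, then restart the spooler only if something changed.
function Remove-PrinterConnectionsFromServer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ServerName)

    $connections = 'HKCU:\Printers\Connections'
    if (-not (Test-Path -Path $connections)) { return 0 }

    $removed = 0
    foreach ($key in Get-ChildItem -Path $connections) {
        # Key names have the form ",,SERVERNAME,QUEUENAME" (e.g. ,,SERVERNAME,Basement_Copier),
        # so splitting on commas puts the server in element 2 and the queue in element 3.
        $parts = $key.PSChildName -split ','
        if ($parts.Count -lt 4 -or $parts[2] -ne $ServerName) { continue }
        if ($PSCmdlet.ShouldProcess($key.PSChildName, 'Remove printer connection')) {
            # -LiteralPath: the key name contains commas, so avoid wildcard parsing.
            Remove-Item -LiteralPath $key.PSPath -Recurse -Force
            $removed++
        }
    }

    if ($removed -gt 0) {
        # Devices and Printers only drops the entry once the spooler re-reads the hive;
        # skipping the restart when nothing changed mirrors the ERRORLEVEL check above.
        Restart-Service -Name Spooler
    }
    return $removed
}

# Preview first, then run for real:
Remove-PrinterConnectionsFromServer -ServerName 'SERVERNAME' -WhatIf
# Remove-PrinterConnectionsFromServer -ServerName 'SERVERNAME'
```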

Start menu workaround for Windows 8/8.1

I always enjoyed the start menu. When I got Windows 8, I was really thrown off by no start menu. When I upgraded to 8.1, I was anxious for the promised return of the start button.

I was disappointed to learn it was more like a function shortcut menu than access to program groups like every other version of Windows in recent memory.

I wanted to share my workaround to at least get access to the program folders that still live in the start menu.

(To do this, you may need to enable Show Hidden Files, Folders and Drives in Folder and Search options)

Right click on your task bar and then select Toolbars, New Toolbar...

Browse to C:\ProgramData\Microsoft\Windows

In there, you will see a folder called Start Menu. Click it once and press select.

You will now have an addition to the task bar called Start Menu>>. Press the >> and this will bring up a menu showing a few shortcuts and another folder called Programs.

Expand Programs and you will see the same groupings you would on the Start menu.

Now when you install a new program, you can go here and find the icons.