Thursday, 12 November 2015

What the.....? is now

Yep, it's true, this blog is closing soon.  All content previously available here is available at

Check it out!

Monday, 20 April 2015

MS15-034 Patch NOW!

So I finally had a chance to test this little doozy of an issue this lunchtime. Crash a webserver by issuing a simple wget command? Yep, I can confirm that this is a good 'un against a Windows 2012R2 server as you can see in my screenshot above.
wget --header="Range: bytes=18-18446744073709551615" http://[ip address]/
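
The upper bound in that Range header is 2^64-1, the largest unsigned 64-bit value, which no real file offset comes near, so it is easy to spot in captured request headers or at a proxy. The check below is an added example, not code from the original post; the function name Test-SuspiciousRange, the 1 TiB ceiling and the sample headers are assumptions made for illustration.

```powershell
# Added example, not from the original post: flag Range headers whose byte
# offsets are implausibly large, like the one in the wget command above.
function Test-SuspiciousRange {
    param(
        [Parameter(Mandatory)][string]$RangeHeader,
        # Assumption: nothing this server legitimately serves exceeds 1 TiB.
        [bigint]$MaxPlausibleOffset = 1TB
    )
    $uint64Max = [bigint][uint64]::MaxValue   # 18446744073709551615

    # Only "bytes=" ranges are examined; other units produce no findings.
    if ($RangeHeader -match '^\s*bytes\s*=(?<specs>.*)$') {
        foreach ($spec in ($Matches['specs'] -split ',')) {
            $spec = $spec.Trim()
            # A range spec is "first-last", "first-" or "-suffixLength".
            if ($spec -match '^(?<first>\d*)\s*-\s*(?<last>\d*)$' -and
                ($Matches['first'] -or $Matches['last'])) {
                $first = if ($Matches['first']) { [bigint]::Parse($Matches['first']) } else { $null }
                $last  = if ($Matches['last'])  { [bigint]::Parse($Matches['last']) }  else { $null }

                if ($null -ne $last -and $last -ge $uint64Max) {
                    "range '$spec' has an end offset at or beyond the unsigned 64-bit maximum"
                }
                elseif ($null -ne $last -and $last -gt $MaxPlausibleOffset) {
                    "range '$spec' has an end offset above the plausible ceiling"
                }
                if ($null -ne $first -and $first -gt $MaxPlausibleOffset) {
                    "range '$spec' has a start offset above the plausible ceiling"
                }
                if ($null -ne $first -and $null -ne $last -and $first -gt $last) {
                    "range '$spec' starts after it ends"
                }
            }
            else {
                "range '$spec' is malformed"
            }
        }
    }
}

# Constructed sample headers; the second is the value from the wget command.
$samples = 'bytes=0-1023', 'bytes=18-18446744073709551615', 'bytes=500-,-200', 'bytes=900-100'
foreach ($header in $samples) {
    $hits = @(Test-SuspiciousRange -RangeHeader $header)
    $verdict = if ($hits.Count -gt 0) { $hits -join '; ' } else { 'ok' }
    "{0,-32} {1}" -f $header, $verdict
}
```
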
Find out more from the SANS Internet Storm Center here:

And here:

Microsoft MS15-034 Security Bulletin:


Monday, 13 April 2015

Monitor Your ADSL / VDSL Connection Statistics via Twitter

Just under a year ago now I was fortunate enough to be able to upgrade from ADSL to FTTC (Fibre To The Cabinet) VDSL broadband.

Overnight my internet connection jumped from around 4Mb/s to over 60Mb/s!

Understandably internet connectivity was good:
And for just under 12 months, all was good.

Just recently however, I had an issue with water ingress on my line and it became necessary once again to keep an eye on my broadband stats.  But surely we can do something a bit more "web 2.0" than just running an app on a desktop / server somewhere.  Apps are all well and good, but it does require a level of effort to login and check the output of the monitoring app.

Wouldn't it be good if I just received the basics via a push notification to me on my phone wherever I am?

In a twitter notification type of way....... :oD

I personally use twitter for all sorts of notifications; blog posts, traffic incidents, etc.  So that I get notifications, I use a second private twitter account and suffix all my tweets @chall32 so that my phone twitter client picks up on the notifications and makes the appropriate noises, buzzes etc.

Hence I came up with a very simple powershell script based on Martin Pugh's telnet Powershell script available here:

Team this with the native python twitter client (because it's soo much easier to use than coding your own twitter o-auth stuff in Powershell) and job done.  Here's how.

Step 1: Understand your Modem / Router

I now (I didn't before - but that's a different story for another day) run a Huawei HG612 Modem on my VDSL broadband connection.  I've loaded custom firmware on it as detailed on the brilliant Kitz Wiki:

My modem requires a couple of telnet commands to offer me up its line stats:

So that's sh (to open busybox) and xdslcmd info --stats to get the goods.

Step 2: Powershell Telnet

Dead simple. I just copied one of Martin's examples. My command ended up looking like this:
Get-Telnet -RemoteHost "" -Commands "admin","password","sh","xdslcmd info --stats" -OutputPath "C:\out.txt" -WaitTime 1500
Breaking this command down, the command logs onto my modem at IP address (yours will probably be at a different IP address) using "admin" and "password" for credentials.  It then issues the commands "sh" and "xdslcmd info --stats" to the modem, saves the output of the whole telnet session to a textfile "C:\out.txt" after waiting for 1500 milliseconds, closing the telnet session and continuing with the rest of the script.  Bear in mind that telnet sends those credentials in clear text and the script stores them in plain text too.

Step 3: Powershell Text File Crunching

This is the tricky part.  As we are going to be notifying via twitter, we just want the salient points in our tweet - we have no need for the other gumph.

My modem returns the up and down link speed stats in this format:
Bearer: 0, Upstream rate = 20000 Kbps, Downstream rate = 67273 Kbps
So I use this command to get my download speed:
$dnspeed = (Select-String -Path c:\out.txt -pattern "Bearer: 0, Upstream rate =").Line.Split("=,")[4]
Here I'm searching the text file C:\out.txt for "Bearer: 0, Upstream rate =". Once I find that line of text, I split it into chunks using "=" and "," as delimiters.  From there I grab chunk 4 (chunks are numbered from 0), which is "67273 Kbps", and save it to the variable $dnspeed.

I repeat that for upload speed, but select text chunk 2 instead:
$upspeed = (Select-String -Path c:\out.txt -pattern "Bearer: 0, Upstream rate =").Line.Split("=,")[2]
For link time, handily my modem gives me this via the same command:
Since Link time = 4 days 15 hours 19 min 11 sec
That'll do. I'll just grab that time out of that using:
$uptime = (Select-String -Path c:\out.txt -pattern "Since Link time").Line.Split("=")[1] 
Split the line of text on "=" and grab the second chunk of text, chunk 1.
Finally, pull everything into one variable, called $tweet:
$tweet = "@chall32 D/L=$dnspeed U/L=$upspeed Uptime=$uptime"
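
The same extraction written with regular expressions instead of Split indexes, as an added example that is not the script from the original post. It accepts only digits for the two rates, so nothing else from the device output reaches the tweet, and it returns a clear "unavailable" message when the Bearer line is missing (failed login, line down) instead of failing on a null. The names Get-LineStats and Format-LineTweet and the sample lines around the two stat lines are made up for the example.

```powershell
# Added example, not the script from the original post.
function Get-LineStats {
    # AllowEmptyString: real session output contains blank lines.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)

    $stats = [ordered]@{ UpKbps = $null; DownKbps = $null; Uptime = $null }
    foreach ($line in $Lines) {
        if ($line -match 'Bearer:\s*0,\s*Upstream rate\s*=\s*(?<up>\d+)\s*Kbps,\s*Downstream rate\s*=\s*(?<down>\d+)\s*Kbps') {
            # Rates: digits only, converted to numbers.
            $stats.UpKbps   = [int]$Matches['up']
            $stats.DownKbps = [int]$Matches['down']
        }
        elseif ($line -match 'Since Link time\s*=\s*(?<t>[0-9A-Za-z ]+?)\s*$') {
            # Link time: letters, digits and spaces only.
            $stats.Uptime = $Matches['t']
        }
    }
    New-Object -TypeName psobject -Property $stats
}

function Format-LineTweet {
    param([Parameter(Mandatory)]$Stats, [string]$Mention = '@chall32')

    # No Bearer 0 line means the login failed or the line is down: say so
    # rather than tweeting empty values.
    if ($null -eq $Stats.DownKbps -or $null -eq $Stats.UpKbps) {
        return "$Mention line stats unavailable"
    }
    $uptime = if ($Stats.Uptime) { $Stats.Uptime } else { 'unknown' }
    "$Mention D/L=$($Stats.DownKbps) Kbps U/L=$($Stats.UpKbps) Kbps Uptime=$uptime"
}

# Constructed samples: the two stat lines are the ones shown in the post,
# the other lines are made up to stand in for the rest of the session.
$good = @(
    'Status: Showtime',
    '',
    'Bearer: 0, Upstream rate = 20000 Kbps, Downstream rate = 67273 Kbps',
    'Since Link time = 4 days 15 hours 19 min 11 sec'
)
$failed = @('Login incorrect')

# In live use the input would be: Get-Content C:\out.txt
Format-LineTweet -Stats (Get-LineStats -Lines $good)
Format-LineTweet -Stats (Get-LineStats -Lines $failed)
```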

Step 4: Powershell Tweeting

Rather than coding something in Powershell to handle twitter o-auth authentication and sending of tweets, I cheat and use the ready made twitter command line executable available here:
The Steps to enable tweeting from the command line (and hence Powershell) are as follows:
  1. Download and install python from 
  2. Once python is installed, open a command prompt and navigate to C:\python34\Scripts
  3. Issue the command pip install twitter 
  4. You should see the following run through:
  5. Now issue the command twitter.exe
  6. A browser window should open prompting you to enter your twitter account credentials (remember to use a twitter account other than your main twitter account so that twitter notifications trigger correctly)
  7. Authorize the app and enter the pin into the command line
  8. Quick test:
  9. Ah yea, all good:
To tweet from powershell, we just use Invoke-Command as follows:
Invoke-Command {C:\Python34\Scripts\twitter.exe set $tweet}
Finally save the script and schedule via windows task scheduler:

That's it !!!

For a full copy of the script head on over to


Monday, 16 March 2015

Re-Arm Remote Desktop Session Host

Scenario:  You have enabled remote desktop session host (also known as remote desktop terminal services mode) in trial mode on a Windows 2012 or Windows 2012R2 server some time ago and now you are receiving the error:

"The remote session was disconnected because there are no Remote Desktop Licence Servers available to provide a licence. Please contact the server administrator"

You may also notice Event ID: 1128 Source: TerminalServices-RemoteConnectionManager being logged in your system event log.

Cause: You are outside of your 120 day remote desktop session host evaluation period and / or the service has not been configured to register with a license server to install licenses.  A remote desktop licensing server is required for continuous normal operation.

Resolution 1: Install a remote desktop licensing server with the appropriate number of remote desktop session host licences and register your session host server with this.

Resolution 2: re-arm your remote desktop session host evaluation to allow for another 120 days evaluation time. Here is how:
  1. Logon to your remote desktop session host server, open up regedit and navigate to

  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

  3. Right click GracePeriod key and select Permissions.  Grant Administrators full control as shown below: 

  4. Delete the L$RTMTIMEBOMB value leaving only the (default) value

  5. Reboot your remote desktop session host server

  6. Job done. You should have another 120 days evaluation time 
I understand that this resolution also works for Windows 2008 and Windows 2008R2, as well as Windows 2012 and Windows 2012R2.

- Chris

Monday, 24 March 2014

Fix Boot/BCD 0xc000000f Error

File this one under a post for another day / ah yes, I've seen that before, can't remember how I fixed it however.....
File: \Boot\BCD
Status: 0xc000000f
Info: an error occurred while attempting to read the boot configuration data
Here is how to fix:

Step 0 - Getting to the Recovery Console

1. Insert Windows DVD* and after selecting language and keyboard, select "Repair your computer"
2. Wait for system recovery to run and fail
3. Click "No" to apply any changes
4. Click "Next" to look for a recovery image
5. Click "Cancel" on the cannot find system image dialogue
6. Click "Cancel" to exit system image dialogue
7. Click Command Prompt

Step 1 - Ensure your system partition is marked as active

As a reminder - this is a typed command
And this is a comment.

1. Boot into the recovery console as per step 0
2. diskpart
3. select disk 0
4. list partition
5. Select the first primary partition. In the screenshot below, the partition to select is partition 2, so select partition 2:

6. detail partition
7. Ensure that the partition is marked as Active: Yes

8. If not, then active to set the partition active
9. exit to exit diskpart
10. exit to exit recovery console 
11. Restart to reboot. 
12. Boot and follow step 0 to enter the recovery console again

Step 2 - Repair Master Boot Record and Repair Boot Sector 

1. Boot back into the recovery console, as per step 0, run the following commands
2. bootrec /fixmbr
3. bootrec /fixboot

Step 3 - Rebuild Boot files

You need to know where your Windows folder is mounted within the recovery console. Sometimes it is at C:\Windows, sometimes D:\Windows, sometimes somewhere else. If you have no idea, use the following to get you a list of drive letters currently in use:

1. diskpart
2. select disk 0
3. list volume

Then it's just a matter of looking for Windows directories on each of those volumes.

So to rebuild the boot files:

bcdboot C:\Windows /s C:

Reboot and you should be done.

*If you can't find your Windows DVD, have a look

Here for Windows 7 DVDs (Release versions)
Here for Windows 2008R2 DVD (Evaluation version)
Here for Windows 8.x DVD (Evaluation version)
Here for Windows 2012 DVD (Evaluation version)

- Chris

Friday, 21 March 2014

LDWin v2.0 Released

Quick post to let you know that yes, I'm still alive and I've just released version 2.0 of my popular link discovery tool for Windows, LDWin.

What is LDWin?
LDWin is Network Link Discovery for Windows

What is Link Discovery?
Link discovery is the process of ascertaining information from directly connected networking devices, such as network switches. Consider this for a moment:

Picture: Adam Selwood via Flickr

Do you know where those network cables go?

This is where LDWin comes in!

Find out more and download your copy of LDWin from LDWin's Github Page

- Chris

Sunday, 8 September 2013

Screaming Woods Pluckley

So what do you and 10 other people do in the woods at night??  No, not that... Ghost hunting of course!

Where better to find some ghosts? Why, Pluckley; often referred to (and listed in the 1998 Guinness Book of World Records) as Britain's most haunted village. Why? Because Pluckley boasts the following strange goings on and haunted places in and around the village:
  • Phantom Coach & Horses - various locations
  • The Colonel - Park Wood
  • The Highwayman - Pinnock Crossroads
  • The Miller - Site of Old Mill
  • The Monk - Greystones
  • The Red Lady - St Nicholas Church
  • The Schoolmaster - Dicky Buss Lane
  • The Screaming Man - Pluckley Brickworks
  • The Tudor Lady - Rose Court
  • The Watercress Woman - Pinnock Stream
  • The White Lady - St Nicholas Church and Surrenden Manor
  • The Black Horse - The Street
  • The Dering Arms - Station Road
  • The Blacksmith's Arms - Pluckley Thorne
  • The Screaming Woods - Dering Woods & Frith Wood
  • The Devil's Bush - Frith Corner
Don't just take my word for it, see:
Tonight's excursion; Screaming (Dering) Woods, an area supposedly haunted by many who have become lost deep in the woods. You can supposedly still hear their screams from inside the woods at night. An excursion run by


So fortified with a top slap up meal at the Black Horse (highly recommended) and armed with camera off we went to see what we could see.  Here is what we captured:

As you can see, a nice selection of orbs and a nice bit of mist in IMG_0650 (second row, fourth picture from the left), the only misty picture in the entire set!

Steve our guide from brought with him an array of ghost meters, EMF meters and a spirit box (a backwards RF scanner) which kept us all entertained and enthralled with the evening's investigation.  We also completed a vigil where we were contacted by Michael, the spirit of a motorcyclist who died in an accident close to screaming woods.

Am I a believer? Well, no not quite yet, although I would like to hope and believe there is something to look forward to after you pop your clogs...

So all in all, a thoroughly enjoyable and highly recommended evening with
Looking forward to going on another event soon.  Some of these locations look fantastic!

In the meantime, keep watching and GhostHuntEvents Youtube Channel

- Chris

Thursday, 1 August 2013

VM Snapshot Discovery and Attribution

The Golden Snapshot Rule:

What are VMware VM Snapshots?

Normal VM operation involves the virtual machine (VM) reading and writing to its virtual disk (VMDK) file:
Upon the creation of a snapshot, the VM's virtual disk (VMDK) file is marked as read only. All changes are written to a snapshot log file, also known as a 'delta' file:

So What is the Problem Here?

The problem is that these snapshot delta files left unchecked can grow and grow and grow, consuming more and more storage space.

Surely VMware Have Some Guidelines Around VM Snapshots?

They do, and they are here:‎

Let's pick up on some salient points here as it's worth repeating this as often as possible:
  • Snapshots are not backups (Sound familiar?) 
  • A snapshot file is only a change log of the original virtual disk
  • Snapshots are not complete copies of the original vmdk disk files
  • Use no single snapshot for more than 24-72 hours
  • Regularly monitor systems configured for backups to ensure that no snapshots remain active for extensive periods of time
  • An excessive number of delta files in a chain (caused by an excessive number of snapshots) or large delta files may cause decreased virtual machine and host performance
  • If hosts and/or vCenter Server are prior to vSphere 5.0 confirm that there are no snapshots present (via command line) before a Storage vMotion
  • Confirm that there are no snapshots present (via command line) before increasing the size of any virtual machine virtual disk or virtual RDM. If snapshots are present, delete them prior to increasing the size of the disk. Increasing the size of a disk with snapshots present can lead to corruption of snapshots and a potential data loss

Got it. So How do I quickly and Simply Test for VM Snapshots?

Simple. This is where Chris' VM Snapshot Discovery and Attribution Tool comes in.

Here is a screenshot of the tool in action:

So what do we have here?

Well, you can quite easily see that both the VM's SPONGEBOB and GARY have active snapshots. You can also see the details around these snapshots; their names, their descriptions and their sizes in GB.

What is super cool is we can also see who created them.  In the screenshot the snapshot creator is CHLABS\Chris (me!). OK, cool, but think about it for a moment.  If this was a production situation, it's more than possible that you will have multiple vSphere administrators.  Any one of these administrators can create snapshots.

Say for example I found that CHLABS\Fred.Bloggs was working on some VMs, created several snapshots and had completed his changes.  Perhaps Fred did not know or understand The Golden Snapshot Rule.

With this newly discovered information now in hand, we can contact Fred, find out if he still needs those snapshots and perhaps educate him to the Golden Snapshot Rule.

Perhaps Fred forgot about the snapshots.......

Ah, the Forgotten Snapshot!

Don't joke.... it happens.

Where can I get a Copy of Chris' VM Snapshot Discovery and Attribution Tool?

Simple. Grab your copy here:

So I Have VMs With Snapshots. What To Do?

Here are your options:

Snapshot Operation

  • Take - The current state of the virtual machine and its guest operating system is captured.
  • Revert - The state of the virtual machine and its guest operating system reverts back to what it was when a snapshot was taken. If there are multiple snapshots, the snapshot taken immediately prior to the current state is used. Warning: All current data is permanently lost.
  • Delete - The state of the virtual machine is changed to the current state (that is, changes made after taking the snapshot are saved to the base disk). In earlier versions of some products the menu option is named Remove.
  • Delete (Snapshot Manager) - The state of the virtual machine is changed to the current state (that is, changes made after taking the snapshot are saved to the base disk). The snapshot chosen to be deleted is available for selection in a graphical display that shows all existing snapshots. This is available only in products that support multiple snapshots.
  • Go To (Snapshot Manager) - The state of the virtual machine and its current guest operating system switches to the state of that of an arbitrarily chosen snapshot. The snapshot chosen to switch to is available for selection in a graphical display that shows all existing snapshots. This is available only in products that support multiple snapshots.

May I recommend the Delete option?
Sure it doesn't feel right to click "Delete" to carry on as normal with the VM, but it is the correct option!

What Can I Do Longer Term to Prevent Forgotten Snapshots?

Have a look at
This VMware KB article shows you how to configure VMware vCenter Server to send alerts when virtual machines are running from snapshots.

Conclusion & Troubleshooting

You now know all about VM snapshots, how to test for them, how to find out who created them, and how to delete them.

If you need to troubleshoot any issues with VM snapshots, have a look at the bottom of‎. There are plenty of resources to look at.

- Chris

Wednesday, 3 July 2013

UCS Blade Discovery Failed

A simple job then; lift and shift some Cisco UCS blades from a legacy site into the Datacentre to help with capacity for consolidation in the Datacentre.

Unfortunately a simple job turned into a bit of a nightmare with the destination UCS deciding not to play nicely with the recycled blades.

Don't get me wrong here folks, Cisco Unified Computing System is a cool piece of kit that is challenging the way we look at hardware nowadays.  It is however not without its foibles of which this is just one.

Thanks go to @brettchannon and the guys from @VCE for helping with the solution to this issue.


When you install a Cisco UCS blade that has 1.x firmware installed into a chassis that is running a 2.x firmware, the following error can be seen:
Code: F1000034
Cause: fsm-failed
Description: [FSM:FAILED] Blade Discovery (FSM:sam:dme:ComputeBladeDiscover)

A re-acknowledge, power cycle, reseat will not allow the blade to be properly discovered.  Any firmware upgrades (other than a CIMC firmware upgrade) will remain in a "Scheduled" status.


USB Legacy mode is set to disabled within the BIOS settings.


Complete the following resolution on each blade affected:

1.  Open the KVM console of the affected blade (Equipment Tab > Chassis > Chassis containing affected blade > Servers > Affected Server > KVM Console):

2. Hit Reset and OK the following warning:

3. Choose Power Cycle and OK the following dialogue:

4.  Hit F2 when prompted to enter the blade's BIOS setup:

5. Once in the BIOS setup hit right arrow key to get to Advanced and down arrow to USB Configuration.

6.  Hit return to open USB configuration and hit down arrow and return to open Legacy USB Support option:

7. Set Legacy USB Support to Enabled:

8. Hit Esc and right arrow to select Exit tab and hit return to Save Changes and Exit:

9.  Close the KVM console and allow UCS to rediscover server. If you cannot wait, select Recover Server > Re-acknowledge > OK to force the UCS to rediscover the blade.


I would love to know more about this error and how the USB mode setting within a blade can cause UCS to give up on that blade altogether.

Seems like a crazy simple fix to what - on the face of it - seems a pretty catastrophic error message. All in all we had this issue on 12+ blades and the USB legacy mode fix worked on all of them.

Godda love UCS.....!

- Chris
