Loading ...

Month: June 2021

Calls Marked as SPAM

Here is a quick tip for anyone doing advertising from their phone number, you can be marked as SPAM LIKELY or SPAM RISK by phone companies. Each phone carrier keeps a list of numbers they determine to be spam risks based on the history of the number. Unfortunately, there is no central database or service so far that manages this number designation. 
 

What Causes the SPAM Designation?

In short, here are the most obvious reasons for designation:

  1. Volume of Outbound Calls Per Day Per Number
  2. Someone Flagged a call from your number in that carrier’s app as spam 
  3. Outbound Caller ID number is not set properly from your system and incomplete will probably be flagged as spam automatically


How to Get De-Listed

You can use the links or email addresses below to register legitimate numbers and also address any incorrect labeling or call blocking with other carriers:

AT&T:

https://hiyahelp.zendesk.com/hc/en-us/requests/new?ticket_form_id=824667

Sprint, Verizon, U.S. Cellular:

https://reportarobocall.com

Comcast, Charter, Cox, Altice and other fixed line (VoIP) providers, email Nomorobo for call blocking services:

reports@nomorobo.com

If your company is looking for locally managed VoIP service, then contact us to find out how much you can save with us. 

RMM Automation: Modify the Registry for All Users

As our business continues to focus on providing white labeled Tier 3 IT support services, RMM as a service, and co-managed IT services this blog will be highlighting tips for RMM automation. Here is one of the recent scripts we added to our RMM. We often find ourselves wanting to modify the registry for all users:

Variables

It is important to not store variables in scripts especially when they are credentials for a user on the local computer, so make sure to define variables accordingly. In this script there are no variables like that, but wanted to explain some that are in the script:

  • $PatternSID = this is the Regular Expression pattern for the Security ID of the users to look for (found it was different for local / domain vs. Azure)
  • $ProfileList = List of SIDs and other information from the HKLM folders
  • $LoadedHives = List of logged in users from HKU
  • $UnloadedHives = List of not logged in users from HKU

Script Snippet

# Regex pattern for Local or Domain SIDs
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
 
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} | 
    Select  @{name="SID";expression={$_.PSChildName}}, 
            @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}}, 
            @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
 
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
 
# Get all users that are not currently logged
$UnloadedHives = Compare-Object $ProfileList.SID $LoadedHives.SID | Select @{name="SID";expression={$_.InputObject}}, UserHive, Username
 
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
    # Load User ntuser.dat if it's not already loaded
    IF ($item.SID -in $UnloadedHives.SID) {
        reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
    }
 
    #####################################################################
    # This is where you can read/modify a users portion of the registry 

    # This example checks for a key, adds it if missing, and creates / changes a DWORD in that key
    "{0}" -f $($item.Username) | Write-Output
    If (!(Test-Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement)) {
	    New-Item -Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Force | Out-Null
	}
    Set-ItemProperty registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Name “ScoobeSystemSettingEnabled” -Value “0” -Type DWord 
    
    #####################################################################
 
    # Unload ntuser.dat        
    IF ($item.SID -in $UnloadedHives.SID) {
        ### Garbage collection and closing of ntuser.dat ###
        [gc]::Collect()
        reg unload HKU\$($Item.SID) | Out-Null
    }
}
# Regex pattern for AzureAD SIDs
$PatternSID = 'S-1-12-1-\d+-\d+\-\d+\-\d+$'
 
# Get Username, SID, and location of ntuser.dat for all users
$ProfileList = gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object {$_.PSChildName -match $PatternSID} | 
    Select  @{name="SID";expression={$_.PSChildName}}, 
            @{name="UserHive";expression={"$($_.ProfileImagePath)\ntuser.dat"}}, 
            @{name="Username";expression={$_.ProfileImagePath -replace '^(.*[\\\/])', ''}}
 
# Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded)
$LoadedHives = gci Registry::HKEY_USERS | ? {$_.PSChildname -match $PatternSID} | Select @{name="SID";expression={$_.PSChildName}}
 
# Get all users that are not currently logged
$UnloadedHives = Compare-Object $ProfileList.SID $LoadedHives.SID | Select @{name="SID";expression={$_.InputObject}}, UserHive, Username
 
# Loop through each profile on the machine
Foreach ($item in $ProfileList) {
    # Load User ntuser.dat if it's not already loaded
    IF ($item.SID -in $UnloadedHives.SID) {
        reg load HKU\$($Item.SID) $($Item.UserHive) | Out-Null
    }
 
    #####################################################################
    # This is where you can read/modify a users portion of the registry 
 
    # This example checks for a key, adds it if missing, and creates / changes a DWORD in that key
    "{0}" -f $($item.Username) | Write-Output
    If (!(Test-Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement)) {
	    New-Item -Path registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Force | Out-Null
	}
    Set-ItemProperty registry::HKEY_USERS\$($Item.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement -Name “ScoobeSystemSettingEnabled” -Value “0” -Type DWord 
    
    #####################################################################
 
    # Unload ntuser.dat        
    IF ($item.SID -in $UnloadedHives.SID) {
        ### Garbage collection and closing of ntuser.dat ###
        [gc]::Collect()
        reg unload HKU\$($Item.SID) | Out-Null
    }
}

Checking whether each item already exists helps the RMM to get the proper exit code and not show the script as failed when run.

If your company is a MSP or wants to become one and automation just seems out of reach, then contact us to run your RMM for you.

Did I see your Indicators of Compromise?

Nobody wants to be hacked, breached, compromised, or whatever else they are calling it now. Here is a quick list of things to think about to keep your company safe:

Compromise Prevention

  • Keep track of your inventory, both software and hardware.
  • Make sure to properly dispose of these things (recycle or responsible destruction)
  • Scan your network for vulnerabilities
  • Patch or remediate everything you find
  • Manage your antivirus & keep it up-to-date
  • Keep your passwords complex & safely stored
  • Remove all users / accounts when no longer in use
  • Look at best practices to harden your computers / network to attacks
  • Monitor your network for strange activity (indicators of compromise)

If your company is concerned about security, then contact us to take care of it for you.

Slow Windows Roaming Profile Logins

Researching issues that several clients were having with slow Windows Roaming Profile logins and found that the common denominator was profiles being too large. Looked at Event Viewer and found nothing but Event ID 6005 – “The winlogon notification subscriber is taking long time to handle the notification event (Logon).” Looked at their Group Policy settings and found the folder that profiles were being saved in. Ran WinDirStat on the user.v6 folder and found some interesting details. It looks like downloads, Slack, Teams, and Zoom were taking up 13+GB of data that was then trying to be synced over the network. Looks like it is time to update the Group Policy to exclude some folders:If your company is looking to virtualize your servers or take them to the cloud, then contact us to setup migration evaluation.

GPO – Exclude directories in Roaming Profile

  1. Open Group Policy Management
  2. Edit the Roaming Profile policy
  3. Open User Configuration > Policies > Administrative Templates > System > User Profiles
  4. Enable – Exclude directories in roaming profiles
  5. Add the following directories – Downloads;AppData\Roaming\Slack;AppData\Roaming\Microsoft\Teams;AppData\Roaming\Zoom
  6. Ok your way out
  7. Open Windows Explorer and navigate to the user.v6 folder and delete the following folders:
    1. Downloads
    2. AppData\Roaming\Slack
    3. AppData\Roaming\Microsoft\Teams
    4. AppData\Roaming\Zoom
  8. Wait 15 minutes for changes to propagate then reboot the effected machines and login again.

If your company is using roaming profiles to keep employees agile in the office, then contact us to setup a group policy evaluation.

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2023- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]