Is it posible to read a certificate out from registry without booting windows, if you know login credentials and computer name.
I have writen a little tool which automate copying of data from standard windows user folders like my document.
This tool is then part of live linux distro which we use to copy users data when we making transition from previous to our IT. Only problem is that we can't get certifikates this way and i'd like to solve this, if it's possible.
This program can read from the Windows registry Hives under Linux: http://pogostick.net/~pnh/ntpasswd/ .
I don't know where the certificates are stored or in what format, but they're in the registry somewhere. Check MSDN for information or do a registry diff before and after storing a cert.
Betcha they're DER-encoded binary keys.
Related
When I want to check in my registry for changing keys for bitlocker I don't seem to have this location:
HKLM\Software\Policies\Microsoft\FVE
The FVE map isn't there. So I also can't change these keys with PowerShell.
Its a local computer, not in a domain.
Anyone know how I can solve this?
You need to Edit local group policy. Located here:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength
You will also need to install the MBAM Client in order for that reg hive to appear.
Once you enable the GPO and install the MBAM Client you will be able to change what you want within the registry. However, local group policy works just fine in this case.
I'm attempting to use the wget program to retrieve and save a list of data from my Siemens S7-1200 PLC. Using a batch file I had written I was able drill down the folder path to my wget.exe file. Upon running the wget executable I get the error message seen in the attached screenshot, labeled "Command Prompt Screenshot".
The command prompt shows me that I've "connected" and I know the username and password are correct because I can log into the PLC using my web browser. It's for those reasons I'm stumped on what the problem is.
Has anyone seen this before or can anyone point me in the right direction?
Thanks for the response Ken. I was actually able to get it working with the assistance of the Siemens technical support. Apparently my computer didn't like the way I was trying to pass it the username and password login credentials. Through Siemens TIA Portal software I was able remove the login restrictions, allowing all users access to reading data off the PLC and it works now. I've attached a copy of the exact batch file I used. Also, to make sure I'm adding as much detail as possible, I have the batch file and the wget.exe file saved to a folder on my c:\ drive. Functional wget batch file
I need the certificate from my smart card to be in the Windows service local sotre. I opened the store with mmc -> snap-in -> certificates.
I used different little tools to see informations(ATR etc.) about my smartcard and they all worked out.
I can see a lot of certificates there, but the one from my smartcard is missing in the store. The folder 'Smartcard trusted Roots' is empty. Windows gets the .cer/.pfx-data from smart cards automatically, right?
Or is there no chance, i can do it without using low-level programming(APDU-commands etc.)
First read this:
http://technet.microsoft.com/en-us/library/ff404288(v=WS.10).aspx
As it's written
A logged-on user inserts a smart card.
CertPropSvc is notified that a smart card was inserted.
CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store
So yes, gnerally certificates should pop up in User Personal Certificate Store automatically.
First thing to check is that you have CertPropSvc service runnig.
Another thing that I saw that some smart cards drivers doesn't work with Windows API. One example I know was old RSA tokens. We have changed them to Gemalto .NET cards and USB readers because of this
Note: In the artcle I linked it's written that this is valid for Windows 7 and 2008 but it worked for me on XP and Vista.
Does any one how to tell what folders are trusted when the ExecutionPolicy is set to RemotedSigned? I want to run a number of Powershell script of our network share (which is not mapped, hence using the full unc), but i do not want to have to digitally signed them all.
Any help would be great.
Thanks.
We have done this in the past by adding a registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains that names the server where the share resides. Under the EscDomains key, add a key that is the server name. Under that key, add a DWORD value with the name "file" and the value 2.
You need to do this on each machine that will run scripts from the server, but you can do that via group policy. There are security implications to this beyond running PowerShell scripts. I don't know if this will work if your computers are not in a domain. If there are better solutions, I look forward to learning about them.
For more information, see this KB article.
So, what happens when you run a script from UNC Path?
With RemoteSigned, you should be able to run all scripts written & run locally without a digital signature.
RemoteSigned
- Scripts can run.
- Requires a digital signature from a trusted
publisher on scripts and configuration files that
are downloaded from the Internet (including
e-mail and instant messaging programs).
- Does not require digital signatures on scripts that you have run
and that you have written on the local computer (not
downloaded from the Internet).
- Risks running unsigned scripts from sources other
than the Internet and signed, but malicious, scripts.
Unrestricted
- Unsigned scripts can run. (This risks running malicious
scripts.)
- Warns the user before running srcipts and configuration
files that are downloaded from the Internet.
Can any script or setting be written (autorun file?) to disable formatting of a USB Flashdrive? (Win XP, via Windows Explorer > Format)
I'm aware of write-protection, but I don't want to completely prevent modifying files, instead something like what a Group Policy setting could do?
Edit: Really what I'm asking for is a registry setting or else that I can modify on USB drive startup to tell Win XP not to format drive X:
Format the things as NTFS. That should give you sufficient security. You need admin rights to the volume to reformat the USB stick. Anyone with those rights can by definition disable any protection you could enable. If you allow Everyone to create and modify files in the root directory and below, users can still write files as demanded.
Registry key 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD' restricts the formatting and ejecting of external drives (see this helpful Microsoft spreadsheet full of registry keys that the Group Policy editor controls).
Set it to 'Administrators' or another group which you can trust not to go formatting where they shouldn't.