Windows 7 Lost the Menus After Virus

Posted at 2:48:57 PM in Recovery (44)

I lost the right side of the Windows 7 Start menu. All the program shortcuts showed up, but Documents, Pictures, Music, Connect To, Control Panel, Devices and Printers, Default Programs and Help and Support didn't show. The %temp%\smtmp folder was present, but all the shortcuts there were restored.

I restored the right-side menu by right-clicking on the Start button and selecting Properties, then the Customize button on the Start Menu tab. At the bottom of the Customize Start Menu dialog is a button labelled "Use Default Settings". I clicked that button, then OK and Close, and all the right-side options showed again.

Written by Leonard Rogers on Tuesday, January 17, 2012 | Comments (0)

consrv.dll virus

Posted at 2:35:10 PM in Recovery (44)

I have a Windows 7 64-bit laptop that had a virus, obviously, as it hid all the icons on the desktop and files. I ran Unhide, Malwarebytes and TDSSKiller and thought I got rid of it. But a new virus popped up a couple of days later, so I knew there had to be a rootkit that wasn't discovered before. When I ran ESET's online virus scanner, I didn't clear the check mark and it removed the virus-infected file. Unfortunately, I can't get back into it. I'm certain the registry thinks that file is required to start up. It boots, tries to repair, then boots and tries to repair.

I am able to get in using a Windows PE boot disk and I can get in using the Windows 7 startup disk, but I have no idea what I'm looking for. The file that was removed, as it shows in the ESET log, is C:\Windows\system64\consrv.dll. It says it's a Win64/sirefif.e trojan. The file is no longer in that directory. ESET cleaned by deleting - quarantined.

This was a post I had placed to get help repairing the registry so I could get back into the laptop after ESET had quarantined the consrv.dll file. When this file was removed, it prevented access to the laptop and kept asking to repair the Windows 7 installation. That process failed with a message that any new hardware or software should be removed and to try again. This wasn't very easy to do since I had no access to the PC except through Windows PE.

Through Windows PE, I was able to load the hive from the laptop's system32\config directory. The Windows 7 registry is a little confusing now. There appear to be a couple of files named SYSTEM and one named SYSTEM.LOG2. One of the files named SYSTEM is only 1K; the actual registry is a much larger file. When loading an external hive, there is no CurrentControlSet, so I had to edit both ControlSet001 and ControlSet002.

Open the registry to HKLM\ControlSet001\Control\Session Manager\SubSystems and, in the value named Windows, look for the string consrv:ConServerDllInitialization,2. That consrv entry is calling the consrv.dll virus file; if the file gets removed, you won't be able to get back into the OS. Change consrv to winsrv and reboot. Make sure to change both ControlSets.
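The same check and repair, scripted: this is an added example, not from the original post, and it assumes the laptop's Windows volume is mounted as D: inside Windows PE and that PowerShell is available in that PE image. It goes slightly beyond the post by auditing every ServerDll= entry in both control sets against the stock module names rather than only looking for the consrv string.

```powershell
# Added example: audit and repair the SubSystems\Windows value in an offline SYSTEM hive.
# Assumptions: run from Windows PE, the laptop's Windows volume is D:, PowerShell is present.
$HivePath  = 'D:\Windows\System32\config\SYSTEM'
$MountName = 'OfflineSys'                      # appears as HKLM\OfflineSys while loaded
$Backup    = 'D:\subsystems-backup.txt'        # copy of each original value before editing
$Expected  = @('basesrv', 'winsrv', 'sxssrv')  # stock Windows 7 ServerDll modules

reg.exe load "HKLM\$MountName" $HivePath | Out-Null
try {
    foreach ($cs in 'ControlSet001', 'ControlSet002') {
        $path = "$MountName\$cs\Control\Session Manager\SubSystems"
        $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, $true)
        if ($null -eq $key) { Write-Host "$cs : no SubSystems key, skipping"; continue }

        # Read the raw REG_EXPAND_SZ so %SystemRoot% is not expanded with WinPE's environment.
        $raw = $key.GetValue('Windows', '',
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        # Every ServerDll=<module>[:<entry>],<n> token should name a stock module.
        $suspect = [regex]::Matches($raw, 'ServerDll=([A-Za-z0-9_]+)') |
            Where-Object { $Expected -notcontains $_.Groups[1].Value }

        if (-not $suspect) {
            Write-Host "$cs : ServerDll entries look stock"
            $key.Close(); continue
        }
        foreach ($m in $suspect) {
            Write-Warning "$cs : unexpected ServerDll module '$($m.Groups[1].Value)'"
        }

        # Keep the original, then put winsrv back in front of the console server entry
        # (the manual fix described above).
        Add-Content -Path $Backup -Value "$cs`t$raw"
        $repaired = $raw -replace 'ServerDll=consrv:ConServerDllInitialization',
                                  'ServerDll=winsrv:ConServerDllInitialization'
        $key.SetValue('Windows', $repaired, [Microsoft.Win32.RegistryValueKind]::ExpandString)
        $key.Close()
        Write-Host "$cs : repaired, original saved to $Backup"
    }
}
finally {
    [GC]::Collect()                            # release registry handles before unloading
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Any module name the script flags other than consrv is reported but left alone, so you can look at it before deciding what it should be.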

Written by Leonard Rogers on Tuesday, January 17, 2012 | Comments (3)

RDP printing from Windows XP and Microsoft 2008 R2 servers

Posted at 3:14:39 PM in Installations (48)

Easy Print RDP printing

Well, it's supposed to be easy. On my Windows XP clients, the printers were all showing up on the server as remote printers with the session ID attached to the end, just like they were supposed to, but nothing would print. Nothing showed up in the print queue; print jobs just vaporized. After much research, I discovered this happens when you install the Remote Desktop Session Host role on the domain controller. Microsoft recommends against it. They suggest you install the RDP host on a separate server, and most companies where I see this done use Hyper-V and install the DC and the RDP host on the same box as separate virtual servers. I'm not sure if there is a licensing issue with this and I prefer not to play around with it. I don't like virtual servers anyway, as problems with one server DO affect the other virtual servers on the same machine. So, one server, multiple roles... What do we do?

One of the frequent indicators is a system log message indicating that a print job was rejected with an error stating access was denied. This apparently refers to the print spool folder. Microsoft suggested using Cacls.exe, but that program is deprecated in Server 2008 R2 and its replacement, Icacls.exe, didn't work. Apparently a method that does work is to modify the security rights with Windows Explorer and grant the group Everyone full access (instead of just the Change rights suggested by Microsoft).

I found one site that had this suggestion, but one contributor suggested this has its problems and recommended changing the print spool directory and granting access rights to that directory on the domain controller. This is the option I chose and it worked. I haven't been able to find the contributor's web page; if I find it, I'll post it here. These are the procedures I followed:

On the domain controller:

  1. Create a folder on the root of the drive.
  2. Grant Authenticated Users modify rights to that folder.
  3. Open the Devices and Printers control panel and highlight a printer (any printer; this shows additional options on the toolbar at the top of the window).
  4. Select Print Server Properties.
  5. Select Advanced tab.
  6. Enter the folder name you created on the root of the drive (there is no browse button).
  7. Click OK. This will pop up a window indicating that the changes will take effect immediately and that you should ensure no jobs are printing. No reboot is required.
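The same procedure as a script, for when you want it repeatable across servers. This is an added example and not the post's own commands; the folder name D:\Spool is an assumption, and the DefaultSpoolDirectory registry value is what the Print Server Properties dialog writes behind the scenes.

```powershell
# Added example: relocate the print spool folder on a Server 2008 R2 domain controller
# and grant Authenticated Users Modify on it. D:\Spool is an assumed folder name.
$SpoolDir = 'D:\Spool'
$PrintKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'

# Refuse to move the folder while anything is still printing (the dialog warns about this).
$jobs = @(Get-WmiObject -Class Win32_PrintJob)
if ($jobs.Count -gt 0) {
    throw "$($jobs.Count) print job(s) still queued; wait for them to finish first"
}

# Steps 1-2: create the folder and grant Authenticated Users (well-known SID S-1-5-11)
# Modify rights, inherited by subfolders (CI) and files (OI). The SID form avoids
# depending on the localized group name; /grant adds to the existing ACL.
New-Item -Path $SpoolDir -ItemType Directory -Force | Out-Null
icacls.exe $SpoolDir /grant '*S-1-5-11:(OI)(CI)M' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Steps 3-7: Print Server Properties > Advanced > Spool folder is this registry value.
# The dialog applies it immediately; when set directly, restart the spooler instead.
Set-ItemProperty -Path $PrintKey -Name DefaultSpoolDirectory -Value $SpoolDir
Restart-Service -Name Spooler

# Verify: the service is back up and the spooler now points at the new folder.
$current = (Get-ItemProperty -Path $PrintKey).DefaultSpoolDirectory
"Spooler: $((Get-Service -Name Spooler).Status); spool folder now: $current"
```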

The minimum requirements for Windows XP to properly use Easy Print are Service Pack 3, .NET 3.0 (I assume or above) and RDP 6.1. My machines have SP3, .NET 3.5 SP1 and the correct RDP (found here). I thought it a bit odd that the download states version RDP 7.0, but there's nowhere to identify that version in the client software. I right-clicked on the shortcut in order to find the mstsc.exe file that is the executable for RDP, selected Find Target, right-clicked on mstsc.exe and selected Properties, then looked at the program version info. It says the product version is 6.1.7600.16385, which meets the requirements of Easy Print, but I don't know where the 7.0 is supposed to show up. I also noticed that the remote printers sometimes take a bit of time to start populating Devices and Printers on the RD server. If they aren't there right away, check back in a few minutes and they should show.

Tags: Remote Desktop Printing, Easy Print RDP printing, DC and Remote Desktop Host Role on same Server

Site research articles:

Note: In the above article, they say to use Cacls.exe, but in Microsoft Server 2008 R2, if you run that command an error message comes up stating that Cacls.exe is deprecated and to use iCacls.exe. However, the command line arguments are not valid for iCacls.exe. They should translate to icacls.exe PRINTER /grant users:M. The /e was to keep the existing permissions, which is not needed with icacls. If you want to replace the current permissions instead, you add :r to the /grant portion, so it appears as /grant:r users:M (see here for a complete explanation of the options). The previous C granted the user Change rights; that would now be M for Modify rights. However, when I ran this, it did not work. Apparently, if you are on a domain controller, there are certain file protections installed that prevent granting user rights to this folder.

Written by Leonard Rogers on Thursday, January 12, 2012 | Comments (1)