Deleting Folders or Files

I recently ran into an error with a client’s off-site backup using Cloudberry to Backblaze B2 that simply said: file name segment must be no more than 250 bytes

Nice, right? Digging into the logs, I found that it was erroring out on an amazingly long .JS file a user had copied over with a bunch of personal files.

Enter SuperDelete on Github. Download it from the release page or compile it yourself, move it to the problem folder and let it do its magic. Simply run the executable (no installation necessary!) and name the file in question and you’re golden!

Disabling IMAP and POP Enabled for Mailboxes in Office365 Using Powershell V2 Module

I recently wrote about Microsoft’s new Powershell V2 Module and locating IMAP and POP enabled mailboxes using it. Now we’re going to get to disabling IMAP and POP to keep things secure! As of the date of this post (January, 2020) there are no new V2 modules to Set-CASMailbox, so we’ll have to use a V1 command. This will disable IMAP and POP across the tenant:

Get-EXOCASMailbox -Filter {IMAPEnabled -eq $True -or POPEnabled -eq $True} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

If you’d like to see a list of who will have the settings applied, you can add -whatif to the end

Locating IMAP and POP Enabled from Mailboxes in Office365 Using Powershell V2 Module

Using Microsoft’s recently released Exchange Online PowerShell V2 Module, we can easily find IMAP and POP from mailboxes in Office365 via Powershell.

Finding IMAP and POP Mailboxes, Powershell V2:

Get-EXOCASMailbox -Filter {IMAPEnabled -eq $True -or POPEnabled -eq $True}

If you’d like to disable, take a look at my next post about doing that!

Using Microsoft’s New Exchange Online PowerShell V2 module

Microsoft recently released a preview of their new Exchange Online Powershell module. One of the highlights is that it has built-in support for MFA-enabled admin accounts. One of my biggest pet peeves was that Microsoft made you jump through hoops and poorly supported MFA with their V1 module.

To get started, install the module from the Powershell gallery via

Install-Module -Name ExchangeOnlineManagement

Note only Powershell 5 is supported, with Powershell Core and 7 support coming… soon.

The commands have changed too. Get-Mailbox is still able to be run, but the new command is Get-EXOMailbox, which yields output more efficiently then its predecessor according to Microsoft, by changing what properties get shown and not including blank properties.

You can now connect via “Connect-ExchangeOnline” which creates an MFA-capable prompt. After you sign-in, you’re shown the new cmdlets!

Powershell One-Liner: Find all PST files on a workstation

For reasons I don’t want to get into, I’ve had to locate all PST files on a number of workstations. Plugging this one line Powershell command into our RMM, I was able to see what workstations had what files and upload them to Office365 for safe(r) keeping.

gci -path c:\ -recurse -include *.pst -erroraction 'silentlycontinue'|select-object fullname,lastwritetime | fl fullname

Office365 Powershell One-Liner: Find Emails Stuck in Users’ Outboxes

I wrote this quick and dirty one-liner to help monitor and find stuck emails in Exchange / Office365 mailboxes across a tenant and export the list as a CSV.

Get-Mailbox -ResultSize Unlimited | Get-MailboxFolderStatistics | Where-Object {$_.Name -eq "Outbox" -and $_.ItemsInFolder -gt '0' } | Select-Object Identity, FolderType, ItemsinFolder, FolderSize | Export-CSV "C:\CSVs\Outbox.csv"

Using ProcessExplorer Integration with VirusTotal

1. Download Process Explorer from its homepage here: Process Explorer

2. Extract the ZIP file contents to a folder of your choosing. If you don’t have a 3rd party Zip program (I recommend 7-Zip!) you can use Windows’ built-in one: right click the Zip file and select “Extract all…”

3. Double-click the file procexp.exe

4. Enable “Check”

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-enable-vt.png

The new column VirusTotal will be added automatically, and initially show “Hash submitted…”. After a few seconds it will show the results

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-vt-standard.png

5. Processes that are running as System and not as a standard user won’t show a VirusTotal result until Process Explorer is restarted with elevated permissions

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-admin-launch.png

You may see a UAC prompt here… click Yes. After a few seconds, we will see the VirusTotal result for every process:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-admin.png

A VirusTotal result of 0/55 means that 55 anti-virus products have checked the file and that non of them have detected anything awry!

Click the result/link to open the detailed report in a web browser. There you’ll find when the scan was done and other useful information like what anti-virus products detected anything and what type of possible infection/malware.

Example of a VirusTotal detection:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)

   Note If only one AV detected something chances are that it’s a “false positive” (wrongly detected) and that the file is clean. Click the VirusTotal link to get more details about it. 6. If you have processes that show “Unknown” in the VirusTotal column, it means that specific file and version has never been uploaded to VirusTotal. To automatically upload these files to VirusTotal select this option:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-submit-unknown.png

7. To submit a file to VirusTotal manually, any file (not only “Unknown” ones), which means to upload and re-scan the file, double click a process, go to the Image tab and click the button below named “Submit”

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-submit-one.png

You can then exit the Properties window and wait until you see a result in the VirusTotal column for that process. It’ll take a few minutes.
8. You can also do a VirusTotal check for all the DLL files a process uses. Select a process and press Ctrl+L to toggle the lower pane. It will submit the file hashes to VirusTotal and show the result after a few seconds:

Process Explorer + VirusTotal (to check all processes with 50+ AV's)-pe-lower-pane.png

If you find more than one suspicious process and want to terminate them, it’s recommended by Mark Russinovich, the father of Process Explorer, to first suspend (via right click menu) them. As the vast majority of malware infections include multiple processes that can easily restart each other when a single one is killed, suspending first is a much safer way.

WordPress Error: There has been a critical error on your website. Please check your site admin email inbox for instructions. Learn more about debugging in WordPress.

There has been a critical error on your website. Please check your site admin email inbox for instructions. Learn more about debugging in WordPress.

I encountered this error recently and while WordPress was operational, I could not access the admin dashboard.

The resolution for me was to access my CPanel / file manager for my WordPress back end and rename the WP-Content/Plugins folder to PluginsOLD, which effectively disabled all plugins. After this, I was able to access the admin dashboard and then one by one move the plugins back into a new Plugins folder until one broke the dashboard again… and there you have your problematic plugin!

Managing Alerts for Non-Certified Dell Drives in OpenManage

The pricing for Dell physical drives, especially in servers is often outrageously expensive. Of course, they come with Dell ProSupport so often the price is worth it. Sometimes though, you’ll need to buy and use drives that are not from Dell. If you do this, OpenManage will throw alerts about being non-certified, which will throw off monitoring. Here is the fix:

Open stsvc.ini located in either C:\Program Files\Dell\SysMgt\sm or C:\Program Files (x86)\Dell\SysMgt\sm depending on whether you have the 32-bit/64-bit version. Next, look for the section near the top that reads

; nonDellCertified flag for blocking all non-dell certified alerts.

Change NonDellCertifiedFlag=yes to NonDellCertifiedFlag=no and save the file. Lastly, restart the Dell OpenManage service, called DSM SA Data Manager, in your Services Manager. Voila!