Bypass / Remove Windows Evaluation Restart

I ran into this one recently on a VM I run for Windows – I let the evaluation license expire but couldn’t recreate a new VM.

Even though I am logged in with an administrator account, I do not have access to disable the service that checks and reboots the computer. To disable this service, you can do the following:

  1. Download PsExec tools from Microsoft site here
  2. After downloading, extract the files to any folder
  3. Open cmd and Run as administrator
  4. cd to the folder path
  5. Execute psexec -i -s cmd.exe
  6. This will open another cmd prompt as shown below:
  7. Now type whoami to confirm you are the system (as shown below)
  8. Type services.msc as shown above
  9. This will open services and now you can navigate to Windows License Monitoring Service and disable it
  10. Restart the VM or computer and the service will be disabled, won’t start, and your machine will be good to go!

Office365: Order & Precedence of Protection Rules

Deep within Microsoft’s documentation ecosystem lies this document – the order in which various spam filters are applied to incoming emails!

The order of processing for the email protection types isn’t configurable, and is described in the following table:

| Order | Email protection | Category | Where to manage |
|---|---|---|---|
| 1 | Malware | CAT:MALW | Configure anti-malware policies in EOP |
| 2 | High confidence phishing | CAT:HPHSH | Configure anti-spam policies in EOP |
| 3 | Phishing | CAT:PHSH | Configure anti-spam policies in EOP |
| 4 | High confidence spam | CAT:HSPM | Configure anti-spam policies in EOP |
| 5 | Spoofing | CAT:SPOOF | Spoof intelligence insight in EOP |
| 6* | User impersonation (protected users) | CAT:UIMP | Configure anti-phishing policies in Microsoft Defender for Office 365 |
| 7* | Domain impersonation (protected domains) | CAT:DIMP | Configure anti-phishing policies in Microsoft Defender for Office 365 |
| 8* | Mailbox intelligence (contact graph) | CAT:GIMP | Configure anti-phishing policies in Microsoft Defender for Office 365 |
| 9 | Spam | CAT:SPM | Configure anti-spam policies in EOP |
| 10 | Bulk | CAT:BULK | Configure anti-spam policies in EOP |
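
An added example (not from the original post or from Microsoft's documentation): it reads the CAT value stamped on delivered messages and sorts them by the order in the table above, so the categories processed first surface first in a triage queue. It assumes the verdict is carried in the X-Forefront-Antispam-Report header as semicolon-separated KEY:value fields; the sample messages are constructed.

```python
import re
from email import message_from_string

# Processing order copied from the table above: CAT value -> (order, protection).
ORDER = {
    "MALW": (1, "Malware"), "HPHSH": (2, "High confidence phishing"),
    "PHSH": (3, "Phishing"), "HSPM": (4, "High confidence spam"),
    "SPOOF": (5, "Spoofing"), "UIMP": (6, "User impersonation"),
    "DIMP": (7, "Domain impersonation"), "GIMP": (8, "Mailbox intelligence"),
    "SPM": (9, "Spam"), "BULK": (10, "Bulk"),
}
UNRANKED = (99, "not in table")  # e.g. CAT:NONE or a message with no header

def parse_report(value):
    """Turn 'KEY:val;KEY:val' into a dict, tolerating folded header lines."""
    value = re.sub(r"\r?\n[ \t]+", "", value)  # undo header line folding
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")  # first ':' only (IPv6 CIP)
        if sep and key:
            fields[key.upper()] = val.strip()
    return fields

def category(msg):
    """Return the CAT value of a parsed message, or '' if the header is absent."""
    report = msg.get("X-Forefront-Antispam-Report", "")
    return parse_report(report).get("CAT", "").upper()

def triage(raw_messages):
    """Return (subject, CAT, protection) rows sorted by the table's order."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        cat = category(msg)
        order, name = ORDER.get(cat, UNRANKED)
        rows.append((order, msg["Subject"] or "", cat, name))
    return [(s, c, n) for _, s, c, n in sorted(rows)]

# Constructed sample messages (not real mail); the second header is folded.
SAMPLES = [
    "Subject: weekly deals\nX-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;SCL:5;CAT:SPM;DIR:INB\n\nbody",
    "Subject: invoice.zip\nX-Forefront-Antispam-Report: CIP:198.51.100.9;CTRY:US;\n\tSCL:9;CAT:MALW;DIR:INB\n\nbody",
    "Subject: team lunch\nX-Forefront-Antispam-Report: CIP:192.0.2.4;SCL:1;CAT:NONE;DIR:INB\n\nbody",
    "Subject: CEO request\nX-Forefront-Antispam-Report: CIP:192.0.2.88;SCL:5;CAT:UIMP;DIR:INB\n\nbody",
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```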

Finding Windows Services That Are Stopped That Should Be Started With PowerShell

This was a scriptlet that got heavy use on servers and even in our RMM. It can report back services on Windows servers and desktops that are in the Stopped state but are set to Auto or Enabled.

GWMI is short for Get-WmiObject

GWMI win32_service -Filter "startmode = 'auto' AND state != 'running'"  | select DisplayName, Name, StartMode, State, ExitCode | ft -auto

Find All PST Files Via PowerShell

This script came in handy for various purposes! I used this in my RMM tool to report on how many and where PST files may be lying. This was helpful for machines that were re-used. You can narrow down the folder list using the -path parameter.

gci -path c:\ -recurse -include *.pst -erroraction 'silentlycontinue'|select-object fullname,lastwritetime | fl fullname