
Tuesday, 8 October 2024

Converting iCloud contacts for Outlook


iCloud to Outlook Contact conversion

At work, we need to more or less wipe all iPhones and put them under the control of a new MDM. That significantly limits what the users can do with their phones, but should strengthen security.

/* German Title: iCloud Kontakte in Outlook importieren */

The trouble is that some people have hundreds of contacts stored locally on their phones, which have been synced to their iCloud. While this is highly questionable from a GDPR point of view, it makes it rather easy to export the contacts in vcf format as vCards.

The downside: Outlook only reads the first entry in the file. And the character encoding did not match our Outlook settings, so it mangled the German umlauts.

So I needed to do two things:

  • split the one large vcf file into over a hundred individual ones
  • fix the character encoding, so it does not break the umlauts

Pretty easy to do so with a few lines of Python code:

 import os

 def split_vcf(file_path):
     # iCloud exports all contacts into one UTF-8 file, cards back to back
     with open(file_path, 'r', encoding='utf-8') as file:
         vcf_content = file.read()
     # every card ends with END:VCARD; the piece after the last one is only whitespace
     vcards = vcf_content.split('END:VCARD')
     vcards = [vcard.strip() + '\nEND:VCARD\n' for vcard in vcards if vcard.strip()]
     output_dir = 'split_vcards'
     os.makedirs(output_dir, exist_ok=True)
     for i, vcard in enumerate(vcards):
         output_file = os.path.join(output_dir, f'{i+1}.vcf')
         # Outlook is set to Western European (Windows); characters cp1252 cannot
         # represent (e.g. emoji) become '?' instead of aborting the whole run
         with open(output_file, 'w', encoding='cp1252', errors='replace') as file:
             file.write(vcard)

 if __name__ == '__main__':
     split_vcf('iCloud-vCards.vcf')


That will read a file "iCloud-vCards.vcf" and split the entries into individual files in a "split_vcards" subdirectory, while changing the encoding from utf-8 to "Western European (Windows)", i.e. cp1252.

It still does a few strange things like not setting the preferred telephone automatically, but all in all, nothing appears to get lost.
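A more robust variant of the splitter, added here as an example (not the author's script): it cuts on complete BEGIN:VCARD/END:VCARD blocks, keeps the CRLF line endings the export uses, and reports which characters cp1252 cannot represent rather than only turning them into '?'. The sample export is constructed; the helper names are my own.

```python
import re
from pathlib import Path

# One vCard is everything from BEGIN:VCARD to its END:VCARD. The export uses
# CRLF line endings, so DOTALL lets '.' span them.
VCARD_RE = re.compile(r"BEGIN:VCARD.*?END:VCARD", re.DOTALL)
FN_RE = re.compile(r"^FN:(.*?)\r?$", re.MULTILINE)


def split_vcards(export: str) -> list[str]:
    """Return every complete vCard in an iCloud export, in file order."""
    return [m.group(0) + "\r\n" for m in VCARD_RE.finditer(export)]


def display_name(vcard: str) -> str:
    """Formatted name (FN line) of a card, or '' if it has none."""
    m = FN_RE.search(vcard)
    return m.group(1).strip() if m else ""


def to_cp1252(vcard: str) -> tuple[bytes, set[str]]:
    """Encode a card for Outlook's 'Western European (Windows)' setting.

    Umlauts survive. Characters cp1252 has no code for (emoji, most non-Latin
    scripts) become '?' and are returned so the caller can report them instead
    of losing them silently.
    """
    lost = set()
    for ch in vcard:
        try:
            ch.encode("cp1252")
        except UnicodeEncodeError:
            lost.add(ch)
    return vcard.encode("cp1252", errors="replace"), lost


def split_file(src: Path, out_dir: Path) -> list[tuple[Path, str, set[str]]]:
    """Write one <n>.vcf per card into out_dir; return (path, name, lost chars)."""
    out_dir.mkdir(exist_ok=True)
    written = []
    # utf-8-sig drops the BOM some exporters prepend; it would otherwise end
    # up inside the first BEGIN:VCARD line.
    for i, card in enumerate(split_vcards(src.read_text(encoding="utf-8-sig")), 1):
        data, lost = to_cp1252(card)
        path = out_dir / f"{i}.vcf"
        path.write_bytes(data)
        written.append((path, display_name(card), lost))
    return written


# Constructed sample export (not real contacts): an umlaut name and an emoji.
SAMPLE_EXPORT = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jürgen Müller\r\n"
    "TEL;TYPE=CELL:+49 170 0000000\r\nEND:VCARD\r\n"
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Anna 😀 Schmidt\r\nEND:VCARD\r\n"
)

if __name__ == "__main__":
    for card in split_vcards(SAMPLE_EXPORT):
        data, lost = to_cp1252(card)
        print(display_name(card), len(data), "bytes, not representable:", lost or "none")
```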

Friday, 15 May 2020

Benefits of using hardware encoding on an Intel HD 630 with ShotCut

CPU Power vs GPU for Video Processing

My preferred video editor
Shotcut Video Editor

Hardware

My Fujitsu Esprimo Q957 is more of an office PC than a video editing, coding, CAD or hardware experimenter's platform. But for the space it takes on my much-too-small desk, it does an amazing job in all of the above disciplines.
CPU-Z shows the GPU
So all in all, I didn't think the integrated GPU could help me get the jobs done more quickly.

Encoding on the Intel HD Graphics 630

A nearly 15 minute video I am currently working on needed an unusually high number of modifications, each with a lot of noise from the fans running at full speed.
100% CPU
This took nearly 8 minutes at an unpleasant noise level. Time to investigate alternatives...
Let's try that...
Involving the GPU is amazingly efficient. Less CPU usage and the GPU at a little over 50%, along with somewhat less noise.
CPU-wise this does not look like a massive difference, but it is.
The best part: Videos now encode in half the time. Much better than what I had expected from an integrated "Office-PC" GPU.
Success! Less than half the time :-)

PS: Here is the link to Shotcut (free and open source)

PPS: To my amazement, the tiny Fujitsu desktop easily outperforms my relatively recent Surface Laptop 2. The benchmark only shows a little over 10% difference ( https://cpu.userbenchmark.com/Compare/Intel-Core-i5-8350U-vs-Intel-Core-i5-7500T/m388461vsm218898 ), but the system takes 6 minutes for the same job as above, even with the help of its Intel HD 620.

Friday, 14 February 2020

USB drive recovery after partitioning problems


This article once again is a "note to self" so I remember how to fix my thumb drive after a screw-up experimenting with Linux:

In Windows 10, start "Windows PowerShell (Administrator)".
Start "diskpart", then:

DISKPART> list disk

  Datenträger ###  Status         Größe    Frei     Dyn  GPT
  ---------------  -------------  -------  -------  ---  ---
  Datenträger 0    Online          238 GB  1024 KB        *
  Datenträger 1    Online           29 GB  1024 KB

DISKPART> select disk 1

Datenträger 1 ist jetzt der gewählte Datenträger.

DISKPART> list disk

  Datenträger ###  Status         Größe    Frei     Dyn  GPT
  ---------------  -------------  -------  -------  ---  ---
  Datenträger 0    Online          238 GB  1024 KB        *
* Datenträger 1    Online           29 GB  1024 KB

DISKPART> clean

Der Datenträger wurde bereinigt.

DISKPART> create partition primary

Die angegebene Partition wurde erfolgreich erstellt.

DISKPART> active

Die aktuelle Partition wurde als aktiv markiert.

DISKPART> list part

  Partition ###  Typ               Größe    Offset
  -------------  ----------------  -------  -------
  Partition 1    Primär              29 GB  1024 KB

DISKPART>

Looks good now. At this point the drive shows up in Windows File Explorer and can be formatted from there.



Friday, 15 March 2019

Microsoft Surface DVI-Adapter problem solved

Mini-DP to DVI adapter problems with Microsoft surface

This problem affects all Microsoft Surface PCs (Surface Pro 4 and newer / Laptop 1+2) using the "brick" type dock rather than the older stands. Our good quality Eizo monitors turned black during work or were not recognized by the Surface PC when connected with a mini DisplayPort (MiniDP) to DVI cable or adapter.

Microsoft's recommendations

Microsoft recommends two adapters here on their website. Unfortunately none of these is available inside the EU at the moment. So I ordered the "Cable Matters mDP-to-DVI (model 101022)" directly from the US to try it out.
And sure enough it worked. But I need about 50 of them and would have to get someone to import them to Germany. Too much trouble for my suppliers.

First result:

  • Cable Matters model 101022 works perfectly

More research

I then ordered the other adapter from "gofanco" also directly from Amazon US. That has not arrived yet, but in the meantime, I had a closer look at the specs of the gofanco, specifically the chipset:
  • Chipset: Parade PS171

Use the force!

So if the Cable Matters adapter works, and the gofanco has a PS171 chipset, the next step is to find out what chipset Cable Matters uses. If it is the PS171, too, we have a well-founded theory.
Only one way to find out: We cracked the case open carefully to reveal this:
Inside the CableMatters 101022
I needed a microscope to be sure, but this is a PS171 chip. 

Alternatives to Microsoft's recommendation

The DeLOCK mini DisplayPort to DVI Adapter 62603 lists the same PS171 chipset on its spec sheet here. And it also shares other buzzwords like "Eyefinity" on the list.

I ordered one and I'll report back when we tried it out.
EDIT 2019-03-27:
We had one user testing the DeLOCK 62603 adapter for over a week without any problems. In the meantime, the gofanco adapter arrived from Amazon US. That one (being recommended by Microsoft) also works as expected.

Conclusion

For Microsoft Surface Pro (Version 4 and newer) and Surface Laptop (Version 1 and 2) with the new Surface dock, use miniDP to DVI adapters with the Parade PS171 chip.

Wednesday, 20 February 2019

SSTV from the ISS - or - How Windows 1803 ruined my weekend

Dell Latitude e6400 audio problems - or so I thought

Ok, I had noticed that for a while my trusty old Dell Latitude e6400 had stuttered on audio playback. But as I hardly ever use that Laptop for video or music, I didn't really care.
Big mistake!

SSTV weekend on the ISS

I was very happy to read that ARISS announced an SSTV event for February 8th to 10th. After some initial tests from home on Saturday, I decided that a trip to the open fields with some tech stuff to capture images from space was a great father & son activity.
The Saturday tests went ok with the antenna indoors and my daughter's laptop:
Not great, but promising SSTV image
So far so good. So I packed my SDRPlay RSP2pro, a HB9CV antenna, some cables and my Dell Laptop.

In the field

The plan was to capture the ISS-pass from 12:50 to 13:00 CET with SDRuno and process the captured I/Q data later. This went quite well and thanks to the fact that we could see all of the satellite band, we heard interesting FM traffic on 145.960MHz from stations all over Europe.

On a handheld, we would have missed this unexpected signal
When finally the ISS came into view, we saved the whole pass to a .wav I/Q file, at the same time trying to decode the SSTV on my mobile with BlackCat's SSTV app. This worked rather poorly, but as it was very windy, I didn't think much of it.
Despite that, I knew that audio on the laptop was a bit choppy. But that should not affect the I/Q recordings, which didn't pass through the sound driver.

Discontinuity!

Ok, once we had that, we wanted to see what we got and replayed the I/Q file to MMSSTV through VB Virtual Audio Cable. (Different PC than before.)
Ouch! That didn't work out.
Ok, I could even hear, when listening to the recording, that approx. every five seconds the interval between the sync pulses was shorter than expected. This meant that the Dell laptop completely froze every 5 seconds, and it was quite possibly not just a sound problem.

Windows 10 Version 1803 broke my Laptop

After re-installing drivers one by one from the Dell support website, it is extremely likely the storage driver was the culprit: after I had reinstalled the Intel Rapid Storage driver from Dell's site, the problem went away.

I also read here, that disabling the eSATA port in the BIOS fixes the problem. (At the cost of losing the eSATA port.)

Unfortunately my collection of SSTV recordings is pretty much unusable, unless I resort to filling in some silence or noise manually. That Sunday was fun but did not yield any results. (Apart from fixing my laptop in the process.)



Monday, 10 December 2018

iPhone / iPad driver missing after installation from Microsoft-Store

How to fix iPhone drivers manually

Install iTunes from Microsoft store

I installed the latest version of iTunes (Dec 2018 - 12.9.2.6) from the Microsoft Store. This was the first time I did that. All previous updates were either direct downloads or downloads from within iTunes itself.

No more drivers?!

Previous iTunes installers had uninstalled older versions and installed both the device drivers and iTunes. The version from the Microsoft Store app removed the old iTunes and its drivers, but did not install new device drivers.
This error message came up:
Missing drivers

Windows-Update vs Device-Manager

Although the error message in iTunes suggests trying windows-update, it really is the device-manager that does the trick. You can call it directly from the command line with: devmgmt.msc


And sure enough, there is an Apple iPhone listed there. But that is not sufficient. Right-click the iPhone and click "update drivers". Let the PC look for drivers on the internet.

Update success!!
It adds two new USB-Devices:

Back to iTunes

iTunes now fully recognizes the iPhone / iPad


It is not quite clear to me why the installer from the Microsoft-Store behaves that way, but anyway:
Problem solved.

Monday, 22 October 2018

Fix iPhone USB disconnects from Microsoft surface dock

iPhone 8 frequently disconnects - update your dock firmware

My iPhone 8 disconnected from my Microsoft Surface Laptop frequently, and reconnected immediately. I tried several cables, re-starting the phone & computer. Nothing helped.
This was especially annoying because I couldn't transfer photos and videos reliably from the phone.

Surface Dock updater

What solved it for me (at least for the moment), was to update the surface dock firmware.
I got the latest version from Microsoft here.
Microsoft dock updater

Several rounds needed?

I ran the updater three times (taking about 5 minutes for each round), following the instructions of the updater each time.
Finally re-running the updater reported:

Dock firmware fully updated
And that seemed to fix it. The iPhone now syncs with iTunes reliably and I can transfer data without disconnects.

Tuesday, 2 October 2018

How to build a low cost applause-o-meter

Building an applause-o-meter with a WS1361

1) The task

When a friend asked me if I could build an applause-o-meter (clap-o-meter, clapometer, applausemeter) for a concert, I thought that should be quick and painless. - I was wrong.
But not knowing what one is up against can be a blessing. And so it went:
Detail of the application: Progress bars as bargraphs


2) The Hardware

So I bought the cheapest sound level meter I could find at my favourite Chinese seller that sported a USB interface: the Wensn WS1361, also sold as HY1361.
See this blog post about the driver setup to get it up and running with the original software.
The other things needed for the applause-o-meter are a projector and a computer running a current version of Windows.

3) The software

For my purposes, the supplied software is pretty useless. So I set out to write my own software for reading the meter.

3.1 libusb-win32 vs libusb

While the SoundPCLink software relies on libusb-win32, I found a fantastic project for using libusb at libusb.info. Full support for Visual Studio 2017. Very handy.
You need to change the driver for the WS1361 from libusb-win32 to libusb (Winusb) with Zadig.
Change the driver with Zadig
If you don't see the WS1361 listed, check the "list all devices" option.

3.2 Simple c++ sound level reader

After the little time it took to understand the library, I wrote a very simple command line tool to read a single dB value from the meter:


 /*
  * ReadSoundMeter: Read dB value from WS1361 / HY1361 sound level meter
  * 2018-09 by AReResearch (Andy Reischle)
  * www.areresearch.net
  * Inspiration and many lines of code taken from
  * Pete Batard <pete@akeo.ie>'s example code for libusb, xusb.c
  */
 /* #include "pch.h"  -- only if your Visual Studio project uses a precompiled header */
 #include <stdio.h>
 #include <stdint.h>
 #include <stdarg.h>
 #include <libusb.h>   /* point the include path at your libusb checkout */

 /* The meter uses the shared libusb VID/PID pair (see the driver post) */
 static const uint16_t VID = 0x16C0;
 static const uint16_t PID = 0x05DC;

 static void perr(char const *format, ...)
 {
      va_list args;
      va_start(args, format);
      vfprintf(stderr, format, args);
      va_end(args);
 }

 /* Reads one value from the meter; returns dB, or -1 on any error */
 static double test_device(uint16_t vid, uint16_t pid)
 {
      uint8_t resultat[2] = { 0, 0 };
      libusb_device_handle *handle;
      int r;

      handle = libusb_open_device_with_vid_pid(NULL, vid, pid);
      if (handle == NULL) {
           perr(" Failed.\n");
           return -1;
      }

      /* Vendor request 0x04, device-to-host (bmRequestType 0xC0):
       * the meter answers with two bytes */
      r = libusb_control_transfer(handle, 0xC0, 0x04, 0, 0, resultat, sizeof(resultat), 1000);
      libusb_close(handle);
      if (r < 0) {
           fprintf(stderr, "Error during control transfer: %s\n", libusb_error_name(r));
           return -1;
      }

      /* 10-bit raw value in 0.1 dB steps, offset by the 30 dB floor of the 30-130 dB range */
      return ((resultat[0] + ((resultat[1] & 3) * 256)) * 0.1 + 30);
 }

 int main(void)
 {
      int r = libusb_init(NULL);   /* NULL = use the default libusb context */
      if (r < 0)
           return r;
      printf("%f\n", test_device(VID, PID));
      libusb_exit(NULL);
      return 0;
 }

3.3 And some visual basic

Writing a Windows forms application in C++ turned out a lot harder than expected. It feels like Microsoft had never even intended that to go smoothly.
So I took an extremely ugly approach to call the above command line tool and read its output into a Visual Basic Windows Forms application. The way I did that eats half the CPU power of a brand new i5 machine.
But I needed a quick solution. After the better half of a night of coding, I had a working version.

applause-o-meter GUI (German)
As you might see from the screenshot (German, sorry), the idea is to have three contesting pieces of music per group and three groups.
The audience can "vote" one of the three pieces of each group to be played fully that evening.
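The same decoding as in test_device() above, plus the per-piece scoring behind the bargraphs of section 3.3, as an added Python example (not the author's C++ or Visual Basic code). The raw two-byte answers are constructed, not captured from a meter; the class and function names are my own.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# What the C tool above sends: bmRequestType 0xC0 (vendor request, device-to-host)
# with bRequest 0x04; the meter answers with two bytes.
REQUEST_TYPE = 0xC0
REQUEST_READ = 0x04
RANGE_FLOOR_DB = 30.0     # meter left on its 30-130 dB range
RANGE_SPAN_DB = 100.0


def decode_reading(raw: bytes) -> float:
    """Turn the meter's 2-byte answer into dB, with the arithmetic of test_device()."""
    if len(raw) != 2:
        raise ValueError(f"expected 2 bytes from the meter, got {len(raw)}")
    # 10-bit value in 0.1 dB steps: low byte plus the two low bits of the high byte;
    # the upper six bits of the high byte are ignored
    ticks = raw[0] + (raw[1] & 0x03) * 256
    return round(ticks * 0.1 + RANGE_FLOOR_DB, 1)


@dataclass
class ApplauseMeter:
    """Collects readings per piece while the audience applauds, then ranks them.

    The GUI shows one progress bar per piece; peak() and bargraph() are the
    numbers behind such a bar.
    """
    readings: dict[str, list[float]] = field(default_factory=dict)

    def record(self, piece: str, raw: bytes) -> float:
        """Store one raw meter answer for `piece` and return it in dB."""
        db = decode_reading(raw)
        self.readings.setdefault(piece, []).append(db)
        return db

    def peak(self, piece: str) -> float:
        return max(self.readings.get(piece, [RANGE_FLOOR_DB]))

    def average(self, piece: str) -> float:
        values = self.readings.get(piece)
        return round(sum(values) / len(values), 1) if values else RANGE_FLOOR_DB

    def bargraph(self, piece: str, width: int = 40) -> str:
        """Text bar scaled over the 30-130 dB range, like the progress bars in the GUI."""
        filled = round((self.peak(piece) - RANGE_FLOOR_DB) / RANGE_SPAN_DB * width)
        filled = max(0, min(width, filled))
        return "#" * filled + "." * (width - filled)

    def winner(self) -> str:
        """Piece with the loudest peak; ties go to the piece recorded first."""
        return max(self.readings, key=self.peak)


# Constructed raw answers (not captured from a real meter):
# ticks 300 = 60.0 dB, ticks 550 = 85.0 dB, ticks 700 = 100.0 dB.
SAMPLE = {
    "Bach, Toccata": [bytes([0x2C, 0x01]), bytes([0x26, 0x02]), bytes([0xBC, 0x02])],
    "Piece B": [bytes([0x2C, 0x01]), bytes([0x26, 0x02])],
}

if __name__ == "__main__":
    meter = ApplauseMeter()
    for piece, answers in SAMPLE.items():
        for raw in answers:
            meter.record(piece, raw)
    for piece in SAMPLE:
        print(f"{piece:15} {meter.bargraph(piece)} peak {meter.peak(piece):5.1f} dB")
    print("winner:", meter.winner())
```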

4) The performance

A few brief words explaining the voting procedure was all that it took. This was the first time that had been done in church music, and as part of a city-wide cultural event, it was received very well by the audience.

Showing the results after the performance
Unsurprisingly, J.S. Bach's Toccata in d-minor made it 1st among the 12 pieces.



PS: The Visual Basic code is quite ugly and needs some tidying before publication. If you are in dire need of a clap-o-meter, please leave a note in the comments and I will make the code available regardless of its shortcomings.



Interesting WS1361 links:

Wednesday, 19 September 2018

The weird and wonderful world of the WS1361 sound level meter USB driver

WS1361 / HY1361 sound level meter

When I had the need to build an applause-o-meter, I thought I'd go the easy route and buy a cheap sound pressure meter with a USB interface. What could possibly go wrong?
It is bigger than it looks here

About the meter

As seen so often, the identical meter appears under several manufacturer labels:
  • Hongyan / Hong Yan HY1361
  • Wensn WS1361
  • Unmarked HY 1361 (My device)
There is also a model with a card slot on the market (WS1361C / HY13611). I didn't need recording, but I'll crack the device open some time to see if I can fit an SD module.

I don't know any details about these meters:

  • Benetech GM1356 digital usb noise level meter
  • CHEER GM1356 digital usb noise level meter
  • Sinokit SK1356 
These look like the WS1361 with the exception that they have no card slot. The WS1361 card slot is sealed with the QC label. Please let me know if you have one of these meters. They might run the same protocol.
Then again, the Tondaj SL-814 also looks similar, but runs a serial protocol on what looks like a USB port. It needs a cable with a Prolific PL2303 chip to connect to USB. So a similar appearance can be misleading.


The tripod mount is a nice touch, especially since the case does creak when not handled carefully. Apart from better scaling on the LCD bar graph, I can't see any reason why I should change the ranges from the 30-130 dB setting. Neither the resolution on the PC nor on the LCD changes, as we're used to seeing on multimeters.

USB Driver issues

After ordering the meter, I did a little research and prepared for the worst: No signed drivers, proprietary protocol.... a nightmare.
Things could have been so easy if the meter had presented itself as a serial interface.

The device manufacturer's web site might be this one. With installation instructions here. And a software download page here.
The instructions include disabling driver signature enforcement. Not such a great idea.
So I decided to have a closer look.

USB Details

Ok, so the important bits are:
Vendor ID: 16C0
Product ID: 05DC

This Vendor ID is registered to voti.nl. Further research shows that the product ID has been reserved as a "shared ID for use with libusb". Not a great choice for a consumer product. But then again not really a problem.

The same VID/PID seems widely used for the USBasp Atmel programmer (ISP).
That also explains why the .inf file in the driver is called usbasp.inf and why the .cat file's signature does not match the .inf file. Probably because the whole driver set has been "borrowed" from there and modified.

New drivers?

While the sound meter's driver, as well as older drivers I found, relied on libusb-win32, the later versions available for the USBasp use libusbK in a version from 2015. Unfortunately the .inf is not signed there either.

Different approach - Zadig

So what it all boils down to is that the above Vendor/Product ID pair needs to be associated with a generic USB driver. The driver disc that came with the meter had libusb-win32 on it.
There is another option besides having a signed driver, well known to everyone who has tried using an RTL-SDR receiver on Windows: Zadig.
There are numerous versions of this floating around. Get the latest version from the Zadig web site.
Zadig
On my system, the WS1361 is instantly recognized. As the SoundLink software appears to rely on libusb-win32, choose that as the target driver for the WS1361. Zadig installs the driver without any complaints.

Success

And sure enough, the SoundLink software is happy with that:
SoundPCLink Software
As with many cheap Chinese instruments, the software is very limited in its abilities. So based on the fact that it uses libusb-win32, it should be possible to write my own code. There are some hints in the links below.

Interesting WS1361 links:

Friday, 14 September 2018

How to remove unwanted drivers from Windows 10

Remove unwanted USB device drivers (Win7 to Win10)

Why would you want to remove drivers from the Windows driver store?

I need to remove drivers on two occasions:

  • When I screwed up designing my own USB devices with V-USB
  • When experimenting with SDR (software defined radio) receivers

Locate the offending driver

Microsoft documents the process here. You need an elevated shell (admin shell). Both CMD and PowerShell are fine.
Type:
pnputil -e
This will list the drivers in the driver store.
The output should look like this:

Excerpt of pnputil's output.

Remove the driver from the Windows driver store

If (for argument's sake), this was the offending driver:

Veröffentlichter Name:            oem123.inf

Treiberpaketanbieter:   SDRplay Ltd
Klasse:                     Audio, Video und Gamecontroller
Treiberversion und -datum:   08/26/2017 5.22.11.11
Name des Signaturgebers:               Microsoft Windows Hardware Compatibility Publisher

The driver can be removed using its oemXYZ.inf identifier:

pnputil -d oem123.inf

This will remove the driver package from the driver store. If the device is busy, you can try the -f option to force the removal.
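To pick the right oemNNN.inf out of a long driver store listing without reading it by hand, here is an added Python parser for the "pnputil -e" output (my example, not from Microsoft's documentation or the page). It recognises a package by its published name rather than by the localized labels, so the German listing above and an English one parse the same way. The sample listing is constructed; only the SDRplay entry mirrors the excerpt above.

```python
from __future__ import annotations
import re
import subprocess

OEM_RE = re.compile(r"^oem\d+\.inf$", re.IGNORECASE)


def parse_pnputil_enum(output: str) -> list[dict[str, str]]:
    """Split 'pnputil -e' output into one dict per driver package.

    Labels are localized, so a new package is recognised by its value: the
    published name always looks like oemNNN.inf. Lines without a colon (the
    utility banner) are ignored, as are blank lines inside a record.
    """
    packages: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if OEM_RE.match(value):
            current = {"published_name": value.lower()}
            packages.append(current)
        elif current is not None and value:
            current[key] = value
    return packages


def find_packages(packages: list[dict[str, str]], provider: str) -> list[str]:
    """Published names of every package whose provider field equals `provider`.

    The provider label differs by language ('Treiberpaketanbieter' vs
    'Driver package provider'), so any field carrying that exact value counts.
    """
    wanted = provider.casefold()
    return [
        p["published_name"]
        for p in packages
        if any(v.casefold() == wanted for k, v in p.items() if k != "published_name")
    ]


def removal_commands(names: list[str], force: bool = False) -> list[str]:
    """One 'pnputil -d' line per package; add -f only if the plain removal fails."""
    return [f"pnputil -d {name}" + (" -f" if force else "") for name in names]


def enumerate_driver_store() -> list[dict[str, str]]:
    """Run pnputil -e (needs an elevated shell on Windows) and parse its output."""
    result = subprocess.run(["pnputil", "-e"], capture_output=True, text=True,
                            errors="replace", check=True)
    return parse_pnputil_enum(result.stdout)


# Constructed listing with German labels; the banner line is a placeholder and
# the second package is made up.
SAMPLE_OUTPUT = """Microsoft PnP Utility

Veröffentlichter Name:            oem123.inf

Treiberpaketanbieter:   SDRplay Ltd
Klasse:                     Audio, Video und Gamecontroller
Treiberversion und -datum:   08/26/2017 5.22.11.11
Name des Signaturgebers:               Microsoft Windows Hardware Compatibility Publisher

Veröffentlichter Name:            oem7.inf
Treiberpaketanbieter:   Example Devices Inc.
Klasse:                     USB-Geräte
Treiberversion und -datum:   01/01/2018 1.0.0.0
Name des Signaturgebers:               Example Devices Inc.
"""

if __name__ == "__main__":
    found = find_packages(parse_pnputil_enum(SAMPLE_OUTPUT), "SDRplay Ltd")
    print("\n".join(removal_commands(found)))
```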

Reinstall driver

When you re-connect the device, it will prompt for a driver.

This procedure has always worked for me when I needed to start over with odd USB devices.

Friday, 5 January 2018

Firefox FF Protecter malware plugin

FF Protecter [sic!]

Probably everyone who "knows about computers" has a nice elderly lady whose request to take a look at her PC he cannot refuse.

Scareware?

The mere fact that I could not make sense of the lady's call for help suggested that some form of scareware was involved. Impossible to qualify that sensibly over the phone.
So I put the kids to bed and got in the car.

Scareware!

The first impression was unambiguous: Firefox had covered the whole screen and thrown up all kinds of obscure warning windows in somewhat clumsy German:

Very ugly!
None of the windows could be closed any more. Task Manager showed no suspicious processes, and the Firefox process could be ended from Task Manager. That put an end to the spook.
In cases like this I first check with Autoruns whether any programs are started in the user's context. The lady does not have administrative rights.
Which is a good thing, because the "Downloads" folder contained several suspect installers for "Recovery" programs. Had the installation succeeded, the situation would have become more unpleasant.

Plugins

Firefox initially started normally again. But not for long: after a few clicks, advertisements for potency pills popped up over otherwise innocuous websites. An indication that the cause of the problem lies somewhere around Firefox. So let's take a look at the plugins...
Oops... the installed plugins cannot be displayed. Obviously a piece of malware is protecting itself.

Safe mode

So I started Firefox with the "Shift" key held down, and the plugin manager was accessible again.

FF Protecter

Two entries matched the start of the problems very nicely by date. Both plugins called themselves "FF Protecter" [sic!]. After uninstalling them there were no more anomalies.

A Google search for "FF Protecter" returned no hits. Searching for the alleged Microsoft support number 08938034150, however, showed that since the end of December 2017 scare pop-ups have been used to get people to call it.
What happens during such a call I have described here.

Friday, 8 December 2017

Wake on lan (WOL) from Microsoft SCCM through Cisco Layer3 Switches

How to securely forward wake-on-lan packets from remote subnets through Cisco layer 3 switches

To facilitate software deployments, we need to wake PCs up from the deployment server. As the server uses directed broadcasts to the destination subnet, this fails in any reasonably secure network.

In our scenario, the SCCM server resides in VLAN10, while the destination PC lives in VLAN20. The SCCM server sends a "magic packet" to 192.168.20.255. This packet will normally be discarded by the router / L3 switch.

To be a bit more obscure, we have chosen port 12287. During the tests it seemed like the packet needed to be allowed in several ways:

  1. explicitly enable forwarding for udp 12287
  2. explicitly allow such a packet on the ingress interface with an ACL
  3. explicitly allow the packet on the egress interface with an ACL
    (but I might be mistaken here. -> needs testing if it works without)



Despite the fact that we do use a Microsoft SCCM server, its WOL function wouldn't work for us. We used a 3rd party WOL tool instead and schedule the wake-ups. Wolcmd could do that for you.

Saturday, 22 April 2017

Systemwiederherstellung nach Microsoft Tech Support Betrug

Computer nach Anruf von "Microsoft Tech Support" Betrügern befreien

Es gibt diesen Blogeintrag auch auf ENGLISCH.
This article is also available in ENGLISH.

Ein unerwarteter Anruf

Eine Freundin bekam kürzlich einen Anruf von einem freundlichen, englischsprachigen Microsoft Mitarbeiter, der ihr helfen wollte ein Virusproblem auf ihrem PC zu beheben. Das behauptete er jedenfalls.

Hinweis: Microsoft ruft niemals Endkunden an. Jeder Anrufer der das behauptet ist ein Betrüger

Hier ist eine grobe Rekonstruktion des Scripts dem der Angreifer folgte. Es ist aus ihrer Erinnerung und dem rekonstruiert was ich auf dem PC fand.

Ihr PC meldet Fehler an unsere Server

Der Betrüger zeigte eine bewundernswerte Geduld dabei mit meiner Freundin die Brisanz der Lage begreiflich zu machen und ihr Vertrauen zu gewinnen.

Schritt 1: Vertrauen herstellen

Er ließ sie die Windows-Taste und "r" drücken und mit "CMD" eine Shell aufmachen. Dann bat er sie "assoc" zu tippen und die Enter-Taste zu drücken. Wenn die weltweit einzigartige Client ID "888DCA60-FC0A-11CF-8F0F-00C04FD7D062" am Ende der Ausgabe angezeigt werde, dann sei das der PC, der das Problem verursache.


Oh nein!
Und wer hätte es gedacht: genau diese ID stand da. Hier musste sofort eingegriffen werden.

Fernsteuerung

Nach dem was wir rekonstruieren konnten, wurde sie dann auf eine Webseite gelotst, die aber wenig später schon nicht mehr existierte. Vermutlich um von dort TeamViewer herunter zu laden.
Jetzt gab ihr der Angreifer eine kleine Tour durch ihr System:

Eventvwr:
Oh, so viele Fehler! Da muss etwas faul sein.

Tree:
Der Trick ist nett und es hat eine Weile gedauert bis ich verstanden hatte was das soll.
Da: Es sagt, dass es gehackt ist!
Der Angreifer bat sie "tree c:\ /F" in das Kommandofenster einzugeben. Damit ist das System eine Weile beschäftigt. Dank Teamviewer tippt der Betrüger jetzt einen beängstigenden Satz ein und drückt dann STRG+C. Die Ausgabe bricht ab und die Meldung erscheint auf dem Bildschirm

Gib mir Dein Geld!

So ungefähr das muss der Moment gewesen sein in dem ihr das 300€ "full-service" angeboten wurde. Als sie zögerte das anzunehmen, bereitete der Betrüger drastischere Schritte vor.

Schilde runter!

Er rief jetzt "msconfig" auf. Vermutlich um dort die Systemwiederherstellung abzuschalten. Nicht ganz sicher, aber das war in der Befehlshistorie der vorletzte Befehl der gespeichert war und die Systemiederherstellung war abgestellt als ich später versuchte die Maschine wiederherzustellen.

So um diese Zeit herum muss er auch das "syskey" Kommando aufgerufen haben. Damit lässt sich die Datei der Registry verschlüsseln, die die Benutzerkennwörter speichert. Dabei ist egal ob die Benutzer der Maschine überhaupt Passwörter haben oder nicht.

Zu gruselig

Der Anrufer wollte, dass sie auch Ihre Banksoftware testen sollte, was sie aber so unter Beobachtung nicht tun wollte. Beim nächsten Schritt wuede es ihr zu bunt: Der Anrufer, offensichtlich durch die angenehme Damenstimme am anderen Ende etwas aus dem Konzept gebracht wollte mehr sehen. Vermutlich rief er dazu die "Kamera" App auf. Als die Freundin sich selbst auf dem Bildschirm sah, klappte sie das Gerät zu und legte auf.

In den folgenden Stunden bekam sie mehrere Anrufe von unbekannten Nummern aus dem Ausland, die sich nicht annahm. Vermutlich wollte ihr jemand das Passwort zu ihrem PC verkaufen.

AReResearch zu Hilfe!

Sie zeigte den Vorfall bei der Polizei an, die das Thema zwar kannten, aber nicht wirklich helfen konnten. Also rief sie bei mir an und kam am nächsten Tag vorbei.

Als ich das Laptop bekam, lief es noch einwandfrei. Nach einem kurzen Blick auf die zuletzt aufgerufenen Kommandos (Windows+r und dann den Dropdown-Pfeil drücken) habe ich den Rechner heruntergefahren. (Das war möglicherweise nicht die cleverste Entscheidung.)
Das Laptop war nicht gerade neu, hatte aber schon ein UEFI Bios mit aktiviertem Safeboot.
Um von einem anderen Medium booten zu können musste ich auf "LegacyBios" umstellen um von einem USB-Stick mit einem aktualisierten "Desinfec't" starten zu können.
Dabei hanelt es sich um eine auf Ubuntu basierende Linux Live DVD mit mehreren Virenscannern, die jährlich dem c't Magazin beiliegt. (Aber auch zu einem moderaten Preis gekauft werden kann.)
Die Scanner fanden keine Infektionen auf der Platte. Offenbar hatte der Angreifer keine Schadsoftware auf dem System hinterlassen.

Alles ok also?

Nachdem ich das Bios zurück in die Ausgangskonfiguration gefummelt hatte, wollte das Windows nicht mehr starten, sondern blieb an einer mir bislang unbekannten Passwortaufforderung hängen.
"Zum Starten des Computers ist ein Kennwort erforderlich. Geben Sie das Startkennwort ein."

Und jetzt???


Ich kam nicht weiter.Die üblichen, nicht-destruktiven Reparaturmechanismen beim Systemstart klappten alle nicht, weil (wie ich zu diesem Zeitpunkt noch nicht wusste) die Systemwiederherstellung deaktiviert worden war.
Ein bisschen Goooogeln brachte dann schnell Klarheit: Die Passwortabfrage bedeutete, dass die SAM-Datei verschlüsselt worden war.
Windows legt (unabhängig von der Systemwiederherstellung) zyklisch (ich konnte nicht herausfinden wann) eine Kopie der Registry an.
Mit etwas Glück sollten die noch da sein.

Und so wird's gemacht:

  • PC von einer Linxu Live-DVD/USB-Stick starten. Das muss nicht Desinfec't sein, da die Virenscanner hier nicht benötigt werden.
  • Das "C-Laufwerk" im Schreib/Lese Modus verbinden. Für Ungeübte könnte das knifflig sein. Am einfachsten ist die Windowspartition an ihrer Datenträgerbezeichnung zu erkennen.
  • Mit dem Dateimanager der live-DVD zum windows-Verzeichnis auf dem neu eingehängten Laufwerk wechseln. Dort dann nach "system32" und "config"
  • Dort die folgenden Dateien umbenennen (z.B. mit einer ".orig" Dateierweiterung)
  1. DEFAULT
  2. SAM
  3. SECURITY
  4. SOFTWARE
  5. SYSTEM
  • Then go one directory level deeper into the "RegBack" folder
  • Copy the 5 files named above from the "RegBack" folder one level up into the "config" folder
  • Restart the PC (you may need to reset the BIOS settings first)

That was it. She could take her machine back. I also uninstalled the unneeded TeamViewer, which had been launching at system start, and went over the system once more with Microsoft's "Autoruns" tool. It showed no irregularities.


Recover from Microsoft Tech Support Scam

How to recover from the "Microsoft Tech Support Scam"

There is also a GERMAN VERSION of this in my blog.
This article is also available in my blog IN GERMAN.

An unexpected call

A friend of mine got a call from a friendly Microsoft support technician to help her fix a virus on her PC. - That is what he claimed, anyway.
Note: Microsoft will never call you about problems with your computer. 100% of the callers claiming to do so are fraudsters.

Here is a rough idea of the scammer's script as we could reconstruct it from her PC and what she remembered.

Your PC reports problems to our servers

As my friend is a native German speaker, the scammer showed amazing patience in making her understand the seriousness of the problem.

Step one: establish trust

He had her press "Windows+R", then type cmd to open a command shell. There he asked her to type "assoc" and whether a line near the bottom read "888DCA60-FC0A-11CF-8F0F-00C04FD7D062", which he claimed was a globally unique identifier for the machine causing the problem. (It is actually the CLSID of the "Compressed (zipped) Folder" shell extension and is the same on every Windows installation.)
Oh no!
Sure enough the IDs matched. This calls for immediate action!

RemoteControl

From what I could gather, she was then asked to go to a website, which had already been taken down by the time I investigated. Presumably she installed TeamViewer from there.
Now the attacker gave her a tour of her system:

Eventvwr:
Just look at all these errors. There must be something wrong!

Tree:
That is a neat one and I had to investigate a little how it works.
There: It says it's been hacked!
The attacker had her run "tree c:\ /F" in the cmd window. That takes a loooong time to complete. While it is running, the attacker (thanks to TeamViewer) types some scary text and hits CTRL-C.

Give me your money

This must have been the moment when she was offered the 300€ full service support package. As she was still hesitant to accept that, the attacker prepared the more drastic moves.

Shields down!

Now he called msconfig, presumably to disable System Restore. I'm not absolutely sure, but System Restore was off when I got the machine and there were no restore points to revert to.

Around that time, he also must have run the syskey command, which encrypts the SAM hive of the registry. That is the part that stores the users' password hashes.

Too scary

When he asked her to check her banking software, she started to smell a rat.
But the point when my friend freaked out was this: the caller, obviously sidetracked by my friend's friendly female voice, wanted to see who he was dealing with and presumably ran the "camera" utility. When my friend saw herself on the screen, she closed the laptop's lid and hung up.

In the following hours, she got a number of calls from several unknown, foreign numbers which she didn't take. Presumably to "sell" her the password to her system.

AReResearch to the rescue!

She reported the incident to the police, who are aware of the problem, but couldn't offer much help. So she called me and came over to my house the next day.

The laptop still ran but I shut it down. (In retrospect, possibly not the best idea.)
The laptop was not new, but new enough to have a UEFI BIOS with Secure Boot. I set it to legacy mode and started the system from a "Desinfec't 2017" USB thumb drive.
That is essentially an Ubuntu live linux with a selection of virus scanners, published annually by the renowned German c't magazine.
The scanners came up empty. The attacker apparently hadn't left any malicious software on the system.
So I set the BIOS back to UEFI, but Windows wouldn't boot and instead came up with a password dialog I hadn't seen before:
"This computer is configured to require a password in order to start up. Please enter the Startup Password below."

Now what???


I was stuck. The usual repair mechanisms wouldn't work. (I was not aware of the disabled System Restore at this point.)
A bit of googling helped me find a solution:
The password dialog meant that the SAM file was encrypted.
Windows does save a copy of the registry files from time to time, regardless of the System Restore settings. With a little luck, those were still in place.

So here is what to do:
  • Boot the locked machine from a linux live DVD. It doesn't need to be Desinfec't, as we don't need the scanners.
  • Mount your "C drive" in R/W mode. For beginners, it might be easiest to recognize the right partition by its volume name.
  • Using the file manager of the live DVD (or USB drive, for that matter), navigate to your Windows directory. Go to "system32" and then "config"
  • Rename the following files (e.g. with a ".orig" extension)
  1. DEFAULT
  2. SAM
  3. SECURITY
  4. SOFTWARE
  5. SYSTEM
  • Then go one step deeper in the directory tree to the "RegBack" folder
  • Copy the 5 files with the names listed above from the "RegBack" folder up to the "config" folder
  • Reboot the machine from the Windows drive (you might have to change back the BIOS settings)

That was it. The machine was good to go. I just uninstalled the unwanted version of TeamViewer and checked for anomalies with Autoruns. Nothing out of the ordinary.
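The hive swap from the steps above (and from the German version of the same list earlier on this page) as a small shell script, added here and not part of the original post. It assumes the Windows partition is already mounted read/write on the live system and that the mounted config directory is passed as the argument (e.g. /mnt/win/Windows/System32/config, an assumed mount point); it refuses to touch anything if a RegBack copy is missing or empty, which is the normal state on Windows 10 version 1803 and later, where the scheduled registry backup is disabled by default.

```shell
#!/bin/sh
# Added example (not from the original post): replace the five registry hives
# in Windows/System32/config with the copies Windows keeps in RegBack.
# Run from the Linux live system; the Windows partition must be mounted read/write.

HIVES="DEFAULT SAM SECURITY SOFTWARE SYSTEM"

# restore_hives CONFIG_DIR
# CONFIG_DIR is the mounted .../Windows/System32/config directory.
# Returns 0 after swapping all five hives, 1 (with nothing modified) if any
# RegBack copy is missing or empty (0-byte files mean the backup is useless).
restore_hives() {
    config="$1"
    regback="$config/RegBack"
    # Check every backup first so a half-done swap cannot leave the system unbootable.
    for h in $HIVES; do
        if [ ! -s "$regback/$h" ]; then
            echo "backup hive $regback/$h is missing or empty, not touching $config" >&2
            return 1
        fi
    done
    for h in $HIVES; do
        # Keep the encrypted originals as <name>.orig so the swap can be undone.
        mv "$config/$h" "$config/$h.orig" || return 1
        cp "$regback/$h" "$config/$h" || return 1
    done
    return 0
}

# Usage: sh restore_hives.sh /mnt/win/Windows/System32/config  (assumed mount point)
if [ $# -eq 1 ]; then
    restore_hives "$1"
fi
```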


Thursday, 26 January 2017

High CPU usage on Surface Pro3 running Windows 10

System interrupt uses one CPU core

Windows 8.1

I already had this issue running Windows 8.1 and could work around it simply by disabling the Realtek High Definition Audio driver, which seems to be the docking station's audio system.

Windows 10

The problem came back with Windows 10. But this time disabling drivers did not help.
[Screenshot: That should be an "idle" system]

What brought the fan to a standstill, however, was restarting the Surface Pro 3 while in the docking station.
I don't mean powering it down and switching it back on again. That doesn't do any good. It is the restart that does the trick for me.
[Screenshot: A very relaxed CPU]
This, of course, is only a very temporary solution. So whenever the fan (which rarely ever stops completely) gets on my nerves, I reboot and things are better for the rest of the day.

Docking station drivers?

I suppose that a driver for the docking station's peripherals causes the problems. But disabling any of them did not cure the problem, so I might be wrong. Can anyone shed more light on that issue?

--

Edit 2017-03-08: The current driver package SurfacePro3_Win10_1700802_1.msi did not help either.

Thursday, 22 December 2016

How to delete a stuck Thumbs.db file

From time to time Windows users complain that they can't delete folders. The 1st level support people usually think it is some file system permission problem and escalate it to the sysadmin team.

The error message says that the file is in use. This is almost certainly not the case here.
[Screenshot: File in use?]
However, it is amazingly easy to fix:
Change the view to "large icons" and back to "details". This apparently rewrites the thumbs.db file.

The thumbs.db file can simply be deleted then.

Tuesday, 20 December 2016

Trend Micro OfficeScan WebReputation filter gone paranoid

Trend Micro OfficeScan web reputation problems

Safe or sorry

Yesterday users started reporting problems with blocked elements on websites. This also completely blocked sites with anti-adblock features.
Although this banner has now disappeared from Trend Micro's OfficeScan support pages, the problem did not disappear completely.

[Screenshot: Trend Micro's info about the problem]

Options...

There are three ways to go:

1. wait it out till TM has fixed it.
  (not an option)
2. add exceptions for blocked servers manually
  (more secure - more work)
3. disable web reputation service
  (less work - less secure)

To add exceptions to the filter, navigate to http://YOURTRENDMICROSERVER.YOURDOMAIN:8080/officescan and go to the Web reputation settings:
[Screenshot: Agent settings]
Here you can manually add exceptions:
By default, the exception list is not active, so don't forget to enable it.
That should fix it for a limited number of sites. You can get a list of blocked sites from the client's web reputation log and copy/paste from there.

The other option is to temporarily disable Web Reputation filtering altogether:

Uncheck the activation box for the web reputation service to disable it globally.

Monday, 19 December 2016

Microsoft Office Click-to-run component prevents Visio 2016 installation

Click-to-run

On the Surface Pro 3 I use at work, I need Microsoft Visio 2016 for project documentation. We still use Office 2007 (32 bit), so I also have to run the 32-bit version of Visio. (Not an issue.)
But when trying to install Visio from the CD image, the installer complained about an Office 2016 click-to-run installation that prevents Visio from installing.
I followed quite a few hints about removing that click-to-run component, but couldn't find it on my system as described.

Greek gift

It turned out to be a Greek gift from Microsoft:
The Surface Pro 3 came with "Office 2016 Home&Student" as a "click-to-run" package. In the list of installed programs it was listed as "Office".

MSI installer

I removed that and Visio 2016 (32 bit) installed without a problem. It also did not harm the OneNote app I frequently use with the Surface Pro 3.

Thursday, 17 November 2016

Getting started with a Samsung Portable SSD T1 (500GByte)

For my wife's MacBook, I was looking for a new external 500GByte USB SSD drive. She had filled an external 256MByte Transcend SSD with her iPhoto library and now it was time for the next step.

I found a very reasonably priced, now discontinued Samsung Portable SSD T1 (Model MU-PS500B) at a nearby consumer electronics store. Manufacturing date is 03/2015. Not the latest&greatest, but for 129€, it seemed like a bargain. Worth a try.

From the comments on Amazon, I knew that installation was not painless and many had complaints. So I decided to "unlock" the drive on my Windows 10 PC and re-format it on the MacBook later.

In Windows 10 the drive did not show up with a drive letter, so I couldn't install the software required to unblock the drive. I had expected to see a "tools" partition or something like that.
The manual was not helpful either.

[Screenshot: There is a new drive!]

[Screenshot: But it looks pretty useless]

No tools or utilities partition and no driver CD in the box. Gooooogling helped:

I found the T1 Activation Software here.

I then extracted "SamsungPortableSSD.exe" from the ZIP archive and ran it.
I chose not to use a password and a few moments later, the drive was accessible:

[Screenshot: exFAT... Ugh!]
Reformatting to NTFS was quick and painless. The SamsungPortableSSD tool did not seem to leave unwanted stuff on my system.
[Screenshot: Re-formatted to NTFS]
It is now possible to partition / format the drive on the MacBook with an HFS file system. No need for stuff that hooks into OS X.
[Screenshot: Shows up as expected]
Re-formatting to HFS is easy.
[Screenshot: Yes, we're sure!]
Now that wasn't too hard, although Samsung didn't really make it intuitive. And that might be the reason why I got this drive for cheap.