A short story about date formats

So I was updating my script to read DNS debug logs. I had gotten some comments on it in the TechNet Gallery, so I wanted to include all of them in the script for easier usage.

This is when I realized how many variations there are of the ShortDatePattern used by the local cultures. Microsoft writes the timestamps in the DNS debug log using the server's local culture, big sadness. So how many cultures are there?

Okay, with 428 possible cultures I don't think I will go through them one by one. So let's just list all cultures and their ShortDatePattern and see if we spot anything. [Read more…]
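As an added example (not the blog's own script), the two things the post is heading for: a summary of how many distinct short date patterns the installed cultures use, and a parser that reads a DNS debug log timestamp with the culture of the server that wrote it rather than the culture of the machine running the script. The function names and the sample timestamps are this example's own.

```powershell
# Added example, not the blog's script.

function Get-ShortDatePatternSummary {
    [System.Globalization.CultureInfo]::GetCultures([System.Globalization.CultureTypes]::AllCultures) |
        Where-Object { $_.Name -ne '' } |                       # skip the invariant culture
        Group-Object { $_.DateTimeFormat.ShortDatePattern } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ShortDatePattern'; e = { $_.Name } },
                      Count,
                      @{ n = 'Examples'; e = { ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', ' } }
}

function ConvertFrom-DnsDebugTimestamp {
    param(
        [Parameter(Mandatory)][string]$Date,        # date field as the DNS service wrote it, e.g. '25/05/2016'
        [Parameter(Mandatory)][string]$Time,        # time field, e.g. '08:15:30' or '8:15:30 AM'
        [string]$CultureName = (Get-Culture).Name   # assumption: the log came from a server with this culture
    )
    $culture = [System.Globalization.CultureInfo]::GetCultureInfo($CultureName)
    # Parsing with the wrong culture does not fail loudly: '05/06/2016' silently becomes
    # 6 May or 5 June depending on the pattern, so the culture must be the server's.
    [datetime]::Parse("$Date $Time", $culture)
}

Get-ShortDatePatternSummary | Select-Object -First 5 | Format-Table -AutoSize

# Constructed inputs: the same instant as written by an en-GB and by an en-US server
ConvertFrom-DnsDebugTimestamp -Date '25/05/2016' -Time '08:15:30'   -CultureName 'en-GB'
ConvertFrom-DnsDebugTimestamp -Date '5/25/2016'  -Time '8:15:30 AM' -CultureName 'en-US'
```

Both calls return 25 May 2016 08:15:30; swap the culture names and the first one becomes an error and the second one a different day, which is exactly the failure the post is worried about.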

Formating dates with Powershell for different purposes

So Windows has lots of date formats to choose from. These are a few and functions to convert between them and Datetime.


DateTime

This is the default date and time type in .NET and PowerShell, and Get-Date is probably the first date function you will learn to use. Or you can call the .NET [datetime] class directly.


FileTime

A Microsoft time format that counts the number of 100 ns intervals since January 1, 1601 (UTC). Yes, this is a really large number. Even though the name suggests it, the format isn't only used for files; it is also what AD stores in attributes such as pwdLastSet. Also, in some file systems the timestamp resolution isn't 100 ns just because the format has that as its smallest increment.

I wrote a blog entry about a small discrepancy when creating dates using different methods: they differed by 100 ns. This was easiest to spot when looking at the time in FileTime format.

MSDN page for FileTime structure

DMTF (Distributed Management Task Force) DateTime

Used by WMI and CIM, and close to what AD uses for some attributes. The format (yyyymmddHHMMSS.mmmmmm+UUU, the last part being the offset from UTC in minutes) is almost human readable. Note that the AD generalized time seen in attributes such as whenCreated (for example 20160525081530.0Z) looks similar but is not the same format, so each needs its own conversion.


Unix Epoch

This is the standard format on *nix based systems: the number of seconds since January 1, 1970 (UTC), not counting leap seconds.

Also, if you don't care about compatibility with older .NET versions (before 4.6), you can use the [DateTimeOffset] class, which has FromUnixTimeSeconds and ToUnixTimeSeconds built in.

What about the other way then? That is even simpler.
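As an added example (these are not the blog's own conversion functions), the round trips between [datetime] and the three formats above. Everything is done in UTC so the result does not depend on the culture or DST state of the machine running it; the function names and the fixed sample instant are this example's own.

```powershell
# Added example, not the blog's own functions.

function ConvertTo-FileTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # 100 ns intervals since 1601-01-01 00:00:00 UTC (the same value AD stores in pwdLastSet)
    $Date.ToUniversalTime().ToFileTimeUtc()
}
function ConvertFrom-FileTime {
    param([Parameter(Mandatory)][long]$FileTime)
    [datetime]::FromFileTimeUtc($FileTime)
}

function ConvertTo-DmtfDateTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # ToDmtfDateTime formats the fields it is given with the local UTC offset, so hand it
    # local time; a UTC-kind value would be stamped with the wrong offset
    [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Date.ToLocalTime())
}
function ConvertFrom-DmtfDateTime {
    param([Parameter(Mandatory)][string]$Dmtf)
    # Returns local time, offset already applied
    [System.Management.ManagementDateTimeConverter]::ToDateTime($Dmtf)
}

$UnixEpoch = [datetime]::SpecifyKind([datetime]'1970-01-01T00:00:00', [DateTimeKind]::Utc)
function ConvertTo-UnixTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # Whole seconds since 1970-01-01 00:00:00 UTC; works on .NET before 4.6 too.
    # On .NET 4.6+ the same thing is [DateTimeOffset]::new($Date).ToUnixTimeSeconds()
    [long][math]::Floor(($Date.ToUniversalTime() - $UnixEpoch).TotalSeconds)
}
function ConvertFrom-UnixTime {
    param([Parameter(Mandatory)][long]$Seconds)
    # On .NET 4.6+: [DateTimeOffset]::FromUnixTimeSeconds($Seconds).UtcDateTime
    $UnixEpoch.AddSeconds($Seconds)
}

# Round trip one fixed instant (constructed sample) through all three formats
$t  = [datetime]::SpecifyKind([datetime]'2016-05-25T08:15:30', [DateTimeKind]::Utc)
$ft = ConvertTo-FileTime $t
$dm = ConvertTo-DmtfDateTime $t
$ux = ConvertTo-UnixTime $t
[pscustomobject]@{ DateTime = $t; FileTime = $ft; Dmtf = $dm; Unix = $ux }

# All three come back as 2016-05-25 08:15:30 UTC (the DMTF one via local time)
(ConvertFrom-FileTime $ft), (ConvertFrom-DmtfDateTime $dm).ToUniversalTime(), (ConvertFrom-UnixTime $ux)
```

The FileTime and Unix conversions are exact to the second; only the DMTF string carries a time zone, which is why that one goes through local time in both directions.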

From Event to Object

So I needed to gather some information on the usage of a file server, so we enabled auditing, but those logs aren't much fun. Using the Event Viewer isn't really an option with thousands of log entries to process. So I went to PowerShell, which has Get-WinEvent, returning [System.Diagnostics.Eventing.Reader.EventRecord] objects. But those still aren't much fun: they are event log entries, so I can't just do a Where-Object search on them, as the message is a text block. BUT I can convert each of them into XML with ToXml(), which allows me to query the XML with Where-Object, but that is still limiting as I needed to do conversions, and depending on the PowerShell version you do it in different ways. So I wrote a cmdlet that does those for me so I don't have to in the future.

It reads the events you throw at it and creates a translation map from the XML to a PowerShell object.

So I created ConvertFrom-VirotEvent; a small sample is below.

Sample ConvertFrom-VirotEvent
Let's see all the times somebody used runas, elevated themselves using UAC or RDP... well, any time Windows presented a login box to an already logged-on user, or another process did the same thing, such as the Task Scheduler. In the Security log that is event ID 4648, "A logon was attempted using explicit credentials".

Or we can just group by SourceUserName.
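The page does not show the cmdlet's code, so here is an added example of the same idea (not ConvertFrom-VirotEvent itself): turn the XML of an event into a PSCustomObject whose properties are the <Data Name="..."> fields, so Where-Object and Group-Object work on fields instead of on the message text. The function name and the sample 4648 event below are constructed for this example.

```powershell
# Added example, not the blog's ConvertFrom-VirotEvent.

function ConvertFrom-EventXml {
    [CmdletBinding()]
    param(
        # EventRecord objects straight from Get-WinEvent, or event XML as a string
        [Parameter(Mandatory, ValueFromPipeline)]$Event
    )
    process {
        $text = if ($Event -is [System.Diagnostics.Eventing.Reader.EventRecord]) { $Event.ToXml() } else { [string]$Event }
        $xml  = New-Object System.Xml.XmlDocument
        $xml.LoadXml($text)
        $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $xml.NameTable
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        # Header fields every event has. XPath is used because the PowerShell XML adapter
        # returns either a string or an element for <EventID> depending on its attributes.
        $props = [ordered]@{
            TimeCreated = [datetime]$xml.SelectSingleNode('/e:Event/e:System/e:TimeCreated/@SystemTime', $ns).Value
            EventId     = [int]$xml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
            Provider    = $xml.SelectSingleNode('/e:Event/e:System/e:Provider/@Name', $ns).Value
            Computer    = $xml.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        }
        # One property per <Data> element, named after its Name attribute
        $i = 0
        foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $name = $d.GetAttribute('Name')
            if (-not $name) { $name = "Data$i" }   # classic providers emit unnamed Data elements
            $props[$name] = $d.InnerText
            $i++
        }
        [pscustomobject]$props
    }
}

# Constructed sample: a Security 4648 event (logon with explicit credentials), which is
# what runas, UAC credential prompts and RDP with other credentials produce
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2016-05-25T08:15:30.123456700Z" />
    <Computer>FS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">adm-alice</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="ProcessName">C:\Windows\System32\runas.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-EventXml | Format-List

# Against the live Security log (needs an elevated shell): who initiated explicit-credential
# logons, and as whom
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } |
#     ConvertFrom-EventXml | Group-Object SubjectUserName, TargetUserName | Sort-Object Count -Descending
```

Because the output is one object per event with real properties, the grouping the post describes is a plain Group-Object on whichever field names the provider uses (SubjectUserName / TargetUserName for 4648).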




You can download the script from the Microsoft Technet Galleries.


Every function has a beginning, a middle and an end.

Okay, so I used a bit of artistic freedom there; the truth is that the main parts of a function are:

  • Parameters
  • Begin
  • Process
  • End


Parameters

This is kind of self-explanatory: this is where we declare all the parameters the function will use. For today this is not really the important part, so for simplicity I have created one input parameter called... (drumroll)... Input. (Keep in mind that $input is also an automatic variable in PowerShell, so a parameter with that name is easy to confuse with it.)


Begin

This script block contains the things that don't depend on the individual objects coming down the pipeline. It runs once, before the first object, so it is a good spot to verify that required modules are loaded, check that you have write access, or open a database connection.


Process

This is the big script block with all the magic; your core logic goes here. It runs once per pipeline object (or just once, with the value passed as an argument, when the function is called without a pipeline).


End

When you are done there might be things to clean up or close: close any database connection that you opened in Begin. Note that End does not run if the pipeline is stopped early (for example by Select-Object -First), so don't rely on it alone for resources that must always be released.

So what's up with all this text and no PowerShell? Okay, here we go.

How it works with code
[Read more…]
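The excerpt ends before the post's own code, so here is an added example (not the blog's) of the four parts in one pipeline-aware function. It writes every input line to a log file: Begin opens the file, Process writes, End closes it and reports a count. The names (Export-LineLog, $Line, $Path) are this example's own.

```powershell
# Added example, not the blog's own code.

function Export-LineLog {
    [CmdletBinding()]
    param(
        # The post calls its parameter Input; $input is an automatic variable in PowerShell,
        # so a different name avoids confusion
        [Parameter(Mandatory, ValueFromPipeline)][string]$Line,
        [Parameter(Mandatory)][string]$Path
    )
    begin {
        # Runs once, before the first pipeline object: nothing here may depend on $Line
        $writer = New-Object System.IO.StreamWriter -ArgumentList $Path, $false, ([System.Text.Encoding]::UTF8)
        $count  = 0
    }
    process {
        # Runs once per pipeline object (or once with the value passed as -Line)
        $writer.WriteLine("{0:o} {1}" -f (Get-Date), $Line)
        $count++
    }
    end {
        # Runs once after the last object: release what Begin acquired and summarise
        $writer.Dispose()
        [pscustomobject]@{ Path = $Path; Lines = $count }
    }
}

'first', 'second', 'third' | Export-LineLog -Path "$env:TEMP\lines.log"   # Lines = 3
Export-LineLog -Line 'direct call' -Path "$env:TEMP\direct.log"           # Lines = 1
```

If the pipeline is stopped before the last object (Select-Object -First 1 downstream, or Ctrl+C), the end block is skipped and the StreamWriter is never disposed; PowerShell 7.3 added a clean {} block for exactly that case, while on older versions you keep the resource lifetime inside process or wrap the whole pipeline in try/finally.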

Convenience rollup KB3125574 with bonus powershell [W7 & W2K8R2]

So Microsoft has released a convenience rollup that contains loads of updates.

There are a few known issues, especially one connected to vNICs. So they also released a small VBScript to help remove the offending parts from the registry.
But I hate VBScript and love PowerShell, so I rewrote it. It went from 30 lines to 8. I know I could squeeze it into 2 without losing too much readability, but I like it as it is.

You can find information about the update in KB3125574. The download is available through the Microsoft Update Catalog (which required Internet Explorer at the time of writing).

Finding password cheaters

So in my last blog post I talked about the possibility of faking a password change by setting the last time the password was changed.

So let's find out if somebody has been tampering. To do this we check the last time the pwdLastSet attribute was updated and compare it to the last time the ntPwdHistory attribute was updated. If you change a password, AD updates both in the same write; setting pwdLastSet by hand updates only the first. I also added an allowance of 10 in case you needed to check or uncheck the "User must change password at next logon" checkbox at the same time. AD does store loads of data that most people never see or have to see; one such piece is the replication metadata, which records when each attribute was last changed (visible through repadmin /showobjmeta or Get-ADReplicationAttributeMetadata).

Script to check for faked password changes

The script

[Read more…]
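The script itself is behind the cut, so here is an added example (not the blog's script) of the check as described: for each user, compare the originating change time of pwdLastSet with that of ntPwdHistory and flag the ones that differ by more than the allowance. The function name is this example's own, and the allowance unit (seconds) with a default of 10 is an assumption, since the post only says "10".

```powershell
# Added example, not the blog's script.
Import-Module ActiveDirectory

function Test-FakedPasswordChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Identity,
        [string]$Server = (Get-ADDomain).PDCEmulator,   # originating-change times replicate, but ask one DC consistently
        [int]$AllowanceSeconds = 10                     # assumption: the post's "allowance of 10" is in seconds
    )
    process {
        $user = Get-ADUser -Identity $Identity -Server $Server
        # Replication metadata: when (and on which DC) each attribute was last originally written
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server -Properties pwdLastSet, ntPwdHistory
        $pwd  = $meta | Where-Object { $_.AttributeName -eq 'pwdLastSet' }
        $hist = $meta | Where-Object { $_.AttributeName -eq 'ntPwdHistory' }

        $delta = if ($pwd -and $hist) { ($pwd.LastOriginatingChangeTime - $hist.LastOriginatingChangeTime).TotalSeconds } else { $null }
        [pscustomobject]@{
            SamAccountName      = $user.SamAccountName
            PwdLastSetWritten   = $pwd.LastOriginatingChangeTime
            PwdHistoryWritten   = $hist.LastOriginatingChangeTime
            PwdLastSetWrittenBy = $pwd.LastOriginatingChangeDirectoryServerIdentity
            DeltaSeconds        = if ($null -ne $delta) { [math]::Round($delta) } else { $null }
            # No password history at all (password never set) or the two writes are further apart than allowed
            Suspicious          = ($null -eq $delta) -or ([math]::Abs($delta) -gt $AllowanceSeconds)
        }
    }
}

# Check everyone and keep only the hits
Get-ADUser -Filter * | Test-FakedPasswordChange | Where-Object { $_.Suspicious }
```

Expect false positives for accounts that currently have "must change password at next logon" set, because that writes pwdLastSet (to 0) without a password change; the PwdLastSetWrittenBy column tells you which DC took the suspicious write, which is the next thing to check in that DC's Security log.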

User password age and why you cant trust it blindly

There are many ways to check when a user last set their password; my two favorites are PowerShell and the built-in net command (net user <name> /domain) that is present in all current Windows versions.

There are other things that matter when discussing passwords. A few to keep in mind, the most basic being:

  • Checkbox – Password never expires
  • Checkbox – User must change password at next logon
  • Value – Maximum password age
  • Value – When was the password last set

So how is all this stored:

[Read more…]
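As an added example (not from the post), the four items above as AD actually stores them and one function that interprets them: pwdLastSet is a FileTime where 0 means "must change at next logon", "password never expires" is bit 0x10000 of userAccountControl, and maxPwdAge on the domain object is a negative 100 ns interval where [long]::MinValue means never. The function name and the sample values are this example's own, so it runs without a domain.

```powershell
# Added example, not from the post.

function Get-PasswordState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][long]$PwdLastSet,          # FileTime; 0 = must change at next logon
        [Parameter(Mandatory)][int]$UserAccountControl,
        [Parameter(Mandatory)][long]$MaxPwdAge            # domain maxPwdAge, negative 100 ns interval
    )
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $neverExpires = ($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
    $mustChange   = $PwdLastSet -eq 0
    $domainNoAge  = ($MaxPwdAge -eq 0) -or ($MaxPwdAge -eq [long]::MinValue)
    $lastSet      = if ($mustChange) { $null } else { [datetime]::FromFileTimeUtc($PwdLastSet) }
    # maxPwdAge is negative, so subtracting it moves forward in time
    $expires      = if ($lastSet -and -not $neverExpires -and -not $domainNoAge) { $lastSet.AddTicks(-$MaxPwdAge) } else { $null }
    [pscustomobject]@{
        SamAccountName        = $SamAccountName
        PasswordLastSet       = $lastSet
        MustChangeAtNextLogon = $mustChange
        PasswordNeverExpires  = $neverExpires
        PasswordExpires       = $expires
        Expired               = [bool]($expires -and $expires -lt [datetime]::UtcNow)
    }
}

# Constructed sample values with a 42-day domain policy (-42 days in 100 ns ticks)
$maxAge  = -(New-TimeSpan -Days 42).Ticks
$lastSet = [datetime]::SpecifyKind([datetime]'2016-01-10T09:00:00', [DateTimeKind]::Utc).ToFileTimeUtc()
Get-PasswordState -SamAccountName 'alice'      -PwdLastSet $lastSet -UserAccountControl 0x200   -MaxPwdAge $maxAge   # expires 2016-02-21
Get-PasswordState -SamAccountName 'svc-backup' -PwdLastSet $lastSet -UserAccountControl 0x10200 -MaxPwdAge $maxAge   # never expires
Get-PasswordState -SamAccountName 'newhire'    -PwdLastSet 0        -UserAccountControl 0x200   -MaxPwdAge $maxAge   # must change

# Live: the same three raw attributes from AD
# $max = (Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties maxPwdAge).maxPwdAge
# Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl |
#     ForEach-Object { Get-PasswordState $_.SamAccountName $_.pwdLastSet $_.userAccountControl $max }
```

Two caveats apply to the live version: a fine-grained password policy (PSO) overrides the domain maxPwdAge, in which case msDS-UserPasswordExpiryTimeComputed is the attribute to read, and, as the previous post points out, pwdLastSet itself is writable by an administrator, so none of this proves the password was actually changed.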

Active Directory Schema versions

The Active Directory schema is a living platform that receives changes with every new Windows Server version. You can see what each schema version adds by looking at the sch*.ldf files in the Support\ADPrep folder on the installation media.

The upgrade is done by adprep, before you promote a server running the new Windows version to a Domain Controller (since Windows Server 2012 the DC promotion runs it for you).

Schema version   Introduced with
13               Windows 2000
30               Windows Server 2003
31               Windows Server 2003 R2
44               Windows Server 2008
47               Windows Server 2008 R2
56               Windows Server 2012
69               Windows Server 2012 R2
87               Windows Server 2016 (Technical Preview)
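As an added example (not from the post), reading the version the forest is actually at: it is the objectVersion attribute of the schema naming context. The function also, optionally, finds the highest sch<N>.ldf on a mounted installation media so you can see what adprep on that media would take the schema to. The function name, the -MediaPath parameter and the table lookup are this example's own.

```powershell
# Added example, not from the post.
Import-Module ActiveDirectory

function Get-ADSchemaVersion {
    param(
        [string]$Server,
        [string]$MediaPath      # e.g. 'D:\'; assumption: installation media mounted at a drive letter
    )
    # Table from the post
    $known = @{
        13 = 'Windows 2000';           30 = 'Windows Server 2003';    31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008';    47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
        69 = 'Windows Server 2012 R2'; 87 = 'Windows Server 2016'
    }
    $srv = @{}
    if ($Server) { $srv.Server = $Server }
    $rootDse = Get-ADRootDSE @srv
    $schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion @srv
    $version = [int]$schema.objectVersion

    $mediaVersion = $null
    if ($MediaPath) {
        # Each sch<N>.ldf in support\adprep brings the schema up to version N
        $mediaVersion = Get-ChildItem -Path (Join-Path $MediaPath 'support\adprep') -Filter 'sch*.ldf' |
            ForEach-Object { [int]($_.BaseName -replace '^sch', '') } | Sort-Object | Select-Object -Last 1
    }
    [pscustomobject]@{
        SchemaNamingContext = $rootDse.schemaNamingContext
        ObjectVersion       = $version
        IntroducedWith      = if ($known.ContainsKey($version)) { $known[$version] } else { 'newer than this table' }
        MediaSchemaVersion  = $mediaVersion
        AdprepNeeded        = if ($null -ne $mediaVersion) { $mediaVersion -gt $version } else { $null }
    }
}

Get-ADSchemaVersion
Get-ADSchemaVersion -MediaPath 'D:\'
```

Reading objectVersion needs no special rights, so this is a quick way to confirm that forestprep actually replicated before you start a promotion.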

Reverting the AdminSDHolders changes

So everyone knows what AdminSDHolder does. Okay, let's do a short version of that too.

So what is AdminSDHolder then?

Well, Windows has a few "protected" groups and users. If you are a member of one of these protected groups (directly or through nesting), the SDProp process on the PDC emulator will, every 60 minutes by default, do a few things to your user object:

  • Set the adminCount attribute of the user to 1
  • Disable ACL inheritance on the user object
  • Replace the user object's DACL with the reduced one found on CN=AdminSDHolder,CN=System,<domain>

This is an extremely simplified version. For more information please read the TechNet article on AdminSDHolder.

Users and groups that by default are managed by the AdminSDHolder

Name                           Type
Administrator                  User
Account Operators              Group
Administrators                 Group
Backup Operators               Group
Cert Publishers                Group
Domain Admins                  Group
Domain Controllers             Group
Enterprise Admins              Group
Krbtgt                         User
Print Operators                Group
Read-only Domain Controllers   Group
Replicator                     Group
Schema Admins                  Group
Server Operators               Group
[Read more…]
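The reverting script is behind the cut; as an added example (not the blog's script), here is the check and the revert as described above: find users that still carry adminCount=1 and a protected ACL although they are no longer in any protected group, and put them back to normal. Because SDProp would re-protect anyone still in a protected group within the hour, membership is checked (recursively) before anything is touched. The function names are this example's own.

```powershell
# Added example, not the blog's script.
Import-Module ActiveDirectory

# Protected groups from the table above (Administrator and krbtgt are handled as users)
$ProtectedGroups = 'Account Operators', 'Administrators', 'Backup Operators', 'Cert Publishers',
                   'Domain Admins', 'Domain Controllers', 'Enterprise Admins', 'Print Operators',
                   'Read-only Domain Controllers', 'Replicator', 'Schema Admins', 'Server Operators'

function Get-OrphanedAdminCountUser {
    # Distinguished names of everything currently protected, nested membership included
    $protectedDns = @(foreach ($g in $ProtectedGroups) {
        # Enterprise Admins / Schema Admins exist only in the forest root; ignore lookups that fail elsewhere
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object { $_.DistinguishedName }
    })
    $protectedDns += (Get-ADUser -Identity 'Administrator').DistinguishedName
    $protectedDns += (Get-ADUser -Identity 'krbtgt').DistinguishedName

    # Users SDProp stamped at some point that are no longer protected
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { $protectedDns -notcontains $_.DistinguishedName }
}

function Restore-UserFromAdminSDHolder {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        if (-not $PSCmdlet.ShouldProcess($User.DistinguishedName, 'Clear adminCount and re-enable ACL inheritance')) { return }
        Set-ADUser -Identity $User -Clear adminCount
        $path = "AD:\$($User.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # isProtected = $false re-enables inheritance; preserveInheritance = $true keeps the
        # explicit ACEs SDProp stamped, which you may want to review and remove separately
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

Get-OrphanedAdminCountUser | Restore-UserFromAdminSDHolder -WhatIf   # drop -WhatIf to apply
```

Run it first with -WhatIf and read the list: an account that shows up here was once in a protected group, which is itself worth knowing, and the explicit ACEs left behind are the same reduced set AdminSDHolder carries, so inheritance alone may not give the account back the rights its OU would normally grant.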

Who is 2.16.4.xxx

So I got a question from a customer. Their firewall team had detected that clients tried to connect to 2.16.4.xxx (I replaced the last octet with x's to protect the innocent).
So who is 2.16.4.xxx? Let's start with a simple reverse DNS query.

So now we know that we are talking to Akamai; that doesn't really help, since it is one of the biggest CDNs in the world and the same address fronts many different names.

  1. I asked the firewall team what was being sent, and they couldn't help me.
  2. So we need to figure out which name points to the IP. I didn't have access to the clients either; if I had, "ipconfig /displaydns" would have given me the same kind of information I got from the server cache.
  3. But wait, I do have access to the DNS servers. Let's check the DNS server cache.

Exploring the Windows DNS Server cache

Let's dump the entire cache to a file so we can work with it (Show-DnsServerCache from the DnsServer module gives you every cached record as an object).

Now we have a good file to look through. Let's start by looking for the A record pointing to 2.16.4.xxx. That gave me another Akamai name, so I then needed to see which CNAME pointed to that name, and so on; it took two rounds, but in the end we found it. Below are the interesting parts of the dump.

So in the end the client was trying to reach crl.microsoft.com, i.e. fetching a certificate revocation list. This is a standard example of why locking down your firewall by IP address is a time-consuming endeavour: names hosted on a CDN resolve to a large and changing pool of addresses, so allow such destinations by name (proxy or FQDN rules) where you can.
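The manual two-round search above is easy to automate. As an added example (not the blog's own code), the function below takes a cache dump and walks it backwards from an IP: first the A records that carry the address, then every CNAME whose target is that name, then every CNAME whose target is one of those, until nothing points further. It accepts the objects Show-DnsServerCache returns (HostName, RecordType, RecordData) as well as the constructed sample records below; the sample names and the 192.0.2.10 address are fictional and stand in for the real chain.

```powershell
# Added example, not the blog's own code.

function Find-CacheChain {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][object[]]$Records,   # Show-DnsServerCache output or anything with the same properties
        [int]$MaxDepth = 10                         # stops CNAME loops from recursing forever
    )
    # Cache entries may carry a trailing dot and mixed case; compare normalised names
    function Norm([string]$n) { $n.TrimEnd('.').ToLowerInvariant() }

    # Emit the chain once no CNAME points at its head, else prepend each CNAME that does and keep walking
    function Walk([string]$Name, [string[]]$Chain, [int]$Depth) {
        $parents = @($Records |
            Where-Object { $_.RecordType -eq 'CNAME' -and (Norm $_.RecordData.HostNameAlias) -eq $Name } |
            ForEach-Object { Norm $_.HostName })
        if ($parents.Count -eq 0 -or $Depth -ge $MaxDepth) {
            [pscustomobject]@{
                Origin = $Chain[0]                        # the name a client originally asked for
                Hops   = $Chain.Count - 1
                Chain  = ($Chain -join ' -> ') + " -> $IPAddress"
            }
            return
        }
        foreach ($p in $parents) { Walk $p (@($p) + $Chain) ($Depth + 1) }
    }

    $aNames = @($Records |
        Where-Object { $_.RecordType -eq 'A' -and "$($_.RecordData.IPv4Address)" -eq $IPAddress } |
        ForEach-Object { Norm $_.HostName })
    foreach ($n in $aNames) { Walk $n @($n) 0 }
}

# Constructed sample cache: two CNAME hops from the name the client wanted to the CDN's A record
$sample = @(
    [pscustomobject]@{ HostName = 'crl.microsoft.com.';            RecordType = 'CNAME'; RecordData = [pscustomobject]@{ HostNameAlias = 'crl-alias.example-cdn.net.' } }
    [pscustomobject]@{ HostName = 'crl-alias.example-cdn.net.';    RecordType = 'CNAME'; RecordData = [pscustomobject]@{ HostNameAlias = 'e1234.edge.example-cdn.net.' } }
    [pscustomobject]@{ HostName = 'e1234.edge.example-cdn.net.';   RecordType = 'A';     RecordData = [pscustomobject]@{ IPv4Address = [ipaddress]'192.0.2.10' } }
    [pscustomobject]@{ HostName = 'unrelated.example.com.';        RecordType = 'A';     RecordData = [pscustomobject]@{ IPv4Address = [ipaddress]'192.0.2.20' } }
)
Find-CacheChain -IPAddress '192.0.2.10' -Records $sample
# Origin: crl.microsoft.com, Hops: 2, Chain: crl.microsoft.com -> crl-alias.example-cdn.net -> e1234.edge.example-cdn.net -> 192.0.2.10

# Against a live Windows DNS server (DnsServer module, Windows Server 2012 and later):
# Find-CacheChain -IPAddress '<the 2.16.4.xxx address>' -Records (Show-DnsServerCache)
```

The cache only holds what clients resolved recently and the records age out with their TTL, so run this soon after the firewall alert; if the chain is already gone, enabling the DNS debug log (the subject of the first post on this page) is the way to catch the next occurrence.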