Archive for January, 2018

To monitor activityID and ADFS in general:

The module file name is ADFSDiagnostics.psm1, is located under “%programfiles%\Microsoft AD Health Agent\Microsoft AD Diagnostics Service”. Note that it requires elevated access, and PowerShell 4.0 to run. Below are the cmdlets available in the module:

PS C:\Program Files\Microsoft AD Health Agent\Microsoft AD Diagnostics Service> Get-Command -Module ADFSDiagnostics

Monitor ActivityID:

Sometimes it is useful to have it in a table format. For that, use the parameter OutHtmlFilePath, and the cmdlet will format the output to an HTML file and opens up the browser:

import-module ADFSDiagnostics.psm1

Get-AdfsServerTrace -ActivityId 00000000-0000-0000-ce70-0080000000df -OutHtmlFilePath .\report.htm





Full article:

Topic #1: What is the purpose of this tool as opposed to other tools available?

This certainly should be the first question. This tool is focused toward delivering an easy to understand approach to obtaining network captures on remote machines utilizing PowerShell and PowerShell Remoting.

I often encounter scenarios where utilizing an application such as Message Analyzer, NETMON, or Wireshark to conduct network captures is not an option. Much of the time this is due to security restrictions which make it very difficult to get approval to utilize these tools on the network. Alternatively, it could be due to the fact that the issue is with an end user workstation who might be located thousands of miles from you and loading a network capture utility on that end point makes ZERO sense, much less trying to walk an end user through using it. Now before we go too much further, both Message Analyzer and Wireshark can help on these fronts. So if those are available to you, I’d recommend you look into them, but of course only after you’ve read my entire post.

Topic #2: Where can I get this tool?



One of the easiest way to remove the expired SSL Certificate from the Exchange server is using the Powershell command.
When any of the Certificate installed in it get expired , the Outlook starts showing the Security alert. To get rid of that Security alert we need to remove the Expired Exchange Certicate and should install the new one if required.

A) Identify all the Expired Certificates from the Exchange


This command will show all the certificates that were installed in Exchange Server with the Expiry date.  Find out the Certificate whose date is expired.

After finding out the Expired Exchange Certificate, remove them if you want. The Powershell command used to carry out the process is  Remove-ExchangeCertificate. The Syntax of the command is given below: –

The highlighted dates indicate that the date of the Certificate has been expired.

B) Run Remove-Exchange Certificate Command:

Now run Remove-ExchangeCertificate Command along with the thumbprint to remove the expired certificate from the Exchange

Did you see on the top of the URL below:

that you can subscribe to a RSS feed to be notified of the changes

and you can download the PAC or XML file:

Else using PowerShell scripts:

Run the script below on the client machine that’s generating the WMI corruption errors. It recompiles all .mof WMI files found in the %windir%\System32\Wbem\Repository folder.

  • @ECHO OFFsc config winmgmt start= auto

    reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d “Y” /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyAuthenticationLevel /t REG_DWORD /d “2” /f
    reg add HKLM\SOFTWARE\Microsoft\Ole /v LegacyImpersonationLevel /t REG_DWORD /d “3” /f

    reg delete HKLM\SOFTWARE\Microsoft\Ole /v DefaultLaunchPermission /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineAccessRestriction /f
    reg delete HKLM\SOFTWARE\Microsoft\Ole /v MachineLaunchRestriction /f

    NET STOP SharedAccess

    NET STOP winmgmt

    CD %WINDIR%\System32\Wbem\Repository
    DEL /F /Q /S %WINDIR%\System32\Wbem\Repository\*.*
    CD %WINDIR%\system32\wbem

    REGSVR32 /s %WINDIR%\system32\scecli.dll
    REGSVR32 /s %WINDIR%\system32\userenv.dll

    MOFCOMP cimwin32.mof
    MOFCOMP cimwin32.mfl
    MOFCOMP rsop.mof
    MOFCOMP rsop.mfl
    FOR /f %%s IN (‘DIR /b /s *.dll’) DO REGSVR32 /s %%s
    FOR /f %%s IN (‘DIR /b *.mof’) DO MOFCOMP %%s
    FOR /f %%s IN (‘DIR /b *.mfl’) DO MOFCOMP %%s
    MOFCOMP exwmi.mof
    MOFCOMP -n:root\cimv2\applications\exchange wbemcons.mof
    MOFCOMP -n:root\cimv2\applications\exchange smtpcons.mof
    MOFCOMP exmgmt.mof

    rundll32 wbemupgd, UpgradeRepository

    NET STOP Cryptsvc
    DEL /F /Q /S %WINDIR%\System32\catroot2\*.*
    DEL /F /Q C:\WINDOWS\security\logs\*.log
    NET START Cryptsvc

    cd c:\windows\system32
    lodctr /R
    cd c:\windows\sysWOW64
    lodctr /R


    msiexec /unregister
    msiexec /regserver
    REGSVR32 /s msi.dll

    NET START winmgmt
    NET START SharedAccess

    Execute the commands below in an elevated Command Prompt on the client machine that’s generating the WMI corruption errors. This is an alternate way of resetting the WMI repository to the initial state when the operating system was first installed:

          Winmgmt.exe /standalonehost
          Winmgmt.exe /resetrepository

          Winmgmt.exe /salvagerepository


  • Execute the command below in an elevated Command Prompt on the client machine that’s generating the WMI corruption errors. It checks the integrity of Windows operating system files and attempts to repair errors it finds.
    sfc /scannow
  • If all else fails, reinstall the Windows operating system on the client machine that’s generating the WMI corruption errors.




Latest news:





If you’re looking for a deep-dive course on strategic approaches to building better cybersecurity defenses in your organization, look at the Microsoft Cybersecurity Reference Architecture.

Planning and implementing a security strategy to protect a hybrid of on-premises and cloud assets against advanced cybersecurity threats is one of the greatest challenges facing information security organizations today. Microsoft has built a set of strategies and integrated capabilities to help you solve these challenges and is continuing to invest in making this easier.

This training course explore real-life use cases to help address your organization’s security issues, and offer guidance on protecting an enterprise that spans cloud and mobile devices outside your network controls. Explore common challenges and recommended approaches for threat protection, building an identity-based security perimeter, information protection, and software as a service (SaaS) security. Plus, take a look at device and datacenter security, along with threat detection along the kill chain.

The course outline includes:

  • Overview
  • Building an Identity Security Perimeter
  • Threat Detection
  • Server and Azure Security

Watch the deep dive