Author: Yousef Alahmad

Parameter Hunting: Part II

In my last post on the subject, I discussed the concept of using Process Explorer to discover switches you can use for unattended installs/uninstalls used in enterprise software deployment.

Like before, I have a pesky setup.exe package that wants to guide me through an installation GUI, and would not respond to the usual setup.exe /s /q etc. and so forth…

This particular installer was for a very obscure serial hub manufacturer so there was Googling my way out of this; instead I needed to figure out what was used to build the installer, then work backward from there.

Once against, I launched my trusty Process Explorer (as Administrator) and inspected the setup.exe’s process…to my delight, scrolling down the “Strings” tab I came across this:

Note the string, “This installation was built with Inno Setup.” With that in mind, I was able to look up the documentation associated with the package builder to discover the built-in parameters I needed for silent installation.

While this specific technique might not work for every situation, it never hurts to have another tool in your toolbox!

Email Hide and Go Seek: How to locate a specific email (down to the folder) in Office 365 using PowerShell

In many organizations, end users receive too much email to manage effectively. Many utilize rules to filter emails into specific buckets to make them easier to find. Over time, these rules compound, and could eventually lead to unintended consequences (i.e. receiving an email but being unable to find it).

When this happens, I’d typically run a quick message trace to establish whether the email was actually delivered or not. Many admins will stop there, advising the end-user to check their rule settings, but using PowerShell, we can find the email(s) for them!

First, let’s get logged into the Office 365 tenant:

$Credential = Get-Credential
$ExchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $ExchangeSession

Next, we can determine how many emails match the criteria in case there are more than one (Optional):

search-mailbox -EstimateResultOnly -identity [target user] -searchquery 'from:"[sender emai]" AND subject:"subject"'

Now for the coup de grâce, to reconstruct precisely which folder and sub-folder(s) of where the email(s) that match that criteria are in the user’s inbox:

search-mailbox -identity [recipient] -searchquery 'from:"[sender]" AND subject:"[subject] "' -targetmailbox "[your email] " -targetfolder "SearchResults"

In your inbox, you’ll see a folder called ‘SearchResults’. Using this, you can guide the end-user through the folder structure on their own Inbox that they’ll need to traverse to get to the desired email(s).

Parameter Hunting

Preface: Often in our line of work, the answer requires a little digging. The purpose of this post is to walk you through my thought process in an effort to illustrate how I go about linking disparate pieces of information together to arrive at a solution.

Last week, I was tasked with creating a script to silently uninstall an application across a managed environment with nearly 800 endpoints spanning multiple physical locations and at least 3 separate domains – that was the easy part.

The hard part was that this application was installed as .EXE file rather than an MSI package (i.e. I couldn’t just script out msiexec /x…). While it did have an uninstall.exe file, this called the GUI uninstaller, and I wasn’t about to have someone go through and click ‘next’ ‘next’ ‘next’ for each one!

Many .EXE’s have CLI parameters you can invoke, so I started with the usual suspects:

  • uninstall.exe /?
  • uninstall.exe –?
  • uninstall.exe /help
  • uninstall.exe -help
  • uninstall.exe –help

None of these worked (it wouldn’t be post-worthy if it was that easy)!

Next, I went looking for any documentation that was available for the application – I had:

  • Googled the manufacturer for any documentation/examples – nada
  • Read all of the .txt files in the installation folder – zilch
  • Reviewed the .ini and .config files for clues, saw something vaguely useful – a reference to “NSIS” – tabled it and kept looking

Finally, I decided to use SysInternals Process Explorer to inspect the application:

  1. Run the application you want to inspect
  2. Open Process Explorer (as administrator)
  3. Find the application on the list
  4. Right click on the application and select “Properties…”
  5. Under the “Image” tab, you will see a field for “Command line:”

The Command line will tell you what commands/switches it runs. In this case, the uninstall.exe was running with the switch, “_?=C:\Program Files\[Application Name]”.

I decided to Google the switch itself, which lead me to the Nullsoft Scriptable Install System documentation. I was able to work out that the application used NSIS to create the installer/uninstaller package, and through that, found some examples, one of which (/S) runs the installer/uninstaller silently!

This was exactly what I was looking for! All I had to do was append the command with “/S”, and sure enough, it removed the application without any prompts or launching the GUI!

It just goes to show that persistence pays off, and a little time and effort can save your organization/client hundreds of hours of manual work.

Review: Mouse Without Borders (Free Software KVM)

Keyboard, Video and Mouse (KVM) switches (as a hardware device) have been around for over 20 years, and were used to control multiple computers from a single keyboard, mouse and display. These are still widely use in datacenters to control multiple servers but aren’t that ubiquitous for home use.

I am far more effective on a full-sized keyboard and mouse than I am typing on a cramped laptop keyboard. This is especially trying with the two systems I’m working with presently as they both have function (Fn) buttons, but are in different places.

I could hook up two sets of keyboards and mice, but that would take up a lot more of my desk space, and may not be ideal for many scenarios, particularly when I’m working out of a cubicle from a client site.

I’d been looking for a way to manage multiple systems, but many of the ones I looked at that were advertised as ‘free’ turned out to be nagware, or key features were locked behind a pay wall. After reading an article on raymond.cc, I settled on “Microsoft’s Mouse Without Borders”.

  1. It’s free.
  2. It’s relatively simple to install and configure.
  3. Where it works, it works great!

It doesn’t play nice with VPNs as others have observed. There are ways around this which may or may not work depending on your VPN settings and whether or you’re able to make changes to them.

If you’re managing 4 or fewer computers and don’t require a hardware KVM, I suggest giving it a try! I’ve placed a link on my tools page.



Obscure Skype for Business desktop sharing issue

A colleague of mine reported an issue with Skype for Business where he was unable to either share his screen (or application or PowerPoint presentation), nor could others share their screens with him.

From the user’s side, clicking on the Present button allowed him to toggle what he wanted to share, which would appear to work – the border indicated “connecting” while the recipient(s) waited for the presentation to begin. After 30-40 seconds, the presentation error (…”the invitation has expired”) and time out.

If you encounter this issue, you can try the following registry hack, which worked for me:

  1. Open Regedit as an administrator
  2. Navigate to: 
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. Add the following DWORD and value: 
    MaxUserPort=0000x3a98 (15000)
  4. Reboot for the changes to take effect.

You can find more information about MaxUserPort and other TCP/IP registry settings here. This issue seems to be newly introduced with Windows 10 version 1809.