Admin logon regedit

2024.05.13 22:08 heathen951 Scheduled search returning no results

I've created a scheduled search using the new CQL to look for local account creations. It's scheduled to run every 15 min and so far has been. We had a local account created to test the results of the search and it did not alert on the account creation.
If I take the same query and run it in advanced event search it produces the results I expected.
If anyone has had the same happen and might have some pointers, I'm all ears!
Query for reference:
 "#event_simpleName" = UserAccountCreated in(field="event_platform", values=[Win, Mac]) join({#data_source_name=aidmaster}, field=aid, include=ProductType, mode=left) ProductType=1 $falcon/helper:enrich(field=UserIsAdmin) $falcon/helper:enrich(field=LogonType) $falcon/helper:enrich(field=ProductType) groupBy([@timestamp], function=([count(aid, distinct=true, as=SystemsAccessed), count(aid, as=TotalLogons), collect([Tactic, Technique, UserSid, UserName, ComputerName, UserIsAdmin, LogonType])])) 
submitted by heathen951 to crowdstrike


2024.05.13 21:59 T1Dsecurity Scheduled search not returning results

I created a scheduled search that is supposed to alert on local account creations. I had a test account created and the search did not alert or pick up the account creation but if I run the query in advanced event search it shows me the results of the test account. The search is scheduled to run every 15 min.
Any help would be appreciated.
Here's the query for reference:
 "#event_simpleName" = UserAccountCreated in(field="event_platform", values=[Win, Mac]) join({#data_source_name=aidmaster}, field=aid, include=ProductType, mode=left) ProductType=1 $falcon/helper:enrich(field=UserIsAdmin) $falcon/helper:enrich(field=LogonType) $falcon/helper:enrich(field=ProductType) groupBy([@timestamp], function=([count(aid, distinct=true, as=SystemsAccessed), count(aid, as=TotalLogons), collect([Tactic, Technique, UserSid, UserName, ComputerName, UserIsAdmin, LogonType])])) 
submitted by T1Dsecurity to crowdstrike


2024.05.13 03:01 techygeekshome Windows cannot connect to the printer

Windows cannot connect to the printer https://tinyurl.com/26vxy8mk #Guide
If you are using a print server you may find that you come across an error when trying to connect an end user to a printer stating: "Windows Cannot Connect to the Printer". This is caused when the print driver is updated or a new driver is created on the print server and stops the end user from adding the printer involved. To fix it, log on to your print server and carry out the following: go into the regedit tool on the print server and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\[PrinterName]. You should now see under the printer name a key called...
Read More... https://tinyurl.com/26vxy8mk
submitted by techygeekshome to tgh


2024.05.11 17:36 Fabulous_Structure54 Any one got a basic understanding of Guacamole here?

As per the question - I'm setting up a Guacamole instance to connect to various things (VMs etc.) - I've used the official container (I think?) - currently I can log on as the admin and from there log on to a resource (Mint with TigerVNC). I have followed some fairly poor walkthroughs and got in a mess... I'd like to unassociate the admin user from any resources, create a new user and associate them with the Mint VM - obviously I'd like to do more but even the above evades me (AD integration/SSH & RDP targets etc.)... If I create a new user it can't log on to the web interface and the Docker logs are equally unhelpful and say the user can't log on. So that's a bust... I see references to guacamole.properties and user-mapping.xml but none of these files exist on my system - various guides on the internet say really helpful things like "log on to the server"... wait... what server? There are 3 here to start with (target, server, Docker container). Anyway, I'll let that be for now...
I've obviously got a huge architectural disconnect with this product - what is a user? Is it a Guacamole user, a Guacamole server Linux user or a target user? How can I enable LDAP/AD logons to Guacamole, and will these credentials be passed to targets? What happens if I don't want them to (e.g. SSH to a switch that isn't AD integrated)? I've spent a number of years of my career setting up similar products at scale (Citrix/RDSH etc.) but I can't even get off the ground here... I think it may be time to retire... If it helps, here's my current docker compose file, which might give some clues as to what I'm doing wrong...
version: '2.0'

# networks
# create a network 'guacnetwork_compose' in mode 'bridged'
networks:
  guacnetwork_compose:
    driver: bridge

# services
services:
  # guacd
  guacd:
    container_name: guacd_compose
    image: guacamole/guacd
    networks:
      guacnetwork_compose:
    restart: always
    volumes:
      - ./drive:/drive:rw
      - ./record:/record:rw

  # postgres
  postgres:
    container_name: postgres_guacamole_compose
    environment:
      PGDATA: /var/lib/postgresql/data/guacamole
      POSTGRES_DB: guacamole_db
      POSTGRES_PASSWORD: 'ChooseYourOwnPasswordHere1234'
      POSTGRES_USER: guacamole_user
    image: postgres:15.2-alpine
    networks:
      guacnetwork_compose:
    restart: always
    volumes:
      - ./init:/docker-entrypoint-initdb.d:z
      - ./data:/var/lib/postgresql/data:Z

  # guacamole
  guacamole:
    container_name: guacamole_compose
    depends_on:
      - guacd
      - postgres
    environment:
      GUACD_HOSTNAME: guacd
      POSTGRES_DATABASE: guacamole_db
      POSTGRES_HOSTNAME: postgres
      POSTGRES_PASSWORD: 'ChooseYourOwnPasswordHere1234'
      POSTGRES_USER: guacamole_user
    image: guacamole/guacamole
    links:
      - guacd
    networks:
      guacnetwork_compose:
    ports:
      ## enable next line if not using nginx
      - 8080:8080/tcp # Guacamole is on :8080/guacamole, not /.
      ## enable next line when using nginx
      # - 8080/tcp
    restart: always

  ########### optional ##############
  # nginx
  nginx:
    container_name: nginx_guacamole_compose
    restart: always
    image: nginx
    volumes:
      - ./nginx/templates:/etc/nginx/templates:ro
      - ./nginx/ssl/self.cert:/etc/nginx/ssl/self.cert:ro
      - ./nginx/ssl/self-ssl.key:/etc/nginx/ssl/self-ssl.key:ro
    ports:
      - 8443:443
    links:
      - guacamole
    networks:
      guacnetwork_compose:
  ####################################################################################
submitted by Fabulous_Structure54 to selfhosted


2024.05.11 14:59 KiddieSculp Remote script in powershell crashes when calling another script via PSSession

When the script starts installing WinCollect, it simply hangs.
I have a Execution.ps1 script that copies several files to a remote host and runs another script inside the copied folder.
The script crashes at this part.
Start-Process msiexec.exe -ArgumentList "/l*v WC_install.log /qb /i wincollect-10.1.8-17.x64.msi QUICK_INSTALL=`"yes`" WC_DEST=192.168.125.110 ADMIN_GROUP=`"true`"" -Wait
Broken here:
Executing script remotely on hosts with successful connection...
Runhost...
Starting installation of the WinCollect...
Installing WinCollect...
# Eternal wait
The script is long but it is simple.
These are the scripts.
## Execution.ps1

# Function to copy files to remote hosts and execute the installation script
function Copy-And-Install {
    param (
        [string]$SourcePath,
        [string]$DestinationPath,
        [string]$HostsFilePath,
        [string]$SuccessLogPath,
        [string]$FailureLogPath
    )

    # Array to store hosts with successful connection
    $SuccessHosts = @()
    # Array to store hosts with unsuccessful connection
    $FailureHosts = @()

    # Read hostnames from file
    $Hosts = Get-Content $HostsFilePath

    # Iterate over each host
    foreach ($HostName in $Hosts) {
        try {
            # Test connection with host
            Write-Host "Trying to connect to ${HostName}..."
            $ConnectionTest = Test-Connection -ComputerName $HostName -Count 1 -Quiet
            $ConnectionResult = if ($ConnectionTest) { "Connection successful" } else { "Connection fail" }

            # Add connection result to log file
            Write-Host "Result of connecting to ${HostName}: $ConnectionResult"
            if ($ConnectionTest) {
                $SuccessHosts += $HostName
            } else {
                $FailureHosts += $HostName
            }

            # Create remote host temp folder if connection is successful
            if ($ConnectionTest) {
                # Remove existing temporary directory if any
                Write-Host "Removing existing temporary directory on remote host ${HostName}..."
                Invoke-Command -ComputerName $HostName -ScriptBlock { param($DestinationPath); Remove-Item -Path $DestinationPath -Recurse -Force } -ArgumentList $DestinationPath -ErrorAction SilentlyContinue

                # Create temporary directory on remote host
                Write-Host "Creating temporary directory on remote host ${HostName}..."
                Invoke-Command -ComputerName $HostName -ScriptBlock { param($DestinationPath); mkdir $DestinationPath } -ArgumentList $DestinationPath
            }
        } catch {
            # If an error occurs, record it in the log file
            $FailureHosts += $HostName
            Add-Content -Path $FailureLogPath -Value "Error connecting to ${HostName}: $_"
        }
    }

    # Save successfully and unsuccessfully connected hosts to separate files
    $SuccessHosts | Out-File $SuccessLogPath
    $FailureHosts | Out-File $FailureLogPath

    # Run installation script on hosts with successful connection
    if ($SuccessHosts.Count -gt 0) {
        # Copy files to successfully connected hosts
        foreach ($HostName in $SuccessHosts) {
            Write-Host "Copying files to remote host ${HostName}..."
            Copy-Item -Path $SourcePath\* -Destination "$DestinationPath" -ToSession (New-PSSession -ComputerName $HostName -Credential (Get-Credential) -ErrorAction Stop) -Force -Verbose
        }

        # Execute script remotely on hosts with successful connection
        Write-Host "Executing script remotely on hosts with successful connection..."
        Invoke-Command -ComputerName $SuccessHosts -ScriptBlock {
            param($DestinationPath)
            # Start script installation on remote host
            Write-Host "Running installation script on remote host..."
            Invoke-Expression "powershell.exe -ep bypass -file $DestinationPath\install_wincollect_v2.0.ps1"
        } -ArgumentList $DestinationPath
    }
}

# Source folder path
$SourcePath = "C:\Users\Administrator\Desktop\wincollect\wincollect"
# Log file for hosts with successful connection
$SuccessLogPath = "C:\Users\Administrator\Desktop\wincollect\success.txt"
# Log file for hosts with unsuccessful connection
$FailureLogPath = "C:\Users\Administrator\Desktop\wincollect\failed.txt"
# Temp folder path on remote host
$DestinationPath = "$Env:TEMP\wincollect"

# Read user hosts
$Option = Read-Host "Select option:`n1. Pass path with the txt with the name of hosts`n2. Enter the IP in CIDR (ex: 192.168.1.0/24)"
if ($Option -eq "1") {
    # Read text file path with hosts
    $HostsFilePath = Read-Host "Enter the path of the text file with the host names"
} elseif ($Option -eq "2") {
    # Read IP in CIDR
    $CIDR = Read-Host "Enter the IP in CIDR"
    $Hosts = (1..254 | ForEach-Object { "${CIDR}" -replace '\d+$', $_ })
} else {
    Write-Host "Invalid option."
    exit
}

# Call function to copy files and run installation script on remote hosts
Copy-And-Install -SourcePath $SourcePath -DestinationPath $DestinationPath -HostsFilePath $HostsFilePath -SuccessLogPath $SuccessLogPath -FailureLogPath $FailureLogPath
Write-Host "Complete!"

## install_wincollect_v2.0.ps1

$syslogIP = "192.168.125.110"

Write-Host "Starting installation of the WinCollect..."
Write-Host "Installing WinCollect..."
Start-Process msiexec.exe -ArgumentList "/l*v WC_install.log /qb /i wincollect-10.1.8-17.x64.msi QUICK_INSTALL=`"yes`" WC_DEST=192.168.125.110 ADMIN_GROUP=`"true`"" -Wait

Write-Host "Starting installation of the Sysmon..."
Write-Host "Installing Sysmon..."
Start-Process sysmon64.exe -ArgumentList '-accepteula -i sysmonconfig-export.xml' -Wait

Write-Host "Starting copy of XML config files..."
Write-Host "Copying XML config files..."
Copy-Item -Path "update_addDirectoryService.xml" -Destination "C:\Program Files\IBM\WinCollect\patch\" -Force
Copy-Item -Path "update_addDnsServer.xml" -Destination "C:\Program Files\IBM\WinCollect\patch\" -Force
Copy-Item -Path "update_addPowerShell.xml" -Destination "C:\Program Files\IBM\WinCollect\patch\" -Force
Copy-Item -Path "update_addSysmon.xml" -Destination "C:\Program Files\IBM\WinCollect\patch\" -Force

$serviceName = "WinCollect"
$serviceRegistryPath = "HKLM:\System\CurrentControlSet\Services\$serviceName"
if (Test-Path $serviceRegistryPath) {
    # Set the service logon value to "LocalSystem"
    Set-ItemProperty -Path $serviceRegistryPath -Name "ObjectName" -Value "LocalSystem"
    Write-Host "Service logon option changed to 'Local System Account'."
} else {
    Write-Host "Service not found."
    Read-Host "Press Enter to exit."
    exit
}

Stop-Service WinCollect
Start-Service WinCollect
Stop-Service Sysmon64
Start-Service Sysmon64
Write-Host "Complete!"

$serviceWinCollect = "WinCollect"
$serviceSysmon = "Sysmon64"
$getServiceWinCollect = Get-Service -Name $serviceWinCollect -ErrorAction SilentlyContinue
$getServiceSysmon = Get-Service -Name $serviceSysmon -ErrorAction SilentlyContinue
if ($serviceWinCollect) {
    if ($getServiceWinCollect.Status -eq "Running") {
        Write-Host "The service $serviceWinCollect is active and running."
    } else {
        Write-Host "The service $serviceWinCollect doesn't exist or isn't running."
    }
}
if ($serviceSysmon) {
    if ($getServiceSysmon.Status -eq "Running") {
        Write-Host "The service $serviceSysmon is active and running."
    } else {
        Write-Host "The service $serviceSysmon doesn't exist or isn't running."
    }
}
Read-Host "Press Enter to exit."
I have already exhausted all the possibilities I know and have not been able to resolve it.
If you need the files for testing, I can send you the download link if necessary.
Does anyone have any idea what it could be?
submitted by KiddieSculp to PowerShell


2024.05.10 16:57 Entegy Using kiosk mode with multiple monitors

I have a Windows 10 machine that will act as a POS device. It has a client facing second screen attached, so Windows sees a second screen. Kiosk mode is causing me problems because of this.
If the monitors are set to extend at startup, autologon fails because of kiosk mode's insistence on tablet mode. If I force extend monitors after logon, tablet mode remains in a bizarre quasi-state and the POS app's second window doesn't appear on the second screen.
There appears to be no way to disable tablet mode when assigning kiosk mode.
I was thinking of maybe using Windows Defender Application Control, but that seems to affect the whole computer and I just need to lock down the kiosk user. There's a LAPS-managed admin account on the machine that I don't want restricted in any way.
So I'm at a loss what I can do here to get a multi-monitor kiosk or lockdown environment. Any thoughts?
submitted by Entegy to Intune


2024.05.10 01:14 Matt79AU Configuring wlan and power settings in autounattend.xml

Preface: Deploying a 23H2 ISO via USB due to not having a volume license or Azure/InTune subscription.
I can successfully build machines using this answer file I created; however, I'm now looking to add steps like configuring WLAN, power settings, enabling location services etc. When I include them in the specialize pass, my build fails. If I try to configure them in OOBE using separate scripts in the root of the install media, my build also fails.
What am I doing wrong?
[autounattend.xml as posted: the leading settings passes (locale, disk layout, image index, product key, OOBE and account settings) survived only as tag-stripped values in this copy; the readable tail (local account, first logon commands, time zone) follows]
<pre>
                        <Password>
                            <Value>YwBvAG4AcwB1AGwAdAAzADYANQBQAGEAcwBzAHcAbwByAGQA</Value>
                            <PlainText>false</PlainText>
                        </Password>
                        <Description />
                        <DisplayName>P-admin</DisplayName>
                        <Group>Administrators</Group>
                        <Name>P-admin</Name>
                    </LocalAccount>
                </LocalAccounts>
            </UserAccounts>
            <RegisteredOrganization />
            <RegisteredOwner>P-admin</RegisteredOwner>
            <DisableAutoDaylightTimeSet>false</DisableAutoDaylightTimeSet>
            <FirstLogonCommands>
                <SynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <Description>Control Panel Icon Size</Description>
                    <RequiresUserInput>false</RequiresUserInput>
                    <CommandLine>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel" /v AllItemsIconView /t REG_DWORD /d 1 /f</CommandLine>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <Order>2</Order>
                    <RequiresUserInput>false</RequiresUserInput>
                    <CommandLine>cmd /C wmic useraccount where name="P-admin" set PasswordExpires=false</CommandLine>
                    <Description>Password Never Expires</Description>
                </SynchronousCommand>
            </FirstLogonCommands>
            <TimeZone>AUS Eastern Standard Time</TimeZone>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:c:/users/<user>/downloads/win11_23h2_english_x64v2/sources/install.wim#Windows 11 Pro" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>
</pre> </div> submitted by Matt79AU to sysadmin</p>
<hr />
<p>2024.05.08 21:42 <i style="color:green;">Rods_br98</i> <b>Rename c:/[User] folder on windows 11</b></p>
<p><div class="md">Hello everyone!<br /> I formatted the computer for my brother to use, but the user folder still has my name even after changing the user name in Windows.<br /> I watched some videos on YouTube but the ones I found didn't solve the problem.<br /> What I tried was: create an admin via CMD via net user admin /active:yes; access the created admin and change the name of the folder c:\[username] to c:\[my brother's name]; access regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and change the key with my name to my brother's name.<br /> If someone knows how to fix it, I'd appreciate it.<br /> </div> submitted by Rods_br98 to WindowsHelp</p>
<hr />
<p>2024.05.07 14:58 <i style="color:green;">GetMeAFreshPot</i> <b>Chrome is no longer blocking notifications</b></p>
<p><div class="md">Noticed that Chrome has started allowing notifications on Windows 10 in our environment. I've verified the Chrome GPO and the reg setting below on a few different devices, but on each one, when I open Chrome > Settings > Notifications, the default behavior field is not checked.<br /> When I check 'Do not allow' and restart, it is unchecked again.<br /> GPO > Computer > Admin Templates > Google Chrome > Content Settings > Default Notification setting<br /> Enabled: Do not allow any site to show desktop notifications<br /> Regedit: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\DefaultNotificationsSetting<br /> DWORD<br /> 2<br /> </div> submitted by GetMeAFreshPot to sysadmin</p>
<hr />
<p>2024.05.07 10:29 <i style="color:green;">TheITGuyDK</i> <b>Show last logged on user not working</b></p>
<p><div class="md">Hi<br /> We are currently working on our journey from Win10 to Win11.<br /> And our thinking here is that we would like to move as many GPOs to Intune as possible.<br /> Right now, I'm slamming my head into a wall, because for some reason I can't get this policy to work.<br /> I'm trying to get it to show the last logged on user. It works if I use the old GPO, but in Intune I'm just getting the bug F finger.<br /> Any suggestions how I should continue my troubleshooting?<br /> Here is the list of policies pushed to the device. (I'm sorry, I could not get the table to work)<br />
<table>
<tr><th>Setting name</th><th>Setting value</th><th>Setting status</th></tr>
<tr><td>Accounts Block Microsoft Accounts</td><td>Users can't add or log on with Microsoft accounts</td><td>Succeeded</td></tr>
<tr><td>Devices Prevent Users From Installing Printer Drivers When Connecting To Shared Printers</td><td>Disable</td><td>Succeeded</td></tr>
<tr><td>Interactive Logon Display User Information When The Session Is Locked</td><td>User display name only</td><td>Succeeded</td></tr>
<tr><td>Interactive Logon Do Not Display Last Signed In</td><td>Disabled (username will be shown)</td><td>Succeeded</td></tr>
<tr><td>Interactive Logon Do Not Display Username At Sign In</td><td>Disabled (username will be shown)</td><td>Succeeded</td></tr>
<tr><td>Interactive Logon Do Not Require CTRLALTDEL</td><td>Enabled (a user is not required to press CTRL+ALT+DEL to log on)</td><td>Succeeded</td></tr>
<tr><td>Interactive Logon Machine Inactivity Limit</td><td>2700</td><td>Succeeded</td></tr>
<tr><td>Shutdown Allow System To Be Shut Down Without Having To Log On</td><td>Enabled (Allow system to be shut down without having to log on)</td><td>Succeeded</td></tr>
<tr><td>User Account Control Detect Application Installations And Prompt For Elevation</td><td>Enable</td><td>Succeeded</td></tr>
<tr><td>User Account Control Run All Administrators In Admin Approval Mode</td><td>Enabled</td><td>Succeeded</td></tr>
<tr><td>User Account Control Switch To The Secure Desktop When Prompting For Elevation</td><td>Disabled</td><td>Succeeded</td></tr>
<tr><td>Allow Find My Device</td><td>Allow</td><td>Succeeded</td></tr>
<tr><td>Default Associations Configuration</td><td>PATH\Defaultprograms.txt</td><td>Succeeded</td></tr>
<tr><td>Configure Chat Icon</td><td>Disabled</td><td>Succeeded</td></tr>
<tr><td>Do Not Show Feedback Notifications</td><td>Feedback notifications are disabled.</td><td>Succeeded</td></tr>
<tr><td>Enable Web Sign In For Primary User</td><td>Enabled. Web Sign-in Credential Provider will be enabled for device sign-in.</td><td>Succeeded</td></tr>
<tr><td>MDM Wins Over GP</td><td>The MDM policy is used and the GP policy is blocked.</td><td>Succeeded</td></tr>
<tr><td>Show Lock On User Tile</td><td>Enabled</td><td>Succeeded</td></tr>
</table>
</div> submitted by TheITGuyDK to Intune</p>
<hr />
<p>2024.05.06 19:32 <i style="color:green;">Wooden-Essay-2190</i> <b>Local Admin lockouts resulting in</b></p>
<p><div class="md">I have been dealing with this for a while and I am stumped on where to look. Our administrator account is disabled, but we still use a local admin account. The issue is that whenever the local admin account is used, it creates a bunch of login attempts as if someone is failing to enter a password and bounces back brute force attacks.<br /> Below is what the log shows, but I am confused on the cause. Has anyone seen or dealt with this before?<br /> An account failed to log on.<br /> Subject:<br /> <pre>Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0</pre> Logon Type: 3<br /> Account For Which Logon Failed:<br /> <pre>Security ID: NULL SID
Account Name: Administrator
Account Domain: DMXL2521MG8</pre> Failure Information:<br /> <pre>Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A</pre> Process Information:<br /> <pre>Caller Process ID: 0x0
Caller Process Name: -</pre> Network Information:<br /> <pre>Workstation Name: DMXL2521MG8
Source Network Address: 10.3.10.174
Source Port: 51094</pre> Detailed Authentication Information:<br /> <pre>Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0</pre> This event is generated when a logon request fails. It is generated on the computer where access was attempted.<br /> The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.<br /> The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).<br /> The Process Information fields indicate which account and process on the system requested the logon.<br /> The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.<br /> The authentication information fields provide detailed information about this specific logon request.<br /> <pre>- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.</pre> </div> submitted by Wooden-Essay-2190 to sysadmin</p>
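<p>As an added example, not part of the post above, the Python below parses 4625 message bodies in the layout quoted and groups a batch of them by target account, source address and NTSTATUS sub-status, which is the first cut a responder makes before deciding between a stale stored credential on the source host and password guessing. The sample events are constructed; the hostname and source address are the ones in the post.</p>

```python
"""Triage helper for 4625 ("An account failed to log on") message bodies.
Added example, not the poster's code; sample events below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass

# NTSTATUS sub-status values documented for event 4625 (subset).
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name is correct but the password is wrong",
    "0xC0000072": "account is disabled",
    "0xC0000234": "account is locked out",
}

# One "Key: Value" line; keys may contain spaces and parentheses ("Package Name (NTLM only)").
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()]*?):\s*(.*)$")


@dataclass(frozen=True)
class FailedLogon:
    subject_sid: str     # requester; NULL SID means the request arrived unauthenticated
    target_account: str  # the account that failed to log on
    logon_type: str      # 2 interactive, 3 network, 10 remote interactive, ...
    sub_status: str
    auth_package: str    # NTLM, Kerberos or Negotiate
    source_address: str

    def describe(self):
        return SUB_STATUS.get(self.sub_status, f"unknown sub-status {self.sub_status}")


def parse_4625(text):
    """Parse one 4625 message body into a FailedLogon.
    "Security ID" and "Account Name" occur twice (Subject = requester, then
    "Account For Which Logon Failed" = target), so the first is the subject, the last the target."""
    seen = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m or m.group(2).strip() == "":
            continue  # section headers ("Subject:") and free text carry no value
        seen.setdefault(m.group(1).strip(), []).append(m.group(2).strip())

    def one(key, last=False):
        values = seen.get(key, ["-"])
        return values[-1] if last else values[0]

    return FailedLogon(
        subject_sid=one("Security ID"),
        target_account=one("Account Name", last=True),
        logon_type=one("Logon Type"),
        sub_status=one("Sub Status"),
        auth_package=one("Authentication Package"),
        source_address=one("Source Network Address"),
    )


def summarise(events, repeat_threshold=3):
    """Group failures by (source, target, sub-status), most frequent first.
    Repeated 0xC000006A for one valid account from one source is in practice more often a
    stale stored credential there (mapped drive, scheduled task, service) than a human guessing."""
    counts = Counter((e.source_address, e.target_account, e.sub_status) for e in events)
    findings = []
    for (src, acct, sub), n in counts.most_common():
        note = f"{n} failure(s) for '{acct}' from {src}: {SUB_STATUS.get(sub, sub)}"
        if sub == "0xC000006A" and n >= repeat_threshold:
            note += "; check the source host for a stale saved credential before assuming password guessing"
        findings.append(note)
    return findings


def build_event(account, source, sub_status):
    """Constructed 4625 body (sample data) modelled on the one quoted in the post."""
    return f"""An account failed to log on.
Subject:
    Security ID: NULL SID
    Account Name: -
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: {account}
    Account Domain: DMXL2521MG8
Failure Information:
    Sub Status: {sub_status}
Network Information:
    Source Network Address: {source}
Detailed Authentication Information:
    Authentication Package: NTLM
    Package Name (NTLM only): -
This event is generated when a logon request fails."""


# Constructed batch: three bad-password failures for the built-in Administrator from the
# workstation named in the post, plus one attempt against a name that does not exist.
SAMPLE_EVENTS = [parse_4625(build_event("Administrator", "10.3.10.174", "0xC000006A"))
                 for _ in range(3)]
SAMPLE_EVENTS.append(parse_4625(build_event("svc_backup", "10.3.10.20", "0xC0000064")))
```

Running `summarise(SAMPLE_EVENTS)` yields two findings, the Administrator one first with the stale-credential hint attached.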
<hr />
<p>2024.05.06 11:40 <i style="color:green;">doofesohr</i> <b>Entra ID App Proxy - Install via Device Login?</b></p>
<p><div class="md">Hi, I'd like to install the App Proxy Connector on a server. My admin account uses phishing-resistant MFA though, and the server obviously can't see the FIDO stick. Is there a command line switch for a device logon? If I remember correctly I used something like that for another Entra admin login, but I don't know what and how.<br /> </div> submitted by doofesohr to entra</p>
<hr />
<p>2024.05.05 20:38 <i style="color:green;">Open_Sourcey</i> <b>Tree Behavior</b></p>
<p><div class="md">Using CakePHP Rev 5, I am struggling with this behavior. I am trying to implement a menu in a cell. The database looks like this:<br /> <a href="https://preview.redd.it/lb5wvowkinyc1.png?width=2142&format=png&auto=webp&s=979c36a4dc874e8359d2a232569418857143f561">https://preview.redd.it/lb5wvowkinyc1.png?width=2142&format=png&auto=webp&s=979c36a4dc874e8359d2a232569418857143f561</a><br /> Note: I do not have lft or rght. It did not seem to have any effect on this setup.<br /> I want to present a different menu based on the user's role. I am implementing a closure when I set the table tree behaviour as follows in initialize of MenuTable:<br /> <pre>$this->addBehavior('Tree', ['scope' => function ($query) {
    echo '&lt;script&gt;alert("entered tree closure")&lt;/script&gt;';
}]);</pre> The alert is never executed nor does debugging stop in the closure. Inside the MenuCell I retrieve the menus as follows:<br /> <pre>$menuItems = $this->fetchTable('Menus')->find('threaded')->toArray();
$this->set('menus', $menuItems);</pre> The display does seem to present the menus appropriately but the behavior closure is never executed.<br /> Under what conditions is it executed? Am I using the wrong method with find("threaded")? Any help or pointers are appreciated. I have chased through the code but cannot see where 'scope' is invoked from.<br /> Thanks<br /> </div> submitted by Open_Sourcey to cakephp</p>
<hr />
<p>2024.05.04 22:28 <i style="color:green;">mrniceguy1990xp</i> <b>PC crash, now a temp profile every time and the main user folder is empty... help T_T</b></p>
<p><div class="md">Hello, this morning the PC crashed; after booting back up I noticed I was on a temporary profile.<br /> I tried to fix it following an online guide: in regedit there were 2 registry entries, one for the temp profile without .bak and the main profile with .bak, so I deleted the one without .bak and renamed the main profile so it no longer has .bak at the end. Unfortunately that didn't work, still a temp profile every time...<br /> So I created a new admin profile and wanted to move the files from the old main profile over to the new one... but it is practically empty, only Users/"mainprof"/appdata/roaming/microsoft/windows/cloudstore, but all empty folders, and the rest of the folders are all missing, and yes, "show hidden folders/files" is enabled.<br /> I've been searching like crazy for/with recovery programs, but I don't know anything about them or which ones are suitable: - Recuva didn't find much, mainly old deleted files. - MiniTool Power Data Recovery is still searching; it finds more, but rather random individual files where I have no idea where they belong. - TestDisk I also just started even though I'm not sure exactly what it does, but it's almost done lol.<br /> Anyone who knows this kind of experience? Or any tips? Programs that could help? Any solution? Mainly I want to restore my Firefox for passwords/bookmarks and general game saves, where recovering individual files probably won't help me.<br /> No idea whether the disk is corrupted and all the data from the user folder is simply gone (the Windows error check for the drive says everything is OK) or whether they're just not visible at the moment for whatever reason... Sorry, I'm just clueless and hope someone can help x)<br /> PS: no backups or recovery points available<br /> </div> submitted by mrniceguy1990xp to de_EDV</p>
<hr />
<p>2024.05.03 18:16 <i style="color:green;">SendNootNoots</i> <b>Need help with CTF (Beginner level)</b></p>
<p><div class="md">Hi everyone. I'm a beginner to the field and very much new to CTFs. Currently, as part of an assessment, I am doing a CTF that involves getting two (2) flags, local.txt and Proof.txt. From reading online, I more or less know where I can find the files. My roadblock right now is actually getting access to a shell.<br /> So far (in Kali), I have done the following:<br /> <ul> <li>Nmap scan that showed ports 21, 22, 80 and 3306 are open. <ul> <li>Verified that FTP (vsftpd 3.0.3) anonymous logon is disabled</li> <li>The HTTPServer is Ubuntu (Apache 2.4.41), obtained from running WPScan.</li> <li>Opened the IP in a browser as well as running WhatWeb and verified that it was running WordPress (6.5.2)</li> </ul></li> <li>The WordPress site also has the admin login page accessible, and so far I only know the username but not the password. The details of this particular CTF mention that brute-forcing is not required for this exercise.</li> </ul> <a href="https://preview.redd.it/p2oofqsoj8yc1.png?width=1434&format=png&auto=webp&s=57a1a12a4259e6a723ffbebacf77c4afb5580feb">https://preview.redd.it/p2oofqsoj8yc1.png?width=1434&format=png&auto=webp&s=57a1a12a4259e6a723ffbebacf77c4afb5580feb</a><br /> <ul> <li>Robots.txt output</li> </ul> <a href="https://preview.redd.it/qzbgb9sij8yc1.png?width=580&format=png&auto=webp&s=b4a848f46963cf442788f68f98a8479bbdd1d62e">https://preview.redd.it/qzbgb9sij8yc1.png?width=580&format=png&auto=webp&s=b4a848f46963cf442788f68f98a8479bbdd1d62e</a><br /> <ul> <li>[Edit] I also ran the URL through Nikto, but nothing really stands out that could help me get access.</li> </ul> That pretty much covers what I am able to do and obtain. Any suggestions or insight that could help? As mentioned previously, I am new to this so do bear with me, but I am more than happy to provide any other related information. Thanks in advance!<br /> </div> submitted by SendNootNoots to securityCTF</p>
<hr />
<p>2024.05.03 17:44 <i style="color:green;">luky90</i> <b>Cannot access a Server in Domain via Admin Share</b></p>
<p><div class="md">Hello,<br /> I have strange problems in my Active Directory domain. Suddenly I cannot add 2 other DNS servers in the DNS MMC, and at other times I cannot log on to the admin SMB shares c$ or d$ in the same domain. For example, I tried to replicate Citrix PVS VHD files between file servers and the script returned an error, "not authenticated" or something. Then I had to map a network drive manually to the destination server with my admin credentials in order for the script to work again.<br /> Do you think this has something to do with Active Directory or Kerberos?<br /> </div> submitted by luky90 to WindowsServer</p>
<hr />
<p>2024.05.02 17:51 <i style="color:green;">a_man_of_mold</i> <b>Found a Belarc report of our old family PC...yes, my dad bought this thing in 2005</b></p>
<p><table> <tr><td> <a href="?id=28804"> <img src="https://preview.redd.it/siyisbgkb1yc1.png?width=640&crop=smart&auto=webp&s=98b8b8569c84844ca44a87df94d4617c41a50642" alt="Found a Belarc report of our old family PC...yes, my dad bought this thing in 2005" title="Found a Belarc report of our old family PC...yes, my dad bought this thing in 2005" /> </a> </td><td> <div class="md">For context, I've gone down a bit of a rabbit hole recently trying to find out any details I can about my two old family PCs, the first a Pentium II and the second a Pentium III (7 years later). I was searching through trying to find any trace of info and found 3 floppy disks at my dad's desk, one of which for some reason by immense luck he decided to put this Belarc Advisor report on. Of course, initially the .htm file of this report was the ONLY thing that was corrupted in some way out of all 3 disks, but eventually I got it to copy over and I'm not quite sure how.<br /> I mean, I knew nothing about this PC other than that I was pretty sure it was a PIII 450 MHz. Of all things, finding a detailed spec report stored on a floppy disk in 2006 is the holy grail. Look at those specs! A whopping 10GB HDD and 256 MB RAM! Aren't you jealous of the mid 2000s Katmai experience? The board info indicates it was from Shuttle, who made those smaller form factor PCs. Somewhere along the line someone evidently decided to take the board out and stick it into a <a href="?id=14372">generic Y2K beige case with blue iMac G3-esque plastic accents</a>, because that's how we got it. I also remember it had an "evil inside" sticker. I don't know why the graphics are listed as Mobility Radeon 9200; it must have been the desktop variant. <br /> He bought it at a strange little computer shop, and the XP install wasn't genuine. At some point he got sent a genuine disc with a code, I'm sure from contacting Microsoft directly. 
I doubt they sent it for free out of the goodness of their own hearts; it probably cost more than the value of the whole PC. We finally got the internet shortly after getting it, so this is where I first experienced browsing the world wide web, chatting on Skype and Windows Live Messenger, and playing mainly late 90s to mid 2000s games. We also all used Limewire and it must have been absolutely riddled with malware. It was used in this exact configuration until 2009, no upgrades. How did we cope?<br /> </div> &#32; submitted by &#32; <a href="?id=9391"> a_man_of_mold </a> &#32; to &#32; <a href="?id=5579"> vintagecomputing </a> <span><a href="?id=13527">[link]</a></span> &#32; <span><a href="?id=25881">[comments]</a></span> </td></tr></table></p>
<hr />
<p>2024.05.02 02:24 <i style="color:green;">aidbish</i> <b>Weird issue with Enrolled devices</b></p>
<p><div class="md">Having a weird issue lately with devices enrolling through Autopilot.<br /> <ol> <li>Some users are unable to open things like regedit; it prompts for admin approval.<br /></li> <li>The ESP is set up to rename the devices; some have worked, some have had to be manually renamed.<br /></li> <li>Under Users, some are listed with their full UPN; on other devices they are listed as their short domain name.<br /></li> </ol> Just trying to figure out the inconsistencies before we deploy more devices.<br /> Anyone had anything similar?<br /> </div> &#32; submitted by &#32; <a href="?id=7111"> aidbish </a> &#32; to &#32; <a href="?id=19377"> Intune </a> <span><a href="?id=24706">[link]</a></span> &#32; <span><a href="?id=10019">[comments]</a></span></p>
<hr />
<p>2024.04.30 12:53 <i style="color:green;">Praba_Petrova01</i> <b>Find Inactive Guest Users in Microsoft 365 using PowerShell</b></p>
<p><div class="md">Are you an M365 admin concerned about stale guest users in the organization?<br /> <em>Relax! We've got just the solution for you.</em> While Microsoft 365 doesn't offer a direct way to export inactive guest users, we have developed a user-friendly PowerShell script. Running this script allows you to identify inactive guest accounts, enabling proactive security management. Don't let stale guest accounts become the gateway to unauthorized access or data breaches!<br /> Below are a few major use cases of this script.<br /> <ul> <li>Track licensed guest users and their last logon time</li> <li>Find inactive guest users based on inactive days</li> <li>Export guest users' logon time based on non-interactive sign-ins</li> <li>View the last logon time for sign-in-enabled guest users</li> <li>Get a list of never-logged-in guest users</li> <li>Schedule guest users' last logon time report</li> </ul> <em>The script supports certificate-based authentication, automatically installs the required PowerShell module, and is compatible with the Windows Task Scheduler.</em> <br /> Explore the PowerShell script to audit Microsoft 365 guest users' last logon time now!<br /> <a href="?id=11646">https://o365reports.com/2024/04/30/export-microsoft-365-guest-users-last-logon-time-report-using-powershell/</a><br /> </div> &#32; submitted by &#32; <a href="?id=2568"> Praba_Petrova01 </a> &#32; to &#32; <a href="?id=20132"> M365Reports </a> <span><a href="?id=26700">[link]</a></span> &#32; <span><a href="?id=21659">[comments]</a></span></p>
<hr />
<p>2024.04.29 21:58 <i style="color:green;">nocsi</i> <b>FreeIPA kerberos shares are now possible with TrueNAS Scale</b></p>
<p><div class="md">And no, I'm not talking about the LDAP configurations as made available in Credentials > Directory Services. I could never get that to work, especially not with macOS clients.<br /> My setup is to create a Fedora jail through jailmaker (use the podman template), pass through /dev/zfs and install the zfs-utils for Fedora. Next you join the new Fedora jail as a freeipa-client, then install and run freeipa-samba-client. There's some other stuff you'd have to figure out, such as ACLs on the zfs shares and avahi. The key is being able to run freeipa-samba to configure samba in the correct way so that it can actually authenticate to the freeipa host. <br /> Here's my samba configuration:<br /> <pre>[global]
aio max threads = 2
# Limit number of forked processes to avoid SMBLoris attack
max smbd processes = 1000
# Use dedicated Samba keytab. The key there must be synchronized
# with Samba tdb databases or nothing will work
dedicated keytab file = FILE:/etc/samba/samba.keytab
kerberos method = dedicated keytab
# Set up logging per machine and Samba process
log file = /var/log/samba/log.%m
log level = 3
# We force 'member server' role to allow winbind automatically
# discover what is supported by the domain controller side
server role = member server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\password:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
realm = NOCSI.ORG
netbios name = PODMAN
workgroup = NOCSI
# Local writable range for IDs not coming from IPA or trusted domains
# use spnego = no
# client ntlm auth = yes
# client ntlmv2 auth = no
idmap config * : range = 0 - 0
idmap config * : backend = tdb
idmap config NOCSI : range = 1228400000 - 1228599999
idmap config NOCSI : backend = sss
ldap group suffix = cn=groups,cn=accounts
ldap machine suffix = cn=computers,cn=accounts
ldap ssl = off
ldap suffix = dc=nocsi,dc=org
ldap user suffix = cn=users,cn=accounts
# ldap admin dn = cn=Directory Manager
ldap admin dn = uid=podman,cn=sysaccounts,cn=etc,dc=nocsi,dc=org
ldap passwd sync = no
wins support = yes
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
load printers = no
log file = /var/log/samba/log
max log size = 100000
# domain logons = yes
# domain master = yes
registry shares = Yes
disable spoolss = Yes
#passdb backend = ldapsam:ldap://idm.nocsi.org
passdb backend = ipasam:ldap://podman.nocsi.org ldap://idm.nocsi.org
# security = ads
security = USER
create krb5 conf = No
rpc_daemon:lsasd = fork
rpc_daemon:epmd = fork
rpc_server:tcpip = yes
rpc_server:netlogon = external
rpc_server:samr = external
rpc_server:lsasd = external
rpc_server:lsass = external
rpc_server:lsarpc = external
rpc_server:epmapper = external
ldapsam:trusted = yes
vfs objects = shadow_copy2 acl_xattr catia fruit streams_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = -%Y-%m-%d-%H%M
shadow: snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(weekly\)\{0,1\}\(monthly\)\{0,1\}
shadow: delimiter = -20
fruit:encoding = native
fruit:metadata = stream
fruit:zero_file_id = yes
fruit:nfs_aces = no
fruit:advertise_fullsync = true
fruit:aapl = yes
fruit:copyfile = no
fruit:model = MacSamba
client max protocol = default
client min protocol = SMB2_02
server max protocol = SMB3
server min protocol = SMB2_02
# min protocol = SMB2
template homedir = /home/%U
template shell = /bin/bash

# Default homes share
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
spotlight backend = elasticsearch

[TMBackup]
aio write size = 0
path = /mnt/spool/timemachine/%U
mangled names = illegal
#valid users = %S, %D%w%S
valid users = %U, @smb_users
force user = %U
# valid users = %S
#write list = @smb_users
# durable_handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
vfs objects = acl_xattr catia fruit streams_xattr
ea support = yes
browseable = Yes
spotlight = Yes
writable = Yes
printable = no
read only = No
inherit acls = Yes
fruit:posix_rename = yes
fruit:zero_file_id = yes
fruit:veto_appledouble = no
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:time machine = yes
fruit:resource = file
fruit:metadata = netatalk
fruit:locking = netatalk
fruit:encoding = native
fruit:time machine max size = 2 T
nfs4:acedup = merge
nfs4:chown = true
fruit:volume_uuid = 636e4d36-bc76-4159-96d7-928990b823ce
root preexec = /etc/samba/scripts/create_user_time_machine.sh %U
create mask = 0664
directory mask = 0755
force directory mode = 0700
create mode = 0600
force create mode = 0600
access based share enum = yes
hide unreadable = yes

[User]
path = /mnt/spool/users/%U
valid users = @smb_users
writable = yes
browseable = yes
read only = no
root preexec = /etc/samba/scripts/create_user_share.sh %U
</pre> I can write a formal guide if needed. But this should be enough information for anyone that's banged their head over trying to get TrueNAS Scale to work with FreeIPA.<br /> tl;dr<br /> <ol> <li>Pass through zfs directly to the Fedora jail</li> <li>Join the Fedora jail to the freeipa realm</li> <li>Configure samba with kerberos/ldap</li> <li>Configure ZFS ACLs</li> <li>Configure Avahi/mdns for macOS clients</li> </ol> </div> &#32; submitted by &#32; <a href="?id=24948"> nocsi </a> &#32; to &#32; <a href="?id=9655"> truenas </a> <span><a href="?id=18269">[link]</a></span> &#32; <span><a href="?id=23834">[comments]</a></span></p>
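<p>A small lint for a config like the one above, written as an added example rather than anything from the post: it parses smb.conf the way Samba reads parameter names (case-insensitive, internal whitespace ignored) and checks the protocol floor, the keytab behind <code>kerberos method</code>, the ipasam passdb backend and the member-server role. The sample config embedded in it is constructed from the post's [global] section with one line deliberately weakened.</p>

```python
"""Lint an smb.conf like the one in the post for settings a FreeIPA member
server should get right: no pre-SMB2 dialects, a keytab file behind
'kerberos method', the ipasam passdb backend and the member-server role.
Added example, not the poster's code; the sample config is constructed."""
import re

# Constructed excerpt modelled on the post's [global] section, with one
# deliberately weakened line (server min protocol) so the check fires.
SAMPLE_SMB_CONF = """
[global]
  # Use dedicated Samba keytab
  dedicated keytab file = FILE:/etc/samba/samba.keytab
  kerberos method = dedicated keytab
  server role = member server
  passdb backend = ipasam:ldap://podman.nocsi.org ldap://idm.nocsi.org
  security = USER
  client min protocol = SMB2_02
  server max protocol = SMB3
  server min protocol = NT1
"""
# Dialects that predate SMB2 and should not be negotiable on a member server.
LEGACY_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1", "smb1"}


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}. Samba compares parameter
    names case-insensitively and ignores internal whitespace, so
    'Server Min Protocol' and 'serverminprotocol' are the same key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)  # [section] header
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                         # stray line: ignore it
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def check_global(conf):
    """Return findings (strings) for [global]; an empty list means clean."""
    g = conf.get("global", {})
    findings = []
    for key in ("serverminprotocol", "clientminprotocol"):
        dialect = g.get(key, "").lower()
        if dialect in LEGACY_DIALECTS:
            findings.append(f"{key} = {dialect} permits pre-SMB2 dialects")
    if (g.get("kerberosmethod", "").lower() == "dedicated keytab"
            and "dedicatedkeytabfile" not in g):
        findings.append("kerberos method = dedicated keytab but no keytab file")
    if not g.get("passdbbackend", "").lower().startswith("ipasam:"):
        findings.append("passdb backend is not ipasam (FreeIPA)")
    if g.get("serverrole", "").lower() != "member server":
        findings.append("server role is not 'member server'")
    return findings
```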
<hr />
<p>2024.04.29 09:01 <i style="color:green;">doetlingerlukas</i> <b>Deleted Domain Account still works for elevation (run as Administrator)</b></p>
<p><div class="md">Hello everyone, I have a very strange logon behavior in Windows 10/11 and would like to get your opinion on this. A client of ours approached me last week saying he had deleted an old client admin account, but people in the relevant department are still using it.<br /> I had a look at his AD and he seemed to be correct. But how? After some testing in his domain, I tried to verify this in my fresh lab domain. Here is what I found:<br /> A domain account, which was previously a member of the local Administrators group on a Windows 10/11 workstation, was deleted. As expected, the account cannot be used for an interactive logon anymore.<br /> However, the account can still be used for elevation on the workstation, e.g. CMD.exe run as Administrator and entering the credentials of the deleted domain user account.<br /> <strong>Connection to the Domain Controller was present at all times.</strong><br /> There seems to be a general problem with cached credentials on Windows. If the deleted user had his credentials cached (because they were used for an elevation previously), they will still work for the "Run As" elevation. Although the Domain Controller was available, using the deleted account caused a CachedInteractive logon (Type 11) according to Event ID 4624. This should only occur without sight of the DC.<br /> If the same deleted account is used in the "run as other user" context, Event ID 4624 shows a Logon Type of 2 (Interactive) and an error that the provided credentials are not working. This seems to work as expected and refreshes the cached credentials, so the account does not work anymore.<br /> <strong>To conclude</strong>, I think that the "run as administrator" elevation in Windows does not check whether the Domain Controller is available if there are locally cached credentials. 
The cached credentials are not verified when the DC is in sight.<br /> Has anyone noticed this before?<br /> To add some context: Local Administrator privileges were deployed to the workstation using group policies, which add a domain group "workstationAdmins" to the local Administrators group on the workstation. The deleted user was, until its deletion, a member of this "workstationAdmins" group.<br /> Steps to reproduce:<br /> <ol> <li>Create a domain user a.temp</li> <li>Create a domain group workstationAdmins</li> <li>Add the workstationAdmins group to the local Administrators group of the Windows 10 workstation</li> <li>Add a.temp to workstationAdmins and verify that a.temp can elevate processes on the workstation (e.g. cmd.exe run as administrator)</li> <li>Delete the domain account a.temp</li> <li>a.temp will still work for elevation on the workstation</li> <li>This issue persists even after restarting the workstation</li> <li>Trying to log on interactively with a.temp will refresh the locally cached credentials and the elevation will not work anymore</li> </ol> </div> &#32; submitted by &#32; <a href="?id=7572"> doetlingerlukas </a> &#32; to &#32; <a href="?id=26698"> sysadmin </a> <span><a href="?id=15996">[link]</a></span> &#32; <span><a href="?id=24164">[comments]</a></span></p>
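<p>A detection angle on the behaviour described above, as an added example that is not part of the post: it reads 4624 events in the XML shape the Windows event log exports and flags CachedInteractive logons (LogonType 11), rating those by an account that no longer exists in the directory as high. The events, the workstation name, the LAB domain and the account list are all constructed for the example.</p>

```python
"""Flag 4624 logons that ran on cached credentials (LogonType 11,
CachedInteractive) for accounts that no longer exist in the directory,
which is the symptom described in the post. Added example, not the
poster's code; the events and the account list are constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CACHED_INTERACTIVE = "11"   # LogonType 11 = CachedInteractive


def _event(user, logon_type, when):
    """Build a constructed 4624 event in the XML shape wevtutil exports."""
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4624</EventID>
<Computer>WS01.lab.example</Computer><TimeCreated SystemTime="{when}"/></System>
<EventData><Data Name="TargetUserName">{user}</Data>
<Data Name="TargetDomainName">LAB</Data><Data Name="LogonType">{logon_type}</Data>
</EventData></Event>"""


SAMPLE_EVENTS = [  # constructed, not real log data
    _event("a.temp", "11", "2024-04-29T08:00:00Z"),  # deleted user, cached logon
    _event("alice", "11", "2024-04-29T08:05:00Z"),   # live user, cached logon
    _event("a.temp", "2", "2024-04-29T08:10:00Z"),   # interactive attempt
]
# Accounts that currently exist in AD (constructed); a.temp has been deleted.
DIRECTORY_ACCOUNTS = {"LAB\\alice", "LAB\\bob"}


def parse_4624(xml_text):
    """Return the fields we care about from one 4624 event, or None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "account": f"{data.get('TargetDomainName')}\\{data.get('TargetUserName')}",
        "logon_type": data.get("LogonType"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }


def find_cached_logons(xml_events, directory_accounts):
    """Flag CachedInteractive (Type 11) logons. An account missing from the
    directory that still logs on via cached credentials is the case in the
    post and gets severity 'high'; any other Type 11 on a machine that can
    reach a DC still deserves a look and gets 'info'."""
    findings = []
    for xml_text in xml_events:
        ev = parse_4624(xml_text)
        if ev is None or ev["logon_type"] != CACHED_INTERACTIVE:
            continue
        ev["severity"] = "high" if ev["account"] not in directory_accounts else "info"
        findings.append(ev)
    return findings
```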
<hr />
<p>2024.04.27 07:39 <i style="color:green;">I-Should-Travel</i> <b>Saving hash table as variable vs immediately piping?</b></p>
<p><div class="md"><pre>(@{
    'AutoAdminLogon'  = 1
    'DefaultUserName' = "ex@amp.le"
    'DefaultPassword' = 'example'
}).GetEnumerator() | ForEach-Object {
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name $_.Key -Value $_.Value
}
</pre> Vs<br /> <pre>$autologon = @{
    'AutoAdminLogon'  = 1
    'DefaultUserName' = "ex@amp.le"
    'DefaultPassword' = 'example'
}
$autologon.GetEnumerator() | ForEach-Object {
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name $_.Key -Value $_.Value
}
</pre> If I'm not going to be reusing the hash table again, is there any point to storing it in a variable and then calling it with .GetEnumerator() versus just immediately creating and piping the hash table? I assume the big reason is readability, generally.<br /> E: While I'm essentially asking a similar question - what's the real difference between iterating through objects via a defined foreach ($item in $collection) loop, versus % { code here }? When is one 'better' than the other?<br /> </div> &#32; submitted by &#32; <a href="?id=24021"> I-Should-Travel </a> &#32; to &#32; <a href="?id=12326"> PowerShell </a> <span><a href="?id=26445">[link]</a></span> &#32; <span><a href="?id=13636">[comments]</a></span></p>
<hr />
</div>
</body>
</html>