Saturday, 22 June 2013

Office 2010 Icons blank.

So, we were facing issues with some of our domain users losing permissions on their C: drives, and when we re-added their permissions we were faced with the annoying side effect of all their Office icons going blank and showing the Windows default icons. Rebuilding the icon cache did not help them in this instance.

So I found that the C:\Windows\installer folder was getting flushed every time the permissions were reset.

To fix this:

1: The installer folder is hidden by default. To unhide it, open C:\Windows, click Organize -- Folder Options -- View, uncheck "Hide protected operating system files", click "Show hidden files" and hit OK.

2: Download the archive from here:
https://www.dropbox.com/s/ltm1f7znmdpvsxr/%7B90140000-0011-0000-0000-0000000FF1CE%7D.zip
and drag and drop its contents into the folder C:\Windows\installer (very important: the whole folder in the archive should be dragged and dropped, not the files within the folder).

3: Log out and log back in, and your Office 2010 icons should come back.

wow.dll right click error

So I got a malware issue with one of our users recently, with a unique twist. She had scanned for and removed malware using Malwarebytes following a tech's instructions, but whenever she right-clicked any file in Windows 7 she got the error:



and it also came up whenever she logged into her PC:

A rudimentary glance at the current processes revealed that the process causing this was rundll32.exe in C:\Windows\SysWOW64.

But further digging with Process Explorer revealed that the svchost process was invoking rundll32.exe in order to keep executing this. I ran RogueKiller and was immediately able to find and kill the process. Since this was only occurring on right click, I checked the shell context handlers in the registry and found this one with apparently no data:


Intrigued, I ran ShellExView from NirSoft, checked the context handlers and found this:


Double clicking on it revealed the cleaned out wow.dll which it was pointing to and not finding:


But deleting this key brought it back after a reboot, so I searched using the CLSID available here and found its startup key (HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}):

and deleted it, which got rid of it.
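The manual hunt above can be scripted. The following is an added example, not part of the original post: a read-only PowerShell audit that walks the context menu handlers, resolves each CLSID under both HKCR\CLSID and HKCR\Wow6432Node\CLSID, and reports handlers whose InprocServer32 DLL is unset, missing on disk, or sitting under AppData or Temp. The list of handler locations scanned and the path heuristic are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Read-only: it reports and deletes nothing.
# Assumes 64-bit PowerShell on 64-bit Windows, run as the affected user, so that
# HKCR shows that user's classes and both the native and Wow6432Node CLSID views.
$views = 'Registry::HKEY_CLASSES_ROOT', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node'
$types = '*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Drive', 'Folder'
$guid  = '^\{[0-9a-fA-F-]{36}\}$'

function Get-HandlerFinding {
    param([string]$Type, [string]$Name, [string]$Clsid)
    $registered = $false
    foreach ($view in $views) {
        $key = "$view\CLSID\$Clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $registered = $true
        # The default value of InprocServer32 is the DLL Explorer loads for this handler.
        $dll = "$((Get-Item -LiteralPath $key).GetValue(''))".Trim('" ')
        if (-not $dll) { $reason = 'InprocServer32 has no DLL path' }
        elseif ($dll -match '\\(AppData|Temp)\\') { $reason = 'DLL in a user-writable path' }
        elseif ($dll -match '^[A-Za-z]:\\' -and
                -not (Test-Path -LiteralPath $dll -PathType Leaf)) { $reason = 'DLL missing on disk' }
        else { continue }
        [pscustomobject]@{ Type = $Type; Handler = $Name; Clsid = $Clsid
                           Reason = $reason; Dll = $dll; Key = $key }
    }
    if (-not $registered) {
        # Handler entry that points at a CLSID with no in-process server behind it.
        [pscustomobject]@{ Type = $Type; Handler = $Name; Clsid = $Clsid
                           Reason = 'CLSID has no InprocServer32 in either view'; Dll = ''; Key = '' }
    }
}

$findings = foreach ($type in $types) {
    $root = "Registry::HKEY_CLASSES_ROOT\$type\shellex\ContextMenuHandlers"
    if (-not (Test-Path -LiteralPath $root)) { continue }   # -LiteralPath keeps '*' literal
    foreach ($h in Get-ChildItem -LiteralPath $root) {
        # The CLSID is either the handler key's default value or the key name itself.
        $clsid = "$($h.GetValue(''))".Trim()
        if ($clsid -notmatch $guid) { $clsid = $h.PSChildName }
        if ($clsid -match $guid) {
            Get-HandlerFinding -Type $type -Name $h.PSChildName -Clsid $clsid
        }
    }
}
$findings | Sort-Object Reason, Dll | Format-List
```

The Key column gives the exact InprocServer32 location to inspect, which matters here because the entry described above lived under the Wow6432Node view rather than the native one.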

An update: Eddie from IEEE also had this issue and he was able to get rid of it by following this article. He very kindly let me have the RogueKiller logs:


¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 :  (C:\Users\ERABIN~1\AppData\Local\Temp\sdterwm\suqatpo\wow64.dll [-]) -> FOUND
 
Thank you, Eddie.
