Tag Archives: windows

Detecting WINS Service Status With PowerShell


Posted on July 19, 2020 by

To slightly modify something that Edwin Starr sang in the 1970 hit “War”:


What is it good for?

Absolutely NOTHING!

In most environments the WINS service is no longer necessary, because NetBIOS is no longer needed for name lookups (these are now handled by DNS).

NetBIOS can (and should) be disabled on all endpoints (servers and workstations). Windows OS Hub has a great article on how to do that. But that still might leave the WINS service running on servers in the environment.

To detect the state of the WINS service on all Domain Controllers, I created the PowerShell script below. It gets a list of all DCs, then determines if the WINS service is installed or not, then gets the state of the WINS service.

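# Get the names of all Domain Controllers in the domain
$Servers = @(Get-ADDomainController -Filter *).Name

foreach ($Server in $Servers) {
    # $null when the WINS service is not found (errors are suppressed)
    $WINSService = Get-Service -ComputerName $Server -Name WINS -ErrorAction SilentlyContinue

    if ($WINSService) {
        Write-Host "$Server,installed,$($WINSService.Status)"
    } else {
        Write-Host "$Server,not installed,"
    }
}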
This script needs to be run as a user with the ability to query services on Domain Controllers.

It will write its output in CSV format similar to what is below:

SERVER3,not installed,

This should help identify Domain Controllers that are still running WINS or that have the service installed, but stopped.
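Because the script above suppresses errors, a Domain Controller that cannot be queried is reported the same way as one without WINS. The variant below is an added example, not the original author's script: it keeps those cases apart and also records the service start mode. It assumes the ActiveDirectory module, WinRM access to each DC for CIM queries, and a hypothetical output file name, wins-status.csv.

```powershell
# Added example: WINS audit that separates "not installed" from "query failed".
# Assumptions: ActiveDirectory module is available, WinRM is reachable on each DC,
# and .\wins-status.csv is a placeholder output path.
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        Server    = $dc.HostName
        Installed = 'unknown'
        State     = ''
        StartMode = ''
        Error     = ''
    }

    $query = @{
        ClassName    = 'Win32_Service'
        Filter       = "Name='WINS'"
        ComputerName = $dc.HostName
        ErrorAction  = 'Stop'   # turn connection/permission errors into exceptions
    }

    try {
        $svc = Get-CimInstance @query
        if ($svc) {
            $row.Installed = 'installed'
            $row.State     = $svc.State      # e.g. Running, Stopped
            $row.StartMode = $svc.StartMode  # e.g. Auto, Manual, Disabled
        } else {
            # Query succeeded but returned no service: WINS is not present
            $row.Installed = 'not installed'
        }
    } catch {
        # Host unreachable, access denied, WinRM disabled, and so on
        $row.Installed = 'query failed'
        $row.Error     = $_.Exception.Message
    }

    [pscustomobject]$row
}

# Full results to CSV; anything needing follow-up to the console
$results | Export-Csv -Path .\wins-status.csv -NoTypeInformation
$results | Where-Object { $_.Installed -ne 'not installed' } | Format-Table -AutoSize
```

A row with StartMode other than Disabled and State of Stopped marks a DC where WINS is installed and could still be started, which is the "installed, but stopped" case described above.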

Auditing Passwords with Active Directory Properties


Posted on August 28, 2015 by

Have you ever been looking through Active Directory and noticed something strange in one of the fields?  Maybe the Organization or Description field has a weird string of letters, numbers, and characters.  You think, “Huh, that kind of looks like a password.”

Ding! Ding! Ding!

Yes, it happens.  Either through lack of understanding or just laziness, sometimes passwords get put into the plain text fields in AD.  This is dangerous because those fields are readable by everyone on the domain.

So how do you know if any of these fields are being used to store passwords?  I managed to cobble together a PowerShell script that can help. (more…)

Advanced Security Audit Settings Spreadsheet


Posted on February 19, 2014 by

I was recently reviewing the Advanced Security Audit settings available for Windows 2008 and above and decided to create a spreadsheet with all of the details. While Microsoft does have all of the details on their website, the details are spread across multiple pages.  Having it all in one document made it easier to research each setting, compare the defaults to existing settings, and make recommendations for changes.  The spreadsheet can be downloaded off of Google Drive below:


The spreadsheet contains two worksheets.  The first gives the default for each setting and the volume of logs generated with each setting.

The second worksheet lists every Event ID generated by each setting and the message associated with each Event ID.

Hopefully this will be useful to others.

Information Gathering Incident Response Script


Posted on October 24, 2012 by

So, you have a PC on your network that you think might be infected with some malware.  What do you do?  Well, you could always PSExec into the computer and run a series of commands.  But why not automate that process and store the results?

That was my motivation for writing this IR-Script.  It is like a first response tool for investigating a possibly infected PC.  You run the tool, gather a bunch of information, and store it for review.  The script gathers the following information from a PC: (more…)

EMET v3 is Awesome Sauce


Posted on September 19, 2012 by

If you read the computer security news feeds, you’ve probably heard about the recent Java 7 and IE 6-9 exploits.  The problem is that these exploits are discovered before there are any patches or reasonable workarounds for them.  Fortunately, there is something that can be done to provide some additional protection that doesn’t involve an anti-virus company.  Earlier this year, Microsoft released the Enhanced Mitigation Experience Toolkit (or EMET) version 3.  The goal of EMET is to make exploitation of Windows applications difficult or impossible using the common attack techniques we see today.  It’s not a silver bullet and won’t protect against every type of attack.  But it does add additional layers of protection to your system by enforcing DEP, ASLR, Heap Spray Protection and more. (more…)