Monday, July 26, 2021

Microsoft Windows Core Memory Integrity

Microsoft Windows 10 memory integrity, or "core isolation", uses hardware virtualization to protect memory used by Windows system processes from manipulation (often by malware). This is generally a good security feature to enable, though it may interfere with older device drivers. This option is not automatically turned on by some vendors, so you will need to check this yourself.

Read about Microsoft's Core Isolation.

A recently purchased MS Windows 10 chromebook from Dell had this option turned off, so Core Integrity should be checked even on factory-delivered machines. The Dell chromebook was running the Windows version known as "Windows 10 Home in S mode".

For any Windows 10 machine, first check whether hardware virtualization is available by looking in Task Manager. Press the Start button and type: task manager
Choose the Task Manager app.

In Task Manager, click the Performance tab, then CPU. Look in the lower right for Virtualization. In the following picture of Task Manager, hardware virtualization is enabled. Alternatively, open a command prompt, run systeminfo, and look for the Hyper-V Requirements lines.

If Virtualization is not enabled, reboot the machine and press a key for BIOS setup (often a function key or the DEL key). In the BIOS setup utility, look for virtualization or "VT" and turn it on. Save the BIOS settings and restart the machine. Here are a couple different BIOS pictures:

After rebooting and starting Windows, go to the Settings app (press the Start button, press the gear icon). In the Settings app, type: security
Press the Open Windows Security button. In the Windows Security app, on the left hand list, press Device Security, then select Core Isolation Details. 

If you do not see Memory Integrity, you will need to restart the computer and enter the BIOS settings and look for virtualization options. 

If Memory Integrity is already turned on, your machine is configured to use core memory integrity and you are done.

If Memory Integrity is off, try to turn it on. In some cases it will turn on immediately. In other cases it will ask for a reboot. In more challenging cases it will find incompatible drivers, and you can decide how to correct each driver.

It may take a restart to fully set to on. If it finds incompatible drivers, press the Review link.

Some incompatible drivers must be completely removed. In one case, I encountered an incompatible Realtek sound driver that I removed, rebooted, turned on Memory Integrity, and then was able to reinstall the same sound driver while successfully keeping Memory Integrity turned on.

In this example, the Realtek sound driver and the ViMicro web cam drivers are incompatible. To remove these drivers, look in Device Manager and uninstall them. In this case, the old ViMicro driver "oem3.inf" could not be removed through Device Manager, though it could be removed from the command line using pnputil /delete-driver.

If a driver will not uninstall, you can also remove it by hand (or rename it). Look in folder C:\Windows\System32\drivers.

When done resolving incompatible drivers, the Memory Integrity setting in Windows Security Center should look like this.
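To confirm from the command line that Memory Integrity is actually active after the steps above, here is an added PowerShell check (not from the original post). It reads the documented Win32_DeviceGuard WMI class and the registry value the Memory Integrity toggle writes, then lists third-party drivers with pnputil /enum-drivers as the command-line counterpart of the Review list. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): verify that virtualization-based
# security (VBS) and Memory Integrity (HVCI) are running, instead of relying
# only on the Windows Security GUI. Property encodings below follow Microsoft's
# documentation for the Win32_DeviceGuard class.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# SecurityServicesRunning is an array; the value 2 means HVCI (Memory Integrity)
$hvciRunning = ($dg.SecurityServicesRunning -contains 2)

# The registry value written by the Memory Integrity toggle (1 = on). It can be
# set while the service is not yet running, e.g. before the reboot the post mentions.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$enabled = (Get-ItemProperty -Path $regPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
$configured = ($enabled -eq 1)

"VBS running:                  $vbsRunning"
"Memory Integrity configured:  $configured"
"Memory Integrity running:     $hvciRunning"

if ($configured -and -not $hvciRunning) {
    'Memory Integrity is set but not active: a reboot is pending or a driver blocked it.'
}

# Third-party drivers in the driver store. An incompatible driver reported by the
# Review link (like the oem3.inf example in the post) appears here by its
# published name and can be removed with: pnputil /delete-driver oemNN.inf
pnputil /enum-drivers
```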

When finished, you may want to create a restore point. Press the Start button and type: restore point
Configure and Create the new restore point. 

You should now check for corrupt Windows files. This will run the Windows Module Installer and verify and correct the Windows software.

Monday, July 19, 2021

Ubuntu logon info and message of the day (motd)

This post will show you how to print your public-facing IP address in the logon message of the day.

Upon an interactive logon, Ubuntu prints some brief machine information. This includes a header, sysinfo from /usr/bin/landscape-sysinfo and a summary of available patches.

You may add your own scripts by creating a shell script in /etc/update-motd.d and setting the execute permission on the file. The files in that directory follow a particular naming convention and are run in alphabetical (numeric prefix) order.

On external facing machines, I often create a script which will print the external IP address following the networking info of the landscape-sysinfo script.

Create the file /etc/update-motd.d/61-external-ip, owned by root, and give it execute permission:
sudo chmod 755 /etc/update-motd.d/61-external-ip

Place the following in this new file:
#!/bin/sh

# Ask two independent services. The -m timeout keeps a dead network from
# delaying every logon.
ONE=$(/usr/bin/curl -s -m 5 checkip.amazonaws.com)
TWO=$(/usr/bin/curl -s -m 5 ifconfig.me)

# Quote both sides so an empty answer cannot break the test, and pass the
# answers as %s arguments so the remote text is never used as a printf format.
if [ "$ONE" = "$TWO" ]
  then
    printf "  External IPv4: %s" "$ONE"
  else
    printf "  External IPv4 may be: %s or %s" "$ONE" "$TWO"
fi
printf "\n"

Save the file, then log on to the machine and look at the interactive logon messages. Some of the output will look like:

Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)

  System information as of Mon 19 Jul 2021 01:30:42 PM MDT

  System load:              0.58
  Usage of /:               5.4% of 1.79TB
  Memory usage:             15%
  Swap usage:               0%
  Temperature:              44.0 C
  Processes:                173
  Users logged in:          1
  IPv4 address for enp0s25: 192.168.0.9
  External IPv4: 123.456.7.89

Friday, July 02, 2021

Fix Corrupt Microsoft Windows Files

Anyone who suspects they have corrupt Microsoft Windows system files (possibly from a virus or malware) may try the built-in tools before re-installing the operating system. If you suspect Microsoft Windows Update is not running correctly, you may also try to repair it.

This Microsoft document describes the System File Checker tool (SFC) used together with DISM. The following examples are for Microsoft Windows 10.

Open a command prompt with elevated privileges:
  • Press Start button
  • Type: cmd
  • Right-click on "Command Prompt" and choose "Run as administrator"

Repair the Windows component store (the image SFC repairs from) with DISM. In the command prompt window, type:

  • DISM.exe /Online /Cleanup-image /Restorehealth

It will look like:

C:\WINDOWS\system32>DISM.exe /Online /Cleanup-image /Restorehealth

Deployment Image Servicing and Management tool
Version: 10.0.19041.844

Image Version: 10.0.19042.985

[==========================100.0%==========================]
The restore operation completed successfully.
The operation completed successfully.

When the DISM command has finished, you may run the System File Checker. It may take hours to run.

  • sfc /scannow

If problems are found, it will look like:

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

Note the location of the log, which you may review.
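CBS.log is large and mostly servicing-stack chatter, so here is an added PowerShell snippet (not from the original post) that pulls out only the SFC lines, which SFC tags with "[SR]", and highlights any file it could not repair. The "Cannot repair" wording is the phrase Microsoft's SFC documentation uses for such entries. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): review the SFC portion of CBS.log.
$log = Join-Path $env:windir 'Logs\CBS\CBS.log'
$out = Join-Path $env:USERPROFILE 'Desktop\sfcdetails.txt'

# Keep only the lines SFC wrote; everything else in CBS.log is other servicing work.
$sr = Select-String -Path $log -Pattern '[SR]' -SimpleMatch

# Save the filtered lines so they can be read with an ordinary editor.
$sr | ForEach-Object { $_.Line } | Set-Content -Path $out

# Entries SFC could not fix deserve a closer look (and are the case where a
# second DISM /RestoreHealth pass, or an in-place repair, is usually needed).
$unrepaired = $sr | Where-Object { $_.Line -match 'Cannot repair' }

"SFC log lines:         $($sr.Count)  (saved to $out)"
"Could not be repaired: $($unrepaired.Count)"
$unrepaired | ForEach-Object { $_.Line }
```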

Next, you may want to check that Microsoft Windows Update is running.

Run the Windows Update troubleshooter, which is found in the classic Control Panel.

  • Press the Start button and type: control panel
  • Click on the Control Panel app to run it.
  • In the Control Panel app, in the top right search box, type: update
  • Click on Troubleshooting
  • Press Next to run the troubleshooter and then follow the prompts.