Logging “Audit Success” in Windows Logs

I noticed, while reviewing my logs, that I still get masses of “Audit Success” entries in the Security logs. What I mean is 30+ entries every second, seems an insane number to me, even more so as they were all the 4799 event. I mean so a membership was successfully enumerated? Okay move on, but these entries were now in the tens of thousands.

Much hunting round and I found that since Windows 7, I think, logging of successful events is now on by default. So unless you find the process/Service ID GUID of the services triggering the event and turning them off individually or setting them to “Failure”, which would take weeks trying to remove them you’re stuck, well unless your knowledge of audit policy commands is very good.

So welcome to this Superuser.com article, or rather question and answer, to help you out.

https://superuser.com/questions/1516725/how-to-disable-windows-10-system-log

Sneak peak is to run this command: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
To disable successful Credential Manager reads, another frequently logged event, use:
auditpol /set /subcategory:"Credential Validation" /success:disable /failure:enable

The longer version is to read the article and find out how to remove other event types. Either way I’m now down to four or six “Audit Success” events being logged every couple of minutes, and those 4799 events that hid a load of other information are gone now. Woohoo

Remote Desktop – Custom screen size

Sometimes you don’t want to run an RDP session full screen but you do want to want to make use of the real estate more than the default RDP settings allow you to choose. Using the RDP panel you can only select set values from the slider control, there isn’t the ability to be fully flexible.

So you have to customise your RDP session but this time using notepad instead. Generally your RDP session will load its default values from the Default.rdp file, held in your “My Documents” folder. So edit this and change the following two lines to whatever value you want, from the 1920×1080 defaults, in my case.

desktopwidth:i:1600
desktopheight:i:1100

Cannot move Outlook items to offline folders?

Rules failing to run? No message other than cannot move to folder displayed?
Then, if it’s not a corrupt PST file, it could be down to a registry setting. After scanning and fixing up the PST files, using PSTSCAN, I still could move items to the offline folders. But the following allowed me to get back to working:

Open the Run window by clicking ‘Windows+R’ keys together, and then type regedit.
The Registry Editor window gets displayed.
Locate the ‘PSTDisableGrow’ registry key by browsing to the following location:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\PST
Right-click ‘PSTDisableGrow’, and click Edit.
In the Edit DWORD (32-bit) Value box, replace the Value data 1 to 0, and then click OK.

Display not keeping up with the keyboard in MS Word?

So you’re typing away in Word, when you notice that the display hasn’t refreshed! But now you’ve stopped typing and you can see the sentence unfold infront of your eyes! What gives?

I’m not sure what causes the issue to occur in the first place at all, I’ve now had it happen twice. But the fix is relatively straight forward, if time consuming, especially if you have a slow internet connection I’m afraid.

Fire up the Windows Control Panel App and go the Programs section. From there click on the Programs and Features link and it should now display all the software installed on your PC. Scroll down to the office program, “Microsoft Office Professional Plus 2019”, in my case, and click on it. The menu should now show the three options: Organise, Uninstall and Change, it’s this last we want. Click on that and go for the “Online Repair” option and then click the “Repair” button, eventually it will come back and say it’s finished. And so far, well two out of two times, it’s fixed the lagging display issue.

Running a command as Admin

Or how to run a command with elevated privileges on Windows.

Tried to run a chkdsk this morning via a Windows account that wasn’t in the Administrators group and found out that I couldn’t do so. This was when I chanced, by searching t’internet, upon the Control (Ctrl), Shift and Enter magic key combination, never heard of this! Using these keys, instead of just Enter, runs the selected command with Admin privileges, fab!

Windows 10 restarts after shutdown

Currently have an issue where most of the time shutting down the PC just performs a restart, annoying to say the least, been going on since late 2018.
I’m currently trying out this solution to see if it can be resolved.

6-Dec-19: A couple of test shutdowns later and it seems to be working, one to monitor.

Remote Desktop: Map a local drive on the remote host

If you repeatedly use a Remote Desktop session and that session needs access to files on the machine you’re connecting from then you’d normally set up a network drive, possibly mapped as follows:

net use z: \\yourmachine\c$ /persistent:Yes

But, depending on how Draconian your network security is then mapping folders on user machines may actually be blocked. Strange one as this ability is mostly essential when working on a remote machine, especially if a developer. Fortunately you can map using the built in sharing of RDP. Same format as earlier just the machine name changes and effectively becomes a constant, so the mapping is now:

net use z: \\tsclient\c /persistent:Yes

And job done, until the next group policy is introduced blocking that…

 

The current identity (IIS APPPOOl\xxxxxxx) does not have write access to…

If you encounter the following error then this may be the fix you’re looking for.


Server Error in ‘/’ Application.


The current identity (IIS APPPOOL\xxxxx) does not have write access to ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files’.


Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: The current identity (IIS APPPOOL\xxxxx) does not have write access to ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files’.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpException (0x80004005): The current identity (IIS APPPOOL\xxxxx) does not have write access to ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files’.]
System.Web.HttpRuntime.SetUpCodegenDirectory(CompilationSection compilationSection) +10003412
System.Web.HttpRuntime.HostingInit(HostingEnvironmentFlags hostingFlags, PolicyLevel policyLevel, Exception appDomainCreationException) +204

[HttpException (0x80004005): The current identity (IIS APPPOOL\xxxxx) does not have write access to ‘C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files’.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +9947380
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +101
System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +456

 


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.6.1055.0


Simply run this code, from the Developer Command prompt: aspnet_regiis -i

Update 3-Jul-17:
On Windows Server 2012 you may need to run this command:

dism /online /enable-feature /featurename:IIS-ASPNET45 /all