Sunday, December 30, 2012

Access Denied When Deleting Hyper-V VM Files

I have a test environment setup using Hyper-V. I regularly add and remove virtual machines from this Hyper-V host. When you delete a virtual machine in the Hyper-V Management console, it does not delete the files. You need to delete the files manually afterwards.

A significant percentage of the time, I receive an Access Denied message when deleting the VM files. Even though the VM is deleted, I cannot remove the files.The happens because Hyper-V has locked the files.

To unlock the files and allow the files to be deleted you can:
  • Restart the Hyper-V host
  • Restart the Hyper-V Virtual Machine Management service on the host

Saturday, December 15, 2012

PowerShell 3 breaks Exchange 2007/2010

PowerShell 3.0 is now available for Windows Server 2008 and Windows Server 2008 R2 as an optional update in Windows Management Framework 3.0. Do not install this on your Exchange 2007/2010 servers or any workstations with the management tools for Exchange 2007/2010.


Symptoms include the inability to install rollup updates and some cmdlets not functioning properly.

The updates to avoid are:
  • KB2506146
  • KB2506143
For more information, see The Exchange Team Blog:
UPDATE: Feb 11, 2013
Exchange 2010 SP3 has been released and enables support for running on Windows Server 2012. I have not yet tested it, but since Windows Server 2012 has PowerShell v3 installed, this SP should also allow PowerShell v3 to be installed on other versions of Windows Server.
UPDATE: Nov 27, 2013
I have Exchange 2010 SP3 running on Windows Server 2012 with all updates. I was playing yesterday and noticed that EMS loads by using the -version 2.0 switch. If you try to kick it over to use version 3.0, it's not happy. Don't do that!

Thursday, December 6, 2012

Removing a Virus from Startup with Autoruns

My experience lately has been that many viruses/malware only infect the profile of the user that was logged on at the time of infection. This is due mostly to the security of the operating system and browser which generally limit activity to the user profile. However, even older XP machines with users running as a local administrator benefit when the malware assumes that it needs to infect the user profile rather than system files.

If malware is limited to a profile, it makes removal of the malware much easier. Log off as the infected user and log on as a user that is not infected. If the malware is only in the user profile this is just as effective as scanning the hard drive externally from another computer.

Today I had the pleasure of dealing with System Progressive Protection. It is very aggressive fake antivirus software. Once it is in the system, you can't run most tools because it blocks them. However, it was limited to the user profile. When I logged on as another user the system was fine.

My preferred tools for removing this type of malware is MalwareBytes Antimalware (http://www.malwarebytes.org). It removes most of the malware many antivirus programs miss. In this case it picked of some instances of System Progressive Protection, but when I logged on as the original user the malware was still there.

To identify the startup of this malware I used the Autoruns tool from Microsoft (http://technet.microsoft.com/en-ca/sysinternals/bb963902.aspx). Autoruns shows all of the potential startup locations for an application and goes well beyond the locations shown in MSConfig. You can run this tool as one user, but view the autoruns for another user. This is what allowed me to find the location of the malware.

In autoruns, in the runonce key for the infected user, there was a path that pointed to a location in the Application Data folder of the All Users profile. When I went to view the files, they were created with today's date. So, I removed the runonce key and all was good.

Just to test it out, I updated the definitions in MalwareBytes (they update several times per day) and scanned the folder. The folder came up clean even though it was obviously the source of the malware. Not only was the malware no longer running, but when you browsed to the files in Explorer, they displayed with the same icon as the malware used in the system tray. Lucky me, I found a variation of System Progressive Scan that wasn't recognized yet.