Use sysprep for Windows custom deployment, but leave settings like keyboard and Start Menu the same

I am trying to create a “base/reference” installation of Windows 8.1 which I can use to deploy to other computers with different hardware. After a lot of research, I was pointed to sysprep and ImageX and managed to get a Windows installation up and running on a different computer.

However, I noticed that the Windows settings went missing, including the desktop background. However, all software remained installed, which is good. Settings which went missing include:

  • Updated keyboard speed in control panel to fastest
  • Start Menu set as ‘Use small taskbar buttons’
  • Taskbar buttons: Never combine
  • Desktop background

Is it possible to keep these settings intact? Is this due to some parameters of sysprep?

I used the below:

sysprep.exe /audit /generalize /shutdown

I was using this to install Windows 8.1 Pro.


Exim rejected RCPT

Recently I changed the router on the network, opened all the ports up and got it working.
Not long after making this change, mail on the server stopped working.

The mail log is returning this message:

“rejected RCPT”

2014-10-09 21:15:04 [] F=<> rejected RCPT <>

Just a straight rejected RCPT.

What should I be looking for to solve this issue?

I have telneted into and when running mail <> it returns okay, then "rcpt to:" it returns the message:

550 Administrative prohibition

server in question is


Allowing passive FTP connections in FirewallD (CentOS 7)

In CentOS 7 which comes with FirewallD, enabling HTTP access was easy:

firewall-cmd --permanent --zone=public --add-service=http


firewall-cmd --permanent --zone=public --add-service=ftp

doesn’t work: the rule applies, but I can’t access FTP by any means except disabling FirewallD.

Some diagnostic info:

  • I have checked the service definition file (ftp.xml) and it makes use of nf_conntrack_ftp module.
  • On my VPS the module is compiled into kernel (not separate) so it’s not there via lsmod, but I can confirm it’s there by this:

zgrep FTP /proc/config.gz



Prioritize your security work with QRadar Risk Manager

In this four-part video tutorial, Jose Bravo discusses the technology
foundation for IBM Security QRadar Risk Manager and then demonstrates its key
capabilities in a series of live use case scenarios. You’ll learn how QRadar
Risk Manager can help you filter tens of thousands of discovered IT
vulnerabilities in your environment down to a manageable few based on the
severity of the vulnerability, the sensitivity of the machine, and available
attack paths.


Detect database vulnerabilities with Guardium and QRadar

IBM InfoSphere Guardium has a level of visibility into
databases for vulnerabilities that no application scanner can ever have
because it has deep access to the configuration and other information about
the database server. But how do you manage the vulnerabilities that it finds?
How do you prioritize and track the work? The answer is the IBM Security QRadar
family of products.


Graphite SQLite3 DatabaseError: database is locked

While going through the initial installation and set up of Graphite on CentOS 6.4 using Apache mod_wsgi via the stock graphite-web rpm, I’m getting the following “DatabaseError: database is locked” message:

mod_wsgi (pid=9009): Target WSGI script '/usr/share/graphite/graphite-web.wsgi' cannot be loaded as Python module.
mod_wsgi (pid=9009): Exception occurred processing WSGI script '/usr/share/graphite/graphite-web.wsgi'.
Traceback (most recent call last):
  File "/usr/share/graphite/graphite-web.wsgi", line 16, in <module>
  File "/usr/lib/python2.6/site-packages/graphite/metrics/", line 6, in <module>
    from import is_pattern, match_entries
  File "/usr/lib/python2.6/site-packages/graphite/", line 7, in <module>
    from graphite.remote_storage import RemoteStore
  File "/usr/lib/python2.6/site-packages/graphite/", line 8, in <module>
    from graphite.util import unpickle
  File "/usr/lib/python2.6/site-packages/graphite/", line 82, in <module>
  File "/usr/lib/python2.6/site-packages/django/db/models/", line 460, in save
    self.save_base(using=using, force_insert=force_insert, force_update=force_update)
  File "/usr/lib/python2.6/site-packages/django/db/models/", line 553, in save_base
    result = manager._insert(values, return_id=update_pk, using=using)
  File "/usr/lib/python2.6/site-packages/django/db/models/", line 195, in _insert
    return insert_query(self.model, values, **kwargs)
  File "/usr/lib/python2.6/site-packages/django/db/models/", line 1436, in insert_query
    return query.get_compiler(using=using).execute_sql(return_id)
  File "/usr/lib/python2.6/site-packages/django/db/models/sql/", line 791, in execute_sql
    cursor = super(SQLInsertCompiler, self).execute_sql(None)
  File "/usr/lib/python2.6/site-packages/django/db/models/sql/", line 735, in execute_sql
    cursor.execute(sql, params)
  File "/usr/lib/python2.6/site-packages/django/db/backends/", line 34, in execute
    return self.cursor.execute(sql, params)
  File "/usr/lib/python2.6/site-packages/django/db/backends/sqlite3/", line 234, in execute
    return Database.Cursor.execute(self, query, params)
DatabaseError: database is locked

I’ve verified that the DB file (“/var/lib/graphite-web/graphite.db”) is accessible by the apache user which owns the httpd process.

Also, I’ve tried restarting both the httpd and the carbon-cache processes as mentioned in this thread on github.

A list of lsof shows the following:

# lsof | grep graphite.db
httpd      9006    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9007    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9008    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9008    apache   22u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9009    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9009    apache   22u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9010    apache   17ur     REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9010    apache   18u      REG              253,2      512     526174 /var/lib/graphite-web/graphite.db-journal
httpd      9010    apache   24ur     REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9011    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9012    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db
httpd      9013    apache   17u      REG              253,2    69632     526186 /var/lib/graphite-web/graphite.db

In my mind it’s got to be related to httpd, but I’m not getting anywhere with it.
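What the traceback and the lsof listing add up to, shown as an added example that is not from the original post: two connections to a constructed throwaway SQLite file, one holding an uncommitted write (like the httpd worker that also has graphite.db-journal open), and the error the second connection gets on its own INSERT.

```python
# Added example (not from the original post): reproduce SQLite's
# "database is locked" with two connections to a throwaway database,
# modelling httpd workers sharing graphite.db while one holds a write.
import os
import sqlite3
import tempfile


def second_writer(path, first_holds_lock, timeout=0.0):
    """Return what a second connection sees while a first writer is active.
    `timeout` is what Django passes as OPTIONS['timeout']: how long sqlite3
    retries before raising OperationalError('database is locked')."""
    first = sqlite3.connect(path, isolation_level=None)
    first.execute("BEGIN IMMEDIATE")  # takes the RESERVED (write) lock
    first.execute("INSERT INTO node(name) VALUES ('pending')")
    if not first_holds_lock:
        first.execute("COMMIT")  # lock released, rollback journal deleted
    other = sqlite3.connect(path, timeout=timeout)
    out = {}
    # Reads only need a SHARED lock, so they still succeed under RESERVED.
    out["read"] = other.execute("SELECT count(*) FROM node").fetchone()[0]
    try:
        other.execute("INSERT INTO node(name) VALUES ('second')")
        other.commit()
        out["write"] = "ok"
    except sqlite3.OperationalError as exc:
        out["write"] = str(exc)  # 'database is locked' when timeout expires
    finally:
        other.close()
        if first_holds_lock:
            first.execute("ROLLBACK")
        first.close()
    return out


def demo():
    """Run both scenarios on a constructed temporary database file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)  # stand-in for graphite-web's Django tables
        con.execute("CREATE TABLE node (id INTEGER PRIMARY KEY, name TEXT)")
        con.commit()
        con.close()
        return {"held": second_writer(path, True),
                "released": second_writer(path, False)}
    finally:
        for p in (path, path + "-journal"):
            if os.path.exists(p):
                os.remove(p)
```

With a non-zero timeout the second writer waits instead of failing immediately, which is the knob to check (Django's sqlite OPTIONS timeout) before looking for a stuck process that never commits.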


cUrl for an HTTPS address/domain times out unless previously accessed from browser

I’ve lost a couple days to this problem and hope it sparks a thought from someone.

I am integrating several systems together using Powershell scripts. One of the two services I am connecting to (hosted JIRA) can be accessed just fine from my local system, but the script would fail when running from one of my VMs. I found, through chance, that if I opened/refreshed a browser on the server for an HTTPS URL for that host then the script would be able to access the API over HTTPS for about 20-30 seconds afterwards.

I receive a timeout error when I remote into the server and try this from a powershell console. I then verified the same behavior occurs with cUrl (verbose output included below). Refreshing a browser with that domain then allows both to access HTTPS URLs for a short period of time. It appears to be timing out on the initial connection before SSL negotiation.

Representative PoSH Command:

Invoke-RestMethod -Method Get -Uri “,id,status” -Headers @{“Authorization” = “Basic “+ [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(‘USERNAME:PASSWORD’))}

Representative cUrl command:

curl.exe “,id,status” -u “USERNAME:PASSWORD” -v -X GET

I’ve done a lot of digging on this and I’m pretty stumped. I did try using Wireshark to dig deeper, but it’s been years since I used a packet sniffer and I’m rusty and having to learn the UI.


Here are the questions/answers I could think of while trying to isolate the problem:

  • Is it powershell?
    • Using cUrl also times out
  • Is it all HTTPS?
    • works fine without timeout
    • https://localhost/... works fine without timeout
  • Is it a system that has accessed JIRA via browser ever?
    • I verified my home desktop could connect via PoSH despite never having accessed JIRA
  • Is it Host, DC, or OS?
    • This is a 2008 R2 VM in Azure, I verified the PoSH and cUrl commands work fine in a 2nd Azure VM running 2008 R2
  • Firewall, Antivirus?
    • Disabled Antivirus and Firewall, cUrl + PoSH still timeout
  • User agent?
    • Including a user agent didn’t make a difference on problem system or working systems
  • What does Fiddler say?
    • Fiddler w/ SSL decryption caused gateway errors to occur instead of timeouts, I haven’t dug deeper
  • Maybe it’s a network issue for Atlassian? Intermittent connectivity?
    • I’ve been consistently getting errors from my server and it’s been consistently working from everywhere else I have tried
    • I performed 10 in a row calls on the server and locally and got perfect returns from the 10 local and perfect timeouts from the server. After doing the browser refresh trick on the server, I had 10 in a row perfect responses.
  • What does it look like in Wireshark?
    • With cUrl: Wireshark shows the initial TCP call go out, but it isn’t ACKed, so you then see two TCP Retransmission attempts
    • With cUrl after browser priming: Wireshark shows the first TCP call is ACKed and then everything works as expected

For a short amount of time I thought I had gotten cUrl working consistently. I was using -3 -4 to force SSL3 and ipv4 addresses and it appeared to be working without me having to prime the connection with a web browser. Unfortunately after rebooting this no longer works.

Methods I have tried on the server:

  • cUrl, cUrl with -3 -4
  • PoSH: Invoke-RestMethod, Invoke-WebRequest, WebClient, WebRequest/WebResponse, setting default SSL to SSL3 via ServicePointManager, setting proxy and proxy credentials via system defaults in case there is one (not to my knowledge)
  • IE: works
  • Chrome: works

cUrl Output

Here is some sample output from cUrl. I already have a browser open to (it’s sitting on the login screen), but I’ve left it sitting for a while so the connection would be stale.

cUrl output before refreshing the browser:

* Hostname was NOT found in DNS cache
*   Trying
* connect to port 443 failed: Timed out
* Failed to connect to port 443: Timed out
* Closing connection 0

cUrl output when I run right after refreshing the browser:

* Hostname was NOT found in DNS cache
*   Trying
* Connected to ( port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: C:\Users\Administrator\AppData\Local\Apps\cURL\bin\curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
... rest of handshake and HTML for a 401 error page because I didn't force pre-authentication ...


I added Wireshark results to questions above.

I’ve now also found that if I run the cUrl command and cancel it before it times out and immediately run it again, it is successful. If I let the cUrl command time out, then immediately run it again, it times out again.

If I run the PoSH command and cancel it before it times out and immediately run it again, I can actually run it 5+ times in a row successfully.

This is definitely something networking related. I’m going to see if re-running the command eventually gets to a point where it times out again, or if cancelling out of the first call somehow lets me keep making subsequent calls as long as I can (which may be possible; I think PoSH is taking advantage of keep-alive once the initial connection is formed).


Learn everything you need to know about XGS

XGS is a next-generation Intrusion Prevention System (IPS) that provides
intrusion prevention and security awareness and control of applications,
content, and users. This document details how to configure and showcase the
features of the IBM Security Network Protection (XGS) system for a deployment
or a Proof of Concept (PoC).