Debugging PRTG Enterprise Console Remover

Paessler just released a remover for PRTG's deprecated Enterprise Console, PRTG Enterprise Console Remover.exe:

You can uninstall standalone installations of the EC via the Windows control panel under Programs and Features.

If the EC was automatically installed as part of a PRTG installation, you can use the PRTG Enterprise Console Removal Tool as of PRTG 20.2.58 to uninstall the EC independently from the PRTG installation.

Click the Windows Start menu and select PRTG Network Monitor, then click Remove PRTG Enterprise Console to remove the EC from your PRTG core server system.
Source: https://kb.paessler.com/en/topic/85851-how-to-uninstall-the-prtg-enterprise-console-from-the-prtg-server

I like to know what programs do, so I traced what actions are done by "PRTG Enterprise Console Remover.exe". This is a screenshot of all the "write" actions which were performed:

[Screenshot: Debugging PRTG Enterprise Console Remover Write Actions]

The uninstaller checks more paths, registry entries, etc.; however, only those were deleted or modified on my Windows Server 2016 system. I did not have the standalone installation of PRTG Enterprise Console, but the Enterprise Console was automatically installed as part of the PRTG installation.

Restore CHK files

I just had to restore many broken CHK files of an SD card from a hidden FOUND.000 folder. The program "unchk.exe" helped me: http://www.ericphelps.com/uncheck/. As described, I had to install the Microsoft Visual Basic 5 Runtime because of an "MSVBM50.dll not found" error; the runtime can be downloaded from Microsoft.

I checked and noticed that all the big files of the broken SD card were restored by unchk.exe as *.WRI files. However, they actually were AVI video files, which can be opened with VLC video player, which I didn't know at that time.

When checking unchk.exe with Sysinternals Process Explorer, I noticed the description says "Identifies and renames CHK files":
[Screenshot: process-explorer-unchk.exe]

So I simply renamed the bigger files from *.CHK to *.AVI using the following PowerShell script and it worked fine:

PowerShell CHK files to AVI:
Dir *.CHK | rename-item -newname { [io.path]::ChangeExtension($_.name, "AVI") }

PowerShell WRI (from unchk.exe) files to AVI:
Dir *.WRI | rename-item -newname { [io.path]::ChangeExtension($_.name, "AVI") }

=> ✅ VLC Video LAN Player was able to open the files
=> ✅ You can directly open the CHK files with VLC Video LAN Player (if they were video files in the first place)

Account Lockout Policy - A possible threat

Most companies use an account lockout policy for their directory service, such as Microsoft Active Directory, an LDAP system, eDirectory or their own environment solution. Locking out accounts is helpful against password guessing attacks like brute force (https://attack.mitre.org/techniques/T1110/) or similar ones.

However: An attacker is able to use lockout policies, too.

The following scenario is fairly new, but has already been used in the last two years:
1. Attacker gains access to the environment
2. Attacker creates their own administrative accounts
3. Attacker brute forces all other administrative accounts
👉 This way, the attacker makes sure that all legitimate administrators are locked out.

This is an advanced threat and not yet a very common attack. The solution is to make sure that not all accounts are affected by the lockout policy. Instead, very few dedicated emergency accounts, which are normally not used and are stored in a safe location, should be excluded from it. Those accounts (like all administrative accounts) should be monitored closely in your SIEM or logging systems.
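
The monitoring recommended above can be expressed as a correlation rule. The following is an added example, not code from the original post: it flags a burst of lockouts across administrative accounts, lists accounts that recently gained privileged group membership, and reports any use of the emergency accounts. The event IDs are the real Windows Security IDs; the three-field record layout, the thresholds and all account names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4740 = account locked out, 4624/4625 =
# successful/failed logon, 4728/4732/4756 = member added to a security group.
LOCKOUT, LOGON_OK, LOGON_FAIL = 4740, 4624, 4625
GROUP_ADD = {4728, 4732, 4756}

def find_lockout_waves(events, admins, window=timedelta(minutes=15), threshold=3):
    """Alert when >= threshold distinct admin accounts lock out within `window`,
    listing accounts that gained privileged group membership in the prior 24 h."""
    events = sorted(events, key=lambda e: e["time"])
    lockouts = [e for e in events if e["id"] == LOCKOUT and e["account"] in admins]
    alerts, i = [], 0
    while i < len(lockouts):
        start = lockouts[i]["time"]
        burst = [e for e in lockouts[i:] if e["time"] - start <= window]
        locked = {e["account"] for e in burst}
        if len(locked) < threshold:
            i += 1
            continue
        recent = {e["account"] for e in events if e["id"] in GROUP_ADD
                  and timedelta(0) <= start - e["time"] <= timedelta(hours=24)}
        alerts.append({"start": start, "locked": sorted(locked),
                       "new_privileged": sorted(recent),
                       "not_locked": sorted(admins - locked)})
        i += len(burst)
    return alerts

def break_glass_activity(events, break_glass):
    """Emergency accounts are normally unused, so any logon attempt is notable."""
    return [e for e in events
            if e["account"] in break_glass and e["id"] in (LOGON_OK, LOGON_FAIL)]

def _t(hhmm):  # timestamp helper for the constructed sample below
    return datetime.fromisoformat(f"2024-01-10T{hhmm}:00")

# Constructed sample events (simplified). "account" is the locked-out or
# logged-on user; for group adds it is the member added, and the events are
# assumed to be pre-filtered to privileged groups. Names are hypothetical.
SAMPLE = [
    {"time": _t("08:01"), "id": 4728, "account": "svc-backup2"},
    {"time": _t("09:30"), "id": 4740, "account": "adm-alice"},
    {"time": _t("09:31"), "id": 4740, "account": "adm-bob"},
    {"time": _t("09:33"), "id": 4740, "account": "adm-carol"},
    {"time": _t("09:40"), "id": 4740, "account": "jdoe"},  # not an admin
    {"time": _t("09:45"), "id": 4624, "account": "bg-emergency1"},
]
ADMINS = {"adm-alice", "adm-bob", "adm-carol", "adm-dave"}
BREAK_GLASS = {"bg-emergency1"}
```

In a real deployment the same logic would run as a scheduled SIEM search, with the admin and emergency account lists taken from group membership rather than hard-coded.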

Filter logs in Splunk - example filtering monitor probe checks

When running Splunk you want to filter logs, for example to get rid of the many health check probe queries from your monitoring system. Examp...