Tired of looking this up the one time a year I use it:

Open a command prompt with administrative permissions on the domain/workgroup
query session /server:SERVERNAMEORIPHERE
reset session SESSIONIDHERE /server:SERVERNAMEORIPHERE

So in my case it was:
reset session 4 /server:testdc

My boss had created an excel spreadsheet to aid us in our network configurations. Unfortunately he’s not a very good speller. There were quite a few spelling errors that were driving me nuts, so I was going to update the template with the correct words. Unfortunately, again, he locked the spreadsheet to prevent changes to the code. And he was on vacation.

So a brief google search found this gem (JSBI), which I’ll repost here just in case it disappears.

Open the spreadsheet with the locked cells or sheets.
Open the Macros area (2007/2010 it’s View tab, then Macros)
Select Record Macro
Just click OK (keep the name Macro1)
Then click Stop Recording
View Macros
Edit Macro1
Copy the below in place of what is there:

Sub Macro1()
'
' Breaks worksheet and workbook structure passwords. Jason S
' probably originator of base code algorithm modified for coverage
' of workbook structure / windows passwords and for multiple passwords
' Jason S http://jsbi.blogspot.com
' Reveals hashed passwords NOT original passwords
Const DBLSPACE As String = vbNewLine & vbNewLine
Const AUTHORS As String = DBLSPACE & vbNewLine & "Adapted from Bob McCormick base code by" & "Jason S http://jsbi.blogspot.com"
Const HEADER As String = "AllInternalPasswords User Message"
Const VERSION As String = DBLSPACE & "Version 1.0 8 Sep 2008"
Const REPBACK As String = DBLSPACE & "Please report failure to jasonblr@gmail.com "
Const ALLCLEAR As String = DBLSPACE & "The workbook should be cleared"
Const MSGNOPWORDS1 As String = "There were no passwords on " & AUTHORS & VERSION
Const MSGNOPWORDS2 As String = "There was no protection to " & "workbook structure or windows." & DBLSPACE
Const MSGTAKETIME As String = "After pressing OK button this " & "will take some time." & DBLSPACE & "Amount of time " & "depends on how many different passwords, the "
Const MSGPWORDFOUND1 As String = "You had a Worksheet " & "Structure or Windows Password set." & DBLSPACE & "The password found was: " & DBLSPACE & "$$" & DBLSPACE & "Note it down for potential future use in other workbooks by " & "the same person who set this password." & DBLSPACE & "Now to check and clear other passwords." & AUTHORS & VERSION
Const MSGPWORDFOUND2 As String = "You had a Worksheet " & "password set." & DBLSPACE & "The password found was: " & DBLSPACE & "$$" & DBLSPACE & "Note it down for potential " & "future use in other workbooks by same person who " & "set this password." & DBLSPACE & "Now to check and clear " & "other passwords." & AUTHORS & VERSION
Const MSGONLYONE As String = "Only structure / windows " & "protected with the password that was just found." & ALLCLEAR & AUTHORS & VERSION & REPBACK
Dim w1 As Worksheet, w2 As Worksheet
Dim i As Integer, j As Integer, k As Integer, l As Integer
Dim m As Integer, n As Integer, i1 As Integer, i2 As Integer
Dim i3 As Integer, i4 As Integer, i5 As Integer, i6 As Integer
Dim PWord1 As String
Dim ShTag As Boolean, WinTag As Boolean
Application.ScreenUpdating = False
With ActiveWorkbook
WinTag = .ProtectStructure Or .ProtectWindows
End With
ShTag = False
For Each w1 In Worksheets
ShTag = ShTag Or w1.ProtectContents
Next w1
If Not ShTag And Not WinTag Then
MsgBox MSGNOPWORDS1, vbInformation, HEADER
Exit Sub
End If
MsgBox MSGTAKETIME, vbInformation, HEADER
If Not WinTag Then
MsgBox MSGNOPWORDS2, vbInformation, HEADER
Else
On Error Resume Next
Do 'dummy do loop
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
With ActiveWorkbook
.Unprotect Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If .ProtectStructure = False And .ProtectWindows = False Then
PWord1 = Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
MsgBox Application.Substitute(MSGPWORDFOUND1, "$$", PWord1), vbInformation, HEADER
Exit Do 'Bypass all for...nexts
End If
End With
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
Loop Until True
On Error GoTo 0
End If
If WinTag And Not ShTag Then
MsgBox MSGONLYONE, vbInformation, HEADER
Exit Sub
End If
On Error Resume Next
For Each w1 In Worksheets
'Attempt clearance with PWord1
w1.Unprotect PWord1
Next w1
On Error GoTo 0
ShTag = False
For Each w1 In Worksheets
'Checks for all clear ShTag triggered to 1 if not.
ShTag = ShTag Or w1.ProtectContents
Next w1
If ShTag Then
For Each w1 In Worksheets
With w1
If .ProtectContents Then
On Error Resume Next
Do 'Dummy do loop
For i = 65 To 66: For j = 65 To 66: For k = 65 To 66
For l = 65 To 66: For m = 65 To 66: For i1 = 65 To 66
For i2 = 65 To 66: For i3 = 65 To 66: For i4 = 65 To 66
For i5 = 65 To 66: For i6 = 65 To 66: For n = 32 To 126
.Unprotect Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
If Not .ProtectContents Then
PWord1 = Chr(i) & Chr(j) & Chr(k) & Chr(l) & Chr(m) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & Chr(i5) & Chr(i6) & Chr(n)
MsgBox Application.Substitute(MSGPWORDFOUND2, "$$", PWord1), vbInformation, HEADER
'leverage finding Pword by trying on other sheets
For Each w2 In Worksheets
w2.Unprotect PWord1
Next w2
Exit Do 'Bypass all for...nexts
End If
Next: Next: Next: Next: Next: Next
Next: Next: Next: Next: Next: Next
Loop Until True
On Error GoTo 0
End If
End With
Next w1
End If
MsgBox ALLCLEAR & AUTHORS & VERSION & REPBACK, vbInformation, HEADER
'
End Sub

Then run Macro1. This may take a while depending on the speed of the machine. It looked like excel locked up on my test system. After a minute or two the alerts pop up with the password. In my case it was “password123”. Secure? Sure.

The last few weeks of the year are usually the best to start testing systems at my current job. We currently have the following security measures in place:

Cisco Firewalls
Juniper Firewalls
Cisco IPS
Cisco Switches with ACLs on each VLAN
Secured Syslog Server
Secured Snort (IDS) Server
McAfee Antivirus
Windows Updates*

*Windows Updates are not forced on the Dev Team or Server Farms – Those updates are installed manually usually once a quarter (after testing).

Seeing as it’s Tuesday December 28th, I had some free time to test out the Antivirus installed on each system. Most exploits today are not actually against the OS (Microsoft has done a pretty decent job lately with security issues, even with that huge DLL issue) and are instead targeting 3rd party applications.

What do you consider a 3rd party application? The biggest two are:

Adobe (PDF Reader, Flash Player)
Sun (Java)

So I decided to test in my VMWare environment using the latest and greatest updates for Windows XP. Why did I choose XP over 7? Looking over my log files I see that most visitors to my site include XP users. XP has also been around long enough to get all the kinks worked out. And finally, I chose to use PDF/Java exploits, so the OS doesn’t really matter as much.

Please don’t visit these websites unless you know what you’re doing. And I used smartscan/quickscan whenever possible.

Test 1 (Nod32/Threatfire):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Nod32 Antivirus 4.2.67.10 5739
Threatfire 4.7.0.17
Secunia PSI 2.0.0.1002 100%
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Blocked by Nod – Downloaded Java (c:\doc and set\Administratorupdate665744669.exe) **PDF/Java/Trojan**

expa82.co.cc/bl2/
Blocked by Nod **Trojan**

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe, Cleaned by Nod **Trojan**

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit blocked by Nod (Freezes IE) **Java/Trojan**

Malwarebytes:
Objects infected: 3 (3 are non-infection related)

Verdict:
Clean system, difficult to infect on accident.
Performed scan by Nod32/Threatfire – nothing found.

Test 2 (McAfee):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
McAfee VirusScan Enterprise 8.7i 6210.0000
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Allowed to download – no extra processes

expa82.co.cc/bl2/
Allowed to load page – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe, allowed to install (load.exe, csrss in temp folder)

marinada3.com/77/throatnut.php
Blocked by IE – no extra processes

Malwarebytes:
Objects infected: 14 (3 are non-infection related)

Verdict:
CSRSS.EXE running as SYSTEM and Administrator. Infected system.
Performed scan by McAfee – nothing found.

Test 3 (McAfee/Threatfire):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
McAfee VirusScan Enterprise 8.7i 6210.0000
Threatfire 4.7.0.17
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Allowed to load page – file would not download

expa82.co.cc/bl2/
Allowed to load page – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe, Threatfire detected and blocked the installation, then found and blocked load.exe

marinada3.com/77/throatnut.php
Blocked by IE – no extra processes

Malwarebytes:
Objects infected: 4 (3 are non-infection related)

Verdict:
Only infection file was located as a temporary internet file download and was not referenced in the registry. “Clean” system.
Performed scan by McAfee and Threatfire – nothing found.

Test 4 (Nod32):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Nod32 Antivirus 4.2.67.10 5739
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
Blocked by Nod

expa82.co.cc/bl2/
Blocked by Nod

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Not found by Nod32

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit blocked by Nod32

Malwarebytes:
Objects infected: 13 (3 are non-infection related)

Verdict:
Infected system, somewhat hard to infect on accident, but a definite possibility. CSRSS.exe is loading.
Performed scan by Nod32 – nothing found.

Test 5 (No AV):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
IE reported this site as BAD – File not found to download

expa82.co.cc/bl2/
Site loaded fine – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Saved and run successfully

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit allowed to load – no additional processes

Malwarebytes: (google searches redirected to other websites, had to kill load.exe)
Objects infected: 14 (3 are non-infection related)

Verdict:
It’s always better to have some sort of antivirus software installed. So I can’t recommend this at all.

Test 6 (Microsoft Security Essentials MSE):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408

cryyahoo.info/tre/boba.exe
IE reported this site as BAD – File not found to download

expa82.co.cc/bl2/
Site loaded fine – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Saved and run successfully

marinada3.com/77/throatnut.php
Blocked by IE – Java exploit allowed to load – no additional processes

MSE found a few files it needed to send in for verification, but did not block anything.

Malwarebytes:
Objects infected: 12 (3 are non-infection related)

Verdict:
MSE didn’t actively block anything – it only found the files when I scanned the computer using MSE. I prefer a more active participant.

Test 7 (Microsoft Security Essentials MSE with TF):

Windows XP Pro SP3
Fully Updated 12.28.2010
Internet Explorer 8.0.6001.18702
Adobe Flash Player 10 ActiveX 10.1.102.64
Java 6 Update 23 6.0.230
Malwarebytes Anti-Malware 1.50.1.1100 5408
Threatfire 4.7.0.17

cryyahoo.info/tre/boba.exe
IE reported this site as BAD – File not found to download

expa82.co.cc/bl2/
Site loaded fine – no extra processes

1.oresmir.co.cc/1/load.php?spl=mdac
IE labeled download as unsafe – Threatfire blocked the installation

marinada3.com/77/throatnut.php
Blocked by IE – Threatfire blocked the java exploit from running

MSE, like in the previous test, did not block anything.

Malwarebytes:
Objects infected: 3 (3 are non-infection related)

Verdict:
MSE didn’t actively block anything – it only worked well with TF in finding new problem programs. I still prefer a more active participant, but MSE and TF worked well.

Final Results:
So it appears as though Threatfire really does help out. It also appears that Nod32 is only slightly better than McAfee and MSE edged them both out. McAfee did not find the infections on access or during a scan. Nod32 blocked only one file on access, but found nothing during a scan. MSE blocked nothing during on access, but found a couple files with issues during a scan.
I also realize that I didn’t include Adobe Reader as part of the package. Since I’ve already disposed of the virtual machines I don’t think I’ll go back and correct this error.

No AV – 11 infections
McAfee – 11 infections
Nod32 – 10 infections
MSE – 9 infections
McAfee with Threatfire – 1 infection
Nod32 with Threatfire – 0 infections
MSE with Threatfire – 0 infections

Final recommendation:
While I will continue to use Nod32 alongside Threatfire (I pay for the Nod32 subscription), and will continue to recommend it to my peers/clients, I must say that for the average home user MSE has come through with flying colors. However, when utilizing MSE you MUST scan your system after each download or on regular scanning intervals. Their lack of on-access scanning is my major gripe at this time.