EventSentry Blog

Announcing EventSentry v2.91

November 30, 2009May 28, 2019 ingmar.koecher 0 Comment Announcements, Event Log, EventSentry, Tools & Utilities eventsentry 2.91 release event log file monitoring health matrix

Now that EventSentry v2.91 has been released, I’m happy to have the opportunity to blog about our monitoring solution again.

The most significant new feature in EventSentry is the Health Matrix, a new way to see your network status in a space-efficient way. In fact, you can see the overall health status of your entire network on a single screen, even if it consists of hundreds of hosts.

We also made numerous other changes throughout the web reports, and added some exciting new filtering capabilities with our event log filters, as well as improved speed with the event log engine and file checksum generations.

EventSentry v2.91 also includes many minor improvements throughout the application, including service monitoring, process tracking and more. We have also updated EventSentry Light, and a new version will be released in the coming days after we have completed testing.

But now to the new features in version 2.91:

Health Matrix
In the health matrix, each host is displayed as a colored square, circle or rectangle, with the color indicating the overall health of the monitored computer. When all of the monitored components of a host are in an OK status, the color of the square is green. The color will change to orange or red when a problem is detected, depending on the number or severity of the issue.

The health matrix is highly customizable, for example both the size and shape of the icons can be adjusted depending on the size of the network (and your monitor).

Event Log Monitoring
In 2.91, the event log filtering engine was improved, resulting in reduced CPU usage of the event log monitoring component. Since the CPU usage of the EventSentry agent is already quite low, you will most likely only notice this improvement on hosts that generate an extremely large number of events, such as domain controllers.

Also new is the ability to filter events based on insertion strings in addition to just filtering based on the event message text. This means that one can now match individual strings inside event messages against strings, numbers, file checksums and group memberships. If you are not familiar with the term “insertion string”, then I highly recommend my previous post about event message files before you read on.

Consider the following hypothetical example: The environment-monitoring component of EventSentry logs event id 10908:

The temperature (78.21 degrees F) has fallen outside the configured range (60F to 76F).

which is defined as:

The temperature (%3 degrees %4) has fallen outside the configured range (%1%4 to %2%4).

This event obviously informs us, that the current temperature has exceeded a set limit. Now let’s say that we wanted to get an email when the temperature exceeds the limit, but also send a page when the temperature exceeds 90 degrees.

The new filtering feature allows you to do just that, by using the numerical comparison functionality with insertion strings (of course you would also need to set the hour/day properties). Assuming that you already have a filter in place for regular email notifications, you would simply setup an additional include filter that would evaluate insertion string 3 (%3) and only match if the number is above 90. See the screen shot below for the example. The result is a filter that only matches when then the temperature exceeds 90 degrees.

2.91 also includes two more comparison options, file checksums and group membership. So, if an insertion string represents a filename (e.g. from a security event), then EventSentry can create a SHA checksum from the specified file and compare it with the value that you specified. Another example would be a security event that includes a username in an insertion string, in which case you could setup a filter that would only match if that user is a member of particular group you specify. Both examples are mostly applicable for security events, since those are most likely to contain either filenames or usernames.
Using file checksums, you can be notified whenever a user plays solitaire, even when the user renames the executable.

Simply create a checksum of the file first using shachecksum.exe (included in the free NTToolkit, make sure you account for different OS versions and platforms) and intercept the corresponding 4688 event.

Service Monitoring
Service Monitoring now collects the username as well as the executable of a service. These additional properties are available in the web reports and in events generated, for example when the username of a service changes.

Software Monitoring
Software monitoring has been overhauled in 2.91, and some limitations and bugs have been removed. On Vista, Win2k8 and later, Windows patches are now monitored and included in the software inventory. 64-bit software is now classified as such and searchable, and searching for installed Windows Updated patches has also been simplified.

SNMP Traps
EventSentry can now send version 2c and version 3 traps, previously only version 1 traps were sent by the agent. The SNMP trap daemon was originally set to be released as part of 2.91, but this feature has been pushed back to v2.92.

Web Reporting
We have made a number of improvements in the web reporting to make using our web-based interface easier:

•    Reports are now easily accessible from every page, in addition to the reports p
age.
•    The database usage page now shows the actual page name in addition to the table name.
•    The dashboard page has been overhauled
•    The network status page can be customized (performance counters & disks)

Miscellaneous Improvements

There have of course been other improvements across the board, such as:

•    Notes can now be applied to computers
•    AD-linked groups can be sorted, and authentication properties can be set globally
•    Hardware monitoring now includes the IP address of an interface
•    Process tracking can capture the command line of a process
•    Logon tracking includes group information
•    File checksum generation has been optimized and will now use fewer CPU resources (affects file monitoring and file access tracking)
•    The minimum database interval for environment monitoring has been reduced to 5 minutes from 15 minutes
•    Software uninstallation events now include the same information as software installation events

If you have an active maintenance agreement, then this 2.91 release will of course be free of charge. If you are not already using EventSentry, then you can download a free 30-day evaluation version from https://www.eventsentry.com/downloads_downloadtrial.php.

Happy Holidays,
Ingmar.

Group Policy Software Deployment: Targeting the right computers with WMI filters

October 19, 2009June 17, 2022 ingmar.koecher 5 Comments Tips & Tricks, Tools & Utilities windows group policy software installation wmi filtering

Group policy was introduced with Windows 2000, and is an easy way of centralizing many Windows settings. In addition to centralizing event log and firewall settings, I personally like the ability to deploy MSI-based software applications with Group Policy, since it makes it extremely easy to deploy new software packages.

Even though Software Installation only works only with MSI-based packages, it does make deploying MSI-based software packages extremely easy. Here is a short list of software (mostly tools for sysadmins) that you can deploy using Active Directory:

7-Zip
Firefox (from FrontMotion)
Foxit Reader (a PDF reader)
TortoiseSVN
ActivePerl
Python
SourceGear Vault Client
OpenOffice (I have not tried this)
Adobe Flash (requires custom download)

There are of course many more, and you can distribute most Microsoft client applications, such as Microsoft Office, through Group Policy as well.

We generally deploy software through Group Policy when three or more computers use it, since it’s very easy to create a new package (if you already have a network share etc. setup, then you can literally do it in 2 minutes).

Before I list some of the useful WMI queries we use to target certain operating systems or computer types, there are a couple of things to note for those who are new to software deployment via group policy:

Software packages are always installed right after a reboot, so they’re mostly suitable for workstations.
The network share which hosts the MSI files needs to give the computer accounts (e.g. DESKTOP1$) at least read access. Generally, giving EveryOne Read access works well unless you have a reason to restrict access to the software packages that you distribute.

Since the mechanism to distribute software is based on group policies, any sort of software package you create inside a group policy, will need to be assigned to an organizational unit (OU).

Since OUs can contain a large amount of computers that might not all need that particular software package, you can use two techniques to narrow down which computers receive the software:

Security Filtering
WMI Filtering

Security Filtering
With this method, you create a security group in ActiveDirectory, place the computers that should get a particular software package into the group, and then specify this group in the Security Filtering list.

The screen shot below shows a group policy that will only be applied to members of the “Source Control Computers” group:

WMI Filtering
With this method, you can filter the computers which are affected by your policy, based on common properties of the Operating System. For example, some packages might distinguish between 32-bit and 64-bit, some packages might only work on Vista or later, whereas other packages apply only to servers. With WMI, you can target the right computers without having to mess with group memberships (though you will probably still need to do that). For example:

32-bit vs. 64-bit computers
only workstations
only computers running a certain OS
only computers with a certain amount of RAM
only computers of a certain brand

With WMI filtering, you just create the software group policy, for example:

7-Zip 32-bit
7-Zip 64-bit

and then apply the respective WMI filter to them. But lets cut to the chase, here are a few WMI queries that you can cut & paste:

Operating System 32-bit

Select * from Win32_Processor where AddressWidth = ’32’

Operating System 64-bit

Select * from Win32_Processor where AddressWidth = ’64’

Workstation

Select * from WIN32_OperatingSystem where ProductType=1

Domain Controller

Select * from WIN32_OperatingSystem where ProductType=2

Server

Select * from WIN32_OperatingSystem where ProductType=3

Some filters require multiple WMI queries, which are just chained together.

Workstation 32-bit

Select * from WIN32_OperatingSystem where ProductType=1

Select * from Win32_Processor where AddressWidth = ’32’

Workstation 64-bit

Select * from WIN32_OperatingSystem where ProductType=1

Select * from Win32_Processor where AddressWidth = ’64’

Windows XP

Select * from WIN32_OperatingSystem where Version like ‘5.1.%’ and ProductType=1

Windows Vista

Select * from WIN32_OperatingSystem where Version like ‘6.0.%’ and ProductType=1

Windows 7

Select * from WIN32_OperatingSystem where Version like ‘6.1.%’ and ProductType=1

Windows 2003

Select * from WIN32_OperatingSystem where Version like ‘5.2.%’ and ProductType>1

Windows 2008

Select * from WIN32_OperatingSystem where Version like ‘6.0.%’ and ProductType>1

Windows 2008 R2

Select * from WIN32_OperatingSystem where Version like ‘6.1.%’ and ProductType>1

WIN32_OperatingSystem of course includes more information that can be useful for WMI queries, such as a descriptive name of the installed OS (“Name”) as well as the service pack installed (“ServicePackMajorVersion”).

Manufacturer (e.g. DELL)

Select * from WIN32_ComputerSystem where Manufacturer = ‘DELL’

Installed Memory (e.g. more than 1Gb)

Select * from WIN32_ComputerSystem where TotalPhysicalMemory >= 1073741824

Like I mentioned earlier, this is merely a small sample of the possible WMI queries one can use to filter group policies, but they should cover most relevant scenarios. Feel free to suggest other useful WMI queries and I will include them here.

For more information, check out these resources on WMI:

WMI
Secrets of Windows Management Instrumentation
Scriptomatic (Vista/Win2k8/Win7: run as administrator!)

Happy querying,
Ingmar.

Get your KIX on route 66 – Powerful (login) scripts made easy with KiXtart

September 17, 2009August 30, 2021 ingmar.koecher 1 Comment Event Log, Tips & Tricks, Tools & Utilities kixtart login script

Route 66 was a US highway that connected Chicago with Los Angeles (or vice versa), with a total length of almost 2500 miles (for the rest of world using the metric system: almost 4000 km). It was established in 1926 and Nat King Cole first recorded the song “(Get Your Kicks On) Route 66” in 1946.

Completely unrelated to Route 66 of course is KiXtart, a free, free-format scripting language for Windows.

I first ran across KiXtart back in ’99, when I was looking for a scripting language that I could use to write login scripts in a NT4 network. My goals back then were simple, and included the ability to map printers and shares depending on the user and/or group membership.

I was already familiar with Perl back then, and would have preferred to use that, if it wouldn’t have been for the requirement to install Perl on every workstation. Things have changed since then of course, and installing Perl today on every workstation in your domain would be rather simple with GroupPolicy (ActivePerl provides a MSI).

Still, KiXtart is a surprisingly simple and flexible scripting language that will allow you to accomplish most anything (not only in regards to login scripts) with extremely little effort. KiXtart also supports Windows 9x clients, if you are in the unfortunate position to take advantage of that functionality.

So what can you do with KiXtart? Here is an overview:

Read and/or write to the registry
Manage the event log
Add printer or network share connections
Create shortcuts, program groups etc.
Read and/or write from/to files
Retrieve system information (memory, hostname, IP address, …)
Get group information
And much more …

There really is little you cannot do, and most tasks can be accomplished with as little as one or two lines of code. How about some practical examples of what you can do with KiXtart:

Map the color laser printer to all members of the “Marketing” group at logon.

Map a network share depending on the network location (e.g. IP address) of a user.

Query registry values or log information to the event log.

Add a shortcut or program group

Change the wallpaper 🙂

The KiXtart web site has the complete documentation for all commands and functions that are at your disposal, and you can download them in a variety of formats (I recommend the CHM format) from http://www.kixtart.org/?p=manual.

But that’s all nothing but dry theory, so I will show you how to create a KiXtart script that accomplishes the following:

Creates a printer connection depending on the group membership of the user
Maps network shares depending on the group membership
Displays a warning message if the latest service pack is not installed
Maps another network share only if the user is in a certain IP network
Display a warning if the password is older than 180 days

1. Creating a printer connection

IF INGROUP("MARKETING")
? "Connecting to color laser ..."
ADDPRINTERCONNECTION("\\PRINTSERVER\COLOR_LASER_1")
ENDIF

In this example we are taking advantage of two functions, INGROUP and ADDPRINTERCONNECTION. I think they are fairly self-explanatory. If the currently logged on user is in the MARKETING group, then a printer connection to \\PRINTSERVER\COLOR_LASER_1 will be established.

2. Mapping network shares

The same INGROUP feature can be used to add network connections as well, so here is how you can control connections to network shares based on group membership

;Map Home Directory
USE G: "\\FILESERVER\@USERID"

IF INGROUP("Marketing")
USE I: "\\FILESERVER\Marketing"
ENDIF

IF INGROUP("SALES")
USE J: "\\FILESERVER\Sales"
ENDIF

In this example I introduced macros (@USERID), another powerful feature of KiXtart. By default, pretty much any system property is available as a macro (macros always start with the @ symbol). @USERID contains the user name of the currently logged on user, but there are others, such as:

@ProductType (OS type, e.g. “Windows Vista Ultimate”
@Wksta (computer name)
@LDomain (logon domain)
@CSD (service pack information)
@CPU (CPU information)
@Address (MAC address of network adapter)
@IPaddress0, @IPaddress1, … @IPaddress3 (IP address of xth network adapter)
@PWAge (password age)

Lines that contain comments in KiXtart start with a semi-colon.

3. Display a warning based on the service pack number

KiXtart also includes a variety of functions for handling strings. We can use the @CSD variable to get the service pack information:

? "Service Pack: " + @CSD

which will yield something similar to

Service Pack: Service Pack 1

In order to display a dynamic message, we can get the last character and evaluate it. So let’s display a warning message if a user is running Vista with a service pack smaller than SP 2:

IF INSTR(@ProductType, "Vista") > 0
IF RIGHT(@CSD, 1) < 2
MESSAGEBOX("Important Message from your IT Department" + @CRLF + @CRLF + "Your computer is not running the latest service pack, and will be upgraded tomorrow automatically at 10am. The upgrade will take approximately 30 minutes, and you will not be able to use your computer at that time." + @CRLF + @CRLF + "Thank you for your understanding.", "Service Pack Installation", 48)
ENDIF
ENDIF

The INSTR() function checks whether a string appears inside another string, and the LEFT() function retrieves the specified number of characters from the beginning of a string.

4. Map a network share depending on the IP address

Let’s imagine that we have a network share with lots of really large files (e.g. corporate training videos and more) and that we only want to map this share if a user is in the headquarter, opposed to a satellite location which has a slow access speed.

IF LEFT(@IPADDRESS0, 11) = " 10. 10.  0"
USE Z: "\\FILESERVER\TrainingVideos"
ENDIF

Now the network share is only mapped if the user is in the 10.10.0.0/24 subnet. You can also use the EnumIPInfo() if you need to get more information from the network adapter.

5. Display a warning if a password is old

Most networks require users to change their passwords on a regular basis, but wouldn’t it be nice if we could give our users a one-time warning before they are faced with the inevitable prompt that requires them to change their password?

$PasswordWarningThreshold = 170

IF @PWAge = $PasswordWarningThreshold
MESSAGEBOX("Your password is " + $PasswordWarningThreshold + " days old and will have to be changed in 10 days. Please think of a really good password in the meantime.", "Password Expiration", 64)
ENDIF

In this example I also introduced variables, which are specified with the dollar sign. These are simplified examples, and there is a lot more you can do. For example, using the registry functions, you can save user responses and previous alerts in the registry, and later read them again.

So, forget multiple logon scripts or batch scripts using “NET USE” commands. With KiXtart, you can have one central login script that can adjust dynamically to the user, location, operating system or even the computer itself.

To get started, simply follow these steps:

Create a batch file (e.g. login.cmd) with the following line:
%0\..\WKix32.exe %0\..\login.kix
Create the actual login script for KiXtart, e.g. “login.kix”
Assign the login script login.cmd to all user accounts that require them

That’s it. You don’t have to install anything on the client computers, and you now have a single login script for your entire network.

Until next time,
Ingmar.

Wish Sandwich – 5 (free) tools we wish Windows had

August 13, 2009January 10, 2017 ingmar.koecher 0 Comment Tips & Tricks, Tools & Utilities favorite tools windows editor command line putty console launchy

“Have you ever heard of a wish sandwich? A wish sandwich is the kind of a sandwich where you have two slices of bread and you, hee hee hee, wish you had some meat…”

These are part of the lyrics from the “Rubber Biscuit” song by “The Chips“, covered by the Blues Brothers in 1978. At the time, UNIX was almost 10 years old, the first version of BSD had been released, and Microsoft had their office in Albuquerque with Bill Gates being 23 years old.

It would take almost another 20 years before Windows NT 4 would be released. But back to the future now.

Well, after working with Windows for about 15 years now, I also wish that the base set of utilities that ship as part of Windows would have been updated and improved. It might seem odd, but one of the first things I do when I install a new release of Windows, is to open notepad, the calculator and paint – to see if they have improved.

Somewhat surprisingly, Windows 7 brings a lot of improvements to the core utilities that ship with Windows. Microsoft not only spiced up Paint and Wordpad by giving them the “Ribbon”, but also improved the calculator in ways never imagined before. Yeah!

But these improvements do not satisfy a long-time Windows user! Having worked with Linux, OS X and Windows since the 3.0 days, I have my own list of apps that I use to substitute or extend some of the archaic tools that ship with Windows.

And here they are:

1. Notepad
What we know today as “Notepad”, was first seen in Windows NT 4.0. When Windows 2000 came out, notepad hadn’t changed. Well, fair enough – it had only been 4 years after all. A short while later Windows XP was released with a bang, but notepad was still the same. Windows 2003 showed that an upgrade to notepad obviously had low priority, and the release of Vista confirmed to me that notepad was clearly no longer under development. The recent release of Windows 7 crushed my hopes of Microsoft ever releasing an updated version of Notepad. Sigh.

So, why was Notepad left behind? Well, I have a few theories:

a)    The developer who originally developed Notepad has left the company, and nobody at Microsoft understands the existing code enough to make modifications.
b)    Companies developing third-party editors formed a powerful, mafia-like lobby, threatening Microsoft (presumably kidnappings) to never ever release an update to notepad, to ensure that third-party editors will continue to sell well.
c)    Microsoft deems Notepad complete, and cannot imagine how this robust application could be improved.
d)    Windows applications do not use text files, since all configuration is stored in the registry or databases. Even though unneeded, Notepad is provided as a courtesy and might be excluded from future version (like, telnet.exe!).

Whatever the reason (I may never find out), fact is that Notepad hasn’t been updated in 13 years, and since Windows 8 won’t be out until 2012, probably won’t change in 16 years. That’s a lot of years for a software program.

Line Numbers?
Basic syntax highlighting?
Anyone?

So what could replace Notepad? Why, Notepad2 of course! To be fair, there are more powerful editors out there than Notepad2, but it’s free, light-weight and fast. Florian’s Notepad2 supports line numbers, syntax highlighting, line highlighting, encodings, Unix/Windows line endings, transparency and much more. An extended version from Kai Liu is also available here, most notably including code folding abilities. Tabs are not supported in either version, unfortunately.

My other favorite editor is Ultraedit, as it includes pretty much any feature you could ever want from an editor. A nice feature, for sysadmins in particular, is the ability to switch environments. The “System Administrator” view for example, allows you to show SSH/telnet/FTP windows along with the editor windows.

2. Command Prompt
Yeah, this hasn’t changed much since the early days either, though the introduction of the PowerShell deserves some credit. Using Linux regularly though, I miss some of the features like tabs, transparency and so forth.

The good news is, there is an excellent substitution out there called Console. The latest beta of version 2 features transparency, multiple tabs, appearance options and is free. It’s so free, that they even give you the source code if you want it! It works on all the machines I use (mostly Vista, soon to be Win7) and I’m very happy with it overall – though it is a beta still and you might run into a glitch every now and then. I sit around in the command line a lot, and having multiple tabs open is nice.

One option I really like is the ability to show the currently executing command as the tab title, which is useful because you can see when a long-running process finishes (see screenshot above where fping is running in the 2nd tab).

When downloading, get the latest beta and simply extract all files from the

Console2\bin\release

folder to a directory of your choice.

3. Desktops / Spaces
Linux, and Unix, had multiple desktops since the industrial revolution. Well, at least it seems that way. I’m not sure why this hasn’t been added to Windows yet, given that:

• Every major Operating System OTHER than Windows includes it
• Microsoft provides a tool (part of Sysinternals) that offers this functionality

Yes, in the age of affordable large monitors, multiple desktops aren’t really that necessary anymore. But, many of us still work on laptops and having multiple virtual desktops can help group different work into different workspaces.

I recommend Sysinternals’ Desktops, but there are more tools out there that do the same thing – though they are not all free.

4. Launchy
It indexes all of your applications in the start menu, and you can simply launch them by typing their name – or part of their name. No
longer do you have to wade through dozens and dozens of menu items just to find a shortcut. Simply launch Launchy with ALT+SPACE and type a couple of letters. Voila!

5. PuTTY
If you work with Windows and UNIX/Linux machines, then it’s pretty much impossible that you haven’t heard of PuTTY. It’s a free SSH client that no only provides SSH/Telnet functionality, but also comes with other SSH-related utilities like PSCP, PSFTP and PLINK (see previous post on this).

I’d love it if Windows would ship with a command-line SSH client, just like all UNIX and Linux distributions do.

Of course there is more, but these are the tools “desktop” that we really use on a daily basis.

If your computers are in an Active Directory domain and you want to roll out some of these tools with your computers by default, then I recommend reading our previous post: Your favorite tools and utilities always available everywhere.

What do you want for nothing?

Rubber Biscuit?

Firefox .NET Framework Assistant Paranoia

June 5, 2009January 10, 2017 ingmar.koecher 4 Comments AutoAdministrator, Tips & Tricks, Tools & Utilities Mozilla Firefox .NET Framework Assistant Removal Security Exploit

There has been a lot of concern and uproar recently about the .NET Framework Assistant Firefox Add-On (plug-in), that Microsoft silently installs with the Microsoft .NET Framework 3.5 Service Pack 1 (which was pushed in early 2009 with Windows Update). As such, if you are using Firefox, then there this is a very high probability that you have this Firefox Add-On installed, maybe even without knowing it.

To quote Microsoft: “In the .NET Framework 3.5 SP1, the .NET Framework Assistant enables
Firefox to use the ClickOnce technology that is included in the .NET
Framework.”

There are dozens of blogs that complain about the security implications, how the Add-On cannot be uninstalled and eventually post instructions on how to remove the Add-On from your computer, essentially implying that the AddOn harbors major security risks. Contrary to most Firefox Add-Ons, this one can’t be uninstalled through the browser since it was installed at the “computer level”. As such, you have to remove files from the file system and modify the Firefox configuration to disable it.

I’d have to admit that I haven’t heard much about the ClickOnce technology before this sneaky little AddOn was set free, and the buzz words one reads in all the blogs, newspapers etc. certainly have the potential to make one uneasy and follow the surgical removal procedure without much hesitation:

Microsoft installs .NET AddOn without user approval!
AddOn can’t be uninstalled
AddOn silently runs .NET applications without user knowledge!
ActiveX security hell is back!

So is the AddOn a security risk and do you have scramble to rip it out? Not in my opinion, and I will explain why.

In this post I will clear up some misconceptions about the ClickOnce technology, but also show you how to remove the AddOn from any number of computers with a few clicks – using our new AutoAdministrator 2.0 – just in case you do want to rip it out :-).

What most people don’t know, is that the ClickOnce “technology” is already present in Internet Explorer, and is not even close to what was/is possible with ActiveX applets.

ClickOnce applications run in a sandbox, similar to Java, and – by default – do not have any permission outside the sandbox. As such, a web site can’t just install a trojan horse or spam client on your computer – at least not using ClickOnce. The users permission is asked before elevated permissions are assigned to the application, and software that’s being installed can be signed – just like Windows applications are. Please see the Microsoft article below for more information on ClickOnce deployment and security:

ClickOnce Deployment and Security

So the AddOn is really just a gateway into something that is already on your system in the first place – .NET. Java does the same thing, and the AddOn Microsoft provides is likely much leaner than the Java plugins – and doesn’t register a new plugin with every new Java update that is released.

Don’t get me wrong – Microsoft could have handled this much better, and the inability to uninstall the AddOn really doesn’t help their case.

Oh, and by the way, to see a sample ClickOnce application then you can click here. It’s hosted by the author of the FFClickOnce Firefox AddOn, a predecessor of the .NET Framework Assistant if you will.

However, Microsoft has recently provided information on their site that outlines the required steps to remove the Add-In from Firefox, and has also released an update that will allow you to uninstall it on a per-user basis. Keep in mind that even with this update, every user would have to uninstall the Add-On manually:

Update to .NET Framework 3.5 SP1 for the .NET Framework Assistant 1.0 for Firefox

Having said all that, you might still want or have to remove the AddOn from multiple computers if you need to remove the ability for your users to run ClickOnce applications from Firefox. The good news is that you can remove all files as well as all registry entries that are associated with this Add-On from any number of computers within a matter of minutes — using AutoAdministrator.

AutoAdministrator integrates with ActiveDirectory, and lets you query/modify files, services, registry entries and more on any number of computers with the click of a few buttons. Read on to find out more.

Microsoft states that you need to perform three steps to remove the Add-On (official removal instructions – KB963707):

1. Delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{20a82645-c095-46ed-80e3-08825760534b}

2. In the Firefox preferences (about:config), right-click the general.useragent.extra.microsoftdotnet property and select “reset”.

3. Delete the folder %SYSTEMDRIVE%\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\DotNetAssistantExtension.

We can accomplish (1) and (3) with AutoAdministrator, which does remove the Add-On. It doesn’t reset the setting inside Firefox (2), but that should be merely a formality without the actual plug in. Our tests have shown that the plug in is gone after deleting the registry key and the directory on the file system.

There are two prerequisites for this to work: Your remote machines need to have the remote registry service running (you can temporary toggle that too with AutoAdministrator if it’s not running!) and the ADMIN$ share needs to exist.

As with all things you can do with AutoAdministrator, you should be very careful. We cannot take any responsibilities if you end up corrupting your Firefox installations, or worse, the Windows OS.

So, fire up AutoAdministrator and select the computers you want to uninstall the pesky Add-On from in the right pane. Then, select “Registry” from the toolbar and paste the key from step one in there and select “Delete key”.

The screen shot above shows the result list, using the “Read Value” option. To actually delete the key, you would need to select “Delete key”. Machines that are turned off are displayed as “Ping Failure: …”, and machines that don’t have the Add-On installed show a Windows API error message.

When you are doing ripping the registry settings out, you can delete the folder as well. This time, select “File Management” from the toolbar, and paste the directory in there. Note that the remote path should start with ADMIN$, as shown in the screen shot below:

You can also save these s
ettings as a preset, so that you can retrieve these settings at any point in the future with the click of a button.

I hope this information helps you make an informed decision as to how to proceed with the AddOn if it’s already installed in your network. You can

Leave it
Give your users instructions on how to disable it
Roll-out the Microsoft patch to give your users the ability to uninstall it ( arguably identical to (2) )
Remove it from all systems with AutoAdministrator or scripts

I think if this exercise reveals anything, then it’s that Firefox’s AddOn framework leaves some room for improvement. For example, why did Firefox not inform me that this AddOn had been installed? Skype also silently installs an AddOn, though that can be removed easily.

And if you’re really serious about browser security, then you might want to check out the Flashblock AddOn. It disables all flash animations by default, leaving placeholders that you can click to load any flash animation. This improves page load times, can help suppress annoying flash-based ads and of course helps security. I haven’t tested it on many sites yet, but it can quickly get annoying if you’re accessing a lot of web sites that contain reporting widgets that are flash-based.

So long,
Ingmar.