Unlocker from MajorGeeks contains Babylon RAT
Got hit with thousands in AWS charges from crypto miners this morning. Spent hours figuring out how they bypassed my MFA.
It was Unlocker 1.9.2 from MajorGeeks! Babylon RAT bundled in: keylogger, credential stealer, the works. My whole PC was compromised thanks to it.
Neither Windows Defender nor Malwarebytes picked it up back then, and even now only Malwarebytes detects the installer.
Hash: fb6b1171776554a808c62f4045f5167603f70bf7611de64311ece0624b365397
This has been known since 2013. Still up. 1.8M downloads.
Hope nobody else falls for this, had pretty excruciating hours at the bank today.
https://redd.it/1pc91kg
@r_systemadmin
Need to decide on making a change.
I am 24 years into working in IT and federal contracting. I have hated every min of working in IT for well over the last 14 years. Now I am 50 years old, 4 kids with one in college and the rest still in K-12. I have been laid off twice this year because of this administration's BS, and I cannot stomach the job or the customer anymore. I am looking at trades now. Hard to imagine getting into a trade at 50 years old and making less money. But I'd rather make less and actually enjoy what I do with my life for once. Just a bad situation all the way around. I am so sick of interviews and applying for these IT jobs. The requirements that companies are looking for. You need to know a dozen different things for one Sysadmin job, and the crap keeps changing every year. IT was the biggest mistake of my life, and the years I will never get back because of it. AI can have this. The future of this field is going to put so many out of work.
https://redd.it/1pc8o07
@r_systemadmin
I wasn't allowed to swap out APs until I finish OSHA Training for 10 hours.
We had a whole project on swapping out old UniFi WiFi 5 with Meraki Wifi 7 which will be mounted in the ceiling.
I pulled out a ladder and was told to get down from it by HR. Not because I was being dangerous but because I wasn't "ladder trained".
Now I have to take a 10 hour training course and was told this has to be done outside of my normal salaried working hours of 50 a week.
CFO has informed me that HR is allowed to make that requirement. Now I'm burning through my nights so I can get this yearly goal finished.
https://www.oshaeducationcenter.com/osha-10-hour-training-construction/
My users work in construction, they simply picked the same one that the others take. I wouldn't care if this could count towards my normal hours but taking courses doesn't count towards increasing shareholder value.
https://redd.it/1pcc2w1
@r_systemadmin
Renaming the domain
Hello everyone,
As the title says, I have to rename our domain from tm to soc because the company was bought out. This is a new job that I started 2 days ago and this is currently my task.
To be totally honest, I come from a Linux background, so I'm really not familiar with the Windows ecosystem that much. Are there any best practices? Should I set up a new domain and use ADMT? Will it move the SIDs with it? Or should I just use rendom? My current setup is 2 domain controllers with approx 100 users and 100 computers and approx 70 servers databases and webservers.
Appreciate the help
https://redd.it/1pc8oyg
@r_systemadmin
Crash out / vent
Microsoft. Fuck you.
You're wasting billions on AI, claiming we want it when the reality is Copilot sucks ass. It's the "Edge" of AI models.
Instead of wasting those billions can you make new Outlook have COM add-ins? Or better yet - make the fucker be able to export multiple emails into a single PDF?
Or just fix old Outlook so it doesn't crash when a stiff fucking breeze comes through?
Thanks. Fuck you.
https://redd.it/1pcevvz
@r_systemadmin
Why do people think it's okay to upload sensitive company information on their personal GPT?
Lately I keep hearing people admit they paste entire contracts, client briefs, internal docs, everything, straight into ChatGPT from their personal accounts and random GPTs. No clue where the data goes, no company oversight, nothing. They have their own company AI accounts so it's not like that's the problem, it's just more "convenient" like ?????
How is this not a compliance nightmare waiting to blow up? Anyone else seeing this?
https://redd.it/1pceobr
@r_systemadmin
How am I supposed to deal with this absolute bullshit from Microsoft?
Trying to activate some benefits in Partner Centre and I get this message:
Some users, entities, and locations are restricted from using certain Microsoft services.
For this reason, leveraging anonymizing or location hiding technologies (such as VPN,
virtual machine, Internet tracking blocking, etc.) when connecting to these services is
not allowed. If you are using one of these technologies, you'll need to disable/change
your settings to gain access. If you believe you encountered this problem without one
of those causes, please wait 24 hours and try again. If the issue persists, contact our
support team and reference the below message code and transaction ID.
We will engage a team of experts that will help verify your account.
Code: 715-123160 Transaction ID: Removed
Needless to say, I'm not using a VPN, a virtual machine, or any form of browser privacy extension.
I waited 24 hours, tried again, same message.
I created an SR. No response.
I created a scheduled appointment in the SR. Nobody attended the call.
I'm losing my fucking mind with this bullshit.
Anyone got any tips?
https://redd.it/1pc8edb
@r_systemadmin
IT Conferences
With budget season upon us I have the opportunity to request funds to attend conferences next year. Work in a Microsoft shop, team of 3, located in the US, and am a generalist. I have attended Spiceworld a few times.
What other conferences have you attended and would recommend attending or skipping?
https://redd.it/1pcdd0n
@r_systemadmin
We are starting to pilot linux desktops because Windows is so bad
We are starting to pilot doing Ubuntu desktops because Windows is so bad and we are expecting it to get worse. We have no intention of putting regular users on Linux, but it is going to be an option for developers and engineers.
We've also historically supported Macs, and are pushing for those more.
We're never going to give up Windows by any means because the average clerical, administrative and financial employee is still going to have a windows desktop with office on it, but we're starting to become more liberal with who can have Macs, and are adding Ubuntu as a service offering for those who can take advantage of it.
In the data center we've shifted from 50/50 Windows and RHEL to 30% Windows, 60% RHEL and 10% Ubuntu.
AD isn't going anywhere. Entra ID isn't going anywhere, MS Office isn't going anywhere (and works great on Macs and works fine through the web version on Ubuntu), but we're hoping to lessen our Windows footprint.
https://redd.it/1pcrk0t
@r_systemadmin
So my boss up and quit this morning
Topic. Dude turned in his key card and such and then walked out the door. No notice to me or top management or anything.
I’m already covered on like 98% of all of the accounts thru admin emails (admin.user@domain) so for the most part I have that covered. My daily job as “IT Specialist” and global admin access to AD and all servers and emails and all things related to global access. Backups are good. Really the only real problems are anything being paid for by his credit card.
I guess my real concern is, what am I missing? It was just the two of us, me the IT Specialist and him the Director of IT. My responsibilities are “de facto” system admin, help desk, and some networking and his main duties were programming and just policy in general (regardless of how “wacky” it seemed to me).
So what am I missing? What should I look out for that my junior level experience might not think about?
https://redd.it/1pcrulv
@r_systemadmin
Employee took a brand-new company laptop home for personal use without asking — how should this be handled?
We’re a small company that follows strict security and compliance rules (CMMC-level requirements). One of our support technicians took a **brand-new company laptop** home because his personal home computer failed. He did **not** ask permission to take it, and I’m not sure he intended to bring it back.
We discovered the missing laptop, contacted him, and he eventually returned it. The laptop was used for personal activities at home.
This is a clear violation of our policies around asset control and equipment use. We’re trying to determine the appropriate response. Should this be handled as:
* A formal written warning?
* A final warning or suspension?
* Termination due to unauthorized removal of company property?
This isn’t a one-time small mistake like forgetting to log out — it’s taking new company equipment home for personal use without permission, and we work in a regulated environment.
How would you handle this?
Would this be considered gross misconduct at your workplace?
https://redd.it/1pcsu9l
@r_systemadmin
Oh God, here we go. I want to start my own IT company.
I am prepared for whatever may happen with the Reddit ghouls.
I am going to be starting my own IT company focusing on MSP and data storage. I am a 10 year low voltage technician, specializing in communications and networking. I have a CompTIA A+ certification, and am actively trying towards my CCNA. I currently hold the title as an Operational Engineer at a major DC corporation. I have 15 days off a month, an entire workshop already established, and more all around drive in my left nut than most have in their entire bloodline. So here it is Reddit, tell me how to drive this thing into the ground. I would love to hear all the ways that I am going to fail so I know exactly what not to do. Let me have it.
https://redd.it/1pcv2nc
@r_systemadmin
Windows sucks at Automatic Time Zones.
# The Problem:
We have a customer with an office located in Brisbane, Australia, who has a pretty standard setup - Windows 11 Laptops, Cisco Networking, ZScaler for Internet Security, Ethernet to every desk, a common IT SOE.
However, a couple of weeks ago we started seeing hints of an issue with some of the laptops, users were reporting that their device timezone kept changing to Adelaide (which is 2 hours behind), and then back to Brisbane randomly.
This seemed like just a temporary thing at first, but it started getting worse, it went from 1 to 2 laptops, to 5, to 10, to the whole office, it was obvious something had gone wrong, so I started looking into it.
[Example of what we were seeing, but pretend it says Adelaide and not Beijing.](https://imgur.com/yFbfvYD)
# How are Timezones automatically updated on Windows?
You ask a Desktop Support guy this question, and they'd probably say "oh it's from AD/GPO", or "it's from the NTP server", or "it's from the switch/DHCP server", but is that actually true? - **Nope** \- Turns out [Windows Exclusively uses location for automatic Timezones.](https://support.microsoft.com/en-au/windows/windows-location-service-and-privacy-3a8eee0a-5b0b-dc07-eede-2a5ca1c49088#:~:text=Location%20services%20also%20enables%20Windows%20features%20like%20automatic%20time%20zone)
Specifically, [the below are used](https://learn.microsoft.com/en-us/uwp/api/Windows.Devices.Geolocation?redirectedfrom=MSDN&view=winrt-22000#accuracy-expectations):
* GPS : accurate within *approximately* 10 meters. You won't find many (if any) corporate laptops with GPS built-in, so I haven’t spent much time poking at this path.
* Wi-Fi : accurate within *approximately* 30 meters - 500 meters. This method works by scanning the surrounding Network at all times when Wi-Fi is turned on (even if you aren't actually connected to Wi-Fi), Windows also doesn't care if you are using Ethernet, it will still scan. There is **ZERO** public documentation of the “algorithm” or “scoring logic” that Windows uses for this, we just know that it looks at nearby BSSID's (usually the same as the MAC address, though Microsoft only ever calls them MAC's) then checks the [**Microsoft geolocation database**](https://account.microsoft.com/privacy/location-services-opt-out) which we aren't allowed to even see - [at least not anymore.](https://elie.net/blog/privacy/using-the-microsoft-geolocalization-api-to-retrace-where-a-windows-laptop-has-been)
* Cell towers : accurate within approximately 300 meters - 3,000 meters. This is a good one, it might not be the most precise, but it's highly likely to be accurate, of course this is only available on devices with a cellular modem, however it [apparently](https://android.stackexchange.com/questions/140349/can-you-use-cell-tower-triangulation-without-a-sim-card) [does not require an active service](https://android.stackexchange.com/questions/140349/can-you-use-cell-tower-triangulation-without-a-sim-card#:~:text=SIM%20cards%20are,to%20cellular%20networks) or even a SIM card, it uses the Microsoft Geolocation Database similar to the Wi-Fi method.
* IP address: accurate within approximately 1,000 meters - 5,000 meters. As many IT folks know, IP‑based location services aren’t very precise and can be wrong at times - IP addresses change often, and IP‑to‑location databases quickly become outdated. Microsoft maintains its own database for this, but in my experience, Windows only falls back to it when Wi‑Fi based location is low-confidence/accuracy.
>The system automatically selects the most appropriate location source based on availability, accuracy requirements, and power consumption considerations. - Microsoft
# How Timezones are NOT updated on Windows:
* NTP - So the thing about Network Time Protocol, is it has zero concept of timezones, it [uses UTC time, always,](https://www.meinbergglobal.com/english/faq/faq_32.htm) it leaves timezone settings up to the OS of the client. Interestingly, Windows actually uses UTC behind the scenes for everything and just applies your timezone offset to stuff that is user facing, who knew.
* Active Directory - AD actually has a protocol for syncing time from DC's that is built off of (but also distinct to) NTP, it's barely documented, but [it's called MS-SNTP](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sntp/8106cb73-ab3a-4542-8bc8-784dd32031cc). MS-SNTP is enabled by default in AD for all clients, *except* if you are running under a hypervisor (then Windows shrugs and uses the HV), but both will **never** set timezones, only time.
[Windows client syncing from a Domain Controller.](https://imgur.com/E645jM5)
* DHCP - If you are well versed in DHCP options, you may know about option 101, which [allows you to configure a timezone to be available from DHCP](https://www.krisolaf.net/2024/11/dhcp-options-42-100-101-for-setting.html). However, rather annoyingly, Windows won't ever request this option from the DHCP server, not on its own. [There's a good doc here about getting Windows to pull this from DHCP and actually use it](https://oofhours.com/2019/12/20/configuring-time-zones-part-2/), but by default the data never goes to the Windows client, so... nope.
* Network switches/firewalls - Fairly obvious, these don't play any part in Timezones being set, if a switch clock is set to Antarctica it doesn't matter (looking at you network engineers). Similarly to DHCP, the 802.11v protocol does have some capability to advertise timezones (from WAP's in this case), but this is rarely implemented in networking hardware, [OpenWRT appears to support it,](https://forum.openwrt.org/uploads/default/original/3X/9/a/9a9f32b40978a4eba54962477529ed1360dc39b4.png) but Windows does not use it anyway.
* Group Policies/Intune - Timezones are rarely set by Group Policy, it would only make sense if you have a single office location and/or had a robust policy that applied based on user/device location. We haven't seen any customers with a setup like this, so in 90% of cases I would immediately rule out any policies as being the source of your device Timezones. That being said, [it can be done](https://www.georgealmeida.com/2013/11/set-time-zone-via-group-policy-object/).
# So what's causing our problem?
This is the tricky part, figuring out what location source Windows is getting the wrong information from.
Let's start with logs, in addition to the notification the user gets, the following event is logged (event ID 1). As you can see, the change is coming from svchost.exe, so this is almost certainly the "Auto Time Zone Updater" service completing its regular check-in.
[Event ID 1, the system time zone has changed.](https://imgur.com/uyFxlAO)
Alright, so we know when changes are happening, but we don't know why. Let's check for more logs, right? - Nope. This is it.
Windows keeps its location tracking methods close to the chest. It won’t tell you which source it used, and it offers no real diagnostics. So when something goes sideways, we’re essentially on our own.
# Screw it, I'll make my own troubleshooting tool.
I wasn't going to sit in front of a laptop all day, wait for the device timezone/location to be wrong and then quickly troubleshoot for the few minutes I had each time, there had to be a better way.
So I spun up PowerShell ISE and wrote [a noscript to monitor the issue](https://github.com/CForChrisProooo/Windows-Auto-Timezone-Troubleshooter) and collect data for troubleshooting. This is what is does:
[My Timezone logging noscript](https://imgur.com/b2VTBNY)
It’s fairly barebones, it uses GeoCoordinateWatcher to pull coordinates, looks them up against OpenStreetMap, and simultaneously scans nearby access points with netsh to capture BSSIDs. It grabs this data every 15 seconds. It’s a bit of a patchwork tool, and there’s plenty of room for refinement, but it collected exactly what I needed.
So I found a few affected users, set it to run quietly in the background, and logged about an hour’s worth of data.
Before I wrote this script, I had a hunch that the issue was somehow ZScaler related, since they don't have any Brisbane datacentres (at least with our contract right now) and our egress IP through ZIA appeared in Sydney. We raised a ticket with them early on, (because it couldn't hurt) and 2 days later got a response from them.
>We have confirmed that this issue is **not related to Zscaler**, as Zscaler does not set or modify user timezones.
>we recommend checking with your internal IT team, specifically focusing on your **Windows/Active Directory (AD) settings**, as these are the most likely sources of the timezone changes.
It seems that they didn't really understand the issue, which was a common problem when trying to get any engineering/vendor help on this. If our Timezone was changing to Sydney instead of Adelaide, we would have pushed them further as this would be directly caused by ZIA.
Anyway, from my script it was pretty clear that the public IP address was not changing at all, which ruled out ZScaler, and based on the accuracy field, it aligned perfectly with the Wi-Fi scanning accuracy expected in metres.
So if we disable Wi-Fi it should stop scanning, and we can see if the issue goes away? Yep, I turned off WLAN on the affected devices and none of them changed their location from Brisbane, perfect.
So this means that Microsoft's Wi-Fi location database is wrong for this location, but if that's the case it should be affecting the business next door too, right?
So I spoke to the IT team from the business next door, and confirmed that they have the exact same issue, with Adelaide as well, and they have a completely separate network to us, wild.
# Now, how do we fix this?
Well, for most customers, it'd be pretty simple, just [disable automatic Timezones on Windows](https://www.elevenforum.com/t/turn-on-or-off-set-time-zone-automatically-in-windows-11.1345/), you could push this via Intune or GPO pretty easily, it's well documented.
For our customer, though, this wasn't a valid option, for these reasons:
* Users travel a lot as part of their roles, and the customer would like Timezones to be automatically updated for them.
* Users are not comfortable managing the system Timezone themselves.
* Service Desk don't have the capacity to be fielding calls for incorrect system times.
* The customer would like the core issue to be resolved rather than using a band-aid solution (fair enough).
# Let's get Microsoft to fix the Geolocation Database.
This is the next logical step, log a support ticket with Microsoft, tell them the problem, give them any data they need, and they should be able to fix it just fine, [people seemed to have luck with this](https://www.reddit.com/r/sysadmin/comments/1jtnrog/comment/nh8l4s0/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button), though apparently it's quite a long and painful process.
So we logged an MS ticket, SEV B (as we've since had a second location affected), and we'll see where it goes.
>Thank you. Your request was successfully submitted to Microsoft Support.
*I'll update the post once we hear back from Microsoft.*
# What else can we do?
Well, there's a few things you can try.
* If you have an Android device, you can [apparently](https://www.reddit.com/r/sysadmin/comments/1mje84j/comment/n7b36n0/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button) run [this app](https://play.google.com/store/apps/details?id=com.here.radiomapper) and walk around your building for 10 minutes, a poster claimed that this resolved the geolocation database issue for Windows about 2 weeks later.
* You could [set up Windows to use a different geolocation database from the Microsoft one](https://github.com/catacraciun/windows-location-timezone), this wasn't feasible for us as it's a bit too hacky, and we'd end up in a 6 week long conversation about which database to use.
* You could swap your entire laptop fleet to models that include Cellular radios and/or GPS (good luck).
* You can [request to exclude the nearby WAP's BSSID's from the Microsoft geolocation database](https://account.microsoft.com/privacy/location-services-opt-out), which I'm not sure is even legal if you don't own all the nearby hardware. Microsoft may completely ignore your request ["if it seems problematic"](https://account.microsoft.com/privacy/location-services-opt-out#:~:text=If%20a%20request%20seems%20problematic%2C), and apparently, [this also isn't a permanent fix.](https://www.reddit.com/r/sysadmin/comments/1jjif2b/comment/mjo2dxm/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button)
* If you have patience, you could wait for the issue to resolve itself. No, seriously, [the database gets updated by Windows devices all the time as they scan the area](https://support.microsoft.com/en-au/windows/windows-location-service-and-privacy-3a8eee0a-5b0b-dc07-eede-2a5ca1c49088?utm_source=chatgpt.com#:~:text=If%20location%20services,of%20the%20provider.), so eventually it might just be fixed. Logically, if you have a Windows device with cellular and/or GPS in the area, the location accuracy should also improve, and faster.
* If your users *only* travel between different company offices, you could [configure Timezones via DHCP and force Windows to use them](https://oofhours.com/2019/12/20/configuring-time-zones-part-2/), but this would only work on *your* Networks and would need manual intervention from users/IT anywhere else.
* If users' workflow allows, you could disable Wi-Fi entirely, to force Windows to rely purely on IP based location, if you use a proxy/internet security service like ZScaler though you'll need to make sure the egress IP is in the desired Timezone.
* You can always build your own geolocation database, perhaps make a policy/script that has a list of known IP addresses, SSID's, whatever you like and force timezones from that, however this is only possible if you know every location that a user might need to work from.
* The last option is to just deal with the issue, if it's not that impactful to your environment then you can choose to ignore it.
# And that's it.
As of writing this, our problem is ongoing, we've passed the issue on to Microsoft and once we hear back I'll update this post. Our customer isn't particularly interested in any of the available workarounds, so that leaves us standing around, for now.
Hope this helped!
Cheers,
https://redd.it/1pcv5ot
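A minimal logger in the spirit of the troubleshooting tool described in the post above, as an added example that is not the poster's script. It records the current time zone, the Windows location fix with its accuracy, and the visible BSSIDs every 15 seconds, and leaves out the OpenStreetMap and public IP lookups. The function names, CSV path and sample netsh text are made up for illustration; it assumes Windows PowerShell 5.1, English-locale netsh output and location services enabled.

```powershell
# Added example (not the poster's script). Needs Windows PowerShell 5.1:
# System.Device is a .NET Framework assembly and is not available in PowerShell 7.
Add-Type -AssemblyName System.Device

function Get-VisibleBssid {
    # Turn "netsh wlan show networks mode=bssid" text into SSID/BSSID/signal rows.
    # Assumption: English-locale output; the labels are localised on other systems.
    param([string[]]$NetshOutput = (netsh wlan show networks mode=bssid))
    $rows = [System.Collections.Generic.List[object]]::new()
    $ssid = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*SSID\s+\d+\s*:\s*(.*)$') {
            $ssid = $Matches[1].Trim()
        } elseif ($line -match '^\s*BSSID\s+\d+\s*:\s*([0-9A-Fa-f:]{17})') {
            $rows.Add([pscustomobject]@{ SSID = $ssid; BSSID = $Matches[1].ToLower(); SignalPct = $null })
        } elseif ($rows.Count -gt 0 -and $line -match '^\s*Signal\s*:\s*(\d+)%') {
            $rows[$rows.Count - 1].SignalPct = [int]$Matches[1]
        }
    }
    $rows
}

function Get-LocationFix {
    # Ask the Windows location platform for one fix; $null if denied or unknown.
    param([int]$TimeoutSeconds = 10)
    $watcher = New-Object System.Device.Location.GeoCoordinateWatcher
    try {
        [void]$watcher.TryStart($false, [TimeSpan]::FromSeconds($TimeoutSeconds))
        $loc = $watcher.Position.Location
        if ($watcher.Permission -eq 'Denied' -or $loc.IsUnknown) { return $null }
        [pscustomobject]@{ Latitude = $loc.Latitude; Longitude = $loc.Longitude
                           AccuracyMetres = $loc.HorizontalAccuracy }
    } finally { $watcher.Dispose() }
}

function Start-TimeZoneLocationLog {
    # 240 samples at 15 seconds is about one hour of data.
    param(
        [string]$Path = "$env:TEMP\tz-location-log.csv",   # hypothetical path
        [int]$IntervalSeconds = 15,
        [int]$Samples = 240
    )
    for ($i = 0; $i -lt $Samples; $i++) {
        $fix = Get-LocationFix
        $aps = @(Get-VisibleBssid)
        [pscustomobject]@{
            Timestamp      = (Get-Date).ToString('o')
            TimeZoneId     = (Get-TimeZone).Id
            Latitude       = $fix.Latitude
            Longitude      = $fix.Longitude
            AccuracyMetres = $fix.AccuracyMetres
            Bssids         = ($aps.BSSID -join ' ')
        } | Export-Csv -Path $Path -Append -NoTypeInformation
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Constructed sample of netsh output, to check the parser without a Wi-Fi adapter.
$sample = @'
SSID 1 : ExampleCorp
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    BSSID 1                 : 02:00:00:AA:BB:01
         Signal             : 82%
    BSSID 2                 : 02:00:00:AA:BB:02
         Signal             : 47%
SSID 2 : NeighbourGuest
    BSSID 1                 : 02:00:00:CC:DD:01
         Signal             : 30%
'@ -split "`r?`n"
Get-VisibleBssid -NetshOutput $sample | Format-Table -AutoSize

# Start-TimeZoneLocationLog   # uncomment to log on an affected device
```

Lining up the rows where `TimeZoneId` flips against the `Bssids` and `AccuracyMetres` columns shows which access points were in range when the location moved.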
Every time I open Azure I swear something has moved
I logged into Azure this morning and found a setting in a place I’m pretty sure it didn’t exist last week.
Some days whole menus shift.
Some days a toggle appears out of nowhere.
Some days something I use daily is suddenly three clicks deeper.
I don’t know if Microsoft keeps quietly rearranging things or if Azure is just slowly reorganizing itself like a haunted house.
Does everyone else run into this or is it just my brain melting..
https://redd.it/1pcz542
Requests
How do you guys mentally manage all the requests you get?
I’m saying, even if you have a ticketing system, there are so many requests from these users and a lot of times I think about them outside of work when I don’t want to.
I need to start telling myself a lot of people at the company make a lot more money than I do, so work should stay at work. It is tomorrow’s problem.
https://redd.it/1pd2ful
Hey SHI could you NOT send renewal notices that look like KnowBe4 tests?
Like seriously, how hard is it to send a link to a web page that has all the renewals listed. An Excel file with a list sent as an attachment is not gonna cut it in this day and age.
https://redd.it/1pd3nep
We work in an industry with more buzzwords than people. Hyper Zero Trust, UltraSASE, AI-XDR, AI sec Posture, AI AI AI AI …& more AI ..it’s getting insane.
Every vendor is trying to invent the next big term just to sound revolutionary.
Half the time it’s the same product with a longer name, a new acronym, and a marketing team that got too much budget.
What’s the most ridiculous buzzword you’ve seen lately?
https://redd.it/1pd5cbs
Just got dumped with the job of getting our environment documentation under control and wow, it’s way worse than I thought.
We’ve got on prem, cloud, random mystery VMs no one will admit to owning, and basically zero up to date diagrams or any clue about what talks to what. I need a tool that can actually auto discover servers, apps, and dependencies, spit out something that looks like a real living map or CMDB, and stay current without me spending the rest of my life in Visio. Agentless or low effort is a huge plus because I’m not looking to babysit another tool.
Right now I’m looking at ServiceNow Discovery and Service Mapping, Faddom, and Dynatrace, but I’d love to hear what’s actually worked for people or any horror stories from trying to clean up this kind of documentation disaster.
https://redd.it/1pd3wx4