Tuesday, April 2, 2019

Copying locked OST files

When trying to copy .OST files that were in use, I ran into the following error:

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 4.390 seconds.

The reason is that the Windows VSS engine skips Outlook's .OST files when it takes a snapshot: they are listed under the FilesNotToSnapshot registry key.

To work around this, the OutlookOST value must be deleted from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /f

Once this is done, the file can be copied.

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

Once the copy has finished, the value can be restored.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /t REG_MULTI_SZ /d $UserProfile$\AppData\Local\Microsoft\Outlook\*.ost /f
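As an added example (not part of the original post), here are the same three steps wrapped in a PowerShell script. Instead of hard-coding the exclusion, it reads the existing OutlookOST value before removing it and writes that exact value back in a finally block, so the exclusion is restored even if esentutl.exe fails part way through. It assumes an elevated PowerShell session, that esentutl.exe is on the PATH, and the hypothetical parameter names $Source and $Destination.

```powershell
# Added example, not code from the original post.
# Copies a locked .OST through a VSS snapshot by temporarily removing the
# OutlookOST exclusion, then restores the original exclusion value.
# Assumes: elevated session, esentutl.exe on PATH, hypothetical parameter names.
param(
    [Parameter(Mandatory)] [string] $Source,       # e.g. C:\Users\<user>\AppData\Local\Microsoft\Outlook\<mailbox>.ost
    [Parameter(Mandatory)] [string] $Destination   # e.g. D:\collection\<mailbox>.ost
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot'
$ValueName = 'OutlookOST'

# Record the current REG_MULTI_SZ value so the exact original can be put back.
$item     = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
$original = if ($item) { $item.$ValueName } else { $null }

try {
    if ($null -ne $original) {
        # Remove the exclusion so VSS will include .OST files in the snapshot.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    }

    # Same esentutl invocation as in the post: copy via a VSS snapshot.
    & esentutl.exe /y $Source /vss /d $Destination
    if ($LASTEXITCODE -ne 0) {
        throw "esentutl.exe exited with code $LASTEXITCODE"
    }
    Write-Host "Copied $Source to $Destination"
}
finally {
    # Always restore the exclusion exactly as it was found, even on failure.
    if ($null -ne $original) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString `
            -Value $original -Force | Out-Null
    }
}
```

Saved as, say, Copy-LockedOst.ps1 (a hypothetical file name), it is run as `.\Copy-LockedOst.ps1 -Source <file_to_copy> -Destination <file_to_save_as>` from an elevated prompt. Because removing entries from FilesNotToSnapshot widens what every VSS snapshot on the host exposes, keeping the change scoped to the try/finally and auditing writes to that key in registry change monitoring are both worthwhile.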

Monday, April 1, 2019

All things Symantec

This post contains information on my research into Symantec logs and quarantine files. Content will be updated regularly.

Symantec Endpoint Protection Logs

Symantec Management Client (smc) does not show the entire contents of the log. smc.exe has an -exportlog command-line switch that lets you select a log type to export. The log_type numbers are as follows:
  • 0 = System Log
  • 1 = Security Log
  • 2 = Traffic Log
  • 3 = Packet Log
  • 4 = Control Log
These numbers also correspond to an entry in the header of the log files found in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs:
  • 0 = syslog.log
  • 1 = seclog.log
  • 2 = tralog.log
  • 3 = rawlog.log
  • 4 = processlog.log

Log File Structure

Symantec Endpoint Protection VBN Files

The folder structure determines what a VBN file contains. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, each VBN file is accompanied by a folder with the same name as the VBN file.