nexxai.dev (https://nexxai.dev/): reminders for my future self
Sun, 14 Jul 2024 21:30:11 +0000

How to fix slow loading when trying to take a screenshot with CMD+SHIFT+4
https://nexxai.dev/how-to-fix-slow-loading-when-trying-to-take-a-screenshot-with-cmdshift4/
Sun, 14 Jul 2024 21:30:10 +0000

I don’t know how common this is, but I wanted to share a tip that I recently learned about how to fix slow loading when trying to take a screenshot with the CMD+SHIFT+4 shortcut. It used to pop up the selector instantly, but recently I noticed it was taking multiple seconds to load up. Nothing earth shattering, but annoying and taking me out of my flow state. Here’s how I fixed it.

Load up the full screenshot panel using CMD+SHIFT+5 (note the 5, rather than 4) and see what your microphone is set to. If it’s set to anything other than None, set it _to_ None and then hit the Esc key a few times to exit out of there. Now try doing your CMD+SHIFT+4 again and it should pop up nearly instantly.

Before: A Revelator Dynamic microphone is selected
After: No microphone is selected

My assumption on why this works is that if you have a microphone configured, it probably needs to physically interface with the device and initializing hardware can sometimes take a few seconds. Having a microphone might be useful if you’re doing a screen recording using CMD+SHIFT+5 but the ...+4 option doesn’t do any video, so microphones are really not necessary here. It would be great if Apple bypassed this check already since it’s completely useless, but as it stands today, this should get your screenshot taking back instantly.

How to use an SMB share on your NAS with Jellyfin on Windows
https://nexxai.dev/how-to-use-an-smb-share-on-your-nas-with-jellyfin-on-windows/
Tue, 05 Dec 2023 03:53:26 +0000

After the recent privacy controversy, I decided that it was time to find a replacement for Plex. Many recommendations pointed me to Jellyfin, a system which was forked from Emby, which itself was forked from Plex. I installed it, and started adding my libraries, but quickly found out that the content I had saved on my NAS was not able to be easily mounted (or so I thought). It turns out that Jellyfin really doesn’t want you to use SMB shares, even mounted network drives, but no matter, we’re professionals here. And so I’m going to show you how to use an SMB share on your NAS with Jellyfin on Windows.

We’re going to accomplish this by using a fun trick called a symbolic link. You can think of a symbolic link as an operating system-level path redirection, where one location is sym-linked (or mounted) to a location somewhere else. So for example, if you have a C: drive and an X: drive, but you really only ever want to use C:, you can mount that X: drive to a folder in C:, let’s call it x-drive (but in reality, it can be anything you want), so that any application browsing to C:\x-drive would see the contents of X:. Crucially, the application has no knowledge of the symlink; it just sees it as a regular folder in C:. Just as importantly, you are not limited to only mounting physical drives in other places; you can also mount network locations via symlinks.

Do you see where we’re going with this? We’re going to mount the SMB folder into a folder on a local drive and Jellyfin will see it as just another folder.

  1. Make sure the Jellyfin service is running as an actual user, and not the SYSTEM account. You can verify (and change, if necessary) by opening the Services MMC (Start -> Run -> services.msc). Preferably, set it to use the same user account you actually login to your computer with. This will make it easier for the following steps.
  2. Ensure that on your NAS, there is a user account created there (and this is crucial) with the exact same username and password as your PC. They must match character-for-character. So if your username on your PC is bobjones and your password is Q!W@e3r4T%Y^U&I* the account on your NAS should be bobjones and Q!W@e3r4T%Y^U&I* too.
  3. Open a PowerShell prompt as an administrator
  4. Decide on the local physical drive and folder name you’d like to mount the network folder to, and then have the network path to the folder ready. In this example, I’ll use C:\NAS for the local location and \\NAS-01\Files for the network path, but remember that the local location can be any folder you want, as long as it does NOT currently exist; this process will create the mounted folder and will fail if you try to mount the network folder to a folder that already exists.
  5. In PowerShell, enter the following command:
    New-Item -ItemType SymbolicLink -Path C:\NAS\ -Target \\NAS-01\Files
  6. Open the Jellyfin console and confirm that you can now see C:\NAS (or whatever you decided to call your mountpoint)

The fact that this works as flawlessly as it does just tells me that there is no technical limitation to doing this but that rather the Jellyfin developers — for whatever reason — just simply don’t want to support it. I’ve worked in a number of roles where limiting the scope was necessary, but it’s confusing to me that they would do so for such a common type of network storage.

At any rate, I hope this article was helpful and that you are now able to use an SMB share on your NAS with Jellyfin on Windows.

Find a missing EC2 instance in AWS using just the command line
https://nexxai.dev/find-a-missing-ec2-instance-in-aws-using-just-the-command-line/
Thu, 06 Oct 2022 18:03:27 +0000

Today we found ourselves in a position where we had a Windows server – with only the Server Core experience installed – somewhere in EC2 but we could not figure out what AWS account it actually lived in. This meant that we were limited to finding the missing EC2 instance in AWS using just the command line.

Most cloud providers offer an instance metadata endpoint that you can query to get some basic info about the instance itself. It usually operates on http://169.254.169.254 (that IP is not a placeholder, it’s literally the IP you query) and AWS is no different. As per the AWS documentation, if you hit http://169.254.169.254/latest/meta-data/ you can get some information about the running instance which was exactly what we needed.

The first thing we knew is that we needed to be in PowerShell, since the basic Windows command line doesn’t have an HTTP client.

Microsoft Windows [Version 10.0.20348.1070]
(c) Microsoft Corporation. All rights reserved.

C:\Users\nexxai>powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\nexxai>

Next, we tried to use the Invoke-WebRequest cmdlet, except being Server Core, it did not have the Internet Explorer (lol) components installed that this cmdlet apparently needs.

Thinking on our feet, we considered that maybe the Invoke-RestMethod cmdlet didn’t have the IE dependency since it was strictly used for REST-based calls and may have been implemented without any IE components. Success.

PS C:\Users\nexxai>Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
iam/
instance-action
instance-id
instance-life-cycle
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
services/

We tried a couple of different endpoints, but then saw the iam entry and gave it a shot.

PS C:\Users\nexxai>Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/iam/
info
security-credentials/

Then naturally we checked out info.

PS C:\Users\nexxai>Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/iam/info

I can’t share the results of this command for obvious reasons, but contained within the results was the ARN of the IAM role that the EC2 instance was associated with, which – and here’s the important part – includes the account number! Yes!

After some more digging, it turns out that if you have the AWS CLI installed on the VM (unsure if this is installed by default), you can also run aws sts get-caller-identity, which will show the account the instance is running in.
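The requests above are plain GETs; on an instance where IMDSv2 is required, the metadata service rejects requests that lack a session token. The following is an added example (not code from the original post) that fetches a token first, reads the account ID from the instance identity document, and falls back to the InstanceProfileArn field of iam/info. The function names and the sample JSON values are constructed for illustration.

```powershell
# Added example, not from the original post. Function names are illustrative.
$Imds = 'http://169.254.169.254'

function Get-ImdsValue {
    param([Parameter(Mandatory)][string]$Path)
    # IMDSv2: a PUT returns a short-lived session token that must accompany each GET.
    $token = Invoke-RestMethod -Method Put -Uri "$Imds/latest/api/token" -TimeoutSec 2 `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '60' }
    Invoke-RestMethod -Uri "$Imds/$Path" -TimeoutSec 2 `
        -Headers @{ 'X-aws-ec2-metadata-token' = $token }
}

function ConvertTo-ImdsObject {
    param($Value)
    # Invoke-RestMethod may return raw JSON text or an already-parsed object.
    if ($Value -is [string]) { $Value | ConvertFrom-Json } else { $Value }
}

function Get-AccountIdFromArn {
    param([Parameter(Mandatory)][string]$Arn)
    # ARN layout: arn:partition:service:region:account-id:resource
    $parts = $Arn -split ':', 6
    if ($parts.Count -ne 6 -or $parts[0] -ne 'arn' -or $parts[4] -notmatch '^\d{12}$') {
        throw "No 12-digit account ID found in ARN: $Arn"
    }
    $parts[4]
}

function Resolve-InstanceAccount {
    param($IdentityDocument, $IamInfo)
    $doc = ConvertTo-ImdsObject $IdentityDocument
    $iam = ConvertTo-ImdsObject $IamInfo

    if ($doc -and $doc.accountId) {
        # Preferred source: the identity document states the account directly.
        $accountId = $doc.accountId
        $source    = 'instance-identity document'
    } elseif ($iam -and $iam.InstanceProfileArn) {
        # Fallback: the account ID embedded in the instance profile ARN.
        $accountId = Get-AccountIdFromArn $iam.InstanceProfileArn
        $source    = 'iam/info InstanceProfileArn'
    } else {
        throw 'Neither response contained an account ID.'
    }

    [pscustomobject]@{
        AccountId  = $accountId
        Source     = $source
        InstanceId = $doc.instanceId
        Region     = $doc.region
    }
}

# Constructed sample responses (placeholder values, not real identifiers).
$sampleDoc = '{"accountId":"123456789012","instanceId":"i-0123456789abcdef0","region":"us-east-1"}'
$sampleIam = '{"Code":"Success","InstanceProfileArn":"arn:aws:iam::123456789012:instance-profile/example-profile"}'

Resolve-InstanceAccount -IdentityDocument $sampleDoc -IamInfo $sampleIam   # uses the document
Resolve-InstanceAccount -IdentityDocument $null -IamInfo $sampleIam        # uses the ARN fallback

# On the instance itself (iam/info is absent when no instance profile is attached):
# $iam = try { Get-ImdsValue 'latest/meta-data/iam/info' } catch { $null }
# $doc = Get-ImdsValue 'latest/dynamic/instance-identity/document'
# Resolve-InstanceAccount -IdentityDocument $doc -IamInfo $iam
```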

Once we were able to get the account number, we were quickly able to locate the rogue instance and deal with the original problem we were searching it out for. I hope you never have to try and find a missing EC2 instance using just the command line, but if so, hopefully we’ve just made it a little easier to do so.

New Python script published: Excel to Markdown
https://nexxai.dev/new-python-script-published-excel-to-markdown/
Tue, 02 Aug 2022 20:27:59 +0000

I just published a new Python script, which I’ve dubbed Excel to Markdown, to GitHub and wanted to share the details of the what and the why.

Using some of the PowerShell scripts I published on nexxai.dev last week, I found that I had a need to dump the results of some of these spreadsheets into a more accessible documentation repo. We use Confluence here and so the easy choice was to convert those worksheets to Markdown. However, when I looked around, I couldn’t find anything that would do what I needed without costing several thousand(!!!) dollars.

This script takes a single input (the path to your spreadsheet), will prompt you for the heading level to use for the title of the table, and will dump to the screen every worksheet in the workbook. You can then copy/paste this text into the documentation management system of your choice, and presto, you have an editable document that you and your teams can use.

I hope this helps you if you ever have to convert Excel to Markdown!

Get all of the scopes and reservations from all activated DHCP servers in an Active Directory domain
https://nexxai.dev/get-all-of-the-scopes-and-reservations-from-all-activated-dhcp-servers-in-an-active-directory-domain/
Tue, 12 Jul 2022 16:28:52 +0000

Today I had to get all of the scopes and reservations from all activated DHCP servers in our Active Directory domain. I whipped up this PowerShell script and figured someone else out there might need it. Please note that the Import-Excel package is required if you plan on using this script verbatim. It can be easily modified to not use it, however this is left as an exercise for the reader to implement.

Get-DhcpServerInDC | ForEach-Object {
    $DHCPServer = $_
    $hostName = $DHCPServer.DnsName
    Write-Host $hostName

    # Active IPv4 scopes on this DHCP server
    $scopes = Get-DhcpServerv4Scope -ComputerName $hostName | Where-Object { $_.State -eq "Active" } | Select-Object -Property Name, ScopeId, SubnetMask, StartRange, EndRange
    $scopes | Export-Excel ".\DHCPScopes.xlsx" -WorkSheetname "$($hostName)-Scopes" -AutoSize -AutoFilter

    # Gather the reservations from every scope first, then write the worksheet once;
    # exporting inside the loop writes each scope's rows over the previous ones.
    # ScopeId is included so rows from different scopes can be told apart.
    $reservations = ForEach ($scope in $scopes) {
        Get-DhcpServerv4Reservation -ComputerName $hostName -ScopeId $scope.ScopeId | Select-Object -Property ScopeId, ClientId, Description, IPAddress, Name
    }
    if ($reservations) {
        $reservations | Export-Excel ".\DHCPScopes.xlsx" -WorkSheetname "$($hostName)-Reservations" -AutoSize -AutoFilter
    }
}

Get all of the conditional forwarders setup in an Active Directory domain
https://nexxai.dev/get-all-of-the-conditional-forwarders-setup-in-an-active-directory-domain/
Mon, 11 Jul 2022 18:28:47 +0000

Just a quick post here as I found myself needing to find out what conditional forwarders each domain controller in an Active Directory domain had configured. We have nearly a hundred domain controllers and so going manually one-by-one was simply not an option.

I whipped up this PowerShell script and figured that someone else out there might need something similar. It is parallelized (the number of $instances can be changed to do more/less parallel work) and then just dumps it to a CSV-ish file.

$instances = 10

# ForEach-Object -Parallel requires PowerShell 7 or later
Get-AdDomainController -Filter * | ForEach-Object -ThrottleLimit $instances -Parallel {
    $dc = $_
    Write-Host $dc.Name
    $zones = Get-DnsServerZone -ComputerName $dc.Name | Where-Object { $_.ZoneType -eq "Forwarder" }
    $string = $dc.Name + ","
    ForEach ($zone in $zones) {
        $string = $string + $zone.ZoneName + ","
    }
    Write-Host $string
    # Emit the line instead of appending to the file here: parallel runspaces
    # writing to the same file at once can fail on a file lock.
    $string
} | Out-File -FilePath ".\zones.txt" -Append

There’s a lot of room for improvement here obviously, but it should at least get you going.

Renew an Azure DevOps Service Connection’s expired secret
https://nexxai.dev/renew-an-azure-devops-service-connections-expired-secret/
Mon, 31 Jan 2022 20:56:21 +0000

We ran into an issue this morning where we needed to renew our Azure DevOps Service Connection’s expired secret but there is no officially supported way to do this. The error was AADSTS7000215 - invalid clientid or secret. Thankfully, it’s not that difficult to solve.

Fake a change

  1. Open your project in ADO (https://dev.azure.com/[GROUP]/[PROJECT])
  2. At the bottom-left, choose Project settings
  3. In the Pipelines section, choose Service connections
  4. Select the service connection you’re having issues with
  5. If you click the Edit Service Principal link, you should see a red warning at the top of the page stating that one or more secrets for this service principal have expired; you can verify this by clicking the Certificates and secrets link on the blade and seeing that the single secret expired in the past
  6. Close this tab
  7. Click the Edit button
  8. You’ll notice there is no visible way to actually refresh the secret. However, first click Verify (which should fail), then make a simple change to the Description (add an extra space, for example; anything to make it different than it was)
  9. Now click Save
  10. Now if you re-open the Edit Service Principal link, you should no longer see the warning about expired secrets, and if you go to the Certificates and secrets link on the blade, there should be exactly one secret and it should be valid for 2 years from today’s date

Now, if you ever need to renew an Azure DevOps Service Connection’s expired secret, hopefully you can avoid wasting precious time by trying to figure out how to do it manually and just trick the system into doing it for you.

Purge a soft-deleted Azure API Management instance
https://nexxai.dev/purge-a-soft-deleted-azure-api-management-instance/
Tue, 18 May 2021 21:22:12 +0000

Azure recently implemented a change to the API Management service whereby deleting the instance only puts it into a soft-deleted state rather than completely nuking it from orbit. This may be desirable for data recovery purposes but it means that if you run a terraform destroy on an environment with an APIM instance on it and then you try and rebuild that environment, it will fail due to the fact that the name you’re trying to use is being held onto by the previously removed instance. So since neither Azure CLI nor Az PowerShell natively support purging, I’m going to show you how to manually purge a soft-deleted Azure API Management instance.

NOTE: The below script uses the basic Az PowerShell tools but with a little elbow grease could be adapted to bash/zsh (provided you have a way of retrieving your Azure access token using OAuth).

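$token = Get-AzAccessToken

# Newer Az.Accounts releases return the token as a SecureString; convert it to plain text if so
$bearer = if ($token.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new('', $token.Token).Password
} else {
    $token.Token
}

$request = @{
    Method = 'DELETE'
    Uri    = "https://management.azure.com/subscriptions/{subscriptionGuid}/providers/Microsoft.ApiManagement/locations/{region}/deletedservices/{apimName}?api-version=2020-06-01-preview"
    Headers = @{
        Authorization = "Bearer $bearer"
    }
}

Invoke-RestMethod @request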

The only values you’ll need to supply are the subscriptionGuid, region, and apimName in the Uri.

Now the next time you’re stuck wondering why you can’t tear down and rebuild your environments with your IaC tool of choice, you’ll know how to purge a soft-deleted Azure API Management instance.

Source: Microsoft docs

5 Ways to Secure Your Small Business Website
https://nexxai.dev/5-ways-to-secure-your-small-business-website/
Tue, 27 Apr 2021 13:51:36 +0000

Your small business website is likely an essential part of your marketing strategy. It may also be your e-commerce sales channel or the platform you deliver your software on. In short, you need to keep your small business website safe. However, you likely can’t afford the same cybersecurity services as the big guys. Fortunately, there is a lot you can do yourself. This quick guide from nexxai.dev can help you figure out what you need to do.

Set Strong Login Credentials

The various login credentials you use for your website are one of your most important lines of defense. Make sure you are using long, strong passwords for any accounts. Additionally, at a minimum, all accounts with administrator access should be using either two-factor authentication or SSH keys. This may seem like a lot of trouble, but it is worth it.

Additionally, you should be very cautious about who has access to your website. If you need to give access to employees or freelancers, only give them the permissions they need. For example, if someone is just posting blogs, he or she doesn’t need administrator access.

Implement SSL

Secure Sockets Layer, or SSL, is a technology used to encrypt data between computer browsers and website servers. It is a must-have technology for any small business website.

First, it will ensure that no one can snoop on the traffic between your visitors and your website. This includes if you are trying to log into your website back end from your own computer.

Second, many browsers are all but requiring HTTPS connections (achieved using SSL). It makes your website more secure, more professional-looking, and in compliance with the latest best practices. In short, you need to use this technology. According to the University of Michigan, around 80 percent of websites use HTTPS. If you aren’t, you are falling behind.

Back Up Your Website Often

You are hopefully already backing up your business data regularly. You should be doing the same with your website content. Anything that you have on your website should be backed up fairly regularly. If you post a lot of new content or capture customer data through your site, consider daily or even hourly backups. If not, you may be able to do weekly backups.

Get Help Configuring It

There are a lot of options when setting up a website, especially if you manage your own server or content management system. It is a good idea to get someone to help you set it up. This will help you to ensure that your website complies with all the latest security best practices. Even seemingly unrelated errors can cause significant vulnerabilities. Don’t risk your website or your business’s financial well-being. Consider hiring a freelancer. When you are considering an individual, look at his or her reviews from other customers. Also, make sure you have clear expectations about cost and delivery time.

Use Malware Protection

Finally, remember to use malware protection with your website hosting service. If you are renting or setting up a server on your own, you should install the appropriate anti-malware software – and keep it updated. Additionally, you will want a firewall (ideally a stand-alone network firewall). If you are using a shared hosting service, learn about your host’s security practices. Never use a host that doesn’t have a well-defined security plan.

Get Started Today

Discover more today about keeping your small business website safe. With a few best practices and the right help, you can ensure that your website is safe from cyberattacks.

About the Author

Cody McBride’s love for computers stems from high school when he built his own computer. Today he is a trained IT technician and knows how the inner workings of computers can be confusing to most. He is the creator of TechDeck.info where he offers easy-to-understand tech related advice and troubleshooting tips.

Convert a CRT SSL certificate chain to PFX format
https://nexxai.dev/convert-a-crt-ssl-certificate-chain-to-pfx-format/
Mon, 22 Mar 2021 21:40:11 +0000

Many SSL certificate authorities (CAs) do not natively support .PFX format certificates which means that if you plan on installing them on something like an Azure App Service, you may encounter issues. Today, let’s figure out how to convert a CRT SSL certificate chain to PFX format.

First, let’s generate a private key and certificate signing request. Run the following command, and answer the questions as accurately as possible. The private key file (domain.key) should be kept secret and protected.

openssl req \
        -newkey rsa:2048 -nodes -keyout domain.key \
        -out domain.csr

Next, take the contents of domain.csr (it is just a plaintext file with your answers and some other non-secret information base64-encoded; it can be opened in any text editor) and request your certificate through your CA. This process varies per certificate authority, and so is out of scope for this article.

[Time passes]

Now, your CA provides you with a .ZIP file with the following files.

your_domain_com.crt
AAACertificateServices.crt
DomainValidationSecureServerCA.crt
USERTrustRSAAAACA.crt

(where your_domain_com.crt is the actual certificate file and the other .CRT files represent the various certificates that will allow a browser to chain up to the root; while the filenames and number of files will almost certainly be different for each certificate authority, the point here is to illustrate that there will be some number of .CRT files and that they are all important)

Extract those files into the same folder as the domain.key file from earlier.

Finally, let’s take our certificate and combine it with the rest of the chain to create a single .PFX file by running the following commands. Your site’s certificate should be specified in the -in parameter. openssl pkcs12 reads a single -certfile, so the chain certificates are first concatenated into one file (chain.crt here), which is then passed to -certfile.

cat AAACertificateServices.crt \
    DomainValidationSecureServerCA.crt \
    USERTrustRSAAAACA.crt > chain.crt

openssl pkcs12 -export -out certificate.pfx \
        -inkey domain.key \
        -in your_domain_com.crt \
        -certfile chain.crt

NOTE: Azure App Services and Azure Key Vaults require a password-protected .PFX file, so ensure that you enter one when prompted. When you go to upload the certificate and you are required to select the .PFX file and a password, the password you created here is the one it’s referring to.

And you’re done! You now have a file in that folder (certificate.pfx) that you can upload/install and ensure your site is protected against MITM attacks.
