sync: auto-sync from HOWARD-HOME at 2026-06-29 14:23:40

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-29 14:23:40
This commit is contained in:
2026-06-29 14:24:12 -07:00
parent 602c5e5bd6
commit 00af39d369
12 changed files with 2873 additions and 3 deletions

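--- /dev/null
+++ b/.bdcheck_GG4LKSL
@@ -0,0 +1 @@
+23a8b2e8-c67f-4e70-b219-4a723dc1b957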

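--- /dev/null
+++ b/.bdcheck_MJ-PARALEGAL
@@ -0,0 +1 @@
+6dfebcb5-df2d-45fa-b1d6-22695d52895c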


@@ -0,0 +1,744 @@
{
"host": "DESKTOP-GG4LKSL",
"collected_at_utc": "2026-06-29T21:17:50Z",
"os": {
"caption": "Microsoft Windows 11 Pro",
"version": "10.0.26200",
"build": "26200",
"install_date": "2025-06-30T15:13:20Z",
"last_boot_utc": "2026-06-29T14:27:52Z",
"architecture": "64-bit"
},
"facts": {
"builtin_admin_enabled": false,
"os_eol": {
"eol_date": "2027-10-12",
"release": "Win11 25H2"
},
"pending_updates": 4,
"pending_reboot": false,
"uptime_days": 0.3,
"acg_managed_tools": "ScreenConnect / ConnectWise Control",
"hardware": {
"model": "HP Pavilion Gaming Desktop TG01-2xxx",
"manufacturer": "HP",
"bios_date": "2023-07-11",
"cpu_logical": 16,
"bios_version": "F.21",
"cpu_cores": 8,
"ram_gb": 31.8,
"serial": "4CE136C774",
"cpu": "11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz"
},
"third_party_av_active": false,
"os_build": "26200",
"secure_boot": false,
"backup_agents": null,
"autoruns_run_keys": [
{
"key": "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "SecurityHealth",
"value": "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
},
{
"key": "HKLM:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
"name": "QuickFinder Scheduler",
"value": "\"c:\\Program Files (x86)\\Corel\\WordPerfect Office 2021\\Programs\\QFSCHD210.EXE\""
}
],
"physical_disks": [
{
"health": "Healthy",
"model": "Seagate Backup+ BK",
"media_type": "Unspecified"
},
{
"health": "Healthy",
"model": "WD Green SN350 1TB 2G0C",
"media_type": "SSD"
}
],
"local_users": [
{
"last_logon": "",
"name": "Administrator",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "",
"name": "DefaultAccount",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2025-06-30",
"name": "Guest",
"password_never_expires": false,
"enabled": false
},
{
"last_logon": "2026-06-29",
"name": "Localadmin",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "2026-06-29",
"name": "owner",
"password_never_expires": false,
"enabled": true
},
{
"last_logon": "",
"name": "WDAGUtilityAccount",
"password_never_expires": false,
"enabled": false
}
],
"scheduled_tasks_count": 18,
"volumes": [
{
"drive": "D:",
"size_gb": 465.8,
"free_pct": 14.6,
"free_gb": 68.1
},
{
"drive": "[unlabeled]",
"size_gb": 0.7,
"free_pct": 8.3,
"free_gb": 0.1
},
{
"drive": "[unlabeled]",
"size_gb": 0.1,
"free_pct": 38.7,
"free_gb": 0
},
{
"drive": "C:",
"size_gb": 930.6,
"free_pct": 74.2,
"free_gb": 690.6
}
],
"network_adapters": [
{
"dhcp": false,
"description": "Intel(R) Wi-Fi 6 AX201 160MHz",
"gateway": [
"192.168.1.1"
],
"mac": "4C:44:5B:57:C8:D0",
"ip": [
"192.168.1.135",
"fe80::b290:dac4:8c2:f9d6"
],
"dns": [
null
]
}
],
"failed_autostart_services": [
{
"name": "GoogleUpdaterInternalService150.0.7863.0",
"display": "Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)",
"state": "Stopped"
},
{
"name": "GoogleUpdaterService150.0.7863.0",
"display": "Google Updater Service (GoogleUpdaterService150.0.7863.0)",
"state": "Stopped"
},
{
"name": "Intel(R) TPM Provisioning Service",
"display": "Intel(R) TPM Provisioning Service",
"state": "Stopped"
}
],
"stability_14d": {
"unexpected_shutdowns": 1,
"disk_errors": 0,
"bugchecks": 0
},
"exposure": {
"smb1_enabled": false,
"laps_present": true,
"rdp_enabled": false,
"uac_enabled": true,
"rdp_nla": true
},
"accounts_password_never_expires": [],
"installed_software": [
{
"publisher": "Adobe",
"name": "Adobe Acrobat (64-bit)",
"version": "26.001.21691"
},
{
"publisher": "Adobe Systems Incorporated",
"name": "Adobe Refresh Manager",
"version": "1.8.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Copilot",
"version": "149.0.4022.80"
},
{
"publisher": "Corel corporation",
"name": "Corel Update Manager",
"version": "2.14.630"
},
{
"publisher": "Google LLC",
"name": "Google Chrome",
"version": "149.0.7827.197"
},
{
"publisher": "",
"name": "HP LaserJet Professional P1100-P1560-P1600 Series",
"version": ""
},
{
"publisher": "Vantage Linguistics",
"name": "iSEEK AnswerWorks English Runtime",
"version": "010.000.0101"
},
{
"publisher": "Chaos Software Group, Inc.",
"name": "Legal Billing",
"version": ""
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft 365 Apps for business - en-us",
"version": "16.0.20026.20182"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge",
"version": "149.0.4022.98"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Edge WebView2 Runtime",
"version": "149.0.4022.98"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft OneDrive",
"version": "26.106.0603.0003"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Update Health Tools",
"version": "5.72.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x86)",
"version": "7.1.00.00"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual Basic for Applications 7.1 (x86) English",
"version": "7.1.0.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.44.35211",
"version": "14.44.35211.0"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "Microsoft Corporation",
"name": "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.44.35211",
"version": "14.44.35211"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Control Panel 391.35",
"version": "391.35"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Container",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Container LS",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Session Container",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Display Watchdog Plugin",
"version": "1.2"
},
{
"publisher": "NVIDIA Corporation",
"name": "NVIDIA Install Application",
"version": "2.1002.275.2323"
},
{
"publisher": "Microsoft Corporation",
"name": "Office 16 Click-to-Run Extensibility Component",
"version": "16.0.20026.20076"
},
{
"publisher": "Intuit",
"name": "Quicken 2013",
"version": "22.1.12.7"
},
{
"publisher": "ScreenConnect Software",
"name": "ScreenConnect Client (1912bf3444b41a08)",
"version": "26.3.11.9650"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021",
"version": "21.0.0.81"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Common Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Common Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - IPM Content",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Lightning Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Lightning Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Presentations Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Presentations Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Quattro Pro Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Quattro Pro Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Redists",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - Setup Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WordPerfect Files",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WordPerfect Files English",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office 2021 - WPD format Props x64",
"version": "21.0"
},
{
"publisher": " Corel Corporation",
"name": "WordPerfect Office 2021 - Writing Tools",
"version": "21.0"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 32-bit",
"version": "1.8"
},
{
"publisher": "Corel Corporation",
"name": "WordPerfect Office IFilter 64-bit",
"version": "1.8"
}
],
"tpm": {
"enabled": true,
"ready": true,
"present": true
},
"local_groups": [
"Access Control Assistance Operators",
"Administrators",
"Backup Operators",
"Cryptographic Operators",
"Device Owners",
"Distributed COM Users",
"Event Log Readers",
"Guests",
"Hyper-V Administrators",
"IIS_IUSRS",
"Network Configuration Operators",
"OpenSSH Users",
"Performance Log Users",
"Performance Monitor Users",
"Power Users",
"Remote Desktop Users",
"Remote Management Users",
"Replicator",
"System Managed Accounts Group",
"User Mode Hardware Operators",
"Users"
],
"battery": {
"present": false
},
"activation": {
"edition": "Microsoft Windows 11 Pro",
"description": "Windows(R) Operating System, OEM_DM channel",
"licensed": true,
"license_status_code": 1
},
"time_source": "time1.aliyun.com",
"chassis_types": [
3
],
"last_hotfix": {
"hotfix_id": "KB5094126",
"installed_on": "2026-06-10T07:00:00Z"
},
"scheduled_tasks": [
{
"path": "\\",
"name": "Adobe Acrobat Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "CorelUpdateHelperTask-6FE3C4EAF0EA6F48A355A006CED9B153",
"state": "Ready"
},
{
"path": "\\",
"name": "CorelUpdateHelperTaskCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineCore",
"state": "Ready"
},
{
"path": "\\",
"name": "MicrosoftEdgeUpdateTaskMachineUA",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Per-Machine Standalone Update Task",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Reporting Task-S-1-5-21-176541868-3255397159-941698718-1002",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1001",
"state": "Ready"
},
{
"path": "\\",
"name": "OneDrive Startup Task-S-1-5-21-176541868-3255397159-941698718-1002",
"state": "Ready"
},
{
"path": "\\",
"name": "RtkAudUService64_BG",
"state": "Running"
},
{
"path": "\\",
"name": "ZoomUpdateTaskUser-S-1-5-21-176541868-3255397159-941698718-1002",
"state": "Ready"
},
{
"path": "\\GoogleSystem\\GoogleUpdater\\",
"name": "GoogleUpdaterTaskSystem150.0.7863.0{187F8684-438D-4B52-A213-1183A437F60E}",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelperOnUnlock",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelper_Daily",
"state": "Ready"
},
{
"path": "\\GoogleUserPEH\\",
"name": "RunPlatformExperienceHelper_Metrics",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\",
"name": "SoftLandingCreativeManagementTask",
"state": "Ready"
},
{
"path": "\\SoftLanding\\S-1-5-21-176541868-3255397159-941698718-1002\\",
"name": "SoftLandingDeferralTask-{7f5041b8-2c64-40bd-a455-a605b3186491}",
"state": "Ready"
}
],
"antivirus_products": [
"Windows Defender"
],
"domain_joined": false,
"defender": {
"antispyware_signature_age": 0,
"tamper_protected": true,
"real_time_protection": true,
"nis_enabled": true,
"available": true,
"antivirus_enabled": true,
"am_service_enabled": true
},
"bitlocker": {
"os_volume": "C:",
"key_protectors": [],
"recovery_key_present": false,
"available": true,
"encryption_percent": 0,
"protection_status": "Off"
},
"is_laptop": false,
"installed_software_count": 50,
"local_administrators": [
"DESKTOP-GG4LKSL\\Administrator",
"DESKTOP-GG4LKSL\\Localadmin",
"DESKTOP-GG4LKSL\\owner"
],
"firewall_profiles": {
"Private": true,
"Domain": true,
"Public": true
},
"domain": "WORKGROUP",
"foreign_agents": null
},
"findings": [
{
"id": "sec.defender.ok",
"category": "security",
"severity": "info",
"title": "Defender active and current",
"detail": "Real-time protection on, service running, signatures current.",
"evidence": "RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True"
},
{
"id": "sec.av_products.defender_only",
"category": "security",
"severity": "info",
"title": "Defender is the only registered AV",
"detail": "Only Microsoft/Windows Defender is registered in Security Center.",
"evidence": "Windows Defender"
},
{
"id": "sec.foreign_agents.none",
"category": "security",
"severity": "info",
"title": "No competitor/leftover management agents detected",
"detail": "No known competitor RMM or unmanaged remote-access agents found in installed programs or services.",
"evidence": "Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service"
},
{
"id": "sec.foreign_agents.acg.screenconnect_connectwise_control",
"category": "security",
"severity": "info",
"title": "Expected ACG management tooling present: ScreenConnect / ConnectWise Control",
"detail": "This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.",
"evidence": "program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650\nservice: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running"
},
{
"id": "sec.firewall.ok",
"category": "security",
"severity": "info",
"title": "All firewall profiles enabled",
"detail": "Domain, Private, and Public firewall profiles are all enabled.",
"evidence": "Private=True; Domain=True; Public=True"
},
{
"id": "sec.bitlocker.unencrypted",
"category": "security",
"severity": "warning",
"title": "OS volume is NOT encrypted with BitLocker",
"detail": "The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.",
"evidence": "Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors="
},
{
"id": "sec.local_admins.list",
"category": "security",
"severity": "info",
"title": "Local administrators (3)",
"detail": "Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).",
"evidence": "DESKTOP-GG4LKSL\\Administrator\nDESKTOP-GG4LKSL\\Localadmin\nDESKTOP-GG4LKSL\\owner"
},
{
"id": "sec.patch.os_supported",
"category": "security",
"severity": "info",
"title": "OS build supported: Win11 25H2",
"detail": "Build 26200 (Win11 25H2) is in support until 2027-10-12.",
"evidence": "Microsoft Windows 11 Pro build 26200"
},
{
"id": "sec.patch.pending",
"category": "security",
"severity": "warning",
"title": "4 pending Windows updates",
"detail": "Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.",
"evidence": "Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4"
},
{
"id": "sec.patch.last_hotfix",
"category": "security",
"severity": "info",
"title": "Last hotfix: KB5094126",
"detail": "Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).",
"evidence": "KB5094126 installed 2026-06-10T07:00:00Z"
},
{
"id": "sec.exposure.smb1_off",
"category": "security",
"severity": "info",
"title": "SMBv1 disabled",
"detail": "SMBv1 server protocol is disabled.",
"evidence": "EnableSMB1Protocol=False"
},
{
"id": "sec.exposure.laps_present",
"category": "security",
"severity": "info",
"title": "LAPS detected",
"detail": "A LAPS mechanism is present.",
"evidence": "Windows LAPS reg key"
},
{
"id": "health.disk_space.D",
"category": "health",
"severity": "warning",
"title": "Disk low: D: at 14.6% free",
"detail": "Less than 15 percent free. Plan cleanup or expansion.",
"evidence": "D: free 68.1 GB of 465.8 GB (14.6%)"
},
{
"id": "health.stability.some",
"category": "health",
"severity": "warning",
"title": "Stability events present in the last 14 days",
"detail": "One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.",
"evidence": "Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0"
},
{
"id": "health.failed_services.stopped",
"category": "health",
"severity": "warning",
"title": "3 auto-start service(s) not running",
"detail": "These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.",
"evidence": "GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped\nGoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped\nIntel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped"
},
{
"id": "health.domain.workgroup",
"category": "health",
"severity": "info",
"title": "Not domain-joined (workgroup)",
"detail": "This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.",
"evidence": "PartOfDomain=False; Domain=WORKGROUP"
},
{
"id": "health.time.source",
"category": "health",
"severity": "info",
"title": "Time service source",
"detail": "Current Windows Time service source.",
"evidence": "Source=time1.aliyun.com"
},
{
"id": "health.backup.none",
"category": "health",
"severity": "info",
"title": "No backup agent detected",
"detail": "No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.",
"evidence": "No matching backup service in Win32_Service"
}
]
}
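Review bot: The findings array never surfaces `"secure_boot": false` even though facts records it next to a present and ready TPM, and `"time_source": "time1.aliyun.com"` is emitted only as the info-level `health.time.source` entry although it is not the Windows default that the sibling MJ-PARALEGAL report shows (`time.windows.com,0x9`); both deserve a warning-level finding, since Secure Boot being off and an unexpected NTP source are exactly what an onboarding baseline exists to catch. The snapshot also mixes "no data" sentinels — `"backup_agents": null` and `"foreign_agents": null` against `"accounts_password_never_expires": []` and `"key_protectors": []`, `"last_logon": ""` against `"dns": [null]` — so every consumer has to special-case each key; one convention (`[]` for lists, `null` for unknown scalars) would make the file schema-able. Minor: `"publisher": " Corel Corporation"` carries a leading space that will split Corel into two groups in any publisher roll-up. The file holds the chassis serial, adapter MAC, account SIDs and internal addresses, so the repository this auto-sync lands in should be treated as client-confidential.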


@@ -0,0 +1,226 @@
# Onboarding Diagnostic Baseline - DESKTOP-GG4LKSL
- **Grade:** AMBER
- **Host:** DESKTOP-GG4LKSL
- **Client:** Michael Johnson (`michaeljohnson`)
- **Collected (UTC):** 2026-06-29T21:17:50Z
- **Agent ID:** 09c08484-2b51-404b-a294-6e39f498867c
- **Command ID:** 67f70181-51cd-470e-a9e2-edd2d53df135
- **Findings:** 0 critical / 5 warning / 13 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## WARNING (5)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 4 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 4
```
### Disk low: D: at 14.6% free
- **Category:** health
- **ID:** `health.disk_space.D`
- Less than 15 percent free. Plan cleanup or expansion.
```
D: free 68.1 GB of 465.8 GB (14.6%)
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### 3 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
```
## INFO (13)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=0 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### All firewall profiles enabled
- **Category:** security
- **ID:** `sec.firewall.ok`
- Domain, Private, and Public firewall profiles are all enabled.
```
Private=True; Domain=True; Public=True
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
DESKTOP-GG4LKSL\Administrator
DESKTOP-GG4LKSL\Localadmin
DESKTOP-GG4LKSL\owner
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5094126
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5094126 installed 2026-06-10T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time1.aliyun.com
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** HP / HP Pavilion Gaming Desktop TG01-2xxx
- **Serial:** 4CE136C774
- **CPU:** 11th Gen Intel(R) Core(TM) i7-11700F @ 2.50GHz (8 cores / 16 logical)
- **RAM (GB):** 31.8
- **BIOS:** F.21 (2023-07-11)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** true / ?
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 0.3
- **Pending reboot:** false
- **Installed software count:** 50
- **Scheduled tasks (non-MS, enabled):** 18
- **Local administrators:** DESKTOP-GG4LKSL\Administrator, DESKTOP-GG4LKSL\Localadmin, DESKTOP-GG4LKSL\owner
### Fixed volumes
- D: - 68.1 GB free of 465.8 GB (14.6%)
- [unlabeled] - 0.1 GB free of 0.7 GB (8.3%)
- [unlabeled] - 0 GB free of 0.1 GB (38.7%)
- C: - 690.6 GB free of 930.6 GB (74.2%)
### Network adapters
- Intel(R) Wi-Fi 6 AX201 160MHz - IP: 192.168.1.135, fe80::b290:dac4:8c2:f9d6 - DNS: - DHCP: false
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `DESKTOP-GG4LKSL-20260629T211835.json` (immutable)._
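Review bot: `TPM present / Secure Boot: true / ?` renders a value the matching JSON snapshot records as `"secure_boot": false`, so the report generator appears to treat a false boolean as unknown — presumably a truthiness test where a null test was meant; the line should read `true / false`, and `false` is the more important of the two to show on a RED/AMBER baseline. `DNS: -` on an adapter reported as `DHCP: false` looks like the same pattern applied to the snapshot's `"dns": [null]`, which hides the fact that a static-IP host has no resolver recorded. `Source=time1.aliyun.com` is listed under INFO with no prompt to review it, while the local-admins entry does get one; a non-default time source on a workstation merits at least the same wording. The generator script itself is not in this commit, so the fix belongs there rather than in this file.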



@@ -0,0 +1,254 @@
# Onboarding Diagnostic Baseline - MJ-PARALEGAL
- **Grade:** RED
- **Host:** MJ-PARALEGAL
- **Client:** Michael Johnson (`michaeljohnson`)
- **Collected (UTC):** 2026-06-29T21:17:55Z
- **Agent ID:** 4537ac34-e548-484c-b4e9-fd91e7f97a23
- **Command ID:** a3095ece-7fd3-4751-acc6-867a1b41507b
- **Findings:** 2 critical / 4 warning / 14 info / 0 unknown
- **OS:** Microsoft Windows 11 Pro (build 26200)
---
## CRITICAL (2)
### Firewall disabled on profile(s): Private, Public
- **Category:** security
- **ID:** `sec.firewall.disabled`
- One or more firewall profiles are OFF. The endpoint is exposed to lateral movement and inbound attacks on those networks. Re-enable all profiles.
```
Profile states: Private=False; Domain=True; Public=False
```
### Disk critically low: E: at 0% free
- **Category:** health
- **ID:** `health.disk_space.E`
- Less than 8 percent free. Risk of failed updates, crashes, and corruption. Free space or expand the volume urgently.
```
E: free 0 GB of 255.6 GB (0%)
```
## WARNING (4)
### OS volume is NOT encrypted with BitLocker
- **Category:** security
- **ID:** `sec.bitlocker.unencrypted`
- The operating system volume is unencrypted. Data is exposed if the disk is removed or the device is lost. Enable BitLocker and escrow the recovery key.
```
Volume=C:; ProtectionStatus=Off; EncryptionPercentage=0; KeyProtectors=
```
### 2 pending Windows updates
- **Category:** security
- **ID:** `sec.patch.pending`
- Windows Update reports pending (not installed, not hidden) updates. Some may be security updates. Approve/install on the next maintenance window.
```
Microsoft.Update.Session search IsInstalled=0 and IsHidden=0 -> 2
```
### Stability events present in the last 14 days
- **Category:** health
- **ID:** `health.stability.some`
- One or more unexpected shutdowns, BSODs, or disk errors occurred recently. Monitor and correlate with user reports.
```
Unexpected shutdowns (id 41)=1; Bugchecks/BSOD (id 1001)=0; Disk errors (id 7/51/153)=0
```
### 6 auto-start service(s) not running
- **Category:** health
- **ID:** `health.failed_services.stopped`
- These services are set to start automatically but are not running. Some may be benign; review for security agents, backup agents, or AV that should be running.
```
AsusUpdateCheck (AsusUpdateCheck) = Stopped
GoogleUpdaterInternalService150.0.7863.0 (Google Updater Internal Service (GoogleUpdaterInternalService150.0.7863.0)) = Stopped
GoogleUpdaterService150.0.7863.0 (Google Updater Service (GoogleUpdaterService150.0.7863.0)) = Stopped
IBMPMSVC (Lenovo PM Service) = Stopped
Intel(R) TPM Provisioning Service (Intel(R) TPM Provisioning Service) = Stopped
LPlatSvc (Lenovo Platform Service) = Stopped
```
## INFO (14)
### Defender active and current
- **Category:** security
- **ID:** `sec.defender.ok`
- Real-time protection on, service running, signatures current.
```
RealTimeProtectionEnabled=True; AMServiceEnabled=True; AntispywareSignatureAge=1 days; IsTamperProtected=True
```
### Defender is the only registered AV
- **Category:** security
- **ID:** `sec.av_products.defender_only`
- Only Microsoft/Windows Defender is registered in Security Center.
```
Windows Defender
```
### No competitor/leftover management agents detected
- **Category:** security
- **ID:** `sec.foreign_agents.none`
- No known competitor RMM or unmanaged remote-access agents found in installed programs or services.
```
Scanned uninstall hives (HKLM + WOW6432Node) and Win32_Service
```
### Expected ACG management tooling present: ScreenConnect / ConnectWise Control
- **Category:** security
- **ID:** `sec.foreign_agents.acg.screenconnect_connectwise_control`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: ScreenConnect Client (1912bf3444b41a08) 26.3.11.9650
service: ScreenConnect Client (1912bf3444b41a08) (ScreenConnect Client (1912bf3444b41a08)) Running
```
### Expected ACG management tooling present: Splashtop (SOS/Streamer)
- **Category:** security
- **ID:** `sec.foreign_agents.acg.splashtop_sos_streamer_`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Splashtop Streamer 3.8.4.0
service: SplashtopRemoteService (Splashtop? Remote Service) Running
```
### Expected ACG management tooling present: Syncro / Kabuto
- **Category:** security
- **ID:** `sec.foreign_agents.acg.syncro_kabuto`
- This is Arizona Computer Guru managed/remote-access tooling that we deploy. Its presence is expected and not a foreign-agent risk.
```
program: Syncro 1.0.201.18410
service: Syncro (Syncro) Running
```
### Local administrators (3)
- **Category:** security
- **ID:** `sec.local_admins.list`
- Members of the local Administrators group. Review for unexpected or unknown accounts (especially leftover MSP/vendor accounts from a prior provider).
```
MJ-PARALEGAL\Administrator
MJ-PARALEGAL\localadmin
MJ-PARALEGAL\Paralegal
```
### OS build supported: Win11 25H2
- **Category:** security
- **ID:** `sec.patch.os_supported`
- Build 26200 (Win11 25H2) is in support until 2027-10-12.
```
Microsoft Windows 11 Pro build 26200
```
### Last hotfix: KB5094126
- **Category:** security
- **ID:** `sec.patch.last_hotfix`
- Most recently installed update (from Get-HotFix; reflects CBS/MSU packages, not all cumulative metadata).
```
KB5094126 installed 2026-06-10T07:00:00Z
```
### SMBv1 disabled
- **Category:** security
- **ID:** `sec.exposure.smb1_off`
- SMBv1 server protocol is disabled.
```
EnableSMB1Protocol=False
```
### LAPS detected
- **Category:** security
- **ID:** `sec.exposure.laps_present`
- A LAPS mechanism is present.
```
Windows LAPS reg key
```
### Not domain-joined (workgroup)
- **Category:** health
- **ID:** `health.domain.workgroup`
- This machine is in workgroup/Azure AD only mode (Domain=WORKGROUP). No on-prem AD secure channel applies.
```
PartOfDomain=False; Domain=WORKGROUP
```
### Time service source
- **Category:** health
- **ID:** `health.time.source`
- Current Windows Time service source.
```
Source=time.windows.com,0x9
```
### No backup agent detected
- **Category:** health
- **ID:** `health.backup.none`
- No known backup agent service found. Backup expectation varies by endpoint; confirm whether this machine is supposed to have local/cloud backup and whether server-side or M365 backup covers it.
```
No matching backup service in Win32_Service
```
---
## Inventory Baseline Summary
- **Manufacturer / Model:** ASUS / System Product Name
- **Serial:** System Serial Number
- **CPU:** Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz (6 cores / 12 logical)
- **RAM (GB):** 15.8
- **BIOS:** 1620 (2021-07-09)
- **Chassis is laptop:** false
- **TPM present / Secure Boot:** true / true
- **Domain joined:** false (WORKGROUP)
- **OS activation licensed:** true
- **Uptime (days):** 0.3
- **Pending reboot:** false
- **Installed software count:** 98
- **Scheduled tasks (non-MS, enabled):** 24
- **Local administrators:** MJ-PARALEGAL\Administrator, MJ-PARALEGAL\localadmin, MJ-PARALEGAL\Paralegal
### Fixed volumes
- E: - 0 GB free of 255.6 GB (0%)
- [unlabeled] - 0.2 GB free of 1 GB (18.7%)
- D: - 0 GB free of 0 GB (75.5%)
- C: - 70 GB free of 464.2 GB (15.1%)
- [unlabeled] - 0.1 GB free of 0.1 GB (64%)
- [unlabeled] - 0.1 GB free of 0.5 GB (16.6%)
### Network adapters
- Realtek PCIe GBE Family Controller - IP: 192.168.1.136, fe80::b20c:8d0b:48bf:1aea - DNS: 172.16.132.1 - DHCP: true
---
## Diff vs Prior Baseline
- No prior baseline found for this host. This is the first baseline.
---
_Generated by run-onboarding-diagnostic.sh (GuruRMM onboarding diagnostic, Phase 1). Raw snapshot: `MJ-PARALEGAL-20260629T211845.json` (immutable)._
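Review bot: Three separate remote-access stacks (ScreenConnect, Splashtop Streamer, Syncro) are each classified as expected ACG tooling at info level, so the `sec.foreign_agents.*` check cannot tell a host that should have one of them from a host that has all three; the expected set should be per-client or per-host, with any additional remote-access tool reported as a warning, because each one is another inbound admin path on a machine whose Private and Public firewall profiles are off. `Splashtop? Remote Service` in the evidence block looks like a non-ASCII character dropped somewhere in the collector's encoding path; worth confirming evidence strings round-trip as UTF-8. `Serial: System Serial Number` is the board vendor's placeholder rather than a serial, and `D: - 0 GB free of 0 GB (75.5%)` is a rounding artefact; the inventory summary would read better if it flagged placeholder serials and printed sub-GB volumes in MB or skipped them.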


@@ -0,0 +1,148 @@
# Rednour Law — LEGALASST explorer hang on .zip + WordPerfect 5 save error + Win11 plan
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Diagnosed an explorer.exe stability problem on **LEGALASST**, the legal assistant's
workstation at Rednour Law (Carla Skinner's box; active local account `emma`, profile
`C:\Users\Ale`, OneDrive `carla@rednourlaw.com`). Reported via Carrie Rednour: explorer
repeatedly hung/crashed when "opening files or messing with files." Work was driven over
GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`); the office subnet was initially
unreachable from HOWARD-HOME because Tailscale was stuck in `NoState`, which cleared on its
own shortly after.
Established via the Application event log that explorer was **hanging (AppHang Event 1002),
not crashing** — there were no Event 1000 / faulting-module records. Hangs were firing
several times per hour on 2026-06-29 and continued after a 10:52 reboot. The `.NET Runtime`
Event 1022 "profiling API attach" errors (201 of them) were ruled out as benign noise — no
`COR_PROFILER` env var is set, so nothing is being injected into explorer via that path.
Narrowed the cause by elimination. Blocked the Adobe shell extensions (Acrobat context-menu
+ CoreSync overlays) via the Microsoft "Blocked" CLSID list and restarted explorer — no
change, so Adobe was ruled out and reverted. Mapped drives X/Y/Z (→ `\\rednourcarrievirt`,
the cloned Carrie host) were healthy (`Status OK`, no SMBClient errors). The only
non-Microsoft DLLs actually loaded in explorer were the AMD Vega driver
(`amdihk64/atidxx64/aticfx64/atiuxp64`), but there were **zero display-driver TDR events**,
so the GPU driver was not crash-recovering. OneDrive sync was healthy and its overlay was not
even loaded. Howard then supplied the decisive clue: the hang happens **only when opening
`.zip` files**, Word/PDF open fine, and the failing zip is on the **local desktop** (not
OneDrive, not a network share). That isolated the fault to the **built-in Windows Compressed
Folders handler** (explorer's zip-as-folder namespace). `zipfldr.dll` is intact and validly
signed, so the hang is environmental, not a corrupt handler DLL.
Howard installed **7-Zip 26.02** as a workaround — it opens the same zips fine because it is
a standalone app that never invokes explorer's zip namespace. He will set 7-Zip as the
default for `.zip` (and `.7z`/`.rar`, currently unassociated) via the 7-Zip GUI. A second,
separate issue on the same machine was reported: saving from **WordPerfect 5** returns "not
enough free space" regardless of save location, despite Howard verifying ample free space.
The plan is to **upgrade LEGALASST to Windows 11**, which is expected to resolve the
zip-handler hang by rebuilding the shell/system files (and applies the pending SFC repair);
the team will test a local zip with the built-in handler after the upgrade. All diagnostic
changes were reverted and the box was left clean.
## Key Decisions
- Diagnosed live over GuruRMM rather than waiting for on-site access; used `user_session`
context for HKCU/OneDrive/shell-folder reads and SYSTEM context for HKLM/event-log reads.
- Used the Microsoft **Shell Extensions\Blocked** CLSID list (reversible) to test-disable
Adobe/7-Zip shell extensions instead of deleting registrations — clean revert path.
- Treated the `.NET 1022` errors as noise after confirming no `COR_PROFILER` was set, instead
of chasing the profiler-injection theory.
- Did **not** hand-write a per-user UserChoice association hash for `.zip` (hash-protected;
a wrong hash leaves a broken "how do you want to open this?" prompt). Howard opted to set
the default in the 7-Zip GUI; no DefaultAssociations policy was pushed.
- Concluded the Win11 in-place upgrade is the right fix for the zip-handler hang (rebuilds
shell/system files) rather than further low-level surgery on a Win10 22H2 EOL box.
## Problems Encountered
- **Office subnet unreachable from HOWARD-HOME** — Tailscale daemon RUNNING but backend stuck
in `NoState`; a service restart did not clear it, but it came up on its own shortly after.
- **Orphaned RMM diagnostic process** — the first diagnostic command timed out server-side at
120s (a `HKLM\...\Classes\*\shellex` wildcard scan), but the agent's child `powershell.exe`
(PID 1048) kept running on the endpoint for 10+ minutes, churning CPU. This was the
"PowerShell that's been running" Howard noticed. Killed it (SYSTEM context). Logged as
friction.
- **`$pid` reserved-variable collision** — used `$pid` as a variable in a remote script; `$PID`
is the automatic current-process-id variable, so the `.zip` ProgID read returned garbage
(16044). Re-ran with a non-reserved name. Logged as friction.
- **Mis-assumption corrected** — initially assumed LEGALASST was the cloned machine; Carrie's
machine was the one cloned (to host `rednourcarrievirt`), LEGALASST is the legal assistant's
(unchanged) box. Logged as a correction.
## Configuration Changes
Net change to the endpoint: **none** (all diagnostic changes reverted; box left clean). During
the session, on LEGALASST:
- Added then removed Adobe (4 CLSIDs) and 7-Zip shell-extension CLSIDs in
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (Blocked list now
empty).
- Restarted explorer.exe several times (user_session).
- Killed orphaned diagnostic process PID 1048.
- Howard installed 7-Zip 26.02 (standalone; he will set `.zip`/`.7z`/`.rar` defaults).
- Howard ran `sfc /scannow` — found and repaired corruption (0 unrepairable); repair pending
a reboot to load.
Repo: this session log; Rednour wiki record update pending (`/wiki-compile client:rednour`).
## Credentials & Secrets
None discovered, created, or rotated this session.
## Infrastructure & Servers
- **LEGALASST** — legal assistant workstation, Rednour Law "Main Office" site. Win 10 Pro 22H2
(build 19045, **EOL**), AMD Ryzen 3 3200G (Vega 8 iGPU), **5.9 GB RAM**, LAN 192.168.10.213.
GuruRMM agent `18825ea7-df58-47bb-b492-822cb16fb5ec`. Active local account `emma`, profile
`C:\Users\Ale`. OneDrive account `carla@rednourlaw.com`; Documents redirected to
`C:\Users\Ale\OneDrive - Rednour Law\Documents`. Leftover **SyncroLive.Agent.Runner** still
running.
- AMD GPU driver: 31.0.12027.9001 (2023-03-29). 7zFM.exe 26.02 at `C:\Program Files\7-Zip\`.
- `zipfldr.dll` = 10.0.19041.1, signature Valid (handler is intact).
- Mapped drives (user `emma`): X: `\\rednourcarrievirt\Time Matters Shared Files`, Y:
`\\rednourcarrievirt\Timeslips`, Z: `\\rednourcarrievirt\Documents` — all `Status OK`.
- GuruRMM server `http://172.16.3.30:3001`; coord `http://172.16.3.30:8001`.
## Commands & Outputs
- Diagnostic dispatch pattern: `POST /api/agents/<id>/command` (powershell, `context`
system or user_session), poll `GET /api/commands/<id>`.
- Key reads: `Get-WinEvent` Application 1000/1002 + ProviderName 'Application Hang'/'.NET
Runtime'; explorer loaded modules filtered to non-Microsoft `CompanyName`;
`Get-SmbMapping`; `Get-MpComputerStatus`/`Get-MpPreference`; CBS.log `[SR]` parse.
- AppHang count = 10 in last 3h on 2026-06-29; latest 11:31:02 (post 10:52 reboot).
- `.zip` association: `HKCR\.zip` (default) = `CompressedFolder`, **no UserChoice**. 7-Zip
registered only a `7-Zip.iso` ProgId (no `7-Zip.zip`). `.7z`/`.rar` currently unassociated.
- SFC (CBS.log): "Verify and Repair Transaction completed... successfully repaired"; 0
"cannot repair" entries.
- Defender: RTP on, no active scan, signatures fresh, `DisableArchiveScanning=False`,
`MAPSReporting=2`, `SubmitSamplesConsent=1` (archive + cloud scanning on).
## Pending / Incomplete Tasks
1. **Howard:** set 7-Zip as default app for `.zip` (and `.7z`/`.rar`) via 7-Zip GUI
(Tools → Options → System).
2. **Upgrade LEGALASST to Windows 11** (expected to resolve the zip-handler hang; applies
the pending SFC repair). Pre-reqs: enable fTPM + Secure Boot in BIOS (Ryzen 3 3200G is
Win11-supported), bump RAM from 5.9 GB, remove the leftover Syncro agent. **Test a local
`.zip` with the built-in handler post-upgrade.**
3. **WordPerfect 5 "not enough free space" on save** — investigate. Leading hypothesis:
legacy/DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space
value overflows → false "disk full"). This is app-level and will **not** be fixed by the
OS upgrade; mitigate via DOSBox or directing saves to a SUBST'd small-capacity location.
Confirm exact WP version/edition (DOS 5.1 vs Windows).
4. **If the zip hang persists after the Win11 upgrade:** next lead is Defender archive-scan +
cloud (MAPS) lookup stalling the shell when the built-in handler streams zip entries.
5. Standing P1s (pre-existing): reboot to apply SFC repair; remove prior MSP agents.
## Reference Information
- GuruRMM agent id: `18825ea7-df58-47bb-b492-822cb16fb5ec` (LEGALASST).
- Rednour tenant: `rednourlaw.com` (`4a4ca18a-f516-478b-99da-2e0722c5dc18`); Syncro customer
`1224246`.
- Wiki: `wiki/clients/rednour.md`. Refresh: `/wiki-compile client:rednour --full`.
- Reversible shell-ext disable mechanism: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (add CLSID value to block; delete to restore).


@@ -0,0 +1,119 @@
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Resumed work on getting the GuruRMM agent installed on Nick Pafford's Mac at Rednour Law
Offices (Rednour's office). The client/site was already onboarded (2026-05-29), so the goal
this session was to hand Nick the correct macOS download/install link and confirm enrollment.
Pulled the Rednour Main site enrollment details from the vault (site_code GREEN-FALCON-7214)
and provided the public install page URL. On verification, the install **page**
(`/install/GREEN-FALCON-7214`) only exposes clickable buttons for Windows and Linux — there is
no Mac button. Confirmed instead that a macOS install path exists as a `curl | sudo bash`
one-liner at `/install/GREEN-FALCON-7214/macos`. Verified the script body (LaunchDaemon setup,
quarantine strip, site config for GREEN-FALCON-7214) and that the agent binary it downloads is a
Mach-O 64-bit arm64 executable (~3.96 MB), matching Nick's Apple Silicon Mac. Handed Nick the
Terminal one-liner plus his SMB share credential (from vault).
Nick (or whoever was at the Mac) ran the installer and it reported success. However, repeated
fleet checks (3x over the session) showed the agent NOT checking in — no macOS agent appears
under Rednour Law Offices. The three Rednour agents enrolled are all Windows
(FrontDeskReception, LegalAsst, rednourcarrievirt). The only Macs in the entire fleet are
Scileppi's Mac-mini-2 and Mike's MacBook Air — neither is Nick's. So the install succeeded
locally but the agent is not connecting/enrolling to the server.
Howard is no longer onsite and does not have the user's Mac password, so local diagnostics
(foreground run, launchctl check) can't be done right now. Work was deferred. Flagged Mike via
Discord DM that the Apple/macOS installer has an issue, that we're working it but lack the
user's password, and asked whether he has access to another M1/Apple Silicon Mac to test the
installer for repro.
## Key Decisions
- Handed Nick the macOS `curl | sudo bash` one-liner rather than the install page, since the
page has no Mac download button — only Windows/Linux. The `/macos` script path is the
supported macOS install route.
- Verified the downloaded binary architecture (arm64 Mach-O) before handing off, to rule out an
x86/arch mismatch on Nick's Apple Silicon Mac.
- Deferred diagnosis rather than guess: with no onsite access and no user password, the key
diagnostic (foreground `sudo /usr/local/bin/gururmm-agent` to see the connect error) can't be
run, so escalated to Mike and parked it.
- Used a person-targeted Discord DM to Mike (not a #bot-alerts post) since the ask was actionable
and directed at him specifically (needs an M1 to test).
## Problems Encountered
- **macOS agent installs but does not enroll.** Installer reports success on Nick's Apple
Silicon Mac, but no macOS agent shows under Rednour in the fleet after multiple checks.
Unresolved — deferred. Likely causes to check next: LaunchDaemon not actually started /
crashed on launch, Gatekeeper killing the unsigned binary despite quarantine strip, or
outbound connectivity to rmm.azcomputerguru.com blocked. Blocked on onsite access + user
password.
- **Install page has no Mac button** (Windows/Linux only). Worked around with the `/macos`
curl|bash one-liner, which is the real macOS install path.
## Configuration Changes
- None to the repo. No code changes. Vault entries were read-only this session (already
created in prior sessions).
## Credentials & Secrets
- Nick Pafford SMB share access (read this session, already vaulted):
- Vault: `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`
- Username: `REDNOURCARRIEVI\nick`
- Password: `Kg5Qe2Kc3`
- Mac mount: `smb://192.168.10.194/Documents` (Finder Cmd+K)
- Share: `\\REDNOURCARRIEVI\Documents` -> `C:\Users\Carrie\Documents`, access Modify (rw)
- Local Windows account on Carrie Rednour's workstation (workgroup, no AD), PasswordNeverExpires,
created 2026-06-25 per Syncro #32343.
- GuruRMM Rednour Main site enrollment (already vaulted):
- Vault: `clients/rednour/gururmm-site-main.sops.yaml`
- site_id: `c7f5787c-8e71-45b3-841f-fa52436f7d26`
- site_code: `GREEN-FALCON-7214`
## Infrastructure & Servers
- GuruRMM server API: `http://172.16.3.30:3001` (auth via vault gururmm-server.sops.yaml).
- GuruRMM public install host: `https://rmm.azcomputerguru.com` (Cloudflare-fronted).
- Rednour workstation REDNOURCARRIEVI: `192.168.10.194` (LAN) / `10.147.17.253` (ZeroTier).
- Rednour Law Offices fleet (all Windows, online, v0.6.66): FrontDeskReception, LegalAsst,
rednourcarrievirt.
## Commands & Outputs
- macOS install one-liner handed to Nick:
`curl -fsSL https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos | sudo bash`
- Mac agent binary verification:
`curl .../install/GREEN-FALCON-7214/download/macos` -> HTTP 200, Mach-O 64-bit arm64
executable, ~3,960,397 bytes, filename `gururmm-agent-main`.
- Fleet check (no Rednour Mac present):
`curl -s "$RMM/api/agents" -H "Authorization: Bearer $TOKEN" | jq '... select rednour or macos'`
- Suggested local diagnostics for next session (need onsite/password):
- `sudo launchctl list | grep gururmm`
- `ls -l /usr/local/bin/gururmm-agent /usr/local/etc/gururmm/`
- `sudo /usr/local/bin/gururmm-agent` (foreground run to surface connect error)
- `curl -fsS -o /dev/null -w "%{http_code}" https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos`
## Pending / Incomplete Tasks
- **OPEN:** Nick's Mac GuruRMM agent not enrolling despite successful install. Deferred.
- Blocked on: not onsite + no user Mac password.
- Next steps: run foreground diagnostic on the Mac to capture the connect/enroll error; check
LaunchDaemon state and Gatekeeper; verify outbound to rmm.azcomputerguru.com.
- Mike asked (via DM) whether he has access to another M1/Apple Silicon Mac to test/repro the
macOS installer.
## Reference Information
- Install page: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214`
- macOS install script: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/macos`
- macOS agent binary: `https://rmm.azcomputerguru.com/install/GREEN-FALCON-7214/download/macos`
- MSI (Windows): `https://rmm.azcomputerguru.com/api/sites/c7f5787c-8e71-45b3-841f-fa52436f7d26/installer`
- Discord DM to Mike: message_id 1521264675965374656
- Syncro ticket (SMB access): #32343
- Related prior logs: `2026-06-25-howard-nick-smb-share-and-mac-rmm.md`,
`2026-06-26-howard-nick-mac-rmm-rootcause.md`
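Review bot: The `Credentials & Secrets` section of this new session log commits a live account password in plaintext (the `Password:` line under the Nick Pafford SMB entry for `REDNOURCARRIEVI\nick`), even though the same entry says the secret is already held at `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`. Once the value is in git history it has to be treated as exposed: rotate the `nick` account password, keep only the `Vault:` pointer line in the log, and purge the blob from history, since deleting the line in a later commit leaves it recoverable. The rest of the entry (host, share path, `Modify (rw)` scope, ticket reference) is operational metadata and is fine to keep. The log's own convention — `site_id`/`site_code` listed as "(already vaulted)" without the enrollment key — is the pattern the password line should follow.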


@@ -17,6 +17,7 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
<!-- Append entries below this line -->
<<<<<<< HEAD
2026-06-29 | GURU-5070 | remediation-tool/reset-password.sh | [friction] JIT de-elevation can never succeed: an app-only SP cannot remove its OWN Privileged Authentication Administrator assignment ('no privilege to remove self'). Every admin-account reset leaves standing PAA on the ComputerGuru Tenant Admin SP; requires a human Global Admin to remove. Likely also left PAA on birthbiologic.com (2026-06-08). [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f sp=fccda86c-77ca-4248-b876-b0cdba8605d4 role=PrivilegedAuthAdmin fix=PIM-or-second-principal-or-human-GA]
2026-06-29 | GURU-5070 | remediation-tool | reset-password: failed to remove JIT Privileged Auth Admin role - standing privilege left behind, REMOVE MANUALLY [ctx: tenant=5c53ae9f-7071-4248-b834-8685b646450f assignment=ikzke6-tKk6E1qsmSeCKE2yozfzKd0hCuHawzbqGBdQ-1 http=400]
@@ -30,6 +31,23 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
2026-06-29 | GURU-5070 | rmm/bash | [friction] passed ~20KB base64 inline via jq --arg in command line -> 'Argument list too long'; should stage data on the endpoint (it already had the CSV) or chunk-upload, never inline-pass large blobs [ctx: ref=CLAUDE.md windows-rules; host=ACG-DWP-X-BB]
2026-06-29 | GURU-5070 | migration/datto-to-sharepoint | 2026-06-26 SharePoint push corrupted files: byte array stringified ('$bytes') so each file written as space-separated DECIMAL TEXT instead of binary (xlsx '80 75 3 4...', pdf '37 80 68 70...'); format-agnostic, ~15 local + up to ~3298 cloud-only files modified 06-26; Datto source intact [ctx: client=birth-biologic host=ACG-DWP-X-BB vector=base64/stdout-capture-upload fix=use OneDrive-sync/SPMT or [IO.File]::WriteAllBytes]
=======
2026-06-29 | Howard-Home | cascades/SG-Caregivers | [correction] assumed adding Feller + Nyanzunda to SG-Caregivers per 6/4 worklist; correct is group = frontline caregivers ONLY, exclude admins/managers/admin-adjacent (Feller PA-remote, Nyanzunda MC admin asst) do NOT go in
2026-06-29 | Howard-Home | rmm/coord | [friction] 172.16.3.30 unreachable from Howard-Home (RMM :3001 + coord :8001 dead; Cascades VPN up) — ACG-internal route down [ctx: ref=cascades-caregiver-group-task]
2026-06-29 | Howard-Home | rmm/powershell | [friction] used $pid as a variable in remote PS script; $PID is a reserved automatic variable (current process id) so the .zip ProgID read was clobbered (showed 16044). Use a non-reserved name e.g. $zipProg [ctx: ref=feedback_windows_quote_stripping-style-PS-gotchas]
2026-06-29 | Howard-Home | rmm/rednour-legalasst | [correction] assumed LEGALASST was the cloned machine; correct is that CARRIE'S machine was cloned (to host rednourcarrievirt) and LEGALASST is EMMA'S machine (not cloned). Emma's drives X/Y/Z were remapped today to
ednourcarrievirt [ctx: client=rednour host=LEGALASST]
2026-06-29 | Howard-Home | rmm-auth/tailscale | [friction] RMM+coord unreachable (http=000); tailscaled service RUNNING but backend stuck in NoState after restart -> 172.16.3.30 unping-able from HOWARD-HOME [ctx: ref=remote-diag fix=tailscale-relogin]
2026-06-29 | Howard-Home | rmm-auth | RMM login failed (no token returned from /api/auth/login) [ctx: url=http://172.16.3.30:3001 resp=]
2026-06-29 | Howard-Home | rmm-search | RMM auth failed via rmm-auth.sh (no TOKEN/RMM)
2026-06-29 | Howard-Home | rmm-search | RMM auth failed via rmm-auth.sh (no TOKEN/RMM)
>>>>>>> a0d073f (sync: auto-sync from HOWARD-HOME at 2026-06-29 14:22:54)
2026-06-29 | Howard-Home | save/rmm-scratch | [friction] wrote RMM command-id scratch files (.netprobe_id, .stage_id, etc.) to repo root C:/claudetools; .netprobe_id got swept into a sync commit by git add -A and needed git rm. Use the session scratchpad dir for transient IDs, not the repo root. [ctx: ref=feedback_tmp_path_windows]
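Review bot: This file section commits unresolved merge-conflict markers into the error log — `<<<<<<< HEAD` in the `@@ -17,6 +17,7 @@` hunk, and `=======` plus `>>>>>>> a0d073f (sync: auto-sync from HOWARD-HOME at 2026-06-29 14:22:54)` in this one; the rendered view has lost the +/- column, but the `a0d073f` timestamp immediately precedes this commit, so they appear to be among the added lines. Every record in the file follows `date | host | tool | message`, so any line-oriented consumer now sees three malformed entries; both sides of the conflict are simply appended records, so the fix is to delete the three marker lines and keep both blocks. The `rmm/rednour-legalasst` entry is also split across two lines at `remapped today to` / `ednourcarrievirt`, which looks like the `\r` in the UNC path `\\rednourcarrievirt` was interpreted as a carriage return by whatever wrote the line — the two fragments should be rejoined and the backslash escaped. Both defects are consistent with the `git add -A` auto-sync sweep that the final `save/rmm-scratch` entry in this hunk itself records as friction.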


@@ -0,0 +1,143 @@
---
type: client
name: michaeljohnson
display_name: Michael Johnson (Law Office)
last_compiled: 2026-06-29
compiled_by: HOWARD-HOME/claude-main
sources:
- clients/michaeljohnson/onboarding-baselines/DESKTOP-GG4LKSL-20260629T211835.md
- clients/michaeljohnson/onboarding-baselines/MJ-PARALEGAL-20260629T211845.md
- Syncro customer 152567 (ticket history + contact record)
- GuruRMM onboarding 2026-06-29 (client + site "Main", BRIGHT-RIVER-8998)
---
# Michael Johnson (Law Office)
## Profile
- **Business type:** Solo legal practice (Tucson, AZ) — *inferred* from the paralegal
workstation, WordPerfect + "Seabill" legal-billing software, and the recurring
shared-file / Outlook-calendar-sync work between Michael's and Crystal's machines.
Not formally stated in Syncro (no `business_name` on the record).
- **Syncro Customer ID:** 152567 (customer record created 2013-12-04 — long-standing client)
- **Billing model:** Break-fix / time-and-materials. **No prepaid block** (`prepay_hours = 0.0`,
live 2026-06-29). History is overwhelmingly emergency / onsite / remote one-off tickets.
- **Address:** 177 N Church, Tucson, AZ 85701
- **GuruRMM onboarded:** 2026-06-29 (Howard) — client + site "Main"; both workstations enrolled same day.
- **Onboarding grade:** DESKTOP-GG4LKSL = **AMBER**; MJ-PARALEGAL = **RED**.
## Contacts
| Name | Role | Email / Phone | Notes |
|---|---|---|---|
| Michael Johnson | Owner / attorney | michaeljohnson311@gmail.com / 520-622-0065 | Primary Syncro contact; uses DESKTOP-GG4LKSL |
| Crystal (Krystal) | Paralegal / assistant | (no email on file) / 520-906-4672 | Uses MJ-PARALEGAL; most day-to-day tickets are hers |
Email is on **Gmail / Google Workspace** (consumer/Workspace — not M365). Several past tickets
involve Google account storage/payment and Outlook talking to the Google calendar; mail is **not**
hosted or managed by ACG M365 tooling.
## Infrastructure
### Network
- **Topology:** Workgroup, peer-to-peer (no on-prem AD, no domain join). Both machines report
`PartOfDomain=False` / `Domain=WORKGROUP`.
- **LAN subnet:** 192.168.1.0/24.
- Shared files are served peer-to-peer between the two workstations (consistent with the long
history of "can't access shared files" tickets) — exact share host/path **not yet mapped**.
### Workstations (GuruRMM enrolled 2026-06-29, site "Main")
| Hostname | User | Model | CPU | RAM | OS | IP | Agent ID | Grade |
|---|---|---|---|---|---|---|---|---|
| DESKTOP-GG4LKSL | Michael | HP Pavilion Gaming TG01-2xxx | i7-11700F 8c/16t | 31.8 GB | Win 11 Pro 25H2 (build 26200) | 192.168.1.135 (Wi-Fi) | 09c08484-2b51-404b-a294-6e39f498867c | AMBER |
| MJ-PARALEGAL | Crystal | ASUS (desktop, generic board) | i5-10400 6c/12t | 15.8 GB | Win 11 Pro 25H2 (build 26200) | 192.168.1.136 (wired) | 4537ac34-e548-484c-b4e9-fd91e7f97a23 | RED |
Both on Win 11 25H2 (supported until 2027-10-12), OS activated, agent v0.6.75, Defender active &
current with Tamper Protection on, SMBv1 disabled, LAPS reg key present. Neither has a backup agent.
MJ-PARALEGAL was recently recovered + upgraded to Win11 (Syncro #31768).
### RMM site / enrollment
- **Client:** Michael Johnson · **Site:** Main · **Site code:** `BRIGHT-RIVER-8998`
- **Client ID:** `99022a2e-6b8f-472b-9269-6a746ef0970b` · **Site ID:** `94b5cb21-3d8e-484a-8ef3-8388b66417d2`
- **Install page:** https://rmm.azcomputerguru.com/install/BRIGHT-RIVER-8998
- **Enrollment key vault path:** `clients/michaeljohnson/gururmm-site-main.sops.yaml` (also stamped `syncro_customer_id: 152567`)
## Onboarding Findings (2026-06-29 baselines)
### MJ-PARALEGAL — RED (2 critical / 4 warning)
- **[CRITICAL] Firewall OFF on Private + Public profiles** (`Domain=True` only). Exposed to inbound /
lateral attacks on the local network. Re-enable all profiles.
- **[CRITICAL] E: drive 0% free** (0 GB of 255.6 GB). Risk of failed updates, crashes, corruption.
Find what is filling it (likely data / scanned docs) and clean up or expand urgently.
- [WARNING] BitLocker off on C: · 2 pending Windows updates · 1 unexpected shutdown in last 14 days ·
6 auto-start services stopped (Asus/Lenovo/Google updaters + Intel TPM provisioning — mostly benign,
but note Lenovo *and* Asus services on the same box suggests image/hardware churn).
- DNS server set to **172.16.132.1** on a 192.168.1.x LAN — anomalous (looks like a stale/foreign
resolver, possibly a leftover VPN/management DNS). Verify and correct to the local gateway/ISP DNS.
- Local admins: `Administrator`, `localadmin`, `Paralegal`.
### DESKTOP-GG4LKSL — AMBER (0 critical / 5 warning)
- [WARNING] BitLocker off on C: · 4 pending Windows updates · D: 14.6% free (68.1 GB of 465.8 GB) ·
1 unexpected shutdown in last 14 days · 3 auto-start services stopped (Google updaters + Intel TPM).
- Note: C: is the large/healthy volume (690 GB free of 930 GB); **D: is the low one** — confirm which
volume holds working data before cleanup.
- Windows Time source is **time1.aliyun.com** (Alibaba NTP) — unusual; reset to a standard pool
(`time.windows.com` / `pool.ntp.org`).
- Local admins: `Administrator`, `Localadmin`, `owner`.
### Common to both
- No BitLocker (workgroup, no escrow target — would need manual key storage / vault).
- No backup agent on either machine — **no backup coverage confirmed.** For a law office this is the
biggest gap; confirm whether anything (cloud sync, manual) protects the working files.
- Defender-only AV, firewall (GG4LKSL all-on / PARALEGAL needs fixing), SMBv1 off — baseline security
otherwise reasonable.
- ACG remote tooling present and expected: ScreenConnect on both; Splashtop + Syncro agent additionally
on MJ-PARALEGAL. No competitor/foreign RMM agents detected.
## Syncro
- **Customer:** Michael Johnson, id `152567` (since 2013-12-04). Break-fix, no prepaid block.
- **Open ticket:** #32477*Onsite - Check machine connections and printers.* (New)
- **Recent relevant:** #31768 *Recovered Paralegal Machine and Win11 Upgrade* (Invoiced) — origin of the
current MJ-PARALEGAL build; #32329 *Calendar issues* (Resolved).
- **Recurring ticket themes** across ~50 tickets: printer setup/offline errors, Outlook<->Google
calendar sync between Michael & Crystal, "can't access shared files", mice failing after power
outages, WordPerfect/Seabill hangs, new-machine builds.
## Patterns & Known Issues
- **Two-person peer-to-peer office.** Everything is workgroup + shared files between Michael's and
Crystal's PCs. Shared-file and calendar-sync breakage is the single most common call — there is no
server, so a machine being down/offline breaks the other's access.
- **Mail is Google, not M365.** Do not reach for the ComputerGuru M365 remediation suite here — Outlook
is configured against a Google account. Google storage/billing has caused outages historically.
- **Power-outage sensitivity.** Multiple "mouse/peripheral dead after a power outage" and
"machines went down" tickets — no UPS protection documented; a UPS on each machine would cut repeat
emergency calls.
- **Backups unverified.** No backup agent on either workstation. For a legal practice's working files
this is the top risk to close.
- **MJ-PARALEGAL E: full + firewall off** are the two immediate must-fix items from onboarding.
## Active Work / Open Items
| Priority | Action | Owner | Notes |
|---|---|---|---|
| P1 | Re-enable firewall (Private + Public) on MJ-PARALEGAL | Howard | CRITICAL onboarding finding |
| P1 | Clear/expand E: on MJ-PARALEGAL (0% free) | Howard | CRITICAL; identify what's filling 255 GB |
| P1 | Establish/confirm backup coverage for both PCs | Howard/Mike | No backup agent on either; law-office data |
| P2 | Fix anomalous DNS (172.16.132.1) on MJ-PARALEGAL | Howard | Should be local gateway / ISP DNS |
| P2 | Onsite #32477 — check machine connections + printers | Howard | Open Syncro ticket |
| P2 | Install pending Windows updates (4 on GG4LKSL, 2 on PARALEGAL) | Howard | Next maintenance window |
| P3 | Free space on GG4LKSL D: (14.6%) | Howard | Confirm which volume holds data first |
| P3 | Reset GG4LKSL time source off Alibaba NTP | Howard | Use standard NTP pool |
| P3 | Evaluate UPS for both machines | Mike | Repeat post-outage peripheral failures |
| P3 | Consider BitLocker (with key escrow) | Howard | Both unencrypted; workgroup needs manual key storage |
## Backlinks
- [[projects/gururmm]] — DESKTOP-GG4LKSL + MJ-PARALEGAL enrolled (site: Main / BRIGHT-RIVER-8998)


@@ -2,13 +2,14 @@
type: client
name: rednour
display_name: Rednour Law Offices
last_compiled: 2026-06-02
compiled_by: DESKTOP-0O8A1RL/claude-main
last_compiled: 2026-06-29
compiled_by: HOWARD-HOME/claude-main
sources:
- clients/rednour/reports/2026-05-31-onboard-and-rename-emma-to-carla.md
- clients/rednour/reports/2026-06-01-carla-password-set.md
- clients/rednour/reports/2026-06-02-carrie-emma-display-name-stale-pin.md
- clients/rednour/session-logs/2026-06-02-session.md
- clients/rednour/session-logs/2026-06/2026-06-29-howard-legalasst-zip-hang-wp5-win11.md
- session-logs/2026-05-31-mike-rednour-and-claudetools-infra.md
- clients/rednour/onboarding-baselines/FRONTDESKRECEPT-20260529T195614.md
- clients/rednour/onboarding-baselines/LEGALASST-20260529T200647.md
@@ -183,6 +184,44 @@ Created a dedicated standard local account **`nick`** on REDNOURCARRIEVI (Passwo
Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Documents tree exceeded the RMM command timeout (twice), and since stdout is dropped on timeout a randomly-generated password was lost each time — generate passwords locally so they survive a timeout (logged to errorlog).
### 2026-06-29 — LEGALASST (legal assistant / "Emma") explorer hang on .zip + WordPerfect 5 save error; Win11 upgrade planned
**Operator: Howard Enos** (reported via Carrie). The legal assistant's workstation
**LEGALASST** (Carla Skinner's box; active local account `emma`, profile `C:\Users\Ale`,
OneDrive `carla@rednourlaw.com`) repeatedly hung explorer when opening files. Diagnosed live
over GuruRMM (agent `18825ea7-df58-47bb-b492-822cb16fb5ec`).
- **explorer HANGS, not crashes** — AppHang Event 1002 (no Event 1000 / faulting module);
~10 in 3h on 2026-06-29, continuing after a 10:52 reboot.
- **Root cause: the built-in Windows Compressed Folders handler** (explorer's zip-as-folder
namespace). Symptom narrowed to **opening `.zip` only** (Word/PDF/folders fine), and the
failing zip is **local (desktop)** — not OneDrive, not a network share. `zipfldr.dll` is
intact + validly signed, so the hang is environmental, not a corrupt handler DLL.
- **Ruled out:** Adobe shell extensions (blocked/tested via the Microsoft `Shell Extensions\
Blocked` list, no change, reverted); AMD Vega driver (only non-MS DLLs in explorer, but
zero TDR events); OneDrive (overlay not even loaded, sync healthy); remapped drives X/Y/Z →
`\\rednourcarrievirt` (Status OK, SMB healthy); `.NET Runtime 1022` "profiling API attach"
(201 events but no `COR_PROFILER` set — benign noise).
- **SFC** (run by Howard) found and repaired corruption (0 unrepairable) — repair pending a
reboot to load.
- **Workaround:** Howard installed **7-Zip 26.02** (`C:\Program Files\7-Zip\7zFM.exe`); it
opens the zips fine (bypasses explorer's zip namespace). Howard to set 7-Zip as default for
`.zip` (and `.7z`/`.rar`, currently unassociated). `.zip` had no UserChoice; 7-Zip only
registered a `7-Zip.iso` ProgId on install.
- **Second issue (same machine): WordPerfect 5 "not enough free space" on save** regardless
of save location, despite Howard verifying ample free space. Leading hypothesis: legacy/
DOS-era WordPerfect free-space miscalculation on large-capacity volumes (free-space value
overflows → false "disk full"). App-level; **the OS upgrade will not fix it**. Mitigate via
DOSBox or a SUBST'd small-capacity save target. Exact WP version/edition (DOS 5.1 vs
Windows) to be confirmed.
- **Plan: upgrade LEGALASST to Windows 11** — expected to resolve the zip-handler hang by
rebuilding the shell/system files (also applies the SFC repair). Verify by opening a local
`.zip` with the *built-in* handler post-upgrade. If the hang persists, next lead is Defender
archive-scan + cloud (MAPS) lookup stalling the shell.
All diagnostic changes were reverted (Adobe/7-Zip Blocked-list test entries removed; an
orphaned RMM diagnostic process killed) — the box was left clean.
## Patterns & Known Issues
- **EWS required for personal contact work.** No app in the ComputerGuru suite holds `Contacts.Read` or `Contacts.ReadWrite` on Graph. Personal contact folder reads and modifications must go through EWS (`full_access_as_app` on the Exchange Operator SP with `ExchangeImpersonation`).
@@ -194,6 +233,18 @@ Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Docum
- **macOS RMM agent won't run on Apple Silicon if unsigned.** The site-code installer serves an unsigned aarch64 binary; Apple Silicon SIGKILLs unsigned Mach-O. Until the server publishes a signed/notarized build (`build-macos-signed.sh`), Apple Silicon Mac enrollment fails (blocks Nick's Mac; same root issue likely affects Scileppi's Mac).
- **LEGALASST and REDNOURCARRIEVI are on Win 10 22H2 (EOL).** No security updates since 2025-10-14. Plan OS upgrade to Win 11 or Win 10 newer build.
- **REDNOURCARRIEVI: Defender was off at onboarding.** Confirm it has been re-enabled; it is a critical finding.
- **LEGALASST: built-in Compressed Folders handler hangs explorer on `.zip` open.** Local zips;
Word/PDF fine. `zipfldr.dll` intact (environmental, not a corrupt DLL). AppHang Event 1002,
no faulting module. Workaround = 7-Zip as default for `.zip`. Win11 upgrade planned to
resolve. If it persists post-upgrade, suspect Defender archive-scan + cloud (MAPS) lookup
stalling the shell. To test-disable any shell extension reversibly, add its CLSID to
`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked` (delete to restore).
- **LEGALASST: WordPerfect 5 "not enough free space" on save** despite verified free space and
regardless of save location. Likely legacy free-space overflow on large-capacity volumes;
**OS upgrade will not fix it**; mitigate via DOSBox / SUBST small-capacity drive. Confirm WP
version/edition.
- **`.NET Runtime 1022` "profiling API attach" errors are noise** unless a `COR_PROFILER` env
var is actually set — do not chase them as a hang cause.
## Active Work / Open Items
@@ -202,6 +253,9 @@ Operational note: PowerShell `Set-Acl` ACL propagation down Carrie's large Docum
| P1 | Re-enable Defender on REDNOURCARRIEVI | Howard/Mike | Was off at onboarding 2026-05-29; confirm current state |
| P1 | Remove prior MSP agents (ScreenConnect, Splashtop, Syncro, Datto RMM) | Mike/Howard | Present on all 3 machines; Datto RMM on REDNOURCARRIEVI only |
| P1 | Upgrade LEGALASST and REDNOURCARRIEVI to a supported OS | Mike | Both on Win 10 22H2 (EOL 2025-10-14) |
| P1 | Upgrade LEGALASST to Windows 11 | Mike/Howard | 2026-06-29: expected to resolve the explorer-on-.zip hang (rebuilds shell/system files) + applies pending SFC repair. Pre-reqs: enable fTPM + Secure Boot (Ryzen 3 3200G is Win11-supported), bump RAM from 5.9 GB, remove leftover Syncro agent. Test a local `.zip` with the built-in handler post-upgrade |
| P2 | LEGALASST: WordPerfect 5 "not enough free space" on save | Howard | 2026-06-29: error on save regardless of location; ample free space verified. Likely legacy free-space overflow on large volume; OS upgrade will NOT fix. Mitigate via DOSBox / SUBST small-capacity drive; confirm WP version/edition |
| INTERIM | LEGALASST: set 7-Zip as default for `.zip`/`.7z`/`.rar` | Howard | 2026-06-29: 7-Zip 26.02 installed as workaround for the built-in zip-handler hang; set defaults via 7-Zip GUI (Tools -> Options -> System) |
| DONE | Shared-drive access for Nick Pafford | Howard | 2026-06-25: created local `nick` account on REDNOURCARRIEVI; `Documents` share = Change + NTFS = Modify; cred vaulted `clients/rednour/nick-smb-rednourcarrievi.sops.yaml`; Nick's Apple Silicon Mac mounts `smb://192.168.10.194/Documents` |
| P1 | Fix GuruRMM macOS agent install on Nick's Apple Silicon Mac | Howard/Mike | 2026-06-25 install failed. Likely cause: served aarch64 binary is **unsigned** -> Apple Silicon SIGKILLs it. Fix: serve the signed+notarized binary (`agent/build-macos-signed.sh`, Mike's Developer ID) or ad-hoc `codesign -s -` in the installer. Confirm with Mac log (`killed: 9`). Deferred (limited ScreenConnect session only) |
| P2 | Return visit: phone + printer setup at Rednour | Howard | 2026-06-25: pending; may require running a new wire / installing a switch |


@@ -1,6 +1,6 @@
# Wiki Index
Last updated: 2026-06-26
Last updated: 2026-06-29
Compiled by: HOWARD-HOME/claude-main
This wiki is LLM-maintained. Do not edit articles manually — run `/wiki-compile` to update.
@@ -58,6 +58,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks.
| [Universal Minerals International](clients/universal-minerals.md) | Minerals/commodities, Tucson AZ; Syncro 34844920; **break-fix, no prepaid/RMM**; CyndyOffice (HP Pavilion TP01, Win11 Home, QuickBooks Enterprise 22.0) intermittent hard-freeze (Kernel-Power 41, no dump = hardware/firmware) — BIOS F.38 + Fast Startup off + memtest passed 2026-06-10, PSU prime remaining suspect; QB messaging crash-loop repaired; ticket #32397 monitoring; temporary diagnostic RMM agent removed same-day | 2026-06-10 |
| [Putt Land Surveying](clients/putt-land-surveying.md) | Land surveying firm; Syncro 7180175; managed services $223.92/mo; 7 devices; M365 direct (8 mailboxes, cloud-only, 2x Basic + 5x Premium); **DNS wipe 2026-06-09** — all records deleted (MX, SPF, autodiscover, A), email+website down; GoDaddy domain in client's own account (no ACG control); ticket #32404 Waiting on Customer; remediation tools onboarded 2026-06-10 | 2026-06-10 |
| [Gonzvar Tax Services](clients/gonzvar-tax-services.md) | Tax services firm; Syncro 1830740 ("Gonzvar Tax Service", break-fix, ~$175/hr); 6 machines in GuruRMM (GTS.local AD, 2 servers + 4 workstations); open security findings from 2026-06-06 onboarding baseline; QuickBooks RemoteApp + Tailscale VPN pending | 2026-06-12 |
| [Michael Johnson (Law Office)](clients/michaeljohnson.md) | Solo legal practice (inferred — WordPerfect/Seabill, paralegal), Tucson AZ; Syncro 152567 (since 2013), break-fix, no prepaid; mail on Google (not M365); 2-person peer-to-peer workgroup (Michael + Crystal); GuruRMM onboarded 2026-06-29 (site Main, BRIGHT-RIVER-8998) — DESKTOP-GG4LKSL (AMBER) + MJ-PARALEGAL (RED: firewall off + E: 0% free); no backup agent on either; open #32477 onsite printers | 2026-06-29 |
| [Tohono O'odham Nation DoIT](clients/tohono-oodham-doit.md) | Tribal government IT dept; Syncro 33069069; Starlink reseller client — 2x Check Point 1550 field sites on Starlink Roam (CGNAT); break-fix $175/hr; VPN design (IPsec vs Tailscale) pending | 2026-05-27 |
| [Tucson Golden Corral](clients/tucson-golden-corral.md) | Restaurant (Tucson AZ); Syncro 3859123; prepaid block 12.75 hrs; email on Neptune Exchange; WS2016 single-box DC/RDS/Hyper-V/SQL + Sage 100 ERP (TGC-SERVER colocated at ACG main office); architecture concerns outstanding | 2026-05-26 |
| [Russo Law Firm](clients/russo-law.md) | Tucson law practice; Syncro 23331699; managed $543.50/mo (GPS+AV+backup+Seafile hosting+Office) + OIT phone $45.44/mo; 12 prepaid hrs; M365 rrs-law.com (~3 seats, admin guru@ vaulted); **active pre-sales 2026-06: wants to move ~6.5 TB from Seafile to SharePoint — full live move ~$1,120/mo (~$13.4K/yr), recommend hybrid (SP Online working set + Seafile bulk); phone meeting pending, client not yet responded** | 2026-06-15 |