Win OS – Error – “Certificate for local system with Thumbprint is about to expire or already expired”


Want to quickly deal with a MS Windows Error.

The error is logged in the Event Viewer and it reads :-

Certificate for local system with Thumbprint is about to expire or already expired.

Event Viewer

Windows Logs



List Events


  1. Log Name :- Application
  2. Source :- CertificateServicesClient-AutoEnrollment
  3. Event ID :- 64

Trouble Shooting



  1. Issue Directory command against local machine’s certificate repository
    • Specifically check machine, not services nor user
  2. Return Sorted By
    • Display the following fields
      • Subject
      • Thumbprint
      • Expire Date



Set-StrictMode -Version Latest


Write-host "Certificates in Local Machine Store"
Write-host "==================================="

dir cert:\LocalMachine\my | Sort-Object NotAfter | Foreach-Object `

		$log = "{0}" -f $_.subject;
		Write-host $log

		$log = "`tThumprint :- {0}" -f $_.thumbprint;
		Write-host $log

		$log = "`tExpiry Date :- {0}" -f $_.NotAfter;
		Write-host $log






We can see that one of our certificates expired at 5 AM this morning.

Event Viewer – Error – “MMC cannot open the file C:\Windows\system32\eventvwr.msc”


On one of our MS Windows Systems, I  have been Unable to use Event Viewer.


Error Image


Error Text

MMC cannot open the file C:\Windows\system32\eventvwr.msc.



  1. Launch Microsoft Management Console ( MMC.exe) shell
    • mmc.exe
  2. In new empty shell
    • Add Event Viewer SnapIn
      • From the “Available snap-ins”
        • Select “Event Viewer”
      • Click Add Button
      • SnapIn should appear under “Selected Snapins”
    • Save Console
      • Save Console under a new name
  3. Launch new MMC Console
  4. Once happy
    • Once happy, return to MMC and overwrite original Event Viewer


New Empty Shell


Select Computer


Add or Remove Snap-ins


Save SnapIn

Save SnapIn – Save As – 01


Save SnapIn – Save As – 02


BFGuard – Day 2


In this post we actually start BFGuard and try to connect to the host from other workstations.


Target OS

Here are the Windows OS that we will use for this exercise:

  1. Server
    • Windows Server 2012 R2
  2. Client
    • Windows Server 2012 R2
    • Windows 7

What we saw

BF Guard

BF Guard – Application

Scenario – After 1 failed Login

BF Guard – Application – Statistics

  1. ip
    • Count :- 1
    • Date :- 2016-06-15 15:34:13
      • Time in GMT, not local time


Scenario – After Numerous failed Logins

BF Guard – Application – Statistics

  1. ip
    • Count :- 7
    • Date :- 2016-06-15 16:47:18
      • Time in GMT, not local time


BF Guard – Application – Log entrys

  1. @ 2017-06-15 09:47:39
    • – Auto blocking IP: for: 54864000 minutes


BF Guard – Application – Blocked IP

  1. IP Address
    • IP Address :-
    • From :- 2017-06-15 09:47:39
    • To      :- 2017-06-15 10:47:39
    • City    :- Blocked


OS – Windows

Windows Logs

Windows Logs – Security

Windows Logs – Security – Filter

Here we filter for “Audit Failure“.

Windows Logs – Security – Logs

And, here are the events captured.


Windows Logs – Security – Log – Detailed

Windows Logs – Security – Log – Detailed- Event ID = 4625


  1. Subject
    • Security SID :- NULL SID
      • Since account that we entered to login in under is not known to the targeted computer or Active Directory, we get “NULL SID
    • Logon ID :-  0x0
      • Again, unknown Logon ID
  2. Logon Type
    • Our Logon Type is 3
      • Logon Type = 3
        • Network
  3. Account for which Logon Failed
    • Security SID :- NULL SID
    • Account Name :- bobsmith
    • Account Domain :- LAB
  4. Failure Information
    • Failure Reason :- unknown username or password
    • Status :- 0xC00006D
    • Sub Status :- 0xC0000064
  5. Process Information
    • Caller Process ID :- 0x0
      • Remote Caller Process is not known
    • Caller Process Name :-
      • Remote Caller Process is not known
  6. Network Information
    • Workstation Name :- ASTSQL01
    • Source Network Address :-
      • Network Address not passed in
    • Source Port :-
      • Network Port not passed in
  7. Detailed Authentication Information
    • Logon Process :- NtlmSsp
    • Authentication Package :- NTLM
  8.  Summary
    • Log Name :- Security
    • Source :- Microsoft Windows security
    • Event ID:- 4625
    • Task Category :- Logon
    • Keywords :- Audit Failure
    • Computer :- Host attempted for logon


OS – Windows Firewall

Reviewed server’s Windows Firewall to see how it is configured for “Remote Desktop“.



  1. Remote Desktop configured as:
    • Domain :- Yes
    • Home/Work :- Yes
    • Public :- No
    • Group Policy – Yes



Unfortunately, Windows was not able to capture the incoming IP Address.

BF Guard was thus unable to read the IP Address from the Windows Logs.

Because of this inability, it is not able to re-configure the local Windows Firewall and have it start blocking the Source IP Address.


BFGuard – Day 1


Googled online to identify steps to take for securing MS Windows Terminal Services.

One of the tools mentioned is BFGuard.


What is BFGuard?

BFGuard stands for “Brute Force Guard”.

How does it work?

It principally monitors the local machine’s event log.  The relevant log file in this case is the “Security Log“.

Upon finding entries that indicate failed logins correlative data is gathered.  Obvious correlative data includes username and IP Address.

Once the configured maximum number of failed attempts are reached the specific IP Address is blacklisted.


Please download the free tool from here.

Screen Shots Please

Log Entries


Blocked IP







From the screen shots here are the functionalities offered:

  1. A listing of “Blocked IPs
  2. Ability to whitelist specific IP Addresses
  3. Statistics on each connected IP Address



Wanted to introduce the product.

In the days ahead we will revisit and update our post.

Technical : Microsoft – Event Log / Event Viewer – Query via PowerShell

Technical : Microsoft – Event Log / Event Viewer – Query via PowerShell


After my fiasco of not paying attention to my Event Log, I need a quick way to aggregate Event Log entries and here is what I came up with through curating Google web postings.


# PowerShell example which groups event then sorts in descending order.

$logName = "System"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

Write-Host "Log Entries since $dateNDaysAgo"

Get-WinEvent -Logname $logName  | `
where-object { $_.timecreated -gt $date  -and $_.levelDisplayName -in "Critical", "error", "warning" } | `
Group-Object ProviderName, levelDisplayName, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto




And, yes I have too much time on my hands, and not enough brains; as I need Splunk, Nagios, or System Center.


Addendum – 2014.01.20

Tried the code above on an MS Windows Vista Machine, but unfortunately it failed.

The original code was developed and targeted an MS Windows 2012 box.

The error message we got on the Vista box read:

You must provide a value expression on the right-hand side of the '-' operator.
At C:\temp\eventvwr.ps1:16 char:68
+ where-object { $_.timecreated -gt $date  -and $_.levelDisplayName - <<<< in "
Critical", "error", "warning" } | `
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : ExpectedValueExpression

To Correct:

# PowerShell example which groups event then sorts in descending order.

$logName = "System"

#get date
$dateCurrent = Get-Date

#For the Week
$NDays = -7
$dateNDaysAgo = $dateCurrent.AddDays($NDays)

$logLevel = @("Critical", "Warning", "Error")
$logLevelCritical = "Critical"
$logLevelWarning = "Warning"
$logLevelError = "Error"

Write-Host "Log Entries since $dateNDaysAgo"

Get-WinEvent -Logname $logName  | `
where-object {   ($_.timecreated -gt $date)  `
                 -and ( `
                       ($_.levelDisplayName -eq $logLevelCritical)  `
                   -or ($_.levelDisplayName -eq $logLevelWarning)   `
                   -or ($_.levelDisplayName -eq $logLevelError)     `
                      )  } | `
Group-Object ProviderName, levelDisplayName, ID | `
Sort-Object Count -descending | `
Format-Table Count, Name -auto


Event Log


Mac OS/X – Reading Microsoft Windows Event Log file (*.evtx) files


As always, it is one inter-operability problem or another.

I need to send Windows Event Viewer Log files (*.evtx) to a colleague whose primary work computer is a Mac OSX.


So what to do, tried using the App Store.

App Store - evtx

But, got no help.

Next goggled for help.

Found a gem in:

Cross-platform Windows Event Log viewer

which led me to :

Windows Event Log Viewer (evtx_view)

tried to install the version for OSX (evtx_view.v.0.69.osx.tar.gz), but the system barked at me, that I needed X11 server and client libraries for OS X Mountain Lion.

Which in turn led me to XQuartz project: Link. You should use XQuartz version 2.7.2 or later.

So please go ahead to and download XQuartz-2.7.4.dmg.

X Quartz

Thanks goodness that the version# is part of the dmg file’s name.  And, that version# is 2.7.4.  We needed at minimum a 2.7.2 and so this particular version should be sufficient.

Install XQuartz-2.7.4.dmg

The install base is quite big; about 200 MB.

XQuartz 2.7.4 Installer

So this installs several utilities, including:

  • An XWindows sub-system (that allows Unix type applications to be used on a Mac)

When we tried running the App (evtx_view):


We received an error message stating:

FXApp::openDisplay: unable to open display :0.0

So what to does that error mean. Goggled and shouted for help and was able to determine that Xwindows needed to be installed and running.

To initiate an X-Windows Session, the best help I found are:

Installing FXRuby on OS X (Matthew Bass)

You should see an error message that looks something like this:

FXRbApp::openDisplay: unable to open display :0.0
It means your X11 terminal isn’t running. You can find it in /Applications/Utilities. Double click to launch. If you roll with Quicksilver, you should be able to type in X11 and launch it that way. Once launched, run the Ruby script again and you should see a tiny window with the title “Hello World.”

But, since X Windows support on Mac is now an Open Source project, you want to look for /Applications/Utilities/XQuartz


Once XQuartz is running, please go back and run evtx_view


And, you should now see a running XApp App.

EventLog viewer

And, yes we are able to read MS Windows Log Files on Mac OS/X via this free rool evtx_view.  But, I am a bit put-back that the visually it is a bit lacking.

But, that only means that the data format is XML or at least published and well understood and that the display just needs to be worked-on.


  • Cross platform Windows Event Log Viewer
  • Event Log File Viewer
  • About X11 and Mac OS
  • XQuartz
  • How to run X 11 apps on the Mac
  • Using X11 in Mountain Lion