Czur scanner, scanning with Linux

Czur currently doesn't have Linux software to go with the new scanner. But like the Mac, the scanner is a UVC device and can be used by Linux. Ucview can capture images from a UVC device. The command line convert from Imagemagick can be used to turn multiple images into a single PDF.

Figure 1. USB attached UVC device

Figure 2. lusb recognized UVC device

Figure 3. Ucview

Figure 4. Ucview + Save image  > capture

To combine the jpeg images into a single PDF file requires one of many possible command line tools.

Imagemagick is an old standby on many distributions:

$ convert Image*.jpg New.pdf

What is very useful in this experiment is to see the "difference" the 2D and 3D curve correction makes when post processing the images.

PDF of images captured with Linux

Again an SDK with the USB commands for invoking various features could be turned into a workable driver for VueScan or a SANE native driver to support many paths to eDocuments.

note: Cheese on Linux is often used in place of Photobooth on OSX, but it has a bug on many Linux distros in that it does not accept resolution settings from the command line or a convenient static file. Thus it fails to connect to the Czurtek video device created by the kernel on discovery. Camorama works. But these are probably well know paths to many people.. just throwing the information out there for people.

note: This demonstration was conducted on a RHEL6 install. It should work similarly on CentOS6 or Scientific Linux, Debian, Ubuntu and many others.


Czur scanner, scanning with a Mac

Czur currently doesn't have Mac software to go with the new scanner. But the scanner is a UVC device. Photobooth on  OSX can capture images from a UVC device. The clipboard can then be used to open the images in Preview, which can be edited in Print Preview and saved as a PDF file.

Figure 1. USB attached UVC device

MacMost Now 872: Using Your MacBook As a Scanner

Figure 2. Photobooth.app + cmd + opt + t  > capture

Figure 3. shft +click > multi-select

Figure 4. Preview.app + New from Clipboard

Figure 5. File + Print + PDF v + Open PDF in Preview

Figure 6. v Single Page + < Rotate+ < Rotate

Figure 7. File + Save > Save As > Format PDF

UVC control programs exist for the Mac which could better size the resolution of the scan, the lighting, contrast and other attributes specified by the UVC device specification.

This is just one option.

Photobooth could be used exclusively to capture images and the results further processed in ScanTailor, GIMP or some other post processing program.

VueScan or ExactScan would be the best option.

VueScan leverages their platform to support the same scanner across all three Windows, Mac and Linux.. once that supports the Czurtek scanner it will be very adaptable.

What is very useful in this experiment is to see the "difference" the 2D and 3D curve correction makes when post processing the images.

PDF of images captured with a Mac

It is only a "guess" however I suspect the  2D and 3D curve corrections take place inside the Czur scanner before uploading the image. The [Original] setting on the images within the PC software restore the image to its original state as sent by the scanner. If this is true then there is a USB command which tells the scanner when to scan and submit a "corrected" image. Which means the same could be done for a Mac program or tool to retrieve corrected images.

This command set would make a great SDK to submit to Hammrick software for their VueScan product, since they could then make a first class scanner driver relatively quickly.

The current Czur Software is a combined [acquisition/capture] tool and [post processing] tool and [binder] tool. VueScan could accomplish the same thing as the first tool step. Then the original Czur software used to perform the last two steps, since it will Import folders of previously scanned images.


Czur scanner, USB capture to the PC

Three videos covering the unboxing, software install, setup and user interface explorations have been uploaded to YouTube.

These are not tutorials, but "first person" new user experiences. These are what a user might experience themself. They are not concise. They are musings and guesses, and stumblings about.

Video 1. Unboxing and Assembly

Video 2. Download, Install, 2D capture

Video 3. 3D capture, OCR, PDF, fingertip removal

I believe as a result of these I can see the potential and describe a possible workflow.

The user interface controls are [not common] and I will be sending feedback to the software authors to hopefully encourage changes that will improve the first time user experience.

But its been my experience that over time people tend to become accustomed to a user interface (good or bad) and are not pleased when it changes too much or too quickly.. basically we learn to accomodate, and dislike change [especially while we are learning to accomodate].

I think the best path forward is to determine a path to accomplish a goal and then explain and demonstrate a clear path, so others can follow.

A few key discoveries are that the neck of the device has a set of three "Laser guidelines" which are projected [only] when capturing images in 3D capture mode. In 2D capture mode they are not activated. Possibly this is because the 2D algorithms for de-warping can work with a foreshortened image with a static correction, and then straighten images and text using straight line detection.

The 2D capture is pretty good and subtle.

The 3D capture is also really good at "flattening" the images and removing the depth or Z-Axis distortion introduced by the curvature of a bound book bent back against the natural curve of its spine. This is a useful feature because often the integrity of the book does not allow its disassembly for scanning. A non-destructive scanning method will be used much more often since the book is not damaged or destroyed in the process. And its much more convenient since preparation for scanning is minimal.

This also means a cradle and a platten for "pre flattening" the image is not necessary, minimizing the work area needed and the supplementary equipment on hand, such as a cradle. The result is that although the angled overhead scanning unit is cumbersome, its not entirely non-portable.

As shipped its comes in a very small box, but its easy to imagine a pelican case or some type of otter box might exist which could hold the assembled unit and be made ready for transport.

My impression with the build quality is somewhat middle of the road between inexpensive and high quality. It is sturdy, but its is made of plastic. It has a silky rubberized touch finish which makes it easy to grasp and prevents awkward light reflections which might interfere with an image scan.

Since the scanning head does not move, and the guide lines are fixed, there are no moving parts, which means there is less to break down and virtually no consumable items like rollers, gears and motors which could fail over time. No electronic device is perfect and all have a life cycle in which they are practical and usable, before being superceded by something else or something better.

All electronic devices can fail, but the unit makes use of LED and semiconductor Lasers, it has ample head vents to dissipate heat from the main circuit board. There does not appear to be any type of fan to blow air across the board (it is passively cooled), so it is completely silent. Unlike other scanners, it makes no "click" no "whir" -- no sound at all. There are occasional "beeps" and feedback from the USB PC capture software on the personal computer but all of those are completely within the control of the user.

The document or media being scanned does not need to be moved during the scan, and unlike v-shaped cradles and glass the only user intervention with the media is positioning and turning the page. And to position the page the overhead scan unit has a full color LCD panel with a "live" realtime display of what is placed in its field of view. Even if you used a cell phone as an image acquisiton and capture device, it is not usually optimized for that purpose and aligning the optics can be problematic. The Czur is preset and knows how far it is from it field of view.

The USB PC capture software also produces a full color live preview of what is in its field of view.

Scans in the various capture modes can be triggered from the PC capture software by clicking on a camera icon, or by triggering a capture from the Czur scanner itself, there are two USB ports on the back. One of USB Type-A for connecting a USB cable to the PC. One of a USB Type-B for connecting one of several types of triggering devices. As ordered my scanner came with a hand button and a foot button or "pedal".

The hand button enabled me to trigger a capture while standing at the unit and to prove that repeatedly clicking the button as fast I could would cause a dual indicator on the live overhead scan head LCD panel to show images buffered and total images captured. The buffered images are stored within the overhead scan head unit until it can offload the images to the PC. There is at least 1 GB of storage to hold these buffered images. That is 1000 MB. The average image size is 3 to 4 MB, so that would be somewhere in the 500 captured image range. But even at its slowest across USB 2.0 (the standard used by the Czur scanner) it can offload those images faster than new images can be captured. I was never able to click faster than to build up a buffer of 2 to 3 images. And when I stopped capturing new images they quickly drained to the PC.

The interval between sequential page turing and captures appear to be as low as 1-2 seconds.

Image quality will of course depend on lighting conditions, and the profile selected for scanning.

Images can immediately be post processed to change the hue or gamut of the image, which is important since the LEDs lighting the field of view have a slight bluish tinge to them. By default the profiles include [original, seal, b&w] and a few others, with "tweaking" controls for brightness, sharpness and purity (saturation?) while examining an image. 

The post processing tools contain the usual, re-positioning, left and right rotation about the image center, cropping.

Binding includes the ability to perform OCR while also choosing to produce a PDF in portrait "single face" or landscape "double face" modes (1F or 2F) some would call these single document or multi document mode (a kind of openface or page layout mode).

OCR can also be performed directly on an image and used to create a Microsoft Word document which I have confirmed is in a compound document format (so microsoft office 2003 is not supported, only microsoft 2007 or above). It can also save the results to a Microsoft Excel document format.

For Mac OSX users there is not a PC capture program available yet, however there has been some mention of a future software package that supports Mac's or the TWAIN scanning standard.

I have connected the Czur to a Mac ..  when it was connected to a Microsoft Windows PC the device driver indentified the scanner as an imaging device with a USB universal video device.. which means OSX will probably identify and possibly work with it as an enhanced Webcam or Video input device.

That opens the possibility of using the Mac OSX (Preview) program as a "Stand in" for PDF document capture. The problem that will remain however is that it will not take advantage of the built-in features to assist in 2D and 3D de-warping of the image such as the Laser guidelines.

This is something I plan to test, albeit I have only an older Mac Mini 10.6 to test with on hand.. I may borrow a MacBook Pro soon to attempt this with a newer version of the OSX operating system.

I still have not removed the plastic film which covers several parts of the scanner.. and I wonder if it covers the optic lens. The film is obviously there to protect against scratches during manufacture and transport. But it also frequently causes webcam manufacturers to receive poor reviews as customers complain of out of focus images. -- mental note to be sure to remove the "film".

So far I have tested the HDMI presentation mode, and USB PC capture mode.. the remaining option is the WiFi capture mode.

WiFi capture mode involves creating an account on the Czurtek website and associating the scanner with my local WiFi subnet, to allow it to get on the internet. I'm somewhat concerned about this mode since I also noted it installed an Audio device driver on the Window PC when the USB PC capture software was installed.. why would a scanner need an [audio] device? Is it a microphone or speaker device?

Regardless testing the WiFi capture mode is next.

In theory scans captured in the WiFi mode will be uploaded to the Czur "cloud storage" account where they can then be accessed from other devices both on my local area network, or anywhere on the internet. While WiFi should be faster than the USB 2.0 standard for offloading images, it will also depend upon my ISP providers upload bandwidth, Czurteks server speeds, and then the entire download infrastructure to whatever device accesses it. This could be convenient, or somewhat problematic. Unless there are additional feature advantages to be had, the USB PC capture option may be the preferred mode of operation.


Czur scanner, a new eBook scanner

The Czurtek ET16 is an overhead scan platform that offers three modes:

HDMI presentation mode
USB image capture mode
Wi-Fi cloud upload mode

When no cables (HDMI or USB) are connected to the scanner it defaults to automatically booting into Wi-Fi cloud upload mode.

When a USB cable is attached to a Windows PC it defaults to USB image capture mode.

When an HDMI cable is attached to a display device it defaults to live video feed presentation mode.

It comes equipped with a laser augmented topographical scan system in its inner "neck" to automatically "map" the surface of any three dimensional objects put within its field of view. This information enables it to not only deal with 2D distortions in a plane, but also 3D distortions that rise out of a plane, such as occurs with bound materials like a manual or book.

It is notable that this scanner has [no] moving parts.

Unboxing consisted mostly of taking inventory of the accessories and then assembling the two piece overhead scan unit to its base. Then securing those with two self tapping screws and covering them up with provided rubber dots to conceal them.

HDMI presentation mode

It was relatively easy to experiment with HDMI mode, hooking an HDMI cable from the scanner to an LCD monitor produced a live image.
Tip! When the Black rubber or felt mat is placed below the scanner scan head it produces a completely dark and featureless background which the live video feed will faithfully reproduce on the LCD monitor. This can be disconcerting at first.. until you place an object or your hand in the field of the view and react to the stark and sudden contrast of the object from the featureless background.
Tip! You may experience the "Samsung Effect" if the HDMI input on your monitor is left to its default signal input settings. The Bias is to assume the HDMI input signal to an LCD monitor is degraded or of poor quality and to attempt to "Enhance" the HDMI input signal which produces "artifacting" and or "un-intentional aliasing" as well as distorting colors and saturation. [Be certain] that for any presentation monitor that the HDMI input signal is manually set for [PC or Digital] input signals.. as opposed to VCR or Blu-Ray or other lesser quality signals. Simply using manual controls to reduce the Sharpness and Color manipulation will unfortunately not overcome these "in-store" demo modes and biasing presets [built-in] to the modern LCD monitors and presentation devices. Consult the youngest member of the household or a regular [gamer] for advanced settings advice, before considering purchasing expensive HDMI cables. Beware! The default as unboxed from a store is to [distort] true digital video signals from PC devices when using an HDMI input on a monitor, this is the normal behavior for many vendors, not just Samsung. It is simply better understood in general by the public for Samsung products. Hence the honorarium.
The base of the scanner has a button for three different lighting levels by repeatedly pressing the button the light levels cycle between the three possible brightness levels. The Zoom [-] and Zoom [+] modes perform as one would expect to enlarge and reduce the field of view.

The overhead scan unit also has a full color TFT liquid crystal display which is also live at the time of capture and helps to position objects within its field of view.

USB image capture mode

Requires first downloading the software written for the Microsoft Windows PC operating system to a Windows 7 workstation and installing it. The software is not provided in the box and must be obtained from one of two possible download sites on the Internet. In general one site is located in Hong Kong, the other at another location more appropriate to an International user audience.

Tip! The download locations are generally both constrained by the rate at which they support downloading the user manual and software. The user manual does not take much time to download. The scanning software however is over 412 MB and can take from 45 to 60 minutes depending on both your bandwidth connection to the Internet and that of the server providing the download. Plan accordingly.

It is important the software be installed [before] connecting the scanner for the first time, so that alternative software drivers are not sourced and loaded by the Microsoft Windows Plug and Play device driver subsystem.. which can prevent the document scanning software from finding the Czur ET16 device upon start up.

Tip! If you do rush to connect the scanner to a PC and alternative device drivers are selected and loaded by the Microsoft Windows operating system. It may require some additional setup procedures to either manually remove the device drivers while the scanner is still connected, then shutdown the PC and disconnect the scanner.. so that the scanner software and device drivers can be installed [first], the scanner connected [after] the device drivers are present, and the scanner reconnected for [detecting] and loading the proper and specific drivers for the Czur scanner.

During installation the software asks for a [Serial number] which is a string of five groups of five digits each on the bottom of the scanner. There are two major strings of numbers, one just below the barcode the other offset closer to the edge and broken up into five groups of five digits each by hyphenation. The hyphenated string of numbers is the actual [Serial number] required by the software in order to install.

Tip! The [Serial number] font makes distinguishing some alphabetic and arabic numerals from one another difficult. A "numeral 1" may actually be the alphabetic character "I" for the capitalized version of the "9th" letter of the alphabet. Be aware of the possible problems in typing in the correct [Serial number]. Ironically choosing to use an OCR font (while not esthetic) would make reading the [Serial number] less error prone.
.. to be continued ..


document scanning and ebook scanning in particular involves a [four-step] process.

1. acquiring the scan images

2. conforming or "cleaning up" the image, this includes any image cropping, edge detection, re-orientation, centering, de-warping to "rectalinearize" or remove any two dimensional curves; or de-warping to "flatten" or remove three dimensional curves; contrast and brightness enhancements, saturation or desaturation, despeckling, de-noising and edge or sharpness enhancements and anti-aliasing - and any preset profiling customized for "purpose" such as OCR recognition or Esthetically pleasing photographic image optimization

3. OCR - "optical character recognition" or "tagging" or "indexing" an image for "search" functions in a compound document [like] a "PDF" which offers both the original image and a hidden or "layered" image index for locating words or images that are on a region of the page

4. final binding of the images or "pages" into a single document or ebook, either a single view "manuscript" for scrolling through, with an eReader, PDF viewer, ePub viewer or a multi view "open-faced" page layout or book view for simulating a true book experience and to optimize "skimming" pages for information without "deep diving" into content

Any one suite of "capture" tools for the purpose of creating electronic books tends to have its strengths and weaknesses. But also the "user" often fails to realize that "digitization" is currently no less difficult a task than that of the earlier Monastic authors of the documents that they preserved. It is part artform and part data management optimization.

To even get to the point at which all the choices that can be made, requires great captured media from the original material. And that requires a good scanner. The Czur ET16 is currently a very promising entry in the personal preservation and scanning category of devices.


Signing into Sophos Cloud via


The first page profers to download an install package, or email instructions to a user

Click to deploy protection agents on this device

Next choose a suite [Endpoint Protection]

note: the difference between client and server versions [Endpoint : Server] Protection

Then run the installer, shift rt-ck "Run As Admininstrator"

note: the premise version for agnet already installed

Runs compatibility checks

Summarizes results, and is ready to install

Performs a "Migration" installation

And completes

Dismissing web browser by clicking stylized [X] in upper corner

Reveals the Trial console with 23 days left

Dismissing notification by clicking Mint green [X] upper right

Refreshing shows an updated view

[Analyze] : [Alerts]

[Analyze]:[Logs & Reports]



[Manage]:[Mobile Devices]




[Configure]:[System Settings]



Palo Alto, running User-ID with a Managed Service Account

Palo Alto sells a firewall to allow or deny traffic based on network UserID. To get the UserID information an agent can be run in an isolated enclave with minimal permissions and restricted privileges. The existing documentation is somewhat minimal, here is how to do that.

Windows domains from 2008 and above have Managed Service Accounts.

These are restricted accounts which can be created for use on only one target workstation or server, and cannot be used for logon. Further they have "managed" hidden passwords of 230 digits which are automatically randomized and updated between the domain controllers and the target computer on which they run. The offical method of using them is by using active directory powershell module commands on a domain controller and on the target computer.

1. on a domain controller open a powershell, execute the cmd to create a standalone MSA
2. on a target computer, install the MSA hotfix to support password automatic updates
3. on a target computer install the RSAT remote admin tool kit, then the AD powershell module
4. on a target computer open a powershell, import the AD module, import the MSA standalone
5. add the MSA to the domain built-in "distributed COM users" security group
6. add the MSA to the domain built-in "Event log readers" security group
7. on a domain controller use wimmgmt.msc to grant the MSA, CIM allow permissions

note: membership in the [ServerOps] security group "is not required" for security log monitoring

The Palo Alto windows User-ID agent can be installed on anything from a Windows 7 workstation to a memberserver, but is very small and requires minimal resources. A small virtual machine (hyperv, vmware or virtualbox) would be appropriate.

1. Inbound Rules
2. Custom
3. All programs
4. Any port
5. Remote address: <vm hosting User-ID agent>
6. Allow traffic
7. Profiles all
8. Name: <TCP DCOM WMI CIM queries for User-ID agent>

note: its very possible "existing" (Windows Management Instrumentation) rules could be used

The User-ID agent comes as an executable installer, it must be Run As Administrator on the target computer. The actual runtime account will be changed to that of the MSA account after install.

The User-ID agent installer comes as two components; a GUI tool, for configuration, monitoring and debugging. And a standalone windows service to periodically fetch TCP DCOM enabled WMI queries of the Security Log for Logon information.

The UserID agent also hosts a service to provide User ID to IP mapping results to the Palo Alto firewall as both a push and pull service. The agent can both notify enumerated firewalls, and firewalls can periodically retrieve delta and full userid to ip mapping cache results.

Step 1 after install is to click the "Setup" dialog then click [Edit]

The list of settings from the original "summary grid" are grouped into tabbed pages and stepped through one set at a time.

The first tab is for the [Authentication] or User-ID account that will be used to connect to windows domain controllers. In this case it will be "pre-populated" with the account information of the user account used to install the User-ID agent software. Backspace and erase the information and fill in the [ User name for Active Directory] : with the MSA account information.

MSA accounts are always appended with a "$" dollar sign after they are created, if you forget the "$" dollar sign and attempt to save the account information a warning will appear saying [Account Not Found].

User-ID agent "requires" the "complete" formal UPN syntax when providing the MSA account, which may appear strange when compared to many sources that give examples of using an MSA account. The Down-Level Logon Name - DOMAIN\UserName syntax will not work, it will generate a complex error message when you attempt to save it. The MSA account username must be in the form:


MSA accounts do not require "passwords", the [Password] field should be left empty (it will be automatically populated by the windows subsystems as needed. The MSA password while populated cannot be revealed and should not be a concern, it is 240 characters long and stored only on the target computer for the account and on the domain controllers which are solely responsible for its security and management.

The next tab is for choosing the methods for obtaining User-ID information.

The first method is by "monitoring" the domain controller "Security Event Logs"

[v/] Enable Security Log Monitor

Enables a TCP/DCOM/WMI query to the CIM repository on one or more active directory domain controllers to return the Logon Events, which the User-ID agent parses for matching domain\username patterns and associated IP address information.

domain\username patterns [are the "only"] patterns which will match

username without the prefixed domain name for the domain controllers being monitored will not match and will be discarded, no entries for username:ip for plain "username" only Logon events will be recognized by the User-ID agent and will be dropped

There is no "default domain override" as in other areas or versions of this line of products

Each installed instance of User-ID agent can only monitor the active directory domain controllers for [one] domain, in a forest with multiple domains, multiple User-ID agents must be deployed.

This is most common with wap - wireless access points, or other remote access devices like switch ports which provide some type/style of radius authentication via active directory (ex. EduRoam) - in these cases the "last" tabbed group of options will active a Syslog listening service and regex pattern matching tool specifically for capturing username and ip address information which comes from sources other than active directory security logs.

Enabling a TCP/DCOM/WMI query only requires the default permissions and privileges granted to members of the the domain built-in security groups "distributed COM users" and "Event log readers".

"distributed COM users" are granted the ability to launch and active a process on a remote network computer from the local system

"Event log readers" are granted the SDDL permissions to invoke a query which can read the Security event logs on the domain controllers

The native service on the domain controller which receives the authenticated query and actually performs the search is the WMI service on the domain controller(s), which also requires permission for the User-Id agent MSA account to perform a query against the root/CIM objects which contruct the query and serialize and deserialize the results.

That is [all] that is required to read the Security event logs for Logon events.

The next option down

[_] Enable Server Session Read

Is "optional" and [requires] membership in the domain security group [Server Operators].

Periodically user workstations will connect to the shared domain [sysvol] on domain controllers to retrieve updated componets and changes to [domain group policies]. This is a temporary connection and does not persist, it is automatically disconnected after a period of time.

Enabling the [Server Session Read] method, instructs the User-ID agent to periodically connect to each domain controller and using WMI request a "list" of the username and ip addresses of filesharing "sessions" connected to the domain controller. These results are also added to the composite list of username to ip address information obtained from the first method.

Where conflicts arise, LIFO is applied.

Last in First Out - essentially the latest information takes precedence.

The last box contains an option to query the old Netware Directory service, if it is still in use for obtaining username to ip information. It is optional and isn't used that much anymore.

The next tab is for choosing [even more] methods for obtaining User-ID information, but not from the domain controllers, but the actual client workstations.

This requires every workstation on the domain to already be enabled for remote DCOM and WMI queries and/or to allow Netbios probing. (This is increasingly rare).

These methods have gained a bit of notoriety for propagating unauthorized software without the user or systems adminstration knowledge or authorization. They could be classified as [risky behavior]  today.

A client workstation could be fully protected and not enable these methods and yet having this [Client Probing] options enabled could still pose a risk to the security of your network.

By default these methods are [enabled] beware I would suggest you think about disabling them by default. At least until you are confident of your default firewall Ingres rulesets.. and consider the possible downsides -- really spend [a lot] of time considering the downsides.

The next tab is for setting the default timeout for expiring User-ID to IP mapping cache information. The cache does not change even when informed by a Security Log event that a user has Logged out. The username to ip mapping remains in effect until this timeout value for each entry has elapsed.

The next tab is for setting a TCP listening port for a Palo Alto firewall to contact and retrieve username to ip address mapping information

User-ID Service TCP port: 5007

And for enabling a TCP listening port for owner derived and provided scripts and program to proactively contact the User-ID agent and "upload" username to ip address information in json format for inclusion into the username to ip mapping cache.

User-ID XML API TCP Port: 5006

The check box is for confirmation of the intent to activate this "optional" upload service.

The eDirecttory tab is for obtaining username to ip mapping information from a Netware LDAP server.

The Syslog tab is for configuring a Syslog listening deamon process on windows, then parsers for general regex pattern matching for filtering username and ip address from syslog entries, or simplified regex pattern matching based on general pre and post delimeters surrounding  username and ip address information in log entries.

Once these tabs are complete, clikcing Ok enabled the Commit button, which write it to a pseduo xml configuration file in the home directory for the GUI tool and service binary.

Immediately below the configuration summary is the access control list for defining networks for which firewall can call from for u-to-p mapping information, or owner processes or scripts can submit from using the XML API service.

The "Discovery" dialog is for manually or automatically listing (or enumerating) [all] of the active directory domain controllers (or other types of servers) against which this User-ID agent will run its methods to obtain username to ip address mapping information.

The upper grid field is for the active directory (or other) server information. A good place to start is to click on [Add] and satisfy the interview requirements. Click Ok to enter the results and return.

The lower grid field is for naming (nominating) the IP address ranges for which username to ip mapping will be collected. By default it accepts [any], but the first include/exclude entry here results in an implcit [denied to collect username to ip address information] unless explicitly listed as included or excluded.

This provides as way of "mapping" some user to ip traffic while excluding others, in a logical or oversubscribed LAN situation. Some traffic may be passing through your network that is of a network management or sensitive nature that you do not want to map.

to review:

setup - lower grid is for [granting] access to Firewalls and XMLAPI uploaders to User-ID agent

discovery - upper grid is for [listing] servers to contact for username to ip address information
discovery - lower grid is for [listing] subnets to include or exclude from username to ip mapping

Before a Configuaration can be [Commited] after changing over to the MSA account the User-ID will run as in windows. You must grant that MSA account [write] permission to the directory in which the configuration information file will be written.

The file path is:

C:\Program Files (x86)\Palo Alto Networks

Open file explorer in windows and navigate so that you can right click on "Palo Alto Networks" and select Properties then the Security tab.

Add the MSA account to the list of accounts with permissions for this directory, note the permissions granted to the account used to install the User-ID agent software and duplicate those for the MSA account. Inheritance should propagate the same permissions down to all the subdirectories and files so that when the Commit button is pressed the MSA account will have permission to write the new config file.

The Top of the tree [User Indentification] has an [Agent Status] box which should tell you the current status of the User-ID process once its been configured. Usually if everything is properly configured it will immediately start up and start collecting data.

However [File] menu contains and option to increase the level of debug information for troubleshooting. If you choose to use this make sure the regkey for finding the setting also grants the MSA account permission to read this registry key.

It is located at:

HKLM\SOFTWARE\Wow6432Node\Palo Alto Networks

Navigate there and right click, select Permissions and perform the same steps as before. Make sure to add the MSA account and that it has the same permissions as granted to the account used to install the Uer-ID agnet software.

When the User-ID agent begin running it will collect the first 50,000 log entries from each username ip information server source and process them into username to ip address mapping entries for the cache.

The cache is used to provide username to ip address mapping for firewalls and to store any new mappings from any source queried or received by xmlapi.

The cache is visible by navigating to the [Monitoring] node in the left Tree view

Each time a new username to ip address mapping is found, it is added to this view as a line item, checking abox and selecting [Delete] will instantly remove it from the cache.

[VM information sources] can use VMware host communications to obtain additional mapping information.

When using a domain controller for Security Log information, it is important to use a GPO to enable auditing for security events which produce Event IDs which User-ID agent will request and parse.

In general this means use gpmc.msc, create a new GPO object (this is a clumsy example, but the velocity of code change for the supporting microsoft elements makes it a moving target):

Group Policy Management \ Forest:fqdn.domain.com\-

Domains\fqdn.domain.com\Group Policy Objects

Generic Audit User Logons < Rt Click Edit


Generic Audit User Logons
- Computer Configuration
-- Polices
--- Windows Settings
---- Security Settings

-----Local Policies
------ Audit Policy
-------- Audit account logon events - success, failure
-------- Audit logon events - success, failure

-----Advanced Audit Policy Configuration
------ Account Logon
-------- Audit Credential Validation - success
-------- Audit Kerberos Authentication Service - success
-------- Audit Kerberos Service Ticket Operations - success
-------- Audit Other Account Logon Events - success

------ Logon/Logoff
-------- Audit Logoff - success, failure
-------- Audit Logon - success, failure
-------- Audit Other Logon/Logoff Events - success, failure

Then Scope for the GPO should be
[Links] > OU which contains the domain controllers

Security Filtering for the GPO should be
Computer accounts for domain controllers

When applied the GPO will have to be propagated and applied by the domain controllers which will depend on replication intervals, number of domain controllers and loading.

Turning on auditing will increase the logging load on domain controllers, explicitly enumerating the domain controllers through a Security Filter allows testing without widespread performance effecting behavior. Depending on the suer population, number, and velocity of user login and outs and dhcp renewals it may take a few minutes for User-ID mapping entries to appear in the cache.

Turning up the debug logging in User-ID agent can also provide some insight into whether the User-ID agent is experiencing any problems reading the config file, contacting domain controllers, initiating and receiving the results of WMI queries agaist the domain controller security logs.. and whether and for what reason entries are found that could be used to map a username to ip address, but were discarded for some reason.

This was a quick sheaft of notes, without the actual commands for creating an MSA account an explicit steps for bringing this to completion. They are accurate and do work. Its very possible steps can be trimmed or customized to improve performance and take many things into account.

These are simply the steps taken to enable User-ID agent in a small domain with a few thousand usernames with an MSA account.. for observation and decision making purposes.

They will be updated with more detail later.


Using a Nexus 5x / iPad, as a video monitor with speakers

In a snap you can use your Android phone or Apple iphone/ipad to receive sound and video from a battery powered PC running Windows that fits in your pocket. Hello Windows Mobile.. its been a while.

Part 1 - In which we meet a "Window-less" Kangaroo PC running "Windows", with TwomonUSB

Part 2 - In which we meet a "Sound-less" Kangaroo PC running "Wireless", with Soundwire

Part 3 - In which we meet a "Key-less" mobile keyboard running "Redacted", with SharpKeys


KangarooPC, Tethered USB Display

The KangarooPC is great for travel, its the size of an average cell phone, but it has no display. You can use your cell phone as a display with a short USB cable and the TwomonUSB app. But there are a few important details. Here is how to do that.

First TwomonUSB is a paid app which you must buy before you can trial it, but Google has made it easier to obtain a refund if you follow their terms regarding the limited time in which you can request a refund.

The TwomonUSB app is available in the Google playstore.

The KangarooPC comes preloaded with Windows 10 and makes the OSLinx program available for iOS, however that only works with Windows 10. It does not work with Windows 8.1 or earlier versions of the Windows operating system.

The TwomonUSB app requires the "Twomon PC Program" program be installed on the KangarooPC but it also works on earlier versions of Windows before Windows 10.

When the KangarooPC starts it must sign in and start the service program so that it can send the display to the USB port.

There are a couple ways to autostart, securely and non-securely.

KangarooPC has a fingerprint reader and can autologon at the touch of a finger to authenticate.

KangarooPC can simply autologon at start up.

The Twomon PC program has a setting for autostart which you can select to make sure it starts on logon.

The KPC will light the power circle on the device so you know when it is on, generally 20 seconds.

Then plugging in the USB Cable between the KPC and an Android device, you will need to start the [TwomonUSB app]  you can slide the autoconnect switch on the app to autoconnect or press the Connect button to begin displaying the KPC desktop.

To switch between the default [Extended display with a taskbar] to [Primary desktop] which are really Mirror and Extended screen displays. Place [three fingers] on the Android screen at one time, a transparent overlay menu will appear and say [TwomonUSB Screen 1] swipe to right [TwomonUSB Extension] or swipe left, then tap the image of the screen, it will un-dim and switch to that mode.

The TwomonUSB app does not carry sound from the KPC to your Android device over the USB cable.

The TwomonUSB app does use the Touch input from the Android device for positioning the mouse [however BE AWARE] the mouse position is "Offset" from its actual location such that the mouse appears in one place on the Android device, but in reality is actually advanced 1/2 icon size higher and farther to the left, so you need to position the mouse cursor that you see 1/2 icon size up and left [before] a Menu button or Hyperlink will actually be activated by a tap for a click.

Pinch to collapse the screen or squish it smaller.

Spread-pinch to expand and zoom the screen and make it larger.

The resolution of the Windows desktop can be changed using normal windows shortcuts  or context menus.

A good resolution on the Nexus 5X is 1334 x 750 there is a trade off between resolution and screen speed, and readability. As there is also a need for a decent resolution in the vertical to reach buttons and menus that some programs or webpages position very far below the visible screen.

The Windows onscreen keyboard is usable, however I use a Microsoft Universal Mobile Keyboard over bluetooth and Logitech M557 bluetooth mouse,

If you use the Microsoft Universal Mobile Keyboard you may notice some keys are missing like PrintScreen, you can use the SharpKeys program from CodePlex to manually re-map a keyboard combo like [Fn]+[-] to simulate a PrintScreen key press, and it will work with other combo key combinations like [ALT]+[PrtScrn] like you would expect.