Nov 06 2013
 

Public Key cryptography solves one of the main problems with strong cryptography. How do you securely share the encryption/decryption key? If you have a secure channel for doing that, then why not use the same channel to send your plaintext message?

Public Key cryptography uses one key to encrypt and a different key to decrypt. This means you can share your Public Key with the world and anyone can use it to encrypt a message to you, but you are the only person with access to the Private Key to decrypt the message. Clever stuff!

This allows all sorts of exciting things – encryption, signing, non-repudiation and more.

But how does the maths behind this work? I’ve written a worked example below which shows a simplified version of how RSA encryption works. I’ve used small numbers so that you can follow along with a calculator, or a pencil and paper if you are cleverer than me!

Choose two random (large) prime numbers, p and q:
p = 13
q = 7

Multiply the numbers together to get the modulus, N, (the maximum value we can encrypt).
N = pq = 13*7 = 91
This is known as a trapdoor function – it’s easy to work out N if you know p and q, but very difficult to discover p and q if you only know N (for bigger numbers than we are using here).

Choose a public key, e.
e = 5 (generally chosen from {3, 5, 17, 257, 65537} which are also prime numbers)

To compute the associated private key, you need to know the two prime numbers (p and q). First compute φ (phi)
φ = (p-1)(q-1) =(13-1)(7-1) = 12*6 = 72

Then compute the private key, d.
d = (1/e) mod φ  or, written differently,  ed = 1 mod φ

In English, this means “find a whole number, d, which, when multiplied by ‘e’ and then divided by ‘φ’, leaves a remainder of 1” – there will be multiple values which are suitable.

Substituting the known values, we get
5d = 1 mod 72,  so d = 29 (because 5*29/72 = 2 remainder 1) or 461 (because 5*461/72 = 32 remainder 1) or 7373 (because 5*7373/72 = 512 remainder 1) or other, larger, numbers…

We’ll choose the smallest number ‘29’ here to make the calculations later a bit easier.

We now have all the required parts to encrypt and decrypt a message.

The public key which you share with the world is (N, e) = (N = 91, e = 5)
The private key which is known only to you is (N, d) = (N = 91, d = 29)
The key pair is written ((N,e), d) – in our case ((91, 5), 29)

Before we can encrypt a message, we need to convert the message from letters to numbers. Let’s use the standard Unicode Transformation Format 8-bit (UTF-8) encoding where each letter is represented by a number:

A = 65 G = 71 M = 77 S = 83 Y = 89
B = 66 H = 72 N = 78 T = 84 Z = 90
C = 67 I = 73 O = 79 U = 85
D = 68 J = 74 P = 80 V = 86
E = 69 K = 75 Q = 81 W = 87
F = 70 L = 76 R = 82 X = 88

- a space would be represented by 32

So, the message “ATTACK” would be encoded as 65, 84, 84, 65, 67, 75

To encrypt the plaintext message, m, into cyphertext, c:
c = m^e mod N
(remember, ‘e’ and ‘N’ are both public information)

A would be 65^5 mod 91 = 1,160,290,625 mod 91 = 39 (1,160,290,625 / 91 = 12,750,446 remainder 39)
T would be 84^5 mod 91 = 4,182,119,424 mod 91 = 28
C would be 67^5 mod 91 = 1,350,125,107 mod 91 = 58
K would be 75^5 mod 91 = 2,373,046,875 mod 91 = 17

Our encrypted message is now 39, 28, 28, 39, 58, 17

To decrypt the cyphertext, c, back to the plaintext, m:
m = c^d mod N
(remember, ‘d’ is only known to us!)

39 would be 39^29 mod 91 = 1.3831637670618865315545398098597e+46 mod 91 = 65
28 would be 28^29 mod 91 = 9.2807464717109449615203639109421e+41 mod 91 = 84
58 would be 58^29 mod 91 = 1.37851600677743110483676343403e+51 mod 91 = 67
17 would be 17^29 mod 91 = 4.8196857210675091509141182522307e+35 mod 91 = 75

Tip:
39^29 mod 91 is “the remainder when 39 multiplied by itself 29 times is divided by 91” – The numbers when we worked this out above become enormous – we can keep the numbers smaller by dividing by 91 and keeping just the remainder as we go along. If we do this one step at a time, we get:
1: 39*39 = 1,521 – this is bigger than N (91) so we can divide by 91 to get 16 remainder 65 (just keep the remainder!)
2: 65*39 = 2,535 – we can divide by 91 to get 27 remainder 78
3: 78*39 = 3,042 – we can divide by 91 to get 33 remainder 39
…and so on…
27: 65*39 mod 91 = 78
28: 78*39 mod 91 = 39
29: 39*39 mod 91 = 65  <-- the same answer we got by doing 39^29 mod 91

Our decrypted message, then, is 65, 84, 84, 65, 67, 75 which decodes to ATTACK using the UTF-8 table!
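The worked example above as runnable Python (an added example, not code from the original post; the function names are my own). It goes slightly beyond the text: d is found with the extended Euclidean algorithm rather than by trial, and modpow uses square-and-multiply alongside the one-multiplication-at-a-time reduction from the tip.

```python
"""Textbook RSA with the article's numbers (p = 13, q = 7, e = 5)."""


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def private_exponent(e, phi):
    """Smallest positive d with e*d = 1 mod phi."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        # e.g. e = 3 with phi = 72: no d exists because 3 divides 72
        raise ValueError("e shares a factor with phi, so no private key exists")
    return x % phi


def modpow(base, exp, mod):
    """Square-and-multiply, reducing after every step so values stay small."""
    result, base = 1, base % mod
    while exp:
        if exp & 1:
            result = result * base % mod
        base = base * base % mod
        exp >>= 1
    return result


def stepwise_remainders(base, exp, mod):
    """The tip's method: multiply by base one step at a time and keep only
    the remainder. Returns [base^1 mod m, base^2 mod m, ..., base^exp mod m]."""
    out, r = [], 1
    for _ in range(exp):
        r = r * base % mod
        out.append(r)
    return out


def make_keys(p, q, e):
    """Return (public, private) = ((N, e), (N, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, private_exponent(e, phi))


def encrypt(message, public):
    """Encrypt each UTF-8 byte separately, as the article does."""
    n, e = public
    codes = list(message.encode("utf-8"))
    if any(m >= n for m in codes):
        raise ValueError("every value to encrypt must be smaller than N")
    return [modpow(m, e, n) for m in codes]


def decrypt(cipher, private):
    """Reverse encrypt(): c^d mod N for each number, then decode UTF-8."""
    n, d = private
    return bytes(modpow(c, d, n) for c in cipher).decode("utf-8")


if __name__ == "__main__":
    public, private = make_keys(13, 7, 5)
    cipher = encrypt("ATTACK", public)
    print("public", public, "private", private)
    print("cyphertext", cipher)
    print("plaintext ", decrypt(cipher, private))
    print("39^k mod 91 for k = 1..29:", stepwise_remainders(39, 29, 91))
```

Note that A and T each encrypt to the same number every time they appear (39 and 28): encrypting one character at a time with no random padding is a simple substitution, which is one reason this simplified scheme is for learning only.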

Let me know in the comments below if this makes sense and is useful…

Oct 30 2013
 

Certutil is a really useful tool for administering various parts of a Microsoft CA, but not all the switches are documented – they don’t even show up when you do a ‘certutil -v -?’ to show the full help.

So far, I have found the following verbs and options – the verbs have documentation if you specify them on the command line e.g. ‘certutil -setsmtpinfo -v -?’ I have only included the ‘hidden’ verbs and options below – you can find the standard options by checking the certutil help.

If you have any other verbs and options I’ve missed, please let me know in the comments and I’ll add them to this page. If you have any clever ways of using certutil, please let me know – I’m always looking for better ways of doing things!

Note: Microsoft may have hidden these options for a reason – use them with care, and at your own risk! Microsoft probably won’t provide support if you hit problems!

Verbs:
setsmtpinfo
Usage:
CertUtil [Options] -setsmtpinfo LogonName
Set SMTP info
[-config Machine\CAName] [-p Password]

getsmtpinfo
Usage:
CertUtil [Options] -getsmtpinfo
Get SMTP info
[-config Machine\CAName]

7f
Usage:
CertUtil [Options] -7f CertFile
Check certificate for 0x7f length encodings

Class
Usage:
CertUtil [Options] -Class [ClassId | ProgId | DllName | *]
Display COM registry information
[-f]

CNGConfig
Usage:
CertUtil [Options] -CNGConfig
Display CNG Configuration
[-silent]

csptest
Usage:
CertUtil [Options] -csptest [Algorithm]
Test CSPs installed on this machine
[-user] [-silent] [-csp Provider]

csplist
Usage:
CertUtil [Options] -csplist [Algorithm]
List CSPs installed on this machine
[-user] [-silent] [-csp Provider]

delkey
Usage:
CertUtil [Options] -delkey KeyContainerName
Delete named key container
[-user] [-silent] [-csp Provider]

key
Usage:
CertUtil [Options] -key [KeyContainerName | -]
List key containers
[-user] [-silent] [-csp Provider]

SCDump
Usage:
CertUtil [Options] -SCDump [ReaderName]
Dump smart card file information
[-f] [-silent] [-split] [-p Password]

URL
Usage:
CertUtil [Options] -URL InFile | URL
Verify Certificate or CRL URLs
[-f] [-split]

SetCASites
Usage:
CertUtil [Options] -SetCASites [SiteName]
Set Site Names for CAs
[-f] [-silent] [-config Machine\CAName] [-dc DCName]

SetCATemplates
Usage:
CertUtil [Options] -SetCATemplates [+ | -]TemplateList
Set templates for CA

dsAddTemplate
Usage:
CertUtil [Options] -dsAddTemplate TemplateInfFile
Add DS Templates
[-dc DCName]

dsTemplate
Usage:
CertUtil [Options] -dsTemplate [Template]
Display DS Template Attributes
[-silent] [-dc DCName]

dsDeltaCRL
Usage:
CertUtil [Options] -dsDeltaCRL [FullDSDN] | [CRLIndex [OutFile]]
Display DS Delta CRLs
[-enterprise] [-user] [-config Machine\CAName] [-dc DCName]

dsCRL
Usage:
CertUtil [Options] -dsCRL [FullDSDN] | [CRLIndex [OutFile]]
Display DS CRLs
[-enterprise] [-user] [-config Machine\CAName] [-dc DCName]

dsCert
Usage:
CertUtil [Options] -dsCert [FullDSDN] | [CertId [OutFile]]
Display DS Certificates
[-enterprise] [-user] [-config Machine\CAName] [-dc DCName]

dsDel
Usage:
CertUtil [Options] -dsDel CN
Delete DS DNs
[-split] [-dc DCName]

ds
Usage:
CertUtil [Options] -ds [CN]
Display DS DNs
[-f] [-split] [-dc DCName]

getcert
Usage:
CertUtil [Options] -getcert [ObjectId | ERA | KRA [CommonName]]
Select a certificate from a selection UI
[-silent] [-split]

enumstore
Usage:
CertUtil [Options] -enumstore [\\MachineName]
Enumerate certificate stores
MachineName — remote machine name.
[-enterprise] [-user] [-GroupPolicy]

exportPFX
Usage:
CertUtil [Options] -exportPFX [CertificateStoreName] CertId PFXFile [Modifiers]
Export certificate and private key
CertificateStoreName — Certificate store name.  See -store.
CertId — Certificate or CRL match token.  See -store.
PFXFile — exported PFX data output file
Modifiers — Comma separated list of one or more of the following:
NoChain — Do not export the certificate chain
NoRoot — Do not export the root certificate
Defaults to personal machine store.
[-f] [-enterprise] [-user] [-GroupPolicy] [-split] [-p Password] [-t Timeout]

CAPropInfo
Usage:
CertUtil [Options] -CAPropInfo
Display CA Property Type Information
[-config Machine\CAName]

getconfig3
Usage:
CertUtil [Options] -getconfig3
Get configuration via ICertConfig

getconfig2
Usage:
CertUtil [Options] -getconfig2
Get default configuration string via ICertGetConfig

Options: (I can’t find any info about what these do – some experimentation will be required!)
-admin
-reverse
-oldpfx
-protect
-v1
-unicode
-nocrlf
-nocr
-idispatch

Sep 23 2013
 

What happens if an attacker compromises your root private key?

SSL certificates are used to authenticate clients and servers and to provide a means of securely sharing a secret key which is then used to encrypt communication between the server and client.

In order to do this, you have to have a level of trust in the body which issues the certificates; the Certification Authority or CA.

The way this works in practice is that you place the Root Certificate of the Certification Authority in your ‘Trusted Root Certification Authorities’ store on your computer. This says ‘I trust all certificates signed by the private key associated with this certificate’. Since the private key is only known by the Certification Authority, any certificate signed with the key must have been issued by the authority, and passed all the checks as defined in their CPS (Certification Practice Statement).

Once the infrastructure is in place, the flow is as follows:

SSL Private Key Compromise

Over complicated diagram showing keys and certificates.

  1. The client connects to the web server and requests a secure connection.
  2. The web server sends its certificate which includes a public key.
  3. The client verifies the certificate by checking the name matches the site name, that it has not expired (or been revoked) and that it is signed by a trusted authority.
  4. The client chooses a symmetric encryption key and encrypts it with the public key from the certificate. This is sent to the server.
  5. The server decrypts the message with its private key. The browser and web server now share a symmetric key which is unknown to anyone else. This key is used to encrypt all communication for the rest of the session.

The security of the above transaction relies on the private key being stored securely by the web server. If someone had access to that key, they could decrypt the message containing the secret symmetric session key and therefore read all the encrypted messages which follow during that session. However, it’s unlikely that the owner of the web server would allow the key to leave the server. If an attacker managed to compromise the server to such an extent that he had access to the key, he would have full control of the server and would be able to access the communication anyway. If a government requested the key through legal means, they would be able to read all the communication but, again, they would get much more information by just requesting full access to the server.

So everything is nice and safe as long as the private key is kept secure. (There are, of course, other problems if, for example, there is malware on either end, but I’m ignoring that here).

So, what happens if someone gets access to the Certification Authority’s Private Key either by compromising their key store or by demanding it via legal channels?

Having the root private key would still not allow the attacker to intercept the symmetric key as it is encrypted using the public/private keypair generated by the web server, and the private key is still only known by the web server. It would, however, allow the attacker to create his own certificate and sign it with the Root CA private key. This would mean that it is trusted by the client computer and it would be very difficult to tell it apart from the genuine server certificate.

The attacker can now perform a ‘Man-in-the-middle’ (MITM) attack to capture all the traffic between the client and server. He does this by posing as the web server and authenticating with the client. The client now sends the symmetric key to the attacker encrypted with the attacker’s public key. The attacker decrypts the key and sets up a secure connection with the client. At the same time, the attacker connects to the genuine site and poses as the client. The attacker acts as a proxy between the client and server and can read both sides of the communication. Further, the attacker can change the information from either side. Say, for example, you think you are connected to your bank and you check your balance. The attacker can report the correct balance, but in the background could transfer all your money into his own account. If he needs any extra passwords, or a two-factor authentication, he can prompt you for those details and, if it’s convincing enough, you may be fooled into providing what he needs.
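A toy model of the client's checks from step 3 and the key exchange from steps 4 and 5, showing what those checks do and do not establish when a second certificate is signed with the same root key. This is an added example, not part of the original post: the certificate format, names, dates and the small textbook-RSA keys are all constructed for illustration, and revocation checking is left out.

```python
import hashlib
from datetime import date

E = 65537  # public exponent used for every toy key below


def rsa_keypair(p, q):
    """Textbook RSA key pair from two primes: ((N, e), (N, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # modular inverse via pow: Python 3.8+


# Constructed toy keys built from small Mersenne primes; far too small for real use.
ROOT_PUB, ROOT_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)         # trusted root CA
SITE_PUB, SITE_PRIV = rsa_keypair(2**31 - 1, 2**61 - 1)         # genuine web server
OTHER_PUB, OTHER_PRIV = rsa_keypair(2**31 - 1, 2**89 - 1)       # a different key pair
UNKNOWN_PUB, UNKNOWN_PRIV = rsa_keypair(2**89 - 1, 2**107 - 1)  # CA not in the store


def digest(cert, n):
    """Hash the signed fields to an integer below the signer's modulus."""
    fields = "|".join(str(cert[k]) for k in
                      ("subject", "not_after", "public_key", "issuer"))
    return int.from_bytes(hashlib.sha256(fields.encode()).digest(), "big") % n


def issue(subject, public_key, not_after, issuer, issuer_private):
    """What a CA does: sign the certificate fields with its private key."""
    cert = {"subject": subject, "public_key": public_key,
            "not_after": not_after, "issuer": issuer}
    n, d = issuer_private
    cert["signature"] = pow(digest(cert, n), d, n)
    return cert


def verify(cert, hostname, today, trusted_roots):
    """The client's step 3: name, expiry, then signature by a trusted root."""
    if cert["subject"] != hostname:
        return False, "name mismatch"
    if today > cert["not_after"]:
        return False, "expired"
    root = trusted_roots.get(cert["issuer"])
    if root is None:
        return False, "untrusted issuer"
    n, e = root
    if pow(cert["signature"], e, n) != digest(cert, n):
        return False, "bad signature"
    return True, "ok"


def client_key_exchange(cert, session_key):
    """Step 4: encrypt the session key with the certificate's public key."""
    n, e = cert["public_key"]
    return pow(session_key, e, n)


def recover_session_key(ciphertext, private):
    """Step 5: decrypt with a private key (only the matching one works)."""
    n, d = private
    return pow(ciphertext, d, n)


def run_checks():
    host, today, expiry = "www.example.test", date(2013, 9, 23), date(2014, 9, 23)
    roots = {"Toy Root CA": ROOT_PUB}  # the client's trusted root store
    genuine = issue(host, SITE_PUB, expiry, "Toy Root CA", ROOT_PRIV)
    # Same name, different key pair, signed with the same root private key.
    same_root = issue(host, OTHER_PUB, expiry, "Toy Root CA", ROOT_PRIV)
    unknown = issue(host, OTHER_PUB, expiry, "Unknown CA", UNKNOWN_PRIV)
    tampered = dict(genuine, public_key=OTHER_PUB)  # key swapped, not re-signed
    session_key = 0x5E55104E  # constructed value
    sent = client_key_exchange(genuine, session_key)
    return {
        "genuine": verify(genuine, host, today, roots),
        "wrong_name": verify(genuine, "bank.example.test", today, roots),
        "expired": verify(genuine, host, date(2015, 1, 1), roots),
        "unknown_issuer": verify(unknown, host, today, roots),
        "tampered": verify(tampered, host, today, roots),
        # Passes exactly like the genuine one: the checks rest on the root key.
        "same_root_other_key": verify(same_root, host, today, roots),
        "keys_differ": genuine["public_key"] != same_root["public_key"],
        # The root key signs certificates; it does not decrypt the session key.
        "server_recovers_key": recover_session_key(sent, SITE_PRIV) == session_key,
        "root_recovers_key": recover_session_key(sent, ROOT_PRIV) == session_key,
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:22} {outcome}")
```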

Aug 29 2013
 

I recently changed the theme on my photography portfolio site to the beautiful ShutterShot theme from www.fabthemes.com. I had been looking for a simple full-screen theme to showcase my photography and this is exactly what I wanted.

The one thing that I didn’t like was the sidebar which had a space for a Twitter feed and some sponsored ads (which I assume fab themes make some money on if you don’t change the default links) – It seems that lots of other people wanted to remove the sidebar too judging by the comments online.

The solution I found was to do the following:

Load your blog in a tab of your browser and navigate to a page which shows the sidebar with Twitter feed and sponsored links.

In another tab, go to the theme editor by navigating to Appearance > Editor in the dashboard. Choose ‘Sidebar’ from the list of templates on the right. You will now see the code for the sidebar.php page – this is what is displayed in the sidebar. At the very top of this page, type

 <!-- 

on a line of its own, then on the very last line type

 --> 

This makes the browser treat all of the sidebar content as a comment, so it is not displayed. Click the ‘Update file’ button at the bottom of the page and reload your blog.

You should see that the sidebar is now empty, but there is still a blank space where it used to be.

The width of the content on the blog page is controlled by the ‘content’ definition in the CSS. In the editor, click the stylesheet link on the right side, and find the section which has a line beginning

 #content { 

The width of the content is defined two lines below that. Change it to read:

width: 740px;

Save the page and reload your blog – the content should now fill the space where the sidebar once was.

While you’re in the stylesheet, you might want to fix the menu so that it works on mobile devices.

Find the section which reads

#submenu {
margin: 0px 0px ;
width:700px;
padding:0px 0px;
}

and change it to

#submenu {
margin: 0px 150px ;
width:auto;
padding:0px 0px;
}

Changing the value ‘150px’ will move the menu horizontally – 0px will be against the right side, 150px was about right for me.

I hope this helps you out – let me know in the comments how you get on!

 Posted by at 10:06 pm
May 27 2013
 

I regularly connect to the Internet using free WiFi hotspots with my Nexus 7 tablet and, although most of the services I connect to use SSL to secure the connection, I felt it would be a good idea to have some extra protection in the form of a VPN.

A VPN, or Virtual Private Network, is a secure connection from your device to a proxy server which makes all your internet requests on your behalf. This means that anyone attempting to listen in on your connection to the WiFi access point will not be able to read any of your data, and won’t even be able to see what sites you are visiting (of course, you need to trust the VPN operator as they may have access to all your traffic!)

There are many VPNs to choose from, some free and some who charge. I decided to try Hotspot Shield which has Android, iOS and Windows versions. They offer a free service and a paid subscription – I decided to try the paid version which promises private browsing, malware protection, and data savings and only costs £0.69 / $0.99 per month.

The client installed with no problem on my Nexus 7 tablet and I was able to purchase the subscription via Google Play without any problem. The connection establishes quickly and seems stable (I found the free version dropped the connection regularly which had the unwanted side effect of leaving you connected to the internet insecurely with no warning). Browsing seems to be a bit quicker when connected to the VPN, and I have seen reports online that the data compression saves approximately 30% which seems about right to me.

The subscription should allow the client to be run on up to 5 devices but, unfortunately, my account code (which needs to be entered on each additional device) is not displayed when I choose the appropriate option from the menu.

I have installed the free version on my Motorola RAZR i phone (running Android 4.1.2) but I cannot get it to connect at all. I get an ‘error 1024’ popup which indicates a connection time out. I have submitted a support request to the Anchorfree team who produce Hotspot Shield and I will update the solution here as soon as I have one.

Main screen showing successful connection to the VPN

Screenshot showing the missing account code


Screenshot showing unprotected connection on phone


Screenshot showing connection error on phone

Update 2 July 2013: My Hotspot Shield reverted to the free version despite still having an active subscription. This meant that I no longer had malware protection, and I got adverts popping up when I started the VPN. My issue with not being able to use the subscription on multiple devices was never resolved. I contacted AnchorFree to query the new problem and the following day my subscription was mysteriously cancelled. I have had no response from AnchorFree. I have now uninstalled Hotspot Shield and cannot recommend it due to poor technical support and customer service. It’s a shame since the application actually seems to work well.

May 15 2013
 

Suppose you have a list of companies you deal with, and each company has more than one contact. You want to send a customised email to each company based on entries in an Excel spreadsheet. You want each of the recipients to be in the ‘To:’ field of the email. You’re out of luck because a mail merge from Excel will only accept a single email address, even if you separate them with semicolons.

My solution is to create a local distribution list in Outlook for each company and send to the distribution list name – this will resolve to the multiple email addresses and the recipients will be able to see who else received the email.

Unfortunately, I had over 200 companies with between 2 and 9 contact addresses each. It would have been a huge job to create these distribution lists manually, and keeping them up to date would have been a headache too.

After some research, I found an Excel macro which was a great starting point and I was able to customise it to create the distribution lists for me.

Firstly, my spreadsheet containing the distribution list data looks like this:

     A               B                  C                 D                 E
1    Contact List
2    Company Name    Contact 1          Contact 2         Contact 3         Contact 4
3    Acme Inc.       bob@acme.tld       fred@acme.tld     joe@acme.tld      john@acme.tld
4    Beta Co.        kevin@beta.tld     alice@beta.tld    tony@beta.tld
5    Carrot Design   sheila@carrot.tld  colin@carrot.tld  gerry@carrot.tld  jen@carrot.tld

The original macro was configured to generate a single distribution list and required the spreadsheet to be arranged vertically in two columns. I made a few changes and additions as follows:

' Create multiple Outlook distribution lists from Excel spreadsheet
' by Andy Younie http://www.planetmediocrity.com
' Heavily based on JP's code which can be found at
' http://www.jpsoftwaretech.com/automatically-update-outlook-distribution-lists-from-excel/

Const olDistributionListItem = 7
Const olFolderContacts = 10

Sub MaintainDistList()

    Dim DNAME As String ' Distribution list name
    Dim outlook As Object ' Outlook.Application
    Dim contacts As Object ' Outlook.Items
    Dim myDistList As Object ' Outlook.DistListItem
    Dim newDistList As Object ' Outlook.DistListItem
    Dim objRcpnt As Object ' Outlook.Recipient
    Dim arrData() As Variant
    Dim rng As Excel.Range
    Dim numRows As Long
    Dim numCols As Long
    Dim i As Long
    Dim x As Long ' Counter for groups
    Dim addr As String ' Current contact address

    Set outlook = GetOutlookApp
    If outlook Is Nothing Then
        ' GetOutlookApp returns Nothing if Outlook could not be started
        MsgBox "Could not start Outlook."
        Exit Sub
    End If
    Set contacts = GetItems(GetNS(outlook))

    ' Count how many groups there are in the list
    numRows = ActiveSheet.Range("A1").CurrentRegion.Rows.Count

    ' Start loop to create distribution list for each group
    For x = 3 To numRows 'First group is on line 3 of the spreadsheet

        ' Set DNAME to the group name in column A
        DNAME = ActiveSheet.Cells(x, "A").Value

        ' Clear the reference left over from the previous group, otherwise a
        ' failed lookup would leave it pointing at the list already deleted
        Set myDistList = Nothing
        On Error Resume Next
        Set myDistList = contacts.Item(DNAME)
        On Error GoTo 0

        If Not myDistList Is Nothing Then
            ' delete it
            myDistList.Delete
        End If

        ' recreate it
        Set newDistList = outlook.CreateItem(olDistributionListItem)

        With newDistList
            .DLName = DNAME
            .Body = DNAME
        End With

        ' loop through worksheet and add each member to dist list
        ' assume active sheet
        numCols = ActiveSheet.Cells(x, "A").CurrentRegion.Columns.Count - 1

        ReDim arrData(1 To 1, 1 To numCols)

        ' take Group Names out of range
        Set rng = ActiveSheet.Range("A1").CurrentRegion.Offset(x - 1, 1).Resize(1, numCols)
        ' put range into array
        arrData = rng.Value

        ' assume 1 row with a variable number of columns
        For i = 1 To numCols
            addr = Trim(CStr(arrData(1, i)))
            ' Companies with fewer contacts leave trailing cells empty; skip them
            If Len(addr) > 0 Then
                Set objRcpnt = outlook.Session.CreateRecipient(addr)

                objRcpnt.Resolve
                newDistList.AddMember objRcpnt
            End If
        Next i

        newDistList.Save

    ' End loop to create distribution list for each group
    Next x
End Sub

Function GetOutlookApp() As Object
    ' Returns Nothing if Outlook is not available
    On Error Resume Next
    Set GetOutlookApp = CreateObject("Outlook.Application")
End Function

Function GetItems(olNS As Object) As Object
    Set GetItems = olNS.GetDefaultFolder(olFolderContacts).Items
End Function

Function GetNS(ByRef app As Object) As Object
    Set GetNS = app.GetNamespace("MAPI")
End Function

So, where do you put the code to make it work? Open your spreadsheet in Excel, and go to View > Macros (or press Alt+F8) to bring up the Macros dialogue. Type a macro name (it doesn’t matter what name you use at this point) then click the ‘Create’ button. You are now in the VB editor. Delete the code which looks like:

Sub test()

End Sub

Now, paste in the code from above and close the editor window to get back to your spreadsheet.

Save your spreadsheet, then press Alt+F8 again, you should see a macro called ‘MaintainDistList’ – highlight it and click the ‘Run’ button.

You will be prompted to allow access to Outlook, accept that and flick to your contacts list in Outlook – you should see all the new distribution lists being created.

You will now be able to do a mail merge from a spreadsheet which contains your company names and the data you want to merge into your template document. The company name will resolve to the addresses in the distribution list which has the same name.

An example spreadsheet containing company information:

     A               B         C                  D              E
1    Company Details
2    Company Name    Value     Number of Orders   Renewal due    CEO Name
3    Acme Inc.       $20,135   23                 May 2013       John Smith
4    Beta Co.        $13,998   12                 July 2013      Carrie Jones
5    Carrot Design   $18,268   58                 January 2014   Simon Brown

I hope this is useful to you, let me know in the comments how you get on!

Feb 15 2013
 

A very quick post today to tell you how to force an update to your Nexus 7 tablet if you have been checking for software updates unsuccessfully.

1. Stop the Google Services Framework application by choosing Settings > Apps > All > Google Services Framework. Click “Force Stop” then “Clear Data”.
2. Choose Settings > About Tablet > System Update.
   It should say last checked 01/01/1970
3. Click “Check Now” and your update should start to load.

The download is 47MB and takes about 10 minutes to install. You will need to reboot the tablet to complete the installation.

Hope this helps!

Feb 04 2013
 

I finally decided to rejoin Pure Gym, the gym I signed up with about 3 years ago when it was just opening.

When I first signed up, I made an effort to go to the gym regularly – probably 3 or 4 times a week. I would do some cardio, mostly on the elliptical trainer, and then do a circuit of the weight resistance machines. Since I wasn’t really changing my diet at the time, I wasn’t losing any weight and I didn’t feel I was getting any fitter. When I moved house, I couldn’t get to the gym for a couple of weeks. That broke the habit and I didn’t go back.

If you’ve been following my blog, you’ll know that in the last 6 months I have lost a heap of weight by dieting. That’s let me do more exercise and I’m noticing that my fitness is improving steadily. I had read about El Diabolo’s 666 Bodyweight Course online and decided to give it a try.

One of the progressions requires a pull-up bar which I don’t have at home, and it’s too cold at this time of year to use an outdoor one, so I decided to join the gym again.

Pure Gym has changed quite a lot since I was last there. There are a few new machines, but the biggest change is the number of free classes which they are running now. On my first day back, I signed up for the ‘Pure Bodyweight’ class which I thought might be similar to El Diabolo’s. There were supposed to be another 7 people booked on, but none of them turned up so I got a free one-on-one session with Stuart MacEwan, one of the personal trainers.

The class was excellent. I found it very hard work and, if I had been doing it on my own, would have probably stopped half way through. Stuart pushed me just enough to get through it. The class consisted of a mix of cardio exercises and some bodyweight exercises – sit ups, pushups, squats etc. We had a bit of a chat afterwards and he gave me some good tips. He is also putting together a diet plan for me to improve my nutrition. At some point, I’ll ask him to put together a tailored exercise plan and maybe have a few personal training sessions.

Today, I can feel all the muscles I was exercising, but I definitely feel better for having done it and am looking forward to booking another class soon! There are lots to choose from – I think I’ll try the Pure Spin, Pure Kettle Bells and Pure Core classes over the next couple of weeks.

If you fancy trying Pure Gym, you can find out more and sign up using my referral code D92C2C at www.puregym.com – let me know what you think and which classes you find most interesting.

Jan 22 2013
 

A step by step guide to moving a virtual machine from one datastore to another in VMware ESXi 5.1 (probably applies to earlier versions too)

I had been running my VMware host with two small physical hard drives, but added a new SATA III 2TB drive which should be a bit faster and give me space for more images. I needed to migrate my existing guests to the new datastore.

In the vSphere Client, expand the host in the left window of the inventory screen and highlight the guest you want to migrate. Click the ‘Summary’ tab in the right pane.

Under ‘Resources’, right-click on the datastore and choose ‘Browse Datastore…’

Browse Datastore…

In the Datastore Browser, click the folder in the left window which contains your guest OS files. Click the ‘Move a file…’ button on the menu bar.

Move a file…

Click ‘Yes’ on the Confirm Move pop-up window.

Confirm move

In the ‘Move Items To…’ dialog, choose the new Datastore (and a directory if you like) and click the ‘Move’ button.

Move To…

The directory will be moved – the progress bar shows how long remains.

Moving progress bar

Once the move is complete, the virtual machine will still be listed in the inventory, but it still links to the old location, so if you try to power it on you will get an error message.

Error message

To resolve this, right-click the guest in the inventory and choose ‘Remove from Inventory’

Remove from Inventory

Highlight the host at the top of the inventory list, then click the ‘Configuration’ tab. You should see all your datastores listed. Right-click the datastore you moved the guest to and choose ‘Browse Datastore…’, open the directory which you moved in the earlier step and locate the .vmx file. Right click it and choose ‘Add to Inventory…’

Add to inventory

Choose a new name for the image if appropriate.

Choose a name

Click ‘Next’ on the Resource Pool Screen.

Resource pool

Click ‘Finish’ on the Ready to Complete screen.

Ready to complete

Your guest will now appear in the inventory list again. When you power the guest on, you will be asked whether you moved or copied the machine. Choose ‘I moved it’.

Virtual Machine Question

Your guest OS should now boot from the new datastore.

Guest Booting

Let me know in the comments how you get on, or if any of the instructions above are unclear.

 

 

 

Jan 12 2013
 

I’m now about 6 months into my diet and fitness challenge and I’m continuing to make good progress!

Since starting on July 23rd 2012, I’ve lost about 25kg, my weight at the start was 95kg, I’m now 69.6kg. My body fat percentage when I started was >33%, it’s now 18.6%.

On the fitness side, things are better too. When I started the diet, I could only run for 2 or 3 minutes on the treadmill before my calves would tighten and I had to stop (although I could use the elliptical trainer for 20-30 minutes with a bit of effort).

I started the Couch to 5k program near the end of September 2012 and managed to work through it without any serious injuries, finishing my last session on 26th December. At that time I was running about 5.8km in the 30 minute session. As an incentive, I signed up for the Bupa Great Winter Run which was held in Holyrood park on 5th January. I completed the 5k in 25:14, although I had a PR of 24:24 during training on a flatter course. I raised £650 for Chest, Heart and Stroke Scotland at the same time.

I’m continuing to do runs, every 2 or 3 nights at the moment, and did a 10k last night in a time of 56:44 – still a long way off my teenage PR of 43′, but I’ll get closer! I managed to draw a giant shark, too.

I’ve also signed up for the Edinburgh Spartan Sprint which happens in September, it’s a 5k with obstacles and should be a fun challenge!
