Brad Rutkowski's Blog : Ghetto scripting

Check that driver file versions match on all your cluster nodes via Powershell

Brad Rutkowski — Thu, 04 Dec 2008 02:25:00 GMT

This is more of a proof of concept, but I've used it with success internally. Take it and do with it what you want. Many thx to Brandon who did the "heavy lifting" when I got stuck!

Overview:

Ever run into cluster issues and wanted to see if the driver file versions matched on all the nodes of the cluster to rule out a mismatch on a driver level? Well I did! The basic gist is that you can show all the file versions for each node by just running the script against a node name. If you want to see only the drivers that don’t match then you’d use the pipeline with where-object (?).

Typical output:

When All drivers match:
PS C:\Debuggers> Test-MSCluster.ps1 ServerSQL11 | ?{!$_.IsSame}
Getting Nodes via WMI
Getting the drivers on: ServerSQL11
Getting the file versions for the drivers on: ServerSQL11
Getting the drivers on: ServerSQL12
Getting the file versions for the drivers on: ServerSQL12
PS C:\Debuggers>

One Mismatch:
PS C:\Debuggers> Test-MSCluster.ps1 ServerAX | ?{!$_.IsSame}
Getting Nodes via WMI
Getting the drivers on: ServerAX
Getting the file versions for the drivers on: ServerAX
Getting the drivers on: ServerBX
Getting the file versions for the drivers on: ServerBX

FileName                                                                   ServerAX                                                                 ServerBX
--------                                                                   ----------                                                                 ----------
rmcast.sys                                                                 6.0.6001.18000                                                             6.0.6001.18069

Many nodes, many mismatches:

PS C:\Debuggers> Test-MSCluster.ps1 Server-Clus--11 | ?{!$_.IsSame}
Getting Nodes via WMI
Getting the drivers on: Server-Clus--10
Getting the file versions for the drivers on: Server-Clus--10
Getting the drivers on: Server-Clus--11
Getting the file versions for the drivers on: Server-Clus--11
Getting the drivers on: Server-Clus--15
Getting the file versions for the drivers on: Server-Clus--15
Getting the drivers on: Server-Clus--16
Getting the file versions for the drivers on: Server-Clus--16
Getting the drivers on: Server-Clus--13
Getting the file versions for the drivers on: Server-Clus--13
Getting the drivers on: Server-Clus--12
Getting the file versions for the drivers on: Server-Clus--12

FileName : Dbgv.sys
Server-Clus--10 : 4.60
Server-Clus--11 : FileMissing
Server-Clus--15 : FileMissing
Server-Clus--16 : FileMissing
Server-Clus--13 : FileMissing
Server-Clus--12 : FileMissing
IsSame : False

FileName : HpCISSs2.sys
Server-Clus--10 : FileMissing
Server-Clus--11 : FileMissing
Server-Clus--15 : FileMissing
Server-Clus--16 : 6.8.0.64 Build 9 (x86-64)
Server-Clus--13 : 6.8.0.64 Build 9 (x86-64)
Server-Clus--12 : 6.8.0.64 Build 9 (x86-64)
IsSame : False

FileName : USBSTOR.SYS
Server-Clus--10 : FileMissing
Server-Clus--11 : FileMissing
Server-Clus--15 : FileMissing
Server-Clus--16 : FileMissing
Server-Clus--13 : 6.0.6001.18000
Server-Clus--12 : 6.0.6001.18000
IsSame : False

FileName : mrxsmb10.sys
Server-Clus--10 : 6.0.6001.18000
Server-Clus--11 : 6.0.6001.18000
Server-Clus--15 : 6.0.6001.18000
Server-Clus--16 : 6.0.6001.18068
Server-Clus--13 : 6.0.6001.18000
Server-Clus--12 : 6.0.6001.18000
IsSame : False

FileName : nm3.sys
Server-Clus--10 : 03.02.0764.0001
Server-Clus--11 : FileMissing
Server-Clus--15 : FileMissing
Server-Clus--16 : FileMissing
Server-Clus--13 : FileMissing
Server-Clus--12 : FileMissing
IsSame : False

Code:

######################################################################
#Test-MSCluster.ps1
Param($ClusterNode)

# I am using this hashtable to store a unique list of file names. 
$Files = @{}
# I am using this array to store my custom objects we create later.
$FileObjects = @()

Write-Host "Getting Nodes via WMI"
$nodes = gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername $ClusterNode -Authentication PacketPrivacy | %{$_.Name}

# Here we process each node and get all the drivers from the node and add it to our $Files HashTable to be processed
foreach ( $node in $nodes )
{
    Write-Host "Getting the drivers on:"  $node
    # Here we are getting a list of the .sys files. Notice I am only getting the names
    $filelistFinal = get-childitem "\\$node\admin$\system32\drivers" *.sys | %{$_.name}
    
    Write-Host "Getting the file versions for the drivers on:" $node
    foreach($file in $filelistFinal)
    {
        # foreach file found we add it to the hasttable, but hashtables can only have a key once
        # so we need check if the key already exist. I do this because it is possible you could have
        # unique drivers per node.
        if(!$Files.$file)
        {
            $Files.Add($file,"added")
        }
    }
}

# Ok... now we have all our files time to process the hashtable and create our custom objects
foreach($FileName in $Files.Keys)
{
    # This is how I create an object for each file
    $myFileObj = New-Object System.Object
    
    # This is how we add a property. In this case the FileName property. For these scenarios I chose add-member
    # because you can dynamically add properties (i.e. NodeName with value of File version)
    $myFileobj | add-Member -MemberType NoteProperty -Name FileName -Value $FileName
    
    # Now we need to add properties for each node.
    foreach($node in $nodes)
    {
        # Making sure the file exist on the node
        if(Test-Path \\$node\admin$\system32\drivers\$FileName)
        {
            # Getting ProductVersion Info to use as the value for the Node Property
            $fileInfo = [system.diagnostics.fileversioninfo]::getversioninfo("\\$node\admin$\system32\drivers\$FileName")
            $myFileobj | add-Member -MemberType NoteProperty -Name $node -Value $FileInfo.ProductVersion
        }
        else
        {
            # File not found using FileMissing as the value for the Node Property
            $myFileobj | add-Member -MemberType NoteProperty -Name $node -Value "FileMissing"
        }
    }
    # Outputting Object
    $FileObjects += $myFileObj
}

foreach($result in $FileObjects)
{
    $isSame = $true
    # Getting Server Name from Properties of the custom object
    $servers = $result | Get-Member -MemberType Noteproperty | ?{$_.Name -ne "FileName"} | %{$_.Name}
    
    # Checking the value of each server vs the other servers
    foreach($server in $servers)
    {
        foreach($srv in $servers)
        {
            if($srv -ne $server)
            {
                # If the the value is different we set $isSame to $false
                if($result."$srv" -ne $result."$server"){$isSame = $false}
            }
        }
    }
    # add the isSame property to the object
    $result | add-Member -MemberType NoteProperty -Name IsSame -value $isSame
    
    # output object
    $result 
}
######################################################################

***Note: This script is not fast, as it is getting the file versions for every driver (*.sys) on each system, I'd highly suggest not running this over the WAN...

SET-ACL on registry key

Brad Rutkowski — Mon, 29 Sep 2008 18:06:49 GMT

Man it was hard to find info on using set-acl on a registry key! I was looking for a way to set an ACL that once set would be inherited by child keys and values. We needed to give “Local Service” full control on the registry key below and have the subkeys inherit the permission. You might say: “Why not use SUBINACL?”, well due to a bug or by design SUBINACL doesn’t work for WIN7 server core (probably should look into that). Besides, why call an exe when you can do it natively in PS. Anyways here is the code that ended up working. Hope next time someone goes looking for this it’ll be the first hit.

PS C:\> $acl= get-acl -path "hklm:\SOFTWARE\Microsoft\Reliability Analysis"

PS C:\> $inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit, ObjectInherit"

PS C:\> $propagation = [system.security.accesscontrol.PropagationFlags]"None"

PS C:\> $rule=new-object system.security.accesscontrol.registryaccessrule "LOCAL SERVICE","FullControl",$inherit,$propagation,"Allow"

PS C:\> $acl.addaccessrule($rule)

PS C:\> $acl|set-acl

And the output of GET-ACL shows local service now:

PS C:\> get-acl -path "hklm:\SOFTWARE\Microsoft\Reliability Analysis" | fl <—Verifying that it got set.

Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis

Owner : BUILTIN\Administrators

Group : DOMAIN\Domain Users

Access : NT AUTHORITY\LOCAL SERVICE Allow FullControl

BUILTIN\Users Allow ReadKey

BUILTIN\Users Allow -2147483648

BUILTIN\Administrators Allow FullControl

BUILTIN\Administrators Allow 268435456

NT AUTHORITY\SYSTEM Allow FullControl

NT AUTHORITY\SYSTEM Allow 268435456

CREATOR OWNER Allow 268435456

Audit :

Sddl : O:BAG:DUD:AI(A;OICI;KA;;;LS)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)

Using invoke-command to launch a script on a remote computer which connects to network resources.

Brad Rutkowski — Fri, 26 Sep 2008 22:19:00 GMT

First, I found the details here.

Second, things can change as this is being done with the CTP for Powershell 2.0

Third, if you don’t know about remoting in 2.0 watch this 5 minute video. Then read this.

Whew.

Backstory:

You might find yourself in a situation where you want to run a batch/vbs/cmd file on a bunch of servers at once. This batch file requires to connect to network locations to gather/put information during run time. The Powershell 2.0 remoting experience out of the box doesn’t allow you to do these “double hops” with the client side credentials. What happens is that when you remote using powershell, you get a set of credentials for use on that machine. When you go off-box, the request hasthe machine credentials. This obviously can cause issues leaving you two solutions:

1) Change the ACLS on the remote share to include the machine credentials

a. Can be done by adding <domain>\domain computers with read access to the shares(s).

b. Create a group that has all the machines required in it and ACL out the share permissions with that group.

2) Use CredSSP so that you get a credential which can do multi-hop.

So what is required to use CredSSP, thus allowing your client-side credentials to “pass-thru” to the server-side and go off box as your creds?

On the client-side:

new-item HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -force
new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -name AllowFreshCredentials -value 1 -type DWord -force
new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -name ConcatenateDefaults_AllowFresh -value 1 -type DWord -force
new-item HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials -force
new-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials -name 1 -value wsman/* -force
winrm s winrm/config/client/auth '@{CredSSP="true"}'

On the server-side:

winrm s winrm/config/service/auth '@{CredSSP="true"}'

Example without credSSP:

PS C:\Debuggers> Invoke-Command -ComputerName server1.domain.com,server2.domain.com -ScriptBlock {c:\debuggers\test_PS.cmd} -Credential reddom\brad

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradshare\Book1.xlsx <-- Can’t make this happen as it goes off-box as the machine account.

Access is denied.

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradshare\Book1.xlsx

Access is denied.

PS C:\Debuggers>

Example with credSSP:

PS C:\Debuggers> Invoke-Command -ComputerName server1.domain.com,server2.domain.com -ScriptBlock {c:\debuggers\test_PS.cmd} -Authentication CredSSP -Credential reddom\brad

//Had to use the FQDN as it does an SPN lookup and hostname fails.

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradshare\Book1.xlsx <-- Now goes off the server-side with my ‘brad’ user account.

1 file(s) copied.

C:\Windows\System32>cd\

C:\>cd debuggers

C:\Debuggers>md test

C:\Debuggers>copy \\serverx\bradrutk$\Book1.xlsx

1 file(s) copied.

PS C:\Debuggers>

Update:

You must have at least the CTP2 verison of WINRM: https://connect.microsoft.com/WSMAN/Downloads

Make sure to run Configure-Wsman.ps1 and WINRM quickconfig too...

Technorati Tags: powershell

Display warning text when someone logs onto your servers

Brad Rutkowski — Thu, 25 Sep 2008 03:25:00 GMT

This works for Windows 2003 and Windows 2008. We use it during our reliability study to let the server owners know that they shouldn't reboot their boxes without a good reason. You can use it for whatever you’d like. :)

The two keys to set:

reg add "\\brad-dc-01\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "MSIT Reliability Study" /f

reg add "\\brad-dc-01\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "This server is part of the MSIT Windows 7 Reliability Study. The server should not be rebooted. If the server is experiencing a bug, please contact DCOPERATE to triage and they will escalate as needed. If you are rebooting the server for a hotfix, private fix, or other legitimate reason, please document it properly in the shutdown tracker so that the statistics are accurate." /f

Hop to loop it and apply it en masse:

Open CMD with your alt creds and do the following:

C:\Windows\system32>for /f %a in (machines.txt) do (

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "MSIT Reliability Study" /f

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "This server is part of the... (HUGE LONG STRING) ... " /f

More? )

How to turn it off:

C:\Windows\system32>for /f %a in (machines.txt) do (

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "" /f

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "" /f

More? )

The result:

Another way of doing this is to set "Interactive logon: Message text for users attempting to logon" in secpol.msc...

Technorati Tags: Windows 2003,Windows 2008

Getting Access Denied when trying to query root\MSCluster namespace remotely against Windows 2008.

Brad Rutkowski — Mon, 08 Sep 2008 21:00:56 GMT

Ran into a weird issue where I was getting access denied when trying to query nodes remotely in powershell. The query was working fine against Windows 2003 cluster names and worked locally when ran on a Windows 2008 cluster node, it just didn’t work remotely.

Against 2k3:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k3-01 | Select-Object Name

Name
----
Server-2k3-01
Server-2k3-02

Against 2k8:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01
Get-WmiObject : Access denied
At line:1 char:5
+ gwmi <<<< -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01

I also tried the query outside of powershell to eliminate that form the equation with the same results and it still failed. So why the difference? Well looking around on the target, I noticed this event in the event log:

Log Name:      Application
Source:        Microsoft-Windows-WMI
Date:          9/5/2008 10:17:52 AM
Event ID:      5605
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server-2k8-01
Description:
Access to the root\mscluster namespace was denied because the namespace is marked with RequiresEncryption but the script or application attempted to connect to this namespace with an authentication level below Pkt_Privacy. Change the authentication level to Pkt_Privacy and run the script or application again.

Doing a little research I ran across this article explaining the event and what needs to happen to run the query properly:

http://technet.microsoft.com/en-us/library/cc727103.aspx

In VBScript that means adding: authenticationLevel=pktPrivacy to your query. In Powershell (I’m using 2.0) you just add the authentication switch to get it to work. Now the query works on downlevel as well as 2k8:

PS C:\Debuggers> gwmi -q "Select name from MSCluster_Node" -namespace root\mscluster -computername Server-2k8-01 -Authentication PacketPrivacy | Select-Object Name

Name
----

Server-2k8-01
Server-2k8-02
Server-2k8-03
Server-2k8-04
Server-2k8-05

PostScript:

You can do a whole bunch of cool stuff with powershell check it out! Here’s just a little query to tell me each node and ‘t state:

PS C:\Debuggers> gwmi -q "Select * from MSCluster_Node" -namespace root\mscluster -computername TK5-CLUS-01 -Authentication PacketPrivacy | Select-Object Name,State | Format-Table -au

Name           State
----              -----
tk5-clus-01     0
tk5-clus-02     0
tk5-clus-03     0
tk5-clus-04     1
tk5-clus-05     0
tk5-clus-06     0

Find out who pings on a subnet quick and easy

Brad Rutkowski — Thu, 24 Apr 2008 02:57:00 GMT

So i know there are tools out there to do this but figured some would be interested on how to do this real quick with stuff that's already in the OS.

1) Turn off echos to make the out put clean (don’t forget to turn it back on when its done via “echo on”).

2) The set is a sequence of numbers from start to end, by step amount. So (1,1,5) would generate the sequence 1 2 3 4 5 and (5,-1,1) would generate the sequence (5 4 3 2 1). So in this instance 1,1,254 would step to 254.

3) For the ping the –n says send one request instead the default of four. the –w sets the timeout for the echo request to 300 milliseconds, since I knew the subnet was close, so I did not need to wait the full timeout for the packet to return.

Example:

C:\debuggers>echo off
for /L %a in (1,1,254) do ping -n 1 -w 300 20.232.12.%a |findstr /i reply
Reply from 20.232.12.1: bytes=32 time=2ms TTL=245
Reply from 20.232.12.7: bytes=32 time=2ms TTL=55
Reply from 20.232.12.8: bytes=32 time=2ms TTL=53
Reply from 20.232.12.9: bytes=32 time=2ms TTL=55
Reply from 20.232.12.11: bytes=32 time=2ms TTL=53
Reply from 20.232.12.12: bytes=32 time=2ms TTL=55
Reply from 20.232.12.14: bytes=32 time=2ms TTL=55
Reply from 20.232.12.15: bytes=32 time=2ms TTL=53
Reply from 20.232.12.27: bytes=32 time=2ms TTL=53
Reply from 20.232.12.78: bytes=32 time=2ms TTL=53
Reply from 20.232.12.81: bytes=32 time=2ms TTL=55
Reply from 20.232.12.82: bytes=32 time=2ms TTL=53
Reply from 20.232.12.83: bytes=32 time=2ms TTL=53
Reply from 20.232.12.84: bytes=32 time=2ms TTL=53
Reply from 20.232.12.85: bytes=32 time=2ms TTL=55
Reply from 20.232.12.87: bytes=32 time=2ms TTL=53
Reply from 20.232.12.88: bytes=32 time=2ms TTL=53
Reply from 20.232.12.89: bytes=32 time=2ms TTL=53
Reply from 20.232.12.107: bytes=32 time=1ms TTL=53
Reply from 20.232.12.108: bytes=32 time=2ms TTL=53
Reply from 20.232.12.110: bytes=32 time=2ms TTL=53
Reply from 20.232.12.111: bytes=32 time=1ms TTL=55
Reply from 20.232.12.113: bytes=32 time=2ms TTL=55
Reply from 20.232.12.115: bytes=32 time=2ms TTL=55
Reply from 20.232.12.116: bytes=32 time=2ms TTL=53
Reply from 20.232.12.117: bytes=32 time=2ms TTL=55
Reply from 20.232.12.118: bytes=32 time=1ms TTL=55
Reply from 20.232.12.119: bytes=32 time=2ms TTL=53
Reply from 20.232.12.120: bytes=32 time=2ms TTL=53
Reply from 20.232.12.231: bytes=32 time=2ms TTL=53
Reply from 20.232.12.234: bytes=32 time=1ms TTL=55
Reply from 20.232.12.235: bytes=32 time=1ms TTL=55
Reply from 20.232.12.237: bytes=32 time=2ms TTL=55
Reply from 20.232.12.238: bytes=32 time=1ms TTL=55
Reply from 20.232.12.239: bytes=32 time=2ms TTL=53
Reply from 20.232.12.242: bytes=32 time=1ms TTL=55
Reply from 20.232.12.244: bytes=32 time=1ms TTL=55
Reply from 20.232.12.245: bytes=32 time=2ms TTL=53
Reply from 20.232.12.246: bytes=32 time=2ms TTL=53
Reply from 20.232.12.247: bytes=32 time=1ms TTL=55
Reply from 20.232.12.248: bytes=32 time=1ms TTL=55
Reply from 20.232.12.249: bytes=32 time=2ms TTL=53
Reply from 20.232.12.250: bytes=32 time=2ms TTL=55

Update:

And in powershell: 1..254 | % {ping -n 1 -w 300 157.56.144.$_ | findstr /i reply }

Hey Admins! Gathering information from remote machines using WMI (the easy way).

Brad Rutkowski — Sat, 15 Mar 2008 00:48:55 GMT

Those who are just getting into scripting might be wondering how to query info from remote machines using WMI and how to find useful information to query. When I started out trying to learn some of the WMI syntax and gathering info, I started with ScriptoMatic.

I found this tool to be quick and painless for finding out what could be pulled from WMI and how it was done, if you've never played with it, go grab it and check it out.

When you click the "run" button it'll dump out whatever you asked scriptomatic to search for:

==========================================
Computer: ServerA
==========================================
Caption: Domain
ClientSiteName: NA-WA-SITE
CreationClassName: Win32_NTDomain
DcSiteName: NA-WA-SITE
Description: Domain
DnsForestName: microsoft.com
DomainControllerAddress: \\2002:4898:dc5:33:218:feff:fe75:904
DomainControllerAddressType: 1
DomainControllerName: \\DC-DC-35
DomainGuid: {F488EF59-EEEF-11D2-A5DA-00805F9F34DE}
DomainName: Domain
DSDirectoryServiceFlag: True
DSDnsControllerFlag: False
DSDnsDomainFlag: False
DSDnsForestFlag: True
DSGlobalCatalogFlag: True
DSKerberosDistributionCenterFlag: True
DSPrimaryDomainControllerFlag: False
DSTimeServiceFlag: True
DSWritableFlag: True

Name: Domain: Domain
PrimaryOwnerContact:
PrimaryOwnerName:
Roles:
Status: OK

Other site with WMI scripts prepopulated for you:

WMI has a plethora of information that can be gathered locally or remotely from systems so it might be daunting to find out what you want to gather. I stumbled upon this site today and found a ton of stuff that will be useful to admins: WMI Tasks for Scripts and Applications.

Here are the the task categories and descriptions from the page:

Accounts and Domains
Obtain information such as the computer domain or the currently logged-on user. Many domain- or account-related tasks are best performed with ADSI scripts. For examples, see the TechNet ScriptCenter at http://www.microsoft.com/technet.

Computer Hardware
Obtain information about the presence, state, or properties of hardware components. For example, you can determine whether a computer is a desktop or laptop.

Computer Software
Obtain information such as which software is installed by the Windows Installer (MSI) and software versions.

Connecting to the WMI Service
To get data from WMI, either on the local computer or from a remote computer, you must connect to the WMI service by connecting to a specific namespace. In most cases, use either the shorthand moniker connection or the Locator connection.

Dates and Times
Windows XP introduced several WMI classes and a scripting object to parse or convert the CIM datetime format.

Desktop Management
Obtain data from or control remote desktops. For example, you can determine whether or not the screensaver requires a password. WMI also gives you the ability shut down a remote computer.

Disks and File Systems
Obtain information about disk drive hardware state, logical volumes.

Event Logs
Obtain event data from NT Event log files and perform operations like backing up or clearing log files.

Files and Folders
Change file or folder properties through WMI, including creating a share or renaming a file.

Networking
Manage and obtain information about connections and IP or MAC addresses.

Operating Systems
Obtain information about the operating system such as version, whether it is activated, or which hotfixes are installed.

Performance Monitoring
Use the WMI classes that obtain data from performance counters to access and refresh data about computer performance.

Processes
Obtain information such as the account under which a process is running. You can perform actions like creating processes.

Printers and Printing
Manage and obtain data about printers, such as finding or setting the default printer.

Registry
Create and modify registry keys and values.

Scheduled Tasks
Create and get information about scheduled tasks.

Services
Obtain information about services, including dependent or antecedent services.

One last thing:

Scritpomatic does have a twin for ADSI too: ADSI ScriptoMatic.

Using TypePerf to get performance data on the command prompt.

Brad Rutkowski — Sat, 22 Sep 2007 23:29:36 GMT

I was tracking a high CPU issue this week and needed to know when one of my servers was pegged so I could investigate. I could of used perfmon I guess but I really like to do everything I can from the command prompt. I always like it when there is a tool that can do data collection from the command prompt as this gives you the ability to easily script it if warranted.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nt_command_typeperf.mspx?mfr=true

C:\Windows\system32>typeperf "\\Server1\Processor(_Total)\% Processor Time"

"(PDH-CSV 4.0)","\\Server1\Processor(_Total)\% Processor Time"
"09/20/2007 15:42:42.926","18.097697"
"09/20/2007 15:42:43.928","21.217785"
"09/20/2007 15:42:44.929","15.757631"
"09/20/2007 15:42:45.931","16.537653"

The command completed successfully.

You can collect any counter that lives in the perfmon world, I'm sure some of you out there will find a use for this.

C:\Debuggers>typeperf "\\serverX\Server\Server Sessions" -sc 2

"(PDH-CSV 4.0)","\\serverX\Server\Server Sessions"
"09/22/2007 13:21:54.110","8.000000"
"09/22/2007 13:21:55.117","8.000000"

The command completed successfully.

Full Syntax below, you can adjust the collection in numerous ways.

C:\Debuggers>typeperf -?

Microsoft r TypePerf.exe (6.0.6001.16656)

Typeperf writes performance data to the command window or to a log file. To stop Typeperf, press CTRL+C.

Usage:
typeperf { <counter [counter ...]> | -cf <filename> | -q [object] | -qx [object] } [options]

Parameters:
<counter [counter ...]> Performance counters to monitor.

Options:
-?                            Displays context sensitive help.
-f <CSV|TSV|BIN|SQL>          Output file format. Default is CSV.
-cf <filename>                File containing performance counters to monitor, one per line.
-si <[[hh:]mm:]ss>            Time between samples. Default is 1 second.
-o <filename>                 Path of output file or SQL database. Default is STDOUT.
-q [object]                   List installed counters (no instances). To list counters for one object, include the object name, such as Processor.
-qx [object]                  List installed counters with instances. To list counters for one object, include the object name, such as Processor.
-sc <samples>                 Number of samples to collect. Default is to sample until CTRL+C.
-config <filename>            Settings file containing command options.
-s <computer_name>            Server to monitor if no server is specified in the counter path.
-y                            Answer yes to all questions without prompting.

Technorati tags: Windows 2008, Vista, XP, Admin

Are there pending operations waiting for a reboot?

Brad Rutkowski — Wed, 27 Jun 2007 19:21:20 GMT

Sometimes you might log onto a server and wonder if there have been patches installed and thing needs to be rebooted. Well if the patch wanted to replace a file that was in use by the system (like NTFS for example) then it populates a certain key in the registry, you could check this key to determine if a reboot is pending.

Value: PendingFileRenameOperations

Location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

Description:

Stores the names of files to be renamed when the system restarts.

This entry consists of pairs of file names. The file specified in the first item of the pair is renamed to match the second item of the pair. The system adds this entry to the registry when a user or program tries to rename a file that is in use. The file names are stored in the value of this entry until the system is restarted and they are renamed.

Server that doesn't need to be rebooted for pending files:

C:\>reg query "\\server1\hklm\System\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations

ERROR: The system was unable to find the specified registry key or value.

Server that does need to be rebooted for pending files:

C:\>reg query "\\server2\hklm\System\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
PendingFileRenameOperations REG_MULTI_SZ \??\C:\WINDOWS\system32\SET2B5.tmp\0!\??\C:\WINDOWS\system32\schannel.dll\0\??\C:\WINDOWS\system32\_000025_.tmp.dll\0\??\C:\WINDOWS\system32\SET2B9.tmp\0!\??\C:\WINDOWS\system32\urlmon.dll\0\??\C:\WINDOWS\system32\SET2BA.tmp\0!\??\C:\WINDOWS\system32\shdocvw.dll\0\??\C:\WINDOWS\system32\SET2CA.tmp\0!\??\C:\WINDOWS\system32\kernel32.dll

Technorati tags: windows 2003, vista

Republish printers easily on a print server to Active Directory.

Brad Rutkowski — Mon, 25 Jun 2007 22:16:04 GMT

Printers can get pruned from the directory for many reasons. The way it is supposed to work is if the printer is stale then a DC will remove the print queue object from the directory after trying to contact it 3 times at 8 hour intervals (default). This also means that if a DC can't net view the print server for a 24 hour period it could potentially prune the print queue objects too. This can happen if one of your domain controllers are in a "bad" state where its online but not functioning as expected.

So what can you do once the print queue objects have been removed? Well to easily republish them you can create a simple script like below. You can then save this as a vbs and then use it to republish the printers in the directory.

If WScript.Arguments.Count <> 1 then
strPC = GetPC()
Else
strPC = wscript.arguments(0)

end if

Set objWMIService = GetObject("winmgmts:\\" & strPC & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Printer",,48)
For Each objItem in colItems
    Wscript.Echo "ShareName: " & objItem.ShareName
     objItem.Published = False
      objItem.Put_
      Wscript.Echo "Published: " & objItem.Published
     objItem.Published = True
      objItem.Put_
      Wscript.Echo "Published: " & objItem.Published
Next

function GetPC()
GetPC = InputBox ("What Server would you like republish the printers on?", "Servername")
End function

To work around this you could do a number of things:

1) Fix the network connectivity issue

a) Find out what Dc is not working as expected and resolve.

2) Disable the spooler service on your DCs

a) Could have lots of stale printers to manually clean up if you have printers in flux in your environment

3) Disable pruning via GPO

a) Set the Directory Pruning Interval value to Never via GPO

b) There will be stale printers in the directory and they will need to be manually cleaned up.

4) You can allow the printers to be pruned and set the Check Published State policy for specific (or all) print servers in the domain. This policy causes the spooler on a print server to periodically verify that its published printers exist in Active Directory. By default, the Spooler service verifies the state of published printers only when it is started.

a) Because the widespread use of this policy on many computers in the domain (that are constantly checking the publication status of their PrintQueue objects in Active Directory) can adversely affect network performance. Microsoft recommends that you set this policy only on the main production print servers.

If you want to know more about how printers are published and pruned this is a thorough article on the subject.

Need an easy way to create a unique file name with the date?

Brad Rutkowski — Thu, 12 Apr 2007 22:46:00 GMT

I needed to dump winlogon and do some checks against the dump file and needed and easy way to get the computername and date in the file name and formatted so I could easily perfrom next steps. Here was the soution:

C:\Debuggers>echo %computername%_%DATE:~10,4%.%DATE:~4,2%.%DATE:~7,2%
SK8ORDIE_2007.04.12

Here was the script I was running to do some checks and get a dump of winlogon...

c:\debuggers\tlist -v |findstr /c:" 0 " |findstr "winlogon.exe" > c:\tlist.txt

for /f "tokens=3" %%a in (c:\tlist.txt) do SET PID=%%a

echo %PID%

C:\debuggers\cdb -p %PID% -pvr -c ".dump /ma C:\debuggers\%computername%_%DATE:~10,4%.%DATE:~4,2%.%DATE:~7,2%_winlogon.dmp;qd" //Noninvasive attach to the process (pvr) gets userdump and quits.

del /f c:\tlist.txt

Hey I forgot to turn on RDP on my server!

Brad Rutkowski — Wed, 18 Oct 2006 19:07:00 GMT

Ever find yourself away from your server after building it out and forgot to turn on RDP so you could TS onto the machine? Well in XP and 2k3, you can just toggle a reg key and most of the time (pending firewall issues) you can then TS into the box. Doesn't work in Windows 2000 as you need to install a service for TS, which is why the script checks that below.

Here's an easy script that you can save as a cmd file that will work...

@echo off

IF "%1"=="?" GOTO SYNTAX
IF "%1"=="/?" GOTO SYNTAX
IF "%1"=="-?" GOTO SYNTAX

reg query "\\%1\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber |findstr CurrentBuildNumber >> c:\tmp.txt
for /f "tokens=3" %%a in (c:\tmp.txt) do (
if %%a LSS 2600 goto :W2k)
reg query "\\%1\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg add "\\%1\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
reg query "\\%1\HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
goto :EOF

:W2k
Echo.
Echo Server is Windows 2000 or below, this command can only be run on XP or Windows Server 2003
Echo.
goto :EOF

:SYNTAX
ECHO.
ECHO --------------------------------------------------------------------------------------
ECHO RDP.cmd : Turn on Remote Admin mode terminal service in XP/Windows Server 2003
ECHO --------------------------------------------------------------------------------------
ECHO.
ECHO Usage: RDP.cmd servername (You must be an admin on the box)
ECHO --------------------------------------------------------------------------------------

:EOF
if exist c:\tmp.txt( del /Q c:\tmp.txt ) 1>nul 2>nul

Technorati tags: RDP, AD, Active Directory, Scripting, Wnidows

Dumping out all the DCs in a domain to a txt file

Brad Rutkowski — Tue, 17 Oct 2006 20:47:00 GMT

Short and sweet way of dumping out the DCs to a txt file, in a script:

for /f "skip=1" %%a in ('netdom query dc /domain:YOURDOMAIN') do (if %%a == The (echo.) else echo %%a >> test.txt)

So what's the deal with all the syntax, and how would this be useful? Well if you do simple admin scripting then this is pretty useful, say you want to look at all the DCs in the forest and check to make sure that they all have a certain reg key (sample below), well you could create a simple cmd script in about 5 minutes using the above line and the use reg query to do the dirty work. Hope you can find a use for this, my next post will use this to demonstrate how to do some ghetto time skew monitoring on DCs.

Syntax breaks down like this:

/f is needed because we are using a command to pull the variable %a ('netdom query dc /domain:YOURDOMAIN')

"skip=1" We use this so that we skip the first line of the output from netdom query dc which looks like this:

C:\localbinx64>netdom query dc /domain:braddom
List of domain controllers with accounts in the domain: <-- Skips this line.

BRAD-DC-20
BRAD-DC-22
BRAD-DC-26
BRAD-DC-15
The command completed successfully. <-- Don't want this either see below on how we get around this.

(if %%a == The (echo.) else echo %%a >> test.txt) And what's all this? Well its my way of getting around the last line.

Here is a script that uses this technique and checks the strict replication key, I don't dump the servers to a txt file because hey I dont need to, just save this into a cmd file... Play around to figure our what the findstr does.

@echo off

for /f "skip=1" %%a in ('netdom query dc /domain:Yourdomain') do (
if %%a == The (echo.)
echo %%a
reg query \\%%a\HKLM\system\currentcontrolset\services\ntds\parameters /v "strict replication consistency" |findstr /i strict)

Output looks like:

C:\>strict.cmd
BRAD-DC-20
strict replication consistency REG_DWORD 0x1
BRAD-DC-22
strict replication consistency REG_DWORD 0x1
BRAD-DC-26
strict replication consistency REG_DWORD 0x1
BRAD-DC-05
strict replication consistency REG_DWORD 0x1
BRAD-DC-27
strict replication consistency REG_DWORD 0x1
BRAD-DC-10
strict replication consistency REG_DWORD 0x1
BRAD-DC-11
strict replication consistency REG_DWORD 0x1
BRAD-DC-25
ERROR: The system was unable to find the specified registry key or value.
BRAD-DC-24
ERROR: The system was unable to find the specified registry key or value.
BRAD-DC-35
strict replication consistency REG_DWORD 0x1
BRAD-DC-04
strict replication consistency REG_DWORD 0x1
BRAD-DC-03
strict replication consistency REG_DWORD 0x1
BRAD-DC-23
strict replication consistency REG_DWORD 0x1
BRAD-DC-14
strict replication consistency REG_DWORD 0x1
BRAD-DC-08
strict replication consistency REG_DWORD 0x1
BRAD-DC-18
strict replication consistency REG_DWORD 0x1
BRAD-DC-15
strict replication consistency REG_DWORD 0x1

Technorati tags: Active Directory, Directory Service, AD

IceRocket tags: Active Directory