Brad Rutkowski's Blog : Vista and Lognhorn

Display warning text when someone logs onto your servers

Brad Rutkowski — Thu, 25 Sep 2008 03:25:00 GMT

This works for Windows 2003 and Windows 2008. We use it during our reliability study to let the server owners know that they shouldn't reboot their boxes without a good reason. You can use it for whatever you’d like. :)

The two keys to set:

reg add "\\brad-dc-01\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "MSIT Reliability Study" /f

reg add "\\brad-dc-01\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "This server is part of the MSIT Windows 7 Reliability Study. The server should not be rebooted. If the server is experiencing a bug, please contact DCOPERATE to triage and they will escalate as needed. If you are rebooting the server for a hotfix, private fix, or other legitimate reason, please document it properly in the shutdown tracker so that the statistics are accurate." /f

Hop to loop it and apply it en masse:

Open CMD with your alt creds and do the following:

C:\Windows\system32>for /f %a in (machines.txt) do (

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "MSIT Reliability Study" /f

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "This server is part of the... (HUGE LONG STRING) ... " /f

More? )

How to turn it off:

C:\Windows\system32>for /f %a in (machines.txt) do (

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "" /f

More? reg add "\\%a\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "" /f

More? )

The result:

Another way of doing this is to set "Interactive logon: Message text for users attempting to logon" in secpol.msc...

Technorati Tags: Windows 2003,Windows 2008

Windows Update fails with 8000FFFF (E_UNEXPECTED)

Brad Rutkowski — Thu, 03 Jul 2008 22:07:02 GMT

Quick Solution: Check the permissions on the root of C: and ensure that BUILTIN\Users have Read access.

Long Story:

8000FFFF == E_UNEXPECTED, not very helpful…

Had a client where windows update was continually failing with the error code 8000FFFF. When looking in the Windows Update log we’d see errors like this:

WARNING: PTError: 0x80248014
Handler FATAL: CBS called Error with 0x8000ffff, <— Checked the CBS.log file but that didn’t give any clues.
Handler FATAL: Error source is 106.
DnldMgr Error 0x8000ffff occurred while downloading update; notifying dependent calls.
AU        # WARNING: Download failed, error = 0x8000FFFF
AU        # WARNING: Download failed, error = 0x8000FFFF
AU      WARNING: BeginInteractiveInstall failed, error = 0x8024000C
CltUI   WARNING: AU directive Interactive Progress is exiting due to error 8024000C

And in the event viewer upon each run we’d see these events:

Log Name:      Application
Source:        ESENT
Date:          7/2/2008 3:05:16 PM
Event ID:      491
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX
Description:
Catalog Database (1560) Catalog Database: An attempt to determine the minimum I/O block size for the volume "C:\" containing "C:\Windows\system32\CatRoot2\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          7/2/2008 3:05:16 PM
Event ID:      257
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX
Description:
The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.

After seeing this data I did a stare and compare between my root permissions and his and found that he’d modified the c:\ permissions on his system:

His machine:
c:\temp\xcacls c:
C:\ NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F

Mine:
C:\>xcacls c:\
c:\ BUILTIN\Administrators:F
    BUILTIN\Administrators:(OI)(CI)(IO)F
    NT AUTHORITY\SYSTEM:F
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
    BUILTIN\Users:(OI)(CI)R <— This is the key one missing that was causing the headache.
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C
    NT AUTHORITY\Authenticated Users:(special access:)
                                     FILE_APPEND_DATA

The Cryptographic Services runs under “Network Service” which would require Users to have read access. I added BUILTIN\Users with read access to C and all worked again.

Hopefully this post will guide others with similar issues to the solution quickly.

Technorati Tags: Vista,Windows Update,WSUS,Windows 2008

Staring at a blank desktop, due to Interactive missing from Users group

Brad Rutkowski — Fri, 30 May 2008 01:51:36 GMT

Ran into an issue this week that was strange. When you TS’d to the box it would just show a blank background and nothing else. If you tried to launch task manager it would just fail silently to the user (actually access denied in the debugger). My user account was in the admin group and the server was completely accessible remotely with administrative perms. It was just when I (or anyone) tried to logon to the server locally or through TS that it was messed up. Another piece of the puzzle was that if you disabled UAC and rebooted the server the issue no longer repro’d.

So what was there with UAC and logging onto this server?

When logging on this event was triggered:

Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          5/27/2008 5:13:28 PM
Event ID:      4006
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXX
Description:
The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\system32\userinit.exe.

Turns out that they removed the Account "NT AUTHORITY\INTERACTIVE" from the Users group on the machine. We added that account back into the users group and like magic it worked again. I'm working on getting a KB filed and written for this issue, but until then at least people can find it if they notice this event in the event log.

Reference:

http://technet2.microsoft.com/WindowsVista/en/library/00d04415-2b2f-422c-b70e-b18ff918c2811033.mspx?mfr=true

UAC Architecture

While the Windows Vista logon process externally appears to be the same as the logon process in Windows XP, the internal mechanics have greatly changed. The following illustration details how the logon process for an administrator differs from the logon process for a standard user.

Windows Vista logon process

When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe).

HatTip to Ben on my Team who actually figured this out after I tried to debug it for 3 days...

Technorati Tags: Vista,Windows 2008,UAC,Winlogon

SearchIndexer.exe crashing with the exception code of 0xc00000fd

Brad Rutkowski — Thu, 15 May 2008 02:16:00 GMT

This is an FYI post so others on the intertubes can find the answer quickly.

If you get this error:

Log Name: Application

Source: Application Error

Date: 4.11.2008 07:20:41

Event ID: 1000 Task Category: (100)

Level: Error

Keywords: Classic

User: N/A Computer: xxxxxxx

Description: Faulting application SearchIndexer.exe, version 6.0.6000.16386, time stamp 0x4549b667, faulting module mssrch.dll, version 6.0.6000.16386, time stamp 0x4549bd4b, exception code 0xc00000fd, fault offset 0x00003f8f...

Open up Wercon and if it looks like this:

Product

Microsoft Windows Search Indexer

Problem

Stopped working

Date

4/21/2008 8:30 AM

Status

Report Sent

Problem signature

Problem Event Name: APPCRASH

Application Name: SearchIndexer.exe

Application Version: 6.0.6000.16386

Application Timestamp: 4549b667

Fault Module Name: mssrch.dll

Fault Module Version: 6.0.6000.16386

Fault Module Timestamp: 4549bd4b

Exception Code: c00000fd

Exception Offset: 00007c4c

OS Version: 6.0.6000.2.0.0.256.4

Locale ID: 1033

Additional Information 1: f790

Additional Information 2: 174183f92d554d49550d71425f227859

Additional Information 3: efdd

Additional Information 4: 9c7dda392c8f13823238fe93325e6861

Extra information about the problem

Bucket ID: 349776197

Then you might be able to resolve this by:

A) Upgrading to Vista SP1

B) Install Windows Search 4 (which has now released): http://www.microsoft.com/windows/products/winfamily/desktopsearch/choose/windowssearch4.mspx

Technorati Tags: Vista,Search,SearchIndexer

Stuff to check out for Windows 2008

Brad Rutkowski — Wed, 26 Mar 2008 19:41:25 GMT

Just got released yesterday:

X86: http://www.microsoft.com/downloads/details.aspx?FamilyID=9ff6e897-23ce-4a36-b7fc-d52065de9960&DisplayLang=en

X64: http://www.microsoft.com/downloads/details.aspx?FamilyID=d647a60b-63fd-4ac5-9243-bd3c497d2bc5&DisplayLang=en

Overview

Microsoft Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server 2008 from a computer running Windows Vista with SP1. It includes support for remote management of computers running either a Server Core installation or the full installation option of Windows Server 2008. It provides similar functionality to Windows Server 2003 Administration Tools Pack.
After you install this item, you may have to restart your computer. This update is provided to you and licensed under the Windows Vista License Terms.

Once you install the KB, you need to enable the RSAT tools by doing the following:

1. Click Start, click Control Panel, and then click Programs.

2. In the Programs and Features area, click Turn Windows features on or off.

3. If you are prompted by User Account Control to allow the Windows Features dialog box to open, click Continue.

4. In the Windows Features dialog box, expand Remote Server Administration Tools.

5. Select the remote management tools that you want to install.

6. Click OK.

Other notables:

1) Windows Server® 2008 Network Shell (Netsh) Technical Reference What can you do in Netsh in Win2k8? How do I add IP info? How do I adjust the firewall? How do I connect to a remote server via netsh? You get the point.

2) Active Directory Database Mounting Tool Screencast Great screen cast on how to take a snapshot of your DIT, mount it, and view an offline copy via dsa.msc

3) IIS7 Media Pack Bit Rate Throttling Module For media files, Bit Rate Throttling implements a dynamic per-file throttling capability to provide intelligent progressive downloading.

Technorati Tags: RSAT,Windows 2008,Vista

Taking a circular netmon capture from the command prompt

Brad Rutkowski — Fri, 22 Feb 2008 22:23:42 GMT

You've probably heard that netmon3.1 is out, but you might not know that you can easily launch a capture at the command prompt. I find this useful when we're waiting on a repro, we want a capture, but we don’t know when that's going to happen. Sure you could set this up in the GUI too, but who wants to do that when it's as easy as this?

The below will setup a capture on all networks that the system is attached to and wait until I hit ctrl+c (you can see its been a while with no repro). The CHN extension used tells netmon to take multiple captures in a chain (see file syntax). I also put some examples at the bottom so you can see what else you can do. Have fun!

C:\Windows\system32>nmcap /capture /network * /File netmoncap.chn:100M
Netmon Command Line Capture (nmcap) 03.01.0512.0000

Saving info to:
C:\Windows\system32\netmoncap.cap - using chain captures of size 100.00 MB.

ATTENTION: Conversations Enabled: consumes more memory (see Help for details)

Exit by Ctrl+C

Saved Frames: 9232127 Capture Frames: 9438779 (44181 seconds)

Hit Ctrl+C

Cancelled by user

Final Results : Saved Frames: 722 Capture Frames: 722

C:\Program Files\Microsoft Network Monitor 3>dir netmoncap.cap
Volume in drive C has no label.
Volume Serial Number is FCC3-5AF7

Directory of C:\Program Files\Microsoft Network Monitor 3

02/22/2008 09:06 AM           384,748 netmoncap.cap
               1 File(s)        384,748 bytes
               0 Dir(s) 16,699,654,144 bytes free

Here's the breakdown fo the /File syntax:

/File <Capture File>[:<File Size Limit>]
    Name of capture file to save frames to. Extensions are used to determine
    the behavior of nmcap.
     .cap -- Netmon 2 capture file
     .chn -- Series of Netmon 2 capture files: t.cap, t(1).cap, t(2).cap...
    <File Size Limit> are optional. It limits the file size of each capture
    file generated. Default single capture file size limit is 20M. The
    upper bound of the file size limit is 500M. The lower bound of the file
    size limit depends on the frame size captured. (Note that the maximal size
    of ethernet frames is 1500 Bytes)
    The files are circular, so once the size limit is reached, new data will
    overwrite older data.
    Example Usage: /File t.cap:50M

Some other examples from the NMCAP help:

This example starts capturing network frames that DO NOT contain ARPs, ICMP,
NBtNs and BROWSER frames. If you want to stop capturing, Press Control+C.

nmcap /network * /capture (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /File NoNoise.cap

Starts capturing network frames immediately. All TCP frames that have a source
port or destination port of 80 are saved to the chained capture files named
test.cap, test(1).cap, test(2).cap, ... When the user presses the 'x' key the
program stops.

nmcap /network * /capture tcp.port == 80 /file c:\temp\test.chn:6M /stopwhen /keypress x

This example starts capturing network frames that are TCP Continuations. The
capture filter is searching for String "Continuation in TCP Frame Summary
Description. In order to see the complete list of Netmon Properties that are
filterable,type ".Property" in the Netmon Filter UI.

nmcap /network * /capture contains(.Property.Description, \"Continuation\") /File TCPContinuations.cap

Technorati Tags: Netmon,Network Monitor

I PTE the fool: !SYSPTES 4 works in Vista SP1/WS08

Brad Rutkowski — Thu, 21 Feb 2008 03:21:00 GMT

System Page Table Entry (PTE) issues are some of the top support issues for servers that run large server applications and have a relatively large amount of Random Access Memory (RAM). PTEs are structures used to track pages of RAM, similar to the way a telephone number is used to track a telephone to a specific location.

You can now track down those 3f bugchecks using !sysptes using the public symbols. Usually when we hit a server running out of system PTEs, it will just tip over and we don't see an actual bugcheck.

Prior to Vista SP1/Windows 2008 if you tried to run SYSPTES 4 on a server with public symbols you'd get this error message: "Unable to get System PTE individual lock consumer information". Well Windows Dev has fixed the bug. Below is an example of what we would typically see, and then how we'd use !sysptes to narrow down who is consuming the space.

You find this sort of output in !VM:

0: kd> !vm 1
*** Virtual Memory Usage ***
Physical Memory: 999242 ( 3996968 Kb)
Page File: \??\C:\pagefile.sys
Current: 927744 Kb Free Space: 884312 Kb
Minimum: 927744 Kb Maximum: 927744 Kb
Page File: \??\E:\pagefile.sys
Current: 3072000 Kb Free Space: 3024624 Kb
Minimum: 3072000 Kb Maximum: 3072000 Kb
Available Pages: 265887 ( 1063548 Kb)
ResAvail Pages: 933615 ( 3734460 Kb)
Locked IO Pages: 1679 ( 6716 Kb)
Free System PTEs: 500 ( 2000 Kb)

********** Running out of system PTEs **************

******* 416179544 system PTE allocations have failed ******

Free NP PTEs: 1630 ( 6520 Kb)
Free Special NP: 0 ( 0 Kb)
Modified Pages: 478 ( 1912 Kb)
Modified PF Pages: 477 ( 1908 Kb)
NonPagedPool Usage: 8814 ( 35256 Kb)
NonPagedPool Max: 32351 ( 129404 Kb)
PagedPool 0 Usage: 10590 ( 42360 Kb)
PagedPool 1 Usage: 994 ( 3976 Kb)
PagedPool 2 Usage: 958 ( 3832 Kb)
PagedPool 3 Usage: 972 ( 3888 Kb)
PagedPool 4 Usage: 931 ( 3724 Kb)
PagedPool Usage: 14445 ( 57780 Kb)
PagedPool Maximum: 54784 ( 219136 Kb)
Shared Commit: 4163 ( 16652 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 10930 ( 43720 Kb)
PagedPool Commit: 14485 ( 57940 Kb)
Driver Commit: 1963 ( 7852 Kb)
Committed pages: 747541 ( 2990164 Kb)
Commit limit: 1952440 ( 7809760 Kb)

So what now? If you don't have the registry value set below, well for all intents and purposes you SOL. So reboot, set the value, and then wait for repro. Usually when we see the issue it comes back pretty quickly as some driver is eating up the space.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
trackptes REG_DWORD 0x1

Once the waiting is over and the system tips over, run !sysptes 4 and it will tell you what is allocating the PTEs and how many per call. The “!SYSPTES 4” command only lists driver PTE allocations. This is because, historically, drivers have made the most use and misuse of system PTEs. Sometimes you'll find one heavy hitter with a huge count (like in the article linked below), or in other instances you might find a certain sequence allocating many times, in either case you now have a clue as to who is using the PTEs and can either investigate that driver via break points, or contact the vendor who is eating up all the PTEs.

Cleaned up a bit for sanity's sake:

2: kd>!sysptes 4

VA MDL PageCount Caller/CallersCaller

f0769080 fce7fb18 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
efbbb8b8 fce0f658 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
f1c17080 fd0eb7a8 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
eff41820 fd41bc70 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
f1d10080 fcd91950 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
f027f108 fd051f88 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
efbf7080 fd7f3e80 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
f1cede10 fce71460 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
ef8a8080 fcedde80 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
ef963730 fc9c2868 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
f0281080 fccc52c0 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
f1dfaff8 fd156650 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
f0141080 fc6e82c0 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
ef8f3508 fd003a30 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b
ef637080 fee1dde0 2         mrxsmb+0x2bed2/mrxsmb+0x2da71
eff3fa18 fd304050 2         rdbss!RUserBuffer+0x2f/rdbss!UserBufferForLowIo+0x2b

The actual process of tracking down the PTEs is thoroughly explained here: Detection, Analysis, and Corrective Actions for Low Page Table Entry Issues

So next time your system is acting up, get in there with Live KD and see what's going on!

Vista SP1 and Windows 2008: No /console switch with MSTSC

Brad Rutkowski — Mon, 14 Jan 2008 22:35:00 GMT

I've ran into this a few times here and each time I stare at my screen for some time (depends on how much coffee I've had) and then remember this change. When you install Vista SP1 or install Win2k8 the console switch for MSTSC will be ignored (it's gone). They've made a change that requires the use of the /admin switch now. So if you want to connect the console on a Win2k3 server then instead of using MSTSC /console /v:<servername> now use MSTSC /admin /v:servername.

Why the change? Check Nick's post for further details and a link to the TS team blog with more info.

The more you know...

Here is the TS teams blog post with all the details you'd ever want to know: http://blogs.msdn.com/ts/archive/2007/12/17/changes-to-remote-administration-in-windows-server-2008.aspx

Performance update for Vista RTM released today

Brad Rutkowski — Thu, 13 Dec 2007 02:20:03 GMT

Saw this on the Windows Vista team blog today.

http://support.microsoft.com/?kbid=943899

This update improves performance, responsiveness, and reliability of Windows Vista in various scenarios. This update resolves the following issues on a Windows Vista-based computer:

•You receive a "Stop 0x000000A0" error when you try to switch the computer to the hibernate state.

•You receive a "Stop 0x0000009f" error when you switch the computer to the hibernate state or to the standby state. Or, you receive this Stop error when you resume the computer from the hibernate state or from the standby state. This problem occurs on a computer that has a wireless network connection.

•The disk does not spin down after a specified time of inactivity.

Additionally, this update can help improve performance when you perform operations that are related to large disk I/O. After you apply this update, you may notice up to a 15 percent performance improvement in some copying operations and when moving some large files.

Returning just the errors using Wevtutil.exe

Brad Rutkowski — Mon, 05 Nov 2007 21:20:00 GMT

I posted on how you can use Wevtutil to enumerate the event logs on server core or LH. Someone left a comment asking how could they just return the errors from the System log instead of all the events. Seems like a reasonable question and with a bit of research here is the solution.

This will query the SYSTEM log for all events with a level of 1 (critical) or a level of 2 (Error), dumps it out in text format with a count of 4.

C:\Windows>wevtutil qe System "/q:*[System[(Level=1 or Level=2)]]" /f:text /RD:TRUE /C:4
Event[0]:
Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: 2007-11-04T17:11:22.000
Event ID: 1041
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Comp1
Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)

Event[1]:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 2007-11-04T14:04:33.147
Event ID: 1006
Task: N/A
Level: Error
Opcode: Start
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: Comp1
Description:
The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.

Event[2]:
Log Name: System
Source: TermDD
Date: 2007-11-04T12:01:21.118
Event ID: 56
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Comp1
Description:
The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.

Event[3]:
Log Name: System
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Date: 2007-11-04T11:44:23.000
Event ID: 1041
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Comp1
Description:
Autoreconnect failed to reconnect user to session because authentication failed. (Access is denied.)

Update: Use the /r:<system> on the end to query a remote server.

More details on Event selection: http://msdn2.microsoft.com/en-us/library/aa385231.aspx

Technorati tags: Windows 2008, Longhorn. Vista, Server core

Not getting kernel memory dumps in Windows Vista or Windows 2008?

Brad Rutkowski — Tue, 16 Oct 2007 19:36:11 GMT

Backstory:

With the advent of Windows Vista there are changes made in how the operating system determines if it can take a kernel memory dump or not. Starting in Vista the amount of memory allocated for kernel mode could vary dynamically. If the pagefile is not big enough, switching to minidump at dump time can’t be done easily. So the dump stack initialization is happening at the time of boot where this check for the pagefile size is done.

What does this mean? It means if you don't have a pagefile as large as physical memory at boot, and your system is configured for a kernel dump, you'll end up getting a minidump. If you permit me to opine, this makes sense in the client space where a valid dump is more critical than a corrupted kernel dump, as the results usually would get uploaded to Microsoft via WERCON or another mechanism. If further triage is needed MSFT could contact you with the ability to setup a kernel capture.

In the Server world though, it's different. We have thousands of x64 systems with 16GBs of RAM and there is no way we could have a 16GB page file as the system either does not have the space (on C), or it does not make fiscal sense with regards to disk space. We have all our systems configured to take kernel dumps in case we crash the server via debugger/keyboard. We dogfood our beta operating systems, and a hung server is a normal site to see, and sometimes we can't break in via the debugger and a crash dump is our last and only resort. Crashing a box and ending up with a minidump does not suffice in our role.

The change in Vista SP1 RC0/Windows 2008 RC0 on:

Starting with the release of RC0, there is a new registry key that can be set which will tell the OS to ignore the page file check on boot up and you'll take your chances getting a valid kernel dump. We've tested this internally and all works as expected. So if you need kernel dumps on your large memory systems, this might be something to remember for your bag of tricks.

Key: HKLM\System\CurrentControlSet\Control\CrashControl

Value: IgnorePagefileSize

Type: DWORD

Data: 1

Technorati tags: Windows 2008, Vista, Debugging

Using TypePerf to get performance data on the command prompt.

Brad Rutkowski — Sat, 22 Sep 2007 23:29:36 GMT

I was tracking a high CPU issue this week and needed to know when one of my servers was pegged so I could investigate. I could of used perfmon I guess but I really like to do everything I can from the command prompt. I always like it when there is a tool that can do data collection from the command prompt as this gives you the ability to easily script it if warranted.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nt_command_typeperf.mspx?mfr=true

C:\Windows\system32>typeperf "\\Server1\Processor(_Total)\% Processor Time"

"(PDH-CSV 4.0)","\\Server1\Processor(_Total)\% Processor Time"
"09/20/2007 15:42:42.926","18.097697"
"09/20/2007 15:42:43.928","21.217785"
"09/20/2007 15:42:44.929","15.757631"
"09/20/2007 15:42:45.931","16.537653"

The command completed successfully.

You can collect any counter that lives in the perfmon world, I'm sure some of you out there will find a use for this.

C:\Debuggers>typeperf "\\serverX\Server\Server Sessions" -sc 2

"(PDH-CSV 4.0)","\\serverX\Server\Server Sessions"
"09/22/2007 13:21:54.110","8.000000"
"09/22/2007 13:21:55.117","8.000000"

The command completed successfully.

Full Syntax below, you can adjust the collection in numerous ways.

C:\Debuggers>typeperf -?

Microsoft r TypePerf.exe (6.0.6001.16656)

Typeperf writes performance data to the command window or to a log file. To stop Typeperf, press CTRL+C.

Usage:
typeperf { <counter [counter ...]> | -cf <filename> | -q [object] | -qx [object] } [options]

Parameters:
<counter [counter ...]> Performance counters to monitor.

Options:
-?                            Displays context sensitive help.
-f <CSV|TSV|BIN|SQL>          Output file format. Default is CSV.
-cf <filename>                File containing performance counters to monitor, one per line.
-si <[[hh:]mm:]ss>            Time between samples. Default is 1 second.
-o <filename>                 Path of output file or SQL database. Default is STDOUT.
-q [object]                   List installed counters (no instances). To list counters for one object, include the object name, such as Processor.
-qx [object]                  List installed counters with instances. To list counters for one object, include the object name, such as Processor.
-sc <samples>                 Number of samples to collect. Default is to sample until CTRL+C.
-config <filename>            Settings file containing command options.
-s <computer_name>            Server to monitor if no server is specified in the counter path.
-y                            Answer yes to all questions without prompting.

Technorati tags: Windows 2008, Vista, XP, Admin

Kernel stack not resident (Using .pagein)

Brad Rutkowski — Thu, 30 Aug 2007 02:36:10 GMT

You might find yourself debugging an issue and a thread you are interested in is paged out. Here's the steps to use to page in the stack for the kernel side and user side... Be careful when doing this on a live machine that you want to release after debugging as paging in certain section of memory can cause it to bugcheck...

2: kd> !thread fffffa8004415460
THREAD fffffa8004415460 Cid 087c.0acc Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token: fffff8801d302060 (Level Impersonation)
Owning Process            fffffa80046e5610       Image:         snmp.exe
Wait Start TickCount      367059906      Ticks: 15906005 (2:20:55:35.268) //Been waiting a while.
Context Switch Count      13819416
UserTime                  00:00:38.173
KernelTime                00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident. // We can't see what the stack looks like as it been waiting so long its been paged out.

2: kd> .pagein fffffa600440d6e0 //Grab Current from above... This will get us the kernel side...
You need to continue execution (press 'g' <enter>) for the pagein to be brought in. When the debugger breaks in again, the page will be present.
2: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`0163e1d0 cc              int     3
1: kd> !thread fffffa8004415460
THREAD fffffa8004415460 Cid 087c.0acc Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token: fffff8801d302060 (Level Impersonation)
Owning Process            fffffa80046e5610       Image:         snmp.exe
Wait Start TickCount      367059906      Ticks: 15906070 (2:20:55:36.282)
Context Switch Count      13819416
UserTime                  00:00:38.173
KernelTime                00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffffa60`0440d720 fffff800`01647abe : fffffa60`0440da88 fffff880`18c943f0 fffffa60`0440da88 fffff880`18c943f0 : nt!KiSwapContext+0x7f
fffffa60`0440d860 fffff800`016484c5 : 00000000`00303cb0 fffffa60`0440da88 00000000`00000009 00000000`00000001 : nt!KiSwapThread+0x12e
fffffa60`0440d8c0 fffff800`01681067 : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x5f5
fffffa60`0440d940 fffff800`018be424 : fffffa60`0440da88 00000000`00303cb0 fffffa80`04415460 00000000`00000000 : nt!AlpcpSignalAndWait+0x97
fffffa60`0440d980 fffff800`018be868 : 00000000`00000000 00000000`00000000 00000000`00303cb0 00000000`00300318 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0440d9e0 fffff800`018a834f : fffffa80`04352e60 fffffa80`00020000 00000000`00303cb0 00000000`00300318 : nt!AlpcpProcessSynchronousRequest+0x251
fffffa60`0440db00 fffff800`016437b3 : fffffa80`04415460 fffffa60`0440dca0 00000000`00000280 fffff800`0189c654 : nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0440dbb0 00000000`77af4dca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0440dc20)
00000000`016aebc8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77af4dca

1: kd> .pagein /p fffffa80046e5610 00000000`016aebc8 //We take the process ID of the thread and the usermode address at the bottom of the stack.
You need to continue execution (press 'g' <enter>) for the pagein to be brought in. When the debugger breaks in again, the page will be present.
1: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`0163e1d0 cc              int     3

1: kd> !thread fffffa8004415460 //Viola! Now we have the whole stack, you might need to do a .reload for symbols.
THREAD fffffa8004415460 Cid 087c.0acc Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token: fffff8801d302060 (Level Impersonation)
Owning Process            fffffa80046e5610       Image:         snmp.exe
Wait Start TickCount      367059906      Ticks: 15906135 (2:20:55:37.296)
Context Switch Count      13819416
UserTime                  00:00:38.173
KernelTime                00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffffa60`0440d720 fffff800`01647abe : fffffa60`0440da88 fffff880`18c943f0 fffffa60`0440da88 fffff880`18c943f0 : nt!KiSwapContext+0x7f
fffffa60`0440d860 fffff800`016484c5 : 00000000`00303cb0 fffffa60`0440da88 00000000`00000009 00000000`00000001 : nt!KiSwapThread+0x12e
fffffa60`0440d8c0 fffff800`01681067 : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x5f5
fffffa60`0440d940 fffff800`018be424 : fffffa60`0440da88 00000000`00303cb0 fffffa80`04415460 00000000`00000000 : nt!AlpcpSignalAndWait+0x97
fffffa60`0440d980 fffff800`018be868 : 00000000`00000000 00000000`00000000 00000000`00303cb0 00000000`00300318 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0440d9e0 fffff800`018a834f : fffffa80`04352e60 fffffa80`00020000 00000000`00303cb0 00000000`00300318 : nt!AlpcpProcessSynchronousRequest+0x251
fffffa60`0440db00 fffff800`016437b3 : fffffa80`04415460 fffffa60`0440dca0 00000000`00000280 fffff800`0189c654 : nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0440dbb0 00000000`77af4dca : 000007fe`fea5c72b 00000000`00001000 00000000`016aee90 00000000`01460058 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0440dc20)
00000000`016aebc8 000007fe`fea5c72b : 00000000`00001000 00000000`016aee90 00000000`01460058 00000000`0030ed80 : ntdll!NtAlpcSendWaitReceivePort+0xa
00000000`016aebd0 000007fe`fea6c592 : 00000000`00302b50 00000000`016aef30 000007fe`fe95c8b8 00000000`00001000 : RPCRT4!LRPC_CCALL::SendReceive+0xbb
00000000`016aec50 000007fe`fea6c5e2 : 00000000`016aed00 00000000`00000000 00000000`00000000 00000000`01460058 : RPCRT4!I_RpcSendReceive+0x42
00000000`016aec80 000007fe`feafad2c : 00000000`016aef30 00000000`00000000 00000000`00000000 00000000`0030ed80 : RPCRT4!NdrSendReceive+0x32
00000000`016aecb0 000007fe`feafaef0 : 00000000`00000000 000007fe`fe95d090 00000000`00000011 00000000`016aece0 : RPCRT4!NdrpClientCall3+0x11c
00000000`016aef00 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RPCRT4!NdrClientCall3+0x7c

1: kd>

Discrepancy in volume size when you extend a volume with DISKPART

Brad Rutkowski — Wed, 15 Aug 2007 23:51:59 GMT

Had an issue come in today where the customer requested that one of their drives on SAN storage be expanded. They carved out the necessary disk space and expanded the LUN which was verified showing 430GB total on the array. Rescanned in Disk Management and showed the Unallocated Space. They then used diskpart to expand the D$ drive, disk management then shoed 430GBs. However, properties still showed only 359GB. Diskpart list disk showed 430GB.

So why the discrepancy? Well when you extend a volume with DISKPART it doesn't automatically extend the file system with it, so you need to do the following:

C:\Debuggers>diskpart

Microsoft DiskPart version 6.0.6001

On computer: ServerX

DISKPART> sel vol d

Volume 1 is the selected volume.

DISKPART> EXTEND FILESYSTEM

DiskPart successfully extended the file system on the volume.

When that is completed, then you'll see all the space in the properties. If you extend the volume via the MMC then this happens automatically for you behind the scenes.

Technorati tags: vista, windows 2008

Vista: Two hotfixes now released to improve performance, compatibility, and reliability.

Brad Rutkowski — Tue, 07 Aug 2007 23:24:00 GMT

http://support.microsoft.com/?kbid=938194

This update resolves some compatibility issues and reliability issues in Windows Vista. By applying this update, you can achieve better reliability and hardware compatibility in various scenarios.
This update resolves the following issues:

•The screen may go blank when you try to upgrade the video driver. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

932539 (http://support.microsoft.com/kb/932539/) The screen may go blank when you try to upgrade the video driver on a Windows Vista-based computer

•The computer stops responding, and you receive a "Display driver stopped responding and has recovered" error message. You can restart the computer only by pressing the computer's power button.

•The computer stops responding or restarts unexpectedly when you play video games or perform desktop operations.

•The Diagnostic Policy Service (DPS) stops responding when the computer is under heavy load or when very little memory is available. This problem prevents diagnostics from working.

•The screen goes blank after an external display device that is connected to the computer is turned off. For example, this problem may occur when a projector is turned off during a presentation.

•A computer that has NVIDIA G80 series graphic drivers installed stops responding.

•Visual appearance issues occur when you play graphics-intensive games.

•You experience poor playback quality when you play HD DVD disks or Blu-ray disks on a large monitor.

•Applications that load the Netcfgx.dll component exit unexpectedly.

•Windows Calendar exits unexpectedly after you create a new appointment, create a new task, and then restart the computer.

•Internet Connection Sharing stops responding after you upgrade a computer that is running Microsoft Windows XP to Windows Vista and then restart the computer.

•The Printer Spooler service stops unexpectedly.

•You receive a "Stop 0x0000009F" error when you put the computer to sleep while a Point-to-Point Protocol (PPP) connection is active. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

931671 (http://support.microsoft.com/kb/931671/) Error message when you put a Windows Vista-based computer to sleep while a PPP connection is active: "STOP 0x0000009F"

http://support.microsoft.com/?kbid=938979

This update resolves issues that may affect some Windows Vista-based computers. These issues have been reported by customers who are using the Error Reporting service or Microsoft Customer Support Services.
By applying this update, you can achieve better performance and responsiveness in various scenarios. This update also improves the reliability of Windows Vista.
This update resolves the following issues on a Windows Vista-based computer:

•You experience a long delay when you try to exit the Photos screen saver.

•A memory leak occurs when you use the Windows Energy screen saver.

•If User Account Control is disabled on the computer, you cannot install a network printer successfully. This problem occurs if the network printer is hosted by a Windows XP-based or a Windows Server 2003-based computer.

•When you write data to an AVI file by using the AVIStreamWrite function, the file header of the AVI file is corrupted.

•When you copy or move a large file, the "estimated time remaining" takes a long time to be calculated and displayed.

•After you resume the computer from hibernation, it takes a long time to display the logon screen.

•When you synchronize an offline file to a server, the offline file is corrupted.

•If you edit an image file that uses the RAW image format, data loss occurs in the image file. This problem occurs if the RAW image is from any of the following digital SLR camera models:

•Canon EOS 1D

•Canon EOS 1DS

•After you resume the computer from hibernation, the computer loses its default gateway address.

•Poor memory management performance occurs.

Technorati tags: Vista