Brad Rutkowski's Blog : Windows 2003

Taking a circular netmon capture from the command prompt

Brad Rutkowski — Fri, 22 Feb 2008 22:23:42 GMT

You've probably heard that netmon3.1 is out, but you might not know that you can easily launch a capture at the command prompt. I find this useful when we're waiting on a repro, we want a capture, but we don’t know when that's going to happen. Sure you could set this up in the GUI too, but who wants to do that when it's as easy as this?

The below will setup a capture on all networks that the system is attached to and wait until I hit ctrl+c (you can see its been a while with no repro). The CHN extension used tells netmon to take multiple captures in a chain (see file syntax). I also put some examples at the bottom so you can see what else you can do. Have fun!

C:\Windows\system32>nmcap /capture /network * /File netmoncap.chn:100M
Netmon Command Line Capture (nmcap) 03.01.0512.0000

Saving info to:
C:\Windows\system32\netmoncap.cap - using chain captures of size 100.00 MB.

ATTENTION: Conversations Enabled: consumes more memory (see Help for details)

Exit by Ctrl+C

Saved Frames: 9232127 Capture Frames: 9438779 (44181 seconds)

Hit Ctrl+C

Cancelled by user

Final Results : Saved Frames: 722 Capture Frames: 722

C:\Program Files\Microsoft Network Monitor 3>dir netmoncap.cap
Volume in drive C has no label.
Volume Serial Number is FCC3-5AF7

Directory of C:\Program Files\Microsoft Network Monitor 3

02/22/2008 09:06 AM           384,748 netmoncap.cap
               1 File(s)        384,748 bytes
               0 Dir(s) 16,699,654,144 bytes free

Here's the breakdown fo the /File syntax:

/File <Capture File>[:<File Size Limit>]
    Name of capture file to save frames to. Extensions are used to determine
    the behavior of nmcap.
     .cap -- Netmon 2 capture file
     .chn -- Series of Netmon 2 capture files: t.cap, t(1).cap, t(2).cap...
    <File Size Limit> are optional. It limits the file size of each capture
    file generated. Default single capture file size limit is 20M. The
    upper bound of the file size limit is 500M. The lower bound of the file
    size limit depends on the frame size captured. (Note that the maximal size
    of ethernet frames is 1500 Bytes)
    The files are circular, so once the size limit is reached, new data will
    overwrite older data.
    Example Usage: /File t.cap:50M

Some other examples from the NMCAP help:

This example starts capturing network frames that DO NOT contain ARPs, ICMP,
NBtNs and BROWSER frames. If you want to stop capturing, Press Control+C.

nmcap /network * /capture (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /File NoNoise.cap

Starts capturing network frames immediately. All TCP frames that have a source
port or destination port of 80 are saved to the chained capture files named
test.cap, test(1).cap, test(2).cap, ... When the user presses the 'x' key the
program stops.

nmcap /network * /capture tcp.port == 80 /file c:\temp\test.chn:6M /stopwhen /keypress x

This example starts capturing network frames that are TCP Continuations. The
capture filter is searching for String "Continuation in TCP Frame Summary
Description. In order to see the complete list of Netmon Properties that are
filterable,type ".Property" in the Netmon Filter UI.

nmcap /network * /capture contains(.Property.Description, \"Continuation\") /File TCPContinuations.cap

Technorati Tags: Netmon,Network Monitor

Hey Admins! Taking some of the pain out of analyzing perfmon captures.

Brad Rutkowski — Thu, 14 Feb 2008 02:03:20 GMT

Performance Analysis of Logs (PAL) tool

Project Description:

Ever have a performance problem, but don't know what performance counters to collect or how to analyze them? The PAL (Performance Analysis of Logs) tool is a new and powerful tool that reads in a performance monitor counter log (any known format) and analyzes it using complex, but known thresholds (provided). The tool generates an HTML based report which graphically charts important performance counters and throws alerts when thresholds are exceeded. The thresholds are originally based on thresholds defined by the Microsoft product teams and members of Microsoft support, but continue to be expanded by this ongoing project. This tool is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time. This is a VBScript and requires Microsoft LogParser (free download).

My take on the tool:

For those of us out there that don't have to deal with performance data on a daily basis I see a few options to help troubleshoot performance issues on your servers. 1) If your using 2k3 use SPA. 2) If you're running 2k8/Vista use data collection sets. 3) Collect analyze your own perfmon captures.

Now you might want to look into this tool. I found the tool simple to use and it's really a four step process. The web page created for the analysis has a plethora of info and links to the codeplex site for more info. Sweet.

Really in the end it's just a time saver. After collecting performance data on a server you need to analyze that data. This entails opening the log file, adding the counters that you've collected and finding out if any of the counters are above any thresholds (deemed by you). This tool does that analysis for you. It comes out-of-the-box with some predefined thresholds defined as high according to the MSFT consulting/development but those can be adjusted to whatever suits your fancy.

Once you get everything installed its time to do some analysis. It comes with some threshold templates for AD, System Overview, IIS, SQL, Exchange, etc (see pic) You point the app at the performance log you've captured during your perf issue, choose a threshold template to your liking, answer some basic questions, add the form and execute:

Once it completes it generates a webpage with the analysis information you desire. The webpage shows you alerts for activity that it finds suspect and graphs for the different areas of interest. I can't paste all the pics/info in here as it is quite lengthy depending on the interval you provide. But this definitely seems like a tool that could be handy down the road. Looking at the web page it looks really similar to SPA, but with graphs provided via the Office Web Components add-in. For example here is how I could find out LDP was using too much CPU:

First I found the alert which said that something was being excessive and I clicked on the link (sorry for the blurriness):

Then I found LDP consuming the CPU:

Add it to your bag of tricks, hope it helps.

Technorati Tags: Windows 2003,Windows 2008,Perfmon,Performance

Windows 2003 KB Released: Slow network communication from Vista RTM (6000) to Windows 2003 SP2

Brad Rutkowski — Thu, 31 Jan 2008 01:10:00 GMT

This was one issue I worked on for quite some time a few months ago. We found that Vista clients were taking forever to download group policies from domain controllers in the regions while Vista SP1 and XP clients did not see the issue. If the local DC was running LH or Windows 2003 SP1, we didn't see any issue. If the server was running Windows 2003 SP2 though and had a certain type of hardware we would see the latency.

Based on customer reports, Windows Dev learned of more widespread devices in the network that don’t understand greater window scale factors. So, they improved the heuristics in SP1 for when to limit or disable auto-tuning, which is why we only saw in in Vista RTM and not SP1.

The bug is in Windows 2003 SP2 and the details can be found here: http://support.microsoft.com/kb/947773

So if you find that you have vista clients experiencing network latency when hitting a Windows 2003 SP2 server (File server, DC, Exchange, etc) then you should look into this hotfix.

Technorati tags: Windows 2003

\SystemRoot\System32\RDPDD.dll failed to load

Brad Rutkowski — Sat, 05 Jan 2008 02:51:00 GMT

This is an FYI post for an issue we've seen on a couple of Windows 2003 SP2 servers internally. Hopefully if someone hits this in the wild they'll be able to find this post on the intertubes.

Symptom:

When attempting to connect from the client via RDP, you would click “connect” and then soon after it would silently fail and “connect” would be clickable again.

Each time when attempting to connect, the server would log this event:

Event Type:   Information
Event Source: Application Popup
Event Category:      None
Event ID:     26
Date:         9/25/2007
Time:         12:13:57 PM
User:         N/A
Computer:     ServerX
Description:
Application popup: : \SystemRoot\System32\RDPDD.dll failed to load

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00000000 006c0002 00000000 4000001a
0010: c0000017 c000009a 00000000 00000000
0020: 00000000 00000000

Our Resolution

A) We found that in our cases it was an issue with the ATI driver and by either rolling back the ATI driver for the display on the server or upgrading the display driver on the server resolved the issue. Reports in the comments show the same for Nvidia drivers

B) In another instance it was found that by going to: Display Properties --> Settings --> Advanced --> Troubleshoot, turn off "Hardware acceleration” resolved the issue as well without adjusting the drivers.

C) On the internet I've seen posts showing SFC to help but in my cases it did not.

Update from comments:

D) A solution found at http://forums.nvidia.com/index.php?showtopic=67147&hl=remote%20desktop&st=60 worked for me (and others.)

It's a registry fix that increases the size of the session image space. Add the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]

"SessionImageSize"=dword:00000020

Where 00000020 is hex for 32

In any case the event was a red herring and was just a generic error being bubbled up from Win32k.sys..

Technorati tags: Windows 2003, RDP, SP2

Need to get IPCONFIG /ALL from a computer remotely?

Brad Rutkowski — Sun, 16 Dec 2007 02:04:00 GMT

I know people have scripted this, but this is so much easier... You could use PSExec for running other commands as well, but someone recently asked me an easy way to get the IP info so here it is. If you just want to be sitting at a command prompt on the remote computer then you could just run "PSEXEC \\ServerB cmd" and then you go run whatever command you'd like.

http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx

C:\localbinx64>psexec \\ServerA ipconfig /all

PsExec v1.21 - execute processes remotely
Copyright (C) 2001 Mark Russinovich
www.sysinternals.com

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ServerA
   Primary Dns Suffix . . . . . . . : braddom.bradforest.test
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : braddom.bradforest.test

Ethernet adapter CORP:

   Connection-specific DNS Suffix . : braddom.bradforest.test
   Description . . . . . . . . . . . : HP NC7782 Gigabit Server Adapter #2
   Physical Address. . . . . . . . . : 00-13-21-0D-85-15
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 157.51.6.176
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 157.51.6.1
   DHCP Server . . . . . . . . . . . : 157.5.114.84
ipconfig exited on servera with error code 0.4.162

Kernel stack not resident (Using .pagein)

Brad Rutkowski — Thu, 30 Aug 2007 02:36:10 GMT

You might find yourself debugging an issue and a thread you are interested in is paged out. Here's the steps to use to page in the stack for the kernel side and user side... Be careful when doing this on a live machine that you want to release after debugging as paging in certain section of memory can cause it to bugcheck...

2: kd> !thread fffffa8004415460
THREAD fffffa8004415460 Cid 087c.0acc Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token: fffff8801d302060 (Level Impersonation)
Owning Process            fffffa80046e5610       Image:         snmp.exe
Wait Start TickCount      367059906      Ticks: 15906005 (2:20:55:35.268) //Been waiting a while.
Context Switch Count      13819416
UserTime                  00:00:38.173
KernelTime                00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident. // We can't see what the stack looks like as it been waiting so long its been paged out.

2: kd> .pagein fffffa600440d6e0 //Grab Current from above... This will get us the kernel side...
You need to continue execution (press 'g' <enter>) for the pagein to be brought in. When the debugger breaks in again, the page will be present.
2: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`0163e1d0 cc              int     3
1: kd> !thread fffffa8004415460
THREAD fffffa8004415460 Cid 087c.0acc Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token: fffff8801d302060 (Level Impersonation)
Owning Process            fffffa80046e5610       Image:         snmp.exe
Wait Start TickCount      367059906      Ticks: 15906070 (2:20:55:36.282)
Context Switch Count      13819416
UserTime                  00:00:38.173
KernelTime                00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffffa60`0440d720 fffff800`01647abe : fffffa60`0440da88 fffff880`18c943f0 fffffa60`0440da88 fffff880`18c943f0 : nt!KiSwapContext+0x7f
fffffa60`0440d860 fffff800`016484c5 : 00000000`00303cb0 fffffa60`0440da88 00000000`00000009 00000000`00000001 : nt!KiSwapThread+0x12e
fffffa60`0440d8c0 fffff800`01681067 : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x5f5
fffffa60`0440d940 fffff800`018be424 : fffffa60`0440da88 00000000`00303cb0 fffffa80`04415460 00000000`00000000 : nt!AlpcpSignalAndWait+0x97
fffffa60`0440d980 fffff800`018be868 : 00000000`00000000 00000000`00000000 00000000`00303cb0 00000000`00300318 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0440d9e0 fffff800`018a834f : fffffa80`04352e60 fffffa80`00020000 00000000`00303cb0 00000000`00300318 : nt!AlpcpProcessSynchronousRequest+0x251
fffffa60`0440db00 fffff800`016437b3 : fffffa80`04415460 fffffa60`0440dca0 00000000`00000280 fffff800`0189c654 : nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0440dbb0 00000000`77af4dca : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0440dc20)
00000000`016aebc8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77af4dca

1: kd> .pagein /p fffffa80046e5610 00000000`016aebc8 //We take the process ID of the thread and the usermode address at the bottom of the stack.
You need to continue execution (press 'g' <enter>) for the pagein to be brought in. When the debugger breaks in again, the page will be present.
1: kd> g
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus:
fffff800`0163e1d0 cc              int     3

1: kd> !thread fffffa8004415460 //Viola! Now we have the whole stack, you might need to do a .reload for symbols.
THREAD fffffa8004415460 Cid 087c.0acc Teb: 000007fffffd5000 Win32Thread: 0000000000000000 WAIT: (WrLpcReply) UserMode Non-Alertable
    fffffa80044157f0 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff88018c943f0
Impersonation token: fffff8801d302060 (Level Impersonation)
Owning Process            fffffa80046e5610       Image:         snmp.exe
Wait Start TickCount      367059906      Ticks: 15906135 (2:20:55:37.296)
Context Switch Count      13819416
UserTime                  00:00:38.173
KernelTime                00:02:33.972
Win32 Start Address 0x000007fefa7724bc
Stack Init fffffa600440ddb0 Current fffffa600440d6e0
Base fffffa600440e000 Limit fffffa6004408000 Call 0
Priority 11 BasePriority 8 PriorityDecrement 1 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffffa60`0440d720 fffff800`01647abe : fffffa60`0440da88 fffff880`18c943f0 fffffa60`0440da88 fffff880`18c943f0 : nt!KiSwapContext+0x7f
fffffa60`0440d860 fffff800`016484c5 : 00000000`00303cb0 fffffa60`0440da88 00000000`00000009 00000000`00000001 : nt!KiSwapThread+0x12e
fffffa60`0440d8c0 fffff800`01681067 : 00000000`00000000 00000000`00000011 00000000`00000001 00000000`00000000 : nt!KeWaitForSingleObject+0x5f5
fffffa60`0440d940 fffff800`018be424 : fffffa60`0440da88 00000000`00303cb0 fffffa80`04415460 00000000`00000000 : nt!AlpcpSignalAndWait+0x97
fffffa60`0440d980 fffff800`018be868 : 00000000`00000000 00000000`00000000 00000000`00303cb0 00000000`00300318 : nt!AlpcpReceiveSynchronousReply+0x44
fffffa60`0440d9e0 fffff800`018a834f : fffffa80`04352e60 fffffa80`00020000 00000000`00303cb0 00000000`00300318 : nt!AlpcpProcessSynchronousRequest+0x251
fffffa60`0440db00 fffff800`016437b3 : fffffa80`04415460 fffffa60`0440dca0 00000000`00000280 fffff800`0189c654 : nt!NtAlpcSendWaitReceivePort+0x19f
fffffa60`0440dbb0 00000000`77af4dca : 000007fe`fea5c72b 00000000`00001000 00000000`016aee90 00000000`01460058 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffffa60`0440dc20)
00000000`016aebc8 000007fe`fea5c72b : 00000000`00001000 00000000`016aee90 00000000`01460058 00000000`0030ed80 : ntdll!NtAlpcSendWaitReceivePort+0xa
00000000`016aebd0 000007fe`fea6c592 : 00000000`00302b50 00000000`016aef30 000007fe`fe95c8b8 00000000`00001000 : RPCRT4!LRPC_CCALL::SendReceive+0xbb
00000000`016aec50 000007fe`fea6c5e2 : 00000000`016aed00 00000000`00000000 00000000`00000000 00000000`01460058 : RPCRT4!I_RpcSendReceive+0x42
00000000`016aec80 000007fe`feafad2c : 00000000`016aef30 00000000`00000000 00000000`00000000 00000000`0030ed80 : RPCRT4!NdrSendReceive+0x32
00000000`016aecb0 000007fe`feafaef0 : 00000000`00000000 000007fe`fe95d090 00000000`00000011 00000000`016aece0 : RPCRT4!NdrpClientCall3+0x11c
00000000`016aef00 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RPCRT4!NdrClientCall3+0x7c

1: kd>

Domain not available when trying to TS onto a Windows 2003 server.

Brad Rutkowski — Thu, 16 Aug 2007 20:00:00 GMT

Issue came in this week where when you attempted to logon to a server it would not authenticate your request and would give you a message indicating the "domain is not available". If you tried logging on via your UPN, then it would give a slightly different error message indicating that "there is not enough storage to complete this operation".

After ruling out DNS and routing, I had the person run nltest /sc_query:BRADFOREST to see what DC it was pointing at and found that it did not have a secure channel to a DC which might be a reason we can't authenticate to the server. :) When we tried to reset the secure channel it would fail with error code 8 (ERROR_NOT_ENOUGH_MEMORY).) So we cranked up netlogon debug logging and then I repro'd the issue again. We could then see this in the netlogon debug log:

08/14 22:55:06 [SESSION] BRADFOREST: NlSetServerClientSession: New DC is an NT 5 DC: \\brad-dc-01.bradforest.local
08/14 22:55:06 [SESSION] BRADFOREST: NlSetServerClientSession: New DC is in closest site: \\brad-dc-01.bradforest.local
08/14 22:55:06 [SESSION] BRADFOREST: NlSetServerClientSession: New DC runs the time service: \\brad-dc-01.bradforest.local
08/14 22:55:06 [SESSION] BRADFOREST: NlSetServerClientSession: New discovery flags: 0x1dc; Old flags: 0x0
08/14 22:55:06 [SESSION] BRADFOREST: NlDiscoverDc: Found DC \\brad-dc-01.bradforest.local
08/14 22:55:06 [SESSION] BRADFOREST: NlStartApiClientSession: Bind to server \\brad-dc-01.bradforest.local (TCP) 0 (Retry: 0).
08/14 22:55:06 [MAILSLOT] Going to wait on mailslot. (Timeout: 45000)
08/14 22:55:06 [CRITICAL] NlPrintRpcDebug: Dumping extended error for I_NetServerReqChallenge with 0xc0000017
08/14 22:55:06 [CRITICAL] [0] ProcessID is 780 <-------------------------LSASS.exe
08/14 22:55:06 [CRITICAL] [0] System Time is: 8/14/2007 21:55:6:372
08/14 22:55:06 [CRITICAL] [0] Generating component is 8
08/14 22:55:06 [CRITICAL] [0] Status is 14
08/14 22:55:06 [CRITICAL] [0] Detection location is 313
08/14 22:55:06 [CRITICAL] [0] Flags is 0
08/14 22:55:06 [CRITICAL] [0] NumberOfParameters is 0
08/14 22:55:06 [CRITICAL] [1] ProcessID is 780
08/14 22:55:06 [CRITICAL] [1] System Time is: 8/14/2007 21:55:6:372
08/14 22:55:06 [CRITICAL] [1] Generating component is 8
08/14 22:55:06 [CRITICAL] [1] Status is 10055
08/14 22:55:06 [CRITICAL] [1] Detection location is 311
08/14 22:55:06 [CRITICAL] [1] Flags is 0
08/14 22:55:06 [CRITICAL] [1] NumberOfParameters is 3
08/14 22:55:06 [CRITICAL]      Long val: 1025
08/14 22:55:06 [CRITICAL]      Pointer val: 0
08/14 22:55:06 [CRITICAL]      Pointer val: 0
08/14 22:55:06 [CRITICAL] [2] ProcessID is 780
08/14 22:55:06 [CRITICAL] [2] System Time is: 8/14/2007 21:55:6:372
08/14 22:55:06 [CRITICAL] [2] Generating component is 8
08/14 22:55:06 [CRITICAL] [2] Status is 10055
08/14 22:55:06 [CRITICAL] [2] Detection location is 315
08/14 22:55:06 [CRITICAL] [2] Flags is 0
08/14 22:55:06 [CRITICAL] [2] NumberOfParameters is 0
08/14 22:55:06 [CRITICAL] BRADFOREST: NlSessionSetup: Session setup: cannot I_NetServerReqChallenge 0xc0000017
08/14 22:55:06 [MISC] Eventlog: 5719 (1) "BRADFOREST" 0xc0000017 c0000017   ....

Some interesting things to look at, first off what is 0xc0000017? Well we can use err.exe to see what that translates to.

C:\Windows\system32>err 0xc0000017
# for hex 0xc0000017 / decimal -1073741801
STATUS_NO_MEMORY
# {Not Enough Quota}
# Not enough virtual memory or paging file quota is available
# to complete the specified operation.

Well that pretty much flies with what I was seeing when trying to logon via UPN. We can also see two status codes being returned during the secure channel setup: 14 and 10055.

C:\Windows\system32>err /winerror.h 14
# winerror.h selected.
# for decimal 14 / hex 0xe
ERROR_OUTOFMEMORY
# Not enough storage is available to complete this operation. <-- This is what I was getting when trying to TS via UPN.

C:\Windows\system32>err /winerror.h 10055
# winerror.h selected.
# for decimal 10055 / hex 0x2747
WSAENOBUFS <--------------------HMMMMM?
# An operation on a socket could not be performed because the
# system lacked sufficient buffer space or because a queue
# was full.

So now that is interesting, so the next thing I did was do a netstat -s and looked at the statistics of ports and didn't see anything obvious and I then added the handles column in task manager and noticed that their custom application had 17,000 handles open. Turns out that most of those handles were outgoing calls and used up all the ephemeral ports. We had to set the MAXUSERPORT value in the registry to allow more ports to be used, once we did that everything returned to normal.

Ephemeral Ports

The number of user-accessible ephemeral ports that can be used to source outbound connections is configurable using the MaxUserPorts registry parameter. By default, when an application requests any socket from the system to use for an outbound call, a port between the values of 1024 and 5000 is supplied. The MaxUserPorts parameter can be used to set the value of the uppermost port that the administrator chooses to allow for outbound connections. For instance, setting this value to 10,000 (decimal) would make approximately 9000 user ports available for outbound connections.

Here is the KB article for the issue: http://support.microsoft.com/kb/196271

Here you can read about another setting called TCP TIME-WAIT delay which is how long the port hangs around before being terminated completely (4 minutes). This can also cause issues with apps that perform many outbound connections in a short time may use up all available ports before the ports can be recycled.

Technorati tags: Windows 2003, Networking

The case of Windows Defender not starting.

Brad Rutkowski — Wed, 15 Aug 2007 05:03:00 GMT

Had a client whose machine would not load Windows Defender, each time it was opened it would eventually die on initialization:

Log Name:      Application
Source:        Application Error
Date:          8/13/2007 4:03:10 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server1

Description:
Faulting application MSASCui.exe, version 1.1.1505.0, time stamp 0x45ad8d6e, faulting module ntdll.dll, version 6.0.6000.16386, time stamp 0x4549d372, exception code 0xc0000005, fault offset 0x000000000002aa74, process id 0x1268, application start time 0x01c7dde39a6e9100.

Since it was a problem was with initialization, the first thing I did was enable loader snaps and then put the executable under an IFEO. I didn't see anything jump out from the loader snaps, but when the system was g'd I did see these errors:
0:000> g
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)
(1008.11b8): In-page I/O error c000009c - code c0000006 (first chance)

This translates to STATUS_DEVICE_DATA_ERROR which means that the OS couldn't page in the memory due to a disk error (maps to Win32 error: ERROR_CRC). This is most likely a hardware failure.

I ran chkdsk /r on the c: drive and it was unable to recover the sectors. I ended up having to go to the HDD maker's site and downloading there utility to scan the hard drive and recover the sectors. Once done Defender was happy again. Your probably asking yourself (all three of you that read this blog) Why didn't you see the below event in the eventvwr? I I would have looked in the System log and saw this but unfortunately that wasn't opening before I fixed the disk errors.

Log Name:      System
Source:        disk
Date:          8/13/2007 5:31:43 PM
Event ID:      7
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server1
Description:
The device, \Device\Harddisk0\DR0, has a bad block.

If you don't have disk errors on the system another thing you can do is use SFC (/VERIFYFILE ) to check the integrity of the files in question if there are problems they will be dumped to the CBS.log file under c:\windows\logs\cbs.

SFC [/SCANNOW] [/VERIFYONLY] [/SCANFILE=<file>] [/VERIFYFILE=<file>]
[/OFFWINDIR=<offline windows directory> /OFFBOOTDIR=<offline boot directory>]

/SCANNOW        Scans integrity of all protected system files and repairs files with
                problems when possible.
/VERIFYONLY     Scans integrity of all protected system files. No repair operation is
                performed.
/SCANFILE       Scans integrity of the referenced file, repairs file if problems are
                identified. Specify full path <file>
/VERIFYFILE     Verifies the integrity of the file with full path <file>. No repair
                operation is performed.
/OFFBOOTDIR     For offline repair specify the location of the offline boot directory
/OFFWINDIR      For offline repair specify the location of the offline windows directory

Technorati tags: debugging.vista, windows 2008

How to know if TCP offload is working

Brad Rutkowski — Fri, 10 Aug 2007 23:10:00 GMT

So you went out and got yourself a new server and it came with TOE functionality, and now you're playing Windows 2008 which has TCP offload enabled but you just want to know if its actually offloading traffic. Here's the only way I know of finding what traffic is offloaded without setting breakpoints in the debugger.

First off to check if TCP offload is enabled:

C:\>netsh int tcp show global
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : enabled <-----
Receive Window Auto-Tuning Level    : normal
Add-On Congestion Control Provider : ctcp
ECN Capability                      : disabled
RFC 1323 Timestamps                 : disabled

To turn it on/off (does not require a reboot)

netsh int tcp set global chimney=disabled

netsh int tcp set global chimney=enabled

So how do we see if traffic is offloaded? You run netstat -nt, the 't' dumps their current offload state. I used findstr just to grab the offloaded connections.

C:\>netstat -nt | findstr /i offloaded
TCP    110.100.44.52:445      10.5.17.2:1369     ESTABLISHED     Offloaded
TCP    10.100.44.52:445       1.56.15.14:4741    ESTABLISHED     Offloaded
TCP    10.100.44.52:49157     1.198.5.2:2444     ESTABLISHED     Offloaded
TCP    10.100.44.52:49157     1.100.4.219:2255   ESTABLISHED     Offloaded
TCP    10.100.44.52:49157     1.58.6.50:54620    ESTABLISHED     Offloaded
TCP    10.100.44.52:49157     1.58.20.40:50442   ESTABLISHED     Offloaded
TCP    10.100.44.52:49157     1.58.25.15:1191    ESTABLISHED     Offloaded
TCP    10.100.44.52:49157     1.148.8.6:58308    ESTABLISHED     Offloaded
TCP    10.100.44.52:49449     1.10.3.2:1025      ESTABLISHED     Offloaded

UPDATE:

Windows 2003 its a bit different:

Netsh int ip set chimney DISABLED

Netsh int ip set chimney ENABLED

Want to know more about Scalable Networking?

http://technet.microsoft.com/en-us/network/bb545631.aspx

Are there pending operations waiting for a reboot?

Brad Rutkowski — Wed, 27 Jun 2007 19:21:20 GMT

Sometimes you might log onto a server and wonder if there have been patches installed and thing needs to be rebooted. Well if the patch wanted to replace a file that was in use by the system (like NTFS for example) then it populates a certain key in the registry, you could check this key to determine if a reboot is pending.

Value: PendingFileRenameOperations

Location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager

Description:

Stores the names of files to be renamed when the system restarts.

This entry consists of pairs of file names. The file specified in the first item of the pair is renamed to match the second item of the pair. The system adds this entry to the registry when a user or program tries to rename a file that is in use. The file names are stored in the value of this entry until the system is restarted and they are renamed.

Server that doesn't need to be rebooted for pending files:

C:\>reg query "\\server1\hklm\System\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations

ERROR: The system was unable to find the specified registry key or value.

Server that does need to be rebooted for pending files:

C:\>reg query "\\server2\hklm\System\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
PendingFileRenameOperations REG_MULTI_SZ \??\C:\WINDOWS\system32\SET2B5.tmp\0!\??\C:\WINDOWS\system32\schannel.dll\0\??\C:\WINDOWS\system32\_000025_.tmp.dll\0\??\C:\WINDOWS\system32\SET2B9.tmp\0!\??\C:\WINDOWS\system32\urlmon.dll\0\??\C:\WINDOWS\system32\SET2BA.tmp\0!\??\C:\WINDOWS\system32\shdocvw.dll\0\??\C:\WINDOWS\system32\SET2CA.tmp\0!\??\C:\WINDOWS\system32\kernel32.dll

Technorati tags: windows 2003, vista

Great tool for Windows 2003: Server Performance Advisor (SPA)

Brad Rutkowski — Tue, 26 Jun 2007 18:47:07 GMT

First off you can download SPA 2.0 here. I'm going to explain how to quickly use SPA, and then what type of data is returned in this post.

What is SPA?

So what is SPA and how can you use it? Well the official overview is:

Microsoft ® Windows Server ™ 2003 Performance Advisor is the latest version of Server Performance Advisor, which is a simple but robust tool that helps you diagnose the root causes of performance problems in a Microsoft Windows Server 2003 deployment. Server Performance Advisor collects performance data and generates comprehensive diagnostic reports that give you the data to easily analyze problems and develop corrective actions
Microsoft ® Windows Server ™ 2003 Performance Advisor provides several specialized reports, including a System Overview (focusing on CPU usage, Memory usage, busy files, busy TCP clients, top CPU consumers) and reports for server roles such as Active Directory, Internet Information System (IIS), DNS, Terminal Services, SQL, print spooler, and others.

Really I think of it as network monitor and performance monitor wrapped into one package so that you can correlate which clients might be causing load on your system.

Some nifty things about SPA:

1) It's XML based so the reports that are collected get organized "automagically" by date and server so you can drill down on a particular server. You could have a thousand reports on your reporting server and its quite easy to navigate via IE to the server and date that you are looking for.

2) You can setup SPA on your servers in "Data" mode and then setup a member server as a SPA "reporting" server, then you can schedule your servers to collect at a certain time and send that data to the reporting server. You can also have SPA (with version 2.0) take the data from those servers and put it in a SQL database for trending purposes. This is what we do internally, we setup the jobs to run at 10 and 2 to get peak utilization trending on our domain controllers. There is a chm file with SPA with more details on this.

3) Doesn't require a reboot to install.

4) Was deemed so awesome it is built right into Vista and Windows Server 2008 (Data Collection Sets)

I'm not going to dabble into the trending and reporting server side of SPA as that would require a lot more typing but like I said if you install SPA, you can read the chm about scheduling tasks and trending. I just wanted to point it out because some people might not have a monitoring solution where you can do some rudimentary trending and this could be a free solution.

The install

Double click MSI, leave defaults.

How and when to use

We're going to be focusing on how to use SPA to troubleshoot, lets look at an example of that. SPA is useful at narrowing down resource issues on a system with regards to processor, memory, network, and disk.

Last week we had a WINS server that was throwing database errors and so our team was engaged. I installed SPA using the steps above,I then could have used the GUI to launch SPA and start a collection (default 300 seconds), but this is the faster way (the way I use).

1) Navigate to the SPA directory, if you installed on an x64 system it will be under "Program Files (x86)", otherwise just "Program Files\Server Performance Advisor"

2) Since I want just a system overview report I ran spacmd start "system overview"

a) At this point the collection starts and you should see some processes labeled plahost running in task manager. You can let this run for 300 seconds but in my case I just needed a quick 30 second snapshot since the repro was constantly happening.

b) If you installed this on a domain controller you could do spacmd start "active directory" or spacmd start * which would start all the templates you have installed.

3) Now stop the collection: spacmd stop "system overview"

a) At this point as long as you left the defaults during install you should see a new folder under c:\perflogs with the server name and a few files underneath that.
C:\PerfLogs\Data\System Overview\Current\BRAD-SERVER_200706211545>dir
Volume in drive C is C_Drive
Volume Serial Number is 70C4-9FFD
Directory of C:\PerfLogs\Data\System Overview\Current\BRAD-SERVER_200706211545
06/21/2007 03:49 PM    <DIR>          .
06/21/2007 03:49 PM    <DIR>          ..
06/21/2007 03:49 PM             1,673 global_reg.xml //Some registry settings are checked by SPA there saved here
06/21/2007 03:49 PM         1,441,792 system_kernel.etl //A trace file that SPA analyzes during the capture.
06/21/2007 03:49 PM         1,638,400 system_perf.blg //Perfmon binary log file that SPA analyzes from the capture.
               3 File(s)      3,081,865 bytes
               2 Dir(s)     960,020,480 bytes free

4) Now we need to compile the data we captured into a report: spacmd compile "system overview"

a) Once this is complete, you should see the report in the reports directory. If using the GUI then the report will show up under reports under System Overview.
C:\PerfLogs\report\System Overview\Current\BRAD-SERVER_200706211545>dir
Volume in drive C is C_Drive
Volume Serial Number is 70C4-9FFD
Directory of C:\PerfLogs\report\System Overview\Current\BRAD-SERVER_200706211545
06/22/2007 09:35 AM    <DIR>          .
06/22/2007 09:35 AM    <DIR>          ..
06/22/2007 09:24 AM             1,721 global_reg.xml
06/22/2007 09:35 AM             2,365 obelisk.ip
06/22/2007 09:35 AM           608,594 report.xml //Double click this one.
06/22/2007 09:34 AM            62,417 report.xsl
06/22/2007 09:35 AM               656 summary.xml
06/22/2007 09:24 AM         6,881,280 system_kernel.etl
06/22/2007 09:24 AM         6,094,848 system_perf.blg
               7 File(s)     13,651,881 bytes
               2 Dir(s)     963,108,864 bytes free

Analyzing the report

So now that we have the report we can open it up and start looking at it, just double click report.xml and IE should open. You'll want to allow scripts and ActiveX so that you can adjust the data in the xml doc as it is dynamic. For example, if you look in the second JPG below on the top right its says "3 of 15" if you wanted to see the top 15 of 15 you could just click the 3 and type in 15, and the report would change.

The first part of the report is a summary, and links to other sections pertaining to CPU, Network, Disk, and Memory. Below that is any performance advisories that SPA flagged for you and then how each of the components were doing. In the first JPG below, on the right there is a little help icon, if you click the icon it will open a chm file with further steps you can take to narrow down the issue.

I can't go through each area of concern but you get the idea. As I was going through the network section I noticed this:

This seemed odd so I filtered my network monitor capture that I took during the same time period for vm-lab-machine and it came back with a ton of 1F registrations and releases for the 1F record for that server like so:

13861    5.703125    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13863    5.703125    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13864    5.703125    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13865    5.703125    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Registration Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13866    5.703125    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13867    5.703125    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13868    5.703125    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13869    5.703125    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Registration Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13870    5.703125    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13871    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13872    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13873    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Registration Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13874    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13875    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13876    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13877    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Registration Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13878    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13879    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13880    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13881    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Registration Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13882    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13883    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13884    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13885    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Registration Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13886    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Registration Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13887    5.718750    VM-LAB-MACHINE         BRAD-SERVER    NbtNs    NbtNs: Release Request for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx
13888    5.718750    BRAD-SERVER    VM-LAB-MACHINE         NbtNs    NbtNs: Release Response, Success for VM-LAB-MACHINE      <0x1F> NetDDE Service, xxx-xx-xxxx-xx

I then popped the query 1F Wins Server into live.com and the first hit was the issue.

SPA roles:

There is more than just the "system overview" template, there are templates for AD, print servers, terminal servers, etc. Each one of these templates focuses on that role and collects different counters depending on the role. For example, on a DC SPA will capture the DS perfmon counters and then analyze the output from those counter and flag issues it finds for follow-up.

Conclusion:

Using SPA I was able to easily find the network client causing the issue on our WINS server and then correlate that with the network capture. This is only one example of where SPA has really assisted in narrowing down the issue for me. One caveat, SPA is CPU intensive when it compiles the report, so if the system is already pegged at 100% its best to compile the report off the the system in question.

If you run into any issues with SPA (only supported on Win2k3), send me an e-mail or drop a comment and I'll try to help you out.

Technorati tags: Windows 2003, SPA

IceRocket tags: Windows 2003, SPA

People squatting on your TS sessions?

Brad Rutkowski — Tue, 15 May 2007 02:29:06 GMT

Something that administrators deal with quite a bit is trying to connect to a machine using remote desktop (mstsc) and getting our favorite message:

Boy this messagewill get you angry, damn squatters. pre-Vista/LH you could always give the /console switch a go and see if the console session is available:

mstsc /console /v:<server>

Even if the console session is being used you can still kick the person off if you feel like it.

The other option is to query who is connected and (if you have the rights and don't care whats going on in their session) boot off whomever you don't want connected to free yourself a slot:

query session /SERVER:<server>

reset session /Server:<server> <id>

And in real practice, goodbye squatter2.

The query.exe and reset.exe commands live in System32 so they should come with the OS. Links to the syntax of those commands below.

query session

reset session

Technorati tags: windows 2003, terminal services, mstsc, vista

How to easily calculate your system availability (uptime).

Brad Rutkowski — Tue, 24 Apr 2007 20:39:17 GMT

We all have managers and ALL managers love that little word called metrics, and ALL managers like to know that their service has 99.99% uptime. So how can you easily get this information off a Windows server? Well there is a simple tool out there called uptime.exe.

To get the uptime of a server use: Uptime.exe /s <servername>. If the system log has "wrapped" then your not going to get the events you need to get a good uptime report from the beginning. Uptime will show you each reboot and then at the bottom report give you valuable data that you can then put in a nice spreadsheet and send up to management.

Perhaps I should start a new section called metrics, because there are quite a few other easy things you can do to get relevant information to managers...

C:\localbin>uptime /s brad-dc-02
Uptime Report for: \\brad-dc-02

Current OS: Microsoft Windows Server 2003, Service Pack 1, Multiprocessor Free.
Time Zone: Pacific Daylight Time

System Events as of 4/24/2007 10:27:16 AM:

Date: Time: Event: Comment:
---------- ----------- ------------------- -----------------------------------
2/5/2007 1:50:11 PM Boot Prior downtime:0d 0h:1m:54s
2/5/2007 2:01:34 PM Shutdown Prior uptime:0d 0h:11m:23s
2/5/2007 2:03:30 PM Boot Prior downtime:0d 0h:1m:56s
2/5/2007 2:11:31 PM Abnormal Shutdown Prior uptime:0d 0h:8m:1s
2/5/2007 2:15:30 PM Boot Prior downtime:0d 0h:3m:59s
2/5/2007 2:15:31 PM Bluescreen STOP 0x0000000a
2/6/2007 12:22:12 PM Shutdown Prior uptime:0d 22h:6m:42s
2/6/2007 12:23:57 PM Boot Prior downtime:0d 0h:1m:45s
2/12/2007 1:08:06 PM Shutdown Prior uptime:6d 0h:44m:9s
2/12/2007 1:09:54 PM Boot Prior downtime:0d 0h:1m:48s
2/12/2007 1:54:09 PM Shutdown Prior uptime:0d 0h:44m:15s
2/12/2007 1:55:57 PM Boot Prior downtime:0d 0h:1m:48s
2/12/2007 2:15:49 PM Service Pack Service Pack 3 removed
2/12/2007 2:16:21 PM Shutdown Prior uptime:0d 0h:20m:24s
2/12/2007 2:18:05 PM Boot Prior downtime:0d 0h:1m:44s
2/12/2007 2:31:20 PM Shutdown Prior uptime:0d 0h:13m:15s
2/12/2007 2:33:06 PM Boot Prior downtime:0d 0h:1m:46s
2/12/2007 2:45:34 PM Service Pack Service Pack 3 removed
2/12/2007 2:48:06 PM Shutdown Prior uptime:0d 0h:15m:0s
2/12/2007 2:50:29 PM Boot Prior downtime:0d 0h:2m:23s
2/24/2007 12:09:42 AM Shutdown Prior uptime:11d 9h:19m:13s
2/24/2007 12:12:13 AM Boot Prior downtime:0d 0h:2m:31s
3/27/2007 12:26:16 PM Shutdown Prior uptime:31d 11h:14m:3s
3/27/2007 12:27:57 PM Boot Prior downtime:0d 0h:1m:41s
4/7/2007 12:04:53 AM Shutdown Prior uptime:10d 11h:36m:56s
4/7/2007 12:07:20 AM Boot Prior downtime:0d 0h:2m:27s
4/20/2007 9:45:10 PM Shutdown Prior uptime:13d 21h:37m:50s
4/20/2007 9:47:11 PM Boot Prior downtime:0d 0h:2m:1s

Current System Uptime: 3 day(s), 12 hour(s), 40 minute(s), 38 second(s)

--------------------------------------------------------------------------------

Since 11/3/2005:

System Availability: 99.9860%
Total Uptime: 460d 5h:51m:10s
Total Downtime: 0d 1h:48m:13s
Total Reboots: 31
Mean Time Between Reboots: 17.31 days
Total Bluescreens: 1

If you only want to see the uptime for the last 30 days then you can use the p: switch, there are other switches too.

C:\localbin>uptime /s brad-dc-01 /p:30
Uptime Report for: \\brad-dc-01

Current OS: Microsoft Windows Server 2003, Service Pack 1, Multiprocessor Free.
Time Zone: Pacific Daylight Time

System Events as of 4/24/2007 10:28:53 AM:

Date: Time: Event: Comment:
---------- ----------- ------------------- -----------------------------------
3/27/2007 12:26:16 PM Shutdown Prior uptime:31d 11h:14m:3s
3/27/2007 12:27:57 PM Boot Prior downtime:0d 0h:1m:41s
4/7/2007 12:04:53 AM Shutdown Prior uptime:10d 11h:36m:56s
4/7/2007 12:07:20 AM Boot Prior downtime:0d 0h:2m:27s
4/20/2007 9:45:10 PM Shutdown Prior uptime:13d 21h:37m:50s
4/20/2007 9:47:11 PM Boot Prior downtime:0d 0h:2m:1s

Current System Uptime: 3 day(s), 12 hour(s), 42 minute(s), 14 second(s)

--------------------------------------------------------------------------------

Since 3/25/2007: (Last 30 Days)

System Availability: 99.9860%
Total Uptime: 30d 10h:22m:44s
Total Downtime: 0d 0h:6m:9s
Total Reboots: 3
Mean Time Between Reboots: 10.15 days
Total Bluescreens: 0

Technorati tags: Windows, Vista, Windows 2003

del.icio.us tags: Windows, Vista, Windows 2003