Blog du Tristank : IIS

IIS WebDAV Security Advisory

tristank — Tue, 19 May 2009 09:49:20 GMT

Today, an IIS 5.0 to 6.0 security advisory was released:

Vulnerability in Internet Information Services Could Allow Elevation of Privilege

http://www.microsoft.com/technet/security/advisory/971492.mspx

If you’re using WebDAV on any version prior to 7.0 (where it was completely rewritten, and released as an add-on module after ), you’ll want to read the advisory, and take appropriate action.

Mitigating factors are listed in the advisory.

Don’t Use Office Applications (or GDI+, or System.Drawing, or WinInet) in a Server Application (or ASP.Net)

tristank — Thu, 06 Nov 2008 10:03:22 GMT

Johan posted a timely reminder of a long-standing perennial support call generator in his post Office Automation .

Adding one more option to the list of possible workarounds – direct XML-based production/manipulation of an OOXML (or ODF, for that matter) document (Word, Excel, Powerpoint?) might get you where you need to go.

Now, to get the laundry list out of the way, here’s a quick top-of-the-head list of other technologies best kept away from your shiny new ASP.Net application:

Outlook automation on the server isn’t a good idea at all, which is why CDO (or these days, DAV for Exchange Server) is preferred.
The Word/Excel/Powerpoint/Outlook programmable Object Models typically drive the application itself rather than manipulating data files directly, so should be avoided too.
Tom posted a while back on the perils of System.Drawing/GDI+ in ASP.Net applications. The same goes for WPF, last I heard.

We do use System.Drawing as a demo of in some of our IIS 7 demos (most recently seen in the PDC IIS 7 demo that included watermarking using System.Drawing), and elsewhere – it’s an effective demo, but the caveats are as documented.

WinInet (the core HTTP engine used by Internet Explorer) is another old, old case of the same designed-for-client paradigm (which led to the creation of WinHTTP (and in .Net land, HttpWebRequest etc)).

I’m not saying any of the above don’t typically work - most of the time, whatever you’re doing might work fine (I personally wrote a bunch of charting and drawing controls years ago in ASP.Net before discovering this), but when it doesn’t, our options are limited in how we’re able to help.

Site Optimization Tips with VRTA

tristank — Mon, 03 Nov 2008 07:47:01 GMT

New and shiny on MSDN:

12 Steps To Faster Web Pages With Visual Round Trip Analyzer

.HDMP and .MDMP files

tristank — Tue, 23 Sep 2008 11:12:27 GMT

Just a quickie – the rule is blog what you know, but I figure my speculation might be good enough here.

A friend gave me an HDMP file and asked what I could make of it. After the usual “I could make a hat! Or a brooch! Or a dinosaur!” type stuff, I realized it wouldn’t open anyway.

In my experience, most .HDMPs come with matching .MDMP files. I think of these as Minidumps (in the “real” mini sense – just information about threads and thread stacks), and Heap dumps (everything else the process knew or cared about in User mode).

This HDMP wasn’t openable in the debugger directly, but if its corresponding MDMP was present in the same folder at the same time, I reckon it woulda.

The feared WER-wolf produces these files in pairs (that’s Windows Error Reporting, kids, don’t be too scared, except that it invalidates everything we used to know about AEDebug registry keys and similar, but that’s another story for another time), and that’s how I’ve analyzed them in the past. I remember hearing of some sort of merge operation that needed to happen between M and H dumps, but I’m reasonably certain I haven’t bothered with that (I assume I’m lazy by default), so I think the debugger just does it for ya.

Now I’ve written that, I’m going to go look for references to support my assertions!

949180 How to create a user-mode process dump file in Windows Server 2008
http://support.microsoft.com/default.aspx?scid=kb;EN-US;949180

(At the bottom – mini and heap dumps - yay me!). Think that’s enough for today. Hugs!

What does it mean when there's no "broken page" icon in IE8?

tristank — Wed, 10 Sep 2008 10:59:09 GMT

I was just catching up on some of my RSS feeds, and noticed that one of the pages I was at didn't have a broken page icon, but wasn't working quite right (some broken javascript in the photos area, I'm guessing... I'll investigate that next).

I wondered what that meant, so fired up Fiddler2 to have a look.

The Headers collection didn't include the compatibility header (X-UA-Compatible: IE=EmulateIE7 or similar):

HTTP/1.1 200 OK
Proxy-Connection: Keep-Alive
Connection: Keep-Alive
Content-Length: 77144
Via: 1.1 MYPROXY
Date: Wed, 10 Sep 2008 07:42:24 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
Cache-Control: private

But the META tag was present (link):

<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en"
"http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><meta http-equiv="X-UA-Compatible" content="IE=7" /><title>
Spied: New Mazda3

So: the page is being told to render in IE7 Standards Mode (forced, as opposed to IE=EmulateIE7, which would behave as IE7 did). This makes the toggle compatibility mode button moot, because the site has chosen their mode explicitly.

Wonder if that's the problem... Time to investigate with the developer toolbar, I think...

(Update: nup, document mode didn't fix it - Script Debugging needed to be un-disabled in IE, and then the debugger showed me it was happening in motiongallery.js. I've lost interest now :) )

Generic Troubleshooting: "Is it still a problem?"

tristank — Mon, 28 Apr 2008 09:38:05 GMT

I've been doing this support thing for a while now.

Frequently, the basics are what get overlooked when troubleshooting an issue, particularly an issue that seems complex on the surface.

Often, though, you'll find that the detailed techniques lead you back to a fairly basic set of rules, the most basic of which is:

Everything's either a file issue, or a settings issue, or just how the software works (by bug or by design).

If something seems unlikely to be a file (corrupted or incorrect file) or settings issue, it could easily be a bug (that is, given the same conditions, you'll be able to reach the same outcome). But if you think you might have hit a bug, what's the most efficient way of addressing it?

Obviously, to find someone else has addressed it already!

So, the Temporal rule of Troubleshooting: try it with the most recent version available.

(this doesn't necessarily mean "try Word 2007 if 2003 doesn't work", I mean "within the same major version").

Today, for example, I was looking at a memory dump (which you usually tend to do at the pointy end of a troubleshooting process, and I'm not going to show working or why these two are relevant), and found these *cough* classics:

0:000> lmvmurlmon
    Loaded symbol image file: urlmon.dll
    Image path: C:\WINNT\system32\urlmon.dll
    Image name: urlmon.dll
    Timestamp:        Wed Aug 04 17:56:37 2004 (411096B5)
    File version:     6.0.2900.2180
    Product version: 6.0.2900.2180
...
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     UrlMon.dll
    OriginalFilename: UrlMon.dll
    ProductVersion:   6.00.2900.2180
    FileVersion:      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    FileDescription: OLE32 Extensions for Win32
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

0:000> lmvmmsxml3
start    end        module name
    Loaded symbol image file: msxml3.dll
    Image path: C:\WINNT\system32\msxml3.dll
    Image name: msxml3.dll
    Timestamp:        Wed Aug 04 17:59:24 2004 (4110975C)
    CheckSum:         00138815
    ImageSize:        00130000
    File version:     8.50.2162.0
    Product version: 8.50.2162.0
...
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) MSXML 3.0 SP 5
    InternalName:     MSXML3.dll
    OriginalFilename: MSXML3.dll
    ProductVersion:   8.50.2162.0
    FileVersion:      8.50.2162.0
    FileDescription: MSXML 3.0 SP 5
    LegalCopyright:   Copyright (C) Microsoft Corporation. 1981-2003

What does that tell me? Well, lots! Like: this particular machine isn't up to date on IE and XML security patches. Internet Explorer security patches are cumulative, so installing one tends to refresh the majority of the browser software (side bonus: this can also resolve file-level issues, like a corrupted or incorrect DLL).

From that, you can infer that it's probably not up to date on a bunch of stuff. We make it pretty easy to apply security updates these days, and if the security patches aren't up to date, chances are there are non-security patches missing too, and so on.

So: My standard response to any binary implicated in a reproducible problem is to look for and then apply the latest version available (from memory, urlmon was updated this month, and msxml3 sometime since mid-2007).

Once we've applied the latest updates, we'll know whether we actually have more work to do, or whether we're just covering old ground.

So, short version: Try the latest version first.

See the big potential time saving there?

The Cat's Out Of The Bag: ISA Server will become ForeFront TMG

tristank — Wed, 09 Apr 2008 09:21:00 GMT

So, we all know that ISA 2006 doesn't work on Windows Server 2008. Massive architectural changes to the IP stack, blah blah, etc, etc.

People (uh, yeah, just "people") have been asking about what's to become of ISA Server for a while:

"There's no ISA 2008 announced!" they'd scream.

"This surely means the end of one of the best product lines Microsoft has produced!" might have also been heard (in a somewhat muffled way).

"Won't Tristan be out of a job?" one person wailed, unconvincingly.

Well, that's right - the plan at this point is that there is no ISA Server 2008.

(pause for effect, teeth-gnashing, gasping, horror to subside)

As of the next version, Internet Security and Acceleration Server is ForeFront Threat Management Gateway!

(Now you're going to tell me that ISA was a perfectly good name and not at all unwieldy...)

See our well-formed Press Release for details!

Microsoft also today announced the name of its next-generation network edge security product, Forefront Threat Management Gateway. Forefront Threat Management Gateway is the future version of Microsoft ISA Server and will extend the capabilities of ISA Server 2006 with new features and security technologies, designed to help provide multiple-threat protection, simplified management and secure connectivity, and will be built on Windows Server 2008. More details about Forefront Threat Management Gateway will be available later this year.

Excellent! So, key takeaway: we are working on a successor. The product isn't going away!

There's an early beta available from here, though it's downloading at a slow trickle for me right now (got excitement?).

So, go forth and, you know, Manage Threats! In the future!

Post-SP2 TCP Offload Fix

tristank — Mon, 17 Mar 2008 06:31:00 GMT

I've mentioned Chimney before. Now, a new Windows Update fix for TCP Offload, which turns it off.

It was on by default in Windows Server 2003 SP2, so if your NIC supported Offload, or RSS, or that other thing I can never remember, it was enabled.

But: we (PSS we) typically turn it off as a first troubleshooting step for any network-related issue -

a) because we know from experience that several drivers seem to do interesting things with it installed (that's a nice way of saying update your drivers),

b) because several of our drivers do interesting things with it (if you're going to choose to use it, check for recent-model tcpip.sys hotfixes), and

c) because we want to be able to see TCP traffic in a network capture for troubleshooting purposes.

Off-unless-opted-in brings parity with Windows Server 2008.

IIS7 Modules Aplenty - WebDAV, Bitrate Throttling

tristank — Sat, 15 Mar 2008 14:51:00 GMT

New modules, supported by Microsoft, are now officially RTMd (RTWd?) and available for use with IIS 7.0.

WebDAV

Yay new WebDAV! Yay being able to enable it on specific parts of a site! Yay better!

Robert: http://blogs.msdn.com/robert_mcmurray/archive/2008/03/12/webdav-extension-for-windows-server-2008-rtm-is-released.aspx

Downloads:

• Microsoft WebDAV Extension for IIS 7.0 (x86) http://www.iis.net/go/1621/
• Microsoft WebDAV Extension for IIS 7.0 (x64)http://www.iis.net/go/1618/

Media Bitrate Throttling

Yay something about bandwidth for media files!

Vishal: http://blogs.iis.net/vsood/archive/2008/03/15/bit-rate-throttling-is-now-released.aspx

Downloadies:

· 32 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640

· 64 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641

Intro:

The Internet Information Services 7.0 (IIS 7.0) Media Pack – Bit Rate Throttling module provides the ability to throttle progressive downloads of media files (in which audio/video playback starts as soon as sufficient data has been buffered on the client) based on the content bit rate. For sites that deliver audio and video files that may not be watched in their entirety, this module could significantly reduce your media-related bandwidth costs. A secondary feature of the Bit Rate Throttling Module is that it can also be used to throttle non-media ("Data") file types at specified bit rates.

Don't Forget The New FTP Server While You're At It

I already mentioned this, but I'll list it here as a one-stop convenience (aww, aren't I nice?)

Replaces FTP6 (that shipped in the box) with FTP7: FTP with SSL, virtual hostname support, extensibility, right-click-and-add-FTP-to-a-website publishing integration... loads of cool stuff.

Microsoft FTP Publishing Service for IIS 7.0 (x86)

Microsoft FTP Publishing Service for IIS 7.0 (x64)

"Stacking" NTLM Authentication

tristank — Tue, 11 Mar 2008 09:30:49 GMT

This question came up today (well, actually, it was about four weeks ago I started typing this, but bear with me), and it's been a little while since I've rambled about authentication protocols, so let's enjoy a nice, calm discussion on a ~~Monday~~ Tuesday arvo.

The request was something like:
In a Web Publishing scenario, can I do NTLM at the ISA Server and NTLM at the Exchange server too?

No

And the answer is - well, no.

There's no way for the client browser to distinguish between the ISA Server (first) saying 401 WWW-Authenticate: NTLM , and then the IIS Server saying 401 WWW-Authenticate: NTLM.

Because it appears to be a repeated authentication sequence when the connection is already authenticated from IE's perspective (and IE doesn't think it's talking to a different server), IE assumes there's been an auth failure (why else would the server challenge again?).

So, lots of authentication prompts are going to happen. The solution (as described) is not workable.

But

With ISA 2006 and its amazingly-useful-how-did-we-ever-live-without-them Authentication features:

What you could do is Integrated Windows Authentication at the Exchange server (i.e. allow Kerberos), and use protocol transition at the ISA Server, from whatever form of authentication you can accept from a client to Kerberos Credential Delegation (or even another protocol, depending on the auth method used by the listener).

So

The question itself was a "no", but the question almost always isn't actually the question. That one's for free.

Special note: I worked really hard on the headings for this post. I hope it was appreciated.

MaxUserPort - what it is, what it does, when it's important

tristank — Tue, 11 Mar 2008 09:17:57 GMT

What can we say about MaxUserPort that hasn't already been said? Not a lot, it would seem. He's a beautiful dancer, perhaps? Ahh, such gentle humour, and nary a kitten drowned anywhere.

But TCP port shenanigans are fairly frequently misunderstood, so let's talk about the very basics of MaxUserPort.

NB: This is all pre-Vista behaviour - applicable from NT4 through to Windows Server 2003, including all the little NT-flavoured stops on the way.

MaxUserPort controls "outbound" TCP connections

MaxUserPort is used to limit the number of dynamic ports available to TCP/IP applications.

It's never going to be an issue affecting inbound connections. MaxUserPort is not the right answer if you think you have an inbound connection problem.

(I don't know why, I just know it is. Probably something to do with constraining resource use on 16MB machines, or something.)

To further simplify: it's typically going to limit the number of outbound sockets that can be created. Note: that's really a big fat generalization, but it's one that works in 99% of cases.

If an application asks for the next available socket (a socket is a combination of an IP address and a port number), it'll come from the ephemeral port range allowed by MaxUserPort. Typically, these "next available" sockets are used for outbound connections.

The default range for MaxUserPort is from 1024-5000, but the possible range is up to 65534.

When You Fiddle MaxUserPort

So, why would you change MaxUserPort?

In the web server context (equally applicable to other application servers), you'd usually need to look at MaxUserPort when:

- your server process is communicating with some type of other system (like a back-end database, or any TCP-based application server - quite often http web servers)

And:

- you are not using socket pooling, and/or

- your request model is something like one request = one outbound TCP connection (or more!)

In this type of scenario, you can run out of ephemeral ports (between 1024 and MaxUserPort) very quickly, and the problem will scale with the load applied to the system, particularly if a socket is acquired and abandoned with every request.

When a socket is abandoned, it'll take two minutes to fall back into the pool.

Discussions about how the design could scale better if it reused sockets rather than pooling tend to be unwelcome when the users are screaming that the app is slow, or hung, or whatever, so at this point, you'd have established that new request threads are hung waiting on an available socket, and just turn up MaxUserPort to 65534.

What Next? TcpTimedWaitDelay, natch

Once MaxUserPort is at 65534, it's still possible for the rate of port use to exceed the rate at which they're being returned to the pool! You've bought yourself some headroom, though.

So how do you return connections to the pool faster?

Glad you asked: you start tweaking TcpTimedWaitDelay.

By default, a connection can't be reused for 2 times the Maximum Segment Lifetime (MSL), which works out to 4 minutes, or so the docs claim, but according to The Lore O' The Group here, we reckon it's actually just the TcpTimedWaitDelay value, no doubling of anything.

TcpTimedWaitDelay lets you set a value for the Time_Wait timeout manually.

As a quick aside: the value you specify has to take retransmissions into account - a client could still be transferring data from a server when a FIN is sent by the server, and the client then gets TcpTimedWaitDelay seconds to get all the bits it wants. This could be sucky in, for example, a flaky dial-up networking scenario, or, say, New Zealand, if the client needs to retransmit a whole lot... and it's sloooow. (and this is a global option, as far as I remember).

30 seconds is a nice, round number that either quarters or eighths (depending on who you ask - we say quarter for now) the time before a socket is reusable (without the programmer doing anything special (say, SO_REUSEADDR)).

If you've had to do this, at this point, you should be thinking seriously about the architecture - will this scale to whatever load requirements you have?

The maths is straightforward:

If each connection is reusable after a minimum of N (TcpTimedWaitDelay) seconds
and you are creating more than X (MaxUserPort) connections in an N second period...

Your app is going to spend time "waiting" on socket availability...

Which is what techy types call "blocking" or "hanging". Nice*!

Fun* KB Articles:
http://support.microsoft.com/kb/319502/
http://support.microsoft.com/kb/328476

What's in IIS 7.0 for me?

tristank — Fri, 29 Feb 2008 06:16:00 GMT

While having a seemingly-innocuous chat with a colleague, I was asked to "throw together a few points" on what IIS 7.0 would do for a web application I've worked with in the past. Serves me right for talking to people, really.

In this application's case, authoring, publishing and content creation weren't as important as eventual scale-out and actual application performance (otherwise the just-released FTP7 would have been top of the list).

Here's what I came up with, off the cuff:

Reduced attack surface/patching requirements: IIS7 is now modular, and only the parts of the server actually needed by the application are required to be installed. This can also enable performance increases due to reduced memory footprint.
Vastly (imho) improved compression capabilities and compression performance (with automatic compression back-off when CPU use is high! How cool is that!?)
Simplified web farm management - if the application is able to work reliably in a web farm scenario, the IIS configuration store can be centralized and shared across all machines in the farm. (also see MSDeploy)
XCOPYable configuration - easily ensure settings are consistent between dev, qa and prod environments.
Failed Request Tracing (aka FREB) - if failures occur, request traces can be captured that include detailed diagnostic information.
Windows Server 2008 security, performance and scalability improvements - the most secure Windows yet (I expect); support for the latest hardware and 64-bit computing; and optimized TCP/IP performance.
SSL performance greatly increased - Kernel-mode SSL (not the best link for admin types) reduces context switching and ring transitions, and improves performance
Better UI! After a short time working out how the new model worked, I'm sold.

SetSPN improvements in Windows Server 2008! W00t!

tristank — Fri, 21 Dec 2007 10:21:00 GMT

All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured.

I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7.

... SetSPN got revamped.

We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad. (The Wiki is still down, by the way, sorry).

We know that it's been a little bit iffy configuring said SPNs and that the chance of getting it wrong was quite high - there was no control that prevented the registration of the same SPN twice, against different accounts.

Worse: SetSPN was focused on the account (security principal) only - if you thought you had a duplicate, you needed to use a customized LDIFDE command to track it down based on the SPN, as SetSPN wouldn't search by SPN, only by account.

Buuut: Some wonderful SDE that should really be on my Christmas card list decided that SetSPN could become an all-singing all-dancing SPN troubleshooting tool!

Yes folks, SetSPN now has SANITY CHECK (-S) switches and FIND THE PROBLEM (-X) switches! HOW COOL IS THAT!?

In order to not break backwards compatibility (I infer; I didn't actually participate in the conversation or decision making process), these are implemented as new switches, not old ones: Existing scripts that rely on creating duplicates (and then presumably resolving that situation shortly afterwards) won't (er, shouldn't) suddenly break.

C:\Users\Administrator>setspn
Usage: setspn [modifiers switches data] computername
Where 'computername' can be the name or domain\name

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

Examples:
setspn -R daserver1
It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
setspn -A http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1'
setspn -D http/daserver daserver1
It will delete SPN 'http/daserver' for computer 'daserver1'
setspn -F -S http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1' if no such SPN exists in the forest

So, any instructions out there that currently use the positively archaic SETSPN -A can now be updated to use the shiny new SETSPN -S.

Again, I ask you: How cool is that!?

I should add that I haven't actually tried this yet, just gurgled at the wonderful new options and imagined their effect. If it throws a "NotYetImplementedException", please forgive my enthusiasm :)

401.3, you say? Not 403?

tristank — Mon, 22 Oct 2007 12:35:12 GMT

You're running an IIS 6.0 website, and you have a virtual directory configured for anonymous authentication only (that is, you've unticked Integrated Windows Authentication).

Using a web browser, you try to access a file in that virtual directory. http://example.com/vdir/something.txt

What's a web browser?

Know what IE is, Leon?

Yeah.

Same thing.

I've never seen an IE. But I know what you mean.

Anyway, the something.txt file is ACLd such that the anonymous user account (IUSR_MACHINENAME) doesn't have any NTFS permissions to it. IIS impersonates the anonymous user for any anonymous request, and if it's knocked back, it 401s the client with a WWW-Authenticate header describing the types of authentication supported.

Now IIS needs to ask for some kind of credential, but the only authentication method ticked is Anonymous. So IIS can't ask for credentials. It can't 401 with a WWW-Authenticate header because it's got nothing to put in it. It won't send a 403 because it hasn't yet made a good-faith attempt to impersonate a user other than Anonymous.

But you haven't configured it to ask for credentials. You could tick Integrated Windows and make the pain go away. Or you could allow the Internet Guest Account (at least) Read access to the file. But you're not doing that, Leon.

Why is that, Leon?

Do you make these questions up yourself, or do you have them written down for you?

Actually, people come to me with questions all the time, and I sometimes write them down.

Like this one: tell me only the good things that come to your mind, about... Personal Web Server on Windows 95.

Personal Web Server? Let me tell you about Personal Web Server...

Tip o' the Week: WEVTUTIL for EVTX/EVT file conversion

tristank — Fri, 05 Oct 2007 09:19:19 GMT

This week, a pointer to a solution to a problem I occasionally hit.

Windows Vista (and by extension Windows Server 2008, I assume) utilizes a new EVTX log format for event log exports. It's XML-based, natch.

Problem: Everyone's Favourite Log Digestion Tool Log Parser uses system APIs to read event log exports, and the old .EVT event log format isn't "native" any more. Long story short, it chokes on them.

This, to put it mildly, was annoying, as most customers haven't moved to Windows Server 2008 yet (I mean, it's only five months from release - is there ever a better time?) and so supply event logs in the old format when asked.

Anyway - you can convert the old-school event logs into shiny new event logs through the user interface (just double-click the EVT, wait for it to open and display in chronological order; then do a Save As, pick a location and filename and answer an obscure question about language formatting; then find and open the newly-resaved log file), but bluntly, the GUI process leaves a bit to be desired if you have the slightest inkling towards type-A behaviour, and all I really want is something that'll work in Log Parser, really.

WEVTUTIL (and NeilCar) to the rescue. It's included out of the box, and it'll convert those dusty old event logs from the command line, with nary a GUI or common dialog in sight, ready for consumption by Logparser, or any other EVTX-friendly file muncher.

Neil's example (for the click-inhibited):

wevtutil epl application.evt application.evtx /lf:true

Bewdiful.