How PGP Whole Disk Encryption Works

In my discussion and demo at the IT-Discuss Live – Security event in May, I used a short slide deck to describe—in broad terms—how PGP Whole Disk Encryption works. This laid the foundation for working through some common-ish support scenarios.


Having received several requests for a copy of the slides, here they are, in both PowerPoint (.pptx) and PDF formats.

Custom event log queries

I really like the newer event log model in the Windows Server 2008 family, and the flexibility of XML-formatted events and the queries they make possible.

Recently, I started noticing a quiet failure of a scheduled task. The Task Scheduler thinks that the task completed successfully, though the executable called by the task action returned an error code of 3:

Task Scheduler successfully completed task “ShareVol_Sync” , instance “{92ac3257-f52d-47eb-9a3a-ce02c5196bbd}” , action “diskshadow.exe” with return code 3.

I wanted to see how long this had been going on, so I switched from the Task Scheduler console to Event Viewer and navigated to the Operational log under Applications and Services Logs > Microsoft > Windows > TaskScheduler.

I started by using the Filter Current Log dialog to select events with Event ID 201, but this included all “Action completed” events for all tasks. So I looked at the XML view for one of the events for the task I was researching. The event includes a data value named “ActionName” with the value “diskshadow.exe”, which should allow me to find all the relevant events.


Next, I needed to refine my filter to look for this value in the events. I opened the Filter Current log dialog again, and switched to the XML tab, then checked the Edit query manually option. You get a scary warning about not being able to use the GUI again, but that only applies to the current filter. Be bold: click OK.

Next, I edited the query, following examples from this excellent Ask the Directory Services Team blog post. The part that matters is the text between the Select tags. Originally, the query was simply:


To that, I added the following:

*[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]

So that the whole query looks like this:

      *[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]

Now event viewer shows me only the “Action Completed” events for the diskshadow.exe command, and I can see exactly when the behavior changed.

Note that you can also use the query XML with PowerShell’s Get-WinEvent cmdlet and its -FilterXml parameter [See an example]. You can also use the Save Filter to Custom View option to make this view persistent.
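As an added example (not code from the original post), the same XPath filter passed to Get-WinEvent -FilterXml, scanning the “Action completed” events for diskshadow.exe and reporting the first one with a non-zero return code. It assumes PowerShell 3.0 or later; the helper name Get-EventDataValue is mine, and the EventData field name 'ResultCode' is an assumption to confirm against the XML view of one event.

```powershell
# Same filter as in the post, wrapped in the QueryList XML that Event Viewer generates.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
      *[System[(EventID=201)]] and
      *[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]
    </Select>
  </Query>
</QueryList>
'@

# Helper (hypothetical name): read one EventData/Data value by its Name attribute,
# exactly as it appears in the XML view of the event.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# Collect only the completions whose return code was not 0. Task Scheduler logs
# these as "successfully completed", so nothing else flags them.
$failures = @(foreach ($e in $events) {
    $rc = Get-EventDataValue -Event $e -Name 'ResultCode'   # assumed field name
    if ($rc -and [int]$rc -ne 0) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            TaskName    = Get-EventDataValue -Event $e -Name 'TaskName'
            ReturnCode  = [int]$rc
        }
    }
})

if ($failures.Count -gt 0) {
    'First non-zero return code: {0} (return code {1})' -f $failures[0].TimeCreated, $failures[0].ReturnCode
    $failures | Format-Table -AutoSize
} else {
    'No non-zero return codes found for diskshadow.exe'
}
```

Run it in an elevated session on the server, since reading the Operational log requires the Event Log Readers right or administrator privileges.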

I routinely review Windows’ Event logs during diagnostics and troubleshooting. I find the ability to query those logs for specific data is an indispensable technique. No more dumping to CSV and running findstr! I hope you find it helpful, too.

Use it up – Brother HL-3070CW Toner

Use it up, Wear it out, Make it do, or Do without.

There are some things that we can’t really do without. But good old Yankee thrift pains me every time I have to replace printer consumables.

I have a Brother HL-3070CW color laser printer at home, which I really like. I selected it specifically because it has an optional straight-through printing path, to reduce curl on heavier stock.

I’ve also discovered that it reports being out of toner based on page count or something, rather than a measure of actual toner remaining. I found two ways to make sure I get the most from my toner cartridges.

First, I found that there’s a menu for resetting the state of toner in the printer.

  1. Open the top cover
  2. Press the Cancel and Secure Print buttons together to bring up the toner menu
  3. Use the + and – buttons to select the toner cartridge to reset, and press OK (twice). Each color (CMYK) has two options, one each for standard and high capacity cartridges.
  4. When finished, close the top cover.

In addition, it’s very easy to reset the physical switch on the toner cartridge, as shown in this short video:
Very easy to do.

(Both procedures from )

I’ve used the menu reset option several times, and I haven’t seen any problems with toner coverage on my printed pages.

When I do need to replace the cartridge, I have found the best prices on Amazon and NewEgg.

Script: Shadow Copy Report

We use EMC NetWorker for our enterprise backup solution. Since we migrated our primary file server from a NetApp filer to a native Windows server, we’ve been having a recurring problem with all the Shadow Copies for a volume getting deleted. There are strong indications that the problem is related to the NetWorker backups.

As we have been working on this issue with EMC (since the first week in January!), I wrote a script to tell me two things each morning: how many snapshots exist for each volume, and what VSS errors were logged, if any.

I thought someone might find it useful, so I’ve posted it as a separate page (the script doesn’t fit nicely in the column on the blog).

PowerShell Script: chksnap.ps1

Webmail on a Netbook

Amid the praise for and complaints about the newer version of webmail, we received a plea from a netbook user. She pointed out that the new layout made it very difficult to navigate among her mail folders. I use a netbook myself, and I thought I’d share some things that we can do to improve our browsing from a netbook. Specifically, we’re going to take webmail from this:

Webmail on a netbook - before

to this:

Webmail on a netbook - after

Continue reading

Custom FSRM notification script

I’ve been working on a script to generate an informative message to users when they exceed quota thresholds on our file server. File Server Resource Manager (FSRM) provides a variety of useful variables that can be plugged into an automated email. However, we have found that it’s often very useful to provide more information about the kinds of files a user is storing, something akin to the output of the very useful and free utility WinDirStat.

I’ve made progress on the script that generates the email. However, I’ve run into a snarl in trying to configure the quota notification to run the script. The script runs just fine from a command prompt, even from a command prompt running as the Local System account. But when I trigger an FSRM event that should drive the script, I get an error in the Application Log:


Continue reading

Semisynchronous WMI

Experimenting with querying WMI from Perl with Win32::OLE, I ran across the following WMI query options in a Perl example from Microsoft’s Script Center:

use Win32::OLE;
use Win32::OLE::Const 'Microsoft WMI Scripting';   # defines wbemFlagReturnImmediately (0x10) and wbemFlagForwardOnly (0x20)
my $objWMIService = Win32::OLE->GetObject('winmgmts:\\\\.\\root\\cimv2') or die Win32::OLE->LastError;
$colItems = $objWMIService->ExecQuery("SELECT * FROM Win32_Share", "WQL", wbemFlagReturnImmediately | wbemFlagForwardOnly);

After some digging, I found the following explanation of those options, wbemFlagReturnImmediately and wbemFlagForwardOnly:

Because WMI manages the object, semisynchronous mode is more secure than asynchronous mode. However, if you use semisynchronous mode with more than 1,000 instances, instance retrieval can monopolize the available resources, which can degrade the performance of the program or script and the computer using the program or script. Each object takes up the necessary resources until the memory is released.

To work around this condition, you can call the method with the iFlags parameter set with the wbemFlagForwardOnly and wbemFlagReturnImmediately flags to instruct WMI to return a forward-only SWbemObjectSet. A forward-only SWbemObjectSet eliminates the performance problem caused by a large data set by releasing the memory after the object is enumerated.

[from: ]

I wanted to put this somewhere, because I’m sure I’ll forget.

I should have known better


I spent some time configuring the Eventlog-to-Syslog service on my domain controllers yesterday. A bunch of that time was spent trying to figure out why the service wasn’t able to read the config file I had created.

The upshot is that I had installed a 32-bit version of my text editor of choice. When I created the config file in c:\windows\System32 using 32-bit Vim, the WoW64 file system redirector on Server 2008 R2 was transparently relocating that file to c:\windows\SysWOW64. Then, when I tried to start the service, it failed to find or load the config file because it didn’t exist in the correct location.

So, I have replaced the standard gvim install with the native 64-bit version.
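An added check (not from the original post) that shows whether the current PowerShell process is subject to WoW64 redirection, where a write under System32 would really land, and the Sysnative alias a 32-bit process can use to reach the real System32. The function name and the config file name are placeholders of mine.

```powershell
# Hypothetical helper: map a requested path to where a 32-bit process on 64-bit
# Windows would actually read or write it, and to the Sysnative form that bypasses
# the redirector. Run it from the same (32-bit or 64-bit) host as the tool in question.
function Get-Wow64RedirectedPath {
    param([Parameter(Mandatory)][string]$Path)

    $redirected = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
    $system32   = Join-Path $env:windir 'System32'
    $pattern    = '^' + [regex]::Escape($system32)   # -replace is case-insensitive, like NTFS names

    if ($redirected -and $Path -like "$system32\*") {
        # The process asked for System32 but the redirector silently hands it SysWOW64.
        $actual = $Path -replace $pattern, (Join-Path $env:windir 'SysWOW64')
        # Sysnative is a virtual directory visible only to 32-bit processes; it is the real System32.
        $native = $Path -replace $pattern, (Join-Path $env:windir 'Sysnative')
    } else {
        $actual = $Path
        $native = $Path
    }

    [pscustomobject]@{
        Requested        = $Path
        ActualTarget     = $actual
        PathForRealSys32 = $native
        Redirected       = $redirected
        ExistsAtActual   = Test-Path -LiteralPath $actual
    }
}

# Placeholder file name; substitute the service's real config file.
Get-Wow64RedirectedPath -Path (Join-Path $env:windir 'System32\example-service.cfg')
```

If Redirected is True for the editor or installer you used, look for the "missing" file under SysWOW64 before assuming the service itself is broken.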

Prototyping Windows File Services

After seven years of providing robust file service hosted on a NetApp filer, we’ve decided to migrate our services to native Windows File Services. We have encountered several issues with the interaction of newer Windows client operating systems and NetApp’s third-party implementation of CIFS and SMB2.

We did meet with some staff from various units on campus to discuss the current state of file services, especially the current pain points, and outlined our current plans. The main themes that emerged from our discussion were as follows:

  1. Make the service simpler
    1. H: drive is just confusing; merge it with My Documents
    2. The duplicated folders within the user profile directory (e.g. c:\users\netid) create lots of confusion. Any way to address this?
  2. Provide more options (increments) for home directory quotas
  3. Provide notification to departments regarding storage usage and quotas

We are currently prototyping a new design for our Campus File Services — dare I call it CFSv2 — hosted in a Windows Server 2008 R2 Failover Cluster. It’s still early in the process, but the design looks promising.