Tag Archives: Tools

Powershell, ACLs, and DFS-N

I’m working on some storage issues with our file services, and DFS Namespace services may be the best solution. But I will need to be able to keep the permissions on the DFS folders with targets in sync with the permissions on the target folders. I’m hoping that the new DFS-N PowerShell commands will facilitate this process. However, on my Server 2012 test system, I can’t get the help content to download for the DFSN-related cmdlets.

I did find this gem in the PowerShell Tips of the Week archive:

Windows PowerShell Tip: Working With Security Descriptors

Good stuff.

Custom event log queries

I really like the newer event log model on Windows 2008 family, and the flexibility of the XML events and the queries that makes possible.

Recently, I started noticing a quiet failure of a scheduled task. The Task Scheduler thinks that the task completed successfully, though the executable called by the task action returned an error code of 3:

Task Scheduler successfully completed task “ShareVol_Sync” , instance “{92ac3257-f52d-47eb-9a3a-ce02c5196bbd}” , action “diskshadow.exe” with return code 3.

I wanted to see how long this has been going on, so I switched from the Task Scheduler console to Eventlog Viewer, and navigated to the Operational log under “Applications and Services Logs”- Microsoft – Windows – TaskScheduler.

I started by using the Filter Current log dialog to select events with Event ID 201, but this included all “Action completed” events for all tasks. So I looked at the XML view for one of the events for the task I was researching. The event includes a data value named “ActionName” with the value “diskshadow.exe” that should allow me to find all the relevant events.


Next, I needed to refine my filter to look for this value in the events. I opened the Filter Current log dialog again, and switched to the XML tab, then checked the Edit query manually option. You get a scary warning about not being able to use the GUI again, but that only applies to the current filter. Be bold: click OK.

Next, I edited the query, following examples from this excellent Ask the Directory Services Team blog post. The query is the junk between the select tags. Originally, the query was simply:

*[System[(EventID=201)]]

To that, I added the following:

and
*[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]

So that the whole query looks like this:

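<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
      *[System[(EventID=201)]]
       and
      *[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]
    </Select>
  </Query>
</QueryList>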

Now event viewer shows me only the “Action Completed” events for the diskshadow.exe command, and I can see exactly when the behavior changed.

Note that you can use the query XML with the -FilterXml parameter of PowerShell’s Get-WinEvent cmdlet [See an example]. You can also use the Save Filter to Custom View option to make this view persistent.
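The same filter run from PowerShell, as an added example that is not part of the original post: it summarizes each return code with the first and last time it was seen, which shows when the behavior changed. It assumes the channel name Microsoft-Windows-TaskScheduler/Operational and that event 201 carries TaskName and ResultCode data values alongside ActionName; confirm both in the event's XML view.

```powershell
# Added example: the Event Viewer query from this post, run through Get-WinEvent.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
    <Select Path="Microsoft-Windows-TaskScheduler/Operational">
      *[System[(EventID=201)]]
       and
      *[EventData[Data[@Name='ActionName'] and (Data='diskshadow.exe')]]
    </Select>
  </Query>
</QueryList>
'@

function ConvertTo-ActionResult {
    # Flatten one event record into an object, reading EventData values by name.
    # TaskName and ResultCode are assumed field names; check them in the XML view.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            TaskName    = $data['TaskName']
            ActionName  = $data['ActionName']
            # [long] because return codes can be HRESULT-sized values
            ResultCode  = [long]$data['ResultCode']
        }
    }
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$results = @(Get-WinEvent -FilterXml $filterXml -ErrorAction SilentlyContinue |
    ConvertTo-ActionResult | Sort-Object TimeCreated)

if ($results.Count -eq 0) {
    Write-Warning 'No matching events (log cleared, rolled over, or not readable).'
    return
}

# Per return code: number of runs, and the first and last time it was seen.
$results | Group-Object ResultCode | ForEach-Object {
    [pscustomobject]@{
        ResultCode = $_.Name
        Runs       = $_.Count
        FirstSeen  = $_.Group[0].TimeCreated
        LastSeen   = $_.Group[-1].TimeCreated
    }
} | Format-Table -AutoSize
```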

I routinely review Windows’ Event logs during diagnostics and troubleshooting. I find the ability to query those logs for specific data is an indispensable technique. No more dumping to CSV and running findstr! I hope you find it helpful, too.

Is that program running as administrator?

Using Process Explorer to view process integrity levels

A friend asked me how to open a Control Panel applet As Administrator. In Windows Vista, when you see a little shield icon as part of a button or shortcut, that would indicate that you would get prompted by the User Account Control (UAC) facility to elevate the process Integrity Level, that is, to run it as an administrator with full rights to muck with the system.

In Windows 7, the frequency of UAC prompts has been reduced. You will still see the shield icon, but sometimes there’s no UAC prompt.

You can use Microsoft SysInternals Process Explorer tool to view the integrity levels of running processes. On campus, you can run the tool from \\files\software\utilities\sysinternals\procexp.exe. Once you’ve started Process Explorer, there are two things you’ll want to do:

  1. From the File menu, select the Show Details for All Processes option (you noted the shield icon, yes?).
  2. From the View menu, choose Select Columns… and check the Integrity Level item (on the Process Image tab; see below)


Changing Boot drive with BCDBoot

Scott Hanselman is a consistently good source of useful info and commentary. Recently, he needed to change which drive his computer used as its System drive, which is to say the drive containing the boot loader and configuration.

( N.B. For some reason, the “System Drive” contains the boot info, and the “Boot Drive” contains the operating system. Why could this not have been corrected?!)

Scott points out his options:

Approach 1: Nuclear Option. Wipe and Start Over.

Approach 2: Copy the Hidden/System Boot Manager and Boot Folder over to the C: drive and run a tool called BCDEdit to move things around in 12 short steps. 😉

This was a scary prospect for me, because from my point of view, while this was a fairly advanced operation, I just wanted to switch where the boot info comes from.

Turns out there is a new (profoundly advanced, you have been warned) command line tool called BCDBoot.

See Scott’s blog post for more info. /me wonders if one could copy the bcdboot executable to a Vista system and perform the same operation.

Friday – March 6

Storage issues overnight; thanks, Greg, for putting out the fire.

Server storage resize project: IBM RSA access established, trouble getting GNU PartEd.

NERCOMP Campus Agreement LiveMeeting

Planning and design of home directory storage. Did some interesting analysis. Don’t want to break anything before the weekend, though. And I’m back on call.

And I solved a PHP problem for a client of IM; nice way to close the day. Thanks, Laurie.