Change Modern Windows Event Log settings with PowerShell

I may be late to the party, but I just found the cmdlets I need to update the properties of modern Windows event logs. The Limit-EventLog cmdlet only works with classic event logs. I want to be able to manage the size of a modern event log, the kind that lives under Applications and Services Logs.

Screen clip of the Window Event Viewer window with the "Applications and Services Logs" collection circled in red.
The newer event logs require different PowerShell cmdlets for managing their settings.

To read these logs, we need to use the Get-WinEvent cmdlet, but that doesn’t let us change the properties of a log. The other cmdlet with the WinEvent noun is New-WinEvent, also not helpful.

It turns out that the cmdlets we need are in the PSDiagnostics module, Get-LogProperties and Set-LogProperties. Nice. (Available in Windows PowerShell 5.1 and later).

This will allow us to do something like:

PS C:\> Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'

Name       : Microsoft-Windows-Ntfs/Operational
Enabled    : True
Type       : Operational
Retention  : False
AutoBackup : False
MaxLogSize : 33554432

or

PS C:\> (Get-LogProperties 'Microsoft-Windows-Ntfs/Operational').MaxLogSize / 1MB
32

And you can use the Set-LogProperties cmdlet (running as admin, on the computer that owns the log) to change these settings. But its only two parameters are -LogDetails and -Force; there is no -MaxLogSize. So first, you need to save the output of Get-LogProperties to a variable, change the properties you want to modify to the new values, and then provide this variable as the input to Set-LogProperties.

Like so:

# Store log properties in a variable
PS C:\> $ntfslog = Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'

# Confirm the object type
PS C:\> $ntfslog.GetType()
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    LogDetails                               System.Object

# Set the new desired log size value in the variable
PS C:\> $ntfslog.MaxLogSize = 40MB

# Supply the variable with the new size as the input to the Set- cmdlet
PS C:\> Set-LogProperties -LogDetails $ntfslog

# Checking our work
PS C:\> Get-LogProperties 'Microsoft-Windows-Ntfs/Operational'

Name       : Microsoft-Windows-Ntfs/Operational
Enabled    : True
Type       : Operational
Retention  : False
AutoBackup : False
MaxLogSize : 41943040

PS C:\> (Get-LogProperties 'Microsoft-Windows-Ntfs/Operational').MaxLogSize / 1MB
40
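The same get/modify/set round trip, as an added example that is not part of the original post, turned into a function that raises a list of modern logs to a minimum size and then re-reads each log to confirm the change took. The log names at the bottom are assumed to exist on a typical Windows 10 or Server 2016 machine; the function name is my own.

```powershell
# Added example, not code from the original post. Raises a set of modern event
# logs to a minimum MaxLogSize using only Get-LogProperties/Set-LogProperties
# from PSDiagnostics. Run in an elevated session on the machine that owns the
# logs. The log names used at the bottom are assumed to be present.
Import-Module PSDiagnostics

function Set-ModernLogMinimumSize {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $LogName,

        # Bytes; PowerShell's size suffixes work here (256MB = 268435456)
        [Parameter(Mandatory)]
        [long] $MinimumSize
    )
    process {
        foreach ($name in $LogName) {
            try {
                $log = Get-LogProperties -Name $name -ErrorAction Stop
            }
            catch {
                Write-Warning "Skipping '$name': $_"
                continue
            }

            $old = $log.MaxLogSize
            if ($old -ge $MinimumSize) {
                Write-Verbose "$name is already $($old / 1MB) MB; leaving it alone"
                continue
            }

            # Set-LogProperties has no -MaxLogSize parameter: change the field on
            # the LogDetails object and hand the whole object back, as in the post.
            $log.MaxLogSize = $MinimumSize
            if ($PSCmdlet.ShouldProcess($name, "MaxLogSize $($old / 1MB) MB -> $($MinimumSize / 1MB) MB")) {
                Set-LogProperties -LogDetails $log

                # Re-read the log rather than trust the object we modified locally.
                $after = (Get-LogProperties -Name $name).MaxLogSize
                [pscustomobject]@{
                    LogName   = $name
                    OldSizeMB = $old / 1MB
                    NewSizeMB = $after / 1MB
                    Applied   = ($after -eq $MinimumSize)
                }
            }
        }
    }
}

# Logs that detection and incident response lean on; their small default sizes
# roll over quickly on a busy host. Add -WhatIf to preview without changing anything.
'Microsoft-Windows-PowerShell/Operational',
'Microsoft-Windows-TaskScheduler/Operational',
'Microsoft-Windows-WMI-Activity/Operational' |
    Set-ModernLogMinimumSize -MinimumSize 256MB -Verbose
```

Two caveats worth knowing. Set-LogProperties acts on the local computer, so for a fleet wrap the call in Invoke-Command rather than pointing it at a remote name. And Get-WinEvent is not quite as useless for this as it first appears: Get-WinEvent -ListLog returns EventLogConfiguration objects whose MaximumSizeInBytes property can be set and committed with the object's SaveChanges() method, which is the .NET route to the same setting.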

Convert Active Directory AccountExpires attribute

I wrote a quick function to convert the AccountExpires attribute from the Long Integer value to a DateTime object or a string object of “!! Never !!”.

function Convert-ADAccountExpires ([long] $ticks) {
    # https://msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx
    # accountExpires is a FILETIME (100-ns ticks since 1601-01-01 UTC).
    # Both 0 and Int64.MaxValue (9223372036854775807) mean "never expires".

    if ( ($ticks -eq 0) -or ($ticks -eq 9223372036854775807) ) {
        $expires = '!! Never !!'
    }
    else {
        # FromFileTime returns local time; use FromFileTimeUtc for UTC
        $expires = [DateTime]::FromFileTime($ticks)
    }

    Write-Output $expires
}

Then you can create a calculated property like so:

PS > $expires = @{Label='AccountExpires';Expression={ Convert-ADAccountExpires -ticks $_.AccountExpires } }

And then you can create reports of user accounts and when they expire:

PS> Get-ADUser -Filter * -Properties AccountExpires | Select-Object Name,SamAccountName,$expires

(AccountExpires is not one of the properties Get-ADUser returns by default, so without -Properties AccountExpires every account shows up as "!! Never !!".)

Looking at this (with slightly bleary eyes), I’m already thinking that I should add CmdletBinding(), change $ticks to $AccountExpires, and add ValueFromPipelineByPropertyName. Something to sleep on.
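Carrying out those changes, as an added example rather than the post's own code: the parameter is renamed to $AccountExpires, binds from the pipeline by property name, and the function is then used for a report of enabled accounts that are already expired or expire within 30 days. The constructed sample objects let the conversion be tried without a domain; the report itself needs the ActiveDirectory module.

```powershell
# Added example, not the post's code: the rewrite sketched above, plus a report
# of enabled accounts that are expired or about to expire.
function Convert-ADAccountExpires {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [AllowNull()]
        [object] $AccountExpires
    )
    process {
        # The attribute is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
        # 0 and Int64.MaxValue both mean "never expires"; an attribute that was
        # not fetched arrives as $null, which [long] turns into 0.
        $ticks = [long]$AccountExpires
        if ($ticks -eq 0 -or $ticks -eq [long]::MaxValue) {
            return '!! Never !!'
        }
        # FromFileTime converts to local time; FromFileTimeUtc keeps it in UTC.
        [DateTime]::FromFileTime($ticks)
    }
}

# Constructed inputs so the function can be exercised offline:
# 0 -> never, MaxValue -> never, 132223104000000000 -> 2020-01-01 00:00 UTC.
[pscustomobject]@{ AccountExpires = 0 },
[pscustomobject]@{ AccountExpires = [long]::MaxValue },
[pscustomobject]@{ AccountExpires = 132223104000000000 } | Convert-ADAccountExpires

# Report: enabled accounts whose expiry is past or within 30 days. An account
# that is expired but still enabled is a cleanup item; one expiring soon is a
# heads-up for its owner. Get-ADUser must be told to fetch AccountExpires.
$cutoff = (Get-Date).AddDays(30)
Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpires |
    Select-Object Name, SamAccountName,
        @{ Label = 'AccountExpires'; Expression = { Convert-ADAccountExpires -AccountExpires $_.AccountExpires } } |
    Where-Object { $_.AccountExpires -is [DateTime] -and $_.AccountExpires -le $cutoff } |
    Sort-Object AccountExpires
```

Because the parameter binds by property name, `Get-ADUser -Filter * -Properties AccountExpires | Convert-ADAccountExpires` also works directly when you only need the dates and not the rest of the user object.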

Find all hidden network shares

I have a Windows file server with thousands of shares. Occasionally, I create hidden shares for data migration or other administrative tasks. How do you find these shares later?

Some websites suggest running Get-WmiObject -Class Win32_Share and piping the output of that to Where-Object to filter. That can work, but it has the computer send you all the share objects. If you want to run this command to get shares from a remote computer, this is highly inefficient.

Instead, we can specify a filter in the initial Get- cmdlet. I’m also going to switch to the Get-CimInstance cmdlet, which is optimized for remote execution.

PS Z:\> Get-CimInstance -ComputerName ServerName -ClassName Win32_Share -Filter 'Type = "0" AND Name LIKE "%$"'

The Filter parameter takes a WQL expression that specifies that I want regular disk shares (Type 0, which excludes administrative shares like C$ or IPC$; see the Win32_Share class doc for the other Type values) AND whose names end with a dollar sign. It may not return data much faster, but it sends much less data over the wire, which matters especially in remote scenarios.
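An added example, not part of the original post, that wraps the filtered query in a function usable against several servers at once and adds the check that usually matters next: who can reach each hidden share. It assumes a reachable server (the ServerName placeholder) and the SmbShare module on the machine running it; Get-SmbShareAccess accepts the same CIM session as Get-CimInstance.

```powershell
# Added example, not the post's code. Enumerates hidden, non-administrative
# shares on one or more servers with a server-side WQL filter, then lists any
# broad grants on each share. 'ServerName' is a placeholder.
function Find-HiddenShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            $session = $null
            try {
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop

                # Filter on the server: Type 0 is a plain disk share (C$, ADMIN$
                # and IPC$ carry the high bit), and a trailing '$' hides the
                # share from browsing. Single quotes keep PowerShell off the '$'.
                $shares = Get-CimInstance -CimSession $session -ClassName Win32_Share `
                              -Filter 'Type = 0 AND Name LIKE "%$"'

                foreach ($share in $shares) {
                    # Migration shares tend to be created in a hurry and left
                    # behind with generous share permissions; surface those.
                    $access = Get-SmbShareAccess -CimSession $session -Name $share.Name -ErrorAction SilentlyContinue
                    $broad  = $access | Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        $_.AccountName -in @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
                    }
                    [pscustomobject]@{
                        ComputerName = $computer
                        Name         = $share.Name
                        Path         = $share.Path
                        Description  = $share.Description
                        BroadAccess  = ($broad.AccountName -join ', ')
                    }
                }
            }
            catch {
                Write-Warning "${computer}: $_"
            }
            finally {
                if ($session) { Remove-CimSession $session }
            }
        }
    }
}

'ServerName' | Find-HiddenShare | Format-Table -AutoSize
```

Share permissions are only half the picture; the NTFS ACL on Path still applies, but a hidden share that grants Everyone change or full control is the one to look at first.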

Preventing Petya ransomware with Group Policy

This post and this twitter thread describe a mechanism to prevent the latest ransomware cyber attack from running. It involves creating 1 (or 3) files with a specific name(s) and with the Read-only attribute set. Although the instructions on the first post describe copying and renaming notepad.exe, any file, even an empty file, with the correct names and the Read-only attribute will suffice, if I read the twitter thread correctly.

There are numerous ways to accomplish this in a large organization, including an SCCM package that either deploys some files, or that runs a script to create the files. However, I decided to use Group Policy File Preferences to copy a small text file to the three filenames described, including setting the Read-only attribute.

Using Group Policy File Preferences to create the files that will block the Petya (NotPetya) Ransomware.

This should be executed on the affected computers at their next GP refresh, which might be sooner than a reboot for a start-up script.

Remote Desktop Gateway Service – register NPS

I struggled with getting a new Server 2016 Remote Desktop Gateway Service running. I followed the official documentation from Microsoft, configuring two servers as a farm, and creating a single CAP and RAP identically on each server. But every time I tried to connect, I received an error message from the client:

Remote Desktop can't connect to the remote computer "xxxxxxxx" for one of these reasons:

I love those error messages that say “Contact your network administrator for assistance.”

I found a corresponding entry in the Microsoft-Windows-TerminalServices-Gateway/Operational log with the following text:

The user “CAMPUS\[username]”, on client computer “132.198.xxx.yyy”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

I double-checked the groups I had added to the CAP and verified the account I was using should be authorized. I even removed everything and inserted “Domain Users”, which still failed.

I found different entries that also corresponded to each failure in the System log from the Network Policy Server (NPS) with Event ID 4402 claiming:

“There is no domain controller available for domain CAMPUS.”

I know the server has a valid connection to a domain controller (it logged me into the admin console). But I double-checked using NLTEST /SC_QUERY:CAMPUS. Yup; all good.

A few more Bingoogle searches and I found a forum post about this NPS failure. The marked solution just points to a description of the Event ID, but one of the comments contains the actual solution: the Network Policy Server (NPS) on the gateway systems needs to be registered in Active Directory. This instruction is not part of the official documentation, though upon re-reading that doc, I now see that someone has mentioned this step in the comments.

In this case, registration simply means adding the computer objects to the RAS and IAS Servers AD group (requires Domain Admin privs); this is the same thing the NPS console's "Register server in Active Directory" action does. Membership in that group is what lets NPS read users' dial-in properties from the directory, which is why an unregistered gateway reports that no domain controller is available even when its secure channel is fine. Once I made this change, I was able to successfully connect to a server using the new remote desktop gateway service.

Many thanks to TechNet forum user Herman Bonnie for posting the very helpful comment.
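As an added example that is not part of the original post, the registration step done from PowerShell for a farm of gateways, with the membership re-checked afterwards, followed by the quick event-log query to run on a gateway to see whether it is hitting this problem. The gateway names are placeholders; the ActiveDirectory module and Domain Admin rights are assumed.

```powershell
# Added example, not the post's code. Registers RD Gateway servers' NPS with
# Active Directory by adding their computer objects to "RAS and IAS Servers",
# then verifies the membership. Gateway names are placeholders.
Import-Module ActiveDirectory

function Register-NpsServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $ComputerName,

        [string] $GroupName = 'RAS and IAS Servers'
    )
    begin {
        $group   = Get-ADGroup -Identity $GroupName
        $current = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
    }
    process {
        foreach ($name in $ComputerName) {
            $computer = Get-ADComputer -Identity $name -ErrorAction Stop

            # Computer SamAccountNames carry a trailing '$' (RDGW01$), as does
            # what Get-ADGroupMember reports, so the comparison lines up.
            if ($computer.SamAccountName -in $current) {
                Write-Verbose "$name is already a member of '$GroupName'"
            }
            elseif ($PSCmdlet.ShouldProcess($name, "Add to '$GroupName'")) {
                Add-ADGroupMember -Identity $group -Members $computer
            }

            # Re-read from the directory rather than assume the add succeeded.
            [pscustomobject]@{
                ComputerName = $name
                Registered   = ((Get-ADPrincipalGroupMembership $computer).Name -contains $GroupName)
            }
        }
    }
}

'rdgw01', 'rdgw02' | Register-NpsServer -Verbose

# The new group shows up in each gateway's machine token only after it gets a
# fresh Kerberos ticket, so reboot the gateways before retesting a connection.

# Run on a gateway: recent NPS 4402 events in the System log are the signature
# of an unregistered server. Get-WinEvent throws if nothing matches, hence the
# -ErrorAction.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; Id = 4402 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The 23003 entries in Microsoft-Windows-TerminalServices-Gateway/Operational can be pulled the same way with Get-WinEvent, which is a faster first check than re-reading the CAP for the fifth time.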


Moving OneNote notebooks to SharePoint

You may have noticed that Microsoft OneNote displays a little warning for notebooks stored in your Documents folder.

OneNote notebook warning “may not sync correctly.”

This is because Windows computers that are part of UVM’s Active Directory domain use a feature called Offline Files to make your Documents folder available to you when you’re not on the campus network. (see my Offline Files post for more info.)

The warning shows up because OneNote has its own file sync process, and having another file sync process layer under that can mess up its syncing, theoretically. In my many years of using OneNote, I’ve only seen one (maybe two) situations where this may have created problems. That said, ignoring warnings is generally a bad idea; it makes it easier to miss an issue that really does need attention.

But there is another way: SharePoint.

Windows 10 Wi-Fi – No Internet

SOS!! 22 hours with no wifi!!!!

In the past 48 hours, two different family members in different households have reported problems with their Windows 10 laptops’ Wi-Fi connections. Some basic troubleshooting — restarting the modem/router, verifying other devices could connect — demonstrated that the issue was with the laptops.

The laptop was connected to the Wi-Fi access point, with full signal strength, but there was no connectivity beyond that connection.

In the first troubleshooting effort, we did the standard things:

  1. Reboot. Of course.
  2. Disable/enable the Wi-Fi adapter
  3. Check the adapter settings
  4. Run the Network Troubleshooter (didn't fix things)

The Network Troubleshooter didn’t resolve anything, but it did mention something useful. It reported that the “Wi-Fi” adapter had an invalid configuration.

At this point, I turned to Google, and found a couple of sites suggesting using netsh to reset the IP configuration. We ran the following commands from an elevated command prompt (run as administrator, or it won’t work):

  1. netsh interface IPv4 reset
  2. ipconfig /flushdns

Then we rebooted, and the system came up and connected to Wi-Fi and the Internet was available again.

Subsequently, I found this Microsoft support article entitled Fix network connection issues in Windows 10, which covers many of the steps we tried as well as the steps that resolved our issues.

In Windows 10, if you run Netsh interactively, you see a notification that Netsh is deprecated, and to transition to the admittedly awesome PowerShell modules for managing TCP/IP. However, given the specific behavior of the netsh interface ipv4 reset command (it overwrites registry information; see the More Information section of https://support.microsoft.com/en-us/kb/299357), I'm not sure what PowerShell command would accomplish the same end. Something to look into.
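An added example, not from the original post, that does not replace netsh but wraps the two commands above in a short runbook: it first shows the symptom described (associated to the access point, but no usable IPv4 configuration or no way out), then refuses to proceed unless the session is elevated, since the reset quietly fails otherwise. The adapter name 'Wi-Fi' is the Windows default and is assumed, as is the probe host.

```powershell
# Added example, not the post's code. Confirms the "connected but no Internet"
# symptom, checks for an administrator token, then runs the reset from the post.
# Adapter name and probe host are assumptions.
$adapterName = 'Wi-Fi'
$probeHost   = 'www.msftconnecttest.com'   # the host Windows itself uses for connectivity probes

# 1. Symptom check: link up, but what does the IPv4 configuration look like,
#    and can we reach anything beyond the access point?
$adapter = Get-NetAdapter -Name $adapterName -ErrorAction Stop
$ipcfg   = Get-NetIPConfiguration -InterfaceAlias $adapterName
[pscustomobject]@{
    LinkUp      = ($adapter.Status -eq 'Up')
    IPv4Address = ($ipcfg.IPv4Address.IPAddress -join ', ')
    Gateway     = ($ipcfg.IPv4DefaultGateway.NextHop -join ', ')
    DnsServers  = ($ipcfg.DNSServer.ServerAddresses -join ', ')
    Internet    = (Test-NetConnection -ComputerName $probeHost -Port 80 -InformationLevel Quiet -WarningAction SilentlyContinue)
} | Format-List

# 2. Elevation check: netsh interface ipv4 reset rewrites registry keys and
#    needs an administrator token; without one it does nothing useful.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# 3. The fix from the post. The reset only takes effect after a restart.
netsh interface ipv4 reset
ipconfig /flushdns
if ((Read-Host 'Reboot now to apply the reset? [y/N]') -match '^[Yy]') { Restart-Computer }
```

An empty Gateway with a 169.254.x.x IPv4Address is the classic shape of this failure: the adapter associated, but DHCP never handed it a usable configuration.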

Outlook MessageHeaderAnalyzer and Unsubscribe

Microsoft and other providers have published add-ins that provide additional functionality within Outlook and Outlook for web. We have enabled two add-ins which you may find useful, the Message Header Analyzer and the Unsubscribe Add-on.

To make them available in your Outlook (Win/Mac/Web), you need to log into mail.uvm.edu and go the Manage add-ons option on the Options (gear) menu:

Image of the options menu in Outlook for web, with the "manage add-ins" item highlighted.

Click the check-box in the Turned on column to make one or both add-ins available in Outlook:

Once this step is complete, the add-ins you have turned on should appear in the message window in your Outlook mail clients for Windows, Mac, and the web. It may take a little while (or maybe a restart of Outlook) before they appear in the Windows and Mac versions.

Outlook add-ins as they appear in Outlook for the Web.

Outlook add-ins as they appear in Outlook for Windows.

The Message Header Analyzer provides a convenient way to view detailed information (metadata) about an email message, including the message routing information.

The Message Header Analyzer in Outlook for Windows.

The Unsubscribe add-in appears when viewing bulk marketing messages and, depending on the content of the message, may unsubscribe your address from a marketing list or may suggest simply blocking mail from that sender.

The Unsubscribe add-in within Outlook for Windows, suggesting that we block mail from this sender.

We hope that you will find these add-ins useful. Please let us know what you think.