Semisynchronous WMI

Experimenting with querying WMI from Perl with Win32::OLE, I ran across the following WMI query options in a Perl example from Microsoft’s Script Center:

$colItems = $objWMIService->ExecQuery ("SELECT * FROM Win32_Share","WQL",wbemFlagReturnImmediately | wbemFlagForwardOnly); 

After some digging, I found the following explanation of those options, wbemFlagReturnImmediately and wbemFlagForwardOnly:

Because WMI manages the object, semisynchronous mode is more secure than asynchronous mode. However, if you use semisynchronous mode with more than 1,000 instances, instance retrieval can monopolize the available resources, which can degrade the performance of the program or script and the computer using the program or script. Each object takes up the necessary resources until the memory is released.

To work around this condition, you can call the method with the iFlags parameter set with the wbemFlagForwardOnly and wbemFlagReturnImmediately flags to instruct WMI to return a forward-only SWbemObjectSet. A forward-only SWbemObjectSet eliminates the performance problem caused by a large data set by releasing the memory after the object is enumerated.

[from: http://msdn.microsoft.com/en-us/library/aa384832(v=vs.85).aspx ]

I wanted to put this somewhere, because I’m sure I’ll forget.

I should have known better

I spent some time configuring the Eventlog-to-Syslog service on my domain controllers, yesterday. A bunch of that time was spent trying to figure out why the service wasn’t able to read the config file I had created.

The upshot is that I had installed a 32-bit version of my text editor of choice. When I created the config file in c:\windows\System32 using 32-bit Vim, the WoW64 file system redirector on Server 2008 R2 was transparently relocating that file to c:\windows\SysWOW64. Then, when I tried to start the service, it failed to find or load the config file because it didn’t exist in the correct location.

So, I have replaced the standard gvim install with the native 64-bit version.

Prototyping Windows File Services

After seven years of providing robust file service hosted on a NetApp filer, we’ve decided to migrate our services to native Windows File Services. We have encountered several issues with the interaction of newer Windows client operating systems and NetApp’s third-party implementation of CIFS and SMB2.

We did meet with some staff from various units on campus to discuss the current state of file services, especially the current pain points, and outlined our current plans. The main themes that emerged from our discussion were as follows:

    1. Make the service simpler
      1. H: drive is just confusing; merge it with My Documents
      2. The duplicated folders within user profile directory (e.g. c:\users\netid) create lots of confusion. Any way to address this?
    2. Provide more options (increments) for home directory quotas
    3. Provide notification to departments regarding storage usage and quotas

We are currently prototyping a new design for our Campus File Services — dare I call it CFSv2 — hosted in a Windows Server 2008 R2 Failover Cluster. It’s still early in the process, but the design looks promising.

How to catch a phish

I’ve received several phishing attempts, recently, this time masquerading as mail from Twitter. I thought I’d share how I recognized this as an attack. Many list members already know this stuff, but I thought I’d share since we still see folks responding to these kinds of attacks.

 

1. Unexpected

Before I even looked at the content of the message, I was suspicious because I don’t have any twitter stuff associated with my UVM email. I could have deleted the message then and, if I was using twitter, logged into my twitter account directly to see if something was going on.

But I wondered how the message was crafted, so I opened it with awareness.

 

2. False link

A false link shows a web address in the message, but the link that is attached to it is different. Below, my mail program shows that the link will actually send me to pachitanglangbarcelona.com.

[Screenshot: twitter-scam-ol]

Continue reading →
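
The false-link check described above can also be run over a message's HTML body. This is an added example, not part of the original post: the function name Find-FalseLink and the sample HTML are constructed for illustration, and only the destination host name comes from the post.

```powershell
# Added example: flag links whose visible text names one host while the href points to another.
# Find-FalseLink is a hypothetical helper name; the HTML below is a constructed sample.
function Find-FalseLink {
    param([Parameter(Mandatory=$true)][string] $Html)

    # Capture the href (group 1) and the visible anchor text (group 2).
    $anchor = '(?is)<a\b[^>]*?\bhref\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $anchor)) {
        $href = $m.Groups[1].Value.Trim()
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()

        # Only anchors whose visible text is itself a web address can be false links.
        if ($text -notmatch '^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$') { continue }
        if ($text -notmatch '^https?://') { $text = "http://$text" }

        $shown = $null; $actual = $null
        $okShown  = [uri]::TryCreate($text, [System.UriKind]::Absolute, [ref] $shown)
        $okActual = [uri]::TryCreate($href, [System.UriKind]::Absolute, [ref] $actual)
        if (-not ($okShown -and $okActual)) { continue }

        # Exact host comparison: a different subdomain is reported too, for a human to judge.
        if ($shown.Host -ne $actual.Host) {
            New-Object PSObject -Property @{
                DisplayedHost = $shown.Host
                ActualHost    = $actual.Host
                Href          = $href
            }
        }
    }
}

$sampleHtml = @'
<p>Your account needs attention:
<a href="http://pachitanglangbarcelona.com/constructed-path">http://twitter.com/account</a></p>
<p>Help is at <a href="https://support.twitter.com/">support.twitter.com</a>.</p>
<p><a href="https://twitter.com/settings">Open your settings</a></p>
'@

Find-FalseLink -Html $sampleHtml | Format-Table DisplayedHost, ActualHost, Href -AutoSize
```

Only the first anchor in the sample is reported; the second shows the same host it links to, and the third has no web address in its visible text.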

What’s my IP Address?

It’s one of the first questions that we ask clients when we’re helping diagnose a problem with a network resource. There are several different ways to determine your IP address. There’s even a website, whatsmyip.org, which will show you what Internet servers think your IP address is.

In this post, I describe how to determine your IP address(es) on Windows 7 using the control panel. You can also use the ipconfig command-line tool, but if you know about that tool, you probably don’t need me to tell you about it.

Network and Sharing Center

One of my favorite aspects of Windows 7 is the search feature in the start menu. As you type a search term, Windows will show you matching programs and documents.

As a case in point, you can type Network in the Start Menu search box, and click the Network and Sharing Center control panel item in the search result.

[Screenshot: win7-netcpl-0-annotated]

Alternatively, you can open Control Panel, then Network and Internet, and then click the Network and Sharing Center item.

Continue reading →

Edit a meeting you can’t see

The situation:

I’m working in Oracle Calendar as a person’s designate, managing his calendar on his behalf. We’ll call him Sam. I create a meeting for Sam with some other attendees. Later, I remove Sam from the meeting rather than deleting it. Perhaps the others still want to meet but didn’t want to create a new meeting. Later still, those folks decide they want to reschedule the meeting.

The problem:

If a person isn’t listed as an attendee, then that meeting doesn’t appear in their calendar. However, in Oracle Calendar, only the person who created the meeting can edit it or delete it. This person is listed in the details of the meeting as Proposed by.

So Sam owns the meeting, but it isn’t displayed on his agenda for me to manage it. How do I edit or delete a meeting I can’t see?

The solution:

I need the In-tray Window in Oracle Calendar. This window is something that most people ignore or disable, but it will display the calendar entries you’ve sent out, including ones that you aren’t attending. In addition, if I’ve been granted rights to work as someone’s designate, there’s a folder for their entries in my In-tray as well.

In this screenshot, I’m looking at a meeting that I created as Sam’s designate and from which I then removed him as an attendee. If the meeting isn’t recent, you may need to adjust the display options (Tools – Options – In-tray – Sent out) to allow you to see the particular event.

[Screenshot: OracleCalendar-InTray-AsDesignate]

Another work-around would be to have Sam open the calendar of one of the attendees, find the meeting and edit or delete it. But since I can get to it via the In-tray, I don’t need to bother Sam at all.

I hope this is helpful.

Microsoft Office Troubleshooting

Recently, I was asked to talk with our Help Line staff about strategies for troubleshooting problems with Microsoft Office. I spent some time addressing the activation issues relating specifically to Office 2010, which I wrote up in a separate post.

The most important point I want to make about general Office troubleshooting is that reinstalling Office will rarely fix a problem. Office will kick off a repair operation automatically if it detects problems with core Office files. Application, heal thyself.

More importantly, a repair operation or uninstall/reinstall process will refresh Office program components, but it won’t touch templates, user and system specific registry information, and add-ins that are the most frequent cause of problems.

Safe mode

The first step in troubleshooting should be to start the application in safe mode. Most versions of Office applications support a safe mode, which doesn’t load templates, registry info, and add-ins. This step quickly determines whether the problem lies with Office itself or elsewhere.

Invoking Office safe mode is as easy as adding the command-line parameter /safe. Usually, I open the Run window (WindowsKey+R), and type the name of the Office executable and add the /safe parameter. If you don’t know the executable name, you can find it with the browse button, and then add the parameter at the end:

[Screenshot: office14-safemode-run]

If the app doesn’t start, then you probably do need to perform a Repair installation. If the application starts successfully (sometimes without opening a document in safe mode), then you know that the core Office files are fine, and a reinstall isn’t likely to help.

Continue reading →

Troubleshooting Microsoft Office Activation

Microsoft Office volume license editions have used the Volume License 2.0 mechanism to manage activation since Office 2010. Microsoft Office will activate against our campus Key Management Service (KMS), without user intervention, in a manner similar to the way current versions of Windows activate.

Occasionally, the activation process doesn’t work. Problems are usually related to network communication with the KMS. Below are some steps to identify and resolve problems that might occur during activation.

Gather Information.

Gathering data is essential to fixing problems. If you ask me (or other IT staff) for help with Office activation, the first thing I will ask from you is the output of the commands in the steps below. There are a few steps that will make it easy to collect all the output of your troubleshooting steps.

  • Open an elevated Command Prompt (Run As Administrator)
  • Run cscript /h:cscript, which changes the default script host to cscript, so that output will go to the command prompt instead of a pop-up dialog box.
  • Change the Properties of the command prompt window to increase the Screen Buffer height to, say, 3000 lines. This will prevent you losing earlier steps as the lines scroll off the screen.

When you are ready to copy the text from the command prompt, right-click the title bar of the window, select Edit > Select All, and then Control-C to Copy the text to the clipboard. Then you can paste the text to any place you want; an email message, a footprint entry, or a text file in notepad. (No need for images pasted into Word documents; please no!)

Continue reading →

Powershell Join-String function

Update: better yet, read about the -Join and -Split PowerShell operators. Live and learn.
—Geoff

Something I’ve found myself missing in PowerShell is a function to combine the elements of a list with a given separator, like Perl’s join() function. I finally got annoyed enough to write one. It seems to do what I want, so I’m going to add it to my profile.

Here it is in action:

PS C:\> $array = 3.14,'Puppy',$false,'','Green',$null,'foo'
PS C:\> $array | Join-String
3.14,Puppy,False,,Green,,foo
PS C:\> $array | Join-String -collapse
3.14,Puppy,Green,foo
PS C:\> $array | Join-String -collapse ' - '
3.14 - Puppy - Green - foo

Update: Now supports list items as parameter (non-pipeline) usage:

PS C:\> $y = Join-String $array -collapse
PS C:\> $y
3.14,Puppy,False,Green,foo
PS C:\> $y.gettype()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     String                                   System.Object

Here’s the code:

# Join-String - A simple pipeline-oriented function to
# concatenate a bunch of strings together with a separator
# Geoffrey.Duke@uvm.edu  Wed 11/17/2010
#   updated 11 July 2013 to handle non-pipeline usage

function Join-String
(
    [string[]] $list,
    [string] $separator = ',',
    [switch] $Collapse
)
{

    [string] $string = ''
    $first  =  $true

    # if called with a list parameter, rather than in a pipeline...
    if ( $list.count -ne 0 ) {
        $input = $list
    }

    foreach ( $element in $input  ) {
        #Skip blank elements if -Collapse is specified
        if ( $Collapse -and [string]::IsNullOrEmpty( $element)  ) {
            continue
        }

        if ($first) {
            $string = $element
            $first  = $false
        }
        else {
            $string += $separator + $element
        }
    }

    write-output $string
}

If you have a notion for how it could be improved, please comment.

Event data mining with PowerShell

On Server 2008 and 2008 R2, if your Domain Controllers aren’t configured to require LDAP signing and disallow simple LDAP binds in plaintext, Active Directory Domain Services logs a warning event on startup, and summary events every 24 hours.

A couple weeks ago, I followed the recommendation to enable logging of unsigned and plaintext LDAP authentication requests. Setting the LDAP Interface Events value to 2 generates a Directory Services event 2889 for each connection.

Now I want to do some analysis of the collected events. The event structure puts the important details, namely the client name and IP address, in the big description text field. It looks like this:

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 11/3/2010 11:46:38 AM
Event ID: 2889
Task Category: LDAP Interface
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: CDC01.campus.ad.uvm.edu
Description:
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
132.198.124.202:53298
Identity the client attempted to authenticate as:
CAMPUS\myhost0256BB4$

Previously, I’ve exported the logs to CSV format, then used Excel and some text-mangling functions to pull out the important details. But I noted that the two important values were nicely separated in the XML representation of the event:

Event Xml: 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
  <System> 
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS LDAP" /> 
    <EventID Qualifiers="16384">2889</EventID>
    <Version>0</Version> 
    <Level>4</Level> 
    <Task>16</Task> 
    <Opcode>0</Opcode> 
    <Keywords>0x8080000000000000</Keywords> 
    <TimeCreated SystemTime="2010-11-03T15:46:38.219250600Z" /> 
    <EventRecordID>122013</EventRecordID> 
    <Correlation /> 
    <Execution ProcessID="512" ThreadID="3396" /> 
    <Channel>Directory Service</Channel> 
    <Computer>CDC01.campus.ad.uvm.edu</Computer> 
    <Security UserID="S-1-5-7" /> 
  </System> 
  <EventData> 
    <Data>132.198.124.202:53298</Data> 
    <Data>CAMPUS\myhost0256BB4$</Data> 
  </EventData> 
</Event>
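
One way to use the two Data values directly, as an added example that is not the code from the original post: the function name ConvertFrom-Event2889Xml is hypothetical, the first sample is the event above trimmed to the fields used, and the remaining samples (ports, addresses, identities) are constructed.

```powershell
# Added example: pull the client address and identity out of event 2889 XML and summarize them.
# ConvertFrom-Event2889Xml is a hypothetical helper name. Sample 1 is the event shown above,
# trimmed; samples 2-4 are constructed (documentation address ranges, made-up identities).
$sampleEvents = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="16384">2889</EventID><TimeCreated SystemTime="2010-11-03T15:46:38.219250600Z" /></System><EventData><Data>132.198.124.202:53298</Data><Data>CAMPUS\myhost0256BB4$</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="16384">2889</EventID><TimeCreated SystemTime="2010-11-03T15:47:02.000000000Z" /></System><EventData><Data>132.198.124.202:53311</Data><Data>CAMPUS\myhost0256BB4$</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="16384">2889</EventID><TimeCreated SystemTime="2010-11-03T15:48:10.000000000Z" /></System><EventData><Data>192.0.2.10:40112</Data><Data>CAMPUS\svc-example</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID Qualifiers="16384">2889</EventID><TimeCreated SystemTime="2010-11-03T15:49:55.000000000Z" /></System><EventData><Data>[2001:db8::25]:49152</Data><Data>CAMPUS\svc-example</Data></EventData></Event>'
)

function ConvertFrom-Event2889Xml {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string] $EventXml)
    process {
        $doc = [xml] $EventXml
        # local-name() sidesteps the default event namespace without a namespace manager.
        $id = $doc.SelectSingleNode("//*[local-name()='EventID']")
        if (-not $id -or $id.InnerText -ne '2889') { return }
        $data = $doc.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")
        if ($data.Count -lt 2) { return }

        # First Data value is address:port. Split on the last colon so an IPv6 endpoint
        # written as [addr]:port (form assumed here) keeps its address intact.
        $endpoint = $data.Item(0).InnerText.Trim()
        $cut = $endpoint.LastIndexOf(':')
        if ($cut -lt 1) { return }
        New-Object PSObject -Property @{
            TimeCreated = $doc.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
            ClientIP    = $endpoint.Substring(0, $cut).Trim([char[]] '[]')
            ClientPort  = [int] $endpoint.Substring($cut + 1)
            Identity    = $data.Item(1).InnerText.Trim()
        }
    }
}

# One row per (client, identity) pair, busiest first: the list of hosts to fix
# before LDAP signing is required.
$binds = $sampleEvents | ConvertFrom-Event2889Xml
$binds | Group-Object ClientIP, Identity |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# On a domain controller, feed live events instead of the samples:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event2889Xml
```

Grouping ignores the source port, so repeated binds from the same client and identity collapse into a single counted row.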

Continue reading →