windows

PRTG sensor to monitor a directory for a specific file type and minimum size and age

The following script will monitor a specific directory for a file of a defined type and minimum size, it will report back to you the newest file of the specified type and over the minimum size and provide you the file age and size to PRTG.

The name of the file will also be reported back as a text value for the sensor in PRTG.

If the script encounters any errors, the total files value will be 0 for no files found or -1 for a script error. Therefor please set minimum channel error values accordingly to get alerted.

The goal here is to get the age of the file back that was found, to make sure the file is not older than expected. This is needed for some automated exports or data transfer files, this was you can be sure that your export routines work as expected.

Linux and DHCP reservations aren’t working

This is something I just came across myself. While deploying an Ubuntu Linux VM the DHCP reservation did not work. This was mixed up with a Windows 2016 DHCP server.

After looking at the wrong DHCP lease I quickly saw an extremely long MAC address and figured that the Linux VM used some kind of randomization for the interface.

IFCONFIG on the system showed the correct hardware MAC address.

It took me a few minutes of research and testing till I found the root cause and rather simple solution.

Linux replaced their NIC handling on many distributions with a newer system called NETPLAN.

I read that a 2019 Windows DHCP would likely handle this correctly, did not have time to test this out. But the following worked for me:

  • List the contents /etc/netplan
    • ls /etc/netplan
    • there should be a file ending in .yaml
  • Edit this .yaml file
    • sudo nano /etc/netplan/<filename>.yaml

The file is structured like this:

Under your NICDEVICENAME add the line dhcp-identifier: mac and save (CNTRL+O) and exit (CNTRL+X) the file.

Now you can either try to apply the netplan config via sudo netplan apply or simply reboot.

This should solve the issue.

Useful registry keys to supplement settings not available in standard GPO templates

This blog entry will list some registry keys to control computer and user settings via GPO but aren’t available in the standard ADMX GPO templates.

Below you find always the same data format:

  • Computer Configuration or User Configuration
  • HIVE
  • Kay Path
  • Value Name
  • Value Type
  • Value Data
  • Short explanation
  • Link if available

Over the years I also always tried to leave a comment in the GPO’s, especially for the Registry Keys, so I could later identify them quickly and possibly even leaving a link so others could read up on these settings and options without doing long research.

Show Drive Letters first in Windows Explorer

This Registry value is set in two areas – Computer Configuration and User Configuration. See both keys below.

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
  • ShowDriveLettersFirst
  • REG_DWORD
  • 0x4 (4)
  • Defines if the drive letter is shown first in Windows Explorer
    • 0 = After
    • 1 = Mixed
    • 2 = No drive letter
    • 3 = Before
  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer
  • ShowDriveLettersFirst
  • REG_DWORD
  • 0x4 (4)
  • Defines if the drive letter is shown first in Windows Explorer
    • 0 = After
    • 1 = Mixed
    • 2 = No drive letter
    • 3 = Before

Support URL

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • SupportURL
  • REG_SZ
  • URL to your support system
  • Set the Windows Support URL shown in the Computer Properties in the Support section – Link is behind the Online Support Website.

Support Hours

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • SupportHours
  • REG_SZ
  • e.g.:  0800-1700 Pacific Time
  • Set the Windows Support Hours shown in the Computer Properties in the Support section.

Support Hours

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • SupportPhone
  • REG_SZ
  • your helpdesk phone number
  • Set the Windows Support Phone Number shown in the Computer Properties in the Support section.

Support Manufacturer

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation
  • Manufacturer
  • REG_SZ
  • Suggest to put in your Company name here
  • Set the Manufacturer Name / Company Name shown in the Computer Properties in the Support section.

Hide Drives with no Media

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HideDrivesWithNoMedia
  • REG_DWORD
  • 00000000
  • If set to 0x0 (0) it will not hide empty drives, if set to 0x1 (1) it will hide empty drive letters from Windows Explorer.

Expand folders to current folder

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • NavPaneExpandToCurrentFolder
  • REG_DWORD
  • 0x1 (1)
  • This will expand all folders to the current folder in the navigation panel of Windows Explorer, by default it will only navigate to the folder but not expand the path to it in the Navigation Panel. The behavior on this changed back in Windows Vista or Windows 7. This sets it back to a more Windows XP like behavior, what makes it easier to navigate Windows Explorer.

Fast Boot Enabled

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SYSTEM\CurrentControlSet\Control\Session Manager\Power
  • HiberbootEnabled
  • REG_DWORD
  • 0x0 (0)
  • Turns off Windows 10 Fast Startup – meaning a real reboot is done rather then a quick reboot that is actually not a real Windows reboot. A real reboot is slower, but much cleaner.

Office 365 – Update Channel

There is a settings in the Office ADMX files under Microsoft Office 2016 (Machine)/Updates for:

  • Enable Automatic updates
  • Update Channel
  • Update Deadline

Additionally this settings should be set to make sure everything is configured the same and installs the same:

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\Office\ClickToRun\Configuration
  • CDNBaseUrl
  • REG_SZ
  • http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
  • This will set the Office 365 channel to current for the click to run installation.

Allow Print Driver Installation

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  • RestrictDriverInstallationToAdministrators
  • REG_DWORD
  • 0x0 (0)
  • Microsoft released KB5005652 which requires admin rights to install printers, and affects some existing printers that will require an admin to install driver update. Work around is to add the registry key below, which disabled this new security feature.
    • Value: 0
      • Allow non-admin users to install Point and Print printer drivers
    • Value: 1
      • Blocks non-admin users from installing Point and Print printer drivers. If this registry key does not exist, the default with KB installed will be same as Value 1, blocking non-admins from installing Point and Print printer drivers.
  • https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

Ensure Outlook is the default mail client

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Clients\mail
  • (Default)
  • REG_SZ
  • Microsoft Outlook
  • Ensures Microsoft Outlook is the standard mail client

Set Microsoft Teams as the default IM application

See this blog entry as well about this.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\IM Providers
  • DefaultIMApp
  • REG_SZ
  • Teams
  • Sets Microsoft Teams as the default Instant Messenger Application.

Set Microsoft Office to read User information from Active Directory

Make sure you set both registry keys for this.

Set this to “Apply once and do not reapply” as well.

This will cause Microsoft Office applications read any user information fresh from Active Directory, as it cleans the current values.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Office\Common\UserInfo
  • UserName
  • (not set)
  • (not set)
  • This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.
  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Office\Common\UserInfo
  • UserInitials
  • (not set)
  • (not set)
  • This will cause the first Office application to read the information from Active Directory and re-create it specifically for the user.

Disable the Network Sharing Wizard in Windows Explorer

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • SharingWizardOn
  • REG_DWORD
  • 0x0 (0)
  • Disables the Sharing Wizard in Windows Explorer.

Remove the Network form Windows Explorer

Probably one of the more important security measures you can do, to avoid the standard user browsing other systems on the network to much. It does not really prevent it, but makes it a lot less easy for regular end users, as the network area in Windows Explorer simply vanishes.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
  • REG_DWORD
  • 0x1 (1)
  • Remove Network from Windows Explorer.

Remove Administrative Tools from the Start Menu

This is made out of two combined registry keys. You will need to apply both for this to take affect.

Highly recommend to make sure it does not apply to any administrator accounts, as this can be contra productive.

  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Start_AdminToolsRoot
  • REG_DWORD
  • 0x0 (0)
  • Removes administrative tools from the start menu.
  • User Configuration
  • HKEY_CURRENT_USER
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • StartMenuAdminTools
  • REG_DWORD
  • 0x0 (0)
  • Removes administrative tools from the start menu.

Windows Update Restart Notifications for End Users

Please apply both Registry Keys for this to take affect.

  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
  • RestartNotificationsAllowed
  • REG_DWORD
  • 0x1 (1)
  • Will display Restart Notifications to End Users.
  • Computer Configuration
  • HKEY_LOCAL_MACHINE
  • SOFTWARE\Microsoft\WindowsUpdate\UX\Settings
  • RestartNotificationsAllowed2
  • REG_DWORD
  • 0x1 (1)
  • Will display Restart Notifications to End Users.

 

Windows 11 and SQL (Express) issues

SQL Express issues on Windows 11

Due to a change on how Windows 11 presents the disk sector size, you can have issues with SQL or SQL Express after your upgrade or even on brand new installations.

SQL might just fail to start after an upgrade, with the Event Viewer Application Log Error 1000 similar to the below one:

This is especially true for Samsung SSD 980 – be aware – the SSD 980 Pro does not have this issue, just the SSD 980. There are other OEM versions of it that have the same issue and actually a bunch of other disks.

The root cause is that the devices report the true sector size, what causes SQL to fail. This is still true with SQL Express 2019 – earlier versions as well.

As described in this Microsoft article, you can add a registry key and reboot to make Windows 11 behave like Windows 10 and earlier Windows versions.

Of course, alternative you can either install SQL on another disk drive or replace the drive with one that does not have these compatibility issues.

It remains unclear if there will be updates to this in the future from either Microsoft of the disk vendors like Samsung in the future. For now, this simple registry adjustment fixes the issue.

Reboot after the registry adjustment for the change to take effect.

Windows 10 Build 2004 / 20H1 – SMBv1 network drives not connecting

SMBv1 network drive not connecting

The newest builds and updates can possibly break some Windows 10 network connections. Saw this specifically in a situation with a SMBv1 drive that was connected via FQDN per GPO.

Windows was not able to connect to the drive, looking at NET USE all you saw was reconnecting.

Connecting to the same share via HOSTNAME and/or IP worked just fine, as well as engaging the UNC path.

The solution to this eventually is a simple registry adjustment, that has to be done in the user-profile HKCU area, so no advanced rights are needed.

Steps:

  1. open REGEDIT
  2. go to HKCU\Network
  3. select the key with the drive-letter you have issues with
  4. add a new REG-DWORD
    1. PROVIDERFLAGS
    2. Decimal 1 or DWORD 00000001
  5. Reboot

Your network drive should work normal again.

Background and Explanation:

The PROVIDERFLAGS instruct Windows to reconnect the SMBv1 network drive, more or less. It eventually did not matter if it was connected per FQDN, IP or HOSTNAME – is was the reconnect that the GPO implied, respective the NET USE /PERSISENTENT:YES switch. If you would use a script – netlogon script – you could just determine the drive as /PERSISTENT:NO and not see the issue either as well as solve it.

Eventually this is specific to SMBv1 and I can’t warn enough about the security risks this protocol has. Still – there are here and there systems that still need to stick around – hopefully secured by firewalls and even sandboxes etc..

ActiveDirectory/LDAP result limits – MaxPageSize

ns a website from a systems administrator for systems administrators Home IT-Admins CMDB IT-Admins tool IT Search EOL Solutions Blog Contact Links ActiveDirectory/LDAP result limits – MaxPageSize

ActiveDirectory, respective LDAP, has a result limit setting, MaxPageSize. Those are set by default to 1000 rows per query.

This is primarily important if you use some kind of programming language to get results from LDAP, this code must compensate those limits and engage paging.

Your LDAP query does not need to provide the limit, only the code needs to do the paging as you always just get the max. amount of results set in the current settings.

In order to check your settings do the following commands in a command prompt / cmd window:

In theory you could set different values now as well, assuming you have the permission level to do so. But this is not recommended and you should engage paging instead, as you otherwise risk to overload your DCs – even if your commands won’t cause it, a possibly DoS attack could happen – malicious or not, so leave the limits, but be aware of them.

 

Windows Print Server Aliases

Windows Print Server Aliases

Windows Print Server Aliases – what is that and why would you even need to think about it?

For File-Servers, you can set up DFS structures and have a single point of entry as from the perspective of the client. It’s a simple named path and works rather flawless if set up right and monitored e.g. with PRTG. But what about your print server? Is it a defined hostname and the printers sit on this host? What happens when you want to upgrade the host to a new windows version or theoretically even do some special DNS routing (that’s very advanced and has hurdles, I will not address this in this posting).

Well – you can sure set up an ALIAS name in your DNS, but soon you will discover you can’t connect to the printers on this server. This is because you are missing some registry tweaks. At this point I also want to make you aware, I saw Windows updates removing those keys, so keep this article handy to reconstruct the registry in case of any issues.

You will need a total of three registry keys added, as follows:

This first key will enable DNSOnWire for the Print-Server itself. This is needed to make the print-server aware that you might use DNS ALIAS / CNAME entries to access him. More can be found e.g. here: Windows couldn’t connect to the printer – Windows Server | Microsoft Docs

This key, DisableStrictNameChecking, we need to configure the SMB server / LANManServer – he needs to be aware as well that we will use CNAMES to access the shares on the server. You can find some more information at the following link: Can’t access SMB file server – Windows Server | Microsoft Docs

And last but not least, the OptionalNames – this is the one key that’s most hidden but still so important. You can also make it REG_MULTI_SZ key. But it works with a simple REG_SZ key and the short CNAME alias that you have specified, you don’t even need use the FQDN.

There are many ways on how to accomplish this one last key, it changed throughout the Windows versions, it was possibly even renamed. Worst I saw on a Windows 2016 server was it vanished after a update session and reboot. So be prepared for that. A simple recreation and reboot fixed the issues.

Also, make sure you reboot after those changes, otherwise it won’t work.

Bypassing Windows 10 UAC for Unknown Publishers

Bypassing Windows 10 UAC for Unknown Publishers

It happens that some programs alert you in Windows 10 about Publisher: Unknown and expect you to possibly provide administrative credentials to even execute it.

Especially in corporate networks users likely don’t have this level of permissions and surely the IT department respective IT-Administrators going to be reluctant to grant administrative privileges when they are not absolutely necessary.

For this specific case, there is a possible workaround – try to start the program with the following CMD-command and see if you might be able to bypass this issue. I sure don’t recommend doing this just for any program, be sure that what you want to start is safe, but there are cases where this is necessary, cause you won’t want to alter the UAC (User Account Control) or permission level or the employee.

Of course, adjust the path to your program. Eventually the parameter __COMPAT_LAYER=RUNASINVOKER is likely to bypass this specific issue.

Note that this also depends on a few more variables, but it sure is worth a try.

Make Microsoft TEAMS the default IM application

Make Microsoft TEAMS the default IM application

Having multiple applications that act as chat respective IM application but you want Microsoft TEAMS to be the default Instant Messenger application especially so Outlook e.g. shows the correct online/offline as well as free and busy status for employees and so they can start a conversation directly from there, you will need to make sure that Microsoft TEAMS is the default IM Provider.

This came up especially in combination with Cisco Jabber, that is often used as the software phone client for a Cisco phone system. This application might overrule the user settings and take presence especially in Microsoft Outlook. Cisco has an article about this here that talks about various registry keys. But this is actually not the direct solution for this issue.

In order to set TEAMS, if installed, the default application for your employees, it is easiest to engage Group Policies, GPOs, for this. Simply follow the below steps. Those settings will find out if Microsoft TEAMS is available and if so set it as default IM Provider. Close Microsoft Outlook and open it again and you will see the status icons and message box being associated with Microsoft TEAMS.

Of course, you could slightly adjust the suggested GPO settings and engage e.g. Cisco Jabber or any other IM provider available instead. Just have a look at the registry path HKEY_CURRENT_USER\Software\IM Providers and see what is available and set the GPO accordingly. All you need is the name of the sub key for the DefaultIMApp value.

Steps for the user GPO

  1. Create a new GPO (or chose an existing GPO)
    1. This will be a User Configuration
  2. Navigate to User Configuration\Preferences\Windows Settings\Registry
  3. Create a new Registry Item
  4. Settings on General tab
    1. Leave the Action settings to Update
    2. Hive: HKEY_CURRENT_USER
    3. Key Path: Software\IM Providers
    4. Value name: DefaultIMApp
    5. Value type: REG_SZ
    6. Value data: Teams
  5. Settings on Common tab
    1. Check Run in logged-on user’s security contact (user policy option)
    2. Check Item-level targeting
    3. Click on Targeting and apply the following settings
      1. The following steps make sure that this is only applied if Microsoft TEAMS is available as a IM provider
      2. Click on New Item and chose Registry Match
      3. Match type: Key exists
      4. Hive: HKEY_CURRENT_USER 
      5. Key Path: Software\IM Providers\Teams
    4. It is good practice to provide a Description for this item – e.g.: This will set Microsoft TEAMS as default IM Provider for e.g. Outlook – if available as IM Provider.

 

Make sure the GPO applies to your users and you should be all set. This will make sure that even if a new application is installed and takes the IM Provider role over, that your clients will still fall back to Microsoft TEAMS. Of course, it will depend on when the GPO was reapplied and that the user actually closes and reopens Outlook.

 

Windows Search Index monitoring

Windows Search Index monitoring

While rolling out Windows Search Indexing I bumped in to quite a few issues and things I wanted to monitor. One of the main information I actually was after is the amount of files in the Windows Search Index. I could see this information in the Indexing Options of the system and it was constantly updating, but I was not able to find the same information per WMI, PowerShell cmdlets, Performance Counters etc.

This caused me headache cause it was clear that the index a) had to grow till it reached a fully indexed system and b) if the index-size dropped below a certain amount (once finished) I surely had an issue – I saw the database rebuilding out of no where – due to pagefile-issues or space on the partition where the index-database resided.

All of this made it clear that monitoring was inherent – but I did not want to play around with EventIDs – clearly the amount of files in the index was a way better indicator.

This caused me to write the following PowerShell script – it will invoke a command to a target system and count the files currently in the index. This has to be invoked, though the OLEDB provider of the Search Index allows remote-requests, it does not give you accurate numbers for the overall scope of the index on the system using remote requests. Getting to a point to even get this information was quite a challenge, I am certain who ever finds this here will know already, assuming you did some research. Hope it helps, though.

An update to this or what I learned

Of course you wouldn’t just monitor the amount of indexed files with the script above. You likely have a dedicated drive / partition where the index resides. You definitive want to monitor the used or free drive space there as well. What you will discover especially in the beginning but as well later if many files are moved or copied to the server, is that the Windows Search Index database will grow after the indexing of huge amounts of files is done and shrink again. As far as I understand this, there is some maintenance and deduplication going on.

On a server with about 14 million files that took about 1 week to index, I ended up with a 250 GB index database, the second it finished it took another 12 hours while the database grew another 100 GB and then shrunk back to actually 200 GB.

Don’t let those numbers scare you, we talk about 10 TB (terra byte) of data in those 14 million files. This is quite a bit. Most other file servers won’t have such huge databases and you won’t see such huge increases while the index database is doing some kind of clean up, nor will it take a week for the initial index to finish.

What I wanted to show with this is simply that you really want to monitor all those information and keep a close eye on it. I saw the database make huge jumps in size in very very short periods of time. If the drive then is full your index possibly would get corrupted and Windows will start from zero again. You want to avoid this. Once the index is finished and no huge incoming file operations take place you won’t see to many jumps anymore. It will calm down. But still, always make sure you have enough space on the partition where the index database resides and proper monitoring on it to be able to react quickly (going as far as automating a service stop for the Windows Search index while the space goes down to avoid database corruption).

Setting up Windows Search Index

Setting up Windows Search Index

The Windows Search indexing is a solution from Microsoft that will index your file servers and their files full text and allow your end users to get results quickly while actually engaging the fulltext search database seamlessly.

This is accomplish by just using the search box in the upper right of the Windows Explorer while residing on a network share or mapped network drive.

Many people say that the Windows Search does not work right, but my experience is that quite the opposite is true and it only depends on the right set up. This I will explain here further.

Before we go in to details – there is a challenge that goes along with DFS namespaces. I found a way to bypass this, look here to understand how it works.

  • add an additional drive to your file servers
    • I roughly recommend about 10% of the total use size of your file shares that you want to index
    • you might be able to go with less or more – but expect 10% to be more on the safe side
  • give the new drive a drive-letter (e.g. I: for Index) and name it INDEX (to make clear that this is only to be used for the INDEX database)
  • add the following path to this drive
    • I:\ProgramData\Microsoft
    • The path above mirrors the default path on the C: drive where the index will reside by default, I recommend to mirror this path on the new target drive to keep things simple and clear
  • add the feature Windows Search to your server
  • download the Microsoft Filter Pack 2.0 and install it on your server
    • yes – this is a Office 2010 SP2 filter pack and yes that’s okay
    • just download the x64 bit version of it and install it
    • this will add a iFilter pack to Windows that allows Windows to understand DOCX and XLSX files (and others) and full text index them
  • enable the new service Windows Search
    • set it to start type automatic
    • start the service
  • from your start menu (or Control Panel) open the Indexing Options
    • click on ADVANCED
      • select the earlier created path I:\ProgramData\Microsoft as new path for the index
      • after you click on OK Windows will stop the service and move the existing index
        • you might need to manually start the service again
    • click now on MODIFY and select the server shares respectively local paths you want to index
    • if you leave the Indexing Options open you will see that Windows updates the count constantly
      • Windows will slow down indexing if you work on the console or via RDP on the server Desktop
      • You will see the message INDEXING COMPLETED once all files have been index
        • this can take many days – don’t be surprised and be patient
  • think about monitoring the index and the partition the index resides on

One challenge resides – if your indexing drive becomes full, Windows Search indexing will crash the index database and likely determine it as corrupt and start from scratch. This can happen within minutes, even before any of your monitoring solutions might warn you about the full drive. There are eventlog entries about and you would easily see that the number of indexed files dropped to a very low number again. The drive becomes suddenly pretty empty as well again. This is sure one of the downsides of how Microsoft implemented this, but if you provide plenty of space in the first place, you likely won’t experience this issue.

iFilters for PDF files seem not to be necessary on current Windows versions. In the past I downloaded a iFilter for PDF files from Adobe but I experienced many issues with temporary files on the C:\ of my file servers. This is a known bug with the Adobe iFilter – as for Windows 2016 those files are full text index, but the same restrictions as in the past apply – PDF file can hold editable text that can be indexed or they hold pictures – what is often due to scans of documents – as long your scanner didn’t due OCR and translate the image to text, those files can’t be full text indexed.

Monitoring

It is almost essential to have proper monitoring in place for this. Actually, you want to monitor everything within your network, but that’s another story. I faced the same challenges and even was able to find out more about how the index database grows and why many people aren’t happy with it. Eventually it comes down to improper configurations and bad or nor monitoring at all. I highly recommend you have a look at this additional blog article about Windows Index Monitoring.

Shadow copies aren’t accessible – advanced VSS configuration

Shadow copies aren’t accessible – advanced VSS configuration

Most file servers are configured to use the Windows internal shadow copies / VSS to allow administrators or even users to quickly restore files.

Microsoft allows you to extend the default maximum of 64 shadow copies to a total of up to 512 as described here: https://docs.microsoft.com/en-us/windows/desktop/Backup/registry-keys-for-backup-and-restore#maxshadowcopies

It is pretty easy to implement this – no restart needed (if running, restart the volume shadow copy service).

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\Settings
  • MaxShadowCopies DWORD
  • official maximum: 512 (decimal, NOT HEX!!!) (HEX: 0x200)

Now – we detected in January 2019 a bug that at least affects Windows 2016 servers, if not even more. We could not see the shadow copies of the current day. Any shadow copies of the previous day seemed to be fully available. The cut off was literally before midnight. After about 12 subsequent shadow copies they started to triple in.

Once we adjusted the maximum to 500 (decimal – HEX: 0x1f4) and restarting the service respective waiting till the next scheduled shadow copy executed (plus a few minutes to process a cleanup) we eventually could see the most current shadow copy from the Windows Explorer menu.

This seems to work way better then the 512 that is the defined maximum. There seems to be some kind of a bug that started with some update. We couldn’t determine it in detail and simulating this would take a lot of time.

NirSoft has a great tool to investigate your shadow copies as well here: http://www.nirsoft.net/utils/shadow_copy_view.html

This is a GUI based tool that partly lets you look in to your shadow copies. Only, if you try to open the most current paths while the 512 maximum was set, Windows Explorer still couldn’t handle it. But it was a nice detailed proof to see that the current shadow copies where as a matter of fact there.

Similar results could be determined while using PowerShell and command line commands like VSSadmin – we saw the shadow copies where there.

WMI provided the same information as well – for an example see the script here what uses WMI and PowerShell to gather information about shadow copies: https://www.it-admins.com/monitoring-shadow-copies-with-prtg/

Suggestions to configure shadow copies:

  • set a maximum of 500 instead of 512
  • do them e.g. hourly – as you need them
    • this is all a calculation, straight hourly provides you 500 copies / 24 hours a day = +/- 20 days back
    • if you go e.g. 5 AM to 9 PM and no Sundays you extend this: 500 / 17 snaps a day (hourly) = +/- 29 days => add the removed Sundays in the equation and you easily bypass a whole month
      • this would allow you while doing full virtual machine backups (VHD level backups) to keep the month end tape of every month and still be able to restore files from the shadow copies in theory – I had cases where I had to dig that deep..
  • volume configuration on your file servers (the drive letters don’t matter much)
  • add monitoring to your VSS – like described here with PRTG

 

 

SNMP was deprecated

SNMP was deprecated

Microsoft deprecated the SNMP in Windows 2012 (R2). As of Windows 10 1809 respective Windows 2016 this feature is pretty much hidden. The decision likely was made due to security risks related to SNMP, in any case – as of right now it is still available if you really need it – but not via the good old Control Panel – Add Remove Features function. The following should even work on Windows 2019, since there is no indication that Microsoft finally removed the feature itself.

The following link is for Windows Server 2012 (R2) – it clearly states that SNMP is deprecated: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831568(v=ws.11)

Windows client and server operating systems share the same kernel in the background – for the most part.

Alternate ways to enable the feature:

  • using Apps & Features will help you getting SNMP via Optional Features
    • then use Add a feature
  • PowerShell commands:
    • Either those commands
    • or the following version of commands
  • or you use DISM on a command prompt

In all cases – you will run in to an possible issue if you use WSUS – you might need to temporarily bypass it in order to install this feature. It is possible that you need to restart the Windows Update service on the system for this setting to take effect.

  • Open Regedit and adjust the following key

It is pretty obvious that this feature will be removed at one point – but  as of now it is still available.

Let’s talk about a few things in regards to SNMP on Windows – or even in general when it comes to all your switches, firewalls, routers and other network components.

  • using SNMP on a Windows OS is a potential security risk – actually – SNMP itself is in general, cause it is standardized in often not locked down while having as well just limited security features
  • I personally don’t see a reason to use SNMP to monitor a Windows Server – the system itself can easily be monitored by WMI and other methods – that might have pro’s and con’s – but it generally works
  • There are circumstances then you need SNMP enabled – I had this while coming across mostly UPS software that only allowed to interact with it via SNMP – the UPS itself was connected per USB and the software on a Windows server/client allowed no API calls or similar – you had to enable SNMP on Windows and then use SNMP through Windows to grab data for e.g. UPS monitoring
    • having said this – this is actually a flaw by the vendor in such a case and should by addressed with the vendor
    • there is possibly more then just an UPS software that does behave like this

Read the UEFI stored Windows key and activate Windows

Read the UEFI stored Windows key and activate Windows

Ever wanted to read out the UEFI stored Windows key and probably automatically try to activate Windows with a single script?

The UEFI stored Windows license key is essential due to the fact that you don’t have a physical license anymore and you should keep it just in case for situations like your motherboard was exchanged and the key not transferred properly. I came across similar situations and was glad that I had the key.

But the script below does more then just reading and displaying the key – it will try to activate Windows as well.

Please note – it is wise to combine the read out of the key with an export and save method – like writing it to a database – this script will only show the basic functionality – but this is the most important part already.

The next two lines help additionally – if you create this batch file as well and store both files in the same directory, you simply can right click the .CMD file and execute it with elevated rights (run as administrator) and it will make your live even easier. This is just a simple trick to bypass some restrictions that you might encounter while trying to execute a PowerShell script with elevated rights and bypassing the execution policy for scripts at the same time.

Read the UEFI stored Windows key and activate Windows

Read the UEFI stored Windows key and activate Windows

The following script will read the UEFI stored Windows licensing key and show it – it then will attempt to activate Windows and probably even e.g. your Microsoft Office installation – this is not necessarily intentional by the script, rather then a coincidence that I discovered by using this script to activate Windows after it was automatically deployed from an image that had a pre-injected volume license key. Office likely got activated along with Windows.

In any case – it helps you to activate Windows or simply read out your license key.

 

Gathering profile information from computer

Gathering profile information from computer

Every now an then you might need to know who logged on and when was the last logon of which user to a specific workstation as well as the size of each user profile. For this I once wrote the PowerShell script you can find below. It does a WMI query against a list of one or more target computers and reads out the information reporting it back.

As input parameter use a comma separated list of computer names – those must be reachable and administrative accessible (you need at least admin rights on the target system). You then get a output set per profile.

The output can e.g. be transformed with the parameter |ft to see it in table format – like typical in PowerShell.

Output values are:

  • ComputerName
  • ProfileName
  • ProfilePath
  • ProfileType
    • Temporary
    • Roaming
    • Mandatory
    • Corrupted
    • local
  • IsinUse
  • IsSystemAccount
  • Size
    • this needs to most processing time – it is a manual size check including even temp files.. – other then what Windows shows you
  • LastUseTime

Prevent ScreenSaver coming up with a PowerShell script

Prevent ScreenSaver coming up with a PowerShell script

In our daily business, we often have the issue that a GPO enforces a screensaver after a certain amount of time. This can become very annoying and actually even be an issue if you are remote in on a end-user system and don’t know their password. After doing quite some research I found out that PowerShell actually is able to help here and I wrote a script to prevent the screensaver from coming up.

First I thought, let’s see if I can control the mouse cursor, cause I thought it would be less invasive, this is actually possible – but interestingly did not have the expected effect and the screensaver kept coming up. So I did go with keystrokes, but of course I was worried about what key would be save to send. Doing some research on Microsoft websites (here the link), I found the F16 – testing around with it I found it the least invasive key to send periodically to a system – it does not even exist on a regular keyboard and can only be simulated with a key-combination. To simulate F16 you need to press SHIFT + F4 – there might be a Windows 10 (may be even earlier) combination out of WINDOWS + SHIFT + F4 respective WINDOWS + F16 what would cause a shutdown. Once I found out about that, I decided to adjust the script to F17 what seemed to bypass even that small chance of an issue that would be more problematic then the screensaver itself – you sure don’t want the system to shutdown :-).

The script you find below can be simply executed. It has a setting $minutes that you could add as a parameter and therefor adjust it when you start it – by default it will use 9999 what is a pretty long time. To be clear – this is actually not a minute interval, it is a 30 second interval and ends up in half minutes. Why? Simple – Windows has a minimum setting of 1 minute that an screensaver can come up. If the script would fire in a minute interval, there is a theoretical chance the screensaver would still win.

This is further not pure PowerShell code – well it is but actually the key stroke is send via a Windows Scripting Host WSH / WScript command SendKeys. The PowerShell only surrounds to command. It has the nice habit of having a PowerShell window open that you simply can close to end the script. If you would do the same in WSH you would need to execute the script more manual with CSCRIPT rather then just double-clicking the file what would execute it via VBSCRIPT instead causing a hidden window / process and you would need to identify it in the task-manager to kill the process. Therefor, PowerShell was the best choice in the end to accomplish the task.

Additionally you could use the below more advanced script that will control the screensaver only during a defined time window. This is a more advanced way and more usable in certain situation, cause it would automatically allow the screensaver to come up outside the defined time window and minimize the exposure of the system more. It is also more effective then completely disabling any screensaver GPO settings, cause it is more specific and adjustable.

Update: As of 10/202 I updated the script below from F13 to F10, as this works better for most situations. Be aware, it all depends on what your foreground windows will react too. Make sure the keystroke you use does not cause you any harm.

Solution for VSS exceptions with VMware guests / VM tools

Solution for VSS exceptions with VMware guests / VM tools

Today’s blog is about “Solution for VSS exceptions with VMware guests / VM tools” and was initially posted by myself here: https://vox.veritas.com/t5/Backup-Exec/Solution-for-VSS-exceptions-with-VMware-guests-VM-tools/td-p/829072 – it actually became a KB entry for an as of today older version of Veritas Backup Exec – but I did not want to leave it out of my blog.. Here is the link to the KB article: https://www.veritas.com/docs/000009506

Here is the article I wrote – starting with a description of the actual issue:

We have been experiencing VSS issues with VMware guests in regards to the installed Backup Exec Agent and a previously installed VMware Tools VSS option.

Uninstalling the VMware Tools VSS option in various ways including restarts did not fix our issues. If you search the internet for solutions, you find many attempts but no real solution or explanation.

One of our admins spend several hours with the Veritas support without a solution, he was about to escalate the issue with them, when we found the root cause and could actually fix our issues.

First the steps to solve this:

  1. Uninstall the VMware Tools VSS option (no restart will be requiered)
  2. Make sure VMware VSS service was deleted
    1. If this is not the case, you might need to do so manually and remove additional DLL’s etc. as well as restart the system, but this is independent from this solution
  3. You might have already done steps 1 and 2 but you still get VSS exceptions from the backup that says you have more than one VSS agent installed:
    1. V-79-8192-38331 – The backup has detected that both the VMware VSS Provider and the Symantec VSS Provider have been installed on the virtual machine ‘hostname’. However, only one VSS Provider can be used on a virutal machine. You must uninstall the VMware VSS Provider.
    2. Now you wonder what causes this and you get stuck
    3. You could uninstall the Veritas/Symantec Backup Exec Agent and only back the system up per VMDK
    4. You would lose the GRT / granular backup / restore capabilities
  4. Check your registry for the following reg key
    1. HKLM\System\CurrentControlSet\Services\BeVssProviderConflict
    2. If this key exists, but your VMware VSS provider is uninstalled, you need to follow up with step 5
  5. Open a notepad as administrator
  6. Open this file in the notepad
    1. C:\ProgramData\VMware\VMware Tools\manifest.txt
  7. Search for the following two entries:
    1. Vcbprovider_2003.installed
    2. vcbprovider.installed
  8. Make sure both of them are set to FALSE, most likely one of them is TRUE
  9. Run a test backup
    1. This test backup now should not show the exception anymore
    2. The registry key should vanish (refresh/press F5) without you taking action

So what happened?

You uninstalled the VMware Tools VSS provider, but this manifest file did not get updated. We actually could see that it sometimes does get updated and sometimes does not. This seems to be some kind of issue with the VMware Tools uninstalled/installer.

But why this manifest.txt file?

As we found out, there scripts that get executed by Symantec/Veritas Backup Exec before the backup. You might find them in two locations, and it seems to depend a bit on the Windows version which script is executed (at which location). You could edit them both and just undo the checks in the scripts, but this wouldn’t be correct. It is more correct to update the manifest.txt file. If you want to, you can check the date/time of the manifest.txt file before you change it – you might see it was not updated while you uninstalled the VMware Tools VSS provider (assuming you did only do this and not do additional installs/uninstalls within the VMware Tools / please note as well that this only is true when you still experienced those issues).

Now, back to those scripts, you find them here:

  • C:\Windows
  • C:\Program Files\Symantec\Backup Exec\RAWS\VSS Provider

The name of the script that matters:

  • pre-freeze-script.bat

This script checks several DLLs, registry entries, paths and on Windows 2008 and newer the ProgramData-Path for this specific manifest.txt file and the two entries mentioned.

Once you uninstall the VMware VSS provider, and the file did not get updated, you might see this issue and wonder how to solve it. The solution is to simply update it to mirror the uninstallation of the VMware VSS provider (vcbprovider). We double checked this with several installations and could see if the file actually gets updated, those two values are set to FALSE, if it doesn’t, at least one of the values remains true, what causes the pre-freeze-script.bat to write the registry key mentioned earlier and therefor causing the issue in the backup – exceptions.

If you still have the same issues after updating the manifest.txt, simply check all the DLL’s that are mentioned in the script and make sure they don’t exist. You might also consider to manually delete the registry-key (it seems to be just a dumy-key) to make sure there is no issue that prevents the script from deleting it. Make sure it does not re-appear after a backup! Otherwise you might still have some DLLs left on your system that cause the script to re-create the registry key.

Hope this helps a few of you out there. This was an ongoing issue for a while and I came accross those issues many times ever since Windows 2008. This applies to Windows 2008 R2, Windows 2012, Windows 2012 R2 and pretty sure to Windows 2016 as well.

It helped us getting rid of those issues completely and actually not even needing a single restart of the guest VM to solve the issues (removing the VMware VSS provide did not need a restart).