Posts Tagged ‘server’

Outlook freezing and spiking Exchange Indexing service processes? You probably have some corruption in your mailboxen

April 9, 2015

Last night, at about 4:50PM we faced a momentary “freeze” in all Outlook clients.

I hopped onto one of our mailbox servers (the DAG member where our three DBs were mounted), and noticed a large lag in connection.



Rolling Performance Monitor (perfmon) log files in Windows

March 7, 2014

I wanted to monitor all processes’ read and write bytes/sec for a half hour within a given time span nightly, but I didn’t want to fill the disk up with old and useless log files.

It took me more than five seconds of searching to figure out how to “roll perfmon logs” or “delete old perfmon logs automatically.”

The way to do this is to utilize a Data Manager to manage your data collector set data.

Configuring a Data Manager to rotate perfmon log files:

1) Configure a data collector set, setting up the actions and tasks via perfmon.msc.

2) In the perfmon.msc tree, go to Reports\User Defined, where you will see your Data Collector set: right-click > Properties.

3) On the Data Manager tab, you can configure various things, but for our purpose of retaining one log file, set Maximum Folders to 1; check “Apply policy before the data collector set starts” and “Enable data management and report generation”. [Refer to the below Manage Data in Windows Performance Monitor article for more info.]

4) Go to the Action tab > Add > Condition: 1 day; check: delete data files, delete cab file, and delete report.

5) Click OK, OK.

6) I use a quick batch in (local group policy> windows settings> scripts> startup) to start a performance monitor at system boot:

logman start -name "all procs cpu io"

I will be testing this over the weekend, but it should work as it is.


Using Shodan and FeedBurner to keep a public eye on your hosts

June 25, 2012

Shodan’s net: operator is limited by session cookie. However, Shodan results are available as XML and a few other ways for a fee, and I’m sure the net: operator is revealed through this. The net: operator is NOT available to the free RSS feed, so you shouldn’t expect RSS generated by queries with the net: operator to be able to be read by FeedBurner. In other words: This article doesn’t work, unless you can create your own RSS poller that feeds Shodan with whatever cookie bit it wants (with an HTTP GET). It’s also worth noting that John, from Shodan, got back to me and said he may enable something like leveraging the API key and allow users access to a few net: subnet queries for free. But we’ll wait and see.

Shodan is a search engine that crawls protocol headers (for protocols such as SIP, HTTP, FTP, and SSH) and other content, and makes the results available to users via a web interface and a RESTful API.

I decided to look into it this past weekend while researching Maltego, when I came across some videos of a talk the developers of FOCA gave at DEFCON 18. I think I had seen Shodan previously, but never looked too deeply at it as it seems ripe for grayhattery, which I don’t have time to participate in.


Some interesting WMI calls for DFS-R

September 1, 2011

wmic /namespace:\\root\microsoftdfs path DfsrVolumeInfo get volumepath
wmic /namespace:\\root\microsoftdfs path DfsrReplicatedFolderConfig get rootpath
wmic /namespace:\\root\microsoftdfs path DfsrVolumeConfig get DatabasePath
echo %time% && wmic /namespace:\\root\microsoftdfs path DfsrIdRecordInfo get Fid | grep -c -e .* && echo %time%
wmic /namespace:\\root\microsoftdfs path DfsrSyncInfo get BytesTransferred,replicationgroupname

Method to really monitor DFS replication

August 24, 2011

Warning… attaching Process Monitor to your system will greatly slow down performance!


This will help answer the question “how long does it take for a file to replicate over DFS-R?”

1) How much data is written in the folders by SMB on the source server?

Use Process Monitor

Filter definitions:

  • Path includes destination directory
  • Process Name includes “System”
  • Operation is “WriteFile”

2) How much data is read by dfsr.exe in a single folder on the source server?

Use Process Monitor

Filter definitions:

  • Path includes destination directory
  • Path excludes “dfsrprivate”
  • Process name includes “dfsr.exe”
  • Operation is “ReadFile”

[bonus: how effective is RDC?]

Use Process Monitor

Filter definitions:

  • Path includes destination directory
  • Path includes “dfsrprivate”
  • Process name includes “dfsr.exe”
  • Operation is “WriteFile”


3) Track DFS-R changes on the destination server and find the time of the last update to the file(s) by parsing the debug log:

DO NOT TAIL THE DFSR DEBUG LOGS!  It will invalidate rotation.  I learned this the hard way.

What you should do is increase the debug log retention via the method mentioned in KB958893 (default is 100):

wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set maxdebuglogfiles=500 

You can then use 7-zip, etc., to unzip the gzipped debug logs located in c:\windows\debug\*.gz and analyze them as follows:

cat c:\windows\debug\Dfsr00100.log | grep -E .*Install-rename.*EXT.*
grep -E .*Install-rename.*FILENAME.* -r . > ..\.\log.txt

The output will look similar to this:

20110824 15:15:59.203 5064 MEET  2426 Meet::InstallRename -> DONE Install-rename completed updateName:[FILENAME.EXT] uid:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v43 gvsn:{D32A1438-D8D5-4E3B-8521-05AE2F87EE30}-v43 connId:{DDDA8CE0-8500-425C-A9C1-467D74EB64BC} csName:[REPLICATION GROUP NAME] csId:{465C4E61-79EF-4824-B8FF-D62C5A734728}
+       name              [FILENAME.EXT]

Meet::InstallRename -> DONE Install-rename is the log entry for the return of the function that signifies the completion of the file being placed in the live directory (its final location).
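
As an added example (not part of the original post), this Python sketch reads copies of the rotated .gz debug logs directly, so nothing holds the live log open, and reports the latest completed Install-rename per file. The function names, the sample entries and the one-entry-per-line layout with a leading timestamp are assumptions modelled on the output shown above.

```python
import gzip
import re
from datetime import datetime

# Entry layout assumed from the sample output above: timestamp first, then
# "Meet::InstallRename -> DONE Install-rename completed updateName:[...]".
ENTRY = re.compile(
    r"^(?P<ts>\d{8} \d{2}:\d{2}:\d{2}\.\d{3})\s.*"
    r"Meet::InstallRename -> DONE Install-rename\s+completed\s+"
    r"updateName:\[(?P<name>[^\]]+)\]"
)

def last_install_times(lines, wanted=None):
    """Map each file name to the time of its latest completed Install-rename.

    wanted: optional iterable of file names to keep (case-insensitive).
    """
    keep = {w.lower() for w in wanted} if wanted else None
    latest = {}
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue  # "+  name [...]" continuation lines and other entries
        name = m.group("name")
        if keep is not None and name.lower() not in keep:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y%m%d %H:%M:%S.%f")
        if name not in latest or ts > latest[name]:
            latest[name] = ts
    return latest

def read_gz_log(source):
    """Yield text lines from a rotated .gz log (path or binary file object)."""
    # The encoding is an assumption; undecodable bytes are replaced, not fatal.
    with gzip.open(source, "rt", encoding="utf-8", errors="replace") as fh:
        yield from fh

# Constructed sample entries (not real log data), modelled on the output above.
_HEAD = " 5064 MEET  2426 Meet::InstallRename -> DONE Install-rename completed "
SAMPLE = (
    "20110824 15:15:59.203" + _HEAD + "updateName:[report.docx] uid:{EXAMPLE}-v43\n"
    "+       name              [report.docx]\n"
    "20110824 15:16:10.500 5064 MEET  1207 Meet::Install -> other updateName:[notes.txt]\n"
    "20110824 15:17:02.010" + _HEAD + "updateName:[report.docx] uid:{EXAMPLE}-v44\n"
    "20110824 15:18:30.750" + _HEAD + "updateName:[notes.txt] uid:{EXAMPLE}-v45\n"
)

if __name__ == "__main__":
    for name, ts in sorted(last_install_times(SAMPLE.splitlines()).items()):
        print(f"{ts:%Y-%m-%d %H:%M:%S.%f}  {name}")
```

Comparing these timestamps with the time of the corresponding WriteFile events captured on the source server gives the replication delay per file.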

Windows: DFS-R patches for 2003

August 23, 2011