2016-04-27

Software Restriction Policy: Can't Install HP Data Protector 7.03_108 on Windows 2003

During an agent upgrade, setup cancels with the following message (the same text is written to the MSI log in the temp directory):

[ 99] ERROR: Error 1260.Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.

[110] {16777216} Error 1260.Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.

Solution

Save the following to a *.reg file and apply the registry changes:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"SecureRepairPolicy"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist]
"{02F80D5F-D2A7-499D-8961-77583CEF495B}"=""
"{21F107FF-FD00-477D-B49D-5C3854A39FFE}"=""
"{3B31F119-6344-4FA3-894F-8CE196858401}"=""
"{52C9F3C8-8C89-4288-95CB-86C6CB1E5BBC}"=""
"{CAEDB28E-A1E5-4E7F-88D3-D6CA4FC891C2}"=""
"{DE5100C5-E5C6-40B7-9294-FAD5F81E987F}"=""


The product codes in braces {} are for HP Data Protector 7.03 build 108. If you have a different version or other software, obtain the product codes from the installation *.msi files (or from the MSI log file in the user's temporary directory, such as C:\DOCUME~1\your_username\LOCALS~1\Temp\ ) and add them to the registry list.
The solution is based on the official MS KB.

/Geecoholic
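
One way to collect those product codes, as an added example that is not part of the original post: the PowerShell functions below read the ProductCode property of each .msi through the Windows Installer COM object and emit the whitelist in the .reg layout shown above. The function names and the C:\install path are assumptions; the script can be run on any machine with PowerShell that can read the packages.

```powershell
# Added example (not from the original post): build the SecureRepairWhitelist
# .reg text from the ProductCode stored in each .msi package.
function Invoke-ComMember {
    # Late-bound call into the Windows Installer automation objects
    param($Object, [string]$Name, [Reflection.BindingFlags]$Kind = 'InvokeMethod', [object[]]$Arguments)
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
}

function Get-MsiProductCode {
    param([Parameter(Mandatory = $true)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        $db = Invoke-ComMember $installer 'OpenDatabase' -Arguments @($full, 0)   # 0 = read-only
        $view = Invoke-ComMember $db 'OpenView' -Arguments @("SELECT Value FROM Property WHERE Property = 'ProductCode'")
        $null = Invoke-ComMember $view 'Execute'
        $record = Invoke-ComMember $view 'Fetch'
        if ($null -eq $record) { throw "No ProductCode property in $full" }
        $code = Invoke-ComMember $record 'StringData' -Kind GetProperty -Arguments @(1)
        $null = Invoke-ComMember $view 'Close'
        $code
    } finally {
        $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

function New-SecureRepairWhitelistReg {
    param([Parameter(Mandatory = $true)][string[]]$MsiPath)
    $guid  = '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'
    $codes = $MsiPath | ForEach-Object { (Get-MsiProductCode -Path $_).ToUpper() } | Sort-Object -Unique
    'Windows Registry Editor Version 5.00'
    ''
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]'
    '"SecureRepairPolicy"=dword:00000002'
    ''
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\SecureRepairWhitelist]'
    foreach ($code in $codes) {
        # Accept only a plain GUID so nothing else can end up in the .reg file
        if ($code -cnotmatch $guid) { throw "Unexpected ProductCode value: $code" }
        '"{0}"=""' -f $code
    }
}

# Usage (C:\install is a placeholder path):
# $msi = Get-ChildItem 'C:\install' -Filter *.msi -Recurse | ForEach-Object { $_.FullName }
# New-SecureRepairWhitelistReg -MsiPath $msi | Set-Content whitelist.reg -Encoding Unicode
```

Review the generated file before importing it, so that only the packages you intend to allow are on the list.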

2016-04-26

EventLog: How to solve WmiApRpl and BITS errors in Event ID 1008

On a Windows Server 2012 machine with SharePoint 2013 and the IIS role installed, the same errors appear repeatedly in the Application event log. The errors are not critical and can be ignored, but they pollute the log, so I decided to clean them up.

Here is a typical example of Event ID 1008, generated every 15 minutes:

Log Name:      Application
Source:        Microsoft-Windows-Perflib
Date:          2016.04.23 13:15:53
Event ID:      1008
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The Open Procedure for service "WmiApRpl" in DLL "C:\Windows\system32\wbem\wmiaprpl.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Log Name:      Application
Source:        Microsoft-Windows-Perflib
Date:          2016.04.23 13:15:53
Event ID:      1008
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.


Solution

Launch Regedit.exe and give READ permissions to the user WSS_WPG on the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApRpl

There is no need to restart any service or the server; the errors just disappear.
After a server restart the errors come back once during startup and do not occur later.

/Geecoholic

2016-04-08

PowerShell: How to clear all Event Logs

Run PowerShell as an administrator and use the following command:

wevtutil el | Foreach-Object {wevtutil cl "$_"}

Warning! This command will clear ALL events in ALL event logs!


/Geecoholic
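
Clearing a log removes the history needed for troubleshooting or incident review, and the clear itself is recorded (event 1102 in the Security log, event 104 in the System log). As an added example, not part of the original post, this variant uses the /bu: option of wevtutil to save each log to an .evtx file while clearing it and then writes SHA-256 hashes of the archives. The C:\temp\evtx-backup folder is an assumption, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the original post): archive every event log while clearing it.
$backupDir = 'C:\temp\evtx-backup'          # assumption: any folder with enough free space
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$failed = @()
foreach ($log in (wevtutil el)) {
    # Names such as Microsoft-Windows-Foo/Operational contain characters
    # that are not valid in file names
    $safeName = $log -replace '[\\/:*?"<>|]', '_'
    $file     = Join-Path $backupDir "$safeName-$stamp.evtx"

    # /bu: saves the log contents to $file as part of the clear operation
    wevtutil cl "$log" "/bu:$file" 2>$null
    if ($LASTEXITCODE -ne 0) { $failed += $log }
}

# Hash manifest, so the archives can later be shown to be unmodified
Get-ChildItem $backupDir -Filter "*-$stamp.evtx" |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $backupDir "manifest-$stamp.csv") -NoTypeInformation -Encoding UTF8

# Logs that wevtutil could not process (for example disabled or in-use channels)
if ($failed) { Write-Warning ("wevtutil reported an error for: " + ($failed -join ', ')) }
```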

2016-03-30

Tool: How to get IBM MPIO disk UID from cmd

Sometimes many different disks from different vendors are connected to several servers. To cut through that complexity we need a common identifier that identifies a disk the same way across all operating systems and applications.

How do you obtain the IBM MPIO disk UID on a Windows Server with an IBM SAN disk attached?
Open a Command Prompt window in the IBM MPIO directory <C:\Program Files\IBM\SDDDSM> (make sure the IBM Subsystem Device Driver Device Specific Module (SDDDSM) is already installed) and type the following command at the command prompt:

datapath query device

In the command output, find the 32-digit number after the word SERIAL; that number is your UID.


/Geecoholic

2016-03-25

Windows 2008 R2: Multiple IPs on a single network interface and how to change the outgoing IP

I have a Windows 2008 R2 server with a single network interface and IP 10.10.10.17. The server runs multiple services such as SQL, SFTP, HTTP, HTTPS and a file server. Today I added an additional IP address, 10.10.10.10, and assigned it only to web services, but after some time I noticed that the 10.10.10.10 IP is used by other services as the outgoing IP. The ipconfig /all command shows the 10.10.10.10 IP "above" 10.10.10.17:

Ethernet adapter INTRANET:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-EE-EE-EE-EE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 10.10.10.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 10.10.10.1
   DNS Servers . . . . . . . . . . . : 10.10.10.11 10.10.10.12
   NetBIOS over Tcpip. . . . . . . . : Enabled



It looks like Windows Server 2008 R2 uses the IP closest to the GW for outgoing traffic.
The problem was solved using these cmd commands:

netsh interface ipv4 delete address "INTRANET" 10.10.10.10
netsh interface ipv4 add address "INTRANET" 10.10.10.10 255.255.255.224 skipassource=true


ipconfig /all after the fix:

   IPv4 Address. . . . . . . . . . . : 10.10.10.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224


/Geecoholic

2016-03-21

Windows 2012 R2 restarts after lsass.exe crash

Description

We have a Windows 2012 R2 server with the Active Directory role, which 1-2 times a day restarts automatically after events 1000 and 1015 are recorded in the event log:

Log Name:      Application
Source:        Application Error
Date:          3/9/2016 4:37:41 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
Faulting application name: lsass.exe, version: 6.3.9600.17415, time stamp: 0x545042fe
Faulting module name: ntdsai.dll, version: 6.3.9600.18009, time stamp: 0x55c8e51c
Exception code: 0xc0000005
Fault offset: 0x0000000000219d67
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15


Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          3/9/2016 4:37:49 PM
Event ID:      1015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.



Solution

The server has all fixes up to 2/23/2016 installed, and the official MS KB2914387 doesn't help, because the Ntdsai.dll file mentioned in the hotfix is older and the server already has a newer version of that DLL.

We found the source of the restarts: OOMADs.msi (Active Directory Management Pack Helper Object) had recently been installed to provide Active Directory monitoring for the SCOM agent. After uninstalling OOMADs.msi the problem was gone.

/Geecoholic

2016-03-17

Cmd: Am I a local administrator?

How to check whether the currently logged-in user has local administrator rights.

Run the sample by opening a Command Prompt window and typing the following command at the command prompt:

whoami /groups | find /i "BUILTIN\Administrators"


If any string is returned, yes you are Administrator!

/Geecoholic
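
On systems with User Account Control the command above also returns a line in a non-elevated prompt, where the group is present in the token only as "Group used for deny only". As an added example, not part of the original post, this PowerShell function separates group membership from elevation and matches the well-known SID S-1-5-32-544 instead of the group name, which differs on localized systems. The function name is an assumption.

```powershell
# Added example (not from the original post): is BUILTIN\Administrators in the
# current token, and is it actually enabled (elevated)?
function Get-LocalAdminStatus {
    $adminSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators

    # /fo csv /nh: one CSV row per group, no header row.
    # Columns are group name, type, SID, attributes.
    $groups = @(whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes)
    $entry = $groups | Where-Object { $_.Sid -eq $adminSid } | Select-Object -First 1

    # IsInRole is true only when the group is enabled in this token,
    # i.e. the process runs elevated (or UAC filtering does not apply)
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $status = '' | Select-Object User, GroupInToken, Elevated, TokenAttributes
    $status.User            = $identity.Name
    $status.GroupInToken    = [bool]$entry
    $status.Elevated        = $elevated
    $status.TokenAttributes = $(if ($entry) { $entry.Attributes } else { $null })
    $status
}

Get-LocalAdminStatus | Format-List
```

GroupInToken = True with Elevated = False means the account is an administrator but the current prompt is not running with administrator rights.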

2016-03-16

EventLog: DNS Client Stopped every 20 min, Event ID 7074

Description

I have a problem with two Windows Server 2012 R2 machines with a restricted network configuration. About every 20 minutes the DNS Client stopped or started with event ID 7076 in the System event log. Here are examples of the events:

Log Name:      System
Source:        Service Control Manager
Date:          3/16/2016 5:43:55 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The DNS Client service entered the running state.

Log Name:      System
Source:        Service Control Manager
Date:          3/16/2016 5:43:55 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The DNS Client service entered the stopped state.

Log Name:      System
Source:        Service Control Manager
Date:          3/16/2016 5:23:55 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The DNS Client service entered the running state.


Solutions


  • Disable DNS Client(dnscache) service
or
  • Unblock the firewall rule "Network Discovery (LLMNR-UDP-In)" in the active profile.


/Geecoholic

2016-03-07

Logoff all users from Windows RDS/Terminal Server using cmd

How do you log off all users on a server except the administrator? Save the sample below to a file named userslogoff.cmd in the c:\temp directory:

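rem List RDP sessions (rdp-tcp#N), dropping every line that mentions administrator
query session | find /i "tcp#" | find /v /i "administrator" > session.txt
rem The third column is the session ID; log off each remaining session
for /f "tokens=3" %%i in (session.txt) do logoff %%i
del session.txt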


Run the sample by opening a Command Prompt window and typing the following command at the command prompt:

cd\
cd temp
userslogoff.cmd


The logoff command does not prevent users from logging in again; use this command to disable new logons:

change logon /disable


Logons are re-enabled when you restart the system, or when you run this command:

change logon /enable


/Geecoholic

2016-03-04

Service: Free online antivirus scanner on many engines

There are many situations where you get a program via download, from a Skype buddy or as a strange email attachment, and you either don't have an antivirus or just don't trust the one on your PC.
What options do we have?

  1. Don't open/execute file ever
  2. Run suspicious file on free downloaded virtual machine and delete machine after use
  3. Or just scan online https://virusscan.jotti.org/

/Geecoholic

2016-03-03

EventLog: Who restarted or shut down the computer, and when

Here are the System event IDs that show a computer restart/shutdown and when the computer started, across the Windows family (Windows 2003/XP, Windows Vista/7/2008, Windows 8/10/2012):

1074, 6005

Here is a typical example of Event ID 1074, generated after Windows updates are installed and the computer restarts automatically (it shows the time, user and type):

Log Name:      System
Source:        User32
Date:          2/28/2016 1:57:06 AM
Event ID:      1074
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      COMPUTERNAME.DOMAIN
Description:
The process C:\Windows\system32\svchost.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)
 Reason Code: 0x80020002
 Shutdown Type: restart


Here is a typical example of Event ID 6005, generated when the computer starts (it shows the time):

Log Name:      System
Source:        EventLog
Date:          2/28/2016 1:59:18 AM
Event ID:      6005
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The Event log service was started.


The estimated computer downtime can be calculated from the time difference between the Date fields in the two example logs:
1:57:06 AM minus 1:59:18 AM = 2 min 6 sec

Official MS information on event IDs 6005 and 1074.

/Geecoholic
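
The same correlation can be run over the whole System log, as an added example that is not part of the original post: each 1074 shutdown request is paired with the next 6005 start and the gap is reported as downtime, and a 6005 with no preceding 1074 is flagged because the machine went down without a recorded request. Get-WinEvent needs Windows Vista/2008 or later; the function name is an assumption, and the 1074 field positions follow the order in which User32 writes them (process, computer, reason, reason code, shutdown type, comment, user).

```powershell
# Added example (not from the original post): pair each shutdown request (1074)
# with the next Event Log start (6005) and report the downtime between them.
function Get-RestartHistory {
    param([int]$Days = 30)

    $filter = @{ LogName = 'System'; Id = 1074, 6005; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)

    $request = $null
    foreach ($e in $events) {
        if ($e.Id -eq 1074) {
            $request = $e        # several requests may precede one start; keep the latest
            continue
        }

        # $e is a 6005 start event
        $row = '' | Select-Object Requested, Started, Downtime, User, Process, Type
        $row.Started = $e.TimeCreated
        if ($request) {
            $row.Requested = $request.TimeCreated
            $row.Downtime  = $e.TimeCreated - $request.TimeCreated
            $row.Process   = $request.Properties[0].Value
            $row.Type      = $request.Properties[4].Value
            $row.User      = $request.Properties[6].Value
        } else {
            # Crash, power loss or hard reset, or the request is older than -Days
            $row.Type = 'no 1074 recorded before this start'
        }
        $row
        $request = $null
    }
}

Get-RestartHistory -Days 90 | Format-Table -AutoSize
```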

2016-03-02

Tool: How to expand Windows 2003 partition without server restart

I know that Windows 2003/XP is very old, no longer supported by MS, has many security holes and more blablabla, but these systems still exist and we need powerful tools for online expansion of partitions (particularly the system partition) like in Windows 2008/2012/10.

The good news is that such a command-prompt tool, ExtPart.exe, exists on the Dell support site: Dell Basic Disk Expansion.

Official MS KB for expansion with built-in tools, if you want to try the MS way before Dell's.

/Geecoholic

2016-03-01

PowerShell: How to get users list with password related information from AD

The following example demonstrates how to get a user list from Active Directory (AD) and export it to an Excel-friendly format that keeps non-ASCII characters, for later filtering:

Import-Module ActiveDirectory

# Maximum password age (in days) from the default domain password policy
$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

# Export all users with password-related attributes, sorted by name, as UTF-8 CSV
Get-ADUser -Filter * -Properties CannotChangePassword, PasswordNeverExpires, LastLogonDate, PasswordExpired, PasswordLastSet |
    Select-Object Name, SamAccountName, CannotChangePassword, PasswordNeverExpires, Enabled, LastLogonDate, PasswordExpired, PasswordLastSet, @{l="ExpiryDate"; e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} |
    Sort-Object -Property Name |
    Export-Csv users_export.csv -Encoding UTF8


/Geecoholic

2016-02-29

PowerShell: How to get Fibre Channel Adapter's WWN's

A World Wide Name (WWN) or World Wide Identifier (WWID) is a unique identifier used in storage technologies including Fibre Channel, Advanced Technology Attachment (ATA) or Serial Attached SCSI (SAS).

Get the WWN with PowerShell on Windows 2008 or later:

# Format each byte of the node WWN as two hex digits and join them with ":"
Get-WmiObject -class MSFC_FCAdapterHBAAttributes -namespace "root\WMI" | ForEach-Object {(($_.NodeWWN) | ForEach-Object {"{0:x2}" -f $_}) -join ":"}

/Geecoholic

2016-02-28

VBScript: How to get needed Windows updates count

Save the sample below to a file named NeededUpadatesCount.vbs:

Set updateSession = CreateObject("Microsoft.Update.Session")
updateSession.ClientApplicationID = "Geecoholic Script"

Set updateSearcher = updateSession.CreateUpdateSearcher()

WScript.Echo "Searching for updates..." & vbCRLF

Set searchResult = _
updateSearcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

WScript.Echo "Updates Count: " & searchResult.Updates.Count
WScript.Quit


You can run the sample by opening a Command Prompt window and typing the following command at the command prompt:

cscript NeededUpadatesCount.vbs

The script was made using an example from MS.

/Geecoholic

2016-02-27

Windows OS disk backup from cmd

How to make a backup of the Windows OS/system disk (C:) and related boot partitions using the Command Prompt:

WbAdmin start backup -backupTarget:W: -include:C: -allCritical -quiet

where W: is a removable USB or other disk. W: can be replaced with a network path such as \\server\backup

/Geecoholic

2016-02-26

PowerShell: Total all hdd space script

On local computer:

Get-WMIObject Win32_LogicalDisk | ForEach-Object {[math]::round($_.size / 1GB)}|Measure-Object -sum | select sum

On remote computer:

Get-WMIObject Win32_LogicalDisk -ComputerName RemoteComputerName | ForEach-Object {[math]::round($_.size / 1GB)}|Measure-Object -sum | select sum

/Geecoholic

2016-02-25

TF214025: No build service host was found

Description

We have 2 build servers (TFS 2015.1) that run using a domain account called DOMAIN\TFSBuildService. They ran for two months without issue. One day the build controllers stopped with the same error on each controller:

Exception Message: TF214025: No build service host was found with the URI vstfs:///Build/ServiceHost/16. Either the URI does not exist, or DOMAIN\TFSBuildService does not have permission to access it. (type BuildServiceHostNotFoundForUriException)

Solution

Add the build account to the Advanced group on the "Access Levels" tab in your TFS site http://yourTFSServer:8080/tfs/_admin/_licenses

/Geecoholic