2016-03-30

Tool: How to get IBM MPIO disk UID from cmd

Sometimes we have many different disks from different vendors connected to several servers, and to avoid that complexity we need a general identifier that identifies a disk the same way across all operating systems and applications.

How do you obtain the IBM MPIO disk UID on a Windows Server that has an IBM SAN disk attached?
Open a Command Prompt window in the IBM MPIO directory C:\Program Files\IBM\SDDDSM (make sure the IBM Subsystem Device Driver Device Specific Module (SDDDSM) is already installed) and type the following command at the command prompt:

datapath query device

In the cmd output, find the 32-digit number after the word SERIAL; that number is your UID.


/Geecoholic

2016-03-25

Windows 2008 R2: Multiple IPs on a single network interface and how to change the outgoing IP

I have a Windows 2008 R2 server with a single network interface and IP 10.10.10.17. The server runs multiple services such as SQL, SFTP, HTTP, HTTPS and a file server. Today I added an additional IP address, 10.10.10.10, and assigned it only to web services, but after some time I noticed that 10.10.10.10 was being used by other services as the outgoing IP. The ipconfig /all command shows 10.10.10.10 "above" 10.10.10.17:

Ethernet adapter INTRANET:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
   Physical Address. . . . . . . . . : 00-0C-EE-EE-EE-EE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 10.10.10.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 10.10.10.1
   DNS Servers . . . . . . . . . . . : 10.10.10.11 10.10.10.12
   NetBIOS over Tcpip. . . . . . . . : Enabled



It looks like Windows Server 2008 R2 uses the IP closest to the gateway for outgoing traffic.
The problem was solved using these cmd commands:

netsh interface ipv4 delete address "INTRANET" 10.10.10.10
netsh interface ipv4 add address "INTRANET" 10.10.10.10 255.255.255.224 skipassource=true


ipconfig /all after the fix:

   IPv4 Address. . . . . . . . . . . : 10.10.10.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   IPv4 Address. . . . . . . . . . . : 10.10.10.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224


/Geecoholic

2016-03-21

Windows 2012 R2 restarts after lsass.exe crash

Description

We have a Windows 2012 R2 server with the Active Directory role which, 1-2 times a day, restarts automatically after events 1000 and 1015 are recorded in the event log:

Log Name:      Application
Source:        Application Error
Date:          3/9/2016 4:37:41 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
Faulting application name: lsass.exe, version: 6.3.9600.17415, time stamp: 0x545042fe
Faulting module name: ntdsai.dll, version: 6.3.9600.18009, time stamp: 0x55c8e51c
Exception code: 0xc0000005
Fault offset: 0x0000000000219d67
Faulting process id: 0x%9
Faulting application start time: 0x%10
Faulting application path: %11
Faulting module path: %12
Report Id: %13
Faulting package full name: %14
Faulting package-relative application ID: %15


Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          3/9/2016 4:37:49 PM
Event ID:      1015
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005.  The machine must now be restarted.



Solution

The server has all updates installed up to 2/23/2016, and the official MS KB2914387 doesn't help, because the Ntdsai.dll file in the hotfix is older and the server already has a newer version of that DLL.

We found the source of the restarts: OOMADs.msi (Active Directory Management Pack Helper Object) had recently been installed to provide Active Directory monitoring for the SCOM agent. After uninstalling OOMADs.msi the problem was gone.

/Geecoholic

2016-03-17

Cmd: Am I a local administrator?

How to check whether the currently logged-in user has local administrator rights.

Open a Command Prompt window and type the following command at the command prompt:

whoami /groups | find /i "BUILTIN\Administrators"


If any string is returned, then yes, you are an Administrator!

/Geecoholic
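
An added example, not part of the original post: on a system with UAC, a non-elevated prompt of an administrator still lists BUILTIN\Administrators in whoami /groups (marked "Group used for deny only"), so the find one-liner also prints a line there. The function below separates membership from elevation using well-known SIDs; Get-AdminState and the sample rows are constructed for illustration.

```powershell
# Added example, not from the original post. Sample rows are constructed.
# Well-known SIDs are the same on every locale, unlike the group display name.
$AdminSid     = 'S-1-5-32-544'                   # BUILTIN\Administrators
$ElevatedSids = 'S-1-16-12288', 'S-1-16-16384'   # High / System mandatory level

function Get-AdminState {
    param([Parameter(Mandatory)][string[]]$CsvLines)  # from: whoami /groups /fo csv /nh
    $rows = $CsvLines | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    if (-not ($rows | Where-Object { $_.Sid -eq $AdminSid })) { return 'NotMember' }
    # Under UAC the filtered token carries the group as deny-only and runs at Medium integrity
    if ($rows | Where-Object { $ElevatedSids -contains $_.Sid }) { return 'Elevated' }
    return 'MemberNotElevated'
}

# Constructed sample: administrator account, prompt NOT started "as administrator"
$nonElevated = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)
# Constructed sample: same account, elevated prompt
$elevated = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"'
    '"Mandatory Label\High Mandatory Level","Label","S-1-16-12288",""'
)
# Constructed sample: standard user
$standardUser = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"'
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)

Get-AdminState $nonElevated
Get-AdminState $elevated
Get-AdminState $standardUser
# Live use on the machine being checked:
#   Get-AdminState (whoami /groups /fo csv /nh)
```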

2016-03-16

EventLog: DNS Client Stopped every 20 min, Event ID 7074

Description

I have a problem with two Windows Server 2012 R2 machines with a restricted network configuration. About every 20 minutes the DNS Client is stopped or started with event ID 7076 in the System event log. Here are examples of the events:

Log Name:      System
Source:        Service Control Manager
Date:          3/16/2016 5:43:55 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The DNS Client service entered the running state.

Log Name:      System
Source:        Service Control Manager
Date:          3/16/2016 5:43:55 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The DNS Client service entered the stopped state.

Log Name:      System
Source:        Service Control Manager
Date:          3/16/2016 5:23:55 AM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The DNS Client service entered the running state.


Solutions


  • Disable the DNS Client (dnscache) service
or
  • Unblock the firewall rule "Network Discovery (LLMNR-UDP-In)" in the active profile.


/Geecoholic

2016-03-07

Logoff all users from Windows RDS/Terminal Server using cmd

How do you log off all users on a server except the administrator? Save the sample below to a file named userslogoff.cmd in the c:\temp directory:

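rem Active RDP sessions only; lines containing "administrator" are left out
query session | find /i "tcp#" | find /v /i "administrator" > session.txt
rem Token 3 is the session ID; find has already dropped the header, so no line is skipped
for /f "tokens=3" %%i in (session.txt) do logoff %%i
del session.txt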


Run the sample by opening a Command Prompt window and typing the following commands at the command prompt:

cd\
cd temp
userslogoff.cmd


The logoff command does not prevent users from logging in again; use this command to disable new logons:

change logon /disable


Logons are re-enabled when you restart the system, or use this command to enable them:

change logon /enable


/Geecoholic

2016-03-04

Service: Free online antivirus scanner on many engines

There are many situations where you get a program via download, from a Skype buddy or as a strange email attachment, and you either don't have an antivirus or just don't trust the one currently on your PC.
What options do we have?

  1. Don't open/execute file ever
  2. Run suspicious file on free downloaded virtual machine and delete machine after use
  3. Or just scan online https://virusscan.jotti.org/

/Geecoholic

2016-03-03

EventLog: Who restarted/shut down the computer and when

Here are the System event IDs that show a computer restart/shutdown and when it started, across the whole Windows family (Windows 2003/XP, Windows Vista/7/2008, Windows 8/10/2012):

1074, 6005

Here is a typical example of Event ID 1074, generated after Windows updates are installed and the computer restarts automatically (shows time, user, type):

Log Name:      System
Source:        User32
Date:          2/28/2016 1:57:06 AM
Event ID:      1074
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      COMPUTERNAME.DOMAIN
Description:
The process C:\Windows\system32\svchost.exe (COMPUTERNAME) has initiated the restart of computer COMPUTERNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)
 Reason Code: 0x80020002
 Shutdown Type: restart


Here is a typical example of Event ID 6005, generated when the computer starts (shows time):

Log Name:      System
Source:        EventLog
Date:          2/28/2016 1:59:18 AM
Event ID:      6005
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      COMPUTERNAME.DOMAIN
Description:
The Event log service was started.


Estimated computer downtime can be calculated from the time difference between the Date fields in the two example logs:
1:57:06 AM minus 1:59:18 AM = 2 min 6 sec

Official MS information on event IDs 6005 and 1074.

/Geecoholic
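
An added example, not part of the original post: pairing each Event ID 1074 with the next Event ID 6005 to list who initiated each shutdown and how long the machine was down. It goes one step beyond the post by marking a start that has no preceding 1074 as not clean (nobody requested that shutdown). Get-RestartDowntime, the host name HOST1 and the sample events are constructed, and the user is extracted from the English message text shown above.

```powershell
# Added example, not from the original post; the sample events are constructed.
function Get-RestartDowntime {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with Id, TimeCreated, Message
    $pending = $null                                  # latest 1074 not yet matched to a start
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            1074 { $pending = $e }                    # shutdown/restart was requested
            6005 {                                    # Event log service started = boot
                [pscustomobject]@{
                    Started     = $e.TimeCreated
                    ShutdownAt  = if ($pending) { $pending.TimeCreated }
                    Downtime    = if ($pending) { $e.TimeCreated - $pending.TimeCreated }
                    Clean       = [bool]$pending      # False: no shutdown request was logged
                    InitiatedBy = if ($pending -and $pending.Message -match
                        'on behalf of user (.+?) for the following reason') { $Matches[1] }
                }
                $pending = $null
            }
        }
    }
}

# Constructed sample: one planned restart, then a start with no 1074 before it
$sample = @(
    [pscustomobject]@{
        Id = 1074; TimeCreated = [datetime]'2016-03-01T02:00:10'
        Message = 'The process C:\Windows\system32\svchost.exe (HOST1) has initiated the ' +
                  'restart of computer HOST1 on behalf of user NT AUTHORITY\SYSTEM for the ' +
                  'following reason: Operating System: Recovery (Planned)'
    }
    [pscustomobject]@{
        Id = 6005; TimeCreated = [datetime]'2016-03-01T02:03:40'
        Message = 'The Event log service was started.'
    }
    [pscustomobject]@{
        Id = 6005; TimeCreated = [datetime]'2016-03-05T14:20:00'
        Message = 'The Event log service was started.'
    }
)

Get-RestartDowntime $sample
# Live use against the local System log:
#   Get-RestartDowntime (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6005 })
```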

2016-03-02

Tool: How to expand Windows 2003 partition without server restart

I know that Windows 2003/XP is very old, no longer supported by MS, has many security holes and more blablabla, but it still exists and we need powerful tools for online expansion of partitions (particularly the system partition) like in Windows 2008/2012/10.

The good news is that such a command-prompt tool, ExtPart.exe, exists on the Dell support site: Dell Basic Disk Expansion.

Official MS KB for expansion with built-in tools, if you want to try the MS way before Dell.

/Geecoholic

2016-03-01

PowerShell: How to get users list with password related information from AD

The following example demonstrates how to get a user list from Active Directory (AD) and export it to an Excel-friendly format with non-ASCII characters for later filtering:

# Maximum password age (days) from the default domain policy; fine-grained policies are not considered
$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

Get-ADUser -Filter * -Properties CannotChangePassword,PasswordNeverExpires,LastLogonDate,PasswordExpired,PasswordLastSet |
    Select-Object Name, SamAccountName, CannotChangePassword, PasswordNeverExpires, Enabled, LastLogonDate, PasswordExpired, PasswordLastSet, @{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} |
    Sort-Object -Property Name | Export-Csv users_export.csv -Encoding UTF8 -NoTypeInformation  # no "#TYPE" header line in the file


/Geecoholic
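
An added example, not part of the original post: one way to do the "later filtering" on the exported columns, flagging enabled accounts whose password settings deserve a review. Find-PasswordRisk, the 90-day threshold and the sample rows are assumptions made for this illustration.

```powershell
# Added example, not from the original post. Rows are constructed; the threshold is an assumption.
function Find-PasswordRisk {
    param(
        [Parameter(Mandatory)][object[]]$Users,   # rows with the columns of users_export.csv
        [datetime]$Now = (Get-Date),
        [int]$StaleDays = 90
    )
    foreach ($u in $Users) {
        if ($u.Enabled -ne 'True') { continue }   # CSV fields come back as strings
        $reasons = @()
        if ($u.PasswordNeverExpires -eq 'True') { $reasons += 'PasswordNeverExpires' }
        if (-not $u.PasswordLastSet)            { $reasons += 'PasswordNeverSet' }
        if (-not $u.LastLogonDate)              { $reasons += 'NeverLoggedOn' }
        elseif (($Now - [datetime]$u.LastLogonDate).Days -gt $StaleDays) {
            $reasons += "NoLogonIn${StaleDays}Days"
        }
        if ($reasons) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Reasons        = $reasons -join ', '
            }
        }
    }
}

# Constructed sample in the shape of the export (subset of its columns)
$rows = @'
"Name","SamAccountName","PasswordNeverExpires","Enabled","LastLogonDate","PasswordLastSet"
"Svc Backup","svc_backup","True","True","2016-02-28 03:00:00","2012-05-01 10:00:00"
"John Smith","jsmith","False","True","2015-10-01 09:00:00","2015-09-20 08:00:00"
"Anna Doe","adoe","False","True","2016-02-25 08:15:00","2016-01-10 12:00:00"
"Old User","olduser","True","False","2014-01-01 00:00:00","2013-01-01 00:00:00"
"New Hire","newhire","False","True","",""
'@ | ConvertFrom-Csv

Find-PasswordRisk -Users $rows -Now ([datetime]'2016-03-01')
# Live use on the exported file:
#   Find-PasswordRisk (Import-Csv users_export.csv)
# The [datetime] cast parses invariant (US-style) dates; an export made under another
# culture needs its date columns parsed with that culture instead.
```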