Delegating Access to the Event Logs

Windows Server 2003 allows you to customize the permissions on each event log on a computer. This was not possible in previous versions of Windows and is very useful when a web application that runs under a low-privilege account needs to read or write a log.
More information is available in the following article: 323076 - How to set event log security locally or by using Group Policy in Windows Server 2003

The access control list (ACL) of each log is stored as a Security Descriptor Definition Language (SDDL) string in a REG_SZ value called "CustomSD" under the log's key in the registry (HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\<log name>, e.g. Application). The rights that matter in an event log ACE are 0x1 (read), 0x2 (write) and 0x4 (clear): grant an application account only the bits it actually needs, since write lets it forge entries and clear lets it wipe the log.
For more information on SDDL, see "Security Descriptor Definition Language" on MSDN Online at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/Security/security_descriptor_definition_language.asp.
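As an added example (not code from the original page or from the KB article), here is a small Python script that decodes the ACEs in a CustomSD string and appends a read-only ACE for one account. The SID S-1-5-21-1-2-3-1001 and the starting descriptor are constructed for the demonstration (the descriptor is modelled on the default Application-log descriptor); the rights bits and the reg.exe syntax are the real ones.

```python
"""Added example: decode the event log "CustomSD" SDDL string and append an
ACE that delegates read access to one account.

Assumptions (not from the original page): the SID and the starting descriptor
below are constructed for the demonstration; the rights bits (0x1 read,
0x2 write, 0x4 clear) are those used for event log ACLs.
"""
import re

ELF_READ, ELF_WRITE, ELF_CLEAR = 0x1, 0x2, 0x4
RIGHT_NAMES = {ELF_READ: "read", ELF_WRITE: "write", ELF_CLEAR: "clear"}

# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+|[A-Z]{2}")

# Constructed sample, modelled on the default Application log descriptor
SAMPLE_CUSTOM_SD = (
    "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
    "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
)


def rights_mask(token):
    """Rights in SDDL may be hex ("0x7") or decimal; return them as an int."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def decode_custom_sd(sddl):
    """Return [(allow|deny, sid, [right names])] for every ACE in the DACL."""
    m = DACL_RE.search(sddl)
    if m is None:
        raise ValueError("no DACL in descriptor")
    entries = []
    for ace_type, _flags, rights, _g1, _g2, sid in ACE_RE.findall(m.group(1)):
        mask = rights_mask(rights)
        names = [name for bit, name in RIGHT_NAMES.items() if mask & bit]
        entries.append(("allow" if ace_type == "A" else "deny", sid, names))
    return entries


def grant(sddl, sid, rights):
    """Append an allow ACE for sid, keeping every existing ACE intact.

    Appending (rather than rewriting the DACL) keeps the default entries, so
    the log stays readable by the built-in groups. Only the three event log
    rights are accepted; refusing anything else avoids accidentally granting
    a generic mask such as 0xf0007 to an application account.
    """
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a SID or two-letter SDDL alias: %r" % sid)
    if rights == 0 or rights & ~(ELF_READ | ELF_WRITE | ELF_CLEAR):
        raise ValueError("rights must be a combination of 0x1, 0x2, 0x4")
    ace = "(A;;0x%x;;;%s)" % (rights, sid)
    return sddl if ace in sddl else sddl + ace


def reg_add_command(log_name, sddl):
    """The reg.exe command line that stores the descriptor for a log."""
    key = r"HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\%s" % log_name
    return 'reg add "%s" /v CustomSD /t REG_SZ /d "%s" /f' % (key, sddl)


if __name__ == "__main__":
    # Hypothetical SID of the application pool identity
    new_sd = grant(SAMPLE_CUSTOM_SD, "S-1-5-21-1-2-3-1001", ELF_READ)
    for kind, sid, names in decode_custom_sd(new_sd):
        print("%-5s %-22s %s" % (kind, sid, ",".join(names)))
    print(reg_add_command("Application", new_sd))
```

Read the current value out of the registry first and feed it to grant(), so that the default ACEs are preserved rather than replaced by a hand-written descriptor.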

I also really suggest this other article about Development Impacts of Security Changes in Windows Server 2003.



GSM-Link: a .NET class library for sending and receiving SMS

I'm implementing SMS notification in my monitoring project Healthmonitor and I found a really nice class library for .NET; it is called GSM-Link, it's really powerful and is distributed under the LGPL license.
Unfortunately it seems that the project has been discontinued and the project admin is no longer reachable.

IIS: How to figure out which site is consuming memory/CPU

On a Windows Server with many sites running on it all in their own process, I can see in task manager all the processes running with the various amounts of ram being used for each but I can't easily associate PID with Application Pool; how can I figure out which site is consuming memory/CPU ?

Internet Information Services 5.0
Each site that is set to run out of process (High/Isolated application protection) spins up its own instance of dllhost.exe; the trick to find out which dllhost.exe belongs to which site is to use Component Services. Open Component Services from Administrative Tools, drill down to Computers -> My Computer and select COM+ Applications. Now select View from the top menu and select Status. Beside each site that currently has a dllhost.exe process running is its Process ID (PID). In Task Manager, add the PID column (View -> Select Columns) and you can read the memory and CPU of that process.

Internet Information Services 6.0
Every application pool runs in its own w3wp.exe worker process; iisapp.vbs is a script already placed in %systemroot%\system32 on Windows Server 2003 that reports the process identifiers (PIDs) of the w3wp.exe processes currently serving each application pool, as in the following example:
W3WP.exe PID: 2232 AppPoolID: DefaultAppPool
W3WP.exe PID: 2608 AppPoolID: MyAppPool

All the script parameters and other useful information about it are documented here
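As an added example (not from the original page nor from iisapp.vbs), the following Python script joins the output of iisapp.vbs with that of "tasklist /fo csv" and sums the memory used per application pool, which is what you actually want when one pool hosts several worker processes. The two outputs embedded in it are constructed samples in the format of those tools (English-locale tasklist); the PIDs, pool names and sizes are invented.

```python
"""Added example: rank IIS 6.0 application pools by memory by joining the
PID -> pool mapping from iisapp.vbs with the process list from tasklist.

The two captures below are constructed samples in the format of the real
tools (not taken from the original page); every PID, name and size is made up.
"""
import csv
import io
import re

IISAPP_OUTPUT = """\
W3WP.exe PID: 2232 AppPoolID: DefaultAppPool
W3WP.exe PID: 2608 AppPoolID: MyAppPool
W3WP.exe PID: 3120 AppPoolID: MyAppPool
"""

TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","220 K"
"w3wp.exe","2232","Console","0","45,120 K"
"w3wp.exe","2608","Console","0","180,404 K"
"w3wp.exe","3120","Console","0","92,008 K"
"inetinfo.exe","1544","Console","0","12,300 K"
"""

IISAPP_RE = re.compile(r"PID:\s*(\d+)\s+AppPoolID:\s*(\S+)")


def parse_iisapp(text):
    """PID -> application pool name from iisapp.vbs output."""
    return {int(pid): pool for pid, pool in IISAPP_RE.findall(text)}


def parse_tasklist(text):
    """PID -> (image name, memory in KB) from 'tasklist /fo csv' output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        # "45,120 K" -> 45120 (English-locale formatting assumed)
        mem = int(row["Mem Usage"].replace(",", "").replace(" K", ""))
        procs[int(row["PID"])] = (row["Image Name"], mem)
    return procs


def memory_by_pool(iisapp_text, tasklist_text):
    """Total memory per application pool, largest first.

    A pool can own several w3wp.exe workers (a web garden, or the overlap
    during recycling), so sizes are summed per pool rather than read per PID.
    A w3wp.exe that iisapp.vbs did not list is reported as "<unknown>" so an
    unexpected worker process is not silently dropped from the picture.
    """
    pools = parse_iisapp(iisapp_text)
    totals = {}
    for pid, (image, mem) in parse_tasklist(tasklist_text).items():
        if image.lower() != "w3wp.exe":
            continue
        pool = pools.get(pid, "<unknown>")
        totals[pool] = totals.get(pool, 0) + mem
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for pool, kb in memory_by_pool(IISAPP_OUTPUT, TASKLIST_CSV):
        print("%-20s %10d KB" % (pool, kb))
```

On a real server replace the two constants with the captured output of "cscript iisapp.vbs" and "tasklist /fo csv" taken at the same moment, since PIDs change on every recycle.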

MS SQL: Locking

Locking is the mechanism that ensures transactional integrity and database consistency: it prevents users from reading data that is being changed by other users, and prevents multiple users from changing the same data at the same time.

If two users modify semantically unrelated but physically near data in two separate tables in opposite order, each transaction ends up holding a lock (on a row or a page) that the other one needs, so neither can proceed. This is called a deadlock (more details here); SQL Server's lock monitor detects it and rolls back one of the two transactions as the deadlock victim (error 1205), so only the victim needs to be retried. A plain block, like the one produced below, is different: it lasts until the blocking transaction commits or rolls back, or until you KILL its SPID.

Let's generate a block using the pubs sample database. Run script 1 in one query window and leave its transaction open, then run script 2 in a second window:

-- Script 1 (first connection)
PRINT 'Script 1''s SPID = ' + CAST(@@SPID AS varchar)
USE pubs
GO
PRINT 'Begin a transaction and create a block'
BEGIN TRAN
DELETE FROM authors WHERE au_id = '341-22-1782'
-- no COMMIT or ROLLBACK here: the exclusive lock on the deleted row stays held
GO

-- Script 2 (second connection)
PRINT 'Script 2''s SPID = ' + CAST(@@SPID AS varchar)
USE pubs
GO
SELECT * FROM authors
GO

You won't see the result of this query because it is blocked by the open transaction of script 1; if you run, from a third connection,

sp_lock

you will see status = WAIT for the SPID of script 2 (its shared lock request is waiting on the exclusive row lock held by script 1). Run ROLLBACK TRAN in the first window to release the lock and let script 2 complete.

Microsoft SQL Server provides a NOLOCK table hint (SELECT * FROM authors WITH (NOLOCK)) that lets a query ignore locks and read directly from the table; the price is a dirty read: in the example above it would return the table without the row script 1 is deleting, even though that DELETE may still be rolled back.

The LOCK_TIMEOUT setting allows an application to set the maximum time a statement waits on a blocked resource. When a statement has waited longer than the LOCK_TIMEOUT setting (SET LOCK_TIMEOUT <milliseconds>), the blocked statement is cancelled automatically and error 1222, "Lock request time-out period exceeded", is returned to the application, which should handle it (typically by retrying or reporting the block) rather than assuming the statement ran.

To determine the current LOCK_TIMEOUT setting, query the @@LOCK_TIMEOUT function, for example:

select @@lock_timeout

A value of -1 (default) indicates no time-out period (that is, wait forever).

Windows XP: Making USB Devices Read-Only

During virus-cleaning activities you need some useful tools kept on a USB drive (such as a pen drive), but the drive could be infected by the virus, and you cannot download the tools from the Internet because of the virus activity.

Windows XP SP2 includes the ability to let users read data from USB storage devices but not write to them. It's a simple registry change, to be made on the infected machine; it applies to every USB mass-storage device on that machine, not to one particular drive, so unplug and reinsert a drive that is already connected for the policy to apply:
create a whole new key: HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
create a REG_DWORD value in it called WriteProtect with value 1

TechNet Virtual Lab

Ever wanted to test Microsoft's newest software in a sandbox environment? Wouldn't it be great to be able to test new servers immediately, without formatting hard drives or dedicating one or more computers to the project? Now you can, with the TechNet Virtual Lab.

The following labs are available: Exchange, ISA, MOM, SMS.

Group Policy Management Console

Microsoft provided a lot of policy settings for Windows 2000, and the list just grew longer with Windows XP/2003; now Microsoft has delivered the Group Policy Management Console (GPMC) as an add-on for Windows Server 2003, which you can download from here.
The good news is that it can also be used to manage Windows 2000-based domains (though it cannot be installed on a Windows 2000 machine); the bad news is that there is some learning curve in using it, so you may want to invest 20 minutes in the free online training.

I found these useful links:




Security: Running restricted

In many security best-practice manuals I read the suggestion to manage servers with a limited user account and to avoid using the browser with administrative rights; in practice you are often not in this situation, so I was wondering whether there are any tips to get more security...
This article explains how you can protect your computer when you browse "non-trusted sites" with administrative privileges: Running restricted -- What does the "protect my computer" option mean?
I really suggest Aaron's blog because there is a lot of information about running with a limited user account; the principles of least privilege are described here.


Windows XP: Java Virtual Machine

To check which version of the Microsoft Java Virtual Machine is installed, run "jview" from a command prompt; if it is installed you will see something like "Microsoft (R) Command-line Loader for Java Version 5.00.3810", where the last four digits are the build number.

To download the Microsoft Java Virtual Machine see here: Build 3805 (required), Build 3810 (update for 3805)
To download the latest version of the Sun Microsystems Java Runtime click here

To uninstall the Microsoft Java Virtual Machine, run the following command:
RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
After the machine restarts, delete the following items:
the %systemroot%\java folder
java.pnf from the %systemroot%\inf folder
jview.exe and wjview.exe from the %systemroot%\system32 folder
the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM registry subkey
the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM registry subkey (to remove the Microsoft Internet Explorer (IE) options)

VBScript: Monitor HTTP response time

I needed to check whether my Nagios monitoring system was working properly because I got a lot of error messages about web site response times, so I decided to log the same measurement taken with another monitoring tool; what is quicker than VBScript?

The following script and many other are also available on my web site http://www.vittorio.tk

Option Explicit
On Error Resume Next   ' needed so that a failed send sets Err instead of aborting the script

CheckHost "http://www.vittorio.tk"

Sub CheckHost(host)
    Dim startdate, t1, t2, Result
    Dim objXmlHttp
    Dim lResolve, lConnect, lSend, lReceive
    Set objXmlHttp = CreateObject("Msxml2.ServerXMLHTTP")
    ' timeouts in milliseconds: DNS resolution, connect, send, receive
    lResolve = 1 * 1000
    lConnect = 5 * 1000
    lSend = 10 * 1000
    lReceive = 10 * 1000
    objXmlHttp.setTimeouts lResolve, lConnect, lSend, lReceive
    startdate = Now
    t1 = Timer
    Err.Clear
    objXmlHttp.open "GET", host, False
    objXmlHttp.send
    ' a timeout or connection failure leaves Err.Number <> 0; any status other than 200 is also an error
    If Err.Number = 0 And objXmlHttp.status = 200 Then
        Result = "OK"
        'objXmlHttp.responseText holds the page body if you need to inspect it
    Else
        Result = "Error"
    End If
    Err.Clear
    t2 = Timer
    Set objXmlHttp = Nothing
    WScript.Echo "Host: " & host & vbCrLf & "StartTime: " & startdate & vbCrLf & "Result: " & Result & vbCrLf & "Response Time: " & TimeDiff(t2, t1) & " msec"
End Sub

' Difference between two Timer values in milliseconds; Timer restarts at midnight,
' so when the end value is smaller than the start value add one day (86400 seconds).
Function TimeDiff(iEnd, iStart)
    Dim iReturn
    iReturn = iEnd - iStart
    If iReturn < 0 Then iReturn = iReturn + 86400
    TimeDiff = Int(1000 * iReturn)
End Function


Longhorn Sidebar

I just tried Desktop Sidebar, a free add-on for Windows 2000/XP that adds a sidebar similar to Longhorn's.




A less customizable sidebar is available here: http://www.windowsx.org/enhance/myvs/sidebar.html; it works like an Active Desktop web page.

I also tried

VBScript: Encrypt/Decrypt files

CAPICOM is a Microsoft COM component (capicom.dll) that gives easy access to CryptoAPI from VBScript; the CAPICOM package in the Microsoft Platform SDK contains a sample script (cencrypt.vbs) that encrypts a text file with a passphrase (other useful scripts, such as hashing scripts, are also included).

To encrypt a non-text file (e.g. an Access database) you should first encode it to Base64 text and then run cencrypt.vbs on the encoded file; a sample converter is available at http://www.fourmilab.ch/webtools/base64.

Let's see an example:
base64 /e database.mdb dbencoded.txt
cscript cencrypt.vbs encrypt -alg AES -length MAX dbencoded.txt dbencrypted.txt mypassphrase

Two things to keep in mind: the passphrase passed on the command line is visible to anyone who can list the running processes or read the command history, and the Base64 text file is still the plaintext, so delete it once the encrypted copy has been verified.

To use these scripts, ensure that WSH (Windows Script Host) is installed and capicom.dll is registered.

Powered by GMail with 1GB Mailbox




Yesterday I activated my GMail account; the service is still in beta version but the features are really interesting !!


  • 1GB (~1000MB) mailbox size

  • Free service: you don't have to pay anything

  • No pop-up ads: you see only relevant text ads

  • Use Google search to find the exact message

  • Each message is grouped with all its replies and displayed as a conversation

  • HTTP access only (no POP3 or IMAP protocols)


I also use Freepops to download e-mail using POP3 protocol !

RRD (a system to store and display data)

RRDtool is a tool for logging and graphing time-series data, similar to MRTG; see the homepage for details.


I don't think the manual contains very simple examples, but I was able to make it run on Windows; after downloading the zip archive you only need rrdtool.exe. Basically you create the structure, feed it periodically with data and generate the graph.

Create the structure (one data source called "value", 900-second heartbeat, three averaged archives):
rrdtool create datafile.rrd DS:value:ABSOLUTE:900:0:10000000 RRA:AVERAGE:0.5:1:9600 RRA:AVERAGE:0.5:4:9600 RRA:AVERAGE:0.5:24:6000

Update (N means "now"):
rrdtool update datafile.rrd N:20

Graph (the LINE1 element must refer to the virtual name defined by DEF, here val, not to the data-source name):
rrdtool graph graph.png DEF:val=datafile.rrd:value:AVERAGE LINE1:val#ff0000:Value


Below is a simple VBScript with three switches (create, update, graph):

Option Explicit
Dim rrdpath, dbpath, imgpath, WshShell, oArgs, Action, parameters
Dim Processors, Proc1, total, count

rrdpath = "rrdtool.exe"
dbpath = "test.rrd"
imgpath = "image.png"
Set WshShell = CreateObject("WScript.Shell")
Set oArgs = WScript.Arguments
If oArgs.Count = 0 Then
    WScript.Echo "usage: cscript rrd.vbs create|update|graph"
    WScript.Quit 1
End If
Action = LCase(oArgs(0))
Select Case Action
Case "create"
    ' one GAUGE data source "cpu" (0-100 %), 300-second heartbeat, five averaging archives
    ' (arguments are space separated: commas would be passed to rrdtool as part of the RRA spec)
    parameters = "DS:cpu:GAUGE:300:0:100 RRA:AVERAGE:0.5:1:100 RRA:AVERAGE:0.5:1:576 RRA:AVERAGE:0.5:6:672 RRA:AVERAGE:0.5:24:732 RRA:AVERAGE:0.5:144:1460"
    WshShell.Run rrdpath & " create " & dbpath & " " & parameters, 0, True
Case "update"
    ' average the load over all processors instead of keeping only the last one
    Set Processors = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
    total = 0: count = 0
    For Each Proc1 In Processors
        total = total + Proc1.LoadPercentage
        count = count + 1
    Next
    If count = 0 Then WScript.Quit 1
    parameters = "N:" & Int(total / count)
    WshShell.Run rrdpath & " update " & dbpath & " " & parameters, 0, True
Case "graph"
    parameters = "DEF:cpu=" & dbpath & ":cpu:AVERAGE LINE1:cpu#ff0000:cpu"
    WshShell.Run rrdpath & " graph " & imgpath & " " & parameters, 0, True
Case Else
    WScript.Echo "unknown action: " & Action
End Select

URLScan on IIS 6.0

Since I started using Windows 2003, I was wondering whether I need to run URLScan with IIS 6.0....

Basically the answer is "probably not"; of course that's not very satisfying, so I suggest reading the Microsoft documentation about it, which compares URLScan features with the built-in features of IIS 6.0.




Generate Windows Memory Dump

Microsoft Windows 2000 includes a feature that lets you force the system to stop responding and generate a Memory.dmp file (if it is configured to write one). The "Stop" screen it generates contains the following parameters:

*** STOP: 0x000000E2 (0x00000000,0x00000000,0x00000000,0x00000000)
The end-user manually generated the crashdump.

This feature is disabled by default. To enable it, you must edit the registry as indicated below and restart the computer. After restarting, you can make the system stop responding by holding down the right CTRL key and pressing the SCROLL LOCK key twice. The left CTRL key does not trigger the crash. Note that the value lives under the i8042prt (PS/2 keyboard) driver, so it has no effect with a USB keyboard, and that once it is set anyone with physical access to the keyboard can take the machine down.

Add the following registry value:

HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
Value Name: CrashOnCtrlScroll
Data Type: REG_DWORD
Value: 1

There are three types of memory dumps that can be generated (small, kernel and complete); see Q254649.

XP SP2: TCP/IP has reached the security limit

Windows XP Service Pack 2 limits the number of simultaneous incomplete (half-open) outbound TCP connection attempts to 10; once the limit has been reached, subsequent connection attempts are put in a queue. This limits the speed at which malicious programs such as viruses and worms spread to uninfected computers, but it also makes certain security tools, such as port scanners, run more slowly, and some P2P applications may fall foul of it too.

Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting occurs. When it does occur, an event ID 4226 (source Tcpip) appears in the System event log, so a burst of these events from a workstation is itself a useful sign of scanning or worm activity; more details can be found here.

The "TcpNumConnections" registry entry (MS KB 314053) doesn't seem to affect the limit on half-open connections.

There is also a hacked DLL on http://www.lvllord.de that works around this limit, though I haven't tried it. Replacing a system file with a third-party patched binary is, of course, a risk in itself.

IIS: Customize Directory Browsing Page

A customer asked me whether it is possible to customize the directory browsing page (if there is no default document for a web site, directory, or virtual directory, IIS displays a list of the files and folders to the user). After searching a lot on the MS site, I understand that the built-in one cannot be customized, but you can write a simple ASP page using FSO (FileSystemObject) that works like directory browsing without having to enable directory-browsing access. If such a page takes the folder to list from the query string, check that the resolved path stays inside the site's root, or the page becomes a listing of the whole disk.

A sample is available here: 224364 - Creating a Directory Browsing Page Using ASP

Scheduled Task Tips

Below are some tips for Task Scheduler.

To troubleshoot errors you can view the log: go to Start, Programs, Accessories, System Tools, Scheduled Tasks, then Advanced, View Log. You'll find a lengthy text file (SchedLgU.txt) that details every recent action of the Task Scheduler: the times and dates the tasks were run, and whether Task Scheduler was able to complete them.

If you want to be notified every time a task doesn't run, go to Start, Programs, Accessories, System Tools, Scheduled Tasks, then Advanced, and select Notify Me of Missed Tasks; Windows will display a pop-up with an option to run the missed task.

To manage scheduled tasks from a command line you can use schtasks.exe; this command is available on Windows 2003 and XP; if you want to use it on Windows 2000 follow the instructions here.

You can use Explorer to copy tasks: browse to %systemroot%\Tasks and drag and drop the task to the same folder on another mapped machine. Alternatively you can copy the jobs with the copy command at a command prompt: the jobs have the suffix .job and live in the %systemroot%\Tasks directory. The account password is not stored in the .job file, so a copied task needs its credentials re-entered on the destination machine before it will run.

If you need double quotes in the command (e.g. "C:\Program Files\..."), the command-line options must be placed OUTSIDE the "" that surround the path.