Great WMI CLI article.

March 10, 2010 at 10:49 am (TechTips, windows)

I used this great article as a reference when trying to find out how to kill a process on a remote Windows machine using the WMI CLI.

http://isc.sans.org/diary.html?storyid=2376


Creating VSS snapshots on Windows 2003 Server.

January 15, 2009 at 4:36 pm (windows)

At work, I was recently chosen to be the administrator for a new SAN system that we are purchasing. I intend to do a full article at some point about this product once it is installed. For now, I will just tell you that it runs on CentOS and is called FalconStor. Anyhow, while I was in initial technical training on this system we began a discussion about how to correctly back up Windows systems, especially servers. The major issue with backing up MS OSes is how to quiesce all applications running on the system. What I mean by this is making the system write all data that is in flight to the disk and then freezing it.

Microsoft has created an interesting mechanism to make this task more manageable. It is called the Volume Shadow Service (VSS). I suggest reading these two documents first to get an introduction to what the service is and how it works:

Essentially, when you create a snapshot using VSS, the following highly summarized steps occur:

  1. VSS sends a signal to all apps that have been registered as Writers. Writers are applications that write data to disk in such a way that there might be in-flight data. Each of these writers has a different method of quiescing its data. For instance, the file system will flush all of its buffers to disk. Another example of a writer is MS SQL Server.
  2. Each writer signals back to the VSS manager once its data is in a quiesced state.
  3. Once all writers have checked in, a Copy on Write snapshot is created. This snapshot is essentially a frozen image of the data. This COW snapshot is only updated with differential data.
  4. The VSS manager will wait until it knows that the COW snapshot has successfully been created.
  5. Finally, the VSS manager will notify all writers that they can now un-quiesce their data. Essentially, this thaws out the data and lets whatever was being buffered be written to disk.
  6. All operations have now been completed and a COW based snapshot now exists.

All applications written for the Microsoft platform are supposed to use the VSS sub-system for quiescing their data. Therefore, the only way to quiesce data on a MS OS is to use VSS. The reader who has been paying attention will notice something at this point in relation to Microsoft backup software. Many software companies that sell backup tools for the Microsoft platform also sell little applications called ‘Agents’, such as ‘Agent for Open Files’. It should now be clear that the only way these applications could be working is by creating a VSS snapshot and then backing up from that. Therefore, it would appear that you really don’t need these agents. One could simply write some scripts, launched using the pre and post script hooks of your backup software, that handle this task. The scripts would simply create the snapshots when needed and delete them when the backup is done.

How would one access the snapshot though? How do you actually get at that volume? The VSS snapshot is not normally exposed as a drive. However, you can install the tool vshadow.exe from the VSS SDK pack. More information about this SDK can be found here. This tool will allow you to create snapshots and manage them in a variety of ways. One of the more useful functions of this tool is that it will allow you to expose a VSS snapshot as either a drive letter or a mount point. This is excellent for scripting, because now you can create a persistent VSS snapshot, mount it as a drive and copy things off of it…like perhaps a backup.

Let’s do a few examples of this process. Before you can try this out, you must install the VSS SDK as discussed above.

Now run:

vshadow.exe -p c:

This will create a persistent VSS snapshot of the C drive. There are two types of VSS snapshots: 1) persistent and 2) temporary. The default type is temporary. Windows XP is only capable of making temporary snapshots. This means that an application can request that a snapshot be created. Once it is created, the VSS system notifies the application of the Global Root ID of the snapshot volume. The application then accesses that volume and processes it however it wants to. Once the application is done processing the data, it notifies the VSS system that it is done. The VSS system then stops holding the snapshot open and it is destroyed. In Windows 2003 the concept of a persistent snapshot was introduced. This is where a snapshot can be requested and it will remain in existence, even when there is no application still attached to it. We want a persistent snapshot, so we provide the -p argument.

You will now see some output that looks similar to this:

VSHADOW.EXE 2.2 - Volume Shadow Copy sample client
Copyright (C) 2005 Microsoft Corporation. All rights reserved.

(Option: Persistent shadow copy)
(Option: Create shadow copy set)
– Setting the VSS context to: 0x00000009
(Gathering writer metadata…)
(Waiting for the asynchronous operation to finish…)
Initialize writer metadata …
Discover directly excluded components …
– Excluding writer ‘MSDEWriter’ since it has no selected components for restore.

Discover components that reside outside the shadow set …
Discover all excluded components …
Discover excluded writers …
Discover explicitly included components …
Verifying explicitly specified writers/components …
Select explicitly included components …
* Writer ‘System Writer’:
– Add component \System Files
* Writer ‘Event Log Writer’:
– Add component \Event Logs
* Writer ‘Registry Writer’:
– Add component \Registry
* Writer ‘COM+ REGDB Writer’:
– Add component \COM+ REGDB
* Writer ‘WMI Writer’:
– Add component \WMI
Creating shadow set {97147285-295c-4112-ac7b-365a667c62e8} …
– Adding volume \\?\Volume{4910a320-7ecf-11db-8356-806e6f6e6963}\ [C:\] to the shadow set…
Preparing for backup …
(Waiting for the asynchronous operation to finish…)
(Waiting for the asynchronous operation to finish…)
Creating the shadow (DoSnapshotSet) …
(Waiting for the asynchronous operation to finish…)
(Waiting for the asynchronous operation to finish…)
Shadow copy set succesfully created.

List of created shadow copies:

Querying all shadow copies with the SnapshotSetID {97147285-295c-4112-ac7b-365a667c62e8} …

* SNAPSHOT ID = {647617de-d55b-45c5-a087-74f0143cbffa} …
– Shadow copy Set: {97147285-295c-4112-ac7b-365a667c62e8}
– Original count of shadow copies = 1
– Original Volume name: \\?\Volume{4910a320-7ecf-11db-8356-806e6f6e6963}\ [C:\]
– Creation Time: 1/14/2009 1:52:16 PM
– Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
– Originating machine: mymachine.mydomain.com
– Service machine: mymachine.mydomain.com
– Not Exposed
– Provider id: {b5946137-7b9f-4925-af80-51abd60b20d5}
– Attributes: No_Auto_Release Persistent Differential

– Mark all writers as succesfully backed up…
Completing the backup (BackupComplete) …
(Waiting for the asynchronous operation to finish…)
(Waiting for the asynchronous operation to finish…)

Snapshot creation done.

The important line to pay attention to here is the one labelled SNAPSHOT ID. This is the ID of the snapshot that was just created. You will need it to expose this volume as a drive letter or a mount point.

You can verify that the snapshot has been created by running this command:
vshadow.exe -q

At this point you are ready to expose the snapshot as either a drive letter or a mount point.
vshadow.exe -el={18b93c57-ca61-467d-abc4-d4fa19559ded},m:\mypoint

This will expose the snapshot with the ID string that is in the braces on the mount point M:\mypoint. This command can also be used to mount it on a drive letter that is currently not in use. To do this, just put the drive letter of choice and a colon as the second argument:
vshadow.exe -el={18b93c57-ca61-467d-abc4-d4fa19559ded},X:

Next, you might wonder how you can un-expose a snapshot volume from a drive letter or mount point. I have not been able to find a way to do this while keeping the snapshot intact. The only way that I have found to do this is to delete the snapshot itself. If you can figure out a way to keep the snapshot while un-exposing it, please post the solution as a comment to this article.

This command will delete that snapshot volume and remove the drive letter or mount point:
vshadow.exe -ds={18b93c57-ca61-467d-abc4-d4fa19559ded}
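The pre/post backup script the article suggests, as an added example in Python that is not part of the original post: it assumes vshadow.exe is on the PATH, uses only the -p, -q, -el and -ds options shown above, and pulls the SNAPSHOT ID out of the tool's output. The sample output embedded in it is a constructed excerpt, shaped like the listing above, used only to self-test the parser.

```python
import os
import re
import shutil
import subprocess

# Matches the "* SNAPSHOT ID = {...}" line vshadow.exe prints after creating a snapshot.
SNAPSHOT_ID_RE = re.compile(r"SNAPSHOT ID = (\{[0-9a-fA-F-]{36}\})")

# Constructed excerpt shaped like the vshadow -p listing above; used only for self-testing.
SAMPLE_OUTPUT = r"""Shadow copy set succesfully created.
List of created shadow copies:
* SNAPSHOT ID = {647617de-d55b-45c5-a087-74f0143cbffa} ...
   - Shadow copy Set: {97147285-295c-4112-ac7b-365a667c62e8}
   - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
"""

def parse_snapshot_ids(vshadow_output: str) -> list:
    """Return every snapshot ID (braces included) found in vshadow.exe output, in order."""
    return SNAPSHOT_ID_RE.findall(vshadow_output)

def vshadow(*args: str) -> str:
    """Run vshadow.exe (assumed to be on the PATH) and return its stdout; raise if it fails."""
    proc = subprocess.run(["vshadow.exe", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"vshadow {' '.join(args)} failed:\n{proc.stdout}{proc.stderr}")
    return proc.stdout

def backup_from_snapshot(volume: str, expose_at: str, subdir: str, dest: str) -> str:
    """Pre- and post-backup steps in one call: create a persistent snapshot of `volume`
    (e.g. 'c:'), expose it at `expose_at` (an unused drive letter such as 'X:' or an empty
    directory such as 'm:\\mypoint'), copy `subdir` out of the frozen image into `dest`,
    then delete the snapshot, which also drops the drive letter or mount point."""
    ids = parse_snapshot_ids(vshadow("-p", volume))
    if len(ids) != 1:
        raise RuntimeError(f"expected exactly one new snapshot ID, got {ids}")
    snap_id = ids[0]
    if snap_id not in vshadow("-q"):  # same verification step as the article's vshadow -q
        raise RuntimeError(f"snapshot {snap_id} not listed by vshadow -q")
    try:
        vshadow(f"-el={snap_id},{expose_at}")
        src = os.path.join(expose_at.rstrip("\\") + "\\", subdir)  # 'X:' alone is drive-relative
        shutil.copytree(src, dest, dirs_exist_ok=True)
    finally:
        vshadow(f"-ds={snap_id}")  # always clean up; persistent snapshots consume shadow storage
    return snap_id

if __name__ == "__main__":
    # On a Windows 2003 host with the VSS SDK installed, for example:
    # backup_from_snapshot("c:", "X:", "Data", r"D:\backups\Data")
    print(parse_snapshot_ids(SAMPLE_OUTPUT))
```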

That should be enough information to get you started with VSS snapshots. This information should help the skilled SysAdmin take better control of backing up the Windows Server 2003 servers he is tasked to work with. There are many other features of VSS that seem like they would be interesting to explore, such as transportable snapshots. I hope to look more into it in the future.


Do neat tricks with WMI from the DOS prompt.

August 28, 2008 at 9:40 am (windows)

In my System Administrator role, I am always looking for ways to make my job easier. Often I can make my job easier by finding ways to be more efficient. One of the best ways to become more efficient is by writing scripts to automate tasks for you… scripts can be like little robots that do work for you. However, sometimes the task you are trying to do doesn’t need a whole script because it’s something small. This is where WMI can be really helpful.

We all know that Windows is very high maintenance. Many tasks related to servicing users’ workstations often require making a remote desktop connection or physically walking over to their desk. However, much of this tedious work can be done right from your workstation, more efficiently, by using WMI.

Most articles on the internet discussing WMI that I’ve seen talk about using WMI via VBScript. I’ve found that usually I do not need a whole script… rather I just need to remotely launch an application or view all installed updates, etc. Quick actions like those can be done without writing any scripts by using WMIC. WMIC is the WMI console for the DOS prompt.

Here is a good article that demonstrates some basic uses and should get you on a good start using WMI in daily tasks:

http://blogs.technet.com/askperf/archive/2008/04/18/wmic-leveraging-the-power-of-wmi.aspx


Message stuck in Microsoft SMTP service Queue

July 28, 2008 at 12:51 pm (Technology, windows)

Recently I ran into a problem where emails that were generated using CDOSys were getting stuck in the Microsoft SMTP service outgoing queue.  If you are having problems with the Microsoft SMTP service, you may have discovered that it is difficult to troubleshoot.  This difficulty is mostly caused by the fact that the service has very little logging available to it.  It is true that you can enable logging via the IIS console, but that logging is minimal at best.  Errors are not recorded very well in that log.

I did spot in the event viewer some interesting entries that were complaining about internal DNS errors that appeared to be coming from the SMTP service.  Upon further research I found that IIS 5.0 running on Windows Server 2000 is not able to make DNS queries via UDP.  IIS is only able to query DNS servers using TCP.  This poses a problem since TCP is usually only used for zone transfers; therefore most DNS servers have TCP blocked and only allow UDP queries.

This will result in the SMTP service being unable to query DNS at all. In that state the SMTP service will initially process mail that is put into the ‘pickup’ directory by CDOSys and move it into the ‘queue’ directory. From there it is normally processed further and sent to the next MTA. However, when the SMTP service is unable to query DNS it just leaves the message in the queue directory and begins ‘BadMail’ processing.

How can you test whether this is the issue you are having? The first step I recommend is using nslookup to verify that DNS works the way IIS 5.0 needs it to. Simply run nslookup from the command line (this can be done on either Windows or Linux) and force it to do all queries using TCP. While in nslookup, enter:

set vc

Now any queries you enter will be done using TCP. If this fails, turn off forced TCP and run the query again. If it then works, you know that the IIS server cannot make TCP DNS queries to its designated DNS server. You can turn off forced TCP with this command in nslookup:

set novc
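A scripted version of the nslookup test above, added here and not part of the original post: it sends the same A query to a resolver once over UDP and once over TCP (the transport that set vc forces on nslookup), so a lookup that succeeds over UDP but fails over TCP shows exactly the condition the article describes. The resolver address and the name to look up are assumed to be passed on the command line.

```python
import socket
import struct
import sys

def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question), QNAME, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_response(data: bytes, txid: int) -> dict:
    """Decode the reply header; reject anything that is not a response to our transaction id."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return {"rcode": flags & 0x000F, "answers": an}

def query(server: str, name: str, use_tcp: bool, timeout: float = 3.0, txid: int = 0x2A2A) -> dict:
    """Send one query over UDP, or over TCP (what 'set vc' makes nslookup do)."""
    q = build_query(name, txid)
    if not use_tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            return parse_response(s.recv(512), txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS prefixes each message with its length
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ValueError("connection closed before the full reply arrived")
            buf += chunk
        return parse_response(buf[2:], txid)

def check_resolver(server: str, name: str) -> dict:
    """Run the same lookup over both transports and report each result separately."""
    report = {}
    for transport, tcp in (("udp", False), ("tcp", True)):
        try:
            report[transport] = query(server, name, tcp)
        except (OSError, ValueError) as exc:
            report[transport] = {"error": str(exc)}
    return report

if __name__ == "__main__":  # usage: python dnscheck.py <dns-server-ip> <name-to-look-up>
    for transport, result in check_resolver(sys.argv[1], sys.argv[2]).items():
        print(f"{transport}: {result}")
```

A "tcp" entry carrying an error (timeout or refused connection) next to a clean "udp" result is the firewall or resolver rejecting TCP/53, which is the case the three fixes below address.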

There is also a useful tool from Microsoft that runs through the various mail-sending steps and can help you debug this and other issues with the SMTP service. This tool is called SMTPDiag. Here is a good article that shows a little of how to use SMTPDiag.

If you have determined that your mail is getting stuck because of TCP DNS queries being rejected or dropped, there are essentially three options for you to fix this:

  • If your firewall is preventing TCP DNS queries, modify the rules to allow it.
  • If possible, change the configuration of the DNS server to allow TCP queries.
  • Change the IIS server to use a DNS server that is configured to allow TCP queries.

Use the nslookup procedure shown above to determine both that the firewall rules allow TCP queries AND that the DNS server you’d like to use allows TCP queries. Once you are sure that IIS is set to query a DNS server that allows TCP queries, simply restart the SMTP service and all mail in the queue should begin to process.

Remember: on Windows Server 2000, you must reboot the server after changing the DNS servers for an interface in order for the change to take effect.
