Posts Tagged ‘Tools’

Best Practices Analyzers

May 19, 2010 Leave a comment

Best Practices In Windows management, best practices are guidelines to configure a server as defined by experts. For example, it is considered a best practice for most server technologies to keep open ports that are required for the technologies to communicate with other networked computers and also block unused ports. Whereas best practice violations, even very important best practice violations, are not necessarily problematic, they indicate server configurations that can result in poor performance, poor reliability, unexpected conflicts, increased security risks, or other potential problems.

The resulting report of the Best Practices Analyzers, details critical configuration issues, potential problems, and other vital information. By following the recommendations of the tool, administrators can achieve greater performance, scalability, reliability, and uptime.

Some of the IT related BPAs are:

Hyper-V Best Practices Analyzer for Windows Server 2008 R2

You can use Hyper-V Best Practices Analyzer to scan a server that is running the Hyper-V role, and help identify configurations that do not comply with the best practices of Microsoft for this role. BPA scans the configuration of the physical computer, the virtual machines, and other resources such as virtual networking and virtual storage. Scan results are displayed as a list of issues that you can sort by severity, and include recommendations for fixing issues and links to instructions. No configuration changes are made by running the scan.

Microsoft Exchange Best Practices Analyzer v2.8

The Exchange Best Practices Analyzer programmatically collects settings and values from data repositories such as Active Directory, registry, metabase and performance monitor. Once collected, a set of comprehensive ‘best practice’ rules are applied to the topology.

Note: Exchange Best Practices Analyzer v2.8 should not be used to scan Exchange Server 2007 and Exchange Server 2010. In Exchange Server 2007 and Exchange Server 2010, the Best Practices Analyzer is installed during Exchange Setup and can be run from the Exchange Management Console Toolbox.

Microsoft Exchange Troubleshooting Assistant v1.1

The Exchange Troubleshooting Assistant programmatically executes a set of troubleshooting steps to identify the root cause of performance, mail flow, and database mounting issues. The tool automatically determines what set of data is required to troubleshoot the identified symptoms and collects configuration data, performance counters, event logs and live tracing information from an Exchange server and other appropriate sources. The tool analyzes each subsystem to determine individual bottlenecks and component failures, then aggregates the information to provide root cause analysis.

SQL Server 2000 Best Practices Analyzer

The SQL Server 2000 Best Practices Analyzer is a database management tool that lets you verify the implementation of common Best Practices. These best practices typically relate to the usage and administration aspects of SQL Server databases and ensure that your SQL Servers are managed and operated well.

SQL Server 2005 Best Practices Analyzer

The SQL Server 2005 Best Practices Analyzer gathers data from Microsoft Windows and SQL Server configuration settings. BPA uses a predefined list of SQL Server 2005 recommendations and best practices to determine if there are potential issues in the database environment.

Windows SharePoint Services 3.0 and Microsoft Office System 2007 Best Practices Analyzer

The Windows SharePoint Services 3.0 and Microsoft Office System 2007 Best Practices Analyzer programmatically collects settings and values from data repositories such as MS SQL, registry, metabase and performance monitor. Once collected, a set of comprehensive ‘best practice’ rules are applied to the topology.

Internet Security and Acceleration (ISA) Server Best Practices Analyzer

The ISA Server Best Practices Analyzer (BPA) is a diagnostic tool that automatically performs specific tests on configuration data collected on the local ISA Server computer from the ISA Server hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

Forefront Threat Management Gateway Best Practices Analyzer

The Forefront Threat Management Gateway Best Practices Analyzer is a diagnostic tool that automatically performs specific tests on configuration data collected on the local Forefront TMG computer from the Forefront TMG hierarchy of administration COM objects, Windows Management Instrumentation (WMI) classes, the system registry, files on disk, and the Domain Name System (DNS) settings.

Tags: ,

Microsoft TechNet Desktop Player (Beta)

March 31, 2010 Leave a comment

Microsoft TechNet Desktop Player (Beta)

Microsoft recently launched a Desktop player that allows users to consume selected Microsoft content for IT professionals and developers based on your adoption lifecycle.

The Desktop Player filters content by topic based on your role and where you are in your adoption lifecycle (Evaluation, Development/Pilot, Support).

Find videos, webcasts, podcasts, whitepapers and relevant links based on your specific criteria. And get a feed of the latest news for IT pros.

From the EULA:

The Microsoft TechNet Desktop Player (the “PLAYER”) is a content aggregator that surfaces filtered content that exist at Microsoft across various engines that have relevant contextual content for the user.

Use it online or download from

Requirements: .NET Framework 3.5 SP1 installed for the offline version and Silverlight for the online version.

VBScript Tools and Links

March 6, 2010 Leave a comment



Here are a bunch of tools and links you’ll find useful if you are (or want to get) into scripting in VBS.


Code Collections:

TechNet Script Center Sample Scripts
Sample scripts found in the TechNet Script Center Repository.

Script Center All-in-One
Script Center All-in-One features over 160 scripting-related articles collected in a single .CHM file. This collection features all of the Tales From the Script and Office Space columns.

Sesame Script, 2005-2007
The complete collection of Sesame Script, the beginning scripting column published in the TechNet Script Center in a fully-searchable help file, with individual topics arranged by category.

SMS 2003 Scripting Guide
The SMS 2003 Scripting Guide provides over 40 scripts, ranging from tasks such as creating advertisements to running queries. It explains the basics of SMS objects, WMI, and VBScript through a series of ‘How To’ examples.


Code Generators:

Scriptomatic 2.0
Utility that helps you write WMI scripts for system administration.
Scriptomatic 2.0 isn’t limited to writing just VBScript scripts; instead, Scriptomatic 2.0 can write scripts in Perl, Python, or JScript as well. In addition, Scriptomatic 2.0 gives you a host of new output formats to use when running scripts, including saving data as plain-text, as a stand-alone Web page, or even as XML. Scriptomatic 2.0 handles arrays, it converts dates to a more readable format, and it works with all the WMI classes on your computer; on top of all that, it also writes scripts that can be run against multiple machines.

ADSI Scriptomatic
The ADSI Scriptomatic is designed to help you write ADSI scripts; that is, scripts that can be used to manage Active Directory. The ADSI Scriptomatic also teaches you an important point about ADSI scripting: like WMI, there are consistent patterns to ADSI scripts.

WMI Code Creator v1.0
The WMI Code Creator tool allows you to generate VBScript, C#, and VB .NET code that uses WMI to complete a management task such as querying for management data, executing a method from a WMI class, or receiving event notifications using WMI.
The tool is meant to help IT Professionals quickly create management scripts and to help developers learn WMI scripting and WMI .NET. The tool helps take the complexity out of writing code that uses WMI and helps developers and IT Professionals understand how powerful and useful WMI can be for managing computers.
Using the tool, you can query for management information such as the name and version of an operating system, how much free disk space is on a hard drive, or the state of a service. You can also use the tool to execute a method from a WMI class to perform a management task. For example, you can create code that executes the Create method of the Win32_Process class to create a new process such as Notepad or another executable. The tool also allows you to generate code to receive event notifications using WMI. For example, you can select to receive an event every time a process is started or stopped, or when a computer shuts down.
The tool also allows you to browse through the available WMI namespaces and classes on the local computer to find their descriptions, properties, methods, and qualifiers

HTA Helpomatic
The HTA Helpomatic is a utility that helps script writers create HTML Applications (HTAs). HTAs enable you to provide a graphical user interface for your scripts, an interface that can include anything from list boxes to radio buttons to checkboxes. The HTA Helpomatic includes sample VBScript code and sample HTML code showing you how to do things like add a button to an HTA. Equally important, the Helpomatic also shows you how you can run a script any time that button is clicked. As an added bonus, the Helpomatic enables you to modify the scripts and HTML code and test those modifications in the utility itself.

Tweakomatic is a utility that writes scripts that enable you to retrieve and/or configure Windows and Internet Explorer settings.


Language Documentation and References:

Windows Script 5.6 Documentation
Extensive reference and conceptual documentation for all of Microsoft Windows Script Technologies, including VBScript, JScript and WSH.

VBScript Quick Reference
Four-page booklet Word Document reference guide to commonly-used VBScript commands.

VBScript (Visual Basic Script)
Microsoft Visual Basic Scripting Edition (VBScript) is an easy-to-use scripting language that enables system administrators to create powerful tools for managing their Windows based computers.

WSH (Windows Script Host)
Windows Script Host (WSH), a feature of the Microsoft® Windows® 2000 family of operating systems, is a powerful multi-language scripting environment ideal for automating system administration tasks. Scripts running in the WSH environment can leverage the power of WSH objects and other COM-based technologies that support Automation, such as Windows Management Instrumentation (WMI) and Active Directory Service Interfaces (ADSI), to manage the Windows subsystems that are central to many system administration tasks.

WMI (Windows Management Instrumentation)
Windows Management Instrumentation (WMI) is the primary management technology for Microsoft Windows operating systems. It enables consistent and uniform management, control, and monitoring of systems throughout your enterprise. WMI allows system administrators to query, change, and monitor configuration settings on desktop and server systems, applications, networks, and other enterprise components.

ADSI (Active Directory Service Interfaces)
Administering a directory service often involves numerous repetitive tasks such as creating, deleting, and modifying users, groups, organizational units, computers, and other directory resources. Performing these steps manually by using graphical user interface (GUI) tools is time-consuming, tedious, and error prone. A key to reducing time consumption, tedium, and errors when administering a directory is automating repetitive tasks by using scripts.
Active Directory Service Interfaces (ADSI) is the technology that allows you to create custom scripts to administer directories. ADSI-enabled scripts are capable of performing a wide range of administrative tasks involving network directories such as the Active Directory directory service.

PerfMon BlackBox

February 20, 2010 5 comments

BlackBoxWhen an airplane crashes, the first thing to do (after searching for survivors of course) is to search for the “blackbox” since it would contain vital information about what might have caused the plane to crash. You can apply this technique on your servers as well.PerfMon

The “PerfMon BlackBox” is an always-running capture of key performance counters. So when a server crashes, hangs or starts to slow down significantly, you can take the collected data (the blg file) and analyze it for memory leaks or other unexpected resource consumption.

For this, you’ll need a set of two files. One (BlackBox_Counters.txt) containing the list of performance counters to be collected, and a second (BlackBox.cmd) containing the script set of commands to create the data collector using logman.exe.


\Cache\Dirty Pages
\Cache\Lazy Write Flushes/sec
\LogicalDisk(*)\% Free Space
\LogicalDisk(*)\% Idle Time
\LogicalDisk(*)\Avg. Disk Bytes/Read
\LogicalDisk(*)\Avg. Disk Bytes/Write
\LogicalDisk(*)\Avg. Disk Queue Length
\LogicalDisk(*)\Avg. Disk sec/Read
\LogicalDisk(*)\Avg. Disk sec/Write
\LogicalDisk(*)\Current Disk Queue Length
\LogicalDisk(*)\Disk Bytes/sec
\LogicalDisk(*)\Disk Reads/sec
\LogicalDisk(*)\Disk Transfers/sec
\LogicalDisk(*)\Disk Writes/sec
\LogicalDisk(*)\Free Megabytes
\Memory\% Committed Bytes In Use
\Memory\Available MBytes
\Memory\Cache Bytes
\Memory\Commit Limit
\Memory\Committed Bytes
\Memory\Free & Zero Page List Bytes
\Memory\Free System Page Table Entries
\Memory\Pages Input/sec
\Memory\Pages Output/sec
\Memory\Pool Nonpaged Bytes
\Memory\Pool Paged Bytes
\Memory\System Cache Resident Bytes
\Memory\Transition Pages RePurposed/sec
\Network Inspection System\Average inspection latency (sec/bytes)
\Network Interface(*)\Bytes Received/sec
\Network Interface(*)\Bytes Sent/sec
\Network Interface(*)\Bytes Total/sec
\Network Interface(*)\Current Bandwidth
\Network Interface(*)\Output Queue Length
\Network Interface(*)\Packets Outbound Errors
\Network Interface(*)\Packets Received/sec
\Network Interface(*)\Packets Sent/sec
\Network Interface(*)\Packets/sec
\Paging File(*)\% Usage
\PhysicalDisk(*)\Avg. Disk Queue Length
\PhysicalDisk(*)\Avg. Disk sec/Read
\PhysicalDisk(*)\Avg. Disk sec/Write
\PhysicalDisk(*)\Current Disk Queue Length
\PhysicalDisk(*)\Disk Bytes/sec
\PhysicalDisk(*)\Disk Reads/sec
\PhysicalDisk(*)\Disk Writes/sec
\Process(*)\% Privileged Time
\Process(*)\% Processor Time
\Process(*)\Handle Count
\Process(*)\ID Process
\Process(*)\IO Data Operations/sec
\Process(*)\IO Other Operations/sec
\Process(*)\IO Read Operations/sec
\Process(*)\IO Write Operations/sec
\Process(*)\Private Bytes
\Process(*)\Thread Count
\Process(*)\Virtual Bytes
\Process(*)\Working Set
\Processor Information(*)\% of Maximum Frequency
\Processor Information(*)\Parking Status
\Processor(*)\% DPC Time
\Processor(*)\% Interrupt Time
\Processor(*)\% Privileged Time
\Processor(*)\% Processor Time
\Processor(*)\% User Time
\Processor(*)\DPC Rate
\Server\Pool Nonpaged Failures
\Server\Pool Paged Failures
\System\Context Switches/sec
\System\Processor Queue Length
\System\System Calls/sec
\TCPv4\Connection Failures


set “LogName=BlackBox”
set “LogsPath=D:\Perflogs”
set “CountersFile=BlackBox_Counters.txt”

logman query |find /i /c “%LogName%”
if ERRORLEVEL 1 goto CreateLog

logman update %LogName% -v nnnnnn -cf “%~dp0%CountersFile%” -si 00:01:00 -f bincirc -o “%LogsPath%\%LogName%_%COMPUTERNAME%” -max 1024
goto StartLog

logman create counter %LogName% -v nnnnnn -cf “%~dp0%CountersFile%” -si 00:01:00 -f bincirc -o “%LogsPath%\%LogName%_%COMPUTERNAME%” -max 1024

logman start %LogName%

forfiles /p %LogsPath% /m *.blg /d -7 /c “cmd /c del /q @path”

Now you can set your server’s “PerfMon BlackBox” by putting both files in a folder under your %USERDOMAIN%\NETLOGON folder, then create a new GPO, and assign the BlackBox.cmd script as the computer startup script. This way, whenever a server boots up, it will cerate/update the BlackBox collector and run it.

Note: The last line of the script file (under ClearOldLogs) is responsible for deleting blg files older than 7 days, so your disk is not bloated with old and irrelevant counter files.

Before you go and analyze the counters using perfmon, I recommend you use a set of registry tweaks that will make your life working with PerfMon a little easier.


Windows Registry Editor Version 5.00

#The Process object in Performance Monitor can display Process IDs (PIDs)

#Display Comma Separators in the Windows Performance Tool

#Vertical lines are displayed in the Sysmon tool that obscure the graph view

And if you don’t know how, you can always use PAL to analyze the performance logs. It generates an HTML based report which graphically charts important performance counters and show alerts when thresholds are exceeded. Just remember PAL is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time.

Performance Analysis of Logs (PAL) Tool

Related reading:


January 16, 2010 37 comments

Updated to version:!

Lets say you have many exported EventLog (evt/evtx) files, and need to search for specific event entries on all of them. how do you do it?
Yes. Of course you can use Microsoft Log Parser 2.2 but then you have to write the cumbersome query yourself. bummer.

EvtLogParser EvtLogParser to the rescue!

EvtLogParser uses the LogParser.dll from Microsoft Log Parser 2.2, and provides a simple UI for the query.


All you need to do, is drag-and-drop or right-click and select Add EventLog Files...  to add your files to the list, select the query filter using the query filter panel, and click Query.

EvtLogParser: Query Filter Panel

Then, you’ll be able to see the query results in the grid view below.

EvtLogParser: GridView and Context Menu

Right-click to view a specific event, save it as a text file or export all the data to an XML file.

EvtLogParser: View Event

Note that Windows Vista, 7 and Server 2008 uses the new evtx format for event log exports.
Since Log Parser uses system APIs to read event log exports, and the old .evt event log format is not "native" any more on these OS’s you’ll probably get an error message saying "The event log file is corrupted".

So if you want to read evt files on Windows Vista, 7 or Server 2008, you should convert them old-school EventLog files into the shiny new format. You can accomplish this using any of the two methods described below:

1. Through the user interface
just double-click the evt file, wait for it to open, then right-click, select Save Event As, enter the location and filename, click Save and OK.

2. Using the Windows Events Command Line Utility (WevtUTIL)
It’s built in the OS and it’ll convert those old EventLog files from the command line:

wevtutil epl application.evt application.evtx /lf:true

Also, you can copy the text below into Notepad, save it with the .reg extension, and merge it into your registry.
After restarting your system, you’ll be able to right-click an .evt file and select the "Convert to evtx" option from the context menu.

Windows Registry Editor Version 5.00

@="Convert to evt&x"
@="\"wevtutil.exe\" epl \"%1\" \"%1x\" /lf:true"


Please note it requires you to have at least .NET Framework 2.0 installed

Scanning multiple EventLogs with EventCombMT

December 28, 2009 3 comments

Have you ever needed to search for a specific event on many computers?
if you did, and didn’t use EventCombMT… shame on you!

EventCombMT is a multithreaded tool (hence the ‘MT’ at the end) that you can use to search the event logs of several different computers for specific events, all from one central location.

you can set the EventCombMT to search for individual event IDs, multiple event IDs or a range of event IDs, a specific event source with or without specific text in the event’s description, you can also set how many minutes, hours, or days back to scan the event logs.

EventCombMT has many built-in searches such as such as Account Lockouts (Event IDs 529, 644, 675, 676, and 681) and NETLOGON Failed To (De)Register DNS Records (Event IDs 5774, 5775, 5781, 5788)

After the search finishes, the program opens the local \TEMP folder (or the folder you selected as the output folder), which will contain a number of text file logs for the search action:
EventCombMT.txt: The log for the program’s own actions
%machine%-_LOG.txt: Results for the search on that particular machine’s log.

The EventCombMT.exe also has many command line options, such as:

– To load a search that you previously saved use: /load:<name of saved search>

– To add all DCs in your domain to the list of servers to search use: /dc

– To add DCs from another domain use: /dc:<domain name>

– To add servers from a text file use: /file:<path to file>

– To specify events to search for use: /evt:”events” (for example: /evt:"644 528 639")

– To specify the types of events to collect use: /et:weisafasu OR /et:all

  (w – Warning, e – Error, i – Informational, sa – Success Audit, fa – Failure Audit, su – Success)

– To specify event logs types use: /log:sysappsecdsfrsdns OR /log:all

  (sys = System, app = Application, sec = Security, ds = Directory Services, frs = FRS, dns = DNS)

– To specify the output directory use: /outdir:”path to output folder”

– To specify the number of threads use: /t:<number> (The default is 25)

– To specify the Event Source use: /source:”event source” (for example: /source:netlogon)

– To specify the text that needs to be in the event use: /text:"text to match"

NOTE: The search is case insensitive.

– To automatically start searching use the /start argument


The EventCombMT utility is included both in the Windows Server 2003 resource kit tools and in the Account Lockout and Management Tools

The EventCombMT.exe from the Win2K3RK is from April 2003, and the EventCombMT.exe from the ALTools is from May 2002 but seems to have more options under the options menu. Weird…