Windows – Using osQuery Tool

February 1, 2019

The osQuery Tool is a cross-platform tool to query your devices like a database for Windows, Linux and iOS.

Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

You can dowload it here

osQuery installation on Windows is running the MSI to get it running.

After the installation you will see the binaries in C:\ProgramData\osquery

image

As you can see it has a few PowerShell scripts as well.

But most importantly is the osQuery Shell called osqueryi.exe

If you run the shell command you can see all features like this :

osqueryi .help

image

in the background it uses SQLite Smile

image

You can list all the tables that can be queried like this

image

image

Since you now have the list of the tables you can start using it in a Query.

How to use it :

Example :

osqueryi -line "select * from video_info"

image

osqueryi -line "select * from cpu_info"

image

PowerShell :

You can use osqueryi.exe in PowerShell like this

image

Enjoy !

Advertisements

Windows Server 2016 – DeviceSetupManager Event ID 121

February 1, 2019

How to cleanup stale devices on your servers …

On one of our servers that is running as a Hyper-V Host and using a non windows backup software to backup the VM’s I see a lot of VSS copies hanging around …. ?

When looking at the HIDDEN devices

image

I saw a lot of Generic volume Shadow Copies

See here to know why this is occurs

image

And as well INACTIVE Storage volumes

image

The know why this is happening see here

Solution :

Download the DriveCleanup Tool here 

image

You can run this command to run in TEST MODE

drivecleanup -t > dc-output.txt

You can see this detailed output

image

In my case it suggest these entries to be removed.

image

I could see a clear relationship between the Event ID 121 Errors and output of the drivecleanup tool

image

image

To delete the stale devices and Registry Keys you need to use the Admin Privileges

Make sure you have good backups before removing anything !

Enjoy !


Windows – Stop a Windows Service when this option is GRAYED OUT

January 4, 2019

Sometimes you might encounter that all options of a Windows Service are greyed out ?

image

Solution :

In this case it is the Windows Module Installer

Open the properties of this service.

Copy the Service Name “TrustedInstaller

image

Run this command

sc queryex TrustedInstaller

Look for the PID and run this command

taskkill /F /PID 5984

image

Now you can start the service again. Smile

Success !


Windows Server 2016 – ServerEssentials DesignatedActiveDirectoryServerDown Event ID 1280 Error

December 20, 2018

After removing a DC and cleaning up the metadata I still got errors relating to DesignatedActiveDirectoryServerDown ?

I rechecked all settings and had still some references in the DNS.

But even after removing all of this it was still complaining ?

image

Solution :

Open the registry and go to :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\ADContext

image

Key ConnectedDc was pointing to old DC server.

Correct the value and pointed the key to current  DC :

Correct the registry entry by overwriting with the proper value of the local server.

Restart the dashboard for the change to take effect.

Next go on searching for more references in the registry

image

https://support.microsoft.com/en-us/help/332199/domain-controllers-do-not-demote-gracefully-when-you-use-the-active-di

If there is an entry for Src Root Domain Srv, right-click the value and then click Delete.

This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion.

Remove these registry key

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Root Domain Srv 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Root Domain Srv 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Root Domain Srv 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NTDS\Parameters\Src Srv objectGuid 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NTDS\Parameters\Src Srv objectGuid 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Src Srv objectGuid
Reboot the server and check again.

Enjoy!


Windows Server 2016 – Disk Event ID 153 Errors

December 18, 2018

I got a lot of Disk Errors Event ID 153 every day when using Windows Backup. Every day at the same time more or less.

image

Analysis :

First we need to find out which one is Disk 4 ?

Open the registry and go to : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk\Enum

 image

You will see that I had 4 Disk, of which the number 4 is a USB Memory card storage…

It will match up with the Server Manager Disks

image

Next start the Command Line using Admin Privileges

And run this command

set DEVMGR_SHOW_NONPRESENT_DEVICES=1

devmgmt.msc

image

Go to Portable Devices and see check the Drive letters

In my case it is G: drive ?

On the GENERAL tab you can read that the device is NOT ENABLED

image

Using WMIC to get more info on the Event ID PDO name Device\00000xxx ID

image

Use this command to get all drivers detailed information :

 

wmic /output:c:\temp\drivers.txt path Win32_PnPSignedDriver

And look for the device number in the column PDO

image

If you don’t find it, it means it is a STALE device that can be removed.

See here on how to…

Solution :

In our case we had to disable the INTERNAL SD Card Slot using the BIOS.

Use these steps on an HP server :

UEFI System Utilities and Shell Command Mobile Help for HPE ProLiant Gen9 Servers and HPE Synergy

Going to System Utilities – by pressing F9

Enabling or disabling the Internal SD Card Slot

Procedure :

1. From the System Utilities screen, select System Configuration > BIOS/Platform Configuration (RBSU) > System Options > USB Options > Internal SD Card Slot and press Enter.

2. Select a setting and press Enter:

a. Enabled—The server can access the internal SD card slot.

b. Disabled—The server cannot access the internal SD card slot.

3. Press F10.

Enjoy!


Windows 2016 – Remote Desktop TermDD Event ID 56 Error

December 18, 2018

On a Server running Remote Desktop Services you can encounter the TermDD Event ID 56 Error

image

Solution :

1. Open the Remote Desktop Session Host Configuration

2. Double click RDP-Tcp in the Connections block

image

3. Go to General tab change the Security layer pull down box from Negotiate to RDP Security Layer.

The issue is caused by the latest Security Update related to CredSSP encryption oracle remediation.

See here

Enjoy


Windows Server 2016 – Disk Signature Issues Event ID 58 & VDS Basic Provider Event ID 1 Error

December 12, 2018

On a Virtual Machine Host after doing a P2V. you can encounter the Event ID 58 & Event ID 1 Errors

image

Error Message :

“The disk signature of disk 5 is equal to the disk signature of disk 0.”

Use the Device Manager to see the Hidden Devices

image

Next download the DevNodeClean Utility

This will list all Orphaned Devices on your VM

Run this command :

devnodeclean /n

image

You will see many Registry Keys that WOULD BE removed, but are now only listed.

image

User the /r parameter to delete the registry key…

BE SURE you have always good backups to fall back on in case you need it !


Enjoy !!