Category Archives: Tools

Best practices for… chkdsk

The longer I work, the more I am aware of a simple fact: even the most routine and mundane thing, technology or tool can have something to teach you. Just as you never know what a cake is made from unless you try to make it yourself =)

The same can be said about, say, chkdsk. What do you think: do you need to know anything more about chkdsk than its command line switches? OK, if you don’t have an inquiring mind then probably not. But you probably just don’t know what impact it can have on your environment. For example, let’s imagine quite a usual situation: your file server has been growing with the company until you finally got your own very special SLA for it. This SLA was negotiated with IT and everyone took into account practically everything:

– time of recovery for any subset of the information (some bits are required ASAP, while others can wait some time)

– time required to recover broken equipment

– and so on and so forth.

But one fine day your volume (which stores about 500M small files) was marked as “dirty” and went into chkdsk after a reboot… Had you incorporated these 99 hours (!!!) of downtime into your SLA? I hadn’t =(

Fortunately, I still have some time to think about it, all the more because I haven’t yet run into the situation, and now, after reading the document named “NTFS Chkdsk Best Practices and Performance”, I have some ideas for my future SLAs 😉

BTW, in Server 2012 there will be some big improvements over the issues described. Read and prepare yourself.

Creating your own troubleshooting pack



As I wrote in one of my blog posts, you can not only tell your user exactly which troubleshooting pack to run, you can also create one of your own. I finally decided to learn how and to tell you. I was pretty sure it was very hard to create those. But I was plain wrong: it’s easy. Moreover, it’s fun, because creating one combines all the components of a geek’s fun:

1) Use GUI

2) Use scripting

3) Run the automation and see the result!

So, let’s begin.

Unfortunately, you cannot just create a pack with Notepad. Well, there probably is a method, but I believe it is far less convenient than the following. First of all you need to download and install the Windows 7 SDK. Honestly, I don’t know which component exactly contains the feature we are going to use, so you can find that out yourself, or just follow me and not worry about it. After installation you’ll have a menu entry for Troubleshooting Pack Designer:


You only need to decide what problem you’re going to solve with the pack. In my example, I’m going to automatically detect and fix one simple yet annoying defect: my Dell notebook sometimes cannot detect the network speed while in a docking station. Disabling and re-enabling the interface is one of the workarounds, which I don’t really hate, but which I’d like to automate. (OK, I know that a two-line script would be enough, but then I wouldn’t have had a simple enough scenario to show you 😉) So, I launch the designer:


and create a new project:



(take notice of the “Privacy URL” field: it is mandatory) Everything else is pretty straightforward from now on. Add a new root cause (you can add several). In my case it is “A network is detected at 10Mbps instead of 100”:


and hit the “Design Troubleshooter” button. You’ll be presented with several settings. Troubleshooter – whether to run it elevated and whether to interact with a user. In my case I set both to No:


Then configure a resolver in the same way:


Surely we want our tool to check whether the actions taken have fixed all the problems, therefore we need to configure a verifier:


And finally, create and input scripts for them.


# TroubleshooterScript - This script checks for the presence of a root cause
# Key Cmdlets:
# -- update-diagrootcause flags the status of a root cause and can be used to pass parameters
# -- get-diaginput invokes an interaction and returns the response
# -- write-diagprogress displays a progress string to the user

$RootCauseID = "NetIs10"

# Your detection logic here
# The adapter property compared against "*82567lm*" was lost in extraction; $_.Name is assumed
$speed = (Get-WmiObject -Class Win32_NetworkAdapter |
    Where-Object { $_.Speed -ne $null -and $_.MACAddress -ne $null -and $_.Name -like "*82567lm*" }).Speed

# Win32_NetworkAdapter.Speed is in bits per second; 100000000 is a 100 Mbps link
$RootCauseDetected = $false
if ($speed -ne 100000000) {
    $RootCauseDetected = $true   # replace "$true" with the result of your detection logic
}

# The following line notifies Windows Troubleshooting Platform of the status of this root cause
update-diagrootcause -id $RootCauseID -detected $RootCauseDetected

It’s a very primitive script, which just checks if the network interface has a speed of 100Mbps. Resolver:

# Resolver Script - This script fixes the root cause. It only runs if the Troubleshooter detects the root cause.
# Key cmdlets:
# -- get-diaginput invokes an interaction and returns the response
# -- write-diagprogress displays a progress string to the user

# Your logic to fix the root cause here
# As in the troubleshooter, the compared property was lost in extraction; $_.Name is assumed
$network = Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.Name -like "*82567lm*" }

# Disable the adapter, give the driver a moment, then re-enable it
# (the two method calls were lost in extraction and are restored from the post's description of the script)
$network.Disable() | Out-Null
Start-Sleep 4
$network.Enable() | Out-Null


An even simpler script: it just re-enables the interface.
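A verifier script for the same root cause, as an added example (not a script from the original post): it repeats the troubleshooter’s check after the resolver has run and reports the outcome with update-diagrootcause, where -detected $true means the fix did not work. The Test-RootCausePresent helper, the NetEnabled check, the 5-second wait and the use of write-diagprogress are my assumptions; the root cause ID, adapter pattern and expected speed are the ones used in the scripts above.

```powershell
# Verifier script (added example): re-run detection after the resolver and
# tell the Troubleshooting Platform whether the root cause is still present.
$RootCauseID   = "NetIs10"
$AdapterFilter = "*82567lm*"      # same adapter pattern as in the troubleshooter
$ExpectedSpeed = 100000000        # 100 Mbps, Win32_NetworkAdapter.Speed is in bits/s

function Test-RootCausePresent {
    param([string]$Filter, [uint64]$Expected)
    # Only consider adapters that are actually up (NetEnabled), assumed to be enough here
    $adapters = Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.Name -like $Filter -and $_.NetEnabled -eq $true }
    if (-not $adapters) {
        # Adapter missing or still disabled: report "still present" so the platform
        # shows the root cause as not fixed instead of silently passing
        return $true
    }
    foreach ($a in $adapters) {
        if ($a.Speed -ne $Expected) { return $true }
    }
    return $false
}

write-diagprogress -activity "Verifying link speed of $AdapterFilter"
# Give the driver time to renegotiate after the resolver re-enabled the NIC (assumed delay)
Start-Sleep -Seconds 5
$RootCauseDetected = Test-RootCausePresent -Filter $AdapterFilter -Expected $ExpectedSpeed
update-diagrootcause -id $RootCauseID -detected $RootCauseDetected
```

Treating a missing or disabled adapter as “still present” is deliberate: a verifier that passes when it cannot find the interface would hide a resolver that failed halfway through the disable/enable sequence.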

Now just compile the pack (some questions about a certificate arise; you can use a test self-signed certificate or configure a proper one in the options) and use it.


Well, at least for me it was a great experience with a good outcome: I now have an instrument to check and fix everything =)

Network trace without NetMon, wireShark, etc… Part 2

As I told you in the previous episode, there is more to it than just capturing without installing any software. Much more, actually. There is a .cab file which contains many files: 33 to be accurate (at least in my case). The files contain a wealth of information about the computer’s networking configuration as well as logs. Let’s take a look at those files:


1) adapterinfo.txt: contains info about your NICs’ drivers:


How can this be useful? Easily: say you see that the driver for a physical NIC was issued 5 years ago: why not upgrade it first? Anyway, this can give you a starting point for troubleshooting.

2) dns.txt: this one contains the output of the ipconfig /displaydns command, which gives us the content of the DNS client cache


3) envinfo.txt: all you want and even more about the wireless network. Drivers with supported authentication and cipher options, interfaces and their state, hosted networks, WLAN settings, profiles and more and more…


4) filesharing.txt: nbtstat –n, nbtstat –c, net config rdr, net config srv, net share


5) gpresult.txt: no comments

6) neighbors.txt: arp –a, netsh interface ipv6 show neighbors (yeah, calling netsh from netsh… inception… 😉 )

7) netiostate.txt: in my case there were Teredo settings


8) osinfo.txt: at first it looks like systeminfo output, but actually it is somewhat different, yet it can prove useful.


9) Report.etl: trace log file. I haven’t yet taken a look into it. Probably it can be good for deep troubleshooting

10) wcninfo.txt: wireless computer network information. Services status, files information and again interfaces info, ipconfig, and more…


11) wfpfilters.xml: I haven’t yet undertaken a close investigation of the file, but it seems to contain the firewall (Windows Filtering Platform) filters in XML format

12) windowsfirewallconfig.txt: config for the firewall. Is it turned on, global settings and all that stuff

13) several other files, which contain various networking-related event logs, registry key dumps and other info


14) Report.html: an .html file which contains links to the files above


Well, that’s it. Actually, while troubleshooting some incidents I was forced to request some info several times, just because I didn’t know what exactly I was going to need and I didn’t want to frustrate users with many commands or by sending them a .bat file. Now I can give them only two commands and voilà! I love it, really. IMHO this ability is just awesome even without taking a network traffic capture, so I strongly advise you to remember it!

Network trace without NetMon, WireShark, etc…

It is often necessary to capture and analyze some network traffic to troubleshoot a problem. Usually it requires installing some software package similar to the ones named in the title of this article. It’s OK when the computer in question is, say, your laptop, or its user is at least an advanced user, has administrative permissions and the security policy permits installing new software. But what if that is not the case? The user is some sales manager who doesn’t want to spend their time installing anything? Or it is a server, where you cannot change anything?

To cut a long story short, recently I ran into a totally awesome blog post where, among other truly interesting things (the blog is in the top 5 of my favorites, if not the most interesting, BTW), there was a solution for such a situation.

In short, you don’t have to install, say, Network Monitor onto a Windows 7/2008 R2 box to get a network capture. It can be done with the built-in tool, that is, netsh. You still need

1) to be a local admin on the computer you are tracing

2) NetMon to analyze the package you receive after the capture is complete. But you can do that on any computer you wish.

How does it work? Just excellent 😉

1) Start the trace

netsh trace start capture=yes tracefile=<PathToFile>


2) Then reproduce the problem. I started my Chrome (too many open tabs in IE 😉 ) and went to

3) Then stop the trace:

netsh trace stop


Please notice that the trace created two files: .etl and .cab. The ETL one is where our network trace is placed. The second… It makes the method even more awesome, but I will dedicate the next blog post to it.

4) Open the trace on any computer where you have Network Monitor installed:


Oops… What’s with the parsers? If we take a closer look at the interface we’ll see the following:

Process: Windows stub parser: Requires full Common parsers. See the “How Do I Change Parser Set Options(Version 3.3 or before) or Configure Parser Profile (Version 3.4)” help topic for tips on loading these parser sets.

Well, some parsers are definitely not turned on. Let’s do it now, it’s easy (I have NetMon 3.4). Go to Tools -> Options


Look at Parser Profiles tab:


and turn on the Windows profile by right-clicking it and selecting the Set As Active option:


That’s what we were looking for:


5) Now do all the NetMon stuff. For example, I was looking for Chrome activity and, say, I need to look at DNS requests:


Isn’t that great? No, it is simply awesome, because we haven’t yet taken a look at the .cab file, which contains tons of useful info. But we’ll do that in the next article.
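As an added example that is not part of either post, here is a PowerShell wrapper for the procedure above that also unpacks the .cab described in Part 2. The function names, the elevation check, the size cap, the temp paths and the assumption that the .cab shares the .etl’s base name are mine; the netsh parameters (capture, tracefile, maxSize, overwrite) and expand.exe’s -F:* switch are the tools’ own.

```powershell
# Added example: start/stop a netsh packet trace and unpack the accompanying .cab.
function Start-BuiltInTrace {
    param(
        [string]$TraceFile = "$env:TEMP\nettrace.etl",   # assumed location
        [int]$MaxSizeMB    = 250                         # assumed cap, netsh takes MB
    )
    # netsh trace needs a local admin in an elevated prompt; fail early otherwise
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "netsh trace must be run from an elevated prompt."
    }
    # capture=yes records packets; maxSize stops a forgotten trace from filling the
    # disk; overwrite=yes replaces a file left behind by an earlier run
    netsh trace start capture=yes tracefile="$TraceFile" maxSize=$MaxSizeMB overwrite=yes
}

function Stop-BuiltInTrace {
    param([string]$TraceFile = "$env:TEMP\nettrace.etl")
    netsh trace stop
    # Assumption: the .cab is written next to the .etl with the same base name
    $cabPath = [IO.Path]::ChangeExtension($TraceFile, ".cab")
    New-Object PSObject -Property @{
        Etl = Get-Item $TraceFile -ErrorAction SilentlyContinue
        Cab = Get-Item $cabPath   -ErrorAction SilentlyContinue
    }
}

function Expand-TraceCab {
    param(
        [string]$CabPath,
        [string]$Destination = "$env:TEMP\nettrace_cab"   # assumed location
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # expand.exe ships with Windows; -F:* extracts every file in the cabinet
    expand.exe -F:* "$CabPath" "$Destination" | Out-Null
    Get-ChildItem $Destination | Select-Object Name, Length
}

# Usage, from an elevated prompt:
#   Start-BuiltInTrace
#   ... reproduce the problem ...
#   $out = Stop-BuiltInTrace
#   Expand-TraceCab -CabPath $out.Cab.FullName | Sort-Object Name
```

The .etl still has to be opened in Network Monitor with the Windows parser profile active, as shown above; the unpacked folder is where adapterinfo.txt, dns.txt, windowsfirewallconfig.txt and the rest of the files listed in Part 2 end up.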

%systemroot%\System32 secrets: defrag

The next command also seems to be used less and less. Partly, probably, because the performance of modern computers allows forgetting about the problem of fragmentation until it is too late and it has become huge. Partly because some myths about it have successfully died. But mostly because it runs by default once a week. Earlier (in the 9x age) we had a nice GUI-based defragmentation program; now we have only a command line tool and a very reduced GUI to manage it (without that visualized fragmentation status: it was totally useless, but absolutely awesome. Hey, I believe that the fact we don’t have this magic now is probably the main reason we don’t need defrag 😉 ). Running this command in the background (with low priority, by the way) on a regular basis means that we don’t have much fragmentation:


But we also don’t have the magic =(

Anyway, if you don’t want “this bloody computer to operate on your data” or are just not satisfied with the schedule, then you can switch it off in the dfrgui program:


Change the time it runs in the same place, or create some sophisticated schedule in the task scheduler:


You can even implement some advanced logic, if you wish. Say, why even bother running defrag if you see a picture like this:


You can write a script which checks for fragmentation, defragments if needed, consolidates free space once in a while and does nothing at all the rest of the time.
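One way to write that script, as an added example that is not from the original post: it uses the DefragAnalysis() and Defrag() methods of the Win32_Volume WMI class for the check and the defragmentation, and defrag.exe /X for free-space consolidation. The function names, the percentage thresholds and the choice of Sunday as the consolidation day are my assumptions.

```powershell
# Added example: check fragmentation, defragment only when needed,
# consolidate free space once a week, otherwise do nothing.
function Get-FragmentationReport {
    param([string]$DriveLetter = "C:")
    $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter not found" }
    # DefragAnalysis() returns ReturnValue, DefragRecommended and a Win32_DefragAnalysis object
    $r = Invoke-WmiMethod -InputObject $vol -Name DefragAnalysis
    if ($r.ReturnValue -ne 0) { throw "DefragAnalysis on $DriveLetter failed with code $($r.ReturnValue)" }
    New-Object PSObject -Property @{
        Drive                  = $DriveLetter
        TotalFragmentation     = [int]$r.DefragAnalysis.TotalPercentFragmentation
        FreeSpaceFragmentation = [int]$r.DefragAnalysis.FreeSpacePercentFragmentation
        Recommended            = [bool]$r.DefragRecommended
    }
}

function Invoke-SmartDefrag {
    param(
        [string]$DriveLetter        = "C:",
        [int]$FragmentThreshold     = 10,                    # percent, assumed value
        [int]$FreeSpaceThreshold    = 30,                    # percent, assumed value
        [DayOfWeek]$ConsolidateOn   = [DayOfWeek]::Sunday    # assumed day
    )
    $report = Get-FragmentationReport -DriveLetter $DriveLetter

    if ($report.Recommended -or $report.TotalFragmentation -ge $FragmentThreshold) {
        # Defrag(Force=$false) lets Windows refuse the run if free space is too low
        $vol = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$DriveLetter'"
        $res = Invoke-WmiMethod -InputObject $vol -Name Defrag -ArgumentList $false
        "Defragmented $DriveLetter (return code $($res.ReturnValue))"
    }
    elseif ((Get-Date).DayOfWeek -eq $ConsolidateOn -and
            $report.FreeSpaceFragmentation -ge $FreeSpaceThreshold) {
        # /X consolidates free space; defrag.exe runs at low priority unless /H is given
        defrag $DriveLetter /X
    }
    else {
        "Nothing to do on $DriveLetter (fragmentation $($report.TotalFragmentation)%, free space fragmentation $($report.FreeSpaceFragmentation)%)"
    }
}

# Usage (needs an elevated prompt for Defrag()/defrag.exe):
#   Get-FragmentationReport -DriveLetter "C:"
#   Invoke-SmartDefrag -DriveLetter "C:" -FragmentThreshold 15
```

Scheduling Invoke-SmartDefrag from Task Scheduler, as the post suggests for custom schedules, gives the “do nothing most of the time” behaviour without fighting the built-in weekly task.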

Anyway, I’m quite comfortable with the default behavior, but even that doesn’t mean I have to know nothing about my options.

LCDS: Create your own curriculum

Often I need to conduct some kind of internal presentation, just to relay the knowledge I have about the infrastructure and the procedures. It always takes some time to create or refresh some PowerPoint slides and get myself prepared to deliver it. It’s cool, but very time consuming. Now I am considering creating some internal learning curricula for these purposes. The tool I think I’ll be using for it is named MS Learning Content Development System. It’s quite a tool with a simple yet powerful interface, many features and abilities. You can download it here, then just install it and create some courses. You can embed audio and video, create a quiz or an assessment game… You name it. After that you can export it into one of several formats. No, really, if you have something to say, everything else is easy with the tool.

For example, it took me only 15 to 20 minutes to create my own demo course (of course, the media was ready by then).


A friend of mine tweeted about a new small but great tool: TextAnalysisTool.NET. It’s simple, yet can be very useful. What it does is just a simple search for a string or several strings in a file. Do you think “who has written such a stupid thing”? We have findstr, not to speak of PoSh and all that stuff. I thought so too. But when I took a look at it, I discovered that there are situations when it is simply great. For example:

  1. Looking for several different strings at the same time. Using the tools mentioned above it is not very convenient. With the new tool it is.
  2. You need to take a look not only at the string itself but at its surroundings. Again, it is not very easy with other tools.
  3. You need to revise your search in a large to very large file. When you do it with, say, findstr, it reads the whole file again. In my case (a log file of 640MB, over 2,000,000 lines) it takes 60 to 80 seconds. With the discussed tool it is way below 20 seconds. With PoSh it would probably be another story; still, considering the first two items in this list, TextAnalysisTool.NET is to be considered for use.

What can the tool do:

  • Open files (brilliant, isn’t it? =) ). It can also reload them if they change.


  • Load and save filters set. This can be useful if you search for the same patterns often. (It is in XML format, by the way, so you can take a look at it)
  • Usual search, like, say, in Winword. Except that it can be a RegExp.


  • Switch the view between the whole text, or only the strings you are looking for.



  • Mark some lines (select them and press Ctrl+<number>) and go to them by just pressing a number you’ve marked them with.


  • Create and edit filters. Filter can contain strings and RegExps. The results can be highlighted in color.


Well, it is in my arsenal from now on.

%SystemRoot%\System32 Secrets: compact & convert

I’ve been quite busy for some time, so here is a quick run over two utilities: compact and convert. The first one can still be used sometimes, while the second, I think, has almost died out. Let’s take a look at them.


Remember cipher? It’s the same stuff: cipher deals with encryption, this one – with compression on an NTFS volume. You need to script it or find it boring to use all that GUI? It’s for you. But seriously: do many people use it? I don’t like the feature, actually. But anyway, if you need it, you’ve got it.


This command I haven’t used for years. Really, who has a file system which can be converted to NTFS now? Probably on some thumb drive. Yet it was very useful back then, when we were all moving from Windows 9x to Windows 2000 or XP. I used it quite often, so when I found it still present on my W7 system, I decided to honor it even if it is worthless now. BTW, maybe it isn’t? Then tell me =)

%SystemRoot%\system32 secrets: cipher

The next command in my list is one you never remember until a user comes in with a cry: “I’ve reset my password and now all my EFS-encrypted files are gone!!!”. Are you familiar with the situation? I am not, fortunately, but I have heard some related horror stories. Backing up the encryption keys is the key. And updating the keys on the files. And creating recovery keys. And backing up the encryption keys. All that the utility in question can do for you.

There are plenty of articles about the actions described above. But when I tried to look at the utility’s description more closely, I found one new function: cipher with the “/W” argument and a folder will remove all data from unused disk space on the volume where the folder is placed. What it does is:

1) Creating folder EFSTMPWP on the volume:

2) Creating there a temp file (or several, according to some sources)


3) Writing zeros there, then ones, and finishing with some random values:


It does each step until the whole disk is filled up and then repeats:




Of course it is quite time consuming, especially on large volumes. But if I were the person designing the command, I’d rather have made it not just write zeros and ones, but encrypt every free cluster with a random key. Luckily it wasn’t me, so the procedure is not even longer 😉

The command asks you to close all applications to make the effort as effective as possible, mostly to eliminate all the temp files with data in them.

Further reading:

cipher /?

BITS Transfer PowerShell cmdlets

One friend of mine told me that I shouldn’t have spread knowledge about the BITSAdmin command while the PowerShell cmdlets were in place. Well, to some extent he is definitely right:

1) PowerShell is better self-documented.

2) It is waaaay easier to script with.

3) It is simpler to use in some basic situations like “just give me that darn file”.

4) Many people just like PoSh.

So, the tasks I did in my post about BITSAdmin seem to be doable in one command:

Start-BitsTransfer -Source <URL> -Destination <PathToFile>

but one needs to do their homework better:


Seems like the module for BITS is not imported by default. Let’s correct the mistake:


and now we have our cmdlets:


So, let our download begin:


Excellent, isn’t it (it even shows the progress very visually)? No, it isn’t. Because when I turned my network connection off the download was cancelled:


Even though it was stated that “BITS will try again”, it wouldn’t, and there wasn’t any job registered with BITS. I don’t know why, actually (I hope my friend will explain it to me), but I found a “workaround”. Just add the “-Asynchronous” option to the command line and it will work just fine for you, although you won’t be able to see that beautiful download bar:



But even when the state changed to “Transferred”, there was only a .tmp file in my directory. Actually, when I started the command without the “-Asynchronous” option, I got the file immediately after the end of the transfer, but you already know that you then cannot resume the transfer if it was interrupted. Therefore, I had to complete the transfer manually:


Not a very big difference from what we did with BITSAdmin, I guess. And I couldn’t tell how to monitor my jobs the way BITSAdmin /MONITOR does.

So, let’s sum it up:

1) PoSh is best for scripting

2) You can use whichever command set you are used to for interactive tasks, but remember that BITSAdmin can be discontinued at any moment

So, my best approach is: do everything I can with PoSh and monitor with BITSAdmin, until someone tells me how to do it with PoSh 😉
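The asynchronous workflow described in this post (start with -Asynchronous, wait for the job, resume it if it lands in the Error state, then Complete-BitsTransfer so the .tmp file becomes the real file), plus a small polling loop in the spirit of BITSAdmin /MONITOR, as an added example that is not from the original post. The function names, the placeholder URL and paths, the retry count and the poll interval are my assumptions; the cmdlets (Start-, Get-, Resume-, Complete-, Remove-BitsTransfer) and the JobState values are the BitsTransfer module’s own.

```powershell
# Added example: resumable download with the BitsTransfer cmdlets, and a job monitor.
Import-Module BitsTransfer

function Start-ResumableDownload {
    param(
        [string]$Source      = "http://example.invalid/big.iso",   # placeholder URL
        [string]$Destination = "$env:TEMP\big.iso",                 # assumed path
        [int]$PollSeconds    = 5,
        [int]$MaxRetries     = 10
    )
    $job = Start-BitsTransfer -Source $Source -Destination $Destination `
                              -DisplayName "example-download" -Asynchronous
    $retries = 0
    while ($true) {
        # Re-read the job to get its current state
        $job = Get-BitsTransfer -JobId $job.JobId
        switch ("$($job.JobState)") {
            "Transferred" {
                # Until the job is completed only a .tmp file exists on disk
                Complete-BitsTransfer -BitsJob $job
                return (Get-Item $Destination)
            }
            "Error" {
                $retries += 1
                if ($retries -gt $MaxRetries) {
                    $msg = $job.ErrorDescription
                    Remove-BitsTransfer -BitsJob $job
                    throw "Giving up after $MaxRetries retries: $msg"
                }
                # The job is still registered with BITS, so it resumes where it stopped
                Resume-BitsTransfer -BitsJob $job -Asynchronous | Out-Null
            }
            default {
                # Queued, Connecting, Transferring, TransientError: BITS retries on its own,
                # we only draw the progress bar the -Asynchronous mode hides
                $pct = 0
                if ($job.BytesTotal -gt 0) {
                    $pct = [int](100 * $job.BytesTransferred / $job.BytesTotal)
                }
                Write-Progress -Activity $job.DisplayName -Status "$($job.JobState)" -PercentComplete $pct
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

function Watch-BitsJobs {
    param([int]$Seconds = 60, [int]$Interval = 2)
    # Rough equivalent of "bitsadmin /monitor": redraw the job table every few seconds.
    # -AllUsers needs an elevated prompt; drop it to see only your own jobs.
    $end = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $end) {
        Clear-Host
        Get-BitsTransfer -AllUsers |
            Select-Object DisplayName, JobState, BytesTransferred, BytesTotal, ErrorDescription |
            Format-Table -AutoSize | Out-Host
        Start-Sleep -Seconds $Interval
    }
}

# Usage:
#   Start-ResumableDownload -Source "http://example.invalid/big.iso" -Destination "$env:TEMP\big.iso"
#   Watch-BitsJobs -Seconds 120      # in a second console while the download runs
```

Pulling the network cable while Start-ResumableDownload is polling is the easy way to see the difference from the synchronous call: the job stays registered, goes to TransientError or Error, and is picked up again by Resume-BitsTransfer instead of being cancelled.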