Author Archive

Get an MD5 or SHA1 Checksum with PowerShell

September 14th, 2011 tcnolan No comments

I was excited about the Windows 8 developer preview that was released earlier tonight, so I fired up Virtual PC to start playing around with it.  I ended up with an error when it was loading so I thought maybe I had a bad copy of the ISO so I thought "I know, I'll do a checksum test."  Unfortunately, I don't have a tool to take a checksum on my current machine so naturally I wrote a simple function in PowerShell to do the checksum test for me.

It has only a few simple parameters that you can enter: file and algorithm.  "File" is the actual file you want to checksum.  "Algorithm" is either "sha1" or "md5", so you can get either an MD5 or a SHA1 checksum of the specified file.

Update: If you came here looking for the SHA1/MD5 hashes for the Windows 8 CTP ISOs, here you go.

Windows Developer Preview with developer tools English, 64-bit (x64)
SHA1: 6FE9352FB59F6D0789AF35D1001BD4E4E81E42AF
MD5: 116EB08542BB48FE4314BB6DEA39335E

Windows Developer Preview English, 64-bit (x64)
SHA1: 79DBF235FD49F5C1C8F8C04E24BDE6E1D04DA1E9
MD5: DFCB53C7B32351784C37E5DE0A7B1167

Windows Developer Preview English, 32-bit (x86)
SHA1: 4E0698BBABE01ED27582C9FC16AD21C4422913CC
MD5: 9B7798438FA694ECFA465C93A4C23C97

You can download the full script after the jump.
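A checksum function of the kind described above, written here as an added example and not the author's downloadable script; the names Get-Checksum and Test-Checksum and the sample file are assumptions. It streams the file through the .NET hash classes and compares the result with a published value.

```powershell
# Added example, not the author's script. Get-Checksum and Test-Checksum are
# hypothetical names; -File and -Algorithm mirror the parameters the post describes.
function Get-Checksum {
    param(
        [Parameter(Mandatory = $true)][string]$File,
        [ValidateSet('md5', 'sha1')][string]$Algorithm = 'sha1'
    )
    # Resolve to a full file system path so the .NET call does not depend on
    # the process working directory, which can differ from the PowerShell location.
    $path = (Resolve-Path -LiteralPath $File).ProviderPath
    $hasher = switch ($Algorithm) {
        'md5'  { [System.Security.Cryptography.MD5]::Create() }
        'sha1' { [System.Security.Cryptography.SHA1]::Create() }
    }
    # Hash from a stream so a multi-gigabyte ISO is never loaded into memory.
    $stream = [System.IO.File]::OpenRead($path)
    try {
        $bytes = $hasher.ComputeHash($stream)
    }
    finally {
        $stream.Dispose()
        $hasher.Dispose()
    }
    # Upper-case hex without separators, the style used for the hashes listed above.
    return [System.BitConverter]::ToString($bytes).Replace('-', '')
}

function Test-Checksum {
    param(
        [Parameter(Mandatory = $true)][string]$File,
        [ValidateSet('md5', 'sha1')][string]$Algorithm = 'sha1',
        [Parameter(Mandatory = $true)][string]$Expected
    )
    # Published hashes are often pasted with spaces, dashes or in lower case.
    $want = ($Expected -replace '[\s-]', '').ToUpperInvariant()
    return (Get-Checksum -File $File -Algorithm $Algorithm) -eq $want
}

# Constructed sample: a temp file holding the bytes "abc", checked against the
# standard MD5 and SHA-1 test vectors for that input.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'checksum-sample.txt'
[System.IO.File]::WriteAllText($sample, 'abc')
Test-Checksum -File $sample -Algorithm md5  -Expected '900150983cd24fb0d6963f7d28e17f72'
Test-Checksum -File $sample -Algorithm sha1 -Expected 'a9993e36 4706816a ba3e2571 7850c26c 9cd0d89d'
Remove-Item -LiteralPath $sample
```

For a downloaded ISO, pass its path and the matching value from the list above to Test-Checksum. A match shows the download is not corrupted; MD5 and SHA1 are not collision-resistant, so it is not proof of origin.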


PowerShell Countdown Timer

August 28th, 2011 tcnolan No comments

As a Premier Field Engineer for Microsoft, I'm often presenting workshops to classrooms of people on various technologies.  During these workshops we take breaks and work on labs and it's nice to have some kind of countdown timer to show the attendees how much time is left in a break or until we begin the next module for example.

Sysinternals has a very useful tool called ZoomIt which allows presenters to zoom in, draw, and even display a countdown timer on the screen.  While this tool is well designed and is even used by many PFEs around the world, including myself, and while it includes useful features such as playing a sound when the timer has completed and even displaying a background image, it left me wanting more.  I just wanted something basic that I could use when presenting PowerShell material that would allow me to simply specify a time and a message… so I made my own.

Head after the jump to download the script.

Categories: Powershell

Escaping quotes in powershell.exe -command via command prompt

April 20th, 2011 tcnolan 1 comment

An interesting situation came up recently that involved having to execute a PowerShell script through the cmd.exe command prompt. It sounds pretty simple; after all, you can simply run powershell.exe -file "<path_to_script>" and call it a day. That wasn't the case here though because the -File parameter is only available in PowerShell V2 and this situation was dealing with V1. The only option then is to use the -command argument of powershell.exe and to execute the necessary code. This works great, but if you need to include a string with quotes, you may have some trouble.

Categories: Powershell

ASP.NET Code Delimiters

January 19th, 2011 tcnolan No comments

When working in ASP.Net there are a number of code delimiters you need to be aware of. The most recognizable one is <%, which anyone who has worked with anything from Classic ASP 1.0 (anyone remember IIS 3?) through ASP.Net 4.0 will recognize. Some people call them ASP.net tags or code shortcuts, both of which are only partly true. Calling them "tags" is a little misleading because ASP.NET tags are really things such as "<asp:DropDownList />" and "<asp:ListItem />". Calling them code shortcuts is a bit misleading as well because, while some of them are shortcuts (<%= ... %> is a shortcut for <% Response.Write (...) %>), not all of them have this kind of purpose.

Categories: ASP.Net

CA certificate expiration monitoring

August 9th, 2010 tcnolan No comments

A reader sent me a message asking how to modify the original CA monitoring script I wrote back in November so that instead of monitoring the pending requests, it would send a message based on expiring certificates. The answer is just a modification to the certutil command that was used in the original script.  The new script also allows you to specify the number of days of advance notification you are looking for; the default is 30 days.  Just keep in mind that if you run this script once a day, you will receive a notification every day until the certificate is either revoked/superseded or the certificate is past the time period specified.  Of course this is all irrelevant if you have the money to spend on SCOM which can do this with one of the released management packs.

The modified certutil command looks a bit like this:

certutil -view -restrict "NotAfter>=8/9/2010,NotAfter<=9/9/2010" -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name, CertificateTemplate, NotAfter" -config "<CA_SERVER_NAME>\<CA_NAME>"

This will return to you all of the certificates that are scheduled to expire between today (August 9th, 2010) and 30 days from now (September 9th, 2010).

You can download the new script here: Download monitor_ca_expiry.ps1

Update: Thanks to Aaron (from New Mexico? the original reader) who noticed I forgot one really useful bit of information from the status report that displays when you run the command: the date of expiration for the certificate.  I have updated the script and the sample above to reflect the change.
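The expiry query above with its date window computed from a day count, as an added example that is not the author's monitor_ca_expiry.ps1. The function names are assumptions, as is the "Row N:" test used to decide whether certutil returned any certificates; the -restrict, -out and -config values follow the command shown in the post.

```powershell
# Added example, not the author's monitor_ca_expiry.ps1. Function names are
# hypothetical; the certutil switches and column list are the ones in the post.
function Get-CertExpiryArguments {
    param(
        [string]$Config = '<CA_SERVER_NAME>\<CA_NAME>',   # placeholder from the post
        [int]$Days = 30,
        [datetime]$Today = (Get-Date).Date
    )
    if ($Days -lt 1) { throw 'Days must be at least 1.' }
    # M/d/yyyy is the date style used in the post. Assumption: the CA host uses
    # US-style regional settings; change the format string for other locales.
    $inv  = [System.Globalization.CultureInfo]::InvariantCulture
    $from = $Today.ToString('M/d/yyyy', $inv)
    $to   = $Today.AddDays($Days).ToString('M/d/yyyy', $inv)
    $columns = 'Request ID, Request Submission Date, Request Common Name, ' +
               'Requester Name, Request Email Address, Request Distinguished Name, ' +
               'CertificateTemplate, NotAfter'
    # Returned as an array so each value reaches certutil as a single argument,
    # with no hand-built quoting around the spaces, commas, < and >.
    return @('-view', '-restrict', "NotAfter>=$from,NotAfter<=$to",
             '-out', $columns, '-config', $Config)
}

function Get-ExpiringCertificateReport {
    param(
        [Parameter(Mandatory = $true)][string]$Config,
        [int]$Days = 30
    )
    $certutilArgs = Get-CertExpiryArguments -Config $Config -Days $Days
    $output = & certutil.exe @certutilArgs 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil exited with code ${LASTEXITCODE}: $output"
    }
    # Assumption: certutil -view prints a "Row N:" header for each match.
    # Return nothing when no certificate falls inside the window.
    if ($output -notmatch '(?m)^Row \d+:') { return $null }
    return $output
}

# Runs without a CA: show the -restrict value built for a 14-day window.
(Get-CertExpiryArguments -Days 14)[2]
```

Get-ExpiringCertificateReport needs certutil and a reachable CA; a scheduled task can mail its return value whenever it is not $null.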

Certificate Authority Request Monitoring with Powershell

November 24th, 2009 tcnolan No comments

Rolling out a certificate authority in Windows 2003 and Windows 2008 is a relatively trivial task if you are deploying a stand-alone CA. Enterprise CAs are a bit more complex, but that's a post for another day. The web interface (http://server.domain.local/certsrv/) is pretty limited and doesn't provide the greatest interface for manually requesting certificates; it even relies on cookies for managing requests. It would be really nice to see Microsoft build this into a truly useful application like what you get with the Thawte Certificate Center.

One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, events aren’t logged for new certificate requests so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low priority kind of service in your enterprise and can get neglected, which has happened in my case a few times.

This neglect prompted me to write the following Powershell script which very simply uses certutil to check if there are any pending requests, and then fire off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things, however I really only needed this for requests so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.

To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.

More information and a download link is after the break…

vSphere Client on Windows 7

September 4th, 2009 tcnolan 4 comments

Update 2010-03-03: Keep in mind that this was fixed in vSphere 4 Update 1. Although if you can’t move to Update 1 for some reason, this will still work.

Update 2009-09-08: I just updated the script because I received a report from wohali (Joan) over at VMware communities that they had a problem when the vSphere client was installed on a different drive and I have now fixed that problem.  I also added in support for making the host update utility work as well.  Lastly, I added a few output messages so you can see what’s going on and know what is getting done.

The past few months I have been enjoying Windows 7 quite a bit (both the RC and now the RTM), but at the office we use VMware for many of our clients and the vSphere Client unfortunately has an issue with Windows 7 due to an incompatibility with a .Net 2.0 library dll that comes installed on Windows 7.  When you install the vSphere client, you will be able to get through the install without an issue usually (If you have J# already installed you may encounter issues installing the vSphere client), but once you try to connect to your vSphere server you get an error stating “Error parsing <server> clients.xml file  Login will continue contact your system administrator” followed immediately by another error “The type initializer for “VirtualInfrastrcture.Utils.HttpWebRequestProxy” threw an exception” which then brings you back to the login screen and you are unable to connect in.

401 Error on HttpWebRequest with NTLM Authentication

August 24th, 2009 tcnolan 1 comment

Due to a security update to SMB that fixes a remote code execution vulnerability, you may experience 401.1 or 401.2 errors in certain situations while performing a WebRequest to one of your servers. This is because part of the security update institutes a loopback check on the authentication requests to prevent replay attacks. The Microsoft KB article refers to a few different scenarios where you can see authentication problems after applying this patch, but the one I’m most interested in is when you start getting 401 errors after an HttpWebRequest on an ASP.Net page.

The issues I experienced were while creating a page to display general status of one of my company's SharePoint servers. The main issue, which is the meat of this article, was when I switched the authentication over to use NTLM instead of Digest, which broke my script. Everything I had in place should have worked, but the previously mentioned security update slipped under the radar and it took a while to figure out what was going on. You can do a basic web request on a server with Basic authentication by doing the following:

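' Required at the top of the file
Imports System.IO
Imports System.Net

Dim _response As String
Dim _auth As String = "Basic"
Dim _uri As Uri = New Uri("http://my.domain.local/my-page.aspx")
' WebRequest.Create returns a WebRequest; cast it so this compiles under Option Strict On
Dim _req As HttpWebRequest = DirectCast(WebRequest.Create(_uri), HttpWebRequest)
Dim _cc As CredentialCache = New CredentialCache()
Dim _res As HttpWebResponse
Dim _sr As StreamReader

' Register the credential for this URI and authentication scheme.
' Basic sends the credential base64-encoded, so it is readable on the wire over plain http
_cc.Add(_uri, _auth, New NetworkCredential("username", "password", "domain"))
_req.PreAuthenticate = True
_req.Credentials = _cc.GetCredential(_uri, _auth)
_res = DirectCast(_req.GetResponse(), HttpWebResponse)
_sr = New StreamReader(_res.GetResponseStream())
_response = _sr.ReadToEnd()
' Release the reader and the underlying connection
_sr.Close()
_res.Close()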

Enumerate Distribution Groups Script Updated…

July 17th, 2009 tcnolan 2 comments

A reader sent in a question asking how to enumerate groups that have spaces in them and this led me to realize I didn't follow the specifications for valid distinguished names as well as I thought I had.  If you take a look at RFC 2253 and the Microsoft page that defines security group names, you will see what the allowed characters are for these names.  At this point the validation is a lot better, but it still isn't perfect.

If you encounter a situation where you need to enumerate members of a group that my validation does not allow, you can scroll down to line 271 in the script and change the $rx variable to ".+" to make it simple, which will allow you to pass any characters.  If you pass invalid characters you will get some funny errors happening, but it should work.  You may have to use quotes around the name if you are looking to use spaces or other allowed special characters.

Taking another look at the code, I also found a small bug that was causing the display of notes associated with a group to print out an error about null strings.  This should be fixed now.  If anyone notices any other problems, feel free to comment and let me know and I will try to fix it or add in the change as soon as possible.  I’ll be posting another update soon that goes the other direction of this script, one that enumerates group membership for a specific user.

Thanks again to Darren from Brisbane(?), Australia for pointing this out.

Here is the updated script download link: Download enumerate_groups.ps1

sp_help_revlogin cleaned up and revised with roles

July 8th, 2009 tcnolan No comments

When working with SQL Server there are often times where you will need to script your logins over to another server such as when you have database mirroring or log shipping configured for certain databases.   This is such a common thing that Microsoft provides in-depth instructions on how to do this as well as the T-SQL code required to do it, which you can read more about here: http://support.microsoft.com/kb/918992.  The script they provide is missing a few things so I took a little time to clean up the code, revise some of it, and add in a few of the missing pieces.

The three things that are overlooked in the Microsoft article that I have included are default language and default database (being mandatory) for logins as well as the scripting of roles.  The lack of the default language is pretty minor, but it’s something that could be important to people so I am including it in my script.  The lack of default databases being an option in the Microsoft script is not a big deal because it assumes you are scripting everything, but if you are only concerned with logins that are specific to a certain database you will get errors if you haven’t created that database on the target.  The lack of server roles is another important one that I have needed in previous configurations so it is also included here.  The resulting script is pretty long so you can check out the source of the revised procedure after the jump, which includes the sp_hexadecimal script from the Microsoft article.

Additionally, something just as important as the revlogin script itself is the question of “Well now that I have this script, how do I schedule this to happen automatically for me instead of just generating more code that I have to execute on the target server?” If you are asking that question then you might want to take a look at the next block of code. In order to automate sp_help_revlogin there are a few options, but the one that I prefer over all else is using osql and a SQL Agent job with a single T-SQL step because it is very simple to implement in most server configurations. The following script is relatively straight forward in that you only have one variable, the target server, to worry about. The only pre-requisites being that xp_cmdshell is enabled and that the Windows account that the job is being executed under has sysadmin rights to both servers. This script could easily be turned into a stored procedure but for the sake of brevity I have included it in its shortest form.

Disclaimer: Use these scripts at your own risk!!

-- Declare and set the target server...
DECLARE @TargetServer SYSNAME
SET @TargetServer = N'DB1.DOMAIN.LOCAL'

-- Define a temporary file to store the script output
DECLARE @guidfile VARCHAR(160)
SET @guidfile = '%TEMP%\' + CONVERT(SYSNAME, NEWID()) + '.txt'

-- execute sp_help_revlogin_roles and save the output to the temp file
DECLARE @cmd VARCHAR(8000)
SET @cmd = 'osql -E -n -h-1 -d master -w 8000 -Q "exec sp_help_revlogin_roles" -o "' + @guidfile + '"'
EXEC master.dbo.xp_cmdshell @cmd

-- execute the temp file on the target server
SET @cmd = 'osql -E -S ' + @TargetServer + ' -d master -w 8000 -i "' + @guidfile + '"'
EXEC master.dbo.xp_cmdshell @cmd

-- delete the temp file
SET @cmd = 'del "' + @guidfile + '"'
EXEC master.dbo.xp_cmdshell @cmd

Click here to view the code for sp_help_revlogin_roles

Categories: SQL