3. About me
C:\>whoami /all
USER INFORMATION
----------------
User Name       Twitter   E-Mail
==============  ========  ==================
ENTISYS\denisg  @fdwl     DenisG@entisys.com
GROUP INFORMATION
-----------------
Group Name                              Type              SID
======================================  ================  =================
BUILTIN\Geeks                           Mandatory group   S-1-5-32-540
Mandatory Label\Crazy Russian Label     Label             S-1-16-8192
COMMUNITY\Bay Area Citrix User Group    Well-known group  S-1-5-32-544
COMMUNITY\Russia Citrix User Group      Well-known group  S-1-5-32-545
9. Log Analysis
• Tons of data
– e.g. PVS logs can produce 10 Mb/minute
• Different sources and formats
– CDF Tracing
– Windows Event Logs
– Procmon
– Wireshark
– Text log files
11. Log Parser Input Formats
• IIS log files (W3C, IIS, NCSA, Centralized Binary Logs, HTTP Error logs, URLScan logs, ODBC logs)
• Windows Event Log
• Generic XML, CSV, TSV and W3C-formatted text files
• Windows Registry
• Active Directory Objects
• File and Directory information
• NetMon .cap capture files
• Extended/Combined NCSA log files
• ETW traces
13. SQL-Like Engine
SELECT
timegenerated,
EXTRACT_TOKEN(Strings,1,'|') AS Domain,
RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) AS User,
EXTRACT_TOKEN(Strings,3,'|') AS SessionName,
RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|')) AS ClientName,
EXTRACT_TOKEN(Strings,5,'|') AS ClientAddress,
EventID
FROM Security
WHERE EventID=4624 /* xp/2003 = 682 */
ORDER BY timegenerated
15. SQL-Like Engine
SELECT strFilename, dEventtime, strEventtype, strHostname, intThreadid, strThreadname,
       strThreadmessage, strSessiontype, strSessionid, strModule, strEventdata
USING
EXTRACT_FILENAME (logfilename) AS strFilename,
EXTRACT_SUFFIX(Text,0,']') AS strEventdata,
EXTRACT_SUFFIX(EXTRACT_PREFIX(Text,0,']'),0,'[') AS unparsedMeta,
EXTRACT_TOKEN(unparsedMeta,0,'|') AS unparsedDate,
TO_TIMESTAMP(unparsedDate,'yyyyMMdd?hh:mm:ss.ll?') AS dEventtime,
EXTRACT_TOKEN(unparsedMeta,1,'|') AS strEventtype,
EXTRACT_TOKEN(unparsedMeta,2,'|') AS strHostname,
EXTRACT_TOKEN(EXTRACT_TOKEN(unparsedMeta,3,'|'),0,' ') AS intThreadid,
EXTRACT_TOKEN(EXTRACT_TOKEN(unparsedMeta,3,'|'),1,' ') AS unparsedthreadname,
CASE unparsedthreadname
WHEN NULL THEN 'N/A'
ELSE unparsedthreadname
END AS strThreadname,
EXTRACT_TOKEN(unparsedMeta,4,'|') AS unParsedThreadmessageAndSessionID,
REPLACE_IF_NOT_NULL(LAST_INDEX_OF(unParsedThreadmessageAndSessionID,'D:'),1) AS sessD,
REPLACE_IF_NOT_NULL(LAST_INDEX_OF(unParsedThreadmessageAndSessionID,'R:'),2) AS sessR,
COALESCE(sessD,sessR,0) AS intSessionType,
CASE intSessionType
WHEN 0 THEN 'N/A'
WHEN 1 THEN 'Dynamic'
WHEN 2 THEN 'Real'
END AS strSessiontype,
CASE intSessionType
WHEN 0 THEN unParsedThreadmessageAndSessionID
WHEN 1 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,0,' D:')
WHEN 2 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,0,' R:')
END AS strThreadmessage,
CASE intSessionType
WHEN 0 THEN 'N/A'
WHEN 1 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,1,' D:')
WHEN 2 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,1,' R:')
END AS strSessionid,
EXTRACT_TOKEN(unparsedMeta,5,'|') AS strModule
INTO '[OUTPUTFILE]XenServer.csv'
FROM '[LOGFILEPATH]'
WHERE dEventtime is NOT NULL
ORDER BY dEventtime
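The field extraction that the query above performs with EXTRACT_TOKEN, COALESCE and CASE, redone in Python as an added example (not part of the deck): the bracketed meta block is split on '|', the thread id and name are separated, the D:/R: session marker is peeled off the message, and the rows that parse are sorted and written as CSV. The sample lines are constructed to match the layout the query expects; they are not real XenServer output.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample lines (not real XenServer output) in the layout the query expects:
# [timestamp|type|host|threadid threadname|message D:session|module] event data
SAMPLE_LOG = """\
[20121105T10:23:45.123Z|debug|xs-host1|4321 unix-RPC|session.login_with_password D:f0e1d2c3|xapi] Session.create trackid=abc
[20121105T10:23:46.001Z| info|xs-host1|4322|VM.start R:9a8b7c6d|xapi] VM.start: VM = 'vm-1'
[20121105T10:23:47.500Z|error|xs-host1|4323 monitor|Heartbeat lost|xapi] Host.host_is_dead
not a log line at all
"""
META_RE = re.compile(r"^\[(?P<meta>[^\]]*)\](?P<data>.*)$")
FIELDS = ["event_time", "event_type", "hostname", "thread_id", "thread_name",
          "thread_message", "session_type", "session_id", "module", "event_data"]

def parse_line(text):
    """One record per line, or None when it does not parse (WHERE dEventtime IS NOT NULL)."""
    m = META_RE.match(text)
    parts = m.group("meta").split("|") if m else []   # the six '|'-separated meta tokens
    if len(parts) < 6:
        return None
    try:  # 'yyyyMMdd?hh:mm:ss.ll?' in the query: the '?' wildcards are 'T' and 'Z'
        when = datetime.strptime(parts[0].strip(), "%Y%m%dT%H:%M:%S.%fZ")
    except ValueError:
        return None
    thread = parts[3].split(" ", 1)                    # "4321 unix-RPC" -> id, optional name
    msg = parts[4]
    # D: (dynamic) wins over R: (real), exactly like COALESCE(sessD, sessR, 0)
    for marker, kind in ((" D:", "Dynamic"), (" R:", "Real")):
        if marker in msg:
            msg, _, sid = msg.rpartition(marker)
            break
    else:
        kind, sid = "N/A", "N/A"
    return dict(zip(FIELDS, [when, parts[1].strip(), parts[2], thread[0],
                             thread[1] if len(thread) > 1 else "N/A",
                             msg, kind, sid, parts[5], m.group("data").strip()]))

def to_csv(log_text):
    """Keep the lines that parse, ORDER BY event time, and render the CSV the query writes."""
    rows = sorted(filter(None, map(parse_line, log_text.splitlines())),
                  key=lambda r: r["event_time"])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```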
17. Log Parser Output Formats
– Write data to text files in different formats (CSV, TSV, XML, W3C, user-defined, etc.)
– Send data to a SQL database
– Send data to a SYSLOG server
– Create charts and save them in either GIF or JPG image files
– Display data to the console or to the screen
21. How To Use Log Parser
• From command line
– check the help file
• From PowerShell
– http://bit.ly/LogParserPowerShell
• As scheduled task
• In your scripts
– Set oLogQuery = CreateObject("MSUtil.LogQuery")
• From Log Parser Studio
– http://bit.ly/LogParserStudio
34. Wilogutl.exe
• Assists the analysis of log files from a Windows Installer installation, and displays suggested solutions to errors found in a log file
• Available in the Windows SDK
• Msiexec /i BadApp.msi /l*v c:\temp\BadApp.log
40. Windows Installer Transforms
• Generic way to customise an installation
• A Transform describes the delta between the original MSI package and the customised version
– Saved to an .MST file
– Is applied on the fly
41. Orca
• MSI Database Editor
• When to use?
– Removing launch conditions
– Un-advertising shortcuts
– Changing install levels for features
– Creating transforms
– http://bit.ly/OrcaMSI
42. WiX Toolset
• Builds Windows Installer (MSI) packages from XML
• Integrates with Visual Studio
• Can decompile MSI
• Can be used to repackage your apps
• Create packages for Merchandising Server
– http://bit.ly/MerchMeta
• GUI is available
– http://bit.ly/WiXEditors
48. Every time you disable UAC…
Steve Ballmer kills a kitten
Please, think of the kittens
49. Every time you:
• Modify ACLs on Program Files or HKLM
• Make a user a local admin
• Just give users SeBackup, SeRestore, SeCreateGlobal and SeLoadDriver privileges, but keep them as standard users
50. Why Are Applications Asking For Elevation?
• Some apps are old and don’t have an embedded manifest
• Some apps try to write to Program Files or HKLM
• The app is not signed
• Some developers are just lazy
51. Manifests
• XML file that contains parameters required for an .exe or .dll to run
• May contain a list of required components or supported OS versions
• May configure the need for elevation per file:
– asInvoker
– highestAvailable
– requireAdministrator
• Can be external or internal (embedded)
• Use mt.exe from the SDK to inject a manifest
• Use SigCheck.exe from Sysinternals to view the manifest
54. File Virtualization Implementation
• File system virtualization is implemented in a file system filter driver, luafv.sys
[Diagram: a virtualized application’s write to Windows\App.ini passes from user mode into the kernel through luafv.sys (layered above ntfs.sys) and is redirected to Users\<user>\AppData\Local\VirtualStore\Windows\App.ini; a non-virtualized application’s write to Windows\App.ini gets Access Denied]
55. Virtualized Files
• Redirected file system locations:
– %ProgramFiles%
– %AllUsersProfile% (ProgramData – what was Documents and Settings\All Users)
– %SystemRoot% (Windows)
– %SystemRoot%\System32 (Windows\System32)
• Exceptions:
– Files that have executable extensions (.exe, .bat, .vbs, .scr, etc.)
– Prevents masking of system executables for servicing and security
– Exceptions can be added or removed via the ExcludedExtensionsAdd and ExcludedExtensionsRemove values under HKLM\System\CurrentControlSet\Services\Luafv\Parameters
• Per-user virtual root:
– %UserProfile%\AppData\Local\VirtualStore
• Troubleshooting file virtualization
– Event Log: UAC-FileVirtualization
• Note: Virtual files do not roam with Roaming Profiles
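The redirection rules from this slide (redirected roots, executable-extension exceptions, the per-user VirtualStore root) as a small decision function, added here as an example and not taken from the deck. It assumes the process is one UAC virtualizes at all (a legacy, unmanifested, non-elevated interactive 32-bit app), that C: is the system drive, and it only knows the four excluded extensions the slide names; the `extra_excluded` parameter stands in for ExcludedExtensionsAdd.

```python
import ntpath

# Roots the slide says luafv.sys redirects, plus the 32-bit Program Files directory on x64.
# Assumption in this example: C: is the system drive.
REDIRECTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)",
                    r"C:\ProgramData", r"C:\Windows")
# Only the extensions the slide lists; the real list is longer and is tuned with the
# ExcludedExtensionsAdd / ExcludedExtensionsRemove values under Luafv\Parameters.
EXCLUDED_EXTENSIONS = frozenset({".exe", ".bat", ".vbs", ".scr"})
VIRTUAL_STORE = r"C:\Users\{user}\AppData\Local\VirtualStore"


def virtual_store_path(path, user, extra_excluded=()):
    """Where a virtualized application's write to `path` lands, or None when luafv
    would not redirect it (a write the app has no rights to then fails with Access
    Denied instead). `extra_excluded` plays the role of ExcludedExtensionsAdd."""
    norm = ntpath.normpath(path)
    ext = ntpath.splitext(norm)[1].lower()
    if ext in EXCLUDED_EXTENSIONS or ext in {e.lower() for e in extra_excluded}:
        return None  # executables are never masked by a per-user copy
    for root in REDIRECTED_ROOTS:
        if norm.lower().startswith(root.lower() + "\\"):
            # VirtualStore mirrors the path below the drive root:
            # C:\Windows\App.ini -> ...\VirtualStore\Windows\App.ini
            return ntpath.join(VIRTUAL_STORE.format(user=user), norm[3:])
    return None  # e.g. the user's own profile: written in place, nothing to redirect
```

When troubleshooting a "lost" INI or data file, this is the location to check first, together with the UAC-FileVirtualization event log named on the slide.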
56. Registry Virtualization
• Virtualizes most locations under HKLM\Software
• Keys that are not virtualized:
– HKLM\Software\Microsoft\Windows
– HKLM\Software\Microsoft\Windows NT
– HKLM\Software\Classes
• Per-user location: HKCU\Software\Classes\VirtualStore
• A flag on a registry key defines whether it can be virtualized
• “Reg flags HKLM\Software” shows the flags for HKLM\Software
57. Useful tools
• Microsoft Windows Software Development Kit (SDK)
• mt.exe – embed manifests
• signtool.exe – Sign Executables
60. Assessment and Deployment Kit
• Combines Windows Automated Installation Kit (AIK) and OEM Preinstallation Kit (OPK)
• Integrates tools that used to be separate downloads
• Adds new assessment tools
• Contains lots of stuff…
• http://bit.ly/ADKToolkit
61. ADK Tools
• Application Compatibility Toolkit
– Application Compatibility Manager
– Compatibility Administrator
– Standard User Analyzer
• Deployment Tools
– BCDBoot, BCDEdit, Bootsect
– DISM (and ImageX)
– OSCDImg
– WDSMCAST
– Windows System Image Manager
• User State Migration Tool
– Scanstate
– Loadstate
– UsmtUtils
• Volume Activation Management Tool
• Windows PE
– CopyPE
– SetSANPolicy
– MakeWinPEMedia
• Windows Performance Toolkit
– Wpa
– Wpr
– XBootMgr
• Windows Assessment Services
• Windows Assessment Toolkit
62. What is in ACT?
• Application Compatibility Manager
– Helps to create and analyse applications
• Standard User Analyzer
– Easy to use GUI to create shims
• Windows Application Verifier
– Checks application for potential compatibility issues
• Windows Compatibility Administrator
– helps you select and apply compatibility fixes
66. What Are Shims?
• Applied to specific apps
– Configured with Compatibility Administrator in the App Compat Toolkit
– Deployable to the enterprise
• Changes what the app thinks it sees
• Does not change what the app is allowed to do
67. What Are Shims Good For?
• Great for many kinds of bugs:
– Bad Windows version checks
– Writing to HKCR at runtime
– Unnecessary checks for “am I admin?”
– Writing to WRP-protected keys and files
– Windows thinks your app is an installer
– File/Registry redirections
69. Most Used Shims
• VirtualRegistry
– Fixes the problem with reading/writing a registry value
– AddRedirect (HKLM\Key ^ HKCU\Key ^ HKLM\Key2 ^ HKCU\Key2)
• CorrectFilePaths
– Fixes the problem with reading/writing a file
– c:\Program.ini=%AppData%\Program.ini
• WRPRegDeleteKey
– Lies when the app tries to delete a protected OS registry key
• ForceAdminAccess
– Spoofs queries of administrator group membership
• VirtualizeDeleteFile
– Spoofs deletion of a global file
• LocalMappedObject
– Forces global section objects into the user’s namespace
• VirtualizeHKCRLite, VirtualizeRegisterTypeLib
– Redirect global registration of COM objects
72. Compatibility Administrator
• Used to create advanced shims
• Can be used to create warning messages
• Windows 8 contains 7239 apps in its AppCompat database
• Shims can be installed using the %windir%\system32\sdbinst.exe utility
• About 400 shims available
81. Xperf
• Was a part of the Windows 7 SDK
• Grab process lifetimes
• Captures and analyzes information to help troubleshoot Windows
performance issues
– Slow boot
– GPO processing delays
– Application performance issues
– Slow services
– Ugly minifilter drivers
91. System assessment basics
• System assessment is a process that uses the ADK tools to measure and analyze a PC
• Assessments are core functionality tests
• Combinations of these tests provide additional measures of the entire PC experience
• Quality expectations are changing
• Software + hardware + Windows = PC experience
• The way we measure PC quality must also change
92. System assessments
• CheckLogo and driver assessments
• File handling
• Photo handling
• Internet Explorer launch/tab create
• Hybrid boot
• On/off assessments (boot/shutdown/S3/S4)
• Browser assessment
• Media transcode performance
• Metro performance
• Memory footprint
• First boot experience
• Media streaming
• WinSAT comprehensive
• Battery life (and idle efficiency analysis)
• MiniFilter driver performance impact (option for other assessments)
• Internet browsing workload for battery life assessment
• Windows Media Player performance and quality
93. What Metrics Are Captured by the Assessment
• Both boot and shutdown durations are captured using Event Tracing for Windows (ETW).
• Process-level details such as CPU and disk utilization are also provided.
• Assisted Performance Diagnostics identifies potentially problematic performance issues.
94. • Run the assessments on computers without downloading the ADK on all systems.
95. Key Takeaways
• Use Log Parser to combine or transform log files
• Use Manifests to control UAC behavior and enable UAC Virtualization
• Use Application Compatibility Administrator to “patch” your applications
• Use Assessment Engine to compare performance of your desktops and servers
• Use Performance Recorder and Analyzer to optimize boot
97. Q&A
• @fdwl
• denisg@entisys.com
• http://BayCUG.com
• http://blog.itbubble.ru
Editor’s Notes
I’m going to talk about old school, so let’s make slides look older first!
We will talk about tools that are available from Microsoft, tools that will help you in your day-to-day work, and tools that will help with Windows XP migration.
Disclaimer: Free software doesn’t mean that it’s totally free; please read the EULA each time you download anything from any website.
Hard to find required info
Query for combining PVS Logs
EVENTS: Find All Remote Logons
Typical output of XenServer logging
Query that transform unreadable XenServer output into CSV format
Event Comb allows you to:
– Define either a single Event ID, or multiple Event IDs to search for
– Define a range of Event IDs to search for
– Limit the search to specific event logs
– Limit the search to specific event message types
– Limit the search to specific event sources
– Search for specific text within an event description
– Define specific time intervals to scan back from the current date and time
For a complete set of features: http://support.microsoft.com/kb/308471/en-us
Gather specific events from event logs from several different computers into one central location. Specifying the event logs and event types to search: Event Logs – System, Application, Security; Event types – Error, Informational, Warning. For more details on auditing and monitoring: http://www.microsoft.com/technet/security/topics/auditingandmonitoring.mspx
Xpirience Windows XP and Metaframe XP delivering Microsoft Office XP Running on AMD Athlon XP Processor
Everyone needs to migrate from Windows XP
Can we migrate to MacOS or Linux??
No, we can’t migrate to a fancy-looking OS; there are no LOB apps there
Ok, we try to migrate, and the first problem we see is an installation failure
If the installer was built using MSI, try to enable logging and use Wilogutl.exe from the SDK
When you find the root cause of the error, use Orca to edit the MSI
When Orca is not enough, use the WiX toolset
Example of WiX file for creating msi with a root cert
Use free tools to edit XML
Use the same free tools for creating UPM Cross-Platform files
requireAdministrator – The application runs only for administrators and requires that the application be launched with the full token of an administrator
asInvoker – The application runs with the same token as the parent process
highestAvailable – The application runs with the highest privileges the current user can obtain
Windows ADK Overview. Key Messages: Collection of assessment and deployment tools to aid in the deployment of Windows 8. Required for any automated Windows 8 operating system deployment using the MDT and/or the Operating System Deployment (OSD) feature in System Center 2012 Configuration Manager. Keep the discussion brief as this is not the primary focus of the session.
The Windows ADK is a collection of assessment and deployment tools that aid in the deployment of Windows 8. These tools are required for any automated Windows 8 operating system deployment using the MDT and/or the OSD feature in System Center 2012 Configuration Manager. Each of the tools in the Windows ADK will be discussed in separate slides.
So, there are tons of shims; how do you choose the right one?
Use SUA
Or LUA Buglight from Aaron Margosis
How to deal with slow logons?
Xperf command line for troubleshooting slow logons. Not easy?
Use WPA
Windows Assessment Console: Create consistent metrics from systems with reproducible targeted tests. Assessments show the results and issues.
Demo: Start > All Programs > Windows Kits > Windows ADK > Windows Assessment Console. Home tab: introduce Jobs, Details, Results, and Run. Run a job. Results tab: introduce Chart and Table, Issues and details. Link to Windows Performance Analyzer.
Easily create a collection of the most useful assessments: start a new job, select assessments, configure the settings, save.
There are a lot of free tools available from Microsoft; some of them are well-known, such as Resource Kits and Support Tools for Windows. Lots of tools like where.exe, ktlist, robocopy or taskkill were included with the latest version of Windows.
– Resource Kits, Support Tools, Administration Kits and RSAT
– Sysinternals: http://live.sysinternals.com/procmon.exe
– Software Development Kits (SDK)
– Blah Kits and Yada Yada Yada Manager
– Windows Assessment and Deployment Kit (ADK)
– Windows Automated Installation Kit (AIK)
– Application Compatibility Toolkit (ACT)
– Enhanced Mitigation Experience Toolkit (EMET)
– Deployment Toolkit (MDT)
– Business Desktop Deployment (BDD)
– Security Compliance Manager (SCM)
– Assessment and Planning (MAP) Toolkit