SYN507: Reducing desktop infrastructure management overhead using “old school” tactics Slides from #CitrixSynergy 2013 #GeekSpeak

1. Denis Gundarev
Senior Consultant
Entisys Solutions
SYN507: Reducing desktop
infrastructure management
overhead using “old school” tactics

2. SYN507: Reducing desktop
infrastructure management
overhead using “old school”
tactics
Denis Gundarev
Senior Consultant
Entisys Solutions

3. About me
C:>whoami /all
USER INFORMATION
----------------
User Name Twitter E-Mail
============== ============ ==================
ENTISYSdenisg @fdwl DenisG@entisys.com
GROUP INFORMATION
-----------------
Group Name Type SID
====================================== ================ =================
BUILTINGeeks Mandatory group S-1-5-32-540
Mandatory LabelCrazy Russian Label S-1-16-8192
COMMUNITYBay Area Citrix User Group Well-known group S-1-5-32-544
COMMUNITYRussia Citrix User Group Well-known group S-1-5-32-545

4. Agenda
Overview
Log file analysis
Windows migration
Windows Installer
User Account Control
Application Compatibility
Performance and Assessment Toolkits
Q&A

5. Old School != Outdated

6. “Free” Tools Disclaimer
TANSTAAFL*
*"There ain't no such thing as a free lunch"

7. “Free” Tools Disclaimer
TANSTAAFL*
*"There ain't no such thing as a free lunch"

8. Log File Analysis

9. Log Analysis
• Tons of data
– i.e. PVS logs can produce 10 Mb/minute
• Different sources and formats
– CDF Tracing
– Windows Event Logs
– Procmon
– Wireshark
– Text log Files

11. Log Parser Input Formats
• IIS log files (W3C, IIS, NCSA, Centralized Binary Logs, HTTP
Error logs, URLScan logs, ODBC logs)
• Windows Event Log
• Generic XML, CSV, TSV and W3C - formatted text files
• Windows Registry
• Active Directory Objects
• File and Directory information
• NetMon .cap capture files
• Extended/Combined NCSA log files
• ETW traces

12. SQL-Like Engine
SELECT
EXTRACT_FILENAME (Filename) as FileName,
date as date,
level as level,
message as message
INTO '[OUTPUTFILE]Errors.csv'
FROM '[LOGFILEPATH]'
order by date DESC

13. SQL-Like Engine
SELECT
timegenerated,
EXTRACT_TOKEN(Strings,1,'|') AS Domain,
RESOLVE_SID(EXTRACT_TOKEN(Strings,0,'|')) AS User,
EXTRACT_TOKEN(Strings,3,'|') AS SessionName,
RESOLVE_SID(EXTRACT_TOKEN(Strings,4,'|')) AS
ClientName,
EXTRACT_TOKEN(Strings,5,'|') AS ClientAddress,
EventID
FROM Security
WHERE EventID=4624 /* xp/2003 = 682 */
ORDER BY timegenerated

15. SQL-Like Engine
SELECT strFileName,dEventtime,strEventtype,strHostname,intThreadid,strThreadname,strThreadmessage,strSessiontype,strSessionid, strModule,strEventdata
USING
EXTRACT_FILENAME (logfilename) AS strFilename,
EXTRACT_SUFFIX(Text,0,']') AS strEventdata,
EXTRACT_SUFFIX(EXTRACT_PREFIX(Text,0,']'),0,'[') AS unparsedMeta,
EXTRACT_TOKEN(unparsedMeta,0,'|') AS unparsedDate,
TO_TIMESTAMP(unparsedDate,'yyyyMMdd?hh:mm:ss.ll?') AS dEventtime,
EXTRACT_TOKEN(unparsedMeta,1,'|') AS strEventtype,
EXTRACT_TOKEN(unparsedMeta,2,'|') AS strHostname,
EXTRACT_TOKEN(EXTRACT_TOKEN(unparsedMeta,3,'|'),0,' ') AS intThreadid,
EXTRACT_TOKEN(EXTRACT_TOKEN(unparsedMeta,3,'|'),1,' ') AS unparsedthreadname,
CASE unparsedthreadname
WHEN NULL then 'N/A'
ELSE unparsedthreadname
END AS strThreadname,
EXTRACT_TOKEN(unparsedMeta,4,'|') AS unParsedThreadmessageAndSessionID,
REPLACE_IF_NOT_NULL(LAST_INDEX_OF(unParsedThreadmessageAndSessionID,'D:'),1) AS sessD,
REPLACE_IF_NOT_NULL(LAST_INDEX_OF(unParsedThreadmessageAndSessionID,'R:'),2) AS sessR,
COALESCE(sessD,sessR,0) AS intSessionType,
case intSessionType
When 0 THEN 'N/A'
When 1 THEN 'Dynamic'
When 2 THEN 'Real'
END AS strSessiontype,
case intSessionType
When 0 THEN unParsedThreadmessageAndSessionID
When 1 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,0,' D:')
When 2 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,0,' R:')
END AS strThreadmessage,
case intSessionType
When 0 THEN 'N/A'
When 1 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,1,' D:')
When 2 THEN EXTRACT_TOKEN(unParsedThreadmessageAndSessionID,1,' R:')
END AS strSessionid,
EXTRACT_TOKEN(unparsedMeta,5,'|') AS strModule
INTO '[OUTPUTFILE]XenServer.csv'
FROM '[LOGFILEPATH]'
WHERE dEventtime is NOT NULL
ORDER BY dEventtime

17. Log Parser Output Formats
– Write data to text files in different formats
(CSV, TSV, XML, W3C, user-defined, etc.)
– Send data to a SQL database
– Send data to a SYSLOG server
– Create charts and save them in either GIF or JPG
image files
– Display data to the console or to the screen

21. How To Use Log Parser
• From command line
– check the help file
• From PowerShell
– http://bit.ly/LogParserPowerShell
• As scheduled task
• In your scripts
– Set oLogQuery = CreateObject("MSUtil.LogQuery")
• From Log Parser Studio
– http://bit.ly/LogParserStudio

22. EventCombMT

23. EventCombMT

24. Account Lockout Management

25. Log Analysys
• Log Parser 2.2 -
http://bit.ly/LogParser
• Log Parser Studio -
http://bit.ly/LogParserStudio
• EventCombMT and Account
Lockout tools -
http://bit.ly/ALTools

26. Windows Migration

27. Once upon a time…

29. 12 years later…..

31. 31

32. 32

33. Installation

34. 34
Wilogutl.exe
• Assists the analysis of log files from a Windows Installer
installation, and it displays suggested solutions to errors that are
found in a log file
• Available in the Windows SDK
• Msiexec /i BadApp.msi /l*v c:tempBadApp.log

35. 35
Wilogutl.exe

36. 36
Wilogutl.exe

37. 37
Wilogutl.exe

38. 38
Orca

39. 39
Orca

40. 40
Windows Installer Transforms
• Generic way to customise
an installation
• A Transform describes the delta between the original MSI
package and the customised version
– Saved to an .MST file
– Is applied on the fly

41. 41
Orca
• MSI Database Editor
• When to use?
– Removing launch conditions
– Un-advertising shortcuts
– Changing install levels for features
– Creating transforms
– http://bit.ly/OrcaMSI

42. 42
WiX Toolset
• Builds Windows Installer (MSI) packages from XML
• Integrates with Visual Studio
• Can decompile MSI
• Can be used to repackage your apps
• Create packages for Merchandising Server
– http://bit.ly/MerchMeta
• GUI is available
– http://bit.ly/WiXEditors

43. 43
WiX’s Simple Syntax 
<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="{2445FCA1-F833-4C97-87A2-618A4AE1EAB7}" Language="1033" Manufacturer="IT Bubble" Name="IT Bubble
Certificates" UpgradeCode="{2A124791-AAD0-4BE9-A719-3DEED3A49041}" Version="1.0.0.0">
<Package Comments="This installer database contains the logic and data required to install IT Bubble
Certificates." Compressed="yes" Description="IT Bubble Root Certs" InstallerVersion="200" Languages="1033"
Manufacturer="IT Bubble" Platform="x86" />
<Binary Id="ITB.cer" SourceFile="binBinaryITB.cer" />
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder" Name="PFiles">
<Directory Id="IT BubbleCert" Name="IT BubbleCert">
<Component Id="IT BubbleCert" Guid="{22AA9F50-0CA6-491F-AC1B-B0FD00BEF0A1}" KeyPath="yes">
<Certificate Id="Certificate.RootCA" Name="ITB.cer" StoreName="root"
StoreLocation="localMachine" Overwrite="yes" BinaryKey="ITB.cer" xmlns="http://schemas.microsoft.com/wix/IIsExtension"
/>
</Component>
</Directory>
</Directory>
</Directory>
<Feature Id="IT BubbleCert" Level="1" Title="IT BubbleCert">
<ComponentRef Id="IT BubbleCert" />
</Feature>
<Property Id="ALLUSERS" Value="1" />
</Product>
</Wix>

44. 44
XML Notepad 2007
• Free XML Editor with Syntax
check
• http://bit.ly/XMLNotepad

45. 45
XMLNotepad & Profile Management

46. 46 |
User Account Control

48. Every time you disable UAC…
Steve Ballmer kills a kitten
Please, think of the kittens

49. Every time you:
•Modifying ACLs on Program Files or
HKLM
•Making user a local admin
•Just give users
SeBackup, SeRestore, SeCreateGlobal
and SeLoadDriver privileges, but keep
them as standard users

50. Why Applications Are Asking For Elevation?
• Some apps are old and doesn’t have embedded manifest
• Some apps trying to write to Program Files or HKLM
• App is not signed
• Some developers are just lazy

51. Manifests
• XML file that contains parameters required for .exe or .dll to run
• May contain list of required components or supported OS
• May configure the need for elevation per file:
• asInvoker
• highestAvailable
• requireAdministrator
• Can be External or Internal
• Use mt.exe from the SDK to inject a manifest
• Use SigCheck.exe from SysInternals to view the manifest

52. UAC Manifests
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity type="win32" processorArchitecture="*" version="1.0.0.0"
name="MyApplication.exe"/>
<description>MyApplication</description>
<ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2">
<ms_asmv2:security>
<ms_asmv2:requestedPrivileges>
<ms_asmv2:requestedExecutionLevel
level="asInvoker||highestAvailable||requireAdministrator"/>
</ms_asmv2:requestedPrivileges>
</ms_asmv2:security>
</ms_asmv2:trustInfo>
</assembly>

53. UAC Virtualization
• Applications without manifest will be virtualized by default

54. File Virtualization Implementation
• File system virtualization is implemented in a file system filter driver, luafv.sys
Luafv.sys
Ntfs.sys
Virtualized
Application
User Mode
Kernel Mode
WindowsApp.ini
Users<user>AppDataLocal
VirtualStoreWindowsApp.ini
Non-Virtualized
Application
WindowsApp.ini
Access Denied

55. Virtualized Files
• Redirected file system locations:
• %ProgramFiles%
• %AllUsersProfile% (ProgramData – what was Documents and SettingsAll Users)
• %SystemRoot% (Windows)
• %SystemRoot%System32 (WindowsSystem32)
• Exceptions:
• Files that have executable extensions (.exe, .bat, .vbs, .scr, etc)
• Prevents masking of system executables for servicing and security
• Exceptions can be added or removed in HKLMSystemCurrentControlSetServicesLuafvParameters
ExcludedExtensionsAdd or ExcludedExtensionsRemove
• Per-user virtual root:
• %UserProfile%AppDataLocalVirtualStore
• Troubleshooting file virtualization
• Event Log: UAC-FileVirtualization
• Note: Virtual files do not roam with Roaming Profiles

56. Registry Virtualization
• Virtualizes most locations under HKLMSoftware
• Keys that are not virtualized:
• HKLMSoftwareMicrosoftWindows
• HKLMSoftwareMicrosoftWindows NT
• HKLMSoftwareClasses
• Per user location: HKCUSoftwareClassesVirtualStore
• Flag on a registry key defines if it can be virtualized
• “Reg flags HKLMSoftware” shows flags for HKLMSoftware

57. Useful tools
• Microsoft Windows Software Development Kit (SDK)
• mt.exe – embed manifests
• signtool.exe – Sign Executables

58. Assessment and Deployment Kit

59. 59
Assessment and Deployment Kit

60. 60
Assessment and Deployment Kit
• Combines Windows Automated Installation Kit
(AIK) and OEM Preinstallation Kit (OPK)
• Integrates tools that used to be separate
downloads
• Adds new assessment tools
• Contains lots of stuff…
• http://bit.ly/ADKToolkit

61. 61
ADK Tools
• Application Compatibility Toolkit
– Application Compatibility Manager
– Compatibility Administrator
– Standard User Analyzer
• Deployment Tools
– BCDBoot, BCDEdit, Bootsect
– DISM (and ImageX)
– OSCDImg
– WDSMCAST
– Windows System Image Manager
• User State Migration Tool
– Scanstate
– Loadstate
– UsmtUtils
• Volume Activation Management
Tool
• Windows PE
– CopyPE
– SetSANPolicy
– MakeWinPEMedia
• Windows Performance Toolkit
– Wpa
– Wpr
– XBootMgr
• Windows Assessment Services
• Windows Assessment Toolkit

62. 62
What is in ACT?
• Application Compatibility Manager
– Helps to create and analyse applications
• Standard User Analyser
– Easy to use GUI to create shims
• Windows Application Verifier
– Checks application for potential compatibility issues
• Windows Compatibility Administrator
– helps you select and apply compatibility fixes

63. 63
Application Compatibility Manager

64. 64
Application Verifier

65. 65
Introduction to Shims

66. 66
What Are Shims?
• Applied to specific apps
– Configured with Compatibility Administrator in the App Compat Toolkit
– Deployable to enterprise
• Changes what the app thinks it sees
• Does not change what app is allowed to do

67. 67
What Are Shims Good For?
• Great for many kinds of bugs:
– Bad Windows version checks
– Writing to HKCR at runtime
– Unnecessary checks for “am I admin?”
– Writing to WRP-protected keys and files
– Windows thinks your app is an installer
– File/Registry redirections

68. 68
Version Lie Shims
• Win95VersionLie
• WinNT4SP5VersionLie
• Win98VersionLie
• Win2000VersionLie
• Win2000SP1VersionLie
• Win2000SP2VersionLie
• Win2000SP3VersionLie
• WinXPVersionLie
• WinXPSP1VersionLie
• WinXPSP2VersionLie
• Win2K3RTMVersionLie
• Win2K3SP1VersionLie
• VistaRTMVersionLie
• VistaSP1VersionLie
• VistaSP2VersionLie
• Win7RTMVersionLie

69. 69
Most Used Shims
• VirtualRegistry
– Fixes the problem with
reading/writing registry value
– AddRedirect ( HKLMKey ^
HKCUKey ^ HKLMKey2 ^
HKCUKey2)
• CorrectFilePaths
– Fixes the problem with
reading/writing a file
– c:Program.ini=
%AppData%Program.ini
• WRPRegDeleteKey
– Lie when app tries to delete
protected OS registry key
• ForceAdminAccess
– Spoofs queries of administrator
group membership
• VirtualizeDeleteFile
– Spoofs deletion of global file
• LocalMappedObject
– Forces global section objects into
user’s namespace
• VirtualizeHKCRLite, VirtualizeRe
gisterTypeLib
– Redirects global registration of COM
objects

70. 70
Compatibility Administrator

71. 71
Warning Messages
Citrix Confidential - Do Not

72. 72
Compatibility Administrator
• Used to create advanced shims
• Can be used to create a warning messages
• Windows 8 contain 7239 apps in a AppCompat database
• Shims can be installed using %windir%system32sdbinst.exe
utility
• About 400 shims available

73. 73
Citrix Confidential - Do Not

74. 74
Standard User Analyzer
Citrix Confidential - Do Not

75. 75
Standard User Analyzer
Citrix Confidential - Do Not

76. 76
LUABudLight
Citrix Confidential - Do Not

77. 77
Why Applications Are Asking For Elevation?
• Some apps really need it

78. Performance and Assessment
Toolkits

79. Assessment and Deployment Kit

81. Xperf
• Was a part of Windows 7 SDK
• Grab process lifetimes
• Captures and analyzes information to help troubleshoot Windows
performance issues
– Slow boot
– GPO processing delays
– Application performance issues
– Slow services
– Ugly minifilter drivers

82. Xperf

83. Xperf

84. Xperf

85. Xperf
C:>xperf -on base+latency+dispatcher+NetworkTrace+Registry+FileIO -
stackWalk CSwitch+ReadyThread+ThreadCreate+Profile -BufferSize 128 -start
UserTrace -on "Microsoft-Windows-Shell-Core+Microsoft-Windows-
Wininit+Microsoft-Windows-Folder Redirection+Microsoft-Windows-User
Profiles Service+Microsoft-Windows-GroupPolicy+Microsoft-Windows-
Winlogon+Microsoft-Windows-Security-Kerberos+Microsoft-Windows-User
Profiles General+e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc+63b530f8-29c9-4880-
a5b4-b8179096e7b8+2f07e2ee-15db-40f1-90ef-9d7ba282188a" -BufferSize 1024
-MinBuffers 64 -MaxBuffers 128 -MaxFile 1024

86. Windows 8 ADK
• Windows Performance
Analyzer replaces xperview
• Windows Performance
Recorder replaces
xbootmgr
– Also replaces xperf trace
capture functionality
• xperf command line actions
remain in WPT

88. Windows ADK

89. Windows Assessment Console and Engine

90. Windows Assessment Console and Engine

91. System assessment basics
• System assessment is a process that uses the ADK tools to
measure
and analyze a PC
• Assessments are core functionality tests
• Combinations of these tests provide additional measures of the
entire PC experience
• Quality expectations are changing
• Software + hardware + Windows = PC experience
• The way we measure PC quality must also change

92. System assessments
• CheckLogo and driver assessments
• File handling
• Photo handling
• Internet Explorer launch/tab create
• Hybrid boot
• On/off assessments (boot/shutdown/S3/S4)
• Browser assessment
• Media transcode performance
• Metro performance
• Memory footprint
• First boot experience
• Media streaming
• WinSAT comprehensive
• Battery life (and idle efficiency analysis)
• MiniFilter driver performance impact
(option for other assessments)
• Internet browsing workload for battery
life assessment
• Windows Media Player performance
and quality

93. What Metrics are captured by the Assessment
• Both Boot and Shutdown durations are captured using Event Tracing
for Windows (ETW)..
• Process level details such as CPU and Disk utilization are also
provided.
• Assisted Performance Diagnostics identifies potentially problematic
performance issues.

94. • Run the assessments on computers without
downloading the ADK on all systems.

95. • Use Log Parser to combine or transform log files
• Use Manifests to control UAC behavior and enable UAC
Virtualization
• Use Application Compatibility Administrator to “patch” your
applications
• Use Assessment Engine to compare performance of your
desktops and servers
• Use Performance Recorder and Analyzer to optimize boot
Key Takeaways

96. Confidential – Internal Use Only

97. Confidential – Internal Use Only
Q&A
• @fdwl
• denisg@entisys.com
• http://BayCUG.com
• http://blog.itbubble.ru