I'm using check_mk as monitoring solution and I disabled WMI service cause it create timeout when check_mk query for information.
Get-WmiObject / Get-Disk / Get-PSDrive use WMI service to get information and I would like to get disk information like total space, used space etc without using WMI beacause I can't.
Do you know any workaround do to that?
TL;DR -
(echo select disk=0 & echo list partition & (for /l %A in (1,1,10) do #echo select disk=next &#echo list partition)) | diskpart | findstr /i /v /r "^$ > microsoft ^reached ^select ^there ^the\ start"
Details -
The 'diskpart.exe' command can get you what you want. It requires admin rights, but since you mentioned disabling services, that didn't sound like an issue.
Rather than interacting with DISKPART's unique menu system, this example will blindly request the list of partitions on the first 11 disks (and filter away unnecessary lines..). Should be enough.
:-)
Cmd:
(echo select disk=0 & echo list partition & (for /l %A in (1,1,10) do #echo select disk=next &#echo list partition)) | diskpart | findstr /i /v /r "^$ > microsoft ^reached ^select ^there ^the\ start"
Output From My Live System:
Disk 0 is now the selected disk.
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1863 GB 1024 KB
Disk 1 is now the selected disk.
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 350 MB 1024 KB
Partition 2 Primary 270 GB 351 MB
Partition 3 Recovery 845 MB 271 GB
Partition 4 Primary 204 GB 272 GB
Disk 2 is now the selected disk.
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 931 GB 1024 KB
Related
Here's the output from cygwin
> cat /proc/partitions
8 0 500107608 sda
8 1 266240 sda1
8 2 16384 sda2
8 3 472585216 sda3 C:\
8 4 26214400 sda4 D:\
8 5 1024000 sda5
Here's the output from wmic in Powershell
> wmic diskdrive get Name,Model,SerialNumber,Size,Status
Model Name SerialNumber Size Status
NVMe SAMSUNG MZVLW512 \\.\PHYSICALDRIVE0 0025_38BB_1410_1481. 512105932800 OK
Is 'sda' in cat/proc/partitions a 1:1 equivalence with '\.\PHYSICALDRIVE0'
Followup - here I only have 1 disk drive. If I had multiple drives attached would there be an easy command to tell which 'wmic' entry corresponds to which 'proc/partitions' entry?
I expect the sequence maintained. On my system the
SDA is PhysicalDrive0
SDB is PhysicalDrive1
and the dimensions in byte vs KB is almost matching
wmic diskdrive get Name,Model,SerialNumber,Size,Status
Model Name SerialNumber Size Status
ST1000LM035-1RK172 \\.\PHYSICALDRIVE0 WL10S143 1000202273280 OK
SAMSUNG MZNLN256HAJQ-000H1 \\.\PHYSICALDRIVE1 S3T6NE0JC13444 256052966400 OK
$ cat /proc/partitions
major minor #blocks name win-mounts
8 0 976762584 sda
8 1 960658432 sda1 D:\
8 2 16102400 sda2 E:\
8 16 250059096 sdb
8 17 266240 sdb1
8 18 16384 sdb2
8 19 248765440 sdb3 C:\
8 20 1003520 sdb4
I can get all event log messages via WMI in powershell like
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security'"
To enumerate all event logs I use
Get-WmiObject win32_nteventlogfile
FileSize LogfileName Name NumberOfRecords
-------- ----------- ---- ---------------
26218496 Application C:\WINDOWS\System32\Winevt\Logs\Application.evtx 75510
69632 HardwareEvents C:\WINDOWS\System32\Winevt\Logs\HardwareEvents.evtx 0
69632 Internet Explorer C:\WINDOWS\System32\Winevt\Logs\Internet Explorer.evtx 0
69632 Key Management Service C:\WINDOWS\System32\Winevt\Logs\Key Management Service.evtx 0
69632 OAlerts C:\WINDOWS\System32\Winevt\Logs\OAlerts.evtx 39
69632 Parameters C:\WINDOWS\System32\Winevt\Logs\Parameters.evtx 0
12652544 Security C:\WINDOWS\System32\Winevt\Logs\Security.evtx 18840
69632 State C:\WINDOWS\System32\Winevt\Logs\State.evtx 0
8458240 System C:\WINDOWS\System32\Winevt\Logs\System.evtx 15108
69632 Windows Azure C:\WINDOWS\System32\Winevt\Logs\Windows Azure.evtx 0
2166784 Windows PowerShell C:\WINDOWS\System32\Winevt\Logs\Windows PowerShell.evtx 1656
So far found not a way to parse all other logs showing up under Applications and Service Logs
With Powershell I can get the log files via
Get-WinEvent -ListLog *
LogMode MaximumSizeInBytes RecordCount LogName
------- ------------------ ----------- -------
Circular 15728640 1656 Windows PowerShell
Circular 1052672 0 Windows Azure
Circular 20971520 15123 System
Circular 20971520 19404 Security
Circular 1052672 39 OAlerts
Circular 20971520 0 Key Management Service
Circular 1052672 0 Internet Explorer
Circular 20971520 0 HardwareEvents
Circular 26214400 75525 Application
Circular 1052672 0 WitnessClientAdmin
Circular 1052672 Windows Networking Vpn Plugin Platform/OperationalVerbose
Circular 1052672 Windows Networking Vpn Plugin Platform/Operational
Circular 1052672 0 SMSApi
Circular 1052672 66 Setup
Circular 1052672 0 OpenSSH/Operational
Circular 1052672 0 OpenSSH/Admin
Circular 1052672 Network Isolation Operational
Circular 1052672 0 Microsoft-WS-Licensing/Admin
Circular 1052672 0 Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel
Circular 1052672 0 Microsoft-Windows-WWAN-SVC-Events/Operational
But when I try to read other log files then I get nothing. When I try to read e.g. the Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant file I get nothing back:
Get-WmiObject -query "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant'"
The log file has a different name
Directory of C:\Windows\System32\winevt\Logs
12/26/2019 07:55 PM 69,632 Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
In the event viewer the name is displayed as
What would be the correct log file name I need to enter to the WMI query to read the events?
Better late than never I guess.
Create the following key in registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Program-Compatibility-Assistant/Analytic
No values required, just the key.
You should then be able to run a query like this
select * from Win32_NTLogEvent where logfile = 'Microsoft-Windows-Program-Compatibility-Assistant/Analytic'
According to MS docs, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/restart-computer?view=powershell-6#inputs
Restart-Computer
is the command but the thing is i have two types of restarts on the server:
planned
unplanned
how can i specify the type so that its something like:
Restart-Computer Other(Planned) some_server
The short answer is you can't; not with Restart-Computer. You can, however, use the built-in Windows utility shutdown.exe to provide a reason.
In action:
shutdown.exe /r /f /m \\SERVERNAME /t 0 /d p:0:0 /c "Restart for maintenance"
Help document according to my Server2016 build:
Usage: C:\WINDOWS\system32\shutdown.exe [/i | /l | /s | /r | /g | /a | /p | /h | /e | /o] [/hybrid] [/soft] [/fw] [/f]
[/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]
No args Display help. This is the same as typing /?.
/? Display help. This is the same as not typing any options.
/i Display the graphical user interface (GUI).
This must be the first option.
/l Log off. This cannot be used with /m or /d options.
/s Shutdown the computer.
/r Full shutdown and restart the computer.
/g Full shutdown and restart the computer. After the system is
rebooted, restart any registered applications.
/a Abort a system shutdown.
This can only be used during the time-out period.
Combine with /fw to clear any pending boots to firmware.
/p Turn off the local computer with no time-out or warning.
Can be used with /d and /f options.
/h Hibernate the local computer.
Can be used with the /f option.
/hybrid Performs a shutdown of the computer and prepares it for fast startup.
Must be used with /s option.
/fw Combine with a shutdown option to cause the next boot to go to the
firmware user interface.
/e Document the reason for an unexpected shutdown of a computer.
/o Go to the advanced boot options menu and restart the computer.
Must be used with /r option.
/m \\computer Specify the target computer.
/t xxx Set the time-out period before shutdown to xxx seconds.
The valid range is 0-315360000 (10 years), with a default of 30.
If the timeout period is greater than 0, the /f parameter is
implied.
/c "comment" Comment on the reason for the restart or shutdown.
Maximum of 512 characters allowed.
/f Force running applications to close without forewarning users.
The /f parameter is implied when a value greater than 0 is
specified for the /t parameter.
/d [p|u:]xx:yy Provide the reason for the restart or shutdown.
p indicates that the restart or shutdown is planned.
u indicates that the reason is user defined.
If neither p nor u is specified the restart or shutdown is
unplanned.
xx is the major reason number (positive integer less than 256).
yy is the minor reason number (positive integer less than 65536).
Reasons on this computer:
(E = Expected U = Unexpected P = planned, C = customer defined)
Type Major Minor Title
U 0 0 Other (Unplanned)
E 0 0 Other (Unplanned)
E P 0 0 Other (Planned)
U 0 5 Other Failure: System Unresponsive
E 1 1 Hardware: Maintenance (Unplanned)
E P 1 1 Hardware: Maintenance (Planned)
E 1 2 Hardware: Installation (Unplanned)
E P 1 2 Hardware: Installation (Planned)
E 2 2 Operating System: Recovery (Unplanned)
E P 2 2 Operating System: Recovery (Planned)
P 2 3 Operating System: Upgrade (Planned)
E 2 4 Operating System: Reconfiguration (Unplanned)
E P 2 4 Operating System: Reconfiguration (Planned)
P 2 16 Operating System: Service pack (Planned)
2 17 Operating System: Hot fix (Unplanned)
P 2 17 Operating System: Hot fix (Planned)
2 18 Operating System: Security fix (Unplanned)
P 2 18 Operating System: Security fix (Planned)
E 4 1 Application: Maintenance (Unplanned)
E P 4 1 Application: Maintenance (Planned)
E P 4 2 Application: Installation (Planned)
E 4 5 Application: Unresponsive
E 4 6 Application: Unstable
U 5 15 System Failure: Stop error
U 5 19 Security issue (Unplanned)
E 5 19 Security issue (Unplanned)
E P 5 19 Security issue (Planned)
E 5 20 Loss of network connectivity (Unplanned)
U 6 11 Power Failure: Cord Unplugged
U 6 12 Power Failure: Environment
P 7 0 Legacy API shutdown
I've hacked together a solution that allows me to commit changes to my Go language application to Azure Websites, compile into a Go binary, and then update the Web.Config to have the httpPlatformHandler use the newly created binary. This allows me to easily deploy changes to my Go app and have them (almost) instantly available on my Azure website. It's a neat prototype, and you can check it out here: https://github.com/wadewegner/azure-website-go-builder/
If you look at the last line of the deploy.cmd you'll see that I use Powershell to kill a w3wp.exe process. This forces it to restart and use the updated Web.Config.
powershell "stop-process (Get-Process w3wp | Sort-Object ws | Select -first 1).Id"
This is a hack and not ideal. In a default scenario there are two w3wp.exe processes running - one for our website and one for the SCM website (which is a management website). It will not work if we have more than one instance of our Azure website running. It also assumes that the right process to kill is the one with the smaller memory footprint - this is a bad assumption to make.
In Azure Websites we don't have a lot of facilities at our disposal for finding and killing processes.
When I run Get-Process w3wp ... I get this kind of output today:
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
364 40 7196 16032 85 0.55 5516 w3wp
667 77 61972 77372 350 5.72 3448 w3wp
However, with two instances of my website, it could be:
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
364 40 7196 16032 85 0.55 5516 w3wp
364 40 7196 16032 85 0.55 5517 w3wp
667 77 61972 77372 350 5.72 3448 w3wp
(Manually updated to make my point.)
So, the question is, what's the right way to choose the two processes I want to kill? I don't want to kill 3448.
Additionally, how do I find a better heuristic to choose the right processes?
I uploaded tlist.exe to run tlist -t and get this output:
D:\home\site\wwwroot>tlist -t
AdjustTokenPrivileges failed with 1300
w3wp.exe (5516)
20150107_070323.exe (4936)
w3wp.exe (3448)
cmd.exe (1976)
tlist.exe (5868)
This makes it clear that 5516 is the PID I want to kill.
Is there a way in Powershell to run Get-Process but if it somehow inspect child processes and filter out the w3wp.exe PID with the cmd.exe process?
Thank you!
We have a product log database which only produces insert sql。 But we found that
The autovacuum process took so much memory。 it takes about 16 GB at peak, And it is
happend about every 2 month。The folloing is the detail information, Any one know it?
And the table skytf.urs_user_log_201105 only has insert operation, and have no
update,delete operations, So i think the table has no dead tuples! But why the autovacuum
process takes so much memory on the table?
--top detail
top - 16:39:46 up 225 days, 1:12, 1 user, load average: 1.29, 1.51, 1.52
Tasks: 341 total, 2 running, 339 sleeping, 0 stopped, 0 zombie
Cpu(s): 4.8%us, 5.3%sy, 0.0%ni, 85.5%id, 4.1%wa, 0.0%hi, 0.4%si, 0.0%st
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
29267 postgres 14 -1 27.0g 16g 2928 S 1.0 72.2 199:59.74 postgres: autovacuum launcher process
From the above, we can see that the autovacuum process taks about 16 gb;
--current sql
postgres=# select datname, current_query from pg_stat_activity where current_query !='<IDLE>';
datname | current_query
----------+-------------------------------------------------------------------------------------
skytf | autovacuum: VACUUM skytf.urs_user_log_201105 (to prevent wraparound)
--table size
skytf=> \dt+ urs_user_log_201105
List of relations
Schema | Name | Type | Owner | Size | Description
--------+---------------------+-------+--------+-------+-------------
skytf | urs_user_log_201105 | table | skytf | 62 GB |
(1 row)
--memory state
postgres#logdb-> free -m
total used free shared buffers cached
Mem: 24104 24028 75 0 4 5545
-/+ buffers/cache: 18479 5625
Swap: 16386 8824 7561
If you look at this:
autovacuum: VACUUM skytf.urs_user_log_201105 (to prevent wraparound)
this is not a regular autovacuum. it is running to prevent transaction wraparound. this kind of autovacuum must run before transaction id goes beyond two billion. read more at here:
http://www.postgresql.org/docs/8.3/static/routine-vacuuming.html#VACUUM-FOR-WRAPAROUND
you can control the behavior of it with vacuum_freeze_min_age, vacuum_freeze_max_age. you can not disable this kind of autovacuum whether you have disabled autovacuum or not.
only has insert operation, and have no update,delete operations, So i think the table has no dead tuples!
If memory serves, autovacuum will actually do two things:
vacuum
analyze
The first won't kick in if you only ever get inserts. But the second continues to do so when PG thinks the stats might have changed a bit.