Adplus.exe EventLog action for Exceptions not working - adplus

I'm trying to tweak a configuration file for Adplus.exe and I've encountered an Action EventLog which is, by default, turned on for second chance exceptions. However, I compared the logs with and without EventLog but it seems the effects are just the same. I expected it to generate an Event Viewer log, but it didn't.
Here is my cfg snippet:
<Exception Code='eh'>
  <Actions1> Log;stack;</Actions1>
  <ReturnAction1> GN </ReturnAction1>
</Exception>
<Exception Code='AV'>
  <Actions1> Log;stack;FullDump;EventLog</Actions1>
  <ReturnAction1> GN </ReturnAction1>
</Exception>
<Exception Code='*'>
  <Actions1> Log;stack </Actions1>
  <ReturnAction1> GN </ReturnAction1>
</Exception>
<Exception Code='epr'>
  <Actions1> Log;</Actions1>
</Exception>
<Exception Code='bpe'>
  <Actions1> Log </Actions1>
  <ReturnAction1> GN </ReturnAction1>
</Exception>
Please take note of the EventLog in Exception Code='AV' (sorry, I can't highlight or bold that part). I tried enabling/disabling this and the generated logs are exactly the same. Is it really working? If yes, where can the event log be found? Or was it already deprecated?
Also, I checked the Adplus v7 documentation and EventLog is not included there, but like I said, by default it's enabled for 2nd chance exceptions, as seen in the generated DebuggerScript.txt below.
UPDATE: It is not in the documentation but is displayed when we run ADPlus -HelpConfig.
*| Default Exception Behavior:
*| Action1: Log
*| Return1: GN
*| Action2: Log;Time;Stack;FullDump;EventLog
*| Return2: Q
*| Default Event Behavior:
*| Action1: Log
*| Return1: GN
*|
*| Exceptions:
*| av-AccessViolation
*| Action1: Log;stack;FullDump
*| Return1: GN
*| Action2: Log;Time;Stack;FullDump;EventLog
*| Return2: Q
*| ch-InvalidHandle
*| Action1: Log
*| Return1: GN
*| Action2: Log;Time;Stack;FullDump;EventLog
*| Return2: Q
Thanks in advance!

Found it. It's on the DebuggerScript.txt with prefix !elog_str.
Adding/removing EventLog in Actions didn't change anything in the log since it's always enabled by default for second chance exceptions. Also, the event log displays only the description of the actual Event Viewer log.
Actual event viewer log sample:
The description for Event ID 0 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
ADPlus detected a SecondChance_clr_NET_CLR in ExceptionGenerator.exe with Process ID 5516 and the output directory is logs\20180312_084515_Crash_Mode
the message resource is present but the message is not found in the string/message table
Adplus EventLog sample:
!elog_str ADPlus detected a SecondChance_av_AccessViolation in AdpProcName with Process ID AdpProcID and the output directory is AdpDumpDir;Q"
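Since the event lands in the Application log as Event ID 0 with no message resource, the easiest way to find it afterwards is to query that log and pick the ADPlus text out of the "The following information was included with the event" block. The following is an added example, not code from the original post or from ADPlus; the regex follows the !elog_str template quoted above, the sample message is constructed from the Event Viewer text in the answer, and the live query assumes ADPlus has run on the machine where it is executed.

```powershell
# Added example: locate ADPlus EventLog entries in the Application log and split
# the fixed message template into fields. Not part of the original post.

# Template from the !elog_str line: kind, process name, PID, output directory.
$adplusTemplate = '^ADPlus detected a (?<kind>\S+) in (?<process>.+?) with Process ID (?<procid>\d+) and the output directory is (?<dir>.+)$'

function ConvertFrom-AdplusEvent {
    param([Parameter(Mandatory)][string]$Message)

    # Event Viewer prepends the "description ... cannot be found" boilerplate because the
    # source has no message table; the ADPlus text is the first line matching the template.
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line.Trim() -match $adplusTemplate) {
            return [pscustomobject]@{
                Kind      = $Matches.kind
                Process   = $Matches.process
                ProcessId = [int]$Matches.procid
                OutputDir = $Matches.dir.Trim()
            }
        }
    }
    return $null   # not an ADPlus event
}

# Constructed sample, taken from the Event Viewer text quoted in the answer.
$sample = @'
The description for Event ID 0 from source Application cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
ADPlus detected a SecondChance_clr_NET_CLR in ExceptionGenerator.exe with Process ID 5516 and the output directory is logs\20180312_084515_Crash_Mode
'@
ConvertFrom-AdplusEvent -Message $sample

# Live query: Event ID 0 in the Application log, keep only the ADPlus messages.
Get-WinEvent -LogName Application -FilterXPath '*[System[EventID=0]]' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*ADPlus detected a*' } |
    ForEach-Object { ConvertFrom-AdplusEvent -Message $_.Message } |
    Where-Object { $_ }
```

The parsed OutputDir is the directory ADPlus wrote the dump to, so this is also a quick way to map a crash event back to its dump when several processes are being monitored.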

Related

Parsing Windows Defender event log in PowerShell

I need to parse Windows Defender event log. With this command
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object { $_.LevelDisplayName -ne "Information" } | Select-Object -ExpandProperty Message
I get this output:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/TFTPD32&threatid=12892&enterprise=0
Name: Trojan:Win32/TFTPD32
ID: 12892
Severity: Severe
Category: Trojan
Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA; file:_\\server\share\path\file3.exe::$DATA;
Detection Origin: Network share
Detection Type: Concrete
Detection Source: Real-Time Protection
User: DOMAIN\user
Process Name: C:\Windows\SMSProxy\Microsoft.StorageMigration.Proxy.Service.exe
Signature Version: AV: 1.335.1263.0, AS: 1.335.1263.0, NIS: 1.335.1263.0
Engine Version: AM: 1.1.18000.5, NIS: 1.1.18000.5
When there are multiple files and the line starting with Path: is very long, it is truncated. Not the message property, but only the line.
When I see the record using Event Log viewer, the line is complete.
Is there a way to get full length of the line?
I need to get lines with Name: and Path: from the Message property (multi-line string) only.
How can I get it using e.g. RegEx ^\s+(Name|Path): ?
Update:
I mismatched event log records; even in Event Log the line Path is truncated.
The second part of the question remains: How to get only some lines from multiline property?
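For the second part of the question, the Message property keeps the event's line breaks, so it can be split into lines and filtered with the `^\s*(Name|Path):` pattern from the question, then the `Path:` list broken up on `;`. The block below is an added example, not code from the original post or from Microsoft; the sample message is constructed from the output shown in the question (placeholder paths), the live pipeline reuses the question's own filter, and the truncation flag is a heuristic of mine (each Defender path entry ends in `;`, so a Path value that does not is taken as cut off).

```powershell
# Added example: extract only the Name: and Path: lines from a multi-line Defender
# detection message and split the Path list. Not from the original post.

function ConvertFrom-DefenderMessage {
    param([Parameter(Mandatory)][string]$Message)

    $fields = @{}
    # The Message property keeps the event's CRLF/LF line breaks; one pass, keep only two keys.
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(?<key>Name|Path):\s*(?<value>.*)$') {
            $fields[$Matches.key] = $Matches.value.Trim()
        }
    }

    $pathValue = $fields['Path']
    # Heuristic (assumption): every entry ends with ';', so a value without a trailing ';'
    # was cut off in the event itself, which the question's update confirms can happen.
    $truncated = [bool]($pathValue -and -not $pathValue.EndsWith(';'))

    # 'Path:' is a ';'-separated list of "file:_<path>" items; strip the prefix per item.
    $paths = @()
    if ($pathValue) {
        $paths = @($pathValue -split ';' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ } |
            ForEach-Object { $_ -replace '^file:_', '' })
    }

    [pscustomobject]@{
        Name              = $fields['Name']
        Paths             = $paths
        PathCount         = $paths.Count
        PossiblyTruncated = $truncated
    }
}

# Constructed sample from the question's output (single-quoted so ::$DATA is kept literally).
$sample = @'
Windows Defender Antivirus has detected malware or other potentially unwanted software.
 Name: Trojan:Win32/TFTPD32
 ID: 12892
 Severity: Severe
 Category: Trojan
 Path: file:_\\server\share\path\file1.exe::$DATA; file:_\\server\share\path\file2.exe::$DATA; file:_\\server\share\path\file3.exe::$DATA;
 Detection Origin: Network share
 User: DOMAIN\user
'@
ConvertFrom-DefenderMessage -Message $sample

# Against the live log, with the same filter the question used.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -ne 'Information' } |
    ForEach-Object { ConvertFrom-DefenderMessage -Message $_.Message } |
    Where-Object { $_.Name }
```

Note that parsing cannot recover what the event itself never contained: when PossiblyTruncated is true the last path is incomplete and the full list has to come from another source (for example the detection history on the host).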

Chef: Two contradicting not_if powershell guard statements evaluating to true

So I am working with Chef and need to chain some resources together if a precondition is true. I need to check if the version of a process is what I want it to be and, if so, do things. I was seeing odd behavior and noticing that my guard statements were not being evaluated in the way I would expect. So I made these tests:
log 'log_version' do
  message 'Peregrin Took'
  level :error
  guard_interpreter :powershell_script
  not_if <<-EOH
    (C:\\Program Files\\telegraf\\telegraf.exe --version) -Like '*1.7.2*'
  EOH
end
log 'log_version' do
  message 'Meriadoc Brandybuck'
  level :error
  guard_interpreter :powershell_script
  not_if <<-EOH
    (C:\\Program Files\\telegraf\\telegraf.exe --version) -NotLike '*1.7.2*'
  EOH
end
And when I run this I get
Recipe: win-telegraf::telegraf
* log[log_version] action write[2018-07-24T07:31:42-07:00] INFO: Processing log[log_version] action write (win-telegraf::telegraf line 47)
[2018-07-24T07:31:42-07:00] INFO: Processing powershell_script[Guard resource] action run (dynamically defined)
[2018-07-24T07:31:43-07:00] ERROR: Peregrin Took
* log[log_version] action write[2018-07-24T07:31:43-07:00] INFO: Processing log[log_version] action write (win-telegraf::telegraf line 57)
[2018-07-24T07:31:43-07:00] INFO: Processing powershell_script[Guard resource] action run (dynamically defined)
[2018-07-24T07:31:43-07:00] ERROR: Meriadoc Brandybuck
Why are both of these statements logging? When I run these powershell snippets in the vm I get one returning true and the other returning false. So I would expect only one log line to write. But when I run both of them are writing.
After doing some reading it seems that the guard statement makes its decision off the $LASTEXITCODE, and in the case of my statement both will have a $LASTEXITCODE of 0.
So I have tried changing my guard statement to force an exit code of something other than 0
log 'log_version' do
  message 'Peregrin Took'
  level :error
  guard_interpreter :powershell_script
  not_if <<-EOH
    if((C:\\Program Files\\telegraf\\telegraf.exe --version) -Like '*1.7.2*') { exit 1 }
  EOH
end
log 'log_version opposite' do
  message 'Meriadoc Brandybuck'
  level :error
  guard_interpreter :powershell_script
  not_if <<-EOH
    if((C:\\Program Files\\telegraf\\telegraf.exe --version) -NotLike '*1.7.2*') { exit 1 }
  EOH
end
Though this has not changed results and I am still seeing both log resources executed.
So I got a working guard. The issue was with the space in Program Files and the --version being interpreted as PowerShell code. I fixed it by making my guard string like this:
"(&'c:\\Program Files\\telegraf\\telegraf.exe' --version) -like '*#{node['windows']['telegraf']['version']}*'"
By single-quoting the path, the path was correctly interpreted by PowerShell, and I needed the & operator so that the string in the parentheses was interpreted like a cmdlet.
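The failure is reproducible outside Chef, which is the quickest way to debug a guard: PowerShell tokenises `C:\Program Files\telegraf\telegraf.exe --version` as a command named `C:\Program` with two arguments, so the guard body raises a command-not-found error before any comparison runs. The block below is an added example, not code from the original post, from Chef or from telegraf; the path and version string are the thread's, telegraf.exe is assumed to be installed only for the second half, and the first half fails the same way whether or not it is. Chef's powershell_script guard converts a boolean result of the script into the exit code it acts on (convert_boolean_return, on by default for guards), so the expression itself must evaluate cleanly to $true or $false.

```powershell
# Added example: show why the unquoted guard body fails, then a guard-style check
# that uses the call operator on the quoted path. Not from the original post.

# 1. The original guard body exactly as PowerShell receives it once Ruby has unescaped the heredoc.
$brokenGuard = '(C:\Program Files\telegraf\telegraf.exe --version) -Like ''*1.7.2*'''
try {
    & ([scriptblock]::Create($brokenGuard))
} catch {
    # Tokenised as command 'C:\Program' + args 'Files\telegraf\telegraf.exe' '--version':
    # "The term 'C:\Program' is not recognized ..." regardless of whether telegraf exists.
    Write-Host "Broken guard failed: $($_.Exception.Message)"
}

# 2. The fixed form as a reusable check: quote the path, invoke it with '&', compare the output.
function Test-ExeVersion {
    param(
        [Parameter(Mandatory)][string]$Path,      # full path to the executable
        [Parameter(Mandatory)][string]$Wildcard   # -like pattern, e.g. '*1.7.2*'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Verbose "$Path not found"
        return $false
    }
    # '&' runs the quoted string as a command; '--version' is passed through to the exe as-is.
    $output = & $Path --version 2>&1 | Out-String
    return [bool]($output -like $Wildcard)
}

# Path and version from the thread; telegraf.exe being installed is an assumption.
$telegraf = 'C:\Program Files\telegraf\telegraf.exe'
Test-ExeVersion -Path $telegraf -Wildcard '*1.7.2*'
Test-ExeVersion -Path $telegraf -Wildcard '*9.9.9*'   # the NotLike counterpart should now differ
```

Running the two calls side by side before putting the expression into `not_if` confirms the guard pair actually disagrees, which is what the two log resources in the question were supposed to show.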

SAS DIP Service failing to run

SAS Service "SAS [SASConfig-Lev1] Distributed In-Process Scheduler command-line job runner" is failing to run on a Win2012 R2 server.
It's set to Automatic, failed to run on startup and fails now as I try to start it.
Only dependency is the SAS Metadata Server and that is running fine.
In the log at \Lev1\Web\Applications\SASWIPSchedulingServices9.4\dip\serviceLog, the entry reads:
STATUS | wrapper | 2017/08/29 16:51:51 | --> Wrapper Started as Service
STATUS | wrapper | 2017/08/29 16:51:51 | Launching a JVM...
FATAL | wrapper | 2017/08/29 16:51:51 | Unable to execute Java command. The system cannot find the file specified. (0x2)
FATAL | wrapper | 2017/08/29 16:51:51 | "\bin\java.exe" -Djava.system.class.loader=com.sas.app.AppClassLoader -Dsas.app.repository.path="D:\SAS\SASVersionedJarRepository\eclipse" -Dsas.app.launch.picklist="D:\SASConfig\Lev1\Web\Applications\SASWIPSchedulingServices9.4\dip/picklist" -Xmx128m -Dsas.cache.locators=rad1sas1.hps-rad.local[41415] -Dspring.profiles.active=client-locators -Dsas.gemfire.log-level=severe -Dsas.gemfire.log.file= -Djava.library.path="D:\SASConfig\Lev1\Web\Applications\SASWIPSchedulingServices9.4\dip" -classpath "D:\SAS\SASVersionedJarRepository\eclipse\plugins\JavaServiceWrapper_3.2.3\wrapper.jar;D:\SAS\SASVersionedJarRepository\eclipse\plugins\sas.launcher.jar" -Dwrapper.key="eknAd40L52PNah3_" -Dwrapper.port=32006 -Dwrapper.jvm.port.min=31000 -Dwrapper.jvm.port.max=31999 -Dwrapper.pid=14260 -Dwrapper.version="3.2.3" -Dwrapper.native_library="wrapper" -Dwrapper.service="TRUE" -Dwrapper.cpu.timeout="10" -Dwrapper.jvmid=1 com.sas.scheduler.api.servers.ip.engine.mq.client.JobRunnerService "D:\SASConfig\Lev1\Web\Applications\SASWIPSchedulingServices9.4\dip/DIPJobRunner.properties"
FATAL | wrapper | 2017/08/29 16:51:51 | Critical error: wait for JVM process failed
It seems the DIP job uses a configuration file sitting at SASHOME:
D:\SAS\wrapper.conf
As #DomPazz pointed out, the java path was incomplete when assigned to the key. I included the full path and that solved the issue. Strangely, the first time I modified it and restarted the box, it got overwritten by a backup of the file sitting somewhere.
Contents of the wrapper.conf :
# Java Application
# In Error state the key below had the value of "\bin\java.exe"
wrapper.java.command=D:\SAS\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\java.exe
# Java Classpath (include wrapper.jar) Add class path elements as
# needed starting from 1
wrapper.java.classpath.1=D:\SAS\SASVersionedJarRepository\eclipse\plugins\JavaServiceWrapper_3.2.3\wrapper.jar
wrapper.java.classpath.2=D:\SAS\SASVersionedJarRepository\eclipse\plugins\sas.launcher.jar
# Java Additional Parameters
wrapper.java.additional.1=-Djava.system.class.loader=com.sas.app.AppClassLoader
wrapper.java.additional.2=-Dsas.app.repository.path="D:\SAS\SASVersionedJarRepository\eclipse"
Note: another wrapper.conf sits in D:\SASConfig\Lev1\Web\Applications\SASWIPSchedulingServices9.4\dip but that seems to have properties for the Windows service!
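Because the wrapper simply hands `wrapper.java.command` to the OS, a value with no drive letter such as `\bin\java.exe` is resolved against the service's current drive rather than SASHOME, which is the 0x2 "cannot find the file" in the log. A small check over the conf catches that before the service is restarted, and can be re-run after a reboot to spot the backup copy overwriting the fix. The block below is an added example, not code from the original post or from SAS; the sample conf is constructed from the lines quoted above (with the broken value restored), and the file path D:\SAS\wrapper.conf is the thread's.

```powershell
# Added example: validate the file-valued keys in a Tanuki-style wrapper.conf
# (key=value, '#' comments). Not from the original post.

function Test-WrapperConf {
    param([Parameter(Mandatory)][string[]]$Lines)

    $results = foreach ($line in $Lines) {
        # Skip comments, blank lines and anything that is not key=value.
        if ($line -match '^\s*(#|$)' -or $line -notmatch '=') { continue }
        $key, $value = $line -split '=', 2
        $key   = $key.Trim()
        $value = $value.Trim().Trim('"')

        # Only the keys that name a file: the JVM and each classpath entry.
        if ($key -ne 'wrapper.java.command' -and $key -notlike 'wrapper.java.classpath.*') { continue }

        [pscustomobject]@{
            Key      = $key
            Value    = $value
            # Drive letter or UNC prefix present? "\bin\java.exe" has neither.
            HasDrive = [bool]($value -match '^([A-Za-z]:\\|\\\\)')
            # Does the file exist from this shell's point of view?
            Exists   = [bool](Test-Path -LiteralPath $value -PathType Leaf)
        }
    }
    return @($results)
}

# Constructed sample: the conf from the thread with the broken value that caused the 0x2 error.
$sampleConf = @'
# Java Application
wrapper.java.command=\bin\java.exe
# Java Classpath (include wrapper.jar)
wrapper.java.classpath.1=D:\SAS\SASVersionedJarRepository\eclipse\plugins\JavaServiceWrapper_3.2.3\wrapper.jar
wrapper.java.classpath.2=D:\SAS\SASVersionedJarRepository\eclipse\plugins\sas.launcher.jar
# Java Additional Parameters
wrapper.java.additional.1=-Djava.system.class.loader=com.sas.app.AppClassLoader
wrapper.java.additional.2=-Dsas.app.repository.path="D:\SAS\SASVersionedJarRepository\eclipse"
'@ -split "`r?`n"

Test-WrapperConf -Lines $sampleConf | Format-Table -AutoSize

# Against the real file, reporting only entries that are relative or missing.
Test-WrapperConf -Lines (Get-Content -LiteralPath 'D:\SAS\wrapper.conf') |
    Where-Object { -not $_.HasDrive -or -not $_.Exists }
```

Run it from an account and drive comparable to the service's; a path that exists for the logged-on administrator but not for the service account would pass here yet still fail at startup.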

Powershell & bcdedit: Identify recovery partitions

I am trying to script the elimination/backup of the OEM partition (which just brings back the system to an outdated version of no practical use).
On many systems, DISKPART's list partition returns several recovery-type partitions: one is the official Microsoft Recovery Tools partition (WinRE) and others come from the OEMs.
The first step is to safely identify the position of the WinRE partition. I did not find any straight way in bcdedit or PS other than:
$renv=(bcdedit /enum "{default}" | Select-String "^recoverysequence" | Out-String | Select-String "{.+}").Matches.Value
(bcdedit /enum $renv | Select-String "^device" | Out-String | Select-String "\[.+\]").Matches.Value
This returns a string like:
[\Device\HarddiskVolume1]
where the volume number is the partition to use in Diskpart. (The remaining recovery partitions and the OEM-type partitions can be backed up.)
Is this the correct procedure to identify the WinRE partition?
Any more straight and/or better approach?
There's a command line tool called ReagentC, and it's in the path, so you can call it from any administrative command prompt.
reagentc /info
...will produce some output like:
Windows RE status: Enabled
Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 496c58c4-71cb-11e9-af8f-001c42903d2e
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0
Also, if you're writing code to do the work, you can discover the recovery partition by calling a winapi function to do the work. It's an obnoxiously complicated api to call...but for what it's worth, it's DeviceIOControl with the control code of IOCTL_DISK_GET_PARTITION_INFO_EX. If you're not using C or some language that defines unions, this is a pain. The structure you get back varies with whether the disk is GPT or MBR format.
If the disk is MBR, the returned partition type will be 0x27, and if it's a GPT drive the partition type will be the guid: de94bba4-06d1-4d40-a16a-bfd50179d6ac.
Aside from streamlining the Select-String with a lookbehind RE, I don't see a better approach ATM.
$renv=(bcdedit /enum "{default}" | Select-String "(?<=^recoverysequence\s+)({.+})").Matches.Value
(bcdedit /enum $renv | Select-String "(?<=^device.+)\[.+\]").Matches.Value
[\Device\HarddiskVolume5]
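The two answers combine well: reagentc /info says which disk and partition WinRE actually lives on, and Get-Partition then confirms the partition carries the recovery type code from the first answer (GPT GUID de94bba4-06d1-4d40-a16a-bfd50179d6ac or MBR type 0x27) without calling DeviceIoControl by hand. The block below is an added example, not code from either answer or from Microsoft; it assumes an elevated prompt, English reagentc output in the format shown above, and that the PartitionNumber reported by Get-Partition is the one DISKPART lists (it is).

```powershell
# Added example: identify the WinRE partition from reagentc and verify its type with
# Get-Partition. Not from the original answers. Run elevated.

function Get-WinREPartition {
    $info = & reagentc.exe /info 2>&1 | Out-String
    if ($info -notmatch 'Windows RE status:\s*Enabled') {
        throw "WinRE is not enabled; reagentc /info said:`n$info"
    }

    # \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE  ->  disk 0, partition 4
    if ($info -notmatch '\\harddisk(?<disk>\d+)\\partition(?<part>\d+)\\') {
        throw "Could not find harddiskN\partitionM in reagentc output:`n$info"
    }
    $disk = [int]$Matches.disk
    $part = [int]$Matches.part

    $p = Get-Partition -DiskNumber $disk -PartitionNumber $part

    # Type check from the first answer. OEM "recovery" partitions use other type codes,
    # which is why the reagentc location, not the type alone, decides which one is WinRE.
    $isRecoveryType = ($p.GptType -eq '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}') -or ($p.MbrType -eq 0x27)

    [pscustomobject]@{
        DiskNumber      = $disk
        PartitionNumber = $part      # same number DISKPART's "list partition" shows
        SizeMB          = [math]::Round($p.Size / 1MB)
        GptType         = $p.GptType
        MbrType         = $p.MbrType
        IsRecoveryType  = $isRecoveryType
        AccessPaths     = ($p.AccessPaths -join ' ')
    }
}

Get-WinREPartition
```

Any other partition that DISKPART labels "Recovery" but whose DiskNumber/PartitionNumber differ from this result is one of the OEM partitions the question wants to back up.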

Teamcity - intermittent clearcase snapshot error - reading changes

Getting the following error in the Project View against projects reading changes from a clearcase snapshot
Error collecting changes for VCS root 'VS Root Name'
jetbrains.buildServer.vcs.VcsException: Process cleartool lshistory -eventid -recurse -since 22-December-2010.16:42:08 -fmt %u#--#%Nd#--#%En#--#%m#--#%Vn#--#%o#--#%e#--#%Nc#--#%[activity]p###----###\n \\server\D$\path\vob returns -1
jetbrains.buildServer.vcs.VcsException: Error collecting changes for VCS root 'VS Root Name'
jetbrains.buildServer.vcs.VcsException: Process cleartool lshistory -eventid -recurse -since 22-December-2010.16:42:08 -fmt %u#--#%Nd#--#%En#--#%m#--#%Vn#--#%o#--#%e#--#%Nc#--#%[activity]p###----###\n \\server\D$\path\vob returns -1
at jetbrains.buildServer.buildTriggers.vcs.clearcase.ClearCaseSupport.collectChangesWithConnection(ClearCaseSupport.java:622)
at jetbrains.buildServer.buildTriggers.vcs.clearcase.ClearCaseSupport.collectChanges(ClearCaseSupport.java:612)
The simplest way to troubleshoot that kind of error is to execute the same command in a shell session (DOS here) and see the detailed error message that cleartool will produce.
(TeamCity only displays the fact that the command has failed.)
Possible errors are:
no albd process on the server where the snapshot view is
UNC path problem (can you make a simple 'dir \\server\D$\path\vob'?)
rights issue (are you using the right account to query this view?)
...
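Replaying the command from a shell is the step the answer recommends, and the part TeamCity hides is cleartool's stderr and exit code. The block below is an added example, not from the original answer or from TeamCity or ClearCase; it reruns the exact lshistory invocation from the error (same -fmt string, date and UNC path), first checking that the UNC path is reachable as the current account. cleartool is assumed to be on PATH, and the albd check on the host where the snapshot view lives is not scripted here.

```powershell
# Added example: rerun the lshistory TeamCity ran, exposing exit code and stderr.
# Not from the original answer.

function Test-ClearToolHistory {
    param(
        [Parameter(Mandatory)][string]$VobPath,   # e.g. '\\server\D$\path\vob'
        [Parameter(Mandatory)][string]$Since      # e.g. '22-December-2010.16:42:08'
    )
    if (-not (Get-Command cleartool -ErrorAction SilentlyContinue)) {
        throw 'cleartool is not on PATH in this shell'
    }

    # Second cause from the answer: can this account see the UNC path at all?
    $reachable = Test-Path -LiteralPath $VobPath

    # Same -fmt string TeamCity used; single quotes keep % and \n literal for cleartool.
    $fmt = '%u#--#%Nd#--#%En#--#%m#--#%Vn#--#%o#--#%e#--#%Nc#--#%[activity]p###----###\n'

    # 2>&1 merges cleartool's stderr into the output as ErrorRecords so it can be shown;
    # TeamCity only reported "returns -1".
    $output = @(& cleartool lshistory -eventid -recurse -since $Since -fmt $fmt $VobPath 2>&1)
    $exit   = $LASTEXITCODE
    $stderr = @($output | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } |
                         ForEach-Object { $_.ToString() })

    [pscustomobject]@{
        Account       = "$env:USERDOMAIN\$env:USERNAME"   # third cause: the querying account
        PathReachable = $reachable
        ExitCode      = $exit
        Records       = $output.Count - $stderr.Count
        Stderr        = ($stderr -join "`n")
    }
}

# Arguments copied from the error message in the question.
Test-ClearToolHistory -VobPath '\\server\D$\path\vob' -Since '22-December-2010.16:42:08' | Format-List
```

Run it under the same account the TeamCity agent service uses; a path that is reachable for an interactive administrator but not for the service account produces exactly the silent "returns -1" seen in the Project View.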