ETW File IO Monitoring on XP/2003 - windows-xp

I've been investigating ETW for process/file/registry/network monitoring. It looks like on Win7 it has everything I need. However, on XP it seems to be lacking the same level of detail. Specifically, with file IO only "FileCreate" events seem to be logged, and process creation events don't give a full path.
Is it possible to determine when a file is written to on XP with ETW? And how about the full path to a process start event?

Starting with Vista MS added a lot of ETW providers to Windows. XP/Server only had a few of them. So you can't fix this for XP.

Related

Running Windows Powershell script always from task scheduler

This might be a very basic question. I have a FileWatcher script in Windows PowerShell which I want to run always so that it keeps watching a particular location for files. When I run it from the Windows PowerShell IDE it runs perfectly fine. I understand that I can schedule a task in Windows Task Scheduler for that, but what's happening is that the task runs and then comes back in "Ready" status. This is NOT working. I think it should be in "Running" state always. I might be missing something. Please kindly help with your valuable suggestions.
You can do this with TaskSchedule…
Running PowerShell scripts as a “service” (Events: Prologue)
but this is also what permanent Event Subscriptions are for, or, setting it up as user10675448 suggests, make it a real service.
How to run a PowerShell script as a Windows service
Windows PowerShell - Writing Windows Services in PowerShell
This article presents the end result of that effort: A novel and easy way to create Windows Services, by writing them in the Windows PowerShell scripting language. No more compilation, just a quick edit/test cycle that can be done on any system, not just the developer’s own.
There is also this approach...
PowerShell and Events: Permanent WMI Event Subscriptions
Unlike the temporary event, the permanent event is a persistent object that will last through a reboot and continue to operate until it has been removed from the WMI repository.
There are multiple ways of setting up the WMI events and I will be covering 3 of those ways (as they deal with PowerShell) in this article.
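As an added example (not code from the answer or the linked articles), here is the permanent WMI subscription approach applied to the folder-watching case: a filter that fires when a file appears in a folder, a CommandLineEventConsumer that runs a handler script, the binding that ties them together, and helpers to list and remove such subscriptions, since they stay in the repository across reboots until removed. The folder, subscription name and handler path are assumptions.

```powershell
# Added example, not from the original answer: a permanent WMI event subscription that
# fires when a file appears in a folder and keeps working across reboots, plus helpers
# to list and remove such subscriptions (they live in the repository until removed).
# Folder, subscription name and handler script path are assumptions.
function New-FolderWatchSubscription {
    param([string]$Name, [string]$Folder, [string]$HandlerPath)
    # WQL compares GroupComponent against a WMI object path, so backslashes are doubled twice.
    $wmiPath = $Folder.TrimEnd('\') -replace '\\', '\\\\'
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
             "WHERE TargetInstance ISA 'CIM_DirectoryContainsFile' " +
             "AND TargetInstance.GroupComponent = 'Win32_Directory.Name=""$wmiPath""'"
    $filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
        Name = $Name; EventNamespace = 'root\cimv2'; QueryLanguage = 'WQL'; Query = $query }
    # %TargetInstance.PartComponent% expands to the CIM_DataFile path of the new file.
    $consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
        Name = $Name
        CommandLineTemplate = "powershell.exe -NoProfile -File `"$HandlerPath`" `"%TargetInstance.PartComponent%`"" }
    Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
        Filter = $filter; Consumer = $consumer }
}

function Get-PermanentWmiSubscription {
    # Every filter-to-consumer binding currently registered, resolved to its query and command.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | ForEach-Object {
        $f = [wmi]"\\.\root\subscription:$($_.Filter)"
        $c = [wmi]"\\.\root\subscription:$($_.Consumer)"
        New-Object PSObject -Property @{
            Filter = $f.Name; Query = $f.Query; Consumer = $c.Name; Command = $c.CommandLineTemplate }
    }
}

function Remove-PermanentWmiSubscription {
    param([string]$Name)
    # Remove the binding first, then the filter and consumer it referenced.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$Name`"*" } | Remove-WmiObject
    Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Usage (assumed paths): register the watcher, then review everything that is registered.
New-FolderWatchSubscription -Name 'DropFolderWatch' -Folder 'C:\Drop' -HandlerPath 'C:\Scripts\Handle-NewFile.ps1' | Out-Null
Get-PermanentWmiSubscription | Format-Table -AutoSize
```

Creating objects in root\subscription requires an elevated session; the listing function is also what you run to see which subscriptions a machine already carries.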

"Exception code: C0000005 ACCESS_VIOLATION" in progress application, application terminated

Progress application terminated during execution. Here is the protrace:
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 101DA9BF 01:001D99BF C:\Ultra\dlc91e\bin\prow32.dll
How to find what program caused this issue? Is there any way to debug and find the problematic code?
If it was a 4gl session that crashed there should be a "procore" or a "protrace" file in the working directory of the session that crashed. It might also be in the temp directory (specified with the -T startup parameter).
If you can find the protrace file it has a 4gl stack trace which ought to tell you where the problem originated.
Some notes here:
9.1e is truly ancient. But still, Progress has a history of supporting older versions for a long time. It's actually set to be "retired" October 2015.
So if you have an active license you shouldn't hesitate to contact support.
There's also the knowledgebase to search. I found this that might be something similar. First of all you should think of all things that have changed since the system worked (file system layouts, installation of software like antivirus and firewalls, operating system upgrades, security changes etc etc).
Knowledge base home: http://knowledgebase.progress.com/.
I never use the internal search, I always Google with:
site:knowledgebase.progress.com

Windows Service startup time

Is there a way to programmatically retrieve start-up time/duration for all the Windows Services that have started during boot in Windows XP?
That is, the time the service was initialized to getting to the "started" state.
Thank you in advance!
P.S. I'm not asking for software recommendation.
I would start with looking at the logs in event viewer, check if that information you want is there.
If it is, then use Microsoft's EventLog class to get the log you want.
For example if you're interested in the System log use -
EventLog systemLog = new EventLog("System");
systemLog contains a collection of all entries in the System log. Should be easy from there.
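As an added example (not from the answer), the same System log can be mined for the duration the question asks about: the Service Control Manager writes event 7035 ("was successfully sent a start control") and 7036 ("entered the running state") for each service, and pairing them per service name gives the start-up time. The entries below are constructed so the block runs offline; the assumed live source is Get-EventLog on the System log.

```powershell
# Added example, not from the original answer: derive per-service start durations from
# Service Control Manager events in the System log, pairing the "sent a start control"
# record (ID 7035) with the matching "entered the running state" record (ID 7036).
# The sample entries below are constructed; on a real host pipe in Get-EventLog output.
function Get-ServiceStartDuration {
    param([Parameter(ValueFromPipeline=$true)] $Entry)
    begin { $pending = @{}; $results = @() }
    process {
        # ReplacementStrings[0] is the service display name, [1] the control/state word.
        $svc = $Entry.ReplacementStrings[0]
        if ($Entry.EventID -eq 7035 -and $Entry.ReplacementStrings[1] -eq 'start') {
            $pending[$svc] = $Entry.TimeGenerated
        } elseif ($Entry.EventID -eq 7036 -and $Entry.ReplacementStrings[1] -eq 'running' -and $pending.ContainsKey($svc)) {
            $results += New-Object PSObject -Property @{
                Service = $svc; Started = $pending[$svc]
                DurationSeconds = ($Entry.TimeGenerated - $pending[$svc]).TotalSeconds }
            $pending.Remove($svc)
        }
    }
    end { $results | Sort-Object DurationSeconds -Descending }
}

# Constructed sample records shaped like System.Diagnostics.EventLogEntry.
function New-SampleEntry([int]$Id, [string]$Svc, [string]$State, [string]$Time) {
    New-Object PSObject -Property @{ EventID = $Id; ReplacementStrings = @($Svc, $State)
                                    TimeGenerated = [datetime]$Time }
}
$sample = @(
    (New-SampleEntry 7035 'Windows Time'  'start'   '2009-06-01 08:00:01')
    (New-SampleEntry 7035 'Print Spooler' 'start'   '2009-06-01 08:00:02')
    (New-SampleEntry 7036 'Print Spooler' 'running' '2009-06-01 08:00:03')
    (New-SampleEntry 7036 'Windows Time'  'running' '2009-06-01 08:00:09')
)
$sample | Get-ServiceStartDuration | Format-Table Service, Started, DurationSeconds -AutoSize

# Live use (Get-EventLog returns newest first, so sort before pairing):
# Get-EventLog -LogName System -Source 'Service Control Manager' -After (Get-Date).Date |
#     Sort-Object TimeGenerated | Get-ServiceStartDuration
```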

Application Deployment with Powershell

I've developed a Powershell script to deploy updates to a suite of applications; including SQL Server database updates.
Next I need a way to execute these scripts on 100+ servers; without manually connecting to each server. "Powershell v2 with remoting" is not an option as it is still in CTP.
Powershell v1 with WinRM looks the most promising, but I can't get feedback from my scripts. The scripts execute, but I need to know about exceptions. The scripts create a log file, is there a way to send the contents of the log file back to the "client" (the local computer making the remote calls)?
Quick answer is No. Long version is, possible but will involve lots of hacks. I developed very similar deployment script/system using PowerShell 2 last year. The remoting feature is the primary reason we put up with the CTP status. PowerShell 1 with WinRM is flaky at best and as you said, no real feedback apart from ok or failed.
Alternative that I considered included using PsExec, which is very much non-standard and may be blocked by firewall. The other approach involves using system management tools such as MS's System Center, but that's just a big hammer for a tiny nail. So you have to pick your poison...
Just a comment on this: The easiest way to capture PowerShell output is to use the Start-Transcript cmdlet to pipe console output to a file. We have a small snippet at the start of all our scripts that sends a log file with the console output from each script to a central file share, and names the log file with script name and date executed so that we'll have an idea of what happened. It's not too hard to pipe all those log files into a database for further processing either. Probably won't solve all your problems, but would definitely help on the "getting data back" part.
best regards,
Trond
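The transcript pattern Trond describes, as an added example (not the poster's own snippet): a wrapper that transcribes a deployment step to a log named after the step, host and timestamp on a central share, falls back to the local temp folder when the share is unreachable, and turns any terminating error into a recorded failure and a non-zero exit code. The share path and the sqlcmd step are assumptions.

```powershell
# Added example, not the poster's snippet: run a deployment step under Start-Transcript,
# writing the log to a central share (assumed: \\LOGSRV\DeployLogs) named by step, host
# and time, and return 0/1 so the caller can tell OK from failed without reading the log.
function Invoke-LoggedStep {
    param([string]$Name, [scriptblock]$Step, [string]$Share = '\\LOGSRV\DeployLogs')
    # Fall back to the local temp folder when the share is unreachable so nothing is lost.
    $dir = if (Test-Path $Share) { $Share } else { $env:TEMP }
    $log = Join-Path $dir ("{0}_{1}_{2}.log" -f $Name, $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Start-Transcript -Path $log -Force | Out-Null
    try {
        $ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so they reach the catch
        Write-Host "START $Name on $env:COMPUTERNAME"
        & $Step
        Write-Host "RESULT: OK"
        return 0
    } catch {
        # Write-Host output is what the transcript captures, so the failure lands in the log.
        Write-Host "RESULT: FAILED - $($_.Exception.Message)"
        Write-Host $_.InvocationInfo.PositionMessage
        return 1
    } finally {
        Stop-Transcript | Out-Null
    }
}

# Native tools such as sqlcmd do not throw on failure, so check $LASTEXITCODE inside the step.
$rc = Invoke-LoggedStep -Name 'DbUpdate' -Step {
    sqlcmd -S localhost -i .\update.sql
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd exited with $LASTEXITCODE" }
}
exit $rc
```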

Un-enlisting a BizTalk MSMQ send port in batch file

I've got a solution which I setup / cleanup using batch files ...
- there are a pair of MSMQ ports, send and receive, with another application on the end of the queues
I'm finding I can't properly stop the orchestration in the batch file ... the error is the send port is unenlisted
- I'm using the StopOrch.vbs script from the SDK samples
But I can go into BizTalk Admin Console and manually stop the orchestration with Full Terminate Ok
The setup / cleanup works Ok if I don't actually push any messages down the MSMQ queues
You might also take a look at the Microsoft.BizTalk.ExplorerOM.dll. It contains business level objects that are pretty nice to interact with in .NET code. You can find the dll in the installation directory, mine is at: C:\Program Files (x86)\Microsoft BizTalk Server 2009\Developer Tools
Here is the MSDN documentation on it:
http://msdn.microsoft.com/en-us/library/microsoft.biztalk.explorerom(BTS.20).aspx
And a good high level walk through of its use:
http://geekswithblogs.net/claeyskurt/archive/2008/10/13/125815.aspx
Steve,
I would look at using a PowerShell script to handle terminating all the suspended messages and also shut down the orchestration the proper way. I believe there's a set of these scripts on CodePlex if you search. Also look at the SDC MSBuild components on CodePlex for doing that as well.
-Bryan