Why is services.exe changing the Event Log retention policy? - event-log

I have a server running Windows 2003 R2 Enterprise Ediditon with Service Pack 2. I reset the Application Event Log Retention policy within EventVwr (right-click on Application, click the radio button next to "Overwrite events as needed".) A few hours later, somehow this setting got reset to "Overwrite events older than 7 days." This happened several times, so I started up RegMon to monitor what was changing this setting. The setting is located at HKLM\System\CurrentControlSet\Services\EventLog\Applicatin\Retention. I found out that services.exe is changing this setting on a regular basis. Can anyone tell me why services.exe would be automatically changing the Event Log retention policy, and how I can make it stop doing that?

The usual cause for this would be that the machine is part of a domain and Group Policy is being pushed down and applied by something running within services.exe.
That said - you'd probably be better asking this question at serverfault.com =)

Related

Service IKEEXT automatically switched off after Windows 10 reboot

After rebooting Windows 10, the IKEEXT service appears turned off - regardless of it previous state - started, stopped, automatically started or manually started.
No problem to disable or enable it or run manually. Why the state of IKEEXT can appear switched off?
Here are some methods that you can try to trouble shoot the problem:
1.Make sure that the dependence of the this service is set to automatically start.
2.perform a clean boot to disable the 3-party software conflict.
3.Make sure the service is enabled in msconfig.
4.modify the service to automatic restart on failure.
4.change the startup type of these services from Automatic to Automatic Delayed.
-You can go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT\DelayedAutostart
-Add DelayedAutostart entry but set value to 0,If nothing helps, you can check the Event Log to see if there is any related errors generated.

Tableau Vizql, Backgrounder and Data server down

Yesterday our extracts failed to refresh with the following message (image extract_error):
Failure: Failed 1 time. Sign in failed.
Resolution Details: Check the Data Connection page for necessary updates to an access token or embedded credentials.
I verified that all our passwords were unchanged and test connections which were successful.
The tableau dashboards now give an error message saying:
HTTP 404:
Unable to connect to the server "localhost". Check that the server is running and that you have access privileges to the requested database. (image tableau_error)
Further, when I opened the Server Status page, I saw that our one of our two Vizql, backgrounder and data servers were down. We have two of each and only one of them is active for all three of them. (image server_status)
So, I decided to remote desktop into the server and run the tabadmin status -v command and strangely it is showing that all processes are running. (image tabadmin_status)
Finally, I opened a case with Tableau Customer Portal and letting them know about this issue (they asked me send them the log.zip file) but the mean time I was trying to problem solve this issue. Any help would be really appreciated.
After trying a lot of things, one process seemed to work.
Stopped the tableau server
Configured it to run 1 Vizql server process instead of 2
Started the server again
Finally, it worked. The status page now shows all the processes are active.
Hopefully, this helps someone who is facing a similar problem.
This may be caused by a firewall issue. Since tabadmin status -v returned all as "running" the cluster is healthy and this is a false alert. The firewall rules could be allowing just the first port and not the entire range (see https://onlinehelp.tableau.com/current/server/en-us/ports.htm) to respond to requests from the application server to build that fancy table with the green and red boxes.
The firewall can be reverted/altered behind the scenes for a number of reasons, usually windows updates or regular group policy synchronization.
Try disabling the windows firewall (https://www.faqforge.com/windows-server-2016/turn-off-firewall-windows-server-2016/), or add an inbound rule allowing access to all ports if your org policy doesn't allow you to actually turn it off. (Follow the steps here, except use "All Local Ports" instead of "Specific Local Ports" https://www.parallels.com/blogs/ras/configuring-windows-server-firewall-for-parallels-ras/)
I had a similar problem and followed these similar steps that Sravee mentioned above to bring the all processes back to active.
Stopped the server
Change the configuration for VizQL server from 2 to 1
Started the server
Enter the licence key (else the server status page will show unlicensed error)
Note: This does not bring the site back but this step is for 'tricking' VizQL server
Stopped the server again
Change the VizQL configuration from 1 to 2 now.
Start the server
Enter the license key
This steps did bring back the server back to active for us. Posting to see if this helps who faces the same problem. Thank you so much.

How to set Group Policy "Turn Off Automatic Root Certificates Update" vie Registry/Powershell?

I need to disable the following group policy in Windows 7 programatically, for example by modifying a registry key using Powershell:
"Turn Off Automatic Root Certificates Update"
Does anybody know which registry key needs to be set or unset in order to make this work?
I had a similar issue when i was creating an application that communicated with a server over HTTPS using two-way SSL.
This was causing a delay of a full minute when the initial request was made
It ran in WinPE where hand clicking through the local group policy editor was not an option.
There also is no way I am aware of to register a root authority in this environment and it is running in an incredibly restricted environment so it can not access windows update (not that it would find our corporate CA there anyway).
The registry value you are looking for is
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
DWORD DisableRootAutoUpdate = 1
Source: http://www.group-policy.com/ref/policy/452/Turn_off_Automatic_Root_Certificates_Update
To turn off Automatic Root Certificates Update via Local Group Policy Editor:
Click Start, and then click Run.
Type gpedit.msc, and then click OK.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
Under computer configuration, Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
Close the Local Group Policy Editor.
Domain policies override local settings. That's how they're supposed to work (they'd be rather useless otherwise). If you want the policy disabled, disable or remove the policy in Group Policy Management or remove the computer from the domain.

Windows Service "Starting"

I have a critical windows service that I need for my web application.
Unfortunately, the windows service does not start properly, but remains in a status of "Starting" for about 7 minutes and 38 seconds, and then fails.
My web application works fine when the service is in the "Starting" mode.
I have a windows scheduled task that runs every minute to restart the service if necessary.
net start "my service"
Therefore there is a gap of about 22 seconds from when the service fails until it starts up again. In additional it takes an additional 30 seconds or so for my application (which is dependent on this service) to start working.
I have intentionally not named the errant service. I did open a separate question https://stackoverflow.com/questions/8470975/oracle-oc4j-service-keeps-stopping whose aim was to actually solve the problem.
In this question, I am not trying to solve the problem, but rather find a workaround to try and keep this service in a status of "Starting" the whole time.
What is infuriating, is that until I restarted the server today, my workaround of restarting the service every 3 minutes actually worked, with no application downtime whatsoever.
Does anybody have any suggestions? I did try changing the registry key of ServicesPipeTimeout to 86400000 (24 hours!) in a bid to keep the service in the status of "Starting" for longer.
I have found a possible solution to my problem that I am very uneasy about...
I downloaded WinDbg from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8279
I opened WinDbg and did Attach to Process, and selected my service.
As long as WinDbg is open, it seems to "hold" the process and prevent it from stopping.
How long it will continue to do so, remains to be seen, but it has held for over half an hour now (whereas before the service stopped after 8 minutes)
If you have the timeout set to 24 hours and the service does not start or stay in 'starting' mode , then it must be either crashing or closing itself down.
If you want to try to restarting your service immediately it crashes, then, on the properties of your service, select the 'Recovery' tab. You should be able to set the service to restart on first, second and subsequent failures and set the service to restart after 0 minutes,
Note, this will not work if windows thinks that the service is closing down properly.
It should go without saying that this is a last resort only if you can't get whoever wrote the service to fix the problems.
Try specifying 'Restart the Service' for all three sections on the Recovery tab, but that will only work if the service is ending abnormally.
Our company faced a similar problem and we developed Service Protector, a commercial application that can babysit a service and keep it running 24/7. It may work in your situation too.

How to change Msmq configuration from workgroup mode to domain mode?

There is a public queue named queue1 on machine A. I want to send messages to this queue from machine B. In order to achieve this, I wrote that c# code.
if (MessageQueue.Exists("machineA\queue1"))
{
label1.Text = "queue found";
}
else
{
label1.Text = "queue could not be found";
}
But Exists() method return false on machine B. The same code works well on machine C.
I found somethings related with msmq domain mode and workgroup mode. I think that msmq installed in workgoup mode on machine B.
How can I change this configuration from workgroup mode to domain mode?
HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters\
Check the data for the REG_DWORD workgroup. Is it 1 or 0?
1 is workgroup mode.
0 is AD mode
Basically the difference between domain and work group mode is not defined by the value of the registry flag "workgroup" mentioned by #engin. This flag just reflects current operational mode but doesn't set it.
Whether you run in domain or workgroup mode is defined whether you installed MSMQ on domain controller or on a member server. Details about differences between these two modes can be found here: https://support.microsoft.com/en-us/kb/884974/
MSMQ 1.0 used to support domain mode only. Current MSMQ version is 5.0.
Next you may see quite interesting behavior when you installed MSMQ on your DC, your workgroup flag continuously reverts to 1 after each MSMQ service restart. This means that you have to grant Network Service account the Create MSMQ Configuration Objects permission to the computer object in Active Directory Domain Services before installing the Directory Services Integration feature on a computer that is a domain controller.
You may find details on how to do it here:
https://technet.microsoft.com/en-us/library/cc730960.aspx
MSMQ runs under the (less privileged) Network Service account instead of (all powerful) Local System account starting from version 4.0 (Vista/Server 2008)
So to answer #mkus question more directly to "set" domain mode you just install MSMQ on domain controller and make sure that proper permissions in place for Network Service account. Once this is done you well see it operating in domain mode with workgroup flag switched to 0 automatically to reflect this.
Also couple of links to clarify issues around MSMQ objects permissions and when/why you need to set them:
http://blogs.msdn.com/b/johnbreakwell/archive/2009/08/03/default-msmq-queue-permissions-have-changed-in-msmq-4-0.aspx. In short starting from MSMQ 4.0 Everyone and Anonymous Logon were removed from default MSMQ objects ACLs as precaution against DoS attacks (though there are exlusions to this change and Workgroup mode is one of those).
And as you may read in Technet article below you need to go a grant certain rigts to MSMQ objects either to Network Service OR to Computer accounts when installing the Routing Service feature on a Windows Server 2008 R2 (or later) computer that is not a domain controller OR when installing the Directory Service Integration feature of Message Queuing on a Windows Server 2008 R2 (or later) computer that is a domain controller. See details here:
https://technet.microsoft.com/en-us/library/cc749102(v=ws.10).aspx
Run Server Manager on the machine that is hosting the queue. Right-click on Features and click "add features"
Drill down under Message Queuing and under Message Queuing Services. You should see a checkbox for Directory Service Integration.
Check it and click install.
Usually you have to reboot the server for it to show the change.
I ran into some problems, no matter how much I installed or uninstalled MSMQ or restarted, I still wasn't able to use the queue. So I wanted to post some links here
http://support.microsoft.com/kb/935498
When it gets to a part about "To work around this problem, use the Active Directory Users and Computer Microsoft Management Console (MMC)...". Below is how you do that.
How to delete from active directory
http://technet.microsoft.com/en-us/library/cc773660(v=WS.10).aspx
"Delete stale computer objects" is the part you are interested in.
I also found this nice error in the event log "The Message Queuing service will not join the domain. An MSMQ Configuration (msmq) object exists in the new domain with an ID differing from the service ID. Please delete the MSMQ Configuration object in the new domain, restart the Message Queuing service, and log on again."- which helped to point out they way.
I have face this issue for windows server 2016, where even thought I was changing registry value to domain mode "0", it reverts to "1", after server restart.
To solve the issue on OS 2016, we need to uninstall below MSMQ feature as they are deprecated from OS 2016 onward.
Message Queuing Trigger
Multicasting support
Routing Service