Who ate my menu bar?

While I was looking for the advanced network settings on a Windows 2008 Server, I noticed that the menu bar (File, Edit, View, Advanced, etc.) is no longer visible by default. I guess I hadn't really needed it until this point. How do you get it back? There are two ways.

1.  Just like in the DOS days, press the ALT key and the bar will pop back up.

2.  Now say you are ALT-key challenged and don't want to use the ALT key: click on Organize, then Folder and Search Options, and from there switch to Use Windows classic folders.


Remote Event Viewer Access Windows 2003 & 2008

I regularly get requests to allow a regular user of a system to access the Event Viewer remotely. What would seem like a trivial task ends up taking some thought, as there is no built-in way to easily allow this access on Windows 2003.

So say we want to allow the user Jim Bob access to the System event log on our server.

First we need to open Regedit and browse out to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Next we'll want to copy the CustomSD value into a text editor and add access for Jim Bob.

Original Value:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)

Now, since we only want to give him read access, we'll mirror the Interactive User's (IU) default permissions, the (A;;0x1;;;IU) entry.

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;S-1-5-3-3127463467463)

Just copy your newly minted SDDL string back into the CustomSD value and Jim Bob will be good to go.

Now say you just want to allow all Authenticated Users (AU) access; you could modify your SDDL as follows:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x1;;;AU)

Rinse and repeat for any additional event logs that you want to grant access to.

Windows 2008 is much easier, as long as you are OK giving the user/group read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group.

Now if you want to customize things, for example giving someone access to the Application and System logs but not the Security log, you still have to dig into the SDDL.

The location of the SDDL has changed in Windows 2008: it is no longer set via the CustomSD value in the registry. You now have to use the wevtutil utility. OK, so let's say Jim Bob now needs access to just the System event log on our Windows 2008 Server.

First we need to open the command prompt and run the following command to dump the SDDL for the System log out to a text file.

wevtutil gl system > C:\temp\out.txt

Open the text file and copy out the channelAccess: entry.

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Now, once again, copy the Interactive User (IU) rights and add Jim Bob to them.

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

Last, we need to apply the new SDDL. Just replace O:BAG:XXXX with the SDDL string you created in the previous step.

wevtutil sl System /ca:O:BAG:XXXX

There you have it. As another option, you can remove access for the Event Log Readers group from the event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from that log's SDDL string.
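As an added example (not code from the post), here are Python helpers that apply the same edits to the SDDL strings shown above for both the 2003 CustomSD and the 2008 channelAccess procedures: append a read ACE that mirrors the IU entry, drop the Event Log Readers entry, and list who ends up with read access so the result can be reviewed before it is written back with wevtutil sl or into CustomSD. The sample string is the 2008 channelAccess value from the post; any user SID you pass in is your own, and the parser assumes hex access masks as on this page.

```python
import re

# Constructed sample: the Windows 2008 "channelAccess" SDDL quoted in the post, before
# Jim Bob is added.  Event log channel access mask bits: 0x1 read, 0x2 write, 0x4 clear.
SAMPLE_SDDL = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)"
               "(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)"
               "(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)")
READ = 0x1
EVENT_LOG_READERS = "S-1-5-32-573"   # well-known SID of the built-in group
ACE_RE = re.compile(r"\(([^)]*)\)")  # one ACE per parenthesised group

def parse(sddl):
    """Split 'O:..G:..D:(ace)(ace)...' into (text before the first ACE, list of ACE fields).

    Each ACE becomes [type, flags, mask, object, inherit-object, trustee]; the masks on this
    page are hex, which is all this helper understands (assumption)."""
    dacl_start = sddl.index("D:")
    first_ace = sddl.index("(", dacl_start)
    return sddl[:first_ace], [ace.split(";") for ace in ACE_RE.findall(sddl[first_ace:])]

def build(prefix, aces):
    return prefix + "".join("(" + ";".join(a) + ")" for a in aces)

def grant_read(sddl, sid):
    """Append an allow ACE for `sid` that mirrors the Interactive User (IU) mask, as the post
    does by hand.  Idempotent, and strips stray whitespace so the string stays valid SDDL."""
    sid = sid.strip()
    prefix, aces = parse(sddl)
    if any(a[0] == "A" and a[5] == sid and int(a[2], 16) & READ for a in aces):
        return build(prefix, aces)                     # already readable: change nothing
    iu_mask = next((a[2] for a in aces if a[5] == "IU"), hex(READ))
    return build(prefix, aces + [["A", "", iu_mask, "", "", sid]])

def revoke(sddl, sid):
    """Drop every ACE naming `sid`, e.g. to take Event Log Readers off one log only."""
    prefix, aces = parse(sddl)
    return build(prefix, [a for a in aces if a[5] != sid])

def readers(sddl):
    """Trustees whose allow ACE carries the read bit and who are not explicitly denied it:
    the list to review after an edit, so a typo does not open the log to an extra group."""
    _, aces = parse(sddl)
    denied = {a[5] for a in aces if a[0] == "D" and int(a[2], 16) & READ}
    return sorted({a[5] for a in aces if a[0] == "A" and int(a[2], 16) & READ} - denied)
```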


Altiris Inventory: Getting Serial Number, Manufacturer & Model from Windows 2008 64-bit systems

Background:

While running some reports on server hardware, I realized that some of the servers were missing the serial, manufacturer, and model information, which I needed for inventory forwarding and system model counts. After identifying the systems I realized that all of them were Windows 2008 64-bit. So I called Altiris, and they acknowledged that this is a known issue that is not likely to be resolved until NS 7.0. Well, I need this data in the reports today, not months down the road.

The Problem:

The issue appears to be that aexsnplus.exe uses 16-bit code, and the 16-bit subsystem has been removed from Windows 2008 64-bit, so aexsnplus.exe ends up failing to run.

The Solution:


Since the information we're looking for is available in a couple of WMI classes (Win32_ComputerSystem & Win32_BIOS), I figured I could easily create a built-in custom inventory task to get the data, but the stars did not appear to align, and I still got invalid data back. Not letting this minor setback get in the way of inventory, I ended up creating a quick and dirty VBScript that generates the NSI file. Then I created a new hardware inventory ini file and replaced the line:

aexsnplus.exe /output xml

With:

cscript getsn.vbs

After the new ini file was created and the VBScript was placed in the following directory:

\\YourNSserver\NSCap\Bin\Win32\X86\Inventory Solution

I created a new program in the Inventory Agent Package referencing my new ini file.

AeXInvSoln.exe /s AEXINVHWSN.ini

Then I created a new Inventory Task for the new program, targeting only the Windows 2008 64-bit systems, and let her rip.

Outcome:

I now have my Serial Number, Model & Manufacturer available for all my Windows 2008 64-bit systems. I have attached the VBScript and ini file used to make this possible.

W2K8_SN.zip (1.29 kb)

UPDATE:

Altiris has released an updated AeXSNPlus.exe that appears to resolve the issue. You can follow the instructions in the link below.

https://kb.altiris.com/display/1/kb/article.asp?aid=43427


Windows 32bit Memory Overview Part 2

Since a 32-bit OS can only access 4GB of memory, some magic needs to happen to allow the system to see additional memory. Say hello to Physical Address Extension (PAE). PAE allows the operating system itself to address more than 4GB of RAM. Each process is still bound by the 4GB limit, but the VMM can utilize all the physical memory up to 64GB. How does PAE do it? Starting with the Pentium Pro processor, the x86 platform actually allows 36 bits of address space, so 2^36 bytes = 64GB addressable. PAE is automatically enabled on computers running Windows Server 2003 with Service Pack 1 (SP1) and Windows XP with Service Pack 2 (SP2) when DEP is enabled on a computer with a processor that supports the no-execute page protection feature.

The 2GB dividing line between user memory and kernel memory is completely arbitrary. 4GB memory tuning (4GT) is enabled by putting a /3GB switch in boot.ini. Using the /3GB switch allocates 1GB to the kernel and 3GB to the user-mode space. But be warned, we are stealing from Peter to pay Paul here: since the nonpaged pool, paged pool & PTEs all reside in kernel memory, if the memory reduction in the pools is too great for a specific server installation, the server or its applications may generate errors or appear to stop responding.

You shouldn't use 4GB tuning in the following scenarios: the system has more than 16GB of memory, or the server is a Terminal Server. Large file servers and Exchange are also good examples of where /3GB alone does more harm than good.

Exchange?? What do you mean Exchange? All the docs say to use the /3GB switch. What gives? Please welcome /userva to the party. The /userva=xxxx switch is designed to allow more precise tuning of the user-mode address space for applications that require more than 2GB of user-mode space but do not require all the space provided by the /3GB switch alone. Use the /userva switch together with the /3GB switch in Boot.ini to tune the user-mode space to a value between 2 and 3 gigabytes (GB), with the difference (3,072 less xxxx) being returned to kernel mode.

OK, so now the OS can see more than 4GB of Memory, but my application is still limited to 2-3GB of memory.  How can my applications use more memory?

As stated earlier, by using PAE we give the OS the ability to address memory over the 4GB mark. Windows 2003 Enterprise and Datacenter Editions make use of the x86 36-bit memory addressing for applications through an API called Address Windowing Extensions (AWE). The AWE API allows an application to transfer memory pages above the 4GB limit into its addressable memory area, where it can make changes to the pages. This permits applications such as SQL Server that use large datasets to manage them in RAM rather than in a slow paging file. AWE locks physical memory to an application: no other application can use this memory, and it can't be paged to disk.

What’s new in Vista and Server 2008 32bit?

Let's say we have a Windows 2003 Server running Terminal Server with the following kernel memory utilization:

      Paged pool: 50%

      Non-paged pool: 70%

      System PTEs: 98%

Even though there is still a fair amount of memory in the paged & nonpaged pools, this system is essentially loaded to its maximum capacity because the System PTEs are fully exhausted. 32-bit versions of Windows have relatively low maximum values for these memory areas, which all need to be allocated out of the 1-2GB of kernel virtual memory space. Up until Vista this allocation was only done at boot up.

In Windows Vista/2008, kernel virtual address space is dynamically allocated. The sizes and locations of the paged pool, nonpaged pool, system cache & PTEs are no longer fixed, but are dynamically adjusted according to current operational requirements. This simple but effective change resolves the single-pool exhaustion issue described above. Now, not only can Peter steal from Paul, but Paul can steal back from Peter.
