Posted by Shawn Anderson on Wed, Jul 21, 2010
Photo by HikingKid
I was working on a problem last week that caused me to, more than once, blaspheme various deities known to humankind. I had 10 servers each running SQL 2008 Express. An application that was supposed to process data in these databases had unexpectedly quit and, thus, I had 4 tables in each DB that had more than 60,000 rows of data to process and more data coming in. The application which had to process the data was using 2 GB of memory and quickly rising. 2 GB may not seem like a lot but we are talking an x86 server with 4 GB of RAM.
The thing about all this data, however, is that it is largely time specific. Online status, computer logons (not user logons) etc. After 30 minutes or so, the data was not important any longer (as it had been replaced by other logon events and online status updates.)
The amount of data that had to be processed at each of the servers was so immense that the servers were not responding the way I needed them to. Since I didn't need the data, I simply decided to purge the outdated data from certain tables.
I opened up Admin Arsenal and selected and ran a Remote Command against a collection which held all my servers on which Microsoft SQL Express was installed.
Since Admin Arsenal's Remote Command feature will actually run the command on each selected system there was no need for me to provide a server name.
Within 2 minutes all of my databases were processing current data and all was well.
I needed a quick solution and I got one. I couldn't log on to each system from the SQL Database Manager application provided by Microsoft. The overhead of each connection was so great that even increasing the timeout to 300 seconds was not enough. Plus, even if I COULD have attached to each DB via the Manager I would have been working against myself. I needed all the unneccesary data gone from all the systems fast. Individual attention to each would take too long.
Remember, sometimes your solution is just one command away...
Follow me on Twitter @ShaneCorellian
Posted by The Admin Arsenal Team on Mon, Feb 01, 2010
Author: Adam Ruth
When it comes to deploying MSI installers, it's almost always best to use the /quiet option to ensure that the installer runs silently. Almost. There is actually more than one level of "quietness" when it comes to MSI, and there are some very rare occasions when you may want to use one of them.
Recently, while troubleshooting an installer that wasn't being deployed properly with Admin Arsenal, I discovered one such situation. The Apple QuickTime installer version 7.65.17.80 (the latest version at the time of writing) has an unusual quirk. When installed with the /quiet option it doesn't install all of the files even though it installs fine when run normally. (Note, the installer is packaged as an .EXE file, but it's built with MSI as can be seen when you run it with the /? option.)
While troubleshooting I decided to try installing with one of the the less quiet options, just to see what would happen. For those of you not aware, the following are all of the various options for quietness:
- /quiet or /qn (no UI) - Completely silent
- /passive or /qb (basic UI) - Shows only a progress dialog
- /qr (reduced UI) - Skips all parts of the UI that ask for information
The /passive option worked in my lab. There must be a bug in the installer where it's not properly handling the /quiet option. There are valid reasons for doing things differently during a quiet install vs. a normal install, so it seems that the QuickTime installer developers just missed some case somewhere.
Swapping /passive for /quiet was very simple within Admin Arsenal since the installer is an .EXE file. But it's not so obvious how to change the option when installing an MSI file. To achieve the same effect you need to uncheck the quiet option and then add the replacement option in the "Other Options" box.
Posted by The Admin Arsenal Team on Mon, Oct 05, 2009
One of the better hidden features of Admin Arsenal (and "better hidden" isn't really a compliment) is the ability to see the output from remote commands when running them on a group of computers.
Let's say you want to edit the registry of a group of computers using reg.exe. You send out your command to a couple of computers and you end up with something like this:
It looks like everything worked perfectly, but you can't be sure there weren't any warnings without seeing the output of the command. Right-click on a computer and select "See Output..."
You'll be taken to the remote command window where you can see the output and re-run the command if you wish.
A note on return codes: Currently remote commands will show "successful" in the task window even if the remote command failed. This is because the task is only showing whether or not the command was successfully sent to the computer. The next update of Admin Arsenal 1.4 will show a failure if the command returns a non-zero error code. This isn't a guarantee, though, because not all command line utilities will return non-zero on failure and some will return non-zero even if they succeed.
Posted by The Admin Arsenal Team on Fri, Sep 18, 2009
Photo by mandj98
While attending TechEd in 2008 I heard over and over again a technique used for running a command on a server; remote desktop. A few people were using sysinternals for this common task, and my hat is off to them. That's a much more efficient way of running a command or two without the headache of logging into the system.
We've seen this problem too and our system administrator product, Admin Arsenal, has a quiet little feature that handles this very challenge. We call it "Remote Command".
It's simple. You select the computer(s) that you wish to run a command and you run it from within the Admin Arsenal GUI. The output is provided back to you as though you had issued the command locally.
I was surprised at the number of admins who were using the manual method. It's a good reminder to keep your eyes and ears open. Doing so will keep you more attentive as you discover solutions to problems you didn't know that you had.
Posted by The Admin Arsenal Team on Fri, Aug 28, 2009
Photo by shawncampbell
A command-line tool that I have found very useful lately is reg.exe, the command-line registry editor. It is particularly useful to make changes to computers remotely using Admin Arsenal's batch file deployment or remote command.
It has a number of different commands (see them by running reg /?) but the ones I use most are ADD and DELETE. It is available on all current versions of Windows so you don't need to worry about deploying it. It's particularly helpful to make a configuration change to a number of computers at a time without using a GPO and waiting for it to be applied. Recently I needed to enable unsolicited Remote Assist on a bunch of computers and reg.exe came to the rescue.
I created the following batch file:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowUnsolicited /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowUnsolicitedFullControl /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
The using Admin Arsenal's software deployment, I pushed the batch file out to the computers and voilà Remote Assist was enabled.
Next time you need to make registry changes on more than one computer, keep this option in mind.
Posted by Adam Ruth, Shane Corellian, and Shawn Anderson on Fri, Jun 26, 2009
OK, I am writing this on a Friday afternoon. I don't feel like starting a new project. I don't feel like working through my list of to-do's and, well, it's very obvious that I'm not the only person who feels like this today. But I'm at work, slightly bored and I have administrative rights on all of these computers. Sweet.
I think it's time to confuse the hordes of co-workers who are playing Solitaire. I'm gonna write a Monitor to watch for, and kill any running solitaire process.
Let's open up Admin Arsenal and select the Monitors button:
As you can see from the images above, I created a Monitor called Solitaire - Vista. I look for the executable called Solitaire.exe. Every 120 seconds Admin Arsenal (AA) will poll selected target systems and check to see if any process called Solitaire.exe is Running. If it detects the process running it will trigger two Actions that I have defined. The first will kill the process Solitaire and the other will send an email to me stating some information that about the event. If you notice in both Action examples I have called variables like {Process}. These variables can be select by pressing the 
button and selecting my desired variable.
After you define your Monitor, don't forget to add the targets. You can add individual machines or Collections or Active Directory OUs as targets. Since I'm bored, I'm going to select all Vista machines as targets.
Sit back and wait for various groans and grunts from other cubes.
*NOTE* For versions of Windows prior to Vista, the Solitaire exe is 'Sol.exe'
Posted by The Admin Arsenal Team on Wed, May 13, 2009
This is probably my most hated error in Windows administration. It is, I have concluded, a boneyard or "catch all" error that can mean just about anything. I finally ran across a solution which, commonly, seems to fix the problem in XP and 2003 (I'm still looking for a good solution for Vista and Windows 7). You do need to run a command on the target machine. I use the Remote Command feature in Admin Arsenal, this way I don't have to actually visit the target system(s). Here is the command you need to run and NO, there isn't a typo.
SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
If anyone has any other suggestions for the dreaded catch-all RPC Server error, PLEASE let me know.
Posted by Adam Ruth, Shane Corellian, and Shawn Anderson on Wed, Apr 08, 2009
We often get questions about uninstalling software remotely. We will be providing this capability in version 2.0, but until then there are ways to get what you want done.
Method 1
The first and simplest way to uninstall remotely only works if the application was installed with a .msi file and you have access to the install file. You simply "deploy" the .msi file with Admin Arsenal using the Uninstall option:
- MSI Uninstall Option
Admin Arsenal will then go through the standard deployment process, except that it will uninstall the application.
Method 2
The second method is a bit more tricky, but doable. It is this process that Admin Arsenal version 2.0 will automate for you. What you need to find is the "Uninstall String" which is the command that is run by the Add/Remote Programs control panel when you want to uninstall a program. This is located in the registry on the computer where the application is installed.
To find the uninstall string, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
- Uninstall Registry Key
Within this key there will be entries for the programs that are installed. It may be a bit tricky to find exactly the one you're looking for, but using search should help you get to it. Most entries will have an UninstallString value. This is the value you want. In the highlighted example above, the value is:
"C:\Program Files\TightVNC\unins000.exe"
Running this command will give you exactly what you get when running the Add/Remove Programs control panel. The same caveats about silent installations applies to uninstalling as installing. If you ran this uninstall string, as it is, remotely it would hang and never finish. This is because it pops up asking if you "really, honest to goodness, pinky swear want to uninstall?" but the question won't be visible to allow you to answer.
A quick search in for "unins000.exe silent" in [your search engine of choice] revealed that if you use /silent as the argument, you'll avoid the question and the install runs without user intervention.
"C:\Program Files\TightVNC\unins000.exe" /silent
Tip: Some uninstall strings include MsiExec.exe. These always have the same options to uninstall quietly. Simply change a value like this:
MsiExec.exe /I{3EE9BCAE-E9A9-4535-9B1C-83A4D357E05C}
to this:
MsiExec.exe /X{3EE9BCAE-E9A9-4535-9B1C-83A4D357E05C} /q
Now that you have the uninstall string, you just need to run it as a remote command, and voilà, a clean slate.
Posted by Adam Ruth, Shane Corellian, and Shawn Anderson on Wed, Apr 01, 2009
What in the hell are Dependencies?
Dependencies are files of any type that you define as "necessary to do my job". An easy example might be:
You want to uninstall the Microsoft SMS Advanced Client on your computers. Using Admin Arsenal's Remote Command feature, you can do this very easily. Microsoft provides a utility to remove SMS called "CCMClean.exe", therefore all we have to do is make certain that CCMClean.exe is a dependency in Admin Arsenal. This way we know that CCMClean.exe will be present on the remote computers when needed.
You can add or remove dependency files via the Admin Arsenal Preferences window.
- Admin Arsenal Preferences
We have the option of including Dependency files when running a Remote Command.
Dependency files will be deleted from target machines after the Remote Command has completed. Obviously marking very large files as Dependencies should be avoided.
Posted by Adam Ruth, Shane Corellian, and Shawn Anderson on Wed, Mar 04, 2009
Your users are complaining that they are constantly seeing a reminder window to update Java. They usually want to know one or more of the following:
- Should I install the update?
- Should I ignore the update?
- Can I have these notifications disabled?
Since most applications keep their respective configurations in the Windows Registry it is a good bet that you can reach your desired goals by modifying the registry.
Note: I hate the phrase "hack the registry". You can only "hack" the registry if you make a change to the registry that wasn't intended to be made. Most areas of the registry are made to be modified, either manually or automatically, so it is as much of a "hack" to modify a value in the registry as it is to modify a sentence in a Microsoft Word document.
By looking online (thank you Google) I was easily able to find the modification needed to turn off Updates for Java. Here is the following Registry Key that you need to modify:
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
Turn off the Java Update feature by setting the EnableJavaUpdate value to "0". This will not only prevent the user from seeing the update requests, but it will also prevent them from updating at all. When you, as the administrator, are ready to update Java across your environment you can do so in an orderly and efficient way with software deployment.
To turn off the Java Update feature on mulitple machines, I suggest using the Remote Command feature in Admin Arsenal. The following command will turn off Java Updates:
REG ADD "HKLM\SOFTWARE\JavaSoft\Java Update\Policy" /v EnableJavaUpdate /t REG_DWORD /d 0 /f
The above command basically states: Add (or modify) the EnableJavaUpdate value to "0" and the type is DWord. The /f option forces an overwrite, which you will want to set if you are going to make this change en masse.
You can find the usage options for REG.EXE by running the following command from your Command Prompt:
REG /?
and
REG ADD /?
Run your desired command on multiple computers at once (above we have selected an entire Collection)
What are some common commands that you find yourself using? We'd love to hear how you use Remote Commands in your environment. Tell us your experiences by posting a comment to our blog.