Tuesday, March 31, 2015

How to know the service status on Windows 2003

Sc.exe also displays service status and retrieves the values stored in the status structure fields. You can set the parameters to these functions by specifying them on the command line. The tool also lets you specify the name of a remote computer so that you can call the service API functions or view the service status structures on that remote computer.


To know the status of a particular service:

Go to Run -> cmd -> sc query "SERVICE NAME"

C:\Users\Trainer>sc query "IISADMIN"

SERVICE_NAME: IISADMIN
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1066  (0x42a)
        SERVICE_EXIT_CODE  : -2146893818  (0x80090006)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

C:\Users\Trainer>hostname
Trainer-PC

C:\Users\Trainer>date /t && time /t
Wed 04/01/2015
02:16 PM


C:\Users\Trainer>

sc query
sc query type= service state= all

To create a list of active drivers, use
sc query type= driver

For a list of everything, use
sc query state= all

How to use? Open cmd and type
sc query

Some more ways to use SC command.

sc config
This command is used to set the startup type of a service, i.e. how the service behaves at system startup. A service can be set to start automatically, manually (on demand) or not at all.

sc config ServiceName start= flag

Here ServiceName is the name of the service and flag has one of the values auto, demand or disabled.

sc config ServiceName start= demand
Note that there must be a space after the equals sign.

If you want to know the status of services on a remote computer, type

sc \\server_name query
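As an added example (not part of the original post), the following Python script parses the output of sc query, as shown above, and lists services that are STOPPED with a non-zero WIN32_EXIT_CODE, which is the kind of entry (IISADMIN with 1066 and 0x80090006 in the capture above) worth a closer look after a failed start. The sample text embedded in the script is constructed from the capture on this page plus a second, made-up running service; the script name and the idea of saving sc query state= all to a file first are assumptions.

```python
import re
import sys

# Constructed sample: the IISADMIN block captured on this page plus one made-up
# running service, in the layout sc.exe prints for "sc query state= all".
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: IISADMIN
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1066  (0x42a)
        SERVICE_EXIT_CODE  : -2146893818  (0x80090006)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Every field line looks like "KEY : value"; continuation lines such as
# "(STOPPABLE, ...)" have no key and are skipped by this pattern.
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_sc_query(text):
    """Split sc query output into one dict per SERVICE_NAME block."""
    services = []
    current = None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue
        key, value = match.groups()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def numeric_code(value):
    """'1066  (0x42a)' -> 1066 ; sc prints the decimal first, then hex."""
    return int(value.split()[0])


def failed_services(services):
    """Return (name, win32_exit_code, service_exit_code) for stopped services
    whose last start did not succeed (WIN32_EXIT_CODE != 0).
    SERVICE_EXIT_CODE is masked to 32 bits so it reads like the HRESULT sc prints."""
    result = []
    for svc in services:
        if "STOPPED" not in svc.get("STATE", ""):
            continue
        win32 = numeric_code(svc.get("WIN32_EXIT_CODE", "0"))
        if win32 == 0:
            continue
        specific = numeric_code(svc.get("SERVICE_EXIT_CODE", "0")) & 0xFFFFFFFF
        result.append((svc["SERVICE_NAME"], win32, specific))
    return result


if __name__ == "__main__":
    # Assumed usage: sc query state= all > services.txt, then
    # python sc_failed.py services.txt ; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SC_OUTPUT
    for name, win32, specific in failed_services(parse_sc_query(text)):
        print(f"{name}: WIN32_EXIT_CODE={win32} SERVICE_EXIT_CODE=0x{specific:08X}")
```

Running it against the sample reports only IISADMIN, with the service-specific code rendered as 0x80090006, which matches the hex sc.exe itself prints in the capture above.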

Error 0X80090016 Keyset does not exist, Task Scheduler is not performing tasks

Set Protected Storage to Automatic and verify the Status is started.

1. Click Start.
2. Choose Run.
3. In the Run box, type services.msc.
4. Click OK.
5. Find the Protected Storage service, and right-click to select it.
6. Select Properties.
7. In the Startup Type list, select Automatic. 
8. Verify the service Status is Started.
9. Click OK. 

10. Double-click My Computer, and then click Folder Options on the Tools menu.
(THERE WAS NO "My Computer" on the desktop - used Start -> My Computer)
11. On the View tab, click to select Show hidden files and folders, and then click OK.
12. Delete all of the files in the "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18" folder.
13. Stop/start the task scheduler service.
14. Re-enter the password for the user running each job.
  (Right-click -> Run now executes the job, and the jobs now also run as scheduled.)

WMIC - Windows Management Instrumentation Command-line

WMIC is a command line interface to WMI (Windows Management Instrumentation). WMI is an application interface that gives you low-level access to a wide variety of information about systems, both hardware and software. Before WMIC, WMI-based applications (such as SMS), the WMI Scripting API, or tools such as CIM Studio were used to manage WMI-enabled computers. WMIC provides a powerful, user-friendly interface to the WMI namespace. Earlier, you needed a grasp of a programming language such as C++ or of scripting. While WMIC is very powerful, it is also barely documented.



How to Run WMIC?

To invoke the WMIC command prompt, type
wmic

The following global switches are available:

/NAMESPACE    Path for the namespace the alias operate against.
/ROLE         Path for the role containing the alias definitions.
/NODE         Servers the alias will operate against.
/IMPLEVEL     Client impersonation level.
/AUTHLEVEL    Client authentication level.
/LOCALE       Language id the client should use.
/PRIVILEGES   Enable or disable all privileges.
/TRACE        Outputs debugging information to stderr.
/RECORD       Logs all input commands and output.
/INTERACTIVE  Sets or resets the interactive mode.
/FAILFAST     Sets or resets the FailFast mode.
/USER         User to be used during the session.
/PASSWORD     Password to be used for session login.
/OUTPUT       Specifies the mode for output redirection.
/APPEND       Specifies the mode for output redirection.
/AGGREGATE    Sets or resets aggregate mode.
/AUTHORITY    Specifies the <authority type> for the connection.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:

ALIAS               - Access to the aliases available on the local system
BASEBOARD           - Base board (also known as a motherboard or system board) management.
BIOS                - Basic input/output services (BIOS) management.
BOOTCONFIG          - Boot configuration management.
CDROM               - CD-ROM management.
COMPUTERSYSTEM      - Computer system management.
CPU                 - CPU management.
CSPRODUCT           - Computer system product information from SMBIOS.
DATAFILE            - DataFile Management.
DCOMAPP             - DCOM Application management.
DESKTOP             - User's Desktop management.
DESKTOPMONITOR      - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE           - Physical disk drive management.
DISKQUOTA           - Disk space usage for NTFS volumes.
DMACHANNEL          - Direct memory access (DMA) channel management.
ENVIRONMENT         - System environment settings management.
FSDIR               - Filesystem directory entry management.
GROUP               - Group account management.
IDECONTROLLER       - IDE Controller management.
IRQ                 - Interrupt request line (IRQ) management.
JOB                 - Provides access to the jobs scheduled using the schedule service.
LOADORDER           - Management of system services that define execution dependencies.
LOGICALDISK         - Local storage device management.
LOGON               - LOGON Sessions.
MEMCACHE            - Cache memory management.
MEMORYCHIP          - Memory chip information.
MEMPHYSICAL         - Computer system's physical memory management.
NETCLIENT           - Network Client management.
NETLOGIN            - Network login information (of a particular user) management.
NETPROTOCOL         - Protocols (and their network characteristics) management
NETUSE              - Active network connection management.
NIC                 - Network Interface Controller (NIC) management.
NICCONFIG           - Network adapter management.
NTDOMAIN            - NT Domain management.
NTEVENT             - Entries in the NT Event Log.
NTEVENTLOG          - NT eventlog file management.
ONBOARDDEVICE       - Management of common adapter devices built into the motherboard (system board)
OS                  - Installed Operating System/s management.
PAGEFILE            - Virtual memory file swapping management.
PAGEFILESET         - Page file settings management.
PARTITION           - Management of partitioned areas of a physical disk.
PORT                - I/O port management.
PORTCONNECTOR       - Physical connection ports management.
PRINTER             - Printer device management.
PRINTERCONFIG       - Printer device configuration management.
PRINTJOB            - Print job management.
PROCESS             - Process management.
PRODUCT             - Installation package task management.
QFE                 - Quick Fix Engineering.
QUOTASETTING        - Setting information for disk quotas on a volume.
RDACCOUNT           - Remote Desktop connection permission management.
RDNIC               - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS       - Permissions to a specific Remote Desktop connection.
RDTOGGLE            - Turning Remote Desktop listener on or off remotely.
RECOVEROS           - Information that will be gathered from memory when the operating system fails.
REGISTRY            - Computer system registry management.
SCSICONTROLLER      - SCSI Controller management.
SERVER              - Server information management.
SERVICE             - Service application management.
SHADOWCOPY          - Shadow copy management.
SHADOWSTORAGE       - Shadow copy storage area management.
SHARE               - Shared resource management.
SOFTWAREELEMENT     - Management of the elements of a software product installed on a system.
SOFTWAREFEATURE     - Management of software product subsets of SoftwareElement.
SOUNDDEV            - Sound Device management.
STARTUP             - Management of commands that run automatically when users log onto the computer
SYSACCOUNT          - System account management.
SYSDRIVER           - Management of the system driver for a base service.
SYSTEMENCLOSURE     - Physical system enclosure management.
SYSTEMSLOT          - Management of physical connection points including ports, slots and peripherals, and proprietary connection points.
TAPEDRIVE           - Tape drive management.
TEMPERATURE         - Data management of a temperature sensor (electronic thermometer).
TIMEZONE            - Time zone data management.
UPS                 - Uninterruptible power supply (UPS) management.
USERACCOUNT         - User account management.
VOLTAGE             - Voltage sensor (electronic voltmeter) data management
VOLUME              - Local storage volume management.
VOLUMEQUOTASETTING  - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA     - Per user storage volume quota management.
WMISET              - WMI service operational parameters management

For more information on a specific alias, type: alias /?
CLASS     - Escapes to full WMI schema.
PATH      - Escapes to full WMI object paths.
CONTEXT   - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?



Examples:

To get information on the patches installed on the computer:

WMIC qfe

To get information on the software installed on the computer:

WMIC product get name

To get information on the users who have logged on to the system, with the date of last logon:

WMIC netlogin get name, lastlogon

WMIC /node:<computername> netlogin get name, lastlogon

Log files required for troubleshooting a Windows 7/2008 server installation

Many times we are unable to install the OS on a fresh computer; we make a lot of tries with no luck and don't know what to do next, how to dig into the issue, or which logs to look at and where to find them.
The key to solving these failures is identifying where you are in the installation process when a failure occurs. When you are creating a new installation, the hard drive is not available initially, so Windows Setup writes its logs into memory, specifically in a Windows PE session (X:\Windows). Once the hard drive is ready to use after formatting, Setup continues logging directly onto the new hard drive (C:\Windows). Log files created during the Windows PE session are temporary.


Windows Setup Scenario

When a failure occurs in Windows Setup, review the entries in the Setuperr.log file, then the Setupact.log file, and then other log files as appropriate.

Log file: Setupact.log
Description: Primary log file for most errors that occur during the Windows installation process. There are several instances of the Setupact.log file, depending on what point in the installation process the failure occurs. It is important to know which version of the Setupact.log file to look at, based on the phase you are in.
Location:
  Setup (specialize): X:\Windows\panther
  Setup (OOBE), LogonUI, OEM First Run: %windir%\panther
  Windows Welcome (OOBE): %windir%\panther\unattendGC

Log file: Setuperr.log
Description: High-level list of errors that occurred during the specialize phase of Setup. The Setuperr.log file does not provide any specific details.
Location:
  Setup (specialize): %windir%\panther
  Setup (OOBE), LogonUI, OEM First Run: %windir%\panther

Log file: Setupapi.offline.log
Description: Driver failures during the Component Specialization sub-phase of the Setup specialize phase.
Location: %windir%\inf

Log file: Cbs_unattend.log
Description: Unattended-setup servicing failures.
Location: %windir%\panther

Log file: Setupapi.dev.log
Description: Driver failures during the OOBE phase of Setup.
Location: %windir%\inf

Log file: Sessions.xml
Description: An XML-based transaction log file that tracks all servicing activity, based on session id, client, status, tasks, and actions. If necessary, the Sessions.log file will point to the DISM.log and CBS.log files for more details.
Location: %windir%\servicing\sessions

Log file: CBS.log
Description: Servicing log file that provides more details about offline-servicing failures.
Location: %windir%\Panther



OOBE (out-of-box experience) is the first impression a user has of a product when opening its packaging and taking it into use. For software, it is the "Welcome Screen" or "Initial Configuration" wizard screens that simplify the otherwise elaborate set-up of the software.
As an example, the process of installing Microsoft Windows is an OOBE. Whatever steps we do during installation are part of the OOBE: acknowledging the software license terms, specifying the partition on which to install the OS, entering the product key, etc.


Note: Information is gathered from Technet.

Page Fault


A page fault occurs when a process requests a page in memory but the system cannot find it in the process's working set. The system page fault handler then attempts to resolve the page fault.

Type of Page Fault

  • Hard Page Fault – If the requested page must be retrieved from disk, the fault is called a hard page fault.

  • Soft Page Fault – If the requested page is found elsewhere in memory, the fault is called a soft page fault.

*Most processors can handle large numbers of soft faults without significant consequence. However, hard faults can cause delays because they require disk access.

The counters given below can be used to identify page faults.

Page Faults/sec - Page Faults/sec is a combination of hard page faults and soft page faults. This counter gives how many times per second a page fault occurs. The page must be retrieved either from another location in memory or from the pagefile.


Hard Page Fault Counters

  • Page Reads/sec – Indicates how often the system is reading from the disk because of hard page faults; in other words, the number of reads from disk that were done to satisfy page faults. The number of pages read each time the system goes to the disk may vary, but a sustained value of over 5 is a strong indicator of a memory problem. We can say this counter is the best indicator of a memory shortage.
  • Pages Input/sec – Pages read from disk to resolve hard page faults. We can use this counter in comparison with the Page Faults/sec counter to determine the percentage of page faults that are hard page faults.
  • Pages/sec – Pages read from or written to disk to resolve hard page faults.

In short we can say, a high number of hard page faults may indicate that you need to increase the amount of memory or reduce the cache size on the server.

Soft Page Fault Counter

  • Transition Faults/sec - Page faults were resolved by recovering pages without additional disk activity, including pages that were being used by another process sharing the page.
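As an added example (not from the original post), this Python script applies the two rules stated above to a series of counter samples: it computes the share of page faults that were hard faults (Pages Input/sec divided by Page Faults/sec) and checks whether Page Reads/sec stays above 5 for several consecutive samples, since the post stresses a sustained value rather than a single spike. The sample values are constructed for the demonstration; the window size of three samples and the function names are assumptions.

```python
# Constructed Performance Monitor style samples, one per interval, for the
# counters discussed above. The numbers are made up for this demonstration.
SAMPLES = [
    {"Page Faults/sec": 900.0,  "Pages Input/sec": 10.0, "Page Reads/sec": 2.0},
    {"Page Faults/sec": 1200.0, "Pages Input/sec": 60.0, "Page Reads/sec": 7.0},
    {"Page Faults/sec": 1100.0, "Pages Input/sec": 55.0, "Page Reads/sec": 6.0},
    {"Page Faults/sec": 1300.0, "Pages Input/sec": 65.0, "Page Reads/sec": 8.0},
    {"Page Faults/sec": 800.0,  "Pages Input/sec": 8.0,  "Page Reads/sec": 3.0},
]

# Threshold from the post: a sustained Page Reads/sec above 5 points at a
# memory shortage. The window length (assumed) defines "sustained".
READS_THRESHOLD = 5.0
WINDOW = 3


def hard_fault_ratio(sample):
    """Fraction of page faults that went to disk: Pages Input/sec / Page Faults/sec.
    Returns 0.0 when no faults occurred, to avoid dividing by zero."""
    faults = sample["Page Faults/sec"]
    if faults == 0:
        return 0.0
    return sample["Pages Input/sec"] / faults


def sustained_above(samples, counter, threshold, window):
    """True if `counter` exceeds `threshold` in `window` consecutive samples."""
    run = 0
    for sample in samples:
        run = run + 1 if sample[counter] > threshold else 0
        if run >= window:
            return True
    return False


def memory_pressure_report(samples, reads_threshold=READS_THRESHOLD, window=WINDOW):
    """Summarise the samples: worst and mean hard-fault share, and whether disk
    reads for page faults were sustained over the window."""
    ratios = [hard_fault_ratio(s) for s in samples]
    return {
        "max_hard_fault_ratio": max(ratios) if ratios else 0.0,
        "mean_hard_fault_ratio": sum(ratios) / len(ratios) if ratios else 0.0,
        "sustained_disk_reads": sustained_above(samples, "Page Reads/sec",
                                               reads_threshold, window),
    }


if __name__ == "__main__":
    report = memory_pressure_report(SAMPLES)
    print(f"max hard-fault share : {report['max_hard_fault_ratio']:.1%}")
    print(f"mean hard-fault share: {report['mean_hard_fault_ratio']:.1%}")
    print(f"sustained disk reads : {report['sustained_disk_reads']}")
```

With the sample data the middle three intervals keep Page Reads/sec at 7, 6 and 8, so the report flags sustained disk reads, while the same data with a window of four samples does not; that is the difference between a transient burst and the sustained shortage the post warns about.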

Boot sequence for Windows 2000, XP and 2003:

Windows 2003 booting process

BIOS: performs Power On Self Test (POST)
BIOS: loads MBR from the boot device specified/selected by the BIOS

MBR: contains a small amount of code that reads the partition table, the first partition marked as active is determined to be the system volume
MBR: loads the boot sector from the system volume

BOOT SECTOR: reads the root directory of the system volume and loads NTLDR

NTLDR: reads BOOT.INI from the system volume to determine the boot drive (presenting a menu if more than 1 entry is defined)
NTLDR: loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection
NTLDR: loads NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot (Windows) volume
NTLDR: loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System
NTLDR: loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE

NTOSKRNL.EXE: brings up the loading splash screen and initializes the kernel subsystem
NTOSKRNL.EXE: starts the boot-start drivers and then loads & starts the system-start drivers
NTOSKRNL.EXE: creates the Session Manager process (SMSS.EXE)

SMSS.EXE: runs any programs specified in BootExecute (e.g. AUTOCHK, the native API version of CHKDSK)
SMSS.EXE: processes any delayed move/rename operations from hotfixes/service packs replacing in-use system files
SMSS.EXE: initializes the paging file(s) and the remaining registry hives
** before this step completes, bugchecks will not result in a memory dump as we need a working page file on the boot (Windows) volume **
SMSS.EXE: starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS)
SMSS.EXE: starts the user-mode portion of the Win32 subsystem (CSRSS.EXE)
SMSS.EXE: starts WINLOGON.EXE

WINLOGON.EXE: starts the Local Security Authority (LSASS.EXE)
WINLOGON.EXE: loads the Graphical User Identification and Authentication DLL (MSGINA.DLL by default)
WINLOGON.EXE: displays the logon window
WINLOGON.EXE: starts the services controller (SERVICES.EXE)
** at this point users can logon **

SERVICES.EXE: starts all services marked as automatic

post       - power on self test

mbr        - contains a small amount of code that reads the partition table; the first partition marked as active is determined to be the system volume
           - loads the boot sector from the system volume

ntldr      - reads boot.ini (OS selection is made here)
           - loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System
           - loads NTOSKRNL.EXE, HAL.DLL

ntoskrnl   - brings up the loading splash screen and initializes the kernel subsystem
           - starts the boot-start drivers and then loads & starts the system-start drivers

smss       - winlogon - services

source : http://www.answers.com/Q/Windows_2003_booting_process

---------

NOTES:
The SYSTEM volume is the partition from which the boot process starts, containing the MBR, boot sector, NTLDR, NTDETECT.COM & BOOT.INI
The BOOT volume is the partition which contains the Windows folder - this can be a logical partition

BIOS: performs Power On Self-Test (POST)


BIOS: loads MBR from the boot device specified/selected by the BIOS

MBR: contains a small amount of code that reads the partition table, the first partition marked as active is determined to be the system volume

MBR: loads the boot sector from the system volume

BOOT SECTOR: reads the root directory of the system volume and loads NTLDR

NTLDR: reads BOOT.INI from the system volume to determine the boot drive (presenting a menu if more than 1 entry is defined)

NTLDR: loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection



ntdetect.com is a component of Microsoft Windows NT-based operating systems that run on the x86 architecture. It is used during the Windows NT startup process, and is responsible for detecting the basic hardware that will be required to start the operating system.

The bootstrap loader takes the control over the booting process and loads NTLDR. Ntdetect.com is invoked by NTLDR, and returns the information it gathers to NTLDR when finished, so that it can then be passed on to ntoskrnl.exe, the Windows NT kernel.

Ntdetect.com is used on computers that use BIOS firmware. Computers with Extensible Firmware Interface, such as IA-64, use a method of device detection that is not tied to the operating system.



Hardware detection operates somewhat differently depending on whether or not Advanced Configuration and Power Interface (ACPI) is supported by the hardware. It passes on the hardware details gathered from the BIOS onto the OS. If ACPI is supported, the list of found devices is handed to the kernel, Windows will take responsibility for assigning each device some resources. On older hardware, where ACPI is not supported, the BIOS takes responsibility for assigning resources, not the operating system, so this information is passed to the kernel as well.

In addition, ntdetect.com determines which hardware profile to use. Windows supports multiple distinct hardware profiles, which allows a single copy of Windows to work well in situations where the hardware changes between specific layouts on a regular basis. This is common with portable computers that connect to a docking station.

In Windows Vista and later Windows operating systems, ntdetect.com only supports ACPI, so that Windows will be able to control hardware resource allocation on every machine in the same way. Hardware profiles are also no longer supported in Windows Vista.

The information gathered by ntdetect.com is stored in the HKLM\HARDWARE\DESCRIPTION key in the Windows Registry at a later stage in the boot process.

Classes of hardware detected
Hardware identification
Hardware date & time
Bus and adapter types
SCSI adapters
Video adapters
Keyboard
Serial and parallel communication ports
Hard drives
Floppy disks
Mouse
Floating-point coprocessor
Industry Standard Architecture-based devices



NTLDR: loads NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot (Windows) volume

NTLDR: loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System

NTLDR: loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE

NTOSKRNL.EXE: brings up the loading splash screen and initializes the kernel subsystem
NTOSKRNL.EXE: starts the boot-start drivers and then loads & starts the system-start drivers
NTOSKRNL.EXE: creates the Session Manager process (SMSS.EXE)

SMSS.EXE: runs any programs specified in BootExecute (e.g. AUTOCHK, the native API version of CHKDSK)
SMSS.EXE: processes any delayed move/rename operations from hotfixes/service packs replacing in-use system files
SMSS.EXE: initializes the paging file(s) and the remaining registry hives
** before this step completes, bugchecks will not result in a memory dump as we need a working page file on the boot (Windows) volume **
SMSS.EXE: starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS)
SMSS.EXE: starts the user-mode portion of the Win32 subsystem (CSRSS.EXE)
SMSS.EXE: starts WINLOGON.EXE

WINLOGON.EXE: starts the Local Security Authority (LSASS.EXE)
WINLOGON.EXE: loads the Graphical User Identification and Authentication DLL (MSGINA.DLL by default)
WINLOGON.EXE: displays the logon window
WINLOGON.EXE: starts the services controller (SERVICES.EXE)
** at this point users can logon **

SERVICES.EXE: starts all services marked as automatic