Archive | November, 2008

PowerGUI, a graphical user interface and script editor for Windows PowerShell!

27 Nov

What is PowerGUI?

PowerGUI is an extensible graphical administrative console for managing systems based on Windows PowerShell. These include Windows OS (XP, 2003, Vista), Exchange 2007, Operations Manager 2007 and other new systems from Microsoft. The tool allows to use the rich capabilities of Windows PowerShell in a familiar and intuitive GUI console.

PowerShell is built-in feature under Windows Server 2008

Download PowerShell for Windows Vista, Windows 2003 and Windows XP

Download PowerGUI

Power Packs

Active Directory:

Microsoft Operations Manager (MOM):


Microsoft Exchange:




User manuals

For PowerGUI and QAD cmdlets user manuals and FAQ please visit PowerGUI wiki.


Latest PowerGUI and QAD cmdlets news can be found at our team members’ blogs:

Videos and Flash Demos

Don’t forget to post your comments ๐Ÿ™‚


XP as Domain Controller :)

27 Nov

This is very funny XP machine as a domain controller

1) Create a share called SYSVOL on an XP machine

2) Try to unshare the directory you shared as SYSVOL.

3) You will get a nice warning stating:

“This share is required for the machine to act properly as a domain controller. Removing it will cause a loss of functionality on all clients that this domain controller serves. Are you sure you wish to stop sharing SYSVOL?”


But do not worry – unsharing SYSVOL on XP will not break your AD. This is just an example of code reuse that Microsoft does.

Don’t forget to post your comments ๐Ÿ™‚


Useful Blog:
Guy Teverovsky:

ADRestore GUI version

27 Nov

Accidentally deleted user, computer account or OUโ€™s from Active Directory. Donโ€™t worry, now you can get them back using ADRestore tool using GUI interface.

Though there is a command line version of tombstone reanimation tool called adrestore – sysinternals, many people are not CLI savvies and having a GUI version of this functionality could really help them out.

Insight on tombstone: Reanimating Active Directory Tombstone Objects – By Gil Kirkpatrick
Gil Kirkpatrick’s article at Technet

Main features:

  • Browsing the tombstones
  • Domain Controller targeting
  • Can be used with alternative credentials (convenient if you do not logon to your desktop as Domain Admin, which you should never do anyway)
  • User/Computer/OU/Container reanimation
  • Preview of tombstone attributes

Here are some sceenshots:

Enumerating tombstones

Previewing the tombstone attributes

Restoring a deleted user account

Notice that if you delete an OU with accounts in it, you will have to restore first the OUs the accounts were in, otherwise the reanimation of the child object will fail. It is not enough to create an OU with the same name as this will be a totally new object in AD and child object’s lastKnowParent attribute will still reference the deleted OU. Here is a walthrough:

Initial state:

TestOU organizational unit is deleted:

State of tombstones (notice that lastKnownParent attribute of user and computer accounts reference the deleted OU):

OU is restored (lastKnowParent points to the restored OU’s distinguished name):

Both computer and user accounts that resided in TestOU are reanimated:

Download ADRestore.NET

Don’t forget to post your comments ๐Ÿ™‚


Useful Blogs:

ADRestore Rewrite: 
Reanimating Active Directory Tombstone Objects:

Hyper-V Videos by John Savill

27 Nov

One of the most useful videos I have found on the internet, for Hyper-V. Thanks to John Savill for his efforts and time.

Don’t forget to post your comments ๐Ÿ™‚


32-bit Memory Management Explained

20 Nov

Windows 32-bit Operating Systems implement a virtual memory system based on a flat 32-bit address space.  32-bits of address space translates into 4GB of virtual memory.  A process can access up to 4GB of memory address space (using the /3GB switch changes this behavior – and we’ll cover that in a later post).

You can’t have a discussion of Memory Management basics, without distinguishing between Kernel-mode and User-mode memory.  The system space (aka Kernel space) is the portion of the address space in which the OS and kernel-mode drivers reside.  Only kernel-mode code can access this space.  User-mode threads can access data only in the context of their own process.  User-mode threads cannot access data within another processes space directly, nor can it access the system address space directly.  Kernel-mode drivers are trusted by the OS and can access both kernel and user space.  When a driver routine is called from a user thread, the thread’s data remains in the user-mode space.  However, the kernel-mode driver can access the user-mode data for the thread and access the kernel-mode space.


OK – so looking at the diagram above, we can see how the 4GB memory address space is divided.  Windows allocates the lower half of the 4GB address space (from 0x00000000 to 0x7FFFFFFF) to processes for their own unique private storage, and reserves the other half (from 0x80000000 to 0xFFFFFFFF) for the Operating System’s use.  Virtual memory provides a view of memory that does not necessarily correspond to the physical layout of memory.

Kernel memory chart for Windows 2003 Server:


Default                            ( /PAE for 6-16GB )



Free System PTE: 51k          Paged Pool: 282MB 
Non Paged Pool: 212MB

Free System PTE: 32k          Paged Pool: 163MB 
Non Paged Pool: 131MB


Free System PTE: 196k          Paged Pool: 360MB 
Non Paged Pool: 262MB

Free System PTE: 16k          Paged Pool: 262MB
Non Paged Pool: 131MB


Free System PTE: 195k         Paged Pool: 360MB
Non Paged Pool: 262MB

Free System PTE: 14k
Paged Pool: 262MB
Non Paged Pool: 131MB


Free System PTE: 106k          Paged Pool: 336MB 
Non Paged Pool: 285MB

Free System PTE: 15k          Paged Pool: 258MB 
Non Paged Pool: 154MB


Free System PTE: 186k          Paged Pool: 366MB 
Non Paged Pool: 262MB

Free System PTE: 12k          Paged Pool: 239MB 
Non Paged Pool: 131MB


Free System PTE: 182k          Paged Pool: 366MB 
Non Paged Pool: 262MB

Free System PTE: 12k          Paged Pool: 225MB 
Non Paged Pool: 131MB


Free System PTE: 175k          Paged Pool: 366MB 
Non Paged Pool: 262MB

Free System PTE: 12k         Paged Pool: 196MB 
Non Paged Pool: 131MB


Free System PTE: 167k          Paged Pool: 366MB 
Non Paged Pool: 262MB

Free System PTE: 12k          Paged Pool: 169MB 
Non Paged Pool: 131MB

What is /3GB?:

/3GB is a switch used within the Boot.ini to Increase the size of a user process address space from 2 GB to 3G B. This in-turn reduces the Kernel space from 2 GB to 1 GB. This is a positive aspect for virtual-memory-intensive applications such as database servers a larger address space can improve their performance. For an application to take advantage of this feature, however, two additional conditions must be met: the system must be running Windows 2000 Advanced Server or Datacenter Server or Windows 2003 (All Editions) and the application .exe must be flagged as a 3-GB-aware application

With the /3GB switch we enable 3 GB area of  user-mode memory for programs to use. This feature can expand the virtual address range for user-mode memory from 0x0000000 through 0xBFFFFFF (the user-mode address range is typically from 0x00000000 through 0x7FFFFFFF). The range of memory that is available for kernel-mode components shrinks from 0x80000000-0xFFFFFFFF to 0xC0000000-0xFFFFFFFF.


What is /USERVA?:

Windows 2003 Servers and Windows XP SP1 incorporate a new /USERVA switch to work in conjunction with /3GB switch. You can use the /userva= switch for more precise tuning of user and kernel virtual memory space in the Windows Server 2003 family. Use this new switch with the /3GB switch in the Boot.ini file to tune the User-mode space to a value between 2 and 3 gigabytes (GB), with the difference being given back to Kernel mode.


Useful Blogs:

Windows Internals Mark Russinovich’s: 
Memory Management – Demystifying /3GB :
Memory Management:

Performance Analysis of Logs (PAL) Tool

20 Nov

Tired of parsing the Perfmon (*.blg) manually. Let PAL make your job easier, give you html output and highlight high thresholds.


Project Description
Ever have a performance problem, but don’t know what performance counters to collect or how to analyze them? The PAL (Performance Analysis of Logs) tool is a new and powerful tool that reads in a performance monitor counter log (any known format) and analyzes it using complex, but known thresholds (provided). The tool generates an HTML based report which graphically charts important performance counters and throws alerts when thresholds are exceeded. The thresholds are originally based on thresholds defined by the Microsoft product teams and members of Microsoft support, but continue to be expanded by this ongoing project. This tool is not a replacement of traditional performance analysis, but it automates the analysis of performance counter logs enough to save you time. This is a VBScript and requires Microsoft LogParser (free download).


  • Thresholds files for most of the major Microsoft products such as IIS, MOSS, SQL Server, BizTalk, Exchange, and Active Directory.
  • An easy to use GUI interface which makes creating batch files for the PAL.vbs script.
  • A GUI editor for creating or editing your own threshold files.
  • Creates an HTML based report for ease of copy/pasting into other applications.
  • Analyzes performance counter logs for thresholds using thresholds that change their critieria based on the computer’s role or hardware specs.

Download Link:  

To use PAL

The PAL tool is primarily a VBScript that requires arguments/parameters passed to it in order to properly analyze performance monitor logs. In v1.1 and later of PAL, a GUI interface has been added to help with this process.


Operating Systems
PAL runs successfully on all of the following operating systems: Windows XP SP2, Windows Vista, and Windows 2003 Server. 32-bit only due to OWC11 requirements.
Note: The optional GUI (windows form) portion of PAL requires the Microsoft .NET Framework v2.0.

Log Parser 2.2
Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windowsยฎ operating system such as the Event Log, the Registry, the file system, and Active Directoryยฎ. PAL uses the Log Parser tool to query perform logs and to create charts and graphs for the PAL report.

Microsoft Office Web Components 2003
Log Parser requires the Office Web Components 2003 in order to create charts.

Watch online at:
Download it ( from:

Related Blogs and Reviews
Clint Huffman’s Windows Performance Analysis Blog
Mike Lagase’s Exchange Performance Analysis Blog
Two Exchange Server Tools You Should Know About


Failover Clustering Windows 2008 Videos by John Savill

19 Nov

One of the most useful videos I have found on the internet, for failover clustering. Thanks to John Savill for his efforts and time.

Don’t forget to post your comments ๐Ÿ™‚


Few useful Debugging Commands – WinDbg

19 Nov

All of these commands are for kernel mode. These are few useful commands, that I use on daily basis for debugging. I hope you find them useful

Lists Version information for the machine/dump you’re debugging.  You can also use “version” to tell you about the debugger bits.

1: kd> vertarget
Windows Kernel Version 6001 (Service Pack 1) MP (4 procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 6001.18000.amd64fre.longhorn_rtm.080118-1840
Kernel base = 0xfffff800`0160c000 PsLoadedModuleList = 0xfffff800`017d1db0
Debug session time: Tue Apr  1 14:29:22.553 2008 (GMT-7)
System Uptime: 0 days 0:03:14.328

Good utility to check the CPU revs, BIOS revs, etc

1: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.31, DMIVersion 0, Size=1695]
BiosVendor = Phoenix Technologies LTD
BiosVersion = 6.00
BiosReleaseDate = 09/24/2007
SystemManufacturer = VMware, Inc.
SystemProductName = VMware Virtual Platform
SystemVersion = None
BaseBoardManufacturer = Intel Corporation
BaseBoardProduct = 440BX Desktop Reference Platform
BaseBoardVersion = None

1: kd> !sysinfo cpuinfo
[CPU Information]
~MHz = REG_DWORD 2000
Component Information = REG_BINARY 0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0
Configuration Data = REG_FULL_RESOURCE_DESCRIPTOR ff,ff,ff,ff,ff,ff,ff,ff,0,0,0,0,0,0,0,0
Identifier = REG_SZ x86 Family 6 Model 15 Stepping 8
ProcessorNameString = REG_SZ Intel(R) Xeon(R) CPU           L5335  @ 2.00GHz
Update Signature = REG_BINARY 0,0,0,0,b4,0,0,0
Update Status = REG_DWORD 2
VendorIdentifier = REG_SZ GenuineIntel
MSR8B = REG_QWORD b400000000

Getting the Server Name from the dump:
It’s quite a bit easier to do internally, but this will get it done too.  Good to know you’re debugging the right server. ๐Ÿ™‚

1: kd> dS srv!srvcomputername
e1b64db0  “Phantom”

Display current thread on the target system

1: kd> !thread
THREAD fa6046c8  Cid 1ab4.1f34  Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 1
IRP List:
    fa0cc490: (0006,01d8) Flags: 00000404  Mdl: 00000000
Not impersonating
Owning Process            fa15f3e0       Image:         cmd.exe
Wait Start TickCount      16627733       Ticks: 0
Context Switch Count      1102                 LargeStack
UserTime                  00:00:00.312
KernelTime                00:00:00.109
Win32 Start Address 0x00407ccc
Start Address 0x77e617f8
Stack Init f1e9d000 Current f1e9c4b8 Base f1e9d000 Limit f1e99000 Call 0
Priority 6 BasePriority 6 PriorityDecrement 0
ChildEBP RetAddr  Args to Child             
f1e9c174 e105bba7 0000008e c0000005 e11294a0 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f1e9c538 e10346b4 f1e9c554 00000000 f1e9c5a8 nt!KiDispatchException+0x3a2 (FPO: [Non-Fpo])
f1e9c5a0 e1034668 f1e9c628 e11294a0 badb0d00 nt!CommonDispatchException+0x4a (FPO: [0,20,0])
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!Kei386EoiHelper+0x186
f1e9c628 e1131ac4 fa6046c8 fa15f3e0 f9de0310 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c648 e112d742 f9de0310 f9de03c8 00000180 nt!SeCreateAccessState+0x27 (FPO: [Non-Fpo])
f1e9c680 e112c65d 00000000 00000000 b57f0000 nt!ObOpenObjectByName+0x8f (FPO: [Non-Fpo])
f1e9c6fc e1131d22 f1e9c7fc 00000180 f1e9c7b8 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f1e9c758 f4df068a f1e9c7fc 00000180 f1e9c7b8 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f1e9c7a4 f4defe67 80005510 00540052 e9fa0920 savrt+0x4668a
00000000 00000000 00000000 00000000 00000000 savrt+0x45e67

Display information about an I/O request packet

1: kd> !irp fa0cc490
Irp is active with 10 stacks 12 is current (= 0xfa0cc68c)
No Mdl: No System Buffer: Thread fa6046c8:  Irp is completed. 
     cmd  flg cl Device   File     Completion-Context
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

            Args: 00000000 00000000 00000000 00000000
[  0, 0]   0  0 00000000 00000000 00000000-00000000   

            Args: 00000000 00000000 00000000 00000000
[ 12, 0]   0  0 fd1a8020 00000000 00000000-00000000   
            Args: 00000000 00000000 00000000 00000000
[ 12, 0]   0  0 fd101cd8 00000000 00000000-00000000   
          *** ERROR: Symbol file could not be found.  Defaulted to export symbols for SYMEVENT.SYS –
            Args: 00000000 00000000 00000000 00000000

Investigate what data structures are consuming the various memory pools

!poolused 2 – sorted by Non-paged pool, summary
!poolused 3 – sorted by Non-Paged pool, details*
!poolused 4 – sorted by Paged pool, summary
!poolused 5 – sorted by Paged pool, details*

!running -ti
This will dump the stacks of each thread that is running on each processor

1: kd> !running -ti

System Processors 3 (affinity mask)
  Idle Processors 1

     Prcb      Current   Next   
  0  ffdff120  8089d8c0            …………….

ChildEBP RetAddr 
f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc
WARNING: Process directory table base EFFC7BE0 doesn’t match CR3 EFFC7020
WARNING: Process directory table base EFFC7BE0 doesn’t match CR3 EFFC7020

  1  f7727120  8c034bd0            …………….

  *** Stack trace for last set context – .thread/.cxr resets it
ChildEBP RetAddr 
f45f0c70 bf8bb568 win32k!CanForceForeground+0x42
f45f0ca4 bf8bab6a win32k!CheckAllowForeground+0x79
f45f0cb4 bf8b7f41 win32k!xxxInitProcessInfo+0x54
f45f0cdc bf8b8032 win32k!xxxUserProcessCallout+0x23
f45f0cf8 809456dd win32k!W32pProcessCallout+0x43
f45f0d54 8088948e nt!PsConvertToGuiThread+0x13d
f45f0d58 00000000 nt!KiBBTUnexpectedRange+0xc

This is a great utility to check what threads are waiting on for each process.  Find out more in the debuggers chm.

1: kd> !stacks 2
Proc.Thread  .Thread  Ticks   ThreadState Blocker
Max cache size is       : 1048576 bytes (0x400 KB)
Total memory in cache   : 0 bytes (0 KB)
Number of regions cached: 0
0 full reads broken into 0 partial reads
    counts: 0 cached/0 uncached, 0.00% cached
    bytes : 0 cached/0 uncached, 0.00% cached
** Prototype PTEs are implicitly decoded
                            [fffffa8000c77950 System]
   4.000008  fffffa8000c774c0 ffffe94b GATEWAIT   nt!KiSwapContext+0x7f
   4.000010  fffffa8000ca0720 ffffff8c Blocked    nt!KiSwapContext+0x7f
   4.000014  fffffa8000c78bb0 fffffcb0 Blocked    nt!KiSwapContext+0x7f

It will display a list of all kernel mode locks that are being held by threads. Each lock is displayed with the mode the lock was taken out with (shared or exclusive). The owning thread(s) will be listed with an asterisk next to the thread id. If any waiters are queued up for the lock, it will list these too.

1: kd> !locks
KD: Scanning for held locks….

Resource @ nt!CmpRegistryLock (0xe10ad4c0)    Shared 2 owning threads
    Contention Count = 87
     Threads: fc783020-01 feee9db0-01
KD: Scanning for held locks…

Resource @ 0xfeeed078    Shared 4 owning threads
     Threads: fad42330-01 fad33020-01 fad33db0-01 fad42b40-01
KD: Scanning for held locks…………………………………

Resource @ 0xfc6df828    Shared 1 owning threads
     Threads: fa6046c8-01
KD: Scanning for held locks..

Resource @ 0xfc7e91c8    Shared 1 owning threads
     Threads: fa6046c8-01
KD: Scanning for held locks.

Resource @ savrt (0xf4daf040)    Shared 1 owning threads
    Contention Count = 1
     Threads: fa6046c8-01
KD: Scanning for held locks…………………….

Resource @ 0xfa6c1380    Shared 1 owning threads
    Contention Count = 71388
     Threads: f9ed1918-01
KD: Scanning for held locks…………………………

Resource @ 0xfaab7840    Shared 1 owning threads
     Threads: feee9db3-01 *** Actual Thread feee9db0
KD: Scanning for held locks………………..
11756 total locks, 7 locks currently held

command which displays all the various spinlocks. All processors are displayed across the top and codes appear next to the corresponding spinlock if owned or not, waiting or corrupt.

1: kd> !qlocks
Key: O = Owner, 1-n = Wait order, blank = not owned/waiting, C = Corrupt

                       Processor Number
    Lock Name         0  1  2  3

KE   – Dispatcher              
MM   – Expansion               
MM   – PFN                     
MM   – System Space            
CC   – Vacb                    
CC   – Master                  
EX   – NonPagedPool            
IO   – Cancel                  
EX   – WorkQueue               
IO   – Vpb                     
IO   – Database                
IO   – Completion              
NTFS – Struct                  
AFD  – WorkQueue               
CC   – Bcb                     
MM   – NonPagedPool            

Command will show you some useful info from the processor control block.  Like the current thread, next, DPQ queues (Can run !dpcs).

1: kd> !pcr
KPCR for Processor 1 at f7727000:
    Major 1 Minor 1
    NtTib.ExceptionList: f4ac3d44
        NtTib.StackBase: 00000000
       NtTib.StackLimit: 00000000
     NtTib.SubSystemTib: f7727fe0
          NtTib.Version: 00336d13
      NtTib.UserPointer: 00000002
          NtTib.SelfTib: 7ffde000

                SelfPcr: f7727000
                   Prcb: f7727120
                   Irql: 0000001f
                    IRR: 00000000
                    IDR: ffffffff
          InterruptMode: 00000000
                    IDT: f772d800
                    GDT: f772d400
                    TSS: f7727fe0

          CurrentThread: 8c034bd0
             NextThread: 00000000
             IdleThread: f772a090


lm t n
Displaying the list of installed drivers reveals our obsolete culprit

1: kd> lm t n
start             end                module name
dd800000    dd9d0000     win32k   win32k.sys   Wed Mar 19 17:01:40 2008 (47E0F99C)
dd9d0000    dd9e7000     dxg      dxg.sys      Sat Feb 17 11:44:39 2007 (45D69D4F)
dd9e7000    dda3e100     ati2drad ati2drad.dll Mon Mar 22 21:53:41 2004 (405F130D)
dda3f000    dda5d000     RDPDD    RDPDD.dll    Sat Feb 17 19:31:19 2007 (45D70AAF)
e1000000  e127a000     nt       ntkrnlmp.exe Mon Mar 05 18:32:02 2007 (45EC14CA)
e127a000   e12a6000     hal      halmacpi.dll Sat Feb 17 11:18:26 2007 (45D6972A)
f1ca4000   f1cb81e0      naveng   naveng.sys   Fri Aug 15 09:30:26 2008 (48A4FF5A)
f1cb9000   f1d8ca20      navex15  navex15.sys  Fri Aug 15 08:40:42 2008 (48A4F3B2)
f31a0000  f31cb000      RDPWD    RDPWD.SYS    Sat Feb 17 11:14:38 2007 (45D69646)
f38b4000  f38bf000     TDTCP    TDTCP.SYS    Sat Feb 17 11:14:32 2007 (45D69640)
f3904000  f3912000     HIDCLASS HIDCLASS.SYS Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d14000   f3d1d000     hidusb   hidusb.sys   Tue Mar 25 12:40:17 2003 (3E8000D9)
f3d74000   f3d9e000     Fastfat  Fastfat.SYS  Sat Feb 17 11:57:55 2007 (45D6A06B)
f4046000   f40a3000     srv      srv.sys      Sat Feb 17 11:57:20 2007 (45D6A048)
f466b000   f4683000     clusnet  clusnet.sys  Sat Feb 17 11:32:57 2007 (45D69A91)
f48b3000   f48c8000     Cdfs     Cdfs.SYS     Sat Feb 17 11:57:08 2007 (45D6A03C)

When I want to find out ifno about a particular driver in the dump, i use “lm n t” to get all of them, but then !lmi to drill into one.

1: kd> !lmi win32k.sys
Loaded Module Info: [win32k.sys]
         Module: win32k
   Base Address: bf800000
     Image Name: win32k.sys
   Machine Type: 332 (I386)
     Time Stamp: 47e0f99c Wed Mar 19 17:01:40 2008
           Size: 1d0000
       CheckSum: 1cd134
Characteristics: 10e  perf
Debug Data Dirs: Type  Size     VA  Pointer
             CODEVIEW    23, 1935ac,  1929ac RSDS – GUID: {09B6D936-14C4-4CA1-90CF-A00888CD89A8}
               Age: 2, Pdb: win32k.pdb
                CLSID     4, 1935a8,  1929a8 [Data not mapped]
     Image Type: MEMORY   – Image read successfully from loaded memory.
    Symbol Type: PDB      – Symbols loaded successfully from symbol server.
    Load Report: public symbols , not source indexed

Donโ€™t forget to leave your comments ๐Ÿ™‚