Blog

When people have cables with combination locks for securing their laptops at their workstation, they always remember to turn the tumblers when they secure the laptop. But what happens when they unsecure the laptop? Many people won't turn the tumblers on the opened lock because it is much easier to lock the laptop later if the combination is already set.

In one instance, laptops were stolen by someone who came by when the laptops were not there and noted the combination. They came back later when the laptops were there and used the combination they had noted earlier.


 

After installing the 2482017 and/or 2467023 Microsoft patches you will be unable to connect to the VMware View Connection Server if your View Client has a build number lower than 353760. Connection attempts to the VMware View Connection Server will fail. To fix this problem you can either uninstall the Microsoft patches or upgrade your View Client to a newer version.

Click here to download the VMware View Client patch.

Click here to read the VMware knowledge base article concerning this issue.


 

A local computer consulting client started getting this error every time she tried to close Word or Excel:

The instruction at “0x01003ce4” referenced memory at “0x00000018”.  The memory could not be “read”.  Click on OK to terminate.  Click Cancel to debug the program.

I did a quick search and only saw errors about Office Live Sign in and thought that couldn't be it.  I went on site to remove and reinstall Office.  I first reproduced the error and saw that the message box had "OfficeLiveSignIn.exe - Application Error." in the heading.  The user was using the Office Live messenger instant messaging client.  It had installed an addon to Word and Excel.  Disabling this addon fixed the problem.


 

Log Parser 2.2 is a free command line tool available from Microsoft.  It provides universal query access to text-based data such as log files, XML files, and CSV files.  It can also query Windows system data sources such as the Event Log, the Registry, the file system, Active Directory, and NetMon captures.  You can pick the information you want returned in the results, and those results can be sent to a text file, SQL Server, or SYSLOG.  This tool basically reads your log files and lets you query them as if they were in a SQL Server database.  It is also lightweight, at only a 1.4 MB download.

The possible uses for the Log Parser are endless, but I use it specifically for querying IIS logs when troubleshooting problems.  For example, using this tool makes it easy to find all the requests made by a specific signed-in user.  Since this application is run at the command line, it can take a little time to get your query right, but after you get it working you can add the commands to a .bat file for future reference or scheduled tasks.  Here are some examples:

Search IIS Logs for User Requests
Here is an example batch file that when run searches a directory of IIS log files for all requests made by users signed in with a username ending in “@example.com” and saves the results to a text file:
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "select logrow, date, time, c-ip, cs-username, cs-method, cs-uri-stem, cs-uri-query from '<your log directory path>\*.*' where cs-username like '%%@example.com%%' order by date, time, logrow" -i:IISW3C -rtp:-1 > c:\temp\example-requests.txt

Search IIS Logs for Most Downloaded Files
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT TOP 10 cs-uri-stem, count(*) as Downloads FROM '<your log directory path>\*.*' GROUP BY cs-uri-stem ORDER BY Downloads DESC" -i:IISW3C > c:\temp\most-downloaded.txt

Find 10 Largest Files in a Directory or Subdirectory
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT TOP 10 Path, Name, Size, Attributes FROM 'C:\Program Files\*.*' ORDER BY Size DESC" -i:FS -Recurse:-1 > c:\temp\10-largest-program-files.txt

Get Number of Outbound Emails from Exchange
logparser.exe "SELECT connector-id, client-hostname, COUNT(*) AS Total INTO c:\temp\outbound-email-totals.csv FROM '<log file directory>\MSG*.log,<another log file directory>\MSG*.log' WHERE connector-id LIKE '%outbound' OR connector-id LIKE '%to Internet' GROUP BY client-hostname,connector-id WITH Rollup"  -i:CSV -nSkipLines:4 -o:csv

This is a very flexible tool.  There are tons of parameters that control how the application functions and the number of different queries you could write is only limited by your imagination.  I’ve found the best way to get started using it is to look at examples and there is a “Samples” folder included in the install directory that is helpful.

Related Links
Home Page (http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1976)
Log Parser 2.2 Documentation (http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1976)
Download (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en)
TechNet Article (http://technet.microsoft.com/en-us/library/ee692937.aspx)
Other examples of IIS log queries (http://blogs.iis.net/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx)
Log Parser Forums (http://forums.iis.net/default.aspx?GroupID=51)
Graphing Ping Results (http://www.adopenstatic.com/cs/blogs/ken/archive/2005/05/30/22.aspx)
Query Windows Event Log (http://oreilly.com/pub/a/windows/2005/07/12/logparser.html)


 

After listening to a security podcast about Flash security, I decided to change some of my settings. You can do this by going to the Adobe Flash Player Settings Manager web page and clicking on the tabs to disable features.  One of the settings I disabled was "Allow third-party Flash content to store data on your computer".

Adobe Flash Player Settings Manager

One thing I noticed after I disabled the "Allow third-party Flash content to store data on your computer." option was that videos at some sites like CNET stopped working. This was happening regardless of which browser I tried, so I suspected a problem with Flash.  But other Flash content, like YouTube, worked.  Eventually, I remembered changing the Flash settings and re-enabled the third-party Flash content to fix the problem.


 

One of our Lubbock IT support clients uses both the PS and PCL6 versions of the Xerox Global Print Driver (GPD) in a Windows 2008-x86 clustered print server environment.

To fix an issue that we were having with v5.173 of the GPD, Xerox suggested we upgrade to the current 5.185 version of the driver.

I successfully upgraded the PS language of the v5.185 driver on both print servers without any problems.

The problem appeared after I upgraded the PCL6 driver. I downloaded and installed the PCL6 driver to both print servers. Both servers showed that the update was installed successfully; however, the version of the driver within print management still showed to be v5.173. When I pulled up the printer that was using the driver, the version showed to be the updated version (5.185). When print jobs were sent to printers using the updated PCL6 version of this driver, the print spooler would crash and fail over. This occurred on both print servers.

I was unable to uninstall the driver at this time, because over 40 printers were pointed to this driver. I then modified each printer to use the PS version of the driver. After doing so, I then removed the driver package from the print server through print management. I successfully removed the driver and the package from one print server. On the second print server, I received the following error upon removal: “Failed to remove driver package x2univx.inf. Driver package in use.” The driver itself was no longer listed in the print management window.

I then reinstalled v5.185 of the global print driver on both servers. Printing was successful on the print server on which the driver was removed successfully. However, the print spooler continued to crash on the server which had the error on driver removal. I attempted to remove the driver again, but received the same error. Restarting the print spooler as well as the server after an install but before the removal did not alleviate the issue. At this point, I called Xerox. Unfamiliar with the issue, they suggested I remove some files manually from the print virtual quorum. I completed this process, but the error still occurred upon driver removal.

Finally, I reinstalled v5.173 of the global print driver. After a successful installation, I then attempted to remove the driver.  The driver package was removed successfully and I installed the new version of the driver (v5.185). I modified some of the printers to use this new driver and printing was successful.


 

After the December 2010 Internet Explorer 8 updates I was seeing some strange behavior for a couple sites including gotomeeting.com.  Users could get to the first page, but if they clicked on any of the links they would get a page cannot be displayed error.  It appeared like the user could browse to the first page via the proxy, but all subsequent pages were being sent direct. 

It turns out the IE8 updates changed the behavior of the WPAD script that we were using and we had to edit the following line:
proxy = "PROXY proxy.company.com:8080; DIRECT";

We had to change it to look like:
proxy = "PROXY proxy.company.com:8080";

After making this change the sites in question began to work.
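A minimal proxy auto-config (PAC) file built around the corrected line, as an added example that is not the script from this post. The bypass rules, the internal domain `company.local`, and the helpers `fallbackChain` and `allowsDirectFallback` are assumptions for illustration; the stand-ins at the top exist only so the file also runs outside a browser.

```javascript
// Added example: minimal WPAD/PAC script using the corrected proxy line.
// Browsers supply isPlainHostName/dnsDomainIs to PAC scripts; define simple
// stand-ins only when they are missing (for example when run under Node).
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => !host.includes(".");
  globalThis.dnsDomainIs = (host, domain) =>
    host.toLowerCase().endsWith(domain.toLowerCase());
}

// Original line from the post: proxy first, then a direct connection.
var OLD_PROXY = "PROXY proxy.company.com:8080; DIRECT";
// Corrected line from the post: proxy only, no direct fallback.
var proxy = "PROXY proxy.company.com:8080";

function FindProxyForURL(url, host) {
  // Assumed bypass rules: intranet names connect directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".company.local")) {
    return "DIRECT";
  }
  // Everything else must use the proxy.
  return proxy;
}

// Hypothetical helper: a PAC result is a semicolon-separated list that the
// client tries in order; return that list.
function fallbackChain(pacResult) {
  return pacResult
    .split(";")
    .map((entry) => entry.trim())
    .filter(Boolean);
}

// Hypothetical helper: true when a proxy entry is followed by DIRECT, which
// means requests can leave without passing through the proxy.
function allowsDirectFallback(pacResult) {
  var chain = fallbackChain(pacResult);
  return chain.length > 1 && chain.slice(1).includes("DIRECT");
}
```

With the `DIRECT` fallback removed, a request the proxy cannot serve fails instead of bypassing the proxy's filtering and logging.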


 

We recently encountered a terminal server user who said they were in Outlook and accidentally hit some keyboard combination that caused it to close.  When they tried to get back into Outlook it kept giving an error message.

When I connected and tried to run Outlook, it kept displaying an error message that there was no Outlook Profile setup.  However, when I checked the profiles there were in fact several profiles listed.  I tried creating a brand new profile, but still received the error message.

I had the user log off and back on to the terminal server, checked Outlook from my account to make sure it wasn’t something server wide, and then I checked the actual outlook.exe under the Program Files directory.  I did not see anything checked for compatibility with my account, but when I checked the outlook.exe from her account, it had Compatibility Mode for Windows 95 checked.

My assumption on what happened is that Outlook crashed, came back up, and asked if it should be run in compatibility mode.  I am assuming the user said yes at this point, and it turned the option on, which caused Outlook to not work anymore.


 

I had looked at a problem with IE where the user worked frequently with data input into form fields.  The problem that they had was that it would not start giving the auto complete suggestions as they started typing. 

I checked Internet Options -> Content -> AutoComplete Settings and verified that the "Forms" option was checked.  Since it appeared that everything was enabled to do what the user wanted, I selected the "Delete AutoComplete history" option.  After clearing the history, the auto complete started working again. 

I am unsure whether or not the files containing the information for this feature were corrupt or possibly too large to continue working.


 

We had an ongoing issue with a customer’s HP server where the internal fans continually ran at full RPM. We had to move the server to a new location because the noise was too much for the employees. The HP monitoring software would shut down the server occasionally because it sensed it was overheating, but there was never any real sign or indication that there was an overheating issue. The problem typically occurred when backups were running, so we thought the tape drive was possibly causing a faulty temperature reading.

We went as far as to purchase a USB temperature logger which I placed on the server to monitor the environment for a week.  All readings came back normal. I opened a case with HP Support and their recommendation was to update the firmware and the drivers and everything else they could think of. But nothing they suggested made a difference.

I decided to take the server down and look at the internal parts for possible obstructions in air flow that would cause it to think it was overheating. While checking the second processor's heat sink, I noticed it was not seated exactly right but was clamped down. I removed the heat sink and found dust under it. That’s right... dust between the CPU and the silver paste. As you can tell from the picture below, the silver paste had never contacted the CPU, except on one corner. I grabbed some canned air, blew the dust off, and reseated the heat sink.  I closed up the server and started it up. Since that time the server has run super quiet with no thermal issues to this day. However, HP did have to replace an internal fan that failed from running so long at high RPM.