Blog

VMware PowerCLI is a set of Windows PowerShell snapins that provide access to the VMware infrastructure just like the vSphere client.  It has 165 commandlets.  This will connect directly to hosts just like the vSphere client will, so it can be used to manage smaller installations.  While very powerful scripts can be used for doing just about anything, here are some simple examples:

  • copying ISOs to and from the datastore
  • powering on or off machines
  • rebooting machines
  • seeing how much space a machine is taking up

There are many scripts already written and available on the net, so search around before going to very much trouble to write your own.

You can download PowerCLI from http://communities.vmware.com/community/vmtn/vsphere/automationtools/powercli.  This page has several links, including a link to a getting started guide.


 

A network support customer with DSL had lost Internet access over the weekend.  They tried rebooting the DSL modem and Linksys WRT54G router to no avail.  When I got onsite, I connected to the router’s wireless as well as Ethernet port with my laptop and confirmed that there was no Internet access.  I connected to the web management interface of the router which had a complex password, so the customer likely had not gone in and changed anything. 

I could see that the router had successfully obtained a public IP address, gateway, and DNS servers from the ISP.  There was an internal ping utility built into the router, and I was able to use it to successfully ping the DNS servers and gateway IP addresses.  When I tried from the connected PC, I could ping the router’s public interface, but not the gateway of the router or the DNS servers. 

I looked through the settings to see if I could find any reason that traffic was dying going through the router and could not find anything.  I then backed up the configuration of the router to my laptop and did a factory reset.  After the router came back up, I was able to access the Internet through the router and ping everything.

I uploaded the configuration file back onto the router and it broke the connection again.  I decided at this point to factory reset again and manually set the password and SSID on the unit back to the previous settings.  It is my guess at this time that the configuration on the router had become corrupted.


 

A few weeks ago, I was asked to set up scheduled reports for PGP Endpoint. These weekly reports would include information such as devices blocked or allowed and would be emailed to a small subset of administrators. After setting up the report and using my email address as a test, I waited for it to send. It didn’t send. I changed the report to save to a file to troubleshoot and it wouldn’t do that either. Time to call PGP.

The engineer assigned to my case didn’t have much experience with PGP Endpoint and, as such, took a bit longer to research and get back to me than was normal. After sending him the debug logs, he got back to me saying that the license key was invalid and to double check that I had a license installed.

Yup! From the main screen of the management console, there it is…

Fast forward to a week and a half later, and I get another email from my engineer. “Make sure that there are no characters in the report template name that cannot be in a Windows File Path.” Wait, what?

Sure enough, my template names included a “/” in the template name. Take that out, and everything works fine. It turns out that this scheduler generates the report, using the template name as the file name, and saves it in a temporary location until it can attach the file to an email and send it off. What was happening is the scheduler would save the file in a location that doesn’t exist (because of the “/”), turn around and try and attach the file (that doesn’t exist) to an email and fail, and then try and send off an email (that doesn’t exist because the previous process failed). And then report that the license file was invalid.

To add another layer of humor to this problem, take a look at this list of templates. The ones with red arrows have NOT been modified since the initial installation of PGP Endpoint. Notice anything peculiar about the names?
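The failure described in this post comes from using a display name as a file name without checking it first. A check of that kind, as an added example (not PGP Endpoint's code; the function names and the sample template name in the usage note are hypothetical):

```javascript
// Added example: report why a name cannot be used as-is as a Windows file name.
var RESERVED_CHARS = /[<>:"\/\\|?*]/g;   // characters Windows rejects in file names
var CONTROL_CHARS = /[\u0000-\u001f]/g;  // ASCII control characters
var DEVICE_NAMES = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i;

function unique(value, index, all) { return all.indexOf(value) === index; }

function fileNameProblems(name) {
  var problems = [];
  var bad = name.match(RESERVED_CHARS);
  if (name === "") problems.push("empty name");
  if (bad) problems.push("reserved character(s): " + bad.filter(unique).join(" "));
  if (name.match(CONTROL_CHARS)) problems.push("control character");
  if (DEVICE_NAMES.test(name)) problems.push("reserved device name");
  if (/[ .]$/.test(name)) problems.push("trailing space or period");
  return problems;
}

// Derive a usable file name up front instead of failing later in the pipeline.
function toSafeFileName(name) {
  var safe = name.replace(RESERVED_CHARS, "_")
                 .replace(CONTROL_CHARS, "_")
                 .replace(/[ .]+$/, "");
  if (safe === "" || DEVICE_NAMES.test(safe)) safe = "_" + safe;
  return safe;
}
```

For a constructed template name such as "Devices Allowed/Blocked - Weekly", `fileNameProblems` reports the "/" and `toSafeFileName` returns "Devices Allowed_Blocked - Weekly".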


 

When people have cables with combination locks for securing their laptops at their workstation, they always remember to turn the tumblers when they secure the laptop. But what happens when they unsecure the laptop? Many people won't turn the tumblers on the opened lock because it is much easier to lock the laptop later if the combination is already set.

In one instance, laptops were stolen by someone who came by when the laptops were not there and noted the combination. They came back later when the laptops were there and used the combination they had noted earlier.


 

After installing the 2482017 and/or 2467023 Microsoft patches you will be unable to connect from the VMware View Connection Server if your View Client has a build number lower than 353760.  Connection attempts to the VMware View Connection Server will fail.  To fix this problem you can either uninstall the Microsoft patches or upgrade your View Client to a newer version.

Click here to download the VMware View Client patch.

Click here to read the VMware knowledge base article concerning this issue.


 

A local computer consulting client started getting this error every time she tried to close Word or Excel:

The instruction at “0x01003ce4” referenced memory at “0x00000018”.  The memory could not be “read”.  Click on OK to terminate.  Click Cancel to debug the program.

I did a quick search and only saw errors about Office Live Sign in and thought that couldn't be it.  I went on site to remove and reinstall Office.  I first reproduced the error and saw that the message box had "OfficeLiveSignIn.exe - Application Error." in the heading.  The user was using the Office Live messenger instant messaging client.  It had installed an addon to Word and Excel.  Disabling this addon fixed the problem.


 

Log Parser 2.2 is a free command line tool available from Microsoft.  It provides universal query access to text-based data such as log files, XML files, and CSV files.  It also can query Windows system data sources such as the Event Log, the Registry, the file system, Active Directory, and NetMon captures.  You can pick the information you want returned in the results and those results can be sent to a text file, SQL Server, or SYSLOG.  This tool basically reads your log files and lets you query them as if they were in a SQL Server database.  It is also lightweight at only a 1.4 MB download.

The possible uses for the Log Parser are endless, but I use it specifically for querying IIS logs when troubleshooting problems.  For example, using this tool makes it easy to find all the requests made by a specific signed in user.  Since this application is run at the command line it can take a little time to get your query right, but after you get it working you can add the commands to a .bat file for future reference or scheduled tasks.  Here are some examples:

Search IIS Logs for User Requests
Here is an example batch file that when run searches a directory of IIS log files for all requests made by users signed in with a username ending in “@example.com” and saves the results to a text file:
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "select logrow, date, time, c-ip, cs-username, cs-method, cs-uri-stem, cs-uri-query from '<your log directory path>\*.*' where cs-username like '%%@example.com%%' order by date, time, logrow" -i:IISW3C -rtp:-1 > c:\temp\example-requests.txt

Search IIS Logs for Most Downloaded Files
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT TOP 10 cs-uri-stem, count(*) as Downloads FROM '<your log directory path>\*.*' GROUP BY cs-uri-stem ORDER BY Downloads DESC" -i:IISW3C > c:\temp\most-downloaded.txt

Find 10 Largest Files in a Directory or Subdirectory
cd "C:\Program Files\Log Parser 2.2\"
logparser.exe "SELECT TOP 10 Path, Name, Size, Attributes FROM 'C:\Program Files\*.*' ORDER BY Size DESC" -i:FS -Recurse:-1 > c:\temp\10-largest-program-files.txt

Get Number of Outbound Emails from Exchange
logparser.exe "SELECT connector-id, client-hostname, COUNT(*) AS Total INTO c:\temp\outbound-email-totals.csv FROM '<log file directory>\MSG*.log,<another log file directory>\MSG*.log' WHERE connector-id LIKE '%outbound' OR connector-id LIKE '%to Internet' GROUP BY client-hostname,connector-id WITH Rollup"  -i:CSV -nSkipLines:4 -o:csv

This is a very flexible tool.  There are tons of parameters that control how the application functions and the number of different queries you could write is only limited by your imagination.  I’ve found the best way to get started using it is to look at examples and there is a “Samples” folder included in the install directory that is helpful.
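To show what the "Search IIS Logs for User Requests" query is doing to the log text, here is an added example (not Log Parser's code and not from the original post) that parses W3C extended log lines and selects requests by users whose name ends in a given suffix. The function names and the sample log are constructed for illustration; matching is done case-insensitively here by choice.

```javascript
// Added example: read IIS W3C extended log text and select one domain's users.
function parseW3C(text) {
  var fields = [], rows = [];
  text.split(/\r?\n/).forEach(function (line, index) {
    if (line.indexOf("#Fields:") === 0) {
      // The column layout can change mid-file; always use the latest directive.
      fields = line.substring("#Fields:".length).trim().split(/\s+/);
    } else if (line !== "" && line.charAt(0) !== "#") {
      var values = line.split(" ");
      if (values.length !== fields.length) return; // truncated or damaged row
      var row = { logrow: index + 1 };
      fields.forEach(function (name, n) {
        row[name] = values[n] === "-" ? null : values[n]; // "-" means empty
      });
      rows.push(row);
    }
  });
  return rows;
}

// Requests by signed-in users whose name ends in `suffix`, in date/time order.
function requestsByUserSuffix(rows, suffix) {
  suffix = suffix.toLowerCase();
  return rows.filter(function (r) {
    var user = r["cs-username"];
    return typeof user === "string" && user.toLowerCase().endsWith(suffix);
  }).sort(function (a, b) {
    var ka = a.date + " " + a.time, kb = b.date + " " + b.time;
    return ka < kb ? -1 : ka > kb ? 1 : a.logrow - b.logrow;
  });
}

// Constructed sample: two log files concatenated, the second with a different
// column order (documentation-range IP addresses).
var sampleLog = [
  "#Software: Microsoft Internet Information Services 7.5",
  "#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status",
  "2011-01-10 09:15:00 192.0.2.10 alice@example.com POST /admin/users.aspx id=7 302",
  "2011-01-10 09:16:00 192.0.2.11 - GET /default.aspx - 200",
  "#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status",
  "2011-01-10 08:00:01 GET /reports/q4.pdf - alice@example.com 192.0.2.10 200",
  "2011-01-10 08:02:00 GET /default.aspx - bob@example.org 192.0.2.12 200"
].join("\r\n");

var hits = requestsByUserSuffix(parseW3C(sampleLog), "@example.com");
```

A parser that reads `#Fields:` only once would put the method in the `c-ip` column for the second half of this sample, which is why the directive is re-read every time it appears.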

Related Links
Home Page (http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1976)
Log Parser 2.2 Documentation (http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1976)
Download (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en)
TechNet Article (http://technet.microsoft.com/en-us/library/ee692937.aspx)
Other examples of IIS log queries (http://blogs.iis.net/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx)
Log Parser Forums (http://forums.iis.net/default.aspx?GroupID=51)
Graphing Ping Results (http://www.adopenstatic.com/cs/blogs/ken/archive/2005/05/30/22.aspx)
Query Windows Event Log (http://oreilly.com/pub/a/windows/2005/07/12/logparser.html)


 

After listening to a security podcast about Flash security, I decided to change some of my settings. You can do this by going to the Adobe Flash Player Settings Manager web page and clicking on the tabs to disable features.  One of the settings I disabled was "Allow third-party Flash content to store data on your computer".

Adobe Flash Player Settings Manager

One thing I noticed after I disabled the "Allow third-party Flash content to store data on your computer." option was videos at some sites like CNET stopped working. This was happening regardless of which browser I tried, so I suspected a problem with Flash.  But other Flash content worked like YouTube.  Eventually, I remembered changing the Flash settings and re-enabled the third-party Flash content to fix the problem.


 

One of our Lubbock IT support clients uses both the PS and PCL6 versions of the Xerox Global Print Driver (GPD) in a Windows 2008-x86 clustered print server environment.

To fix an issue that we were having with v5.173 of the GPD, Xerox suggested we upgrade to the current 5.185 version of the driver.

I successfully upgraded the PS language of the v5.185 driver on both print servers without any problems.

The problem appeared after I upgraded the PCL6 driver. I downloaded and installed the PCL6 driver to both print servers. Both servers showed that the update was installed successfully; however, the version of the driver within print management still showed to be v5.173. When I pulled up the printer that was using the driver, the version showed to be the updated version (5.185). When print jobs were sent to printers using the updated PCL6 version of this driver, the print spooler would crash and fail over. This occurred on both print servers.

I was unable to uninstall the driver at this time, because over 40 printers were pointed to this driver. I then modified each printer to use the PS version of the driver. After doing so, I then removed the driver package from the print server through print management. I successfully removed the driver and the package from one print server. On the second print server, I received the following error upon removal: “Failed to remove driver package x2univx.inf. Driver package in use.” The driver itself was no longer listed in the print management window.

I then reinstalled v5.185 of the global print driver on both servers. Printing was successful on the print server on which the driver was removed successfully. However, the print spooler continued to crash on the server which had the error on driver removal. I attempted to remove the driver again, but received the same error. Restarting the print spooler as well as the server after an install but before the removal did not alleviate the issue. At this point, I called Xerox. Unfamiliar with the issue, they suggested I remove some files manually from the print virtual quorum. I completed this process, but the error still occurred upon driver removal.

Finally, I reinstalled v5.173 of the global print driver. After a successful installation, I then attempted to remove the driver.  The driver package was removed successfully and I installed the new version of the driver (v5.185). I modified some of the printers to use this new driver and printing was successful.


 

After the December 2010 Internet Explorer 8 updates I was seeing some strange behavior for a couple sites including gotomeeting.com.  Users could get to the first page, but if they clicked on any of the links they would get a page cannot be displayed error.  It appeared like the user could browse to the first page via the proxy, but all subsequent pages were being sent direct. 

It turns out the IE8 updates changed the behavior of the WPAD script that we were using and we had to edit the following line:
proxy = "PROXY proxy.company.com:8080; DIRECT";

We had to change it to look like:
proxy = "PROXY proxy.company.com:8080";

After making this change the sites in question began to work.
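The two `proxy` values above differ in whether a client is ever allowed to bypass the proxy. The added example below (not the original WPAD script) wraps each value in a small PAC function and checks which hosts can receive a DIRECT path. The intranet rule for `.company.com`, the helper stand-ins and the sample host list are assumptions made so the script runs outside a browser.

```javascript
// Added example. Browsers provide the PAC helper functions; these stand-ins
// exist only so the script can be exercised outside a browser (e.g. Node.js).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Build a FindProxyForURL around one of the two `proxy` values from the post.
function makePac(proxy) {
  return function FindProxyForURL(url, host) {
    host = host.toLowerCase();
    // Assumption: intranet hosts are unqualified names or under .company.com.
    if (isPlainHostName(host) || dnsDomainIs(host, ".company.com")) {
      return "DIRECT";
    }
    return proxy;
  };
}

var beforeFix = makePac("PROXY proxy.company.com:8080; DIRECT");
var afterFix = makePac("PROXY proxy.company.com:8080");

// Check: list the hosts whose answer includes a DIRECT entry, meaning the
// client is allowed to reach them without passing through the proxy.
function hostsWithDirectPath(findProxy, hosts) {
  return hosts.filter(function (host) {
    var answer = findProxy("http://" + host + "/", host);
    return answer.split(";").some(function (entry) {
      return entry.trim().toUpperCase() === "DIRECT";
    });
  });
}

// Constructed sample hosts: two external, two internal.
var sampleHosts = ["www.gotomeeting.com", "example.org", "intranet", "mail.company.com"];
```

With the original value every sample host can go direct; with the corrected value only the two internal names can. The corrected value also means external sites are unreachable while the proxy is down, since there is no fallback entry.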