Posts

Showing posts from April, 2018

The MoveFileEx API renames or deletes a file and lets the caller specify that the operation take place the next time the system boots

The MoveFileEx API renames or deletes a file and lets the caller specify that the operation take place the next time the system boots. PendMoves v1.02 and MoveFile v1.01

Using UMDH to Find a User-Mode Memory Leak

The user-mode dump heap (UMDH) utility works with the operating system to analyze Windows heap allocations for a specific process. UMDH locates which routine in a specific process is leaking memory. UMDH is included in Debugging Tools for Windows. For full details, see UMDH.

Preparing to Use UMDH

If you have not already determined which process is leaking memory, do that first. For details, see Using Performance Monitor to Find User-Mode Memory Leaks.

The most important data in the UMDH logs are the stack traces of the heap allocations. To determine whether a process is leaking heap memory, analyze these stack traces. Before using UMDH to display the stack trace data, you must use GFlags to configure your system properly. GFlags is included in Debugging Tools for Windows.

The following GFlags settings enable UMDH stack traces: In the GFlags graphical interface, choose the Image File tab, type the process name (including the file name extension), press the TAB key

Using Performance Monitor to Find a User-Mode Memory Leak

If you suspect there is a user-mode memory leak but are not sure which process is causing it, you can use Performance Monitor to measure the memory usage of individual processes.

1. Launch Performance Monitor.
2. Add the following counters:
   Process --> Private Bytes (for each process you want to examine)
   Process --> Virtual Bytes (for each process you wish to examine)
3. Change the update time to 600 seconds to capture a graph of the leak over time. You might also want to log the data to a file for later examination.

The Private Bytes counter indicates the total amount of memory that a process has allocated, not including memory shared with other processes. The Virtual Bytes counter indicates the current size of the virtual address space that the process is using. Some memory leaks appear in the data file as an increase in private bytes allocated. Other memory leaks show up as an increase in the virtual address space. After you have determined which process is le

WSUS WUAUServ service in its own svchost.exe process

Running the WUAUServ service in its own svchost.exe process:
net stop wuauserv
sc config wuauserv type= own
net start wuauserv

WSUS RESET CMD

REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientId /f
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v SusClientIdValidation /f
net stop wuauserv
move %windir%\windowsupdate.log %windir%\windowsupdate.old.log
move %windir%\SoftwareDistribution %windir%\SoftwareDistributionold
regsvr32 /s atl.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuapi.dll
regsvr32 /s msxml3.dll
regsvr32 /s mssip32.dll
regsvr32 /s initpki.dll
regsvr32 /s softpub.dll
net start wuauserv
wuauclt /resetauthorization /detectnow

WSUS uninstall the specified patches in server

Script starts here: enter the KB number in place of ------ and run the CMD below. Use either /norestart or /promptrestart, not both, since they are mutually exclusive restart options.
wusa.exe /uninstall /kb:------ /quiet /norestart

WSUS REGISTRY KEY DETAILS

WSUS REGISTRY: registry keys for configuring Automatic Updates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\Internet Communication Management\Internet Communication
REF: https://msdn.microsoft.com/en-us/library/dd939844(v=ws.10).aspx

WSUS MSI Installer and Failed to connect to server Event

WSUS MSI Installer and "Failed to connect to server" event:
net stop msiserver
msiexec /unreg
msiexec /regserver
net start msiserver

WSUS simple reset cmd

WSUS simple reset cmd:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
ren C:\Windows\System32\catroot2 catroot2.old
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
pause

Windows Server useful log paths for troubleshooting

Windows Server useful log paths for troubleshooting:
C:\Windows\WindowsUpdate.log
C:\Windows\Logs\DPX\setupact.log
C:\Windows\Logs\DPX\setuperr.log
C:\windows\setupact.log
C:\windows\setuperr.log
C:\windows\inf\setupapi.dev.log
C:\Windows\Logs\CBS\CBS.log

WSUS GET REMOTE SYSTEM INSTALLED PATCHES

GET REMOTE SYSTEM INSTALLED PATCHES

<# SCRIPT STARTS HERE #>
# Reads one computer name per line from computers.txt next to the script and
# exports the hotfix list of each host to c:\<server>.csv.
Function exportqfe {
    BEGIN {}
    PROCESS {
        $server = "$_"
        if ($_ -ne "") {
            Write-Host "Exporting installed hotfix details of $server, writing output to c:\$server.csv"
            $QFE = Get-HotFix -ComputerName $server |
                Select-Object -Property Description,HotFixID,InstalledBy,InstalledOn |
                Export-Csv c:\$server.csv
        }
    }
    END {}
}
cls
$ScriptPath = Split-Path $MyInvocation.MyCommand.Path
$LogFile = $ScriptPath + "\Audit"
Get-Content "$ScriptPath\computers.txt" | exportqfe

-------------------------------------------------------------------------------------------

<# SCRIPT STARTS HERE #>
# Prints a formatted hotfix table per host; a host that cannot be reached is
# reported as a warning and the loop continues with the next one.
function Hotfixreport {
    $computers = Get-Content C:\computers.txt
    $ErrorActionPreference = 'Stop'
    ForEach ($computer in $computers) {
        try {
            Get-HotFix -cn $computer |
                Select-Object PSComputerName,HotFixID,Description,InstalledBy,InstalledOn |
                FT -AutoSize
        }
        catch {
            Write-Warning "Could not query $computer : $_"
        }
    }
}

Install all *.exe in folder

Install all update packages (*.msu) in the mentioned folder:

<# We need to run this Set-ExecutionPolicy before running the script #>
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

---

<# Script starts here; save it as "any-name.ps1", move it to the mentioned folder and double-click it #>
# Installs every .msu file in the script's folder silently, without rebooting.
$dir = (Get-Item -Path ".\" -Verbose).FullName
Foreach ($item in (ls $dir *.msu -Name)) {
    echo $item
    $item = $dir + "\" + $item
    wusa $item /quiet /norestart | Out-Null
}

Powershell to remove / upgrade the CMD mode to GUI mode

Powershell to remove / upgrade the CMD mode to GUI mode:

switch ($id) {
    "1" { Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell }
    "2" { Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell }
    "3" {
        Import-Module Dism
        Enable-WindowsOptionalFeature -Online -FeatureName ServerCore-FullServer,Server-Gui-Shell,Server-Gui-Mgmt
    }
}

OR: GUI On with PowerShell

The first thing we need to do is get into PowerShell, so type PowerShell and hit Enter. Now we need to use Add-WindowsFeature to add the components back:
Add-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
Again, this is just an alias for:
Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
When it's done, we will need to restart our server by using the Shutdown command:
Shutdown

The system file cache consumes most of the physical RAM

The system file cache consumes most of the physical RAM:
https://support.microsoft.com/en-us/help/976618/you-experience-performance-issues-in-applications-and-services-when-th
https://blogs.msdn.microsoft.com/ntdebugging/2009/02/06/microsoft-windows-dynamic-cache-service/
https://blogs.msdn.microsoft.com/ntdebugging/2007/11/27/too-much-cache/
https://blogs.technet.microsoft.com/askperf/2008/01/11/getting-started-with-svchost-exe-troubleshooting/

Two Minute Drill: Using PROCDUMP

Two Minute Drill: Using PROCDUMP

Parameter Information
-64   If you are running ProcDump on an x64 system, then by default ProcDump captures a 32-bit dump of a 32-bit process. The -64 switch overrides this and creates a 64-bit dump.
-c    Defines the CPU threshold for the process.
-e    Writes a dump when the process encounters an unhandled exception.
-h    Writes a dump if the process has a hung window.
-ma   Writes a dump file with all process memory. The default includes thread and handle information.
-n    Number of dumps to create. Those of you that have worked with us in the past may have used ADPlus to capture a series of process dumps for high CPU issues; it's the same concept.
-o    Overwrite an existing dump file.
-r    Reflect (clone) the process (Windows 7 and higher only); this helps to minimize the time required to suspend the process while the dump is written.
-s    Number of consecutive seconds that the process has to be over the CPU threshold before the dump is written. This helps

AD Restricting Active Directory RPC traffic to a specific port

Restricting Active Directory RPC traffic to a specific port

Member servers do have the Netlogon RPC interface, but it is rarely used. Some examples would maybe be remote configuration retrieval such as "nltest /server:member.contoso.com /sc_query:contoso.com".

Registry key 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Registry value: TCP/IP Port
Value type: REG_DWORD
Value data: (available port)
You need to restart the computer for the new setting to become effective.

Registry key 2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DCTcpipPort
Value type: REG_DWORD
Value data: (available port)
You need to restart the Netlogon service for the new setting to become effective.

Note: When you use the DCTcpipPort registry entry, and you set it to the same port as the "TCP/IP Port" registry entry, you receive Netlogon error event 5809 under NTDS\Parameters. This indicates that the port

SERVICE_STATUS_PROCESS structure

SERVICE_STATUS_PROCESS structure: dwServiceType is the type of service. This member can be one of the following values.

Value                        Meaning
SERVICE_FILE_SYSTEM_DRIVER   0x00000002   The service is a file system driver.
SERVICE_KERNEL_DRIVER        0x00000001   The service is a device driver.
SERVICE_WIN32_OWN_PROCESS    0x00000010   The service runs in its own process.
SERVICE_WIN32_SHARE_PROCESS  0x00000020   The service shares a process with other services.

Ref: https://msdn.microsoft.com/en-us/library/ms685992.aspx

What Port is that Service using

What Port is that Service using

netstat.exe -a -n -o
-a: listing of all connections and listening ports
-n: display addresses and port numbers in numerical form
-o: display the owning PID associated with each connection

Then find the PID value using tasklist.exe. Example to find the services hosted by an svchost.exe PID:
tasklist /svc /FI "PID eq 4784"
tasklist /SVC /FI "IMAGENAME eq svchost.exe"

In PowerShell, map a listening port straight to its process:
Get-Process -Id (Get-NetTCPConnection -LocalPort 443).OwningProcess

We can view the same in Resource Monitor (resmon.exe). Or open Task Manager, go to "View" and "Select Columns", and put a tick mark on "PID (Process identifier)".