Thursday, December 9, 2010

Powershell Script to Swap Two Active Directory Attributes


Background

It is simple to access AD with PowerShell and manipulate attributes and LDAP entries, much as in VB.Net or C#. This PowerShell script swaps two attributes (here, first name and last name) on every object in and below a container in Active Directory, using a subtree search (I picked an organizational unit in this case). It should be easy to adapt for other purposes (changing a value for all users, computers, groups, etc.).

The Script (SwapADAttrs.ps1)

# Developed by Mike Burr
# Swap attributes on Active Directory objects
# 12/9/2010
# This application is provided AS IS with no warranties.

# The searcher needs three things:
#  - Base distinguished name (search root) for the LDAP search
#  - Scope: Base, OneLevel, or Subtree
#  - Filter for the objects that should be returned by the search
$Searcher = New-Object System.DirectoryServices.DirectorySearcher

$Filter = "(ObjectCategory=Person)"
$BaseDN = "LDAP://OU=ToSwap,DC=mikesdevblog,DC=local"
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($BaseDN)
$Searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$Searcher.Filter = $Filter

# Get all of the objects that match
$Result = $Searcher.FindAll()

# Properties to swap
$Property1 = "givenName"
$Property2 = "sn"

# Swap the attribute values for all of the objects and write each one back
foreach ($Object in $Result) {
    $DirectoryEntry = $Object.GetDirectoryEntry()
    $Temp = $DirectoryEntry.Properties[$Property1].Value
    $DirectoryEntry.Properties[$Property1].Value = $DirectoryEntry.Properties[$Property2].Value
    $DirectoryEntry.Properties[$Property2].Value = $Temp
    $DirectoryEntry.CommitChanges()
}

# SearchResultCollection holds unmanaged resources; release them when done
$Result.Dispose()

Output from LDP Before and After the Swap

-----------
***Searching... ldap_search_s(ld, "OU=ToSwap,DC=mikesdevblog,DC=local", 2, "(objectCategory=Person)", attrList,  0, &msg)
Getting 2 entries:
Dn: CN=First1 Last1,OU=ToSwap,DC=mikesdevblog,DC=local
    givenName: First1;
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mikesdevblog,DC=local;
    sn: Last1;

Dn: CN=First2 Last2,OU=ToSwap,DC=mikesdevblog,DC=local
    givenName: First2; 
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mikesdevblog,DC=local;  
    sn: Last2;   

----------- 
***Searching... ldap_search_s(ld, "OU=ToSwap,DC=mikesdevblog,DC=local", 2, "(objectCategory=Person)", attrList,  0, &msg) 
Getting 2 entries: 
Dn: CN=First1 Last1,OU=ToSwap,DC=mikesdevblog,DC=local 
    givenName: Last1; 
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mikesdevblog,DC=local;  
    sn: First1;   

Dn: CN=First2 Last2,OU=ToSwap,DC=mikesdevblog,DC=local
    givenName: Last2; 
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mikesdevblog,DC=local;  
    sn: First2;   
-----------  
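A bulk edit like this is much easier to audit and to undo if it is rehearsed first and logged. Added example (not part of the original post): the same swap with a dry run as the default, a skip for objects where either attribute is empty (the swap would otherwise clear the other one), and a CSV of the pre-change values for rollback. The OU, filter and attribute names are taken from the script above; the log path is an assumption.

```powershell
function Invoke-AttributeSwap {
    param(
        [string]$BaseDN    = "LDAP://OU=ToSwap,DC=mikesdevblog,DC=local",
        [string]$Property1 = "givenName",
        [string]$Property2 = "sn",
        [string]$LogPath   = "$env:TEMP\SwapADAttrs-rollback.csv",   # assumed location
        [switch]$Commit                                               # omit for a dry run
    )
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry($BaseDN)
    $Searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $Searcher.Filter      = "(ObjectCategory=Person)"

    $Result = $Searcher.FindAll()
    $Log = New-Object System.Collections.Generic.List[object]
    try {
        foreach ($Object in $Result) {
            $Entry = $Object.GetDirectoryEntry()
            $Dn    = [string]$Entry.Properties["distinguishedName"].Value
            $Old1  = [string]$Entry.Properties[$Property1].Value
            $Old2  = [string]$Entry.Properties[$Property2].Value

            # Skip objects where either attribute is empty: swapping would clear the other one
            if ([string]::IsNullOrEmpty($Old1) -or [string]::IsNullOrEmpty($Old2)) {
                Write-Warning "Skipping ${Dn}: $Property1 or $Property2 is empty"
                continue
            }

            # Record the pre-change values so the swap can be undone object by object
            $Log.Add([pscustomobject]@{
                DistinguishedName = $Dn
                $Property1        = $Old1
                $Property2        = $Old2
                Committed         = $Commit.IsPresent
            })

            if ($Commit) {
                $Entry.Properties[$Property1].Value = $Old2
                $Entry.Properties[$Property2].Value = $Old1
                $Entry.CommitChanges()
            } else {
                Write-Host "WhatIf: $Dn  $Property1 '$Old1' <-> $Property2 '$Old2'"
            }
        }
    } finally {
        $Result.Dispose()
        $Log | Export-Csv -Path $LogPath -NoTypeInformation
    }
}

# Dry run first (prints the planned changes and writes the log), then re-run with -Commit
Invoke-AttributeSwap
# Invoke-AttributeSwap -Commit
```

To undo a committed run, read the CSV back and write each row's two recorded values to its DistinguishedName with the same CommitChanges() call.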

Thursday, September 2, 2010

Debugging Tools For Windows: Determine the BIOS Version and Other Useful Information


I saw another forum post where a fellow community member was able to determine the BIOS version and release date for a system based on debugging a small memory dump. Since the debugger command to find this information wasn't included in the post, I hammered the search engines for a few minutes and came up with essentially nothing about finding the BIOS release date and version in a small memory dump. Next, I combed through the help documentation provided with WinDbg and ended up using the classic search feature included in most compiled HTML documents.
To provide a demonstration for identifying the BIOS version, I crashed my system this morning and then used the resulting dump to experiment with various debugger commands to determine the BIOS version, release date, and system make/model. I stumbled upon the !sysinfo extension command and looked at the accompanying documentation. From a crash dump, you can get this information in a short form and a long form; both are demonstrated below. The !sysinfo machineid command displays the BIOS and motherboard information fairly compactly, while the !sysinfo smbios command dumps the full content of the SMBIOS table and displays other useful information about the processors, physical memory, and a couple of other onboard devices.
Another neat trick is that this information can be gained from a live system without needing to reboot into debugging mode using LiveKD.

The short version:

0: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.3, DMIVersion 35, Size=2618]
BiosMajorRelease = 2
BiosMinorRelease = 6
BiosVendor = Dell Inc.
BiosVersion = 2.6.0
BiosReleaseDate = 05/19/2008
SystemManufacturer = Dell Inc.
SystemProductName = Precision WorkStation 390
BaseBoardManufacturer = Dell Inc.
BaseBoardProduct = 0GH911
BaseBoardVersion = A00

The long version:

0: kd> !sysinfo smbios 
[SMBIOS Data Tables v2.3]
[DMI Version - 35]
[2.0 Calling Convention - No]
[Table Size - 2618 bytes]

[BIOS Information (Type 0) - Length 24 - Handle 0000h]
  Vendor                        Dell Inc.                
  BIOS Version                  2.6.0 
  BIOS Starting Address Segment f000
  BIOS Release Date             05/19/2008
  BIOS ROM Size                 100000
  BIOS Characteristics
       07: - PCI Supported
       09: - Plug and Play Supported
       10: - APM Supported
       11: - Upgradeable FLASH BIOS
       12: - BIOS Shadowing Supported
       15: - CD-Boot Supported
       16: - Selectable Boot Supported
       19: - EDD Supported
       21: - Toshiba J-Floppy Supported
       26: - Print Screen Device Supported
       27: - Keyboard Services Supported
       28: - Serial Services Supported
       29: - Printer Services Supported
       48: - System Vendor Reserved
       49: - System Vendor Reserved
       50: - System Vendor Reserved
       51: - System Vendor Reserved
       52: - System Vendor Reserved
  BIOS Characteristic Extensions
       00: - ACPI Supported
       01: - USB Legacy Supported
       04: - LS120-Boot Supported
       08: - BIOS Boot Specification Supported
       09: - Fn-Key NET-Boot Supported
       10: - Specification Reserved
  BIOS Major Revision           2
  BIOS Minor Revision           6
  EC Firmware Major Revision    255
  EC Firmware Minor Revision    255
[System Information (Type 1) - Length 27 - Handle 0100h]
  Manufacturer                  Dell Inc.                
  Product Name                  Precision WorkStation 390    
  Version                       [String Not Specified]
  Serial Number                        
  UUID                          00000000-0000-0000-0000-000000000000
  Wakeup Type                   Power Switch
  SKUNumber                     [String Not Specified]
  Family                        [String Not Specified]
[BaseBoard Information (Type 2) - Length 8 - Handle 0200h]
  Manufacturer                  Dell Inc.          
  Product                       0GH911
  Version                       A00
  Serial Number                                  
[System Enclosure (Type 3) - Length 13 - Handle 0300h]
  Manufacturer                  Dell Inc.                
  Chassis Type                  Tower
  Version                       [String Not Specified]
  Serial Number                        
  Asset Tag Number                        
  Bootup State                  Warning
  Power Supply State            Safe
  Thermal State                 Safe
  Security Status               None
[Processor Information (Type 4) - Length 40 - Handle 0400h]
  Socket Designation            Microprocessor
  Processor Type                Central Processor
  Processor Family              beh - Specification Reserved
  Processor Manufacturer        Intel
  Processor ID                  f6060000fffbebbf
  Processor Version             [String Not Specified]
  Processor Voltage             92h - 1.8V
  External Clock                1066MHz
  Max Speed                     5200MHz
  Current Speed                 2400MHz
  Status                        Enabled Populated
  Processor Upgrade             ZIF Socket
  L1 Cache Handle               0700h
  L2 Cache Handle               0701h
  L3 Cache Handle               0704h
  Serial Number                 [String Not Specified]
  Asset Tag Number              [String Not Specified]
  Part Number                   [String Not Specified]
[Cache Information (Type 7) - Length 19 - Handle 0700h]
  Socket Designation            [String Not Specified]
  Cache Configuration           0180h - WB Enabled Int NonSocketed L1
  Maximum Cache Size            0020h - 32K
  Installed Size                0020h - 32K
  Supported SRAM Type           0001h - Other 
  Current SRAM Type             0001h - Other 
  Cache Speed                   0ns
  Error Correction Type         None
  System Cache Type             Data
  Associativity                 8-way Set-Associative
[Cache Information (Type 7) - Length 19 - Handle 0701h]
  Socket Designation            [String Not Specified]
  Cache Configuration           0281h - Varies Enabled Int NonSocketed L2
  Maximum Cache Size            1000h - 4096K
  Installed Size                1000h - 4096K
  Supported SRAM Type           0001h - Other 
  Current SRAM Type             0001h - Other 
  Cache Speed                   0ns
  Error Correction Type         Multi-Bit ECC
  System Cache Type             Unified
  Associativity                 16-way Set-Associative
[Cache Information (Type 7) - Length 19 - Handle 0704h]
  Socket Designation            [String Not Specified]
  Cache Configuration           0282h - Varies Enabled Int NonSocketed L3
  Maximum Cache Size            0000h - 0K
  Installed Size                0000h - 0K
  Supported SRAM Type           0001h - Other 
  Current SRAM Type             0001h - Other 
  Cache Speed                   0ns
  Error Correction Type         Multi-Bit ECC
  System Cache Type             Unified
  Associativity                 Unknown
[Onboard Devices Information (Type 10) - Length 6 - Handle 0a02h]
  Number of Devices             1
  01: Type                      Ethernet [enabled]
  01: Description               Broadcom 5751 NetXtreme Gigabit Controller
[Onboard Devices Information (Type 10) - Length 6 - Handle 0a03h]
  Number of Devices             1
  01: Type                      Sound [enabled]
  01: Description               High Definition Audio Controller
[OEM Strings (Type 11) - Length 5 - Handle 0b00h]
  Number of Strings             1
   1                            www.dell.com
[Physical Memory Array (Type 16) - Length 15 - Handle 1000h]
  Location                      03h - SystemBoard/Motherboard
  Use                           03h - System Memory
  Memory Error Correction       05h - Single-bit ECC
  Maximum Capacity              8388608KB
  Memory Error Inf Handle       [Not Provided]
  Number of Memory Devices      4
[Memory Device (Type 17) - Length 27 - Handle 1100h]
  Physical Memory Array Handle  1000h
  Memory Error Info Handle      [No Errors]
  Total Width                   64 bits
  Data Width                    64 bits
  Size                          1024MB
  Form Factor                   09h - DIMM
  Device Set                    [None]
  Device Locator                DIMM_1
  Bank Locator                  [String Not Specified]
  Memory Type                   12h - DDR
  Type Detail                   0080h - Synchronous
  Speed                         533MHz
  Manufacturer                  2CFFFFFFFFFFFFFF
  Serial Number                         
  Asset Tag Number                    
  Part Number                   16HTF12864AY-53EB1
[Memory Device (Type 17) - Length 27 - Handle 1101h]
  Physical Memory Array Handle  1000h
  Memory Error Info Handle      [No Errors]
  Total Width                   64 bits
  Data Width                    64 bits
  Size                          [Not Populated]
  Form Factor                   09h - DIMM
  Device Set                    [None]
  Device Locator                DIMM_3
  Bank Locator                  [String Not Specified]
  Memory Type                   12h - DDR
  Type Detail                   0080h - Synchronous
  Speed                         533MHz
  Manufacturer                  FFFFFFFFFFFFFFFF
  Serial Number                         
  Asset Tag Number                    
  Part Number                                     
[Memory Device (Type 17) - Length 27 - Handle 1102h]
  Physical Memory Array Handle  1000h
  Memory Error Info Handle      [No Errors]
  Total Width                   64 bits
  Data Width                    64 bits
  Size                          1024MB
  Form Factor                   09h - DIMM
  Device Set                    [None]
  Device Locator                DIMM_2
  Bank Locator                  [String Not Specified]
  Memory Type                   12h - DDR
  Type Detail                   0080h - Synchronous
  Speed                         533MHz
  Manufacturer                  2CFFFFFFFFFFFFFF
  Serial Number                         
  Asset Tag Number                    
  Part Number                   16HTF12864AY-53EB1
[Memory Device (Type 17) - Length 27 - Handle 1103h]
  Physical Memory Array Handle  1000h
  Memory Error Info Handle      [No Errors]
  Total Width                   64 bits
  Data Width                    64 bits
  Size                          [Not Populated]
  Form Factor                   09h - DIMM
  Device Set                    [None]
  Device Locator                DIMM_4
  Bank Locator                  [String Not Specified]
  Memory Type                   12h - DDR
  Type Detail                   0080h - Synchronous
  Speed                         533MHz
  Manufacturer                  FFFFFFFFFFFFFFFF
  Serial Number                         
  Asset Tag Number                    
  Part Number                                     
[Memory Array Mapped Address (Type 19) - Length 15 - Handle 1301h]
  Starting Address              00000000h
  Ending Address                001fffffh
  Memory Array Handle           1000h
  Partition Width               01
[Memory Device Mapped Address (Type 20) - Length 19 - Handle 1400h]
  Starting Address              00000000h
  Ending Address                001fffffh
  Memory Device Handle          1100h
  Mem Array Mapped Adr Handle   1301h
  Partition Row Position        01
  Interleave Position           01
  Interleave Data Depth         01
[Memory Device Mapped Address (Type 20) - Length 19 - Handle 1402h]
  Starting Address              00000000h
  Ending Address                001fffffh
  Memory Device Handle          1102h
  Mem Array Mapped Adr Handle   1301h
  Partition Row Position        01
  Interleave Position           02
  Interleave Data Depth         01

Thursday, August 26, 2010

Skydrive: Uploading Files For Community Support


If you receive a comment such as "please post this file to SkyDrive" in the forums for a community member to look at a dump file or a large log file, then you can easily post it to Microsoft Live SkyDrive. The key thing is to ensure that the file that you are posting is publicly accessible. At the time of this writing, everyone gets 25 GB of free storage.

To Upload a Publicly Accessible File to SkyDrive

  • Log in to SkyDrive or create an account.
  • Generally there are two folders by default: "My Documents" and "Public." Uploading a file and posting a link from the "Public" folder is usually sufficient.
  • Click the Public Folder and click "Add files." From here it is easy to select files from your computer. Note that if you run into a size limit, the files may need to be split to upload.
  • After uploading the files, it is a good idea to post a link to them. This can be accomplished by selecting Share -> Embed and copying the resulting link back to a post or email.
  • Note that if you are not using the default public folder or need to allow access to a different folder that you have created, then you may need to enable access for everyone. Select Share -> Edit permissions (note that I created a new Test directory to demonstrate the sharing process). Note that it appears that the permissions can only be modified on top level folders. I tried creating a Test folder under My Documents and the sharing permissions could not be modified, but creating a new top level folder allowed the permissions to be set properly.



See Also:
Windows Crash Dump Analysis
How To Split a Large File For E-mail and Upload

Thursday, August 5, 2010

Virus Alerts in System Center Operations Manager 2007 R2 from Forefront Client Security



The Event...

Recently a colleague asked me to build a monitor for a file server that was running Forefront Client Security. The idea is that the monitor can be used to generate an alert that is used to notify our security team for remediation.  I don't routinely have viruses on any of the systems that I run so I didn't know whether Forefront Client Security would generate any events that we could use to generate the alert or feed the subscription. Naturally the first question that I have is "Where can I find a test file that Forefront will detect as a virus?". After a short Google search, I find a post that indicates that the EICAR test file can be used.

<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FCSAM" />
    <EventID Qualifiers="0">3004</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-05T15:02:37.000000000Z" />
    <EventRecordID>5565</EventRecordID>
    <Channel>System</Channel>
    <Computer>hostname.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>%%830</Data>
    <Data>1.5.1981.0</Data>
    <Data>{0241B15E-FF55-4937-A417-CC72198D3A9F}</Data>
    <Data>10</Data>
    <Data>%%843</Data>
    <Data />
    <Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
    <Data>domain</Data>
    <Data>username</Data>
    <Data>SID</Data>
    <Data>Virus:DOS/EICAR_Test_File</Data>
    <Data>2147519003</Data>
    <Data>5</Data>
    <Data>42</Data>
    <Data>http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003</Data>
    <Data>file:C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LFQVJNIJ\eicar[1].com</Data>
    <Data />
    <Data />
    <Data>4</Data>
    <Data>%%814</Data>
    <Data>0</Data>
    <Data>%%823</Data>
    <Data />
    <Data />
    <Data>Severe</Data>
    <Data>Virus</Data>
    <Data />
    <Data />
  </EventData>
</event>

Before I even have a chance to choose a file path for saving the file, Forefront Client Security has already detected the file as a virus. Poking around in the event logs, these events are created in Windows Logs\System and are from the source FCSAM with ID 3004. Now that we have sufficiently covered the Forefront event that is logged, the big question is how to create the monitor and generate the alert.

The Monitor...

The background of the monitor is that Operations is not interested in remediation of the file server, so the alerts that are generated should not last very long in the "Active Alerts" view and should be sent directly to the security team for review and remediation.

Without actually writing a management pack in the Authoring console, this monitor can be created from the Authoring tab of the Operations console. Under Management Packs\Monitors we will use the "Create a Monitor" action item to create a new unit monitor in an appropriate management pack.

In the first part of the wizard, select Windows Events\Simple Event Detection\Timer Reset and select an appropriate management pack. Click Next.

Pick a valid name and description. I used the name "Forefront Client Security Realtime Monitoring Virus alert" and a description describing the monitor. For target, select "Windows Computer" (or another target as appropriate). The parent monitor is likely going to be Entity Health\Security. Click Next.

Select the System Event log and click Next. Configure Event Id "3004" and Source "FCSAM". Click Next. Specify a short wait time (I used 10 seconds). Click Next.

Under the "Configure Health" step, configure the "Event Raised" condition to trigger a health state of "Warning" and the "Timer Event Raised" to trigger a health state of "Healthy." Then configure the monitor to generate an alert when it is in the "Warning" state. The monitor is now set up to alert if a virus is found.

The subscription...

The next step is to create a new subscription. This assumes that the appropriate channels and subscribers have been created. Under the Administration tab of the Operations Console, create a new Subscription by either right clicking any node of the navigation tree and selecting "New subscription..." or clicking the Subscriptions node and "New..." in the actions pane.

Select an appropriate name and description for the subscription. Under the "Criteria" step, select "created by specific rules or monitors (e.g., sources)" and search for and select the monitor that we created in the previous section. Select the appropriate subscribers, channels, and configure the appropriate information and create the subscription.

Alternative Method Not Using SCOM...

If you don't want to use SCOM, the native event log functionality in Windows can generate the email instead. Right-click the event in the "System" log in Event Viewer and select "Attach a Task To this Event..." Note that this event needs to appear at least once in the event log, so you will need to generate it manually with the EICAR test file referenced above.

Note that this procedure will need to be followed to include the event text in the email. The wevtutil script will likely look like the following

del %temp%\query.txt
wevtutil qe System "/q:*[System[Provider[@Name='FCSAM'] and (EventID=3004)]]" /f:text /rd:true /c:1 > %temp%\query.txt

and the %temp%\query.txt file will still be included as the attachment to the email.
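Whether the alert goes through SCOM or a scheduled task, the security team wants the same handful of fields out of the event: the threat name, the user, the path, and the severity. Added example (not from the original post): a parser for the FCSAM 3004 event shown above, plus a Get-WinEvent query that applies the same provider-and-ID filter as the wevtutil line. The <Data> positions come from that sample event; the output field names are my own labels, not documented Forefront names. The sample is the event above with the URL ampersands escaped and the username placeholder adjusted so that it is well-formed XML.

```powershell
function ConvertFrom-FcsamEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace("e", "http://schemas.microsoft.com/win/2004/08/events/event")
    $root = $EventXml.DocumentElement      # <event> on the blog, <Event> from Get-WinEvent
    $sys  = $root.SelectSingleNode("e:System", $ns)
    $provider = $sys.SelectSingleNode("e:Provider", $ns).GetAttribute("Name")
    $eventId  = $sys.SelectSingleNode("e:EventID", $ns).InnerText
    if ($provider -ne "FCSAM" -or $eventId -ne "3004") {
        throw "Expected FCSAM event 3004, got $provider/$eventId"
    }
    # Classic providers log positional <Data> elements; the indexes below match the sample event
    $data = @($root.SelectNodes("e:EventData/e:Data", $ns) | ForEach-Object { $_.InnerText })
    [pscustomobject]@{
        Computer = $sys.SelectSingleNode("e:Computer", $ns).InnerText
        Time     = $sys.SelectSingleNode("e:TimeCreated", $ns).GetAttribute("SystemTime")
        Process  = $data[6]
        User     = "$($data[7])\$($data[8])"
        Threat   = $data[10]
        ThreatId = $data[11]
        Path     = $data[15]
        Severity = $data[24]
        Category = $data[25]
    }
}

# Live collection: the same XPath idea as the wevtutil query, restricted to the FCSAM provider
function Get-FcsamDetection {
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName System -MaxEvents $MaxEvents `
        -FilterXPath "*[System[Provider[@Name='FCSAM'] and (EventID=3004)]]" |
        ForEach-Object { ConvertFrom-FcsamEvent ([xml]$_.ToXml()) }
}

# Constructed sample: the event from the post, made well-formed (escaped & and plain username)
$sample = [xml]@'
<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FCSAM" />
    <EventID Qualifiers="0">3004</EventID>
    <TimeCreated SystemTime="2010-08-05T15:02:37.000000000Z" />
    <Channel>System</Channel>
    <Computer>hostname.domain.com</Computer>
  </System>
  <EventData>
    <Data>%%830</Data><Data>1.5.1981.0</Data><Data>{0241B15E-FF55-4937-A417-CC72198D3A9F}</Data>
    <Data>10</Data><Data>%%843</Data><Data />
    <Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
    <Data>domain</Data><Data>username</Data><Data>SID</Data>
    <Data>Virus:DOS/EICAR_Test_File</Data><Data>2147519003</Data><Data>5</Data><Data>42</Data>
    <Data>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=Virus:DOS/EICAR_Test_File&amp;threatid=2147519003</Data>
    <Data>file:C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LFQVJNIJ\eicar[1].com</Data>
    <Data /><Data /><Data>4</Data><Data>%%814</Data><Data>0</Data><Data>%%823</Data><Data /><Data />
    <Data>Severe</Data><Data>Virus</Data><Data /><Data />
  </EventData>
</event>
'@

# Threat = Virus:DOS/EICAR_Test_File, Severity = Severe, Path = the eicar[1].com file
ConvertFrom-FcsamEvent $sample | Format-List
```

Get-FcsamDetection only returns something on a machine where Forefront Client Security has actually logged the event, which is the same requirement the scheduled-task method has.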


Tuesday, August 3, 2010

COMExceptions, HRESULTS, and Windows Calculator


I was recently building a small web application in ASP.Net and C# where I had to deal with a little bit of ADSI and the System.DirectoryServices namespace. During the debugging phase, I used a try/catch block to catch exceptions and present them in a label for development purposes, and to create useful error messages for users for reasons that they would know and care about (such as an invalid username and password). One of the errors was a COMException with an ErrorCode property of 8007052E:

C:\>err 8007052e
# as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x52e
# for hex 0x52e / decimal 1326 :   ERROR_LOGON_FAILURE                                           winerror.h
# Logon failure: unknown user name or bad password.
# 1 matches found for "8007052e"

So, obviously I give the following a try in C# and am presented with a warning:

if (ex.ErrorCode == 0x8007052E)

Visual Studio says "Comparison of integral constant is useless; the constant is outside the range of type 'int'". So I start working with the Exchange Error Code Look-up Tool (note that it is not just for Exchange, but for any of the "19871 return codes registered from 172 sources" that it has archived on my system), and by trial and error I try a little truncation, looking up 0x7052E and 0x52E, which are presumably the same error code:

C:\>err 7052e 
# as an HRESULT: Severity: SUCCESS (0), Facility: 0x7, Code 0x52e 
# for hex 0x52e / decimal 1326 :   ERROR_LOGON_FAILURE                                           winerror.h 
# Logon failure: unknown user name or bad password. 
# 1 matches found for "7052e"  

C:\>err 52e 
# for hex 0x52e / decimal 1326 :   ERROR_LOGON_FAILURE                                           winerror.h 
# Logon failure: unknown user name or bad password. 
# 1 matches found for "52e" 
Sadly, these don't work. Then I remember what I learned when I studied two's complement numbers and realize that these error codes will never match: the most significant bit of the 8-digit hex value is the one that makes the value negative for a 4-byte number in its decimal representation. **Note above that I was in error to work with 0x7052E; the error lookup tool is primarily interested in 4- or 8-digit hexadecimal representations of the error, so for the second one it used 0x052E, returning the same error.**

I start poking around with some of the improvements to Windows Calculator in Windows Server 2008 R2 and Windows 7 (since I didn't want to use pencil and paper) and stumble upon the new Programmer mode (you can still do this in the old calculator application using the Scientific mode). I enter the hex code 8007052E, remember that HRESULTs are dwords (4 bytes/32 bits), and convert to decimal.

The correct value to use in the branch is actually -2147023570. No more warning. The word value is 0x52e (decimal 46), another possible result if the function was written for an old version of Windows or only returns a 2-byte (16-bit) value.
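The calculator step is a reinterpretation of the same 32 bits as a signed integer, and the err tool output is the three-field HRESULT layout (severity, facility, code). Added example (not from the original post): a PowerShell function that does both for any HRESULT, so the value for the C# comparison and the Win32 code for the lookup tool come from one place. For 8007052E it returns the values the post arrives at: signed -2147023570, severity 1, facility 0x7, code 0x52E (1326).

```powershell
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][string]$Hex)   # "8007052E" or "0x8007052E"
    $u = [Convert]::ToUInt32(($Hex -replace '^0[xX]', ''), 16)
    # Reinterpret the same 32 bits as a signed int (two's complement). In C# the equivalent
    # is unchecked((int)0x8007052E), which is the constant the comparison in the post needs.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($u), 0)
    $v = [long]$u   # widen before shifting so the top bit is never treated as a sign bit
    [pscustomobject]@{
        Hex      = "0x{0:X8}" -f $u
        Signed   = $signed
        Severity = [int]($v -shr 31)                  # bit 31: 1 = FAILURE, 0 = SUCCESS
        Facility = [int](($v -shr 16) -band 0x7FF)    # bits 26..16: 0x7 = FACILITY_WIN32
        Code     = [int]($v -band 0xFFFF)             # bits 15..0: the Win32 error, 0x52E = 1326
    }
}

ConvertFrom-HResult "8007052E"
# Comparing an exception's code without the truncation warning:
#   $ex.ErrorCode -eq (ConvertFrom-HResult "8007052E").Signed
```

When Facility is 0x7 the Code field is a plain winerror.h value, which is why err 52e finds the same ERROR_LOGON_FAILURE entry as the full HRESULT.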

Friday, July 30, 2010

WinDbg/KD: Debugging a Processor Cache Issue (0x124 WHEA_UNCORRECTABLE_ERROR)


The Debugging Tools for Windows are required to analyze crash dump files. If you do not have the Debugging Tools for Windows installed or dump files are not being generated on system crash, see this post for installation/configuration instructions:
http://mikemstech.blogspot.com/2011/11/windows-crash-dump-analysis.html

I recently helped a user out with a stop error involving the processor cache, and I realized that there are not a lot of posts that detail the information included in this kind of small memory dump. Professionals who work closely with kernel-level structures and the physical processor and chipset know that there are typically two or three caches (referred to as L1, L2, and L3) as well as the TLB (translation lookaside buffer).

When there is a failure in one of these caches, there will likely be a stop error (sometimes called a bugcheck error, after the function that generates the dump and safely brings down the system, KeBugCheckEx) and a resulting memory dump in C:\Windows\Minidump. These files end in .dmp and can be read with a couple of utilities. I use the Debugging Tools for Windows to view these files. Note that after installing the Debugging Tools for Windows, it may be necessary to configure symbols for the debuggers. In WinDbg this is done from the File ->  Symbol File Path menu item. Using the linked article, it is possible to use the Microsoft symbol server to get all of the necessary symbols for the OS and to use the generated .pdb files for custom projects to load the necessary symbols for debugging custom applications.

After all of the initial setup tasks, starting WinDbg from the start menu is a simple task. Loading a dump file can be accomplished by pressing Ctrl+D or from the file menu using the "Open Crash Dump" command.

Since cache failures are usually detected as hardware errors, the error code 0x00000124 (WHEA_UNCORRECTABLE_ERROR) is the stop code that is displayed when the system crashes and the small memory dump is created. This error only appears on Windows Vista and later (Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2). Older Windows versions (Windows XP, Windows Server 2003) crash with 0x9C MACHINE_CHECK_EXCEPTION.

The universal way to start debugging a crash dump is with the !analyze -v command. This displays key information about the process that likely caused the fault, the stack trace leading up to the crash, and key information about the error. When I look at these types of errors, I also use the !cpuinfo command to get information about the processor(s) involved with the crash.

The !cpuinfo extension command can help identify the failing processor on a multicore/multi-CPU system, but successful interpretation of the output depends on vendor documentation and how the kernel interacts with the hardware. The main value in the command is that someone interpreting the dump can use the information to help identify the processor and propose updated drivers to try before replacing the CPU. The F/M/S is the Family/Model/Stepping information for the processor. This can usually be used to identify the processor in use. In this case, this is a Family 15 Model 107 Stepping 2 64-bit processor manufactured by AMD (likely the AMD Athlon Dual Core Processor 5050e).

Once the crash has been identified as a WHEA_UNCORRECTABLE_ERROR, Arg2 is a pointer to the WHEA_ERROR_RECORD structure describing the nature of the error. This can be analyzed further with the !errrec address command, where address is the value in Arg2. Section 0 shows that this was a failure during a read operation of the L1 processor cache.

This error does not always indicate a failure in the processor, but can also be caused by problems in the BIOS, so before sending the CPU back to the manufacturer or purchasing a replacement, always ensure that all of the system drivers and the BIOS are up to date. You should perform a stress test on the CPU to help determine whether a hardware issue exists. For more information, see this post.
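Arg3 and Arg4 of the bugcheck are the two halves of the MCi_STATUS register the processor latched for the machine check, so the cache details in the WHEA record can be cross-checked straight from the bugcheck parameters. Added example (not from the original post): a function that reassembles the halves and decodes the architectural MCA fields (status flags in bits 63..57, error code in bits 15..0, the compound cache-hierarchy format 0000 0001 RRRR TTLL shared by Intel and AMD). Run on the b6204000 / 135 values from the !analyze -v output in this post it reports an uncorrected, context-corrupting data-read error at cache level 1, matching Section 0 of the !errrec output.

```powershell
function ConvertFrom-MciStatus {
    param(
        [Parameter(Mandatory)][string]$Arg3,   # high 32 bits, hex as printed by the debugger
        [Parameter(Mandatory)][string]$Arg4    # low 32 bits
    )
    # Parse as unsigned, then widen to 64-bit so shifts never see a sign bit
    $hi = [long][Convert]::ToUInt32(($Arg3 -replace '^0[xX]', ''), 16)
    $lo = [long][Convert]::ToUInt32(($Arg4 -replace '^0[xX]', ''), 16)
    $bit = { param($v, $n) (($v -shr $n) -band 1) -eq 1 }

    $info = [ordered]@{
        MciStatus = "0x{0:X8}{1:X8}" -f $hi, $lo
        VAL   = & $bit $hi 31   # bit 63: register contents valid
        OVER  = & $bit $hi 30   # bit 62: an earlier error was overwritten
        UC    = & $bit $hi 29   # bit 61: uncorrected error
        EN    = & $bit $hi 28   # bit 60: error reporting was enabled for this bank
        MISCV = & $bit $hi 27   # bit 59: MCi_MISC holds valid data
        ADDRV = & $bit $hi 26   # bit 58: MCi_ADDR holds the faulting address
        PCC   = & $bit $hi 25   # bit 57: processor context corrupt
        McaErrorCode = "0x{0:X4}" -f ($lo -band 0xFFFF)
    }

    # Cache hierarchy errors use the compound code 0000 0001 RRRR TTLL
    $code = $lo -band 0xFFFF
    if (($code -band 0xFF00) -eq 0x0100) {
        $request = @('Generic', 'Generic read', 'Generic write', 'Data read', 'Data write',
                     'Instruction fetch', 'Prefetch', 'Eviction', 'Snoop')
        $tt = @('Instruction', 'Data', 'Generic', 'Reserved')
        $ll = @('L0', 'L1', 'L2', 'Generic')
        $r  = ($code -shr 4) -band 0xF
        $info.ErrorType   = 'Cache hierarchy error'
        $info.Request     = if ($r -lt $request.Count) { $request[$r] } else { "Reserved ($r)" }
        $info.Transaction = $tt[($code -shr 2) -band 3]
        $info.Level       = $ll[$code -band 3]
    } else {
        $info.ErrorType = 'Not a cache hierarchy code (TLB, memory, bus or simple error)'
    }
    # Uncorrected with corrupt context: the kernel has no choice but to bugcheck
    $info.Fatal = $info.UC -and $info.PCC
    [pscustomobject]$info
}

# The Arg3/Arg4 values from the BugCheck 124 line in this post
ConvertFrom-MciStatus -Arg3 "b6204000" -Arg4 "135"
```

Bits 56..16 of the high half hold model-specific information that differs between vendors, which is why the function leaves them undecoded and why the vendor documentation the post mentions is still needed for a full read.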

Loading Dump File 
[C:\Users\Administrator\Documents\Dumps\072910-21078-01\072910-21078-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7600 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
Machine Name:
Kernel base = 0xfffff800`02a13000 PsLoadedModuleList = 0xfffff800`02c50e50
Debug session time: Thu Jul 29 17:38:35.915 2010 (UTC - 6:00)
System Uptime: 0 days 20:28:58.649
Loading Kernel Symbols
...............................................................
................................................................
..................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 124, {0, fffffa8004b0f038, b6204000, 135}

Probably caused by : hardware

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

WHEA_UNCORRECTABLE_ERROR (124)
A fatal hardware error has occurred. Parameter 1 identifies the type of error
source that reported the error. Parameter 2 holds the address of the
WHEA_ERROR_RECORD structure that describes the error conditon.
Arguments:
Arg1: 0000000000000000, Machine Check Exception
Arg2: fffffa8004b0f038, Address of the WHEA_ERROR_RECORD structure.
Arg3: 00000000b6204000, High order 32-bits of the MCi_STATUS value.
Arg4: 0000000000000135, Low order 32-bits of the MCi_STATUS value.

Debugging Details:
------------------


BUGCHECK_STR:  0x124_AuthenticAMD

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  Wow.exe

CURRENT_IRQL:  f

STACK_TEXT:  
... : nt!KeBugCheckEx
... : hal!HalBugCheckSystem+0x1e3
... : nt!WheaReportHwError+0x263
... : hal!HalpMcaReportError+0x4c
... : hal!HalpMceHandler+0x9e
... : hal!HalHandleMcheck+0x47
... : nt!KxMcheckAbort+0x6c
... : nt!KiMcheckAbort+0x153
... : 0x698d668e


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: hardware

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0x124_AuthenticAMD_PROCESSOR_CACHE

BUCKET_ID:  X64_0x124_AuthenticAMD_PROCESSOR_CACHE

Followup: MachineOwner
---------

0: kd> !cpuinfo
CP  F/M/S Manufacturer  MHz PRCB Signature    MSR 8B Signature Features
 0 15,107,2 AuthenticAMD 3114 0000000000000000                   203b7dfe

0: kd> !errrec fffffa8004b0f038
===============================================================================
Common Platform Error Record @ fffffa8004b0f038
-------------------------------------------------------------------------------
Record Id     : 01cb2ecb7afdac79
Severity      : Fatal (1)
Length        : 928
Creator       : Microsoft
Notify Type   : Machine Check Exception
Timestamp     : 7/29/2010 23:38:35
Flags         : 0x00000000

===============================================================================
Section 0     : Processor Generic
-------------------------------------------------------------------------------
Descriptor    @ fffffa8004b0f0b8
Section       @ fffffa8004b0f190
Offset        : 344
Length        : 192
Flags         : 0x00000001 Primary
Severity      : Fatal

Proc. Type    : x86/x64
Instr. Set    : x64
Error Type    : Cache error
Operation     : Data Read
Flags         : 0x00
Level         : 1
CPU Version   : 0x0000000000060fb2
Processor ID  : 0x0000000000000000

===============================================================================
Section 1     : x86/x64 Processor Specific
-------------------------------------------------------------------------------
Descriptor    @ fffffa8004b0f100
Section       @ fffffa8004b0f250
Offset        : 536
Length        : 128
Flags         : 0x00000000
Severity      : Fatal

Local APIC Id : 0x0000000000000000
CPU Id        : b2 0f 06 00 00 08 02 00 - 01 20 00 00 ff fb 8b 17
                00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

Proc. Info 0  @ fffffa8004b0f250

===============================================================================
Section 2     : x86/x64 MCA
-------------------------------------------------------------------------------
Descriptor    @ fffffa8004b0f148
Section       @ fffffa8004b0f2d0
Offset        : 664
Length        : 264
Flags         : 0x00000000
Severity      : Fatal

Error         : DCACHEL1_DRD_ERR (Proc 0 Bank 0)
  Status      : 0xb620400000000135
  Address     : 0x0000000063c20ef0
  Misc.       : 0x0000000000000000

Tuesday, July 6, 2010

Active Directory Certificate Services: Issuing Common Certificate Types on Standalone CAs (Part 1)



Background

Active Directory Certificate Services (ADCS) can issue certificates for many different purposes. Installation offers two independent choices, giving four combinations: Standalone CA or Enterprise CA, and Root or Subordinate. An Enterprise CA is only possible within an Active Directory Domain Services infrastructure. A full discussion of an enterprise PKI is not given here; it can be found in any of the books on PKI or on Microsoft TechNet.
Enterprise CAs allow multiple types of certificates to be issued automatically through a process known as autoenrollment. Users can also submit requests through the web enrollment interface or send a request to a CA administrator. Autoenrollment requires the creation and maintenance of one or more certificate templates; the issuing CAs (typically subordinate CAs) issue certificates from those templates based on the requests they receive. Many templates ship with ADCS and correspond to different purposes, such as securing connections between clients and servers (for example IPsec and SSL), authenticating people and computers (smart card and client authentication certificates), and encrypting data (Encrypting File System certificates).
Standalone CAs can issue the same types of certificates that enterprise certification authorities can, but they do so without autoenrollment or certificate templates. Requesters send a request to a CA administrator or submit it through web enrollment, and all of the information that defines the certificate's purpose (Basic Constraints, Key Usage and Enhanced Key Usage) has to be carried in the request itself. Because the CA takes these values from the request rather than from a template, the administrator should check the requested key usages and purposes against what the requester is entitled to before issuing; by default a standalone CA holds every request as pending until an administrator approves it, which is the point at which that check belongs. Searching Google and Bing makes it apparent that an organization without an enterprise CA has no handy reference for which extensions a manually created request needs. This post provides the extensions carried by the certificate templates installed with ADCS, so that equivalent requests can be built by hand for a standalone CA.
The following table lists most of the certificate templates installed with a Windows Server 2008 R2 Enterprise Edition Enterprise Certification Authority and their extensions. The Key Usage column uses the wording of the Certificate Templates console: "Digital signature" is the digitalSignature bit and "Allow key exchange only with key encryption" is the keyEncipherment bit. All of these templates mark the Key Usage extension critical; the two CA templates also mark Basic Constraints critical.
Name | Template Name | Subject Type | Purpose (if applicable) | Basic Constraints | Key Usage | Enhanced Key Usage
--- | --- | --- | --- | --- | --- | ---
Administrator | Administrator | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Microsoft Trust List Signing; Encrypting File System; Secure Email; Client Authentication
Authenticated Session | ClientAuth | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Client Authentication
Basic EFS | EFS | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | Encrypting File System
CEP Encryption | CEPEncryption | Computer | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | Certificate Request Agent
Code Signing | CodeSigning | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Code Signing
Computer | Machine | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Client Authentication; Server Authentication
Domain Controller | DomainController | Directory e-mail replication | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Client Authentication; Server Authentication
EFS Recovery Agent | EFSRecovery | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | File Recovery
Enrollment Agent | EnrollmentAgent | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Certificate Request Agent
Enrollment Agent (Computer) | MachineEnrollmentAgent | Computer | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Certificate Request Agent
Exchange Enrollment Agent (Offline Request) | EnrollmentAgentOffline | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Certificate Request Agent
Exchange Signature Only | ExchangeUserSignature | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Secure Email
Exchange User | ExchangeUser | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | Secure Email
IPSec | IPSECIntermediateOnline | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | IP security IKE intermediate
IPSec (Offline Request) | IPSECIntermediateOffline | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | IP security IKE intermediate
Root Certification Authority | CA | Certification authority (CA) | n/a | The subject is a certification authority (CA). Critical extension. | Digital signature; Certificate signing; CRL signing. Critical extension. | None
Router (Offline request) | OfflineRouter | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Client Authentication
Smartcard Logon | SmartcardLogon | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Client Authentication; Smart Card Logon
Smartcard User | SmartcardUser | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Secure Email; Client Authentication; Smart Card Logon
Subordinate Certification Authority | SubCA | Certification authority (CA) | n/a | The subject is a certification authority (CA). Critical extension. | Digital signature; Certificate signing; CRL signing. Critical extension. | None
Trust List Signing | CTLSigning | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Microsoft Trust List Signing
User | User | User | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Encrypting File System; Secure Email; Client Authentication
User Signature Only | UserSignature | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Secure Email; Client Authentication
Web Server | WebServer | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature; Allow key exchange only with key encryption. Critical extension. | Server Authentication
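To put the table to use on a standalone CA, the request has to carry the Key Usage and Enhanced Key Usage values itself. The following PowerShell is an added example and not part of the original post: it turns a table row into a certreq .inf file, generates the PKCS#10 request, and submits it. The $TemplateSpecs entries, the function name and the host and CA names in the usage section are this example's own assumptions; the KeyUsage bit values are the wincrypt.h CERT_*_KEY_USAGE constants and the EKU OIDs are the ones the ADCS templates carry.

```powershell
# Added example (not from the original post). Build a certreq .inf for a standalone CA
# from the extension data in the table above and submit the request.
# Assumptions: $TemplateSpecs covers a handful of rows, names below are invented.

# Key Usage bits as certreq expects them on the INF KeyUsage line.
$KU_DigitalSignature = 0x80   # CERT_DIGITAL_SIGNATURE_KEY_USAGE ("Digital signature")
$KU_KeyEncipherment  = 0x20   # CERT_KEY_ENCIPHERMENT_KEY_USAGE  ("Allow key exchange only with key encryption")

# Enhanced Key Usage OIDs for every purpose named in the table.
$EKU = @{
    'Server Authentication'        = '1.3.6.1.5.5.7.3.1'
    'Client Authentication'        = '1.3.6.1.5.5.7.3.2'
    'Code Signing'                 = '1.3.6.1.5.5.7.3.3'
    'Secure Email'                 = '1.3.6.1.5.5.7.3.4'
    'IP security IKE intermediate' = '1.3.6.1.5.5.8.2.2'
    'Smart Card Logon'             = '1.3.6.1.4.1.311.20.2.2'
    'Certificate Request Agent'    = '1.3.6.1.4.1.311.20.2.1'
    'Encrypting File System'       = '1.3.6.1.4.1.311.10.3.4'
    'File Recovery'                = '1.3.6.1.4.1.311.10.3.4.1'
    'Microsoft Trust List Signing' = '1.3.6.1.4.1.311.10.3.1'
}

# End-entity rows from the table, keyed by template name (add rows as needed).
$TemplateSpecs = @{
    'WebServer'     = @{ Machine = $true;  KU = ($KU_DigitalSignature -bor $KU_KeyEncipherment); Purposes = @('Server Authentication') }
    'Machine'       = @{ Machine = $true;  KU = ($KU_DigitalSignature -bor $KU_KeyEncipherment); Purposes = @('Client Authentication', 'Server Authentication') }
    'CodeSigning'   = @{ Machine = $false; KU = $KU_DigitalSignature;                            Purposes = @('Code Signing') }
    'SmartcardUser' = @{ Machine = $false; KU = ($KU_DigitalSignature -bor $KU_KeyEncipherment); Purposes = @('Secure Email', 'Client Authentication', 'Smart Card Logon') }
    'EFS'           = @{ Machine = $false; KU = $KU_KeyEncipherment;                             Purposes = @('Encrypting File System') }
}

function New-StandaloneCARequestInf {
    param(
        [Parameter(Mandatory = $true)] [string] $TemplateName,
        [Parameter(Mandatory = $true)] [string] $Subject,   # e.g. "CN=web01.mikesdevblog.local"
        [string[]] $DnsNames = @()                          # optional SAN entries for server certificates
    )
    $spec = $TemplateSpecs[$TemplateName]
    if (-not $spec) { throw "No extension data for template '$TemplateName'" }

    $lines = @(
        '[Version]'
        'Signature="$Windows NT$"'
        ''
        '[NewRequest]'
        "Subject = `"$Subject`""
        'KeyLength = 2048'
        'HashAlgorithm = sha256'
        'Exportable = FALSE'
        'KeySpec = 1'                      # AT_KEYEXCHANGE: the CSP key can both sign and decrypt
        'RequestType = PKCS10'
        "MachineKeySet = $(if ($spec.Machine) { 'TRUE' } else { 'FALSE' })"
        ('KeyUsage = 0x{0:X2}' -f $spec.KU)
        ''
        '[EnhancedKeyUsageExtension]'
    )
    foreach ($p in $spec.Purposes) { $lines += "OID = $($EKU[$p])   ; $p" }

    if ($DnsNames.Count -gt 0) {
        $lines += ''
        $lines += '[Extensions]'
        $lines += '2.5.29.17 = "{text}"'   # subjectAltName
        foreach ($d in $DnsNames) { $lines += "_continue_ = `"dns=$d&`"" }
    }
    return ($lines -join "`r`n")
}

# Usage (assumed host and CA names). Dump the request before submitting it: on a
# standalone CA the administrator sees only what the request asks for.
$inf = New-StandaloneCARequestInf -TemplateName 'WebServer' `
           -Subject 'CN=web01.mikesdevblog.local' -DnsNames 'web01.mikesdevblog.local'
Set-Content -Path .\web01.inf -Value $inf -Encoding ASCII
certreq -new .\web01.inf .\web01.req
certutil -dump .\web01.req            # confirm Key Usage and EKU match the table row
certreq -submit -config 'ca01.mikesdevblog.local\MikesDevBlog Standalone CA' .\web01.req .\web01.cer
# The request is held as pending until an administrator approves it (certsrv.msc or
# certutil -resubmit <RequestId>); certreq -retrieve <RequestId> .\web01.cer then fetches
# the certificate and certreq -accept .\web01.cer installs it with its private key.
```

The KeyUsage line is what distinguishes a signature-only template (0x80) from a signature-and-encryption one (0xA0) or an encryption-only one such as EFS (0x20), and the [EnhancedKeyUsageExtension] section carries the purposes from the last column. Before approving a pending request on the CA, compare the certutil -dump output against the table row the requester claims to need; a request that asks for Certificate Request Agent, Code Signing or a CA Basic Constraints is exactly the kind that a template-driven enterprise CA would have refused automatically.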
There are several templates that have additional extensions. These will be covered in a different article.
  • CA Exchange
  • Cross Certification Authority
  • Directory Email Replication
  • Domain Controller Authentication
  • Kerberos Authentication
  • Key Recovery Agent
  • OCSP Response Signing
  • RAS and IAS Server
  • Workstation Authentication