Best practices for… chkdsk

The longer I work, the more I’m aware of a simple fact: even the most routine and mundane thing, technology or tool can have something to learn about it. Like you never know what a cake is made from unless you try to make it yourself =)

The same can be said about, say, chkdsk. What do you think: do you need to know anything more about chkdsk than its command line switches? Ok, if you don’t have an inquiring mind then probably not. But probably you just don’t know what impact it can have on your environment. For example, let’s imagine quite a usual situation: your fileserver has been growing with the company until you finally got your own very special SLA for it. This SLA was negotiated with IT and everyone took into account practically everything:

– time of recovery for any subset of the information (some bits are required ASAP, while others can wait some time)

– time required to recover broken equipment

– and so on and so forth.

But one pretty good day your volume (which stores about 500M small files) was marked as “dirty” and went into chkdsk after reboot… Had you incorporated these 99 hours (!!!) of downtime into your SLA? I hadn’t =(

Fortunately, I still have some time to think about it, even more so because I haven’t yet run into the situation, and now, after reading the document named “NTFS Chkdsk Best Practices and Performance”, I have some ideas for my future SLAs Winking smile

BTW, in Server 2012 there will be some big improvements over the issues described. Read and prepare yourself.
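As an added check (my code, not from the original post or the document it cites): list the fixed NTFS volumes whose dirty bit is set, so a boot-time chkdsk on a huge volume is at least seen coming before a planned reboot. Get-DirtyNtfsVolume is a name I made up; it assumes an elevated session and fsutil’s English output.

```powershell
# Added example, not from the original post: report fixed NTFS volumes whose
# "dirty" bit is set, i.e. the ones that would run chkdsk at the next reboot.
# Assumes an elevated PowerShell session (fsutil requires it) and that fsutil
# prints the English strings "is Dirty" / "is NOT Dirty".
function Get-DirtyNtfsVolume {
    $volumes = Get-WmiObject -Class Win32_Volume |
        Where-Object { $_.DriveType -eq 3 -and $_.FileSystem -eq "NTFS" -and $_.DriveLetter }
    foreach ($vol in $volumes) {
        $out = & fsutil.exe dirty query $vol.DriveLetter 2>&1 | Out-String
        $isDirty = if ($out -match "is NOT Dirty") { $false }
                   elseif ($out -match "is Dirty") { $true }
                   else { $null }   # fsutil failed (not elevated, access denied, ...)
        [pscustomobject]@{
            Volume  = $vol.DriveLetter
            Label   = $vol.Label
            SizeGB  = [math]::Round($vol.Capacity / 1GB, 1)
            IsDirty = $isDirty
        }
    }
}

# Run before a planned reboot of a file server: anything listed here is a
# chkdsk pass that is not in your SLA. $null rows mean the query itself failed.
Get-DirtyNtfsVolume | Where-Object { $_.IsDirty -ne $false } | Format-Table -AutoSize
```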

Creating your own troubleshooting pack


Take notice: My new feed address is now Please re-subscribe.

As I wrote in one of my blogs, you can not only tell your user exactly which troubleshooting pack to run, you can also create one of your own. Finally I decided to learn how and to tell you. I was pretty sure creating those was very hard. But I was plain wrong: it’s easy. Moreover, it’s fun, because creating one brings together all the components of a geek’s fun:

1) Use GUI

2) Use scripting

3) Run the automation and see the result!

So, let’s begin.

Unfortunately, you cannot just create a pack with Notepad. Well, probably there is a method, but I believe it is far less convenient than the following. First of all you need to download and install the Windows 7 SDK. I, honestly, don’t know which component exactly contains the feature we are going to use, so you can find that out yourself, or just follow me and not care about it. After installation you’ll have a menu entry for Troubleshooting Pack Designer:


You only need to decide what problem you’re going to solve with the pack. In my example, I’m going to automatically detect and fix one simple yet annoying defect: my Dell notebook sometimes cannot detect the network speed while on a docking station. Disabling and re-enabling the interface is one of the workarounds, which I don’t really hate, but which I’d like to automate. (Ok, I know that just a two-line script would be enough, but then I wouldn’t have had a simple enough scenario to show you Winking smile) So, I launch the designer:


and create a new project:



(take notice of the “Privacy URL” field: it is mandatory) Everything else is pretty straightforward from now on. Add a new root cause (you can add several of them). In my case it is “A Network is detected 10Mbps instead of 100”:


and hit the “Design Troubleshooter” button. You’ll be presented with several settings. Troubleshooter: whether to run it elevated and whether it interacts with the user. In my case I set both to No:


Then configure a resolver in the same way:


Surely we want our tool to check whether the actions taken have fixed all the problems, therefore we need to configure a verifier:


And finally, create and input the scripts for them.


# TroubleshooterScript - This script checks for the presence of a root cause
# Key Cmdlets:
# - update-diagrootcause flags the status of a root cause and can be used to pass parameters
# - get-diaginput invokes an interaction and returns the response
# - write-diagprogress displays a progress string to the user

$RootCauseID = "NetIs10"

# Your detection logic here
# Note: the adapter property name was lost from the original listing;
# $_.Name is assumed here (the adapter is matched on its name).
$speed = (Get-WmiObject -Class Win32_NetworkAdapter | Where-Object { $_.Speed -ne $null -and $_.MACAddress -ne $null -and $_.Name -like "*82567lm*" }).Speed

# Default to "not detected" so update-diagrootcause always receives a boolean
$RootCauseDetected = $false
if ($speed -ne 100000000)
{
    $RootCauseDetected = $true
    # Replace "$true" with the result of your detection logic
}

# The following line notifies Windows Troubleshooting Platform of the status of this root cause
update-diagrootcause -id $RootCauseID -detected $RootCauseDetected

It’s a very primitive script, which just checks if the network interface has a speed of 100Mbps. Resolver:

# Resolver Script - This script fixes the root cause. It only runs if the Troubleshooter detects the root cause.
# Key cmdlets:
# - get-diaginput invokes an interaction and returns the response
# - write-diagprogress displays a progress string to the user

# Your logic to fix the root cause here
# Note: as in the troubleshooter, $_.Name is assumed for the property name lost from the original listing.
$network = Get-WMIObject Win32_NetworkAdapter | where { $_.Name -like "*82567lm*" }

# The method calls around Start-Sleep were lost from the original listing; Disable()
# and Enable() are the Win32_NetworkAdapter WMI methods that re-enable the interface
# as the post describes.
$network.Disable() | Out-Null
Start-Sleep 4
$network.Enable() | Out-Null


An even simpler script: it just re-enables the interface.

Now just compile the pack (some questions about certificates arise; you can use a test self-signed certificate or configure a proper one in the options) and use it.
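The verifier script the post configures but does not list, as an added example (my code, not from the original post or the Designer’s template): it reuses the post’s root cause ID and adapter filter, assumes $_.Name as the adapter property, and, unlike the troubleshooter above, treats a missing adapter (notebook not docked) as “not detected” so the pack does not keep resolving a problem it cannot see.

```powershell
# Verifier script for the "NetIs10" root cause, added as an example; not from
# the original post. It runs after the resolver and tells the Troubleshooting
# Platform whether the root cause is still present.
# Assumptions: the post's adapter filter ("*82567lm*" matched against the
# adapter Name) and the expected link speed of 100 Mbit/s.
$RootCauseID   = "NetIs10"
$AdapterFilter = "*82567lm*"
$ExpectedSpeed = 100000000   # 100 Mbit/s, same value as the troubleshooter uses

function Get-DockAdapterSpeed {
    param([string]$Filter)
    # Only adapters that report a speed and have a MAC address count;
    # an undocked notebook simply has no matching adapter.
    $adapter = Get-WmiObject -Class Win32_NetworkAdapter |
        Where-Object { $_.Speed -ne $null -and $_.MACAddress -ne $null -and $_.Name -like $Filter } |
        Select-Object -First 1
    if ($adapter -eq $null) { return $null }
    return [uint64]$adapter.Speed
}

Write-DiagProgress -Activity "Verifying link speed" -Status "Querying network adapter"

$speed = Get-DockAdapterSpeed -Filter $AdapterFilter

if ($speed -eq $null) {
    # No matching adapter: nothing to verify. Reporting "not detected" here
    # stops the pack from looping between resolver and verifier.
    $RootCauseDetected = $false
} else {
    # Still detected only if the link is not at the expected speed
    $RootCauseDetected = ($speed -ne $ExpectedSpeed)
}

Update-DiagRootCause -Id $RootCauseID -Detected $RootCauseDetected
```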


Well, at least for me it was a great experience with a good outcome: I now have an instrument to check and fix everything =)

Blog wrap-up


It seems like I haven’t written any wrap-ups for my blog for at least a year. Unfortunately, there wasn’t much to wrap into it. Now, as I have returned to blogging, I’ll just do the thing for the year Winking smile

  • LCDS: Create your own curriculum

    The easiest way so far to create a good looking redistributable, or publishable course from your materials.

  • %systemroot%\System32 secrets: defrag

    The continuation of the series. Defragmentation lost its fancy GUI, so why use it?

  • Network trace without NetMon, WireShark, etc…
  • Network trace without NetMon, wireShark, etc… Part 2

    Two parts of the article which tell you it is possible to collect tons of network related info, and even a network trace, with only two commands.

  • News and freebies

    No comments.

  • Speaking…

    Last year I was speaking at the first Russian TechEd. The results were quite average, but then… I met Tom Shinder and he interviewed me Winking smile

  • Heads-UP DST Cancellation in Russia and some other countries

    We had changes in DST policy, that is, we don’t have it now. So we had all kinds of problems due to it and several quite lively weeks.

  • TechEd is over

    My micro report about the event.

  • Where’s mah mail, dude?! (meme edition)

    The tale about storing mail in your deleted items folder Winking smile

  • Lync and fortunes

    Probably my most used script. I run it every day =)

  • #RuTeched: the results

    As I have just said, my performance as a speaker was but average. Now I know what to improve for the next occasion.

  • MVP, one more time!

    A bit late, but I managed to write about my next award.

  • Yep, I’m paranoid. The question is am I paranoid enough…

    Google-free. I will be such soon.

  • MS SIR #12

    Overview of most interesting stuff from MS Security Intelligence Report.

  • Freebies: books

    No comments

  • Trustworthy computing: non-SDL view
  • Trustworthy computing: non-SDL view. Part 2: non-corporate.

    TC is great. Now it is time to make another step.

  • Myths #2: PKI edition.

    Be careful while planning your security. Some obvious things aren’t correct.

  • Looking for a GP object?

    How to find your GPO

  • Want to learn about cryptography? I know where.

    Since, subjectively, I now have more time, I signed up for the cryptography course of Stanford University. It’s fun! Jump in! =)

Want to learn about cryptography? I know where.

Do you have some spare time and want to know how cryptography works? What is the most secure cipher? And why λ is always more than ε… Well, the latter is not true =)
Anyhow, there is a place where you can learn more about cryptography for free. Stanford University provides such a course for free at I’m at the second week now, and have already tampered with one cipher text and know how to decrypt another (it’s not that tricky, but very time consuming).

So welcome to the world of knowledge Winking smile

Looking for a GP object?

Well, some time ago I wrote about finding the exact setting in your group policy editor, which is, certainly, quite useful. But that is vital when you try to create a new GPO or find a value in one particular existing GPO. But what if you want to look at the GPOs in your environment which contain settings from some area? Since the age of Server 2003 there is an answer. Not the ideal one, but still, it is better than nothing.

So, you need to find which of your GPOs have settings related to security? Let’s find out:

1) Start the GPMC console and right click on the domain you want to look through:

After clicking on “Search…” you’ll get the search interface:

Say, we are looking for security settings in the computer part of the GPOs. Ok, here we go, just add this to the search criteria:

And hit the search button:

As you can see, there are two GPOs in the domain (those are the default ones) which contain security settings.

Wonderful! Or is it? Well, as I said, it is better than nothing, but not everything you’d like to see. What can be improved? For example, I’d like to search for the GPOs under any OU, not only from the root of the domain. Next, it’d be great to have the ability to look for the name of a particular setting. Any ideas from you, my readers?
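One answer to both wishes, as an added example (my code, not from the original post): the GroupPolicy PowerShell module lists every GPO in the domain wherever it is linked, and its XML report can be searched for a setting name. Find-GpoBySetting is a name I made up; it assumes the GroupPolicy module (RSAT or Server 2008 R2 and later), read access to all GPOs, and the element names used in the GPO XML report as I know them.

```powershell
# Added example, not from the original post: search every GPO in the domain
# (not only those linked at the domain root) for a regex matched against the
# XML report of its Computer or User section, and show where each is linked.
# Assumes the GroupPolicy module and the GPO report XML layout (GPO/Computer,
# GPO/User, GPO/LinksTo/SOMPath) as I know them.
Import-Module GroupPolicy

function Find-GpoBySetting {
    param([Parameter(Mandatory)][string]$Pattern)   # regex tested against the report XML
    foreach ($gpo in Get-GPO -All) {
        # One XML report per GPO, covering both Computer and User configuration
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # Every OU/domain/site the GPO is linked to; empty for unlinked GPOs
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join "; "
        foreach ($section in "Computer", "User") {
            $node = $report.GPO.$section
            if ($node -ne $null -and $node.InnerXml -match $Pattern) {
                [pscustomobject]@{
                    Name     = $gpo.DisplayName
                    Section  = $section
                    LinkedTo = $links
                }
            }
        }
    }
}

# Same question as the GPMC search above: which GPOs carry security settings?
# (the security extension is typed SecuritySettings in the report XML)
Find-GpoBySetting -Pattern 'SecuritySettings' | Format-Table -AutoSize

# And the wish from the post: a particular setting by name, e.g. the account
# lockout threshold (constructed example pattern)
Find-GpoBySetting -Pattern 'LockoutBadCount' | Format-Table -AutoSize
```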

Myths #2: PKI edition.

BTW, did you know what certificate template options like “Allow private key to be exported” or “Prompt the user during enrollment and require user input when the private key is used” really do? Do they make you more secure or not?

Certainly, some people who read my blog do know the answer, others have already guessed it: no. They don’t enforce any behavior on a client: they just communicate the features requested by the CA.

A good example of it was Windows 2003: while you weren’t able to export the certificate through the GUI, you could do this with… some certificates. Furthermore, in Windows 2008 R2 (or Windows 7, as it goes) even some GUI instruments can export such a key. So you cannot restrict your users from exporting and moving the certificate.

Be careful and take care to think whether you can trust what you see

Trustworthy computing: non-SDL view. Part 2: non-corporate.


Do you think my latest post was about corporate products because only corporate products are subject to not being designed to be secure in deployment? No, consumer ones are built the same way. Take the famous story about Windows Live Mail and Live Mail’s SSL. Until the recent changes you weren’t able to use both of them. Either you exposed your communication by not using SSL, or you couldn’t use the convenient client. I was very glad to receive the ability to use them both.

To sum up: we have excellent products, which in most cases aren’t exploitable through their functions. Still, those products don’t have all the abilities necessary to be incorporated into a strict environment. Some things are being changed, some not, but there are still many opportunities to do it before I or any other user discovers the problems in our own network.

I’m glad that Microsoft is on a steady way to improve those things, but I want them to do some of these things prior to RTM. Do you remember any cases similar to what I described in these two blogs?

Trustworthy computing: non-SDL view

Well, finally it is my time to scold Microsoft. I’m not a fan of this type of self-promotion, still I believe that the only way to move forward is to receive, process and answer some constructive criticism. So let’s begin:
Several years ago Microsoft announced its widely-known Trustworthy Computing initiative (actually they just celebrated its 10 years). I probably don’t have to remind you of the goals and means of the initiative; they can all be found without any problems. Anyway, this letter doesn’t pretend to be some kind of thorough analysis after which I will exclaim “MS lies!” On the contrary, it is more about just trying to show that, in my humble opinion, something in the current approach to security can be improved.
I am an IT Pro with 10+ years of experience, and this fact definitely affects how I see the World, security and Microsoft’s products regarding both of them. My recent impression of Trustworthy Computing is like this:
“SDL! SDL this! SDL that! SDL is everything and everywhere!”
Don’t get me wrong, SDL is great even from the perspective of a systems administrator who almost cannot write code. Seriously, I have the feeling that Microsoft’s code itself has become much more secure over the past years. Most of the recent vulnerabilities need me to turn off some safeguards (like DEP or UAC) or to not configure any of them in an extremely hazardous environment (not turning off the Server service on an Internet-facing computer). As a consequence I feel much safer with the products I use than, say, 10 years ago. Still there are some features of recent developments that make me believe that the current SDL lacks something vital. One may ask “what exactly do you mean?” Well, it is testing in environments which are built according to security best practices, and creating not only code which is not vulnerable, but also code which provides features to implement the controls recommended by the best practices and can deliver these features without failing. Everything, literally everything starting with smart card authentication and finishing with separation of duties or delegation of access has to be incorporated into the products to build a somewhat secure environment. You cannot feel secure if those who make your backups are able to restore them and configure the way they are being created, or if you have to give SQL farm administrator permissions to someone who is to do some basic job. During the past several years I have been witnessing some events which made me think that those matters haven’t been in focus for some PGs for at least several years, if not at all. So as not to be accused of making this up, I’ll give you some examples from my own experience and observations.
1) When MS SharePoint Server 2007 was just released, we tried to install it in the company I worked for. Our policies required the use of Constrained Kerberos Delegation, publishing of any web application through ISA Server SSL bridging and all that stuff, including smart card authentication. Sound requirements, aren’t they? Unfortunately, the product obviously wasn’t tested with such constraints. We ran into multiple problems, which were solved over the course of several MS Support cases. Fortunately all of them were a success. At the very least we received workarounds. For example, indexing didn’t work on the SSL site, and if you first created the SSL site on port 443 and then extended it to port 80 (which was to be crawled by MOSS), then indexing worked fine, but search didn’t return results. The correct sequence was to install the site on port 80 and then extend it to 443. Not a big deal, one may say, but this could have been detected by automatic testing in the relevant environment (BTW, this behavior was said to be by design and was fixed in the following SPs 😉 ).
2) The second case, which is relatively close to SharePoint, is from the people who created WebDAV. The technology is very useful, though it was, again, never tested in a secure environment. Publish it through the ISA Server, require users to use their smart cards to get access to the WebDAV resource and… voila! There are your problems.
3) Smart card support really seems to be the weak point for the developers. We absolutely love to use Microsoft’s UC products: Exchange and OCS/Lync. But can you use Outlook and Communicator to authenticate by certificate? Hell, no! Build a VPN channel (or DA), and then use it if you want secure communications.
4) Data Protection Manager. It is our beloved one. Being as simple yet powerful as it is, it is just charming. Still, three major releases later we didn’t have any separation of duties. If I am a local administrator I can back up, restore and configure everything. If I am not a local administrator, I can do almost nothing. There are some valuable exceptions, but not all we need. The latest release has RBAC in it as was promised by the PG, still, 5 years without it sucked.
5) A problem with SQL Server. In order to get a highly available solution some can use SQL Server Mirroring technology. It is great and has really saved our applications many times. But when we stepped over the boundary where we had to implement RBAC for administrative tasks, we ran into the following problem. Running ALTER DATABASE for any database which is in recovery mode while having permissions lesser than administrator causes the process to crash and dump itself into a file by default. The operation described above is very often used with a mirrored database, for example to mirror it. Again the bug was admitted, but we were proposed using the administrator’s permissions for the job as a workaround. The bug will be fixed in the next release, they said. This bug can be costly, at least it is for us (BTW, technically it can cause a DoS of the SQL Server, as dumps can be very large and be created very fast).
All the bugs above could have been found by testing against an environment built in accordance with the security best practices. Those features which are just absent (not bugs) could have been introduced much earlier if someone had really thought of secure deployment for them. Unfortunately all the examples above show that the job hasn’t been done. I would like to think that those are only individual mistakes, but if only one man (me) ran into so many of them, then I am afraid they are just the consequence of the lack of integrity in the PGs’ approach to trustworthy computing.

Freebies: books


A couple of books I believe are worth at least stealing a look at. Free books, of course.

1) The book has been advertised in almost every Windows-related blog for several days. I believe that you couldn’t have missed it, but just in case you haven’t read about it I give you the link. Introducing Windows Server 2012 is quite small and cannot cover all I would want to know, but it is named “Introducing…”. It’s definitely the place to start if you haven’t been tracking news all over the internet. You can get it in four different formats: 3 to download and a paper version.
2) Security and Privacy for Microsoft Office 2010 Users. An easy-to-read book about security and privacy. It is unlikely to teach anyone who is not already concerned with those matters, but if users read it, it would make security professionals a bit less tired and less paid Winking smile

MS SIR #12

Okay, better late than never. I finally got to the latest Microsoft Security Intelligence Report. While usually there is not much unexpected, this time I was almost shocked by the first section of the document. And I believe it’s excusable, because it is named…

How Conficker CONTINUES to propagate.

Conficker! The three-year-old malware! CONTINUES to be a THREAT! Are we going nuts? =)

60% of people who could have got it (if not for antivirus) have weak admin passwords. Also 17 to 42% (XP only) have the vulnerability which is used by the worm. Three years after the patch was issued…

This is a crazy world, guys =)

Everything else in the report is not half as thrilling as this:

1) HTML/JavaScript exploits are on the rise

2) It seems like document exploiting steadily grows too. Probably sooner or later we’ll see some book reader exploited Winking smile

3) SPAM seems to decline in quantity (at least in this report =) ). What came as a surprise for me is the fact that the #1 contributor to the spam flow were emails advertising non-sexual pharmacy. Probably I wasn’t interested in that section while reading previous reports. Still, it’s very refreshing to find that health is a more reliable way to earn money than “enlarging someone’s manhood” =)

4) No surprise in the fact that most successful malware needs user action to be installed. But Conficker is #6… Like I said, a shocking discovery =(