Log Files Required for Troubleshooting the Windows 7 Installation

Often we are unable to install the OS on a fresh computer: we try again and again with no luck, and we don't know what to do next, how to dig into the issue, or where to find the logs.
The key to solving these failures is identifying where you are in the installation process when the failure occurs. Because you are creating a new installation, the hard drive is not available initially, so Windows Setup writes logs into memory, specifically in a Windows PE session (X:\Windows). Once the hard drive has been formatted and is ready to use, Setup continues logging directly onto the new hard drive (C:\Windows). Log files created during the Windows PE session are temporary.


Windows Setup Scenario




When a failure occurs in Windows Setup, review the entries in the Setuperr.log file, then the Setupact.log file, and then other log files as appropriate.

Log file: Setupact.log
Description: Primary log file for most errors that occur during the Windows installation process. There are several instances of the Setupact.log file, depending on what point in the installation process the failure occurs. It is important to know which version of the Setupact.log file to look at, based on the phase you are in.
Location:
    Setup (specialize): X:\Windows\panther
    Setup (OOBE), LogonUI, OEM First Run: %windir%\panther
    Windows Welcome (OOBE): %windir%\panther\unattendGC

Log file: Setuperr.log
Description: High-level list of errors that occurred during the specialize phase of Setup. The Setuperr.log file does not provide any specific details.
Location:
    Setup (specialize): %windir%\panther
    Setup (OOBE), LogonUI, OEM First Run: %windir%\panther

Log file: Setupapi.offline.log
Description: Driver failures during the Component Specialization sub-phase of the Setup specialize phase.
Location: %windir%\inf

Log file: Cbs_unattend.log
Description: Unattended-setup servicing failures.
Location: %windir%\panther

Log file: Setupapi.dev.log
Description: Driver failures during the oobe phase of Setup.
Location: %windir%\inf

Log file: Sessions.xml
Description: An XML-based transaction log file that tracks all servicing activity, based on session id, client, status, tasks, and actions. If necessary, the Sessions.log file will point to the DISM.log and CBS.log files for more details.
Location: %windir%\servicing\sessions

Log file: CBS.log
Description: Servicing log file that provides more details about offline-servicing failures.
Location: %windir%\Panther
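
The review order described above (Setuperr.log first, then Setupact.log, then the other logs) can be scripted. The following PowerShell is an added example, not part of the original article or of Technet; the $WinDir variable, the line patterns and the "last 10 hits" limit are assumptions to adjust for your logs.

```powershell
# Added example: scan the Setup logs in the review order given in the text.
# Assumptions: Panther/CBS entries start "YYYY-MM-DD HH:MM:SS, <Level>" and
# SetupAPI logs prefix error lines with "!!!"; adjust the patterns if not.
$WinDir   = $env:windir   # or the Windows folder of an offline disk, e.g. D:\Windows
$panther  = '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}, (Error|Warning)'
$setupapi = '^\s*!!!'

# Ordered list: high-level errors first, then the detailed logs.
$logs = @(
    @{ Path = "$WinDir\panther\Setuperr.log";            Pattern = $panther  },
    @{ Path = "$WinDir\panther\Setupact.log";            Pattern = $panther  },
    @{ Path = "$WinDir\panther\unattendGC\Setupact.log"; Pattern = $panther  },
    @{ Path = "$WinDir\inf\Setupapi.offline.log";        Pattern = $setupapi },
    @{ Path = "$WinDir\panther\Cbs_unattend.log";        Pattern = $panther  },
    @{ Path = "$WinDir\inf\Setupapi.dev.log";            Pattern = $setupapi }
)

foreach ($log in $logs) {
    if (-not (Test-Path -Path $log.Path)) {
        # A missing log tells you Setup never reached the phase that writes it.
        "[missing] $($log.Path)"
        continue
    }
    $hits = @(Select-String -Path $log.Path -Pattern $log.Pattern)
    "[found]   {0}  ({1} matching lines)" -f $log.Path, $hits.Count

    # The failure is usually near the end of the log, so show the last hits.
    $hits | Select-Object -Last 10 | ForEach-Object {
        "    {0,7}: {1}" -f $_.LineNumber, $_.Line
    }
}
```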



OOBE - The out-of-box experience is the first impression a user has of a product when opening its packaging and taking it into use. For software, it is the "Welcome Screen" or "Initial Configuration" wizard screens that simplify an otherwise elaborate set-up of the software.
As an example, the process of installing Microsoft Windows is OOBE. Whatever steps we perform during installation fall under OOBE: acknowledging the software license terms, specifying the partition on which to install the OS, entering the "product key", etc.


Note: Information is gathered from Technet.

Page Fault

A page fault occurs when a process requests a page in memory but the system can't find it in memory. The system page fault handler then attempts to resolve the page fault.

Types of Page Fault

  • Hard Page Fault – If the requested page has to be retrieved from disk, the fault is called a hard page fault.

  • Soft Page Fault – If the requested page is found elsewhere in memory, the fault is called a soft page fault.

*Most processors can handle large numbers of soft faults without significant consequence. However, hard faults can cause delays because they require disk access.

The counters given below can be used to identify page faults.

Page Faults/sec - The combined rate of hard page faults and soft page faults. This counter shows how many times a page fault occurs. The page must be retrieved either from another location in memory or from the pagefile.


Hard Page Fault Counter
·         Page Reads/sec – Indicates how often the system is reading from disk because of hard page faults, that is, the number of disk reads done to satisfy page faults. The number of pages read each time the system goes to disk may vary, but a sustained value of over 5 is a strong indicator of a memory problem. This counter is the best indicator of a memory shortage.
·         Pages Input/sec - Pages read from disk to resolve hard page faults. We can compare this counter with the Page Faults/sec counter to determine the percentage of page faults that are hard page faults.
·         Pages/sec - Pages read from or written to disk to resolve hard page faults.

In short, a high number of hard page faults may indicate that you need to increase the amount of memory or reduce the cache size on the server.

Soft Page Fault Counter

  • Transition Faults/sec - page faults were resolved by recovering pages without additional disk activity, including pages that were being used by another process sharing the page.
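
The counters above can be sampled from PowerShell with Get-Counter. This is an added example, not part of the original post: it compares Pages Input/sec with Page Faults/sec to estimate the hard-fault percentage and checks Page Reads/sec against the threshold of 5 mentioned above. The English counter names, the 30-second window and treating "sustained" as "every sample above 5" are assumptions.

```powershell
# Added example. Counter names are the English ones used in the text;
# the 30 x 1 s sampling window is an assumption.
$names = 'Page Faults/sec', 'Pages Input/sec', 'Page Reads/sec', 'Transition Faults/sec'
$paths = $names | ForEach-Object { "\Memory\$_" }
$data  = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples 30

# Collect average / minimum / maximum per counter over the whole window.
$stats = @{}
foreach ($name in $names) {
    $stats[$name] = $data | ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.Path -like "*\$name" } |
        Measure-Object -Property CookedValue -Average -Minimum -Maximum
}

"{0,-22} {1,10} {2,10} {3,10}" -f 'Counter', 'Avg', 'Min', 'Max'
foreach ($name in $names) {
    "{0,-22} {1,10:N1} {2,10:N1} {3,10:N1}" -f $name,
        $stats[$name].Average, $stats[$name].Minimum, $stats[$name].Maximum
}

# Pages Input/sec counts pages, not faults, so this is an estimate:
# one hard fault can bring in more than one page.
$faults  = $stats['Page Faults/sec'].Average
$hardPct = if ($faults -gt 0) {
    100 * $stats['Pages Input/sec'].Average / $faults
} else { 0 }
"Hard faults as share of all page faults (estimate): {0:N1}%" -f $hardPct

# "Sustained" is taken here to mean every sample in the window exceeded 5.
if ($stats['Page Reads/sec'].Minimum -gt 5) {
    'Page Reads/sec stayed above 5 for the whole window: likely memory shortage.'
} else {
    'Page Reads/sec did not stay above 5 for the whole window.'
}
```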

WMIC - Windows Management Instrumentation Command-line

WMIC is a command-line interface to WMI (Windows Management Instrumentation). WMI is an application interface that gives you low-level access to a wide variety of information about systems, both hardware and software. Before WMIC, WMI-based applications (such as SMS), the WMI Scripting API, or tools such as CIM Studio were used to manage WMI-enabled computers, and you needed a grasp of a programming language such as C++ or of scripting. WMIC provides a powerful, user-friendly interface to the WMI namespace. While WMIC is very powerful, it is also barely documented.


How to Run WMIC?

To invoke the WMIC command prompt, type
wmic

The following global switches are available:

 

/NAMESPACE    Path for the namespace the alias operate against.
/ROLE         Path for the role containing the alias definitions.
/NODE         Servers the alias will operate against.
/IMPLEVEL     Client impersonation level.
/AUTHLEVEL    Client authentication level.
/LOCALE       Language id the client should use.
/PRIVILEGES   Enable or disable all privileges.
/TRACE        Outputs debugging information to stderr.
/RECORD       Logs all input commands and output.
/INTERACTIVE  Sets or resets the interactive mode.
/FAILFAST     Sets or resets the FailFast mode.
/USER         User to be used during the session.
/PASSWORD     Password to be used for session login.
/OUTPUT       Specifies the mode for output redirection.
/APPEND       Specifies the mode for output redirection.
/AGGREGATE    Sets or resets aggregate mode.
/AUTHORITY    Specifies the <authority type> for the connection.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:
ALIAS - Access to the aliases available on the local system
BASEBOARD - Base board (also known as a motherboard or system board) management.
BIOS - Basic input/output services (BIOS) management.
BOOTCONFIG - Boot configuration management.
CDROM - CD-ROM management.
COMPUTERSYSTEM - Computer system management.
CPU - CPU management.
CSPRODUCT - Computer system product information from SMBIOS.
DATAFILE - DataFile Management.
DCOMAPP - DCOM Application management.
DESKTOP - User's Desktop management.
DESKTOPMONITOR - Desktop Monitor management.
DEVICEMEMORYADDRESS - Device memory addresses management.
DISKDRIVE - Physical disk drive management.
DISKQUOTA - Disk space usage for NTFS volumes.
DMACHANNEL - Direct memory access (DMA) channel management.
ENVIRONMENT - System environment settings management.
FSDIR - Filesystem directory entry management.
GROUP - Group account management.
IDECONTROLLER - IDE Controller management.
IRQ - Interrupt request line (IRQ) management.
JOB - Provides  access to the jobs scheduled using the schedule service.
LOADORDER - Management of system services that define execution dependencies.
LOGICALDISK - Local storage device management.
LOGON - LOGON Sessions.
MEMCACHE - Cache memory management.
MEMORYCHIP - Memory chip information.
MEMPHYSICAL - Computer system's physical memory management.
NETCLIENT - Network Client management.
NETLOGIN - Network login information (of a particular user) management.
NETPROTOCOL - Protocols (and their network characteristics) management
NETUSE - Active network connection management.
NIC - Network Interface Controller (NIC) management.
NICCONFIG - Network adapter management.
NTDOMAIN - NT Domain management.
NTEVENT - Entries in the NT Event Log.
NTEVENTLOG - NT eventlog file management.
ONBOARDDEVICE - Management of common adapter devices built into the motherboard (system board)
OS - Installed Operating System/s management.
PAGEFILE - Virtual memory file swapping management.
PAGEFILESET - Page file settings management.
PARTITION - Management of partitioned areas of a physical disk.
PORT - I/O port management.
PORTCONNECTOR - Physical connection ports management.
PRINTER - Printer device management.
PRINTERCONFIG - Printer device configuration management.
PRINTJOB - Print job management.
PROCESS - Process management.
PRODUCT - Installation package task management.
QFE - Quick Fix Engineering.
QUOTASETTING - Setting information for disk quotas on a volume.
RDACCOUNT - Remote Desktop connection permission management.
RDNIC - Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS - Permissions to a specific Remote Desktop connection.
RDTOGGLE - Turning Remote Desktop listener on or off remotely.
RECOVEROS - Information that will be gathered from memory when the operating system fails.
REGISTRY - Computer system registry management.
SCSICONTROLLER - SCSI Controller management.
SERVER - Server information management.
SERVICE - Service application management.
SHADOWCOPY - Shadow copy management.
SHADOWSTORAGE - Shadow copy storage area management.
SHARE - Shared resource management.
SOFTWAREELEMENT - Management of the  elements of a software product installed on a system.
SOFTWAREFEATURE - Management of software product subsets of SoftwareElement.
SOUNDDEV - Sound Device management.
STARTUP - Management of commands that run automatically when users log onto the computer
SYSACCOUNT - System account management.
SYSDRIVER - Management of the system driver for a base service.
SYSTEMENCLOSURE - Physical system enclosure management.
SYSTEMSLOT - Management of physical connection points including ports,  slots and peripheras, and proprietary connections points.
TAPEDRIVE - Tape drive management.
TEMPERATURE - Data management of a temperature sensor (electronic thermometer).
TIMEZONE - Time zone data management.
UPS - Uninterruptible power supply (UPS) management.
USERACCOUNT - User account management.
VOLTAGE - Voltage sensor (electronic voltmeter) data management
VOLUME - Local storage volume management.
VOLUMEQUOTASETTING - Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA - Per user storage volume quota management.
WMISET - WMI service operational parameters management.


 
For more information on a specific alias, type: alias /?
CLASS     - Escapes to full WMI schema.
PATH      - Escapes to full WMI object paths.
CONTEXT   - Displays the state of all the global switches.
QUIT/EXIT - Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?



Examples:

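To get information about the patches installed on the computer:

WMIC qfe

To get information about the software installed on the computer. Note that the PRODUCT alias queries the Win32_Product class, which lists only Windows Installer packages and makes Windows Installer run a consistency check on each of them, so the query is slow.

WMIC product get name

To get information about the users logged on to the system, with the date:

WMIC netlogin get name, lastlogon

To run the same query against a remote computer:

WMIC /node:<computername> netlogin get name, lastlogon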

Boot Process of Windows 2003 Server


BIOS: performs Power On Self Test (POST)
BIOS: loads MBR from the boot device specified/selected by the BIOS





MBR: contains a small amount of code that reads the partition table, the first partition marked as active is determined to be the system volume
MBR: loads the boot sector from the system volume

BOOT SECTOR: reads the root directory of the system volume and loads NTLDR

NTLDR: reads BOOT.INI from the system volume to determine the boot drive. It shows a menu if more than 1 entry is defined

NTLDR: loads and executes NTDETECT.COM from the system volume to perform BIOS hardware detection
NTLDR: loads NTOSKRNL.EXE, HAL.DLL, BOOTVID.DLL (and KDCOM.DLL for XP upwards) from the boot (Windows) volume
NTLDR: loads \WINDOWS\SYSTEM32\CONFIG\SYSTEM which becomes the system hive HKEY_LOCAL_MACHINE\System
NTLDR: loads drivers flagged as "boot" defined in the system hive, then passes control to NTOSKRNL.EXE

NTOSKRNL.EXE: brings up the loading splash screen and initializes the kernel subsystem

NTOSKRNL.EXE: starts the boot-start drivers and then loads & starts the system-start drivers
NTOSKRNL.EXE: creates the Session Manager process (SMSS.EXE)

SMSS.EXE: runs any programs specified in BootExecute (e.g. AUTOCHK, the native API version of CHKDSK)

SMSS.EXE: processes any delayed move/rename operations from hotfixes/service packs replacing in-use system files
SMSS.EXE: initializes the paging file(s) and the remaining registry hives
SMSS.EXE: starts the kernel-mode portion of the Win32 subsystem (WIN32K.SYS)
SMSS.EXE: starts the user-mode portion of the Win32 subsystem (CSRSS.EXE)
SMSS.EXE: starts WINLOGON.EXE

WINLOGON.EXE: starts the Local Security Authority (LSASS.EXE)
WINLOGON.EXE: loads the Graphical User Identification and Authentication DLL (MSGINA.DLL by default)
WINLOGON.EXE: displays the logon window

WINLOGON.EXE: starts the services controller (SERVICES.EXE)
SERVICES.EXE: starts all services marked as automatic

Note: All information was captured from the Internet.

Monitor memory usage with Task Manager



The Task Manager window contains eight panes. The top two panes, CPU Usage and CPU Usage History, show overall processor performance.

The remaining panes deal with memory usage.

·         MEM Usage—Shows the amount of virtual memory your computer is using.
·         Memory Usage History—Tracks the size of your virtual memory over time. As the name suggests, it shows your computer's past usage of virtual memory. It only displays the results; it doesn't actually record them anywhere.
·         Physical Memory Total—The total amount of RAM installed on your computer.
·         Physical Memory Available—The amount of RAM available for CPU processes. This number will never go to zero because the operating system swaps data to the hard disk as the memory fills, also known as paging.
·         Physical Memory System Cache—The amount of RAM being used by the file cache, i.e. space used for open files.
·         Commit Charge Total—Shows the size of virtual memory in use. This is equal to the number shown in MEM Usage.
·         Commit Charge Limit—Shows the size of your paging limit. The paging limit is the maximum size your virtual memory can reach without changes to its configuration.
·         Commit Charge Peak—Shows the highest amount of virtual memory used since you began tracking usage.
·         Kernel Memory Total—The amount of paged and nonpaged memory used by the operating system's kernel.
·         Kernel Memory Paged—The amount of space assigned for swappable pages.
·         Kernel Memory Nonpaged—The amount of RAM dedicated to the operating system's kernel.


Note: Please correct me if I am wrong anywhere. Comments are appreciated.

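Script to Pull Patching Information

' List the Windows Update history of the local computer.
Set objSession = CreateObject("Microsoft.Update.Session")
Set objSearcher = objSession.CreateUpdateSearcher
intHistoryCount = objSearcher.GetTotalHistoryCount

' Nothing to query when the history is empty.
If intHistoryCount = 0 Then
    WScript.Echo "No update history found."
    WScript.Quit
End If

' QueryHistory takes a zero-based start index; starting at 0 includes the newest entry.
Set colHistory = objSearcher.QueryHistory(0, intHistoryCount)
For Each objEntry In colHistory
    WScript.Echo "Date: " & objEntry.Date
    WScript.Echo "Title: " & objEntry.Title
    WScript.Echo "Client application ID: " & objEntry.ClientApplicationID
    WScript.Echo
Next

' The history also records failed and uninstall operations (see objEntry.ResultCode).
If colHistory.Count <> 0 Then
    WScript.Echo "Server has been patched. Total " & colHistory.Count & " patches installed."
    WScript.Echo
End If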

Script to Pull NetBackup Configuration

' Read NetBackup client settings from the registry through the WMI StdRegProv provider.
Const HKEY_CURRENT_USER  = &H80000001
Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
Set oReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")

' Choose registry tree and key path (no trailing backslash, "\Config" is appended below)
hDefKey = HKEY_LOCAL_MACHINE
strKeyPath = "SOFTWARE\Veritas\NetBackup\CurrentVersion"
strSubKeyPath = strKeyPath & "\Config"

oReg.EnumValues hDefKey, strSubKeyPath, arrValueNames, arrTypes

' EnumValues leaves arrValueNames as Null when the key is missing or has no values
If IsArray(arrValueNames) Then
    For i = LBound(arrValueNames) To UBound(arrValueNames)
        strValueName = arrValueNames(i)

        ' Report whether C:\pagefile.sys is in the exclude list
        If strValueName = "Exclude" Then
            oReg.GetMultiStringValue hDefKey, strSubKeyPath, strValueName, arrValues
            If IsArray(arrValues) Then
                For Each strValue In arrValues
                    If UCase(strValue) = UCase("C:\pagefile.sys") Then
                        WScript.Echo strValueName & " = " & strValue
                    End If
                Next
            End If
        End If

        ' List the configured servers
        If strValueName = "Server" Then
            oReg.GetMultiStringValue hDefKey, strSubKeyPath, strValueName, arrValues
            WScript.Echo "------------"
            WScript.Echo "SERVERS LIST"
            WScript.Echo "------------"
            If IsArray(arrValues) Then
                For Each strValue In arrValues
                    WScript.Echo strValue
                Next
            End If
        End If
    Next
End If

' Master server, stored under the current user's hive
hDefKey = HKEY_CURRENT_USER
strKeyPath = "SOFTWARE\VERITAS\NetBackup\NetBackup Client\prodsupport"
strSubKeyPath = strKeyPath & "\Settings"
strValueName = "DefaultServerName"
oReg.GetStringValue hDefKey, strSubKeyPath, strValueName, strValue
WScript.Echo "------------"
WScript.Echo "Master Server = " & strValue