Monday, November 10, 2008

UltraEdit files do not show in tabs even when set for it

Every now and then my File Tabs in UltraEdit disappear. I think it only happens after a hard reboot or crash of my computer. But as it happens often, I save the very simple solution here, easy for me to find later!

Beware: simply enabling "View -> Views/Lists -> Open File Tabs" from the menu does not help. It is already enabled, and still no file tabs are shown!

So it turns out that all you have to do is delete this section from uedit32.ini:

[ToolBarState1-v110-Bar17]
BarID=59423
Horz=1
Floating=1
XPos=4
YPos=992
Bars=3
Bar#0=0
Bar#1=143
Bar#2=0


You can remove more of the [ToolBarState1-...] sections if you want, but you will have to fix your toolbars afterwards.

The location of uedit32.ini can be changed, which is a nice feature that lets you keep your own private .ini file. Simply using the Documents and Settings location ("C:\Documents and Settings\USERNAME\Application Data\IDMComp\UltraEdit\uedit32.INI") is better than the Windows system directory.

Friday, June 13, 2008

Commands from cmd do not set errorlevel as you might expect!

It might not be a surprise to you, but Windows commands inside cmd.exe do not change errorlevel as you might expect.

For example, running echo something > c:\somefile.txt succeeds and actually creates the file, but does not change errorlevel to 0. You can test it like this:

md 2>nul
echo %errorlevel%
1
echo this.works > c:\test.txt
echo %errorlevel%
1
type c:\test.txt
this.works

This cannot really be worked around with cmd /c echo either, because that always succeeds, even when the redirection fails. For example:

md 2>nul
echo %errorlevel%
1
cmd /c echo this.works > c:\test.txt
echo %errorlevel%
0
type c:\test.txt
this.works
cmd /c echo this.fails > drivedoesnotexist:\test.txt
The filename, directory name, or volume label syntax is incorrect.
echo %errorlevel%
0


And now, testing whether copy file1 + file2 into file3 gives errorlevel 1 if one of the source files does not exist. Errorlevel 1 is what you might expect, but that is not the case here:

echo 1 > 1.txt
rm 2.txt
echo 3 > 3.txt
ls -la 2.txt
ls: File or directory "2.txt" is not found
copy /b 1.txt + 2.txt + 3.txt 123.txt
1.txt
3.txt
1 file(s) copied.
echo %errorlevel%
0

This is not what I expected, and I want to find a way around it.

There is probably the same problem with other cmd commands; I did not try others.

Maybe I am doing something the wrong way in my environment and installation ... need to investigate :-)

I have not been able to find anything in the cmd command line reference, and it does not seem solvable by putting everything into a batch script instead of running the commands one by one. I had hoped it would be, because of this text about setlocal ENABLEEXTENSIONS, which can be set in a script but has no effect on the command prompt:

cmd does not set the ERRORLEVEL variable when command extensions are
disabled

But unfortunately it did not work. Here is the run.cmd script I ran:

setlocal ENABLEEXTENSIONS
echo 1 > c:\1.txt
rm c:\2.txt
echo 3 > c:\3.txt
copy /b c:\1.txt + c:\2.txt + c:\3.txt c:\123.txt
echo %errorlevel%
endlocal

The above echo'd 0 and the errorlevel after the script is 0. So not a solution!

I still keep investigating :-)

Oh yeah - in case you ever wondered, you should never set the errorlevel variable manually to 0 or 1 or whatever you need. Instead you should always use a command for that. I am using "ver" to get errorlevel 0 and "md;2>nul" to get errorlevel set to 1, which I found on one of my favorite batch example webpages.
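Since COPY /B a + b + c reports "1 file(s) copied" and leaves ERRORLEVEL at 0 when one of the sources is missing, the check has to happen before COPY runs. The script below is an added example, not from the original post: it verifies every source with "if not exist", uses exit /b to hand a real exit code back to the caller (rather than assigning ERRORLEVEL), and lets || catch a COPY that does fail, such as an unwritable target. The file names are the ones from the post's run.cmd.

```batch
@echo off
rem Added example, not from the original post: concatenate three files but
rem return a non-zero ERRORLEVEL when a source file is missing.
setlocal ENABLEEXTENSIONS
set "TARGET=c:\123.txt"
set "MISSING="

rem Check every source; remember the failure instead of stopping at the
rem first one so that the output names every missing file.
for %%F in (c:\1.txt c:\2.txt c:\3.txt) do (
    if not exist "%%~F" (
        echo Missing source file: %%~F
        set "MISSING=1"
    )
)

if defined MISSING (
    echo Not writing %TARGET%
    rem exit /b sets ERRORLEVEL for the caller without touching the variable
    exit /b 1
)

rem The || branch fires when COPY itself fails, e.g. an invalid target path
copy /b c:\1.txt + c:\2.txt + c:\3.txt "%TARGET%" >nul || exit /b 2
echo Concatenated into %TARGET%
exit /b 0
```

Run it as "call concat.cmd & echo %errorlevel%" from the prompt: 0 means all sources were present and the copy succeeded, 1 means a source was missing, 2 means COPY itself failed.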

Tuesday, May 20, 2008

Dig into the Active Directory information store

I never needed to automate user and group creation/deletion/changes in Active Directory on Windows. I have, however, needed to query lists of users and groups, membership and such. That was solved by some VBScripts.

A few days ago I needed to show the list of computers in an Organizational Unit (OU), so I searched for ways to get that. I bumped into the Microsoft dstools (dsget/dsquery/....) and they are just perfect for automating Directory Service stuff.

The commands work from a Windows 2003 server, but not from XP.

I also needed an intro to Directory Services, because I haven't used it much, and then moved on to a good, simple dsquery tutorial.

Then I could make some quick one-liners, starting with a very comprehensive query that is highly educational about how the directory under Level2OU is built:
dsquery * OU=Level2OU,OU=Level1OU,DC=domain,DC=domainext -limit 0 -attr *

Listing the members of a Windows group:

dsget group "CN=somegrp,OU=level2,OU=level1,DC=domain,DC=domainext" -members -expand

Show the computers of an OU:

dsquery computer OU=Level3OU,OU=Level2OU,OU=Level1OU,DC=domain,DC=domainext -limit 0

To automate the query, I have used psexec to run it on a remote server, with a user that has access to do queries:

psexec \\srv -u dom\usr -p pwd -e cmd /C "dsquery ou domainroot"
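The same dsquery/dsget pair also answers the questions an auditor asks first: which accounts have not logged on for weeks, whose passwords are stale, which computers are dormant, and who is in the admin group once nesting is expanded. The script below is an added example, not from the original post; it uses the -inactive, -stalepwd and -disabled switches of dsquery user/computer, and -members -expand of dsget group, as the post does. The OU and DC components are placeholders like those in the post, the thresholds (8 weeks, 90 days) are assumptions, and -inactive needs a domain at Windows 2003 functional level, since it relies on lastLogonTimestamp.

```batch
@echo off
rem Added example, not from the original post: stale-account report built
rem from dsquery/dsget. Base DN, group DN and thresholds are placeholders.
setlocal ENABLEEXTENSIONS
set "BASE=OU=Level1OU,DC=domain,DC=domainext"
set "ADMINS=CN=Domain Admins,CN=Users,DC=domain,DC=domainext"
set "REPORT=%TEMP%\ad-stale-report.txt"

echo === Users with no logon for 8 weeks (sAMAccountName, DN) > "%REPORT%"
dsquery user "%BASE%" -inactive 8 -limit 0 | dsget user -samid -dn >> "%REPORT%"

echo === Users whose password is older than 90 days >> "%REPORT%"
dsquery user "%BASE%" -stalepwd 90 -limit 0 | dsget user -samid -pwdneverexpires >> "%REPORT%"

echo === Disabled users still present in the OU >> "%REPORT%"
dsquery user "%BASE%" -disabled -limit 0 >> "%REPORT%"

echo === Computers with no logon for 8 weeks >> "%REPORT%"
dsquery computer "%BASE%" -inactive 8 -limit 0 | dsget computer -samid -dn >> "%REPORT%"

echo === Members of the admin group, nested groups expanded >> "%REPORT%"
dsget group "%ADMINS%" -members -expand >> "%REPORT%"

echo Report written to %REPORT%
type "%REPORT%"
```

Piping dsquery into dsget is the standard pattern: dsquery emits DNs, dsget reads them from stdin and adds the attributes asked for. Run it the same way the post does, through psexec on a 2003 server, if the dstools are not available locally.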

Other than that I just found the dstools to be very powerful and some googling shows many good examples of what people have done with it! Very impressive!

The article also mentions some need-to-have Directory Service binaries from joeware.net/freetools, but I haven't tried them. They look good though, as if lots of work has been wrapped into those exes:

AdFind [switches] [-b basedn] [-f filter] [attr list]

basedn RFC 2253 DN to base search from.
filter RFC 2254 LDAP filter.
attr list List of specific attributes to return, if nothing specified returns 'default' attributes, aka * set.
...

Monday, May 19, 2008

Dependency Walker commandline example

Dependency Walker (depends.exe) can be downloaded, or is in Windows 2003 resource kit.

I wanted to script the dependency check for some .dll files, so I ran it against a remote server:
psexec \\someserver /u someuser -e cmd /c "environment.cmd&depends.exe /c /pb /oc "d:\depends.temp" "some.dll""

Now parse the output file, first column is status, look for "E,":
findstr /bic:"E," \\someserver\d$\depends.temp
if errorlevel 1 echo all OK
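To check several DLLs in one go rather than one file at a time, the two steps above (run depends.exe in console mode, then look for "E," in the first column of the CSV) can be wrapped in a loop. This is an added example, not from the original post; the DLL paths and the depends.exe location are placeholders, and the /oc:file form is Dependency Walker's documented CSV output switch.

```batch
@echo off
rem Added example, not from the original post: run Dependency Walker over a
rem list of DLLs and report which ones produced error lines ("E," in the
rem first CSV column). Paths are placeholders.
setlocal ENABLEEXTENSIONS
set "DEPENDS=C:\Program Files\Windows Resource Kits\Tools\depends.exe"
set "OUTDIR=%TEMP%\depends"
set "FAILED=0"
if not exist "%OUTDIR%" md "%OUTDIR%"

for %%D in (d:\app\bin\some.dll d:\app\bin\other.dll) do (
    rem /c console mode, /pb no dialog boxes, /oc: write results as CSV
    "%DEPENDS%" /c /pb /oc:"%OUTDIR%\%%~nxD.csv" "%%~D"
    rem findstr returns 1 when no line starts with "E," -> no errors
    findstr /bic:"E," "%OUTDIR%\%%~nxD.csv" >nul
    if errorlevel 1 (
        echo OK      %%~nxD
    ) else (
        echo ERRORS  %%~nxD - see "%OUTDIR%\%%~nxD.csv"
        set "FAILED=1"
    )
)
rem Non-zero exit when any DLL had errors, so a calling script can react
exit /b %FAILED%
```

"if errorlevel 1" is evaluated at run time, so it works inside the loop without delayed expansion; the per-DLL CSV files are kept so the actual missing modules can be read afterwards.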

I have not made a way to avoid entering the password, but if I need one I recall there are runas and similar alternatives.

Thursday, May 8, 2008

Hello World and 99 Bottles of Beer collections

Browsing around for some good C++ sample code I stumbled upon The Hello World Collection. While that is good, the 99 Bottles of Beer song collection is stunning, informative and fun:

... the collection of the Song 99 Bottles of Beer programmed in different
programming languages. Actually the song is represented in 1200 different
programming languages and variations. For more detailed information refer to
historic information.
I went to look for the Perl example for the song, and was completely baffled! Everything is written inside regular expressions, using a Perl module which creates shapes out of Perl code! Andrew Savige has some serious coding skills!

Checking the reg exp, it is a bit (but not much really) readable:

perl -MO=Deparse 99-bottles.pl
'' =~ /(?{eval"\$==pop99;--\$=;sub\n_\{(\$;=(\$=No).\" bottle\".\"s\"x!!--\$=.\" of beer\").\" on the wall\"\}print+
_,\", \$;!\nTake one down, pass it around,\n\",_,\"!\n\n\"while++\$="})/;
$: = 'P';
$~ = 'h';
$^ = 'r';
$/ = '`';
99-bottles.pl syntax OK

Wednesday, April 30, 2008

More good Windows command line tools

Once again I am surprised to see more useful commandline tools, already in Windows.

When I was playing around with Powershell I stumbled upon Windows Command Reference, a .chm file with reference for a lot of command line utils in Windows:

The Windows command-line tools are used to perform various tasks related to
Windows Vista, Windows Server 2003, and Windows Server 2008.You can use the
command reference to familiarize yourself with new and enhanced command-line
tools, to learn about the command shell, and to automate command-line tasks by
using batch files or scripting tools.


Many of the tools in the reference are also in Windows XP and 2003, but the resource kit tools are not listed; for example jt.exe and tail.exe are not in the list.

With all these nice utils, and more to come probably, I am thinking a lot of old selfmade scripts can be replaced or simplified. I prefer to use windows builtin tools if possible, most often wrapped somehow.

Of course there will always come new needs, ideas for improvements, so script wrapping, script/batch control is just as much wanted as before!

Two of the utils I can use immediately are tasklist.exe and taskkill.exe, which can query and kill processes filtered on lots of different criteria.

Good filter options include username, memusage and session number. Unfortunately it only works on one server at a time:

TASKLIST [/S system [/U username [/P [password]]]]
[/M [module] /SVC /V] [/FI filter] [/FO format] [/NH]

Description:
This command line tool displays a list of application(s) and
associated task(s)/process(es) currently running on either a local or
remote system.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain\]user Specifies the user context under which
the command should execute.

/P [password] Specifies the password for the given
user context. Prompts for input if omitted.

/M [module] Lists all tasks that have DLL modules loaded
in them that match the given pattern name.
If the module name is not specified,
displays all modules loaded by each task.

/SVC Displays services in each process.

/V Specifies that the verbose information
is to be displayed.

/FI filter Displays a set of tasks that match a
given criteria specified by the filter.

/FO format Specifies the output format.
Valid values: "TABLE", "LIST", "CSV".

/NH Specifies that the "Column Header" should
not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.

/? Displays this help/usage.

Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number
SESSIONNAME eq, ne Session name
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh - hours,
mm - minutes, ss - seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
MODULES eq, ne DLL name
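The "one server at a time" limitation is easily worked around by looping over a server list and collecting the CSV rows into one file. The script below is an added example, not from the original post; the server names and the two filters (processes running as SYSTEM using more than 200000 KB) are placeholders, the header line assumes the /V column order shown by tasklist on 2003/XP, and no credentials are placed on the command line, so /S uses the caller's current logon.

```batch
@echo off
rem Added example, not from the original post: one tasklist CSV from several
rem servers. Servers, filters and output path are placeholders.
setlocal ENABLEEXTENSIONS
set "OUT=%TEMP%\tasks.csv"
set "USERFILTER=USERNAME eq NT AUTHORITY\SYSTEM"
set "MEMFILTER=MEMUSAGE gt 200000"

rem Header once; the rows come from each server with /NH and the server
rem name prepended as the first column.
echo "Server","Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title" > "%OUT%"
for %%S in (srv1 srv2 srv3) do (
    rem Several /FI switches are ANDed; findstr drops the "INFO: No tasks..." line
    for /f "delims=" %%L in ('tasklist /S %%S /V /FI "%USERFILTER%" /FI "%MEMFILTER%" /FO CSV /NH 2^>nul ^| findstr /v /b /c:"INFO:"') do (
        echo "%%S",%%L >> "%OUT%"
    )
)
echo Wrote %OUT%
type "%OUT%"
```

The > and | inside the for /f command must be escaped with ^ so that cmd passes them to the inner command instead of applying them to the for statement itself; unreachable servers simply contribute no rows.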

Sunday, April 27, 2008

TclockEx is still a better Windows Clock

Similar to the awesome util Printkey 2000, there is another Windows util that is still my favorite for the task, even though it is very, very old: TclockEx, a much better Windows taskbar/system tray clock!

It serves a few important purposes for me:
  • Display date and time in a better way
  • Customizable format of "date and time copy to clipboard" when I double-click the systray. I use this format to get a quick date string for use in reports and documentation: yyyyMMdd-HHmm (eg. 20080427-0719)
  • Display a simple calendar with week numbers, shown by single click, and the week start can be changed to Monday.
The original site in the About page http://users.iafrica.com/d/da/dalen does not work, instead I used http://www.rcis.co.za/dale/tclockex/.

For the paranoid people, here is my md5 sum for the safe exe:

1238b1c59fd4987d538144aa915e85c2 *tclockex-1.4.2.exe
1238b1c59fd4987d538144aa915e85c2 *tclockex.exe

Read more about alternatives to tclock here:

Monday, April 21, 2008

Windows forfiles.exe, similar to unix find

I have unix tools available on my Windows boxes, so I have a tendency to use those, eg. using unix find to delete files older than x days.

Now a while ago I saw that there is a forfiles.exe in the NT resource kit, which can do a similar job, only it does not work on UNC paths:

forfiles /P \\machine\share /M thesefiles*

ERROR: UNC paths (\\machine\share) are not supported.

You can get inspired by some cleanup examples:

forfiles /p C:\documentService\bin /s /m trace*.* /d -120 /c "cmd /c del @path"

forfiles /p D:\DocumentStore\imagingShare /s /m *.tif* /d -120 /c "cmd /c del @path"

And as always ss64.com has forfiles examples.

Another example for deleting files:

FORFILES /p C:\filename /s /m *.* /d -3 /c "CMD /C del /Q @FILE"
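The UNC limitation above can be sidestepped with cmd's pushd, which maps a UNC path to a temporary drive letter and makes it the current directory; forfiles then runs without /P (the default is the current directory) and popd releases the mapping. The script below is an added example, not from the original post; the share name, mask and retention period are placeholders, and it defaults to a dry run that only lists what would be deleted, which is the sensible first pass before letting any cleanup job loose on a share.

```batch
@echo off
rem Added example, not from the original post: forfiles on a UNC share via
rem pushd. Share, mask and DAYS are placeholders; DRYRUN=1 only lists.
setlocal ENABLEEXTENSIONS
set "SHARE=\\machine\share"
set "DAYS=120"
set "DRYRUN=1"

rem pushd maps the share to a free drive letter; || fires if that fails
pushd "%SHARE%" || (
    echo Cannot reach %SHARE%
    exit /b 1
)

if "%DRYRUN%"=="1" (
    rem /s recurse, /m mask, /d -N older than N days, @path is the full name
    forfiles /s /m trace*.* /d -%DAYS% /c "cmd /c echo would delete @path"
) else (
    forfiles /s /m trace*.* /d -%DAYS% /c "cmd /c del /q @path"
)
rem forfiles returns 1 when nothing matched; that is not an error here
popd
exit /b 0
```

Set DRYRUN=0 only after the listing shows exactly the files expected; the mapping created by pushd lasts until popd, so a script that exits early should still reach popd (or the drive letter stays mapped for the session).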

Thursday, April 17, 2008

File size, file count, file age - batch util

I wanted to know each of these:
  • If a filesize (eg. the newest/latest one in a directory) is above or below a certain threshold.
  • If a number of files in a dir is equal, above or below a certain limit.
  • If the age of a file (eg. the newest/latest one), is above or below a certain age in seconds.

I turned to the batch search/overview sites and looked for inspiration; my findings were:

  • FileSizeComp is an elegant example in batch, but requires you know the filename.
  • GetDirStats returns number of files, elegantly using dirlist from compact.
  • I did not find a batch way to get mtime of a file.

So, two problems: I would need a way to find "the latest file" and then pipe that to one of the batch scripts, and I didn't find a resource kit tool or batch way to get the mtime of a file.

So: I made a simple perl script that can handle all of the above. And it also works cross platform.

There was someone who did an mtime (file age) check script in VBScript; I did not use it though.
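Two of the three checks (size of the newest file, number of files) can be done in plain batch after all, using "dir /o-d" to find the newest file and the FOR modifiers %%~z (size in bytes) and %%~t (modification time). The script below is an added example, not the post's Perl script; the directory and thresholds are placeholders. The third check, age in seconds, is left to Perl: cmd has no arithmetic on timestamps, which is the gap the post describes.

```batch
@echo off
rem Added example, not from the original post: newest-file size check and
rem file-count check in batch. Directory and thresholds are placeholders.
setlocal ENABLEEXTENSIONS
set "DIR=d:\data\incoming"
set "MINSIZE=1024"
set "MAXFILES=500"
set "RC="

rem Newest file: dir sorted by write time, newest first; keep the first line
set "NEWEST="
for /f "delims=" %%F in ('dir /b /a-d /o-d /tw "%DIR%"') do (
    if not defined NEWEST set "NEWEST=%%F"
)
if not defined NEWEST (
    echo No files in %DIR%
    exit /b 2
)

rem %%~zF is the size in bytes, %%~tF the last-write time of the file
for %%F in ("%DIR%\%NEWEST%") do (
    echo Newest: %%~nxF  size=%%~zF  mtime=%%~tF
    if %%~zF LSS %MINSIZE% (
        echo WARNING: newest file is below %MINSIZE% bytes
        set "RC=1"
    )
)

rem Count files (a plain FOR set matches files only, not directories)
set /a COUNT=0
for %%F in ("%DIR%\*") do set /a COUNT+=1
echo File count: %COUNT%
if %COUNT% GTR %MAXFILES% (
    echo WARNING: more than %MAXFILES% files in %DIR%
    set "RC=1"
)
if defined RC exit /b 1
exit /b 0
```

Exit code 1 means a threshold was crossed, 2 means the directory was empty. One caveat: cmd's numeric comparison (LSS, GTR) only handles 32-bit values, so a file above 2 GB falls back to string comparison and the size check would have to be done elsewhere.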

Wednesday, April 16, 2008

Identify the process that locks a file on Windows

I wanted to identify the process that locks a file on Windows, I am sure you know the feeling:

del ft*
The process cannot access the file because it is being used by another process.

There was an excellent article that described how one of my favorite tools, procexp.exe from PsTools, has a "Find handle or dll" (CTRL+F) that does the trick.
I think Process Explorer can only see local processes locking a file; it cannot see if you have locked it via a share, for example. I have not tested it.
The same article also describes some possible command line based solutions, though I did not have a need for that yet:

Note: There is also a command-line tool named Handle from Windows Sysinternals that can display open handles for any process in the system. See: View Open Handles to a file or folder from the context menu from the Winhelponline.com Blog.

...

Once installed, reboot Windows and use the Oh.exe (Open Handles) command-line tool. For exact parameters, open Help and Support center and type-in OH. The following example shows how to find the Process(es) which have locked the file "INBOX.DBX".
Open a Command Prompt window and type:
oh inbox.dbx >C:\Output.txt

As for the oh.exe method, it requires a reboot after the Windows 2003 resource kit installation, or you will see:
The system global flag `maintain object type lists' is not enabled for this system. Please use `oh +otl' to enable it and then reboot.
But it looks very powerful:

oh - Object handles dump -- built by: dnsrv_dev(v-smgum)
Copyright (c) Microsoft Corporation. All rights reserved.

OH [DUMP_OPTIONS ...]
OH [FLAGS_OPTIONS ...]
OH -c [COMPARE_OPTIONS ...] BEFORE_LOG AFTER_LOG

DUMP_OPTIONS are:

-p N - displays only open handles for process with ID of n. If not
specified perform a system wide dump.
-t TYPENAME - displays only open object names of specified type.
-o FILENAME - specifies the name of the file to write the output to.
-a includes objects with no name.
-s display summary information
-h display stack traces for handles (a process ID must be specified)
-u display only handles with no references in process memory
-v verbose mode (used for debugging oh)
NAME - displays only handles that contain the specified name.

Monday, April 14, 2008

Blog backup reminder

Very shortly after I started to use this blog as a placeholder for knowledge, I wondered how I could back the blog up.

I didn't get any backup going, so I am happy to get a reminder from a March post on Taosecurity:
Therefore, for the last several months I've been archiving my blogs using BlogBackupOnline.com. I used the free service while in beta, but my storage requirements for this blog exceed their 5 MB "Freemium" limits. Therefore, I ponied up the money for a "Professional" account with 250 MB storage, and the "advertising" provided by this post should help me double that amount to 500 MB.
One of the comments on the post is interesting, I have to try that:

.. also check out http://blogbackupr.com, 100MB free space

Now I am thinking if I can find an open source backup application or script that does RSS backup similar to those services? Then I could cron a backup myself.

Thursday, March 13, 2008

Windows command box shell tips

After so many years with the Windows command line shell, I still learn new stuff every now and then :-)

Today a colleague showed me a feature similar to bash Ctrl+R for recalling commands, instead of using the up and down arrows:
  1. Type a bit of the command that you know you have used just a while back
  2. Toggle through the commands with F8 ... nice :-)
While I am here, I want to remind myself:
  • Enable quickedit mode in cmd box options tab: [v] QuickEdit Mode
  • Increase Screen Buffer Size, Height: 9999
  • Use doskey /history to get the last commands

Tuesday, February 19, 2008

More options for third party software updates

Not long ago I mentioned the Secunia PSI (Personal Software Inspector) as a means to update your third party software on Windows.

Now I noticed that SANS ISC has a nice article with some more recommendations:
Other options are UpdateStar (Windows), SUMo - Software Update Monitor (Windows), VersionTracker [Pro] (Mac and Windows), RadarSync (Windows), UDC - UpdateChecker (Windows), Belarc Advisor (Windows), and App Update Widget (Mac).
I have not tried any of them yet :-)

The same day they had a really good point, about something that often bothers me on Windows and Mac:
Unprivileged user vs. Administrator: A few third-party Windows software do not show the availability of new updates unless you are running as Administrator.
...
Therefore, the conclusion is that you need to periodically (every day?) login as (or run things as) Administrator to perform periodic tests for new updates. Obviously, this is not practical for end users, so we clearly need to improve the third-party update mechanisms in Windows to be accurate, up-to-date and work smoothly from non-privileged accounts.

Tuesday, February 12, 2008

Xcacls.vbs directories only and column output truncated

As I mentioned earlier, the xcacls.vbs output is truncated so the information is not fully presented, eg. usernames are cut at 24 characters. This got very annoying, so I was happy to find a solution:
Edit xcacls.vbs line 593, Call PrintMsg( strPackString...
Edit xcacls.vbs line 614, Call AddStringToArray(arraystrACLS,

I changed the two lines to:
Call PrintMsg( strPackString("Type", 8, 1, TRUE) & strPackString("Username", 50, 1, TRUE) & strPackString("Permissions", 42, 1, TRUE) & strPackString("Inheritance", 35, 1, TRUE))
For Each objDACL_Member in objSecDescriptor.DACL

Call AddStringToArray(arraystrACLS, strPackString(strAceType, 8, 1, TRUE) & strPackString(objtrustee.Domain & "\" & objtrustee.Name, 50, 1, TRUE) & strPackString(TempSECString, 42, 1, TRUE) & strPackString(strAceFlags, 35, 1, TRUE),-1)
Set objtrustee = Nothing

Now the output is more useful.

The next problem is that I cannot get Xcacls.vbs to work only on folders when querying subdirectories. The parameters /s /t do work across subdirs, but they include files, which is not what I want!

This does not seem possible; I cannot find a combination of switches that travels subdirectories but only displays directory permissions and not files too. I get output like:
**************************************************************************
Directory: d:\data\file.txt

Permissions:
Type Username Permissions Inheritance
...


So I had to make a small wrapper to only run XCACLS on a predefined list of dirs, without using /s /t at all. This is not scalable!

What I would rather like is a script that gets a remote dir listing, checks whether each entry is a directory, and if so calls xcacls. I don't have that yet :-)

A better solution would be much appreciated.
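The directory-only listing is what "dir /s /b /ad" produces, and it works on a UNC path, so the wrapper wished for above needs no file-type test of its own. The script below is an added example, not from the original post: it runs xcacls.vbs on the root and then on every subdirectory from that listing, never on files. The root path, script location and output file are placeholders.

```batch
@echo off
rem Added example, not from the original post: report permissions of
rem directories only, recursively. Root, script and output are placeholders.
setlocal ENABLEEXTENSIONS
set "ROOT=\\srv\d$\data"
set "XCACLS=C:\Tools\xcacls.vbs"
set "OUT=%TEMP%\dir-acls.txt"

rem The root itself first, then every subdirectory beneath it.
rem dir /ad lists directories only, /s recurses, /b gives bare full paths.
cscript //nologo "%XCACLS%" "%ROOT%" > "%OUT%"
for /f "delims=" %%D in ('dir /s /b /ad "%ROOT%"') do (
    echo ======== %%D >> "%OUT%"
    cscript //nologo "%XCACLS%" "%%D" >> "%OUT%"
)
echo Directory permissions written to %OUT%
```

"delims=" keeps paths with spaces intact, and because the listing is generated once up front, the wrapper scales to any tree depth without a hand-maintained list of directories.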

New remote scanning requirements for PCI compliance

I have heard there might be new remote scanning requirements for PCI compliance, which presumably means Visa will require a higher level of application scanning than before. Even if that turns out not to be so, it is a good chance to improve the organization's IT skills, just as the original PCI compliance test was a huge improvement.

I am reading parts of the PCI Blog - Compliance Demystified blog, where there are some pointers to documents etc.

In one of the recent PCI Blog newsletters I stumbled upon some quotes regarding scanning:

Scanning is a snapshot ...
Scanning is diagnostic, not preventative ...
...
In fact SQL Injection, one of the most commonly used methods of
compromise, cannot be detected using scanning.

...
Scanning is a component of the information security program, not a
replacement for it - Scanning can be a useful tool when used as a part of a
robust, well-rounded information security program. Relying on scanning
alone can leave a company dangerously exposed to data compromise. However,
when used in conjunction with timely patch management, strong internal policies
and processes that are actively enforced, data classification and control
practices and other elements of security practice, scanning can provide valuable
insight.


I have to question their statement that "SQL injection cannot be found by scanning". As with other vulnerabilities found by scanning, some SQL injection attack vectors can be found. In fact Nessus does a good job of finding some SQL injections, but I have seen Nessus miss SQL injections that were later found by WebInspect. The other points in the newsletter are valid and good to keep in mind!

In the future companies that want to have PCI compliance might be forced by Visa to buy and use either Webinspect or IBM Rational AppScan. Both are very expensive!
The Next Generation of Web Application Scanning
WebInspect
7 is the first and only web application security assessment tool to be
re-architected to thoroughly analyze today's complex web applications built on
emerging Web 2.0 technologies. The new architecture delivers faster scanning
capabilities, broader assessment coverage, and the most accurate results of any
web application scanner available

Open source alternatives for web application scanning that come even close to the capabilities of WebInspect and Rational AppScan would be awesome. Please leave a comment if you have any ideas :-)

Searching your logfiles and your knowledge management sources

A friend of mine pointed me to Splunk for log file analysis, thanks for that :-)

I haven't had a chance to install and try Splunk, but looking around, Splunk could be the util to combine knowledge management searches with real time event searches from servers. A single point of entry for searching is crucial, but not easy to get up and running in day to day use.

To benefit from a search engine, that engine should be able to reach all the different places that people put knowledge. And it must be able to crawl all file formats, eg. OpenOffice, MS Office, Excel, PDF etc. We can get file indexing working from all kinds of places, but the hurdle seems to be indexing mailboxes! The example being a public mailbox archive of all the support answers to customers, with many years of useful knowledge! Indexing mailboxes, eg. Lotus Notes, should be possible with enterprise search engines like Google and Yahoo Omnifind.

For logfile analysis I usually stick with simple tools like fetchlog, our own grep scripts on centralized syslog servers, and some OSSEC. Another util I have played with for correlating information is Prelude.

Perhaps Splunk can combine the above (search engine and logfile analysis) into one application?

Splunk provides a free edition, so I will keep it around, in case I get a chance to try it :-) It sure seems worth a try for an enterprise! Of course, being an open source and community fan, I am more biased toward an open source alternative for Splunk? Prelude and OSSEC are both open source free software.

While looking around I stumbled upon an interesting open source site, Softpanorama.org:

Mission and Vision Statement This is a self-education oriented site (see
about for more info) that contains resources for the independent study in
computer science and programming. The latter is the area were open source really
shines: the academic value of open source software (OSS) cannot be
overestimated.

Softpanorama.org has some Splunk entries in their Log Analyzers News:

[Apr. 17, 2006] Splunk Welcome
Splunk is search software that
imitates Google search engine functionality on logs. Can be considered as
the first specialized log search engine. It can correlate some
alerts:
Splunk Splunk User's Guide
Splunk Administrator's Guide


[Feb 16, 2006]
Splunk, Nagios partner on open-source systems-monitoring tools
Log file search and indexing software vendor Splunk Inc. announced Tuesday that it will soon add systems
management host, network and service monitoring capabilities to its software
through a partnership with the
Nagios open-source project. ...

Monday, February 11, 2008

Not satisfied with your current Version Control System - discussing switching VCS

At work we are getting increasingly annoyed by the rather old Visual SourceSafe we are using. We are going for AccuRev as a replacement. There is an interesting comparison with Subversion. Their Subversion notes might be true, in the sense that you do need some scripting skills to take full advantage of Subversion branching and merging. Perhaps this is what you get for the license fee. The AccuRev server runs on Windows, Mac and Linux; not sure about BSD flavors. It does not come for free:
AccuRev is typically licensed using a named user license model. The
list prices for AccuRev end-user licenses range from $750 to $1,995, depending
on specific products licensed, number of users, and required integrations with
3rd party products (e.g., AccuBridge)

If you want a good read on version control system discussion and thoughts, I recommend the FreeBSD Wiki on the VCS subject. It is very well written, and touches many aspects of version control (including some you probably didn't think about). Of course it is written with reference to the FreeBSD project's needs, but if you are familiar with FreeBSD branches and ports, and work with vendor code yourself, you might get a lot of knowledge and ideas from reading it. I found it very interesting :-)

In short it is a discussion of open source version control system alternatives, with a description of desired and required features, in order to justify the cost of the FreeBSD project switching away from CVS. It is similar to our own thoughts on changing version control system here at work.

Most of it is written by Peter Wemm, who is vouching for Subversion. Here is a snip from Peter's view on why FreeBSD needs a new VCS and why Subversion should be the prime target. It should convince you to start reading :-)
Why does my opinion matter? I've been doing this for a while. For the last 13 years, I've been the 'The buck stops here' guy for our repository. I've seen it all. I wrote the rules about what we can and can't do in the repository. I did the hacks to the cvs system to prolong its use for us. I came up with or implemented most of the hair-brained ideas that we live with on a daily basis.
Here are my snips from my reading through all the sections:

Automated or mechanically assisted merging. FreeBSD's development model requires that (unless it's an exceptional circumstance) changes first go in to the HEAD. If they are suitable candidates to go in to stable then they should be merged to the relevant stable branch.
In addition, new features may first be developed on a separate branch, before being merged in to the HEAD.
The VCS should support easy merging of changes from HEAD (or its equivalent) to the stable branches, and from feature branches to HEAD. Merges should also be able to go both ways, and be easily repeatable (e.g., a long lived feature branch may merge changes from HEAD on to the branch several times, and may merge changes from the branch back to HEAD several times)

Branch, Easy & cheap branches (and history-aware merging) and tags to enable parallel lines of development (that is essential for projects like SMPng which have a very big impact on many source files)


SVN Repo Layout: A proposed repository layout if FreeBSD moves to Subversion. This includes a good suggestion of handling Vendor code.

SVN Merging: A walkthrough of merging changes with Subversion and svnmerge.py. This walkthrough of branching and merging is very educational :-)

ACL, Access control: the ability to constrain developers to operating in specific areas of the tree, implement branch-based policy restrictions, as well as to enforce policy such as tagging of commits for developers working outside their normal areas. Implementing these via hooks would not be a regression from what we currently do in CVS.

Offline, Ability to work offline -- like on a plane -- without requiring too much work: not only being able to list differences but also to commit

SVK which brings history-aware merging and distributed features to SVN

There are some really interesting (biased, of course) quotes when it comes to comparing a Git and a Subversion conversion from CVS, which are right on and make you think:
For us to switch to svn would be an evolutionary step. We could use it
as a better cvs, with the sharp edges fixed. hg and git require more of a
revolution in the way we go about things.

git/hg make it very easy to take stuff offline....Encouraging the
taking of stuff further offline is going in the wrong direction for *us*. If
anything, we need to make it easier for people to get stuff to us and in the
tree in some form.

Linus wrote git to suit his needs for linux. He has one thing going for us that we don't. There is a large cult of personality surrounding Linus. There is intense pressure to "validate" your work by getting it approved (directly or by proxy) by Linus. On the other hand, we already have problems extracting work from people. We can't assume that we'll get the same inward flow that Linus gets.

From http://lwn.net/Articles/246381/ - there are some choice quotes. The topic is the problems the KDE folks had making git work for them.

We're not Linux. A good number of our best supporters stick with us because we're a coherent tree and not like linux' chaos.

Why do you seem to be pushing subversion?It's because I am. I think the whole hg/git thing is a distraction.

  • it works the same way we've become accustomed to cvs working. Except without most of the silly problems/restrictions.
  • there are a huge bunch of tools out there to talk to svn. Things like svnsync (cvsup for svn repository replication) are out there.
  • We can use live changeset based exporting to export the tree to cvs to maintain HEAD and RELENG_* branches. Our end users will be able to keep doing exactly what they've always been doing for getting their "fix" of freebsd.
  • svk, as an optional add-on, gets you the ability to have a private playground, in spite of my encouragement to work on the public servers.

Notes on Git Conversion: Why git is interesting to FreeBSD is also very educational. From the little bit of Git reading I have done, it seems to me that Git gives the ability to hide development cycles, not something I would appreciate in the projects I participate in. Some Git quotes:

git is distributed

Now, you can commit as you develop, then test, then push. If
you find things in your testing that are wrong, you can commit fixes before
pushing, or even go back and edit your local history to erase your mistakes,
making you look even more ninja than you really are.

You can also push your
changes up to a personal repository for others to access. They can merge it to a
personal tree of their own, do repeated merges all sorts of directions, and have
it just Do The Right Thing.



I am a fan of Subversion, and it works on many platforms. So far Subversion has met all my needs for version control, automation, documentation, management etc!

After reading the above articles I am even more convinced Subversion will continue to meet my needs, so I am not changing :-) SVK is something for me to try though. And AccuRev might prove useful for the enterprise, we will see.

Wednesday, February 6, 2008

Query MSSQL from perl

I mentioned how to connect to MSSQL from batch, e.g. using osql.exe, but today I wanted to do the same from Perl.

There are many samples on Google, using Win32::OLE or Win32::ODBC. Usually finding the right connection string is the hurdle.

For the ODBC connection strings it can look like this:

use Win32::ODBC;
# Double quotes so the variables interpolate (single quotes would leave "$hostname" etc. literal in the
# connection string). $database holds the database name; $db is the connection handle.
my $DSN = "driver={SQL Server};Server=$hostname\\$instance;database=$database;uid=$u;pwd=$p;";
my $db = Win32::ODBC->new($DSN) or die "Error: " . Win32::ODBC::Error() . "\n";

For Win32::OLE connection string with password can look like this:
my $ConnStr="Provider=SQLOLEDB;Initial Catalog=$db;Data Source=$server;User ID=$u;Password=$p;Network Library=DBMSSOCN";

But I really want to avoid the user and password in scripts. So for Win32::OLE connection string integrated security, without password, can look like this:
my $ConnStr="Provider=SQLOLEDB;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=$d;Data Source=$s;use Procedure for Prepare=0;Connect Timeout=4;Trusted_Connection=Yes";
# Provider=SQLOLEDB.1 or Provider=SQLNCLI.1

Testing the connection, creating a query, executing it and working with the result is pretty straightforward:
use strict;
use warnings;
use Win32::OLE;

my $Conn = Win32::OLE->new('ADODB.Connection')
    or die "Cannot create ADODB.Connection: " . Win32::OLE->LastError() . "\n";
$Conn->Open($ConnStr);
my $err = Win32::OLE->LastError();   # numeric 0 on success, the HRESULT otherwise
if ($err != 0) { printf "FATAL: no connection, OLE error 0x%08x: %s\n", $err & 0xffffffff, $err; exit 1; }
else { print "Connected OK\n"; }
my $Statement = "select servername from servertable where x = 0 AND id = 11";
my $RS = $Conn->Execute($Statement)
    or do { print Win32::OLE->LastError(); exit 1; };
while (! $RS->EOF) {
    my $servername = $RS->Fields(0)->{Value};
    print "servername is: $servername\n";
    $RS->MoveNext;
}
$RS->Close;
$Conn->Close;

Just for future reference, the ODBC SQL update code could look like this (the values are interpolated straight into the statement text, so they must be trusted; a quote character inside them breaks or alters the SQL):
$SqlStatement = "insert into dbo.MyTable values ('$var1',$var2,$number,getdate())";
if ($db->Sql($SqlStatement)) { print "Error: " . $db->Error() . "\n"; $db->Close(); exit 1; }
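The insert above splices $var1, $var2 and $number directly into the SQL text, so a value containing a quote changes the statement instead of being stored. The same ADO connection used with Win32::OLE earlier in this post also supports bound parameters through an ADODB.Command object, where the values travel separately from the statement and are never parsed as SQL. The following is an added example, not code from the post; it assumes a table dbo.MyTable with columns Name, Qty, Amount and Created (the post names no columns), the integrated-security connection string from above, and the ADO constants (adCmdText, adVarChar, adInteger, adDouble, adParamInput) exported by Win32::OLE::Const.

```perl
use strict;
use warnings;
use Win32::OLE;
use Win32::OLE::Const 'Microsoft ActiveX Data Objects';   # adCmdText, adVarChar, adInteger, adDouble, adParamInput

# Assumed: database and server names, integrated security so no password is in the script.
my ($d, $s) = ('ServerDatabase', 'HOSTNAME\INSTANCE');
my $ConnStr = "Provider=SQLOLEDB;Integrated Security=SSPI;Persist Security Info=False;"
            . "Initial Catalog=$d;Data Source=$s;Connect Timeout=4;Trusted_Connection=Yes";

# Constructed sample values. The first one contains a quote that would break a
# string-built INSERT; with a bound parameter it is simply stored as text.
my ($var1, $var2, $number) = ("O'Brien", 42, 3.14);

my $Conn = Win32::OLE->new('ADODB.Connection')
    or die "Cannot create ADODB.Connection: " . Win32::OLE->LastError() . "\n";
$Conn->Open($ConnStr);
die "No connection: " . Win32::OLE->LastError() . "\n" if Win32::OLE->LastError() != 0;

# The command text contains only placeholders; the column list is assumed.
my $Cmd = Win32::OLE->new('ADODB.Command');
$Cmd->{ActiveConnection} = $Conn;
$Cmd->{CommandType}      = adCmdText;
$Cmd->{CommandText}      =
    'insert into dbo.MyTable (Name, Qty, Amount, Created) values (?, ?, ?, getdate())';

# CreateParameter(Name, Type, Direction, Size, Value); Size matters for adVarChar.
$Cmd->Parameters->Append($Cmd->CreateParameter('Name',   adVarChar, adParamInput, 100, $var1));
$Cmd->Parameters->Append($Cmd->CreateParameter('Qty',    adInteger, adParamInput, 0,   $var2));
$Cmd->Parameters->Append($Cmd->CreateParameter('Amount', adDouble,  adParamInput, 0,   $number));

$Cmd->Execute();
if (Win32::OLE->LastError() != 0) {
    print "Insert failed: " . Win32::OLE->LastError() . "\n";
} else {
    print "Insert OK\n";
}
$Conn->Close;
```

The parameters are appended in the order of the question marks; the names given to CreateParameter are only labels. Win32::ODBC has no equivalent binding API, which is one reason to prefer the ADO route for anything that writes user-supplied values.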

Thursday, January 31, 2008

Windows IT Pro dec07 notes

It was a while since I read the December 2007 Windows IT Pro issue, but here are some notes on stuff I found particularly useful, or otherwise hard to remember :-)

PDF utilities, similar to PDFcreator (that does not work on Vista), and working on Vista: CutePDF and PDFTools. I use PDFcreator all the time, but I don't use Vista just yet, but this is good to keep in mind! Some quotes from PDFTools features:

• encrypt a PDF file by assigning it a password
• create a protection-free version of encrypted PDF file
• create a PDF file by joining multiple PDF files
• split a PDF file in multiple ways, such as splitting each page to new PDF file and splitting a file after a given page number
• arrange pages in a PDF file
• overlay text or an image over a PDF file
• convert an XML file into a PDF file

Note that you need Java Runtime Environment/Java Development Kit (JRE/JDK) 1.4 or later to use PDFTools.

It was interesting to read "Are IT Pros Steering Their Children Away From IT" and "A Good Career For Your Kids", as since I recently became a dad I have actually been thinking about this several times!

I am certainly not recommending the IT business to just anyone. I like to think of IT as being a "call", a desire, for helping people, delivering results, services and service to people, a call to engineer stable and innovative IT systems. For my daughter I will encourage her to do whatever she likes, and if that is IT, that is OK. I think an IT developer, administrator or project manager can be a happy job, but you have to be very aware of all the factors. This is a hard topic to just put down some notes on, I definitely have to give it some more thought and its own post, it's really interesting and worth discussing with wife, family and friends!

As you probably know Windows 2008 will have the Server Core option, which has a very limited GUI. This will be exciting to use, and undoubtedly we will have to get used to many new command line utils and new/better usage of existing ones. One of the new tools we will get used to is the script SCRegEdit (Server Core RegEdit). Although regedit is a GUI that will work in Server Core, SCRegEdit will help edit many registry keys, e.g.:
scregedit /ar 0 enables remote desktop
scregedit /au 4 will download and install updates
scregedit /cs will allow Pre-Vista clients to connect with terminal services
... check out Microsofts Server Core guide, there are good tips:
Managing a Server Core installation: Overview
...
The script is located in the \Windows\System32 folder of a server running a Server Core installation. At a command prompt, open the folder, and then use the following command to display the usage instructions for the previous options:

cscript scregedit.wsf /?

Note:
You can use this command with the /cli option to display a list of common command-line tools and their usage.
Some VMware Server and VMware Workstation differences. So far I have managed fine with the Server version. ESX will be next, Workstation is never considered! But anyway interesting:
  • Price, VMware Server is free :-)
  • Server is a service, Workstation is a desktop application
  • Multiuser access for Server, not for Workstation. Server has a web interface too!
  • Workstation supports virtual machines (VM) up to 8 GB RAM, Server only 3.6 GB RAM.
  • Server can have only one snapshot, Workstation can have many.
  • You can clone a Workstation virtual machine. In Server copying a VM is a manual process, but works fine.
  • Workstation lets you manage several VMs in teams, e.g. to have certain VMs start up before others. Server doesn't have VM Teams.
  • Drag and drop objects from your desktop to the Workstation VMs. Server can not.
  • You can capture an .avi movie of all activity in a Workstation VM.
So it was another great Windows IT Pro issue :-)

UPDATE: It was brought to my attention that VMWare workstation can be set up as a service [http://blogs.techrepublic.com.com/datacenter/?p=429&tag=nl.e101]

Query MSSQL from batch

Sometimes you want to perform the same batch task on several servers. For that I need a list of the servers that will need some job done. So I want to get the server list from the server database, instead of hardcoding it in the scripts. The most obvious would probably be using VBScript, but in this case I turned to osql.exe for a quick solution:

rem tempfile, egrep, sort and sed are assumed to be Unix tool ports on the PATH
set sqlbinary="\\someserver\c$\Program Files\Microsoft SQL Server\80\Tools\Binn\osql.exe"
set sqlserverinstance=HOSTNAME\INSTANCE
FOR /F "usebackq" %%A IN (`tempfile`) DO set sqltmp=%%A
set sqltmp=%sqltmp:/=\%
if exist %sqltmp% del %sqltmp%
echo Creating sql inputfile : %sqltmp%
echo set nocount on > %sqltmp%
echo select ServerName+^'::^'+ServerDesc >> %sqltmp%
echo from ServerTable where ServerType = 1 AND ServerGroup = 11 >> %sqltmp%
echo go >> %sqltmp%
rem -E uses the current Windows login (no password in the script); the variable is %sqlbinary% as set above
%sqlbinary% -d ServerDatabase -i %sqltmp% -n -E -S %sqlserverinstance% | egrep "^ [sS][0-9]" | sort | sed 's/^[ \t]*//'


Now I have a list with servernames and descriptions, which I can pipe to a .txt file or perform something on each :)


By the way, I stumbled upon an awesome Batch FAQ, really old, but with some very good points and links to more info. Here are some quotes:

*** How do I perform if-then-else in batch?

if not .%1==.help goto else
rem then commands here
goto endif
:else
rem else conditions here
:endif

...

*** What do all those }{ and $ things mean?

They're uniquely named temp files or variable names. It is
desirable to make the filenames as weird as possible to avoid
overwriting files that happen to have the same name. Also,
confusion is found in spacing and where the redirection
characters are, these all write "hey!" to a temp file...

echo>[myfile] hey!
>$$$tmp$$.$ echo hey!
echo hey! > tempfile

...

*** Utility programs for batch files

Batch simply wasn't designed to do the kinds of things users
want to do, although us batch hackers ignore this and try to
do them anyway. Batch input routines are especially kludgy
and incompatible, often it's easier to just use a utility
designed for the purpose and avoid the hassle.

SENVAR by Ed Schwartz makes it very easy to set an environment
variable to standard-input...

senvar evar - input from keyboard
program senvar evar > nul - input from program
senvar evar <> nul - input from file

SENVAR is at http://www.infionline.net/~wtnewton/batch/senvar.txt

The shareware XSET program by Marc Stern has many extra options,
like reading a file from a specific column and line number...

xset /mid 6 2 /line 3 evar <> nul

XSET is at http://members.tripod.com/~marcstern/xset.htm

ASET by Richard Breuer, free, makes mathematical operations as
easy as ASET result=2+2, functions for math, string handling,
file/kb input and more. File aset10.zip at Simtel.

Strings by Douglas Boling, free, provides commands for string
handling, modifying memory and master environment, reading files,
math, keyboard input and more. File string25.zip at Simtel.

Many more useful batch utilities can be found at...
Garbo: http://garbo.uwasa.fi/pc/batchutil.html
SimTel: ftp://ftp.simtel.net/pub/simtelnet/msdos/batchutl/

Wednesday, January 30, 2008

Playing with cmd, start and exit commands and parameters

If you are playing with Windows batch files you are probably using cmd parameters, such as /k to keep the cmd box, or /c to close it after the command completes, e.g.:
psexec \\server -e cmd /c "reg import d:\registry_setting.reg"

And similar, you are probably using "exit /b 1" to set errorlevel (returncode) of your script to 1 if it somehow failed.

I haven't used "start" before, but I had a bunch of scheduled tasks and one of those is running every minute, so I figured I would use "start /MIN". This workaround came to mind because I have no idea how to make sure a task is running in session 0, for example, so the repeating task (every minute) can pop up with stuff it is doing.. very annoying!

So I added "start /MIN" before my .bat script, but that was not enough. Running the scheduled task would not really start the script. So I added "cmd /C start /MIN somescript.bat", ugly but it worked! Now the scheduled task is minimized on every run.

I noticed that the start command creates its own "cmd /K" process, so my solution results in a process command line like this: "cmd /K somescript.bat". This means that because I am starting somescript.bat with "start", I now have to add a trailing "exit" in somescript.bat. Also ugly, but it works.

Now the weird thing I have been puzzled about is a bunch of cmd.exe processes hanging! Using procexp (part of pstools) I can see they are all started from within a batch control system by running the command "start anotherscript.bat". But anotherscript.bat *does* actually have an exit at the end, so it seems strange that it is hanging. Perhaps it is a hiccup in the batch control system!

I can not reproduce a hanging cmd.exe exit command, but I did manage somehow, with a bunch of start, cmd, exit, exit /b 1, etc. etc., to create a hanging cmd.exe, where the exit command would NOT complete! I don't know how, but in process explorer (procexp), I could see the cmd that was hanging. What could be happening is that exit hangs itself if a child process has disappeared. From procexp I can not bring the window for the hanging cmd.exe pid 4696 to the front. And then the exit command inside cmd.exe pid 4448 is hanging forever! It did not help to kill 4696 manually, the exit of 4448 is still hanging! I had to kill 4448 manually, very annoying!

I suspect it being something weird with start and exit usage, but I am not sure. The exit /? puzzles me, and I am always using exit /B 1 instead of just exit 1. Maybe that's wrong?
exit /?
Quits the CMD.EXE program (command
interpreter) or the current batch
script.

EXIT [/B] [exitCode]

/B specifies to exit the current batch script instead of
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE

exitCode
specifies a numeric number. if /B is specified, sets
ERRORLEVEL that number.
If quitting CMD.EXE, sets the process
exit code with that number.

Tuesday, January 29, 2008

Windows users and groups information

Being part of a Windows administrator group, responsible for a bunch of Windows servers, where there is more than one administrator, can be quite challenging!

We have a bunch of scripts that do some automatic documentation of:
Now I want to add a script for documentation of the server users and groups!

Here are my first thoughts on what I would like:

1) given a username, script should return:
show group membership
show username details

2) given a groupname, script must give:
show members
show username details for each member

3) given a servername, return list of:
local users and run 1) for each username
local groupnames and run 2) for each groupname

I did some Google searches:

enumerate group members
list of members in a local group, e.g. who is a member of "administrators"
backup and recovery of windows users and groups
list of users and groups on windows server
enumerate local users and their membership
enumerate windows users with wmi


I ended up with a simple VBScript that combines a good user information binary with some user and group info VBScript code. The output from the script is text, easily diffable, so changes can quickly be spotted.

Someone else surely should have cooked up something smart, as this task seems like something many administrators would appreciate. If you know of such script or application, please leave a comment :-)

A thing that puzzled me for a while was how to get output from the binary into the same STDOUT where I would be starting my script with cscript.exe listusersandgroups.wsf. This was needed as I want to pipe script output to a text file for version control commit and change management :-) So this was easily worked around like this:
set objWshShell = CreateObject("WScript.Shell")
' Exec returns a WshScriptExec object; keep it separate from the shell object
set objExec = objWshShell.Exec(strCommand)
Do While objExec.StdOut.AtEndOfStream <> True
    ' running a file from inside vbscript and getting its output in the same command window
    strLine = objExec.StdOut.ReadLine
    WScript.Echo strLine
Loop


The usual way I have started programs from inside VBscript, would be to have them hidden, similar to this:
set objWshShell = CreateObject("WScript.Shell")
intRC = objWshShell.Run(strCommand, 0, TRUE)
' parm 1 = command line
' parm 2 = window style (1 = normal, 0 = hidden)
' parm 3 = if true, waits for the command and returns its exit code
If intRC <> 0 Then ...
' and destroy it properly:
if isObject(objWshShell) then set objWshShell = nothing


Read more about the normal .Run method.

Thursday, January 24, 2008

Software Inspector for personal Windows package management

Windows package management is not an easy task, often left only to a WSUS server, WPKG, group policies or simply the individual applications' automatic updates.

Leaving updates only to the applications and users themselves obviously is not good enough! Although this has gotten better in recent years, some sort of action and verification is needed.

For example the Java Runtime Environment does not uninstall old versions when new versions are installed. Probably as a service to you, so your old Java applications can decide which one they want to use, avoiding problems with incompatibility. But this update strategy also leaves a hole for crackers to potentially abuse!

I did mention installing and updating Windows applications with win-get, but it probably is not an option for anyone other than the tech geek at home.

How much package management Microsoft's new NAP service can handle is unknown to me. What I have read so far sounds like it can do limited checks, such as whether Windows hotfixes are applied and the firewall is on. I need hands on to know more I guess.

Well, here is something worth trying Software Inspector from Secunia:

Online version:
http://secunia.com/software_inspector/
Secunia Software Inspector
Feature Overview - The Secunia Software Inspector:
* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.



Offline, for installation on your PC:
https://psi.secunia.com/
Version: 0.9.0.0 / Size: 444,892 bytes / Changelog
The Secunia PSI is only free for private individuals
The Secunia PSI is available free of charge.
Secure your PC. Patch your applications. Be proactive.
Scan for Insecure and End-of-Life applications.
Track your patch-performance week by week.
Direct and easy access to security patches.
Detect more than 300,000 unique application versions


For work, it would be perfect to have a central Software Inspector server (a la the WSUS server) which has info on all computers where an agent was installed. Great for reporting and for verifying that your Windows package management tools actually do their thing as you are expecting!

Wednesday, January 23, 2008

Blogger.com post editor

In my recent batch post I had to use the pipe symbol (|) in some example listings. It turned out that the blogger.com editor removes the pipe symbols when switching from HTML to wysiwyg editing.

Worse is that if you are in WYSIWYG mode and looking at the pipe symbol in your text, it will disappear from your post if you publish from there!!

I tried to escape the pipe symbol with \ and other ways, but it simply disappeared!

I looked at wikipedia "vertical bar article" and found the ASCII value for the pipe symbol:

ASCII
decimal (base-10): 124, or hexadecimal (base-16): 7C


Then I looked for an HTML article on how to escape symbols, similar to the &. It was an XML guide that really put it simply:

XML has the same syntax as HTML for escape symbols like "&"="&amp;", "<"="&lt;", ">"="&gt;", ascii(nnn)=&#nnn;", etc.

The solution was to write all pipe symbols (|) as "&#124" from the HTML view of the editor, then not switch back to the GUI, simply publishing from the HTML view at once:



For this article it looked like this when I pushed publish: (notice how the text for < is written):

And the result on blogspot.com was as I wanted:

Batch script userinput checking

I have to run a script with the runas command, but since the script is running commands toward several servers there is the danger of locking out the runas user if the password given is wrong. Simply because runas does not verify the password, it just executes the commands.

So to avoid problems I would like to ask the user for the password, verify the password, and only actually run the runas command if the password is as expected.

At a first glance this sounded good, I just had to put in the checksum of the expected userinput in the script, then calculate the checksum of the userinput, and compare the two inside the script.

At second thought this solution was not really acceptable, because if the users password changes, you would have to update the script! Not very robust or elegant. So instead a colleague pointed out the obvious, which of course is to check errorlevel of a single run of runas. That should not lock out the user:
runas /user:domain\username net >nul 2>&1
rem "if not errorlevel 0" is never true, because ERRORLEVEL is always >= 0; test for a non-zero exit code instead
if errorlevel 1 (set "status=failure" & goto exiting)


To make any of above approaches work, we needed a method of getting users input, and a method of sending that input to runas.

Getting the user's input in a .bat file was solved by using a special .com file:
rem %inputfile% must name a file with the .com extension; the echo below writes the tiny program into it
echo hP1X500P[PZBBBfh#b##fXf-V@`$fPf]f3/f1/5++u5>%inputfile%
echo Enter a string (it will not echo here):
for /f "tokens=*" %%i in ('%inputfile%') do set userinput=%%i
if "%userinput%"=="" (set "status=stringempty" & goto exiting)
if "%userinput%"=="^C" (set "status=stringcancel" & goto exiting)


Sending the %userinput% content back to runas could not be done with a redirection like <, so a mini VBScript for pasting a string was made:
Set oArgs = WScript.Arguments
WScript.Sleep(1000)
Set WshShell = CreateObject("WScript.Shell")
WshShell.SendKeys oArgs(0) & vbCrLf


Others have been discussing how to pipe passwords into runas, but I don't want to use the approaches described.

So the problem was solved without using hardcoded md5 or sha256 checksums! But just to have the hardcoded approach for optional other use, here is how it was done:
rem echo passes everything before the pipe (including the space in front of it) plus CR LF to md5deep, so the stored hashes cover those bytes too
FOR /F "usebackq" %%A IN (`echo %userinput% ^| md5deep.exe`) DO set md5hash=%%A
echo debug: md5hash of userinput is: %md5hash%
if "%md5hash%" == "77e2d91aa21a4158d889fb9836f38288" (set "status=ok_string_is_hej" & goto dosomething)
if "%md5hash%" == "291013bf3a3c543625a2777073f91799" (set "status=ok_string_is_password" & goto dosomething)

In the above I used md5deep to calculate a checksum of the batch string, and it could easily have been sha256deep.exe, which is part of the md5deep package.

I would have used Microsoft's own Windows checksum util FCIV (File Checksum Integrity Verifier), but there are at least 2 problems with the current version 2.05:

First, fciv.exe does not take input from STDIN, which means you can not run like this:
echo foobar | fciv.exe

You have to echo into a file and then calculate the checksum:
echo foobar > foobar.txt
fciv.exe foobar.txt
//
// File Checksum Integrity Verifier version 2.05.
//
5e963b88334c3c4487572cce68496989 foobar.txt

So I used md5deep package, which actually does calculate checksum of input from stdin, useful for strings:
echo foobar | sha256deep.exe
791132eb55910a285d5bfeae94b49ead8d5184d7ecf70bccdeafd0e456c2916d
echo foobar | md5deep.exe
5e963b88334c3c4487572cce68496989


The second problem with fciv.exe is the output: it is too verbose! I would need only the checksum so I can put it into a variable. So md5deep it is!
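Two things in the hashed-input approach above and in the echo-to-md5deep test are easy to miss: cmd's echo sends everything before the pipe, including the space in front of it and a trailing CR LF, so the digest is of those bytes and not of the bare string (which is why `echo foobar | md5deep.exe` does not give the well-known digest of "foobar"), and the batch `if "%md5hash%" == "..."` comparison stops at the first differing character. The following added example (not from the post) shows both: it models the bytes echo produces, normalises them before hashing, and compares digests without short-circuiting. The string "foobar" and the whitelist are constructed for the example; the digest modules are Perl core.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(sha256_hex);

# Model of what "echo foobar | md5deep.exe" feeds to the hasher in cmd:
# everything up to the pipe (including the trailing space) followed by CR LF.
sub cmd_echo_bytes {
    my ($s) = @_;
    return "$s \r\n";
}

# Strip trailing whitespace and line ending, so an echoed value and a value
# typed through the .com helper hash to the same digest.
sub normalize_input {
    my ($s) = @_;
    $s =~ s/\s+\z//;
    return $s;
}

# Compare two hex digests without stopping at the first mismatch; batch's
# string equality stops early and so leaks the position of the first bad byte.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed whitelist, the equivalent of the hardcoded hashes in the batch
# script. An unsalted digest of a short string is still exposed to guessing,
# which is the reason the post moved to checking runas's exit code instead.
my %known = (
    sha256_hex('foobar'), 'ok_string_is_foobar',
);

sub classify_input {
    my ($raw) = @_;
    my $digest = sha256_hex(normalize_input($raw));
    for my $expected (keys %known) {
        return $known{$expected} if digests_equal($digest, $expected);
    }
    return 'unknown';
}

printf "md5    of 'foobar'        : %s\n", md5_hex('foobar');
printf "md5    of echoed foobar   : %s\n", md5_hex(cmd_echo_bytes('foobar'));
printf "sha256 of 'foobar'        : %s\n", sha256_hex('foobar');
print  "typed  'foobar' -> ",  classify_input('foobar'), "\n";
print  "echoed 'foobar' -> ",  classify_input(cmd_echo_bytes('foobar')), "\n";
print  "typed  'foobaz' -> ",  classify_input('foobaz'), "\n";
```

The first two printed digests differ only because of the extra space and line ending; both the typed and the echoed "foobar" classify as the same string once normalised, and "foobaz" does not match.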

The trick to actually get the output from the external md5deep command into a batch variable is to use a for loop, and escape the pipe (|) with a ^ instead of a \, which was what I tried first.

Apparently the hat (^) is the DOS escape character, e.g. used if you want to echo the following characters from a .bat file into another file: ^@, ^> and ^&. For example:
echo ^@echo off > c:\tempscript.bat
echo dir c:\ ^> c:\dirlist.txt >> c:\tempscript.bat
echo del c:\tempfile.log /F /Q >> c:\tempscript.bat
echo exit >> c:\tempscript.bat


Another md5 sum checker, built in java (source available), which can check a dir and subdirs, like md5deep.exe can be found here.

Monday, January 21, 2008

Secure data handling - the power to raid!

When I read that another laptop with personal data was missing, in Britain again, I remembered reading TaoSecurity's predictions for 2008, there was something about an initiative to give the power to raid Government departments. It looks like that initiative really needs to get going!

I really hope this power is moving toward companies as well. If you handle personal data, you should be subject to unexpected tests! Much similar to internal revision and penetration testing.

But should the results from such a new "data protection department" be public, similar to the smiley for restaurants and cafes? If so, should it be public before or after problems are fixed? Like full disclosure, it has its pros and cons. But customers would know if a particular company took data security and handling seriously! Maybe if something is a bit more expensive, but has a better "data handling smiley", I as a customer could make the choice myself. Opposed to now, where I really don't know how well or badly companies handle my personal data!
The Information Commissioner’s Office (ICO), which polices the security of the nation’s data, is to be given the power to raid Government departments suspected of breaching protection laws.

The move, announced today by Gordon Brown, comes in response to the loss by HM Revenue & Customs (HMRC) of personal details of some 25 million Britons. The Prime Minister said the ICO would be given extra powers to carry out “spot checks” of government departments.

He added: "For some time I have been pressing the government to give my Office the power to audit and inspect organisations that process people’s personal information without first having to get their consent."

Friday, January 11, 2008

Defensible Network Architecture 2.0

Taosecurity starts off 2008 with another great "tasks/topics to consider for IT administrations", similar to "IT security - determine your score of the game".

Once again, any administrator should read his blog :-)

This time it's version 2.0 of how to have a network architecture that gives you "the best chance to resist intrusion, since perfect intrusion prevention is impossible":
A Defensible Network Architecture is an information architecture that is:

  1. Monitored. The easiest and cheapest way to begin developing DNA on an existing enterprise is to deploy Network Security Monitoring sensors capturing session data (at an absolute minimum), full content data (if you can get it), and statistical data. If you can access other data sources, like firewall/router/IPS/DNS/proxy/whatever logs, begin working that angle too. Save the tougher data types (those that require reconfiguring assets and buying mammoth databases) until much later. This needs to be a quick win with the data in the hands of a small, centralized group. You should always start by monitoring first, as Bruce Schneier proclaimed so well in 2001.

  2. Inventoried. This means knowing what you host on your network. If you've started monitoring you can acquire a lot of this information passively. This is new to DNA 2.0 because I assumed it would be already done previously. Fat chance!

  3. Controlled. Now that you know how your network is operating and what is on it, you can start implementing network-based controls. Take this anyway you wish -- ingress filtering, egress filtering, network admission control, network access control, proxy connections, and so on. The idea is you transition from an "anything goes" network to one where the activity is authorized in advance, if possible. This step marks the first time where stakeholders might start complaining.

  4. Claimed. Now you are really going to reach out and touch a stakeholder. Claimed means identifying asset owners and developing policies, procedures, and plans for the operation of that asset. Feel free to swap this item with the previous. In my experience it is usually easier to start introducing control before making people take ownership of systems. This step is a prerequisite for performing incident response. We can detect intrusions in the first step. We can only work with an asset owner to respond when we know who owns the asset and how we can contain and recover it.

  5. Minimized. This step is the first to directly impact the configuration and posture of assets. Here we work with stakeholders to reduce the attack surface of their network devices. You can apply this idea to clients, servers, applications, network links, and so on. By reducing attack surface area you improve your ability to perform all of the other steps, but you can't really implement minimization until you know who owns what.

  6. Assessed. This is a vulnerability assessment process to identify weaknesses in assets. You could easily place this step before minimization. Some might argue that it pays to begin with an assessment, but the first question is going to be: "What do we assess?" I think it might be easier to start disabling unnecessary services first, but you may not know what's running on the machines without assessing them. Also consider performing an adversary simulation to test your overall security operations. Assessment is the step where you decide if what you've done so far is making any difference.

  7. Current. Current means keeping your assets configured and patched such that they can resist known attacks by addressing known vulnerabilities. It's easy to disable functionality no one needs. However, upgrades can sometimes break applications. That's why this step is last. It's the final piece in DNA 2.0.

    Event log ID to description and vice versa

    Where do you go for event log id information? Google it - as anything else :-) Today i wanted to know the event ID for a Windows 2003 server rebooting, how do i find that?

    Besides google it, I could look in an event log around the time of a reboot for a server.

    I can not search it on Microsofts Events and Errors Message Center. It is useful if you have the event id, but not really for free text search.

    I came closer when looking at Ultimate Windows Security website, but the lists are not complete and I didnt see an option for search.
    512
    All Versions

    Windows NT is starting up
    513
    Win2003
    XP

    Windows NT is shutting downI
    I thought EventID.net would be the place, but i can also only look up know ID numbers. They do require a registration fee for the more exotic search options, so perhaps I need to go there, I dont know. Besides that looking up info about eg. event id 513 gives really useful information:
    Source Security
    Type Success Audit
    Description Windows NT is shutting down. All logon sessions will be terminated by this shutdown.
    English please! Request a translation of the event description in plain English! An example of "English please" is available here.
    Details Comments and links for event id 513 from source Security

    I will give the 3 scripts evtstats.pl/lsevt2.pl/lsevt.pl from Windows Security Analysis a try, as with that i can run a query toward a Windows 2003 server and grep for the word reboot. Perhaps this is the best way :-)

    Other than this, i am not sure how to find this information, besides Googling of course :-)

    Oh, while I am at it, i will leave a link to Stephen Bunting guide of repairing event log files.

    Book review: Windows Forensic Analysis

    I finally had a chance to finish reading Windows Forensic Windows_Forensic_Analysis.jpgAnalysis. From the start I was happy with the way the book is written, and I give it 5 of 5 possible. I am not working with forensics in my daily administration work, but I learned a lot about security methods and tools in general, something that can be of great help for normal administration too.

    The book is flooded with tools worth trying, and with examples usage. The examples illustrates the topic really well, and the tools are perfect to get started on your own.

    In addition to tool suggestions the author provides the reader with many perl scripts, which further helps in better understanding of the topic, and makes you want to learn more! The scripts are also simply useful and saves you a lot of time when you want to try the stuff discussed in the book. I just loooved the scripts!

    I consider myself an okay experienced Windows administrator (since 1999), and many of the topics was not new. But I liked another explanation of the topics, and I also learned a lot of totally new stuff.

    I recommend all Windows administrators reading this book! And dont forget to read Richard Bejtlichs review (TaoSecurity), he knows how to wrote really useful reviews!

    Monday, January 7, 2008

    Apache, disable debugging functions

    I want to disable debugging function TRACE as recommended by Nessus rule 11213.

    The Nessus rule has very precise guide for disabling:

    Add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACETRACK)
    RewriteRule .* - [F]

    Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
    support disabling the TRACE method natively via the 'TraceEnable'
    directive.


    So in my Apache main config file I put TraceEnable off.

    I will check the Nessus scan results after these changes.
    If you can not wait for that, you can use telnet to check whether TRACE is actually off:
    telnet your.server 80
    TRACE / HTTP/1.1
    Host: a.valid.hostname
    X-Test: sometext

    End the request with an empty line (a bare line like "sometext" without a header name would only get you a 400 Bad Request). If TRACE is still enabled, Apache answers 200 OK with Content-Type: message/http and echoes the whole request, including the X-Test line, back to you. With TraceEnable off it answers 405 Method Not Allowed; with the RewriteRule variant it answers 403 Forbidden.
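    The telnet test is easy to automate, so here is an added example (my own code, not from the original post or from Nessus) that sends the same raw TRACE request over a plain socket and classifies the answer: 200 with the request echoed back means TRACE is enabled, 405/403 means it is blocked. Host and port are command-line arguments; the X-Probe header name is just a marker chosen for this example so the echo can be recognised in the body.

```python
"""Probe an HTTP server for the TRACE method.

Added example, not code from the original post. Speaks raw HTTP/1.1 over a
socket (port 80 by default, like the telnet test) and classifies the reply.
"""
import socket
import sys


def build_trace_request(host: str) -> bytes:
    # A minimal TRACE request; the empty line terminates the header block.
    # X-Probe is an arbitrary marker header chosen for this example.
    return (f"TRACE / HTTP/1.1\r\nHost: {host}\r\nX-Probe: sometext\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def classify_trace_response(raw: bytes) -> str:
    """Return 'enabled', 'disabled' or 'unknown' for a raw HTTP response.

    TRACE counts as enabled when the server answers 200 and echoes the request
    (Content-Type: message/http, or our marker header showing up in the body).
    405 (TraceEnable off), 403 (RewriteRule ... [F]) and 501 mean it is blocked.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return "unknown"
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    echoed = (headers.get(b"content-type", b"").startswith(b"message/http")
              or b"x-probe: sometext" in body.lower())
    if status == 200 and echoed:
        return "enabled"
    if status in (403, 405, 501):
        return "disabled"
    return "unknown"


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Connect, send the probe and classify whatever the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:                     # read until the server closes (Connection: close)
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    verdict = check_trace(target, target_port)
    print(f"TRACE on {target}:{target_port}: {verdict}")
    # Exit 1 while TRACE is still enabled, so a scan script can gate on it.
    sys.exit(1 if verdict == "enabled" else 0)
```

    Run it as `python trace_check.py your.server 80`. It only speaks plain HTTP; for an HTTPS virtual host you would wrap the socket in TLS first, and remember that TraceEnable is per server/virtual host, so check each one you care about.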

    Apache, restrict connections to SSL 3.0 and ensure strong encryption

    For my Apache I wanted to disable SSL 2.0, as recommended by Nessus rule 20007, and to disable weak SSL ciphers as recommended by Nessus rule 26928.

    When looking around I found a nice description at Novell:

    • Use only High and Medium security cipher suites, such as RC4 and RSA.
    • Remove from consideration any ciphers that do not authenticate, such as Anonymous Diffie-Hellman (ADH) ciphers.
    • Use SSL 3.0, and disable SSL 2.0.
    • Disable the Low, Export, and Null cipher suites.
    So for Apache I did the following:
    Open the /etc/httpd/conf/httpd.conf file in a text editor, then locate the SSLCipherSuite directive in the Virtual Hosts section:
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    Modify the plus (+) to a minus (-) in front of the ciphers you want to disable and make sure there is a ! (not) before ADH:
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL

    I will check Nessus scan output after the changes.
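    Before waiting for the next scan you can see exactly which suites a cipher string leaves enabled with `openssl ciphers -v '<your SSLCipherSuite string>'`. The added example below (my own code, not from the original post, Novell or Apache) reads that output on stdin and flags every suite that breaks one of the four rules in the Novell list: anonymous key exchange, null encryption, export or low strength, and SSLv2. Two caveats a scan will also hit: the cipher string only removes the SSLv2 cipher suites, the protocol version itself is controlled by the SSLProtocol directive (e.g. SSLProtocol all -SSLv2), and on Red Hat style systems the SSLCipherSuite line usually lives in /etc/httpd/conf.d/ssl.conf rather than httpd.conf. The SAMPLE text in the block is constructed in the `openssl ciphers -v` layout for the stand-alone demo.

```python
"""Audit the cipher suites an SSLCipherSuite string really enables.

Added example, not from the original post, Novell or Apache. Typical use:
    openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL' | python audit_ciphers.py
Prints each suite violating a rule and exits 1 if any did. SAMPLE is a
constructed stand-in for that output, used when nothing is piped in.
"""
import re
import sys

# Constructed sample in `openssl ciphers -v` layout: name, protocol, Kx=, Au=,
# Enc=, Mac=, optional "export". Real output depends on the OpenSSL build.
SAMPLE = """\
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

MIN_ENC_BITS = 128   # OpenSSL's LOW (56-bit) and EXPORT (40-bit) suites fall below this


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    suite = m.groupdict()
    bits = re.search(r"\((\d+)\)", suite["enc"])
    suite["enc_bits"] = int(bits.group(1)) if bits else 0
    suite["export"] = bool(suite["export"])
    return suite


def weaknesses(suite):
    """List the rules a parsed suite violates; an empty list means acceptable."""
    reasons = []
    if suite["au"] == "None":
        reasons.append("anonymous key exchange (no authentication)")
    if suite["enc"].startswith("None"):
        reasons.append("null encryption")
    elif suite["export"]:
        reasons.append("export strength")
    elif suite["enc_bits"] < MIN_ENC_BITS:
        reasons.append(f"low strength ({suite['enc_bits']}-bit)")
    if suite["proto"] == "SSLv2":
        reasons.append("SSLv2 cipher suite")
    return reasons


def audit_cipher_list(text):
    """Return [(name, protocol, reasons)] for every offending suite in the text."""
    findings = []
    for line in text.splitlines():
        suite = parse_cipher_line(line)
        if suite is None:
            continue                     # blank lines, error messages, anything else
        reasons = weaknesses(suite)
        if reasons:
            findings.append((suite["name"], suite["proto"], reasons))
    return findings


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    findings = audit_cipher_list(text)
    for name, proto, reasons in findings:
        print(f"{name} ({proto}): {', '.join(reasons)}")
    sys.exit(1 if findings else 0)   # non-zero so a config test can fail on weak suites
```

    The thresholds match the Novell list from 2008, so 128-bit RC4 and SSL 3.0 pass; RC4 has since been prohibited for TLS (RFC 7465) and SSL 3.0 deprecated (RFC 7568), so a current audit would also flag Enc=RC4 and keep SSLProtocol from offering SSLv3.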

    Friday, January 4, 2008

    Fetchlog alternatives for Windows and 2003/2000/NT resource kit tools

    I am looking for an alternative to the simple fetchlog util on unix, which tails a file and keeps a bookmark of how far it has checked in the file. When a string is found, I can take an action, such as launching a script, sending mail or restarting services. Works well for some simple purposes :-)

    I am not looking for full blown log analysis, such as OSSEC, which I really like though.

    I haven't found anything that I really want to use, but here is my list of things to try:

    WinTail. $49.95, with basics such as sending notification mails, but can it run a script, e.g. a restart of a service? That is needed really often. 30-day trial, worth a try I guess.

    Some more simple tail tools:
    Tail4Win. Also 30-day trial, $45, looks similar to normal tail, there seems to be no notify option.
    MakeLogic Tail. Freeware, tails more than one file, requires JRE 5.0, has no notifications it seems.
    tail.exe. Windows 2003 resource kit (see below), does not tail more than one file!
    Tail Ace. Freeware, multiple logfiles, but no notifications, java based, requires JRE 6.0.
    Tail XP. Freeware. Tails more than one file, but you can not see the difference, and it shows in a GUI which can not be piped to a grep for example. Only takes one file from the command line -f argument, and still opens it in a GUI. No notifications.

    None of the above really meets what I at least need of a fetchlog tool. If I can not find a fetchlog-like tool, I would at least need a grep tool that can tail -f more than one file, and from the command line. And it must be possible to send the output to STDOUT for more processing and use in scripts, e.g. based on errorlevel. So far I haven't found anything that does this!
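    What a fetchlog-style tool has to get right is the bookmark: remember how far the file was read last time, only report what is new, and cope with the log being truncated or rotated underneath you. The added example below (my own code, not from the original post and not the unix fetchlog tool itself) does exactly that for one file and one regular expression, and sets the exit code so a batch file can branch on errorlevel. The bookmark file name (<log>.bookmark), its format and the rotation handling are this example's own choices; the demo() log lines are constructed.

```python
"""fetchlog-style log checker: read a log from a saved bookmark, report the
new lines that match a pattern, and set the exit code so a batch file can
branch on errorlevel.

Added example, not from the original post and not the unix fetchlog tool
itself. The bookmark file name (<log>.bookmark), its format and the
rotation handling are this example's own choices.
"""
import os
import re
import sys
import tempfile


def read_bookmark(bookmark_path):
    """Return (offset, inode) saved by the previous run, or (0, None)."""
    try:
        with open(bookmark_path, "r", encoding="ascii") as fh:
            offset, inode = fh.read().split()
            return int(offset), int(inode)
    except (OSError, ValueError):
        return 0, None


def write_bookmark(bookmark_path, offset, inode):
    with open(bookmark_path, "w", encoding="ascii") as fh:
        fh.write(f"{offset} {inode}\n")


def fetch_new_lines(log_path, bookmark_path):
    """Return the whole lines written since the bookmark and advance it.

    Two cases break a naive saved offset: the file was truncated in place
    (size < offset) or replaced by rotation (inode changed). Both restart
    at 0. A trailing partial line (no newline yet) waits for the next run.
    """
    st = os.stat(log_path)
    offset, inode = read_bookmark(bookmark_path)
    if inode != st.st_ino or st.st_size < offset:
        offset = 0
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1                       # keep only complete lines
    lines = data[:end].decode("utf-8", errors="replace").splitlines()
    write_bookmark(bookmark_path, offset + end, st.st_ino)
    return lines


def scan(log_path, pattern, bookmark_path=None):
    """Return the new lines matching the regular expression `pattern`."""
    bookmark_path = bookmark_path or log_path + ".bookmark"
    rx = re.compile(pattern)
    return [ln for ln in fetch_new_lines(log_path, bookmark_path) if rx.search(ln)]


def demo():
    """Constructed walk-through on a temporary log; returns the hits of 5 scans."""
    log = os.path.join(tempfile.mkdtemp(), "app.log")
    results = []
    with open(log, "w") as fh:
        fh.write("2008-01-04 10:00:01 service started\n"
                 "2008-01-04 10:00:02 ERROR disk full\n")
    results.append(scan(log, "ERROR"))      # first run: one hit
    results.append(scan(log, "ERROR"))      # nothing new: no hits
    with open(log, "a") as fh:              # a new hit plus an unfinished line
        fh.write("2008-01-04 10:00:03 ERROR again\n2008-01-04 10:00:04 partial")
    results.append(scan(log, "ERROR"))
    with open(log, "a") as fh:              # the unfinished line is completed
        fh.write(" line ERROR done\n")
    results.append(scan(log, "ERROR"))
    with open(log, "w") as fh:              # log truncated/rotated: start over
        fh.write("2008-01-04 11:00:00 ERROR after rotate\n")
    results.append(scan(log, "ERROR"))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 3:
        for hits in demo():
            print(hits)
        sys.exit("usage: fetchlog.py <logfile> <regex>")
    hits = scan(sys.argv[1], sys.argv[2])
    for hit in hits:
        print(hit)
    # errorlevel 1 when something matched, 0 otherwise, e.g. in a batch file:
    #   python fetchlog.py app.log "reboot|ERROR"
    #   if errorlevel 1 call restart_service.cmd   (restart_service.cmd is your own script)
    sys.exit(1 if hits else 0)
```

    Run it from the scheduler every minute, once per log file, and the stdout can be piped into whatever does the alerting; several files just mean several bookmarks.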

    Some of the more full blown tools I stumbled upon were:
    http://www.xpolog.com/home/products/xpologCenter.jsp

    A comprehensive log analyzer tool overview is available at download32.com, but it covers everything, not just what I am looking for; this tail -f specific overview is not much better. Perhaps using unix tools on Windows would be better than using the simple tools above, because those tools can be piped into other commands, which I really need.

    Of course a normal tail without -f won't do, but since it has such nice batch example code, here it is (for more of the same, take a look here and here):
    @echo off
    if {%1}=={} @echo FileName parameter required.&goto :EOF
    if not exist %1 @echo %1 does NOT exist.&goto :EOF
    setlocal
    set file=%1
    set /a number=10
    if not {%2}=={} set /a number=%2
    rem count the lines in the file (find /v /c "" prints only the count when reading stdin)
    for /f %%i in ('find /v /c "" ^< %file%') do set /a lines=%%i
    @echo %lines% lines in file %file%.
    rem show the whole file if it is shorter than the requested number of lines
    if %number% GEQ %lines% set /a start=0&goto console
    set /a start=%lines% - %number%
    :console
    more /e +%start% %file%
    endlocal

    It was a surprise to me that the Windows 2003 resource kit free tools have a tail.exe; of course it is not enough for notifications and actions, and it can not tail more than one file! For completeness, here is the Windows 2003 resource kit tool list:

    • Acctinfo.dll (documented in Readme.htm)
    • Adlb.exe: Active Directory Load Balancing Tool
    • Admx.msi: ADM File Parser
    • Atmarp.exe: Windows ATM ARP Server Information Tool
    • Atmlane.exe: Windows ATM LAN Emulation Client Information
    • Autoexnt.exe: AutoExNT Service
    • Cdburn.exe: ISO CD-ROM Burner Tool
    • Checkrepl.vbs: Check Replication
    • Chklnks.exe: Link Check Wizard
    • Chknic.exe: Network Interface Card Compliance Tool for Network Load Balancing
    • Cleanspl.exe: Spooler Cleaner
    • Clearmem.exe: Clear Memory
    • Clusdiag.msi: Cluster Diagnostics and Verification Tool
    • Clusfileport.dll: Cluster Print File Port
    • Clusterrecovery.exe: Server Cluster Recovery Utility
    • Cmdhere.inf: Command Here
    • Cmgetcer.dll: Connection Manager Certificate Deployment Tool
    • Compress.exe: Compress Files
    • Confdisk.exe: Disk Configuration Tool
    • Consume.exe: Memory Consumers Tool
    • Creatfil.exe: Create File
    • Csccmd.exe: Client-Side Caching Command-Line Options
    • Custreasonedit.exe: Custom Reason Editor (documented in Readme.htm)
    • Delprof.exe: User Profile Deletion Utility
    • Dh.exe: Display Heap
    • Diskraid.exe: RAID Configuration Tool
    • Diskuse.exe: User Disk Usage Tool
    • Dnsdiag.exe: SMTP DNS Diagnostic Tool (documented in Readme.htm)
    • Dumpfsmos.cmd: Dump FSMO Roles
    • Dvdburn.exe: ISO DVD Burner Tool
    • Empty.exe: Free Working Set Tool
    • Eventcombmt.exe: Check Replication
    • Fcopy.exe: File Copy Utility for Message Queuing
    • Frsflags.vbs
    • Getcm.exe: Connection Manager Profile Update
    • Gpmonitor.exe: Group Policy Monitor
    • Gpotool.exe: Group Policy Objects
    • Hlscan.exe: Hard Link Display Tool
    • Ifilttst.exe: IFilter Test Suite
    • Ifmember.exe: User Membership Tool
    • Inetesc.adm: Internet Explorer Enhanced Security Configuration
    • Iniman.exe: Initialization Files Manipulation Tool
    • Instcm.exe: Install Connection Manager Profile
    • Instsrv.exe: Service Installer
    • Intfiltr.exe: Interrupt Affinity Tool
    • Kerbtray.exe: Kerberos Tray
    • Kernrate.exe: Kernel Profiling Tool
    • Klist.exe: Kerberos List
    • Krt.exe: Certification Authority Key Recovery
    • Lbridge.cmd: L-Bridge
    • Linkd.exe
    • Linkspeed.exe: Link Speed
    • List.exe: List Text File Tool
    • Lockoutstatus.exe: Account Lockout Status (documented in Readme.htm)
    • Logtime.exe
    • Lsreport.exe: Terminal Services Licensing Reporter
    • Lsview.exe: Terminal Services License Server Viewer
    • Mcast.exe: Multicast Packet Tool
    • Memmonitor.exe: Memory Monitor
    • Memtriage.exe: Resource Leak Triage Tool
    • Mibcc.exe: SNMP MIB Compiler
    • Moveuser.exe: Move Users
    • Mscep.dll: Certificate Services Add-on for Simple Certificate Enrollment Protocol
    • Nlsinfo.exe: Locale Information Tool
    • Now.exe: STDOUT Current Date and Time
    • Ntimer.exe: Windows Program Timer
    • Ntrights.exe
    • Oh.exe: Open Handles
    • Oleview.exe: OLE/COM Object Viewer
    • Pathman.exe: Path Manager
    • Permcopy.exe: Share Permissions Copy
    • Perms.exe: User File Permissions Tool
    • Pfmon.exe: Page Fault Monitor
    • Pkiview.msc: PKI Health Tool
    • Pmon.exe: Process Resource Monitor
    • Printdriverinfo.exe: Drivers Source
    • Prnadmin.dll: Printer Administration Objects
    • Qgrep.exe
    • Qtcp.exe: QoS Time Stamp
    • Queryad.vbs: Query Active Directory
    • Rassrvmon.exe: RAS Server Monitor
    • Rcontrolad.exe: Active Directory Remote Control Add-On
    • Regini.exe: Registry Change by Script
    • Regview.exe (documented in Readme.htm)
    • Remapkey.exe: Remap Windows Keyboard Layout
    • Robocopy.exe: Robust File Copy Utility
    • Rpccfg.exe: RPC Configuration Tool
    • Rpcdump.exe
    • Rpcping.exe
    • RPing: RPC Connectivity Verification Tool
    • Rqc.exe: Remote Access Quarantine Client
    • Rqs.exe: Remote Access Quarantine Agent
    • Setprinter.exe: Spooler Configuration Tool
    • Showacls.exe
    • Showperf.exe: Performance Data Block Dump Utility
    • Showpriv.exe: Show Privilege
    • Sleep.exe: Batch File Wait
    • Sonar.exe: FRS Status Viewer
    • Splinfo.exe: Print Spooler Information
    • Srvany.exe: Applications as Services Utility
    • Srvcheck.exe: Server Share Check
    • Srvinfo.exe: Remote Server Information
    • Srvmgr.exe: Server Manager
    • Ssdformat.exe: System State Data Formatter
    • Subinacl.exe
    • Tail.exe
    • Tcmon.exe: Traffic Control Monitor
    • Timeit.exe (documented in Readme.htm)
    • Timezone.exe: Daylight Saving Time Update Utility
    • Tsctst.exe: Terminal Server Client License Dump Tool
    • Tsscalling.exe: Terminal Services Scalability Planning Tools
    • Uddicatschemeeditor.exe: UDDI Services Categorization Scheme Editor
    • Uddiconfig.exe: UDDI Services Command-line Configuration Utility
    • Uddidataexport.exe: UDDI Data Export Wizard
    • Usrmgr.exe: User Manager for Domains
    • Vadump.exe: Virtual Address Dump
    • Vfi.exe: Visual File Information
    • Volperf.exe: Shadow Copy Performance Counters
    • Volrest.exe: Shadow Copies for Shared Folders Restore Tool
    • Vrfydsk.exe: Verify Disk
    • Winexit.scr: Windows Exit Screen Saver
    • Winhttpcertcfg.exe: WinHTTP Certificate Configuration Tool
    • Winhttptracecfg.exe: WinHTTP Tracing Facility Configuration Tool
    • Winpolicies.exe: Policy Spy
    • Wins.dll: WINS Replication Network Monitor Parser
    • Wlbs_hb.dll & Wlbs_rc.dll: Windows Load Balancing Server Network Monitor Parsers
    Now that we are looking at Windows 2003, I am reminded that I have previously gotten help (RMTSHARE.EXE) from the Windows NT resource kit tools! So here is that list. Some of the Windows NT resource kit tools can be downloaded from Microsoft.


    ADDUSERS.EXE: AddUsers - Command-line utility, creates or writes user accounts to a comma delimited file.
    (Updated) ANIEDIT.EXE: Animated Cursor Creator - Windows-based tool for drawing and editing animated cursors.
    APIMON.EXE: API Monitor
    ASSOCIATE.EXE
    (Updated) ATANALYZR.EXE: AppleTalk network device ANaLYZeR
    AUDITCAT.HLP: Audit Categories Help
    (New) AUDITPOL.EXE: AuditPol
    AUTOEXNT.EXE: AutoExNT Service - Enables you to start a batch file, AUTOEXNT.BAT, at boot time without having to log on to the computer on which it will run.
    (Updated) AUTOLOG.EXE: Windows NT Auto Logon Setter

    BREAKFTM.EXE: Automated Mirror Break/Restore Utility
    BROWMON.EXE: Browser Monitor - Windows-based tool, shows browser status.
    BROWSTAT.EXE: Browser Status - Command-line utility, diagnoses browser problems and shows browser status.

    C2CONFIG.EXE: Windows NT C2 Configuration Manager
    CHOICE.EXE: Input from Batch Files - (MS-DOS 6.0 utility).
    (Updated) CLIP.EXE: Clip
    (New) CLIPSTOR.EXE
    CMDHERE.EXE: Command Prompt Here
    COMPREG.EXE - A Win32 character-based/command-line "Registry DIFF" that enables you to compare any two local and/or remote Registry keys in both Windows NT and Windows 95.
    COMPRESS.EXE: File Compress - Command-line utility, compresses files. Needed for Setup customization.
    (Updated) COUNTERS.HLP : Windows NT Performance Counters Help
    Crystal Reports Event Log Viewer - Provides an easy way to extract, view, save, and publish information from the Windows NT system, application, and security event logs in a variety of formats.

    dbWeb
    (New) DEFPTR.EXE: Default Printer
    DELPROF.EXE: User Profile Deletion Utility
    DELSRV.EXE
    (New) DEPENDS.EXE: Dependency Walker
    Desktop Themes for Windows NT 4.0
    DESKTOPS.EXE: DeskTops
    DFLYDIST.EXE: Compound File Layout User Tool
    (Updated) DH.EXE - Command-line utility, enables you to lock heaps, tags, stacks, and objects.
    DHCPCMD.EXE: DHCP Administrator's Tool - Command-line utility.
    (Updated) DHCPLOC.EXE: DHCP Server Locator Utility - Command-line utility, detects unauthorized DHCP servers on a subnet.
    (Updated) DIRUSE.EXE: Directory Disk Usage - Command-line utility, shows disk space used per directory.
    DISKMAP.EXE
    DISKSAVE.EXE - Enables you to save the Master Boot Record and Boot Sector as binary image files.
    DISKUSE.EXE - Command-line utility, scans directories on a hard disk and reports on space used by each user.
    (New) DNSCMD.EXE
    DOMMON.EXE: Domain Monitor - Windows-based tool, gives status on domains, domain controllers, trust relationships.
    DRIVERS.EXE: Device Driver Information - Command-line utility, shows what drivers have loaded.
    DSKPROBE.EXE: DiskProbe
    DUMPEL.EXE: Dump Event Log - Command-line utility, dumps the event log to a file.

    EM2MS.EXE
    EMWAC Server CGI Gateway Scripts
    ENUMPRN.EXE
    EXCTRLST.EXE: Extensible Performance Counter List
    EXETYPE.EXE: Finding the Executable Type - Command-line utility, identifies the hardware platform of a .EXE file.
    EXPNDW32.EXE: File Expansion Utility - File Expansion utility, expands the compressed files on Windows NT distribution media.

    FILEVER.EXE: FileVer - Command-line utility, examines the version resource structure of a file or a directory of files and displays information on the versions of executable files.
    (New) FILEWISE.EXE
    FINDGRP.EXE: Find Group - Command-line utility, finds all group memberships of a specified user.
    (Updated) FIXACLS.EXE: Reset System File Permissions
    FLOPLOCK.EXE: Lock Floppy Disk Drives - Command-line utility or service that restricts access to floppy drives.
    FORFILES.EXE
    FREEDISK.EXE
    FTEDIT.EXE: FT Registry Information Editor - Windows-based tool, enables you to create, edit, and delete fault tolerance sets for disk drives and partitions of local and remote computers.

    GETMAC.EXE
    GETSID.EXE
    GFLAGS.EXE
    (Updated) GLOBAL.EXE
    GRPCPY.EXE: Group Copy

    HCLNT4.HLP: Hardware Compatibility List - HCL in online Help format
    (Updated) HEAPMON.EXE

    IFMEMBER.EXE - Command-line utility, checks whether the current user is a member of a specified group.
    IMAGEDIT.EXE: Image Editor - Windows-based tool, enables the creation of icons and cursors, and also used by the Animated Cursor Creator.
    Index Server
    INSTALLD.CMD (NTDETECT.COM): Startup Hardware Detector
    INSTSRV.EXE: Service Installer - Installs any service.

    KERNPROF.EXE: Kernel Profiler
    KILL.EXE: Task Killing Utility - Command-line utility, use to end one or more tasks, or processes.
    KIX32.EXE: KiXtart 95
    (New) KIXGRP.EXE

    LAYOUT.DLL
    LEAKYAPP.EXE: LeakyApp
    LINKCK.EXE: Link Checker
    (Updated) LOCAL.EXE
    LOGEVENT.EXE: Event Logging Utility
    (New) LOGOFF.EXE
    LOGTIME.EXE

    MIBCC.EXE: SNMP MIB compiler
    MONITOR.EXE: Performance Data Logging Service and Configuration Tool
    (Updated) MUNGE.EXE

    NETCLIP.EXE: Remote Clipboard Viewer
    NETCONS.EXE: Net Connections
    (New) NETDOM.EXE
    NETSVC.EXE: Command-line Service Controller - Command-line utility, remotely starts, stops, and queries the status of services.
    (Updated) NetTime for Macintosh
    NETWATCH.EXE: Net Watcher - Windows-based tool, shows who is connected to shared directories.
    NLMON.EXE
    NLTEST.EXE
    NOW.EXE: Now - Displays the current date and time on STDOUT, followed by any command-line arguments you add.
    (Updated) NTCARD40.HLP: Adapter Help - Describes settings for hardware supported under Windows NT.
    NTDETECT.COM (INSTALLD.CMD): Startup Hardware Detector
    (Updated) NTEVNTLG.MDB
    (Updated) NTIMER.EXE
    (Updated) NTMSG.HLP
    (New) NTRIGHTS.EXE
    NTUUCODE.EXE: 32-Bit UUDecode and UUEncode Utility

    OH.EXE
    OLEVIEW.EXE: OLE/COM Object Viewer
    OS2API.TXT - List of compatible APIs in the OS/2 subsystem.

    PASSPROP.EXE
    (Updated) PATHMAN.EXE: Pathman
    (Updated) PERF2MIB.EXE: Performance Monitor MIB Builder Tool
    (Updated) PerfLog: Performance Data Log Service
    PERFMTR.EXE: Performance Meter - Text-mode utility, provides performance information.
    (Updated) Performance Tools
    Perl 5 Scripting Language
    PERMCOPY.EXE
    PERMS.EXE: File Access Permissions per User - Command-line utility.
    PFMON.EXE: Page Fault Monitor
    PMON.EXE: Process Resource Monitor - Command-line utility.
    POLEDIT.EXE: Windows NT System Policy Editor
    POSIX Utilities
    Power Toys
    PSTAT.EXE: Process and Thread Status - Command-line utility, shows process statistics. Useful for debugging problems.
    PULIST.EXE
    PVIEWER.EXE: Process Viewer - Windows-based tool, shows the processes running in the system and allows ending processes and boosting priority.

    QSLICE.EXE: CPU Usage by Processes - Windows-based tool.
    QUICKRES.EXE: Quick Resolution Changer

    RASLIST.EXE
    RASUSERS.EXE: Enumerating Remote Access Users - Command-line utility.
    RCMD.EXE: Remote Command Service - Remotely administers and runs command-line programs, client program. Used with RCMDSVC.EXE.
    (New) REG.EXE
    REGBACK.EXE: Registry Backup - Command-line utility, backs up Registry hives to files without the use of tape.
    REGDMP.EXE
    (Updated) REGENTRY.HLP: Windows NT Registry Entries - Online Help file
    REGFIND.EXE
    Regina REXX Scripting Language
    REGINI.EXE: Registry Change by Script - Command-line utility, good for Setup programs.
    REGKEY.EXE: Logon and FAT File System Settings - Windows-based tool, sets new Registry settings without actually editing the Registry. (Not on PPC RISC-based computers)
    REGREST.EXE: Registry Restoration - Command-line utility, restores Registry hives from files.
    Remote Access Manager
    (Updated) Remote Console
    (Updated) REMOTE.EXE: Remote Command Line - Command-line utility, runs command-line programs on remote computers.
    Remote Kill
    RIPROUTE.WRI: Routing with Windows NT Server
    RMTSHARE.EXE: Remote Share - Command-line utility, sets up or deletes shares remotely and can grant and remove ACLs on those shares.
    ROBOCOPY.EXE: Enhanced Network File-Copying Utility - Command-line utility.
    RSHSVC.EXE: TCP/IP Remote Shell Service
    RSHXMENU.EXE: Security Power Toy
    RUNEXT: Run Extension

    SC.EXE
    SCANREG.EXE - A Win32 character-based/command-line "Registry GREP" that enables you to search for any string in keynames, valuenames, and/or valuedata in local or remote Registries keys in both Windows NT and Windows 95.
    SCLIST.EXE
    SCOPY.EXE: File Copy with Security - Command-line utility.
    SECADD.EXE
    SECEDIT.EXE
    (Updated) SETEDIT.EXE
    SETUPMGR.EXE: Setup Manager - Windows-based tool, enables Windows NT to be installed or upgraded remotely.
    SETX.EXE
    ShareUI
    SHORTCUT.EXE
    (Updated) SHOWACLS.EXE
    SHOWDISK.EXE
    SHOWGRPS.EXE
    SHOWMBRS.EXE
    SHUTDOWN.EXE and SHUTGUI.EXE: Remote Shutdown - Command-line and GUI utilities, remotely shut down a server.
    (New) SIPANEL.EXE: Soft Input Panel
    SLEEP.EXE: Batch File Wait - Command-line utility, waits for a specified amount of time. Useful in batch files.
    SNMPMON.EXE: SNMP Monitor
    SNMPUTIL.EXE: SNMP Browser
    SOON.EXE: Near-Future Command Scheduler
    SRVANY.EXE: Applications as Services Utility
    SRVCHECK.EXE
    SRVINFO.EXE
    SRVINSTW.EXE: Service Installer Wizard
    (New) SRVMON.EXE: Service Monitor
    (Updated) SU.EXE - Enables you to start a process running as an arbitrary user.
    (Updated) SUBINACL.EXE: SubInAcl
    SYSDIFF.EXE

    TDISHOW.EXE: TDI Tracing Utility - Command-line utility, traces packets going across the TDI layer.
    TELNETD.EXE: Telnet Server Beta
    TEXTVIEW.EXE: TextViewer
    TIMEOUT.EXE
    (Updated) TIMESERV.EXE: Time Synchronizing Service - Command-line utility or service.
    TIMETHIS.EXE: TimeThis
    TIMEZONE.EXE
    TLIST.EXE: Task List Viewer
    TLOCMGR.EXE: Telephony Location Manager
    TOPDESK.EXE: Multiple Desktops - Windows-based tool.
    (Updated) TOTLPROC.EXE
    TweakUI
    TZEDIT.EXE: Time Zone Editor - Windows-based tool.

    UPTOMP.EXE: Uni to Multiprocessor Upgrade Utility
    USRSTAT.EXE
    USRTOGRP.EXE: Add Users to Groups - Command-line utility, adds users to local or global groups from a user-specified input text file.

    VDESK.EXE

    (New) WAITFOR.EXE
    WCAT: Web Capacity Analysis Tool
    Web Administration of Microsoft Windows NT Server
    WhoAmI
    (Updated) WINAT.EXE: Command Scheduler
    WINDIFF.EXE: File and Directory Comparison - Windows-based tool.
    WINEXIT.SCR: Windows Exit Screen Saver - Logs the current user off after a specified time has elapsed.
    (Updated) WINLOGO.DOC: "Designed for Windows NT and Windows 95" Logo Handbook
    (Updated) WinMsdP.EXE - Command-line utility, generates a text file of all the information in WINMSD.
    WINSCHK.EXE
    WINSCL.EXE
    WINSDMP.EXE: WinsDump
    WNTIPCFG.EXE: Graphical IPConfig Utility

    XCACLS.EXE
    The Windows 2000 resource kit tools are equally important (jt.exe); here is a (not complete) list. You can download some of the Windows 2000 resource kit tools from Microsoft.


    Active Directory Sizer (adsizer.exe)
    Application Programming Interface monitor (apimon.exe)
    Application Security (appsec.exe)
    Cluster Quorum Restore Utility (clusrest.exe)
    Counter List (ctrlist.exe)
    Cluster Verification Utility (clustsim.exe)
    Domain Controller Diagnostic Tool (dcdiag.exe)
    Delete File and Reparse Points (delrp.exe)
    Delete Server (delsrv.exe)
    Display Heap (dh.exe)
    DHCP Database Export Import Tool (dhcpexim.exe)
    Directory Disk Usage (diruse.exe)
    Disk Map (diskmap.exe)
    Disk Partition (diskpart.exe)
    Disk Manager Diagnostics (dmdiag.exe)
    List Loaded Drivers (drivers.exe)
    Drive Share (drmapsrv.exe)
    Dump Event Log (dumpel.exe)
    Dump FSMO Roles (dumpfsmos.cmd)
    Registry Size Estimator (dureg.exe)
    Encrypting File System Information (efsinfo.exe)
    Extensible Performance Counter List (exctrlst.exe)
    Extract Cabinet (extract.exe)
    FAZAM 2000
    GetMAC (getmac.exe)
    Get Security ID (getsid.exe)
    Group Policy Verification Tool (gpotool.exe)
    Group Policy Results (gpresult.exe)
    GUID to Object (guid2obj.exe)
    Heap Monitor (heapmon.exe)
    Hard link display tool (hlscan.exe)
    If Member (Ifmember.exe)
    IIS Migration Wizard (IISMIGrationWizard_Setup.exe)
    Installation Monitor (instaler_setup.exe)
    File-In-Use Replace Utility (inuse.exe)
    Internet Protocol Security Policies Tool (ipsecpol.exe)
    Kerberos Tray (kerbtray.exe)
    Kerberos List (klist.exe)
    Network Connectivity Tester (netdiag.exe)
    Now (now.exe)
    NT Detect (ntdetect.com)
    Open Handles (oh.exe)
    OLE/COM Object Viewer (oleview.exe)
    Path Manager (pathman.exe)
    File Access Permissions per User (perms.exe)
    Page Fault Monitor (pfmon.exe)
    Process and Thread Status (pstat.exe)
    PuList (pulist.exe)
    File Copy (rdpclip.exe)
    Relog (relog.exe)
    RPC Configuration Tool (rpccfg.exe)
    RPC Dump (rpcdump.exe)
    RPC Connectivity Verification Tool (rpings.exe)
    Manipulate Service Principal Names for Accounts (setspn.exe)
    SetX (setx.exe)
    Performance Data Block Dump Utility (showperf.exe)
    File Replication Service (FRS) Status Viewer (sonar.exe)
    Near-Future Command Scheduler (soon.exe)
    Automated Installation Tool (sysdiff.exe)
    Timethis (timethis.exe)
    Trace Dump (tracedmp.exe)
    Trace Enable (traceenable.exe)
    Trace Log (tracelog.exe)
    Terminal Server Capacity Planning Tools (tscpt.exe)
    User State Migration Tool (usmt.exe)
    Virtual Address Dump (vadump.exe)
    Who Am I (whoami.exe)
    WinStation Monitor (winsta.exe)
    Windows NT IPConfig Utility (wntipcfg.exe)
    XCacls (xcacls.exe)
    Maybe someone knows of a website that does "Windows alternatives for open source tools", similar to "Open source alternative for Windows (commercial) tools"?