Sometimes it is useful to have something like remote control during WinPE. In Win7 I did this with a VNC server running in WinPE. But there is an even nicer MS way to do it. This article refers to a guest article (outside of Microsoft) contributing its own PowerShell code. The code is not from me, so no warranty on it!
Thanks to Dan Padgett for making it and thanks to Björn for making me aware of it!
So here is the link to the guest article:
https://execmgr.net/2016/02/02/dart-remote-control-winpe-the-nice-way/
Tuesday, December 18, 2018
Extend and read Windows Update Log
Sometimes something goes wrong during Windows Update, so it is helpful to know what went wrong. That is what the Windows Update log is for. But where is it, how do you read it, and how do you extend it to get even more out of it?
Beware: in Windows 10 the Windows Update log file is by default in ETL format!
This is an internal Microsoft logging format. To "translate" it into a human-readable format you need to convert it. Fortunately this is very simple:
1. Open PowerShell
2. Type in: Get-WindowsUpdateLog (and press Enter)
3. The last line will tell you where the WindowsUpdate.log file was written.
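As an added example (not part of the original post), here is a PowerShell snippet that runs the conversion from step 2 to a path of your own choosing and then summarizes the error codes found in the resulting text log, so you do not have to read thousands of lines by hand. Get-WindowsUpdateLog and its -LogPath parameter are the real cmdlet; the output location and the regular expression for the HRESULT-style error codes are my assumptions.

```powershell
# Added example, not from the original post.
# Converts the Windows Update ETL traces to a plain-text log and summarizes
# the HRESULT-style error codes (0x8.......) it contains.

function Convert-WindowsUpdateLog {
    param(
        # Assumed output location; without -LogPath the cmdlet writes to the desktop.
        [string]$LogPath = (Join-Path $env:TEMP 'WindowsUpdate.log')
    )
    # Real cmdlet from the WindowsUpdate module (Windows 10 and later).
    Get-WindowsUpdateLog -LogPath $LogPath
    return $LogPath
}

function Get-WindowsUpdateErrorSummary {
    param([Parameter(Mandatory)][string]$LogPath)
    # Count every distinct error code, most frequent first, so transient
    # network codes can be told apart from the one that actually failed the update.
    Select-String -Path $LogPath -Pattern '0x8[0-9A-Fa-f]{7}' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Value.ToUpperInvariant() } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-WindowsUpdateFailureLines {
    param([Parameter(Mandatory)][string]$LogPath, [int]$Last = 30)
    # Lines that mention FAILED or WARNING together with an error code are
    # usually the ones to read first; show the most recent of them.
    Select-String -Path $LogPath -Pattern '(FAILED|WARNING).*0x8[0-9A-Fa-f]{7}' |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

# Usage:
$log = Convert-WindowsUpdateLog
Get-WindowsUpdateErrorSummary -LogPath $log | Format-Table -AutoSize
Get-WindowsUpdateFailureLines -LogPath $log
```

The code-count table is the quickest way to spot the real failure: a code that appears once right before the update is abandoned matters more than a retry code that appears fifty times.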
How to enable extended logging
Microsoft Product Support Services may ask you to turn on verbose logging. To turn it on, add the following registry key with two values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Value name: Flags
Value type: REG_DWORD
Value data: 00000007
Value name: Level
Value type: REG_DWORD
Value data: 00000004
This registry key turns on extended tracing to the %systemroot%\Windowsupdate.log file. Additionally, it turns on extended tracing to any attached debuggers.
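As an added example (not from the original post), the following PowerShell creates the Trace key with exactly the two values listed above, verifies that they were written, and removes the key again when troubleshooting is finished. The function names are mine; the key path and values are the ones from the post.

```powershell
# Added example, not from the original post.
# Creates the Trace key with the Flags/Level values the post lists, reads them
# back for verification, and can remove them again once troubleshooting is done.
# Must run in an elevated PowerShell session (writes under HKLM).

$TraceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace'

function Enable-WindowsUpdateVerboseLogging {
    # -Force creates missing parent keys and does not fail if the key already exists.
    New-Item -Path $TraceKey -Force | Out-Null
    # Both values are REG_DWORD, as in the post: Flags = 7, Level = 4.
    New-ItemProperty -Path $TraceKey -Name 'Flags' -PropertyType DWord -Value 7 -Force | Out-Null
    New-ItemProperty -Path $TraceKey -Name 'Level' -PropertyType DWord -Value 4 -Force | Out-Null
}

function Test-WindowsUpdateVerboseLogging {
    # Returns $true only if both values exist with exactly the expected data.
    if (-not (Test-Path $TraceKey)) { return $false }
    $p = Get-ItemProperty -Path $TraceKey
    return ($p.Flags -eq 7) -and ($p.Level -eq 4)
}

function Disable-WindowsUpdateVerboseLogging {
    # Removing the whole key returns the Windows Update client to default logging.
    if (Test-Path $TraceKey) { Remove-Item -Path $TraceKey -Recurse }
}

# Usage:
Enable-WindowsUpdateVerboseLogging
if (Test-WindowsUpdateVerboseLogging) { 'Verbose Windows Update tracing is enabled.' }
# ... reproduce the problem and collect the log, then:
# Disable-WindowsUpdateVerboseLogging
```

Verbose tracing is a troubleshooting setting, not a steady state: it grows the log quickly and can leak configuration details into it, so read the values back after setting them and take the key away again once the case is closed.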
How to read and understand the log
You will find a comprehensive article on this here: https://support.microsoft.com/en-us/help/902093/how-to-read-the-windowsupdate-log-file
Windows Defender Antivirus Exclusions
Like every antivirus solution, Microsoft Defender also has exclusions for files that are not scanned. This is mainly for performance, but also for operational reasons. E.g. you have a VHD file from a VM: the VM guest is already scanning itself, so there is no need for the host to scan the VHD file as well. But there are still others. Here you get a comprehensive, updated list of exclusions from Microsoft field support engineers.
Especially SCCM, SQL and IIS workloads need additional exclusions for operational reasons!
The recommendations for each section are separated into "Operational" and "Performance" levels. Operational recommendations are highly encouraged to be added to your exclusions list. Performance recommendations should only be considered if you are experiencing issues that may be caused by your antivirus product.
The following information covers what could be recommended for your environment.
Sections covered:
- Core Exclusions for Supported Versions of Windows
- ConfigMgr Core Installation Exclusions (All Versions)
- ConfigMgr Core Installation Exclusions (Current Branch Versions)
- ConfigMgr Content Library Exclusions
- ConfigMgr Imaging Exclusions
- ConfigMgr Process Exclusions
- ConfigMgr Client Exclusions
- SQL Server Exclusions
- IIS Exclusions
- WSUS Exclusions
Details on the variables referenced:
- <InstallDrive> can be multiple drives in some environments, so it is best to use a wildcard if possible for the antivirus solution you have deployed throughout your environment. Please refer to your vendor's documentation for further instructions.
- <InstanceName> is the name of the SQL instance you are using in your environment. Please be aware whether you use any named SQL instances or the default, "MSSQLServer".
- <SQL Version> is the version of SQL you are using in your environment. This may also differ for each SQL service referenced between versions SQL Server 2005-2008 R2 and SQL Server 2012+. Please be aware of what version you have installed. KB 309422 and the article below can provide you with more details.
Core Exclusions for Supported Versions of Windows
- Operational
  - %allusersprofile%\NTUser.pol
  - %windir%\Security\Database\*.chk
  - %windir%\Security\Database\*.cmtx
  - %windir%\Security\Database\*.csv
  - %windir%\Security\Database\*.edb
  - %windir%\Security\Database\*.jrs
  - %windir%\Security\Database\*.log
  - %windir%\Security\Database\*.sdb
  - %windir%\Security\Database\*.xml
  - %windir%\SoftwareDistribution\Datastore\Datastore.edb
  - %windir%\SoftwareDistribution\Datastore\Logs\edb.chk
  - %windir%\SoftwareDistribution\Datastore\Logs\edb*.jrs
  - %windir%\SoftwareDistribution\Datastore\Logs\edb*.log
  - %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
  - %windir%\System32\GroupPolicy\Machine\Registry.pol
  - %windir%\System32\GroupPolicy\User\Registry.pol
ConfigMgr Core Installation Exclusions (All Versions)
- Operational
  - <InstallDrive>\Program Files\Microsoft Configuration Manager\Inboxes\*.*
  - <InstallDrive>\Program Files\Microsoft Configuration Manager\Install.map
  - <InstallDrive>\Program Files\Microsoft Configuration Manager\Logs
  - <InstallDrive>\Program Files\SMS_CCM\Logs
  - <InstallDrive>\Program Files\SMS_CCM\ServiceData
ConfigMgr Core Installation Exclusions (Current Branch Versions)
- Applicable to 1511+
  - Operational
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\cd.latest
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\EasySetupPayload
  - Performance
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\AdminUIContentPayload
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\AdminUIContentStaging
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\CMUStaging
- Applicable to 1602+
  - Performance
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\CMUClient
- Applicable to 1610+
  - Performance
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\PilotingUpgrade
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\RLAStaging
- Applicable to 1702+
  - Performance
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\CMProviderLog
ConfigMgr Content Library Exclusions
- Operational
  - <InstallDrive>\SMS_DP$
  - <InstallDrive>\SMSPKG<DriveLetter>$
  - <InstallDrive>\SMSPKG
  - <InstallDrive>\SMSPKGC$
  - <InstallDrive>\SMSPKGSIG
  - <InstallDrive>\SMSSIG$
- Performance
  - <InstallDrive>\SCCMContentLib
  - <InstallDrive>\<ConfigMgr Backup Directory> (Ex. D:\SCCMBackup)
  - <InstallDrive>\<ConfigMgr Package Source Files> (Ex. D:\SCCMSource)
ConfigMgr Imaging Exclusions
- Operational
  - <InstallDrive>\ConfigMgr_OfflineImageServicing
  - %windir%\TEMP\BootImages
- Performance
  - %SystemDrive%\_SMSTaskSequence
ConfigMgr Process Exclusions
NOTE: Process exclusions are necessary only when aggressive antivirus programs consider System Center Configuration Manager executables (.exe) to be high-risk processes.
- Operational
  - Client Side
    - %windir%\CCM\Ccmexec.exe
    - %windir%\CCM\CmRcService.exe
    - %windir%\CCM\Ccmrepair.exe
    - %windir%\CCM\Ccmsetup.exe
  - Server Side
    - %windir%\CCM\Ccmexec.exe
    - %windir%\SMS_CCM\Ccmexec.exe
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Cmupdate.exe
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Sitecomp.exe
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smsexec.exe
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smssqlbbkup.exe
    - <InstallDrive>\Program Files\Microsoft Configuration Manager\bin\x64\Smswriter.exe
    - <InstallDrive>\SMS_<SQLFQDN>\bin\x64\Smssqlbbkup.exe
ConfigMgr Client Exclusions
- Operational
  - %windir%\CCM\*.sdf
  - %windir%\CCM\Logs
  - %windir%\CCM\ServiceData
  - %windir%\CCMCache
  - %windir%\CCMSetup
SQL Server Exclusions
- Operational
  - SQL Server Process Exclusions
    - SQLServr.exe
      - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\Binn\SQLServr.exe
    - ReportingServicesService.exe
      - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
    - MSMDSrv.exe
      - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Bin\MSMDSrv.exe
  - SQL Server data files
    - *.mdf
    - *.ldf
    - *.ndf
  - SQL Server backup files
    - *.bak
    - *.trn
  - SQL Audit files
    - *.sqlaudit
  - SQL Query files
    - *.sql
  - SQL Trace Files
    - *.trc
  - Analysis Services data files
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Backup
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Data
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\OLAP\Log
  - Full-Text catalog files
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\FTData
  - Reporting Services Files
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\LogFiles
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\Reporting Services\RSTempFiles
  - Replication Files
    - <InstallDrive>\Program Files (x86)\Microsoft SQL Server\<SQL Version>\COM
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>\COM
  - Replication Snapshot Files
    - <InstallDrive>\Program Files\Microsoft SQL Server\<SQL Version>.<InstanceName>\MSSQL\ReplData
    - These files typically have the following file name extensions:
      - *.sch
      - *.idx
      - *.bcp
      - *.pre
      - *.cft
      - *.dri
      - *.trg
      - *.prc
  - Checkpoint and delta files
    - No specific file extension for these files
    - Files are present under the folder structure identified by the container of type FILE_STREAM from sys.database_files
  - DBCC CHECKDB Files
    - Files will be of the format <Database_data_filename.extension>_MSSQL_DBCC<database_id_of_snapshot>
    - For more information, see the following article:
      - KB 2974455: DBCC CHECKDB behavior when the SQL Server database is located on a ReFS volume
  - Exception Dump Files
    - *.mdmp
  - Extended Event Files
    - *.xel
    - *.xem
  - Filestream data files
    - SQL 2008 and later versions
  - In-memory OLTP Files
    - Present in an xtp sub-folder under the DATA directory for the instance
    - File formats include the following:
      - xtp_<t/p>_<dbid>_<objid>.c
      - xtp_<t/p>_<dbid>_<objid>.dll
      - xtp_<t/p>_<dbid>_<objid>.obj
      - xtp_<t/p>_<dbid>_<objid>.out
      - xtp_<t/p>_<dbid>_<objid>.pdb
      - xtp_<t/p>_<dbid>_<objid>.xml
  - Remote Blob Storage files
    - SQL 2008 and later versions
  - Windows Failover Clustering (if applicable)
    - <Quorum Drive> (Ex. Q:\)
    - %windir%\Cluster
    - MSDTC directory in the MSDTC drive
IIS Exclusions
- Operational
  - IIS Compressed Files
    - IIS 6.0:
      - %SystemRoot%\IIS Temporary Compressed Files
    - IIS 7.0+:
      - %SystemDrive%\inetpub\temp\IIS Temporary Compressed Files
  - IIS Worker Process
    - %windir%\System32\inetsrv\w3wp.exe
    - %windir%\SysWOW64\inetsrv\w3wp.exe
WSUS Exclusions
- Operational
  - %SystemRoot%\SoftwareDistribution\Datastore
  - %SystemRoot%\SoftwareDistribution\Download
  - %ProgramFiles%\Update Services\LogFiles\WSUSTemp
  - <InstallDrive>\WSUS\UpdateServiceDBFiles
  - <InstallDrive>\WSUS\WSUSContent
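As an added example (not from this post or the Microsoft article it links), here is how the lists above can be applied to Microsoft Defender Antivirus with PowerShell and, just as importantly, read back afterwards, so the exclusions you think you have are the ones Defender actually holds. Only a representative subset of the "Operational" entries is included; the rest follow the same pattern. Get-MpPreference and Add-MpPreference are the real Defender cmdlets; the function names, the list of install drives and the choice of entries are my own assumptions.

```powershell
# Added example, not from the original post or the linked Microsoft article.
# Applies a subset of the Operational exclusions listed above to Microsoft
# Defender Antivirus and verifies the result by reading the preferences back.
# Requires an elevated session.

# <InstallDrive> can be several drives (see "Details on the variables referenced").
$InstallDrives = @('C:', 'D:')   # constructed sample values; adjust to your site

function Get-ConfigMgrOperationalExclusions {
    param([string[]]$InstallDrives)

    # Entries that do not depend on the install drive (Core + ConfigMgr Client, Operational).
    $paths = @(
        "$env:ALLUSERSPROFILE\NTUser.pol",
        "$env:windir\Security\Database\*.edb",
        "$env:windir\SoftwareDistribution\Datastore\Datastore.edb",
        "$env:windir\System32\GroupPolicy\Machine\Registry.pol",
        "$env:windir\CCM\*.sdf",
        "$env:windir\CCM\Logs",
        "$env:windir\CCMCache"
    )
    # Entries that exist once per install drive (ConfigMgr Core Installation, Operational).
    foreach ($d in $InstallDrives) {
        $paths += "$d\Program Files\Microsoft Configuration Manager\Inboxes\*.*"
        $paths += "$d\Program Files\Microsoft Configuration Manager\Logs"
        $paths += "$d\Program Files\SMS_CCM\Logs"
    }
    # Process exclusions only matter if your AV flags the ConfigMgr binaries (see NOTE above).
    $processes = @(
        "$env:windir\CCM\Ccmexec.exe",
        "$env:windir\CCM\CmRcService.exe"
    )
    # SQL Server data and backup files are excluded by extension.
    $extensions = @('mdf', 'ldf', 'ndf', 'bak', 'trn')

    [pscustomobject]@{ Paths = $paths; Processes = $processes; Extensions = $extensions }
}

function Add-DefenderExclusions {
    param([Parameter(Mandatory)]$Set)
    # Add-MpPreference appends to the existing lists; it never replaces them.
    Add-MpPreference -ExclusionPath $Set.Paths `
                     -ExclusionProcess $Set.Processes `
                     -ExclusionExtension $Set.Extensions
}

function Test-DefenderExclusions {
    param([Parameter(Mandatory)]$Set)
    # Read back what Defender really holds and report every entry that is missing.
    $pref = Get-MpPreference
    $missing = @()
    $missing += $Set.Paths      | Where-Object { $_ -notin $pref.ExclusionPath }
    $missing += $Set.Processes  | Where-Object { $_ -notin $pref.ExclusionProcess }
    $missing += $Set.Extensions | Where-Object { $_ -notin $pref.ExclusionExtension }
    return $missing
}

# Usage:
$set = Get-ConfigMgrOperationalExclusions -InstallDrives $InstallDrives
Add-DefenderExclusions -Set $set
$missing = Test-DefenderExclusions -Set $set
if ($missing.Count -eq 0) { 'All exclusions applied.' } else { 'Not applied:'; $missing }
```

Every excluded path is a blind spot for the scanner, which is why the post separates Operational from Performance entries: add the Operational ones, add Performance ones only when you have measured a problem, and keep the applied set in version control so the Get-MpPreference output on any server can be compared against what was intended.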
For more information, also refer to the original blog post here: https://blogs.technet.microsoft.com/systemcenterpfe/2017/05/24/configuration-manager-current-branch-antivirus-update/