Batch clearing of logs – everyday spring cleaning.

The Issue:

Let's just say, hypothetically, that someone likes to log things, and they like to log them a lot. Let's also say that, as the admin of the server they are logging to, you don't like having your server crash when it runs out of disk space, and the only thing you like less than that is chasing them to make them clean up.

The Solution :

A script scheduled to run every day. In this example we will be cleaning out anything in d:\syslog

date /t >>c:\scripts\deletesyslog\%date:~-10,2%%date:~-7,2%%date:~-4,4%.log
time /t >>c:\scripts\deletesyslog\%date:~-10,2%%date:~-7,2%%date:~-4,4%.log
echo Scan Started>>c:\scripts\deletesyslog\%date:~-10,2%%date:~-7,2%%date:~-4,4%.log
FORFILES -p D:\Syslog\ -s -d -10 -c "CMD /C echo @PATH@FILE>>c:\scripts\deletesyslog\%date:~-10,2%%date:~-7,2%%date:~-4,4%.log"
FORFILES -p D:\Syslog\ -s -d -10 -c "CMD /C del /F /Q @FILE"
echo SCAN Complete>>c:\scripts\deletesyslog\%date:~-10,2%%date:~-7,2%%date:~-4,4%.log
time /t >>c:\scripts\deletesyslog\%date:~-10,2%%date:~-7,2%%date:~-4,4%.log

The first 3 lines create a log file in c:\scripts\deletesyslog and log the date and time the script was run; the 4th line logs what is about to be deleted. The last 2 lines log the time it finished.

Line 5 is the only one that really does anything, so if you don't care about all this sissy logging, that is all you need.


-p (path)

-s recurse subdirectories

-d -10 selects files with a modified date more than 10 days old (alter the 10 if that's not good for you, and remember to alter the matching 10 on the logging line above)

"CMD /C del /F /Q @FILE" is the actual delete command
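The same retention job as an added example in Python (not the post's own script), with a dry-run switch so you can see what the age cutoff would delete before anything is removed; the directory tree it cleans and its file ages are constructed in a temp directory.

```python
"""Age-based log clean-up mirroring the FORFILES batch job: recurse under a
root, select files whose modification time is older than N days, log them,
then delete. Added example; the sample tree below is constructed."""
import os
import tempfile
import time
from pathlib import Path

DAYS_DEFAULT = 10  # same cutoff as "-d -10" in the batch file


def find_stale_files(root, days=DAYS_DEFAULT, now=None):
    """Files under root (recursively, like -s) last modified more than
    `days` days before `now`, like FORFILES -d -N."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return [p for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.stat().st_mtime < cutoff]


def clean_logs(root, days=DAYS_DEFAULT, log_path=None, dry_run=True, now=None):
    """Log the candidates (like the echo @PATH@FILE line), delete them unless
    dry_run, and return the list of paths acted on."""
    stale = find_stale_files(root, days, now)
    lines = ["Scan Started " + time.strftime("%Y-%m-%d %H:%M:%S")]
    for path in stale:
        lines.append(("would delete " if dry_run else "deleted ") + str(path))
        if not dry_run:
            path.unlink()
    lines.append("SCAN Complete " + time.strftime("%H:%M:%S"))
    if log_path:
        Path(log_path).write_text("\n".join(lines) + "\n")
    return stale


def build_sample_tree(base, now):
    """Constructed sample: one fresh log and one 12-day-old log in a subdir."""
    fresh = Path(base) / "fresh.log"
    old = Path(base) / "sub" / "old.log"
    old.parent.mkdir(parents=True)
    fresh.write_text("fresh syslog line\n")
    old.write_text("old syslog line\n")
    twelve_days_ago = now - 12 * 86400
    os.utime(old, (twelve_days_ago, twelve_days_ago))  # backdate mtime
    return fresh, old


def demo():
    """Dry run reports old.log but keeps it; real run removes only old.log.
    Returns (old still exists, fresh still exists) after the real run."""
    base = tempfile.mkdtemp()
    # date-stamped log name like the batch file's MMDDYYYY.log, kept outside the tree
    log_path = os.path.join(tempfile.mkdtemp(), time.strftime("%m%d%Y") + ".log")
    now = time.time()
    fresh, old = build_sample_tree(base, now)
    stale = clean_logs(base, days=10, log_path=log_path, dry_run=True, now=now)
    assert stale == [old] and old.exists()
    clean_logs(base, days=10, log_path=log_path, dry_run=False, now=now)
    return old.exists(), fresh.exists()


if __name__ == "__main__":
    print(demo())
```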


Useful Operations Manager 2007 SQL queries

Kevin Holman's OpsMgr Blog is great, and provided me with many SQL scripts.

Of course sometimes I can't find the right script when I want it, and I will likely add things from other sources over time, so I am duplicating some of his work here and will add to it as I personally use the scripts.

List of all management packs and version number

SELECT MPName, MPFriendlyName, MPVersion, MPIsSealed FROM ManagementPack WITH(NOLOCK) ORDER BY MPName 

Find Management Pack name from Workflow name (Change rulename)

SELECT MPName FROM ManagementPack WITH(NOLOCK) WHERE ManagementPackId = (SELECT ManagementPackID FROM Rules WHERE RuleName = 'MomUIGeneratedRuleb0bac41041dc420abc0926dcdd7a8c23')

Find what alerts are repeating most often

SELECT TOP 20 SUM(RepeatCount+1) AS RepeatCount, AlertStringName, AlertStringDescription, MonitoringRuleId, Name
FROM AlertView WITH(NOLOCK)  -- FROM clause is missing above; AlertView is the view Kevin Holman's original uses
WHERE TimeRaised IS NOT NULL
GROUP BY AlertStringName, AlertStringDescription, MonitoringRuleId, Name
ORDER BY SUM(RepeatCount+1) DESC

Find a rule friendly name from the GUID provided on an alert.  (change out your own rule guid)

SELECT LT.LTValue AS DisplayName, Rules.RuleName  -- SELECT/FROM lines are missing above; reconstructed, LTValue assumed to hold the display string
FROM Rules WITH(NOLOCK)
INNER JOIN LocalizedText LT ON LT.ElementName = Rules.RuleName
WHERE Rules.RuleId = (SELECT RuleId FROM Rules WHERE RuleName = 'MomUIGeneratedRuleb0bac41041dc420abc0926dcdd7a8c23')

Count the number of discovered objects by type (from Pavlick.Net)

SELECT mt.ManagedTypeID, mt.TypeName, COUNT(*) AS NumEntitiesByType
FROM BaseManagedEntity bme WITH(NOLOCK)
LEFT JOIN ManagedType mt WITH(NOLOCK) ON mt.ManagedTypeID = bme.BaseManagedTypeID
WHERE bme.IsDeleted = 0
GROUP BY mt.ManagedTypeID, mt.TypeName

SCOM 2007 R2 – Logical Disk Free Space or Redundancy In Action (and not the good kind)

The Problem:

We want to alert on specific drives that tend to fill up quickly when something goes wrong at different levels than the defaults.

The Process:

Sounds simple enough, right? An override and it's time for coffee. Well, being the careful person I am, I decided perhaps a test is in order. So I create a folder on the drive and put a 10 MB file in it called 1.log, plus the following batch file:

:10
set Now=%time:~0,2%%time:~3,2%%time:~6,2%
copy 1.log %now%.log
REM no target is shown here; use an address that will not answer so the 2000 ms timeout acts as a 2 second wait
PING -n 1 -w 2000 >NUL
goto 10

Put simply, this script copies 1.log to a new file whose name is the current hour, minute and second, then tries to ping something with a 2000 ms (2 second) timeout, and does it again.

Don’t wander off while this is running or use it for evil please 😉

So I let this run till my drive is about 55% full, or was that 45% empty? But I am bothered by the complete absence of any kind of alert, alarm or even status change on the server in question.

If you look up the definition of redundancy you will find two things of note: the good kind of redundancy (6. Electronics: duplication or repetition of elements in electronic equipment to provide alternative functional channels in case of failure) and the kind we are going to deal with here (2. Something redundant or excessive; a superfluity).

I didn't notice the first time, but there is a paragraph on the properties of the Logical Disk Free Space Monitor, and although I am glad it wasn't harder to find I am bothered by its content.


The Logical Disk Free Space monitoring routine is a highly configurable solution that enables Operators to set varying threshold values for system and non-system logical disk volumes. In addition, separate threshold values can be set for Warning and Error states.

Since logical disk volumes may vary in size from a few gigabytes to many terabytes or more, the Logical Disk Free Space monitoring routine requires that an Operator indicate both the Megabyte and Percentage based threshold values that must be passed before the Warning and Error thresholds are reached. This means that in order for the threshold to be reached, both the Megabyte and Percentage based threshold values for the System or Non-System Drive must be breached.

So let's say, like me, you have several different drives of varying sizes that you want alerts on, and the defaults from the table below just don't do it for you. Like me, you probably figured you could just set the Non-System Drive Error Percent Threshold and be done with it. Then, like me, you find that you get no alarm because although you are below the Non-System Drive Error Percent Threshold you are still over the Non-System Drive Error Mbytes Threshold, which defaults to 1GB. Sadly your option now is to check the full size of each drive you are monitoring, do the math to figure out how many MB is X% of your drive, and enter that value in Non-System Drive Error Mbytes Threshold in addition to the % you already set. Then an interval later you will get an alert something like this…


System Drive Free Space Thresholds (Defaults)
System Drive Error Mbytes Threshold
System Drive Error Percent Threshold
System Drive Warning Mbytes Threshold
System Drive Warning Percent Threshold

Non-System Drive Free Space Thresholds (Defaults)
Non-System Drive Error Mbytes Threshold
Non-System Drive Error Percent Threshold
Non-System Drive Warning Mbytes Threshold
Non-System Drive Warning Percent Threshold

The Solution :

Set overrides for both Mbytes and Percent thresholds as they both have to be breached to throw an alarm.

If you hate math perhaps you could just set the MB alarm to some unreasonably large value so that it is always breached, thus making the % monitor the only one that changes.

Update – Nov 30, 2009

Billy made some comments that started me thinking about a larger solution, and I fear it all comes down to overrides.

First create a series of groups that match your needs, like Alarm System at 100MB, Alarm non-System at 1GB, Alarm System at 100GB, Alarm System at 5%, Alarm non-System at 15%, Alarm System at 50%, really whatever makes you happy. Isn't that what we all really want? Then create a series of overrides based on the groups. Something like: for the override targeted at "Alarm System at 100MB" set the system MB to 100MB and set the system % to .01%; when creating a percentage based override, work it the other way, setting the % to what you want and the MB to 1,000,000,000,000,000 or something similar. Then as you configure each new machine you just decide how you want it to work for that machine and add it to the static groups you defined earlier. Someone please correct me if I am wrong, but you may want to decide if % or MB is more important and set the enforced check box on that override just in case you ever assigned a machine to both groups. I figure this will help SCOM determine what override should apply, but I have not tested that and could be wrong there.
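The threshold logic described above (both the Mbytes and the Percent value must be breached) worked through as an added example, not code from the post or from the management pack. The disk size is derived from the post's sample alert (36452 free MB = 52% free), the 1 GB default is the one the post quotes, and the other numbers are constructed. Because the two conditions are ANDed, the example sets the percent half of an MB-only group override to 100 (always satisfied) rather than .01, which would never be met.

```python
"""Model of the Logical Disk Free Space monitor: the state changes only when
free space is under BOTH the Mbytes and the Percent threshold. Added example;
the monitor's real evaluation lives in the management pack, not here."""

HUGE_MB = 1_000_000_000_000  # the "unreasonably large" MB override trick
ALWAYS_PCT = 100.0           # percent threshold met by any drive that holds data


def is_breached(free_mb, total_mb, mb_threshold, pct_threshold):
    """The AND the post complains about: both thresholds must be crossed."""
    free_pct = 100.0 * free_mb / total_mb
    return free_mb < mb_threshold and free_pct < pct_threshold


def mb_for_percent(total_mb, pct):
    """The 'do the math' workaround: how many MB is pct% of this drive."""
    return total_mb * pct / 100.0


def override_for(kind, value):
    """(mb, pct) override pair for one of the Nov 30 groups. The threshold you
    do not care about is set so it is always satisfied; with the AND, an
    MB-only group needs percent at 100, not .01 (constructed convention)."""
    if kind == "mb":
        return value, ALWAYS_PCT
    if kind == "percent":
        return HUGE_MB, value
    raise ValueError(kind)


def demo():
    total = 70100      # MB, from the sample alert: 36452 MB free = 52%
    free = 36452
    default_mb = 1000  # the 1 GB default Error Mbytes threshold
    want_pct = 60      # constructed: alarm once less than 60% is free

    # 1. Only the percent override set: 52% < 60% but 36452 MB > 1000 MB -> silent
    pct_only = is_breached(free, total, default_mb, want_pct)
    # 2. Percent override plus the matching MB value for this drive -> alarm
    with_math = is_breached(free, total, mb_for_percent(total, want_pct), want_pct)
    # 3. Percent group override (MB set absurdly high) -> alarm
    pct_group = is_breached(free, total, *override_for("percent", want_pct))
    # 4. MB group at 100 MB: fires at 90 MB free, stays quiet at 36452 MB free
    mb_group_low = is_breached(90, total, *override_for("mb", 100))
    mb_group_high = is_breached(free, total, *override_for("mb", 100))
    # 5. The post's .01% companion value: 90 MB of 70100 is 0.13% free, so never fires
    post_setting = is_breached(90, total, 100, 0.01)
    return pct_only, with_math, pct_group, mb_group_low, mb_group_high, post_setting


if __name__ == "__main__":
    print(demo())
```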


Hey Microsoft :

Is it not the point of a percent based alarm that you don't need to go to every drive of a different size and figure it out for yourself? For me I would expect that a person could say "send me an alarm whenever a drive is 50% full", but at the same time may want to know when some very old small drives have less than 10GB free even if this does not constitute 50% of the drive. I simply can't wrap my head around the concept that because "logical disk volumes may vary in size from a few gigabytes to many terabytes or more" there would be any situation where you would want to set 2 different thresholds that both have to be triggered to cause an alarm. Does the alarm in your house only go off if a burglar has both your front and back doors open at the same time?

Last modified time: 19/11/2009 3:13:35 PM Alert description: The disk J: on computer X is running out of disk space. The values that exceeded the threshold are 52% free space and 36452 free Mbytes.

SCOM, SNMP and TRAPS or The Good, the Bad and the Ugly : Part 3

If you have followed along this far, and have not ended up with a white jacket with really long sleeves then this next bit should be no problem.

The Problem :
Although it’s nice to be able to poll a device on a regular schedule and log this for the shiny graphs and alert on it once you have all the monitors working, what we really want is a real-time alarm when something goes wrong. When your UPS goes into bypass or your HVAC fails you may not want to wait for the next polling interval.

The Solution :
Strangely this is the whole reason I started these three articles, I found SNMP traps to be inconsistent and extremely frustrating. I almost gave up and got another product more suited to handling SNMP monitoring. Of course as with most things once you get it all sorted out it’s actually quite simple.

Step 1 : SNMP Services
On your Root Management Server, Management Servers and/or gateways you need to have the SNMP Services installed.
Windows 2003 – Add/Remove Programs, Windows Components, Management and Monitoring Tools, Simple Network Management Protocol.
Windows 2008 – in the Server Manager, Features, SNMP Services.
You should have an SNMP Service and an SNMP Trap Service; make sure both are set to automatic start and are started.

Step 2 : Configure your device
On your device, appliance, server etc. you will need to go in and set up SNMP and traps. First you will need to set a community name; remember this for later, and remember this is not really a useful security measure. With luck you can configure a community name, set your device to read only (personally I don't trust making changes via SNMP) and configure a destination for traps. Here is the first trick: at a minimum you need to direct the traps at the management server that your device is going to be managed by. I configured my devices to send to my RMS and both of my management servers. You can send traps to your RMS all day long and not get an alert if your device is discovered and managed by another management server.

Step 3 : Discover your device
In the SCOM Management console, Administration tab, you can right click on any entry and pick Discovery Wizard right at the top. Click Network Devices, Next, enter the IP address or address range, enter the community string you configured earlier on the device, pick the SNMP version (if you are not sure try V1) and pick a management server. This must be the server the traps are being sent to. I send the traps to all my management servers so that, just in case I need to rediscover the device on another server, I don't have to go reconfiguring the device. SCOM will not send you duplicate alarms if it received a trap on multiple management servers.
Once the discovery is complete you should be able to select the check boxes of the devices you want to manage and finish.

Step 4 : Create a Monitor.
If you are following from Part 1 and 2 we will be creating this monitor in the management pack where we have set the discovery for the device type that we are monitoring. If you are adventurous and don't expect it to get too complex you can target this monitor at SNMP Network Device, thus creating a bulk trap monitor for every device. This may make it harder to filter what you want in the future, but it's up to you.
On the Authoring tab, under Management Pack Objects, right click on Monitors and select Unit Monitor. We are now looking for SNMP, Trap Based Detection, Simple Trap Detection, Event Monitor – Single Event and Single Event. Place this in your management pack where your discovery is.
Give your monitor a Name, a Target and a parent monitor, then Next. Typically you would use the discovery community string, and for this example we are going to check the box "All Traps" at the bottom. Here is the next tricky bit: the expressions. This is an example for setting a critical state for any trap and requiring a manual reset.

First Expression
parameter Name : /DataItem/SnmpVarBinds/SnmpVarBind[1]/Value
Operator : Matches wildcard
Value : *

Second Expression
parameter Name : /DataItem/SnmpVarBinds/SnmpVarBind[1]/Value
Operator : Does not match wildcard
Value : *

The first expression should fire on any trap and the second should never fire, so the First Event Raised is the critical state and the second is the healthy state.

Of course you still need to configure subscriptions etc. if you want email alerts, but this should change the state of the device and require that you go into the device and do a Reset Health to get things to go back to green.

If you get fancier with the expressions comment on this post so everyone can see, I have not had to yet so I can’t say.

Edit: Nov 24, 2009

Well that didn’t last long, I had to get more specific with my trap alerting so I figured I would update the people who are following this (all 2 of them)

It's simple enough: when creating your monitor, on the "FirstSnmpTrapProvider" screen don't check All Traps; instead put the OID you are looking for under Object Identifier. The best way for me to find the OID is Wireshark. In Wireshark set a filter like "" or " and ip.addr ==" and now you should be seeing just traps from the device in question.


Here you can see the OID of the TRAP and the specific Trap of 3

This gives us the complete OID, which is what you need to put under Object Identifier for the FirstSnmpTrapProvider; the first expression remains the same as above. In this case, though, I want to start doing automatic recoveries, so for the SecondSnmpTrapProvider you need the recovery trap OID, and the second expression now changes to match the first expression, "Matches Wildcard *". These examples are for utility failure and recovery of a GE UPS SNMP card using the deltav4 MIB.
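The two-state trap monitor described in this post, simulated as an added example (not SCOM code): a FirstSnmpTrapProvider that turns the device critical and a SecondSnmpTrapProvider that returns it to healthy, each with an optional Object Identifier filter and one expression over /DataItem/SnmpVarBinds/SnmpVarBind[1]/Value. The trap OIDs and varbind values are constructed placeholders, not the deltav4 MIB values.

```python
"""Simulation of the SCOM 'Event Monitor - Single Event and Single Event'
trap monitor from the post: two providers, two expressions, one state.
Added example; traps below are constructed, OIDs are placeholders."""
from fnmatch import fnmatchcase

# The two operators the post uses in the expression editor
OPERATORS = {
    "Matches wildcard": lambda value, pattern: fnmatchcase(value, pattern),
    "Does not match wildcard": lambda value, pattern: not fnmatchcase(value, pattern),
}


def varbind_value(trap, index):
    """/DataItem/SnmpVarBinds/SnmpVarBind[index]/Value (1-based like XPath)."""
    binds = trap["SnmpVarBinds"]
    return binds[index - 1]["Value"] if 0 < index <= len(binds) else None


class TrapProvider:
    """One SnmpTrapProvider: OID filter (None = 'All Traps') plus an expression."""

    def __init__(self, oid=None, operator="Matches wildcard", value="*", index=1):
        self.oid = oid
        self.op = OPERATORS[operator]
        self.value = value
        self.index = index

    def fires(self, trap):
        if self.oid is not None and trap["OID"] != self.oid:
            return False
        actual = varbind_value(trap, self.index)
        return actual is not None and self.op(actual, self.value)


class TrapMonitor:
    """First provider raises Critical, second returns Healthy."""

    def __init__(self, first, second):
        self.first, self.second = first, second
        self.state = "Healthy"

    def feed(self, trap):
        if self.first.fires(trap):
            self.state = "Critical"
        elif self.second.fires(trap):
            self.state = "Healthy"
        return self.state


# Constructed traps with placeholder enterprise OIDs (not real MIB values)
FAIL_TRAP = {"OID": "1.3.6.1.4.1.99999.1.3", "SnmpVarBinds": [{"Value": "onBattery"}]}
RECOVER_TRAP = {"OID": "1.3.6.1.4.1.99999.1.4", "SnmpVarBinds": [{"Value": "onUtility"}]}
OTHER_TRAP = {"OID": "1.3.6.1.4.1.99999.1.9", "SnmpVarBinds": [{"Value": "fanFault"}]}


def manual_reset_monitor():
    """First recipe: All Traps, 'Matches wildcard *' vs 'Does not match wildcard *',
    so every trap is critical and only a manual Reset Health clears it."""
    return TrapMonitor(TrapProvider(None, "Matches wildcard", "*"),
                       TrapProvider(None, "Does not match wildcard", "*"))


def auto_recovery_monitor():
    """Nov 24 recipe: a specific OID per provider, both expressions 'Matches wildcard *'."""
    return TrapMonitor(TrapProvider(FAIL_TRAP["OID"]), TrapProvider(RECOVER_TRAP["OID"]))


def demo():
    m1 = manual_reset_monitor()
    manual = [m1.feed(FAIL_TRAP), m1.feed(RECOVER_TRAP)]  # recovery trap also critical
    m2 = auto_recovery_monitor()
    auto = [m2.feed(OTHER_TRAP), m2.feed(FAIL_TRAP), m2.feed(RECOVER_TRAP)]
    return manual, auto


if __name__ == "__main__":
    print(demo())
```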


Part 1

Part 2

Part 3

Using SCOM to monitor name resolution on a Kiosk or Schrodinger's DNS

The Problem:
I have a number of kiosks that are going to be used by VIPs, and I have been asked to make sure that these kiosks are working properly and to proactively respond to failures. Our monitoring tool is SCOM 2007 R2. In this entry I will cover my attempt to monitor DNS name resolution.

The Process:
First I found that there is an existing monitor that does basically exactly what I want. Of course I know this because it didn't work properly at first, and thanks to Kevin Holman's OpsMgr Blog I even got an answer. Now all I need to do is leverage this existing type and life will be grand. Little did I know I was about to enter the quantum world of management pack XML.

Using an excellent little PowerShell script from Boris Yanushpolsky I can open sealed MPs and have a look. So I crack open Microsoft.Windows.DNSServer.2003 and Microsoft.Windows.DNSServer.Library and quickly find that the monitor type I am looking for is Microsoft.Windows.DNSServer.Library.NSLookupAvailability

I create my own empty management pack, and add the following reference

<Reference Alias="DNS">


Then I export my new management pack, open it in the Authoring Console and basically copy everything from the monitor that I want to my new monitor. Since I want this monitor to target only specific machines, I have created a group with dynamic members to target this monitor at.

Some notes on Targeting:
You can't target monitors, rules or tasks at dynamic groups. If you want all the gory details Jakub has them, but the bottom line is you have to pick an existing class that will be available everywhere. Best practice suggests that you pick the closest existing class that you can; don't just pick Windows Computer for everything. The secret is to create whatever it is you are doing as disabled and then use an override to enable it based on the dynamic group you created.

So now that I have my targeting issues worked out I find that this monitor is not becoming active. Initially I thought this was because of my targeting, but now I needed some help. A call to Microsoft support teaches me a couple of things I will pass on here.

Within the DNS library we find the section <UnitMonitorType ID="Microsoft.Windows.DNSServer.Library.NSLookupAvailability"

Within this unit monitor type we find <ProbeAction ID="Probe" TypeID="Microsoft.Windows.DNSServer.Library.Probe.NSLookupTest.PropertyBag">; this links to another section <ProbeActionModuleType ID="Microsoft.Windows.DNSServer.Library.Probe.NSLookupTest.PropertyBag" and within this section we finally have <ScriptName>NslookupAllTests.js</ScriptName>

Now that we know the actual script that will really do the work on the host is called NslookupAllTests.js, we can search for it in the library and tada, there it is: Script: NslookupAllTests.js. Of course this is about 2 lines below the property bag, but I wanted to show the progression in case someone else is trying to figure out something similar.

Now I am no JavaScript expert by any means, but the following few lines are pretty clear to me

//Check if DNS service is running.  Abort script with a warning if it's not.
if (!DNSServiceRunning())

So despite the fact that for this specific test the DNS server service does not need to be running or even installed, there is a single script running for all the DNS testing and it will not run unless the DNS service is running.

Now I guess I could comment out these three lines, reseal the management pack and cross my fingers, but the risk to my existing monitors and dealing with the next MP upgrade is more than I want to deal with right now.

The Solution: NOT
Well unfortunately my development skills are haunting me today.
The final solution would be to create a new library based on Microsoft.Windows.DNSServer.Library, providing new monitor types complete with overrides, and alter the underlying DNS NslookupAllTests.js script to do what I need. Unfortunately JavaScript is not a language I have taken the time to get familiar with, and beyond that the required XML to get the library and monitor working is just taking too long.

Plan B….. I will have to get back to everybody on that

The Solution : Finally

OK, so it was not 4000 lines it took only 953.

With some help from PSS and a lot of theft from the DNS library I have managed to create a management pack to monitor DNS resolution. The monitor is called DNS Resolution Check and falls under Windows Computer. It is disabled by default and will require that you either configure and enable it or simply create overrides. I also added an override for Server so you could direct different clients at different DNS servers. The Server config / override will take a series of comma separated IP addresses.


Hey Microsoft:

SCOM is an interesting tool, but the authoring console is sadly lacking. Something as simple as a name resolution test should be simple to create. I should not need 4000 lines of XML and JS to handle something this simple.

We should be able to use dynamic groups as Watcher Nodes for web and port monitors.

SCOM 2007 R2 Gateway now with SSL

Need to extend your SCOM environment to another domain, into a DMZ or anywhere else where the typical protocols are not available? Then you need a gateway. Actually this process is reasonably simple but you will need an SSL certificate.

Step 1 :  Certificates

Don't have a Certificate Authority? Well then you have 2 options: you could build one, but unless you have more needs than this I would suggest you just go and buy a cheap one. Use the fully qualified DNS name of the server for the subject and the friendly name. Other than that there is not much to worry about. If you do have a CA then you may want to publish a new template; despite many other blogs talking about exactly what you need, I have found that this very simple template works for me.


Either way all you need to do is install the certificate into the machine store Personal folder. If you are using your own CA you will also need to install the root certificate and any intermediate certificates as Trusted Root Certification Authorities or Intermediate Certification Authorities on both this new gateway and on your root management server.

Now you are ready to start the gateway install so you need some files from your download or CD. May as well copy the “gateway” and “support tools” directories from the root of your install media to the new gateway server. Even with all that added security isn’t it nice to be able to copy file via RDP now?

Step 2: Installing the Gateway

Within the gateway folder you copied from the install media you will find directories for i386 and AMD64; go into the right folder based on whether your OS is 32-bit or 64-bit. Run MomGateway.msi (funny how MOM keeps hanging on).


Fairly quickly you are provided with the following dialog, and if you are like me you are thinking hmmmmm, what exactly was my management group name? If you remember your exact management group name then bully for you; the rest of us need to go back to our root management server and open the registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Server Management Groups\ there is another key that is your management group name. Be careful not to change anything, but I like to hit F2, copy this key name and paste it into the installer. Then enter the name of your root management server, and if you are truly offended by TCP port 5723 then here is your big chance to change it. When prompted for a Gateway Action Account, well, Local System works well for me, but it's your environment and you can use whatever you want. Me, I will stick to the principle of least access and go with Local System.

Step 3: Linking the Certificate

Once the install is complete you need to link the certificate to the service, and herein lies perhaps the only real gotcha. In the Support Tools folder that you copied over earlier you will find folders for i386, amd64 and ia64; make sure to run the one that goes with your OS. Remember that ia64 refers to Itanium, which nobody uses, and be aware that the 32-bit version will run on x64 and appears to work: the registry keys will look right and all the troubleshooting in the world won't tell you why your shiny new gateway doesn't work. So skip all that grief and get this right the first time. There are lots of instructions showing you the full command line and detailing how to get the cert name etc. etc., but I am lazy with the command line, so just run MOMCertImport.exe by double clicking on it. TADA, you are prompted to pick the certificate you want to use and all you need to do is click OK, just like a nice Windows program. If you run into problems or just want to make sure this worked, have a look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings; the ChannelCertificateSerialNumber should contain the cert details.

Step 4: Approving the server on your RMS

This step is run from the command line on your Root Management Server. I know, we are Windows people, we don't DO command line… well, as our HR department would say, "SUCK IT UP". I think we all need to get used to the idea that now there is Core Server and PowerShell we are all going to get much more familiar with doing everything from the command line. That's enough resistance to change for one day, so on to the command line. From your RMS you need to run the following: have a look on your install media again in the "Support Tools" folder, again being careful to get the correct version for your OS, find Microsoft.EnterpriseManagement.GatewayApprovalTool.exe, and copy it to "C:\Program Files\System Center Operations Manager 2007" or wherever you installed SCOM in the first place. Now open a command line in that location.

As an aside, here is a little trick I like: save the following to a .reg file and import it. This will give you a new right click context menu on folders that will allow you to quickly open a command prompt right in a folder.

Windows Registry Editor Version 5.00

; key path is assumed: any subkey name under Directory\shell gives the context menu entry
[HKEY_CLASSES_ROOT\Directory\shell\Open Command Prompt]
@="Open Command Prompt"

[HKEY_CLASSES_ROOT\Directory\shell\Open Command Prompt\command]
@="cmd.exe /k \"cd %1\""

Now back to the command line:

Microsoft.EnterpriseManagement.GatewayApprovalTool.exe /ManagementServerName=YOUR-RMS-FQDN_HERE /GatewayName=YOUR-GATEWAY-FQDN-HERE /Action=Create

See, that's not so bad. Of course if you don't have name resolution between your gateway and your RMS then you will likely want to put some hosts entries in c:\WINDOWS\system32\drivers\etc\


Also, if your gateway is not a member of a domain it's likely that the FQDN of your gateway is just the server name, and that's just fine. Just make sure that if you ping from each side you get name resolution. Of course your security guys probably block ICMP, but as Arthur Schopenhauer said, "Life without pain has no meaning", and as technical people this just adds meaning to our lives.

Now that you have created the new gateway you get to do what you like best about SCOM as a reward, take a short vacation. Did you enjoy it? Now back to work (BlackAdder)

Several minutes later you will see your new server appear in your SCOM console, on the Administration tab, under Management Servers. For a while it will appear as "Not Monitored" and then move into a healthy state if everything is OK. If not, it is probably time to crack out Wireshark and look at the traffic, and have a look at the event log to see if you can see any errors on either side.

 Troubleshooting: Getting an error in the logs?

The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication. The error is The credentials supplied to the package were not recognized (0x8009030D).

The fix:

1)    Once you have a certificate imported into the certificate store:

i)     From the MMC “Certificates (Local Computer)” snap-in, locate the certificate (server FQDN name) in the Personal-Certificates folder, right click it, and select “Export”.

ii)    When prompted to “Export Private Key”, select “Yes, export the private key”.

iii)   Under “Export File Format”, select “Personal Information Exchange – PKCS #12 (.pfx)” and sub-option “Export all extended properties”.

iv)   Take note of the location and file name of the pfx file you saved and password if you entered one.

2)    From an Administrator mode command prompt, enter:

MOMCertimport.exe filename.pfx

– enter password if you entered one for the pfx file

(where filename.pfx is the exported certificate from above)


Getting something like “The OpsMgr Connector connected to sceserver, but the connection was closed immediately after authentication occured” for me I just needed to wait a little longer then look for the gateway server listed in the SCOM Console, Administration, Device Management, Pending Management. I approved it there and a few minutes later everything was working.

SCOM, SNMP and TRAPS or The Good, the Bad and the Ugly : Part 1

Recently I was encouraged to find a way to monitor many of our appliances with our shiny new deployment of Microsoft System Center Operations Manager 2007 R2. Up until this point we had not used SCOM for SNMP monitoring; little did I know the adventure I was about to embark on.


Log (SCOM Rule) various values from different SNMP appliances

Alert (SCOM Monitor) on various values from different SNMP appliances

Basic availability checks for all appliances

Receive and alert on SNMP TRAPS from all appliances


The Process : (no point in trying to skip to the solution)

The first thing I found was a lot of people in various blogs with a warning: "Abandon hope all ye who enter here". Usually I would save my ranting comments for the end, but perhaps it's best to give you a quick glimpse now. SCOM 2007 R2 is not exactly the pinnacle of SNMP monitoring, but I will get into that more later 😉

In part 1 we will find a way to discover and differentiate between the different kinds of SNMP appliances so that we can target various monitors and rules at specific devices. No point in weighing down SCOM with monitoring all sorts of things that don't exist on a given device, right?

Step 1: Install required tools

Here I have to start with a major and well deserved tip of the hat to 2 individuals without whom my adventures into SCOM and SNMP would have been long and likely fatal… or very short and almost painless (hmmmm). Either way, thanks to Raphael Burry and his SNMP Discovery Provider for OpsMgr 2007 and Scott Vintinner with his Example SNMP Management Pack for SCOM 2007. Without these 2 pieces I would likely have left SCOM as an SNMP monitoring tool altogether.

First download the sealed management pack from Raphael, rename it to a zip, break out the management pack and install it into your SCOM installation. This gives us the extensions to start writing our own custom management packs to discover different types of SNMP devices.

Second, do yourself a favor and download and install the iReasoning MIB browser and Wireshark (formerly known as Ethereal, for those that missed the name change a while back); these tools will be invaluable shortly, trust me.

Step 2:  Figure out how to identify devices

First we need to figure out what makes this device different from any other device in our network; this is where the iReasoning MIB Browser comes in handy. After you have configured your device with an SNMP community name and allowed traffic from the machine you are running the MIB Browser on, it's time to pick an OID. Start the MIB Browser. You can load manufacturer MIBs if you want, but we don't need them here. Enter the IP address of the device, clear anything that is in the OID field and use the operations dropdown to pick Walk. Then click Go!

Edit: Daniel Morrison makes a good comment – you may also need to hit "Advanced" and enter the SNMP community you configured on the device for the walk operation to work. The default value is Public. Just in case you missed it, you can see it below just between Address and OID.


Now you can go down the list of OIDs that you see and find something specific that will be unique to this type of device. For this example we are looking at an SG series GE UPS. In this case I am going to go with one that provides an answer specific to this UPS; with these noted it's time to start editing our management pack.

Step 3: Your first custom SNMP discovering management pack!

Here again you will want a couple of tools to make life much easier.  First XML Notepad 2007 a Microsoft tool for editing XML, handy for when the next tool does not expose what you want. Second SCOM Authoring Console 2007 R2, from the AuthoringConsole directory in the root of your download or SCOM 2007 R2 CD. This is probably on the website somewhere but what isn’t anymore?

Now you are ready to download Scott Vintinner's Example Management Pack (EDIT: or the updated version here); this is not installed, just used as a framework to build our own custom pack for the device in question. Make a copy and open it with Notepad. The first thing to notice is right near the top, <ID>RBH.Ecosaire.AC.Management.Pack</ID>; we need to change this to match whatever we are doing, like <ID>GEUPS.Example.Management.Pack</ID>, so I do a find and replace on the whole XML from "RBH.Ecosaire.AC." to "GEUPS.Example.", then I save and close the file. At this point you have to rename the file to match the ID, in this case GEUPS.Example.Management.Pack.xml

Now for the discovery bit. Open the XML with your preferred editor and look for <Discoveries>; this section is all we plan to edit at this stage. Within <Discoveries> you will find

<Value VariantType="8" />

The key to this section is the OID; this is what is queried to determine whether this device is a GE UPS as defined by our management pack. A few lines further down you have another important section; we will start with a simple expression first.

<Value Type="String"></Value>

A few important things to notice in this section. First, on the line with XPathQuery you see an OID; if you changed the OID in the <SnmpVarBind> section above you need to change it here as well, as this is the pointer to the variable that was read and it needs to match for the compare, or who knows what will happen. I of course know one thing that will happen, and that is that you will never discover anything. So I guess with further thought I do know what will happen. The second thing to note is <Operator>Equal</Operator>, so this is a simple X = Y expression; we will look at another option in a second. Third, <Value Type="String"></Value> is telling us that the data type of this variable is a string, so you can’t try and match based on > or anything like that, and the value we are looking for is, of course this is the example value and not the value we determined above so I will replace it with and save the XML. Optionally you can look for <Interval>3600</Interval>; this is the number of seconds between discoveries. This can also be altered once the MP has been imported, but unless you like to wait (in which case you will get along great with SCOM) you may want to reduce this now for testing. Try not to forget to change it back later 😉

Now if a simple expression is not good enough you may need a regular expression; here is an example from another device I recently used. To be honest I am still looking for a good source of documentation on all the options for a regular expression, if anyone knows a good one. (EDIT – Thanks Steve for pointing out the document Regular expression support in SCOM 2007.docx from the OpsManJam website.)

Here is the sample

<Pattern>^.*SensorHawk .*$</Pattern>

With the above section of XML, if the text SensorHawk appears in the result then it’s considered a match.

Edit: Ben needed a discovery that would detect 2 different kinds of devices. Together we found the following appears to work best.

<Pattern>^.*RICOH .*$</Pattern>
<Pattern>^.*Canon .*$</Pattern>
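As an added example that is not part of the post or of Scott Vintinner’s pack, here is a small Python evaluator for the discovery filter: it applies a SimpleExpression (Equal) or a RegExExpression (two of them joined with <Or> for the two-printer case above) to the varbinds an SNMP walk returns, and lints for the pitfall described earlier, an XPathQuery OID that the <SnmpVarBind> never reads. The XML fragment, the operator name MatchesRegularExpression and the sysDescr values are constructed assumptions modelled on the elements quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <Discoveries> elements quoted in the post:
# the <SnmpVarBind> names the OID the probe reads (sysDescr here), and each
# expression reads it back through an XPathQuery.  Assumed, not the post's pack.
SAMPLE_DISCOVERY = """<Discovery>
 <SnmpVarBinds>
  <SnmpVarBind><OID>1.3.6.1.2.1.1.1.0</OID><Syntax>0</Syntax><Value VariantType="8" /></SnmpVarBind>
 </SnmpVarBinds>
 <Expression><Or>
  <Expression><RegExExpression>
   <ValueExpression><XPathQuery Type="String">/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.2.1.1.1.0']/Value</XPathQuery></ValueExpression>
   <Operator>MatchesRegularExpression</Operator>
   <Pattern>^.*RICOH .*$</Pattern>
  </RegExExpression></Expression>
  <Expression><RegExExpression>
   <ValueExpression><XPathQuery Type="String">/DataItem/SnmpVarBinds/SnmpVarBind[OID='1.3.6.1.2.1.1.1.0']/Value</XPathQuery></ValueExpression>
   <Operator>MatchesRegularExpression</Operator>
   <Pattern>^.*Canon .*$</Pattern>
  </RegExExpression></Expression>
 </Or></Expression>
</Discovery>"""

OID_IN_XPATH = re.compile(r"SnmpVarBind\[OID=['\"]([\d.]+)['\"]\]")


def oid_from_xpath(xpath):
    """Pull the OID out of .../SnmpVarBind[OID='1.3.6...']/Value (None if absent)."""
    m = OID_IN_XPATH.search(xpath or "")
    return m.group(1) if m else None


def evaluate(node, varbinds):
    """Evaluate one expression element against the {oid: value} map the probe returned."""
    if node.tag == "Expression":                 # wrapper with a single child
        return evaluate(node[0], varbinds)
    if node.tag in ("Or", "And"):
        hits = [evaluate(child, varbinds) for child in node]
        return any(hits) if node.tag == "Or" else all(hits)
    values = node.findall("ValueExpression")
    actual = varbinds.get(oid_from_xpath(values[0].findtext("XPathQuery")))
    if actual is None:      # the pitfall from the post: OID never probed, never matches
        return False
    if node.tag == "SimpleExpression" and node.findtext("Operator") == "Equal":
        return actual == values[1].findtext("Value")   # <Value Type="String">
    if node.tag == "RegExExpression":
        return re.match(node.findtext("Pattern"), actual) is not None
    raise ValueError("unsupported expression: " + node.tag)


def lint_oids(xml_text):
    """OIDs referenced by an XPathQuery but missing from <SnmpVarBinds> (a silent never-match)."""
    root = ET.fromstring(xml_text)
    probed = {vb.findtext("OID") for vb in root.iter("SnmpVarBind")}
    referenced = {oid_from_xpath(x.text) for x in root.iter("XPathQuery")}
    return referenced - probed


def discovers(xml_text, varbinds):
    """True when a device, given as {oid: value} from the walk, passes the discovery filter."""
    root = ET.fromstring(xml_text)
    return evaluate(root.find("Expression"), varbinds)
```

Run lint_oids on your own pack after editing the OID in <SnmpVarBind>; a non-empty result is exactly the “you will never discover anything” case.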

As awesome as Scott Vintinner’s example is, one thing I believe it lacks is a view in the console so you can see what’s going on. We need to add just a bit of XML to the existing pack; to make this easy I have added it to the base pack using the RBH.Ecosaire.AC naming so you can just edit it all at once if you prefer. Download updated management pack example Here. We have added a section just after the end of </Monitoring>

<View ID="RBH.Ecosaire.AC.Management.Pack.AlertView" Accessibility="Internal" Enabled="true" Target="RBH.Ecosaire.AC.Management.Pack.SNMPDevice" TypeID="SC!Microsoft.SystemCenter.AlertViewType" Visible="true">
  <Criteria />
</View>
<View ID="RBH.Ecosaire.AC.Management.Pack.EventView" Accessibility="Internal" Enabled="true" Target="RBH.Ecosaire.AC.Management.Pack.SNMPDevice" TypeID="SC!Microsoft.SystemCenter.EventViewType" Visible="true">
  <Criteria />
</View>
<View ID="RBH.Ecosaire.AC.Management.Pack.PerformanceView" Accessibility="Internal" Enabled="true" Target="RBH.Ecosaire.AC.Management.Pack.SNMPDevice" TypeID="SC!Microsoft.SystemCenter.PerformanceViewType" Visible="true">
  <Criteria />
</View>
<View ID="RBH.Ecosaire.AC.Management.Pack.StateView" Accessibility="Internal" Enabled="true" Target="RBH.Ecosaire.AC.Management.Pack.SNMPDevice" TypeID="SC!Microsoft.SystemCenter.StateViewType" Visible="true">
  <Criteria />
</View>
<Folder ID="RBH.Ecosaire.AC.Management.Pack.ViewFolder" Accessibility="Internal" ParentFolder="NetLib!Microsoft.SystemCenter.NetworkDevice.AllDevices.ViewFolder.Root" />
<FolderItem ElementID="RBH.Ecosaire.AC.Management.Pack.AlertView" Folder="RBH.Ecosaire.AC.Management.Pack.ViewFolder" />
<FolderItem ElementID="RBH.Ecosaire.AC.Management.Pack.EventView" Folder="RBH.Ecosaire.AC.Management.Pack.ViewFolder" />
<FolderItem ElementID="RBH.Ecosaire.AC.Management.Pack.PerformanceView" Folder="RBH.Ecosaire.AC.Management.Pack.ViewFolder" />
<FolderItem ElementID="RBH.Ecosaire.AC.Management.Pack.StateView" Folder="RBH.Ecosaire.AC.Management.Pack.ViewFolder" />

And a few display strings that will form our text labels for the above entries; these go in the <LanguagePacks> section just before </DisplayStrings>

<DisplayString ElementID="RBH.Ecosaire.AC.Management.Pack.AlertView">
<DisplayString ElementID="RBH.Ecosaire.AC.Management.Pack.EventView">
<DisplayString ElementID="RBH.Ecosaire.AC.Management.Pack.PerformanceView">
  <Name>Performance View</Name>
<DisplayString ElementID="RBH.Ecosaire.AC.Management.Pack.StateView">
  <Name>State View</Name>
<DisplayString ElementID="RBH.Ecosaire.AC.Management.Pack.ViewFolder">
  <Name>Ecosaire AC</Name>

Now all you have to do is install your new MP and you should see in the SCOM monitoring console


With luck now you can see your base device management pack and may even have enough good karma to see some devices. Of course if all you have done is followed my instructions you still won’t have anything, because there is one last step.

Step 4: You need to discover the device in SNMP. This is done via the operations console, in the Administration tab. Right click on “Device Management” and run the “Discovery Wizard”.


Simple enough, select network devices and select next.


Here enter the IP or range of IPs that your devices use, make sure to enter the community name you configured on the device, and drop the SNMP version down to 1, unless of course you know your device is v2. Select the management server that you want to handle traps, monitors and rules and click Discover.

If all goes well, a couple of minutes later you will get a screen showing the devices that have been discovered; check the box(es) of the ones you want to be managed, click Finish and you are done. Then wait a while and they should start showing up in the management console. If things didn’t go well there is likely a problem with either the community name or the SNMP configuration on the device allowing your root management server to contact the device using SNMP. Best to configure the device to send SNMP traps to all your management servers and allow SNMP read-only from all of your management servers.

Here are the completed XML files for a few of the MP’s I created if they are of use to you. Download and rename to .XML




Stay tuned for Part 2 where we will look into creating rules and monitors for the discovered devices.

Part 1

Part 2

Part 3

Death of a Hotfix – Fun with KB973705

Ever have one of those days when the help desk calls you early and says EVERYTHING IS DOWN!!

We all know that it’s very rarely that bad, but either way you see your day evaporate.  For me yesterday was one of those times.

The Problem: Perhaps 50% of our machines that received MSKB973705 last night can’t run Outlook anymore. A quick look shows that the outlook.exe is smaller, does not have a version number anymore, and if you run it from the command line you get “Program too big to fit in memory”. Quickly we declined this update in WSUS to prevent the spread and then it’s on to fixing the problem machines.

The Process: After some research and a call to Microsoft the recommendation is to remove the patch only from affected machines, at least until the developers can have a look at it and determine what’s really going wrong here. Sounds simple, right?

First we need to determine who has the patch. I found the base of the following VBScript on Hey, Scripting Guy (skip to the end for the whole script)

Set colQuickFixes = objWMIService.ExecQuery _
    ("Select * from Win32_QuickFixEngineering where HotFixID = 'KB973507'")

This will at least tell us if the patch is installed. If so we need a quick check to see what version the Outlook executable carries, as most people appear to have received the patch without issue.

Dim filesys, a
Set filesys = CreateObject("Scripting.FileSystemObject")
a = filesys.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE")

If the patch is installed and the Outlook version is bad then we need to uninstall the patch. In this script I hoped to just use the .Uninstall() method of the Win32_QuickFixEngineering object. Sigh, this is not an option. It is an option for the Win32_Product class but not the Win32_QuickFixEngineering class.

After much research, trolling the registry, Google and newsgroups, we finally found how a patch like this needs to be uninstalled from the command line. I can’t count the number of times I chased down a solution that looked so easy that I couldn’t believe I missed it earlier, only to find again I was looking at KB973507 and not KB973705 … Dyslexics Of The World Untie

msiexec /package {} /uninstall {} /passive /norestart

Now all we need is the product and package GUIDs; these will of course vary based on the version of Office you have installed and the patch in question.

In order to get the product GUID I found the following script, WiLstPrd.vbs, that gives us the Product ID; the patch ID I just found by going into Add or Remove Programs, finding the patch and clicking to get the support information.


Finally this gives us the command that actually removes the patch:

msiexec /package {90110409-6000-11D3-8CFE-0150048383C9} /uninstall {22A15D5A-3165-4970-86BE-A5D5661E77E1} /passive /norestart

We also find that following the uninstall of this patch some machines pick it up again from the WSUS cache even though we have declined it in the console for now, so we add a “wuauclt -detectnow” to force the clients to check in with WSUS before trying to install the same patch again.

Of course when we start testing we find that we have a number of different states:

Users who have installed the patch and rebooted – script works

Users who have installed but not rebooted – patch uninstall appears to work, but after a reboot it leaves the client in a bad state requiring that Outlook be repaired from the control panel. Because of this we added a section to the script to see if the machine has been rebooted today; if not we prompt to reboot and then run the script again.

Users who have not installed the patch – script runs as expected but does not do anything

Users who have attempted to fix it themselves – isn’t it fun when this happens? We will just have to fix any of these by hand as we find them.

A few more updates to the script to do some logging and report via email on its usage and we are ready to deploy. We have a discussion about the pros and cons of deploying via SCCM, logon script, GPO, user run or help desk run. We found some issues with SCCM not wanting to run the script a second time if the initial reboot is required. We decide to go with help desk assistance, if required, for the initial push and see what happens.

The Solution:

Have the users run the following script: (keep in mind this was a quick and dirty script, but if you see things that could be better let me know)

Download : Script

Download : User Documentation

See the alternate Script from GregP at the bottom of this post.


After seeing the logs for a few hundred users I have made a few changes, like requiring that a reboot has happened in the last hour or the script will not run, and notifying the user to call the help desk if they are still having problems and the script thinks everything is OK.
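As an added example that is not part of the post’s script, the decision table above (patch present, Outlook version resource gone, rebooted since the install, rebooted within the last hour) written as one pure Python function so each of the four user states can be checked without touching WMI. The CIM_DATETIME parser mirrors the Mid() slicing in the VBScript; the action strings, the hotfix ID parameter and the sample version number are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed remediation planner.  It reproduces the decision table from the
# post as a pure function; the command strings are the ones quoted in the post.
UNINSTALL = ("msiexec /package {90110409-6000-11D3-8CFE-0150048383C9} "
             "/uninstall {22A15D5A-3165-4970-86BE-A5D5661E77E1} /passive /norestart")
DETECT = "wuauclt -detectnow"


def wmi_datetime(cim):
    """Parse a CIM_DATETIME such as 20091014080314.000000-240
    (Win32_OperatingSystem.LastBootUpTime) into a naive local datetime.
    The UTC offset suffix is ignored, exactly as the VBScript's Mid() slicing ignores it."""
    return datetime.strptime(cim[:14], "%Y%m%d%H%M%S")


def plan(hotfix_id, hotfixes, outlook_version, last_boot, now,
         max_uptime=timedelta(hours=1)):
    """Return the actions to take on one machine.

    hotfixes        {HotFixID: installed_on datetime} read from Win32_QuickFixEngineering
    outlook_version GetFileVersion() of OUTLOOK.EXE ('' once the patch has damaged it)
    last_boot       wmi_datetime(LastBootUpTime)
    """
    # Rule added after the first few hundred runs: refuse to do anything unless
    # the box was rebooted within the last hour.
    if now - last_boot > max_uptime:
        return ["prompt_reboot"]
    installed_on = hotfixes.get(hotfix_id)
    if installed_on is None:
        return [DETECT]                   # patch never arrived: nothing to undo
    if installed_on > last_boot:
        return ["prompt_reboot"]          # installed but not rebooted: uninstalling now leaves Outlook needing a repair
    if outlook_version != "":
        return ["log: version ok, patch kept", DETECT]   # patch applied cleanly
    return [UNINSTALL, DETECT]            # damaged outlook.exe: remove the patch, then re-check WSUS
```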

Hey Microsoft:

Before you start, yes I know about Microsoft Connect, and I use it. I also work with my TAM at our expense to try and argue for product improvements. I suggest everyone does the same.

1) How about some standardization on patch uninstallation? I found 3 different ways for 3 different kinds of patches.

2) How about making the uninstall simple? Something like you already do for some things… "C:\WINDOWS\$NtUninstallKB975025$\spuninst"

3) How about adding the Product GUID in the technical details for EVERYTHING that is installed under Add or Remove Programs. And would it kill you if we could cut and paste from there?

The Script :

'----- Logging constant : 0 = off, 1 = to screen, 2 = to file, 3 = to screen and file
Const conLogType = 2
Const conLogPath = "c:\"
Const conScriptName = "OutlookFix973705-"
Const conClearLog = 0
Const conDisplayLog = 0
Dim username, intFirstRun
Dim strLogFileName
Dim objFSO, WshNetwork, strComputer, objWMIService
Dim colOperatingSystems, objOS, dtmBootup, dtmLastBootupTime, dtmSystemUptime
Dim colQuickFixes, objQuickFix, objShell, filesys, a

intFirstRun = 1
' username is part of the log file name, so resolve it before the first logmsg
username = GetUserName()

Set objFSO = CreateObject("Scripting.FileSystemObject")

logmsg "*************** OutlookFix973705 Started. *****************"

Set WshNetwork = WScript.CreateObject("WScript.Network")
logmsg "on Computer Name = " & WshNetwork.ComputerName
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Last boot time comes back as a CIM_DATETIME string, e.g. 20091014080314.000000-240
Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
For Each objOS In colOperatingSystems
    dtmBootup = objOS.LastBootUpTime
    dtmLastBootupTime = WMIDateStringToDate(dtmBootup)
    dtmSystemUptime = DateDiff("h", dtmLastBootupTime, Now)
    logmsg "Last boot time: " & dtmLastBootupTime
    logmsg "bootup: " & dtmBootup
    logmsg "Uptime: " & dtmSystemUptime
Next

Function WMIDateStringToDate(dtmBootup)
    ' DateSerial/TimeSerial instead of a "MM/DD/YYYY" string, so the result does
    ' not depend on the regional date format of the machine running the script
    WMIDateStringToDate = DateSerial(CInt(Left(dtmBootup, 4)), CInt(Mid(dtmBootup, 5, 2)), CInt(Mid(dtmBootup, 7, 2))) _
        + TimeSerial(CInt(Mid(dtmBootup, 9, 2)), CInt(Mid(dtmBootup, 11, 2)), CInt(Mid(dtmBootup, 13, 2)))
End Function

' A machine that has not been rebooted since the patch went out must reboot
' before the patch is removed, otherwise Outlook is left needing a repair
If dtmLastBootupTime < DateSerial(2009, 10, 14) Then
    logmsg "reboot required before script runs"
    MsgBox "Please reboot and run the script again"
    WScript.Quit
End If

Set colQuickFixes = objWMIService.ExecQuery _
    ("Select * from Win32_QuickFixEngineering where HotFixID = 'KB973507'")

logmsg "WMI Query Complete"

For Each objQuickFix In colQuickFixes
    If objQuickFix.HotFixID = "KB973507" Then
        Set filesys = CreateObject("Scripting.FileSystemObject")
        ' a damaged outlook.exe carries no version resource at all
        a = filesys.GetFileVersion("C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE")
        If a <> "" Then
            logmsg "outlook version appears to be good, patch not removed"
        Else
            logmsg "uninstall started"
            Set objShell = WScript.CreateObject("WScript.Shell")
            objShell.Run "msiexec /package {90110409-6000-11D3-8CFE-0150048383C9} /uninstall {22A15D5A-3165-4970-86BE-A5D5661E77E1} /passive /norestart"
            Set objShell = Nothing
        End If
    End If
Next

' Make the client check in with WSUS before it re-offers the declined patch
Set objShell = WScript.CreateObject("WScript.Shell")
objShell.Run "wuauclt -detectnow"
Set objShell = Nothing
logmsg "wuaudetect now started"
logmsg "script end"
SendMail

' Procedure  : LogFileName
' One log file per day and user; SendMail attaches the same file
Function LogFileName
    Dim strTemp
    strTemp = Now()
    LogFileName = conLogPath & conScriptName & Day(strTemp) & Month(strTemp) & Right(Year(strTemp), 2) & username & ".log"
End Function

' Procedure  : LogMsg
Sub LogMsg(strMsg)
    Dim objFileSystem, intLogFile

    If conLogType = 1 Or conLogType = 3 Then
        WScript.Echo Now & " - " & strMsg
    End If
    If conLogType = 2 Or conLogType = 3 Then
        Set objFileSystem = CreateObject("Scripting.FileSystemObject")
        strLogFileName = LogFileName()
        If conClearLog = 1 And intFirstRun = 1 Then
            ' start a fresh log on the first message of this run
            If objFileSystem.FileExists(strLogFileName) Then objFileSystem.DeleteFile strLogFileName
            intFirstRun = 0
        End If
        Set intLogFile = objFileSystem.OpenTextFile(strLogFileName, 8, True)
        intLogFile.WriteLine Now & " - " & strMsg
        Set intLogFile = Nothing
        Set objFileSystem = Nothing
    End If
End Sub

Function GetUserName
    Dim objWshShell, objWshSysEnv

    Set objWshShell = CreateObject("WScript.Shell")
    Set objWshSysEnv = objWshShell.Environment("PROCESS")

    GetUserName = objWshSysEnv("USERNAME")
    'logmsg "Username: " & GetUserName
    Set objWshShell = Nothing
    Set objWshSysEnv = Nothing
End Function

Sub SendMail
    Dim objMessage
    Set objMessage = CreateObject("CDO.Message")
    objMessage.Subject = "Outlook Fix run for: " & username & " " & Now() & " on " & WshNetwork.ComputerName
    objMessage.From = "outlookfix@WHATEVER.COM"
    objMessage.To = "helpdesk@WHATEVER.COM"   ' placeholder: the recipient was not in the original listing
    objMessage.TextBody = ""
    strLogFileName = LogFileName()
    logmsg strLogFileName
    objMessage.AddAttachment strLogFileName

    '==This section provides the configuration information for the remote SMTP server.
    '==Normally you will only change the server name or IP.
    objMessage.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2

    'Name or IP of Remote SMTP Server
    objMessage.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "SMTP.WHATEVER.COM"   ' placeholder: server name was not in the original listing

    'Server port (typically 25)
    objMessage.Configuration.Fields.Item _
        ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25

    objMessage.Configuration.Fields.Update
    '==End remote SMTP server configuration section==

    objMessage.Send
End Sub

Alternate Script:

GregP commented with this option, no VBS. I have not tried it but I like the concept. Thanks Greg for the details.

REM Get patch date.
for /f "skip=4 tokens=1,2,3,4" %%A in ('reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9040110900063D11C8EF10054038389C\Patches\A5D51A225613079468EB5A5D66E1771E /v Installed') do set PatchDate=%%C

REM Nothing to do if the patch was never installed (exit /b leaves the calling window open).
if "%PatchDate%"=="" exit /b

REM Get last boot date.
net statistics workstation > %Temp%\NetStats.txt
for /f "tokens=1,2,3,4,5 delims=/ " %%A in (%Temp%\NetStats.txt) do if /i "%%A"=="Statistics" (if %%C LSS 10 (set BootM=0%%C) else (set BootM=%%C))
for /f "tokens=1,2,3,4,5 delims=/ " %%A in (%Temp%\NetStats.txt) do if /i "%%A"=="Statistics" (if %%D LSS 10 (set BootD=0%%D) else (set BootD=%%D))
for /f "tokens=1,2,3,4,5 delims=/ " %%A in (%Temp%\NetStats.txt) do if /i "%%A"=="Statistics" set BootY=%%E
set BootDate=%BootY%%BootM%%BootD%

REM UnPatch or No UnPatch? Only remove the patch if it went on before the last boot.
if %PatchDate% LSS %BootDate% msiexec /package {90110409-6000-11D3-8CFE-0150048383C9} /uninstall {22A15D5A-3165-4970-86BE-A5D5661E77E1} /quiet /norestart

REM Cleanup.
for %%V in (PatchDate BootM BootD BootY BootDate) do set %%V=
del %Temp%\NetStats.txt