Find the largest files modified today

If you’re not using fancy file auditing software to track things, it may be challenging to find out who just filled up your drive with a bunch of data.  Here’s a PowerShell script to brute force way, crawling through your network shared drive to find the largest files that were modified today.  It can take a while to run if you have many folders and files to crawl through.  Now you can have a list of your top 100 largest files and who owns them.

# Largest X files created today
$searchPath="H:\"
$limit = 100
$filesToday = Get-Childitem $searchPath * -Recurse -File -ErrorAction "SilentlyContinue" | 
 Where-Object {($_.LastWriteTime -gt (Get-Date).Date)} 
$largestFiles = $filesToday | Sort-Object -Property length -Descending | Select-Object Name, @{Name="SizeInMB";Expression={$_.Length / 1MB}},@{Name="Path";Expression={$_.directory}}, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}} -First $limit
$largestFiles
$largestFiles | Export-Csv (".\largestFilesToday_" + (Get-Date -Format "yyyy_MM_dd_hhmm") + ".csv")

JSON vs XML for PowerShell

It felt like XML was a bit dated for data transport.  It is/has been a bit cumbersome to parse and manage from PowerShell.  I’ve been seeing a lot more JSON everywhere and was curious to know if support for it was implemented in PowerShell.  It is.  As it turns out, it’s much easier to use.  Now to go back and update all my scripts to start using it.  Sigh…

Here’s an awesome article by June Blender on how to transition to start using it:

https://blogs.technet.microsoft.com/heyscriptingguy

 

Get-WinEvent vs. Get-EventLog

So, these two appear to be very similar at first glance.  However, depending on the data one wants to filter in on, one is significantly better than the other.  For me, the bottom line is using Get-Eventlog for filtering the Security Event Log is much faster.  That’s what I needed to know.

An article by Mark Berry was very helpful:

PowerShell: Get-WinEvent vs. Get-EventLog

Conclusions

  1. If you’re writing a PowerShell script to handle events from Vista or Server 2008, avoid the Get-WinEvent –FilterHashtable parameter; use –FilterXML instead.
  2. Even on Vista and beyond, consider using Get-EventLog if you need to filter the Security log for Audit Failures.

Need to parse a remote Event Log for a specific Event ID and text in the description

My situation is that I need to go through all the System events and look for a particular service and account for when it started and stopped.  The one way I am able to identify the specific service from a specific vendor is that they identified their software in the description.  The Event ID for services starting and stopping is 7036.  Using this script, I’m able to get all those vendor specific service stop/start events:

Get-WinEvent -ComputerName <computer> -FilterHashtable @{logname='system'; id=7036} | Where-Object {$_.message -like "*<my text to find>*"}

This may also be helpful:

Get-EventLog -ComputerName <computer> -Log "Security" | where {($_.Message -like '*<search text>*') -and ($_.EntryType -eq 'FailureAudit')}

.

What processes are listening on HTTP/HTTPS related ports?

Working in a vacuum when initially looking at a server is par for course.  My one clue is that the server for a web application of sorts.   However, one does not know what the application is or what software may be serving up HTTP/HTTPS.  Standards are that the server would be serving up on ports 80 and/or 443, respectively.   Many applications will serve up this kind of traffic on variations like 8080 or, essentially, *80 and *443.  I needed a script to quickly see what processes may be listening on those ports.  This helps me gain insight to track down pieces and help the application owner/team investigate further.  Here’s the script:

# Look for listening ports on *80 and *443 with process ID
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object {
 $Processes[$_.Id] = $_
}

Get-NetTCPConnection | 
 Where-Object { ($_.State -eq "Listen") -and ($_.LocalPort -like '*80' -or $_.LocalPort -like '*443') } |
 Select-Object LocalAddress,
 LocalPort,
 @{Name="PID"; Expression={ $_.OwningProcess }},
 @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }}, 
 @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }} |
 Sort-Object -Property ProcessName, UserName |
 Format-Table -AutoSize

Who initiated the reboot?

This Powershell one liner will check the event log of a remote computer to see what initiated the shutdown or reboot.  If the server just crashed or power was interrupted you can filter on a different Event ID.

Get-EventLog -ComputerName <servername> -LogName System | Where-Object {$_.EventID -eq 1074} | Select-Object -First 1 | FL *

Error 14098 the Component Store has been corrupted

When the OS is serviced, the component store is updated. It is part of Windows Imaging and Servicing stack. If you got the error 14098 ‘The component store has been corrupted’, it means that something went wrong with Windows updates and its packages.

To fix the component store, you can use DISM – Deployment Image Servicing and Management tool.

/RestoreHealth: This checks for component store corruption, records the corruption to C:\Windows\Logs\CBS\CBS.log and fixes the corruption using Windows Update or using your Windows installation source.

Dism /Online /Cleanup-Image /RestoreHealth

Clean up the WinSxS folder on Windows 2012 R2

Use the /AnalyzeComponentStore to analyze the size of the Component Store (WinSxS folder) in Windows. The AnalyzeComponentStore option is available in Windows 8.1 Windows Server 2012 R2.

dism.exe /online /Cleanup-Image /AnalyzeComponentStore

Dism.exe removes superseded and unused system files from a system with the /StartComponentCleanup parameter.

dism.exe /online /Cleanup-Image /StartComponentCleanup

Using the /ResetBase switch with the /StartComponentCleanup parameter of dism.exe, all superseded versions of every component in the component store is removed.  All existing service packs and updates cannot be uninstalled after this command is completed. This will not block the uninstallation of future service packs or updates.

dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

The /SPSuperseded parameter removes any backup components needed for de-installation of a service pack. The service pack cannot be uninstalled after this command is completed.

dism.exe /online /Cleanup-Image /SPSuperseded

 

Can’t Install Roles or Features on Windows 2012 R2

I came across a really strange issue.  When going through the Add Roles and Features Wizard, I tried to click next to the Server Roles page.  The wizard then shows a red bar with the following error, “The request to list features available on the specified server failed.”

Doing an SFC /SCANNOW like so many internet searches says to do, does not clear the issue.  The reason seems that the server was in a pending reboot state for changes to be made.  Rebooting never makes any changes.  This state also prevents using DISM from fixing any corruption.

It turns out that one can boot into the repair console to get to files offline.  Navigate to the C:\Windows\WinSxS directory and rename the pending.xml file to something like pending.xml.old.  This tricks Windows into thinking that nothing else is pending a reboot and allows one to use SFC and DISM to clean up system files.

It looks like a ton of Windows updates went in, but didn’t get installed correctly.  Checking for Windows updates produced over 77 important updates as opposed to the 3 that were being presented before renaming pending.xml.

SFC and DISM fixes went in, a couple of reboots and I am now able to properly install roles and features.

Career and Professional Website