All posts by Frank Contreras

Throttle PowerShell scripts to not kill CPU or RAM

Having fun deploying gobs of parallel processes is great until things start to slow down because CPU and RAM are getting clobbered. I came up with a way to make scripts a little more polite and clear up the logjam. At the top of loops or other iterative processes, inject a check of utilization before proceeding. If the thresholds are exceeded, the script pauses a bit and checks back to see whether utilization has come down. Essentially, it’s a call to a function that checks utilization and a small loop to hang out in until utilization drops. I have the CPU and RAM thresholds dialed in at 80%; change them to suit.

The function:

function highCpuRam {
 $highCpuRam = $false
 # Average CPU load across all processors (LoadPercentage is reported per processor)
 $cpuUsed = [int]((gwmi win32_processor | Measure-Object -Property LoadPercentage -Average).Average)
 # Percent of physical memory in use: 100 minus the percent that is still free
 $os = gwmi win32_OperatingSystem
 $memUsed = [int](100 - (($os.FreePhysicalMemory / $os.TotalVisibleMemorySize) * 100))
 if ($cpuUsed -gt 80) {$highCpuRam = $true}
 if ($memUsed -gt 80) {$highCpuRam = $true}
 return $highCpuRam
}

The check:

do {
 $busy = highCpuRam
 if ($busy) {
 "Throttling down. CPU/RAM busy."
 Start-Sleep -m 500
 }
} while ($busy)
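Here is how the check sits at the top of a real loop. This is an added example, not code from the original post; it assumes the highCpuRam function above is already loaded in the session, and the $workItems, $maxWaitSeconds and $maxConcurrentJobs names are illustrative. It adds one thing the post’s loop lacks: a bounded wait, so a box that stays pegged cannot leave the script hanging forever.

```powershell
# Added example (not from the original post): throttle a batch of background jobs.
# Assumes the highCpuRam function above is already defined in the session.
# $workItems, $maxWaitSeconds and $maxConcurrentJobs are illustrative names.
$workItems = 1..20            # constructed stand-in for real work items
$maxWaitSeconds = 300         # stop waiting after 5 minutes so the script cannot hang forever
$maxConcurrentJobs = 4

foreach ($item in $workItems) {
    # Politeness check at the top of the loop: wait while CPU or RAM is above threshold.
    $waited = [System.Diagnostics.Stopwatch]::StartNew()
    do {
        $busy = highCpuRam
        if ($busy) {
            if ($waited.Elapsed.TotalSeconds -gt $maxWaitSeconds) {
                Write-Warning "Utilization still high after $maxWaitSeconds s; continuing anyway."
                break
            }
            "Throttling down. CPU/RAM busy."
            Start-Sleep -Milliseconds 500
        }
    } while ($busy)

    # Also cap the number of running jobs so the throttle is not fighting a job flood.
    while ((Get-Job -State Running).Count -ge $maxConcurrentJobs) {
        Start-Sleep -Milliseconds 500
    }

    Start-Job -Name "work-$item" -ScriptBlock {
        param($n)
        Start-Sleep -Seconds (Get-Random -Minimum 1 -Maximum 5)   # placeholder for real work
        "item $n done"
    } -ArgumentList $item | Out-Null
}

# Drain the jobs and clean up.
Get-Job | Wait-Job | Receive-Job
Get-Job | Remove-Job
```

The job cap matters because the utilization check only samples at the moment a new item starts; without a cap, twenty jobs launched in a quiet second would all land at once.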

Find the largest files modified today

If you’re not using fancy file auditing software to track things, it can be challenging to find out who just filled up your drive with a bunch of data. Here’s a PowerShell script that does it the brute-force way, crawling through your network shared drive to find the largest files that were modified today. It can take a while to run if you have many folders and files to crawl through. The result is a list of your top 100 largest files and who owns them.

# Largest X files modified today
$searchPath = "H:\"
$limit = 100
# Files whose last write time is after midnight today; folders we cannot read are skipped silently
$filesToday = Get-ChildItem $searchPath * -Recurse -File -ErrorAction "SilentlyContinue" |
 Where-Object { $_.LastWriteTime -gt (Get-Date).Date }
# Sort by size, keep the top $limit, and look up the owner from each file's ACL
$largestFiles = $filesToday | Sort-Object -Property Length -Descending |
 Select-Object Name,
 @{Name="SizeInMB";Expression={$_.Length / 1MB}},
 @{Name="Path";Expression={$_.Directory}},
 @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}} -First $limit
$largestFiles
# 24-hour timestamp in the file name (HH, not hh, so afternoon runs do not collide with morning ones)
$largestFiles | Export-Csv (".\largestFilesToday_" + (Get-Date -Format "yyyy_MM_dd_HHmm") + ".csv") -NoTypeInformation

JSON vs XML for PowerShell

XML felt a bit dated for data transport, and it has been cumbersome to parse and manage from PowerShell. I’ve been seeing a lot more JSON everywhere and was curious whether support for it was implemented in PowerShell. It is. As it turns out, it’s much easier to use. Now to go back and update all my scripts to start using it. Sigh…

Here’s an awesome article by June Blender on how to make the transition:

https://blogs.technet.microsoft.com/heyscriptingguy
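To make the comparison concrete, here is the same small record handled both ways. This is an added example, not code from the post or from June Blender’s article; the server list is constructed data, and the function names are illustrative.

```powershell
# Added example (not from the original post): the same record as XML and as JSON.
# The data below is constructed; Get-FrontendPortsFromXml/Json are illustrative names.
$xmlText = @'
<servers>
  <server name="web01" role="frontend"><port>443</port></server>
  <server name="db01" role="database"><port>1433</port></server>
</servers>
'@

$jsonText = @'
{ "servers": [
    { "name": "web01", "role": "frontend", "port": 443 },
    { "name": "db01",  "role": "database", "port": 1433 }
] }
'@

function Get-FrontendPortsFromXml {
    param([string]$Text)
    $doc = [xml]$Text
    # Attributes and child elements are addressed differently, and every value comes back as a string
    $doc.servers.server | Where-Object { $_.role -eq 'frontend' } | ForEach-Object { [int]$_.port }
}

function Get-FrontendPortsFromJson {
    param([string]$Text)
    $data = $Text | ConvertFrom-Json
    # Properties are plain object members and numbers arrive already typed
    $data.servers | Where-Object { $_.role -eq 'frontend' } | ForEach-Object { $_.port }
}

Get-FrontendPortsFromXml  -Text $xmlText
Get-FrontendPortsFromJson -Text $jsonText

# Going the other way: build output as objects and serialize once at the end
$report = [pscustomobject]@{
    host      = 'web01'
    checkedAt = (Get-Date).ToString('s')
    listening = @(80, 443)
}
$report | ConvertTo-Json -Depth 3
```

Both functions return 443. The JSON path needs no cast and no knowledge of whether a field was an attribute or an element, which is most of what makes it easier to maintain.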


Get-WinEvent vs. Get-EventLog

At first glance these two appear very similar. However, depending on the data one wants to filter on, one is significantly better than the other. For me, the bottom line is that Get-EventLog is much faster for filtering the Security event log. That’s what I needed to know.

An article by Mark Berry was very helpful:

PowerShell: Get-WinEvent vs. Get-EventLog

Conclusions

  1. If you’re writing a PowerShell script to handle events from Vista or Server 2008, avoid the Get-WinEvent -FilterHashtable parameter; use -FilterXML instead.
  2. Even on Vista and beyond, consider using Get-EventLog if you need to filter the Security log for Audit Failures.

Need to parse a remote Event Log for a specific Event ID and text in the description

My situation is that I need to go through all the System events and find when a particular service, running under a particular account, started and stopped. The one way I am able to identify the specific vendor’s service is that they identify their software in the event description. The Event ID for services starting and stopping is 7036. Using this script, I’m able to get all those vendor-specific service stop/start events:

Get-WinEvent -ComputerName <computer> -FilterHashtable @{logname='system'; id=7036} | Where-Object {$_.message -like "*<my text to find>*"}

This may also be helpful:

Get-EventLog -ComputerName <computer> -Log "Security" | Where-Object {($_.Message -like '*<search text>*') -and ($_.EntryType -eq 'FailureAudit')}
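The Security-log one-liner above pulls the whole log across the wire and filters client-side, which is why the Get-WinEvent vs. Get-EventLog comparison mattered. The following is an added example, not code from the post or from Mark Berry’s article: the same failure-audit search written with Get-WinEvent -FilterXml, the approach his first conclusion recommends, with the time window and the Audit Failure keyword pushed into the query so only matching records are returned. The computer name and search text are placeholders.

```powershell
# Added example (not from the original post): server-side filtered failure-audit search.
# 'SERVER01' and 'svc_vendor' below are placeholders; Get-FailureAuditWithText is an illustrative name.
function Get-FailureAuditWithText {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$SearchText,
        [int]$Hours = 24
    )

    # 4503599627370496 (0x10000000000000) is the Audit Failure keyword bit;
    # timediff() is in milliseconds, and '<=' must be XML-escaped.
    $ms = $Hours * 3600 * 1000
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[band(Keywords,4503599627370496) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

    # Only the description text still has to be matched on the client side
    Get-WinEvent -ComputerName $ComputerName -FilterXml $filterXml -ErrorAction Stop |
        Where-Object { $_.Message -like "*$SearchText*" } |
        Select-Object TimeCreated, Id, MachineName, Message |
        Sort-Object TimeCreated
}

Get-FailureAuditWithText -ComputerName 'SERVER01' -SearchText 'svc_vendor' -Hours 24 |
    Format-Table -AutoSize -Wrap
```

The same XPath can be pasted into Event Viewer’s Filter Current Log, XML tab, to confirm it returns what you expect before scripting against it.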


What processes are listening on HTTP/HTTPS related ports?

Working in a vacuum when initially looking at a server is par for the course. My one clue is that the server hosts a web application of some sort. However, I don’t know what the application is or what software may be serving up HTTP/HTTPS. By convention the server would serve on ports 80 and/or 443, but many applications serve this kind of traffic on variations like 8080, essentially anything ending in 80 or 443. I needed a script to quickly see what processes may be listening on those ports. This helps me gain insight to track down the pieces and help the application owner/team investigate further. Here’s the script:

# Look for listening ports on *80 and *443 with process ID
# Get-Process -IncludeUserName needs an elevated session; without it UserName comes back blank
$Processes = @{}
Get-Process -IncludeUserName | ForEach-Object {
 $Processes[$_.Id] = $_
}

# Join each listening TCP socket to its owning process by PID
Get-NetTCPConnection |
 Where-Object { ($_.State -eq "Listen") -and ($_.LocalPort -like '*80' -or $_.LocalPort -like '*443') } |
 Select-Object LocalAddress,
 LocalPort,
 @{Name="PID"; Expression={ $_.OwningProcess }},
 @{Name="ProcessName"; Expression={ $Processes[[int]$_.OwningProcess].ProcessName }},
 @{Name="UserName"; Expression={ $Processes[[int]$_.OwningProcess].UserName }} |
 Sort-Object -Property ProcessName, UserName |
 Format-Table -AutoSize

Who initiated the reboot?

This PowerShell one-liner checks the System event log of a remote computer to see what initiated the shutdown or reboot (Event ID 1074). If the server crashed or power was interrupted, filter on a different Event ID.

Get-EventLog -ComputerName <servername> -LogName System | Where-Object {$_.EventID -eq 1074} | Select-Object -First 1 | Format-List *

Error 14098 the Component Store has been corrupted

When the OS is serviced, the component store is updated. It is part of the Windows imaging and servicing stack. If you get error 14098, ‘The component store has been corrupted’, it means that something went wrong with Windows Update and its packages.

To fix the component store, you can use DISM, the Deployment Image Servicing and Management tool.

/RestoreHealth checks for component store corruption, records the corruption to C:\Windows\Logs\CBS\CBS.log, and repairs it using Windows Update or your Windows installation source.

Dism /Online /Cleanup-Image /RestoreHealth

Clean up the WinSxS folder on Windows 2012 R2

Use /AnalyzeComponentStore to analyze the size of the component store (the WinSxS folder). The /AnalyzeComponentStore option is available in Windows 8.1 and Windows Server 2012 R2.

dism.exe /online /Cleanup-Image /AnalyzeComponentStore

Dism.exe removes superseded and unused system files from a system with the /StartComponentCleanup parameter.

dism.exe /online /Cleanup-Image /StartComponentCleanup

Using the /ResetBase switch with the /StartComponentCleanup parameter of dism.exe, all superseded versions of every component in the component store are removed. Existing service packs and updates cannot be uninstalled after this command completes. It does not block the uninstallation of future service packs or updates.

dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

The /SPSuperseded parameter removes any backup components needed to uninstall a service pack. The service pack cannot be uninstalled after this command completes.

dism.exe /online /Cleanup-Image /SPSuperseded
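Since the last two switches cannot be undone, it is worth scripting the reversible part of this sequence so it runs analysis first and only cleans up when DISM itself recommends it. The following is an added example, not code from the original post; it uses only the /AnalyzeComponentStore and /StartComponentCleanup commands above and leaves /ResetBase and /SPSuperseded for a deliberate manual step. The function name is illustrative.

```powershell
# Added example (not from the original post): analyze, then clean up only when recommended.
# Invoke-ComponentStoreCleanup is an illustrative name. Run from an elevated prompt.
function Invoke-ComponentStoreCleanup {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Capture the analysis report; DISM writes it to stdout
    $analysis = & dism.exe /online /Cleanup-Image /AnalyzeComponentStore 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "AnalyzeComponentStore failed with exit code $LASTEXITCODE. See C:\Windows\Logs\DISM\dism.log"
    }
    $analysis

    # The report ends with a "Component Store Cleanup Recommended : Yes/No" line
    $recommended = $analysis | Select-String -Pattern 'Cleanup Recommended\s*:\s*Yes' -Quiet
    if (-not $recommended) {
        Write-Host "DISM does not recommend a cleanup; nothing to do."
        return
    }

    # -WhatIf shows this step without running it
    if ($PSCmdlet.ShouldProcess('online image', 'StartComponentCleanup')) {
        & dism.exe /online /Cleanup-Image /StartComponentCleanup
        # 3010 means the cleanup succeeded but a reboot is required
        if ($LASTEXITCODE -notin 0, 3010) {
            throw "StartComponentCleanup failed with exit code $LASTEXITCODE. See C:\Windows\Logs\DISM\dism.log"
        }
        if ($LASTEXITCODE -eq 3010) { Write-Warning "Reboot required to complete the cleanup." }
    }
}

# Preview first, then run for real
Invoke-ComponentStoreCleanup -WhatIf
Invoke-ComponentStoreCleanup
```

Keeping /ResetBase out of the automated path preserves the ability to uninstall a bad update until you have decided you will never roll back.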