Category Archives: Microsoft

Microsoft related posts.

Credentials Management in PowerShell

This blog is plagiarized from the best article I’ve ever found on this subject.  Full credit to Kris Powell for this amazing article found here.

Here are my condensed notes for my use.  If you find it useful, give a shout out to Kris Powell.

We now know how to convert a SecureString to an encrypted standard string. We can take any method we like to get a SecureString, convert it to a standard string and then save it to a file. Here is an example of each:

Exporting SecureString from Plain text

"P@ssword1" | `
ConvertTo-SecureString -AsPlainText -Force | `
ConvertFrom-SecureString | `
Out-File "C:\Temp 2\Password.txt"

Exporting SecureString from Get-Credential

(Get-Credential).Password | `
ConvertFrom-SecureString | `
Out-File "C:\Temp 2\Password.txt"

Exporting SecureString from Read-Host

Read-Host "Enter Password" -AsSecureString |  `
ConvertFrom-SecureString | `
Out-File "C:\Temp 2\Password.txt"

Anyone of these examples should provide you with a Password.txt file that has an encrypted standard string the represents the password.

When you need to use this encrypted password, you simply reverse the process by importing the data from your file and use ConvertTo-SecureString. If all you need is a SecureString, you can stop there. You could even take it a step further and create a PSCredential object.

Creating SecureString object

$pass = Get-Content "C:\Temp 2\Password.txt" | ConvertTo-SecureString

Creating PSCredential object

$User = "MyUserName"
$File = "C:\Temp 2\Password.txt"
$MyCredential=New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList $User,
(Get-Content $File | ConvertTo-SecureString)

Get a certificate with Subject Alternative Names using certreq

If one needs to use certreq to obtain a certificate, but the certificate signing request does not explicitly ask for it, here’s the command to get it anyway:

certreq -f -q -submit -attrib “CertificateTemplate:WebServer\nSAN:dns=<hostname>&dns=<hostname>.mydomain.com&ipaddress=<IP Address>” -config “<Config Name>” <Certificate Request File>.csr <Certificate File>.cer

The key part is in the attrib string following the new line “\n” bit where SAN: is then defined.  In this example, three are defined: the hostname, fully qualified domain name and the IP address.

Active Directory Integrated DNS Wildcard Search

So NSLOOKUP is the typical way one may query DNS.  Ever wanted to just grab the results as objects while using a wildcard filtered search?  If your DNS is Active Directory integrated, then it’s really pretty simple.  After all, each DNS entry is essentially an AD Object.  Why not query AD like we do for so many other things?  Basically, you just need the Distinguished name for the DNS zone and tell Get-ChildItem to look at Active Directory.  For example, if you wanted to find all host records ending in “-DC” in example.com:

Get-ChildItem "AD:DC=example.com,CN=MicrosoftDNS,CN=System,DC=example,DC=com" -Filter "name=*-dc"

By the way, if you get an error stating something similar to this:

Cannot find drive. A drive with the name 'ad' does not exist.

Then you may need to import the Active Directory module.

Import-Module ActiveDirectory

A quick test is to do a change directory to AD.

cd ad:

and the prompt should read “PS AD:\>”

Get-WinEvent vs. Get-EventLog

So, these two appear to be very similar at first glance.  However, depending on the data one wants to filter in on, one is significantly better than the other.  For me, the bottom line is using Get-Eventlog for filtering the Security Event Log is much faster.  That’s what I needed to know.

An article by Mark Berry was very helpful:

PowerShell: Get-WinEvent vs. Get-EventLog

Conclusions

  1. If you’re writing a PowerShell script to handle events from Vista or Server 2008, avoid the Get-WinEvent –FilterHashtable parameter; use –FilterXML instead.
  2. Even on Vista and beyond, consider using Get-EventLog if you need to filter the Security log for Audit Failures.

Error 14098 the Component Store has been corrupted

When the OS is serviced, the component store is updated. It is part of Windows Imaging and Servicing stack. If you got the error 14098 ‘The component store has been corrupted’, it means that something went wrong with Windows updates and its packages.

To fix the component store, you can use DISM – Deployment Image Servicing and Management tool.

/RestoreHealth: This checks for component store corruption, records the corruption to C:\Windows\Logs\CBS\CBS.log and fixes the corruption using Windows Update or using your Windows installation source.

Dism /Online /Cleanup-Image /RestoreHealth

Clean up the WinSxS folder on Windows 2012 R2

Use the /AnalyzeComponentStore to analyze the size of the Component Store (WinSxS folder) in Windows. The AnalyzeComponentStore option is available in Windows 8.1 Windows Server 2012 R2.

dism.exe /online /Cleanup-Image /AnalyzeComponentStore

Dism.exe removes superseded and unused system files from a system with the /StartComponentCleanup parameter.

dism.exe /online /Cleanup-Image /StartComponentCleanup

Using the /ResetBase switch with the /StartComponentCleanup parameter of dism.exe, all superseded versions of every component in the component store is removed.  All existing service packs and updates cannot be uninstalled after this command is completed. This will not block the uninstallation of future service packs or updates.

dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase

The /SPSuperseded parameter removes any backup components needed for de-installation of a service pack. The service pack cannot be uninstalled after this command is completed.

dism.exe /online /Cleanup-Image /SPSuperseded

 

Can’t Install Roles or Features on Windows 2012 R2

I came across a really strange issue.  When going through the Add Roles and Features Wizard, I tried to click next to the Server Roles page.  The wizard then shows a red bar with the following error, “The request to list features available on the specified server failed.”

Doing an SFC /SCANNOW like so many internet searches says to do, does not clear the issue.  The reason seems that the server was in a pending reboot state for changes to be made.  Rebooting never makes any changes.  This state also prevents using DISM from fixing any corruption.

It turns out that one can boot into the repair console to get to files offline.  Navigate to the C:\Windows\WinSxS directory and rename the pending.xml file to something like pending.xml.old.  This tricks Windows into thinking that nothing else is pending a reboot and allows one to use SFC and DISM to clean up system files.

It looks like a ton of Windows updates went in, but didn’t get installed correctly.  Checking for Windows updates produced over 77 important updates as opposed to the 3 that were being presented before renaming pending.xml.

SFC and DISM fixes went in, a couple of reboots and I am now able to properly install roles and features.

Get the Microsoft SQL version query

SELECT
  CASE 
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '8%' THEN 'SQL2000'
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '9%' THEN 'SQL2005'
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '10.0%' THEN 'SQL2008'
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '10.5%' THEN 'SQL2008 R2'
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '11%' THEN 'SQL2012'
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '12%' THEN 'SQL2014'
     WHEN CONVERT(VARCHAR(128), SERVERPROPERTY ('productversion')) like '13%' THEN 'SQL2016'     
     ELSE 'unknown'
  END AS MajorVersion,
  SERVERPROPERTY('ProductLevel') AS ProductLevel,
  SERVERPROPERTY('Edition') AS Edition,
  SERVERPROPERTY('ProductVersion') AS ProductVersion