Archive for the Microsoft Category

Exit code -1073741502 when you run an Opalis policy with a Run Program module on a Windows Server 2008 R2

Posted in Microsoft, Opalis with tags on 2012/02/18 by CRCerr0r

Running an Opalis policy with a Run Program module against a Windows 2008 R2 server you may get an exit code of -1073741502 when the Run Program module executes. The full output of the module looks like this:


Connecting with OpExec service on SERVERNAME… Starting cmd.exe on SERVERNAME…

Executing cmd.exe on SERVERNAME…

cmd.exe started on SERVERNAME with process ID 3496. Waiting for completion…

Process completed. Obtaining the remote execution status… Disconnecting from SERVERNAME… Disconnected Return value: -1073741502; Log status: 16 (Process exited on SERVERNAME with return code -1073741502.)


The reason for this is that the Opalis Remote Execution service is setup, by default, to be able to interact with the desktop session (a check mark on the Log On tab of the service). The error code means:

The application failed to initialize properly. Usually indicates that the application has been launched on a Desktop to which current user has no access rights. Another possible cause is that either gdi32.dll or user32.dll has failed to initialize.


Unchecking the “Allow service to interact with desktop” corrects the issue.

SCOM 2007 Regular Expressions

Posted in Microsoft, Monitoring, SCOM on 2011/06/24 by CRCerr0r

One of the hardest thing to deal with in SCOM over the years (for me) has been understanding how SCOM interprets RegEx. It has been frustrating, to say the least. And for whatever reason, everything else to do with SCOM has been very well documented, expanded by the community and freely available. Not RegEx info. So today, working on a non-related issue, I came across this post that had some really good, concise info on how SCOM handles RegEx. In case the post gets deleted or lost or whatever, here is the excerpt (thanks to Dan Rogers):

Regular expression support in SCOM 2007

Many teams that are authoring management packs may need to include regular expression matching in their discoveries and groups, as well as for pattern matching in expression criteria in monitors and rules.

There are two different types of regular expression support in the SCOM product, and you have to know which element you are working in to choose the correct one.  Specifically, Group membership calculation and expression filters use distinctly different syntaxes for pattern matching.

Group Calculation matching criteria

Group calculation uses PERL regular expression syntax.  By default, the matching is case insensitive, but in the XML you can specify that an expression needs to be case sensitive by way of a special attribute dedicated to specifying that the expression content should be evaluated in a case sensitive way.

Group Calculation is found in your MP whenever you are using the Group Calc module.

The GroupCalc expression has an operator called MatchesRegularExpression that is used to create dynamic group membership based on pattern matching expressions.  The implementation of this operator passes the expression found in the MP XML to the SQL call name dbo.fn_MatchesRegularExpression.  If this call returns 0, the match is false.  If the expression returns 1, the match is true.

GroupCalc also supports two special sub-elements that abstract away a couple of common regex style queries.

GroupCalc sub element

Regex Equivalent

ContainsSubstring ^*{O}.*$                ({O} is replaced by the substring)
MatchesWildcard MP expression Regex Equivalent
? .
* .*
# [0-9]

Table 1:  GroupCalc special functions

Note:  If either of these two special operators are used, the evaluation will always be case sensitive.

Expression Filter matching criteria

Expression filters used in management packs use .NET Regex expression syntax.  A summary of the .NET regular expression syntax elements appears below.  Expression filters are present in your management pack whenever you are using the Expression Eval module.


SCOM Regex

Any Character


Character in Range

[ ]

Character not in range

[^ ]

Beginning of Line


End of Line





( )

0 or 1 matches


0 or more matches


1 or more matches


Exactly N matches


Atleast N matches

{n, }

Atmost N matches

{ , n}

N to M Matches

{n, m}

New line character


Tab character


Regular expressions via SDK

The SCOM SDK has a Matches criteria operator for filtering objects. This operator use the same functionality as MatchesCriteria in the GroupCalc case explained above.

When using the SDK to construct a criteria expression to find objects in the Ops Manager database, the following syntax elements are valid (see below).  This syntax is useful when creating a criteria expression that includes any of the following elements:

  • Comparison operators
  • Wildcard characters
  • DateTime values
  • Integer to XML Enumeration comparisons

Comparison operators

You can use comparison operators when constructing a criteria expression. The valid operators are described in the following table:

Operator Description Example(s)
=, == Evaluates to true if the left and right operand are equal. Name = ‘’
!=, <> Evaluates to true if the left and right operand are unequal. Name != ‘’
> Evaluates to true if the left operand is greater than the right operand. Severity > 0
< Evaluates to true if the left operand is less than the right operand. Severity < 2
>= Evaluates to true if the left operand is greater than or equal to the right operand. Severity >= 1
<= Evaluates to true if the left operand is less than or equal to the right operand. Severity <= 3
LIKE Evaluates to true if the left operand matches the pattern that is defined by the right operand. Use the characters in the wildcard table later in this topic to define the pattern. Name ‘LIKE SQL%’Evaluates to true if the Name value is “SQLEngine.”Name LIKE ‘%SQL%’

Evaluates to true if the Name value is “MySQLEngine.”

MATCHES Evaluates to true if the left operand matches the regular expression defined by the right operand. Name MATCHES ‘SQL*05’Evaluates to true if the Name value is “SQL2005.”
IS NULL Evaluates to true if the value of the left operand is null. ConnectorId IS NULLEvaluates to true if the ConnectorId property does not contain a value.
IS NOT NULL Evaluates to true if the value of the left operand is not null. ConnectorId IS NOT NULLEvaluates to true if the ConnectorId property contains a value.
IN Evaluates to trueif the value of the left operand is in the list of values defined by the right operand.

The IN operator is valid for use only with properties of type Guid.
Id IN (‘080F192C-52D2-423D-8953-B3EC8C3CD001’, ‘080F192C-53B2-403D-8753-B3EC8C3CD002’)Evaluates to true if the value of the Id property is one of the two globally unique identifiers provided in the expression.
AND Evaluates to true if the left and right operands are both true. Name = ‘SQL%’ AND Description LIKE ‘MyData%’
OR Evaluates to true if either the left or right operand is true. Name = ‘SQL%’ OR Description LIKE ‘MyData%’
NOT Evaluates to true if the right operand is not true. NOT (Name = ‘IIS’ OR Name = ‘SQL’)

Table 3: SDK comparison operators


The following table defines the wildcard characters you can use to construct a pattern when using the LIKE operator:

Wildcard Description Example
% A wildcard that matches any number of characters. Name LIKE 'SQL%'Evaluates to true if the Name value is “SQLEngine.”Name LIKE '%SQL%'

Evaluates to true if the Name value is “MySQLEngine.”

_ A wildcard that matches a single character. Name LIKE 'SQL200_'Evaluates to true for the following Namevalues:”SQL2000″


The expression evaluates to false for “SQL200” because the symbol _ must match exactly one character in the Name value.
[] A wildcard that matches any one character that is enclosed in the character set.

Brackets are also used when qualifying references to MonitoringObject properties. For more information, see Defining Queries for Monitoring Objects.
Name LIKE 'SQL200[05]‘Evaluates to true for the following Namevalues:”SQL2000″


The expression evaluates to false for


[^] A wildcard that matches any one character that is not enclosed in the character set. Name LIKE 'SQL200[^05]'Evaluates to truefor”SQL2003.”

The expression evaluates to false for

“SQL2000” and


Table 4:  Wildcard operators used with LIKE operator

DateTime comparisons

When you use a DateTime value in a query expression, use the general DateTime format (“G”) to convert the DateTime value to a string value. For example,


string qStr = “TimeCreated <= ‘” + myInstant.ToString(“G”) + “‘”;

ManagementPackCriteria mpCriteria = new ManagementPackCriteria(qStr);

All date values need to be converted to the G format (GMT) so that valid string comparisons can be made.

Integer value comparison to enumerations

When you use an integer enumeration value in a query expression, cast the enumeration value to an integer. For example,


string qStr = “Severity > ” + (int)ManagementPackAlertSeverity.Warning;

MonitoringAlertCriteria alertCriteria = new MonitoringAlertCriteria(qStr);

Restore TMG 2010 Exported config from one server to another

Posted in ForeFront TMG 2010, Microsoft on 2011/03/04 by CRCerr0r

Imagine this situation:

  • You have a TMG 2010 box (I have tested this with the Enterprise Edition with SP1, Rollup 1 for SP1 and Rollup 2 for SP1)
  • The TMG box is dead or for whatever other reason you have to bring up a brand new TMG server to replace the old one
  • You don’t want to recreate all objects and rules.

This is what you can do:

You need to do a rule export (or if your box is dead, hopefully you did one before) that includes all sensitive information and user permissions. To do this:

  1. Right-click on ‘Forefront TMG (SERVER_NAME)’ and choose Export (Backup)
  2. Click Next
  3. Check BOTH boxes to Export confidential information and user permission settings, put a password in
  4. Give it a path to save to and complete the wizard


After you have the config file (it will be pretty large) copy it to the new server. The new server needs to be identical to the old one, down to the naming of the NICs. If you are putting the new server side-by-side with the old one, and both will be online for a bit, the new server must have different IPs, for obvious reasons. On mine, the old one’s IPs ended with .1 on every subnet (except the External one) so I made the new one end with .2 on every subnet.

The next thing you need to do is install TMG. Make sure it is isntalled the same way, including paths (if you installed the old one on D:\Program Files\… the new one must be the same) and patched with the same patches (TMG ones, not so much OS).

Open the XML export file from the old server in Notepad. Do a ‘find and replace’ for every OLD_SERVER_NAME and OLD_SERVER_IP values and replace them with their NEW_SERVER_NAME, NEW_SERVER_IP counterparts.

Import the config file into the new server choosing the ‘Overwrite’ option in the wizard. Restart the ‘Microsoft Forefront TMG Storage’ service (that will restart all TMG services)

If you had Site-to-Site VPN you may have to re-create it on the new server. If you get an error in the event log “The user SYSTEM dialed a connection named xxxxx which has failed. The error code returned on failure is 789.” check the IPs on each endpoint of the Site-ti-Site VPN. If you get an error “The user SYSTEM dialed a connection named xxxxx which has failed. The error code returned on failure is 812.” check the Dial-In properties of the account used for the Site-ti-Site VPN and make sure it is set to Allow.

New Microsoft Attack Surface Analyzer

Posted in Malware, Microsoft, Security, Tools on 2011/03/03 by CRCerr0r

Still in Beta, but promising…

ForeFront 2010 Beta (FEP) installation hurdles

Posted in ForeFront Endpoint Protection, Microsoft on 2010/10/07 by CRCerr0r

I recently needed to troubleshoot some installation issues on a ForeFront 2010 install. During the install a few errors came up and after some digging on the net, a Microsoft Support call, some SQL and network trace digging I finally got the thing to install.

Here is a highlight of the issues, some error message excerpts and what I did to resolve them, hopefully it helps someone…

1. Issue: The installer could not figure out/acknowledge that SQL was installed on the DB server (FEP and SQL were on two separate Windows Server 2008 boxes).

Resolution: It turns out turning OFF UAC on the SQL server helped this. For some reason SQL could not execute the queries the FEP installer was asking for (via a series of stored procedures that checked installation paths, disk space, service status, registry keys, etc.)

2. Issue: Installer could not access Reporting Services even though installing user was a local administrator on Reporting Services server

Actual error message: “Verification(Verifying SQL Reporting Services prerequisite) failed
failed to communicate with the SQL reporting web service

failed to delete folder with exception: System.Web.Services.Protocols.SoapException: The item ‘/FepSetupVerificationDire382e28e-db6b-480d-b48a-9ab209f3245b’ cannot be found. —> Microsoft.ReportingServices.Diagnostics.Utilities.ItemNotFoundException: The item ‘/FepSetupVerificationDire382e28e-db6b-480d-b48a-9ab209f3245b’ cannot be found.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Forefront.EndpointProtection.Configure.Utility.ReportService.ReportingService2005.DeleteItem(String Item)
   at Microsoft.Forefront.EndpointProtection.Configure.VerifySrsServer.ReportDeploymentVerification()”

Resolution: Added the installing account as a Content Manager on Reporting Services’ site (MS article here)

3. Issue: Installer refused to continue due to duplicate SPNs.

Actual error message: “Verification(Verifying SQL Server prerequisite) failed
Error: Setup cannot determine the SQL Integration Service version.
Microsoft Forefront Endpoint Protection 2010 requires Microsoft SQL Server Integration Services 2005 Enterprise or Standard edition with Service Pack 2 or higher or Microsoft SQL Server Integration Services 2008 Enterprise or Standard edition or higher.
Make sure that the component is installed, running and autostarted on server ‘SQLSERVERNAME’.

Error: There are one or more duplicates of the following service principal names found in the Active Directory Domain Services: mssqlsvc/SQLSERVERNAME:1433.”

Resolution: Deleted an inactive SPN tied to mssqlsvc/SQLSERVERNAME:1433 (see related post here)

I ran

setspn -Q mssqlsvc/SQLcomputername:1433

(the string mssqlsvc/SQLcomputername:1433 is what comes up in the FEP install log as an error). BTW, the -Q parameter is available on Server 2008.

The above step listed the two duplicate names and all the info to find the accounts it is associated with:

CN=First User,OU=Service Accounts,DC=MyDomainName,DC=local
CN=Second User,OU=Service Accounts,DC=MyDomainName,DC=local

I logged on to the SQLcomputername and found that it was the First User that was being used by SQL as a service account. So that leaves the Second User to be the problematic one. Then I ran:

setspn -D MSSQLSvc/SQLcomputername:1433 SecondUserID.

Hope this helps someone… 🙂

Error during install of Small Business Server 2008 – 0xc0000225

Posted in Microsoft, Small Business Server, Windows on 2010/07/24 by CRCerr0r

I was recently installing a trial version of SBS 2008 on a Sun Virtual Box (now Oracle Virtual Box) when I got a very non-descriptive error during the first few seconds – the installer would say “Windows is loading files” and then throw an unkown error 0xc0000225. It turns out the reason was that I had configured the box with less than the minimum memory – the minimum is 4 GB and I had it set with 512 MB (I know, stingy, but hey, it was a test!)

Protected: Troubleshooting SSRS 2008 and SharePoint Integration

Posted in IIS, Microsoft, MOSS 2007, SharePoint, SSRS 2008 on 2010/03/03 by CRCerr0r

This content is password protected. To view it please enter your password below: