Running Linux applications on Windows – over the network with Xming

I always find it interesting to
see clothes and accessories that were in fashion 30 years ago, make it back
into the mainstream. It seems like the computer industry also goes in cycles
every now and then.

Back in the early days of
computing – before the dawn of the glorious PC era – there were few powerful
servers that were accessed by dumb terminals. The emergence of the IBM PC
changed all that and eventually led to the rich clients that most of us have
under our desks today. The traditional PC desktop however causes quite a bit of
management overhead – especially in large organizations – which appears to be
leading to the re-emergence of “dumb” terminals that access a powerful – well –
terminal server. Only this time we have a fancy user interface.

xming_terminal_vt100.jpg
xming_xdm.jpg

If you have worked with Unix-like
operating systems before, then you’re probably familiar with the X windows
system
, though most people don’t know about the X Windows system’s (from now on referenced to as X11) network
transparency
. In essence, you can run
an application on host A, but
actually display and interact with the application on host B. Furthermore, you can actually utilize X11 to remotely log into a
host running X11 without the need to install additional software on that host –
provided that X11 is configured to support this. The screenshot below shows this a bit better.So what does this mean in
practice? You can install a resource-hungry application on a dedicated and
powerful Linux host, yet run and execute the application on a different, less
powerful Linux machine – even if that machine is not even running Linux. What’s
even better is that those remote applications appear just like any other
application on your desktop. Citrix calls this “application publishing”, and
Microsoft introduced “TS RemoteApp” with the Windows Server 2008 platform. Yet,
X Windows has offered this functionality for decades – from the very start.

But what makes this feature
really interesting for us windows admins (or Unix admins that, for whatever reason, have to use a Windows workstation), is the fact that you can install an X
server on your windows machine and run Linux applications “natively” on it
– thanks to the open-source project Xming).

Xming, according to the project
web site, is the “leading free unlimited
X Window Server for Microsoft Windows® (XP/2003/Vista)
”. There have been
security concerns in the past when using X11 remotely, but by tunneling X11
traffic through SSH, Xming is actually quite secure and doesn’t usually require
any configuration changes on the host running X11 (phew!).

When tasked with either cross-platform
system administration or development, the discovery of Xming opens up a door of
possibilities. For example, you can edit remote configuration files
conveniently by running your favorite Linux editor on your Windows desktop, or
run a terminal like gnome-terminal. Why run a terminal through X-Windows when
you can just use an SSH app like PuTTY? For one thing, you can launch GUI
applications directly from the terminal (e.g. ‘gedit &’) on your Windows
desktop. Of course, you can also play a Linux game on Windows that way.

If you’re a cross-platform
developer, then you can execute a Linux/Unix development studio (e.g. eclipse)
on your Windows box – and it appears just like any other Windows app. And since
it’s technically running on the Linux box, compiling on your Windows app really
compiles it on the remote platform (e.g. Linux). The responsiveness of applications is also quite good, at least over an Ethernet connection.

This technique also works for
multiple end users, so it’s also possible to connect to one Linux machine from
multiple Windows machines and run Linux apps. The Linux machine really acts
like a terminal server in this case.

Let’s look at how to run a Linux
app on a Windows desktop. I used Ubuntu 8.10 and installed Xming on a Vista laptop. So, download & install the following Xming
packages from http://sourceforge.net/project/showfiles.php?group_id=156984:

  • Xming
  • Xming-fonts

Then, start XLaunch from the
start menu and select the following options:
 

  1. Multiple Windows
  2. Start a program
  3. Start program: Enter the application you want to
    launch there. E.g. gnome-terminal,
    gedit, mahjongg
    or whichever remote application you want to run
    “locally”
  4. Run remote – using PuTTY: Select this option and
    specify the computer name, user name and password.
  5. On the next step, simply leave the default options in
    place, click “Next” and “Finish”.

xming_xlaunch.png

You should now have a little X
icon on the tray, and the application you selected should be running on your
desktop. The screenshot below shows gnome-terminal and gnome-text-editor
running on my Vista machine.

xming_desktop.jpg

Xming uses plink.exe (see also: https://www.eventsentry.com/blog/2007/12/plink-or-issuing-ssh-command-o.html)
internally to execute apps, whose display is then redirected to our local Windows
client, on the remote host. You can also save these settings in a configuration file and create a shortcut on your desktop or start menu.

If the XDMCP protocol is enabled
on the Linux/Unix host (disabled by default on most distributions for security
reasons), then you can log into the remote host for a complete remote session
similar to VNC or other remote desktop applications. But again, keep in mind
that XDMCP transmits data in clear text over the wire (using both TCP and UDP),
and as such is an insecure protocol that should only be enabled in trusted
networks. To log in remotely with Xming, select the following options after
starting XLaunch:

  • One Window
  • Open session via XDMCP
  • Specify the remote host name

xming_xlaunch_xdmcp.pngOne last tip regarding Xming: If, at some point down the line, you are unable to launch remote apps on your desktop, even though the X tray icon from Xming is present, then try to reset the X server by right-clicking the tray icon and choosing “Exit”.

Well, I hope this gives you a
starting point and helps ease the pain when maintaining heterogeneous network
environments.

Until next time,

Ingmar.

Finding a crashing TAPI driver and re-organizing svchost.exe

We recently had to troubleshoot an interesting problem on a Windows XP workstation that had just been recently installed. There was nothing unusual about that computer: It was a member of a domain, had all the latest patches, AntiVirus software and of course the EventSentry agent installed.

What happened daily was this: The computer would boot up ok without any problems, but at some point several windows-related error messages would be emailed to us by EventSentry, after which remote access (with the exception of a basic ping) to the computer was impossible. This made troubleshooting this problem particularly difficult since it was located in a remote location. The user of that workstation never actually reported any problems, but the wealth of error message we received from the event log confirmed that something was wrong on that computer. And, since we believe in preventative maintenance, we decided to take a look and get to the bottom of it.

Further investigation of the computer showed that a number of critical services (e.g. Server service) would be stopped a couple of hours after the computer had booted, explaining why we couldn’t access the computer remotely anymore. Of course we didn’t yet know why these services were stopping.

We briefly considered re-installing the computer in question, but since it had just recently (less than a month ago) been installed, the problem would probably just re-surface again later. Any search for malware also didn’t yield anything.

At this point I started to review the event log history of the computer in more detail through the EventSentry Web Reports. Since we were collecting event logs from that computer (which worked well, even when we couldn’t access it remotely), viewing and searching for events was fast and easy (even though the computer was across a WAN and essentially unreachable).

I didn’t expect to find much (critical events had already been emailed to us), but I browsed through the application and system event logs anyway and came across an interesting event:


Event Log:    Application
Event Type:   Error
Event Source: Application Error
Event ID:     1000
Message: Faulting application svchost.exe, version 5.1.2600.5512, faulting module xxTSP3x.tsp, version 1.0.0.1, fault address 0x000f1528.

Even though this was an error event, we didn’t actually receive it via email since we had earlier decided to exclude all “Application Error” events – due to the overwhelming noise that various crashing executables on workstations usually generate.

Svchost.exe is a generic host process, and Windows XP (and later) run multiple services as part of a single svchost.exe process. On Vista for example, a single svchost.exe process might host as many as 18 services – all part of a single process. Windows usually runs multiple svchost.exe processes, all “hosting” one or more services. This makes troubleshooting problems with the svchost.exe process somewhat difficult, since a faulting svchost.exe process can potentially point to dozens of services. My Vista machine runs 67 services inside only 16 svchost.exe processes. Using the tasklist.exe command, you can list all running svchost processes as well as the services running inside each of them:


tasklist /SVC /FI “IMAGENAME eq svchost.exe”

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    912 DcomLaunch, PlugPlay
svchost.exe                   1008 RpcSs
svchost.exe                   1072 WinDefend
svchost.exe                   1148 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1180 AudioEndpointBuilder, CscService, hidserv,
                                   Netman, PcaSvc, SysMain,
                                   TabletInputService, TrkWks, UxSms,
                                   WdiSystemHost, Wlansvc, WPDBusEnum, wudfsvc
svchost.exe                   1216 AeLookupSvc, BITS, Browser, EapHost,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   SharedAccess, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                   1364 gpsvc
svchost.exe                   1480 EventSystem, FDResPub, LanmanWorkstation,
                                   netprofm, nsi, SSDPSRV, SstpSvc, TBS,
                                   upnphost, W32Time, WebClient
svchost.exe                   1600 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
                                   TermService

svchost.exe                   1872 BFE, DPS, MpsSvc
svchost.exe                    856 BthServ
svchost.exe                   2228 Net Driver HPZ12
svchost.exe                   2280 Pml Driver HPZ12
svchost.exe                   2304 PolicyAgent
svchost.exe                   2364 stisvc
svchost.exe                   2788 WerSvc

Note that the grouping of services varies from OS to OS – Windows Server 2003 combines different services than Windows XP does for example.

Back to our problem, the error event fortunately contains additional information, such as the module where the process crashed: xxTSP3x.tsp. If you are a bit familiar with TAPI, the Microsoft Telephony API, then you might know that files with the .tsp extension are TAPI Service Providers, essentially drivers that communicate directly with the phone hardware. Bingo – it was a problem with that TSP driver that caused the svchost.exe process to fail, which in turn killed all other services that run inside that same process. On a Vista machine for example, a crashing Telephony (tapisrv) service would mean that the CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv and TermService would all terminate. What solitarity.

Coincidentally, the computer(s) in question where running a VoIP application that was utilizing this TSP driver, and was in fact having problems. No kidding you might say, if the underlying driver crashes. Fortunately we were able to get an update from the developers which ultimately resolved this problem.

Now, I couldn’t help but wonder whether I could change the grouping of services. Let’s just pretend that we wouldn’t have been able to get an update for the driver quickly and would need to isolate the Telephony service, so that a crash of a TSP driver wouldn’t affect the LanmanServer service (on XP the Telephony service is in a group with most critical system services, something that was changed in Vista). All I would have to do was create a new group that would only include the telephony service, and finally change the telephony service itself to point to that group. Turns out that this is possible!

As always, you might want to backup any registry keys that you modify before you make such substantial changes like the ones listed below:

1. Create a new svchost group called Telephony

  • Open regedit and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\svchost.
  • Create a new Multi-string value (REG_MULTI_SZ) with a descriptive name, I will use telephony in our example.
  • Associate the Tapisrv service with that group, so add that as the only value.
  • Find the existing group that is hosting this service (netsvcs on Windows XP), and remove Tapisrv from that list.
  • Create a new subkey with the name of the group (telephony)
  • Add the same values to this new key as are present from the original group. In our case I added two REG_DWORD values:

    AuthenticationCapabilities = 12320
    CoInitializeSecurityParam = 1

2. Change the service to utilize the telephony group
Now that the group has been created, we can change the service itself to point to the new svchost group. In the registry editor, navigate to HKLM\System\CurrentControlSet\Services\TapiSrv and edit the ImagePath value. Change it from


%SystemRoot%\System32\svchost.exe -k netsvcs

to


%SystemRoot%\System32\svchost.exe -k telephony

Note that we are changing the value that is passed through the -k parameter to reflect the name of the svchost group that we created earlier.

I rebooted the computer after the change, though this is probably not even be necessary. Voila, the telephony service now runs in its own svchost.exe process.


Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  916 DcomLaunch, TermService
svchost.exe                 1000 RpcSs
svchost.exe                 1092 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 LanmanServer, lanmanworkstation, Netman,
                                 Nla, Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, Themes, TrkWks,
                                 W32Time, winmgmt, wuauserv, WZCSVC
svchost.exe                 1180 Dnscache
svchost.exe                 1292 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 2412 TapiSrv

I wouldn’t recommend making too many changes to these built-in groupings unless you have a particular problem to solve, or want to ensure that potentially unstable or vulnerable services are isolated.

Well, thanks to EventSentry we got critical errors emailed to us, and were able to review the event logs even when those computers where unreachable – speeding up the troubleshooting process significantly. And, with a little research, I learned a bit more about the svchost.exe process and how to tweak the default Windows setup in that regard.

Hope this was helpful,
Ingmar.

Cleaning up Disk Space and automatic fragmentation reports via email

Even though disk storage is cheaper and faster than ever, for some reason I still run into disk space problems on occasion. The most common disk space problems I run into is a full C drive (why would you need more than 4Gb for the OS?) or a database that grows too large.

We have found and utilized several tools over the past years and I am going to share some of my approaches to quickly identify space hogs, free up disk space and deal with fragmentation.

Once a machine is low on disk space one will usually want to find out which files use up the most space and move them to a new volume or send them to data heaven for good. There are a lot of tools out there that visualize disk space consumption on a volume, but my favorite by far is Windirstat. Windirstat uses a treemap which displays every file in a colored rectangle and was inspired by KDirStat from Linux (the original author really wants to make sure you know what the original is). The size of the rectangle is proportional to the file size, so you will either want to look for clusters of many small files (e.g. to spot lots of unneeded temp files) or for large rectangles to identify any files you might not need anymore. I find it incredibly easy to spot files that can be safely deleted with Windirstat. The screenshot below shows what Windirstat looks like on my Vista laptop with a 64Gb HD.

Windirstat ScreenshotOf course, just running Windirstat alone doesn’t mean that you will be able to find files that can be safely deleted. But once you have identified files that do occupy significant amounts of disk space, you can engage in research to determine whether these files can be compressed, moved or deleted. Usual candidates are the temporary files, pagefile, IIS log files, NTBackup temp files and temporary installer MSI files (more on that below).

Windows will sometimes cache and leave installer files on your C drive, even when the application is no longer installed or has been upgraded. Depending on how long ago the OS was installed, this can be between a few hundred megabytes or nothing at all. You can delete those so-called “orphaned cached Windows Installer data files” with the msizap.exe utility, using the G command-line switch. Using msizap has been the last resort for me a few times, freeing up significant space on the C drive of servers when nothing else could be moved or deleted. Msizap is part of the Windows Installer 4.5 SDK which can be downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=6A35AC14-2626-4846-BB51-DDCE49D6FFB6&displaylang=en. The screenshot below shows msizap in action.

Msizap ScreenshotNow, after cleaning up all the space we’d want to defragment our drive as well, right? Disk defragmentation software has been around since MS-DOS, but people are still debating whether defragmentation software, especially commercial one, is worth the effort. It is sort of like taking multivitamins – it most likely doesn’t hurt but there is no clear indicator that it cures diseases or makes you feel better after taking them.

MS-Dos DefragSome operating systems, most notably Linux and Mac OS X attempt to prevent fragmentation as much as possible and don’t even include defragmentation software, but the Windows software market is awash with both free and commercial defrag software. If you are interested in learning more about fragmentation and its cause, then Wikipedia has an article about defragmentation.

So is it worth it to use or invest in commercial defragmentation software? I think it depends. I have used various defragmentation programs over the last 10 years or so, and have seen one case where a MSSQL database on an extremely badly fragmented partition had became so slow that it was essentially unusable (yes, the database was for EventSentry 🙂 ). Defragging this partition with PerfectDisk solved the problem and the database was performing well after defragmentation. So yes, fragmentation can be bad if it gets out of control, though this is the only time I remember a defragmentation having such a significant impact. If you have a partition with little disk space available and lot write activity, then it will probably make sense to continuously defrag the partition to ensure optimal performance. Otherwise I think it is a luxury and will not yield significant disk performance benefits.

You can also use the -a switch of the defrag.exe utility that ships with Windows to analyze a drive and get basic metrics as to whether the drive should be defragmented or not. However, if you have a lot of machines then running defrag.exe on all of them manually can be tedious, especially since you would need to do that on a regular basis (e.g. monthly). Fortunately, you can use EventSentry‘s application scheduler feature to automate this task in three simple steps (in this example we will focus only on the system drive). Since the application scheduler logs output from any command-line utility you run to the event log, we can actually get an email when Windows thinks that a drive is fragmented.

  1. Create an embedded script (e.g. DefragCheck.cmd) that runs “defrag.exe %Systemdrive% -a -v
  2. Create a system health package and add a new application scheduler object to it – making sure that both check boxes in regards to error levels are checked. Pick the embedded script @DefragCheck.cmd and schedule it to run. Everytime defrag.exe is executed, EventSentry will log an event to the event log with the output of defrag.exe.
  3. Create a new event log package and add a filter that matches the events generated (Log=Application, Source=EventSentry, EventID=10200) and additionally looks for the string *You should defragment this volume*.

Voila – now you will get an email every time defrag.exe determines that a drive is fragmented – and only if it’s fragmented.

Defrag.exe is of course only one of the many utilities out there that can determine fragmentation, and you will likely get different results from different utilities. For example, it’s very likely that defrag.exe tells you that a drive is not fragmented, when a different software (e.g. PerfectDisk) will tell you otherwise.

One scenario where you definitely do NOT want to use defragmentation software is on SSD drives, as they usually don’t suffer from the same random access delays and defragging will reduce the lifespan of the drive.

Best,
Ingmar.

Announcing AutoAdministrator v2.0

After launching version 2.90 of EventSentry just a few months ago, we’re excited to announce yet another major software release coming from NETIKUS.NET ltdAutoAdministrator v2.0.

The last update of the 1.x series was released more than four years ago, so we decided to completely re-build it from scratch and add all the features that have been requested by our users since the last release. The result is a powerful tool that makes it unbelievably easy to apply changes to remote workstations and servers. Whether a change or query needs to be applied to one or 100 computers makes little difference with AutoAdministrator.

In a nutshell, AutoAdministrator lets you query or update a variety of Windows settings and services across any number of servers and/or workstations, without the need to create a script or perform the actions manually. Simply select the feature, computers (it integrates with Active Directory) and click start.

Let’s say, for example, that you needed to obtain or set the value of a registry entry across 30 machines. By just using regedit, it would probably take you a total of 15 minutes to connect, retrieve the value, and paste it to an editor/spreadsheet and move on to the next machine. The same task, using AutoAdministrator, could be done in as little as 1 minute.

aa_v20_1.jpg

Querying the “Remote Registry” service status across multiple computers

This is just one example of course, as AutoAdministrator can control services, read/set registry values, query file information, copy/delete files, manage passwords, shutdown/reboot, query logged on users, ping hosts and manage ODBC connections.

As previously mentioned, AutoAdministrator integrates with ActiveDirectory, making it a breeze to manage computers that are part of a Windows domain. You can also pull computers from the Microsoft Windows Network or create custom groups to organize computers inside AutoAdministrator. If you need to connect to remote computers using alternate (administrative) credentials, then you can assign those credentials to any Active Directory OU, group or individual computer item.

The update process itself is fully threaded, making it possible to push updates in a very short time, even to a large amount of computers.

aa_v20_2.jpg

File Management dialog, mirror / copy the
C:\Batch directory to remote computers


Another new feature is the ability to create presets, making it a snap to repeat common tasks. Simply configure the feature (e.g. query service W3SVC), select the computers and save it as a preset. The next time you open AutoAdministrator, you can simply select the preset and click “Update”.

We think that AutoAdministrator is an incredible time-saver for anybody who manages more than 10 computers, whether they are servers or workstations.

Here is a complete list of all features in the new AutoAdministrator:

Ping
Ping computers to retrieve ping statistics.

ODBC
Query, copy or delete System DSNs on remote hosts.

Passwords
Verify, update or reset passwords of user accounts on remote hosts.

Shutdown / Reboot

Shutdown, reboot or cancel a pending shutdown on remote hosts. You can optionally send a message as well.

Services

  • Control any service (Query, start, stop, continue, pause, restart)
  • Change startup type (manual, automatic, disabled)
  • Remove service
  • Change Logon (service can be automatically restarted as well)


Registry

  • Values: Read, add, delete and change
  • Keys: Add, delete
  • Copy entire keys to remote computers

File Management

  • Copy files and folders to remote computers
  • Delete files and folders from remote computers
  • Mirror local directories to remote computers

File Information

  • Query remote files to retrieve its hash, size, attributes, modification time, version, company or description
  • Remote files can be compared against a hash you provide

Logons

  • Show users that are currently logged on interactively to a computer
  • Count the number of users that are logged on (useful for terminal servers)

The scheduled release date for AutoAdministrator is January 12th 2009, and you can request a trial then at https://www.netikus.net/products_trial_request.html. If you can’t wait and would like to download the beta, then simply contact our support team at https://www.netikus.net/about_contact.html.

Happy New Year,
Ingmar.

EventSentry v2.90: Compliance Tracking for SOX, PCI, GLBA, HIPAA, FISMA, COBIT, …

This is round two in the new features available in EventSentry v2.90, and this time I’ll be covering the new compliance features.

Even though EventSentry was not originally designed to help with compliance, its event log consolidation capabilities made it an effective and economical solution to help our customers with their various compliance efforts throughout the years.

But while being able to filter and search through security events is helpful, it is not enough to quickly create reports that group information based on key elements, such as user creations, group modifications, policy changes and more.

In version 2.90 we addressed this by creating the new Compliance Tracking features which are based on the previous Tracking features.

This means that in addition to the “standard” event log consolidation that simply collects events and records them as is, compliance tracking intercepts specific events (e.g. account creation, logon/logoff, process creation), parses them, extracts the required information and records the relevant information in the EventSentry database.

Compliance Tracking covers the following auditing areas in Windows:

  1. Process Activity
  2. Console & Network Logons
  3. File Access Activity
  4. Account Management (User, Group & Computer accounts)
  5. Policy Changes
  6. Print Jobs

For example, finding out which group memberships changed over the last week is matter of two clicks in the web reports – and restricting a report to only reflect a particular group and/or action is just as easy.

But let me briefly outline the benefits of the individual tracking features:

Process Tracking
This feature records all process activity and lets you know which processes where started when, by whom, for how long and from which computer. This feature is not only useful for security purposes, but also helpful when troubleshooting or requiring statistical information (e.g. how often is PowerPoint being run).

Logon Tracking
This component tracks everything logon-related on your network, including console, successful as well as failed network logons. Using the console logon tracking for example, you can generate reports that show what time users logon and logoff, including from which computer, whether they are local admin and more details. Using the new network logon tracking, you can track successful as well as failed network logons. The included reports can reveal information such as which users logged on with a failed password, logon protocol distribution, most common reason for failed logons and more.

File Access Tracking
This feature is new in v2.90 and tracks all successful file access activity that has been enabled on files or directories. EventSentry does this by intercepting audit events that are generated when files or folders which are being audited. Since Windows Server 2003 and earlier don’t actually audit when objects are changed, but instead only audit the requested file access (click here for a related post), EventSentry can perform additional checks and verifications to complement the native auditing capabilities of the OS – such as checksum creation. Of course EventSentry also gathers additional information – such as the source computer from where a change was made.

Account Management Tracking
Also new in v2.90 is account management tracking, which encompasses user, group and computer account management tracking. This feature really makes life easier when you deal with large quantities of user, group and / or computer account changes.

For example, tracking a users group membership changes – even across computers and domains – is only a few mouse clicks away. Do you need to know which computer accounts were created in the last week in your domain? This only takes three clicks in the web reports.

Policy Change Tracking
Another feature added in v2.90, policy change tracking records the following “policy” events:

  • Domain Policy Changes
  • Audit Policy Changes
  • Kerberos Policy Changes
  • User Right Changes
  • Logon Right Changes
  • Trust Relationship Changes

Again, getting information about any of the above scenarios is extremely easy – such as seeing which user/logon rights were assigned in the last week or on which server the password policy was changed in the last 2 weeks.

Since none of tracking features are limited to hard-coded reports but instead are easily adaptable, they not only make your auditors happy – they provide you with valuable information. This allows you to utilize EventSentry not only for compliance but many other tasks, whether is security-related, for troubleshooting or something else.

As always, please see the documentation for more information. You can take a look at version history as well for a complete list of changes and new features in the 2.90 release of EventSentry.

Enjoy,
Ingmar.