But as always I figured I’d share this feature in case anyone else needs it.

So RDP files encrypt a password in a very specific way and details online are cagey.This is something I set about doing myself and I’m happy to annouce I’ve included it in the following Free Powershell module for your use!

The module is very simple:

Importing the module:

Import-module RDS.Password.dll

Converting a string to a password:

Get-RDPPassword -Password "SomethingSecure"

This will give you an rdp password, pre formatted for an rdp file.

Optionally, you can include -ToClipboard to copy the text to the clipboard for easy copy -> paste into an RDP file.

Get-RDPPassword -Password "SomethingSecure" -ToClipboard

And that’s it, simply import the module and off you go.

If there is anything further you want to do with this, i.e. providing an RDP file to enter it into, accepting PSCredential as an argument or anything like that, get in contact and we’ll see what we can do!

Consent:

This module is provided absolutely free of charge, using this module in a commercial product on the other hand is not condoned!

Also, don’t ask me to reverse it, i’m not going to do it.

Download:

Here:

Lots of vendors like to use version numbers including Major.Minor.Build.Revision.

An example of a vendor I was dealing with recently was Citrix themselves.

The problem is, in powershell, it’s not that easy to take a string (text) representative of these, split it up then label it yourself. you’re splitting, taking objects in an array, assigning them values… nasty.

Did you know .Net has a native ability to do this?

Introducing system.version

Now with system.version, it’s very easy to do comparisons! Just cast your string into a [system.version] as below:

After that, just compare the major, minor, build or revision at will!

Happy version comparing!

Not withstanding the issues that can occur when the cache is heavily in use, it’s a great piece of technology. One of the features you see on twitter repeatedly is trying to report on the exact size of the PVS cache in RAM.

Many blogs and scripts (Matt’s here, as an example) will take the raw performance counter details for Non Paged Pool memory and assume this is the size of the cache. This is faulty logic, but close enough. It’s like looking into a can of beans and trying to determine which one gave you gas.

The Non paged Pool is a collective pool of memory used by the system that guarantee’s the services using it (drivers, etc) that the contents will never reach the disk and will always be maintained in memory. As an example, imagine you created your own disk driver, but the disk driver tried to reference it’s memory and it had since been flushed to the disk…. Chicken and Egg stuff!

Microsoft has a fairly clear description here:

The memory manager creates the following memory pools that the system uses to allocate memory: nonpaged pool and paged pool. Both memory pools are located in the region of the address space that is reserved for the system and mapped into the virtual address space of each process. The nonpaged pool consists of virtual memory addresses that are guaranteed to reside in physical memory as long as the corresponding kernel objects are allocated.

So with this in mind, taking a total of the Non Paged Pool memory and assuming it’s PVS is “OK”… But not accurate. Many other sources can bloat that memory cache, particularly in x64 systems where limits on these pools are now enormous compared to the tiny pools we had to deal with in x86 architectures.

Nerdy digression aside, if you REALLY want accurate information on what’s going on inside of this pool. You need to grab a copy of Poolmon from the Windows Driver Kit (WDK). Download the WDK, install it and you’ll find your poolmon in:

C:\Program Files (x86)\Windows Kits\10\Tools\x64\poolmon.exe

Once you have a copy, fire up poolmon and you’ll see in all their glory.

Pro tip: Press “p” once to sort my non pooled, then “b” to sort by bytes used.

Each pool tag and the respective space they are using. Interestingly, the Citrix caching technology seems to use the “VhdR” pooltag allocation. There’s also a Microsoft Pool tag for this (http://blogs.technet.com/b/yongrhee/archive/2009/06/24/pool-tag-list.aspx) but the case sensitivity differences between VhdR and VHDr may make all the difference.

I did reach out to Citrix on this one, but they didn’t provide any further insight.

Any-who, if you want to see the size of your PVS cache accurately? Use PoolMon. Here’s a quick script using poolmon to get the GB value back:

$poolmonpath= "d:\poolmon.exe"
$poollog= "$env:temp\poolmon.txt"
if(test-path $poollog){Remove-Item $poollog}
Start-Process-FilePath $poolmonpath -ArgumentList "-n $poollog" -Wait
((Get-Content $poollog | ? {$_ -like "*VhdR*"}) -split "\s+")[6] /1gb
if(test-path $poollog){Remove-Item $poollog}

I needed to do this recently as the customer in question had an application that lived on a network share and after 14+ years of development in this style, everyone was afraid to move it!

Steps to use this script:

• Export an existing building block for the application you wish to authorize
• Ensure the exported building block has at least one authorized file
• Modify the $import and $exportbuildingblockpath
• Modify the $exedirpath to be the path you wish to search recursively for exe’s.

$importBuildingBlockPath = 'H:\path\bb.xml'
$exportBuildingBlockPath = 'h:\path\export.xml'
 
$alreadyauth=@()
$ExeForAuth=@()
$exedirpath = "\\servername\Share\APPS"
 
 
Get-ChildItem -Recurse $dirpath | ?{!($_.psiscontainer) -and $_.Extension -like ".exe"}  | %{
    $ExeForAuth+=$_.fullname.ToLower()
}
 
 
[xml]$bb = Get-Content $importBuildingBlockPath
 
 
$bb.respowerfuse.buildingblock.application.appguard.authorizedfiles.authfile | %{
    $alreadyauth+=$_.authorizedfile.tolower()
}
 
 
Compare-Object $alreadyauth $ExeForAuth | ? {$_.SideIndicator -eq "=>"} | % {
    $newnode=$bb.respowerfuse.buildingblock.application.appguard.authorizedfiles.authfile[0].Clone()
    $newnode.authorizedfile=$_.inputobject.tostring()                                                                                     
    $newnode.description="Auto Appended item via script"                                                                                        
    $newnode.process="*"                                                                                          
    $newnode.learningmode="no"                                                                                               
    $newnode.enabled="yes"   
    $bb.respowerfuse.buildingblock.application.appguard.authorizedfiles.AppendChild($newnode)
}
 
$bb.save($exportBuildingBlockPath)

Having been in this situation recently, I needed to audit and report on the types of files open on the file server, my hunch was a certain select number of users were running applications (like *gulp* lotus notes) from the network share.

Disappointed with the powershell scripts on the interwebs, I decided to write my own function to perform this task:

[sourcecode language=”powershell”]
function get-openfiles{
param(
$computername=@($env:computername),
$verbose=$false)
$collection = @()
foreach ($computer in $computername){
$netfile = [ADSI]"WinNT://$computer/LanmanServer"

$netfile.Invoke("Resources") | foreach {
try{
$collection += New-Object PsObject -Property @{
Id = $_.GetType().InvokeMember("Name", ‘GetProperty’, $null, $_, $null)
itemPath = $_.GetType().InvokeMember("Path", ‘GetProperty’, $null, $_, $null)
UserName = $_.GetType().InvokeMember("User", ‘GetProperty’, $null, $_, $null)
LockCount = $_.GetType().InvokeMember("LockCount", ‘GetProperty’, $null, $_, $null)
Server = $computer
}
}
catch{
if ($verbose){write-warning $error[0]}
}
}
}
Return $collection
}
[/sourcecode]

The function above (get-openfiles) has been written to accept an array of servers to the command line and it will return the following items:

• The ID of the open file.

• The server it’s open from.

• The username who has the file open.

• The amount of locks the file has.

A couple of quick examples for using this command are below:


Retrieving open files from server1:






[sourcecode language=”powershell”]get-openfiles -computername server1 | select server,itempath,lockcount[/sourcecode]



Retrieve a count of open files that end with the nsf file type (Lotus Notes):






[sourcecode language=”powershell”](get-open files -computername server1,server2 | ? {$_.itempath -like "*.nsf*"}).count()[/sourcecode]



Retrieve a report of total open files on a number of file servers:



[sourcecode language=”powershell”]get-openfiles -computername server1,server2,server3,server4,server5 | group -property server[/sourcecode]

“Your XenApp servers have very high disk queue’s and IO”

“What’s causing it?”

“dunno…”

With Server 2008, the task manager’s resource monitor feature will help you find these items. But in server 2003 this was a perilous task. The specific details for disk io per process are stored in performance monitor under each specific process running. Trying to analyse each process was a massive pain, but powershell can do some very clever work to help alleviate this!

I wrote two quick functions which act similar to “top” in linux for giving an on screen view, updating at interval of what exactly is creating IO activity. These two functions are:

get-IODataBytes:

Get-IODataOperations

The code for these functions are below:

[sourcecode language=”powershell”]
function get-iodatabytes{
$result=(get-counter -counter "Process(*)IO Data Bytes/sec" -ea 0).countersamples | ? {$_.cookedvalue -gt 0} | select instancename,@{Name="SessionID";Expression={if ($_.path.contains("#")){($_.path.split("#)"))[1]}else{"0"}}},@{Name="IO Data Bytes/sec";Expression={[math]::Round($_.cookedvalue,0)}},@{Name="IO Data KBytes/sec";Expression={[math]::Round($_.cookedvalue / 1024,0)}} | sort -Descending "IO Data Bytes/sec" | ft
$currentqueue=(((get-counter -counter "PhysicalDisk(0 C:)Current Disk Queue Length" -ea 0).countersamples) | select cookedvalue).cookedvalue
clear
write-warning "Hit [CTRL] + [C] to exit live capture"
write-host "Current Disk queue: $currentqueue"
return $Result
}

FUnction get-IODataOperations {
$result=(get-counter -counter "Process(*)IO Data Operations/sec" -ea 0).countersamples | ? {$_.cookedvalue -gt 0} | select instancename,@{Name="SessionID";Expression={if ($_.path.contains("#")){($_.path.split("#)"))[1]}else{"0"}}},@{Name="IO Data Operations/sec";Expression={[math]::Round($_.cookedvalue,0)}} | sort -Descending "IO Data Operations/sec" | ft
$currentqueue=(((get-counter -counter "PhysicalDisk(0 C:)Current Disk Queue Length" -ea 0).countersamples) | select cookedvalue).cookedvalue
clear
write-warning "Hit [CTRL] + [C] to exit live capture"
write-host "Current Disk queue: $currentqueue"
return $Result
}

[/sourcecode]

if you wish to loop one of these functions, simply use the following code:

[sourcecode language=”powershell”]
while ($true){
get-iodataoperations
start-sleep 1
}
[/sourcecode]

Log into a server / client without the EdgeSight plugin installed, and browse to the edgesight website. Once logged in, you will receive the usual prompt to install the software:

Install the software and ensure it works, then fire up a command prompt and browse down to “c:windowsdownloaded program files”. Once in this folder, a DIR will reveal the ActiveX plugin “csmdbprov.dll”.

Now simply copy this file out to shared storage:

Once done, now its scripting time!

Below are two examples in batch (.bat , .cmd) or PowerShell (.ps1) for achieving this:

(please amend h:csmdbprov.dll to the path you use)

Batch:

[sourcecode language=”text”]
copy h:csmdbprov.dll "c:windowsdownloaded program files"
regsvr32 /s "c:windowsdownloaded program files"
[/sourcecode]

Powershell:

[sourcecode language=”powershell”]
if (test-path h:csmdbprov.dll){
copy-item H:csmdbprov.dll ‘C:WindowsDownloaded Program Files’ -Force
start-process regsvr32 -ArgumentList "/s ""C:WindowsDownloaded Program Filescsmdbprov.dll""" -wait
}
[/sourcecode]

(Note: this will also work with Windows 8 Consumer Preview)

While troubleshooting an issue in windows server 8’s new Powershell Web Access, I had the need to disable the windows firewall. Normally I would use a “netsh firewall” command, but when running this in windows server 8 we receive the notification:

“In future versions of Windows, Microsoft might remove the Netsh Functionality for windows firewall with Advanced Security”

“If you currently use Netsh firewall to configure and manage Windows Firewall with advanced Security, Microsoft recommends that you transition to Windows Powershell.”

This message continues in the screenshot below:





So with the warning in mind, I decided it was time to learn the new thing for the day and off I went to find out how to quickly disable the firewall using powershell!

As above the first clue is in the message, a new module seems to be available on both Windows 8 and Server 8. So with a quick get-module -listavailable I can see netsecurity listed:





“So what commands can I use with the netsecurity module” I asked myself. I ran a quick “Get-Command -module NetSecurity” and was overwhelmed with a large list of potential candidates as below:





So I used the trusted “Import-Module NetSecurity” command and set about reading the help files. Or so I thought…





As with PowerShell 3.0, the helpfiles for Powershell are not completely installed by default, we need to run update-help to download the powershell help files. This is causing quite a debate in the powershell community, so I’m not going to get into this, personally I think its a good idea.

Anyway, so off I went to update the help, or so I thought:





Bugger…

I’ll admit, this list had me scratching my head for some time, but I soon enough stumbled across the important command on this list for my objective. “Get-NetFirewallProfile”.

Get-NetFirewallProfile lists out the firewall profiles for your machine. The profiles are separated out into Domain, Public and Private as you can see in the screen-shot below:





Now that we’re aware of where the profiles live, its just a simple task of piping the current profiles, into a “Set-NetFirewallProfile” command to turn the profiles off.

Below is a quick on-liner to disable the windows firewall in Server 8 or Windows 8 completely:



[sourcecode language=”powershell”]
Import-Module NetSecurity -ea Stop ; Get-NetFirewallProfile | Set-NetfirewallProfile -Enabled False
[/sourcecode]



And that’s it!





And once finished troubleshooting, you can turn it back on as below:



[sourcecode language=”powershell”]
Import-Module NetSecurity -ea Stop ; Get-NetFirewallProfile | Set-NetfirewallProfile -Enabled True
[/sourcecode]

So with his much improved code I set about writing a script to query the Program Neighbourhood Agent’s applications and launching them too with powershell.

By default, when Program Neighbourhood Agent launches, it populates the Application Model key(s) in HKEY_CURRENT_USERSoftwareCitrixPNAgent.

After the launch, we can use powershell to convert these binary keys into useable data, stick them all together then pull the application details.

With the below script, you can:

Query applications published:


Filter query published applications:



Launch Published applications:



And if you’re crazy, auto launch all applications:



The script can be found after the jump below:

[sourcecode language=”powershell”]
function get-pnapplication {
param(
[switch]$showdisabled)

$bytesin=@()
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("CurrentUser", [String]::Empty)
# Read our Key (with write access)
$key = $Reg.OpenSubKey("SoftwareCitrixPNAgent", $true)

# Read value as Byte Array
$key.GetValueNames() | where {$_ -like "application model*"} | %{
$bytesIn += $Key.GetValue("$_")}

# Copy the Bytes to a String
$encode = New-Object System.Text.ASCIIEncoding
$rawData = $Encode.GetString($bytesIn)

# Replace spaces in element names with underscores
$data = $rawData | Foreach-Object {
[regex]::replace($_,‘<([^>]+)>’,{$args[0] -replace ‘ ‘,‘ ’})
}

# Add dummy Root element
$data = "<root>$data</root>"

# Load the data into XML Object
$xml = New-Object Xml.XmlDocument
$xml.LoadXml($data)

foreach ($app in $xml.root.appdata){

if ($app.details.settings.appisdesktop -eq "true"){$type="Desktop"}
Else{$type="Application"}
if ($showdisabled -ne $true){
if ($app.details.settings.appisdisabled -eq $true){continue}
}
$item=new-object PSObject -Property @{
Name=$app.FName;
InName=$app.inname;
Description=$app.details.settings.Description
Type=$type
}#end report
$report+=@($item)
}#end for

return $report
}#end function

function start-pnapplication{
param(
[Parameter(
Position=0,
Mandatory=$true,
ValueFromPipeline=$true,
ValueFromPipelineByPropertyName=$true)]
[string]$InName,
[string]$PnAgentPath="C:Program Files (x86)CitrixICA Clientpnagent.exe")

if (!(test-path $Pnagentpath)){write-warning "cannot find Pnagent, breaking"}

start-process $pnagentpath -ArgumentList "/qlaunch ""$inname"""
}

[/sourcecode]

This really inst a huge issue to most environments, as users will probably want to enumerate their printers at one stage or another. But in a RES Workspace manager environment, RES provide a much better interface for printer management which really defunct’s and eliminates the need for the windows method.

The culprit can be seen below:

This problem for me, all stems from the “NoSetFolders” chestnut, anyone who’s tried to lock down a Terminal services environment from Windows Server 2000 onwards will be aware that this “handy” group policy removes the users ability to use [Windows Key] and [E] to open explorer. This issue still isn’t fixed in 2008 R2 and I’m beginning to think Microsoft just wont fix it. Hey no big deal right? Yes, quite a big deal if you ask pedantic users.

Anyway, I digress. Once you remove the NoSetFolders key, the user has the ability to see the devices and printers as below on the start menu, hence my situation.

To remove this folder view for all users, its time to hack the registry!

The Class ID belonging to this start menu item can be found here:

HKEY_CLASSES_ROOTCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}

This dastardly key also has a 32bit relation that can be found here:

HKEY_CLASSES_ROOTWow6432NodeCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}

As with my previous post about removing screen resolution and personalise, its just a matter of removing the users ability to see this registry key.

So below you will find the steps to take to remove this item:

1. Take a backup of this key, you’ll thank me if you get it wrong!
2. Browse down to HKEY_CLASSES_ROOTCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}
3. right click this key, choose permissions, click advanced then owner
4. Select administrators from the list, then choose “Apply”.
5. browse to the permissions tab and remove the “users” group. (you may need to remove inheritance)
6. Click “apply”, then “ok”.
7. Repeat step 2 to 6 on HKEY_CLASSES_ROOTWow6432NodeCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}
8. Tada! go grab a coffee to celebrate your domination over the windows operating system.

And that’s it, even if the user tries to view the option theres a blank place on the start menu where devices and printers should be. Check back next week and I’ll show you how to replace this shell icon with PowerPrint from RES software.

PS: You can also quite easily script this, Remko provided me with a great script that I’ve modified below to suit this purpose.

[sourcecode language=”Powershell”]

## #############################################################################
## Restrict certain Explorer items via registry key.
## #############################################################################
if (!(get-psdrive hkcr -ea 0)){New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | out-null}

function get-elevatedprivileges{
$definition = @"
using System;
using System.Runtime.InteropServices;

namespace Win32Api
{

public class NtDll
{
[DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
}
}
"@
Add-Type -TypeDefinition $definition -PassThru | out-null

$bEnabled = $false

# Enable SeTakeOwnershipPrivilege
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)
}

function take-ownership{
param(
[Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
[string]$regkey)
$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($regkey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")

#taking ownership first
$key.SetAccessControl($acl)

#my bit – give admin full access
$rule = New-Object System.Security.AccessControl.RegistryAccessRule("Administrators","FullControl","allow")
$acl.addaccessrule($rule)
$key.SetAccessControl($acl)
#end bit

}#end ownership function.

function remove-useracl{
param(
[Parameter(Mandatory = $true,Position = 0,valueFromPipeline=$true)]
[string]$regkey)
write-host "$regkey"
#remove inheritance
$acl = Get-Acl $regkey
$acl.SetAccessRuleProtection($true, $true)
set-acl $regkey -aclobject $acl

#Remove users
$acl = Get-Acl $regkey
foreach ($rule in $acl.access){if ($rule.identityreference -eq "BUILTINUsers"){$acl.RemoveAccessRuleSpecific($rule)}}
set-acl $regkey -AclObject $acl
}#end acl function.

#define keys to be restricted
$keys=@("CLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}", # printers and devices
"Wow6432NodeCLSID{A8A91A66-3A7D-4424-8D24-04E180695C7A}" # 32bit Printers and devices
)

#elevate priviledges

get-elevatedprivileges

#restrict each key
foreach ($key in $keys){
if (test-path "hkcr:$key"){
take-ownership -regkey $key
remove-useracl -regkey "hkcr:$key"
}
}
[/sourcecode]