Tag Archives: Windows

Viewing open files on a file server from powershell.

/wp-content/uploads/2011/03/windows_powershell_icon.png?w=58&h=58&h=58So this is a situation you should all be aware of in an SBC / VDI environment, despite all warnings, you’ve redirected folders to your network drive and your file servers are screaming in agony?

Having been in this situation recently, I needed to audit and report on the types of files open on the file server, my hunch was a certain select number of users were running applications (like *gulp* lotus notes) from the network share.

Disappointed with the powershell scripts on the interwebs, I decided to write my own function to perform this task:

[sourcecode language=”powershell”]
function get-openfiles{
$collection = @()
foreach ($computer in $computername){
$netfile = [ADSI]"WinNT://$computer/LanmanServer"

$netfile.Invoke("Resources") | foreach {
$collection += New-Object PsObject -Property @{
Id = $_.GetType().InvokeMember("Name", ‘GetProperty’, $null, $_, $null)
itemPath = $_.GetType().InvokeMember("Path", ‘GetProperty’, $null, $_, $null)
UserName = $_.GetType().InvokeMember("User", ‘GetProperty’, $null, $_, $null)
LockCount = $_.GetType().InvokeMember("LockCount", ‘GetProperty’, $null, $_, $null)
Server = $computer
if ($verbose){write-warning $error[0]}
Return $collection

The function above (get-openfiles) has been written to accept an array of servers to the command line and it will return the following items:

  • The ID of the open file.
  • The server it’s open from.
  • The username who has the file open.
  • The amount of locks the file has.

A couple of quick examples for using this command are below:

Retrieving open files from server1:


[sourcecode language=”powershell”]get-openfiles -computername server1 | select server,itempath,lockcount[/sourcecode]

Retrieve a count of open files that end with the nsf file type (Lotus Notes):


[sourcecode language=”powershell”](get-open files -computername server1,server2 | ? {$_.itempath -like "*.nsf*"}).count()[/sourcecode]

Retrieve a report of total open files on a number of file servers:



[sourcecode language=”powershell”]get-openfiles -computername server1,server2,server3,server4,server5 | group -property server[/sourcecode]


Monitoring Storage disk queue’s and IO with PowerShell

/wp-content/uploads/2011/03/windows_powershell_icon.png?w=58&h=58&h=58Here’s one that used to bother me alot. The problem usually went as follows:

“Your XenApp servers have very high disk queue’s and IO”

“What’s causing it?”


With Server 2008, the task manager’s resource monitor feature will help you find these items. But in server 2003 this was a perilous task. The specific details for disk io per process are stored in performance monitor under each specific process running. Trying to analyse each process was a massive pain, but powershell can do some very clever work to help alleviate this!

I wrote two quick functions which act similar to “top” in linux for giving an on screen view, updating at interval of what exactly is creating IO activity. These two functions are:





The code for these functions are below:

[sourcecode language=”powershell”]
function get-iodatabytes{
$result=(get-counter -counter "Process(*)IO Data Bytes/sec" -ea 0).countersamples | ? {$_.cookedvalue -gt 0} | select instancename,@{Name="SessionID";Expression={if ($_.path.contains("#")){($_.path.split("#)"))[1]}else{"0"}}},@{Name="IO Data Bytes/sec";Expression={[math]::Round($_.cookedvalue,0)}},@{Name="IO Data KBytes/sec";Expression={[math]::Round($_.cookedvalue / 1024,0)}} | sort -Descending "IO Data Bytes/sec" | ft
$currentqueue=(((get-counter -counter "PhysicalDisk(0 C:)Current Disk Queue Length" -ea 0).countersamples) | select cookedvalue).cookedvalue
write-warning "Hit [CTRL] + [C] to exit live capture"
write-host "Current Disk queue: $currentqueue"
return $Result

FUnction get-IODataOperations {
$result=(get-counter -counter "Process(*)IO Data Operations/sec" -ea 0).countersamples | ? {$_.cookedvalue -gt 0} | select instancename,@{Name="SessionID";Expression={if ($_.path.contains("#")){($_.path.split("#)"))[1]}else{"0"}}},@{Name="IO Data Operations/sec";Expression={[math]::Round($_.cookedvalue,0)}} | sort -Descending "IO Data Operations/sec" | ft
$currentqueue=(((get-counter -counter "PhysicalDisk(0 C:)Current Disk Queue Length" -ea 0).countersamples) | select cookedvalue).cookedvalue
write-warning "Hit [CTRL] + [C] to exit live capture"
write-host "Current Disk queue: $currentqueue"
return $Result


if you wish to loop one of these functions, simply use the following code:

[sourcecode language=”powershell”]
while ($true){
start-sleep 1

The curious case of missing file shares on a Microsoft File Server Cluster.

I had a very unusual issue recently where, after a fail over one of my file cluster resources didn’t publish all shares to the users. Some shares did come up, but many of the shares were missing resulting in users being locked out of their network drives.

I immediately jumped to the registry HKEY_LOCAL_MACHINEClusterResources and found the resource by guid of my misbehaving file cluster. I could see all the shares missing were still published as resources as below:

Upon reviewing the event logs, each time the cluster was failed over, each missing share was logging the following event:

Log Name: System
Source: Microsoft-Windows-FailoverClustering
Date: xx/xx/xxxx 08:00:27
Event ID: 1068
Task Category: File Server Resource
Level: Warning
Computer: XXXXXXXXXXX.Domain.com
Cluster file share resource 'File Server FileServer' cannot be brought online. Creation of file share 'Vedeni' (scoped to network name Fileserver) failed due to error '5'. This operation will be automatically retried.

Upon reviewing the share permissions, an over zealous administrator had trimmed the NTFS permissions, removing the local system account. Upon each cluster resource coming online, the cluster uses the local system account to enumerate the shares and present them. Remove this account and your shares wont come online!

This  account doesnt need to be on every folder, just each folder a share is based on. E.g. if you share d:sharefinance as serverfinance, only the finance folder needs access granted to the system account.

To resolve, configure the system account to have access to the folder on “this folder only” then restart the file server resource. The resource will come on-line and your shares will be available again!

Strange “Recent Places” issue in windows 7 / Server 2008 R2.

Just a quick post about a funny little issue I saw recently.

First to give some background on this wonderful little folder. The recent places folder you see in the windows explorer Favorites menu is a collaboration of all the folders you have saved to recently. Windows compiles this folder view by first looking at your “Recent Files” in %userprofile%AppDataRoamingMicrosoftWindowsRecent and then filtering the results by directory. Leaving you with a view of all the folders you have worked in recently.

In my case, when using mandatory profiles in Server 2008 R2 and Windows 7, the Recent Places Folder in windows Explorer is spelled incorrectly. Instead of being “Recent Places”, it’s listed as “RecentPlaces” without the space.

When this issue occurs, the folder will correctly list the folders you have recently worked in, but the name will be incorrect for the duration of your session.

This will occur if active setup has not run on your profile, or as part of your profile creation. It seems despite following the Microsoft guide to the letter, active setup still needs to run on a Mandatory profile each time a user logs in…

The individual component of active setup responsible for many things including this profile adjustment is {89820200-ECBD-11cf-8B85-00AA005B4340} found in these registry locations:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftActive SetupInstalled Components
HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftActive SetupInstalled Components

This active setup component run’s the following command:

C:WindowsSystem32regsvr32.exe /s /n /i:U shell32.dll

To fix the issue, reinstate the active setup keys you wrongfully deleted (bad admin) or run the above command.

Once you’ve done this the folder will be displayed correctly.

For a great explanation of Active setup, check out Helge’s write up over here.

If you still hate active setup (like I do) the above command can be run on  as part of a login script or better yet as part of a RES Workspace Manager “Execute Command” without the annoying active setup pause. This will then fix this issue each login before the user see’s it.

This command is actually really useful to be aware of and I’ll blog about this a little later in the week about some other applications of this seemingly routine command.

Intermittent Thin Client disconnects

We recently had a problem after a Citrix rebuild where we were seeing thin clients intermittently disconnect from the citrix servers. Nothing in the event logs, just a lovely error on the Thin Client (Igel) reporting a Driver protocol error. The users could immediately reconnect, but 10-15 disconnects a day was getting a bit annoying for poor Joe Soap.

The problem was very difficult to track down due to absolutely no logging or even acknowledgement of the problem in any event logs.

We found that the reinstall was enabling the advanced IP features in Windows server 2003 involving TCP Offloading from the Nic to the CPU, Citrix and particularly thin clients do not like this feature one bit.

To disable these options, enter the following keys into the registry and reboot.


On a side note, I’ll be disabling these keys going forward on all server builds, its not a nice feature to implement unless the application is aware of the offload.