Archive for the ‘Windows 7’ Category

How to configure Windows event forwarding in Windows 7/2008 – Part-1

The purpose of this article is to explain how event forwarding works, the different types of event forwarding, and to give a step-by-step guide for implementing them.

In this part 1 of “How to configure event forwarding in Windows 7/2008”, I will cover some basics about event forwarding, the different components involved in forwarding, and their functionality.

Windows 7 and Windows 2008 R2 support forwarding event log messages to a centrally defined server. The purpose is very simple: you have all required events in one place, and you can do auditing, archival, or any other operation you want from a single place. You need not depend on external scripts to collect Windows event logs from different computers and place them in a single location.

There are two main components involved in Event Forwarding.

1) Collector:

A collector is a Windows computer which collects event logs from computers on your network and stores them locally. In other words, this is where all events are saved.

2) Forwarder/Source Computer:

This is a Windows computer that forwards events from the local computer to a central computer which is designated as the collector.

The definitions of source computer and collector are pretty clear and I believe there is no need to explain them in detail. If you are still in doubt, the below picture should definitely clarify that.

Now we know what a source computer is and what a collector computer is in event forwarding. The next question you might have is whether the source computer initiates the event forwarding or the collector does. Based on which component initiates the event forwarding request, Windows event log forwarding is divided into two types. They are called subscriptions.

1) Collector initiated subscription:

In this type of subscription, the collector asks the remote computer to send events to it. It is the job of the collector to frequently poll the source computers and get event logs from them. This kind of subscription is best suited to a limited set of computers. It doesn’t scale well as the number of source computers increases.

2) Source initiated subscription:

In this type of subscription, the source computer sends the event logs to the collector computer. The job of the collector computer is just to save whatever the source computer sends.

For either collector initiated or source initiated forwarding, a subscription needs to be created on the collector side. A subscription is nothing but a configuration which tells which event logs/event IDs should be forwarded. The destination log for the forwarded events is also configured in the subscription.

To make event forwarding work, both the collector and the source computer should be configured to do that. I will cover this in detail when I talk about each type of subscription in my next posts.
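To make the idea of a subscription concrete, here is an added example (not from the original post) of a source initiated subscription defined as XML and registered on the collector with wecutil. The subscription name "Logon-Events", the batching values and the chosen event IDs are illustrative assumptions.

```powershell
# Added example, not from the original post. Run on the collector, elevated.
# "Logon-Events" and the selected event IDs are illustrative choices.
$subscription = [xml]@'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logon-Events</SubscriptionId>
  <!-- For the collector initiated type, use CollectorInitiated here and list
       each source in EventSources/EventSource/Address instead of the
       AllowedSource* elements at the bottom. -->
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon success and failure events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>20</MaxItems>
      <MaxLatencyTime>60000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="60000"/>
    </PushSettings>
  </Delivery>
  <!-- What to forward: which log and which event IDs -->
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <!-- Destination log on the collector -->
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to forward -->
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'Logon-Events.xml'
$subscription.Save($path)      # the [xml] cast above already rejected malformed XML

wecutil qc /q                  # configure and start the Windows Event Collector service
wecutil cs $path               # create the subscription from the file
wecutil gr Logon-Events        # runtime status: which sources have connected
```

Source computers still have to be pointed at the collector, and to forward the Security log the Network Service account on each source needs read access to it (for example through the Event Log Readers group).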

Another piece of information worth sharing is which operating systems can act as a source computer and which can play the collector role.

Source Computer:

  1. Windows XP with Service Pack 2 (SP2)
  2. Windows Server 2003 with Service Pack 1 (SP1)
  3. Windows Server 2003 with Service Pack 2 (SP2)
  4. Windows Server 2003 R2, Windows Vista
  5. Windows Vista with SP1
  6. Windows 7
  7. Windows Server 2008
  8. Windows 2008 R2

Collector Computer:

  1. Windows Vista with SP1
  2. Windows 7
  3. Windows Server 2008
  4. Windows 2008 R2

One point to note here is that WS-Management 1.1 is not installed by default on computers running Windows XP with SP2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, or Windows Server 2003 R2, so you must install WS-Man 1.1 to use these platforms as event sources before you set up a source-initiated event subscription. For more information about how to install WS-Management 1.1, see http://go.microsoft.com/fwlink/?LinkId=100895.

In my next posts I will talk about how to configure source initiated and collector initiated subscriptions in detail.

Simple steps to increase your laptop battery life

February 28, 2012

While researching material for my previous article, I stumbled on one of the posts on the “Microsoft at work” blog. The post is about best practices for giving your battery a good life. The points discussed in the article are interesting and I felt they were worth sharing.

You can read the article at http://www.microsoft.com/atwork/maintenance/battery.aspx

 

 

Powershell: Change/Set Power plans in Windows 7/Windows 2008 R2

February 28, 2012

Are you looking for a way to change the power plan on a local or remote computer? You are at the right place. The script discussed in this article will help you change power plans the PowerShell way. A built-in Microsoft tool (powercfg.exe) can also do this job, but I am not building my script as a wrapper around that tool. I am simply relying on a WMI class to change the power plan. I recommend the WMI way because calling executables inside a script is not a good practice; it should be our last resort when the task is not possible through WMI, a .NET class, or some API.

The Win32_PowerPlan WMI class returns the list of power plans available on the computer. This list includes built-in power plans like “Power Saver”, “Balanced” and “High Performance”, plus any custom power plans that the user has created. Each returned power plan is again an object which has a method called Activate() to activate that power plan. The power plan object also has a property called IsActive, which is set to $true if it is the active power plan the system is currently using.

The code follows…

Set-PowerPlan.ps1

[cmdletbinding()]
param (
    [parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
    [string[]]$ComputerName = $env:computername,

    [parameter(Mandatory=$true)]
    [ValidateSet("Power Saver", "Balanced", "High Performance")]
    [string]$PowerPlan
)

begin {}

process {
    foreach ($Computer in $ComputerName) {
        if (Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
            Write-Verbose "$Computer is online"
            # Query the power plans once and pick out the active and the requested plan
            $Plans = Get-WmiObject -Class Win32_PowerPlan -Namespace root\CIMV2\Power -ComputerName $Computer
            $PreviousPowerPlan = $Plans | ? { $_.IsActive -eq $true }
            $CurrentPowerPlan  = $Plans | ? { $_.ElementName -eq $PowerPlan }
            # Without this check, Activate() would be called on $null
            if (-not $CurrentPowerPlan) {
                Write-Warning "Power plan '$PowerPlan' was not found on $Computer"
                continue
            }
            # Discard the method's return object so only $OutputObj reaches the pipeline
            $null = $CurrentPowerPlan.Activate()
            $OutputObj = New-Object -Type PSObject
            $OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer.ToUpper()
            $OutputObj | Add-Member -MemberType NoteProperty -Name PreviousPlan -Value $PreviousPowerPlan.ElementName
            $OutputObj | Add-Member -MemberType NoteProperty -Name CurrentPlan -Value $CurrentPowerPlan.ElementName
            $OutputObj
        } else {
            Write-Verbose "$Computer is offline"
        }
    }
}

end {}

 

Save the above code into a file called “Set-PowerPlan.ps1” and it is ready for use. You can use the -ComputerName parameter if you want to run it against a particular computer. If this parameter is not specified, it runs on the local computer.

Go through the below examples for usage instructions and let me know if you have any questions.

Hope this helps…

Tip: How to open a program as administrator

February 19, 2012

Hi Readers,

Before signing out today, I wanna share a quick tip that you can use on Windows 7 or Windows 2008 computers to open any program with an administrator account. That means elevating an application. You might ask, isn’t it easy to right click and say “Run As Administrator”? Well, you won’t get that option for all applications. Give it a try with Office applications if you want to observe this. In such cases, one needs to open an elevated command prompt and launch the application from there, which is somewhat time consuming. Instead you can use the below tip.

Hold Ctrl + Shift and then click on the application. It will automatically try to open in elevated mode.

Hope this helps and happy learning.

Categories: Sysadmin, Tips, Windows 7

Powershell: How to logoff remote computer

February 19, 2012

In one of my recent posts, I talked about shutting down a remote computer using PowerShell. Since then I started exploring the other options available in the Win32_OperatingSystem class and figured out one more helpful method which can log off users logged on to remote computers.

This script helps you to log off the remote user who is currently logged on to the computer. I didn’t test this against a terminal services environment where multiple users are logged in, but you can try this and let me know how it goes.

Code:

[cmdletbinding()]
param (
    [parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
    [string[]]$ComputerName = $env:computername,
    [switch]$Force
)

begin {
    $Username = $env:username
    # Win32ShutdownTracker flags: 0 = log off, 4 = forced log off
    if ($Force) { $flag = 4 } else { $flag = 0 }
    # Seconds to wait before the logoff starts; 0 means immediately
    $Timeout = 0
    $comment = "Logoff initiated by $Username using $($MyInvocation.InvocationName). Timeout is $Timeout"
}

process {
    foreach ($Computer in $ComputerName) {
        Write-Verbose "Working on $Computer"
        if (Test-Connection -ComputerName $Computer -Count 1 -ea 0) {
            $OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer
            # The method returns an object; its ReturnValue is 0 on success
            $Result = $OS.Win32ShutdownTracker($Timeout, $comment, 0, $flag)
            if ($Result.ReturnValue -ne 0) {
                $Status = "FAILED"
            } else {
                $Status = "SUCCESS"
            }
            $OutputObj = New-Object -TypeName PSObject
            $OutputObj | Add-Member -MemberType NoteProperty -Name ComputerName -Value $Computer
            $OutputObj | Add-Member -MemberType NoteProperty -Name LogOffStatus -Value $Status
            $OutputObj | Add-Member -MemberType NoteProperty -Name Timeout -Value $Timeout
            $OutputObj
        }
    }
}

end {}

Usage:

.\Logoff-Computer.ps1 -ComputerName MyPC1

Windows 7: Unveil hidden themes

Windows 7 comes with a few default themes which you can view from “Control Panel” -> “Appearance and Personalization” -> “Change the theme”. While exploring something today, I came across a hidden location where a few more Windows 7 themes are available.

To access the location, go to Start -> Run and type “c:\Windows\Globalization\mct”. This lists the folders, and here you can see the themes for “AU – Australia”, “CA – Canada”, “US – United States”, “GB – United Kingdom”, and “ZA – South Africa”. Out of these, we generally see only the United States theme in Control Panel. This is because most of us select US as the country/language during installation. If we choose some other country during installation, the respective theme gets added.

If you like any of these hidden themes, just go to that folder and execute the file inside the themes folder to install and activate it. I liked the ZA theme among them :-)

 

Command line to disable network connection in windows 2008/Windows 7

I was inspired by my previous post and decided to do some network interface related operations from the command line, as they help me when managing the Windows 2008 Core operating system. Another command that I am going to provide now disables a network connection from the command line.

netsh interface set interface name="Local Area Connection 1" admin=DISABLED

In the above command, “Local Area Connection 1” is the name of the connection that you want to disable. You can change the value of admin to ENABLED to enable the network connection again. Similarly, if you want to rename the network connection, you can use the newname parameter. Below is the command.

netsh interface set interface name="Local Area Connection 1" newname="My NIC1"

The above command renames the “Local Area Connection 1” connection to “My NIC1”.

Hope this helps…

Disable Windows firewall from command line

When you are working on Windows 2008 Core, you may get a requirement to disable the firewall functionality to allow all programs to communicate. The default firewall settings block most ports (including remote management) and the administrator has to explicitly open them on a need basis. The default Core console allows you to perform only a few network operations like listing and assigning IP addresses, but if you want to perform advanced operations like disabling firewall functionality in all profiles (see my post http://techibee.com/windows-2008/what-is-domain-public-and-private-profiles-in-windows-2008-firewall/478 for the different profiles in the 2008 firewall), you need to rely on command line options.

Netsh is one of the very useful command line utilities in the Windows environment. In this post, I will show you how to disable firewall profiles (private, public, domain) on Windows 2008 Core. You need this command in a Server Core environment because you cannot manage the firewall remotely, as there is no provision for it, and you cannot manage it from the local host, as Core has no GUI. The only option is the command line utility.

Now, let us see how we can disable firewall functionality in all profiles.

netsh advfirewall set allprofiles state off

If you want to turn off the firewall for individual profiles, use the below commands:

netsh advfirewall set domainprofile state off

netsh advfirewall set privateprofile state off

netsh advfirewall set publicprofile state off

You can turn the firewall back on by simply replacing “off” with “on” in the above commands.

The netsh utility lets us perform many more operations on different components of the operating system. You can explore the help (netsh /?) to learn about it further.

You can also download a NetSH Technical reference guide from the MS website. Refer to http://techibee.com/general/download-netsh-technical-reference-for-windows-2008windows-7/494 for more details.

Hope this helps.
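To confirm which profiles the commands above actually left switched off, the state can be read back with netsh advfirewall show allprofiles state. The following is an added example, not part of the original post: Get-FirewallProfileState is a hypothetical helper name, the sample output is constructed, and the parsing assumes English-language netsh output.

```powershell
# Added example, not from the original post. Get-FirewallProfileState is a
# hypothetical helper name; the parsing assumes English-language netsh output.
function Get-FirewallProfileState {
    param([string[]]$NetshOutput)

    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(Domain|Private|Public) Profile Settings') {
            # Remember which profile the following "State" line belongs to
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*State\s+(ON|OFF)\s*$') {
            New-Object PSObject -Property @{
                Profile = $current
                Enabled = ($Matches[1] -eq 'ON')
            }
            $current = $null
        }
    }
}

# Constructed sample: output after "netsh advfirewall set publicprofile state off"
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Ok.
'@ -split '\r?\n'

# List only the profiles that are left without firewall protection
Get-FirewallProfileState $sample | Where-Object { -not $_.Enabled }

# Live check on the local machine:
# Get-FirewallProfileState (netsh advfirewall show allprofiles state)

# Opening only what is needed instead of switching a whole profile off:
# netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
```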

Wake on LAN is not working in Windows 7 — Found the solution

I have been struggling for a while to identify why Wake On LAN has not been working since I installed Windows 7 on my computer. It worked fine with Windows XP, but after moving to Windows 7, it never worked. After a lot of testing and trying various things, I finally reached the solution.

So, here you go…

There is something called PME (Power Management Event) in the network connection properties, which should be in the enabled state for your Windows 7 computer to process the magic packets that wake it up.

To enable PME, follow the below steps.

  • Go to Start -> Run, type “ncpa.cpl” and click OK.
  • This opens the network connections available on the computer. Identify the NIC on which your computer will receive magic packets and go to its properties.
  • Click on Configure, switch to the Advanced tab, select “Enable PME” in the property list and change the value to “Enable”.
  • Click on OK to complete the configuration.

This will make your network connection blip briefly. Once your network connection is back, your computer is ready to process WOL packets. Shut down your computer and try sending the magic packet again. It should work without any issues.

Relevant articles:

http://www.intel.com/support/network/sb/cs-008459.htm

Feel free to post any questions that you have about WOL in windows.

Categories: Windows 7

Disable TCP/IP “Auto Tuning” in windows 7/vista/windows 2008 R2

April 13, 2011

For the last one and a half years, I have been working on the Windows 7 operating system, and in my experience “Auto Tuning” in Windows 7/Vista/Windows 2008 R2 is the most likely culprit for any network related problems. If you see a network related problem in these operating systems and cannot determine the cause, I suggest you try disabling “auto tuning” first.

I know that “auto tuning” is one of the features introduced with Windows 7/Vista to improve OS operations on the network. Basically, it adjusts the TCP window size to improve network operations. Though it sounds good in theory, I have seen numerous posts on the internet where disabling “auto tuning” addressed many issues like slow data copy, slowness in email delivery, slow Outlook mail caching times, and a few application data transfer related issues. You will see most of these issues when performing transfer operations over a WAN link.

So, considering all of the above, I would like to share the procedure for disabling/enabling “Auto Tuning” in a Windows 7 environment, which may come in handy when troubleshooting network related issues…

Procedure:

  1. Open a command prompt with elevated rights
  2. Run the command netsh interface tcp set global autotuninglevel=disabled
  3. This disables auto tuning
  4. Similarly, to enable auto tuning again, use the command netsh interface tcp set global autotuninglevel=normal

If you want to see the current status of auto tuning, use netsh interface tcp show global

Hope this helps you.

Categories: Windows 7