Who said you can’t have a pagefile larger than 4 GB?
April 6th, 2009 . by noel
Everyone knows you can’t have a pagefile larger than 4 GB per volume, right? WRONG! See Microsoft article 237740.
The current algorithm Windows uses to set the default paging file size is:
- If total physical RAM is less than 2 gigabytes (GB), the paging file is set to 1.5 times the amount of RAM or 2 GB, whichever is smaller.
- If total physical RAM is equal to or more than 2 GB, the default size is set to 2 GB.
If you want to create multiple 4 GB pagefiles on the same volume:
- First, you have to be using /PAE
- And you have to use /MAXMEM if you want to get a complete memory dump
- Create multiple folders on your drive to hold the pagefiles (ex: c:\pagefile1, etc)
- Edit the MemoryManagement key
- Edit the PagingFiles key and associate the files to the folders you created (c:\pagefile1\pagefile.sys 3000 4000)
- Reboot
Now when you look at the virtual memory settings in the control panel applet you’ll see the new configuration. Be cautious if you do this… performance could be impacted significantly.
Windows Crash Dump Analysis
March 11th, 2009 . by noel
I recently watched a webcast on Windows crash dumps presented by Mark Russinovich. Not only is he a great presenter, but his sessions are always jam-packed with useful information. If you can’t find the webcast, go get Windows Internals 4th Edition and peruse Chapter 10. You should also check out the help file in WinDbg, which is uncharacteristically good. Finally, there are special knowledge base articles at microsoft.com/ddk/debugging.
There were a lot of great tips in this webcast, but here are some of my favorites:
- First, you can manually crashdump a system by setting the CrashOnCtrlScroll key in the registry… but if that doesn’t work for you, you can forcefully crash a system by using the NMI button installed on some servers. If you don’t have a server with an NMI button you can create one with a PCI interface. See this link for the instructions: http://www.microsoft.com/whdc/system/CEC/dmpsw.mspx
- Something I always forget to do: if you are looking at a crash dump from a multiprocessor system make sure you check all CPUs by using the ~ command to change which CPU you’re looking at. For example: ~1 to change to the 2nd processor, etc.
- Speaking of not forgetting… don’t forget to set your symbols folder to go here: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
- Use the !thread command to see the drivers that are loaded - and check the dates of each driver. If you see one that seems old, go find a new one and replace it.
- Use LMKV command on the thread to get detailed info on the thread
- Use !analyze -v to get the automated analysis. If the “probably caused by” doesn’t seem right, it could be buffer corruption that happened some time long before the error appeared. Most likely it’s not an nt!xxxx process or a native Microsoft OS file that is causing the crash.
- Use !locks to look for deadlocks
- Use a live dump to analyze your system without a crash. Get LiveKD from Sysinternals and do a .dump to look at the live system (or .dump /f to generate a full dump).
- Remote debugger (F8 during boot) can be useful but don’t use it with default setting over serial port at 19200… either change it to 115200 or USB2 (Vista) or Firewire (Windows 2003). This loads the kernel debugger at boot time and does not affect performance. If a remote system is set up to do a remote debug session and it BSODs it will wait until you connect to it with the remote debugger before it does anything else.
- Use Driver Verifier to check 3rd party and unsigned drivers (enables ‘special pool’). You won’t find it on the Start menu - go find verifier.exe (use the ‘create custom settings’ option) and then select individual settings from a full list. Select everything except ‘low resource simulation’. Next select ‘select drivers from list’ and select the ones you think are suspicious. If that doesn’t yield good results in getting good crash dumps, go back and change the settings to “all 3rd party and unsigned drivers”. If that doesn’t yield good crash dumps you might have to go through several iterations of selecting drivers in groups of 10-20 at a time.
- Don’t forget to run the Windows Memory Diagnostic tool
How to delete 0 byte files from a batch script
August 29th, 2008 . by snoel
Frequently you need to process files in a folder but don’t want to deal with 0-byte files… so how do you delete these pesky files in your script? Easy - in one line:
for /f "tokens=* delims=" %%F in ('dir /s/b/a-d d:\folder') do (if 0 equ %%~zF del "%%F")
You can use the same technique for files that are smaller than a certain size, or bigger than a certain size by replacing EQU with LSS or GTR.
The new face of arcade games?
August 24th, 2008 . by snoel
I love MAME and have wanted to build my own MAME cabinet for a long time. The closest I’ve gotten is an X-Arcade joystick mounted to a baker’s rack at a comfortable height. I ran across this the other day and thought it was a nice look - retro gaming in an ultramodern shell:

And how about this one for the inspiration from 1971:

Source: http://www.retrothing.com/2008/08/retro-space-21s.html
Free Vista SP1 support
August 24th, 2008 . by Administrator
By the way, in case you didn’t know, Microsoft is offering free support
on SP1… business hours only:
Free unlimited installation and compatibility support is available for
Windows Vista, but only for Service Pack 1 (SP1). This support for SP1
is valid until March 18, 2009. Availability of chat or e-mail support
differs depending on your geographic location. For customers residing in
North America or Canada, chat and e-mail support is available. Some
issues may require more advanced support for which there is a charge.
No-charge Unlimited support requests: (866) 234-6020
PC Manufacturer contact info
August 24th, 2008 . by Administrator
Microsoft publishes these numbers at support.microsoft.com/gp/oemphone
so you can get in touch with your manufacturer if you have an OEM
Windows license installed:
Acer (800) 816-2237
IBM (800) 426-7378
Averatec (877) 462-3462
Lenovo (866) 96-THINK (968-4465)
Compaq (800) 652-6672
Maxdata (626) 935-0050
Dell (888) 560-8324
EMachines (408) 273-0888
Medion (866) 633-4660
Fujitsu (800) 831-3183
NEC Corp (800) 338-9549
Panasonic (800) 527-8675
Gateway (800) 846-2301
Sharp (800) 237-4277
Hewlett Packard (800) 474-6836
Sony (888) 476-6972
Toshiba (800) 457-7777
Samsung www.samsung.com
Hitachi www.hitachi.com
For loops not recognizing spaces properly
August 24th, 2008 . by Administrator
Speaking of learning something new every day… we all know that command
line tools and spaces don’t get along… but the way to make them behave
is to surround values containing spaces in quotes, right?
So the other day I’m writing this query to extract all users in my
active directory (easy enough: dsquery user -name * -limit 50000 | sort > users.txt).
But all the names had spaces in them and my next query, to list all the
groups each user was in (for /f "delims=~" %%i in (users.txt) do echo %%i >> foreachuser-showgroupmembership.txt && cscript //nologo EnumGroup.vbs %%i >> foreachuser-showgroupmembership.txt) kept bombing
out on the spaces.
So after banging my head against the wall for a couple hours, it dawns
on me to look at the help file for the FOR command.
The trick is to define a delimiter that the program will never find…
so since I knew there weren’t any ~s in the names, I set the delimiter
to ~ and re-ran the command.
This may come in handy again someday.
Get all groupnames (short):
dsquery group -limit 50000 -o samid | sort
Get all groupnames (distinguished name):
dsquery group -limit 50000 | sort
Get all users:
dsquery user -name * -limit 50000 | sort
Get all users in each group:
for /f "delims=~" %%i in (groups-SHORT.txt) do echo %%i >> foreachgroup-showitsmembers.txt && dsquery group -name "%%i" | dsget group -members >> foreachgroup-showitsmembers.txt && type crlf.txt >> foreachgroup-showitsmembers.txt
Get all groups that each user is in:
for /f "delims=~" %%i in (users.txt) do echo %%i >> foreachuser-showgroupmembership.txt && cscript //nologo EnumGroup.vbs %%i >> foreachuser-showgroupmembership.txt && type crlf.txt >> foreachuser-showgroupmembership.txt
I didn’t know anyone used the Services file anymore
August 24th, 2008 . by Administrator
So, just like hosts and lmhosts, there is a file in
\windows\system32\drivers\etc named ‘services’.
Now I’ve been building and maintaining PCs and networks for about 20
years and have never had to touch this file… but last week I finally
needed it.
There was an application trying to talk to a service named OLCCA… what
the hell is OLCCA? Beats me, but the developer told me it used tcp port
8562.
But how does “OLCCA” get translated to 8562? I’m glad you asked… by
defining it in the services file like this:
OLCCA 8562/tcp
You learn something new every day… if you’re paying attention.
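The name-to-port lookup described in this post, as an added PowerShell example that is not part of the original post: it parses lines in the services-file format and resolves a name or alias to its port, which is also a quick way to audit what has been added to the file. The function names and the sample lines are constructed for illustration, and the case-insensitive name match is an assumption of this example.

```powershell
# Added example. Line format of the services file:
#   <name>  <port>/<protocol>  [aliases...]  [#comment]
function ConvertFrom-ServicesLine {
    param([string[]]$Line)
    foreach ($raw in $Line) {
        # Drop everything after the first '#', then surrounding whitespace.
        $text = ($raw -split '#', 2)[0].Trim()
        if ($text -match '^(\S+)\s+(\d+)/(\w+)(?:\s+(.+))?$') {
            $aliases = @()
            if ($Matches[4]) { $aliases = @($Matches[4] -split '\s+') }
            [pscustomobject]@{
                Name     = $Matches[1]
                Port     = [int]$Matches[2]
                Protocol = $Matches[3].ToLower()
                Aliases  = $aliases
            }
        }
    }
}

# Return the first entry whose name or alias matches for the given protocol.
function Resolve-ServicePort {
    param([object[]]$Entry, [string]$Name, [string]$Protocol = 'tcp')
    $Entry | Where-Object {
        $_.Protocol -eq $Protocol -and
        ($_.Name -eq $Name -or $_.Aliases -contains $Name)
    } | Select-Object -First 1
}

# Constructed sample lines; the OLCCA entry is the one from the post.
$sample = @(
    '# constructed sample',
    'smtp      25/tcp    mail      #Simple Mail Transfer Protocol',
    'OLCCA   8562/tcp'
)
$entries = ConvertFrom-ServicesLine -Line $sample
(Resolve-ServicePort -Entry $entries -Name 'OLCCA').Port

# To parse the live file instead of the sample:
# $path = "$env:SystemRoot\System32\drivers\etc\services"
# $entries = ConvertFrom-ServicesLine -Line (Get-Content $path)
```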
Firewall service won’t start in Vista
August 24th, 2008 . by Administrator
Ran into an interesting problem last week… the firewall on a Vista
machine wouldn’t start. Every time you tried to start it, it would fail
with a “service specific error code 5”.
With not much to go on I scoured Google and support.microsoft.com but
came up empty - for a while. Then I ran across this article:
http://support.microsoft.com/kb/943996 - “Some services do not start in
Windows Vista”.
The error means “Access is denied”. This may happen if the “MpsSvc”
account doesn’t have the necessary permissions for the related registry
keys.
The NT Service\MpsSvc account needs permissions for the following keys:
1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch: Query Value;Set Value
2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy: Full Control;Read
3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy: Full Control;Read
Sounded like a long-shot, but sure enough, MpsSvc had no permissions to
one of the three keys and when I added it back in, it worked. No reboot
was necessary.
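A read-only check for the three keys listed in this post, as an added PowerShell example that is not part of the original post or of the KB article: it reports which of the listed rights have no Allow entry for NT Service\MpsSvc. The function name is hypothetical, and the mapping of "Query Value", "Set Value" and "Full Control" onto .NET RegistryRights flags is an assumption; run it from an elevated prompt.

```powershell
# Added example: audits the ACLs, changes nothing.
$Account = 'NT SERVICE\MpsSvc'
$Base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'

# Assumed mapping of the post's wording onto RegistryRights flag names.
$Required = @(
    @{ Key = "$Base\Epoch";                     Need = 'QueryValues, SetValue' },
    @{ Key = "$Base\Parameters\FirewallPolicy"; Need = 'FullControl' },
    @{ Key = "$Base\Defaults\FirewallPolicy";   Need = 'FullControl' }
)

function Test-MpsSvcKeyAccess {
    foreach ($item in $Required) {
        if (-not (Test-Path -Path $item.Key)) {
            [pscustomobject]@{ Key = $item.Key; Status = 'KeyNotFound'; Missing = $null }
            continue
        }
        $need    = [int][System.Security.AccessControl.RegistryRights]$item.Need
        $granted = 0
        # Union of all Allow entries for the account. Deny entries and
        # generic-rights entries are not interpreted by this check.
        foreach ($rule in (Get-Acl -Path $item.Key).Access) {
            if ($rule.IdentityReference.Value -eq $Account -and
                $rule.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$rule.RegistryRights
            }
        }
        # Bits that are required but were never granted.
        $missing = $need -band (-bnot $granted)
        [pscustomobject]@{
            Key     = $item.Key
            Status  = if ($missing) { 'MissingRights' } else { 'OK' }
            Missing = [System.Security.AccessControl.RegistryRights]$missing
        }
    }
}

Test-MpsSvcKeyAccess | Format-List
```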