Monitoring Service In Windows

Below script would monitor the service states ( start, stop, starting , stopping, paused). This script would be useful for system engineers who are using custom utilities to monitor windows services eg: Nagios


Working Script

strComputer = “.”
‘ You need to specify the program( you can get the exe by right click the service –> path to executable.
strProgram = “lsass.exe”

Set objWMIService = GetObject(“winmgmts:” _
& “{impersonationLevel=impersonate,authenticationLevel=Pkt}!\\” _
& strComputer & “\root\cimv2”)

‘ Below code checks the program state
Set colProcesses = objWMIService.ExecQuery _
(“SELECT * FROM Win32_Process WHERE Name = ‘” & strProgram & “‘”)
If (colProcesses.Count <> 0) Then
Wscript.Echo “The program is running on the computer”
End If


Adfind Retrieve User Information

Hi All,

Below script will retrieve user’s information from specific OU and export the data to .csv file. In order to run this script , you have to modify the DN matching to your domain
Eg: “ou=test,ou=users,ou=fin,dc=texx,dc=local

Working Script

C:\>adfind.exe -f “(&(&(|(&(ob
er=*)(mobile=*)(manager=*)(description=*))))” -b “ou=test,ou=users,ou=fin,d
c=texx,dc=local” -csv -nodn sn givenname middlename personaltitle title emp
loyeeID company department mail homepostaladdress st streetaddress postalcode te
lephonenumber mobile manager description>>c:\ldif\final.csv

You can modify the .csv file by importing into Microsoft excel.

User Mode To Kernel Mode Switching

Windows operating system is divided into user mode and kernel mode space. Applications can run either in user mode or in the kernel mode in the form of a driver.  Applications running in user mode have huge stack space and most of the times drivers are implemented in kernel mode.

The applications can communicate to the drivers either

  • Calling a dynamic link library ( dll )
  • Calling a win32 API


When an application call one of the routine exposed by the dynamic link library , the dll in-turn communicates with win32 API and then the API calls the appropriate kernel mode subroutines . When we break down more in-detail , win32 API calls kernel mode client driver which communicates to class drivers provided by Microsoft.

When performing application testing , test engineers have to consider

  • Application interfaces being debugged
  • Memory usage
  • Operating system performance
  • Calls made to the kernel mode drivers
  • Context switch rate

There might be chances that application is waiting for the instruction to complete at the driver end , but the engineer end up debugging the application


Hello World – c++

Hello World Program


I would start with the conventional “Hello World “program written in C++ language. Program snippet is below

C++ Code

//using c++ compiler

#include <iostream>

void main()


std::cout<<“hello world\n”;



The above code looks simple, and lets now analyze the above code by going one step below the High level Language or simply in Assembly language. Before doing this exercise, I would like to show the steps which invovles breaking the above c++ code in assembly.

Step1 : launch the windbg tool

Step2 : Download the appropriate symbols from msdn website and provide the path of your project ( .pdb file path of your project )

Step3 : Before you provide the break point , you should know the function onto which you give the breakpoint , in our above example , we see that there is only one function named void main() , we will insert the breakpoint at main function

Step4: Program execution stops at the breakpoint inserted which is main() in our example .

Step5 : you have to disassmble the main function using “ u “ switch .

4 00411480 push    ebp

4 00411481 mov     ebp,esp

4 00411483 sub     esp,0C0h

4 00411489 push    ebx

4 0041148a push    esi

4 0041148b push    edi

4 0041148c lea     edi,[ebp-0C0h]

4 00411492 mov     ecx,30h

4 00411497 mov     eax,0CCCCCCCCh

4 0041149c rep stos dword ptr es:[edi]

5 0041149e push    offset Breaking_Code_c__!`string’ (004166fc)

5 004114a3 mov     eax,dword ptr [Breaking_Code_c__!_imp_?coutstd (0041930c)]

5 004114a8 push    eax

5 004114a9 call    Breaking_Code_c__!ILT+325(??$?6U?$char_traitsDstdstdYAAAV?$basic_ostreamDU?$char_traitsDstd (0041114a)

5 004114ae add     esp,8

7 004114b1 xor     eax,eax

7 004114b3 pop     edi

7 004114b4 pop     esi

7 004114b5 pop     ebx

7 004114b6 add     esp,0C0h

7 004114bc cmp     ebp,esp

7 004114be call    Breaking_Code_c__!ILT+390(__RTC_CheckEsp) (0041118b)

7 004114c3 mov     esp,ebp

7 004114c5 pop     ebp

7 004114c6 ret




Removing Stale Domain Controller

Nash joined his new job as Active Directory specialist and as a part of his job he has to manage active directory infrastructure for his company. At first Nash performed the following tasks

  • Operating system versions
  • Subnet Information
  • Understood the Active Directory Namespace assignment
  • DNS Infrastructure
  • Understood the DNS namespace assignment
  • Understood the Active Directory sites
  • Understood the Group Policies assignment

Operating System Versions: This is the primary task one has to perform by noting down the server versions along with their service pack levels. ( is running windows 2003 sp2 Enterprise edition and have plans to migrate to windows server 2008 )

Subnet Information : This is the important aspect of any organization, Nash wrote down all the necessary information about the network and placement of the servers.

Active Directory Namespace: This is always the first step as an active directory engineer , one has to analyze the existing active directory namespace . The active directory engineer should understand

a)      Forest root domain

b)      Number of domains

c)       Number of child domains under each domain

d)      Number of Global catalogue servers

e)      FSMO role assignment

f)       AD replication configuration

Forest Root Domain: The forest root domain is

Number Of Domains : Telexx has configured single forest with the following domain structure. ( Forest root domain )  : This domain has only Schema and Enterprise admins

Tip: It is always advisable to have dedicated forest root domain and isolate the environment. Configure all the users , groups and delegations under child domains  ( Primary child domain ) and ( Additional child domain ) : The administrator has configured 2 domains with several OU’s for delegation.

Number of child domains under each domain : Nil

Number of Global catalogue servers : 3

FSMO role assignment : All the FSMO roles are hosted on primary child domain controller.

Monitoring Active Directory :

Nash had performed a major task of monitoring the active directory after analyzing the network infrastructure. He wanted to have a clean and error free active directory infrastructure for which he performed the following

  • Understood the Groups created under the active directory
  • Monitored the Security , Directory services, DNS services and Application event viewer logs ( ideal monitoring should be 2 month old log )
  • Ran scripts to flush stale computer accounts, invalid user accounts and groups < administrators can use inbuilt adquery option under ADUC or powershell script or custom LDAP query to perform the same.
  • Ran netdiag and dcdiag to check for any ongoing errors and resolve the same
  • Ran replmon and repadmin utilities to identify replication errors.
  • Followed Microsoft Operations Framework manual for managing active directory

Nash identified replication errors from dcdiag output , later he ran repadmin and found the existing domain controllers are having replication issues . He quickly found out from active directory users and computers à domain controllers , there were 3 domain controllers which were stale , one of the close reason would be that previous administrator has not performed successful removal of domain controllers.

Nash has remove the objects, computer object and clean up the ndts object, to perform these Nash followed the below procedure.

Step 1 : perform the meta data clean up  , follow the Microsoft article

Step 2 : Delete the server object by going to AD sites and services à sites à default-first site à serversà <dc >

Step 3 : Delete the computer object from à domain controllers à <computer object > , during the course of deletion , you will see prompt where you have to select “The domain controller is permanently offline …. “ and click Delete

Step4 : Delete DNS A record and _Msdcs.root record  from DNS servers , perform ipconfig /flushdns and ipconfig /registerdns on the server hosting dns server

In our scenario Nash had working active directory environment which tells us, the stale domain controllers were not hosting either DNS server or were configured as global catalogue server.