Log Entries for Terminal Services in Event Viewer?

Hello
I wasn't sure exactly where to post this. Answers.microsoft.com directed me here for an answer.
I'm running Windows 7 Professional 32 bit. It's a standalone PC, not joined to a domain, never configured as a server. I'm puzzled. When I review entries in the Event Viewer, all logon and logoff entries are located in Event Viewer/Applications and Services Logs/Microsoft/Windows/Terminal Server/Local Session Manager/Operational. Every logon/logoff event is recorded here, although I have always had Remote Desktop Services disabled in Services. I would think that logon/logoff events would be recorded in Applications and Services Logs/Microsoft/Windows/Winlogon. That makes more sense to me. Some of these user entries have Address: LOCAL and some are blank. No major hardware or software changes that might have caused this. The Event Viewer only goes back 6 months (1 Mb) and then it's overwritten. Can anyone explain this to me? Thanks for your help.

Hi,
The path of Event Viewer/Applications and Services Logs/Microsoft/Windows/Terminal Server/Local Session Manager is used to record Remote Desktop Services activity even though it's disabled.
Windows logon and logoff activity is recorded in another path: Windows Logs/Security.
Karen Hu
TechNet Community Support
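
The two logs named in this answer can be compared side by side. The PowerShell below is an added example, not part of the original thread; it assumes an elevated session and that the Local Session Manager events expose `User`, `SessionID` and `Address` under `UserData/EventXML`.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$lsmLog = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Flatten each Local Session Manager event into User / SessionId / Address.
# These events keep their fields under UserData/EventXML rather than EventData.
$sessions = @(Get-WinEvent -LogName $lsmLog -ErrorAction Stop | ForEach-Object {
    $x = ([xml]$_.ToXml()).Event.UserData.EventXML
    $address = [string]$x.Address
    if ([string]::IsNullOrEmpty($address)) { $address = '(blank)' }
    New-Object PSObject -Property @{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        User        = [string]$x.User
        SessionId   = [string]$x.SessionID
        Address     = $address
    }
})

# 1. Which event IDs are logged, and which Address value each one carries.
$sessions | Group-Object EventId, Address |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Entries whose Address is neither LOCAL nor blank. On a PC where Remote
#    Desktop is meant to be off, these are the rows to review first.
$sessions | Where-Object { $_.Address -ne 'LOCAL' -and $_.Address -ne '(blank)' } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, EventId, User, SessionId, Address -AutoSize

# 3. The Security log view the answer points to: 4624 logons counted by
#    LogonType (2 = Interactive, 7 = Unlock, 10 = RemoteInteractive).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    Group-Object { $_.Properties[8].Value } |
    Sort-Object Count -Descending |
    Format-Table Count, @{ Name = 'LogonType'; Expression = { $_.Name } } -AutoSize
```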

Similar Messages

  • [ALSB] turning on/off logging/tracing for proxy services

    Hi all,
    do you have any snippet for turning on/off logging/tracing for proxy services using WLST or JMX ?
    I've seen a previous thread about Enable/Disable Proxy Service using JMX and I'm looking for something similar.
    Regards
    ferp

    Thanks, but I mean using WLST or JMX code and not by ALSB console
    regards
    ferp

  • Persistent event 9005 (TF53010) entries for TFS Services

    Hi all,
    earlier this morning i had users complaining that they couldn't connect to TFS. I had a look in IIS on our TFS Server and the app pool for the TFS site had stopped. There was then an issue with our TFSService service account being authenticated. I reset
    the service account password and all seemed to be ok.
    During my investigation of why this happened in the first place i noticed that i am getting constant event 9005 entries in event viewer on the server. I have included the contents of these events below (omitting keys and server names)
    TF53010: The following error has occurred in a Team Foundation component or extension:
    Date (UTC): 05/02/2015 11:54:33
    Machine: ------
    Application Domain: TfsJobAgent.exe
    Assembly: Microsoft.TeamFoundation.Framework.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken= --------------
    Service Host:
    Process Details:
      Process Name: TFSJobAgent
      Process Id: 8468
      Thread Id: 12532
      Account name: ---\TFSService
    Detailed Message: There was an error initializing a JobRunner. The job will be rescheduled for execution five minutes from now. QueueEntry: [JobSource: 814e9815-2c9a-4bbe-8651-6e0be28e202d, JobId: 564c51ae-decb-4bf3-8b44-cfb82b1c4bdb, QueueTime: 05/02/2015
    11:54:33, ExecutionStartTime: 05/02/2015 11:54:33, State: Running, AgentId: -----, QueuedReasons: Scheduled, PreviousExecutionResult, Priority: 7, NextRun: 0, StateChangeTime: 01/01/0001 00:00:00].
    Exception Message: TF53001: The database operation was canceled by an administrator. (type DatabaseOperationCanceledException)
    This event will pop up 4-5 times every minute occurring at the same time (5 times at 11:54:33 then 5 times at 11:55:20 or so)
    Has anyone got any ideas or possibly seen this before?
    There is also an Error event which pops up every 30 minutes on the minute (event id:3305) with the following details:
    TF53010: The following error has occurred in a Team Foundation component or extension:
    Date (UTC): 05/02/2015 10:49:28
    Machine: --------
    Application Domain: TfsJobAgent.exe
    Assembly: Microsoft.TeamFoundation.Framework.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=---------------
    Service Host:
    Process Details:
      Process Name: TFSJobAgent
      Process Id: 8468
      Thread Id: 9448
      Account name: ACL\TFSService
    Detailed Message: TF221122: An error occurred running job Common Structures Warehouse Sync for team project collection or Team Foundation server TEAM FOUNDATION.
    Exception Message: TF53001: The database operation was canceled by an administrator. (type DatabaseOperationCanceledException)
    Exception Stack Trace:    at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSqlResourceComponent.TranslateException(SqlException sqlException)
       at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSqlResourceComponent.MapException(SqlException ex, QueryExecutionState queryState)
       at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSqlResourceComponent.HandleException(Exception exception)
       at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSqlResourceComponent.Execute(ExecuteType executeType, CommandBehavior behavior)
       at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSqlResourceComponent.ExecuteNonQuery(Boolean bindReturnValue)
       at Microsoft.TeamFoundation.Warehouse.WarehouseBatchedDataAccessComponent.ExecuteNonQuery()
       at Microsoft.TeamFoundation.Warehouse.WarehouseDataAccessComponent.GetProperty(String scope, String key)
       at Microsoft.TeamFoundation.Warehouse.CommonStructureWarehouseAdapter.UpdateCssFromCatalogData()
       at Microsoft.TeamFoundation.Warehouse.CommonStructureWarehouseAdapter.MakeDataChanges()
       at Microsoft.TeamFoundation.Warehouse.WarehouseSyncJobExtension`1.MakeDataChanges(TeamFoundationRequestContext requestContext, TeamFoundationJobDefinition jobDefinition, String& resultMessage)
       at Microsoft.TeamFoundation.Warehouse.WarehouseSyncJobExtension`1.RunInternal(TeamFoundationRequestContext requestContext, TeamFoundationJobDefinition jobDefinition, DateTime queueTime, String& resultMessage)
       at Microsoft.TeamFoundation.Warehouse.WarehouseJobExtension.Run(TeamFoundationRequestContext requestContext, TeamFoundationJobDefinition jobDefinition, DateTime queueTime, String& resultMessage)
    Inner Exception Details:
    Exception Message: The target principal name is incorrect.  Cannot generate SSPI context. (type SqlException)
    SQL Exception Class: 11
    SQL Exception Number: 0
    SQL Exception Procedure: GenClientContext
    SQL Exception Line Number: 0
    SQL Exception Server: ----------
    SQL Exception State: 0
    SQL Error(s):
    Exception Data Dictionary:
    HelpLink.ProdName = Microsoft SQL Server
    HelpLink.EvtSrc = MSSQLServer
    HelpLink.EvtID = 0
    HelpLink.BaseHelpUrl = ----------
    HelpLink.LinkId = 20476
    Exception Stack Trace:    at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.TdsParser.TdsLogin(SqlLogin rec, FeatureExtension requestedFeatures, SessionData recoverySessionData)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer
    timeout)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance,
    SqlConnectionString userConnectionOptions, SessionData reconnectSessionData)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
       at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
       at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
       at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
       at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
       at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
       at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
       at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
       at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
       at System.Data.SqlClient.SqlConnection.Open()
       at Microsoft.TeamFoundation.Framework.Server.TeamFoundationSqlResourceComponent.Execute(ExecuteType executeType, CommandBehavior behavior)
    Thanks for any help!!!
    Martyn

    Hi Adatis,  
    Thanks for your post. 
    Do you mean that after you reset the account in TFS app pool and TFS site, your TFS Server works fine now?
    What’s the version of your SQL Server? If you’re using SQL Server 2014, please ensure you installed the
    CU4 for your SQL Server 2014. You can refer to the discussions in this post:
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/50bc5da9-435a-41ff-be5a-7f002ec0347c/tf53001-the-database-operation-was-canceled-by-an-administrator?forum=tfsgeneral. 
    And you need ensure the TFS Service account works fine in your TFS Admin Console, 
    TFS site and TFS app pool both  started in IIS.

  • My Microsoft WSUS Update Services Issues/Event Viewer Service Issues

    Hello,
    So yesterday I began investigating why my PC's that were pointed to the WSUS weren't receiving patches for their particular group. I checked to make sure it was approved and the client was in my client group. When I went to continue my troubleshooting today
    Update Services within the WSUS role gives me an Error: Connection Error. My Clients when I force them to check for updates also fail. I went to review my Event Viewer logs and it tells me to start the Event Viewer services. When I try to start the
    services it tells me Error 5 Access Is Denied. I've verified that the policies allow my domain admin account access to modify the services and I've also rebooted it, still no joy.
    Any help anyone can offer with these series of issues would be greatly appreciated!
    -Russ Engelman
    P.S. I'm not very confident with registry edits so if you suggest I try to modify the registry, please make it barney style. Thanks.

    It seems these are two different problems, with Event viewer and with WSUS.
    1. Did this system work recently (correctly) or is it a new one?
    2. Make sure that you are logged in as domain administrator (or better as built-in AD administrator with highest privileges.)
    3. Generally services can depend on other processes (services). If these processes do not run, then you would not be able to start a process that depends on these services.
    4. WSUS: Clients could not receive (on demand) updates, when there was no initial synchronization.
    5. WSUS: Make sure that GPO and computer group are set correctly
    6. WSUS: Detect and reconnect clients with wuauclt
    7. WSUS: Share your configuration here as well as reports.
    Regards
    Milos

  • Printer for Terminal Services / Thin Clients

    Hi, Just checking on what multifunction printer you would suggest for use with a Terminal Services environment? We only require the printer to go through TS. The other features will be used locally (photo copy/fax).
    I am looking at the CM2320, a good choice?
    Terminal Services: Windows 2003
    Thin Client: T5730 using RDP 6.0
    Many thanks

    Hi,
    Thank you for posting in Windows Server Forum.
    A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users. With mandatory user profiles, a user can modify his or her desktop, but the changes are not saved when the user
    logs off. The next time the user logs on, the mandatory user profile created by the administrator is downloaded. There are two types of mandatory profiles: normal mandatory profiles and super-mandatory profiles.
    User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) on the server to NTuser.man. The .man extension causes the user profile to be a read-only profile.
    User profiles become super-mandatory when the folder name of the profile path ends in .man; for example, \\server\share\mandatoryprofile.man\.
    More information:
    Mandatory User Profiles
    http://msdn.microsoft.com/en-us/library/windows/desktop/bb776895(v=vs.85).aspx
    Using User Profiles in Windows Server 2003
    http://technet.microsoft.com/en-us/library/cc776120(v=ws.10).aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • [Forum FAQ] Available updates for Terminal Services/Remote Desktop Services

    The table summarizes the available hotfixes and updates for issues that can occur in Terminal Services/Remote Desktop Services.
    Terminal Services (Remote Desktop Services) in Windows Server 2008: KB 2312539
    Remote Desktop Services (Terminal Services) on Windows Server 2008 R2 SP1: KB 2601888
    Remote Desktop Services in Windows Server 2012: KB 2821526
    Remote Desktop Services in Windows Server 2012 R2: KB 2933664
    Thanks for the suggestion of armin19.

    I'm interested in that issue as well as a lot of our Clients would like to deploy Adobe Creative Cloud apps in their Enterprise. As I'm a Citrix virtualization engineer I'd like to have an official Statement from Adobe whether or not their products can be licensed and installed on either Citrix XenDesktop (formerly XenApp) Servers and/or virtual Desktops (VDI Environment). This questions Needs answering from both a licensing as well as technical Point of view. So please Adobe, share your knowledge with us.
    Alex

  • Licensing mode for terminal services

    Hi,
    This has been most likely asked here already but i just cannot find exactly what i'm looking for. OK, here's my situation:
    We have a windows server 2008 cd installer. We already had it running before, but we got hit with a virus that we needed to re-install. Now, we are just getting things back to work again. However, we are encountering this message on our server.
                            "The licensing mode for the terminal server is not configured"
    When i tried to configure the licensing, it's asking for the license code. But i'm not sure where to find the license code? is it in the CD installer?
    Actually, i was not the one who installed the windows server before; i just took over when the server got hit with a virus.
    Also, i'm not very sure if we really need the TS CALs. Our server has multiple users from different countries, and we access the server through remote desktop access.
    Hope you can help us with this issue.
    Thank you, i appreciate it.
    Best,
    Vanessa

    Hi,
    I forgot to inform that license server has actually been activated already. So i assumed we just need to configure the licensing mode. And so, from Terminal Services Configuration, i clicked "terminal services licensing mode" and i set it to "Per User". Now
    the message "Licensing mode still not configured.." is now gone when i logged in to server. However, i get this warning on Terminal Services Configuration window:
    "Terminal server is in Per User licensing mode, but license server does not have any Windows Server 2008 Per User TS CALs installed."
    And when i checked from the TS Licensing Manager, and selected the server name, the details are:
    TS CAL Version and type: Windows 2000 Server - Built-in TS Per Device CALs
    License Program: Built-in
    Total TS CALs: Unlimited
    Available: Unlimited
    Issued: 0
    What does this mean? Should we set the TS licensing mode to Per Device instead of Per User?
    Thank you.
    Regards,
    Vanessa

  • Error in starting nidevldu and nipxirmu services (windows event viewer)

    A computer running Windows XP SP1 and a Visual Basic (V6.0) application that I've developed has crashed several times. I've seen lots of errors in the Windows event viewer saying that the nidevldu and nipxirmu services were trying to start (exact French message: Le service nidevldu est en attente de démarrage and Le service nipxirmu est en attente de démarrage). These messages are real errors (not warnings or information).
    I use a 6034E PCI card, Visual basic V6.0 and NI-DAQ 7.4.
    The crashes I've seen may be linked with this problem.
    Is there a solution?

    Hi,
    I think that you are not going to be starting and stopping the devldu service in normal circumstances... due to crashes !
    The first step you have to focus on is to optimize your program in order to avoid crashes, which is not a normal way of working I guess. Then you will be able to avoid these messages!
    Regards,
    David D. - Application Engineer - NI

  • Deleted the Registry Entry for OracleJobScheduler service. How to recreate?

    I accidently deleted the registry entry for the OracleJobScheduler Service for my production database. I know I shouldn't have -- but I was re-creating the console and clicked on the wrong thing.
    Is there a way to recreate the service? I copied the registry entry from another database, but the service isn't showing up in the Services window. I know how to create services using the NT Kit, but I am not certain how I need to set it up.
    Thanks in advance,
    DJM

    I do not think you needed it. But in case you want to put it back, export OracleJobScheduler<SID> from any other windows database server, open and edit it in wordpad to change servicename, ImagePath and DisplayName, then import into this server.

  • Multiple entries for a genre in Grid View by Genre

    The title says it. I have dozens of "Pop" icons in the Grid view by Genre. And for Rock. And for some others. I actually went through and changed the "Pop" ones to another genre, got them all into one entry in Grid view, then I changed them back to Pop and stupid iTunes put back in all those separate Pop entries. What the ****? It's been doing this for a while. On multiple computers. Why?
    I wish I could attach a screen shot of this, that would be much easier to comprehend.

    I spoke with Apple Support today and they provided a workaround:
    I had 7 entries for a person.
    Find untagged photo with person in it. Select Entry 1
    Find untagged photo with person in it. Select Entry 2
    Repeat until you have at least 1 photo tagged with each of the 7 entries
    Now go back to Faces and you'll see 7 polaroids listed.
    Select each of them and merge them.
    Problem solved.

  • Creating action log entry for incident via SDK in C#

    Hi,
    Does anyone have any example code, or pointer to, of how to add an action log entry (with icon) to an incident? I can't work out what the target for the relationship should be or how to configure it...
    With Thanks,
    Rob

    Anton,
    Thanks for your response! I think the problem may be in how I'm creating "WorkItemMP". In the method below I'm trying to pass in an issue Id parameter to add an action log item to an Issue. 
    How are you creating the  "WorkItemMP"?
    public void UpdateActionLog(string nsId)
    {
        EnterpriseManagementGroup emg1 = new EnterpriseManagementGroup("server01.xyx.com");
        ManagementPackClass classIncident = emg1.EntityTypes.GetClass(new Guid(SYSTEM_WORKITEM_INCIDENT_CLASSS)); // A604B942-4C7B-2FB2-28DC-61DC6F465C68
        EnterpriseManagementObjectProjection incidentProjection = new EnterpriseManagementObjectProjection(emg1, classIncident);
        ManagementPack WorkItemMP = emg1.ManagementPacks.GetManagementPack(new Guid("DD26C521-7C2D-58C0-0980-DAC2DACB0900")); // System.WorkItem.Incident.Library MP

        // Incident object keyed by the issue Id passed in
        CreatableEnterpriseManagementObject cemoIncident = new CreatableEnterpriseManagementObject(emg1, classIncident);
        cemoIncident[classIncident, "Id"].Value = nsId;

        // Build the action log entry
        ManagementPackClass typeActionLog = emg1.EntityTypes.GetClass("System.WorkItem.TroubleTicket.ActionLog", WorkItemMP);
        CreatableEnterpriseManagementObject objectActionLog = new CreatableEnterpriseManagementObject(emg1, typeActionLog);
        objectActionLog[typeActionLog, "Id"].Value = Guid.NewGuid().ToString();
        objectActionLog[typeActionLog, "Description"].Value = "Incident updated via SDK.\n";
        objectActionLog[typeActionLog, "Title"].Value = "Incident updated via SDK";
        objectActionLog[typeActionLog, "EnteredBy"].Value = "Administrator";
        objectActionLog[typeActionLog, "EnteredDate"].Value = DateTime.Now.ToUniversalTime();
        ManagementPackEnumeration enumeration6 = WorkItemMP.GetEnumerations().GetItem("System.WorkItem.ActionLogEnum.TaskExecuted");
        objectActionLog[typeActionLog, "ActionType"].Value = enumeration6.Id;

        // Attach the action log entry to the incident projection and commit
        ManagementPackRelationship relationship2 = emg1.EntityTypes.GetRelationshipClass("System.WorkItem.TroubleTicketHasActionLog", WorkItemMP);
        if (incidentProjection != null)
        {
            incidentProjection.Add(objectActionLog, relationship2.Target);
            incidentProjection.Commit();
        }
    }

  • Search for records in the event viewer after the last run (not the entire event log), remove duplicate - Output Logon type for a specific OU users

    Hi,
    The following code works perfectly for me and give me a list of users for a specific OU and their respective logon types :-
    $logFile = 'c:\test\test.txt'
    $_myOU = "OU=ABC,dc=contosso,DC=com"
    # LogonType as per technet
    $_logontype = @{
        2 = "Interactive"
        3 = "Network"
        4 = "Batch"
        5 = "Service"
        7 = "Unlock"
        8 = "NetworkCleartext"
        9 = "NewCredentials"
        10 = "RemoteInteractive"
        11 = "CachedInteractive"
    }
    Get-WinEvent -FilterXml "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624)]]</Select><Suppress Path=""Security"">*[EventData[Data[@Name=""SubjectLogonId""]=""0x0"" or Data[@Name=""TargetDomainName""]=""NT AUTHORITY"" or Data[@Name=""TargetDomainName""]=""Window Manager""]]</Suppress></Query></QueryList>" -ComputerName "XYZ" | ForEach-Object {
        #TargetUserSid
        $_cur_OU = ([ADSI]"LDAP://<SID=$(($_.Properties[4]).Value.Value)>").distinguishedName
        If ( $_cur_OU -like "*$_myOU" ) {
            $_cur_OU
            #LogonType
            $_logontype[ [int] $_.Properties[8].Value ]
            #Time-created
            $_.TimeCreated
            #IpAddress
            $_.Properties[18].Value
        }
    } >> $logFile
    I am able to pipe the results to a file; however, I would like to convert it to CSV/HTML. When I try the "convertto-HTML" function it converts certain values. Also,
    a) I would like to remove duplicate entries when the script runs only for that execution.
    b) When the script is run, we may be able to search for records after the last run and not search in the same records that we have looked into before.
    PLEASE HELP ! 

    If you just want to look for the new events since the last run, I suggest to record the EventRecordID of the last event you parsed and use it as a reference in your filter. For example:
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 and EventRecordID>46452302)]]</Select>
        <Suppress Path="Security">*[EventData[Data[@Name="SubjectLogonId"]="0x0" or Data[@Name="TargetDomainName"]="NT AUTHORITY" or Data[@Name="TargetDomainName"]="Window Manager"]]</Suppress>
      </Query>
    </QueryList>
    That's the logic that the Server Manager of Windows Server 2012 is using to save time, CPU and bandwidth. The problem is how to get that number and provide it to your next run. You can store it in a file and read it at the beginning. If not found, you can go through the whole event list.
    Let's say you store it in a simple text file, ref.txt
    1234
    At the beginning just read it.
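    Try {
        # -ErrorAction Stop turns a missing file into a terminating error so Catch runs
        $_intMyRef = [int] (Get-Content .\ref.txt -ErrorAction Stop)
    }
    Catch {
        Write-Host "The reference EventRecordID cannot be found." -ForegroundColor Red
        $_intMyRef = 0
    }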
    This is a very lazy check. You can do a proper parsing etc... That's a quick and dirty way. If I can read it and parse it as an integer, I use it. Else, I just set it to 0, meaning I'll collect all info.
    Then include it in your filter. Your Get-WinEvent becomes:
    Get-WinEvent -FilterXml "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624 and EventRecordID&gt;$_intMyRef)]]</Select><Suppress Path=""Security"">*[EventData[Data[@Name=""SubjectLogonId""]=""0x0"" or Data[@Name=""TargetDomainName""]=""NT AUTHORITY"" or Data[@Name=""TargetDomainName""]=""Window Manager""]]</Suppress></Query></QueryList>"
    At the end of your script, store the last value you got into your ref.txt file. So you can for example get that info in the loop. Like:
    $Result += $LogonRecord
    $_intLastId = $Event.RecordId
    And at the end:
    Write-Output $_intLastId | Out-File .\ref.txt
    Then next time you run it, it is just scanning the delta. Note that I prefer this versus the date filter in case of the machine wasn't active for long or in case of time sync issue which can sometimes mess up with the date based filters.
    If you want to go for a date filtering, do it at the Get-WinEvent level, not in the Where-Object. If the query is local, it doesn't change much. But in remote system, it does the filter on the remote side therefore you're saving time and resources on your
    side. So for example for the last 30 days, and if you want to use the XMLFilter parameter, you can use:
    <QueryList>
    <Query Id="0" Path="Security">
    <Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) &lt;= 2592000000]]]</Select>
    </Query>
    </QueryList>
    Then you can combine it, etc...
    PS, I used the confusing underscores because I like it ;)
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
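
The checkpoint approach from this answer, put together as one script with the CSV output and per-run de-duplication the question asked for. This is an added example, not code from the thread; the file names `ref.txt` and `logons.csv` and the output columns are assumptions, and the OU lookup from the question is left out so the script runs on a standalone machine.

```powershell
# Added example (not from the thread). Assumed names: ref.txt, logons.csv.
$stateFile = '.\ref.txt'      # holds the last EventRecordID already processed
$csvFile   = '.\logons.csv'   # cumulative output; -Append needs PowerShell 3.0+

# Logon type names as listed in the question
$logonType = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
                11 = 'CachedInteractive' }

# 1. Read the checkpoint. A missing, empty or non-numeric file means "start from 0".
[long]$lastId = 0
if (Test-Path $stateFile) {
    $raw = [string](Get-Content $stateFile -TotalCount 1)
    if (-not [long]::TryParse($raw.Trim(), [ref]$lastId)) { $lastId = 0 }
}

# 2. Filter on the event log side: only 4624 events newer than the checkpoint.
$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 and EventRecordID&gt;$lastId)]]</Select>
    <Suppress Path="Security">*[EventData[Data[@Name="SubjectLogonId"]="0x0" or Data[@Name="TargetDomainName"]="NT AUTHORITY" or Data[@Name="TargetDomainName"]="Window Manager"]]</Suppress>
  </Query>
</QueryList>
"@

# Get-WinEvent returns newest first by default. -Oldest gives ascending order,
# so the last element carries the highest RecordId. An empty result is reported
# as a non-terminating error, hence SilentlyContinue.
$events = @(Get-WinEvent -FilterXml $filter -Oldest -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No new logon events since record $lastId."
    return
}

# 3. Project the fields of interest (indexes follow the 4624 EventData order:
#    5 = TargetUserName, 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress).
$rows = $events | ForEach-Object {
    New-Object PSObject -Property @{
        TimeCreated = $_.TimeCreated
        User        = '{0}\{1}' -f $_.Properties[6].Value, $_.Properties[5].Value
        LogonType   = $logonType[[int]$_.Properties[8].Value]
        IpAddress   = $_.Properties[18].Value
    }
}

# 4. Remove duplicates within this run: one row per user / logon type / address.
$unique = $rows | Sort-Object User, LogonType, IpAddress -Unique

$unique | Select-Object TimeCreated, User, LogonType, IpAddress |
    Export-Csv -Path $csvFile -NoTypeInformation -Append

# 5. Save the new checkpoint only after the output has been written.
$events[-1].RecordId | Set-Content $stateFile
```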

  • Since applying Feb 2013 Sharepoint 2010 CUs - Critical event log entries for Blob cache and missing images

    Hi,
    Since applying the February 2013 SharePoint 2010 updates, we are getting lots of entries in our event logs along the following:
    Content Management     Publishing Cache         
    5538     Critical 
    An error occurred in the blob cache.  The exception message was 'The system cannot find the file specified. (Exception from HRESULT: 0x80070002)’
    In pretty much all of these cases the image/ file in question that is reported in the ULS logs as missing is not actually in the collaboration site, master page / html etc so the fix needs to go back to the site owner to make the correction to avoid
    the 404 (if they make it!). This has only started happening, I believe since feb 2013 sp2010 cumulative updates
    I didn’t see this mentioned as a change / in the Fix list of the February updates. i.e. it flags up a critical error in our event logs. So with a lot of sites and a lot of missing images your event log can quickly fill up.
    Obviously you can suppress them in the monitoring -> web content management ->publishing cache = none & none which is not ideal.
    So my question is... are others seeing this and was a change made by Microsoft to flag a 404 missing image / file up a critical error in event log when blob cache is enabled?
    If i log this with MS they will just say, you need to fix it up the missing files in the site but would be nice to know this had changed prior! I also deleted and recreated the blob cache and this made no difference
    thanks
    Brad

    I'm facing the same error on our SharePoint 2013 farm. We are on Aug 2013 CU and if the Dec CU (which is supposed to be the latest) doesn't solve it then what else could be done.
    Some users started getting the message "Server is busy now try again later" with a correlation id. I looked up ULS with that correlation id and found these two errors in addition to hundreds of "Micro Trace Tags (none)" and "forced
    due to logging gap":
    "GetFileFromUrl: FileNotFoundException when attempting get file Url /favicon.ico The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
    "Error in blob cache. System.IO.FileNotFoundException: The system cannot find the file specified. (Exception from HRESULT: 0x80070002)"
    "Unable to cache URL /FAVICON.ICO.  File was not found" 
    Looks like this is a bug and MS hasn't fixed it in Dec CU..
    "The opinions expressed here represent my own and not those of anybody else"

  • Thousands of log entries for systemd-tmpfiles-clean.timer on boot

    I'm running a 32 bit Arch install as a VMware ESXi 5.1 guest. Whenever the guest boots up, I get several thousand of the following entries in the system log:
    Feb 18 12:49:01 squid systemd[1]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.
    The most recent boot had almost 20,000 entries within 5 seconds:
    $ sudo journalctl -b | grep systemd-tmpfiles-clean.timer | wc -l
    19693
    $ sudo journalctl -b | grep systemd-tmpfiles-clean.timer | sed -n '1p;$p'
    Feb 18 12:49:01 squid systemd[1]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.
    Feb 18 12:49:06 squid systemd[1]: systemd-tmpfiles-clean.timer: time change, recalculating next elapse.
    I've pasted the entry into Google but have not come up with anything helpful.
    I have disabled host-guest time sync:
    $ vmware-toolbox-cmd timesync status
    Disabled
    There is a NTP daemon running that syncs time with a single windows server (which is also a guest on the same ESXi host).
    As far as I'm aware there shouldn't be anything else playing with the time, but there's obviously something going on.
    Can anyone please help me troubleshoot?

    I've had the same problem and I don't know what's going wrong. But I have a workaround:
    If you're booting into a graphical environment you can disable the vmtoolsd service
    # systemctl disable vmtoolsd
    and add the following line to your ~/.xinitrc:
    vmware-user-suid-wrapper
    The ~/.xinitrc will start the vmtoolsd service then.
    This solved two problems for me:
    1. No more messages like you posted in my log file.
    2. The virtual machine shuts down promptly (see vmtoolsd not stopping)
    Last edited by BertiBoeller (2013-03-14 13:40:21)

  • How to disable updates for terminal services.

    We have installed Firefox on our terminal servers, but currently it is set for auto updates. We need to disable auto updates on a server level so that we have consistency of version across the board. The solutions I've searched via Google all are solutions for Firefox 2.x but now version 9.0 is out the same methodology doesn't apply.

    Use a mozilla.cfg file in the Firefox program folder to lock prefs or specify default values.
    Place a file local-settings.js in the defaults\pref folder where you also find the file channel-prefs.js to specify using mozilla.cfg.
    pref("general.config.filename", "mozilla.cfg");
    pref("general.config.obscure_value", 0); // use this to disable the byte-shift
    See:
    * http://kb.mozillazine.org/Locking_preferences
    You can use these functions in mozilla.cfg:
    defaultPref(); // set new default value
    pref(); // set pref, but allow changes in current session
    lockPref(); // lock pref, disallow changes
    lockPref("app.update.enabled", false);
