How the EventSentry SysAdmin Tools Focus on File System Maintenance

EventSentry SysAdmin ToolsOver the past couple months, we’ve taken time to go through the various EventSentry SysAdmin Tools, one by one, and show you how they can benefit your environment in powerful ways. We’ve talked about the security tools, the networking tools, and the “check” monitoring utilities. As you know, the SysAdmin Tools offer a set of graphical and command-line utilities designed to help you with your daily administrative tasks. These tools are always being honed to provide simple yet powerful functionality.

This month, let’s take a look at the extremely beneficial file-system utilities: ADSList, CheckSum, DirMon, DirectorySize, FileReplace, PurgeTemp, and SuperDel. Here’s what they can do.

ADSList
ADSList scans a folder structure to find any alternate data streams (aka “hidden” data streams). Alternate date streams are a feature of the NTFS file system in which you can hide payload (additional files) inside existing files. The jury is still out about whether malware uses these streams, but it’s always a good idea to make sure nobody has hidden something malicious in alternate data streams, because the Windows Explorer and directory listings don’t show them.

ADSList lists any alternate data streams that are associated with a file. When the tool finds an alternate data stream, it displays the name of the stream along with the regular file the stream is associated with. The output will also show a summary that lists the number of files analyzed, the number of files that have an alternate data stream associated with them, the number of alternate data streams that have been found, and the elapsed time.

The main purpose of ADSList is to give you a command-line utility that can be run/scheduled on a regular basis to reveal any hidden streams on a server or workstation. The /s option lets you include subdirectories.

CheckSum
CheckSum generates a one-way checksum (error detection scheme) of a file with a configurable algorithm and displays it onscreen. This capability is useful for ensuring the integrity of a file and making sure that it hasn’t been modified. CheckSum not only supports the SHA set of cryptographic hash functions (e.g., SHA256, SHA512), but also less secure hash functions (e.g., MD5).

To display and create a file’s checksum, simply supply the filename as the first argument. Keep in mind that generating checksums of large files (e.g., greater than 100Mb) can take a significant amount of time and CPU time.

The CheckSum utility is also included in EventSentry as an add-on to the File Monitoring feature, which can automatically generate SHA checksums and detect file modifications based on checksum changes.

DirMon
Directory Monitor (DirMon) is a useful troubleshooting tool that monitors a directory (and optionally subdirectories) and displays all file changes in real-time. You simply run it on the command line, and it displays any file activity occurring on a given folder (or subfolder).

DirMon will show you when files are added, deleted, or modified. DirMon also lets you specifically include or exclude filters, so you can skip files that you aren’t interested in or show only files that you are interested in. The /I (/includefiles) option includes only files that match a wildcard filter, and the /e (/exclude) option does the opposite. The /s (/subdirectories) option includes subdirectories.

DirectorySize
The DirectorySize (dirsize.exe) utility calculates the current size of a directory, including subdirectories, and displays it onscreen. The output shows the number of files and directories searched, and the total size in physical (actual size taken up on the disk) and logical (actual file size) bytes.

DirectorySize will process the current directory if you pass no command-line arguments.

PurgeTemp
PurgeTemp is a new and exciting tool that lets you purge files that are older than a certain number of days. The tool traverses the %TEMP% directory (or a manually specified directory) and deletes files that have not been modified in 120 days (by default). Because it scans the temp folder by default, you can incorporate PurgeTemp into a login script or run it with Task Scheduler to clean up temp files, for example. It’s a great way to keep users’ temp folders small.

You can customize and configure all of PurgeTemp’s parameters, including /t (time in days) and /p (path). When called without arguments, PurgeTemp simply shows the configured temp directory, the number of files in the directory, and their cumulative size.

SuperDelete
SuperDelete (superdel.exe) essentially deletes all instances of a specific file. It parses a directory (including subdirectories) and deletes multiple occurrences of one file.

Suppose you have a thumbs.db file that Windows Explorer creates in every folder containing images, and you want to remove that from every folder on a drive. You can use SuperDelete for that purpose, using the <directory> variable to specify the directory to search (subdirectories are included), and the <fileToDelete> variable to find all occurrences of a file in the directory (wildcards are supported).

FileReplace
FileReplace is a command-line utility that parses a directory (including subdirectories) and replaces multiple occurrences of one template file with a template file of the same name.

Suppose you have 50 instances of various myfile.txt files scattered on your computer. You can quickly replace them all with a new myfile.txt file.

Another useful example is this: You have file C:\WebSite\Default\index.html and want to replace all other index.html files in the directory D:\WWW (including subdirectories) with C:\WebSite\Default\index.html. FileReplace lets you accomplish that with one command.

Streamline Your File System!

This is just another taste of the free, constantly evolving tools available in EventSentry SysAdmin Tools. Give them a try—they’re all free and will help you manage your IT infrastructure more effectively.

The Network Monitoring Focus of the EventSentry SysAdmin Tools

EventSentry SysAdmin ToolsWe’ve already talked about the security-focused and “check” monitoring utilities included in the freeware EventSentry SysAdmin Tools, part of the larger EventSentry network-management solution. The SysAdmin Tools offer a set of graphical and command-line utilities designed to help you with your daily administrative tasks. These tools are always being honed to provide simple yet powerful functionality.

Now let’s take a look at the extremely beneficial network monitoring utilities: Fping, Gethttp, IPMon+, Ntpclient, Pagesnpp, and WakeOnLan. Here’s what they can do.

Fast Ping (Fping)
NETIKUS.NET introduced Fast Ping (fping.exe) years ago as part of the NTToolkit. The tool was developed as a way to offer a faster way to ping remote hosts. Frankly, we were annoyed by the built-in Windows ping, which is far slower than its Linux and Apple OS X counterparts. That’s right, on non-Windows OSs pinging a remote host (especially one that is online) is a lightning-fast prospect—so why not on Windows? Fping solves the problem.

Fping also offers some fun options. For example, you can use the Solaris-style syntax, which shows you only whether a host is up or down. You can check a TCP port instead of doing an Internet Control Message Protocol (ICMP)-based ping. You can play a sound on successful or failed ping—a more useful capability than you might think! You can also see silly comments, and you can save your presets—something you can’t do with any other ping utility.

fast ping utility screenshot
fping.exe in action (fast ping utility)

The parameters of this command-line utility are straightforward: The required <host> variable identifies the host name or IP address to ping; the /brief (/b) parameter performs a quick ping and only indicates whether the host is up or down; the /count (/c) parameter determines the number of packets to send; the /defaultset (/w) parameter sets the current options as the default; the /comment (/u) parameter shows unhelpful comments when performing a brief ping; the /playok (/p) and /playfailure (/f) configure sounds; the /loop (/l) parameter pings indefinitely, allowing an abort with Control + C.

As part of the SysAdmin Tools, this utility is better than it’s ever been. In addition to those fun options, it is a fully customizable tool. You can control the number of packets, the packet size, sound, display mode, and the delay. You can even set your preferences and store them as the default. To check the TCP port, simply append a colon and the port number to the host name (e.g. fping www.eventsentry.com:80).

GetHTTP
GetHTTP (gethttp.exe) is a simple command-line utility to download files from a website through the HTTP protocol. Mostly useful for scripts, it supports HTTPS and proxy servers and shows the progress of the download in the command-line window. If you’re familiar with Curl (curl.exe), you have an idea what Get HTTP does.

GetHTTP in action
GetHTTP in action

The parameters of this command-line utility are straightforward: The /usewininet parameter utilizes the Windows proxy engine; the /proxyport parameter determines the IP port of the proxy server; the /proxyhost parameter determines the host name or IP address of the proxy server; the /quiet (/q) parameter specifies quiet output; among others, include username and password authentication parameters.

IPMon+
An excellent troubleshooting utility, IPMon+ is a GUI tool that shows all TCP, UDP, ICMP, and ARP connection endpoints between the local computer (default) and remote hosts. It’s the graphical version of IPMon, offering functionality that isn’t available in the command-line version.

IPMon+IPMon+ is terrific for troubleshooting network connections and revealing incoming and outgoing network traffic for those situations where you don’t need to see every packet detail. The tool monitors all network traffic on the specified interface and shows which hosts communicate with the local host, how much data is being transferred through the IP connection, the direction of traffic, and which UDP/TCP ports are used in the communication. If IPMon+ runs in promiscuous mode, traffic from non-local hosts is also displayed. IPMon+ and IPMon both require the free WinPcap.

NTP Client
A simple but essential tool, NTP Client (ntpclient.exe) checks the local time against an NTP server, and optionally updates the local time to match that of the server. NTP Client supports the Network Time Protocol (NTP) up to version 3 and takes network latency into consideration when setting the local time. (Note that NTP Client doesn’t run as a service, and as such will have to be called repeatedly if you want to keep the time of a computer synchronized.)

NTPClient in action
NTPClient in action

Network latency is taken into consideration when calculating the clock offset, providing precision down to milliseconds. The primary parameter of this command-line utility does all the work: The /set (/s) parameter sets the time according to the time retrieved from the NTP server.

PageSNPP
PageSNPP (pagesnpp.exe) sends a message to a pager using the internet-based Simple Network Paging Protocol (SNPP). The tool has a message limit of 1500 characters, but you can check with your paging provider to determine the maximum supported message length for your plan and device (usually less than 500). PageSNPP returns an %ERRORLEVEL% of 0 when the message was sent successfully, and an %ERRORLEVEL% greater than 0 when the message could not be sent.

The primary parameters of this command-line utility do all the work: The <SNPP_HOST> variable identifies the host name or IP address of the SNPP host, the <SNPP_PORT> variable identifies the ICP port used, and the <MESSAGE> variable displays the message to send, enclosed in quotes. (The maximum is 2,048 characters.)

WakeOnLan
The WakeOnLAN (WOL) utility sends a “magic” packet to a remote network interface card (NIC), based on the MAC address. If the NIC supports the Wake On LAN feature (and the feature is enabled in the computer BIOS of the computer), the computer will power on automatically after receiving the packet. You can also send the magic packet to a router, if the router supports direct broadcasts.

wakeonlan

The primary parameters of this command-line utility do all the work: The required <MAC Address> variable identifies the MAC address without delimiters, and the /IP Address (/ip) parameter identifies the IP address to send the packet to (usually a router) if the remote host is not in the local subnet.

More to Come!
This is just a taste of the free, constantly evolving tools available in EventSentry SysAdmin Tools. Give them a try—you won’t be able to stop with just one.

The “Check” Monitoring Utilities of the EventSentry SysAdmin Tools

EventSentry SysAdmin ToolsLast week, we talked about the security-focused utilities of the freeware EventSentry SysAdmin Tools, part of the larger EventSentry network-management solution. The SysAdmin Tools offer a set of graphical and command-line utilities designed to help you with your daily administrative tasks. These tools are constantly under development, always being honed to provide simple yet powerful functionality. Three of these tools are vital monitoring utilities: CheckDB, CheckTCP, and CheckURL. Here’s what they can do.

CheckDB verifies a database connection through the Open Database Connectivity (ODBC) interface. With this capability, you can not only verify that a database server is up and running, you can also check that a database is online. checkdbYou can optionally run a SQL statement of your choice. CheckDB is particularly useful because it doesn’t merely verify that a database server is online (e.g. through a port check), it also verifies that a SQL statement was successful. That capability improves the usability of this tool because it verifies that the SQL server is accepting logins and is working correctly (at least as far as that statement is concerned). Also, this tool will work with any database that supplies ODBC drivers, so it will work with MySQL, MSSQL, and so on. You can schedule CheckDB from within EventSentry (“Application Scheduler”), and even time it. The scheduling capability is a bit advanced, and the setup requires a few steps, but after getting it up and running, you can easily schedule a statement and configure it to notify you if it takes more than two seconds, for example. The parameters of this command-line utility are straightforward: The <DSN/Connectionstring> parameter is the DSN or connection strong to connect to; the /q (or /query) parameter is the SQL query you can run upon successful connection; the /u (or /username) parameter is the DSN unsername to connect as; and the /p (or /password) parameter is the password for “username.” CheckDB can log output either to the console or to the event log, making it easy to receive alerts from the utility through EventSentry or any other log monitoring software. The /I (/logToLog) and /c (/logToConsole) parameters take care of this functionality.

CheckTCP is another command-line application, this one letting you quickly determine whether a TCP port on a host is open. Additionally, you can receive initial data sent from the remote host through an open TCP connection, such as when connecting to most SMTP hosts. CheckTCP exists because Windows doesn’t really offer a built-in way to check whether a TCP port is open. Yes, Nmap is a powerful utility, but you probably often just want to know whether a server that you rebooted is available for remote desktop login. checktcpFor that, you can simply run “checktcp server123 3389.” It’s not fancy, but it accomplishes a vital task. If you use the /s switch, you can get only the first line of the response. For example, if you use it against a mail server, you would get this:

checktcp /s mymailserver 25
Data: 220 mx.somedomain.com Microsoft ESMTP MAIL Service ready at Fri, 25 Apr 2014 15:07:33 -0500

The parameters of this command-line utility are straightforward: The /s parameter, as mentioned, gets initial data from the remote port (for example, when connecting to an SMTP port); the <Port> parameter displays the TCP port to connect to; and <Hostname> identifies the IP address of hostname to connect to. Although you can use this utility to display any data sent by the remote host over the established connection, CheckTCP is not intended to be used as a port scanner.

CheckURL is the HTTP version of CheckDB, and it lets you detect changes in web pages (through checksums) and look for text inside web pages. With CheckURL you’ll know when a web page changes or when a particular string is or isn’t included in a page. You might use this tool to monitor your corporate pages (at least those which are static and don’t have dynamic content) and also development pages to ensure that they don’t return a HTTP error. This is beneficial because you can have CheckURL look for specific text on the pages. The checksum feature is cool, too, because it lets you know when a page changes. As with with CheckDB, you can schedule CheckURL from within EventSentry (“Application Scheduler”), and even time it.checkurl The scheduling capability is a bit advanced, and the setup requires a few steps, but after getting it up and running, you can easily schedule a statement and configure it to notify you if it takes more than two seconds, for example. At  NETIKUS.NET, we monitor our online store that way. If the store takes more than three seconds to load, we get an alert. Like CheckDB, CheckURL can log output either to the console or to the event log, making it easy to receive alerts from the utility through EventSentry or any other log monitoring software. CheckURL supports SSL as well as proxy servers.

More to Come!
This is just a taste of the free, constantly evolving tools available in EventSentry SysAdmin Tools. Give them a try—you won’t be able to stop with just one.