Tag Archives: cli

Updating firewall rules with netsh

I needed to adjust the scope of a built-in firewall rule in a couple of servers, restricting the remote IPs to a list of UVM subnets in CIDR notation. The netsh documentation describes the syntax for a list as comma-separated values (no spaces). But I kept getting errors with the command:

netsh advfirewall firewall set rule name="Windows Internet Naming Service (WINS) (NB-Name-UDP-In)" remoteip="10.10.0.0/16,10.11.0.0/16,10.12.0.0/16"

Finally, I actually read the error message:

For ‘set’ commands, the ‘new’ keyword must be present and must not be the last argument provided.

And the related part of the usage text:

Values after the new keyword are updated in the rule.  If there are no values, or keyword new is missing, no changes are made.

One little three-letter keyword was all I needed:

netsh advfirewall firewall set rule name="Windows Internet Naming Service (WINS) (NB-Name-UDP-In)" new remoteip="10.100.0.0/16,10.101.0.0/16,10.102.0.0/16"

/sigh

Listing parent of AD object in PowerShell

Recently, I wanted to provide a client with a list of groups that related to some work he was doing. I wanted the group names as well as their location with AD. Although I often use the ds* commands or excellent ADfind tool for this type of task, I had been working in PowerShell on another project, so I decided to use the PowerShell ActiveDirectory module.

The Get-ADGroup Cmdlet pulled out the groups easily enough, but the there wasn’t a property representing the group object’s parent, nor is there an LDAP property that I could request (AFAIK). The object’s parent is contained within the DistinguishedName (DN) property, though.

For a group with the following DN:

CN=FOO-FileServices Administrators,OU=FOO,OU=Departments,DC=uvm,...

I just need to strip off the CN. I could split the DN on commas, remove the first element, and then reassemble what’s left to get the parent. I also needed to avoid splitting on an LDAP-escaped comma where a value actually contains a comma (e.g., CN=).

PS> $dn -split '(?<![\\]),'

Continue reading

re-enabling ESET NOD32

ESET has fixed the problem that caused widespread system hangs. If you followed my instructions to disable NOD32, you can re-enable it by repeating those steps and changing one word: replace disabled with auto.

To recapitulate:

1. Boot into safe mode

2. In either the Run dialog or the Vista Start Menu search box, type the following:

cmd /k "sc config ekrn start= auto"

(Please note that the space after start= is required; goodness knows why…)

start-run-enable

start-box-enable

3. Watch for the success message, and reboot.

ESET NOD32 making many systems hang

I’ve spent most of the day trying identify a systematic way to work around the campus antivirus solution, which is causing widespread system hangs. Our vendor has tentatively identified a problematic recent update, and is recommending that affected users temporarily disable the Eset Service service until a patch is available.

Disabling ESET NOD32 / ekrn Service.

If your system become unresponsive, in most cases soon after logging into the system, you may be affected. Please follow these instructions to disable the ESET service:

1. Restart your system in safe mode

2. In either the Run command ( Start->Run or [Windows Key]+R)

start-run

 

OR in the Vista Start menu search box…

start-box

 

3. …Enter the command below

cmd /k "sc config ekrn start= disabled"

(Please note that the space after start= is required; goodness knows why…)

 

4. Watch for the success message:

sc-success

 

Reboot and stay tuned to your friendly neighborhood technical support resources for updates.

PS. for what it’s worth, here’s my current ESET version info, which hangs my system.

eset-about

CLI configuration of network interfaces

I like GUIs, but I also like getting things done via the command line. I was hunting around to see if there was a way to change the MTU setting for my NICs without having to edit the registry, and I found that the netsh interfaces context exposes this attribute:

netsh interface ipv4 show subinterfaces
netsh interface ipv4 set subinterface "Local Area Connection" mtu=1500 store=persistent

I used this to change the MTU for my Wifi and Ethernet interfaces from 1300 — Cisco’s preferred setting from Win9x days — back to the Windows default. And now the performance problem I was having yesterday has been resolved. :-)

[ via http://www.annoyances.org/exec/forum/winvista/t1158155937]