Scripting with the NT Resource Kit, part 3: Commands for local and remote servers

Richard Charrington continues his series on useful commands from the NT Resource Kit. This time, he discusses more technical commands, such as Dumpel, Pulist, Reg, Sc, and Sclist—most of which will act on both local and remote servers.

In “Scripting with the NT Resource Kit, part 1: The essentials” and “Scripting with the NT Resource Kit, part 2: More simple commands,” I introduced you to some simple but useful commands that are available with Windows NT Resource Kit. Those commands can help you to write Administration scripts. In this Daily Drill Down, I’ll describe some of the more technical commands and utilities. They will enable you to write scripts and perform tasks that you used to be able to do only through GUI applications or applets. Many of these commands will act either on the local server or on a remote server, depending on the server’s name or IP address. Dumpel extracts events from the event log on any NT machine. Pulist is similar to Tlist, except that Pulist works on remote servers. Reg works with the registry. Sc works with services. Sclist lists the services that run on a Windows NT machine.

Dumpel is a utility that allows you to extract events from the event log of a server. The syntax for this command is as follows (see Table A for definitions):
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3...] [-r] [-t] [-d x]
Table A
-f Specifies the filename for the output file. (There’s no default for -f, so you must specify the file.)
-s Specifies the server for which you want to dump the event log.
(Leading backslashes on the server name are optional.)
-l Specifies which log (system, application, security) to dump.
If an invalid logname is specified, the application is dumped.
-m Specifies into which source (rdr, serial, etc.) to dump records. Only one source can be supplied.
If this switch isn’t used, all events are dumped.
If a source is used that isn’t in the registry, the application log will be searched for records of this type.
-e Filters for event id nn (n1 n2 n3 etc.; up to 10 can be specified).
If the -r switch isn’t used, only records of these types are dumped.
If -r is used, all records (except for records of this type) are dumped.
If this switch isn’t used, all events from the specified sourcename are selected.
You can’t use this switch without the -m switch.
-r Specifies whether to filter for specific sources or records or to filter them out.
-t Separates individual strings by tabs; if -t isn’t used, strings are separated by spaces.
-d x Dumps events for the past x days.

To dump the system event log on server \\EVENTSVR into a file named Event.out, run:
dumpel -f event.out -s eventsvr -l system
To dump the local system event log into a file named Event.out but to get only Rdr events 2013, type:
dumpel -f event.out -l system -m rdr -e 2013
To dump the local application log to a file named Event.out and to get all events except for the ones from the Garbase source, run:
dumpel -f event.out -l application -m garbase –r
Once you have a file that contains the relevant events, you can process it in the script as usual with Awk or Find. If the processing is too complicated for command-line Awk or Find, you always can write an Awk script, or you can even try a little bit of Perl.

Pulist is very similar to Tlist, which I introduced in a previous part of this series. The main difference is that Pulist can run against a remote server, as well as a local one. Unfortunately, when this command runs against a remote server, it shows that the process names and the PIDs are running on that server, but it shows the PID after the process name—completely opposite from the way in which Tlist presents the list. It’s possible to specify one or more servers as parameters to Pulist. For example, you can type:
A typical output from this command would be:
Process PID
Idle 0
System 2
amgrsrvc 95
BRAD32 159
SNMP 175
WinMgmt 190
Wuser32 200
pvlsvr 212
benser 228
nsvr 240
clisvcl 254
cpqnimgt 260
cqmghost 263
cqmgserv 268
cqmgstor 100
alertserver 277
SMSAPM32 289
cpqwmgmt 296
beserver 316
bengine 342
benetns 369
VsTskMgr 166
Mcshield 223
logon.scr 407
_Total 0
Process PID
Idle 0
System 2
amgrsrvc 91
Mcshield 97
VsTskMgr 104
BRAD32 136
patfcpq 138
PatrolAgent 149
SNMP 167
WinMgmt 197
Wuser32 209
PatrolPerf 212
pvlsvr 224
benser 225
nsvr 246
clisvcl 259
cpqnimgt 268
cqmgserv 271
cqmgstor 274
alertserver 283
SMSAPM32 226
beserver 330
bengine 356
benetns 380
cqmghost 391
cpqwmgmt 383
CMD 406
CMD 412
snmpmagt 419
TopProcs 424
ISQL 233
_Total 0
Unlike Tlist, Pulist doesn’t display any titles; it’s impossible to tell one iteration of a command from another—unless you happen to know the PID. As with Tlist, you can pipe the output of this command to Awk or Find in order to extract and process the information that you need. For example, if I wanted to find all of the servers that aren’t running McAfee, I would type:
if exist NoMcAfee.lst del NoMcAfee.lst
for /f %%i in (server.lst) do call :FindMcAfee %%i
goto :EOF

pulist \\%1 Š find "Mcshield" ŠŠ echo %1 >> NoMcAfee.lst
goto :EOF
I used a list of servers and ran Pulist against each server in the list. Later, I’ll explain how to create this list automatically. This example pipes the result through Find. If the process Mcshield isn’t found (ŠŠ means "else"), it will write the server name to a file.

One of the most common processes in the scripts that I’ve been asked to write involves modifying the registry of a server. Of course, all the usual precautions apply when you’re testing a script that alters the registry. It’s a simple matter of making a copy of anything just before you change it, especially when you use Reg. Reg has several subcommands:
  • REG BACKUP (which is identical to SAVE)

I’m not going to cover all of these subcommands—just the ones that I’ve used. If you want to check on the syntax, type the command, followed by /?.

Guess which command you use to make a copy of the hive that you’re going to change? Reg save, of course! (It involves less typing than Backup.) You should always use the following form of Reg save:
reg save HKLM\Software\MyCo\MyApp MyApp.reg {\\server}
This command saves the hive MyApp to the file MyApp.reg. If you’re working on the registry of a remote server, put the server name at the end. Then, you can make your changes by typing:
reg update HKLM\Software\MyCo\MyApp\Parameters\Timeout=10 {\\server}
Or you can run:
reg add HKLM\Software\MyCo\MyApp\Parameters\Version=1.0 {\\server}
reg delete HKLM\Software\MyCo\MyApp\Parameters\Timeout {\\server}
If you must, you can restore the original hive by running:
reg restore MyApp.reg HKLM\Software\MyCo\MyApp {\\server}
As you can see, these subcommands provide an easy way of manipulating a registry. There’s no need to specify the data types. Reg does that task for you. It might become a problem if you want to specify a particular registry data type. For more complex registry manipulation, you would use Regini (but that’s beyond the scope of this Drill Down).

Another command that I use regularly is Sc (service control). This tool provides a way of communicating with Service Controller (Services.exe) from the command prompt and of retrieving information about services. Sc is useful for testing and debugging your service program. It implements calls to all of the Windows NT service control functions. You can specify any function parameters through the command line. You can create batch files that call Sc with various command lines in order to see how your service behaves with repeated starting and stopping. Sc also displays complete status information, including state, checkpoint number, and wait hint.

The syntax for Sc is rather long, and I’m not going to list it. If you want to see it for yourself, then run sc /?. The most common use of Sc in scripting involves stopping, starting, or changing the startup parameters of services on a server. To stop a service, type:
sc {\\servername} stop MyService
If your next piece of code relies on the service being stopped, you must realize that the stop option simply sends a Stop request to the service. To ensure that the service has actually stopped, use the following code:
sc {\\servername} query MyService Š find "STOPPED" ŠŠ sleep 1 & goto
This command will query the MyService service and try to find the word Stopped. In the result of else (ŠŠ), it will wait a second and check again. Of course, if you know that this service will take a while to stop, you can increase the number of seconds that it waits between checks.

To start a service, run:
sc {\\servername} start MyService
Again, before you continue, you may want to make sure that the service has actually started. The keyword here is RUNNING. Try to work out the code for yourself.

In some instances, you may want to pause the service while you carry out some other task with which the service will interfere. To pause a service, run:
sc {\\servername} pause MyService
Then, at a later stage, you can restart the service by typing:
sc {\\servername} continue MyService
To change the startup parameters of a service, run:
sc config start= demand
sc config start= auto
sc config start= disabled
This command changes the startup parameter to Manual, Auto, or Disabled (in that order). For Manual, please note that you must type demand.

You also can display the name that’s displayed in the Services list:
sc config DisplayName= OurService
Another thing that you’ll probably need to do at some point is to change the account that the service logs in as. Run the following command:
sc config AccountName= ServiceAcc
If you change the AccountName, then you’ll also want to change the password at the same time. To do so, type:
sc config password= servicePasswordIn all instances, there’s no space between the option name and the equal sign, but there must be a space between the equal sign and the value.
There’s a remote possibility that you’ll want to remove a service. You can do so by typing:
sc {\\servername} delete MyService
This command deletes the service only from the registry. I suggest that, before you delete a service, you stop it and set the startup parameter to disabled.

Although Sc query (with no extra parameters) will list all of the services that are running, the output is better suited for looking at the status of a particular service—not all of them. If you want to see a list of all of the installed services and you want to know whether they’re running or stopped, you can use Sclist. It produces a neat list of one service per line, and it’s easy to filter and process.

These commands perform many of the same tasks as the commands that I introduced last week. These commands, however, act on both remote and local servers. I’ve also covered a couple of the less demanding commands in the Windows NT Resource Kit. In the next article in this series, I’ll take a look at more complicated and more powerful commands.

Richard Charrington’s computer career began when he started working with PCs—back when they were known as microcomputers. Starting as a programmer, he worked his way up to the lofty heights of a Windows NT Systems Administrator, and he has done just about everything in between. Richard has been working with Windows since before it had a proper GUI and with Windows NT since it was LANManager. Now a contractor, he has slipped into script writing for Windows NT and has built some very useful auto-admin utilities.

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks

Free Newsletters, In your Inbox