Home / HomePage / Scripts / SystemChecks

SystemChecks

Systemcheck script will:

  1. scan last 7 days of System, Application, Security, printing out all error, warning and failure events 
  2. scriptfully check for windows updates
  3. perfmon
  4. AV checks
  5. backup system checks. c:\documents and settings\username\Local Settings\Application Data\Microsoft\Windows NT\NTbackup\data\backup##.log
    where username is the user under whose acocunt the backups run; ## is 01-10.
  6. disk sizes and frags via defrag /a
  7. scheduled tasks completion status

Here is the script so far. Because of the complexity, I have broken it down into several component scripts, and called a few utilities to simplify life. All of these scripts, and the included utilities, need to be within the same directory, or on the system path. Personally, I like to stake out the c:\batch directory. It will include:

  • check.cmd
  • eventlogs.cmd
  • disks.cmd
  • WindowsUpdateCheck.vbs
  • ScheduledTasks.cmd
  • colors.exe
  • eldump.exe
  • timemath.exe

First we have check.cmd:

@echo off
call eventlogs.cmd
Colors black yellow
echo.
echo Disk space and fragmentation
echo.
Colors black lightgreen
Call disks.cmd
Colors black yellow
echo.
Echo Check Windows Update
echo.
colors black lightgreen
call cscript /nologo WindowsUpdateCheck.vbs
colors black yellow
echo.
echo Scheduled Tasks information
echo.
colors black lightgreen
call ScheduledTasks.cmd

Note that it uses the rather nice little colors utility; hats off to Mr. Westlake! Otherwise this first script is very straightforward. Moving along, now, to the eventlog checking script, called eventlogs.cmd ... I've tried writing this in vbscript, using a WMI call. But it is quite slow, taking 2-30 minutes to return events which eldump can return in 30 seconds or less. Still working on the problem!

  1. @echo off
  2. ::read last 7 days worth of logs, only the error, warning, failure audits
  3. :: uses the following:
  4. :: eldump.exe - http://www.ibt.ku.dk/jesper/ELDump/default.htm
  5. :: timemath.exe - http://www.geocities.com/fp.westlake/nt/timemath.zip
  6. :: colors.exe - http://www.geocities.com/fp.westlake/xp/colors.zip
  7. setlocal
  8. colors black lightgreen
  9. set repeatcounter=0
  11. ::get todays date and date minus 7 days into yyyymmdd format
  12. for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set today=%%c%%a%%b
  13. for /f "tokens=1-3 delims=. " %%a in ('timemath day-7') do set lastweek=%%a%%b%%c
  15. ::Print error, warning, auditfail entries from several system logs
  16. set args=-T Error Warning AuditFailure -a %lastweek% -Y -O dtTSes -c ;
  17. echo.
  18. colors black yellow
  19. echo System logs between %lastweek% and %today% on %computername%
  20. echo Date;Time;Type;Source;EventID;Message
  21. colors black lightgreen
  22. echo.
  23. for /f "tokens=*" %%a in ('"eldump -l system %args%"') do call :PARSEEVENT %%a
  24. echo.
  25. colors black yellow
  26. echo Application logs between %lastweek% and %today% on %computername%
  27. echo Date;Time;Type;Source;EventID;Message
  28. colors black lightgreen
  29. echo.
  30. for /f "tokens=*" %%a in ('"eldump -l application %args%"') do call :PARSEEVENT %%a
  31. echo.
  32. colors black yellow
  33. echo Security logs between %lastweek% and %today% on %computername%
  34. echo Date;Time;Type;Source;EventID;Message
  35. colors black lightgreen
  36. echo.
  37. for /f "tokens=*" %%a in ('"eldump -l Security %args%"') do call :PARSEEVENT %%a
  38. echo.
  39. goto :eof
  40. endlocal
  42. :PARSEEVENT
  43. ::print each error found unless it's a dupe of prior event. dupes are counted
  44. ::and the count is printed at ::DONEREPEATING
  45. set event=%*
  46. for /f "tokens=4,5 delims=;" %%a in ("%event%") do set sourceID="%%a%%b"
  47. if {%priorsourceID%} == {%sourceID%} (
  48.         set /a repeatcounter=%repeatcounter% + 1
  49.         ) else echo %event% && if %repeatcounter% GTR 0 call :DONEREPEATING %event%
  50. set priorsourceID=%sourceID%
  51. set sourceID=
  52. goto :eof
  54. :DONEREPEATING
  55. ::print errorcount from :PARSEEVENT errors that repeat themselves in RED
  56. colors black lightred
  57. echo -repeats %repeatcounter% times
  58. colors black lightgreen
  59. set repeatcounter=0 

This too is fairly straightforward, with the exception of the way it checks for repeats.  I will leave that for you to figure out; use the comments section below if you have a question.

Next we check disk space and fragmentation with a slightly modified version of the Enumerate Local Drives script. It is named disks.cmd -

  1. @echo off
  2. setlocal
  3. ::Weekly defrag script; will defrag all locally attached hard disk partitions
  4. set wmiccommand=wmic logicaldisk where "Description='Local Fixed Disk'" get caption
  5. for /f "skip=1" %%a in ('%wmiccommand%') do call :DRIVECOMMANDS %%a
  6. endlocal
  7. goto :eof
  8.  
  9. :DRIVECOMMANDS
  10. ::each command here will be run against every local fixed
  11. ::disk (hard drive letter, C:, E:, etc) on the system
  12. ::CDroms, floppies, removable disks, network drives will NOT be included
  13. ::the driveletter is represented as %1
  14. for /f "tokens=*" %%a in ('"defrag %1 /a | findstr Total"') do set output=%%a
  15. echo %1 %output%

Pretty simple stuff, but it does use wmic to do the heavy lifting of finding locally attached hard drives. Now for a change of pace we'll do some vbscript to check whether the system needs any patches from WIndows Update. This next script is named WindowsUpdateCheck.cmd ...

  1. 'Windows Updates Check Script; lists updates not currently installed.
  2. 'Checks Windows Update site or WSUS, whichever is appropriate.
  3. 'thanks Scripting Guy:
  4. 'http://www.microsoft.com/technet/scriptcenter/resources/tales/sg0705.mspx#E1B
  5. 'handy API reference http://msdn2.microsoft.com/en-us/library/aa387287(VS.85).aspx  
  6. counter = 0
  7. Set objSession = CreateObject("Microsoft.Update.Session")
  8. Set objSearcher = objSession.CreateUpdateSearcher
  9. Set objResults = objSearcher.Search("IsInstalled=0")
  10. Set colUpdates = objResults.Updates
  11.  
  12. For i = 0 to colUpdates.Count - 1
  13.         Wscript.StdOut.Write "Title: '" & colUpdates.Item(i).Title & "' "
  14.         Select Case colUpdates.Item(i).Type
  15.                 Case 1
  16.                 Wscript.StdOut.Write "Update type: Software"
  17.           Case 2
  18.                 Wscript.StdOut.Write "Update type: Driver"
  19.           Case Else
  20.                 Wscript.StdOut.Write "Update type: undetermined"
  21.         End Select
  22.         Wscript.StdOut.Write vbCRLF     
  23.         Set objInstallationBehavior = colUpdates.Item(i).InstallationBehavior
  24.         If objInstallationBehavior.CanRequestUserInput = True Then
  25.                 Wscript.Stdout.Write "Can request user input... "
  26.         End If 
  27.         Select Case objInstallationBehavior.Impact
  28.             Case 0
  29.                 Wscript.Stdout.Write "Typical install... "
  30.             Case 1
  31.                 Wscript.Stdout.Write "Negligible install... "
  32.             Case 2
  33.                 Wscript.Stdout.Write "HIGH-IMPACT install... "
  34.         End Select     
  35.         Select Case objInstallationBehavior.RebootBehavior
  36.             Case 1
  37.                 Wscript.Stdout.Write "A reboot is required after installation."
  38.             Case 2
  39.                 Wscript.Stdout.Write "A reboot MIGHT be required after installation."
  40.             Case Else
  41.                 Wscript.Stdout.Write "No information about reboot available."
  42.         End Select
  43.         Wscript.StdOut.Write vbCRLF     
  44.         if not colUpdates.Item(i).MsrcSeverity = "" Then
  45.                 Wscript.Echo "Security Severity: " & colUpdates.Item(i).MsrcSeverity
  46.         End If 
  47.         Wscript.StdOut.Write "KB articles: "
  48.         For Each strArticle in colUpdates.Item(i).KBArticleIDs
  49.             Wscript.StdOut.Write strArticle & ", "
  50.         Next
  51.         Wscript.StdOut.Write vbCRLF     
  52.         Wscript.Echo
  53.         counter = counter + 1
  54. Next
  55.  
  56. if counter = 0 Then Wscript.Echo "The system is fully up to date!"

The final script is a walk in the park, and is called ScheduledTasks.cmd:

@echo off
setlocal
schtasks /query
echo.
type c:\windows\SchedLgU.Txt | findstr /i error
endlocal

And here's what it looks like when run on a Windows 2003 server. Yes, you do get the same color coding in your own output! (Except for the blue text at start; I add that for clarity.)

C:\batch>check

System logs between 20071217 and 20071224 on FS1
Date;Time;Type;Source;EventID;Message

071217;11:47:25;Warning;W32Time;50;The time service detected a time difference of greater than 5000 milliseconds for 900 seconds.
071220;13:05:01;Warning;MRxSmb;3019;The redirector failed to determine the connection type.
-repeats 5 times
071223;07:00:03;Error;VolSnap;21;The flush and hold operation for volume D: was aborted because of low available system memory.

Application logs between 20071217 and 20071224 on FS1
Date;Time;Type;Source;EventID;Message

071217;00:48:11;Warning;SRMSVC;12317;;Error-specific details:;Error: (0x80070005) Access is denied.
071220;13:28:06;Warning;System.ServiceModel.Install 3.0.0.0;0;A Web Host Script Mapping does not exist for extension .svc.
-repeats 15 times
071220;13:29:52;Warning;Userenv;1517;Windows saved user PURGATORY\quuxda registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.;This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Security logs between 20071217 and 20071224 on FS1
Date;Time;Type;Source;EventID;Message

071222;01:16:56;AuditFailure;Security;560;Object Open:;Object Server: Security;Object Type: File;Object Name: \Device\NetbiosSmb;Handle ID: -;Operation ID: {0,3128204};Process ID: 760;Image File Name: C:\WINDOWS\system32\svchost.exe;Primary User Name: LOCAL SERVICE;Primary Domain: NT AUTHORITY;Primary Logon ID: (0x0,0x3E5);Client User Name: -;Client Domain: -;Client Logon ID: -;Accesses: SYNCHRONIZE;Privileges: -;Restricted Sid Count: 0;Access Mask: 0x100003
-repeats 3 times

Disk space and fragmentation

C: 7.99 GB Total,  1.95 GB (24%) Free,  12% Fragmented (25% file fragmentation)
D: 500 GB Total,  300 GB (59%) Free,  3% Fragmented (7% file fragmentation)
E: 100.00 GB Total,  97.58 GB (97%) Free,  0% Fragmented (0% file fragmentation)

Check Windows Update

Title: 'ATI Technologies Inc. - Video - 9600 SERIES' Update type: Driver
Can request user input... Typical install... A reboot MIGHT be required after installation.
KB articles:

Title: 'Microsoft .NET Framework 3.0 Service Pack 1 (KB929300)' Update type: Software
Typical install... A reboot MIGHT be required after installation.
KB articles: 929300,

Scheduled Tasks information

TaskName                             Next Run Time            Status
==================================== ======================== ===============
ShadowCopyVolume{a5752872-14b2-41a6- 7:00:00 AM, 12/24/2007
ShadowCopyVolume{a5752872-14b2-41a6- 7:00:00 PM, 12/24/2007

C:\batch\>


Post a comment

Your Name or E-mail ID (mandatory)

 


 RSS of this page