January 30th, 2015 - by Walker Rowe
Unlike Linux, which belongs to everyone, Windows belongs to Microsoft: it is not an open operating system, so most of the tools a system administrator needs are built by Microsoft. Many of them are already included when you install Windows Server 2008 or 2012; others can be downloaded from microsoft.com or from the Sysinternals site (sysinternals.com, now part of Microsoft). There are also free third-party tools and commercial ones, such as GFI LanGuard, that help the system administrator manage a Windows environment.
Here we look at some of the most important tools for the Windows system administrator.
The Windows Performance Monitor is different from the more straightforward Task Manager that you get by right-clicking the taskbar. Performance Monitor takes more effort to master because it does so much more: it can graph and log hundreds of counters (CPU, memory, disk, network and per-process counters) over time, which is what you need for a problem that only shows up at 3 a.m. You can use it together with the Windows Resource Monitor to see what resources each program and process are using right now.
As with other performance monitoring tools, this is only useful if the administrator has taken the time to understand the metrics the tool displays. It is worth any system administrator's time to read a book on performance monitoring (there are plenty) or at least to read up online. Many people run performance tools as a reflex without really understanding what they are looking at, and so draw the wrong conclusion from a busy-looking graph. Don't do that.
Server Manager (or the Remote Server Administration Tools, which bring the same console to a client PC) lets you manage roles and features on remote servers as well as the local one. In other words, it controls what services are installed on remote Windows machines, since roles (such as Web Server or Hyper-V) and features (such as .NET Framework or the Telnet client) are the units Windows Server installs software in. Keeping that list short on each server is the simplest form of attack-surface reduction you have.
With Windows, most people are comfortable using menus, i.e., graphical screens. But it's also worth taking the time to learn the commands available in Windows PowerShell.
PowerShell has been included in Windows for some years now, but not every administrator uses it. Most haven't learned it, which is a shame, as it is a full-blown programming language if you want one, and it also does simple tasks with a single command.
One thing PowerShell does especially well is provide Unix-like commands to the administrator. For example, it provides the ls command, just like Linux: ls (like dir and gci) is an alias for the PowerShell cmdlet Get-ChildItem. Select-String is the PowerShell equivalent of grep: it searches the contents of files, or whatever text is piped into it, for a pattern and reports each matching line.
Like UNIX, you can pipe PowerShell commands into one another, which makes them much more useful. One difference from a UNIX shell is that the pipeline carries .NET objects rather than lines of text, so the next command can pick out a property by name (a file's Path or LastWriteTime, say) instead of cutting fields out of a text line.
For example, you can search for files based on their name and, for text files, on their contents, such as every file in the current folder that contains the string "targetType". The pattern can be a regular expression or an ordinary string.
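The search just described, written out as an added example (this is not the article's own command, which did not survive extraction). It assumes nothing beyond a Windows 7 / Server 2008 R2 or later PowerShell; the string "targetType" is the one the text uses.

```powershell
# Added example: search the current folder tree by file NAME and by file CONTENT.
$pattern = 'targetType'

# 1. Match on file name. -Filter is evaluated by the file system, so it is fast,
#    but it only understands wildcards; wrap the term in asterisks for a substring hit.
Get-ChildItem -Path . -Recurse -File -Filter "*$pattern*" |
    Select-Object FullName, Length, LastWriteTime

# 2. Match on file content. Select-String reads each file line by line and emits a
#    MatchInfo object (Path, LineNumber, Line) per hit. -SimpleMatch treats the pattern
#    as a literal string; restricting the extensions keeps binaries out of the scan.
Get-ChildItem -Path . -Recurse -File -Include *.txt, *.log, *.ps1, *.xml, *.config |
    Select-String -Pattern $pattern -SimpleMatch |
    Select-Object Path, LineNumber, Line

# 3. The same search as a regular expression. Matching is case-insensitive by
#    default, so this finds targetType, TargetType and targettype, but only as a
#    whole word; -List stops at the first hit per file, which is all you need
#    when the question is "which files mention it?".
Get-ChildItem -Path . -Recurse -File -Include *.txt, *.log, *.ps1, *.xml, *.config |
    Select-String -Pattern "\b$pattern\b" -List |
    Select-Object Path, LineNumber
```

Because the pipeline carries objects, the final Select-Object can pick properties by name; there is no awk or cut step, and the output can be piped straight on to Export-Csv or Sort-Object.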
Windows Power Shell Troubleshooting Pack
PowerShell commands are called cmdlets. The cmdlets in the TroubleshootingPack module are aimed squarely at the system administrator: they wrap the diagnostic packs that ship with Windows (networking, audio, printing, power and so on) so that the same checks the "Troubleshoot" wizard runs can be driven from a script, unattended, and their reports collected. You can ask PowerShell for instructions on them through its built-in help.
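How to find, read the help for, and run those cmdlets, as an added example (not from the original article). It assumes Windows 7 / Server 2008 R2 or later, where the module and the built-in Networking pack exist; the results folder is a placeholder.

```powershell
# Added example: discovering and running the cmdlets in the TroubleshootingPack module.
Import-Module TroubleshootingPack

# Which cmdlets does the module provide? (Get-TroubleshootingPack and
# Invoke-TroubleshootingPack.)
Get-Command -Module TroubleshootingPack

# Built-in help, with worked examples, for the cmdlet that runs a pack.
Get-Help Invoke-TroubleshootingPack -Examples

# The packs Windows ships with are folders under %SystemRoot%\diagnostics\system.
Get-ChildItem -Path "$env:SystemRoot\diagnostics\system" -Directory | Select-Object Name

# Load the built-in Networking pack and run it unattended, writing its report
# (XML files, ResultReport.xml among them) to a results folder. -Unattended
# suppresses the interactive questions, which is what you want from a script.
$pack      = Get-TroubleshootingPack -Path "$env:SystemRoot\diagnostics\system\Networking"
$resultDir = Join-Path $env:TEMP 'NetworkingDiag'     # assumption: any writable folder will do
Invoke-TroubleshootingPack -Pack $pack -Unattended -Result $resultDir

# List what the pack wrote so you can pick up the report from a remote session.
Get-ChildItem -Path $resultDir
```

The same three steps apply to any pack under that directory; pair Invoke-TroubleshootingPack with -AnswerFile when a pack needs input that -Unattended would otherwise skip.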
TCPView is a Sysinternals tool from Microsoft that shows which network connections each running program has open, with the owning process beside every socket. It should be part of any system administrator's toolkit as a means of auditing machines: if a process is talking to an IP address you do not recognise, that is worth running down, because it could be malware or an intruder's command channel. It also reveals software on the machine that you might want to remove because it consumes bandwidth and CPU without giving you anything useful. Examples include the Adobe updater and many other update agents that vendors install without telling you.
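A TCPView-style audit from the shell, as an added example (not from the original article or from Sysinternals). It uses the Get-NetTCPConnection cmdlet, which exists on Windows 8 / Server 2012 and later, joins each established connection to its owning process and then keeps only the connections leaving the local networks, which are the ones worth a second look. The address ranges treated as "local" are an assumption for a typical site.

```powershell
# Added example: established TCP connections with owning process, remote peers only.

# Assumption: RFC 1918 ranges plus loopback/unspecified count as local; adjust to your site.
$localPatterns = '^10\.', '^192\.168\.', '^172\.(1[6-9]|2\d|3[01])\.', '^127\.', '^::1$', '^0\.0\.0\.0$', '^::$'

function Test-IsLocal([string]$addr) {
    foreach ($p in $localPatterns) { if ($addr -match $p) { return $true } }
    return $false
}

# Cache process objects once instead of calling Get-Process per connection.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-IsLocal $_.RemoteAddress) } |
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            PID     = $_.OwningProcess
            Path    = if ($p) { $p.Path } else { '' }   # other users' paths need an elevated shell
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
        }
    } |
    Sort-Object Process, Remote |
    Format-Table -AutoSize

# Resolve only the handful that look odd; a reverse lookup on every peer is slow
# and tips off nobody but your DNS server:
# Resolve-DnsName -Name 203.0.113.10 -Type PTR
```

Run it a few times over a day and diff the output; a process that is always connected somewhere you have never heard of is the pattern you are looking for. Anything listed as <exited> had a socket still in the table when its process was gone, which is normal for short-lived connections.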
Wireshark is a packet sniffer. It captures what reaches your own network card, which on a modern switched network means your own machine's traffic plus broadcasts, not the conversations of other hosts: promiscuous mode on the capturing card does not help with that, because the switch never forwards those frames to your port. To see everyone's traffic you need the switch to mirror it to you (a SPAN or mirror port) or a network tap placed in line; plugging a laptop into a spare switch port shows you almost nothing. Set up that way, it is very good for troubleshooting application issues, and its graphical interface, with per-protocol decoding and display filters, makes something that is otherwise hard to grasp (raw network traffic) immediately understandable.
Virtual machines go back to IBM mainframes in the 1960s, but on the PC it was VMware that built the market, so VMware Workstation is what most people use. You have to pay for it, though. Hyper-V is included with Windows Server 2008 and 2012 (and Client Hyper-V with Windows 8 Pro), so use it for free to set up a lab for troubleshooting or for installing test versions of applications into a separate OS on your Windows machine. Otherwise, Oracle VirtualBox is free.
Here is how to enable the Hyper-V role on Windows Server 2012: http://technet.microsoft.com/en-us/library/hh846766.aspx.
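The role-and-feature management described above and the Hyper-V enablement on the TechNet page, done from PowerShell with the ServerManager module, as an added example (not from the original article or the TechNet page). It assumes Windows Server 2012, whose feature cmdlets accept -ComputerName, and PowerShell remoting enabled on the targets (the 2012 default); the server names are placeholders.

```powershell
# Added example: inventory, audit and change roles/features on remote servers.
Import-Module ServerManager

# Inventory: what is installed on a remote server?
Get-WindowsFeature -ComputerName 'SRV01' |
    Where-Object Installed |
    Select-Object Name, DisplayName

# Audit: check one role across several servers to spot drift, e.g. the IIS role
# (Web-Server) present on a box that is not supposed to be a web server.
$servers = 'SRV01', 'SRV02'     # assumption: replace with your own host names
foreach ($s in $servers) {
    $web = Get-WindowsFeature -Name Web-Server -ComputerName $s
    '{0,-10} Web-Server installed: {1}' -f $s, $web.Installed
}

# Add the Hyper-V role plus its MMC and PowerShell tools on a remote server; this is
# the PowerShell form of the steps on the TechNet page. The host needs a CPU with
# SLAT and virtualization enabled in firmware. -Restart reboots it when done.
Install-WindowsFeature -Name Hyper-V -ComputerName 'SRV01' -IncludeManagementTools -Restart

# Remove a feature you do not want lying around, e.g. a Telnet client installed out of habit.
Uninstall-WindowsFeature -Name Telnet-Client -ComputerName 'SRV02'
```

Get-WindowsFeature with no -Name lists every role and feature Windows knows about, installed or not, so the first command doubles as a list of what could be added later.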
Snare is a tool that forwards Windows event logs to a syslog server. Why is this important? Most intrusion detection systems, SIEMs and other log collectors consume logs in syslog format, which comes from the UNIX world and which Windows does not speak natively. Syslog is not a file format but a network protocol (defined in RFC 3164 and RFC 5424): each event is sent as a short message over UDP or TCP, usually on port 514, so the collector receives Windows events in real time, in the same stream as the logs from its UNIX hosts, and can alert on them or archive them centrally, where an attacker who has compromised the Windows box cannot simply clear them.
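What a forwarder like Snare does, reduced to its essentials as an added example (not from the original article and not Snare's own message layout): read recent Security events and send each one as an RFC 3164 syslog message over UDP/514. The collector address is a placeholder; reading the Security log needs an elevated shell.

```powershell
# Added example: forward Windows Security events to a syslog collector over UDP.
$collector = '192.0.2.10'   # assumption: your syslog server (a TEST-NET-1 address here)
$port      = 514

function Send-Syslog {
    param([string]$Message, [int]$Facility = 4, [int]$Severity = 6)   # 4 = auth, 6 = informational
    # PRI = facility * 8 + severity. RFC 3164 timestamp is "Mmm dd HH:mm:ss" with the
    # day space-padded ("Oct  5"), so build it by hand rather than with one format string.
    $pri = $Facility * 8 + $Severity
    $now = Get-Date
    $inv = [cultureinfo]::InvariantCulture
    $ts  = '{0} {1} {2}' -f $now.ToString('MMM', $inv), $now.Day.ToString().PadLeft(2), $now.ToString('HH:mm:ss', $inv)
    $line  = "<$pri>$ts $env:COMPUTERNAME $Message"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
    $udp = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($bytes, $bytes.Length, $collector, $port) }
    finally { $udp.Close() }
}

# Forward the 20 most recent Security events. Security audit events all carry the
# same Level, so map the Audit Failure keyword to syslog "warning" (4) and everything
# else to "informational" (6); the collector can then alert without parsing the text.
Get-WinEvent -LogName Security -MaxEvents 20 | ForEach-Object {
    $sev  = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 4 } else { 6 }
    # Syslog messages are single lines: collapse the multi-line Windows message.
    $text = ($_.Message -replace '\s+', ' ').Trim()
    Send-Syslog -Message ('MSWinEventLog Security EventID={0} {1}' -f $_.Id, $text) -Severity $sev
}
```

Two things a real forwarder adds that this leaves out: a high-water mark (the last RecordId sent) so nothing is forwarded twice or missed across restarts, and TCP or TLS transport, since UDP syslog silently drops messages under load, which is exactly when the security log matters most.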
Process Monitor (Procmon) is another Sysinternals tool from Microsoft. It gives you extremely detailed process information, right down to which DLLs a program loads and the memory addresses they are loaded at. It records every file, registry, network and image-load operation of every running program, so a capture of even a few minutes can run to millions of events; in practice you filter by process name or operation as soon as the capture starts.
You can download it from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
In a capture you can see every registry key a program has read and every file it has opened, created or closed, with the result of each call (SUCCESS, NAME NOT FOUND, ACCESS DENIED), which is often the fastest way to find a missing configuration file or a permissions problem.
The Load Image events show which DLLs the program is loading and at which memory addresses. This is more information than the average person needs, but it is useful on occasion for troubleshooting errors and performance, and for security work: a DLL loaded from a user-writable folder such as Temp or Downloads rather than from System32 or the application's own directory is how DLL search-order hijacking shows up in a trace.
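Driving Procmon from the shell for a bounded, unattended capture and then pulling out one process's DLL loads, as an added example (not from the original article or from Sysinternals). It assumes the Sysinternals suite is unpacked at the path shown and an elevated shell (Procmon loads a kernel driver); the process name to inspect is a placeholder.

```powershell
# Added example: unattended Procmon capture, CSV export, and a filter for DLL loads.
$procmon = 'C:\Tools\SysinternalsSuite\Procmon.exe'   # assumption: where you unpacked the suite
$pml     = Join-Path $env:TEMP 'trace.pml'
$csv     = Join-Path $env:TEMP 'trace.csv'
$target  = 'notepad.exe'                               # assumption: the process to inspect

# Capture for 60 seconds to a backing file, then exit. /AcceptEula avoids the licence
# dialog, /Quiet the filter-confirmation prompt, /Minimized keeps the window out of the
# way. Procmon is a GUI program, so wait for it explicitly.
Start-Process -FilePath $procmon -Wait -ArgumentList '/AcceptEula', '/Quiet', '/Minimized',
    '/BackingFile', $pml, '/Runtime', '60'
# To stop an open-ended capture started without /Runtime, run from another shell:
#   Procmon.exe /Terminate

# Convert the binary .pml to CSV: /OpenLog loads it, /SaveAs writes it, then Procmon exits.
Start-Process -FilePath $procmon -Wait -ArgumentList '/AcceptEula', '/Quiet', '/OpenLog', $pml, '/SaveAs', $csv

# Which DLLs did the target load, and from where? The Detail column carries the image
# base and size. Anything loaded from outside the Windows or application directories
# deserves a look.
$loads = Import-Csv $csv |
    Where-Object { $_.Operation -eq 'Load Image' -and $_.'Process Name' -eq $target }

$loads | Select-Object 'Time of Day', Path, Detail | Format-Table -AutoSize

# Flag loads from user-writable locations (the usual DLL search-order hijack sites).
$suspect = '^C:\\Users\\', '^C:\\Temp\\', '^C:\\ProgramData\\'
$loads | Where-Object { $p = $_.Path; ($suspect | Where-Object { $p -match $_ }).Count -gt 0 } |
    Select-Object Path
```

The CSV export is the easiest way to get Procmon data into PowerShell, Access or a spreadsheet; for repeated captures save your filter once with /SaveConfig and replay it with /LoadConfig so the backing file stays small.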
GFI LanGuard is not a free product. It is, however, one of the better vulnerability and patch management tools, and it provides auditing as well, so you would characterise it as a combined system management and security tool. It scans machines for missing security patches and installs the ones that are absent, and you can use it to push out software. It also works on Linux, so you could use the same tool on both platforms and standardise on a single product.
The Windows Reliability Monitor is included in Windows Server 2008 and later versions of Windows. It plots a stability index over time, and critical operating system events (application crashes, unexpected shutdowns, failed updates) are marked with red X icons. Click on an X to get detailed information drawn from the Windows event log. To run it, type 'reliability' in the Start menu search box, or run perfmon /rel.
I'm going to add Microsoft Access to this list and, optionally, Visual Basic. Access is an easy-to-use, powerful database that Microsoft bundles only with the Professional editions of Office, not the cheaper ones, probably because people weren't much interested in learning it. Instead they learned how to make Pivot Tables in Excel. But you can do so much more with Access than Pivot Tables, and it is not difficult.
What makes Access so powerful is its ability to import data (CSV and text files, Excel sheets, ODBC sources) and run SQL queries against it. You do not need to know SQL, as the query designer builds the SQL for you from a grid.
With Access, you could, for example, import the Windows event log or any other data and then use the graphical interface to count and total record types, show the maximum or minimum record, or show records in a sort list. You can generate reports and export data to text, Excel, or other formats.
The other thing about Access is that, like Word and Excel, it includes the Visual Basic programming language, formally Visual Basic for Applications (VBA). If you are a programmer there is no end to what you can automate in system administration once you have a programming tool at your disposal. A lighter-weight dialect, VBScript, runs outside Office altogether: you save the script as a .vbs file and run it from the command prompt with cscript (or wscript for a windowed version). VBScript lacks VBA's editor and forms, but it can drive any COM object, including the ADO database objects, so it can read an Access database or the event log perfectly well.
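Getting event-log data into something Access can import, and the "count by record type" summary the text describes, as an added example (not from the original article). It stays in PowerShell; the CSV goes through Access's Text Import wizard, and the last part shows the same kind of query run against an Access file through OLE DB, which is the route a VBScript would take via ADO. File, database and table names are placeholders.

```powershell
# Added example: export the System log for Access, summarise it, and query an .accdb.
$csv = Join-Path $env:USERPROFILE 'Documents\system-events.csv'   # assumption

# Export the last 24 hours of the System log. Export-Csv writes a header row that the
# Access import wizard picks up; the message is flattened to one line so it stays one field.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-1) } |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
                  @{ n = 'Message'; e = { $_.Message -replace '[\r\n]+', ' ' } } |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# The equivalent of an Access totals query (GROUP BY provider and level, COUNT(*)),
# so you have a known answer to check the Access result against.
Import-Csv $csv |
    Group-Object ProviderName, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15

# Once the CSV has been imported into an Access table, the database can be queried from
# PowerShell through the Access Database Engine OLE DB provider. The provider's bitness
# must match the PowerShell host (32-bit Office needs a 32-bit PowerShell, and vice versa).
$conn = New-Object System.Data.OleDb.OleDbConnection(
    'Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Data\events.accdb')   # assumption: path
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT LevelDisplayName, COUNT(*) AS n FROM Events GROUP BY LevelDisplayName'   # assumption: table name
    $rdr = $cmd.ExecuteReader()
    while ($rdr.Read()) { '{0,-12} {1}' -f $rdr['LevelDisplayName'], $rdr['n'] }
    $rdr.Close()
}
finally { $conn.Close() }
```

Using StartTime in the filter hashtable keeps the export to a day's worth of events; leave it out and a busy server's System log will take a while to dump and longer for Access to import.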