Category Archives: Powershell

Powershell, Windows

Running into “The parameter is incorrect.” / “HRESULT 0x80070057” when managing scheduled tasks via powershell

Leave a comment

It took me quite some troubleshooting time, but in the end it’s a quite interessting conclusion.

After trying to create a scheduled task that runs every second Saturday per month, I ran into the following error:

Set-ScheduledTask : The parameter is incorrect.
At C:\ITX\itxWindowsUpdate.ps1:436 char:5
+     Set-ScheduledTask -InputObject $task -User $(Get-LocalUser -Name  ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Set-ScheduledTask], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070057,Set-ScheduledTask

As Windows Powershell is not able to create monthly tasks I used schtasks.exe utility to create the skeleton for the task/minimal task containing the trigger-definition and afterwards manipulate it via powershell to add the missing configuration.

To do so i used Get-ScheduledTask to obtaint he object references for the task and Set-ScheduledTask to write the object again.

Turns out – the task obtained via Get-ScheduledTask contains the trigger defintion for the montly repetition which can’t be handled by powershell and therefor the task itself can not be saved again but results in the above error. 😜

As it seems there are only two ways on how to deal with that problem:
Export the task-definition as an XML and just reimport it via powershell on other systems which require the same configuration (currently untested) or run it daily and deal with the problem within the script.

Lil bit of the debugging-code as a reference for future projects.

Write-Host -ForegroundColor Yellow "Modifying the task"
$action=New-ScheduledTaskAction -Execute "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Argument '-NoProfile -command "& C:\BLUB\WindowsUpdate\WindowsUpdate.ps1 -reboot_machine 0"'
$principal = New-ScheduledTaskPrincipal -LogonType Password -RunLevel Highest -UserId "$($env:COMPUTERNAME)\Administrator"
#$principal = New-ScheduledTaskPrincipal -RunLevel Highest -UserId "$($env:COMPUTERNAME)\Administrator"

#$task=New-ScheduledTask -Action $action -Description "Daily Update Task for Monitoring and Defender Updates" -Trigger $trigger -Settings $settings -Principal $

$task=$(Get-ScheduledTask -TaskName $task_name -TaskPath \BLUB\)
#$task.Actions=$action
$task.Description="TEST_test"
#$task.Principal=$principal
#Register-ScheduledTask -TaskName $task_name -InputObject $task -TaskPath BLUB -User $(Get-LocalUser -Name Administrator) -Password $password
$task | Set-ScheduledTask -User $(Get-LocalUser -Name Administrator) -Password $password
#-User $(Get-LocalUser -Name Administrator) -Password $password 
#Set-ScheduledTask -TaskPath "BLUB" -TaskName $task_name -Action $action -Principal $principal
#-Principal $principal
# -User $(Get-LocalUser -Name Administrator)

Deployment, Powershell, Tools, Windows

WSUS Server unable to obtain updates

Leave a comment

If a WSUS server fails to obtain updates with the following error: “wsus the request failed with http status 404 not found” this might be because it still uses an old/outdated URL (https://fe2.update.microsoft.com/v6) to obtain the updates from.

This can be checked and changed with the following PS1 Snippet:

$server = Get-WsusServer
$config = $server.GetConfiguration()
# Check current settings before you change them 
$config.MUUrl
$config.RedirectorChangeNumber
# Update the settings if MUUrl is https://fe2.update.microsoft.com/v6
$config.MUUrl = "https://sws.update.microsoft.com"
$config.RedirectorChangeNumber = 4002
$config.Save()
iisreset
Restart-Service *Wsus* -v

Powershell, Windows

PowerShell AD Snippet

Leave a comment

Simple snippet to get a list when the passwort of a service user was set the last time.

Get-ADUser -Filter 'Name -like "svc*"' -Properties * | select Name,@{name ="pwdLastSet"; expression={[datetime]::FromFileTime($_.pwdLastSet)}}

Requires the Active Directory Powershell module to run.

Command must also be run in an elevated powershell session (Run as Administrator)

Otherwise the pwdLastSet attribute will not be obtained!

Sid To Username

Param
(
    [parameter(
        Mandatory=$true,
        HelpMessage="User SID"
        )
    ]
    [String]
    [alias("sid")]
    $user_sid
)
$objSID = New-Object System.Security.Principal.SecurityIdentifier $user_sid 
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount]) 
$objUser.Value

Powershell, Tools, VMware

Simply check if login on an ESXi works and return it’s license

Leave a comment

Just a simple script to test ESXi Connectivity and return the current license state of the server by using PowerCLI

param(
    [Parameter(Mandatory = $true, HelpMessage = 'Provide username for login on ESXi')]
    [String] $username,
    [Parameter(Mandatory = $true, HelpMessage = 'Provide password for login on ESXi', ParameterSetName = 'Secret')]
    [Security.SecureString] $password

)

#check user/pwd
if($username -like "" -Or $password -like "")
{
    Write-Host -ForegroundColor Red "Username/Password seems wrong"
    exit(1)
}

#define domain
$domain="forensik.justiz.gv.at"

#disable certificate checking as we have self signed certs
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

$hosts="SITE01-ESX01","SITE01-ESX02","SITE01-ESX03","SITE01-ESX04","SITE01-ESX05","SITE01-ESX06","SITE02-ESX01","SITE02-ESX02","SITE02-ESX03","SITE02-ESX04","SITE02-ESX05","SITE02-ESX06" 



foreach($var_host in $hosts)
{
    Write-Host -ForegroundColor Yellow $var_host"."$domain
    Connect-VIServer -Server $var_host"."$domain -User $username -Password ([Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)))
    $(Get-VMHost).Name
    $(Get-VMHost).Version
    $(Get-VMHost).LicenseKey
    $(Get-VMHost).Uid
    Disconnect-VIServer $var_host"."$domain -WarningAction SilentlyContinue -Confirm:$false
    Write-Host -ForegroundColor Cyan "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
}

Powershell, Security, Tools, Windows

Start PS-Admin session from an unprivileged user

Leave a comment 
 runas  /user:administrator 'powershell -command Start-Process powershell -verb runas'
Powershell, Tools, VMware

PowerCLI batch revert to Snapshot

Leave a comment

The following script-let can be used to revert a bunch of VMs/all VMs in a folder back to the first snapshot made for the VM

$vms = Get-Folder "MY_VM_FOLDER_NAME" | Get-VM
 
foreach($vm in $vms)
{
    $vm.name
    $snap = Get-Snapshot -VM $vm | Sort-Object -Property Created -Descending | Select -First 1
    Set-VM -VM $vm -SnapShot $snap -Confirm:$false
    echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
}
Monitoring, Powershell, VMware, Windows

Powershell/PowerCLI very slow execution Time

Leave a comment

Sometimes a PowerCLI-script can take quite some time till everything is executed. For example the PowerShell scripts used by Zabbix to gather the vCenter alarms into Zabbix (BlogPost) need some tuning to run fine.

So why are scripts running slow in some cases?
It seems to occur primary on systems which do not have a connection to the internet. As a matter of fact – most of the systems I’m setting up “lose” internet connection sooner, or later. :/

What exactly causes the problem?
While investigating that problem i found an interesting feature which seems to cause the problem – certificate checks!
There is an IE-setting which is named “Check for publisher’s certificate revocation ” and can be found at: Intenet Options -> Advanced -> Section: Security ->Disable: Check for publisher’s certificate revocation.

Disabling the certificate checks improves the execution time by about 60%.

certificate-check enabled:

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 41
Milliseconds      : 536
Ticks             : 415369143
TotalDays         : 0.000480751322916667
TotalHours        : 0.01153803175
TotalMinutes      : 0.692281905
TotalSeconds      : 41.5369143
TotalMilliseconds : 41536.9143

 

certificate-check disabled:

Days : 0
Hours : 0
Minutes : 0
Seconds : 16
Milliseconds : 262
Ticks : 162628208
TotalDays : 0.000188227092592593
TotalHours : 0.00451745022222222
TotalMinutes : 0.271047013333333
TotalSeconds : 16.2628208
TotalMilliseconds : 16262.8208

 

If the script is run from a normal user account everything should be fine and we have an improved execution time, BUT …

… if the script is run from an Service (and as a matter of fact I’m using the Zabbix agent service to run the script) we got a problem.
With default settings the Zabbix Agent is installed to run as nt authority\system, so if the IE-setting is changed for the current user, its working for this user, but not for the system user. 🙁
So a quick and dirty workaround could be to disable the setting for the system user.
ATTENTION: Running the Zabbix Agent as a system user is OK for a DEV-environment, but should not be used in an production environment. For production a dedicated service user should be used.

I disabled it by becoming a system user with

[pastacode lang=”bash” message=”” highlight=”” provider=”manual”]

PSEXEC -i -s -d CMD

[/pastacode]

and launching the IE from the command prompt. Afterwards I was able to disable the setting via the above method.

Otherwise the Key could also be found in the registry at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
0x00023e00 / 146944 Check OFF
0x00023c00 / 146432 Check ON

A simple PS-Script to disable the setting would be:

[pastacode lang=”bash” message=”PowerShell to disable Publisher certificate checks” highlight=”” provider=”manual”]

Write-Host "Disable Check for publisher’s certificate Revocation"
set-ItemProperty -path "REGISTRY::\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\" -name State -value 146944

[/pastacode]