Friday, November 27, 2009

Using ProcDump.exe to monitor w3wp.exe for CPU spikes

ProcDump is a lightweight Sysinternals command-line utility whose primary purpose is to monitor an application for CPU spikes and generate crash dumps during such spikes, which an administrator or developer can then use to determine the cause or share with PSS for further analysis. It can also serve as a general process dump utility that you can embed in other scripts.

It removes the need to maintain separate utilities such as Debug Diag 1.1 for 32-bit processes and adplus for 64-bit processes on the same server.

The Problem

Looking at Task Manager we can see the w3wp.exe process intermittently spiking CPU to between 49% and 60% and then immediately dropping back down.

To troubleshoot this we need to capture two dumps of w3wp.exe when the process reaches 50% CPU and stays there for about 3 consecutive seconds. Using Debug Diag 1.1 or adplus this could be a tricky task, as it would take a great deal of accuracy to generate the dumps manually at the moment the CPU spike actually happens; otherwise we may end up with dumps that do not capture the activity responsible for the spike.

The Savior

ProcDump.exe comes in handy in such situations to speed up the course of action and help in getting the right set of data. It monitors the target process for a CPU spike that lasts for the specified duration and takes a snapshot at that point.

For example:

procdump -ma -c 50 -s 3 -n 2 5844(Process Name or PID)

-ma Write a dump file with all process memory. The default dump format includes thread and handle information.

-c CPU threshold at which to create a dump of the process.

-s Consecutive seconds CPU threshold must be hit before dump written (default is 10).

-n Number of dumps to write before exiting.

The above command monitors w3wp.exe (PID 5844) until its CPU usage stays at or above 50% for 3 consecutive seconds, and writes a full dump on each of two such spikes before exiting.

C:\Users\jaskis\Downloads\procdump> procdump -ma -c 50 -s 3 -n 2 5844

ProcDump v1.1 - Writes process dump files
Copyright (C) 2009 Mark Russinovich
Sysinternals -

Process: w3wp.exe (5844)
CPU threshold: 50% of system
Duration threshold: 3s
Number of dumps: 2
Hung window check: Disabled
Exception monitor: Disabled
Dump file: C:\Users\jaskis\Downloads\procdump\w3wp.dmp

Time CPU Duration
[23:48.35] 59% 1s
[23:48.36] CPU usage below threshold.
[23:48.37] 54% 1s
[23:48.38] 55% 2s
[23:48.39] 61% 3s
Process has hit spike threshold.
Writing dump file C:\Users\jaskis\Downloads\procdump\w3wp_080309_114839PM.dmp... Dump written.

[23:48.44] 61% 1s
[23:48.45] 59% 2s
[23:48.46] 57% 3s
Process has hit spike threshold.
Writing dump file C:\Users\jaskis\Downloads\procdump\w3wp_080309_114846PM.dmp...
Dump written.

A few other interesting switches

-64 By default ProcDump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides that to a 64-bit dump.

-o Overwrite an existing dump file.

Another area worth investing time in would be to write a batch file and run it as a Windows service, so that a dump is taken on a CPU spike even when the user has logged off from the server.
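As an added example (not part of the original post), here is a PowerShell wrapper that puts the switches above into an unattended script: it resolves the w3wp.exe PID for one application pool, writes the dumps into a folder that only administrators and SYSTEM can read, and can be registered as a scheduled task so monitoring continues after logoff. The tool path, dump folder and pool name are assumptions; appcmd.exe is assumed present, as it is on any IIS 7.x server.

```powershell
# Added example (not from the original post): run ProcDump unattended against
# the worker process of one application pool.
param(
    [string]$AppPool      = 'DefaultAppPool',             # assumption
    [int]   $CpuThreshold = 50,   # -c: CPU % that counts as a spike
    [int]   $Seconds      = 3,    # -s: the spike must last this many seconds
    [int]   $DumpCount    = 2,    # -n: dumps to write before exiting
    [string]$ProcDumpDir  = 'C:\Tools\procdump',           # assumption
    [string]$DumpDir      = 'C:\Dumps\w3wp'                # assumption
)

# A full dump (-ma) of w3wp.exe contains everything the worker held in memory
# (session state, connection strings, request bodies), so the output folder
# is created with access for administrators and SYSTEM only.
if (-not (Test-Path $DumpDir)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
    & icacls $DumpDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

# With several worker processes on the box a bare "w3wp.exe" is ambiguous, so
# resolve the PID of the pool we care about. appcmd prints one line per worker
# process, e.g.:  WP "5844" (applicationPool:DefaultAppPool)
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$pattern = "\(applicationPool:$([regex]::Escape($AppPool))\)"
$wpLine  = & $appcmd list wp | Where-Object { $_ -match $pattern } | Select-Object -First 1
if (-not $wpLine) { throw "No running worker process for app pool '$AppPool'." }
$wpPid = [int][regex]::Match($wpLine, 'WP "(\d+)"').Groups[1].Value

# ProcDump writes w3wp_<date>_<time>.dmp into the current directory (see the
# session above), so change into the restricted folder before starting it.
# -accepteula suppresses the licence prompt that would block an unattended run.
Push-Location $DumpDir
& (Join-Path $ProcDumpDir 'procdump.exe') -accepteula -ma -c $CpuThreshold -s $Seconds -n $DumpCount $wpPid
$rc = $LASTEXITCODE
Pop-Location
exit $rc

# To keep monitoring after logoff, register this script as a task run by SYSTEM
# (a lighter alternative to the service approach mentioned above), for example:
#   schtasks /create /tn "ProcDump-w3wp" /sc onstart /ru SYSTEM `
#     /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Tools\Watch-W3wp.ps1"
```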

Stay tuned for more on this.

Configuring FTP 7.5 with Host Header and SSL

FTP 7.5 comes with new features such as support for host headers (virtual hosts) and SSL. For compatibility, FTP clients can check whether the FTP server supports host headers by sending a FEAT command to list the supported features. An FTP server that supports them responds with HOST as one of its extended features, and from then on the client can use it.

FTP clients can currently use this feature in two ways:

1. They can send the virtual host name together with the username when authenticating to the FTP server, as below:

Connected to
220 Microsoft FTP Service
User (|
331 Password required for|
230 User logged in.


2. They can send the following command to connect to a specific virtual host name, as below:

ftp> quote host
220 Host accepted.
ftp> user
331 Password required for .
230 User logged in.

In this example the test was done with the default ftp.exe that ships with Windows. Smarter FTP clients can send HOST transparently, without the end user knowing about it.

If you are setting up your FTP site on IIS 7 over SSL using a host header, there are some caveats you need to remember, as discussed below.

I have an FTP site, shown below, which uses a host header and is configured to accept SSL connections.


Under FTP SSL Settings I have the following configuration as shown below:


If we try to access the FTP site using an SSL-enabled FTP client, it fails as shown below:

Command: AUTH TLS
Response: 534-Local policy on server does not allow TLS secure connections.
Response: Win32 error: Access is denied.
Response: Error details: SSL certificate was not configured.
Response: 534 End
Command: AUTH SSL
Response: 534-Local policy on server does not allow TLS secure connections.
Response: Win32 error: Access is denied.
Response: Error details: SSL certificate was not configured.
Response: 534 End

*Output from FileZilla FTP client

NOTE: AUTH TLS/SSL negotiation for the primary (control) connection uses the certificate configured at the global level, while the data connection uses the certificate installed at the site level.

Some FTP clients, such as FileZilla, require the same SSL certificate to be used for both the control and the data channel. If the certificates don't match, the primary connection is established but the data transfer connection is aborted, as shown below:

Command: LIST
Response: 150 Opening BINARY mode data connection.
Error: Primary connection and data connection certificates don't match.
Error: Transfer connection interrupted: ECONNABORTED - Connection aborted
Response: 226 Transfer complete.
Error: Failed to retrieve directory listing

*Output from FileZilla FTP client

If we have the SSL certificate only at the global level and not at the FTP site level, we see an error again, as below:

Command: PROT P
Response: 431-Failed to setup secure session.
Response: Win32 error:
Response: Error details: SSL certificate hash has invalid length.
Response: 431 End
Command: LIST
Response: 534-Protection level negotiation failed.
Response: Win32 error: Access is denied.
Response: Error details: Protection negotiation failed. PROT command with recognized parameter must precede this command.
Response: 534 End
Error: Failed to retrieve directory listing

*Output from FileZilla FTP client

So overall, we need to ensure that a valid SSL certificate is set at both the global level and the individual FTP site level. Whether the same certificate or different ones are expected for the primary and data connections ultimately depends on the FTP client.
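As an added example (not part of the original post), the following PowerShell function exercises the control-channel exchange described above from a plain TCP socket: it reads the FEAT reply to confirm HOST is advertised, sends the virtual host name, issues AUTH TLS, and reports whether the server answered 234 (TLS negotiated) or 534 (refused, as in the FileZilla output above), plus the thumbprint of the certificate that answered on the control channel. The server name, host header and port are assumptions for your own environment.

```powershell
# Added example (not from the original post): check HOST and AUTH TLS on an
# FTP 7.5 site's control channel and report which certificate it presents.
function Test-FtpHostTls {
    param([string]$Server, [string]$HostName, [int]$Port = 21)

    $tcp    = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream, [Text.Encoding]::ASCII)
    $writer = New-Object System.IO.StreamWriter($stream, [Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    # Reads one FTP reply, including multi-line replies ("211-..." up to "211 End").
    $readReply = {
        $lines = @(); $first = $reader.ReadLine(); $lines += $first
        $code = $first.Substring(0, 3)
        if ($first.Length -gt 3 -and $first[3] -eq '-') {
            do { $line = $reader.ReadLine(); $lines += $line } until ($line.StartsWith("$code "))
        }
        return ,$lines
    }
    $send = { param($cmd) $writer.WriteLine($cmd); & $readReply }

    $result = @{}
    [void](& $readReply)                                   # 220 banner
    $feat = @(& $send 'FEAT')
    $result.HostSupported = [bool]($feat -match '^\s*HOST')
    if ($result.HostSupported) {
        $result.HostReply = @(& $send "HOST $HostName")[0]  # expect "220 Host accepted."
    }
    $auth = @(& $send 'AUTH TLS')
    $result.AuthReply = $auth -join "`n"                    # 234 = ok, 534 = refused
    if ($auth[0].StartsWith('234')) {
        # Upgrade the control channel to see which certificate answered. Validation
        # is bypassed here only so the thumbprint can be reported for comparison
        # with the site-level certificate; do not copy this into a transfer client.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.ControlCertThumbprint = $cert.Thumbprint
        $result.ControlCertSubject    = $cert.Subject
        $ssl.Close()
    }
    $tcp.Close()
    return $result
}

# Placeholder values: replace with your own server and host header.
Test-FtpHostTls -Server 'ftp.example.test' -HostName 'ftp.example.test'
```

If AuthReply starts with 534 and mentions "SSL certificate was not configured", the global-level certificate is missing; a 431 on PROT P later in the session points at the site-level certificate instead.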

Thursday, November 26, 2009

How to Set Up Your Own VMware ESXi4 Server


Before you can start installing there are a couple of important prerequisites: the server hardware and the ESXi4 software to install on it. For various reasons you can't just install ESXi4 on any old PC; although it is less picky than previous versions, there are still some basic hardware requirements you must meet. A fundamental requirement is a 64-bit CPU. If you only have a 32-bit CPU available, you will have to limit yourself to the previous version, 3.5, which fortunately is also free.


Easier Navigation Between Remote Desktop Sessions with Windows 7/2008 R2

In previous versions of Windows, the Remote Desktop client, mstsc.exe, had a yellow tab at the top of the screen, visible when using the RDP connection in full screen. This tab could be pinned to the top of the screen, or minimized when needed.

So far, so good.

Now imagine this: you're using a Windows Server 2003, Windows Server 2008, or even a Windows XP Pro machine as an RDP gateway to other servers and computers on your network. This is a very common scenario for organizations that need to give remote administrators access to their internal servers but do not want to enable RDP access to the entire set of internal computers. It is also useful for administrators who do not have a VPN or SSL VPN infrastructure that lets them connect to whichever internal computers they need.

This way, these administrators only enable RDP access to one external computer, which could be a Windows Server 2003, Windows Server 2008, or even a Windows XP Pro machine. From there, the connected administrator opens another RDP connection to the internal machines, creating an RDP-in-RDP session.

Now, the nasty part is that in an RDP-in-RDP session the yellow RDP bars sit one on top of the other, making it hard to minimize one screen rather than the other.

For example, I have an XP Pro machine that has a VPN connection to a specific client's network. After connecting, I need to open an RDP session to a Windows Server 2008 machine at


Saturday, November 7, 2009

Did you know… The default Application Pool Identity in IIS 7.5 (Windows 7) changed from NetworkService to AppPoolIdentity?

In Windows 7, IIS application pool isolation was taken to yet another level. The change introduced in IIS7 (Windows Server 2008) was a new option to run your application pool as AppPoolIdentity. However, the default application pool identity in IIS7 remained the same – NetworkService. In IIS7.5, AppPoolIdentity becomes the default. Thus, scripts that previously expected permissions for their application pool identity to be set for “NT Service\NetworkService” will now have to set permissions (ACLs) for “IIS AppPool\” – the user account created for each new application pool.

Thus, to set permissions for the DefaultAppPool, the scripts will need to set ACLs for “IIS AppPool\DefaultAppPool”.

The incentive behind this change was to enforce process isolation more strictly through separate user accounts generated for each application pool identity.
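As an added example (not part of the original post), this PowerShell function grants the per-pool account described above the NTFS rights a site needs, and nothing more: read and execute on content, modify only on a folder that must be written to. The pool name and paths are placeholders.

```powershell
# Added example (not from the original post): grant an IIS 7.5 application
# pool's virtual account least-privilege NTFS access using the
# "IIS AppPool\<PoolName>" account name that the post describes.
function Grant-AppPoolAccess {
    param(
        [string]$PoolName,
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    $account = "IIS AppPool\$PoolName"

    # The virtual account only exists once the pool has been created, so resolve
    # it to a SID first; this fails loudly for a misspelled or missing pool name
    # instead of silently writing an unresolvable ACE.
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
                   $sid, $Rights, $inherit, $prop, 'Allow'

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Granted $Rights on $Path to $account ($sid)"
}

# Placeholder pool and paths: content is read-only for the pool, uploads are
# the only location it may modify.
Grant-AppPoolAccess -PoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\MyApp'
Grant-AppPoolAccess -PoolName 'DefaultAppPool' -Path 'C:\inetpub\wwwroot\MyApp\Uploads' -Rights Modify
```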

To see the other options available for your application pool identity, open IIS Manager, go to Application Pools, right-click the pool you want to configure, select Advanced Settings, and then Identity in the dialog that opens. You can choose one of the built-in accounts for your application pool identity:


Here is a list of built-in accounts and their corresponding usernames to use when setting permissions:

LocalService: Service
LocalSystem: System
NetworkService: Network Service
ApplicationPoolIdentity: IIS AppPool\

You can also specify an existing custom account (local or domain):