Getting Working Processes within IIS App Pools - scripting

I am looking for a way to enumerate through the Virtual Directories (Windows Server 2003) in an App Pool and get diagnostic data (specifically WorkingSet, Private Bytes, and Virtual Bytes).
I've found plenty on how to enumerate through a server's App Pools, and getting the Virtual Directories within, but what do I need to do in order to obtain diagnostic data?
Basically I want to add a script that grabs this data for a monitoring app (NAGIOS). We have a script that already grabs the top 2 running worker processes on the server, but we don't know what app pool they belong to.
Thanks.

As you've discovered, it's a two-step process: you need to look up resource utilization for every worker process, and you also need to know which app pool corresponds to each worker process.
You've already figured out the first part. Here's how to do the other part: in Windows Server 2003, there's a command-line script called iisapp.vbs. See the documentation for more details. The output from this command-line tool will look like this:
W3wp.exe PID: 2232 AppPoolID: DefaultAppPool
W3wp.exe PID: 2608 AppPoolID: MyAppPool
Simply parse the output from this script and you'll be able to tie process IDs to App Pools. Then look up each process by ID or filter your existing list of enumerated processes to find the matching Process ID.
There may be additional restrictions too around security and specific IIS configuration needed. See the documentation link above.
Note that Windows Server 2008 uses a different command, appcmd list wp, and it has a different output format, so this solution is specific to Windows Server 2003.
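As an added example (not part of the original answer), here is the two-step join the answer describes, written as a Nagios-style check in Python: parse the iisapp.vbs lines into a PID-to-pool map, attach the per-process byte counters that the asker's existing script already collects, and emit a Nagios plugin line with perfdata and exit code. The sample output, metric values and thresholds are constructed; on a real host the counters would come from the existing enumeration script (or Win32_Process via WMI) and the text from running cscript iisapp.vbs.

```python
import re

# One line of "cscript iisapp.vbs" output (Windows Server 2003), e.g. "W3wp.exe PID: 2232 AppPoolID: DefaultAppPool"
IISAPP_LINE = re.compile(r"^W3wp\.exe\s+PID:\s*(\d+)\s+AppPoolID:\s*(\S+)\s*$", re.I)
NAGIOS = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}
COUNTERS = (("WorkingSet", "ws"), ("PrivateBytes", "pb"), ("VirtualBytes", "vb"))

def parse_iisapp(text):
    """Map worker-process PID -> app pool; lines that do not match (e.g. the cscript banner) are skipped."""
    pools = {}
    for line in text.splitlines():
        m = IISAPP_LINE.match(line.strip())
        if m:
            pools[int(m.group(1))] = m.group(2)
    return pools

def join_metrics(pools, metrics):
    """Attach per-PID byte counters (from the existing enumeration script) to each pool.
    A PID listed by iisapp.vbs but missing from the metrics (worker recycled between the
    two samples) is returned separately rather than silently dropped."""
    rows = [dict(pool=pool, pid=pid, **metrics[pid]) for pid, pool in sorted(pools.items()) if pid in metrics]
    missing = [pid for pid in sorted(pools) if pid not in metrics]
    return rows, missing

def nagios_check(rows, missing, warn_mb, crit_mb):
    """Return (exit code, plugin output line) in Nagios format; thresholds apply to Private Bytes."""
    state, notes, perf = "OK", [], []
    for r in rows:
        priv_mb = r["PrivateBytes"] / (1024.0 * 1024.0)
        if priv_mb >= crit_mb:
            state = "CRITICAL"
        elif priv_mb >= warn_mb and state == "OK":
            state = "WARNING"
        label = "%s[%d]" % (r["pool"], r["pid"])
        notes.append("%s private=%.0fMB" % (label, priv_mb))
        perf.extend("'%s_%s'=%dB" % (label, short, r[key]) for key, short in COUNTERS)
    if missing:  # incomplete data is reported as UNKNOWN, never as a false OK
        state = "UNKNOWN" if state == "OK" else state
        notes.append("no metrics for PID(s) %s" % ",".join(map(str, missing)))
    return NAGIOS[state], "W3WP %s - %s | %s" % (state, "; ".join(notes), " ".join(perf))

# Constructed sample: iisapp.vbs output (with the cscript banner the parser must skip)
# and a matching per-process snapshot in bytes (2**20 = 1 MB).
SAMPLE_OUTPUT = """Microsoft (R) Windows Script Host Version 5.6
W3wp.exe PID: 2232 AppPoolID: DefaultAppPool
W3wp.exe PID: 2608 AppPoolID: MyAppPool
"""
SAMPLE_METRICS = {
    2232: {"WorkingSet": 80 * 2**20, "PrivateBytes": 60 * 2**20, "VirtualBytes": 300 * 2**20},
    2608: {"WorkingSet": 420 * 2**20, "PrivateBytes": 700 * 2**20, "VirtualBytes": 1200 * 2**20},
}
```

Running nagios_check(*join_metrics(parse_iisapp(SAMPLE_OUTPUT), SAMPLE_METRICS), 512, 1024) on the sample yields exit code 1 and a WARNING line, because MyAppPool's worker is above the 512 MB warning threshold.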

Related

Source Computer name in custom logs collected by Azure Monitor Agent

I have set up Azure Monitor custom log collection on my Linux VM by following the tutorial and all works fine, except that the Computer Name column in my custom table does not get populated. This means I have no easy way to distinguish between similar logs sourced from multiple VMs.
I could probably hack the hostname into the log file itself and get Azure to parse it into a field, but on the one hand I don't want to customize the log file if possible; I believe the agent should be capable of propagating this information somehow.
Is there anything that needs to be configured outside of the tutorial, or is it a current limitation of the Azure Monitor Agent?
Fixed in 2023 Feb by Microsoft: https://learn.microsoft.com/en-us/answers/questions/951629/custom-logs-hostname-field-azure-monitoring-agent

IIS Multiple process Issue

IIS creates another worker process (w3wp.exe) for an application pool. When there are two worker processes working at the same time and you try and load the web application, it will just hang and not load at all. On a rare occasion, the server clears down one of the IIS worker processes; it then regains normal working order and you can load the website again. However, 8 times out of 10, they need to reboot their server in order to clear the process and gain working use of the website.
Has anyone seen something like this before or have any ideas as to what this could be and how we can get round it? We are using Windows Authentication for the website.

How to determine whether a file has passed anti-virus detection?

We have to develop a Java web service that is running on WebLogic Server 12.2.1 on a Windows Server 2008 R2 server. The web service allows clients to send files to it in BASE64 format, which the web service will then decode and then create actual files on the server with the decoded binary.
The server has Trend Micro OfficeScan Client installed, which I was told will scan any file that is copied to the server. If the binary that I am writing to disk contains a virus, would the IO write fail immediately because of the virus detection? I am not exactly sure when the virus scanning will take place. Is it immediately while a file is in the midst of being created on the server, or after a file has already been created on the server?
I need to know this because we want the web service to send an alert back to the client if the file that he sent contains malware. Therefore, how can the web service determine that no virus has been detected by Trend Micro OfficeScan Client?
Thanks.
If the "realtime protection" option is enabled in the AV, then it will immediately detect the virus "after" the writing operation is completed.
The best way I can think of for your scenario is to programmatically invoke the AV to scan the file, using the command-line options of the AV. Then you'll know for sure that the AV has finished the scanning, and get the scanning results as well.

Windows Server 2008 VM - network services failing

I would really appreciate another perspective on an issue we have been experiencing.
The environment:
We have a small subset of VMs (5 Windows Server 2008 R2 VMs) hosted on a Windows Server 2012 Cluster of 8 physical hosts which supports hundreds of VMs across various OSes (2008/2012 etc.).
The issue:
Servers within the subset of VMs experience widespread network SERVICE failures. The failure presents itself as a loss in connectivity for a large number of network-related services operating on the VMs (including certain critical network-dependent applications).
The impacts:
Server remains online.
Inability to RDP to the servers via Domain Accounts (Local accounts are fine).
Windows event logs associated with Netlogon Failure: Event ID 5719 - This computer was not able to set up a secure session with a domain controller in domain DOWNERGROUP due to the following:
The RPC server is unavailable. This may lead to authentication problems.
Windows event logs associated with Group Policy Failure:
Event ID 1054: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly
Widespread Agent Failure (AV, Monitoring, Application) - Lack of connectivity to centralised management servers.
The resolution(s): stopping an agent service. Strangely, it's not limited to a specific agent: if we stop agent A, the server comes back to life; however, if we stop agent B instead, the server also comes back to life with agent A still running. Restarting the VM also resolves the issue.
Note that these events do not appear on other VMs hosted off the same host at the time of the outage. Also note that the guest is located on the same host prior to, during and after the outage.
We have investigated the suspicion that there may be issues with Dynamic Range Port Allocation, with the server possibly getting into a bottleneck state. We have implemented the "MaxUserPort" and "TCPTimedWaitDelay" registry parameters and have set them to 65k and 30 respectively.
Also note that when an outage occurs, it does not always occur on the same VMs in the group. Oftentimes it is 2, 3, 4 or all servers.
I'm really just asking if anyone can see these symptoms and relate them to possible causes for our situation.
Any help/discussion would be appreciated.
Well, this turned out to be an interesting resolution.
We discovered that one of our server agents, while not actually showing open ports in Netstat, had over 40,000 handles growing linearly over time.
Had to enable the "handles" column in task manager to be able to see this info.
This was the miracle post...
http://blogs.technet.com/b/kimberj/archive/2012/07/06/sever-quot-hangs-quot-and-ephemeral-port-exhaustion-issues.aspx

What is w3wp.exe?

I have a WCF service running under a service user on my local system. Every time I try to debug it, it gives me an Attach Security Warning message.
In Visual Studio, by default (even without attaching), I get this error:
Attaching to this process can potentially harm your computer. If the information below looks suspicious or you are unsure, do not attach to this process
Name: C:\Windows\System32\inetsrv\w3wp.exe
What is w3wp.exe? According to a Google search, I think it is related to IIS. But what does it do? What setting should be changed so that this won't give this message every time I try to debug on my local system?
An Internet Information Services (IIS) worker process is a Windows process (w3wp.exe) which runs Web applications, and is responsible for handling requests sent to a Web Server for a specific application pool.
It is the worker process for IIS. Each application pool creates at least one instance of w3wp.exe, and that is what actually processes requests in your application. It is not dangerous to attach to this; that is just a standard Windows message.
Chris pretty much sums up what w3wp is. In order to disable the warning, go to this registry key:
HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\10.0\Debugger
And set the value DisableAttachSecurityWarning to 1.
A worker process runs as an executable file named W3wp.exe.
A worker process is user-mode code whose role is to process requests, such as processing requests to return a static page.
The worker process is controlled by the WWW service.
Worker processes also run application code, such as ASP.NET applications and XML Web Services.
When the application pool receives the request, it simply passes the request to the worker process (w3wp.exe). The worker process "w3wp.exe" looks up the URL of the request in order to load the correct ISAPI extension. ISAPI extensions are the IIS way to handle requests for different resources. Once ASP.NET is installed, it installs its own ISAPI extension (aspnet_isapi.dll) and adds the mapping into IIS.
When the worker process loads aspnet_isapi.dll, it starts an HttpRuntime, which is the entry point of an application. HttpRuntime is a class which calls the ProcessRequest method to start processing.
For more detail, refer to this URL:
http://aspnetnova.blogspot.in/2011/12/how-iis-process-for-aspnet-requests.html
w3wp.exe is a process associated with the application pool in IIS. If you have more than one application pool, you will have more than one instance of w3wp.exe running. This process usually allocates large amounts of resources. It is important for the stable and secure running of your computer and should not be terminated.
You can get more information on w3wp.exe here:
http://www.processlibrary.com/en/directory/files/w3wp/25761/