Guessing the locale of a logfile

I got a question about my DNS Debug script, which parses the DNS logfile so it is easier to find what is happening in the DNS. A nice guy was having issues with a log file, so he sent over a few rows.

Okay, let's be honest, it took me a while to get around to it. There is a thing called Corona making all the headlines right now 🙁

Anyway, since he sent it in on the 6th of March 2020, I had a good guess about the date format being dd-MM-yyyy. But that didn't really help me. So I sent Marc a message, but then I thought: I know that Windows knows about 428 locales. I'm in quarantine anyway, I can do this. Then I thought again: I have a computer with PowerShell.

And these are the 52 entries I got:

Name         DisplayName                          ShortDatePattern
----         -----------                          ----------------
az-Cyrl      Azerbaijani (Cyrillic)               dd.MM.yyyy
az-Cyrl-AZ   Azerbaijani (Cyrillic, Azerbaijan)   dd.MM.yyyy
az-Latn      Azerbaijani (Latin)                  dd.MM.yyyy
az-Latn-AZ   Azerbaijani (Latin, Azerbaijan)      dd.MM.yyyy
cs-CZ        Czech (Czech Republic)               dd.MM.yyyy
de-AT        German (Austria)                     dd.MM.yyyy
de-CH        German (Switzerland)                 dd.MM.yyyy
de-DE        German (Germany)                     dd.MM.yyyy
de-LI        German (Liechtenstein)               dd.MM.yyyy
de-LU        German (Luxembourg)                  dd.MM.yyyy
et-EE        Estonian (Estonia)                   dd.MM.yyyy
fo-FO        Faroese (Faroe Islands)              dd.MM.yyyy
fr-CH        French (Switzerland)                 dd.MM.yyyy
hy-AM        Armenian (Armenia)                   dd.MM.yyyy
it-CH        Italian (Switzerland)                dd.MM.yyyy
ka-GE        Georgian (Georgia)                   dd.MM.yyyy
kk-KZ        Kazakh (Kazakhstan)                  dd.MM.yyyy
lv-LV        Latvian (Latvia)                     dd.MM.yyyy
nb           Norwegian (Bokmål)                   dd.MM.yyyy
nb-NO        Norwegian, Bokmål (Norway)           dd.MM.yyyy
nn           Norwegian (Nynorsk)                  dd.MM.yyyy
nn-NO        Norwegian, Nynorsk (Norway)          dd.MM.yyyy
pl-PL        Polish (Poland)                      dd.MM.yyyy
ro-MD        Romanian (Moldova)                   dd.MM.yyyy
ro-RO        Romanian (Romania)                   dd.MM.yyyy
ru-MD        Russian (Moldova)                    dd.MM.yyyy
ru-RU        Russian (Russia)                     dd.MM.yyyy
sah-RU       Sakha (Russia)                       dd.MM.yyyy
sma-NO       Sami, Southern (Norway)              dd.MM.yyyy
smj-NO       Sami, Lule (Norway)                  dd.MM.yyyy
tg-Cyrl      Tajik (Cyrillic)                     dd.MM.yyyy
tg-Cyrl-TJ   Tajik (Cyrillic, Tajikistan)         dd.MM.yyyy
tt-RU        Tatar (Russia)                       dd.MM.yyyy
uk-UA        Ukrainian (Ukraine)                  dd.MM.yyyy

So when I had the list I could just try with a locale, and it worked. I later learned that the server was a German one with the locale de-DE.

But now I know an easy way to see what locale it might be 🙂

Overheads getting a member

A while ago I wrote a blog entry about different ways of obtaining the hostname. When I wrote that one I wondered how the different ways of accessing a member value differ in cost. So this is a blog entry about that. There are different overheads depending on how you get your object's member. To illustrate this I have made a single simple WMI query and saved it in a variable, from which we will now get the name of the computer.

First let's get the WMI object:

So now we have the WMI object in the variable $wmics. So how do we get the name? Well, there are a few ways, all giving the same answer.
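The post's own timings are behind the "Read more" link. The following is an added example, not the post's code: it times several ways of reading the same member of the same object with Measure-Command. The object is assumed to come from Get-CimInstance (the post only says it is a WMI query saved in $wmics); the iteration count and the method labels are my own.

```powershell
# Added example (not from the original post). Times different ways of reading the
# Name member of one object. Get-CimInstance is an assumption for where $wmics
# comes from; the post only says "a simple single WMI query".
$wmics = Get-CimInstance -ClassName Win32_ComputerSystem

function Measure-MemberAccess {
    param(
        [Parameter(Mandatory)] $Object,
        [Parameter(Mandatory)][string] $Member,
        [int] $Iterations = 20000
    )
    # Each script block reads the same member in a different way; all return the same value
    $methods = [ordered]@{
        'Dot notation ($o.Name)'        = { $Object.$Member }
        'PSObject.Properties[]'         = { $Object.PSObject.Properties[$Member].Value }
        'Select-Object -ExpandProperty' = { $Object | Select-Object -ExpandProperty $Member }
        'ForEach-Object MemberName'     = { $Object | ForEach-Object $Member }
        'CimInstanceProperties[]'       = { $Object.CimInstanceProperties[$Member].Value }
    }
    foreach ($entry in $methods.GetEnumerator()) {
        $sb    = $entry.Value
        $value = & $sb
        # Loop inside Measure-Command so the per-call cost dominates the timing overhead
        $elapsed = Measure-Command { for ($i = 0; $i -lt $Iterations; $i++) { $null = & $sb } }
        [pscustomobject]@{
            Method        = $entry.Key
            Value         = $value
            TotalMs       = [math]::Round($elapsed.TotalMilliseconds, 1)
            MicrosecPerOp = [math]::Round($elapsed.TotalMilliseconds * 1000 / $Iterations, 2)
        }
    }
}

Measure-MemberAccess -Object $wmics -Member Name | Sort-Object TotalMs | Format-Table -AutoSize
```

Run it a couple of times and compare only the relative order: absolute numbers depend on the host, and the pipeline-based variants pay for spinning up a pipeline on every call, which is exactly the overhead the post is about.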

[Read more…]

Converting from Two’s complement using powershell

So first, what is Two's complement? Super simple simplification: it is how you use the MSB (most significant bit) to say whether the number is positive or negative. For the more complete and technical version, please read the Wikipedia article.

So why do I need this? Well, in most cases you don't. But sometimes you get an int that should have been unsigned but was mangled, so you need a way to convert it back to its true form. This cmdlet does that. Of course you could also just use the class System.BitConverter the same way the cmdlet does.

Using BitConverter to convert [int16] -1 to [uint16]:

For those who want a simple way of doing that in their profiles etc., I wrote a script.

It takes an input named Integer, which is also the first positional argument, and does its magic. I will show it with an int16 with the value -32000 that should have been an unsigned int.
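The post's script itself is not reproduced on this page. As an added example (not the author's script), here is the same idea with System.BitConverter in both directions: the bytes are kept as they are and only reinterpreted as the unsigned (or signed) type of the same width. The function names are my own.

```powershell
# Added example, not the post's script. GetBytes keeps the bit pattern of the
# value; the To* methods only change how those bytes are read, which is exactly
# the two's complement reinterpretation.
function ConvertTo-Unsigned {
    param([Parameter(Mandatory)] $Integer)
    $bytes = [System.BitConverter]::GetBytes($Integer)
    switch ($Integer.GetType().Name) {
        'Int16' { [System.BitConverter]::ToUInt16($bytes, 0) }
        'Int32' { [System.BitConverter]::ToUInt32($bytes, 0) }
        'Int64' { [System.BitConverter]::ToUInt64($bytes, 0) }
        default { throw "Unsupported type $($Integer.GetType().Name); pass an [int16], [int32] or [int64]" }
    }
}

function ConvertTo-Signed {
    param([Parameter(Mandatory)] $Integer)
    $bytes = [System.BitConverter]::GetBytes($Integer)
    switch ($Integer.GetType().Name) {
        'UInt16' { [System.BitConverter]::ToInt16($bytes, 0) }
        'UInt32' { [System.BitConverter]::ToInt32($bytes, 0) }
        'UInt64' { [System.BitConverter]::ToInt64($bytes, 0) }
        default  { throw "Unsupported type $($Integer.GetType().Name); pass a [uint16], [uint32] or [uint64]" }
    }
}

# The post's two cases: [int16] -1 and a mangled [int16] -32000
ConvertTo-Unsigned ([int16]-1)
ConvertTo-Unsigned ([int16]-32000)
# And back again, to show the round trip is lossless
ConvertTo-Signed (ConvertTo-Unsigned ([int16]-32000))
```

Note the parentheses around the casts: without them PowerShell would pass the text "[int16]-32000" as a string, and the type switch is what decides which width to reinterpret at.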


Sometimes I don't like you, System.Security.AccessControl.AccessRule.FileSystemAccessRule

I'm writing my own little module to help remove SID histories, mainly on file servers. But I'm thinking about throwing in stuff about SharePoint and local groups too. Many people forget to change the ACLs after using SID history, which means they are stuck with the SID history entries.

So what has that to do with FileSystemAccessRule? In my first incarnation I was manually modifying the SDDL. This worked, but I felt that PowerShell must be able to do this better.

So I gave it some thought. Then I tried to re-implement it using Get-Acl, which returns a System.Security.AccessControl.FileSystemSecurity. Perfect, but there are some issues.

I have a perfect example here:

This went without a hitch.

So let's see how .NET interprets the only ACE in the ACL above:

Well, that didn't really look like what I wanted. We gave it SDGXGWGR and I got -536805376.
SDGXGWGR should have given us: Delete, Generic Execute, Generic Write, Generic Read.
That number is the raw access mask 0xE0010000 (SD = 0x00010000, GX = 0x20000000, GW = 0x40000000, GR = 0x80000000) read as a signed 32-bit integer; FileSystemRights has no names for the generic bits, so the enum falls back to printing the number.

Okay, but perhaps it is just a display glitch. Let's try to create an ACE using the data in the $ACL variable.

So now let's create a grant rule with the same permissions for the Builtin Administrators group.

So for now I will continue to parse my SDDL as strings in my Remove Sid History module.
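The code the post ran is not on this page. As an added example (not the author's module), the block below parses an SDDL string of the kind the post describes, shows the negative mask .NET reports, and then maps the generic bits onto the file-specific rights that FileSystemAccessRule can represent. The SDDL string is constructed for the example, and the mapping table is the standard GENERIC_MAPPING for file objects from winnt.h (FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS); the function names are my own.

```powershell
# Added example, not the post's code. One ACE granting SD, GX, GW and GR to
# BUILTIN\Administrators (BA); the string is constructed for this example.
$sddl = 'O:BAG:BAD:(A;;SDGXGWGR;;;BA)'

# GENERIC_MAPPING for file objects (winnt.h). The generic bits are written in
# decimal because 0x80000000 is parsed as a negative Int32 literal in PowerShell.
$FileGenericMapping = @(
    @{ Generic = [int64]2147483648; Specific = 0x00120089 }   # GENERIC_READ    -> FILE_GENERIC_READ
    @{ Generic = [int64]1073741824; Specific = 0x00120116 }   # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    @{ Generic = [int64]536870912;  Specific = 0x001200A0 }   # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    @{ Generic = [int64]268435456;  Specific = 0x001F01FF }   # GENERIC_ALL     -> FILE_ALL_ACCESS
)

function ConvertTo-FileSpecificRights {
    # $AccessMask must be the unsigned value of the ACE mask (0..4294967295)
    param([Parameter(Mandatory)][int64] $AccessMask)
    $specific = $AccessMask -band 0x0FFFFFFF      # keep standard + specific bits, drop the 4 generic bits
    foreach ($map in $FileGenericMapping) {
        # Replace each generic bit with what the kernel maps it to for a file object
        if ($AccessMask -band $map.Generic) { $specific = $specific -bor $map.Specific }
    }
    [System.Security.AccessControl.FileSystemRights][int]$specific
}

$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
$ace  = $sd.DiscretionaryAcl[0]                  # the only ACE: (A;;SDGXGWGR;;;BA)
$raw  = $ace.AccessMask                          # Int32: the -536805376 the post saw
$mask = [int64]$raw -band 4294967295             # same bits read unsigned: 3758161920 = 0xE0010000

"Raw mask (Int32)             : $raw"
"Raw mask as FileSystemRights : $([System.Enum]::ToObject([System.Security.AccessControl.FileSystemRights], $raw))"
$rights = ConvertTo-FileSpecificRights $mask
"After generic mapping        : $rights"

# With the mapped rights a FileSystemAccessRule for the same trustee can be built
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.SecurityIdentifier]$ace.SecurityIdentifier, $rights, 'Allow')
$rule | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

For SD plus GR, GW and GX the mapping comes out as Modify together with Synchronize, which is what the kernel grants when it evaluates that ACE against a file. Two things to keep in mind when copying ACEs from an old SID to a new one: the mapping is specific to file objects (registry keys and AD objects have their own GENERIC_MAPPING), and it is only an equivalence for access checks. If the ACE must stay bit-for-bit identical (for example so that SDDL exports before and after still compare equal), stay at the RawSecurityDescriptor or SDDL string level, as the post ends up doing.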

A short story about date formats

So I was updating my script to read DNS debug logs. I had gotten some comments on it in the TechNet Gallery, so I wanted to include them all in the script for easier usage.

This is when I realized how many variations there are of the ShortDatePattern used in the local cultures. Microsoft uses the local culture in the DNS debug log, big sadness. So how many cultures are there?

Okay, with 428 different possible cultures I don't think I will go through them one by one. So let's just list all cultures and their ShortDatePattern and see if we see anything [Read more…]
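Neither this post nor "Guessing the locale of a logfile" above shows the PowerShell that was run. The block below is an added example (not the author's script) that serves both: it tabulates every culture's ShortDatePattern, and it tests which cultures can parse the time stamp at the start of a DNS debug log line. The two log lines are constructed to look like output from a de-DE server; the function names, the 50-line sample size and the assumption that the stamp is the first two (or, with an AM/PM designator, three) whitespace-separated tokens are mine.

```powershell
# Added example (not the post's script). Constructed sample lines in the shape of
# a DNS debug log written by a server running with a dd.MM.yyyy culture.
$sampleLines = @(
    '06.03.2020 14:05:12 0B2C PACKET  000000E8A1B2C3D0 UDP Rcv 10.0.0.15       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
    '06.03.2020 14:05:12 0B2C PACKET  000000E8A1B2C3D0 UDP Snd 10.0.0.15       0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)'
)

function Get-ShortDatePatternSummary {
    # How many distinct short date patterns exist and how many cultures share each
    [System.Globalization.CultureInfo]::GetCultures('AllCultures') |
        Group-Object { $_.DateTimeFormat.ShortDatePattern } |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ Name = 'ShortDatePattern'; Expression = { $_.Name } },
                      @{ Name = 'Example';          Expression = { $_.Group[0].Name } }
}

function Find-LogCulture {
    param(
        [Parameter(Mandatory)][string[]] $Lines,
        [int] $Sample = 50          # every candidate culture must parse this many lines
    )
    $sampled = $Lines | Where-Object { $_ -match '\S' } | Select-Object -First $Sample
    $styles  = [System.Globalization.DateTimeStyles]::AllowWhiteSpaces
    foreach ($culture in [System.Globalization.CultureInfo]::GetCultures('AllCultures')) {
        if ($culture.Name -eq '') { continue }          # skip the invariant culture
        $fmt       = $culture.DateTimeFormat
        $pattern   = '{0} {1}' -f $fmt.ShortDatePattern, $fmt.LongTimePattern
        $parsed    = [datetime]::MinValue
        $allParsed = $true
        foreach ($line in $sampled) {
            # Stamp = first two tokens, or three when the time carries an AM/PM designator
            $tokens     = $line -split '\s+'
            $candidates = @(($tokens[0..1] -join ' '), ($tokens[0..2] -join ' '))
            $ok = $false
            foreach ($stamp in $candidates) {
                # TryParseExact never throws, which matters when looping over 400+ cultures
                if ([datetime]::TryParseExact($stamp, $pattern, $culture, $styles, [ref]$parsed)) { $ok = $true; break }
            }
            if (-not $ok) { $allParsed = $false; break }
        }
        if ($allParsed) {
            [pscustomobject]@{
                Name             = $culture.Name
                DisplayName      = $culture.DisplayName
                ShortDatePattern = $fmt.ShortDatePattern
                LongTimePattern  = $fmt.LongTimePattern
                LastParsed       = $parsed
            }
        }
    }
}

Get-ShortDatePatternSummary | Select-Object -First 10 | Format-Table -AutoSize
Find-LogCulture -Lines $sampleLines | Format-Table -AutoSize
```

Two caveats when using this on a real log. First, it narrows the log down to a date and time pattern, not to one culture: every culture sharing dd.MM.yyyy and HH:mm:ss parses these numeric stamps identically, which is why the list in the earlier post has 34 cultures with the same pattern and why the de-DE answer still "just worked". Second, a stamp like 06.03.2020 parses under both day-first and month-first cultures, so feed the function lines whose day is above 12 or a sample that spans a month boundary; parsing an incident timeline with the wrong culture silently swaps days and months without any error.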

Formating dates with Powershell for different purposes

So Windows has lots of date formats to choose from. Here are a few of them, with functions to convert between them and DateTime.


DateTime

The default time format used in .NET and PowerShell. This is probably the first date function you will learn to use, or you can call the .NET class directly.


FileTime

A Microsoft time format that counts the number of 100 ns intervals since January 1, 1601 (UTC). Yes, this is a really large number. But even though the name suggests it, it isn't only for files. Also, in some file systems the resolution isn't 100 ns just because the format has that as its smallest increment.

I did a blog entry about a small discrepancy when creating dates using different methods, and how they differed by 100 ns. This was easiest to spot while looking at the time in FileTime format.

MSDN page for FileTime structure

DMTF (Distributed Management Task Force) DateTime

As used by AD for some attributes and by WMI. The format is almost easy to read.


Unix Epoch

This is the standard format used by *nix based systems: the number of seconds since January 1, 1970 (UTC).

Also, if you don't care about being compatible with older versions, you could use the [DateTimeOffset] class.

What about the other way, then? That is much simpler.
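The conversion functions the post shows are not on this page. As an added example (not the author's functions), the block below round-trips one instant through the three formats discussed above, FileTime, DMTF and Unix epoch, and checks that each comes back as the same instant. The sample instant is constructed; the function names are my own. The DMTF conversions use System.Management.ManagementDateTimeConverter, so they need PowerShell on Windows.

```powershell
# Added example, not the post's own functions. Round-trips a constructed UTC
# instant through FILETIME, DMTF (WMI/AD) and Unix epoch seconds.
$sample = [datetime]::new(2020, 3, 6, 14, 5, 12, [System.DateTimeKind]::Utc)
$epoch  = [datetime]::new(1970, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)

# FILETIME: 100 ns ticks since 1601-01-01 UTC
function ConvertTo-FileTime   { param([datetime] $Date)   $Date.ToFileTimeUtc() }
function ConvertFrom-FileTime { param([long] $FileTime)   [datetime]::FromFileTimeUtc($FileTime) }

# DMTF: yyyymmddHHMMSS.mmmmmm+UUU; the converter writes local wall-clock time plus
# the UTC offset in minutes, so normalize to local time first or the offset is wrong
function ConvertTo-DmtfDateTime   { param([datetime] $Date) [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Date.ToLocalTime()) }
function ConvertFrom-DmtfDateTime { param([string] $Dmtf)   [System.Management.ManagementDateTimeConverter]::ToDateTime($Dmtf) }

# Unix epoch: whole seconds since 1970-01-01 UTC, done by hand so it also works
# on PowerShell versions without [DateTimeOffset]::FromUnixTimeSeconds
function ConvertTo-UnixTime   { param([datetime] $Date) [long][math]::Floor(($Date.ToUniversalTime() - $epoch).TotalSeconds) }
function ConvertFrom-UnixTime { param([long] $Seconds)  $epoch.AddSeconds($Seconds) }

# Round trip each format and compare with the original instant
$results = foreach ($name in 'FileTime', 'DmtfDateTime', 'UnixTime') {
    $encoded = & "ConvertTo-$name" $sample
    $decoded = (& "ConvertFrom-$name" $encoded).ToUniversalTime()
    [pscustomobject]@{
        Format     = $name
        Encoded    = $encoded
        Decoded    = $decoded.ToString('o')
        RoundTrips = ($decoded -eq $sample)
    }
}
$results | Format-Table -AutoSize
```

All three round-trip for this instant because it has no sub-second part. Add ticks to $sample and the differences in resolution show up: FileTime keeps all 100 ns ticks, DMTF keeps microseconds, and Unix seconds drop everything below a second. That is the same kind of 100 ns discrepancy mentioned under FileTime above, and it is why comparing timestamps from different sources for equality is a bad idea; compare within a tolerance instead.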

From Event to Object

So I needed to gather some information on the usage of a file server, so we enabled auditing, but those logs aren't that fun. Using the Event Viewer isn't really an option with thousands of log entries to process. So I went to PowerShell, which has Get-WinEvent, which returns [System.Diagnostics.Eventing.Reader.EventRecord] objects. But those still aren't that fun: they are event log entries, so I can't just do a Where-Object search on them as the message is a text block. BUT I can convert them into XML, which allows me to do queries on the XML with Where-Object, but that is still limiting as I needed to do conversions, and depending on the PowerShell version you can do it in different ways. So I wrote a cmdlet to do that for me so I don't have to in the future.

It reads the events you throw at it and creates a translation map from the XML to a PowerShell object.

So I created ConvertFrom-VirotEvent; a small sample is below.

Sample ConvertFrom-VirotEvent
Let's see all the times somebody used runas, elevated themselves using UAC or RDP... well, any time Windows presented a login box for an already logged-on user, or another process did this, such as the Task Scheduler.

Or we can just group by SourceUserName




You can download the script from the Microsoft Technet Galleries.
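ConvertFrom-VirotEvent itself is not reproduced on this page. As an added example (not the author's script), the block below does the same job in a small function: it takes the XML of an EventRecord and returns a flat object whose EventData fields are properties, so Where-Object and Group-Object work on them. The 4648 event XML is constructed sample data (4648 is "A logon was attempted using explicit credentials", the event runas, UAC prompts and RDP produce); the function name and the property names are my own, so the post's SourceUserName does not appear here.

```powershell
# Added example, not the ConvertFrom-VirotEvent script. Converts the XML of an
# event record into a PowerShell object with one property per <Data Name="..."> field.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $xml = [xml]$EventXml
        $sys = $xml.Event.System
        # Classic events wrap EventID in an element with a Qualifiers attribute, so it
        # may come back as an XmlElement instead of a string
        $id = $sys.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }
        $props = [ordered]@{
            TimeCreated = [datetime]$sys.TimeCreated.GetAttribute('SystemTime')
            Id          = [int]$id
            Provider    = $sys.Provider.GetAttribute('Name')
            Computer    = $sys.Computer
        }
        if ($null -ne $xml.Event.EventData) {
            $i = 0
            foreach ($data in @($xml.Event.EventData.Data)) {
                # Named <Data> elements become properties; unnamed ones (older providers) get Data0, Data1, ...
                if ($data -is [System.Xml.XmlElement] -and $data.HasAttribute('Name')) {
                    $props[$data.GetAttribute('Name')] = $data.InnerText
                } else {
                    $props["Data$i"] = [string]$data
                }
                $i++
            }
        }
        [pscustomobject]$props
    }
}

# Constructed sample: one 4648 event in the shape EventRecord.ToXml() returns
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2020-03-06T13:05:12.1234567Z"/>
    <Computer>FS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">fs-admin</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetServerName">localhost</Data>
    <Data Name="ProcessName">C:\Windows\System32\runas.exe</Data>
    <Data Name="IpAddress">::1</Data>
  </EventData>
</Event>
'@

$events = $sampleXml | ConvertFrom-EventXml
# Against a live Security log the same pipeline is:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } | ForEach-Object { $_.ToXml() } | ConvertFrom-EventXml

# Who used somebody else's credentials, from which process
$events | Where-Object { $_.TargetUserName -ne $_.SubjectUserName } |
    Format-Table TimeCreated, SubjectUserName, TargetUserName, ProcessName -AutoSize

# Or just group by the account that did it
$events | Group-Object SubjectUserName | Select-Object Count, Name
```

Two details worth keeping: the Name attribute is read with GetAttribute rather than $data.Name, so there is no confusion with the element's own Name property, and the TimeCreated string is the UTC value from the XML, which [datetime] converts to local time. Filter on Id before converting; converting every event in a busy Security log to XML is the slow part.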


Every function has a beginning, a middle and an end.

Okay, so I used a bit of artistic freedom there; the truth is that the main parts of a function are:

  • Parameters
  • Begin
  • Process
  • End


Parameters

So this is kinda self-explanatory. This is where we declare all the parameters the function will use. For today this is not really the important part, so for simplicity I have created an input parameter called... (drumroll)... Input.


Begin

This script block runs once, before any pipeline input arrives, so it cannot rely on parameters bound from the pipeline. Here would be a good spot to verify that you have any required modules, that you have write access, or to connect to a database.


Process

This is the big script block that has all the magic. All your core logic goes in here. It runs once for every object that comes in from the pipeline.


End

When you are done there might be things to clean up or close. Close any database connection that you opened in the beginning. This block runs once, after the last pipeline object.

So what's up with all this text and no PowerShell?? Okay, here we go.

How it works with code
[Read more…]
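The code from the post is behind the "Read more" link. As an added example (not the author's function), here is a function that records when each of the three blocks runs, so the difference between piping objects in and passing them as an argument is visible. The parameter is named InputObject rather than the post's Input, because $input is an automatic variable in PowerShell and a parameter of that name shadows it.

```powershell
# Added example, not the code behind the post's "Read more" link. Traces the
# order in which begin, process and end run for pipeline vs. argument input.
function Trace-PipelineStages {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $InputObject
    )
    begin {
        # Runs once before any pipeline object arrives; with pipeline input $InputObject is still empty here
        $trace = New-Object System.Collections.Generic.List[string]
        $trace.Add("begin   InputObject=<$InputObject>")
        $count = 0
    }
    process {
        # Runs once per pipeline object, or once for the whole array when it is passed as an argument
        $count++
        $trace.Add("process InputObject=<$($InputObject -join ',')>")
    }
    end {
        # Runs once after the last object; the place to close whatever begin opened
        $trace.Add("end     processed $count object(s)")
        $trace
    }
}

# Three objects through the pipeline: process runs three times
'a', 'b', 'c' | Trace-PipelineStages

# The same three objects as one argument: process runs once, with the whole array
Trace-PipelineStages -InputObject 'a', 'b', 'c'
```

The first call shows begin with an empty InputObject and three process entries; the second shows the array already present in begin and a single process entry. That is why anything that must see each object individually belongs in process, and anything that depends on pipeline-bound parameters cannot live in begin.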

Convenience rollup KB3125574 with bonus powershell [W7 & W2K8R2]

So Microsoft has released a convenience rollup that contains loads of updates.

There are a few issues, especially one connected to vNICs. So they also released a small VBScript to help remove the offending parts from the registry.
But I hate VBScript and love PowerShell, so I rewrote it. It went from 30 lines to 8. I know I could squeeze it into 2 without losing too much readability, but I like it like that.

You can find information about the update at KB3125574. The download is available through the Microsoft Update Catalog (requires IE).

Finding password cheaters

So in my last blog post I talked about the possibility of faking a password change by setting the last time the password was changed.

So let's find out if somebody has been tampering. To do this we check the last time somebody updated the pwdLastSet attribute and compare it to the last time somebody updated the ntPwdHistory attribute. If you change the password, AD will update both. I also added an allowance of 10 for when you needed to check or uncheck the "password must be changed" checkbox. AD does store loads of data that most people never see or have to see; one such piece is the last time an attribute was updated.
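The post's script is behind the "Read more" link. As an added example (not the author's script), the block below implements the comparison described above against the replication metadata AD keeps for each attribute. The check itself is a pure function so it can be exercised on constructed sample data; the AD query using Get-ADReplicationAttributeMetadata (ActiveDirectory module) is defined but not called. The 10-minute allowance is my reading of the post's "allowance of 10", and the server and OU names are placeholders.

```powershell
# Added example, not the post's script. A real password change writes both
# pwdLastSet and ntPwdHistory; resetting pwdLastSet to -1 only writes pwdLastSet,
# so a large gap between the two originating-change times is the tell.
function Test-FakedPasswordChange {
    param(
        [Parameter(Mandatory)] $Metadata,      # objects with AttributeName and LastOriginatingChangeTime
        [int] $AllowanceMinutes = 10           # assumption: the post's "allowance of 10" read as minutes
    )
    $byName = @{}
    foreach ($m in $Metadata) { $byName[$m.AttributeName.ToLower()] = $m }
    $pwd  = $byName['pwdlastset']
    $hist = $byName['ntpwdhistory']
    if (-not $pwd -or -not $hist) { return $null }     # one of them never written: nothing to compare
    $gap = $pwd.LastOriginatingChangeTime - $hist.LastOriginatingChangeTime
    [pscustomobject]@{
        PwdLastSetChanged   = $pwd.LastOriginatingChangeTime
        NtPwdHistoryChanged = $hist.LastOriginatingChangeTime
        GapMinutes          = [math]::Round($gap.TotalMinutes, 1)
        # pwdLastSet moved forward long after the hash history did: no real change of password
        Suspicious          = ($gap.TotalMinutes -gt $AllowanceMinutes)
    }
}

function Find-FakedPasswordChange {
    # Runs the check across an OU; needs the ActiveDirectory module and a 2012+ DC
    param(
        [Parameter(Mandatory)][string] $SearchBase,
        [Parameter(Mandatory)][string] $Server
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Server $Server | ForEach-Object {
        $meta   = Get-ADReplicationAttributeMetadata -Object $_ -Server $Server -Properties pwdLastSet, ntPwdHistory
        $result = Test-FakedPasswordChange -Metadata $meta
        if ($result -and $result.Suspicious) {
            $result | Add-Member -NotePropertyName User -NotePropertyValue $_.SamAccountName -PassThru
        }
    }
}

# Constructed sample metadata in the shape Get-ADReplicationAttributeMetadata returns
function New-SampleMetadata {
    param([string] $Attr, [datetime] $When, [int] $Version)
    [pscustomobject]@{ AttributeName = $Attr; LastOriginatingChangeTime = $When; Version = $Version }
}
$honest = @(
    New-SampleMetadata 'pwdLastSet'   ([datetime]'2020-03-06 09:00:00') 7
    New-SampleMetadata 'ntPwdHistory' ([datetime]'2020-03-06 09:00:00') 7
)
$cheater = @(
    New-SampleMetadata 'pwdLastSet'   ([datetime]'2020-03-06 09:00:00') 8
    New-SampleMetadata 'ntPwdHistory' ([datetime]'2019-01-15 11:30:00') 7
)
Test-FakedPasswordChange -Metadata $honest
Test-FakedPasswordChange -Metadata $cheater

# Live run (placeholders):
#   Find-FakedPasswordChange -SearchBase 'OU=Staff,DC=example,DC=local' -Server 'dc01.example.local'
```

Query one DC for the whole run: LastOriginatingChangeTime is recorded by the DC where the write originated, so mixing DCs with clock skew produces false gaps. The Version column is a useful second signal; in the sample the cheater's pwdLastSet version moved on without ntPwdHistory following.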

Script to check for faked password changes

The script

[Read more…]