Demystifying the svchost.exe process (and finding out what process is actually running under it)

Tuesday, 25. May 2010

I ran into this the other day at work and thought I would share.  Hopefully this will save you some time.  I had a service on a windows box that locked up during a standard service restart.  Seeing as most people don’t like having their server rebooted during the day I had to come up with a way to deal with this.  My usual fix for this was to determine what exe the service was running, hunt it down in task manager, manually kill it, and start the service again.  However, when I looked at the service I saw that the listed executable was ‘svchost.exe’.  Knowing that I would encounter more than one svchost.exe process when I opened task manager I decided to spend some time and figure out exactly what the exe was. 

What is svchost.exe?
As it turns out, not all applications and services in Windows have the ‘exe’ file extension.  Some of them are actually DLL (Dynamic-Link Library) files that need a means to run.  Windows (unlike other operating systems) doesn’t have a way to run a DLL directly as a service.  Svchost acts as a platform (a separate EXE) from which to launch these DLLs as services.  So when you see a ton of svchost.exe processes running in Task Manager, they aren’t actually the same program.

So which one is which?
So let’s walk through an example of how to determine which svchost process is linked to a particular program.  Let’s say that the DHCP client service on my Windows server locked up and during the service restart the service hung in the dreaded ‘Attempting to stop’ state (Yes, I realize it’s highly unlikely that your DHCP client service would be a critical service on a server with a static IP, just bear with me as the concept is the same for any service).  So I open up the services MMC and check the properties of the service to find out what EXE the service is running.  The properties screen looks like this…

[image: service properties dialog]

As you can see, the service runs under the svchost.exe process.  A look at my task manager on the server gives me this…

[image: Task Manager process list]

Notice that I have not one, but fifteen svchost.exe processes running.  So which one do I kill?  After some googling I found the answer.  The key to making this determination is the PID (Process ID).  If you can’t see the PID in your task manager go to View – Select Columns – and select PID (for Server 08).  You should now see the PID listed next to each process.  Now go to the command prompt and enter in this magic command…

tasklist /svc

Or if you just want to see the svchost.exe processes…

tasklist /svc /fi "imagename eq svchost.exe"

The output from the second command looks like this…

[image: tasklist /svc output]

A quick review of the output reveals that DHCP is running over svchost.exe at PID 956.  Taking a look back at the task manager I locate PID 956 and kill the process.  Pretty slick huh?

Beware!
I view this way of starting and stopping Windows services as a last resort.  Oftentimes multiple services run under the same svchost, which can cause issues if you start killing them.  Additionally, a lot of Windows services that run as svchost.exe don’t like being killed.  For instance, the DHCP client I used in this example, when killed, just started right back up again.  If you can do a server reboot to clear the hung process that’s usually the best approach.  But if you can’t, and need a quick fix, use this with caution.
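One way to do the PID lookup and the shared-service check from the post in a single step, as an added example (not the post’s own code), assuming Windows PowerShell 5.1 or later with the CIM cmdlets and an elevated prompt:

```powershell
# Added example, not from the original post: map a service name to the svchost.exe
# that hosts it, then list every other service in that same process, which is the
# 'Beware!' case above. Assumes Windows PowerShell 5.1+ with the CIM cmdlets and an
# elevated prompt; the service name 'Dhcp' is the DHCP Client used in the post.
param(
    [string]$ServiceName = 'Dhcp'   # short service name, as shown in services.msc
)

# Win32_Service carries ProcessId for every service, including DLL services in svchost.exe
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
if ($svc.ProcessId -eq 0) { throw "Service '$ServiceName' is not running, so it has no PID" }

$proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
"{0} is hosted by {1}.exe (PID {2}), service state: {3}" -f `
    $svc.Name, $proc.ProcessName, $svc.ProcessId, $svc.State

# Same information the post gets from: tasklist /svc /fi "pid eq <PID>"
$siblings = Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId)" |
    Where-Object { $_.Name -ne $svc.Name }

if ($siblings) {
    "Killing PID $($svc.ProcessId) also takes down these services:"
    $siblings | Select-Object Name, DisplayName, State | Format-Table -AutoSize
} else {
    "No other service shares PID $($svc.ProcessId); a kill affects only $($svc.Name)."
}
```

Run it before reaching for Task Manager so you know exactly what else will go down with that PID.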

Password and Config Recovery on a Cisco router

Wednesday, 12. May 2010

I have recently been purchasing some new routers for my lab and I find myself having to do the password recovery procedure to gain access.  In all truthfulness, it’s more of a “get access and wipe the router” sort of procedure; however, I usually copy the config off before wiping just out of pure curiosity.  So here’s what I do…

1 – Connect to the router with your console cable

2 – Power up the router and start pressing the ‘Break’ key on your keyboard

3 – If the router detects you pushing the ‘Break’ key it should put the router into ROMMON

4 – When the router enters ROMMON mode you should be presented with a ‘rommon’ numbered prompt.  Enter the following commands…

monitor: command "boot" aborted due to user interrupt
rommon 1 >
confreg 0x2142

You must reset or power cycle for new config to take effect

rommon 2 > reset

Essentially this tells the router to ignore its startup-config when booting.  The reset command reboots the router.

5 – When the router finishes loading you should receive the standard ‘first boot’ prompts asking you about entering the initial configuration dialog.  Say no to any prompts.

6 – At this point, I usually plug an Ethernet interface on the router into my network and configure an IP address on the router so that I can copy the current config off.  It’s important to note here that all we did was tell the router to ignore its startup config.  It’s still fully intact at this point.

Router> enable
Router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int faste0/0
Router(config-if)# ip address 10.20.30.23 255.255.255.0
Router(config-if)# no shut
Router(config-if)# exit
Router(config)# exit
Router# copy startup-config tftp
Address or name of remote host []? 10.20.30.51
Destination filename [8772106002209363-confg]? 1841-Original-Config
.!!
2666 bytes copied in 3.104 secs (859 bytes/sec)

7 – Now that we have a good copy of the original config I reset the config register, wipe nvram, and reload the router.  When it comes back online it will be like a brand new router.

Router# config t
Router(config)# config-register 0x2102
Router(config)# exit
Router# write erase
*May 12 23:00:00.891: %SYS-5-CONFIG_I: Configured from console by console
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
*May 12 23:00:10.531: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvr
Router# reload

System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]


Summary                        
I’m sure there are tons of documents out there that tell you how to do this; it just helps me remember when I write it all down.  It should be noted that this is usually used as a password recovery procedure.  In that case the startup-config is copied into the running-config after you enter enable mode.  Once the startup-config is loaded you can enter config mode and reset the enable and line passwords, since you were already in enable mode prior to loading the original config.

ASA DMZ implementations

Monday, 10. May 2010

I’ve been trying to spend some time lately playing with my ASA again.  I’ve recently found myself playing with NAT and DMZ functionality.  I have to admit that for what appears to be a simple concept there is a lot of material to digest.  I’m also trying to look into the new ASA code release and get up to speed on the new NAT config commands.  Unfortunately my ASA doesn’t have a Security Plus license so I don’t have full DMZ functionality.

So if someone from Cisco is reading this and wants to send me a Security Plus activation code so I can blog about it that would be cool : )

Show commands I always forget about….

Saturday, 17. April 2010

For some reason there are some show commands that I just can’t remember on the spot.  The majority of the time I’m just looking for one specific piece of info and I just can’t find it.  I’m sure I’ll be adding to this list as I encounter others.

Determine the number of inside hosts being used on a ASA
ASA# show local-host brief
Detected interface ‘outside’ as the Internet interface. Host limit applies to all other interfaces.
Current host count: 2, towards licensed host limit of: 50
<output omitted>