[SSC Serv] Terminal Services monitoring on Windows Server 2008

Florian Forster octo at ssc-serv.com
Tue Nov 4 20:21:31 CET 2008

Hi Wayne,

sorry for my late reply, it took me some time to figure this out :/
Thanks again for providing the Windows 2008 login, I wouldn't have been
able to get behind this without it :)

On Wed, Oct 01, 2008 at 12:41:02AM +0200, Florian Forster wrote:
> On Mon, Sep 29, 2008 at 04:04:47PM -0700, Wayne Tucker wrote:
> > utils_pdh: translate_pdh_counter (\Terminal Services\Inactive Sessions) failed.

As I mentioned in an earlier mail, due to the fact that counters are
identified by localized(!) strings, I have to do this
  english name -> ID -> localized name

This translation works to the point that I get the ID, for example for
`Terminal Services'. I then call `PdhLookupPerfNameByIndex' with the
found ID. The problem is that this function returns `ERROR_SUCCESS'
(indicating that everything went well) but does not write anything into
the buffer I passed to it.

So, for some reason translating IDs to a string works for all
identifiers except the terminal services. In my opinion it's a bug in
PDH, but what might it be caused by? The only suspicious thing I've
found is the following:

Deep in the registry, there's a key that holds those `ID <-> names'
mappings. It looks somewhat like this:
     2  System
     4  Memory
     6  % Processor Time
     :  :
  3986  Processor State Flags
  2262  Terminal Services
     :  :

I can see two possible reasons why the translation may be confused:
1) The IDs *should* be sorted. If a search algorithm within PDH depends
   on this sorting, it *may* come to the conclusion that the needed
   value does not exist.
2) The shown ID `3986' is also the highest ID used on your system. This
   value is stored as `Last Counter'. A search algorithm *may* check the
   current index against this number and abort when it thinks it has
   reached the last ID.

I'd love to check my hypothesis. For that, I've created a sorted version
of that `ID <-> names' mapping which I would install in the registry.
Without your permission, I won't touch anything though, since I don't
know if and how this might affect your system. I don't expect any
problems, though. What do you say?

Florian octo Forster
Hacker in training
GnuPG: 0x91523C3D
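
Added example, not part of the original mail and not code from PDH or SSC Serv: a small C model of the two hypotheses in the mail above. The table holds only the rows visible in the mail (a constructed sample), and both lookup functions are hypothetical search strategies, not PDH's actual algorithm.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct perf_name { unsigned id; const char *name; };
/* Constructed sample: only the rows visible in the mail, in stored order. */
static const struct perf_name stored[] = {
    {2, "System"}, {4, "Memory"}, {6, "% Processor Time"},
    {3986, "Processor State Flags"}, {2262, "Terminal Services"},
};
enum { N = sizeof(stored) / sizeof(stored[0]) };

/* Hypothesis 1 (assumed, not PDH's real code): binary search over the IDs. */
const char *lookup_sorted_assumed(const struct perf_name *t, size_t n, unsigned id) {
    for (long lo = 0, hi = (long)n - 1; lo <= hi; ) {
        long mid = lo + (hi - lo) / 2;
        if (t[mid].id == id) return t[mid].name;
        if (t[mid].id < id) lo = mid + 1; else hi = mid - 1;
    }
    return NULL;
}

/* Hypothesis 2 (assumed): linear scan that stops at the `Last Counter' ID. */
const char *lookup_stop_at_last(const struct perf_name *t, size_t n, unsigned id, unsigned last) {
    for (size_t i = 0; i < n; i++) {
        if (t[i].id == id) return t[i].name;
        if (t[i].id >= last) break; /* believes the table ends here */
    }
    return NULL;
}

static int by_id(const void *a, const void *b) {
    const struct perf_name *x = a, *y = b;
    return (x->id > y->id) - (x->id < y->id);
}
/* Sorted copy of the mapping, like the one proposed in the mail. */
void sorted_copy(struct perf_name *out, const struct perf_name *in, size_t n) {
    memcpy(out, in, n * sizeof(*in));
    qsort(out, n, sizeof(*out), by_id);
}

int main(void) {
    struct perf_name fixed[N];
    sorted_copy(fixed, stored, N);
    printf("stored: %d %d\n", lookup_sorted_assumed(stored, N, 2262) != NULL,
           lookup_stop_at_last(stored, N, 2262, 3986) != NULL);
    printf("sorted: %d %d\n", lookup_sorted_assumed(fixed, N, 2262) != NULL,
           lookup_stop_at_last(fixed, N, 2262, 3986) != NULL);
    return 0;
}
```

Both modelled searches miss ID 2262 in the stored order and find it in the sorted copy, which is the outcome the two hypotheses predict.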