The Windows Directory Consumes a Lot of Disk Space

I got a call from a colleague who was asking why the Windows directory on a Windows Server 2008 R2 machine was taking up almost 40GB of disk space.  I checked one of my servers and noticed almost the same – about 30GB on mine.  He noticed more readily than I did because his Windows install was on a partitioned drive where the C volume was only 60GB.  I, however, do not practice partitioning drives.  If I want more volumes, I get more drives. 

After some research, we noticed that the WinSXS folder was the culprit.  He was about to delete the folder when I asked him to stop.  I found it hard to believe this folder was so large just for the fun of it, so I did some research.  I found many blogs and so forth that “tried” to explain the WinSXS folder, but most failed horribly.  As always, if you want the low-down you have to go to the source.  I found this post on the Microsoft Ask The Core Team blog that did a fantastic job of explaining the WinSXS folder.  I highly recommend giving this post a full read.  You should also subscribe to the Ask The Core Team blog.

http://blogs.technet.com/b/askcore/archive/2008/09/17/what-is-the-winsxs-directory-in-windows-2008-and-windows-vista-and-why-is-it-so-large.aspx

There are some things you can do to combat this problem.  I recommend the following:

  • Do not partition out a single drive into multiple partitions.  If you want your OS on one volume and your data on another volume, then get multiple drives and place one set of drives in one volume for the OS and the rest of the drives in a volume for data.  For example, you could do a RAID 1 for the OS and a RAID 5 for data.  This way, you’ll always have plenty of room for the OS.  Partitioning one drive into multiple volumes, in my opinion, makes little sense any more.
  • Install only those applications you need on the computer.  The more applications you install, the more your C drive will fill up.  The same is true for Windows features.  Install only those you need.
  • Run the disk cleanup wizard.
  • You can free up some space by removing the rollback files for the last service pack you installed.

That last point bears some discussion.  When you install a service pack for Windows, you can always uninstall it.  This is made possible by the fact that Windows stores copies of the original files replaced by the service pack in the WinSXS folder.  If you have been running the service pack for a while and are very confident you will never need to uninstall it, you can remove the backup files which will make the service pack permanent (you can’t remove it).  On one of my systems, this freed up 10GB of disk space.

For Windows Server 2008 and Windows Vista after installing Service Pack 1:
Open a command prompt and run the command VSP1CLN.EXE.  This file is found in the %windir%\system32\ directory.

For Windows Server 2008 and Windows Vista after installing Service Pack 2:
Open a command prompt and run the command COMPCLN.EXE. This file is found in the %windir%\system32\ directory.

For Windows Server 2008 R2 and Windows 7 after installing Service Pack 1:
Open a command prompt and run the command DISM.exe /online /Cleanup-Image /spsuperseded

Again, be reminded that should you run any of the commands above, the service pack will become permanent.  You will not be able to uninstall it.  However, you will free up some pretty significant disk space.  Be certain to test on a test machine before running this on a production computer.

JamesNT

Recovering from a Lost SUSDB

Imagine the following scenario:

  • You installed the Windows Internal Database role on Server 2008 64-bit.
  • You installed the WSUS role on the same server and set it to use the Windows Internal Database.
  • One day, you notice WSUS is not giving out updates and you cannot start the WSUS management console.  It tells you that SQL may not be started on the machine.

If your SUSDB has become corrupt, you cannot access WSUS.  Furthermore, you cannot uninstall WSUS.  And, as if matters couldn’t get any worse, you cannot uninstall the Windows Internal Database since WSUS depends on it.  Fortunately, you can resolve this issue by re-creating the SUSDB.  First, log on to your Windows Internal Database using SQL Server Management Studio Express 2005 or higher.  If the SUSDB is listed, delete it.  You will then need to go to the following location to remove the files:

%windir%\sysmsi\ssee\mssql.2005\mssql\data

Delete the SUSDB database file and its log file.

Next, open up the following SQL file in SQL Server Management Studio Express and execute it to recreate the database:

%ProgramFiles%\Update Services\Database\CreateDatabase.sql

This file will create an empty SUSDB database.  Once this is done, you can remove WSUS from your server and re-install it if you need it back.  I recommend reinstallation as that will put your settings back in place like you had them.  Remember, the SUSDB you just created is empty with no tables in it.

I hope this information helps.  If anyone has a better solution, please add it to the comments section.

JamesNT

Raymond Chen: The TEMP Directory

Mr. Raymond Chen of Microsoft has made an interesting post on his blog regarding the TEMP directory in Windows.  In his post, he states that “The TEMP directory is a dumping ground of random junk.”  He’s quite correct.  Many programs, including installers, use the TEMP directory for storing temporary data.  Unfortunately, there are many programs that use the TEMP directory for permanent storage.

Obviously, as time moves on, some of these programs are bound to bump heads as they copy files with the same name, etc. to that same directory.  The most common issue I have seen is installations failing because of stuff left behind from previous installs.

Fortunately, there is a fix that I have found works often.  Use the disk cleanup tool in Windows.  Open up Windows Explorer, go to My Computer, and then right-click your C drive and choose Properties.  You should see a button called Disk Cleanup right there on the General tab.  You will want to change some of the options for the Disk Cleanup tool to make sure it does get temporary files. 

Once you run the wizard, you should have a few gigabytes back on your drive, and the issue with files in the TEMP folder interfering with new installs should be mitigated.

image

JamesNT

SharePoint 2010 Foundation–The Website Declined to Show This Webpage

After doing an in-place upgrade of SharePoint 3.0 to SharePoint Foundation 2010, you may receive this error on both your SharePoint site and the Central Administration Tool. 

The cause of this problem for me was the application pools in IIS not being set properly after the upgrade.

In IIS 7.0, expand your web server and go to Application Pools.

image

As the picture above indicates, both the SharePoint Central Administration v3 and the SharePoint – 80 application pools are set to “No Managed Code.”  They should be set to .NET Framework version 2.0.50727.  Once you make the change your SharePoint sites should come up.  Do note that it may take a moment for the site to display since the .Net runtime has to be spun up.

JamesNT

Setting Up Multiple VLAN’s in the Juniper SRX

By default, the Juniper SRX100 and SRX210 set up fe-0/0/0 as your Internet connection interface and the rest of the interfaces (fe-0/0/1 – fe-0/0/7 on the SRX100) as switching ports on a single vLAN.  It is not uncommon for a network to require more than one vLAN for either political or technical reasons.  For my home, in which I am using a SRX100, my reason is that I want my family computers on one vLAN and my Dell T310 server with all my test virtual machines on other vLANs.  This way, issues such as my test Small Business Server 2003 machine running its own DHCP server will not interfere with the computers that belong to my family (my wife has a mini-laptop, and we also have an Xbox).  I could go further and set up a Windows Server 2012 Essentials machine with its own DHCP server as well, and it would interfere with neither the SBS 2003 virtual machine nor the family machines.  As long as everyone is on their own vLAN, all should be well.

First, type in edit interfaces vlan in the SRX to get to the vLAN interface.  Remember that each physical interface can have many logical interfaces.  Obviously, the vlan interface is not a physical interface (it doesn’t represent a physical interface on the front of the machine) yet the same rule applies nonetheless.  Type the following to create three more vLANs for this interface:

set unit 1 family inet address 192.168.5.1/24

set unit 2 family inet address 192.168.10.1/24

set unit 3 family inet address 192.168.15.1/24

When you type show you should see the following for the current config of your vlan interface (note that unit 0 is the default that was already there):

image

Now, we need to go to the actual vlan settings of the SRX.  Type top to get out of interfaces and back to the top of the configuration tree, then type edit vlans.  Type the following three set commands to create the new vlans and tie each one to the logical unit we just created on the vlan interface (vlan.1, vlan.2 and vlan.3; vlan.0 stays with the default vlan-trust):

set vlan-trust2 vlan-id 4 l3-interface vlan.1

set vlan-trust3 vlan-id 5 l3-interface vlan.2

set vlan-trust4 vlan-id 6 l3-interface vlan.3

If you type show your configuration for vlans should now look like this:

image

Now we must set three interfaces to our new vlans – one to each vlan.  Type top to go to the top of the configuration tree and then type edit interfaces to get back in to the interface list.  For my configuration, I’m going to assign fe-0/0/7 to my fourth vlan, fe-0/0/6 to my third vlan, and fe-0/0/5 to my second vlan.  Type the following:

delete fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust

set fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust4

delete fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust

set fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust3

delete fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust

set fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust2

Our last step is to configure DHCP for one of the vlans.  I need DHCP for only one of the vlans, as the other two will have a server such as Windows Server 2012 Essentials as the DHCP server.  Type top to make sure you are at the top of the configuration tree.  Then type edit system services dhcp.

Type the following commands to create a new DHCP scope and assign it to the last vlan:

delete router

set pool 192.168.1.0/24 router 192.168.1.1

set pool 192.168.15.0/24 address-range low 192.168.15.10 high 192.168.15.254

set pool 192.168.15.0/24 router 192.168.15.1

set pool 192.168.15.0/24 propagate-settings fe-0/0/0

Notice we had to delete the original router entry since it was outside the scope of any given pool and, therefore, would have propagated that router setting out to all DHCP scopes.  If you received an error typing that delete command, don’t worry; just type show to see where the router setting is.  If it is already in the first pool, then skip that command and finish setting up the second pool.  After typing show, your DHCP should look like this:

image


Once you are done with that, do a commit confirmed 5, which will commit your settings but give you 5 minutes to type commit again before rolling you back.  This way, if a mistake is made, you will get back to your last known good configuration and can try again.  While waiting out your 5 minutes, be sure to connect a computer to the other interfaces on the device to see if they get connectivity.  For those interfaces without DHCP, you’ll need to statically assign an IP address.  Once you verify all is well, type commit again to make the changes permanent before you are rolled back.

We now have three new vLANs on our SRX alongside the default one: the default vLAN with interfaces fe-0/0/1 through fe-0/0/4 with DHCP, one at fe-0/0/5 without DHCP, one at fe-0/0/6 without DHCP, and one at fe-0/0/7 with DHCP.  The table below summarizes.

vLAN   Interface   IP Address        DHCP
0      fe-0/0/1    192.168.1.0/24    Yes
       fe-0/0/2    192.168.1.0/24
       fe-0/0/3    192.168.1.0/24
       fe-0/0/4    192.168.1.0/24
1      fe-0/0/5    192.168.5.0/24    No
2      fe-0/0/6    192.168.10.0/24   No
3      fe-0/0/7    192.168.15.0/24   Yes
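The whole procedure above, from the vlan units through the DHCP pool, as an added example that is not part of the original post: a small Python script that takes the plan from the summary table, checks it for the mistakes that bite in practice (a vlan-id or unit used twice, a port left in two VLANs, a subnet that overlaps another VLAN or the default 192.168.1.0/24), and prints the set/delete commands in the order the post walks the configuration tree, ending with commit confirmed 5. The VlanPlan type, the validate/render function names and the 10-address DHCP offset are this example’s own assumptions; the command syntax follows the post.

```python
import ipaddress
from dataclasses import dataclass

# Factory state the post starts from: the switching ports sit in "vlan-trust"
# on vlan.0 (192.168.1.0/24) and fe-0/0/0 faces the ISP.
DEFAULT_VLAN = "vlan-trust"
DEFAULT_NET = ipaddress.ip_network("192.168.1.0/24")
UPLINK = "fe-0/0/0"


@dataclass(frozen=True)
class VlanPlan:
    name: str           # name under the vlans stanza, e.g. "vlan-trust2"
    vlan_id: int        # 802.1Q tag
    unit: int           # logical unit of the "vlan" interface carrying the gateway
    gateway: str        # SRX address on that VLAN, e.g. "192.168.5.1/24"
    ports: tuple        # switching ports moved into the VLAN
    dhcp: bool = False  # True if the SRX itself hands out leases here


# The plan from the post's summary table (constructed input for this example).
PLAN = [
    VlanPlan("vlan-trust2", 4, 1, "192.168.5.1/24", ("fe-0/0/5",)),
    VlanPlan("vlan-trust3", 5, 2, "192.168.10.1/24", ("fe-0/0/6",)),
    VlanPlan("vlan-trust4", 6, 3, "192.168.15.1/24", ("fe-0/0/7",), dhcp=True),
]


def validate(plan):
    """Return the problems that would make commit fail or quietly merge VLANs:
    duplicate vlan-ids, duplicate units, a port in two VLANs, overlapping subnets."""
    problems = []
    seen_ids, seen_units, seen_ports = set(), set(), {UPLINK}
    nets = [(DEFAULT_VLAN, DEFAULT_NET)]
    for v in plan:
        if v.vlan_id in seen_ids:
            problems.append(f"duplicate vlan-id {v.vlan_id} ({v.name})")
        if v.unit in seen_units or v.unit == 0:
            problems.append(f"unit {v.unit} already in use ({v.name})")
        for p in v.ports:
            if p in seen_ports:
                problems.append(f"port {p} assigned twice ({v.name})")
            seen_ports.add(p)
        net = ipaddress.ip_interface(v.gateway).network
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{v.name} {net} overlaps {other_name} {other}")
        seen_ids.add(v.vlan_id)
        seen_units.add(v.unit)
        nets.append((v.name, net))
    return problems


def render(plan, dhcp_low_offset=10):
    """Emit the commands in the order the post walks the tree; raise on a bad plan."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["edit interfaces vlan"]
    for v in plan:
        cmds.append(f"set unit {v.unit} family inet address {v.gateway}")
    cmds += ["top", "edit vlans"]
    for v in plan:
        cmds.append(f"set {v.name} vlan-id {v.vlan_id} l3-interface vlan.{v.unit}")
    cmds += ["top", "edit interfaces"]
    for v in plan:
        for p in v.ports:
            cmds.append(f"delete {p} unit 0 family ethernet-switching vlan members {DEFAULT_VLAN}")
            cmds.append(f"set {p} unit 0 family ethernet-switching vlan members {v.name}")
    served = [v for v in plan if v.dhcp]
    if served:
        cmds += ["top", "edit system services dhcp"]
        for v in served:
            gw = ipaddress.ip_interface(v.gateway)
            net = gw.network
            low = net.network_address + dhcp_low_offset   # leave room for static hosts
            high = list(net.hosts())[-1]                   # last usable address
            cmds.append(f"set pool {net} address-range low {low} high {high}")
            cmds.append(f"set pool {net} router {gw.ip}")
            cmds.append(f"set pool {net} propagate-settings {UPLINK}")
    cmds += ["top", "commit confirmed 5"]  # rolls back unless confirmed in time
    return cmds


if __name__ == "__main__":
    print("\n".join(render(PLAN)))
```

Running it prints the commands to paste into the CLI one stanza at a time; the post’s one-off step of moving the router setting into the first pool is left out because it depends on what is already in the dhcp stanza. The validation runs before anything is rendered, so a plan that would overlap the family subnet never reaches the device.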


As far as security goes, all the vLANs belong to the trust zone and follow all the policies of that zone.  Later on we will look at putting vLANs into their own zones so we can have more granular control over security.

JamesNT

How Windows Handles Applying Service Packs and Patches

My programming god, Raymond Chen, has written an article on TechNet Magazine about how everything is kept straight and organized when you apply security patches and service packs to Windows 7.  It’s a great read.  He doesn’t cover all the details, but he does cover some interesting bits.  Check out the article here:

http://technet.microsoft.com/en-us/magazine/jj712210.aspx

JamesNT

SSIS: Dealing With Temporary Tables in Access

When using temporary tables in SQL Server, all you have to do is prefix the table during creation with a “#” (pound sign) and SQL Server knows to delete the table after the session closes.  Example of creating a temporary table in SQL Server:

CREATE TABLE #myTable (
ID int IDENTITY(1,1),
firstName nvarchar(30),
lastName nvarchar(30)
)

Again, if you close your session in SQL Server, the above table will be dropped then and there.  This makes temporary tables in SQL Server very useful to SSIS as they clean up after themselves.

Unfortunately, there are many of us who are still having to deal with all those pesky Access 200x databases running around.  And, unfortunately, Access does not support temporary tables like SQL Server does.  When you create a table in Access, it is there to stay unless you specifically drop it by executing a DROP TABLE statement.

In SSIS, this leads to a bit of a problem.  Let’s say your package fails for whatever reason (lost connection to server, power went out, etc.) before it gets to the step where you clean up all those temporary Access tables (i.e. you have an Execute SQL step that has one or more DROP TABLE statements in it).  The next time that same package is scheduled to run it’s just going to fail again when it gets to the step where you create your temporary tables in your Access database because those tables already exist.

To combat this problem, and to give yourself a sanity check (like me, you probably forget to delete your temp tables while testing, which means you see the “table already exists” error a lot), we can add a step that checks for the temp tables in Access and drops them.  Before the step that creates your temp tables, insert a Script Task that runs the following code:

// Script Task body (C#). These go at the top of ScriptMain.cs:
//   using System.Data;
//   using System.Data.OleDb;
// The members below sit inside the ScriptMain class that SSIS generates.
OleDbConnection conn = null;
OleDbCommand comm = null;
public void Main()
{
    // "Connection Manager" is the name of the OLE DB connection to the Access database
    conn = new OleDbConnection(Dts.Connections["Connection Manager"].ConnectionString);
    comm = new OleDbCommand("", conn);
    conn.Open();

    // Each temp table is dropped only if an earlier run left it behind
    if (checkForTable("Demographics"))
    {
        comm.CommandText = "DROP TABLE Demographics";
        comm.ExecuteNonQuery();
    }
    if (checkForTable("newBills"))
    {
        comm.CommandText = "DROP TABLE newBills";
        comm.ExecuteNonQuery();
    }
    if (checkForTable("newTrans"))
    {
        comm.CommandText = "DROP TABLE newTrans";
        comm.ExecuteNonQuery();
    }
    comm.Dispose();
    conn.Close();
    conn.Dispose();
    Dts.TaskResult = (int)ScriptResults.Success;
}
private bool checkForTable(string tableName)
{
    // GetSchema("Tables") restrictions are catalog, schema, table name, table type;
    // only the table name is filled in here
    string[] restrictions = new string[3];
    restrictions[2] = tableName;
    DataTable dt = conn.GetSchema("Tables", restrictions);
    return dt.Rows.Count > 0;
}

Notice that this code checks for three tables:  Demographics, newBills, and newTrans.  You can, of course, keep adding “if” statements to check for your temporary tables, or you can pass in an object variable holding a list of tables and loop through it.  This way, if your package fails for some reason during one run, on the next run any temporary tables in Access will be dropped before the task that creates them executes.
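The check-then-drop pattern above, as an added example that is not part of the original post: the same idea in Python against an in-memory SQLite database (sqlite3 stands in for Access and OleDb so the example runs anywhere; the sqlite_master catalog plays the role of GetSchema("Tables")). It takes the list of temporary table names as data, as the paragraph above suggests, and because a table name cannot be bound as a query parameter it refuses any name that is not a plain identifier before splicing it into DROP TABLE. The table names, the simulate_failed_run scenario and the identifier rule are constructed for this example.

```python
import re
import sqlite3

# Names of the temp tables a package creates. The post hard-codes three;
# when the list comes from a package variable, validate each entry first.
TEMP_TABLES = ["Demographics", "newBills", "newTrans"]
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def table_exists(conn, table_name):
    """Ask the catalog whether the table exists (sqlite_master here; the post
    uses OleDbConnection.GetSchema("Tables", restrictions) against Access)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    return row is not None


def drop_stale_temp_tables(conn, names=TEMP_TABLES):
    """Drop every listed table that exists; return the names actually dropped.
    Identifiers cannot be parameterised, so each name is checked against an
    allow-list pattern before it is placed in the DROP TABLE statement."""
    dropped = []
    for name in names:
        if not _IDENT.match(name):
            raise ValueError(f"refusing to build DROP TABLE from identifier {name!r}")
        if table_exists(conn, name):
            conn.execute(f'DROP TABLE "{name}"')
            dropped.append(name)
    conn.commit()
    return dropped


def simulate_failed_run():
    """Constructed scenario: a previous run created two temp tables and died
    before its cleanup step. Return (dropped_on_rerun, tables_left_behind)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Demographics (ID INTEGER PRIMARY KEY, firstName TEXT)")
    conn.execute("CREATE TABLE newBills (ID INTEGER PRIMARY KEY, amount REAL)")
    conn.execute("CREATE TABLE Customers (ID INTEGER PRIMARY KEY)")  # a real table
    dropped = drop_stale_temp_tables(conn)
    remaining = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    conn.close()
    return dropped, remaining


if __name__ == "__main__":
    print(simulate_failed_run())
```

Only the tables that exist are dropped, so the task is safe to run on a clean database too, and a real table such as Customers is never touched because it is not on the list. The identifier check matters once the list is fed from a variable rather than typed into the script.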

There may be other more elegant ways to handle this problem.  If I think of any, I’ll post them.  You, of course, are welcome to mention other ways in the comments section.

JamesNT

R. I. P. ISA/TMG Server and SBS Server

As I’m certain many of you know, Microsoft has announced the discontinuation of Internet Security and Acceleration (ISA) Server, which was later renamed to Threat Management Gateway (TMG) Server, and Small Business Server.  You can find those announcements here and here respectively.

I must admit I’m of mixed feelings about all this.  I had a fond love of both products.  In fact, I thought Small Business Server 2003 was one of the best products MS ever made.  You had so much cool stuff in one box. 

  • Windows Server 2003
  • Exchange Server 2003
  • SQL Server 2005
  • ISA Server 2004

While that all seemed like such a great idea all those years ago, having all that stuff on one box – especially a 32-bit box – turned out to be a bad idea.  It didn’t take much to fill up those four gigs of RAM with Exchange and SQL Server assuming you used both of them significantly.  Microsoft eventually broke SBS up into two servers with SBS 2008 and SBS 2011, however.  Another issue is that, while I knew what I was doing with SBS, a lot of other “IT Pros” did not.  It wasn’t uncommon at all for me to find an SBS box that was completely hosed and barely functioning – with the client constantly wondering why things sucked so much all the time.  The biggest issue was that most IT people attempted to manually configure all the features rather than using the wizards.  Even Susan Bradley, the SBS Diva, had something to say about that after someone posted a rogue article about configuring SBS – using the completely wrong approach.

This brings me to ISA/TMG.  Again, a great product.  The biggest problem with ISA/TMG was expense.  Today you can get Juniper’s SRX100 fully loaded for less than $1000 with great performance for the majority of small businesses.  The cheapest ISA/TMG computer I ever saw was just over $3000.  No one is going to pay that for a firewall.  Not to mention the fact that I don’t think as many people plugged into ISA/TMG via add-ons as MS had hoped.

Lastly, of course, as to why these products are going the way of the dinosaur, is The Cloud.  Everyone who knows me knows that I am NOT a big fan of the cloud.  To me it’s just another round of outsourcing.  Another round of CEOs and CIOs stupidly expecting top-notch Cadillac-quality performance and service out of people who do not work for them.  We tried it in the ’90s when we fired our IT staff and asked another company to send in theirs to run the show, and we tried it again in 2003 when we sent everything to outsourcing companies in India.  Neither case has worked thus far – at least not to expectation.

Of course, the only thing we know for certain is that the only constant is change.  It’s time to grab some new skills and move forward.  The glory days of having 2 – 3 dozen or so small business clients using SBS 2003 and making a decent living off of them by providing customized service at a great price are long over.  Today we have the “one size fits all” Cloud.  Today, we move our stuff to big servers hosted by faceless people that have no idea who we are or what we need.  Today, we move back to the mainframe. 

Welcome to the future.

JamesNT

Exploring the Juniper SRX Default Configuration

In Part III of our quick start series, we went through the Juniper setup screens to set some initial configuration settings for our new device.  Today, we are going to use the CLI to explore the default configuration given to us by those initial settings.

To access the SRX CLI, you need Telnet.  Please note that on Windows 7 and Windows Server 2008 R2 the Telnet client is not installed by default.  You may follow these instructions to install Telnet.

Once you have Telnet installed, if you needed to install it, open a command prompt and type TELNET 192.168.1.1. 

image

Once you hit enter, you will be presented with a username prompt.  Use the Administrator account that we created in Part III of the Quick Start series to log in.  Note that both user names and passwords are CASE SENSITIVE.  Once logged in, you’ll see a prompt like this.

image

At the command prompt, type the word configure and press Enter to enter configuration mode.  There are two modes to the SRX; we will investigate them both in future posts.  Suffice it to say the mode you enter when first logging on is Operational Mode, used for monitoring and the like.  Configuration Mode is where you configure the device.  Your prompt should now look like this.

image

Notice that the prompt changed from using a “>” symbol to using a “#” symbol.  The “#” symbol means you are in configuration mode.  The “>” means Operational Mode. 

In Configuration Mode, there are certain commands you use to navigate the configuration tree.  The following shows most, but not all, of the configuration tree:

image

We will be investigating many of the parts of the configuration tree in future posts.  To navigate the tree, we do have certain commands to use.

show – shows the configuration of the part of the tree you are at.  If you are at the configuration root, the show command will show you the entire tree which can take a long time if there are lots of things configured.  If, however, you have navigated to, say, System | Name-server then the show command will show you only what is in that section.  If there is more information to show than what your window will allow, the show command will fill the window and stop until you press the spacebar for the next page.  The percentage you have seen thus far is shown at the bottom.

image

edit – use this command to tell the CLI what part of the tree you wish to edit.  For example, if you type edit system then you will enter the system stanza of the tree.  Do notice that the prompt tells you where you are.

image

up – use this command to navigate up the tree.  edit brings you down to the levels you specify; up brings you to the next level above where you are.

image

top – if you want to go straight up to the configuration root, use top.

Now that we know how to move around a bit, let’s take a look at certain parts of the tree, called Stanzas.  First, type the word top to make sure you are at the top of the configuration root in case you have been playing around.  Next, type the following:

edit system name-server

This will place you in the System part of the tree in the name-server stanza.  Now type show.

image

You should see the IP addresses of the name servers you typed in while following along in Part III of the quick intro.  Type top to go back to the top of the configuration tree (refer to the diagram above when needed).

Now type the following commands:

edit interfaces fe-0/0/0
show

If you are using the SRX210, replace the fe with ge.  Otherwise, you should see this:

image

Notice where the arrow is pointing.  If in the initial configuration screen you unchecked the DHCP box and entered a static IP, that IP is here.  Otherwise, you’ll see DHCP.  This interface is the one that should be plugged in to your ISP.  In my case, it is plugged into my Linksys router which allows my other computers to get on the Internet as well.  Later on, we are going to make some configuration changes to make the SRX my router for my network and we will remove the cheap Linksys.  Type up to go up one level and then type show:

image

Notice that we are now looking at all the interfaces.  The show command as I mentioned earlier shows you everything in the current position of the tree, including sub-branches of that position.  Since we are at the interface level, it is showing us all the interfaces along with their configurations.  Notice you have the —(more)— at the bottom for scrolling.  Use the space bar to scroll on down.

Notice also that while fe-0/0/0 is assigned a static IP address, or DHCP depending on your choice in the initial configuration screen, the other interfaces are all assigned to a VLAN.  You also have interface lo0 which is, of course, the loopback adapter.  At the bottom, you should see the interface for the VLAN and the IP address it is assigned which is the IP address range of your internal network with the SRX.

image

Let’s take a look at the VLAN itself.  Type top to get to the configuration root.  Then type:

edit vlans
show

Notice we have a Virtual LAN called “vlan-trust” defined and that the interface we saw above is assigned to it.  Also, notice the shorthand for which unit to refer to.  Instead of typing the name of the VLAN then the name of the unit, we just do vlan.0 where the zero is the unit.  If you have more units, such as 10, 11, and 12, you could do vlan.10, vlan.11, vlan.12, etc. 

image

So what we have is a logical interface that defines the IP address range of the VLAN, which is assigned to the VLAN itself, which is in turn assigned to the other interfaces (except fe-0/0/0).  This allows us a great deal of flexibility.  Think about it: you could literally have each port on the front of the SRX assigned to a completely independent VLAN.  Let us continue.  Type top to get to the configuration root again.  Now type the following:

edit security zones
show

We are now looking at the default zones created by the SRX.  One is called trust and the other is called untrust.  Typically, trust is your internal LAN and untrust is the Internet.  Notice what we are doing:

  • For inbound traffic to the trust zone, we are pretty much allowing everything to go to the SRX.  All protocols.  And we assigned our VLAN, vlan.0, to this zone.
  • For the untrust zone, we assigned fe-0/0/0 and notice that we allow only dhcp and tftp.  Normally I remove these.  Do keep in mind that if you remove DHCP and you chose DHCP as the way for fe-0/0/0 to get IP address from the ISP, you will no longer be able to get on the Internet should your ISP change IP addresses on you (assuming you don’t have a static address).

This all should make sense.  fe-0/0/0 is plugged into our Internet connection and our vlan.0 is our internal network, as we examined earlier.  In a true production environment, though, we may place more limitations than this even on the internal network instead of just allowing everything.

image

At the CLI prompt, type up to go up one level, then type edit policies, then type show.

We are now looking at our one and only default security policy.  It should be pretty straightforward.  We have one policy called “trust-to-untrust” that pretty much allows anything from the internal network to go out to the Internet.  Since there is no policy allowing traffic from the Internet to the internal LAN, anything from the Internet is blocked.

image

Type up one more time, then type edit nat, then type show.  We are now looking at our Network Address Translation (NAT) configuration.  We have one rule translating addresses for traffic that goes out regardless of IP address.  We do not translate any traffic coming to us since, thanks to our policy, we have no traffic coming in.

image

So what we have is this:

image

This is straight from the book I recommend on my Books I’m Reading page for learning the Juniper SRX Security Services Gateway.  This diagram gives a decent idea of how traffic is processed by the SRX. 

And this is the default configuration you are given after completing the initial setup wizard. 

To exit the CLI of the Juniper SRX, type the exit command until your telnet session is closed.

Next up, we are going to add some VLANs and assign other ports to them.  In my home network, I have my wife’s computer which will go on one VLAN, my computer which will go on another, and a Dell PowerEdge T310 server running several virtual machines that will all be on yet another VLAN.

Do keep in mind that my quick overviews and instructions on how to perform certain tasks are meant to show you how I’m using the SRX.  If you really wish to learn the device properly, I recommend the book Junos Security, found here at Amazon.com in paperback, or you can go with the Kindle edition.

JamesNT

WSUS Connection Error

If you get a screen on your WSUS server that looks like this:

image

Or when trying to connect you get this error:

image

The problem is most likely with your WsusPool in IIS 7.x.  Open the IIS 7 Manager and go to Application Pools.  Then double-click the WsusPool.  The .Net framework version should be set to v2.0.50727 (mine was set to unmanaged).  Make certain all settings, including .Net Framework version, are set to what you see here:

image

Click OK then restart IIS 7.  Your WSUS console should connect now.  I have seen this problem come up after fresh installs.  Apparently the installer does not set this setting correctly sometimes.

James