I recently exchanged several emails with a long-time UNIX administrator who
was new to writing command shell scripts. I realized that many new Windows administrators
would benefit from a simple command shell scriptwriting Q&A. The following
information will help administrators set up their scripting environment.
I'd like to learn how to write Windows scripts, but I'm not sure which language
to use (e.g., command shell scripting, VBScript, Perl). Is there a preferable
language?
Although many scripting languages are available, command shell scripting
is a great place to start. Administrators need to be familiar with command shell
scripting because they sometimes need to modify or update legacy command shell
scripts in their environment. In addition, some applications use scripts to
start services or perform other operations that administrators need to troubleshoot.
Being able to examine command shell code and quickly determine a script's operation
is often useful. Even if shell scripting isn't your primary scripting language,
you need to be familiar with command shell scripting because it's useful to
call some utilities and commands from scripts written in other languages (e.g.,
VBScript, Perl).
I've heard that .bat files' functionality is limited. Is this statement accurate?
Many people associate .bat files with the command shell in Windows 9x, Windows
3.x, or MS-DOS. Admittedly, these OSs' command shells have limited functionality.
However, the command shell in Windows NT and later is enhanced and offers more
built-in commands and other tools. A well-written command shell script has extensive
functionality.
How do I know which commands to use for particular tasks?
You can use three types of commands in your command shell scripts: built-in commands and commands from resource kit tools and third-party tools. To obtain a command's help information, enter
command /?
or
command -?
or
command
where command is the name of the command you want to learn about.
Windows Server 2003 and Windows XP have approximately 200 built-in commands. You can use the online help to learn about these commands' usage. Select Run from the Start menu, or open a command shell window, and enter
"%windir%\hh.exe" "ms-its:
%windir%\Help\ntcmds.chm::/nt
cmds.htm"
The Windows Server 2003 Resource Kit Tools include more than 200 additional
tools that aren't installed by default. Some of these tools are GUI based but
many are command shell oriented. To download the resource kit installation file
(rktools.exe), go to http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en. (Note that the resource kit
I discuss here is the freely down-loadable software and tools, not the set of
Microsoft reference books that you must purchase, which includes the resource
kit software and tools on CD-ROM.) Consider not accepting the default installation
location, which contains spaces in the pathname. Some command shell tools are
sensitive to spaces in the path when used inside a For loop. The support tools
installation file (suptools.msi) is available in your Windows OS's installation
CD-ROM's \SUPPORT\TOOLS folder.
Third-party tools are tools that developers create to solve specific problems
in their own environments, then make available for others to use. Many third-party
tools are available as freeware. Most of the third-party tools I use are from
the following four sources:
- Sysinternals' PsTools (http://www.sysinternals.com/utilities/pstools.html)
- Joeware.net's Windows 2003 tools (http://www.joeware.net/win/free/k3.htm)
- SystemTools Software's free utilities
(http://www.systemtools.com/free.htm)
- Beyond Logic's software solutions
(http://www.beyondlogic.org/solutions)
Between the built-in tools, resource kit tools, and third-party solutions, you have 400 to 500 tools available. The number of tools continues to increase, giving you many resources for accomplishing scripting tasks.
I installed the Windows Server 2003 Resource Kit Tools, but when I enter a command at a command prompt, I receive the message ' Command' is not recognized as an internal or external command, operable program or batch file. What am I doing wrong?
When you install resource kit tools, the installation program puts an entry
in the path variable during installation. If you later rename the destination
folder and change the tools' location, you must also change the path variable
to reflect the new location. Also, if you copy the Resource Kit Tools folder
from one machine to another, you must change the path variable to reflect the
new location.
I've tried running several commands that I've seen in command shell scripting articles, but I receive error messages. What could be causing the problem?
First, ensure that you're using the same version of the tool as the article discusses. Developers generally add switches and options as they create later versions of tools. (For this reason, using the latest version of a tool is best.) Then, if the version on your machine differs from the version being discussed in the article, use your tool's online help to compare the two versions' switches and options. Not only do new switches and options get added but occasionally existing switches and options get changed. For example, an existing switch's delimiter might change from a front slash (/) to a hyphen (-). You need to modify your code to accommodate such changes.
I'm interested in command shell scripting because I've heard it can help me monitor security in my environment. How can I use shell scripts to enhance security?
You can use scripts in combination with command-line tools to increase security.
I've used scripts for the following security-related needs:
- To create a log that contains the membership of the local Administrators
group on a list of servers or an entire organizational unit (OU) of servers
- To create a report that lists all the permissions on a shared resource
- To create a log that identifies all the groups and users in a particular
OU
- To compile a list of the last users logged on to each server and workstation
- To locate all the servers in my environment that have vulnerabilities, such
as missing hotfixes or hidden payload files
- To create a log that details any membership changes to the Administrators
group or other special-privilege groups in the domain
- To determine when PCs that normally stay on 24 X 7 are being are shut down.
I once encountered a situation in which thieves were shutting down machines
and removing memory. I wrote a script that helped pinpoint the times and locations
of these unauthorized shutdowns.
Prev. page
[1]
2
next page 
