Useful Sysadmin Commands for Azure VM troubleshooting
Some cool place in Bulgari (I'm told). Might be AI generated.

Scenario:

  • Client calls/emails/texts/screams that one of their Azure Windows Server machines isn't letting anyone RDP or Bastion into it, but it shows as "running".
  • You have the VM Contributor role, because you drank some of that Four-Sigmatic 10x caffeinated mushroom coffee and remembered to PIM-up first.
  • You want to try using the "Run Command" method to see if you can poke at the guest machine at the OS layer, from the Azure portal, just to see what's going on. You wrote some handy commands on a scrap of paper, but your cat dragged it to the litter box last night.

So, now what?

Here are a few commands that seem to come up on troubleshooting calls with my teammates and on calls with Microsoft support folks, at crazy hours. These are "Run Command" friendly, using the Run PowerShell script option:

  • QUser = This super-ancient command continues to be useful, even through a PowerShell session. This one lists any currently logged-on users. If a user shows State="Active", and they are your boss, be careful.

## note the session id for who you need to logoff
quser
## log off the user by their session id number
logoff <sessionid>        

  • Do the same but on a remote Windows machine...

quser /server:<servername>
logoff <sessionid> /server:<servername>        

  • Get-HotFix = list installed updates, or most of them anyway.
  • Get-Service <name> = probe the status of a Windows service, to see if it's running or stuck in "stopping" or something weird. Also: sc.exe
  • Get-CimInstance Win32_LogicalDisk = show basic logical disk volumes to see if they're out of space. A more detailed version:

Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" | select DeviceID, VolumeName, @{l='Size'; e={[math]::Round($_.Size/1GB,2)}}, @{l='Free'; e={[math]::Round($_.FreeSpace/1GB,2)}}        

Don't worry about running this script. I have used it plenty of times in real production environments, and nobody has lived to complain about it.

  • reg query <path> = to show a registry key, or set of keys and values. For example to check if the Windows Update client is pointed to some bogus WSUS instance that someone blew away in 2020...

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate /s

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\WindowsUpdate /s        

(Note: PowerShell likes HKLM:\... because it's a registered path in PSDrive, one of the Registry PSProviders. But the reg.exe command does whatever it wants and says colons aren't allowed outside of a doctor's office)

  • ICACLS = show file system ACL and Share ACL information. Modify folder and file permissions if needed (carefully!). You can also use the Carbon PowerShell module.
  • Get-Process = See what processes are running (or not). Use -Name to filter on a particular process such as msedge. Use -IncludeUserName to show the process owner.
  • Get-WinEvent = search for event log indicators of a problem. Use the -FilterXPath param to feed a custom query. Or just a simple shotgun approach can help in a pinch...

Get-WinEvent -LogName Application | where {$_.LevelDisplayName -ne 'Information'} | select TimeCreated, Id, ProviderName, LevelDisplayName, Message -First 5        

Note: If you don't have time to cook up an XPath query, you can pipe through Where-Object{} to filter on properties, but it can run a bit slower.

  • Get-WindowsOptionalFeature -Online | select FeatureName,State
  • Get-ScheduledTask = review scheduled tasks

Honorable Mentions, which may depend on the Windows version:

  • nslookup = Name resolution verification. Other networking commands: tracert, arp, netsh, ipconfig and netstat

ipconfig /flushdns
ipconfig /registerdns
ipconfig /all        

  • Get-BitLockerVolume = query BitLocker state. Also: manage-bde.exe
  • certutil.exe = certificate review and management
  • curl.exe = download web content (to memory or to file). It's not just for Linux. Also, use Invoke-WebRequest or Invoke-RestMethod, with -OutFile if you need to save the response to a file.
  • dsregcmd = Directory services tools. Also: ntdsutil, dnscmd, dcdiag, repadmin
  • diskpart.exe = disk partition and volume information
  • All the NET commands like NET USER, NET ACCOUNTS, NET LOCALGROUP, NET VIEW, NET SHARE, NET START/STOP, NET USE...

net localgroup administrators        

  • More: getmac, gpresult, gpupdate, openfiles, winrm, sfc
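As an added example (not from the original post), here is a read-only Run Command triage script that strings several of the checks above together for the "VM shows running but nobody can RDP in" scenario. It assumes an English-locale Windows Server guest (the firewall display group name is localized) and the default RDP-Tcp listener; nothing in it changes the machine.

```powershell
# Constructed triage script for the Azure "Run PowerShell script" Run Command.
# Every step is read-only; the output goes to stdout, which Run Command captures.

$report = [ordered]@{}

# 1. Is the Remote Desktop service actually running?
$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$report['TermService'] = if ($svc) { $svc.Status } else { 'NotFound' }

# 2. Has RDP been switched off by policy or a stray registry edit? (1 = connections denied)
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
$report['fDenyTSConnections'] = if ($null -ne $deny) { $deny.fDenyTSConnections } else { 'Unset' }

# 3. Is anything listening on the RDP port? Read the configured port in case someone moved it off 3389.
$portKey = "$tsKey\WinStations\RDP-Tcp"
$rdpPort = (Get-ItemProperty -Path $portKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }
$listener = Get-NetTCPConnection -LocalPort $rdpPort -State Listen -ErrorAction SilentlyContinue
$report["ListeningOn$rdpPort"] = [bool]$listener

# 4. Is the built-in "Remote Desktop" firewall rule group enabled? (assumes English rule names)
$report['FirewallRDP'] = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Profile

# 5. Who is logged on? A pile of disconnected sessions can hit the connection limit.
$report['Sessions'] = (quser 2>&1 | Out-String).Trim()

# 6. Is the OS disk full? Profile loading and logon fail quietly when C: has no space.
$report['Disks'] = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" |
    ForEach-Object { '{0} {1:N1} GB free of {2:N1} GB' -f $_.DeviceID, ($_.FreeSpace/1GB), ($_.Size/1GB) }

# 7. Critical/Error/Warning events from the System log in the last 24 hours, first line of each message.
$since = (Get-Date).AddHours(-24)
$report['RecentErrors'] = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1,2,3; StartTime = $since } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, @{l='Message'; e={ ($_.Message -split "`n")[0] }}

# Emit everything as plain text so it is readable in the Run Command output pane.
$report.GetEnumerator() | ForEach-Object {
    "===== $($_.Key) ====="
    $_.Value | Out-String
}
```

A TermService that is Running with fDenyTSConnections = 0 but no listener on the port usually points at the guest firewall or a broken RDP-Tcp listener rather than anything on the Azure network side.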

There are many more, but these should keep you busy long enough for me to slip out the back and run away before you ask questions.
