May 14, 2002 12:00 AM

Improve Security with Windows XP's Command-Line Tools

Windows IT Pro
InstantDoc ID #25014

Other command options let you control how the tool displays the information. You can also use Openfiles to monitor open files on remote systems that have monitoring enabled.

Users of Win2K Server Terminal Services or NT Server 4.0, Terminal Server Edition might be familiar with the Query command-line utility (query.exe). XP includes a form of Terminal Services but doesn't include Query. However, you can use other commands to get similar information (query.exe just invokes these commands, anyway). For example, to display a list of logged-on users on an XP system, use the Qwinsta command-line tool (qwinsta.exe), as Figure 3 shows. You can also use Qwinsta with the /server:servername switch and argument to query users on remote systems running Terminal Services or XP. To see a list of processes each logged-on user is running, you can run the Qprocess command-line tool (qprocess.exe). As with the Qwinsta command, you can also use Qprocess to query a remote system for processes belonging to users.

The event log is one of the most difficult areas of a Windows system to monitor. Servers running many applications or systems with security auditing enabled can generate megabytes of auditing information. Searching the information for a specific event can be difficult and time-consuming. XP's new Eventtriggers tool (eventtriggers.exe) lets you execute commands in response to events in any of the event logs. For example, to invoke the command script C:\Admin\FailLogn.cmd whenever someone fails to authenticate with the system, you can use the following command:

eventtriggers /create /l security /eid 529 /tr "catch failed logon" /tk c:\admin\faillogn.cmd /ru administrator

The script runs under the security context of the local Administrator account. The system prompts you for the password of the user you specify with the /ru switch. If you don't specify a user context, the system runs the task as Local System instead. Local System lacks a valid network security context, which causes problems for some commands, so I suggest you use a real account. I've found that the lag between an event occurring and the trigger firing can be as much as 60 seconds. As with many of the new XP tools, you can apply the command to remote XP systems. You can also combine Eventtriggers with eventcreate.exe, which writes a custom event to an event log, to build triggers that fire in response to events your own scripts raise.
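The following is an added example, not code from the article, of what the C:\Admin\FailLogn.cmd script invoked by the trigger above might contain. It ties the Qwinsta and Qprocess tools from the earlier paragraph to the Eventtriggers response: it records who was logged on and what they were running when the failed logon occurred, then uses eventcreate.exe to leave a record of the response in the Application log. The log directory, the event source name FailLogn and the event ID 900 are assumptions.

```batch
@echo off
rem FailLogn.cmd - added example, not from the article.
rem Runs when the Eventtriggers rule for security event 529 fires. It records
rem which sessions existed and what each user was running at the time of the
rem failed logon, then writes its own event so the response shows up in
rem Event Viewer. Assumed values: log directory, source "FailLogn", ID 900.
setlocal
set LOGDIR=C:\Admin\Logs
set LOGFILE=%LOGDIR%\faillogon.log
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

echo ==== %DATE% %TIME% : security event 529 (failed logon) ==== >> "%LOGFILE%"

rem Which sessions exist (console and Terminal Services) and who owns them
echo --- sessions (qwinsta) --- >> "%LOGFILE%"
qwinsta >> "%LOGFILE%" 2>&1

rem Which processes each logged-on user is running (* = all sessions)
echo --- processes (qprocess) --- >> "%LOGFILE%"
qprocess * >> "%LOGFILE%" 2>&1

rem Leave a custom Application-log event (eventcreate accepts IDs 1-1000) so
rem the trigger's own response can be audited, or used to fire other triggers
eventcreate /l application /so FailLogn /t warning /id 900 /d "Failed logon trigger fired; session snapshot appended to %LOGFILE%"

endlocal
```

Create the trigger with the eventtriggers command above, then confirm that it is registered with `eventtriggers /query /fo list`. Because the trigger can fire up to 60 seconds after the event, the snapshot reflects the state of the system at that later moment, not the instant of the failed logon.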

Monitoring Your Network
If you've ever tried to troubleshoot communications problems between a client machine and a server, you've probably used the Network Monitor utility (netmon.exe), which is included in Microsoft's server OSs. XP has a command-line utility called Netcap (netcap.exe), which is installed with the XP Support Tools. As with Network Monitor, you can use Netcap to capture network traffic. The first time you run the utility, you see a message informing you that the network driver is being installed. Netcap can read filter files created by Network Monitor 2.0 or later, and Network Monitor can read the capture that Netcap produces.

Administrators who use IP Security (IPSec) on their networks might be surprised to find that Ipsecmon (ipsecmon.exe), a useful utility for monitoring IPSec associations, doesn't ship with XP. The good news is that Microsoft has replaced Ipsecmon with a Microsoft Management Console (MMC) snap-in called IP Security Monitor, which provides enhanced monitoring of both local and remote XP systems. To access the snap-in, run mmc.exe and select File, Add/Remove Snap-in. Click Add to open the Add Standalone Snap-in dialog box. Select IP Security Monitor from the list of snap-ins, then click Add. Click OK in the Add/Remove Snap-in dialog box to return to the MMC console. When you expand Local Machine, you see two nodes: Main Mode and Quick Mode. These modes correspond to Phase I and Phase II of the IPSec negotiation process. Expand the Quick Mode node, then expand the Security Associations node to see a list of established Phase II security associations (SAs), as Figure 4 shows. You can double-click an SA to get more information about it. The other nodes contain details about the filters and policies that control the SA. You can right-click the Machine node and select Statistics to see an overview of the IPSec state on that system, as Figure 5 shows.

Managing Your System
You're probably responsible for managing, as well as monitoring, your organization's systems. As with monitoring tools, Microsoft has expanded and added to the range of management tools available in XP.

In earlier Windows versions, you could use the Support Tools kill.exe utility to end a process. Microsoft replaced kill.exe with taskkill.exe and added the ability to kill processes on remote systems, to kill processes by name or window title, to kill subprocesses, and to kill processes that match a set of conditions including status, memory, CPU usage, loaded DLLs, username, and service name.

The ability to disconnect users from shares and close the files they had open has been present in Windows since NT 3.1. With XP, you can now do this from the command line: to close files that a remote or local user has open, use the openfiles.exe utility with the /disconnect switch. As with tasklist.exe, you can specify conditions such as username, filename, and open mode. You can also use the command to close files on a remote system if you have administrative rights on that system.

If you need to log off a user on an XP system, you can use the Logoff command-line utility (logoff.exe). Although earlier Windows versions include a version of this utility, that version lets you log off only users who are connected remotely to a server. The XP version of the tool lets you log off a console user.
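The following is an added example, not code from the article, that chains the three management tools just described (openfiles.exe, taskkill.exe, logoff.exe) with Qwinsta into one containment script for a given user account: it closes the user's open files, ends the processes in each of the user's sessions, and logs those sessions off. The script name, the argument handling and the optional remote-system argument are assumptions; the switches are those of the XP tools.

```batch
@echo off
rem ContainUser.cmd - added example, not from the article.
rem Usage: ContainUser.cmd username [server]
rem Closes the named user's open files, ends the processes in each of that
rem user's sessions and logs the sessions off. An optional second argument
rem names a remote system; note that openfiles and taskkill take "/s server"
rem while qwinsta and logoff take "/server:name". Needs administrative
rem rights on the target system.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 username [server]
    exit /b 1
)
set TARGET=%~1
set SRV=
set SRVTS=
if not "%~2"=="" (
    set SRV=/s %~2
    set SRVTS=/server:%~2
)

rem 1. Show what the user has open before touching anything. On XP the list
rem    is populated only after "openfiles /local on" has been set and the
rem    system rebooted (the "monitoring enabled" the text refers to).
openfiles /query %SRV% /fo table

rem 2. Close every file opened by that user (/a = accessed by)
openfiles /disconnect %SRV% /a %TARGET%

rem 3. For each of the user's sessions, end its processes and log it off.
rem    qwinsta prints SESSIONNAME USERNAME ID STATE ...; a disconnected
rem    session has an empty SESSIONNAME, so the user name is then the first
rem    token and the session ID the second rather than the third.
for /f "tokens=1-3" %%a in ('qwinsta %SRVTS% ^| find /i " %TARGET% "') do (
    if /i "%%a"=="%TARGET%" (call :endsession %%b) else (call :endsession %%c)
)
endlocal
goto :eof

:endsession
rem End every process in session %1, including child processes (/t),
rem forcefully (/f). A USERNAME filter ("USERNAME eq DOMAIN\user") also
rem works when you know the full account name; SESSION avoids that guess.
taskkill %SRV% /fi "SESSION eq %1" /t /f
logoff %1 %SRVTS%
goto :eof
```

Run the openfiles /query step on its own first; it is the read-only check that tells you what the /disconnect step will close before you commit to it.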

The security tools I describe in this article provide you with some long-needed features. Microsoft no longer provides these utilities as unsupported resource kit add-ons; the company supports the utilities that now ship with XP. This support is a welcome change for many administrators who were frustrated when the resource kit tools didn't work as described. If you were one of the administrators who used some of the more obscure resource kit tools, you'll need to do some research to find suitable alternatives. Most administrators, however, won't miss the old tools.
