Temporary file from UsrClass.dat (sometimes associated with NTUSER.dat)

Are UsrClass.dat{randomnumber}.TM.blf files filling up your user hard disk space? What they are, and whether we can erase them, is what I will talk about today (if you can't run the Disk Cleanup wizard).

[Screenshot of the files]

(and/or together with these files)

[Screenshot of the files]

Some background: those files hold temporary registry settings that have not yet been written to UsrClass.dat. To prevent corruption, the OS writes them into the registry when it determines it is safe to do so. The files act like .TMP files.

UsrClass.dat contains: HKEY_USERS\<User SID>_Classes (HKEY_CURRENT_USER\Software\Classes)

If your profile is filled with those files, it means something interrupted that step of the OS. It is a warning to check what happened so you can fix the real problem. We start by checking the Event Viewer.

In my case, I used the timestamp of one of the files to search the event log.


I was able to find it was caused by a scheduled restart, and that a service was giving an error.



For me, after analyzing the cause and the files, I can safely remove those files. Note that running the Disk Cleanup tool would have been a lot safer and faster, but in my case I wasn't able to.


Thanks !



How to export Event Viewer data to Excel with PowerShell

Hi everyone

Today I will give a tip on how to export Event Viewer data to Excel with PowerShell.

– First log into your machine

– Open a PowerShell console

– Run

Get-EventLog -LogName Security -ErrorAction SilentlyContinue | Export-Csv output.csv


– Open the file in Excel



– Now we will add a column filter to filter the file

– Erase the first line (the #TYPE line that Export-Csv writes), select Filter


– Now the filter is available



Enjoy the tip ! 🙂








Visual Studio 2015 on Windows Server 2012 R2

Hi everyone!


Today I will share a small tip in case you run into this: Visual Studio 2015 throws an error about a KB while installing, but the order in which the KBs must be installed is confusing.

And if you try to install KB2919355 directly:

The solution is that those KBs must be installed in the following order: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018.

KB2919442 is a prerequisite for Windows Server 2012 R2 Update and should be installed before attempting to install KB2919355.



Thanks !




Remove any trace that an antivirus was installed (WMI)

Hi everyone

Today I will give a small tip for when you have a problem re-installing an antivirus and it complains that one is already installed, or when the maintenance center lists one that is no longer there.

Sometimes an entry is left behind in the WMI database, and you can confirm it by running this command:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

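If it lists a product that is no longer installed, you can run the script below to remove the invalid entries.

It removes the faulty entries from the antivirus WMI class in SecurityCenter/SecurityCenter2. Note that the PowerShell command pipes every AntiVirusProduct instance to Delete(), not only the stale one.

The PowerShell code: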

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()} 
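
A narrower variant of the command above, as an added example that is not part of the original post: it lists each registration and deletes only the entries whose registered executable is missing from disk. The function names are hypothetical, the "missing executable means stale" rule is an assumption, and it needs Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumption: an entry is stale when its registered executable is missing from disk.

function Get-AntiVirusRegistration {
    Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {
        # Registered paths may be quoted or contain variables such as %ProgramFiles%.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$_.pathToSignedProductExe).Trim('"')
        # A value that is not a drive-letter path (for example a URI) cannot be
        # checked on disk, so it is never flagged as stale.
        $isFilePath = $exe -match '^[A-Za-z]:\\'
        [pscustomobject]@{
            DisplayName  = $_.displayName
            InstanceGuid = $_.instanceGuid
            ProductExe   = $exe
            Stale        = $isFilePath -and -not (Test-Path -LiteralPath $exe -PathType Leaf)
            WmiObject    = $_
        }
    }
}

function Remove-StaleAntiVirusRegistration {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    foreach ($entry in @(Get-AntiVirusRegistration | Where-Object { $_.Stale })) {
        $target = '{0} {1}' -f $entry.DisplayName, $entry.InstanceGuid
        if ($PSCmdlet.ShouldProcess($target, 'Delete AntiVirusProduct WMI instance')) {
            $entry.WmiObject.Delete()
        }
    }
}

# Review the registrations, then preview the deletions without changing anything.
Get-AntiVirusRegistration | Format-Table DisplayName, ProductExe, Stale -AutoSize
Remove-StaleAntiVirusRegistration -WhatIf
```

Check the Stale column against what is actually installed before running the removal without -WhatIf; a registered path that carries command-line arguments would be flagged even though the product is present.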

A scripted (VBScript) version:

' Errors (for example, access denied) are silently ignored.
On Error Resume Next

Set shell = CreateObject("WScript.Shell")
Set getOSVersion = shell.exec("%comspec% /c ver")
version = getOSVersion.stdout.readall

' Pick the WMI namespace from the version string printed by "ver".
Select Case True
   Case InStr(version, "n 5.") > 1 : GetOS = 0 'pre vista
   Case InStr(version, "n 6.") > 1 : GetOS = 1 'vista/post vista
   Case InStr(version, "n 10.") > 1 : GetOS = 1 'Windows 10 and later
   Case Else : GetOS = -1
End Select

strComputer = "."
If GetOS = 0 Then
    Set oWMI = GetObject( _
      "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    ' Delete every AntiVirusProduct instance in the namespace.
    For Each objItem In colItems
        objItem.Delete_
    Next
End If

If GetOS = 1 Then
    Set oWMI = GetObject( _
      "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter2")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    ' Delete every AntiVirusProduct instance in the namespace.
    For Each objItem In colItems
        objItem.Delete_
    Next
End If

Scripted method from there