Data Deduplication on Windows 8 Pro

Due to the modular nature of the Windows platform, it is actually possible to move features between SKUs, and even between server and client. A user at the My Digital Life forum has experimented with this and has extracted the necessary packages to run Windows Server 2012’s Data Deduplication feature on Windows 8 Pro!

If you want to test that out have a look here: http://forums.mydigitallife.info/threads/34417-Data-deduplication-for-Windows-8-x64


You get no GUI and have to manage Data Dedupe with PowerShell, but that should not be a problem. I was able to save almost 300 GB on a 500 GB drive storing virtual machine images!


If you decide to run this on any production machines take special care when hotfixes and future service packs are released.
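Since everything has to be done from PowerShell, here is an added example (not from the original post or the forum thread) that enables deduplication on a volume, runs an optimization job right away and reports the savings. It assumes the Deduplication cmdlets are present and that D: is the volume holding the images.

```powershell
# Added example: enable Data Deduplication on one volume and report the result.
# Assumes the Deduplication module is available (Server 2012, or Windows 8 with
# the ported feature) and that D: is the volume with the VM images.
Import-Module Deduplication

$volume = 'D:'

# Enable dedup on the volume. MinimumFileAgeDays defaults to a few days, so a
# fresh test would otherwise report 0 bytes saved; 0 makes the first job process
# everything. Files that are open (VHDs of running VMs) are skipped, so stop
# the VMs living on this volume before running the job.
Enable-DedupVolume -Volume $volume | Out-Null
Set-DedupVolume -Volume $volume -MinimumFileAgeDays 0

# Run an optimization job now and block until it finishes, instead of waiting
# for the scheduled background job.
Start-DedupJob -Volume $volume -Type Optimization -Wait | Out-Null

# Summarize what the job achieved.
$status = Get-DedupStatus -Volume $volume
$dedupVolume = Get-DedupVolume -Volume $volume
New-Object PSObject -Property @{
    Volume         = $status.Volume
    OptimizedFiles = $status.OptimizedFilesCount
    InPolicyFiles  = $status.InPolicyFilesCount
    SavedGB        = [math]::Round($status.SavedSpace / 1GB, 1)
    FreeGB         = [math]::Round($status.FreeSpace / 1GB, 1)
    SavingsRate    = $dedupVolume.SavingsRate
} | Format-List
```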

More info on the excellent disk deduplication feature here:

OEM/BIOS Activating a Lenovo X1

I wanted to reinstall a Lenovo X1 portable computer. While preparing to wipe the machine I used ProduKey from NirSoft to extract the product keys for the installed software. This particular machine was sold with an OEM license, for which the product key was affixed under the machine. I quickly noticed that the key printed on the label did not match the one extracted from the machine with ProduKey. That meant that the machine was BIOS or OEM activated.

I now had two choices; I could bring the OEM activation with me over to my new install or just use the key printed on the sticker. The last option would have been the easiest, but that’s not how I roll. So how to “extract” the OEM activation?

A friend of mine had previously gone through just this scenario with a bunch of HP machines so I knew that the activation was dependent on a digital certificate, distributed by Lenovo with the machine and signed by Microsoft. Unfortunately the certificate file had been deleted by Lenovo setup. But the Lenovo recovery partition (Q:) included a WIM file called cdrivebackup.wim. This WIM was used by the recovery system to reinstall the machine in the event a failure occurred. It probably included the needed certificate. But first I had to make the contents of the recovery partition visible so I could easily copy the files to another computer and mount the WIM. This was accomplished by these two commands:

  • echo y | icacls "Q:\*" /grant Administrators:F /T
  • attrib -R -A -S -H "Q:\*" /S /D

I then copied the entire contents of the Q drive to a memory stick and mounted the WIM with DISM on another computer:

  • dism.exe /Mount-Wim /WimFile:h:\LenovoRecovery\FactoryRecvery\cdrivebackup.wim /index:1 /MountDir:D:\wimmount /ReadOnly

Now it was time to try and find the certificate (software license certificates have an .xrm-ms extension):

  • dir d:\wimmount\*.xrm-ms /s

This command yielded many files, but only the one called lenovo.xrm-ms in d:\wimmount\swwork\OEM was of interest. I copied the file to a memory stick and proceeded to wipe the machine and reinstall Windows 7. After Windows 7 was installed I created a new folder under %windir%\system32\oem and copied the certificate into it. Now I could install the certificate and product key:

  • cscript %windir%\system32\slmgr.vbs -ilc %windir%\system32\oem\lenovo.xrm-ms
  • cscript %windir%\system32\slmgr.vbs -ipk 237XB-GDJ7B-MV8MH-98QJM-24367

Now, the product key is kind of interesting. This key will be accepted as a valid key by Windows, but will not be able to activate the machine without the certificate file. It’s kind of like a KMS client key, but instead of a KMS Host it needs a certificate. As far as I can tell this key is Lenovo specific so I hope I haven’t infringed on any copyrights etc. by posting it here.

Morgan

Script to install Remote System Administration Tools (RSAT) for Windows 7 with Service Pack 1

Here is a quick script to just install, or install and enable the Windows 7 Remote System Administration Tools (RSAT) for Windows 7 with Service Pack 1. I created it for use with the software deployment functionality in System Center Configuration Manager, but it is not limited to that.

' InstallRSAT.vbs
' v 1.0 (15.06.2011)
' by Morgan Simonsen, Atea
' 
' Detects system architecture, and installs and enables RSAT for Windows 7 with SP1, depending on submitted arguments.
'
' Usage:
' InstallRSAT.vbs </Install|/InstallAndEnable>
'
' /Install: just install RSAT, must be manually enabled
' /InstallAndEnable: install and enable RSAT (all components)
'
' If no arguments are submitted, /Install will be used.
'
' Arguments are CASE SENSITIVE!!!
'
' The RSAT packages (Windows6.1-KB958830-x86-RefreshPkg.msu and Windows6.1-KB958830-x64-RefreshPkg.msu)
' must be placed in the same folder as the script.
 
'Enable/disable debugging (1 = echo progress messages)
strDebug = 0
 
Set objWSHShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
 
'Get script arguments
Set objArgs = WScript.Arguments
 
If objArgs.Count = 0 Then
    ' No arguments submitted, defaulting to install (and not enable)
    strInstallAction = "/Install"
Else
    strInstallAction = objArgs.Item(0)
    Select Case strInstallAction
        Case "/Install"
            'Install action selected
        Case "/InstallAndEnable"
            'InstallAndEnable action selected
        Case Else
            'Invalid argument submitted; quitting with a non-zero exit code so the deployment tool sees the failure
            WScript.Echo "Invalid argument: " & strInstallAction & ". Use /Install or /InstallAndEnable."
            WScript.Quit 1
    End Select
End If
 
strScriptPath = objFSO.GetParentFolderName(WScript.ScriptFullName)
 
'Determine CPU Architecture (Win32_Processor.Architecture: 0 = x86, 9 = x64)
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 
Set colProcessors = objWMIService.ExecQuery("Select * from Win32_Processor")
For Each objProcessor in colProcessors
    'WMI returns a number; convert it to a string so the Select Case below matches
    strProcessorArchitecture = CStr(objProcessor.Architecture)
Next
 
'strProcessorArchitecture = objWSHShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%")
strWinDir = objWSHShell.ExpandEnvironmentStrings("%WINDIR%")
 
strWUSA = strWinDir & "\system32\wusa.exe"
strDISM = strWinDir & "\system32\dism.exe"
strx86Package = strScriptPath & "\Windows6.1-KB958830-x86-RefreshPkg.msu"
strx64Package = strScriptPath & "\Windows6.1-KB958830-x64-RefreshPkg.msu"
 
Select Case strProcessorArchitecture
    Case "0"
        strProcessorArchitectureHumanReadable = "x86"
        strPackage = strx86Package
    Case "9"
        strProcessorArchitectureHumanReadable = "x64"
        strPackage = strx64Package
    Case Else
        'Unknown architecture; quitting!
        WScript.Echo "Unknown processor architecture: " & strProcessorArchitecture
        WScript.Quit 1
End Select
 
If Not objFSO.FileExists(strPackage) Then
    WScript.Echo "RSAT package not found: " & strPackage
    WScript.Quit 1
End If
 
'Paths are quoted in case the script folder or the log path contains spaces
strLogFile = Chr(34) & strWinDir & "\Logs\RSAT Install (" & strProcessorArchitectureHumanReadable & ").log" & Chr(34)
Debug "Installing " & strPackage
intReturnCode = objWSHShell.Run(strWUSA & " " & Chr(34) & strPackage & Chr(34) & " /quiet /norestart /log:" & strLogFile, 0, True)
'wusa.exe returns 3010 when a reboot is required; the code is passed on as the script's exit code
Debug "wusa.exe returned " & intReturnCode
 
If strInstallAction = "/InstallAndEnable" Then
    Call EnableRSAT()
End If
 
WScript.Quit intReturnCode
 
Function EnableRSAT()
    intDismReturnCode = objWSHShell.Run(strDISM & " /Online /Enable-Feature " &_
        "/FeatureName:IIS-LegacySnapIn " &_
        "/FeatureName:IIS-IIS6ManagementCompatibility " &_
        "/FeatureName:IIS-WebServerManagementTools " &_
        "/FeatureName:IIS-WebServerRole " &_
        "/FeatureName:IIS-Metabase " &_
        "/FeatureName:RemoteServerAdministrationTools " &_
        "/FeatureName:RemoteServerAdministrationTools-ServerManager " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-CA " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-CertificateServices-OnlineResponder " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-SnapIns " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-AdministrativeCenter " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-DS-NIS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-LDS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-AD-Powershell " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-DHCP " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-DNS " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Dfs " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-Fsrm " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-FileServices-StorageMgmt " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-HyperV " & _
        "/FeatureName:RemoteServerAdministrationTools-Roles-RDS " & _
        "/FeatureName:RemoteServerAdministrationTools-Features " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-BitLocker " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-Clustering " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-GP " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-LoadBalancing " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-SmtpServer " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-StorageExplorer " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-StorageManager " & _
        "/FeatureName:RemoteServerAdministrationTools-Features-Wsrm", 0, True)
    Debug "dism.exe returned " & intDismReturnCode
End Function
 
'Echoes a message when strDebug is set to 1
Function Debug(data)
    If strDebug = 1 Then
        WScript.Echo data
    End If
End Function


Customizing pinned shortcuts on the Taskbar for Windows Server 2008 R2

OK, this is one way. I am sure there are several others. Can anyone say convoluted…?

(This is mainly intended for use on Remote Desktop Servers.)

  1. Create a test user.
    My user is named Bob in this example.
  2. Log on as Bob and pin the shortcuts you want on the Taskbar, and remove the ones you do not want.
  3. Log off Bob and log on as an Administrator.
  4. Load the Default User registry hive:
    reg.exe load HKU\DefaultUser c:\Users\Default\NTUSER.DAT
  5. Load Bob’s registry hive:
    reg.exe load HKU\Bob c:\Users\Bob\NTUSER.DAT
    (Your path may be different.)
  6. Export the following key:
    HKEY_USERS\Bob\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband
    (reg.exe export HKEY_USERS\Bob\Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband Taskbar.reg)
  7. Edit the Taskbar.reg file:
    1. Remove the FavoritesResolve value.
    2. Change the key path from Bob to DefaultUser (this is the name in the registry path where you mounted the Default User hive). This is so we can import the changes Bob made to his Taskbar into the loaded Default User profile registry.
    3. Save and import
      The changes should now be in the Default User registry.
  8. Unload Bob’s hive and the Default User hive:
    reg.exe unload HKU\Bob
    reg.exe unload HKU\DefaultUser
  9. Navigate to the following folder in Bob’s profile:
    <Bob’s profile root>\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
  10. Copy the entire contents of the folder (including the TaskBar and StartMenu subfolders) into the same location in the Default User profile:
    (xcopy.exe "c:\Users\Bob\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned" "c:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned" /E /I /Y)
  11. Run the following commands to remove the Everyone and BUILTIN\Users security principals from the Server Manager and PowerShell shortcuts. These are copied into the User Pinned folder for every new profile, and the only way to prevent this (that I have found), is to prevent access to them. The Administrator still retains access through the remaining permissions on the shortcut files.
    1. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell" /T /inheritance:d
    2. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell" /T /remove:g *S-1-1-0 *S-1-5-32-545
    3. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk" /inheritance:d
    4. icacls.exe "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk" /remove:g *S-1-1-0 *S-1-5-32-545
      NOTE: These file system security settings can be propagated with Group Policy Security Policies. A template file doing just that is attached to this post.
  12. Log on as another regular user (not Bob) and verify that the pinned programs are available.
  13. Duplicate the Default User profile to other servers if necessary.
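Steps 4 through 11 lend themselves to a script. The following is an added PowerShell example (not part of the original post) that performs them for a template user named Bob; it assumes the default profile paths used above, that Bob is logged off, and that it runs from an elevated PowerShell 2.0 or later prompt.

```powershell
# Added example: automate steps 4-11 of the Taskbar procedure above.
# Assumptions: template user Bob, profiles under C:\Users, elevated prompt,
# Bob not logged on (his NTUSER.DAT must not be in use).
$templateUser    = 'Bob'
$templateProfile = "C:\Users\$templateUser"
$defaultProfile  = 'C:\Users\Default'
$taskbandKey     = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Taskband'
$regFile         = Join-Path $env:TEMP 'Taskbar.reg'

function Invoke-Reg {
    # reg.exe only signals failure through its exit code, so turn that into an error
    & reg.exe $args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe $($args -join ' ') failed with exit code $LASTEXITCODE" }
}

# Steps 4 and 5: load the Default User hive and Bob's hive
Invoke-Reg load HKU\DefaultUser "$defaultProfile\NTUSER.DAT"
Invoke-Reg load "HKU\$templateUser" "$templateProfile\NTUSER.DAT"

try {
    # Step 6: export Bob's Taskband key
    Invoke-Reg export "HKU\$templateUser\$taskbandKey" $regFile /y

    # Step 7: remove FavoritesResolve (a REG_BINARY value that reg.exe writes over
    # several continuation lines ending in a backslash) and point the key path at
    # the loaded Default User hive. reg.exe writes the file as UTF-16, so read and
    # write it through .NET, which honours the byte order mark.
    $reg = [System.IO.File]::ReadAllText($regFile)
    $reg = $reg -replace '(?m)^"FavoritesResolve"=hex:.*(\\\r?\n.*)*\r?\n', ''
    $reg = $reg.Replace("[HKEY_USERS\$templateUser\", '[HKEY_USERS\DefaultUser\')
    [System.IO.File]::WriteAllText($regFile, $reg, [System.Text.Encoding]::Unicode)
    Invoke-Reg import $regFile
}
finally {
    # Step 8: always unload both hives, otherwise they stay locked
    Invoke-Reg unload "HKU\$templateUser"
    Invoke-Reg unload HKU\DefaultUser
}

# Steps 9 and 10: copy the User Pinned folder, including its TaskBar and
# StartMenu subfolders, into the Default User profile
$pinned = 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned'
& xcopy.exe (Join-Path $templateProfile $pinned) (Join-Path $defaultProfile $pinned) /E /I /Y /Q | Out-Null

# Step 11: remove Everyone (S-1-1-0) and BUILTIN\Users (S-1-5-32-545) from the
# Server Manager and PowerShell shortcuts so they are not pinned for new profiles
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$psFolder  = Join-Path $startMenu 'Accessories\Windows PowerShell'
$smLink    = Join-Path $startMenu 'Administrative Tools\Server Manager.lnk'
& icacls.exe $psFolder /T /inheritance:d | Out-Null
& icacls.exe $psFolder /T /remove:g '*S-1-1-0' '*S-1-5-32-545' | Out-Null
& icacls.exe $smLink /inheritance:d | Out-Null
& icacls.exe $smLink /remove:g '*S-1-1-0' '*S-1-5-32-545' | Out-Null
```

Step 12 (logging on as a different regular user and checking the pinned items) is still the verification to perform afterwards.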

References:

Security Policy Template File

Morgan

Getting WHOIS information on Windows

WHOIS is a query/response protocol that is widely used for querying databases in order to determine the registrant or assignee of Internet resources, such as a domain name, an IP address block, or an autonomous system number. Usually WHOIS queries are performed with a command line client, and such a client is almost always a part of an OS’s TCP/IP implementation. Not so with Windows. Neither Windows 7, Vista nor XP includes a WHOIS utility. Recently I had some trouble with WHOIS information for one of my domains, and that set me searching for utilities to perform this task on the Windows platform. These are what I found:

  • Mark Russinovich has created a WHOIS utility, you can find it on the Sysinternals TechNet Site: http://technet.microsoft.com/en-us/sysinternals/bb897435.aspx
    Mark’s implementation uses the whois-servers.net service to find the correct WHOIS server to use. whois-servers.net does not have records for all TLDs and as such cannot find WHOIS info for all queries.
  • GNU-whois for Win32 is available on SourceForge (http://sourceforge.net/projects/whoiswin/)
    This utility uses a TLD list by default, contained in the file tld_serv_list. whois for Win32 is quite flexible and can query for WHOIS info using specific servers, by using the -h parameter.
  • Win32Whois is a graphical client available here: http://www.gena01.com/win32whois/
    It offers basic features as well as some GUI specific ones.

The WHOIS service uses TCP port 43. Some TLDs publish a server referral (SRV record) for the WHOIS protocol in their zone, which identifies their WHOIS server. This SRV record is of the format _nicname._tcp.<tld>. To find the WHOIS server for the TLD .no, use NSLOOKUP:

nslookup -type=srv _nicname._tcp.no
Server:  server1.domain.com
Address:  1.2.3.4

Non-authoritative answer:
_nicname._tcp.no        SRV service location:
          priority       = 0
          weight         = 0
          port           = 43
          svr hostname   = whois.norid.no

whois.norid.no  internet address = 128.39.8.42

So the server whois.norid.no with address 128.39.8.42 provides WHOIS info for the .no TLD.
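Because the protocol is just a single query line over TCP port 43, a client is easy to write without any of the tools above. The following is an added PowerShell example (not from the original post) that finds the TLD’s server through the _nicname._tcp.<tld> SRV record described above and then performs the query; it assumes Resolve-DnsName is available (Windows 8 / Server 2012 or later) and uses whois.verisign-grs.com as the example of an explicitly named server.

```powershell
# Added example: minimal WHOIS client for Windows. The server is discovered via
# the _nicname._tcp.<tld> SRV record, or given explicitly with -Server (the same
# idea as the -h parameter of whois for Win32). Assumes Resolve-DnsName exists.
function Get-WhoisRecord {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Server,
        [int]$Port = 43,
        [int]$TimeoutMs = 10000
    )

    if (-not $Server) {
        # Take the last label as the TLD and look up its SRV record
        $tld = ($Name -split '\.')[-1]
        $srv = Resolve-DnsName -Name "_nicname._tcp.$tld" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } |
               Sort-Object Priority, { -$_.Weight } |
               Select-Object -First 1
        if (-not $srv) { throw "No _nicname._tcp SRV record for .$tld; pass -Server explicitly." }
        $Server = $srv.NameTarget
        $Port   = $srv.Port
    }

    # WHOIS (RFC 3912): send the query as one CRLF-terminated line; the server
    # answers with free-form text and closes the connection when it is done.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $query  = [System.Text.Encoding]::ASCII.GetBytes("$Name`r`n")
        $stream.Write($query, 0, $query.Length)
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::UTF8)
        $reader.ReadToEnd()
    }
    finally {
        $client.Close()
    }
}

# Server discovered through the SRV record (whois.norid.no for .no, as shown above)
Get-WhoisRecord -Name 'example.no'

# Server given explicitly, for TLDs that publish no SRV record
Get-WhoisRecord -Name 'example.com' -Server 'whois.verisign-grs.com'
```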

Using WinPE and ImageX to recover from a failed hard drive

The hard drive storing the boot and system volumes of my main home machine failed a couple of weeks ago. The drive first started making strange noises and occasionally the machine would hang or blue screen. The hangs, which usually were recoverable, were accompanied by errors in the system log.
 
Index              : 270720
EntryType          : Error
EventID            : 11
Message            : The driver detected a controller error on \Device\Ide\IdePort0.
Category           : (0)
CategoryNumber     : 0
ReplacementStrings : {\Device\Ide\IdePort0}
Source             : atapi
TimeGenerated      : 11.01.2009 20:47:12
TimeWritten        : 11.01.2009 20:47:12
UserName           :
 
Before the drive finally gave out I was able to use ImageX to make a backup in a WIM file.
 
The first replacement drive I received, a Seagate 250GB drive, was DOA. Go figure. The second one, a Samsung 300 GB drive worked. Here are the complete steps I followed to make the backup and restore my machine.
 
  1. Download and install Windows Automated Installation Kit
    This package contains WinPE, which I use to capture and apply the WIM image, as well as the utility used to do so, ImageX.
  2. Create a bootable WinPE CD-ROM containing ImageX.
    ImageX.exe is the only file I needed to add that was not already included in WinPE.
  3. Boot the WinPE CD.
  4. Run ImageX:
    imagex /capture c: d:\myvistabackup.wim "Emergency Vista Backup" /compress none
  5. Replace the failed drive.
  6. Boot WinPE again.
  7. Run Diskpart to create a new partition on the new drive and set it active:
    diskpart
    select disk 0
    clean
    create partition primary
    assign drive letter=c:
    active
    exit
  8. Format the new partition:
    format c: /q /y
  9. Apply the image:
    imagex /apply d:\myvistabackup.wim 1 c:\
  10. Update the Boot Configuration Database (BCD):
    bcdedit /set {bootmgr} device partition=c:
    bcdedit /set {default} device partition=c:
    bcdedit /set {default} osdevice partition=c:
  11. Reboot

Installing PowerShell with Package Manager on Windows Vista

Package Manager (Pkgmgr.exe) is a new Windows Vista command-line tool that you can use offline to install, remove, or update Windows packages. You can add a package, provided as a .cab file, to an offline Windows image. Package Manager can also enable or disable a Windows feature, either offline or on a running Windows installation. And it is this last piece of functionality that we are going to be using here.

When you install the PowerShell package (KB928439) on Windows Vista it extends the list of optional features that can be selected to enable or disable. A lot of updates behave like this, e.g. the Remote Server Administration Tools (RSAT) package. You can run optionalfeatures.exe to use a GUI to enable or disable the available features. But as mentioned you can also use Package Manager (pkgmgr.exe) to enable or disable the same features. The command to enable PowerShell is:

start /w pkgmgr.exe /iu:MicrosoftWindowsPowerShell

To disable PowerShell, run:

start /w pkgmgr.exe /uu:MicrosoftWindowsPowerShell

The start /w part is necessary because the default behaviour of pkgmgr.exe is to return immediately to the command line even when it is still performing its tasks. So to have the command prompt wait for the pkgmgr.exe process to finish before returning, add start /w.

Package Manager requires elevation to run, so either start it from an elevated prompt or be prepared to approve the elevation with the UAC prompt. To check the result of the Package Manager operation run echo %errorlevel% after Package Manager has finished.

To enable or disable other features have a look here for the names:

Windows Vista packages: http://technet.microsoft.com/en-us/library/cc722041.aspx

Windows Server 2008 packages: http://technet.microsoft.com/en-us/library/cc748930.aspx

 

How to disable hibernation on a computer running Windows Vista/Server 2008

The hibernation feature in Windows, first introduced in Windows 2000, enables a computer to save its state in a hibernation file on disk. State in this context means the contents of the computer’s memory at the time of hibernation. The hibernation file, hiberfil.sys, located on the boot volume, is the same size as the installed memory in a computer.
 
For portable computers, and maybe workstations, hibernation is a great feature, but probably not for servers. A server is not a machine you typically want to hibernate. As stated above the hibernation file is the same size as the installed memory, so if your server has 16 GB of memory you will see a 16 GB hiberfil.sys on your system volume. This is a big waste of space for something you probably will never use. So how to disable the hibernation functionality and remove the hiberfil.sys file?
 
Windows Vista introduces a great new command line utility called powercfg.exe which enables you to configure every aspect of Power Management on a system. By using powercfg.exe with these parameters you can disable the hibernation feature and remove the hiberfil.sys file:
 
powercfg.exe /hibernate off
 
After this command has been executed Windows will remove the hibernation file automatically.
 
Not all server systems enable hibernation, so you will not always see the hiberfil.sys on all systems. Remember also to turn on the ability to see system files in Explorer to be able to see the hiberfil.sys file.
 
This info is also documented in this KB article:
How to disable and re-enable hibernation on a computer that is running Windows Vista

Logging on through Terminal Services on a Windows Server 2003 Domain Controller

I work extensively with multi-domain forests, usually in a configuration with an empty root domain and several child domains that host users and computers etc. The other day I was trying to log on to a newly added Domain Controller in a child domain. I was going to prepare the domain for Exchange so I was trying to log on with an account that was a member of the Enterprise Admins group in the root domain. This usually works very well, because this group is always a member of the local Administrators group in any child domain. This time however I could not log on and got this error message:
To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted the right manually.
 
This, of course, led me to investigate. The first thing I discovered was that this Domain Controller had also been made a Terminal Server. I won’t go into how bad an idea that is here, suffice to say that I do not recommend it. From this fact it followed that someone also probably had changed the default settings of the Allow log on through Terminal Services right in some policy, and that was probably the reason I could not log on. Sure enough. The Default Domain Policy had been changed (again, not a good idea), granting the Allow log on through Terminal Services right to a global group in the domain only. Let’s call that group TSUsers. I also discovered that the same someone had also added the TSUsers group to the Remote Desktop Users group. Normally that should have been enough to allow log on through Terminal Services. Obviously it wasn’t. So I had two problems. First, why could I not log on as a member of the Administrators group when the Default Domain Policy had been changed, and second; why was it not enough to add the TSUsers group to the Remote Desktop Users group to allow them to log on through Terminal Service?
By default, the Allow log on through Terminal Services right is controlled through the Local Computer Policy, the one you can edit with gpedit.msc. The default setting for Windows Server 2003 is to grant this right to the Administrators and Remote Desktop Users local groups. If the server is promoted to a Domain Controller, the Remote Desktop Users group is removed from the Local Computer Policy, leaving only the Administrators group. So on a Domain Controller it is not enough to be a member of the Remote Desktop Users group to log on through Terminal Services. You must be a member of the Administrators group in the domain. That is probably what confused the person who had set up the server. He had added his domain group (TSUsers) to the Remote Desktop Users group and been unable to log on, since the server was a DC. That answered my second question. To solve this problem he edited the Default Domain Policy and gave the right to his domain group. But in doing so he overrode the Local Computer Policy, which gives members of the Administrators group access. This was what made me unable to log on to the server, and the answer to my first question. Easy!
 
Interestingly enough the text in the Remote tab on a Domain Controller does not change, even if Remote Desktop Users no longer can log on through Terminal Services. It still says that members of the group have access.
 
To solve my immediate problem I added the Enterprise Admins group to the Default Domain Policy in the child domain and was able to log on and do my Exchange preparation. This setup is obviously not recommended. A DC should never be a Terminal Server and domain based policies should not be changed in such a way as to lock out administrators.
 
In researching this post I also found out another interesting thing about Terminal Services in Windows Server 2003. You no longer have to give a user or group both the Log on locally and Allow log on through Terminal Services rights to be able to log on via Terminal Services. This was needed in Windows 2000. In Windows Server 2003 it is handled this way:
  • Log on locally controls logon via the console (not RDP console, but keyboard attached to the server)
  • Allow log on through Terminal Services controls logons via Terminal Services.
You can read more about that in this KB article:
Difference in the user right “Deny log on locally” between Windows 2000 and Windows 2003
http://support.microsoft.com/kb/837954/en-us
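The quickest way to see who actually holds the Allow log on through Terminal Services right on a server, after all local and domain policies have been applied, is to export the effective security settings with secedit. The following is an added PowerShell example (not from the original post) that does that, translates the SIDs to account names and warns when the local Administrators group is no longer on the list, which is the lock-out described above. It assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example: list the holders of SeRemoteInteractiveLogonRight (the
# "Allow log on through Terminal Services" right) as effectively applied on
# this server, and warn if Administrators have been dropped from it.
function Get-RemoteLogonRight {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    # secedit writes the effective policy to an INF file; only user rights are needed
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    # Line format in the [Privilege Rights] section:
    # SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }   # the right is granted to nobody at all

    $line.Split('=')[1].Split(',') | ForEach-Object {
        $token = $_.Trim()
        if ($token.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate them to names where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '(unresolved SID)' }
            New-Object PSObject -Property @{ Sid = $sid.Value; Account = $name }
        } else {
            # secedit already wrote an account name
            New-Object PSObject -Property @{ Sid = $null; Account = $token }
        }
    }
}

$holders = Get-RemoteLogonRight
$holders | Format-Table Account, Sid -AutoSize

# S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-555 is BUILTIN\Remote Desktop Users.
# On a DC only Administrators remain by default; a domain policy that replaces the
# list without them locks administrators out exactly as described in the post.
$sids = @($holders | ForEach-Object { $_.Sid })
if ($sids -notcontains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators no longer hold SeRemoteInteractiveLogonRight; a domain policy is probably overriding the local default.'
}
```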

How to remove Event Logs from Event Viewer

The Event Viewer management console has several categories depending on the roles of a server. All systems running Windows have Application, Security and System logs, or categories. These logs are represented by .evt files on disk, typically located in the %SystemRoot%\system32\config directory.
 
When a system loses a role, e.g. it is demoted from Domain Controller to member server, the logs associated with that role remain in the Event Viewer console on that system. This can be quite annoying, not to mention misleading. Not only is the category retained in Event Viewer, but all the events are there as well.
 
I will now show you how you can remove these logs. The problem is that the .evt files are locked and cannot be deleted. They are locked by the Event Log Service, which cannot be stopped. The solution is to use Mark Russinovich’s excellent utilities PendMoves and MoveFile. You can find them here:
 
http://www.sysinternals.com/Utilities/pendmoves.html
 
Windows often needs to replace a file that is in use. This presents a problem when the process using the file cannot be stopped. To resolve this problem Windows has a special API that can tell Session Manager to delete that file, or replace it, on the next reboot. The MoveFile utility does just that. It tells Session Manager where to move, or delete, a file on the next reboot, before the system starts its services and applications. This info is stored in the registry key HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. You can write to this key using WMI or your own app, but I use Mark’s tool since it is already there.
 
To get rid of e.g. the old File Replication Service Log from a server you would first go into Event Viewer and get the path to the .evt file by selecting Properties on the log. Usually you would get C:\WINDOWS\System32\config\NtFrs.evt
 
Next, run the following command from the directory where you extracted PendMoves and MoveFile:
 
MoveFile.exe C:\WINDOWS\System32\config\NtFrs.evt ""
 
The "" indicates a NULL destination and is interpreted by Session Manager as a delete operation.
 
Now you can run PendMoves to get a list of any file move/delete operations scheduled for the next reboot.
 
But to get completely rid of the log we also have to remove a setting in the registry, or else the Event Log Service would just recreate the file we deleted. The new file would be empty, of course, but the log would remain in Event Viewer.
 
Continuing the example with the File Replication Service Log, navigate to the key HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
This is the main key for the Event Log Service and it has a subkey for each log that Event Viewer displays. Delete the entire key of the log you want to get rid of.
 
After the next reboot the logs should be gone from Event Viewer.
 
Sometimes they are not however. This usually happens because the service that uses the log is still set to Automatic startup. For example; when a DC is demoted to member server, the FRS service is not stopped and disabled. If this is the case the registry key you deleted will be recreated by FRS at startup and a new logfile created. So make sure to check all corresponding services before rebooting.
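The whole clean-up can also be done without MoveFile, by writing PendingFileRenameOperations yourself as the text above mentions. The following is an added PowerShell example (not from the original post) that queues the deletion of the log file, removes the log’s Eventlog subkey, refuses to touch the built-in logs, and warns if the owning service is still set to start automatically. It uses the NtFrs log from the text; $logName and $serviceName are the values to adapt, and it assumes PowerShell 2.0 or later run elevated.

```powershell
# Added example: remove an orphaned event log (NtFrs from the text) using the
# registry directly instead of MoveFile.exe. Assumes an elevated PowerShell 2.0+.
$logName     = 'NtFrs'
$serviceName = 'NtFrs'   # the File Replication Service, which would recreate the log if it starts again

$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$eventlog   = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"

# Never remove the logs every Windows system has
if (@('Application', 'Security', 'System') -contains $logName) {
    throw "$logName is a built-in log and must not be removed."
}
if (-not (Test-Path $eventlog)) { throw "No event log named $logName is registered." }

# 1. Read the .evt path from the log's registry entry (the same path the
#    Properties dialog shows). The value may use %SystemRoot%, so expand it.
$file = (Get-ItemProperty -Path $eventlog -Name File).File
$file = [Environment]::ExpandEnvironmentVariables($file)

# 2. Queue the delete for the next boot. PendingFileRenameOperations is a
#    REG_MULTI_SZ of pairs: the NT path of the source (\??\ prefix), then the
#    destination; an empty destination means delete, which is exactly what
#    MoveFile.exe <file> "" writes. Existing entries, including empty strings,
#    must be preserved.
$existing = (Get-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
$pending  = @($existing | Where-Object { $_ -ne $null }) + @("\??\$file", '')
Set-ItemProperty -Path $sessionMgr -Name PendingFileRenameOperations -Value ([string[]]$pending) -Type MultiString

# 3. Remove the log's subkey so the Event Log service does not recreate the file
Remove-Item -Path $eventlog -Recurse -Force

# 4. The service that owns the log must not start again, or the key and the
#    file come back after the reboot. Report it rather than silently change it.
$svc = Get-WmiObject Win32_Service -Filter "Name='$serviceName'"
if ($svc -and $svc.StartMode -ne 'Disabled') {
    Write-Warning "$serviceName is set to $($svc.StartMode) startup and would recreate the log; run Set-Service -Name $serviceName -StartupType Disabled before rebooting."
}

"Queued for deletion at next boot: $file"
```

PendMoves, or reading the same registry value back, shows the queued operation before the reboot.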