Hyper-V 2016 PowerShell Commands


Here are the PowerShell commands that I found useful when studying for the Windows Server 2016 MCSE. I hope you find them useful. If you do please let me know.

Here is the PowerShell command to create a new Hyper-V virtual hard disk image file.

new-vhd -path c:\filename.vhd|c:\filename.vhdx -fixed|-dynamic|-differencing -sizebytes size [-blocksizebytes blocksize] [-logicalsectorsizebytes 512|4096]

The following command creates a 500 GB fixed VHDX image file with a logical sector size of 4 KB:
new-vhd -path c:\diskfile.vhdx -fixed -sizebytes 500gb -logicalsectorsizebytes 4096

To create a VHD set in Windows PowerShell, you use the New-VHD cmdlet, just as you would to create any virtual disk file, except that you use VHDS for the extension of the file you are creating, as in the following example:
new-vhd -path c:\diskfile.vhds -dynamic -sizebytes 1tb

To create a differencing disk using Windows PowerShell, you must run the New-VHD cmdlet with the Differencing parameter and the ParentPath parameter, specifying the location of the parent disk, as in the following example:
new-vhd -path c:\disks\diffdisk.vhdx -sizebytes 1tb -differencing -parentpath c:\disks\parentdisk.vhdx

You can also mount and dismount a VHD or VHDX file by using the Mount-VHD and
Dismount-VHD PowerShell cmdlets, as in the following examples:
mount-vhd -path c:\disks\server1.vhdx
dismount-vhd -path c:\disks\server1.vhdx

To install a Windows role or feature to an offline virtual disk, you add the Vhd parameter
to the Install-WindowsFeature command, as in the following example:
install-windowsfeature -vhd c:\disks\server1.vhdx -name web-server

To compact a virtual hard disk file, you use the Optimize-VHD cmdlet, as in the following example. The file must be dismounted, or mounted read-only, when you run it:
optimize-vhd -path c:\disks\server1.vhdx -mode full

To convert a virtual hard disk file, you use the Convert-VHD cmdlet, as in the following example, which converts a fixed VHD file to a dynamic VHDX:
convert-vhd -path c:\disks\server1.vhd -destinationpath c:\disks\server1.vhdx -vhdtype dynamic

To expand or shrink a virtual disk, you use the Resize-VHD cmdlet with the SizeBytes parameter, as in the following example. The same command can expand or shrink a disk, depending on its original size. To shrink a disk to its smallest possible size, add the ToMinimumSize parameter instead. Shrinking works only on VHDX files and only down to the end of the last partition, so shrink the guest volume first if you need more room.
resize-vhd -path c:\disks\server1.vhdx -sizebytes 500gb

To merge a differencing disk into its parent disk, you use the Merge-VHD cmdlet, as in the following command. If there are multiple generations of child disks involved, merging the youngest child disk into the parent merges all of the intervening child disks as well.
merge-vhd -path c:\disks\child.vhdx -destinationpath c:\disks\parent.vhdx
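The VHD cmdlets above chained into one script, as an added example that is not part of the original post: it builds a parent/child differencing pair under C:\disks, shows that writes through the child leave the parent file untouched, merges the child back, verifies the result and compacts the parent. The directory, file names, sizes and the Mount-VhdVolume helper are assumptions; run it in an elevated PowerShell on a Hyper-V host.

```powershell
$ErrorActionPreference = 'Stop'
$disks  = 'C:\disks'                              # assumed working directory
$parent = Join-Path $disks 'parentdisk.vhdx'
$child  = Join-Path $disks 'diffdisk.vhdx'
New-Item -ItemType Directory -Path $disks -Force | Out-Null

# Helper (assumed, not a Hyper-V cmdlet): mounts a VHDX, initializes and formats it on first
# use (RAW disk), and returns the root of its data volume, e.g. "E:\".
function Mount-VhdVolume {
    param([Parameter(Mandatory)][string]$Path)
    $disk = Mount-VHD -Path $Path -Passthru | Get-Disk
    if ($disk.PartitionStyle -eq 'RAW') {
        $disk | Initialize-Disk -PartitionStyle GPT -PassThru |
            New-Partition -AssignDriveLetter -UseMaximumSize |
            Format-Volume -FileSystem NTFS -Confirm:$false | Out-Null
    }
    $letter = Get-Disk -Number $disk.Number | Get-Partition |
        Where-Object Type -eq 'Basic' | Select-Object -First 1 -ExpandProperty DriveLetter
    return "${letter}:\"
}

# 1. Parent: dynamically expanding, 20 GB, formatted once and seeded with a baseline file.
New-VHD -Path $parent -Dynamic -SizeBytes 20GB | Out-Null
$root = Mount-VhdVolume $parent
Set-Content -Path (Join-Path $root 'baseline.txt') -Value 'written to the parent'
Dismount-VHD -Path $parent

# 2. Child: a differencing disk inherits its size from the parent, so no -SizeBytes is passed.
#    Every write while the child is mounted lands in diffdisk.vhdx; parentdisk.vhdx is opened read-only.
New-VHD -Path $child -Differencing -ParentPath $parent | Out-Null
$before = Get-Item $parent | Select-Object Length, LastWriteTimeUtc
$root = Mount-VhdVolume $child
Set-Content -Path (Join-Path $root 'change.txt') -Value 'written through the child'
Dismount-VHD -Path $child
$after = Get-Item $parent | Select-Object Length, LastWriteTimeUtc
"Parent untouched by child writes: $($before.Length -eq $after.Length -and $before.LastWriteTimeUtc -eq $after.LastWriteTimeUtc)"

# 3. Inspect the chain. A differencing disk is only as trustworthy as the file its ParentPath
#    points to, so check that path (and who can write to it) before booting anything from the child.
Get-VHD -Path $child | Select-Object Path, VhdType, ParentPath, FileSize, Size

# 4. Merge the child into its parent. The chain must be dismounted; -Confirm:$false skips the prompt.
Merge-VHD -Path $child -DestinationPath $parent -Confirm:$false
if (Test-Path $child) { Remove-Item $child }     # a leftover child file is stale once merged

# 5. Verify both files are now in the parent, then compact it (dismounted, as Optimize-VHD requires).
$root = Mount-VhdVolume $parent
Get-ChildItem -Path $root -File | Select-Object Name, Length     # expect baseline.txt and change.txt
Dismount-VHD -Path $parent
Optimize-VHD -Path $parent -Mode Full
```

The Length and LastWriteTimeUtc comparison in step 2 is the point of the exercise: mounting a differencing disk opens the parent read-only, so the parent only changes at Merge-VHD time. The same parent is also what an attacker would target to poison every child built on it, which is why step 3 prints ParentPath.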

To apply a checkpoint with PowerShell, you use the Restore-VMCheckpoint cmdlet, as in the following example.
restore-vmcheckpoint -name checkpoint1 -vmname server1

You can display a list of all the checkpoints for a specific VM, including their names, by using the Get-VMCheckpoint cmdlet.

To modify the checkpointing defaults in PowerShell, you use the Set-VM cmdlet, as in the following example:
set-vm -name server1 -checkpointtype standard
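The checkpoint workflow end to end, as an added example that is not from the original post: it moves the VM to production checkpoints, takes one, lists the chain and applies it. The VM and checkpoint names are assumptions.

```powershell
$vm   = 'server1'        # assumed VM name
$name = 'pre-patch'      # assumed checkpoint name

# Standard checkpoints also write the guest's RAM to a .vmrs file on the host, so whatever is in
# memory (cached credentials, keys) ends up on disk under the VM's folder. Production checkpoints
# quiesce the guest through VSS and keep no memory state; prefer them unless a running-state
# snapshot is really needed. (ProductionOnly is left alone: it refuses rather than falls back.)
$current = (Get-VM -Name $vm).CheckpointType
if ($current -eq 'Standard') {
    Write-Warning "$vm uses Standard checkpoints; switching to Production"
    Set-VM -Name $vm -CheckpointType Production
}

Checkpoint-VM -Name $vm -SnapshotName $name

# List the chain for this VM (the output objects still use the older "snapshot" naming).
Get-VMCheckpoint -VMName $vm |
    Select-Object Name, CreationTime, ParentSnapshotName, SnapshotType

# Apply the checkpoint. Restore-VMCheckpoint asks for confirmation by default; -Confirm:$false
# suppresses that, which is what you want in a script and not what you want at a console.
Restore-VMCheckpoint -VMName $vm -Name $name -Confirm:$false
```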

To configure storage QoS (IOPS limits) on a virtual disk with Windows PowerShell, you use the Set-VMHardDiskDrive cmdlet, as in the following example. The ControllerType and ControllerNumber parameters (plus ControllerLocation when a controller has more than one disk) specify which drive to configure, and the MinimumIOPS and MaximumIOPS parameters specify the QoS settings.
set-vmharddiskdrive -vmname server1 -controllertype scsi -controllernumber 0 -minimumiops 10 -maximumiops 500

After enabling resource metering on the VM, you can use the Measure-VM
cmdlet to display its current disk usage, as shown in the following examples. The output of the Measure-VM cmdlet is shown in Figure 3-54. After checking the IOPS under workload of the VM, you can zero in on appropriate QoS settings.
enable-vmresourcemetering -vmname server1
measure-vm -vmname server1 | fl
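The "measure, then zero in" loop written out, as an added example that is not from the original post: it meters the VM for a window, reads the normalized IOPS, derives a cap with headroom and a modest floor, and applies them to the VM's SCSI disks. The VM name, window length, headroom factor and rounding rule are assumptions.

```powershell
$vm            = 'server1'   # assumed VM name
$sampleSeconds = 300         # assumed window; measure under representative load, not at idle
$headroom      = 1.5         # assumed: cap at 150% of the observed average

Enable-VMResourceMetering -VMName $vm
Reset-VMResourceMetering -VMName $vm     # counters start from zero for this window
Start-Sleep -Seconds $sampleSeconds

$m = Measure-VM -VMName $vm
$m | Select-Object VMName, MeteringDuration, AggregatedAverageNormalizedIOPS, AggregatedAverageLatency |
    Format-List
# Per-disk breakdown, so a single noisy disk does not hide behind the aggregate.
$m.HardDiskMetrics | Select-Object VirtualHardDisk, AverageNormalizedIOPS, DataRead, DataWritten

# Normalized IOPS count 8 KB units (one 64 KB request is 8 IOPS); the QoS limits use the same unit.
$avg = [double]$m.AggregatedAverageNormalizedIOPS
if ($avg -le 0) {
    Write-Warning "$vm did no disk I/O during the window; sample again under load before setting limits"
    return
}
$max = [uint64]([math]::Ceiling($avg * $headroom / 100) * 100)   # cap rounded up to the next 100
$min = [uint64][math]::Max(10, [math]::Floor($avg / 10))           # floor: small guaranteed rate
"Applying MinimumIOPS=$min MaximumIOPS=$max to the SCSI disks of $vm"

Get-VMHardDiskDrive -VMName $vm -ControllerType SCSI |
    Set-VMHardDiskDrive -MinimumIOPS $min -MaximumIOPS $max

Get-VMHardDiskDrive -VMName $vm |
    Select-Object Path, ControllerType, ControllerNumber, ControllerLocation, MinimumIOPS, MaximumIOPS
```

A MaximumIOPS of 0 means no limit, which is why the script refuses to compute limits from an idle window instead of silently applying a cap of zero. The cap is what actually stops a noisy or compromised guest from starving its neighbours; the floor is a target Hyper-V reports on when it cannot be met, not a hard reservation.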

To create a network adapter with PowerShell, you use the Add-VMNetworkAdapter cmdlet, as in the following example:
add-vmnetworkadapter -vmname server1 -switchname private1

To remove a network adapter with PowerShell, you use the Remove-VMNetworkAdapter cmdlet with the adapter's name, as in the following example:
remove-vmnetworkadapter -vmname server1 -name nic1

To create a new virtual switch with Windows PowerShell, you use the New-VMSwitch cmdlet,
as in the following examples:
new-vmswitch -name lan1 -netadaptername "ethernet 2"
new-vmswitch -name private1 -switchtype private

You can also enable VMQ on a specific adapter by running a PowerShell command like the following:
enable-netadaptervmq -name nic1

To discover whether your physical network adapters support VMQ, run the Get-NetAdapterVmq cmdlet in a PowerShell window with Administrator privileges. A blank response indicates that your adapters do not support VMQ.

Use the Get-NetAdapterVmqQueue cmdlet to see which queues are assigned to which logical processors.

To modify the default VMQ settings, you use the Set-NetAdapterVmq PowerShell cmdlet.
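The switch, adapter and VMQ cmdlets from the last few sections in one script, as an added example that is not from the original post: it creates a private switch if it is missing, attaches a named adapter with the guard settings a practitioner would want on an isolated segment, reports VMQ support and queue placement, and finally removes the adapter by name. The VM, switch and adapter names are assumptions.

```powershell
$vm     = 'server1'        # assumed VM name
$switch = 'private1'       # assumed switch name
$nic    = 'isolated-nic'   # assumed adapter name

# Private switch: VMs on it can reach each other only, not the host or the physical network.
if (-not (Get-VMSwitch -Name $switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switch -SwitchType Private | Out-Null
}

# Give the adapter an explicit name; otherwise it is "Network Adapter" and hard to address later.
Add-VMNetworkAdapter -VMName $vm -SwitchName $switch -Name $nic

# Guard settings: no MAC spoofing from the guest, and drop DHCP-server and router-advertisement
# traffic it tries to send, so a compromised VM cannot impersonate infrastructure on the segment.
Set-VMNetworkAdapter -VMName $vm -Name $nic -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

Get-VMNetworkAdapter -VMName $vm |
    Select-Object Name, SwitchName, MacAddress, MacAddressSpoofing, DhcpGuard, RouterGuard

# VMQ: an empty result from Get-NetAdapterVmq means no physical adapter exposes it.
$vmq = Get-NetAdapterVmq
if ($vmq) {
    $vmq | Select-Object Name, Enabled, BaseVmqProcessor, MaxProcessors, NumberOfReceiveQueues
    # Queue to logical-processor mapping for the VMs currently holding a queue.
    Get-NetAdapterVmqQueue | Select-Object Name, QueueID, MacAddress, VlanID, ProcessorNumber, VmFriendlyName
} else {
    Write-Warning 'No physical adapter on this host reports VMQ support'
}

# Remove the adapter by its name (the same name used above).
Remove-VMNetworkAdapter -VMName $vm -Name $nic
```

VMQ only matters for external switches bound to a physical NIC; the private switch above never touches one, so the VMQ section reports on whatever external switches the host already has.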

Splunk REGEX for WinEventLog TerminalServices-LocalSessionManager

Splunk REGEX for RDP Session Logs

Ever want to get info from the Terminal Services Local Session Manager Operational log on your Windows servers to see who attempts to RDP into them? Well, here is a Splunk REGEX field extraction to get the RDP session info, since Splunk was not able to figure out the field/value pairs on its own. For this REGEX to be useful you need to make sure that you are ingesting the WinEventLog for Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. This event log captures the events around RDP session creation, usage and tear-down. It is useful for telling who logged in using RDP and whether any errors occurred during the session from start to finish.

In case you are wondering how I got to the below REGEX, it is because Splunk's REGEX engine has its own personality and the other REGEX tools online output "standard" REGEX that Splunk did not like.

WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational : EXTRACT-TSOpsLog_Domain_UserName
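An added example, not the post's own extraction: a named-group regex over the message body of LocalSessionManager/Operational events, run here under PowerShell's .NET regex engine. The (?<name>...) group syntax is the same in the PCRE that Splunk uses, and named groups are exactly what a props.conf EXTRACT needs to turn matches into fields. The event bodies are constructed samples in the shape of event IDs 21 (logon), 23 (logoff, which carries no source address) and 24 (disconnect), not captured logs; the field names are assumptions.

```powershell
# Matches the "User: DOMAIN\name / Session ID: n / Source Network Address: x" block that the
# LSM operational events carry. The address group is optional because logoff events omit it.
$pattern = '(?s)Remote Desktop Services:\s+(?<action>[^:\r\n]+):\s+' +
           'User:\s+(?<domain>[^\\\r\n]+)\\(?<user>[^\r\n]+?)\s+' +
           'Session ID:\s+(?<session_id>\d+)' +
           '(?:\s+Source Network Address:\s+(?<src>\S+))?'

# Assumed helper: returns one object per message, or $null when the message is not an LSM session event.
function ConvertFrom-LsmMessage {
    param([Parameter(Mandatory)][string]$Message)
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { return $null }
    $src = $null
    if ($m.Groups['src'].Success) { $src = $m.Groups['src'].Value }   # "LOCAL" for console sessions
    [pscustomobject]@{
        action     = $m.Groups['action'].Value
        domain     = $m.Groups['domain'].Value
        user       = $m.Groups['user'].Value
        session_id = [int]$m.Groups['session_id'].Value
        src        = $src
    }
}

# Constructed samples (not real log data).
$logon = @'
Remote Desktop Services: Session logon succeeded:

User: CONTOSO\jdoe
Session ID: 3
Source Network Address: 10.20.30.40
'@
$logoff = @'
Remote Desktop Services: Session logoff succeeded:

User: CONTOSO\jdoe
Session ID: 3
'@
$disconnect = @'
Remote Desktop Services: Session has been disconnected:

User: SERVER1\Administrator
Session ID: 2
Source Network Address: LOCAL
'@

@($logon, $logoff, $disconnect) | ForEach-Object { ConvertFrom-LsmMessage $_ } | Format-Table -AutoSize
```

The string in $pattern is the right-hand side you would put after EXTRACT-TSOpsLog_Domain_UserName in the props.conf stanza named above; the (?s) flag and the lazy (?<user>...+?) group are both valid PCRE. Two caveats when moving it to Splunk: the pattern deliberately has no ^ anchor, because the raw event starts with the WinEventLog header fields rather than the message text, and a domain containing no backslash (a local account written as plain "jdoe") will not match, which is a gap to decide on rather than a bug in the engine.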