Shell Commands

The Windows Server 2003 command prompt still leads to a number of misunderstandings. Many users—and administrators—do not really take it seriously because it reminds them a lot of DOS. However, this former “DOS box” is a fully developed 32-bit command-line interpreter (or shell) with the option of using several language elements.

Especially with terminal servers, the command prompt options offer powerful system access that can also be automated, including direct shell commands as well as different scripting concepts. Scripts allow access to files, directories, printers, user accounts, security settings, and the registry. For older applications in particular and for terminal server–specific modifications of the user environment at logon, scripts are an essential tool. For this reason, it will definitely be worth the effort in some environments if terminal server administrators take the time to learn about the relevant technical basics—even if it is their first contact with programming.

At first glance, it does not seem likely that Windows Server 2003 comes with an especially powerful command and scripting language. Basically, the direct command-line language is a leftover of the historic MS-DOS batch language scope that was used to create batch-processing programs. Command-line options were greatly expanded when the Windows Script Host and the .NET Frameworks were introduced, as will be described later in this chapter. However, learning to apply these new concepts requires a substantial amount of time. In the following section, we will take a look at the standard shell commands and language elements that are important for operating a terminal server and managing its users.

Selected Standard Commands

Scripts are an essential concept of operating a terminal server and its applications. The most important commands for administrators that are needed at the command prompt or in a script file are listed in this table. Some of these command options must be executed by a user with administrator permissions to work properly.

Table 7.1: A Brief Description of Selected Windows Server 2003 Standard Commands
Command	Description
At	Controls the scheduling of commands and programs to run at a specified time and date.
Attrib	Displays or modifies file attributes.
Cacls	Displays or modifies file access control lists (ACLs).
Call	Calls a batch-processing program from another batch-processing program without stopping the parent batch-processing program. The Call command also accepts labels as targets for jumps within the batch- processing logic.
Comp	Compares the content of two files or sets of files byte by byte.
Date	The Date command without parameters displays the current date and prompts you to type a new date. Using the Enter key keeps the current date. The Date command supports the /T option that displays the current date without prompting for a new date.
Fc	Compares two files and displays the differences between the two.
Find	Searches for a string of text in one or more files.
Findstr	Searches for patterns of text strings in files. This command uses regular expressions and has several parameters that make it very powerful.
Net	Command group for displaying and configuring network functions.
Set	Displays, sets, or deletes environment variables for the current environment settings of the opened command interpreter.
Sort	Reads input, sorts data, and displays the result on the screen, saves it to a file, or writes it to another device.
Start	Creates a new command prompt window to execute a program or command. It is also used for determining and setting the process priority of any selected program.
Systeminfo	Displays detailed configuration information about a computer and the operating system.
Time	The Time command without parameters displays the current time and prompts you to type a new time. Using the Enter key keeps the current time. The Time command supports the /T option that displays the current time without prompting for a new time.
Type	Displays the content of a text file.
Xcopy	Copies files and directories including subdirectories. With specific parameters, the Xcopy command supports the administration of security setting.

Windows Server 2003 extensions as related to Terminal Services do not apply only to graphical tools, but also to additional command-line tools. These tools are listed and described in the following table. More detailed information can be found in the Windows Server 2003 Help and Support Center’s command-line reference A-Z.

Table 7.2: Brief Introduction of the Specific Terminal Services Commands
Command	Description
Change logon	Uses the following parameters to enable or disable client session logons and displays the current logon status. This utility is useful for system administration. The abbreviation for this command is Chlogon. /enable: Enables user logon from clients, but not from the console (default setting). /disable: Disables subsequent logons from clients. Does not affect users who are already logged on. /query: Displays the current logon status.
Change port	Changes the mapping logic for serial ports to be compatible with MS- DOS applications. The abbreviation for this command is Chgport.
Change user	Uses the following parameters to change the mapping of .ini files and the registry for the current user during application installation. The abbreviation for this command is Chguser. /execute: Enables the mapping of .ini files to the home directory (default setting). /install: Disables the mapping of .ini files to the home directory during application installation. /query: Displays the current setting.
Flattemp	Enables or disables a common (flat) temporary folder (temp mapping). /enable: Enables common temporary folders. /disable: Disables common temporary folders. /query: Displays the current setting.
Logoff	Terminates a user session.
Msg	Sends a message to one or more users.
Query process	Displays information about the processes of all user sessions on a terminal server. This command includes parameters for further specification of the desired information, such as process ID, user name, session name, session ID, program, or server name.
Query session	Displays information about the sessions running on a terminal server. This command includes parameters for further specification of the desired information, such as user name, session name, session ID, program, or server name.
Query termserver	Lists all terminal servers running on the network. This command includes parameters for further specification of the desired information, such as server name or domain.
Query user	Displays information about the users logged on to a terminal server. This command includes parameters for further specification of the desired information, such as user name, session name, session ID, program, or server name.
Query winsta	Same as the Query session command.
Reset session	Resets a user session to initial values. This command includes parameters for further specification of the desired information, such as session name, session ID, or server name.
Rwinsta	Same as the Reset session command.
Shadow	Allows the monitoring of the terminal server session of another user. This command includes parameters for further specification of the desired information, such as session name, session ID, or server name. All information displayed on the shadowed computer session is also displayed on the target computer.
Tscon	Attaches the client or user to an existing terminal server session.
Tsdiscon	Disconnects the client or user session from the terminal server.
Tskill	Terminates a selected process using its process ID or its name in combination with the server name and the session ID. Administrators can use this command for all processes; users can use it only for their own processes.
Tsprof	Copies the configuration information of a Terminal Services user to the configuration data of another user. You can also use the Tsprof command to update a user’s profile path.
Tsshutdn	Allows an administrator to shut down the terminal server in a controlled manner. After starting Tsshutdn, no programs can be executed anymore. The session of the user who started Tsshutdn is still active, but all session information will have read-only permissions.

In particular, commands starting with Query are able to transfer many functions of the Terminal Services Administration graphical tool to the command line. (See Chapter 4.)

Language Syntax

Regrettably, the command-line language at the Windows Server 2003 command prompt provides only a few options for dynamic responses and structured programming. The basic elements a script developer might use within a simple language syntax are as follows:

The For command The For command executes a command for each file that is part of a set of files.
The Goto command In a batch-processing program, the Goto command invokes a jump to a tagged line. The tag is identified by a colon (:). When the script finds the tag, it processes the commands following in the subsequent line.
The If command The If command processes expressions with conditions in a batch-processing program.

The language syntax also includes command symbols and filter commands. Redirection symbols (for instance, >, <, or >>) determine where the command obtains its information and where the information will be sent. By default, Windows Server 2003 receives input from the keyboard and sends output to the monitor. However, sometimes it can be advantageous to redirect input or output to a file or a printer. For instance, a directory list can be redirected from the monitor to a file.

Filter commands help with sorting, viewing, and selecting individual parts of the command. Information generated through a filter command is divided, extracted, or resorted. Windows Server 2003 contains three filter commands: More, Find, and Sort.

Note

Please see the Windows Server 2003 Help and Support Center command-line reference for detailed information on command-line or batch-processing programs.

Examples

The following examples take the command prompt’s language syntax to solve seemingly simple tasks. These are usually related to the runtime environment of terminal servers.

Dynamic File Names

In this example, a file is created with a dynamic name that relates to date and time. This type of file is often used for saving log data.

Listing 7-1: Creating a File with a Dynamic Name

@echo off
for /f "tokens=1,2, delims= " %%i in (‘date /t’) do (set day=%%i) & (set date=%%j)
for /f "tokens=1 delims= " %%k in (‘time /t’) do set time=%%k
for /f "tokens=1,2,3 delims=/" %%l in (‘@echo %date%’) do set file1=%%l_%%m_%%n
for /f "tokens=1,2 delims=:" %%p in (‘@echo %time%’) do set file2=%%p_%%q
set filename=%day%-%file1%-%file2%.log
@echo Command1 > %filename%
@echo Command2 >> %filename%

Lines 2 and 3 create the day, date, and time variables from the current date and time. Lines 4 and 5 use the result to create the file1 and file2 variables that replace the special characters / and : with _ to improve legibility. Line 6 creates the final file name: Filename.log, representing a summary of day, file1, and file2. The last two lines are examples for redirecting commands to the target file.

With this script, the weakness inherent to the language syntax of command-line scripts is obvious: the solution to a relatively simple problem is very complicated. Language elements are evidently not suitable for easy processing of dynamic information.

Logon Scripts

One of the most frequent terminal server requirements is creating logon scripts, often used for linking network shares or printers to a user session. It might also be necessary to write user-specific values to the registry database. Unfortunately, the options for these tasks are not very comprehensive in batch-processing scripts. Usually, the logon logic is set up around the Net command. Additional functions can be implemented only through additional command-line tools (for example, from the Windows Server 2003 Resource Kit).

Listing 7-2 shows a simple logon script.

Listing 7-2: A Simple Logon Script

if not exist u:\. net use u: \\fileserver\%username% /user:%username%
cscript login.vbs

So how is the logon script linked to the user account? The Active Directory Users and Computers tool handles the domain user, and the local user account is handled by Computer Management. On the Profile tab of the selected user account, a relative path (for example, employee\sales.cmd) is entered as the logon script.

The final question now is where to save the logon script physically on the file system. For domain users, the starting point for the relative logon path is located under %Systemroot%\SYSVOL\sysvol\<Domainname>\scripts on the server that handles authentication. For local users, the %Systemroot%\System32\Repl\Imports\scripts folder handles this task. It should be shared under the name of netlogon for all users. If the local folder does not exist yet, it is recommended that you create it exactly under the path described earlier.

Note

Users and server operators should have permissions only to read and execute in folders with logon scripts. Full access is recommended for administrators only.

Analysis Scripts

The last example is an analysis script that can be executed on a terminal server after an installation. The script archives many settings that are saved in text files. The analysis script can be executed again at a later time. The corresponding script results allow easy comparisons between installation statuses.

The analysis script performs the following tasks:

Creating a log file called Inspect.log
Writing date and time in Inspect.log
Logging the system information with the Systeminfo command
Logging the network configuration with the Ipconfig command
Logging the IP network statistics with the Netstat command
Logging the NetBIOS over TCP/IP statistics using different options of the Nbtstat command
Logging the routing table with the Netstat command
Logging the ARP cache for name resolution using the Arp command
Logging the network environment using different options of the Net command
Logging Terminal Services using different options of the Query command

The script can be supplemented by analyses relating to the registry (Regedit /e), the file structure of selected directories (Dir /s /o:n), or the security of directory trees (Cacls).

Note

The display of a text message in the command prompt can be suppressed by adding >NUL: 2>&1 to a command. >NUL: represents the redirection of the default output to the null device, that is, into nothing. 2>&1 directs all error output to the default output that points to the null device. As a result, neither default output nor error messages of the corresponding command are displayed.

Listing 7-3: The Analysis Script

@echo off
echo Processing system inspection...
echo System Inspection > %temp%\inspect.log
date /t >> %temp%\inspect.log
time /t >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ Systeminfo ] --- >> %temp%\inspect.log
systeminfo >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ IP Configuration ] --- >> %temp%\inspect.log
ipconfig /all >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ Netstat ] --- >> %temp%\inspect.log
echo [ netstat -e -s ] >> %temp%\inspect.log
netstat -e -s >> %temp%\inspect.log
echo [ netstat -a ] >> %temp%\inspect.log
netstat -a >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ Nbtstat ] --- >> %temp%\inspect.log
echo [ nbtstat -a %computername% ] >> %temp%\inspect.log
nbtstat -a %computername% >> %temp%\inspect.log
echo [ nbtstat -c ] >> %temp%\inspect.log
nbtstat -c >> %temp%\inspect.log
echo [ nbtstat -n ] >> %temp%\inspect.log
nbtstat -n >> %temp%\inspect.log
echo [ nbtstat -r ] >> %temp%\inspect.log
nbtstat -r >> %temp%\inspect.log
echo [ nbtstat -S ] >> %temp%\inspect.log
nbtstat -S >> %temp%\inspect.log
echo [ nbtstat -s ] >> %temp%\inspect.log
nbtstat -s >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ Routing ] --- >> %temp%\inspect.log
netstat -r >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ ARP Cache ] --- >> %temp%\inspect.log
arp -a >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ Net Command ] --- >> %temp%\inspect.log
echo [ net accounts ] >> %temp%\inspect.log
net accounts >> %temp%\inspect.log
echo [ net config server ] >> %temp%\inspect.log
net config server >> %temp%\inspect.log
echo [ net use ] >> %temp%\inspect.log
net use >> %temp%\inspect.log
echo [ net session ] >> %temp%\inspect.log
net session >> %temp%\inspect.log
echo [ net view ] >> %temp%\inspect.log
net view >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo --- [ Terminal Services ] --- >> %temp%\inspect.log
echo [ query termserver ] >> %temp%\inspect.log
query termserver >> %temp%\inspect.log
echo [ query session ] >> %temp%\inspect.log
query session >> %temp%\inspect.log
echo [ query user ] >> %temp%\inspect.log
query user >> %temp%\inspect.log
echo [ query process ] >> %temp%\inspect.log
query process * >> %temp%\inspect.log
echo. >> %temp%\inspect.log

echo System inspection finished >> %temp%\inspect.log

echo.
echo System inspection finished

Note

You probably wonder why you should bother with these quite obsolete batch script concepts at all. The answer lies with the compatibility scripts that are described in the following section. It is hard to believe, but despite the availability of much more advanced scripting technologies, those scripts are still based on the batch-processing mechanisms described in this section, even on Windows Server 2003.