SBS server disappeared off the network

By Nicolas BlankUncategorized

As I came into the office this morning I was told that my SBS server had gone off the radar for hours.

I RDP' d (Remote Desktop) into the box and managed to get a task manager up for long enough to see that mmc.exe was hogging the processor. After that task manager itself became rather unresponsive. Seeing that I've been preaching the Powershell and remote management message, I thought this is a perfect example to blog about.  I saw from task manager that the process was called "mmc.exe".

I fired up PowerShell and used the get-wmiobject command - abbreviated gwmi - locally to see where I would find the name of the EXE. So on my machine I typed

PS C:\> gwmi win32_process

I could see that the "name" and "processname" properties carried the name of the exe. I then issued a get-method command to see what I could do TO the process. one of the methods was cunningly named "terminate()", which gave me a clue that I could kill the process from the command line. Since my server was unresponsive, I didn't want to waste any time time by making a remote call to interrogate the server for all running processes.  This is why I looked to my local machine for property names and methods.

In order to call the method I assigned a variable "$S" containing a reference to the process on my server called "2003server".

In English the line below reads: Declare a variable called "S@". Get a GMI object called "win32_process" from a machine named "2003server". Take the result of that and pipe it "|" to the command that only selects a process by the name "mmc.exe"

I waited a few minutes for the command to execute - my machine was locked up THAT badly!

I then called the terminate method of the wmi object containing the reference to mmc.exe -  "$s.terminate()"

My server responded immediately and started serving mail requests. The entire command line session is pasted below:

PS C:\> $S = gwmi win32_process -computername 2003server | where {$_.Processname -eq "mmc.exe"}
PS C:\> $s.Terminate()

__GENUS : 2
__CLASS : __PARAMETERS
__SUPERCLASS :
__DYNASTY : __PARAMETERS
__RELPATH :
__PROPERTY_COUNT : 1
__DERIVATION : {}
__SERVER :
__NAMESPACE :
__PATH :
ReturnValue : 0

In conclusion, by understanding a bit about WMI and using Powershell to interrogate the methods available to the WMI object, I was able to regain control of my server while the GUI remained unresponsive.