Monday, June 22, 2009

Logparser: find which computers are locking your windows accounts.

To find account lockout events on multiple domain controllers, download Log Parser 2.2 and execute the following command in a domain admin context (e.g. runas /user:domain\administrator logparser.exe), where the part below the command is saved as "lockouts.sql". The account lockout event is 644; if you need other event IDs, read Microsoft's KB174074. Also, this script reads each domain controller's security event log sequentially, so if you're in a hurry, run a separate logparser process for each domain controller.

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid

------stick this part in lockouts.sql
/* Event 644 = "User Account Locked Out" on Windows 2000/2003 (Vista/2008 log it as 4740).
   Token 0 of Strings is the locked-out account; the caller machine name is token 2
   and also appears in the Message text. */
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName,
message AS Message
FROM \\domaincontroller1\Security, \\domaincontroller2\Security, \\domaincontroller3\Security
WHERE EventID = 644
-----end here

If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:

logparser.exe file:c:\scripts\logparser\lockouts.sql -o:SQL -server:myDBservername -driver:"SQL Server" -database:myDBname -createtable:ON

The table name will end up matching your database name. Set -createtable to OFF after you run it once.
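The query above returns the locked-out account, but the title question (which computer is doing the locking) is answered by the caller machine in the 644 record. As an added example that is not from the post or from Log Parser, the Python below takes 644 rows exported with -o:CSV and groups them by caller machine. It assumes the pipe-joined Strings layout of event 644 (target account, target SID, caller machine, caller user, caller domain, caller logon ID); the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of "logparser ... -i:EVT -o:CSV" output for
# SELECT TimeGenerated, ComputerName, Strings ... WHERE EventID = 644.
# The last row is deliberately truncated to exercise the malformed-row check.
SAMPLE_CSV = """\
TimeGenerated,ComputerName,Strings
2009-06-22 08:01:10,DC1,"jsmith|S-1-5-21-1111111111-2222222222-3333333333-1105|WKS-FRONTDESK|DC1$|CORP|(0x0,0x3E7)"
2009-06-22 08:03:42,DC2,"jsmith|S-1-5-21-1111111111-2222222222-3333333333-1105|WKS-FRONTDESK|DC2$|CORP|(0x0,0x3E7)"
2009-06-22 08:05:07,DC1,"mjones|S-1-5-21-1111111111-2222222222-3333333333-1180|LAPTOP-22|DC1$|CORP|(0x0,0x3E7)"
2009-06-22 08:09:55,DC1,"svc_backup|S-1-5-21-1111111111-2222222222-3333333333-1201|WKS-FRONTDESK|DC1$|CORP|(0x0,0x3E7)"
2009-06-22 08:10:01,DC2,"truncated|S-1-5-21-1111111111-2222222222-3333333333-1300"
"""

# Order of the pipe-joined Strings tokens in a 644 event (assumed here)
STRINGS_FIELDS = ("target_user", "target_sid", "caller_machine",
                  "caller_user", "caller_domain", "caller_logon_id")


def parse_lockouts(csv_text):
    """One dict per well-formed 644 row; rows without all six Strings
    tokens are dropped rather than mis-attributed to a machine."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tokens = row["Strings"].split("|")
        if len(tokens) != len(STRINGS_FIELDS):
            continue
        rec = dict(zip(STRINGS_FIELDS, tokens))
        rec["time"], rec["dc"] = row["TimeGenerated"], row["ComputerName"]
        records.append(rec)
    return records


def lockouts_by_machine(records):
    """caller machine -> set of accounts it locked out."""
    by_machine = defaultdict(set)
    for rec in records:
        by_machine[rec["caller_machine"]].add(rec["target_user"])
    return dict(by_machine)


def noisy_machines(records, min_accounts=2):
    """Machines that locked out min_accounts or more distinct accounts,
    the usual sign of a stale stored credential or a guessing source."""
    return sorted(m for m, users in lockouts_by_machine(records).items()
                  if len(users) >= min_accounts)
```

Run parse_lockouts(SAMPLE_CSV) and feed the result to noisy_machines(); with the sample data WKS-FRONTDESK is the one machine locking out more than one account, and the truncated row is ignored.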

Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.

If you're going to be doing anything with windows logs, buy the book. It's more useful than several log management software packages I've demo'ed.

Download Log Parser here.


Tuesday, June 16, 2009

Brand Dimensions' bot stops, but Brand Dimensions doesn't.

Now that I added "User-agent: BDFetch" / "Disallow: /" to my robots.txt, all the BDFetch bot gets is robots.txt. However, someone at Brand Dimensions is now browsing my blog:

72.14.164.134 - - [08/Jun/2009:13:58:26 -0400] "GET /blog HTTP/1.1" 301 314 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.133 - - [08/Jun/2009:13:58:26 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.196 - - [08/Jun/2009:13:58:42 -0400] "GET /blog/2009/06/comcast-is-collecting-data-on.html HTTP/1.1" 200 16335 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"

A little research reveals that they have a class C block of IPs:
CustName: Brandimensions Inc.
Address: 5090 Explorer Drive
Address: Suite 203
City: Mississauga
StateProv: ON
PostalCode: L4W-4T9
Country: CA
RegDate: 2008-06-25
Updated: 2008-06-25
NetRange: 72.14.164.0 - 72.14.164.255
CIDR: 72.14.164.0/24

Thus blocking 72.14.164.0/24 at the firewall will prevent them from seeing anything.



Thursday, June 11, 2009

Update on Washington DC Television Transition: OTA channel assignments

The information below is what the FCC has for the Washington DMA. If you ask most television stations what their frequency is, they don't have a clue. The FCC also says I should receive all of these stations at my house. These stations are VHF and UHF, so your standard TV antenna should work fine (see study). I contend there is no such thing as a "high-def" antenna. Radio waves are radio waves. The frequency is the same. If you're experiencing multipath errors, try using a directional antenna. (How do you determine if your reception problems are multipath errors? In the analog days, multipath showed up as ghosting. Generally, you should be getting good reception because you're close, but you can't lock on.)

If you're wondering why you can't receive a station, here's a study by the FCC on DTV reception in Washington, DC. If you have a hundred thousand dollars' worth of equipment, you'll be able to replicate their results: you're less likely to receive DTV signals than you were analog signals. You can improve your chances with a thirty-foot mast.

For the tripod-mounted, indoor-type antennas, SPI was 86% for WUSA and 84% for WRC when the better of either the bowtie antenna or the Silver Sensor directional antenna was used. These SPIs for the combined indoor antenna types exceed the above values for mast-mounted antenna reception computed in the 1998 study.

Station  Network    Analog   Digital Channel   Digital Channel    Virtual   Transition
                    Channel  Pre Transition    Post Transition    Channel   Date
WRC      NBC        4        48                48                 4-1       6/12/2009
WTTG     FOX        5        36                36                 5-1       6/12/2009
WJLA     ABC        7        39                7                  7-1       6/12/2009
WUSA     CBS        9        34                9                  9-1       6/12/2009
WFDC     UNIVISION  14       15                15                 14-1      6/12/2009
WDCA                20       35                35                 20-1      6/12/2009
WHAG     NBC        25       55                26                 25-1      6/12/2009
WETA     PBS        26       27                27                 26-1      6/12/2009
WWPB     PBS        31       44                44                 31-1      6/12/2009
WHUT     PBS        32       33                33                 32-1      6/12/2009
WVPY     PBS        42       21                21                 42-1      6/12/2009
WDCW     CW         50       51                50                 50-1      6/12/2009
WWPX     ION        60       12                12                 60-1      6/12/2009
WFPT     PBS        62       28                28                 62-1      4/16/2009
WPXW     ION        66       43                34                 66-1      6/12/2009


Friday, June 5, 2009

Comcast is collecting data on my blog: How to stop Brand Dimensions

I just noticed some interesting entries in my logs from a new bot: BDFetch. Brand Dimensions is a company that collects information from the Internet, looking for bad things people say about Comcast's poor service. Apparently, they're conducting private investigations for U.S. clients from Canada by collecting files on everyone who says something about Comcast online. Personally, I'd rather not be investigated by a Canadian company in a state that requires licensing for such activities.

Here are the entries from my web server's access log. Clearly, they're looking only at content that mentions Comcast. I mention other brand names, but they're not interested in them.

72.14.164.176 - - [05/Jun/2009:16:49:17 -0400] "GET /robots.txt HTTP/1.1" 200 289 "www.brandimensions.com" "BDFetch"
72.14.164.150 - - [05/Jun/2009:16:49:39 -0400] "GET /blog/2008/11/comcast-strikes-back.html HTTP/1.1" 200 17006 "www.brandimensions.com" "BDFetch"

Since then, I have two new lines in my robots.txt file:
User-agent: BDFetch
Disallow: /

If that doesn't work, I'm going to cut off the 72.14.164.0/24 network at my firewall.

Wondering if Brand Dimensions is watching you? Here's the grep command to find them:
grep BDFetch access_log
You'll need access to your web server's log. Also, remember that grep and Unix are case-sensitive.
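For this post and the June 16 follow-up above (where the same netblock kept browsing after the bot itself stopped), here is an added Python check that is not from either post: it flags access_log lines by the BDFetch user-agent and, independently, by membership in the 72.14.164.0/24 range from the whois record, so requests that drop the bot's UA are still attributed. The sample lines are the posts' own log excerpts plus one constructed ordinary visitor and one constructed malformed line.

```python
import ipaddress
import re

WATCH_AGENT = "BDFetch"                              # the bot's declared UA
WATCH_NET = ipaddress.ip_network("72.14.164.0/24")  # Brandimensions' registered range

# Sample access_log lines: two from the posts, plus one constructed
# unrelated visitor (192.0.2.17) and one constructed malformed line.
SAMPLE_LOG = """\
72.14.164.176 - - [05/Jun/2009:16:49:17 -0400] "GET /robots.txt HTTP/1.1" 200 289 "www.brandimensions.com" "BDFetch"
72.14.164.133 - - [08/Jun/2009:13:58:26 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
192.0.2.17 - - [08/Jun/2009:14:02:11 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/5.0 (X11; Linux)"
not a log line at all
"""

# Apache combined log format
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Fields of one combined-format line, or None for a malformed line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Why a request is attributed to the service: 'agent' when the bot's
    UA is declared, 'netblock' when the source sits in its registered range."""
    reasons = []
    if WATCH_AGENT.lower() in entry["ua"].lower():
        reasons.append("agent")
    try:
        if ipaddress.ip_address(entry["ip"]) in WATCH_NET:
            reasons.append("netblock")
    except ValueError:          # hostname-resolved logs or garbage in the IP column
        pass
    return reasons


def scan(log_text):
    """(ip, request) -> reasons, for every flagged, well-formed line."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits[(entry["ip"], entry["req"])] = reasons
    return hits
```

Call scan(SAMPLE_LOG): the robots.txt fetch is flagged as both 'agent' and 'netblock', the browser-like hit from 72.14.164.133 as 'netblock' only, and the 192.0.2.17 visitor is not flagged.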