Simple one liner...
I recently ran into an internal virus outbreak at my place of work. During the outbreak we were receiving a lot of virus/worm messages, many, many times the normal message volume; luckily all the virus messages had a subject line of "Here you have". As soon as we realized what was going on, a transport rule was put into place to block the messages on the Hub Transport servers. After several days we were still seeing infected endpoints on our network sending these messages. We needed a way to identify the infected users; here comes the simple PowerShell one-liner for the day:
Get-TransportServer | % { get-messagetrackinglog -Server "$_" -EventID "FAIL" -MessageSubject "Here you have" -Start "9/12/2010 12:00:01 AM" -ResultSize Unlimited } | Select Sender, Timestamp, MessageSubject | Export-Csv C:\09122010-current.csv
It gets all the Hub Transport servers, then on each one pulls the message tracking log entries that match EventID FAIL; this EventID is logged when a message matches a transport rule and is dropped. Since we only need the senders, Select limits the output to the sender's SMTP address, the timestamp and the message subject, and everything is sent to a CSV file. Open the CSV in Excel and you can see how many messages have been dropped and who your top senders are. Once you have that, it's time to go look at their workstations: scan and clean, or reimage.
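The Excel step can be done in the shell as well. The following is an added example, not the post's own one-liner: it runs the same query against every Hub Transport server, then groups the FAIL entries by sender so the noisiest endpoints come first and the first/last time each one was seen is visible. It assumes the Exchange 2007/2010 Management Shell is loaded; the subject, start time and C:\ output location are the post's own, the file name and column names are mine.

```powershell
# Added example (not the post's own one-liner): rank the senders of the dropped
# "Here you have" messages so the noisiest infected endpoints come first.
# Assumes the Exchange 2007/2010 Management Shell; subject, start time and
# output drive are the post's own, the file name is an assumption.
$subject = "Here you have"
$since   = "9/12/2010 12:00:01 AM"
$outfile = "C:\09122010-senders.csv"

# FAIL events written when the transport rule drops a message, from every Hub Transport server
$dropped = Get-TransportServer | ForEach-Object {
    Get-MessageTrackingLog -Server $_.Name -EventId FAIL -MessageSubject $subject `
        -Start $since -ResultSize Unlimited
}

# One row per sender address: how many were dropped and the first/last time it was seen
$summary = $dropped | Group-Object Sender | ForEach-Object {
    $times = @($_.Group | ForEach-Object { $_.Timestamp } | Sort-Object)
    New-Object PSObject -Property @{
        Sender    = $_.Name
        Dropped   = $_.Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
    }
} | Sort-Object Dropped -Descending

$summary | Select-Object Sender, Dropped, FirstSeen, LastSeen | Export-Csv $outfile -NoTypeInformation
$summary | Select-Object -First 20 | Format-Table Sender, Dropped, FirstSeen, LastSeen -AutoSize
```

Two things to keep in mind when reading the list: -MessageSubject is a substring match, so a legitimate reply quoting the subject would also be counted, and Sender is the envelope address, which a worm can forge. If the messages arrive over SMTP, the RECEIVE events for the same MessageId carry ClientIp and ClientHostname and point at the actual workstation; for messages submitted through the mailbox store the sender address is the only pointer you get.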
- Chad Manzer's blog
Exchange 2003 EAS info
The other day my boss came over and asked me how many users are using Exchange ActiveSync (EAS) for mobile email. Since we are in the process of moving to Exchange 2010, I tried to see if he could wait a few months, since Get-ActiveSyncDevice or Get-ActiveSyncDeviceStatistics would give me the info I was looking for, but he wanted it by the end of the week, so I got to work.
2010-06-25 00:00:00 W3SVC1 OWAServerName x.x.x.x POST /Microsoft-Server-ActiveSync User=UserSAMAccountName&DeviceId=ApplXXXXXXXXXX&DeviceType=iPad&Cmd=MoveItems&Log=V4TNASNC:0A0C0D0FS:0A0C0D0SP:1C7I18230S462834R0S0L0H0P 443 domain\samaccountname x.x.x.x HTTP/1.1 Apple-iPad/702.367 - - ourwebmailaddress m 200 0 0 436 542 156
$searchdir = "\\Server1\c$\WINDOWS\system32\LogFiles\W3SVC1\", "\\Server2\c$\WINDOWS\system32\LogFiles\W3SVC1\"
#############################################################################
# Filename: CollectEASInfo.ps1
# Searches Exchange 2003 IIS log files for EAS user and Device info and
# writes it to a CSV
#
# Created by Chad Manzer
# phillyexug.org
#
# Version 1.0
# (7/15/2009) - CM Initial release
#
# DISCLAIMER
# ==========
# THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
# RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
#############################################################################
$startTime = Get-Date
$outfile = "e:\APPL.csv"   # Where to save the results
$searchdir = "e:\OWAIIS\"  # Directory (or list of directories) to search for Exchange 2003 IIS logs
# Files only: a subdirectory under $searchdir would make Get-Content fail
$Files = Get-ChildItem $searchdir | Where-Object { -not $_.PSIsContainer } | ForEach-Object { $_.FullName }
[Hashtable]$Hash = @{}   # keyed by DeviceID, so a device that hits the server thousands of times is recorded once
$i = 0                   # progress counter
Get-Content $Files | ForEach-Object {
    # [^&]+ stops each capture at the next query parameter; a greedy .+ could swallow
    # neighbouring parameters. -match is case-insensitive, so "DeviceId" in the log matches.
    if ($_ -match " User=([^&]+)&DeviceID=([^&]+)&DeviceType=([^&]+)&Cmd") {
        $User = $Matches[1]
        $DeviceID = $Matches[2]
        $DeviceType = $Matches[3]
        # if the device is already in the hash table do not try to add it again
        if (-not $Hash.ContainsKey($DeviceID)) {
            $Hash.Add($DeviceID, (New-Object PSObject -Property @{
                DeviceID = $DeviceID; User = $User; DeviceType = $DeviceType }))
        }
        # Show some type of progress, it drives me nuts staring at a blinking cursor
        if ($i -lt 100) {
            $i++
            Write-Progress -Activity "Reading in Files" -Status "User: $User DeviceType $DeviceType DeviceID $DeviceID" -PercentComplete $i
        }
        else { $i = 0 }
    }
}
# Write the records to the output file as a real CSV with a header row
# (Export-Csv quotes the fields and does not truncate long values the way Out-File's table formatting can)
Write-Progress -Activity "Processing" -Status "Writing to $outfile "
$Hash.Values | Select-Object DeviceID, User, DeviceType | Export-Csv $outfile -NoTypeInformation -Encoding ASCII
# All done.
Write-Progress -Activity "Processing" -Completed -Status "All done."
Write-Host "Output file is located at: $outfile"
$Endtime = Get-Date
$RunTime = $Endtime - $startTime
Write-Host "Run time: "
$RunTime
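The regex approach depends on the EAS query parameters always appearing in the order User, DeviceId, DeviceType. As an added example, not part of the post or of CollectEASInfo.ps1, here is the same job done by parsing the IIS log by its "#Fields:" header, so the column layout comes from the log itself, and by taking the query string apart key by key. It also keeps the cs-username column (the account IIS actually authenticated) beside the client-supplied User= parameter, which is the value to trust when counting users. The log lines below are constructed to mirror the sample line above; the output path is an assumption.

```powershell
# Added example, not from the original post or CollectEASInfo.ps1.
# Parses Exchange 2003 front-end IIS logs (W3C format) by their "#Fields:" header,
# pulls the EAS query parameters apart, and counts users and devices.
# $sampleLog is constructed for illustration; on a real server feed it the lines of
# each file under the post's $searchdir instead (Get-Content $file).

$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-06-25 00:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2010-06-25 00:00:01 W3SVC1 OWA01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl0000000001&DeviceType=iPad&Cmd=Sync 443 domain\alice 10.0.1.20 HTTP/1.1 Apple-iPad/702.367 - - webmail.example.com 200 0 0 436 542 156
2010-06-25 00:00:02 W3SVC1 OWA01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl0000000001&DeviceType=iPad&Cmd=Ping 443 domain\alice 10.0.1.20 HTTP/1.1 Apple-iPad/702.367 - - webmail.example.com 200 0 0 12 300 9000
2010-06-25 00:00:03 W3SVC1 OWA01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=alice&DeviceId=Appl0000000002&DeviceType=iPhone&Cmd=Sync 443 domain\alice 10.0.1.21 HTTP/1.1 Apple-iPhone/801.293 - - webmail.example.com 200 0 0 400 500 120
2010-06-25 00:00:04 W3SVC1 OWA01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=WM000000000003&DeviceType=PocketPC&Cmd=FolderSync 443 domain\bob 10.0.1.22 HTTP/1.1 MSFT-PPC/5.2.5000 - - webmail.example.com 200 0 0 380 450 100
2010-06-25 00:00:05 W3SVC1 OWA01 10.0.0.5 GET /exchange/bob/Inbox - 443 domain\bob 10.0.1.30 HTTP/1.1 Mozilla/4.0 - - webmail.example.com 200 0 0 2000 300 50
'@ -split "`r?`n"

function ConvertFrom-W3CLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {      # header defines the column order for the rows that follow
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }   # other directives, blank lines
        if (-not $fields) { continue }                              # rows before any header are unusable
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }           # malformed row: skip rather than misalign columns
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $row
    }
}

function Get-EasDevices {
    param([string[]]$Lines)
    ConvertFrom-W3CLog $Lines |
        Where-Object { $_.'cs-uri-stem' -eq '/Microsoft-Server-ActiveSync' -and $_.'cs-uri-query' -ne '-' } |
        ForEach-Object {
            # Take the query string apart by key, so parameter order in the log does not matter
            $q = @{}
            foreach ($pair in ($_.'cs-uri-query' -split '&')) {
                $k, $v = $pair -split '=', 2
                $q[$k] = $v
            }
            New-Object PSObject -Property @{
                DeviceId   = $q['DeviceId']
                DeviceType = $q['DeviceType']
                User       = $q['User']          # what the client sent
                AuthUser   = $_.'cs-username'    # what IIS actually authenticated
            }
        } |
        Sort-Object DeviceId -Unique   # one row per device, however many commands it issued
}

$outfile = 'e:\EASDevices.csv'   # assumed output path; the post writes to e:\APPL.csv
$devices = @(Get-EasDevices $sampleLog)
$userCount = @($devices | ForEach-Object { $_.AuthUser } | Sort-Object -Unique).Count
Write-Host "EAS users: $userCount"            # 2 for the constructed log (alice, bob)
Write-Host "EAS devices: $($devices.Count)"   # 3 (two for alice, one for bob)
$devices | Group-Object DeviceType | Select-Object Name, Count | Format-Table -AutoSize
$devices | Select-Object DeviceId, DeviceType, User, AuthUser | Export-Csv $outfile -NoTypeInformation
```

Because the parser re-reads the header whenever it sees one, a file whose logging fields were changed part way through (IIS writes a new "#Fields:" line when that happens) is handled correctly, and a row with the wrong number of columns is skipped instead of being mapped onto the wrong field names.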
- Chad Manzer's blog
July 13, 2010 User Group Meeting Video
We would all like to thank Ed Wilson (The Scripting Guy) for sharing PowerShell best practices with all of us. The video of the presentation is up for anyone who may have missed it or would like to refer back to it. Enjoy.
If you would like to watch it on your mobile device, on the go, you can go to the Vimeo page at http://vimeo.com/13395119
- Chad Manzer's blog
PowerShell Best Practices by Ed Wilson on July 13
As many of you know, PowerShell is not only a powerful language that changes how you script and automate, it is essential when it comes to managing Exchange 2007 and Exchange 2010, and if you are not familiar with PowerShell, you can't ignore it any more.
Since PowerShell is such a key skill for Exchange administrators, we would like to invite Ed Wilson (The Scripting Guy) to share best practices with us in the July 13th session.
This is an absolutely amazing opportunity for the User Group members, but before we extend our invite to Ed we want to make sure we will have good participation; after all, not making the best of a session like Ed's would be a terrible thing to do.
We have opened a poll to gauge your interest in the session, and we invite you to take the poll or reply to us using the contact form so we can decide in the coming weeks whether Ed should be invited to share his valuable insight on PowerShell with us at the July 13th meeting.
We look forward to your valuable participation.
- Bhargav Shukla's blog