Have you ever wanted to see a list of all messages in a folder that are either unread or flagged for follow up?  Well… If you’re like me then you probably receive 100 + e-mails a day and just can’t read them all at once.

Here is a nifty filter that you can create in Outlook to accomplish this:

  • Make sure that you are in a mail folder (such as Inbox)
  • Go to view menu -> current view -> define views
  • Select “Unread messages in the folder”Click Copy, Enter an appropriate name such as “Unread and/or flagged messages” and leave other settings as is
  • Now select the newly created viewClick modify, then Filter
  • Go to SQL tab, check the tick box “Edit these criteria directly. All other tabs will be unavailable”
  • Paste the following into the text box:
  •  ("urn:schemas:httpmail:read" = 0) OR ("http://schemas.microsoft.com/mapi/proptag/0x10900003" > 1)
  • Click OK, OK and Close

You can now select this view in any folder you please.

This filter should show all unread messages and any message flagged for follow up that has not been completed yet.

I have not tested this extensively but have been using it for a while now and all seems to be in order with the filter.

Spyware vs Virii

posted by Sam Ravenscroft
Sep 4

Spyware and viruses are both forms of unwanted or malicious software, sometimes called “malware.” You need to protect yourself from both.

What’s the difference?

Spyware (sometimes called adware) collects information about you without appropriate notice and consent.
A computer virus spreads software, usually malicious in nature, from computer to computer.

Spyware can get installed on your computer in a number of ways. One way is through a virus. Another way is for it to be secretly downloaded and installed with other software you’ve chosen to install.

In short, spyware is a specific type of unwanted software that secretly collects your information.

A virus is a specific way software can be secretly distributed, often by e-mail or instant messaging.

Both spyware and viruses can cause damage to your computer or cause you to lose important data.

To help protect against spyware, try Super Anti-Spyware.

To help protect against viruses, try Avast (a good free-for-personal-use anti-virus) or software from another antivirus provider.

HOW TO: Debug Memory Dumps

posted by Sam Ravenscroft
Sep 4

When you get a stop error (Blue Screen of Death or BSOD), your computer generates a small file or memory dump usually referred to as a minidump. This BLOG post will explain to you how to analyse these minidump files. This may shed some light on the problem in terms of what caused a particular stop error. It may also give you the driver file name if the stop error was caused by a faulty or incorrectly installed driver.

Your first step is to download and install the Microsoft Debugging Tools found here: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

Once you have downloaded and installed these tools, go to start, all programs, Debugging Tools For Windows, Windbg. Once you open Windbg, you will presented with a blank screen. Click on File, Symbol File Path. Here you will enter the symbols path. Symbols are needed to effectively debug.

The path will be:


Enter in this path and click OK. Now, go to File, Save Workspace so that your symbols path is saved for future use. Now what you want to do is locate your memory dumps. They are usually located in %systemroot%/minidump (in general C:/windows/minidump).

If you notice, they are usually named the date, and then a -*number* to indicate the order of minidumps that day. My example is called Mini061904-01.dmp .

Inside of Windbg, go to File, Open Crash Dump and load the file. You will get a message to save base workspace information. Choose no.

Now you will get a debugging screen. Now it takes a little bit to run it, as the symbols have to be downloaded as they are needed. Then you will see information such as:

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Microsoft (R) Windows Debugger Version 6.3.0017.0
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini061904-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp2.030422-1633
Kernel base = 0x804d4000 PsLoadedModuleList = 0x80543530
Debug session time: Sat Jun 19 19:06:57 2004
System Uptime: 0 days 1:03:36.951

Loading Kernel Symbols
Loading unloaded module list
Loading User Symbols
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 86427532, {1db, 2, 3, b} <–This is your stop code

Unable to load image pavdrv51.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for pavdrv51.sys
*** ERROR: Module load completed but symbols could not be loaded for pavdrv51.sys
Probably caused by : pavdrv51.sys ( pavdrv51+7fc0 )

Followup: MachineOwner

Now, we can already see what it was most likely caused by, in my case it was pavdrv51.sys, which is a Panda AV file.

If we want to get further in depth, we can use the command, !analyze -v at the kd> prompt to delve more info about the error:

kd> !analyze -v
* *
* Bugcheck Analysis *
* *

Unknown bugcheck code (86427532)
Unknown bugcheck description <–Its unknown, and not listed on the MS KB at all.

Arg1: 000001db
Arg2: 00000002
Arg3: 00000003
Arg4: 0000000b

Debugging Details:



BUGCHECK_STR: 0x86427532

LAST_CONTROL_TRANSFER: from f4198fc0 to 804f4103

f41f0964 f4198fc0 86427532 000001db 00000002 nt!KeBugCheckEx+0x19
WARNING: Stack unwind information not available. Following frames may be wrong.
f41f0ba0 f419920b 864db520 f419ccf0 00000000 pavdrv51+0x7fc0
f41f0c34 804ea221 865b8910 864a52c0 806ad190 pavdrv51+0x820b
f41f0c44 8055d0fe 864a5330 86305028 864a52c0 nt!IopfCallDriver+0x31
f41f0c58 8055de46 865b8910 864a52c0 86305028 nt!IopSynchronousServiceTail+0x5e
f41f0d00 80556cea 000000a4 00000000 00000000 nt!IopXxxControlFile+0x5c2
f41f0d34 8052d571 000000a4 00000000 00000000 nt!NtDeviceIoControlFile+0x28
f41f0d34 7ffe0304 000000a4 00000000 00000000 nt!KiSystemService+0xc4
00cdff70 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4

f4198fc0 ?? ???



SYMBOL_NAME: pavdrv51+7fc0

MODULE_NAME: pavdrv51

IMAGE_NAME: pavdrv51.sys



BUCKET_ID: 0x86427532_pavdrv51+7fc0

Followup: MachineOwner

Update: After the intial run of the debug process, you can use the command !analyze -v to gather more information.

Now that may be more infor than you need. This tutorial only covers minidumps, however, if needed, you could change your memory dump options to do a complete dump. This is useful, however, very cumbersome, as the file generated will be the same size as your amount of ram.

Note: Make absolutely sure that your symbol path is correct. If it isn’t, then you will get symbol errors and not likely be able to debug the dump to get the info you desire.

Author note: This article source is from a posting found on Majorgeeks.com’s forums.

I have been receiving this error on my SBS 2003 R2 server (with SP1):

Error category : Resource Errors
Error : e000fedf - A failure occurred reading an object.
For additional information regarding this error refer to link V-79-57344-65247

If you follow the link it will redirect you to Symantec’s site. Instructions found there will direct you to enable debug logging on some of the services.

The information found there will give you an example, showing the the file sfcfiles.dll as being corrupt. I followed the instructions and coincidentally found the exact same file to be corrupt on my server as per the log files generated during a backup of the system state.

I compared the version of the file on my server with another healthy server and found that the MD5 hash of the two files differed. I copied the healthy file onto my server and ran another backup of the system state, but the problem persisted.

Symantec forums directed me to re-install Windows Server – SP1 which solved the problem.

So you’re all excited… you just installed Outlook 2007 and you think it’s great… until your friends start forwarding you all those funny e-mails we all love to receive, but you can’t see the animation in animated GIF images.

This is not a bug in Outlook 2007, but rather a feature (that I am sure most will find rather frustrating).

As per Microsoft:

Other Unsupported Web-Related Features
The following is a list of all other Web-related features that Word 2007 does not support:

  • Animated GIF images. Only a static representation of the GIF image shows.
  • Flash. Only a red “X” shows in the area where the flash would display.

For full details please see:

Currently there is no known quick solution for this, but one workaround is to save the e-mail message somewhere on your hard drive and then open it using your favourite browser.

Here’s how you do it:

  • Select the message, don’t open it
  • Click file, save
  • It should be in htm / html format by default
  • Browse to a folder where you can open the mail from (I always use my desktop)
  • Double click the file on the desktop and voila your message displays in your default browser (typically Internet Explorer) and you can see all the animations.
  • Once your done reading (and hopefully laughing), close Internet Explorer
  • Rember to delete the file and folder created by saving the message – you don’t want to waste disc space or clutter your desktop

SMTP Problem solving

posted by Sam Ravenscroft
Jun 2

About 2 weeks ago I was assisting a friend of mine to upgrade her server hardware. They had also moved to a new ISP for hosting et al.

We had some problems with the outgoing mail queues in Exchange 2003. Exchange was setup to deliver mail directly (via DNS). Not all of the mail could be delivered.

The tools used to debug these kind of problems are nslookup and telnet. (There are many other tools available, but these 2 tools can be used on any out-of-the-box Windows / Server installation.)

Let’s say for example that you cannot send mail to [email protected]

Open up a command prompt (start, run, cmd)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Default Server: UnKnown
Address: 192.*.*.*

> set type=mx
> microsoft.com
Server: UnKnown
Address: 192.*.*.*

Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com

microsoft.com nameserver = ns5.msft.net
microsoft.com nameserver = ns1.msft.net
microsoft.com nameserver = ns2.msft.net
microsoft.com nameserver = ns3.msft.net
microsoft.com nameserver = ns4.msft.net
maila.microsoft.com internet address =
maila.microsoft.com internet address =
mailb.microsoft.com internet address =
mailb.microsoft.com internet address =
mailc.microsoft.com internet address =
mailc.microsoft.com internet address =
ns1.msft.net internet address =
ns2.msft.net internet address =
ns3.msft.net internet address =
ns4.msft.net internet address =
ns5.msft.net internet address =
> exit


Here’s the breakdown:

nslookup // this is a command line tool to perform DNS lookups
set type = mx // this tells nslookup that we are interested in MX record (Mail eXchanger)
microsoft.com // this is the domain for which we want to do the lookup
exit // self explanatory

The results we are interested in are:

Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com

Basically this means that the domain Microsoft.com has 3 mail servers (or mail exchangers) and that each server has a preference of 10 (lower preference means more preferred, i.e. your backup MX server should have a higher preference that your primary MX server). When the MX records for a domain have the same preference it is used for load balancing as neither is more preferred than the other.

Ok, let’s proceed to telnet. From the list above we will use maila.microsoft.com as it is the first in the list (in a different scenario you would choose the primary MX server, i.e. the one of the lowest preference).

(once again from a command prompt)

C:\>telnet maila.microsoft.com 25

220 mail04.microsoft.com Microsoft ESMTP MAIL Service ready at Sat, 2 Jun 2007 1
0:24:12 -0700
ehlo localhost.localdomain
250-mail04.microsoft.com Hello [41.*.*.*]
250-SIZE 10485760
mail from: [email protected]
250 2.1.0 Sender OK
rcpt to: [email protected]
550 5.7.1 Email rejected because 41.*.*.* is listed by zen.spamhaus.org. Please see http://www.spamhaus.org/query/bl?ip=41.*.*.* for more information.
221 2.0.0 Service closing transmission channel

connection to host lost.

(note: some of the IP's etc. above were masked in the interest of privacy)

Here’s the breakdown

telnet maila.microsoft.com 25 // connect to remote server on port 25 (SMTP)
ehlo localhost.localdomain // ehlo command
mail from: [email protected] // who the mail is from
rcpt to: [email protected] // who the mail is for
quit // close the connection

The response:

550 5.7.1 Email rejected because 41.*.*.* is listed by zen.spamhaus.org. Please see http://www.spamhaus.org/query/bl?ip=41.*.*.* for more information

And that is how it’s done. Obviously the response code will differ according to what the problem is.

Under normal circumstances one would simply use nslookup and telnet to debug the problem, but I found this great tool called bmail from Beyond Logic it can be downloaded from http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm

Bmail is a command line mailer, you will still need to obtain the MX record using nslookup, but thereafter it is much easier to use bmail.


(from the command line)


Command Line SMTP Emailer V1.07
Copyright(C) 2002-2004 [email protected]
Date: Sat, 02 Jun 2007 21:00:47 +0200
Usage: bmail [options]
-s SMTP Server Name
-p SMTP Port Number (optional, defaults to 25)
-t To: Address
-f From: Address
-b Text Body of Message (optional)
-h Generate Headers
-a Subject (optional)
-m Filename (optional) Use file as Body of Message
-c Prefix above file with CR/LF to separate body from header
-d Debug (Show all mail server communications)

C:\>bmail -s maila.microsoft.com -t [email protected] -f [email protected] -h -a "Test message" -d

Command Line SMTP Emailer V1.07
Copyright(C) 2002-2004 [email protected]
Opening connection to maila.microsoft.com [] on port 25
220 mail04.microsoft.com Microsoft ESMTP MAIL Service ready at Sat, 2 Jun 2007 1
2:42:11 -0700
HELO localhost
250 mail04.microsoft.com Hello [41.*.*.*]
MAIL FROM:<[email protected]>
250 2.1.0 Sender OK
RCPT TO:<[email protected]>
550 5.7.1 Email rejected because 41.*.*.* is listed by zen.spamhaus.org. Please see http://www.spamhaus.org/query/bl?ip=41.*.*.* for more information.
550 5.7.1 Email rejected because 41.*.*.* is listed by zen.spamhaus.org. Please see http://www.spamhaus.org/query/bl?ip=41.*.*.* for more information.


The -d (debug switch) is obviously very important here as it shows you the full SMTP conversation.

Scheduled Disk Defrag

posted by Sam Ravenscroft
Jun 2

Credit goes out to Doug Knox for this one.

Microsoft Windows offers a built in tool for defragmenting your hard drives. Sometimes it can be hard to defragment many hard drives on remote machines regularly without the help of 3rd party tools. The following is a visual basic script which will allow for this.

Copy and paste the following text into notepad and save it as a .vbs file.

'Defrags all hard disks - Can be run as a Scheduled Task
'Modified to create an error log and display it
'© Doug Knox - 4/13/2002Option Explicit
Dim WshShell, fso, d, dc, ErrStr(), Return, X, A(), MyFile, I, MyBox, Drive
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
X = 0
Set dc = fso.Drives
For Each d in DC
If d.DriveType = 2 Then
X = X + 1
'Determine drive letter of first fixed disk
'This is the drive that the error report will be placed on
If X = 1 Then
Drive = d
End If
End If
ReDim A(X)
ReDim ErrStr(X)
X = 0
For Each d in dc
If d.DriveType = 2 Then
X = X + 1
Return = WshShell.Run("defrag " &amp; d &amp; " -f", 1, TRUE)
'Determine the Error code returned by Defrag for the current drive and save it
If return = 0 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag completed successfully" &amp; vbCRLF
elseif return = 1 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; " (defrag was cancelled manually) " &amp; vbCRLF
elseif return = 2 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; " (there was a command line error. Check your command line for valid switches and drives)" &amp; vbCRLF
elseif return = 3 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; " (there was an unknown error)" &amp; vbCRLF
elseif return = 4 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; " (defrag could not run due to insufficient memory resources)" &amp; vbCRLF
'errorlevel 5 is not currently used
elseif return = 5 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; " (general error)" &amp; vbCRLF
elseif return = 6 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; "(System error: either the account used to run defrag is not an administrator, there is a problem loading the resource DLL, or a defrag engine could not be accessed. Check for proper user permissions and run Sfc.exe to validate system files)" &amp; vbCRLF
elseif return = 7 then
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with error level " &amp; return &amp; " (There is not enough free space on the drive. Defrag needs 15% free space to run on a volume)" &amp; vbCRLF
ErrStr(x) = ErrStr(x) &amp;  "Drive " &amp; d &amp; " Defrag aborted with an unknown error level: " &amp; return &amp; vbCRLF
end if
End If
'Create the Error Report in the root of the first fixed disk.
Set MyFile = fso.OpenTextFile(Drive &amp; "defragreport.txt", 2, True)
MyFile.WriteLine(Date) &amp; vbCRLF
MyFile.WriteLine(Time) &amp; vbCRLF
For I = 1 to X
'Return = WshShell.Run(Drive &amp; "defragreport.txt",3,True)
Set WshShell = Nothing
Set fso = Nothing

Run task scheduler and schedule the task how often you would like and let it run.

If a user is logged on, it will display the txt file when it is done. To disable this feature all you need to do is comment out the fourth line from the bottom

'Return = WshShell.Run(Drive & "\defragreport.txt",3,True)

Here’s the script, enjoy

This information is provided “AS IS” with no warranty expressed or implied.

Enable/disable Defrag at boot time

posted by Sam Ravenscroft
Jun 2

Open Regedit (Start/Run/Regedit)

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction

Select Enable from the list on the right. Right on it and select Modify. Change the value to Y to enable and N to disable.

Reboot your computer.

(This function is enabled by default.)

Problem with Add Remove Programs

posted by Sam Ravenscroft
May 20

Whilst working on a new site this weekend I almost lost it:

Trying to open Add Remove Program (or run appwiz.cpl) results in:

Parser Message
Value creation failed ” at line 451

So after many hours of Googling, here’s the fix:

copy shellstyle.dll to system32

I located the file shellstyle.dll on a known working system.

The error was experience on an SBS 2003 R2 (Premium edition) server.

Problem could be related to custom OS installation disc created by NLite – but more on that later.

Holiday sweet holiday

posted by Sam Ravenscroft
Mar 19

Hmm, so I never did post that update.

Sorry about that, but I have been extremely busy and am currently on holiday in the beautiful Isle of Man (02/03 till 04/04).

It is such a pleasure to be in a country where the internet just always works and where there are no “planned power outages”.

I’m currently working on some new ideas (restructure my schedule etc.) and will hopefully be able to allocate a daily (or at least) weekly timeslot to update my blog.

Until then, cheers!