#StackBounty: #windows-registry #windows-server-2008-r2 #time Alter Logging Threshold for Windows Time-Service?

Bounty: 50

The Windows System Log on my machine is getting filled up with these Windows Time-Service messages (Event 50).


This machine is synced but isn’t always accurate to within 128 milliseconds.


I’m OK with the log messages, but I’m wondering if there is a way to increase this 128 milliseconds threshold? I.e. if I could change this to 5 seconds, this would be great. Is there any way to do this?

I read this article and searched around the Windows registry but I don’t see anything that can adjust this value.

I also saw this question (separate issue, but dealing with same event) which states:

The time service detected a time difference of greater than 5000 milliseconds for 900 seconds. 

Which makes me believe it is possible to adjust this value to 5000 milliseconds, but I don’t see anywhere in the GUI, via command line, or via registry that it can be changed.

Is this possible?



#StackBounty: #windows #windows-server-2008 #active-directory #windows-server-2008-r2 Multiple domain controller and SQL Login Failed w…

Bounty: 100

I have a domain test.local with 4 domain controllers.

I have a SQL Server; sometimes, when rebooting one of my domain controllers, I get this error:

Description: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has
occurred. Error code: 0x80004005.
An OLE DB record is available. Source: “Microsoft SQL Server Native Client 11.0” Hresult: 0x80004005 Description: “Login failed.
The login is from an untrusted domain and cannot be used with Windows
authentication.”.

Why is authentication not done on the other 3 DCs? Normally there is load balancing when there are multiple domain controllers.

Thanks for your help



#StackBounty: #windows-server-2008-r2 #ntfs #disk-volume What are $Extend\$Deleted file system entries and how do I get rid of them?

Bounty: 50

I’d like to shrink an NTFS data partition on one of my servers. Unfortunately, it has an “unmovable file” located at an inconvenient position.

Here is the relevant event log entry:

A volume shrink analysis was initiated on volume Daten (C:\Daten). This event log entry details information about the last unmovable file that could limit the maximum number of reclaimable bytes.

Diagnostic details:
– The last unmovable file appears to be:
$Extend\$Deleted:$I30:$INDEX_ALLOCATION
– The last cluster of the file is: 0x1138f943
– Shrink potential target (LCN address): 0x18a51d6
– The NTFS file flags are: ----I
– Shrink phase: <analysis>

To find more details about this file please use the “fsutil volume querycluster \\?\Volume{4ad80633-d2d5-415e-97b4-9ad5f648bb0c} 0x1138f943” command.

The command mentioned at the bottom of the event log entry does not yield any useful additional information:

C:\> fsutil volume querycluster \\?\Volume{4ad80633-d2d5-415e-97b4-9ad5f648bb0c} 0x1138f943
Cluster 0x000000001138f943 used by ----I $Extend\$Deleted:$I30:$INDEX_ALLOCATION

(Note (not sure if it’s relevant): The last thing I did on the drive was to delete all shadow copies.)

I am aware that $Extend is not a “regular” folder but some kind of NTFS system file. Thus, my question:

What is this $Extend\$Deleted file system entry and how do I get rid of it? (Or, at least, get rid of its “unmovability” so that I can shrink my volume…)


#StackBounty: #ssh #windows-server-2008-r2 #sftp SSH Connection was slow on windows server

Bounty: 50

I am trying to use OpenSSH to set up SFTP on Windows Server 2008 R2.
It can be used, but the connection is really slow. It takes around 4+ minutes to make a connection.

By the way, I use local Windows users for authentication with a password.

I also tried setting UseDNS to No and switching to use only IPv4, but it makes no difference at all.

It’s also slow when I try this “ssh -vvv username@localhost” on the server itself.

From the logs, I found that it takes a long time after the “preauth child monitor started” line.

Does anyone have any idea about this? Thank you very much for your help.

5528 2020-05-22 19:16:25.119 debug3: unable to load module api-ms-win-security-lsapolicy-l1-1-0.dll at run time, error: 193
5528 2020-05-22 19:16:25.119 debug3: unable to load module api-ms-win-security-lsapolicy-l1-1-0.dll at run time, error: 193
5528 2020-05-22 19:16:25.119 debug3: unable to load module api-ms-win-security-lsapolicy-l1-1-0.dll at run time, error: 193
5528 2020-05-22 19:16:25.166 debug3: unable to load module api-ms-win-security-lsapolicy-l1-1-0.dll at run time, error: 193
5528 2020-05-22 19:16:25.197 debug3: unable to load module api-ms-win-security-lsapolicy-l1-1-0.dll at run time, error: 193
5528 2020-05-22 19:16:25.197 debug3: spawning "C:\Program Files\OpenSSH-Win64\sshd.exe" -y
5528 2020-05-22 19:16:25.197 debug2: Network child is on pid 8040
5528 2020-05-22 19:16:25.213 debug3: send_rexec_state: entering fd = 6 config len 602
5528 2020-05-22 19:16:25.213 debug3: ssh_msg_send: type 0
5528 2020-05-22 19:16:25.213 debug3: send_rexec_state: done
5528 2020-05-22 19:16:25.213 debug3: ssh_msg_send: type 0
5528 2020-05-22 19:16:25.213 debug3: ssh_msg_send: type 0
5528 2020-05-22 19:16:25.213 debug3: preauth child monitor started
8040 2020-05-22 19:17:33.590 debug3: recv_idexch_state: entering fd = 3
8040 2020-05-22 19:17:33.590 debug3: ssh_msg_recv entering
8040 2020-05-22 19:17:33.590 debug3: recv_idexch_state: done
8040 2020-05-22 19:17:33.590 debug2: fd 5 setting O_NONBLOCK
5528 2020-05-22 19:17:33.590 debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
5528 2020-05-22 19:17:33.590 debug3: send packet: type 20 [preauth]
5528 2020-05-22 19:17:33.590 debug1: SSH2_MSG_KEXINIT sent [preauth]
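
The stall the poster describes can be measured directly from the log timestamps. The following is an added example, not part of the original post: it parses an excerpt of the lines above and reports where consecutive entries are more than a second apart. The names `parse_sshd_log` and `find_stalls` and the one-second threshold are assumptions made for illustration.

```python
import re
from datetime import datetime

# Excerpt of the sshd debug log from the post above: pid, timestamp, level, message.
SAMPLE_LOG = r"""
5528 2020-05-22 19:16:25.197 debug3: spawning "C:\Program Files\OpenSSH-Win64\sshd.exe" -y
5528 2020-05-22 19:16:25.197 debug2: Network child is on pid 8040
5528 2020-05-22 19:16:25.213 debug3: send_rexec_state: done
5528 2020-05-22 19:16:25.213 debug3: preauth child monitor started
8040 2020-05-22 19:17:33.590 debug3: recv_idexch_state: entering fd = 3
8040 2020-05-22 19:17:33.590 debug2: fd 5 setting O_NONBLOCK
5528 2020-05-22 19:17:33.590 debug1: SSH2_MSG_KEXINIT sent [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>\w+): (?P<msg>.*)$"
)

def parse_sshd_log(text):
    """Return (timestamp, pid, message) tuples in file order; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, int(m["pid"]), m["msg"]))
    return events

def find_stalls(events, threshold_s=1.0):
    """Gaps of at least threshold_s seconds between consecutive lines, longest first."""
    stalls = []
    for (t0, pid0, msg0), (t1, pid1, msg1) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if gap >= threshold_s:
            stalls.append({"seconds": gap, "before": (pid0, msg0), "after": (pid1, msg1)})
    return sorted(stalls, key=lambda s: s["seconds"], reverse=True)

if __name__ == "__main__":
    for s in find_stalls(parse_sshd_log(SAMPLE_LOG)):
        print(f'{s["seconds"]:.3f}s between pid {s["before"][0]} "{s["before"][1]}" '
              f'and pid {s["after"][0]} "{s["after"][1]}"')
```

On this excerpt the only gap sits between the monitor process (pid 5528) logging "preauth child monitor started" and the first line written by the network child (pid 8040).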



#StackBounty: #active-directory #windows-server-2008-r2 #kerberos #spn setspn does not affect Active Directory Users

Bounty: 50

I run the setspn command for a specific user on a Domain Controller.

C:\>setspn -s example/username.companyname.com username
Checking domain DC=companyname,DC=com

Registering ServiceprincipalNames for CN=username,CN=Users,DC=companyname,DC=com
        example/username.companyname.com
Updated object

And I can immediately see the result in the console.

C:\>setspn -L username
Registering ServiceprincipalNames for CN=username,CN=Users,DC=companyname,DC=com
        example/username.companyname.com

But it never affects this user in “Active Directory Users and Computers”.

His attribute “servicePrincipalName” is not set.

Maybe there is some kind of cache?

