NT4.0 Migration to Windows 2003: DCOM Compatibility Evaluator

崬城衞

1.1        DCOM Compatibility Evaluator
Overview
Windows DCOM Compatibility Evaluator is a command-line tool that detects attributes of DCOM-enabled applications that may potentially be blocked by changes introduced in Windows XP with Service Pack 2.  This tool is designed to be deployed to multiple computers within a corporation and the logs created are then viewed using Microsoft Application Analyzer.  The Application Analyzer database provides you with guidance detailing how to mitigate any issues that have been identified.
SECURITY NOTE: Log files contain sensitive data.  For more information on how to protect your log file data, see the help file on DCOM Logging.
1.1.1           Supported Environments
The DCOM Compatibility Evaluator is supported on the following operating systems:
·         Windows 2000 Professional
·         Windows 2000 Server
·         Windows XP Professional
·         Windows Server 2003
1.1.2           Deploying DCOM Compatibility Evaluator
　　Windows DCOM Compatibility Evaluator is an executable (.exe) file that runs as a console application.  Like Collector, it writes information about applications to a log file.  It can be deployed using the same methods used to deploy Collector.  For more information see Deploying Collector.
NOTE: Before DCOM Compatibility Evaluator sends its results to a network share, it will run Collector and send Collector log files to the share first.
1.1.3           DCOM Event Logs
If the Windows DCOM Compatibility Evaluator encounters a problem, it will exit with an error code and write an event to the computer's Application event log.  
To view error messages for the Windows DCOM Compatibility Evaluator using Event Viewer:

• Click Start, right-click My Computer, and then click Manage.  
  
• Under System Tools, expand Event Viewer.  
  
• In the right pane, double-click Applications.  
  

All error messages for DCOM Compatibility Evaluator will have a Source of MWACT.

• Double-click the error to view details.  
  

The following error codes are recorded in the DCOM Compatibility Evaluator event logs:

Error Message	Additional Information
Failed to get inventory component interface pointers.	The DCOM Compatibility Evaluator was unable to establish a connection to the Collector component.
Inventory component failed.	Collector component failed.
Failed to get XML produced by inventory component.	Failed to get XML from Collector component.
Failed to save log file.	Failed to save issue log.
Cannot find the specified path.	User-specified "/o" output folder does not exist.
Failed to get XML containing tool options.	Get options formatted in XML.
Failed to create output file.	Failed to create the issue log file.
Failed to assign inventory component properties.	Failed to assign Collector component properties.
Error reading from registry.	Unspecified error reading from the registry.
Memory allocation error.	Unspecified memory allocation error.

3.9.4   DCOM Options
Windows DCOM Compatibility Evaluator looks for switch settings in the configuration file and the argument string passed to it when it is called.  It exits if there are any invalid command line settings.  Switch settings in the argument string take precedence over settings in the configuration file.
3.9.5   DCOM Command Line Options
The following command line options are available for DCOM Compatibility Evaluator:

Option	Description
/o	Output path.  Specifies a directory to save the log, typically a network share on your intranet.  If no output path is specified, the log will output to the desktop of the current user.
/f	Filename.  Specifies a name for the log file.  If no filename is provided, the file will be named COMPUTERNAME.ISSUE.{GUID}.cab.  (The string ISSUE is appended after COMPUTERNAME to differentiate these log files from Collector logs.) Typically the output file name option is used only by testers who must have recognizable file names.
/q	This option specifies that when DCOM Compatibility Evaluator is run, the console window that it is hosted in will be hidden.
/i	Input filename.  Specifies the name of a configuration file to run.

NOTE: Since DCOM Compatibility Evaluator does not run as a service, it does not have all of the options that Windows Firewall Compatibility Evaluator has.
The following is an example command line:
dcomce.exe /o \\servername\collector\logs
The following is an example of a log file name generated by DCOM Compatibility Evaluator:
salescomputer1.ISSUE.{A445FF37-0BD5-4CAF-8848-73499A41CBB0}.cab
3.9.6   Using Configuration (.ini) Files
Although Collector and the Compatibility Evaluators have different .ini file formats, it is possible (and recommended) to use a single .ini file for all three.  Using a single .ini file reduces the possibility of data loss from occurring in your Analyzer database.  
For example: When DCOM Compatibility Evaluator is run, Collect.exe is automatically called.  When this Collector log is merged into Analyzer database, it will overwrite any data that was merged from a previous Collector log.  If Collector was previously run with a custom value set to gather the department name, the department name information will be lost from your Analyzer reports when the DCOM Compatibility Evaluator issue log (and its new Collect.exe log) is merged into the database.  However, if DCOM calls Collector with the same .ini file used for Collecor, and that file contains the settings that specify department name should be gathered, then this data loss will not occur.
The following is an example configuration file (.ini) for DCOM Compatibility Evaluator:
[dcomce.exe]
CommandLine=/O c:\temp
See the Collector Options help topic for more information on configuration files.  
3.9.7   DCOM Logging
After Windows DCOM Compatibility Evaluator has run, any potential issues found are documented in an issue log.  This log is compressed into a .cab file and sent to the location specified in your command-line arguments.  The log contains file data that can be used in Microsoft Application Analyzer to link detailed information about different compatibility issues with the specific applications that are potentially affected.  The information includes instructions for mitigating the issues.
The following are some DCOM issues that may be detected:
·         A COM interface is configured with launch permissions set either to deny all or to allow none.  Typically, this COM interface is used for call-back only.  After installing the service pack, activation will have the same permissions as launch and will be blocked.  Any COM interface that was intended to allow activation but not launch will be blocked after the service pack is installed.  
·         A COM interface is configured with launch permissions set to allow anonymous launch.  This is blocked after the service pack is installed.  
3.9.8   Security Considerations
The log files created by DCOM Compatibility Evaluator contain sensitive data, such as DCOM interface security settings.  Because the DCOM Compatibility Evaluator is often configured to send the logs to a netwark share, it is important to know that these logs are in clear text and could be read by network sniffing tools.
One way to protect your data is to secure the network connections (for example, using IPSec) from the client computers where the DCOM Compatibility Evaluator is run to the share that it copies logs to, and also from the share to the computer that Merger is running on.  For more information on IPSec, follow this link and read the article: What is IPSec?.
Alternatively, you can reduce the exposure of your sensitive data by having the DCOM Compatibility Evaluator write the logs locally, and employ a systems management application that uses encryption (such as SMS) to copy the files from the client computers.  In this case, you would still need to secure the connection from Merger to the share containing the files copied by SMS.
3.9.9   DCOM FAQ
Q   Can the Windows DCOM Compatibility Evaluator detect all DCOM-enabled application issues?   
A   No.  The DCOM Compatibility Evaluator can only detect issues that can be inferred from COM-interface launch permissions settings.  It cannot detect runtime issues, such as when an application is being remotely called anonymously, or when an application is being remotely activated and/or launched by a non-administrator.  
Q   What can I do to detect these other types of issues?
A   To detect run-time issues you must install Service Pack 2 and then turn on logging and evaluate the results.  
Q   Should I deploy this tool in a lab setting or in my production environment?
A   The DCOM Compatibility Evaluator is designed for use in a production environment where it can detect and log potential issues in DCOM-enabled applications.