Friday, August 15, 2014

Adobe Reader XI Freezes

Yesterday out of the blue 2 users call me complaining that when they open Adobe Reader 11.0.7 it freezes after 5 seconds and then goes to "not responding". 

Looking in eventvwr you see:
Log Name:      Application
Event ID:      1002
Level:         Error
The program AcroRd32.exe version stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 Application Path: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe

This would occur regardless of if I just opened Reader without a document, or with a document.  I quickly found that if I unplugged the network cord and then opened it then it wouldn't crash.  So clearly it was attempting to find something on the network, likely a recent item.

I tried a number of fixes, but in the end blasting the users Adobe settings is what fixed it for me
  1. open regedit
  2. Navigate to HKCU/Software/Adobe  (ensure you are under Current User key!!)
  3. Delete the whole blasted Adobe key and subkeys.
Of course the best fix is to give Adobe the boot and use an alternative, but as many of us know that isn't always a valid option.


Tuesday, August 5, 2014

Exchange 2010 Search and Restore deleted email

Story goes something like this...  (we'll use a fictitious name of Mary Lost to protect the innocent here)
Mary: "I never got super important email".
Me: "Are you sure they sent it?"
Mary: "Definitely"
Me: Type the send or subject in the search and click "all outlook items"
Mary: "Can't, I never got it at all"
Me: "Okay, let me see what I can find, who sent it"

And so my quest began to find the "missing" email that was never received but definitely had been sent.

To start I do the simple search the users mailbox.  Attach mailbox, search, nothing...

Now we can look to see if the system ever received it.  In my case we use MXLogic (now McAfee) so to start with I could run a message audit at that level.  Yep, mxlogic shows it being delivered to the Exchange server.  Don't use MXLogic?  No problem, just go straight to the Exchange server to look.
Check Exchange for receipt:
  1. Open the EMC
  2. Toolbox
  3. Tracking Log Explorer
  4. Enter recipient, Subject, dates and look for the email.
  5. Note: I found it best to do this from the Exchange server itself.  Otherwise you have to properly populate the "server" field, and even then I got mixed results.
Once you've found the message you can see the EventID which will likely be "RECEIVE".  If you can't find it here then likely the message was never sent.

Great, now I KNOW it was delivered, perhaps it was deleted?  After some research I found that it may not be easy to tell if it was deleted, etc unless audit logging is turned on before hand.  Bleh, we don't need to know that bad.  But can we restore it...?  That's what is really important here. 

So we know:
  1. It was delivered to the mailbox
  2. It's no longer there
  3. Thus it was likely deleted
  4. Since it's not in the deleted items folder, it was either SHIFT Deleted or also deleted from deleted items or the computer monster ate it. 
  5. All that really matters is it's gone and we want it back.

Fire up the EMS (powershell)!
In this case I'm going to search Mary Lost's mailbox for the SearchQuery string (subject, from, etc) and then give it a TargetMailbox that is my mailbox so that when it's restored it goes into my email instead under a TargetFolder named "recovery".  (Targetfolder will be autocreated if it doesn't already exist)

Search-Mailbox mlost -TargetMailbox Me -TargetFolder "Recovery" -SearchQuery "" -LogLevel Full

Now Mary's missing email is in my mailbox under a folder called "Recovery".  Copy it back to her inbox and all done :)