Wednesday, 19 November 2014

SQL Server 2008 R2 Express bad performance

SQL Server 2008 R2 suffers from very bad performance if there are lots of logon requests. The symptom is that LSASS.exe will eat up to 100% of one core, blocking the system.

The main reason for this is that Microsoft increased security in SQL Server 2008 and is using the PBKDF2 hash for password hashes and validation. This is very good, and it is the recommended hash to use for passwords. This hash is, by design, very slow to calculate, and it is even recommended to calculate it many times on its own output. This makes it very difficult for hackers to crack a password given a hash.

Microsoft has a hotfix that is supposed to help with the performance, but it did not matter much for me.

I was using a 3rd party app that gave me these performance issues, and caused LSASS.EXE to be the system bottleneck.

There are three obvious solutions, and only the first will be an option for most people. Since extended support for SQL 2005 ends in April 2016, it is only a time-limited solution, until the app vendor fixes their issues.

  1. Switch back to SQL Server 2005 Express. This solved the issue completely for me, and now the other processes can use all the cores, not being blocked waiting for SQL Authentication.
  2. Do as Microsoft has recommended for more than 10 years: switch to Windows integrated authentication. The problem is that many apps do not support that.
  3. If you own the source code of the app, recode it to keep a connection pool, and reuse SQL connections to minimize the number of logons. We can only expect logons to become more expensive.
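
To illustrate option 3, here is an added example (not from the original post and not SQL Server or vendor code): a toy server that runs PBKDF2 on every logon, with and without a small connection pool. `ToyServer`, `Pool`, the function names and the iteration count are hypothetical stand-ins.

```python
import hashlib, hmac, os

ITERATIONS = 20_000  # constructed value for the demo, not SQL Server's setting

class ToyServer:
    """Hypothetical stand-in for a server that runs PBKDF2 on every logon."""
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.stored = self._derive(password)
        self.logons = 0          # counts how often the expensive check ran

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, ITERATIONS)

    def logon(self, password):
        self.logons += 1
        if not hmac.compare_digest(self._derive(password), self.stored):
            raise PermissionError("login failed")
        return Connection()

class Connection:
    def query(self, sql):
        return "ok: " + sql      # a real driver would send the statement here

class Pool:
    """Keeps authenticated connections open so later requests skip the logon."""
    def __init__(self, server, password, max_idle=2):
        self.server, self.password, self.max_idle = server, password, max_idle
        self.idle = []

    def acquire(self):
        return self.idle.pop() if self.idle else self.server.logon(self.password)

    def release(self, conn):
        if len(self.idle) < self.max_idle:
            self.idle.append(conn)

def logons_without_pool(server, password, requests):
    for i in range(requests):
        server.logon(password).query("SELECT %d" % i)   # new logon per request
    return server.logons

def logons_with_pool(server, password, requests):
    pool = Pool(server, password)
    for i in range(requests):
        conn = pool.acquire()
        try:
            conn.query("SELECT %d" % i)
        finally:
            pool.release(conn)
    return server.logons
```

With sequential requests the pooled variant pays the key-derivation cost once, while the unpooled variant pays it on every request.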

Tuesday, 11 November 2014

Converting MKV to m4v for iTunes on Linux

Often when looking for video, you might find MKV files on the Internet. Getting these into a format usable in iTunes / AppleTV can be a time-consuming process, especially if you consider using HandBrake to convert the file.

Often you can use simple tools in Linux to convert the file from an MKV container to an MPEG-4 container, without actually reencoding the video. Often you would just need to ensure that there is a 2-channel AAC sound track.

When you get the MKV file, the first step is to see what is inside the file. For this we use mkvinfo:

mkvinfo myfile.mkv

and you will get track information about the contents:
|+ Segment tracks
| + A track
|  + Track number: 1 (track ID for mkvmerge & mkvextract: 0)
|  + Track UID: 12345
|  + Track type: video
|  + Lacing flag: 0
|  + MinCache: 1
|  + Codec ID: V_MPEG4/ISO/AVC
|  + CodecPrivate, length 42 (h.264 profile: High @L4.1)
|  + Default duration: 41.708ms (23.976 frames/fields per second for a video track)
|  + Language: swe
|  + Name: A Good Movie
|  + Video track
|   + Pixel width: 1920
|   + Pixel height: 816
|   + Display width: 1920
|   + Display height: 816
| + A track
|  + Track number: 4 (track ID for mkvmerge & mkvextract: 3)
|  + Track UID: 16248958973911107725
|  + Track type: audio
|  + Default flag: 0
|  + Codec ID: A_DTS
|  + Default duration: 10.667ms (93.750 frames/fields per second for a video track)
|  + Language: dan
|  + Name: DTS
|  + Audio track
|   + Sampling frequency: 48000
|   + Channels: 6

Here we can see, that it is a movie already encoded in H.264 High Profile Level 4.1. AppleTV 3 only supports High Profile Level 4.0 or lower. Don't worry. My AppleTV 3 played the above stream without any trouble, so it might have been compressed in 4.0 anyway. iPhone 4S / iPad 2 supports High @L4.1. If there is any trouble with the video, or the video is too large (like 5GB/hour), you can recompress using Handbrake from https://handbrake.fr/. It runs on Linux, Windows and Mac, and has good defaults.

We also have to look for the sound track, and here we find a Danish soundtrack as track 4 (3 for mkvextract), in DTS format only.

DTS is not supported by AppleTV, so we need to convert that to the needed 2 channel AAC, plus we can convert it to AC3 for better surround. Other videos you find will already have AC3, and you will not need to convert the streams, just extract them.

First we need to extract the tracks we need:

mkvextract tracks myfile.mkv 0:video.h264 3:audio.dts

which extracts stream 0 in video.h264 and stream 3 in audio.dts.

Now we need to convert the sound tracks. This is a lossy operation, and it takes time:

avconv -i audio.dts -acodec ac3 -ac 6 -ab 640k audio.ac3 # can be skipped if already ac3
avconv -strict experimental -i audio.dts -dmix_mode 1 -ac 2 -b:a 160k -strict experimental audio.aac

The second line should use Dolby Surround mode for the downmix.

If you found chapter markers you would like to keep, you can extract them like this:
mkvextract chapters -s myfile.mkv >chapters.txt

Now that we have all the streams we need, we can assemble (called mux) them into an MPEG-4 container.

This is done by MP4Box. Please use the FPS from the mkvinfo output, as MP4Box defaults to 25 FPS, and this would give video/audio out of sync.

MP4Box -fps 23.976 -add video.h264 -add "audio.aac:lang=dan" -add "audio.ac3:lang=dan" -chap "chapters.txt" myfile.m4v

If you want to add subtitles for use with Apple devices, just add them like this (the hdlr option is important):

MP4Box -add myfile.srt:lang=eng:hdlr="sbtl:tx3g" myfile.m4v

And now you are done. Remember, with MP4Box you can always add missing tracks later.

If you have an MKV and want to add subtitles to that, you need to create a new file with the tracks added, so it does not really merge:

mkvmerge  -o Subbed-Movie.mkv Unsubbed-movie.mkv --sub-charset 0:UTF8  --language 0:dan --track-name 0:Dansk Mysubtitles-utf8.srt

SSH connection thru your router

I have a router at home, running OpenWRT, and with SSH enabled (only with ssh-keys, no password authentication). Sometimes I want to connect to a server on the inside of the OpenWRT from the outside, to get a file or something, but I do not want to publish the inside server on the internet to minimize the risk.

This is easily done using SSH tunnelling.

So at work, or elsewhere I can just run

ssh -L 2222:insidehost:22 user@openWRT-public-ip

This opens an ssh connection to the OpenWRT router and also sets up a forwarding port. So now I can open another window (I use CygWin) and do

ssh insideuser@localhost -p 2222

Or, to copy files:

scp -P 2222 insideuser@localhost:/path/to/file .

So basically I have access to copy files across the Internet to/from a server hidden behind a firewall. Be aware that scp uses uppercase -P to specify the port number, whereas ssh uses lowercase.

The same method can be used to access internal web servers behind openWRT. If the internal server expects a hostname, you would also need to modify the local hosts file to point your internal servername to

You can also use this method to access external hosts, tunnelling through your home router. Just use an external hostname instead of insidehost in the first ssh statement. So if you can't access http://whatever.com:8888 due to company blocking non-standard ports, you can do

ssh -L 8888:whatever.com:8888 user@openWRT-public-ip

and then add whatever.com to your local hosts file, pointing to But this will kill access to port 80/443 on the same server, unless you set those up as well. This would conflict with a local webserver.

I more often use this on Windows:
ssh -L 22:internalserver.local:22 user@openWRT-public-ip

This allows me to scp files to internaluser@localhost:/dir

If working with SOCKS aware apps, you can also set up a SOCKS proxy that tunnels all traffic to the remote openWRT. This is done by

ssh -D 1080 user@openWRT

which creates a listening SOCKS proxy at port 1080, the default SOCKS proxy port.

Security info

The listening port created by ssh is only on the loopback interface, i.e., and can't be used from outside your machine.
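
A way to check this on Linux, as an added example that is not part of the original post: the code parses `ss -ltnH` output and lists forwarded ports bound to anything other than loopback, which is what you get if `ssh -g` or `GatewayPorts yes` is in effect. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (Linux, iproute2); not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 [::1]:2222 [::]:*
LISTEN 0 128 0.0.0.0:8888 0.0.0.0:*
LISTEN 0 128 *:1080 *:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (host, port) for every listening TCP socket in the text."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        # Drop a %iface scope first, then the IPv6 brackets.
        host = host.split("%")[0].strip("[]")
        yield host, int(port)

def is_loopback(host):
    if host == "*":              # wildcard: listening on every interface
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_forwards(ss_output, forward_ports):
    """Return (host, port) pairs for forwards reachable from other machines."""
    return sorted({(h, p) for h, p in parse_listeners(ss_output)
                   if p in forward_ports and not is_loopback(h)})

if __name__ == "__main__":
    # Ports used by the -L and -D examples in this post.
    for host, port in exposed_forwards(SAMPLE_SS, {2222, 8888, 1080}):
        print("forward on port %d is bound to %s, not loopback" % (port, host))
```

Writing the bind address explicitly, as in `ssh -L 127.0.0.1:2222:insidehost:22 user@openWRT-public-ip`, keeps the forward on loopback regardless of the client's `GatewayPorts` setting.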