NetSH collection commands
- Create the content below in a single Notepad file named start-auth.txt.
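REM start-auth.bat: switch on authentication and crypto diagnostic tracing.
REM Run from an elevated (Run as administrator) command prompt in the folder
REM that should receive the output; everything is written below .\logs.
REM stop-auth.bat stops every session started here, deletes the registry
REM switches set here and collects the resulting files.
REM
REM What gets captured is sensitive: Kerberos, NTLM, CredSSP, DPAPI and SSL
REM package traces, a packet capture, and the lsass.log and netlogon.log
REM that the LogToFile and nltest switches below turn on. Restrict who can
REM read .\logs, share it over a protected channel only, and delete it once
REM the analysis is finished.

REM Trace level masks for the per-package sessions below. The NegoExts and
REM Pku2u values are also written to the registry further down.
set KerbDebugFlags=0x7ffffff
set KdcDebugFlags=0x23083
set KpsDebugFlags=0xff
set NtlmDebugFlags=0x15003
set NegoExtsDebugFlags=0xFFFF
set Pku2uDebugFlags=0xFFFF
set SslDebugFlags=0x0000FDFF
set DigestDebugFlags=0x000003FF
set CredsspDebugFlags=0x0000FFFF
set DpapiSrvDebugFlags=0xFF
set WebAuthDebugFlags=0xFFFF
set IdstoreDebugFlags=0x2FF
set IdcommonDebugFlags=0x2FF
set LivesspDebugFlags=0x3FF
set WlidsvcDebugFlags=0x7
set IdlistenDebugFlags=0x7FFFFFFF
set BaseCspDebugFlags=0xFFFFFFFF
set VaultDebugFlags=0xFFF
set BcryptDebugFlags=0xFFFFFFFF
set NcryptDebugFlags=0xFFFFFFFF
set CryptspDebugFlags=0xFFFFFFFF
set WinHttpDebugFlags=0x7FFFFF
set WininetDebugFlags=0x7FFFFF
set CloudAPFlags=0xfff
set HttpSysDebugFlags=0xFFFFFFFF

REM Fresh output directory: create it only when missing (avoids the error
REM mkdir prints for an existing folder) and discard output of a previous
REM run. The del is limited to .\logs.
if not exist .\logs mkdir .\logs
del /f /q .\logs\*.*

REM LSA core sessions and the shared Kerberos and NTLM providers (fixed masks).
logman.exe start LsaTrace -p {D0B639E0-E650-4D1D-8F39-1580ADE72784} 0x40141F -o .\logs\LsaTrace_%computername%.etl -ets
logman.exe start LsaAudit -p {DAA76F6A-2D11-4399-A646-1D62B7380F15} 0xffffff -o .\logs\LsaAudit_%computername%.etl -ets
logman.exe start LsaDs -p {169EC169-5B77-4A3E-9DB6-441799D5CACB} 0xffffff -o .\logs\LsaDs_%computername%.etl -ets
logman.exe start KerbComm -p {60A7AB7A-BC57-43E9-B78A-A1D516577AE3} 0xffffff -o .\logs\KerbComm_%computername%.etl -ets
logman.exe start KerbClientShared -p {FACB33C4-4513-4C38-AD1E-57C1F6828FC0} 0xffffffff -o .\logs\KerbClientShared_%computername%.etl -ets
logman.exe start NtlmShared -p {AC69AE5B-5B21-405F-8266-4424944A43E9} 0xffffffff -o .\logs\NtlmShared_%computername%.etl -ets
logman.exe start LsaIso -p {366B218A-A5AA-4096-8131-0BDAFCC90E93} 0xffffffff -o .\logs\LsaIso_%computername%.etl -ets

REM Per-package authentication providers, masks taken from the variables above.
logman.exe start kerb -p {6B510852-3583-4e2d-AFFE-A67F9F223438} %KerbDebugFlags% -o .\logs\kerb_%computername%.etl -ets
logman.exe start kdc -p {1BBA8B19-7F31-43c0-9643-6E911F79A06B} %KdcDebugFlags% -o .\logs\kdc_%computername%.etl -ets
logman.exe start kps -p {97A38277-13C0-4394-A0B2-2A70B465D64F} %KpsDebugFlags% -o .\logs\kps_%computername%.etl -ets
logman.exe start ntlm -p {5BBB6C18-AA45-49b1-A15F-085F7ED0AA90} %NtlmDebugFlags% -o .\logs\ntlm_%computername%.etl -ets
logman.exe start negoexts -p {5AF52B0D-E633-4ead-828A-4B85B8DAAC2B} %NegoExtsDebugFlags% -o .\logs\negoexts_%computername%.etl -ets
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NegoExtender\Parameters /v InfoLevel /t REG_DWORD /d %NegoExtsDebugFlags% /f
logman.exe start pku2u -p {2A6FAF47-5449-4805-89A3-A504F3E221A6} %Pku2uDebugFlags% -o .\logs\pku2u_%computername%.etl -ets
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Pku2u\Parameters /v InfoLevel /t REG_DWORD /d %Pku2uDebugFlags% /f
logman.exe start ssl -p {37D2C3CD-C5D4-4587-8531-4696C44244C8} %SslDebugFlags% -o .\logs\ssl_%computername%.etl -ets
logman.exe start digest -p {FB6A424F-B5D6-4329-B9B5-A975B3A93EAD} %DigestDebugFlags% -o .\logs\digest_%computername%.etl -ets
logman.exe start credssp -p {6165F3E2-AE38-45D4-9B23-6B4818758BD9} %CredsspDebugFlags% -o .\logs\credssp_%computername%.etl -ets

REM LSA text logging (SPMInfoLevel, LogToFile, NegEventMask) and Netlogon
REM debug logging. These are persistent settings: they stay in effect until
REM stop-auth.bat deletes them and copies lsass.log and netlogon.log.
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /t REG_DWORD /d 0x40141F /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /t REG_DWORD /d 0xF /f
nltest /dbflag:0x2000FFFF

REM DPAPI, identity, vault and crypto providers.
logman.exe start dpapis -p {EA3F84FC-03BB-540e-B6AA-9664F81A31FB} %DpapiSrvDebugFlags% -o .\logs\dpapis_%computername%.etl -ets
logman.exe start idstore -p {82c7d3df-434d-44fc-a7cc-453a8075144e} %IdstoreDebugFlags% -o .\logs\idstore_%computername%.etl -ets
logman.exe start idcommon -p {B1108F75-3252-4b66-9239-80FD47E06494} %IdcommonDebugFlags% -o .\logs\idcommon_%computername%.etl -ets
logman.exe start livessp -p {C10B942D-AE1B-4786-BC66-052E5B4BE40E} %LivesspDebugFlags% 5 -o .\logs\livessp_%computername%.etl -ets
logman.exe start wlidsvc -p {3F8B9EF5-BBD2-4C81-B6C9-DA3CDB72D3C5} %WlidsvcDebugFlags% 5 -o .\logs\wlidsvc_%computername%.etl -ets
logman.exe start idlisten -p {D93FE84A-795E-4608-80EC-CE29A96C8658} %IdlistenDebugFlags% -o .\logs\idlisten_%computername%.etl -ets
logman.exe start basecsp -p {133A980D-035D-4E2D-B250-94577AD8FCED} %BaseCspDebugFlags% -o .\logs\basecsp_%computername%.etl -ets
logman.exe start vault -p {7FDD167C-79E5-4403-8C84-B7C0BB9923A1} %VaultDebugFlags% -o .\logs\vault_%computername%.etl -ets
logman.exe start bcrypt -p {A74EFE00-14BE-4ef9-9DA9-1484D5473302} %BcryptDebugFlags% -o .\logs\bcrypt_%computername%.etl -ets
logman.exe start ncrypt -p {A74EFE00-14BE-4ef9-9DA9-1484D5473301} %NcryptDebugFlags% -o .\logs\ncrypt_%computername%.etl -ets
logman.exe start cryptsp -p {A74EFE00-14BE-4ef9-9DA9-1484D5473305} %CryptspDebugFlags% -o .\logs\cryptsp_%computername%.etl -ets

REM Operational event channels that stop-auth.bat exports. The clear-log
REM commands are left commented out so that events already in the channel
REM are retained; uncomment them only if the capture should start empty.
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-CAPI2/Operational
wevtutil.exe set-log Microsoft-Windows-Kerberos/Operational /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Kerberos/Operational
wevtutil.exe set-log Microsoft-Windows-WebAuth/Operational /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-WebAuth/Operational
REM wevtutil.exe clear-log Microsoft-Windows-CertPoleEng/Operational
wevtutil.exe set-log Microsoft-Windows-CertPoleEng/Operational /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-IdCtrls/Operational
wevtutil.exe set-log Microsoft-Windows-IdCtrls/Operational /enabled:true
REM wevtutil.exe clear-log "Microsoft-Windows-User Control Panel"/Operational
wevtutil.exe set-log "Microsoft-Windows-User Control Panel"/Operational /enabled:true
wevtutil.exe set-log Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
wevtutil.exe set-log Microsoft-Windows-Authentication/ProtectedUser-Client /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Authentication/ProtectedUser-Client
wevtutil.exe set-log Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
wevtutil.exe set-log Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController

REM Web authentication, HTTP stack, CloudAP and aad providers.
logman.exe start webplatform -p {2A3C6602-411E-4DC6-B138-EA19D64F5BBA} %WebAuthDebugFlags% 5 -o .\logs\webplatform_%computername%.etl -ets
logman.exe start webauth -p {EF98103D-8D3A-4BEF-9DF2-2156563E64FA} %WebAuthDebugFlags% 5 -o .\logs\webauth_%computername%.etl -ets
logman.exe start winhttp -p {B3A7698A-0C45-44DA-B73D-E181C9B5C8E6} %WinHttpDebugFlags% 5 -o .\logs\winhttp_%computername%.etl -ets
logman.exe start wininet -p {4E749B6A-667D-4c72-80EF-373EE3246B08} %WininetDebugFlags% 5 -o .\logs\wininet_%computername%.etl -ets
logman.exe start httpsys -p {20F61733-57F1-4127-9F48-4AB7A9308AE2} %HttpSysDebugFlags% 5 -o .\logs\httpsys_%computername%.etl -ets
logman.exe start cloudap -p {EC3CA551-21E9-47D0-9742-1195429831BB} %CloudAPFlags% -o .\logs\cloudAP_%computername%.etl -ets
logman.exe start aad -p {4DE9BC9C-B27A-43C9-8994-0915F1A5E24F} 0xffffff -o .\logs\aad_%computername%.etl -ets

REM Network side: WFP diagnostic capture and a netsh packet trace.
REM NOTE(review): netsh trace runs a single session at a time. If a second,
REM boot-persistent netsh trace is started after this script, one of the two
REM start commands is expected to be refused; confirm which capture is wanted.
netsh wfp capture start file=.\logs\wfpdiag_%computername%.cab
netsh trace start traceFile=.\logs\netmon_%computername%.etl capture=yes maxsize=2048 overwrite=yes

REM Start the repro from a clean state: drop cached DNS entries and the
REM current Kerberos tickets. Running this once is sufficient.
ipconfig /flushdns
klist purge

REM pre-blue LSA tracing: same values as the active reg add lines above,
REM kept here for reference.
rem reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /t REG_DWORD /d 0x40141F /f
rem reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /t REG_DWORD /d 1 /f
rem reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /t REG_DWORD /d 0xF /f

REM Process and service snapshot at the start of the capture.
tasklist /svc > .\logs\start-tasklist_%computername%.txt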
______________________________________________________________________________
- Create the content below in a single Notepad file named stop-auth.txt.
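REM stop-auth.bat: stop everything start-auth.bat switched on, undo its
REM registry and nltest changes and snapshot the system state into .\logs.
REM Run in an elevated command prompt from the same folder as start-auth.bat.
REM
REM The result is sensitive: package traces, the exported Security and
REM operational event logs, lsass.log, netlogon.log, certificate store
REM listings, the stored credential list (cmdkey) and the environment block
REM (set). Restrict access to .\logs and delete it once analysis is done.

REM Stop the ETW sessions; each name matches a start line in start-auth.bat.
logman.exe stop KerbClientShared -ets
logman.exe stop NtlmShared -ets
logman.exe stop LsaIso -ets
logman.exe stop LsaTrace -ets
logman.exe stop LsaAudit -ets
logman.exe stop LsaDs -ets
logman.exe stop KerbComm -ets
logman.exe stop kerb -ets
logman.exe stop kdc -ets
logman.exe stop kps -ets
logman.exe stop ntlm -ets
logman.exe stop negoexts -ets
reg delete HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NegoExtender\Parameters /v InfoLevel /f
logman.exe stop pku2u -ets
reg delete HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Pku2u\Parameters /v InfoLevel /f
logman.exe stop ssl -ets
logman.exe stop digest -ets
logman.exe stop credssp -ets

REM Remove the persistent LSA logging switches and reset the Netlogon debug
REM flag so verbose logging does not remain enabled after the capture.
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /f
nltest /dbflag:0x0

logman.exe stop dpapis -ets
logman.exe stop idstore -ets
logman.exe stop idcommon -ets
logman.exe stop livessp -ets
logman.exe stop wlidsvc -ets
logman.exe stop idlisten -ets
logman.exe stop basecsp -ets
logman.exe stop vault -ets
logman.exe stop bcrypt -ets
logman.exe stop ncrypt -ets
logman.exe stop cryptsp -ets

REM Disable the operational channels enabled by start-auth.bat and export
REM each one. File names follow the channel_computername.evtx pattern.
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-CAPI2/Operational .\logs\capi2_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-Kerberos/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-Kerberos/Operational .\logs\kerb_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-WebAuth/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-WebAuth/Operational .\logs\webauth_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-CertPoleEng/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-CertPoleEng/Operational .\logs\certpoleng_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-IdCtrls/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-IdCtrls/Operational .\logs\idctrls_%computername%.evtx /overwrite:true
wevtutil.exe set-log "Microsoft-Windows-User Control Panel"/Operational /enabled:false
wevtutil.exe export-log "Microsoft-Windows-User Control Panel"/Operational .\logs\usercontrolpanel_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController /enabled:false
wevtutil.exe export-log Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController .\logs\AP_Fail_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-Authentication/ProtectedUser-Client /enabled:false
wevtutil.exe export-log Microsoft-Windows-Authentication/ProtectedUser-Client .\logs\PU_Client_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController /enabled:false
wevtutil.exe export-log Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController .\logs\PU_Fail_%computername%.evtx /overwrite:true
wevtutil.exe set-log Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController /enabled:false
wevtutil.exe export-log Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController .\logs\PU_Success_%computername%.evtx /overwrite:true

logman.exe stop webplatform -ets
logman.exe stop webauth -ets
logman.exe stop winhttp -ets
logman.exe stop wininet -ets
logman.exe stop httpsys -ets
logman.exe stop cloudap -ets
logman.exe stop aad -ets

REM Stop the network captures started by start-auth.bat.
netsh wfp capture stop
netsh trace stop

REM System state for the analyst: certificate stores, stored credentials,
REM Kerberos tickets, processes, network configuration, installed updates.
certutil.exe -silent -store my > .\logs\machine-store_%computername%.txt
certutil.exe -silent -user -store my > .\logs\user-store_%computername%.txt
certutil.exe -v -silent -store "Homegroup Machine Certificates" > .\logs\homegroup-machine-store_%computername%.txt
cmdkey.exe /list > .\logs\credman_%computername%.txt
klist.exe > .\logs\klist_%computername%.txt
tasklist /svc > .\logs\Stop-tasklist_%computername%.txt
ipconfig /all > .\logs\ipconfig_%computername%.txt
net config rdr > .\logs\MachineName_%computername%.txt
wmic qfe list > .\logs\Hotfix_%computername%.txt

REM Classic event logs. Exporting the Security log requires elevation.
wevtutil epl system .\logs\system_%computername%.evtx
wevtutil epl security .\logs\security_%computername%.evtx
wevtutil epl Application .\logs\application_%computername%.evtx

REM Text logs written while LogToFile and the nltest debug flag were set.
copy /y %windir%\debug\netlogon.log .\logs
copy /y %windir%\system32\lsass.log .\logs
copy /y %windir%\debug\netsetup.log .\logs

REM Identity store configuration and the environment block.
reg query "HKLM\Software\Microsoft\IdentityStore" /s > .\logs\idstore_config_%computername%.txt
reg query "HKLM\Software\Microsoft\IdentityCRL" /s >> .\logs\idstore_config_%computername%.txt
reg query "HKEY_USERS\.Default\Software\Microsoft\IdentityCRL" /s >> .\logs\idstore_config_%computername%.txt
set > .\logs\env_%computername%.txt

REM OS build label, followed by the versions of the authentication and
REM crypto binaries appended to the same build file. The pipe through more
REM is kept on purpose (presumably it normalises the wmic output before it is
REM appended to a text file; confirm before removing it).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx > .\logs\build_%computername%.txt
wmic datafile where "name='%SystemDrive%\\Windows\\System32\\kerberos.dll' or name='%SystemDrive%\\Windows\\System32\\kdcsvc.dll' or name='%SystemDrive%\\Windows\\System32\\msv1_0.dll' or name='%SystemDrive%\\Windows\\System32\\negoexts.dll' or name='%SystemDrive%\\Windows\\System32\\pku2u.dll' or name='%SystemDrive%\\Windows\\System32\\schannel.dll' or name='%SystemDrive%\\Windows\\System32\\wdigest.dll' or name='%SystemDrive%\\Windows\\System32\\tspkg.dll' or name='%SystemDrive%\\Windows\\System32\\dpapisrv.dll' or name='%SystemDrive%\\Windows\\System32\\idstore.dll' or name='%SystemDrive%\\Windows\\System32\\livessp.dll' or name='%SystemDrive%\\Windows\\System32\\wlidsvc.dll' or name='%SystemDrive%\\Windows\\System32\\idlisten.dll' or name='%SystemDrive%\\Windows\\System32\\basecsp.dll' or name='%SystemDrive%\\Windows\\System32\\scksp.dll' or name='%SystemDrive%\\Windows\\System32\\vaultsvc.dll' or name='%SystemDrive%\\Windows\\System32\\vault.dll' or name='%SystemDrive%\\Windows\\System32\\bcrypt.dll' or name='%SystemDrive%\\Windows\\System32\\bcryptprimitives.dll' or name='%SystemDrive%\\Windows\\System32\\ncrypt.dll' or name='%SystemDrive%\\Windows\\System32\\ncryptprov.dll' or name='%SystemDrive%\\Windows\\System32\\cryptsp.dll' or name='%SystemDrive%\\Windows\\System32\\rsaenh.dll' or name='%SystemDrive%\\Windows\\System32\\winhttp.dll' or name='%SystemDrive%\\Windows\\System32\\wininet.dll'" get Filename, Version | more >> .\logs\build_%computername%.txt
tzutil /g > .\logs\TimeZone_%computername%.txt

@echo off
echo ===============
echo ACTION REQUIRED
echo ===============
echo Please share .\logs\* for analysis

REM pre-blue LSA tracing stop: same values as the active reg delete lines
REM above, kept here for reference.
rem reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /f
rem reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /f
rem reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /f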
____________________________________________________________________________
- Rename both files so that their extension is .bat.
- Open an elevated command prompt (Run as administrator).
- Run the Start Auth file as a .bat.
- Then run the following commands:
a.
netsh trace start persistent=yes capture=yes tracefile=c:\temp\nettrace-boot.etl
(the path C:\temp is only an example: use your \temp directory if you have one, or choose another location)
b.
ipconfig /flushdns
c.
klist purge
d.
klist -li 0x3e7 purge
- Then reproduce the issue.
- Afterwards, run the following command:
- netsh trace stop
- Finally, run the Stop Auth file as a .bat to stop the tracing.