
Windows Client Log Collector

Active Directory domain ortamına dahil Windows client işletim sistemlerinde kimlik doğrulama sorunlarının tespiti için gerekli logları toplamanızı sağlayan script içeriği. Scriptler yönetici (yükseltilmiş) bir komut isteminden çalıştırılmalıdır; oluşan .\logs klasörü tam ağ yakalaması, lsass/netlogon debug logları, ortam değişkenleri ve Kerberos bilet listeleri gibi hassas veriler içerdiğinden yalnızca güvenilir bir kanal üzerinden paylaşılmalıdır.

Araç 1 : Log toplamanın başlatılması (start-auth.bat)

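@echo off
REM start-auth.bat - start collecting authentication diagnostics on a domain-joined Windows client.
REM Pair with stop-auth.bat, which stops the ETW sessions, reverts the LSA/LSP registry values and
REM the Netlogon debug flag, and gathers the remaining state. Everything is written to .\logs
REM relative to the current directory, so run both scripts from a dedicated working folder
REM (an elevated cmd.exe opens in System32 by default).
REM
REM Everything below (logman -ets, reg add under HKLM, nltest /dbflag, netsh trace, klist -li 0x3e7)
REM needs an elevated token; without it the traces fail and the data set is incomplete.
REM If a previous run was interrupted, run stop-auth.bat first so the named sessions do not
REM already exist when logman tries to start them again.
REM
REM Handle the output with care: netsh trace with capture=yes records all traffic on the host,
REM and the lsass/netlogon debug logs and ticket listings expose account names, hostnames and
REM protocol details. Treat .\logs as sensitive and share it only over a trusted channel.

echo Data collection is for Authentication Scenarios.
echo.
echo Once you have reproduced the issue, please run stop-auth.bat to stop the tracing and collect the required data.
echo Data is collected in the .\logs directory.
echo.

REM Bail out early when not elevated: fltmc fails for a non-administrator caller, and a
REM partial, silently failed collection is worse than none.
fltmc >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated command prompt - right-click cmd.exe and choose Run as administrator.
    exit /b 1
)

REM ETW keyword masks handed to logman for each provider started below.
set KerbDbFlags=0x7ffffff
set KdcDbFlags=0xfffff
set NtlmDbFlags=0x5ffDf
set SslDbFlags=0x4000ffff
set LsatraceDbFlags=0xC03E8F
set LsaDStraceDbFlags=0x200
set KerbCommDbFlags=0xffffff
set KerbClientSharedDbFlags=0xffffffff
set NtlmSharedDbFlags=0xffffffff
set LsaIsoDbFlags=0xffffffff
set VaultDbFlags=0xFFF

REM Start from an empty .\logs; files left over from a previous run are deleted.
if not exist .\logs mkdir .\logs
del /f /q .\logs\*.*

REM **KERB Trace**
logman.exe start kerb -p {6B510852-3583-4e2d-AFFE-A67F9F223438} %KerbDbFlags% -o .\logs\kerb.etl -ets
logman.exe start KerbComm -p {60A7AB7A-BC57-43E9-B78A-A1D516577AE3} %KerbCommDbFlags% -o .\logs\KerbComm.etl -ets
logman.exe start KerbClientShared -p {FACB33C4-4513-4C38-AD1E-57C1F6828FC0} %KerbClientSharedDbFlags% -o .\logs\KerbClientShared.etl -ets

REM **KDC Trace**
logman.exe start kdc -p {1BBA8B19-7F31-43c0-9643-6E911F79A06B} %KdcDbFlags% -o .\logs\kdc.etl -ets

REM **NTLM Trace**
logman.exe start ntlm -p {5BBB6C18-AA45-49b1-A15F-085F7ED0AA90} %NtlmDbFlags% -o .\logs\ntlm.etl -ets
logman.exe start NtlmShared -p {AC69AE5B-5B21-405F-8266-4424944A43E9} %NtlmSharedDbFlags% -o .\logs\NtlmShared.etl -ets

REM **SSL Trace**
logman.exe start ssl -p {37D2C3CD-C5D4-4587-8531-4696C44244C8} %SslDbFlags% -o .\logs\ssl.etl -ets

REM **LSA Trace**
logman.exe start LsaTrace -p {D0B639E0-E650-4D1D-8F39-1580ADE72784} %LsatraceDbFlags% -o .\logs\LsaTrace.etl -ets
logman.exe start LsaDs -p {169EC169-5B77-4A3E-9DB6-441799D5CACB} %LsaDStraceDbFlags% -o .\logs\LsaDs.etl -ets
logman.exe start LsaIso -p {366B218A-A5AA-4096-8131-0BDAFCC90E93} %LsaIsoDbFlags% -o .\logs\LsaIso.etl -ets

REM **Vault**
REM Fixed: the original expanded %VaultDebugFlags%, a variable that is never set, so the
REM keyword mask defined above was not applied to this session.
logman.exe start vault -p {7FDD167C-79E5-4403-8C84-B7C0BB9923A1} %VaultDbFlags% -o .\logs\vault.etl -ets

REM **PRE WIN 10 LSA LOGGING**
REM These values are persistent (they survive a reboot) and are removed by stop-auth.bat;
REM lsass keeps writing its debug log until they are cleared.
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /t REG_DWORD /d 0xC03E8F /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /t REG_DWORD /d 0xF /f

REM **LSP Logging**
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgInfoLevel /t REG_DWORD /d 0x40400800 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgTraceOptions /t REG_DWORD /d 0x1 /f


REM **Netlogon logging**
REM Also persistent; stop-auth.bat resets it with /dbflag:0x0.
nltest /dbflag:0x2EFFFFFF

REM **EVT LOGGING**
REM The CAPI2 log is cleared here so the export in stop-auth.bat only holds this repro.
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /enabled:true
wevtutil.exe clear-log Microsoft-Windows-CAPI2/Operational
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /ms:102400000

REM wevtutil.exe set-log Microsoft-Windows-Kerberos/Operational /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Kerberos/Operational

REM netsh wfp capture start file=.\logs\wfpdiag.cab

REM **Network Trace**
REM capture=yes records every packet on the host (capped at 2048 MB); the resulting
REM netmon.etl is the most sensitive file in .\logs.
netsh trace start traceFile=.\logs\netmon.etl capture=yes maxsize=2048

REM **DsRegcmd Status**
dsregcmd /status > .\logs\DsRegCmdStatus.txt

REM Baseline snapshots, repeated by stop-auth.bat so before/after can be compared.
tasklist /svc > .\logs\start-tasklist.txt
sc query > .\logs\services-config-at-log-start.txt
net start > .\logs\services-started-at-log-start.txt

REM Ticket cache of the current user and of logon session 0x3e7 (SYSTEM, i.e. the computer account).
klist > .\logs\tickets-start.txt
klist -li 0x3e7 > .\logs\ticketscomputer-start.txt

REM Drop cached DNS answers so the repro's name resolution shows up in the network trace.
ipconfig /flushdns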

Araç 2 : Log toplamanın durdurulması (stop-auth.bat)

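@echo off
REM stop-auth.bat - stop the traces started by start-auth.bat, revert the persistent settings
REM (LSA/LSP registry values, Netlogon debug flag, CAPI2 log) and collect the remaining state
REM into .\logs. Run it from the same working directory and the same elevated prompt as
REM start-auth.bat.
REM
REM The registry values and the Netlogon debug flag survive reboots, so if this script is
REM interrupted re-run it (or revert them by hand); otherwise lsass keeps writing debug logs.
REM
REM .\logs ends up holding sensitive material: a full packet capture (netmon.etl), lsass and
REM netlogon debug logs, cached-credential target names (credman.txt), the complete environment
REM block (env.txt, which may include secrets set by other tooling) and Kerberos ticket listings.
REM Review the folder before sharing it and transfer it only over a trusted channel.

echo Stopping tracing and collecting data - logs will be written to the .\logs directory.
echo.

REM Make sure the output directory exists even if start-auth.bat was not run from here.
if not exist .\logs mkdir .\logs

logman.exe stop kerb -ets
logman.exe stop kdc -ets
logman.exe stop ntlm -ets
logman.exe stop ssl -ets
logman.exe stop KerbComm -ets
logman.exe stop KerbClientShared -ets
logman.exe stop NtlmShared -ets
logman.exe stop LsaTrace -ets
logman.exe stop LsaDs -ets
logman.exe stop LsaIso -ets
logman.exe stop vault -ets

REM Revert the persistent LSA debug settings added by start-auth.bat.
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /f
nltest /dbflag:0x0

reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgInfoLevel /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgTraceOptions /f

wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-CAPI2/Operational .\logs\capi2.evtx /overwrite:true

REM wevtutil.exe set-log Microsoft-Windows-Kerberos/Operational /enabled:false
REM wevtutil.exe export-log Microsoft-Windows-Kerberos/Operational .\logs\kerb.evtx /overwrite:true

REM Lists Credential Manager entries (target names and user names, not the secrets themselves).
cmdkey.exe /list > .\logs\credman.txt

ipconfig /all > .\logs\ipconfig-info.txt

REM netsh wfp capture stop

echo Stopping NetTrace
netsh trace stop

REM Debug logs written by lsass/netlogon while the registry values and /dbflag were active.
copy /y %windir%\debug\netlogon.log .\logs
copy /y %windir%\debug\netlogon.bak .\logs
copy /y %windir%\system32\lsass.log .\logs
copy /y %windir%\debug\netsetup.log .\logs
copy /y %windir%\debug\lsp.log .\logs
copy /y %windir%\debug\lsp.bak .\logs

REM Full environment block of this prompt - check it for secrets before sharing .\logs.
set > .\logs\env.txt

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx > .\logs\build.txt

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /s > .\logs\lsa-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s > .\logs\Policies-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" /s > .\logs\lanmanserver-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" /s > .\logs\lanmanworkstation-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon" /s > .\logs\Netlogon-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /s > .\logs\schannel-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography" /s > .\logs\HKLMControl-Cryptography-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /s > .\logs\HKLMSoftware-Cryptography-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" /s > .\logs\HKLMSoftware-policies-Cryptography-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication" /s > .\logs\Authentication-key.txt
REM Fixed: the original wrote this file to c:\logs\, a directory nothing else creates, instead of .\logs.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication" /s > .\logs\cred-prov-wow64.txt


REM File versions of the authentication/crypto binaries, appended to build.txt.
REM NOTE(review): wmic may be absent on recent Windows builds; if so this append is simply skipped.
wmic datafile where "name='%SystemDrive%\\Windows\\System32\\kerberos.dll' or name='%SystemDrive%\\Windows\\System32\\lsasrv.dll' or name='%SystemDrive%\\Windows\\System32\\netlogon.dll' or name='%SystemDrive%\\Windows\\System32\\kdcsvc.dll' or name='%SystemDrive%\\Windows\\System32\\msv1_0.dll' or name='%SystemDrive%\\Windows\\System32\\schannel.dll' or name='%SystemDrive%\\Windows\\System32\\dpapisrv.dll' or name='%SystemDrive%\\Windows\\System32\\basecsp.dll' or name='%SystemDrive%\\Windows\\System32\\scksp.dll' or name='%SystemDrive%\\Windows\\System32\\bcrypt.dll' or name='%SystemDrive%\\Windows\\System32\\bcryptprimitives.dll' or name='%SystemDrive%\\Windows\\System32\\ncrypt.dll' or name='%SystemDrive%\\Windows\\System32\\ncryptprov.dll' or name='%SystemDrive%\\Windows\\System32\\cryptsp.dll' or name='%SystemDrive%\\Windows\\System32\\rsaenh.dll'  or name='%SystemDrive%\\Windows\\System32\\Cryptdll.dll'" get Filename, Version | more >> .\logs\build.txt

REM "After" snapshots, to be compared with the start-* files from start-auth.bat.
tasklist /svc > .\logs\stop-tasklist.txt
sc query > .\logs\services-config-at-log-finish.txt
net start > .\logs\services-started-at-log-finish.txt

REM Ticket cache of the current user and of logon session 0x3e7 (SYSTEM, i.e. the computer account).
klist > .\logs\tickets-stop.txt
klist -li 0x3e7 > .\logs\ticketscomputer-stop.txt

echo Collecting Cert info, please wait

certutil.exe -v -silent -store my > .\logs\machine-store.txt
certutil.exe -v -silent -user -store my > .\logs\user-store.txt

wmic qfe list > .\logs\qfes_installed.txt
wevtutil.exe export-log system .\logs\sys.evtx /overwrite:true 
wevtutil.exe export-log application .\logs\app.evtx /overwrite:true 
REM The Security log is intentionally not exported by default; enable only if the case needs it.
REM wevtutil.exe export-log security .\logs\sec.evtx /overwrite:true 
nltest /dsgetdc: > .\logs\dc.txt
nltest /dclist: > .\logs\dclist.txt
nltest /dsgetsite > .\logs\site.txt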
