
Windows Client Log Collector


Active Directory domain ortamına dahil Windows client işletim sistemlerinde kimlik doğrulama sorunlarının tespiti için gerekli logları toplayan script içeriği. Her iki script de yükseltilmiş (yönetici) bir komut isteminden ve aynı dizinden çalıştırılmalıdır; toplanan veriler (ağ yakalaması, ortam değişkenleri, kimlik bilgisi listesi ve registry dökümleri) hassas bilgi içerebileceğinden paylaşmadan önce gözden geçirilmelidir.

Araç 1 : Log toplamanın başlatılması (start-auth.bat)

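@echo off

echo Data collection is for Authentication Scenarios.
echo.
echo Once you have reproduced the issue, please run stop-auth.bat to stop the tracing and collect the required data.
echo Data is collected in the .\logs directory.
echo.

REM Everything below (logman -ets sessions, HKLM writes, nltest /dbflag, netsh trace)
REM needs an elevated prompt. fltmc only succeeds when elevated, so fail fast here
REM instead of leaving a half-configured trace behind a cascade of "Access is denied".
fltmc >nul 2>&1
if errorlevel 1 (
    echo ERROR: start-auth.bat must be run from an elevated command prompt.
    exit /b 1
)

REM ETW keyword masks (trace verbosity) for the provider sessions started below.
REM No setlocal is used, so these stay defined in the calling cmd session.
set KerbDbFlags=0x7ffffff
set KdcDbFlags=0xfffff
set NtlmDbFlags=0x5ffDf
set SslDbFlags=0x4000ffff
set LsatraceDbFlags=0xC03E8F
set LsaDStraceDbFlags=0x200
set KerbCommDbFlags=0xffffff
set KerbClientSharedDbFlags=0xffffffff
set NtlmSharedDbFlags=0xffffffff
set LsaIsoDbFlags=0xffffffff
set VaultDbFlags=0xFFF

REM The logs folder is relative to the CURRENT directory, not to the script:
REM stop-auth.bat must be run from the same directory to find these files.
REM NOTE: any previous collection in .\logs is wiped without confirmation.
REM Guarding mkdir avoids the "already exists" error on repeated runs.
if not exist .\logs mkdir .\logs
del /f /q .\logs\*.*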

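REM Real-time ETW sessions (-ets) for each authentication component. Each session
REM has a fixed name so stop-auth.bat can stop it by name. If a session with that
REM name is already running (a previous run that was never stopped), the start
REM fails; check with "logman query -ets" before re-running.
REM **KERB Trace**
logman.exe start kerb -p {6B510852-3583-4e2d-AFFE-A67F9F223438} %KerbDbFlags% -o .\logs\kerb.etl -ets
logman.exe start KerbComm -p {60A7AB7A-BC57-43E9-B78A-A1D516577AE3} %KerbCommDbFlags% -o .\logs\KerbComm.etl -ets
logman.exe start KerbClientShared -p {FACB33C4-4513-4C38-AD1E-57C1F6828FC0} %KerbClientSharedDbFlags% -o .\logs\KerbClientShared.etl -ets

REM **KDC Trace**
REM Only produces data on a domain controller; harmless on a client.
logman.exe start kdc -p {1BBA8B19-7F31-43c0-9643-6E911F79A06B} %KdcDbFlags% -o .\logs\kdc.etl -ets

REM **NTLM Trace**
logman.exe start ntlm -p {5BBB6C18-AA45-49b1-A15F-085F7ED0AA90} %NtlmDbFlags% -o .\logs\ntlm.etl -ets
logman.exe start NtlmShared -p {AC69AE5B-5B21-405F-8266-4424944A43E9} %NtlmSharedDbFlags% -o .\logs\NtlmShared.etl -ets

REM **SSL Trace**
logman.exe start ssl -p {37D2C3CD-C5D4-4587-8531-4696C44244C8} %SslDbFlags% -o .\logs\ssl.etl -ets

REM **LSA Trace**
logman.exe start LsaTrace -p {D0B639E0-E650-4D1D-8F39-1580ADE72784} %LsatraceDbFlags% -o .\logs\LsaTrace.etl -ets
logman.exe start LsaDs -p {169EC169-5B77-4A3E-9DB6-441799D5CACB} %LsaDStraceDbFlags% -o .\logs\LsaDs.etl -ets
logman.exe start LsaIso -p {366B218A-A5AA-4096-8131-0BDAFCC90E93} %LsaIsoDbFlags% -o .\logs\LsaIso.etl -ets

REM **Vault**
REM The mask variable is VaultDbFlags (defined above), NOT VaultDebugFlags: an
REM undefined name expands to nothing in a batch file, which would start the
REM session without any keyword mask.
logman.exe start vault -p {7FDD167C-79E5-4403-8C84-B7C0BB9923A1} %VaultDbFlags% -o .\logs\vault.etl -ets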

REM **PRE WIN 10 LSA LOGGING**
REM These are persistent HKLM values: they keep verbose LSA logging enabled until
REM stop-auth.bat deletes them, including across a reboot. LogToFile=1 is what
REM produces the %windir%\system32\lsass.log that stop-auth.bat copies.
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /t REG_DWORD /d 0xC03E8F /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /t REG_DWORD /d 0xF /f

REM **LSP Logging**
REM Also persistent; stop-auth.bat removes both values and copies %windir%\debug\lsp.log.
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgInfoLevel /t REG_DWORD /d 0x40400800 /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgTraceOptions /t REG_DWORD /d 0x1 /f


REM **Netlogon logging**
REM Verbose netlogon debug logging (secure channel / DC locator activity).
REM stop-auth.bat copies %windir%\debug\netlogon.log and resets the flag to 0.
nltest /dbflag:0x2EFFFFFF

REM **EVT LOGGING**
REM Enable the CAPI2 (certificate / crypto) operational log, start from an empty
REM log and raise its maximum size (~100 MB) so the repro is not truncated.
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /enabled:true
wevtutil.exe clear-log Microsoft-Windows-CAPI2/Operational
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /ms:102400000

REM Kerberos/Operational is intentionally left disabled; stop-auth.bat has the
REM matching export commented out as well - enable both together if needed.
REM wevtutil.exe set-log Microsoft-Windows-Kerberos/Operational /enabled:true
REM wevtutil.exe clear-log Microsoft-Windows-Kerberos/Operational

REM netsh wfp capture start file=.\logs\wfpdiag.cab

REM **Network Trace**
REM capture=yes records packet payloads, not just events: the .etl contains
REM everything the host sends and receives until stop-auth.bat runs (up to 2 GB).
REM Treat it as sensitive. Starting fails if a netsh trace is already running
REM (e.g. a previous run that was never stopped) - see "netsh trace show status".
netsh trace start traceFile=.\logs\netmon.etl capture=yes maxsize=2048

REM **DsRegcmd Status**
REM Device join state (domain / Azure AD / hybrid) at the start of the collection.
dsregcmd /status > .\logs\DsRegCmdStatus.txt

REM Baseline snapshots before the repro; stop-auth.bat writes the matching "finish" files.
tasklist /svc > .\logs\start-tasklist.txt
sc query > .\logs\services-config-at-log-start.txt
net start > .\logs\services-started-at-log-start.txt

REM Kerberos ticket cache of the current user, then of the computer account
REM (logon id 0x3e7 = SYSTEM; this one only works from an elevated prompt).
klist > .\logs\tickets-start.txt
klist -li 0x3e7 > .\logs\ticketscomputer-start.txt

REM Presumably so the repro starts with fresh DNS lookups and DC discovery is
REM visible in the network trace - confirm with the scenario owner.
ipconfig /flushdns

Araç 2 : Log toplamanın durdurulması (stop-auth.bat)

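@echo off

REM The output directory is .\logs (the message previously said .\sclogs, which
REM does not exist anywhere in these scripts).
echo Stopping tracing and collecting data - logs will be written to the .\logs directory.
echo.

REM Stopping the -ets sessions, deleting HKLM values and resetting the netlogon
REM debug flag all need an elevated prompt. Fail fast rather than leaving the
REM verbose logging set up by start-auth.bat in place.
fltmc >nul 2>&1
if errorlevel 1 (
    echo ERROR: stop-auth.bat must be run from an elevated command prompt.
    exit /b 1
)

REM Stop the real-time ETW sessions started by start-auth.bat; each stop flushes
REM the matching .etl under .\logs. A session that is not running only reports an error.
logman.exe stop kerb -ets
logman.exe stop kdc -ets
logman.exe stop ntlm -ets
logman.exe stop ssl -ets
logman.exe stop KerbComm -ets
logman.exe stop KerbClientShared -ets
logman.exe stop NtlmShared -ets
logman.exe stop LsaTrace -ets
logman.exe stop LsaDs -ets
logman.exe stop LsaIso -ets
logman.exe stop vault -ets

REM Remove the persistent LSA / Negotiate logging values added by start-auth.bat
REM (they would otherwise stay in effect across reboots).
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /f
REM Turn netlogon debug logging back off.
nltest /dbflag:0x0

REM Remove the LSP debug logging values.
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgInfoLevel /f
reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgTraceOptions /f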

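REM Disable CAPI2 operational logging again and export what was captured.
wevtutil.exe set-log Microsoft-Windows-CAPI2/Operational /enabled:false
wevtutil.exe export-log Microsoft-Windows-CAPI2/Operational .\logs\capi2.evtx /overwrite:true

REM Kerberos/Operational stays commented out to match start-auth.bat.
REM wevtutil.exe set-log Microsoft-Windows-Kerberos/Operational /enabled:false
REM wevtutil.exe export-log Microsoft-Windows-Kerberos/Operational .\logs\kerb.evtx /overwrite:true

REM Credential Manager entries of the user running the script (target and user
REM names only; cmdkey never prints the stored secrets). Still sensitive.
cmdkey.exe /list > .\logs\credman.txt

ipconfig /all > .\logs\ipconfig-info.txt

REM netsh wfp capture stop

REM Stopping the trace can take a while: netsh finalises the .etl written by start-auth.bat.
echo Stopping NetTrace
netsh trace stop

REM Text logs produced by the debug flags start-auth.bat set (netlogon, LSA, LSP).
REM The .bak files are the rolled-over previous generation; copy fails harmlessly if absent.
copy /y %windir%\debug\netlogon.log .\logs
copy /y %windir%\debug\netlogon.bak .\logs
copy /y %windir%\system32\lsass.log .\logs
copy /y %windir%\debug\netsetup.log .\logs
copy /y %windir%\debug\lsp.log .\logs
copy /y %windir%\debug\lsp.bak .\logs

REM Full environment of the calling session. This may include secrets passed via
REM environment variables - review before sharing the bundle.
set > .\logs\env.txt

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v BuildLabEx > .\logs\build.txt

REM Recursive dumps of the authentication / crypto / SMB configuration keys.
REM These expose hardening settings (LSA, SCHANNEL, policies) - sensitive in aggregate.
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /s > .\logs\lsa-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies" /s > .\logs\Policies-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer" /s > .\logs\lanmanserver-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" /s > .\logs\lanmanworkstation-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon" /s > .\logs\Netlogon-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /s > .\logs\schannel-key.txt
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography" /s > .\logs\HKLMControl-Cryptography-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /s > .\logs\HKLMSoftware-Cryptography-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography" /s > .\logs\HKLMSoftware-policies-Cryptography-key.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication" /s > .\logs\Authentication-key.txt
REM Written to .\logs like every other file; the previous absolute c:\logs\ path
REM pointed at a directory these scripts never create.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication" /s > .\logs\cred-prov-wow64.txt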


REM File versions of the authentication / crypto DLLs, appended to build.txt.
REM NOTE(review): wmic is deprecated on newer Windows builds and may not be
REM installed; if build.txt ends after the BuildLabEx line, collect the versions
REM another way (e.g. PowerShell Get-Item ... | Select VersionInfo).
wmic datafile where "name='%SystemDrive%\\Windows\\System32\\kerberos.dll' or name='%SystemDrive%\\Windows\\System32\\lsasrv.dll' or name='%SystemDrive%\\Windows\\System32\\netlogon.dll' or name='%SystemDrive%\\Windows\\System32\\kdcsvc.dll' or name='%SystemDrive%\\Windows\\System32\\msv1_0.dll' or name='%SystemDrive%\\Windows\\System32\\schannel.dll' or name='%SystemDrive%\\Windows\\System32\\dpapisrv.dll' or name='%SystemDrive%\\Windows\\System32\\basecsp.dll' or name='%SystemDrive%\\Windows\\System32\\scksp.dll' or name='%SystemDrive%\\Windows\\System32\\bcrypt.dll' or name='%SystemDrive%\\Windows\\System32\\bcryptprimitives.dll' or name='%SystemDrive%\\Windows\\System32\\ncrypt.dll' or name='%SystemDrive%\\Windows\\System32\\ncryptprov.dll' or name='%SystemDrive%\\Windows\\System32\\cryptsp.dll' or name='%SystemDrive%\\Windows\\System32\\rsaenh.dll'  or name='%SystemDrive%\\Windows\\System32\\Cryptdll.dll'" get Filename, Version | more >> .\logs\build.txt

REM "finish" snapshots matching the "start" files written by start-auth.bat.
tasklist /svc > .\logs\stop-tasklist.txt
sc query > .\logs\services-config-at-log-finish.txt
net start > .\logs\services-started-at-log-finish.txt

REM Ticket caches after the repro: current user, then the computer account (0x3e7 = SYSTEM, needs elevation).
klist > .\logs\tickets-stop.txt
klist -li 0x3e7 > .\logs\ticketscomputer-stop.txt

echo Collecting Cert info, please wait

REM Verbose listing of the machine and user personal (MY) certificate stores.
REM This lists certificates only; -store does not export private keys.
certutil.exe -v -silent -store my > .\logs\machine-store.txt
certutil.exe -v -silent -user -store my > .\logs\user-store.txt

REM Installed updates plus the System and Application event logs.
wmic qfe list > .\logs\qfes_installed.txt
wevtutil.exe export-log system .\logs\sys.evtx /overwrite:true 
wevtutil.exe export-log application .\logs\app.evtx /overwrite:true 
REM The Security log holds the logon / Kerberos audit events most relevant to an
REM auth failure, but it is also the most sensitive data on the host, so its export
REM is left opt-in: uncomment deliberately and restrict who receives the bundle.
REM wevtutil.exe export-log security .\logs\sec.evtx /overwrite:true 
REM DC locator results for the client's domain: chosen DC, DC list and AD site.
nltest /dsgetdc: > .\logs\dc.txt
nltest /dclist: > .\logs\dclist.txt
nltest /dsgetsite > .\logs\site.txt
