Sunday, February 14, 2010

Useful tool to trace Windows 7 startup - netsh trace

When debugging performance and logon issues in large corporations, where hooking up a sniffer can be just slightly less painful than pointy stick time, I've often found it 'painful' to get a full trace of Windows startup including network traffic. However Windows 7, though having taken away the useful userenvdebuglevel and userenv.log, have introduced full tracing 'out of the box' akin to but more evolved than old netcap.exe... and the wunderkind is:

NETSH TRACE START CAPTURE=YES

Drop this into a scheduled task set to run, fully elevated, at boot time, after the NIC is active and you have a full trace and log of all system actvity during the boot process. All you need do is run:

NETSH TRACE STOP (Best to run from a command prompt so you can see all the files saved extract all the contents of the NetTrace.cab and use the report.etl file as well as the NetTrace.etl)

After you've logged in with the shell loaded and you'll have all the logs you need to dig into the guts of boot and logon issues.

The only pain with this is the new .ETL network log format only works in MS Network Monitor (and you have to set the parsers to Full) and cannot be opened in WireShark... but the new MS Network Monitor is pretty good just takes a little getting used to... note there are newer parsers published on www.codeplex.com

Another useful article is here http://blogs.technet.com/netmon/archive/2010/01/04/capturing-a-trace-a-boot-up.aspx and covers using nmcap.exe to take the trace but you could just as easily replace nmcap with another capture tool e.g. winpcap

The netmon blog is a great resource for debugging...

No comments:

Post a Comment

Search Brian Hehir's sites

Loading