Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2006-08-31) Using Diagnostic Logging within Windows

Posted by Jorge on 2006-08-31


For most components within Windows, verbose logging is enabled by setting a registry value for that component. Remember, however, that diagnostic logging may impact the performance of the machine and that it WILL consume disk space. So, as soon as you are finished, make sure you disable it again!

Here is a list of the diagnostic logging settings that can be enabled:

  • AD Diagnostic Logging
    • HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
    • 1 Knowledge Consistency Checker (KCC)
    • 2 Security Events
    • 3 ExDS Interface Events
    • 4 MAPI Interface Events
    • 5 Replication Events
    • 6 Garbage Collection
    • 7 Internal Configuration
    • 8 Directory Access
    • 9 Internal Processing
    • 10 Performance Counters
    • 11 Initialization/Termination
    • 12 Service Control
    • 13 Name Resolution
    • 14 Backup
    • 15 Field Engineering
    • 16 LDAP Interface Events
    • 17 Setup
    • 18 Global Catalog
    • 19 Inter-site Messaging
    • 20 Group Caching (W2K3 only)
    • 21 Linked-Value Replication (W2K3 only)
    • 22 DS RPC Client (W2K3 only)
    • 23 DS RPC Server (W2K3 only)
    • 24 DS Schema (W2K3 only)
    • Levels (each of the values above accepts one of the following)
      • 0 (None): This default setting only logs critical events and error events.
      • 1 (Minimum): One message per major task.
      • 2 (Basic)
      • 3 (Extensive): Log the steps to complete a task.
      • 4 (Verbose)
      • 5 (Internal): Log everything
  • Kerberos Logging (Enables Diagnostic Logging to the System Event Log)
    • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    • LogLevel (0 = disabled {default}, 1 = enabled)
  • NTFRS Diagnostic Logging
    • HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
    • Debug Log Severity (in: %windir%\debug\NtFrs_0000n.log)
      • 0 (None)
      • 1 (Minimum): One message per major task.
      • 2 (Basic) (DEFAULT)
      • 3 (Extensive): Log the steps to complete a task.
      • 4 (Verbose)
      • 5 (Internal): Log everything
    • Debug Maximum Log Messages = 0x0 – 0xFFFFFFFF (number of messages per log) (default = 0x4E20 = 50000)
    • Debug Log Files = 0x0 – 0xFFFFFFFF (maximum number of log files used) (default = 0x5)
  • Enable debug logging for the Net Logon service
    • HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    • DBFlag = 0x2080FFFF (in: %windir%\debug\netlogon.log)
  • Enable all user environment event logging
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • RunDiagnosticLoggingGlobal (0 = disabled {default}, 1 = enabled)
  • Enable event logging for group policies (Enables GPO Diagnostic Logging to the Application Event Log)
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • RunDiagnosticLoggingGroupPolicy (0 = disabled {default}, 1 = enabled)
  • Enable event logging for application deployment (Log only events related to Software Installation Policy)
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • RunDiagnosticLoggingAppDeploy (0 = disabled {default}, 1 = enabled)
  • Enable event logging for remote boot (Logs only events related to RIS Policy)
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • RunDiagnosticLoggingIntelliMirror (0 = disabled {default}, 1 = enabled)
  • Enable UserEnv.Log logging of policies and profiles (enables verbose logging of policy processing to the userenv.log file, which can be found in %SystemRoot%\Debug\UserMode)
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • UserEnvDebugLevel (in: %windir%\debug\usermode\UserEnv.log)
      • NONE 0x00000000
      • NORMAL 0x00000001
      • VERBOSE 0x00000002
      • LOGFILE 0x00010000
      • DEBUGGER 0x00020000
      • The default value is NORMAL|LOGFILE (0x00010001)
  • Enable diagnostic logging for the "security" Client Side Extension (CSE)
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}
    • ExtensionDebugLevel = 0x2 (in: %windir%\security\logs\winlogon.log)
  • Enable diagnostic logging for the "Folder Redirection" Client Side Extension (CSE)
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • FdeployDebugLevel = 0x0f (in: %windir%\debug\usermode\fdeploy.log)
  • Enable diagnostic logging for the "Software Installation" Client Side Extension (CSE)
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • Appmgmtdebuglevel = 0x9b (or 0x4b) (depends on which KB you read) (in: %windir%\debug\usermode\appmgmt.log)
  • Enable diagnostic logging for the Windows Installer (deployment-related actions)
    • HKLM\Software\Policies\Microsoft\WindowsInstaller
    • Logging = voicewarmup (in: %windir%\temp\MSI*.log)
    • Debug = 0x3
  • Enable diagnostic logging for the Windows Installer (user-initiated actions)
    • HKLM\Software\Policies\Microsoft\WindowsInstaller
    • Logging = voicewarmup (in: %temp%\MSI*.log)
    • Debug = 0x3
  • Enable GPMC logging (logs all activity related to the GPMC; the logs are kept in "%temp%\GpMgmt.log", which contains all other GPMC logging information, and "%temp%\GPmgmtManaged.log", which contains the logging information for the reporting functionality)
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
    • GpMgmtTraceLevel (1 = GPMC Error Logging Only {default}, 2 = GPMC Error and Verbose Logging)
    • GpMgmtLogfileOnly (1 = Log To File only {default}, 2 = Log To File And To Debugger)
  • Enable verbose logging for the GPO Editor – core-specific entries
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • GPEditDebugLevel (in: "%windir%\debug\usermode\gpedit.log")
      • NONE 0x00000000
      • NORMAL 0x00000001
      • VERBOSE 0x00000002
      • LOGFILE 0x00010000
      • DEBUGGER 0x00020000
      • The default value is NORMAL|LOGFILE (0x00010001)
  • Enable verbose logging for the GPO Editor – CSE-specific entries
    • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • GPTextDebugLevel (in: "%windir%\debug\usermode\gptext.log")
      • NONE 0x00000000
      • NORMAL 0x00000001
      • VERBOSE 0x00000002
      • LOGFILE 0x00010000
      • DEBUGGER 0x00020000
      • The default value is NORMAL|LOGFILE (0x00010001)
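The post stresses switching diagnostic logging off again once you are done. The PowerShell below is an added example (not from the original post) that turns on one of the values listed above, records the previous state, and rolls it back; the function names and the backup file location are my own choices, and it assumes an elevated shell on the machine in question.

```powershell
# Added example, not from the original post: switch one diagnostic value from the
# list above on, record the previous state, and roll it back afterwards.
# Assumed: run elevated; the backup file path below is my own choice.

$BackupFile = Join-Path $env:TEMP 'diag-logging-backup.csv'

function Enable-DiagLogging {
    param(
        [Parameter(Mandatory)][string]$Path,   # registry key, e.g. HKLM:\...\NTDS\Diagnostics
        [Parameter(Mandatory)][string]$Name,   # value name, e.g. '5 Replication Events'
        [Parameter(Mandatory)][int]$Value      # level or flag word to set
    )
    $existing = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $existed  = $null -ne $existing
    $old      = if ($existed) { $existing.$Name } else { '' }   # '' = value was absent
    # remember the previous state before touching anything
    [pscustomobject]@{ Path = $Path; Name = $Name; Old = $old } |
        Export-Csv -Path $BackupFile -Append -NoTypeInformation
    if ($existed) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    } else {
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord | Out-Null
    }
    Write-Host ('{0}\{1}: {2} -> 0x{3:X8} (logs will grow; restore when done)' -f $Path, $Name, $old, $Value)
}

function Restore-DiagLogging {
    if (-not (Test-Path $BackupFile)) { Write-Warning 'Nothing to restore'; return }
    # newest entry first, so the earliest recorded state wins if a value was set twice
    $entries = @(Import-Csv $BackupFile)
    [array]::Reverse($entries)
    foreach ($e in $entries) {
        if ($e.Old -eq '') { Remove-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue }
        else { Set-ItemProperty -Path $e.Path -Name $e.Name -Value ([int]$e.Old) -Type DWord }
        Write-Host ('{0}\{1}: restored' -f $e.Path, $e.Name)
    }
    Remove-Item $BackupFile
}

# Usage, with values taken from the list above:
# NTDS replication events at level 3 (Extensive); output goes to the Directory Service event log
Enable-DiagLogging -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '5 Replication Events' -Value 3
# UserEnv: VERBOSE|LOGFILE = 0x00010002 (the default NORMAL|LOGFILE is 0x00010001)
Enable-DiagLogging -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'UserEnvDebugLevel' -Value 0x00010002
# ... reproduce the problem and collect the logs, then:
Restore-DiagLogging
```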

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/

One Response to “(2006-08-31) Using Diagnostic Logging within Windows”

  1. tomek said

    Nice job getting all that data together
