::
:: Copyright (C) Microsoft. All rights reserved.
::
:: THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF
:: ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY
:: IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
:: PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
::

@echo off
setlocal enabledelayedexpansion

@rem ---------------------------------------------------------------------
@rem Working variables. Everything is (re)initialised here so that a stale
@rem value inherited from the caller's environment cannot leak into the run.
@rem ---------------------------------------------------------------------

@rem scratch: rendered status line, located executable, operation mode,
@rem selected trace tool, accumulated etl / evtx file lists, binary list
for %%v in (disp exe mode tool etl evtx bins) do set "%%v="

@rem per-run state directory and the snapshot files written into it
for %%v in (statedir servicefile taskfile) do set "%%v="

@rem cli-srv shared logs (derived from cli/srv later, not user-settable)
set rpcxdr=0
set sec=0
set tcp=0

@rem parsed args - on
set single=0
set capture=0
set cli=0
set srv=0
for %%v in (brief verbose ca) do set "%%v="
set csv=0
set hyperv=0
set cluster=0
for %%v in (circ circbuf circargs) do set "%%v="
@rem default trace level; 'core' lowers it to 1 before clion/srvon copy it
set level=2
for %%v in (rdbss rdbssflags rdbsslevel mrxsmb mrxsmbflags mrxsmblevel smb20 smb20flags smb20level) do set "%%v="
set quic=0

@rem parsed args - off
for %%v in (nobin nocab) do set "%%v="

@rem bin groups for the defined streams: <stream>_bins lists the system
@rem binaries collected into bin\ of the cab when that stream is stopped
set dfsn_bins=dfssvc.exe dfs.sys
set dns_bins=dnsapi.dll dnsrslvr.dll
set fr_bins=fde.dll fdeploy.dll shell32.dll
set fskm_bins=cscobj.dll cscsvc.dll csc.sys dfsc.sys mup.sys mrxsmb10.sys mrxsmb20.sys mrxsmb.sys mrxdav.sys nfsrdr.sys rdbss.sys ccffilter.sys resumekeyfilter.sys peerdist.dll peerdistsvc.dll peerdistsh.dll wkssvc.dll wvrf.sys
set fsum_bins=cscapi.dll cscui.dll davclnt.dll davhlpr.dll webclnt.dll
set nbt_bins=netbt.sys smb.sys
set nfs_bins=msnfsflt.sys nfssvr.sys portmap.sys
set rpcxdr_bins=rpcxdr.sys
set sec_bins=kerberos.dll msv1_0.dll negoexts.dll pku2u.dll
set smbhash_bins=hashgen.exe smbgproxy.dll smbhash.exe peerdisthash.dll peerdistsh.dll
set srv_bins=srv.sys srv2.sys srvnet.sys srvsvc.dll witness.exe
set tcp_bins=tcpip.sys
set quic_bins=msquic.sys
set csvfs_bins=csvfs.sys
set csvflt_bins=csvflt.sys
set csvvbus_bins=csvvbus.sys vbus.sys
set csvnflt_bins=csvnflt.sys nflt.sys
set sr_bins=wvrf.sys

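@rem statedir is non-empty iff an earlier 'on' run persisted one, i.e. a
@rem tracing session is believed to be in progress.
call :persistGet statedir statedir

call :detectMode %*
if errorlevel 1 (
    echo.ERROR: operation mode must be specified
    echo.
    call :usage
    exit /b 1
)

@rem 'core' anywhere on the command line lowers the default level (2) to 1
@rem before clion/srvon copy it into cli/srv.
call :getCoreOnly %*
if errorlevel 1 set level=1

if /i "%mode%" equ "on" goto :nextonarg
if /i "%mode%" equ "snapshot" goto :nextsnapshotarg
@rem if /i "%mode%" equ "off" goto :nextoffarg

@rem ---- 'off' argument loop: the mode keyword itself is skipped, the other
@rem ---- keywords set flags, anything else is rejected.
:nextoffarg
if "%~1" equ "" ( goto :offargfini
) else if /i "%~1" equ "off" ( echo.>NUL
) else if /i "%~1" equ "clioff" ( echo.>NUL
) else if /i "%~1" equ "srvoff" ( echo.>NUL
) else if /i "%~1" equ "nocab" ( set nocab=1
) else if /i "%~1" equ "nobin" ( set nobin=1
) else (
    call :invalid %1
    @rem tracing still running; don't clear persistent state
    exit /b 1
)
shift /1
goto :nextoffarg

@rem ---- 'snapshot' argument loop: same options as 'off'; a session must exist
:nextsnapshotarg
if "%~1" equ "" ( goto :offargfini
) else if /i "%~1" equ "snapshot" ( echo.>NUL
) else if /i "%~1" equ "nocab" ( set nocab=1
) else if /i "%~1" equ "nobin" ( set nobin=1
) else (
    call :invalid %1
    @rem tracing still running; don't clear persistent state
    exit /b 1
)
shift /1
goto :nextsnapshotarg

@rem ---- 'on' argument loop
:nextonarg
if "%~1" equ "" ( goto :onargfini
) else if /i "%~1" equ "capture" ( set capture=1
) else if /i "%~1" equ "clion" ( set cli=%level%
) else if /i "%~1" equ "srvon" ( set srv=%level%
) else if /i "%~1" equ "brief" ( set brief=1
) else if /i "%~1" equ "verbose" ( set verbose=1
) else if /i "%~1" equ "ca" ( set ca=1
) else if /i "%~1" equ "core" ( @rem no-op
) else if /i "%~1" equ "csv" ( set csv=1
) else if /i "%~1" equ "single" ( set single=1
) else if /i "%~1" equ "hyperv" ( set hyperv=1
) else if /i "%~1" equ "cluster" ( set cluster=1
) else if /i "%~1" equ "quic" ( set quic=1
) else (
    @rem remaining forms: circ:N, or driver:flags:level for rdbss/mrxsmb/smb20
    call :checkcirc %1
    if errorlevel 1 (
        call :checkdriver %1
        if errorlevel 1 (
            call :invalid %1
            @rem Nothing has been created or persisted yet by this run, and a
            @rem session from an earlier run may still be live, so the stored
            @rem state is left alone rather than cleared - 'off' must still be
            @rem able to find and stop that session.
            exit /b 1
        )
    )
)
shift /1
goto :nextonarg

@rem off/snapshot need a session to exist ...
:offargfini
if "%statedir%" equ "" (
    echo.ERROR: no tracing session in progress
    echo.
    call :usage
    exit /b 1
)
goto :argsfini

@rem ... and 'on' needs that none does
:onargfini
if "%statedir%" neq "" (
    echo.ERROR: tracing session already in progress.
    echo. Stop the existing tracing session before starting another.
    call :usage
    exit /b 1
)
if %cluster% equ 0 set cluster=%csv%

@rem Create the per-run state directory under TEMP and record it in the
@rem registry so the stop run can find it. The value is passed quoted, as
@rem :off_final already does, because a TEMP path may contain spaces and
@rem call would otherwise truncate it at the first one.
call :mkstatedir "%TEMP%\t"
call :persistSet statedir "!statedir!"
goto :argsfini
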
:argsfini
:: #########################
:: Store/Recover persisted state for binary inclusion at stop time
:: #########################
@rem In 'on' mode each variable is written to the registry; in 'off' and
@rem 'snapshot' mode it is read back, so the stop run knows which streams
@rem and options the start run used.
for %%v in (single capture cli srv csv circ circbuf hyperv cluster verbose rdbss rdbssflags rdbsslevel mrxsmb mrxsmbflags mrxsmblevel smb20 smb20flags smb20level quic) do call :dopersist %%v

@rem common components enabled by both cli and srv options:
@rem rpcxdr whenever either side is traced, sec at level 2 on either side,
@rem tcp at client level 2
if %cli% gtr 0 set rpcxdr=1
if %srv% gtr 0 set rpcxdr=1
if %srv% gtr 1 set sec=1
if %cli% gtr 1 (
    set sec=1
    set tcp=1
)

@rem a non-CSV client run also gets sec and tcp regardless of 'core'
@rem (the original comment described this as the Hyper-V server case)
if %cli% gtr 0 if %csv% equ 0 (
    set sec=1
    set tcp=1
)

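:: #########################
:: OS-specific checks...
:: #########################

@rem Parse the 'ver' output "Microsoft Windows [Version A.B.C.D]" into
@rem OSVER=A.B.C.D and OSVER1/OSVER2/OSVER3 = A / B / C.
for /f "tokens=2 delims=[]" %%i in ('ver') do @set OSVERTEMP=%%i
for /f "tokens=2" %%i in ('echo %OSVERTEMP%') do @set OSVER=%%i
for /f "tokens=1 delims=." %%i in ('echo %OSVER%') do @set OSVER1=%%i
for /f "tokens=2 delims=." %%i in ('echo %OSVER%') do @set OSVER2=%%i
for /f "tokens=3 delims=." %%i in ('echo %OSVER%') do @set OSVER3=%%i

:: #########################
::Detect Vista/LH OS Versions
:: #########################
@rem HasNDISCap: 'netsh trace' packet capture is available (6.1 and later).
@rem nobin is forced on for 6.2+ and 10.x, so system binaries are never
@rem collected into the cab on those releases whatever the options say.
set HasNDISCap=

if %OSVER1% equ 5 (
    goto :knownos
) else if %OSVER1% equ 6 (
    if %OSVER2% geq 1 set HasNDISCap=1
    if %OSVER2% geq 2 set nobin=1

    if %OSVER2% leq 3 goto :knownos
    goto :unknownos
) else if %OSVER1% equ 10 (
    set HasNDISCap=1
    set nobin=1
    rem only these three builds are recognised; later 10.x builds get the
    rem unknown-OS warning below but are otherwise handled the same way
    if %OSVER3% equ 10240 goto :knownos
    if %OSVER3% equ 10586 goto :knownos
    if %OSVER3% equ 14393 goto :knownos
    goto :unknownos
) else (
    @rem Win9x, Win ME, NT 3-4
    echo. ERROR: Unsupported OS version [%OSVER%]
    exit /b 1
)

:unknownos
echo. WARNING : Unknown OS version [%OSVER%]
echo.

:knownos

::
:: Check if NetSH has the trace context installed,
:: which signifies ndiscap support.
:: (Win7 build of WinPE does not)
::
netsh trace >NUL 2>&1
if errorlevel 1 (
    set HasNDISCap=
)

@rem 'capture' needs ndiscap and sc.exe (to start the filter driver). Either
@rem missing aborts the run. In 'on' mode the state directory has already
@rem been persisted at this point, so it is forgotten again - as the other
@rem abort paths do - otherwise the next 'on' run would be refused with
@rem "tracing session already in progress" although nothing was started.
if %capture% gtr 0 (
    if not defined HasNDISCap (
        set capture=0
        echo. Packet capture is only supported on Windows 7 / 2008 R2
        echo. or newer operating systems.
        echo.
        call :invalid capture
        if /i "%mode%" equ "on" call :persistDelete
        exit /b 1
    )
    for %%i in (sc.exe) do (set exe=%%~$PATH:i)
    if "!exe!" equ "" (
        set capture=0
        echo. Packet capture requires sc.exe to be present in order
        echo. to start the filter driver.
        call :invalid capture
        if /i "%mode%" equ "on" call :persistDelete
        exit /b 1
    )
)
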
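:: ###################################
:: Check for local Admin rights; abort with an error when not elevated
:: (the script does not re-launch itself elevated).
:: ###################################

@rem Probe: try to create a randomly named file in the root of the system
@rem drive and remove it again on success.
@rem NOTE(review): this is a writability heuristic, not a token or group
@rem check, so it can misreport on systems whose root-drive ACL has been
@rem changed; 'net session' or 'fltmc' are the usual alternatives - confirm.
call :mktemp _lua_filename %systemdrive%\lua dat
set _lua_running=false
@rem redirect 'Access Denied' error from cmd (not echo) to NUL
(echo 1>%_lua_filename%) >NUL 2>&1
if exist %_lua_filename% (
    set _lua_running=true
    del /q %_lua_filename%
)
if '%_lua_running%' equ 'false' (
    echo. ERROR: This script requires administrator access.
    echo.
    echo. Please relaunch the command prompt with administrator privileges.
    rem Only an 'on' run has persisted anything so far. For off/snapshot the
    rem session is still live and its state must survive, otherwise a
    rem non-elevated 'off' would orphan it - same rule as the argument loops.
    if /i "%mode%" equ "on" call :persistDelete
    exit /b 1
)
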
@rem ---- 'on' only: at least one component group must be selected
if /i "%mode%" equ "on" (
    set /a optionsum=cli+srv
    if !optionsum! equ 0 (
        echo.ERROR: At least one of the clion or srvon options must
        echo. be specified in order to enable tracing.
        rem the state directory was already persisted; forget it again
        call :persistDelete
        call :usage
        exit /b 1
    )
)

@rem ---- choose the tracing tool: logman.exe preferred, tracelog.exe as the
@rem fallback. The name selects the :traceon-/:traceadd-/:traceoff-<tool>
@rem implementation used from here on.
set tool=
call :toolsearch logman.exe
if not defined tool call :toolsearch tracelog.exe
if not defined tool (
    echo. No available programs available to enable tracing.
    echo. One of the following must be located in a directory in the PATH:
    echo. logman.exe
    echo. tracelog.exe
    call :persistDelete
    exit /b 1
)

@rem ETW session name used for the single-file and packet-capture sessions
if defined USERDOMAIN (
    set NdisCapTraceSession=NetTrace-%USERDOMAIN%-%USERNAME%
) else (
    set NdisCapTraceSession=NetTrace-%USERNAME%
)

@rem base names (without .etl) of the combined trace and the packet capture;
@rem with 'single' both go to the one 'trace' file
set SingleTraceFile=trace
set NdisCapTraceFile=packetcapture
if %single% geq 1 set NdisCapTraceFile=%SingleTraceFile%

:snapshot-restart
@rem 'snapshot' re-enters here from :off_final with mode switched back to 'on'
set servicefile=%statedir%\services.txt
set taskfile=%statedir%\tasklist.txt

if /i "%mode%" neq "on" goto :core

@rem initialization prior to enabling traces (includes packet capture)

@rem grab the current process list before turning on tracing
@rem and be resilient to the absence of tasklist.exe
for %%i in (tasklist.exe) do (set exe=%%~$PATH:i)
if "!exe!" equ "" (
    echo tasklist.exe is not present > !taskfile!
) else (
    !exe! /FO csv /svc > !taskfile!
)

@rem grab the current service list as well
for %%i in (sc.exe) do (set exe=%%~$PATH:i)
if "!exe!" equ "" (
    echo sc.exe is not present > !servicefile!
) else (
    !exe! query type= all state= all > !servicefile!
)

@rem With both 'capture' and 'single', :captureon wins and :singleon is
@rem skipped: NdisCapTraceFile already equals SingleTraceFile, and the
@rem providers are later added to NdisCapTraceSession - presumably the
@rem session netsh itself creates; confirm against netsh trace behaviour.
if %capture% geq 1 goto :captureon
if %single% geq 1 goto :singleon
goto :core

:captureon
@rem netshmode is set but not referenced anywhere below
set netshmode=fileMode=single
@rem circargs carries the circular options for netsh only and is cleared
@rem again so the logman/tracelog starts compute their own form
if defined circ set circargs=maxSize=%circbuf% fileMode=circular
call :doit netsh trace start capture=yes traceFile="%statedir%\%NdisCapTraceFile%.etl" %circargs% correlation=no
set circargs=
if not errorlevel 1 ( set disp=started %NdisCapTraceFile% ^<- ndiscap )
if %single% equ 0 call :disp
goto :core

:singleon
@rem one ETW session that collects every provider into trace.etl
call :traceon-%tool% %NdisCapTraceSession% %SingleTraceFile%
if not errorlevel 1 ( set disp=started trace ^<- )
goto :core

:core
@rem Each :doetl <stream> either creates that stream's session and enables
@rem its providers (mode on) or stops it and queues its etl and binaries for
@rem collection (off/snapshot). Streams are gated by the options parsed on
@rem the 'on' run, or restored from the registry on the stop run.
if %cli% gtr 0 (
    call :doetl fskm
    call :doetl fsum

    rem client level 2 adds the dns, fr and nbt streams
    if %cli% gtr 1 (
        call :doetl dns
        call :doetl fr
        call :doetl nbt
    )
)

if %srv% gtr 0 (
    call :doetl dfsn
    call :doetl srv
    call :doetl smbhash
    call :doetl nfs
    call :doetl sr
)

if %rpcxdr% gtr 0 (
    call :doetl rpcxdr
)

if %sec% gtr 0 (
    @rem enabled by either cli or srv
    call :doetl sec
)

if %tcp% gtr 0 (
    call :doetl tcp
)

if %quic% gtr 0 (
    call :doetl quic
)

if %csv% gtr 0 (
    call :doetl csvfs
    call :doetl csvflt
    call :doetl csvvbus
    call :doetl csvnflt
)

@rem event log export; a no-op while starting
call :doevtlog

if /i "%mode%" equ "on" goto :on_final

@rem packet capture must be the last to stop

if %capture% geq 1 goto :captureoff
if %single% geq 1 goto :singleoff
goto :off

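:captureoff
@rem Stop the netsh packet capture and queue its etl for the cab.
echo.Please be patient as NetSH retrieves the packet captures...
echo.This will take a few minutes.
call :doit netsh trace stop
set etl=!etl! %NdisCapTraceFile%.etl
@rem remove netsh report that can't be turned off. The path is quoted:
@rem statedir lives under TEMP, which may contain spaces, and an unquoted
@rem del would otherwise be handed two bogus file names.
call :doit del "%statedir%\%NdisCapTraceFile%.cab"
goto :off

:singleoff
@rem Stop the one shared session; its single trace.etl is the whole result.
call :traceoff-%tool% %NdisCapTraceSession%
set etl=%SingleTraceFile%.etl
call :disp
goto :off
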
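:: :invalid
:: Reports a rejected command-line argument and falls through to :usage.
:: @param 1 the offending argument
:invalid
echo.
echo. invalid parameter: %1
echo.
@rem fall through to usage

:: :usage
:: Prints the command-line help. The requirement line mirrors the check
:: in the main flow (cli+srv must be non-zero): 'capture' alone is rejected,
:: so it is not listed as an alternative here. 'quic' is listed because it
:: is accepted by the argument parser and enables the msquic stream.
:usage
echo. Enabling Tracing:
echo. usage: %~n0 [clion] [srvon] [core] [verbose] [capture] [csv] [cluster] [hyperv] [quic] [circ:N] [driver:flags:level]
echo. clion - generate client component traces
echo. srvon - generate server component traces
echo. capture - enable packet capture ^(Windows 7 / Windows 2008 R2 or newer^)
echo.
echo. At least one of clion and srvon must
echo. be specified.
echo.
echo. csv - generate CSV component traces
echo. cluster - collect Cluster event logs
echo. hyperv - collect Hyper-V event logs
echo. quic - generate msquic component traces
echo. verbose - verbose mode tracing flags (defined for fskm/mup)
echo. circ:N - generate circular logs of size N megabytes
echo. (default circular buffer size is 50 MB per log)
echo. driver:flags:level - specify trace flags and level for this driver (support rdbss, mrxsmb, smb20 only)
echo. flags and level must be in hex
echo. rdbss: 0x0001 error 0x0002 misc 0x0004 io 0x0008 openclose
echo. 0x0010 readwrite 0x0020 fileinfo 0x0040 oplock 0x0080 connectionobject
echo. 0x0100 fcb 0x0200 caching 0x0400 migration 0x0800 namecache
echo. 0x1000 security
echo. mrxsmb: 0x0001 error 0x0002 misc 0x0004 network 0x0008 security
echo. 0x0010 exchange 0x0020 compounding 0x0040 connectionobject 0x0080 midwindow
echo. 0x0100 multichannel
echo. smb20: 0x0001 error 0x0002 misc 0x0004 network 0x0008 security
echo. 0x0010 exchange 0x0020 io 0x0040 handle 0x0080 infocache
echo. 0x0100 dircache 0x0200 oplock
echo. level: 0x1 error 0x2 brief 0x4 verbose
echo. Disabling Tracing:
echo. usage: %~n0 off [nocab] [nobin]
echo. off - turn off tracing
echo. nocab - do not compress traces
echo. nobin - do not gather system binaries matching the captured traces
echo. (please do not use if external to FSF/without direction)
echo.
echo. Disabling/Enabling Tracing:
echo. usage: %~n0 snapshot [nocab] [nobin]
goto :eof
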
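:: -----------------------------------------------------------------------
:: Tracing steps, implemented by the 'Base interface' section further down.
:: (These lines were bare '@ ...' commands before; unreachable, but they
:: would have been executed as commands had control ever fallen through.)
::
::  1. traceon:  create the etl session before listing its providers
::  2. traceadd: add a provider to the session
::  3. traceoff: stop the session when tracing is turned off
::  4. disp:     dump rendering of what trace* did
:: -----------------------------------------------------------------------
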
:: :doetl
:: Start or stop one trace stream depending on %mode%.
:: @param 1 stream name; also selects the :<name>on provider routine and
::          the <name>_bins list
:doetl
if %mode% equ on (
    call :traceon %1
    call :%1on
    if %single% equ 0 call :disp
    goto :eof
)
@rem stopping: with 'single' there is no per-stream session to stop, but
@rem the stream's binaries are still collected
if %single% equ 0 (
    call :traceoff %1
    set etl=!etl! %1.etl
)
@rem roll up the binaries associated with this trace, if specified
if not defined nobin set bins=!bins! !%1_bins!
goto :eof

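:: :doevtlog
:: Export event-log channels into the state directory when stopping or
:: snapshotting; nothing to do when starting. (The former ':goto :eof'
:: line was a mistyped label, not a statement, and is gone.)
:doevtlog
if %mode% equ on goto :eof

if %cli% gtr 0 (
    @rem SMB Client
    call :export-evtx Microsoft-Windows-SMBClient/Connectivity
    call :export-evtx Microsoft-Windows-SMBClient/Operational
    rem the witness client channel has a different name from Windows 10 on
    if %OSVER1% lss 10 call :export-evtx WitnessClientAdmin Witness-Admin.evtx
    if %OSVER1% geq 10 call :export-evtx Microsoft-Windows-SMBWitnessClient/Admin Witness-Admin.evtx
)

if %cluster% gtr 0 (
    @rem Cluster Nodes (Admin, Diagnostic, Operational channels)
    call :export-evtx System
    call :export-evtx Microsoft-Windows-FailoverClustering/Diagnostic
    call :export-evtx Microsoft-Windows-FailoverClustering/Operational
)

if %hyperv% gtr 0 (
    @rem Hyper-V Events
    call :export-evtx Microsoft-Windows-Hyper-V-VMMS-Admin
)

if defined evtx echo.evtlog -^> %evtx%
goto :eof
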
:: :export-evtx
:: Export the last 24 hours of one event-log channel into %statedir% and,
:: on success, append the file name to %evtx%.
:: @param 1 channel name
:: @param 2 optional output file name; defaults to the channel name with
::          '/' replaced by '-' and a leading 'Microsoft-Windows-' dropped
:export-evtx
set "_evtchan=%~1"
set "_evtfile=%~2"
if not defined _evtfile set "_evtfile=%_evtchan:/=-%.evtx"
if /i "%_evtfile:~0,18%" equ "Microsoft-Windows-" set "_evtfile=%_evtfile:~18%"
@rem 86400000 ms = 24 h; failures (e.g. channel absent) are silently skipped
wevtutil epl "%_evtchan%" "%statedir%\%_evtfile%" "/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" >NUL 2>NUL
if %ERRORLEVEL% equ 0 set "evtx=!evtx! %_evtfile%"
exit /b

@@@@@@@@
:fskmon
@rem Kernel-mode SMB client stack. Before Windows 10 one combined provider
@rem is used; from Windows 10 on csckm/dav/dfsc/mup is separate from rdbss,
@rem mrxsmb and smb20, each of which may carry the user's driver:flags:level
@rem override. 'ca' restricts rdbss/mrxsmb/smb20 to fixed small flag sets
@rem and skips the combined provider and the extras at the end.

if %OSVER1% lss 10 (
    if defined verbose (
        set flags=0xfffffff
    ) else (
        set flags=0x3333333
    )
    set level=7

    call :traceadd fskm 20c46239-d059-4214-a11e-7d6769cbe020 csckm/dav/dfsc/mup/rdbss/smb !level! !flags!
) else (

    if not defined ca (
        if defined verbose (
            set flags=0xffff0f0
            set level=7
        ) else (
            set flags=0x3333030
            set level=0
        )

        call :traceadd fskm 20c46239-d059-4214-a11e-7d6769cbe020 csckm/dav/dfsc/mup !level! !flags!
    )

    rem level and flags below apply to rdbss, mrxsmb and smb20 unless a
    rem per-driver override was given on the command line
    if defined verbose (
        set level=4
    ) else (
        set level=2
    )

    set flags=0xffffffff

    if defined ca (
        set flags=0x5
    )

    if defined rdbss (
        call :traceadd fskm 0086eae4-652e-4dc7-b58f-11fa44f927b4 rdbss !rdbsslevel! !rdbssflags!
    ) else (
        call :traceadd fskm 0086eae4-652e-4dc7-b58f-11fa44f927b4 rdbss !level! !flags!
    )

    if defined ca (
        set flags=0x75
    )

    if defined mrxsmb (
        call :traceadd fskm f818ebb3-fbc4-4191-96d6-4e5c37c8a237 mrxsmb !mrxsmblevel! !mrxsmbflags!
    ) else (
        call :traceadd fskm f818ebb3-fbc4-4191-96d6-4e5c37c8a237 mrxsmb !level! !flags!
    )

    if defined smb20 (
        call :traceadd fskm e4ad554c-63b2-441b-9f86-fe66d8084963 smb20 !smb20level! !smb20flags!
    ) else (
        call :traceadd fskm e4ad554c-63b2-441b-9f86-fe66d8084963 smb20 !level! !flags!
    )
)

@rem the remaining providers use :traceadd's defaults (level 7, 0x7fffffff)
if not defined ca (
    @rem witness / ccf
    call :traceadd fskm 47eba62c-87e6-4564-9946-0dd4e361ed9b witnesscli
    call :traceadd fskm 17efb9ce-8cab-4f19-8b96-0d021d9c76f1 ccffilter

    @rem csc
    call :traceadd fskm 89d89015-c0df-414c-bc48-f50e114832bc cscservice
    call :traceadd fskm 791cd79c-65b5-48a3-804c-786048994f47 fastsync
    call :traceadd fskm d5418619-c167-44d9-bc36-765beb5d55f3 dcluser
    call :traceadd fskm 1f8b121d-45b3-4022-a9fb-3857177a65c1 peerdist

    @rem nfs
    call :traceadd fskm 355c2284-61cb-47bb-8407-4be72b5577b0 nfsrdr
)

goto :eof

:: -----------------------------------------------------------------------
:: :rpcxdron - two RPC/XDR providers under one display name, default
:: level and flags
:rpcxdron
for %%g in (94b45058-6f59-4696-b6bc-b23b7768343d 53c16bac-175c-440b-a266-1e5d5f38313b) do call :traceadd rpcxdr %%g rpcxdr
exit /b

:: -----------------------------------------------------------------------
:: :secon - authentication package providers, level 7 with per-provider
:: keyword masks. Each tuple is "guid name level flags"; the quotes are
:: stripped so call re-splits the tuple into :traceadd's arguments.
:: NOTE(review): these are the Kerberos, NTLM, Negotiate-extensions and
:: PKU2U providers, so sec.etl may well contain authentication material;
:: treat the resulting cab as sensitive - confirm before it is shared.
:secon
for %%p in (
    "6b510852-3583-4e2d-affe-a67f9f223438 kerberos 7 0x43"
    "5bbb6c18-aa45-49b1-a15f-085f7ed0aa90 ntlm 7 0x15003"
    "5af52b0d-e633-4ead-828a-4b85b8daac2b negoexts 7 0x73"
    "2a6faf47-5449-4805-89a3-a504f3e221a6 pku2u 7 0x1f3"
) do call :traceadd sec %%~p
exit /b

:: -----------------------------------------------------------------------
:: :fsumon - user-mode client components: the csc providers followed by
:: the dav (WebClnt) provider, all at default level and flags
:fsumon
for %%p in (
    "361f227c-aa14-4d19-9007-0c8d1a8a541b cscnet"
    "0999b701-3e5d-4998-bc58-a775590a55d9 cscdll"
    "19ee4cf9-5322-4843-b0d8-bab81be4e81e cscapi"
    "66418a2a-72af-4c1a-9c84-42f6865563bd cscui"
    "5e23b838-5b71-47e6-b123-6fe02ef573ef cscum"
    "91efb5a1-642d-42a4-9821-f15c73064fb5 WebClnt"
) do call :traceadd fsum %%~p
exit /b

:: -----------------------------------------------------------------------
:: :srvon - server-side providers. srvdl always runs at the defaults; the
:: others run at level 7, lowered per provider when 'brief' was given.
:srvon
call :traceadd srv 3121cf5d-c5e6-4f37-be86-57083590c333 srvdl

@rem srv2 / srvnet / srvsvc: brief silences them (level 0)
set level=7
if defined brief set level=0
for %%p in ("2744f0b7-8455-44f8-9b64-5f589f9d163a srv2" "c0183094-fdc6-493f-a3e8-697224f83f6f srvnet" "d8e0c67b-7d87-48b6-9290-42126e66faee srvsvc") do call :traceadd srv %%~p %level%

@rem resumekeyfilter: brief keeps level 3
set level=7
if defined brief set level=3
call :traceadd srv c5a38574-9827-4c24-b8fb-d6635475566f resumekeyfilter %level%

@rem witnesssvc: brief keeps level 2
set level=7
if defined brief set level=2
call :traceadd srv c73e561f-c5b4-4a82-9b63-34bde5718e61 witnesssvc %level%
exit /b

:: -----------------------------------------------------------------------
:: :smbhashon - branch-cache hash generation provider, default level/flags
:smbhashon
call :traceadd smbhash 48be2803-12c0-4932-aa80-93372d5a9114 smbhash
exit /b

:: -----------------------------------------------------------------------
:: :nfson - NFS server, filter, NLM, NFSv4 and portmap providers at the
:: default level and flags
:nfson
for %%p in (
    "cc9a5284-cc3e-4567-b3f6-3eb24e7cfec5 msnfsfltguid"
    "3c33d8b3-66fa-4427-a31b-f7dfa429d78f nfssvrguid"
    "fc33d8b3-66fa-4427-a31b-f7dfa429d78f nfssvrguid2"
    "57294efd-c387-4e08-9144-2028e8a5cb1a nfssvrnlmguid"
    "f3bb9731-1d9f-4b8e-a42e-203bf1a32300 nfs4svrguid"
    "e18a05dc-cce3-4093-b5ad-211e4c798a0d portmapguid"
) do call :traceadd nfs %%~p
exit /b

:: -----------------------------------------------------------------------
:: :fron - fr at level 4 / 0x1f and UstCommon at level 7 / 0x0fffffff
:fron
for %%p in ("2955e23c-4e0b-45ca-a181-6ee442ca1fc0 fr 4 0x1f" "6b6c257f-5643-43e8-8e5a-c66343dbc650 UstCommon 7 0x0fffffff") do call :traceadd fr %%~p
exit /b

:: -----------------------------------------------------------------------
:: :dfsnon - DFS namespace provider, default level/flags
:dfsnon
call :traceadd dfsn 27246e9d-b4df-4f20-b969-736fa49ff6ff dfsn
exit /b

:: -----------------------------------------------------------------------
:: :nbton - NetBT/SMB transport provider, default level/flags
:nbton
call :traceadd nbt bca7bd7f-b0bf-4051-99f4-03cfe79664c1 nbtsmb
exit /b

:: -----------------------------------------------------------------------
:: :tcpon - tcpip provider. Default: level 2 with keyword 0x1000; client
:: level 2 raises it to level 7 and adds 0x80 (the "tcp-only" flag of the
:: original script, per the inherited comment).
:tcpon
set flags=0x1000
set level=2
if %cli% gtr 1 (
    rem - tcp-only == flags 0x80 from the original script
    set flags=0x1080
    set level=7
)
call :traceadd tcp eb004a05-9b1a-11d4-9123-0050047759bc tcp %level% %flags%
exit /b

:: -----------------------------------------------------------------------
:: :quicon - msquic provider, default level/flags
:quicon
call :traceadd quic ff15e657-4f26-570e-88ab-0796b258d11c quic
exit /b

:: -----------------------------------------------------------------------
:: :dnson - dnsapi at level 7 with an explicit keyword mask, plus the dns
:: provider at the defaults
:dnson
for %%p in ("609151dd-04f5-4da7-974c-fc6947eaa323 dnsapi 7 0x00797fc0" "f230b1d5-7dfd-4da7-a3a3-7e87b4b00ebf dns") do call :traceadd dns %%~p
exit /b

:: -----------------------------------------------------------------------
:: :csvfson - CSV file system provider, level 5 / 0xffff
:csvfson
call :traceadd csvfs d82dba12-8b70-49ee-b844-44d0885951d2 csvfs 5 0xffff
exit /b

:: -----------------------------------------------------------------------
:: :csvflton - CSV filter provider, level 5 / 0xffff
:csvflton
call :traceadd csvflt b421540c-1fc8-4c24-90cc-c5166e1de302 csvflt 5 0xffff
exit /b

:: -----------------------------------------------------------------------
:: :csvvbuson - CSV virtual bus provider, level 5 / 0xffff
:csvvbuson
call :traceadd csvvbus 4e6177a5-c0a7-4d9b-a686-56ed5435a904 csvvbus 5 0xffff
exit /b

:: -----------------------------------------------------------------------
:: :csvnflton - CSV network filter provider, level 5 / 0xffc3
:csvnflton
call :traceadd csvnflt 4e6177a5-c0a7-4d9b-a686-56ed5435a908 csvnflt 5 0xffc3
exit /b

:: -----------------------------------------------------------------------
:: :sron - storage replica (wvrf) driver, service and CIM provider at the
:: default level and flags
:sron
for %%p in (
    "8e37fc9c-8656-46da-b40d-34d97a532d09 wvrfguid"
    "634af965-fe67-49cf-8268-af99f62d1a3e wvrsvcguid"
    "fadca505-ad5e-47a8-9047-b3888ba4a8fc wvrcimprov"
) do call :traceadd sr %%~p
exit /b

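::
::::::::::::::::::::::::::::::::::::::::
:: Parameter Validation and Parsing
::::::::::::::::::::::::::::::::::::::::
::
:: :detectMode
:: Detects the operation mode from the first mode keyword on the command
:: line (a second one is left for the argument loops to reject).
:: @param * the script's arguments
:: @return %mode%: 'on', 'off', or 'snapshot'; errorlevel 0 when found,
::         1 when no mode keyword is present. Every exit sets the code
::         explicitly - a bare 'exit /b' would have handed the caller
::         whatever errorlevel the preceding reg query left behind.
:detectMode
set mode=
:detectModeNext
for %%i in (clion srvon) do (
    if /i "%~1" equ "%%i" (
        set mode=on
        exit /b 0
    )
)
for %%i in (off clioff srvoff) do (
    if /i "%~1" equ "%%i" (
        set mode=off
        exit /b 0
    )
)
if /i "%~1" equ "snapshot" (
    set mode=snapshot
    exit /b 0
)
shift
if "%~1" neq "" goto :detectModeNext
exit /b 1
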
::
:: :getCoreOnly
:: @param * the script's arguments
:: @return errorlevel 1 iff 'core' is among the arguments, 0 otherwise
:getCoreOnly
:getCoreOnlyNext
if /i "%~1" equ "core" exit /b 1
shift
if "%~1" equ "" exit /b 0
goto :getCoreOnlyNext

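::
::::::::::::::::::::::::::::::::::::::::
:: Persistence Utilities
::
:: State lives under HKCU\SOFTWARE\Microsoft\t.cmd-state.
:: NOTE(review): HKCU is shared between a user's elevated and non-elevated
:: processes, so a same-user medium-integrity process can change what the
:: elevated stop run later reads back - including the statedir path it
:: writes to and deletes from. Treat the stored values as untrusted input;
:: confirm whether an HKLM key with a restrictive ACL would be preferable.
::::::::::::::::::::::::::::::::::::::::
:: :persistSet
:: Sets a value to persist in the registry
:: @param 1 registry value name
:: @param 2 registry value data; passed to reg.exe quoted so that data with
::          spaces (e.g. a statedir under a TEMP path containing spaces) is
::          stored whole rather than cut at the first space
:persistSet
reg.exe add "HKCU\SOFTWARE\Microsoft\t.cmd-state" /v %1 /d "%~2" /f > NUL
exit /b
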
::
:: :persistGet
:: Reads one value back from the state key (nothing is created).
:: @param 1 name of environment variable to set
:: @param 2 registry value name
:: @param 3 default value (optional), used when the value is absent
:: NOTE(review): the data comes from HKCU, which the user's non-elevated
::               processes can also write; statedir read this way is later
::               used as a path to write to and delete from - confirm.
:persistGet
set %1=%3
for /F "tokens=2*" %%K in ('reg query "HKCU\SOFTWARE\Microsoft\t.cmd-state" /v %2 2^>NUL') do set %1=%%L
exit /b

::
:: :persistClear
:: Removes a single value from the state key; silent when it is absent.
:: @param 1 registry value name
:persistClear
reg.exe delete "HKCU\SOFTWARE\Microsoft\t.cmd-state" /v %1 /f 1>NUL 2>&1
exit /b

::
:: :persistDelete
:: Deletes the whole state key, i.e. every value this script persisted.
:: Silent when the key does not exist.
:persistDelete
reg.exe delete "HKCU\SOFTWARE\Microsoft\t.cmd-state" /f 1>NUL 2>&1
exit /b

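::
:: :dopersist
:: @param 1 environment variable to persist in the registry
:: @param %mode%: "on", "off", or "snapshot"
:: Stores settings in registry when %mode% is "on"; loads them otherwise.
:: The value is handed to :persistSet quoted so that data containing spaces
:: (notably statedir under a TEMP path with spaces) is not truncated at the
:: first space by call's argument splitting; :off_final already does this.
:dopersist
if /i "%mode%" equ "on" (
    if defined %1 (
        call :persistSet %1 "!%1!"
    ) else (
        call :persistClear %1
    )
) else (
    call :persistGet %1 %1
)
exit /b
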
::
::::::::::::::::::::::::::::::::::::::::
:: File Utilities
::::::::::::::::::::::::::::::::::::::::
::
:: :toolsearch
:: Search for a tool, first in the current directory and then on %PATH%.
:: @param 1 Name of the tool EXE
:: @return Sets %tool% to %1 if the tool is found; %exe% holds the expanded
::         PATH hit, is cleared when nothing is found on PATH, and is left
::         untouched for a current-directory hit.
:: NOTE(review): the current directory wins over PATH and the tool is later
::               invoked by bare name from an elevated prompt, so a planted
::               logman.exe or tracelog.exe in a user-writable working
::               directory would run as administrator - confirm the intended
::               working directories before relying on this.
:toolsearch
if not exist "%CD%\%1" goto :toolsearch_path
set tool=%1
goto :eof

:toolsearch_path
for %%i in (%1) do (set exe=%%~$PATH:i)
if defined exe set tool=%1
goto :eof

::
:: :mktemp
:: Pick a not-yet-existing file name <prefix>-<random>.<ext>. Nothing is
:: created; the caller creates the file (so a race with another process
:: picking the same name is possible but harmless here).
:: @param 1 variable to set
:: @param 2 path prefix
:: @param 3 file extension
:mktemp
set "%1=%~2-!random!.%~3"
if exist "!%1!" goto :mktemp
exit /b

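::
:: :mkstatedir
:: Create a temporary directory <prefix>-<random> to store state files.
:: Does not require delayed expansion.
:: @param 1 path prefix
:: @return %statedir% set to the created directory and errorlevel 0.
::         A name collision is retried with a new random suffix. Because
::         mkdir can also fail for reasons a retry cannot cure (unwritable
::         or missing TEMP), the retries are bounded: after 16 attempts an
::         error is printed and errorlevel 1 returned, with %statedir% left
::         at the last attempted path, instead of looping forever.
:mkstatedir
set _mkdir_tries=0
:mkstatedir_again
set /a _mkdir_tries+=1
if %_mkdir_tries% gtr 16 (
    echo.ERROR: unable to create a state directory under "%~1"
    exit /b 1
)
set statedir=%~1-%random%
if exist "%statedir%" goto :mkstatedir_again
mkdir "%statedir%" >NUL 2>&1
if errorlevel 1 goto :mkstatedir_again
exit /b 0
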
::
::::::::::::::::::::::::::::::::::::::::
:: Base interface to abstract between differences in NetSH, LogMan, and TraceLog
::
:: Each routine dispatches to :<op>-%tool%, where %tool% is logman.exe or
:: tracelog.exe as chosen by :toolsearch.
::
:: :traceon
:: Create a tracing session with the given name prior to adding trace providers.
:: @param 1 etl session name
::
:: :traceadd
:: Add a provider to the tracing session.
:: @param 1 etl session name
:: @param 2 guid
:: @param 3 display name
:: @param 4 optional level (default 7)
:: @param 5 optional flags (default 0x7fffffff)
::
:: :traceoff
:: Disable tracing for a given session.
:: @param 1 etl session name
::::::::::::::::::::::::::::::::::::::::
::
:traceon
@rem With 'single' there is one shared session, created by :singleon or
@rem :captureon, so no per-stream session is started here.
if %single% geq 1 goto :eof
call :traceon-%tool% %1
if not errorlevel 1 ( set disp=started %1 ^<- )
goto :eof

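:: :traceadd
:: Add a provider to a session (or to the shared session with 'single').
:: @param 1 etl session name
:: @param 2 guid
:: @param 3 display name, appended to %disp% on success
:: @param 4 optional level, default 7
:: @param 5 optional flags, default 0x7fffffff
:traceadd
setlocal
if "%~4" equ "" (
    set level=7
) else (
    set level=%4
)
if "%~5" equ "" (
    set flags=0x7fffffff
) else (
    set flags=%5
)
if %single% equ 0 call :traceadd-%tool% %1 %2 %3 %level% %flags%
if %single% geq 1 call :traceadd-%tool% %NdisCapTraceSession% %2 %3 %level% %flags%
endlocal
@rem errorlevel survives endlocal. The display name is followed by a space
@rem so the rendered list reads "rdbss mrxsmb smb20" rather than running the
@rem names together as it did without a separator.
if not errorlevel 1 ( if "%~3" neq "" set "disp=!disp!%~3 " )
goto :eof
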
:: :traceoff
:: Stop a session and report the etl it produced.
:: @param 1 etl session name (also the etl base name)
:traceoff
call :traceoff-%tool% %1
if errorlevel 1 goto :eof
echo %1 -^> %1.etl
goto :eof

::
:: LogMan Tracing Implementation
::
:: :traceon-logman.exe
:: @param 1 session name
:: @param 2 optional etl base name; defaults to the session name
:: Buffers: 16/16 min/max, 2048 KB each, local-sequence mode; with 'circ'
:: the file is a binary circular log capped at %circbuf% MB. %circbuf% is
:: taken from the command line; :checkcirc is where it gets validated.
:traceon-logman.exe
if defined circ set circargs=-f bincirc -max !circbuf!
set "file=%~1"
if "%~2" neq "" set "file=%~2"
call :doit logman create trace -n %1 -o "%statedir%\%file%.etl" -mode localsequence -nb 16 16 -bs 2048 -ets %circargs%
exit /b

:: :traceadd-logman.exe
:: @param 1 session, 2 guid, 3 display name (unused), 4 level, 5 flags
:: logman's -p takes the provider, then flags, then level - hence %5 %4.
:traceadd-logman.exe
call :doit logman update -n %1 -p {%2} %5 %4 -ets
exit /b

:: :traceoff-logman.exe
:: @param 1 session name
:traceoff-logman.exe
call :doit logman stop -n %1 -ets
exit /b

::
:: TraceLog Tracing Implementation
::
:: :traceon-tracelog.exe
:: @param 1 session name
:: @param 2 optional etl base name; defaults to the session name
:: Mirrors the logman settings: 16/16 buffers of 2048 KB; 'circ' makes the
:: file circular with %circbuf% MB.
:traceon-tracelog.exe
if defined circ set circargs=-cir !circbuf!
set "file=%~1"
if "%~2" neq "" set "file=%~2"
call :doit tracelog -start %1 -f "%statedir%\%file%.etl" -ls -min 16 -max 16 -b 2048 -gs %circargs%
exit /b

:: :traceadd-tracelog.exe
:: @param 1 session, 2 guid, 3 display name (unused), 4 level, 5 flags
:traceadd-tracelog.exe
call :doit tracelog -enable %1 -guid #%2 -level %4 -flags %5
exit /b

:: :traceoff-tracelog.exe
:: @param 1 session name
:traceoff-tracelog.exe
call :doit tracelog -stop %1
exit /b

@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@rem finalization / cab generator
@rem
@rem two phase, second (*_final) is termination
:off

@rem timestamp
set timestampfile=%statedir%\timestamp.txt
echo %DATE% %TIME%> "!timestampfile!"

@rem os version data
set verfile=%statedir%\version.txt
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /t REG_SZ > "!verfile!"

if defined nocab goto :off_nocab

@rem check for makecab.exe
for %%i in (makecab.exe) do (set exe=%%~$PATH:i)
if "!exe!" equ "" (
    echo.
    echo.WARNING: makecab.exe not found. Proceeding as if 'nocab' was specified.
    goto :off_nocab
)

@rem construct cab directive file. DiskDirectory=. means the cab lands in
@rem the current directory, not in statedir. The cab name embeds the
@rem machine name and locale-formatted date/time; the time part may carry a
@rem leading space for single-digit hours.
set dirfile=%statedir%\tracecab.ddf
set cabname=t %computername% %date:/=-% %time::=-%.cab

echo .set CabinetName1="!cabname!" > !dirfile!
echo .set CompressionType=LZX >> !dirfile!
echo .set DiskDirectory=. >> !dirfile!
echo .set DiskDirectory1=. >> !dirfile!
echo .set InfFileName=nul >> !dirfile!
echo .set RptFileName=nul >> !dirfile!
echo .set maxdisksize=0 >> !dirfile!
call :addfile "!timestampfile!"
call :addfile "!verfile!"
call :addfile "!servicefile!"
call :addfile "!taskfile!"
for %%i in (!etl! !evtx!) do call :addfile "%statedir%\%%i"
@rem binaries named in the stopped streams' *_bins lists are taken from
@rem system32 or system32\drivers (whichever exists) into bin\ of the cab
for %%i in (!bins!) do (
    if exist "%systemroot%\system32\%%i" (
        call :addfile "%systemroot%\system32\%%i" bin\
    ) else if exist "%systemroot%\system32\drivers\%%i" (
        call :addfile "%systemroot%\system32\drivers\%%i" bin\
    )
)

echo ---
makecab /f "!dirfile!"
if !errorlevel! neq 0 (
    echo.ERROR: failed to compress trace files
    goto :off_nocab
)

echo ---
if defined bins echo compressed: matching system binaries
echo.compressed: version info +!etl!
echo.
echo.Traces are in:
echo.%CD%\!cabname!
echo.
echo.done.

@rem cleanup: the originals are removed only after a successful makecab;
@rem on failure they stay in statedir (see :off_nocab)
call :doit del "!servicefile!"
call :doit del "!taskfile!"
call :doit del "!dirfile!"
call :doit del "!verfile!"
call :doit del "!timestampfile!"
for %%i in (!etl! !evtx!) do call :doit del "%statedir%\%%i"
goto :off_final

@rem nocab or cab failure: print location of etl files.
@rem Falls through to :off_final; the directory and its files are kept.
:off_nocab
echo.
echo.
echo. Trace files were not compressed. They are located in:
echo. %statedir%

@rem finalization for off state
:off_final
@rem snapshot: switch back to 'on' and re-enter at :snapshot-restart. With
@rem nocab the old directory still holds the files, so a fresh one is made
@rem and recorded; otherwise the emptied directory is simply reused.
if "%mode%" equ "snapshot" (
    set mode=on
    if defined nocab (
        @rem create new statedir
        call :mkstatedir "%TEMP%\t"
        call :persistSet statedir "!statedir!"
    )
    goto :snapshot-restart
)
@rem the directory is only removed when its contents went into the cab.
@rem NOTE(review): statedir was read back from HKCU at start-up - see the
@rem persistence utilities for why that value is not fully trustworthy.
if not defined nocab call :doit rmdir "!statedir!"
call :persistDelete
endlocal
goto :eof

@rem finalization for on state
:on_final
@rem with 'single' the accumulated provider list is printed once, here
if %single% geq 1 call :disp
endlocal
goto :eof

:: -----------------------------------------------------------------------
:: :addfile
:: Adds a file to the CAB manifest (%dirfile%), as "<8.3 path> <dest>".
:: Note: Files may be located in directories containing spaces,
:: but the files themselves must not have spaces in their names
:: @param 1 file to add; silently skipped when it does not exist
:: @param 2 subdirectory to place in cab file
:: (must be followed by '\' and not contain spaces)
:addfile
if not exist %1 goto :eof
echo.%~s1 %~2%~nx1 >> !dirfile!
goto :eof

:: :doit
:: Run a command with stdout discarded and report it verbatim on failure.
:: @param * the command line to run
:: @return the command's errorlevel
:doit
%* >nul
if not errorlevel 1 goto :eof
echo failed: %*
goto :eof

:: :disp
:: Print the status line accumulated by :traceon/:traceadd.
:disp
echo.!disp!
exit /b

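@rem Check for circular buffer option and buffer size.
:: :checkcirc
:: Recognises 'circ' or 'circ:N'; N defaults to 50 when omitted.
:: @param 1 the argument to examine
:: @return errorlevel 0 with circ=1 and circbuf=N when matched; 1 otherwise,
::         which the caller reports as an invalid parameter. N is pasted
::         into logman -max, tracelog -cir and netsh maxSize later on, so a
::         non-numeric N is rejected here instead of failing inside those
::         tools after the session was half set up.
:checkcirc
for /f "tokens=1,2 delims=:" %%i in ("%~1") do (
    if /i "%%i" equ "circ" (
        set circ=1
        set "circbuf=%%j"
        if "%%j" equ "" set circbuf=50
        rem any non-digit in N survives the delims and makes the inner for run
        for /f "delims=0123456789" %%d in ("!circbuf!") do (
            echo.ERROR: circular buffer size must be a whole number of megabytes: %1
            set circ=
            set circbuf=
            exit /b 1
        )
        echo Enabling circular buffer of size !circbuf! MB
        exit /b 0
    )
)
exit /b 1
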
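@rem Check for specific driver, flags and level.
:: :checkdriver
:: Recognises '<driver>:<flags>:<level>' for rdbss, mrxsmb and smb20 and
:: sets <driver>=1, <driver>flags and <driver>level.
:: @param 1 the argument to examine
:: @return errorlevel 0 when matched, 1 otherwise. Both flags and level
::         must be present and hexadecimal (usage says so): previously a
::         missing level was accepted and later shifted the :traceadd
::         arguments, silently enabling the provider with the wrong values.
:checkdriver
for /f "tokens=1,2,3 delims=:" %%i in ("%~1") do (
    for %%d in (rdbss mrxsmb smb20) do (
        if /i "%%i" equ "%%d" (
            call :checkdriver_hex "%%j"
            if errorlevel 1 exit /b 1
            call :checkdriver_hex "%%k"
            if errorlevel 1 exit /b 1
            set %%d=1
            set %%dflags=%%j
            set %%dlevel=%%k
            exit /b 0
        )
    )
)
exit /b 1

:: :checkdriver_hex
:: @param 1 value to check
:: @return errorlevel 1 when the value is empty or contains a character
::         outside [0-9a-fA-Fx], 0 otherwise (a non-hex character survives
::         the delims and makes the for body run)
:checkdriver_hex
if "%~1" equ "" exit /b 1
for /f "delims=0123456789abcdefABCDEFxX" %%c in ("%~1") do exit /b 1
exit /b 0
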