Make sense of event log data

JohnOne

I'm thinking about writing a little diagnostic helper tool, and I'm starting with boot-up info.

So, retrieving data from the event log (Applications and Services Logs -> Microsoft -> Windows -> Diagnostics-Performance -> Operational -> Event ID 100), I'm getting the following data...

System
  Provider
    Name           Microsoft-Windows-Diagnostics-Performance
    Guid           {CFC18EC0-96B1-4EBA-961B-622CAEE05B0A}
  EventID          100
  Version          2
  Level            3
  Task             4002
  Opcode           34
  Keywords         0x8000000000010000
  TimeCreated
    SystemTime     2015-05-19T09:24:44.802879600Z
  EventRecordID    3059
  Correlation
    ActivityID     {86F69364-17C3-0001-D8F1-FEB31392D001}
  Execution
    ProcessID      1684
    ThreadID       4732
  Channel          Microsoft-Windows-Diagnostics-Performance/Operational
  Computer         snotrag
  Security
    UserID         S-1-4-18

EventData
  BootTsVersion                         2
  BootStartTime                         2015-05-19T09:10:51.560801800Z
  BootEndTime                           2015-05-19T09:24:41.788707200Z
  SystemBootInstance                    626
  UserBootInstance                      423
  BootTime                              41367
  MainPathBootTime                      16967
  BootKernelInitTime                    24
  BootDriverInitTime                    395
  BootDevicesInitTime                   4064
  BootPrefetchInitTime                  43677
  BootPrefetchBytes                     403791872
  BootAutoChkTime                       0
  BootSmssInitTime                      5370
  BootCriticalServicesInitTime          577
  BootUserProfileProcessingTime         884
  BootMachineProfileProcessingTime      519
  BootExplorerInitTime                  1774
  BootNumStartupApps                    4
  BootPostBootTime                      24400
  BootIsRebootAfterInstall              false
  BootRootCauseStepImprovementBits      0
  BootRootCauseGradualImprovementBits   0
  BootRootCauseStepDegradationBits      192
  BootRootCauseGradualDegradationBits   64
  BootIsDegradation                     false
  BootIsStepDegradation                 false
  BootIsGradualDegradation              false
  BootImprovementDelta                  0
  BootDegradationDelta                  0
  BootIsRootCauseIdentified             true
  OSLoaderDuration                      2336
  BootPNPInitStartTimeMS                24
  BootPNPInitDuration                   4086
  OtherKernelInitDuration               3225
  SystemPNPInitStartTimeMS              7277
  SystemPNPInitDuration                 373
  SessionInitStartTimeMS                7685
  Session0InitDuration                  2121
  Session1InitDuration                  369
  SessionInitOtherDuration              2879
  WinLogonStartTimeMS                   13056
  OtherLogonInitActivityDuration        732
  UserLogonWaitDuration                 723059

 

However I don't really know what half of that stuff really means, and I'm looking for any knowledge regarding them.

 

Edited by Melba23
Changed Quote to Text box

AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.

JohnOne

Follow-up question.

As you can see the event I'm looking at is 100, and it shows the time taken to boot the computer, and that is useful.

But if there are no problems during boot regarding the time it takes, then this event is not logged.

Wondering if anyone knows another consistent way to determine how long the system took to boot?

Edited by JohnOne

kaesereibe

Maybe with GetTickCount?

Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.

Call it when your PC has finished booting, maybe from a startup or logon script.

Since I have never tested it this way, I cannot say when GetTickCount starts to count.

Edited by kaesereibe
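The GetTickCount route from the post above, as an added example in Python rather than AutoIt (it is not code from the thread). Two things matter when using it from a logon script: the count starts roughly when the OS kernel starts, so a reading taken at logon is the time from kernel start to logon, without the firmware and OS loader phases and without the post-boot settling that Event 100's BootTime includes; and GetTickCount is a 32-bit value that wraps after 2^32 ms, about 49.7 days, so a difference between two readings has to be taken modulo 2^32, or taken with GetTickCount64 (Vista and later), which does not wrap. The function names are this example's own; the Windows APIs are the real ones.

```python
"""Time since boot via GetTickCount, wrap-safe, for a logon/startup script.

Added example, not code from the thread. Off Windows, ms_since_boot() returns
None so the pure helpers can still be exercised.
"""
import ctypes
import sys
from typing import Optional

TICK_WRAP = 1 << 32  # GetTickCount is 32-bit: it wraps every 2**32 ms (~49.7 days)


def tick_elapsed_ms(start_ticks: int, now_ticks: int) -> int:
    """Elapsed ms between two GetTickCount readings, correct across one wrap."""
    return (now_ticks - start_ticks) % TICK_WRAP


def ticks_to_text(ms: int) -> str:
    """Render a millisecond count as d:hh:mm:ss.mmm for a log line."""
    seconds, millis = divmod(ms, 1000)
    minutes, sec = divmod(seconds, 60)
    hours, minute = divmod(minutes, 60)
    days, hour = divmod(hours, 24)
    return f"{days}:{hour:02}:{minute:02}:{sec:02}.{millis:03}"


def ms_since_boot() -> Optional[int]:
    """Milliseconds since the OS started (GetTickCount64), or None off Windows."""
    if sys.platform != "win32":
        return None
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetTickCount64.restype = ctypes.c_ulonglong
    kernel32.GetTickCount64.argtypes = []
    return int(kernel32.GetTickCount64())


if __name__ == "__main__":
    uptime = ms_since_boot()
    if uptime is None:
        print("not Windows: GetTickCount64 unavailable")
    else:
        # Run from a logon script this is roughly kernel start to logon, not
        # the full BootTime that Event 100 reports.
        print("ms since boot:", uptime, "=", ticks_to_text(uptime))
```

If you must stay with the 32-bit GetTickCount (for example from an older script host), store the raw value and compute differences with tick_elapsed_ms rather than subtracting directly; the modulo is what keeps a reading taken just after the 49.7-day wrap from coming out negative.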
iamtheky

Go here:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot

Set the bootminorthreshold and/or postbootminorthreshold to something like 1 sec. I would think every boot after that would log as a warning.

Totally untested, but I assume that is what snotrag is for.

Edited by boththose

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

JohnOne

iamtheky said:

    Go here:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot

    Set the bootminorthreshold and/or postbootminorthreshold to something like 1 sec. I would think every boot after that would log as a warning.

    Totally untested, but I assume that is what snotrag is for.

Unfortunately, setting these to 1, and the majors too, does not trigger the event to be logged.


iamtheky
JohnOne

Cheers, I'll try that, but before I do, does anyone know of software that can log what this executable is actually doing?

My search only reveals how to install and uninstall hotfixes.

EDIT: Maybe this is what I need

http://www.nirsoft.net/utils/reg_file_from_application.html

Edited by JohnOne

JohnOne

The above utility was unable to act on the hotfix; apparently the extension of the file did not fit the predefined extensions the tool allows. And the hotfix appears not to have worked anyway :(


iamtheky

What is the behavior after the hotfix? Does it appear as though those settings are being ignored entirely?


Wolfteeth
On 6/4/2015 at 6:42 PM, JohnOne said:

    Yes, I have had no abnormal boot-ups and the last event 100 remains the same as it was before I installed the hotfix.

Hi @JohnOne, how could you read the special event 100 in AutoIt? Any func? I am sure _EventLog__Open doesn't work...
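One added example that serves both the first post's question (what the Event 100 fields mean) and Wolfteeth's question above (how to read that event from a script); it is not code from the thread. _EventLog__Open wraps the classic OpenEventLog API, which only knows the classic logs (Application, System, Security); a channel under Applications and Services Logs such as Microsoft-Windows-Diagnostics-Performance/Operational has to be read through the newer Windows Event Log API, which wevtutil exposes from the command line. The script below asks wevtutil for the newest Event 100 as XML and decodes the named EventData fields shown in the first post; off Windows, or when no Event 100 is present, it falls back to a constructed sample built from the posted values. Two things the summary makes visible that the raw dump does not: BootTime is MainPathBootTime plus BootPostBootTime (16967 + 24400 = 41367 in the posted record, the time to the desktop plus the settling period after it), and the span from BootStartTime to BootEndTime is far longer than BootTime because it also contains UserLogonWaitDuration, the time the machine sat at the logon screen. The XML shape, namespace and wevtutil switches are the real ones; the sample record, the function names and the summary keys are this example's own.

```python
"""Decode Diagnostics-Performance Event 100 (Windows boot timing) from its XML.

Added example for the thread, not code from it. Fetches the newest Event 100
with wevtutil (Windows only); otherwise uses the constructed sample below.
"""
import subprocess
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

CHANNEL = "Microsoft-Windows-Diagnostics-Performance/Operational"
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVELS = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Constructed sample in the shape `wevtutil qe ... /f:xml` returns; the figures
# are the ones posted in the thread (only fields the summary needs are kept).
SAMPLE_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Diagnostics-Performance'/>
<EventID>100</EventID><Version>2</Version><Level>3</Level><Task>4002</Task>
<TimeCreated SystemTime='2015-05-19T09:24:44.802879600Z'/><EventRecordID>3059</EventRecordID>
<Channel>Microsoft-Windows-Diagnostics-Performance/Operational</Channel>
<Computer>snotrag</Computer></System>
<EventData><Data Name='BootTsVersion'>2</Data>
<Data Name='BootStartTime'>2015-05-19T09:10:51.560801800Z</Data>
<Data Name='BootEndTime'>2015-05-19T09:24:41.788707200Z</Data>
<Data Name='BootTime'>41367</Data><Data Name='MainPathBootTime'>16967</Data>
<Data Name='BootPostBootTime'>24400</Data><Data Name='BootNumStartupApps'>4</Data>
<Data Name='BootIsDegradation'>false</Data><Data Name='BootIsRootCauseIdentified'>true</Data>
<Data Name='UserLogonWaitDuration'>723059</Data></EventData></Event>"""


def fetch_latest_boot_event_xml() -> Optional[str]:
    """Newest Event 100 as XML via wevtutil, or None off Windows / when absent."""
    if sys.platform != "win32":
        return None
    cmd = ["wevtutil", "qe", CHANNEL, "/q:*[System[(EventID=100)]]",
           "/f:xml", "/rd:true", "/c:1"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


def _typed(text: Optional[str]):
    """EventData values arrive as text; recover bool/int where unambiguous."""
    if text in ("true", "false"):
        return text == "true"
    if text is not None and text.lstrip("-").isdigit():
        return int(text)
    return text


def parse_win_time(ts: str) -> datetime:
    """Event timestamps carry 100 ns digits and a trailing Z; keep microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def parse_boot_event(xml_text: str) -> dict:
    """Flatten one Event 100 record into a dict keyed by its field names."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    rec = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Level": int(system.findtext("e:Level", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        rec[data.get("Name")] = _typed(data.text)
    return rec


def summarize(rec: dict) -> dict:
    """What a boot diagnostic would report from one record (times in seconds)."""
    span = parse_win_time(rec["BootEndTime"]) - parse_win_time(rec["BootStartTime"])
    return {
        "computer": rec["Computer"],
        "level": LEVELS.get(rec["Level"], str(rec["Level"])),
        "boot_time_s": rec["BootTime"] / 1000,
        "main_path_s": rec["MainPathBootTime"] / 1000,
        "post_boot_s": rec["BootPostBootTime"] / 1000,
        # BootTime is the two phases added together; distrust a record where not.
        "phases_add_up": rec["MainPathBootTime"] + rec["BootPostBootTime"] == rec["BootTime"],
        # Wall-clock span of the record; it exceeds BootTime by roughly the time
        # spent at the logon screen (UserLogonWaitDuration), not by a slow boot.
        "wall_clock_s": round(span.total_seconds(), 3),
        "logon_wait_s": rec.get("UserLogonWaitDuration", 0) / 1000,
        "degraded": bool(rec.get("BootIsDegradation", False)),
    }


if __name__ == "__main__":
    record = parse_boot_event(fetch_latest_boot_event_xml() or SAMPLE_XML)
    for key, value in summarize(record).items():
        print(f"{key:15} {value}")
```

Level 3 in the System block is Warning, which is why Event Viewer shows these records with the warning icon. Because `/rd:true /c:1` returns only the newest record, a helper that wants a trend should drop `/c:1` and feed each `<Event>` element to parse_boot_event in turn.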
