Thursday, July 14, 2011

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part III

Microsoft has exposed a substantial number of trace providers since XP. With Windows 7, Microsoft has increased the number of providers substantially over previous versions of Windows and added 'netsh trace' functionality to enable tracing, conversion and batching of these kernel-level counters. In the commands below, I have mixed cmd shell, PowerShell and Cygwin commands to parse ETL files. In general, parsing ETL files with 'Get-WinEvent' and PowerShell takes a while. You can understand 'netsh' filtering best with 'netsh trace show CaptureFilterHelp'; however, I recommend setting your 'netsh trace start maxSize=' parameter to 150 MB or less. (The default is an almost unworkable 250 MB.)


From cmd.exe, a variable holding the date and time (a timestamp) is useful for naming the trace file:

realtd.cmd
@echo off
rem Replace the slashes in %date% with dots (e.g. "Thu 07/07/2011" -> "Thu 07.07.2011")
set realdate=%date:/=.%
rem Drop everything up to and including the first space (the day name)
set realdate=%realdate:* =%
rem Replace the colons in %time% with dots (e.g. " 1:38:09.40" -> " 1.38.09.40")
set realtime=%time::=.%
rem Drop the leading space %time% has for single-digit hours (no change otherwise)
set realtime=%realtime:* =%
rem e.g. 07.07.2011_1.38.09.40, used in the trace file name below
set timestamp=%realdate%_%realtime%


From cmd.exe we can start the trace:

netsh trace start provider=Microsoft-Windows-Kernel-Network provider=Microsoft-Windows-Kernel-Process provider=Microsoft-Windows-Security-Auditing provider=Microsoft-Windows-Security-Netlogon provider=Microsoft-Windows-TCPIP persistent=yes traceFile=%LOCALAPPDATA%\Temp\NetTraces\NetTrace%timestamp%.etl

and stop the trace:

netsh trace stop

If we choose to convert the trace with 'netsh', we can dump it to a text or CSV file with:

netsh trace convert input=NetTrace07.07.2011_1.38.09.40.etl output=NetTrace07.07.2011_1.38.09.40.txt dump=TXT

Next we can try parsing a particular provider from PowerShell. Here I choose the "Microsoft-Windows-TCPIP" provider. I enlarge the screen buffer so that 'Format-Table' has enough width to show the whole trace line:

# Widen the console buffer so Format-Table has 500 columns to work with
$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(500,1000)
# One or more provider names to extract; a single string is iterated once
$Providers="Microsoft-Windows-TCPIP"
$FileName="NetTrace07.07.2011_1.38.09.40.etl"
# -Oldest is required when reading an .etl file; one text file is written per provider
foreach ($ProviderName in $Providers) {get-winevent -path "$FileName" -oldest | where {$_.ProviderName -eq "$ProviderName"} | ft TimeCreated, Message| out-file -encoding ASCII -file "$FileName$ProviderName.txt"}

I find I cannot make GNUWin32 gawk work as advertised inside PowerShell.
The following line does not work in Powershell:

## grep -i -w "remote" "$FileName$ProviderName.txt" | tr -s ' ' | gawk '{print $1" "$2" "$3","$4" "$5" "$6" "$7" "$8" "$9}' | out-file -encoding ASCII -append "$ProviderName.csv"

But this will work just fine in Cygwin:

grep -i -w "remote" NetTrace07.07.2011_1.38.09.40.etlMicrosoft-Windows-TCPIP.txt | tr -s ' ' | gawk '{print $1" "$2" "$3","$4" "$5" "$6" "$7" "$8" "$9}' >> NetTrace07.07.2011_1.38.09.40.etlMicrosoft-Windows-TCPIP.csv

and we are looking at a spreadsheet like this:
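The same filter-and-export step done with PowerShell's own cmdlets, as an added example that is not part of the original post: it reads the event objects directly, so no Format-Table text and no gawk is involved. It assumes the trace file and provider name used above and the "remote" keyword the post greps for, and first lists which providers the ETL actually contains.

```powershell
# Added example (not from the original post). Assumes the trace file and
# provider name used above; 'remote' is the keyword the post greps for.
$FileName     = 'NetTrace07.07.2011_1.38.09.40.etl'
$ProviderName = 'Microsoft-Windows-TCPIP'
$Keyword      = 'remote'

# -Oldest is mandatory for .etl input. Read the file once into memory so the
# slow ETL parse is not repeated for every query below.
$Events = Get-WinEvent -Path $FileName -Oldest

# Sanity check: which providers are actually in this trace, and how many
# events each one logged. Run this before filtering on a provider name.
$Events | Group-Object ProviderName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Case-insensitive whole-word match, the equivalent of grep -i -w.
$Pattern = '\b' + [regex]::Escape($Keyword) + '\b'

# Date and time become separate columns (as the gawk print did); runs of
# whitespace are collapsed (what 'tr -s' did) and the whole message is kept,
# where Format-Table would have truncated it at the buffer width.
$Events |
    Where-Object { $_.ProviderName -eq $ProviderName -and $_.Message -match $Pattern } |
    Select-Object @{ Name = 'Date';    Expression = { $_.TimeCreated.ToString('yyyy-MM-dd') } },
                  @{ Name = 'Time';    Expression = { $_.TimeCreated.ToString('HH:mm:ss.fff') } },
                  @{ Name = 'EventId'; Expression = { $_.Id } },
                  @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } } |
    Export-Csv -Path "$FileName$ProviderName.csv" -NoTypeInformation -Encoding ASCII
```

Because the events are written with Export-Csv rather than split on spaces, a message containing commas or extra spaces is quoted correctly instead of shifting the columns.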
