ETW (Event Tracing for Windows) is said to be powerful by Microsoft, but setting up the various providers can be tedious because the documentation often lacks examples for the specific provider you desperately need.
Here is a script to start recording NTLM authentication traces on a Domain Controller, in an existing directory of your choice:
```batch
@echo off
REM Usage: <script> <existing directory>
REM Starts an ETW trace session named "ds_ds" with four providers and writes
REM <directory>\<computername>_ds.etl as a circular log (4096 MB cap).
if "%~1"=="" goto :usage
if not exist "%~1" goto :usage
ECHO These commands will enable tracing:
@echo on
logman create trace "ds_ds" -ow -o "%~1\%computername%_ds.etl" -p {1C83B2FC-C04F-11D1-8AFC-00C04FC21914} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
logman update trace "ds_ds" -p {8E598056-8993-11D2-819E-0000F875A064} 0xffffffffffffffff 0xff -ets
logman update trace "ds_ds" -p {F33959B4-DBEC-11D2-895B-00C04F79AB69} 0xffffffffffffffff 0xff -ets
logman update trace "ds_ds" -p {24DB8964-E6BC-11D1-916A-0000F8045B04} 0xffffffffffffffff 0xff -ets
@echo off
echo.
ECHO Reproduce your issue and press any key to stop tracing
@echo on
pause
logman stop "ds_ds" -ets
@echo off
echo Tracing has been captured and saved successfully at "%~1\%computername%_ds.etl"
pause
goto :eof
:usage
echo %~nx0 directory
echo records the NTLM ETW trace in the existing directory as %computername%_ds.etl
```
Hello
I am using the script and imported the results into Event Viewer for Windows.
However, although I get lots of events with Event ID 0, there is no data in any of the events.
For example, I ran it on the domain controller, then from a non-domain-joined computer I tried to map a drive to e.g. \\10.10.10.10\c$ (where the IP address is the IP address of the DC) using an incorrect username and password combination, so I know it would error.
However, then I stopped the trace and looked at the log, and I just saw lots of event ID 0 with no data in any of them. What am I doing wrong please?
Since the code was written on Windows 2008R2, you may want to check if the providers are still available under the same GUID.
Do the GUIDs in the batch file show up when you run "logman query providers"?
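A PowerShell equivalent, added here as an example and not part of the original script: it performs the provider-registration check the reply suggests, starts the same "ds_ds" session with the same four GUIDs, and reads the capture back with Get-WinEvent. It assumes an elevated prompt on the DC and the output directory passed as a parameter.

```powershell
param(
    [Parameter(Mandatory)] [string] $OutputDirectory,
    [string] $SessionName = 'ds_ds'
)

# Provider GUIDs taken from the batch script above.
$Providers = @(
    '{1C83B2FC-C04F-11D1-8AFC-00C04FC21914}',
    '{8E598056-8993-11D2-819E-0000F875A064}',
    '{F33959B4-DBEC-11D2-895B-00C04F79AB69}',
    '{24DB8964-E6BC-11D1-916A-0000F8045B04}'
)

if (-not (Test-Path -LiteralPath $OutputDirectory -PathType Container)) {
    throw "Directory '$OutputDirectory' does not exist."
}

# "logman query providers" prints one line per registered provider with its
# GUID; pull every GUID out of that output and compare against the list above.
$registered = (logman query providers | Out-String) |
    Select-String -Pattern '\{[0-9A-Fa-f-]{36}\}' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value.ToUpperInvariant() }
$missing = $Providers | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning "Not registered on this host, so no events will come from: $($missing -join ', ')"
}

# Same session as the batch script. The keyword/level masks are quoted so
# PowerShell passes them as text instead of parsing them as numeric literals.
$Etl = Join-Path $OutputDirectory "${env:COMPUTERNAME}_ds.etl"
logman create trace $SessionName -ow -o $Etl -p $Providers[0] '0xffffffffffffffff' '0xff' `
    -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
foreach ($p in $Providers[1..3]) {
    logman update trace $SessionName -p $p '0xffffffffffffffff' '0xff' -ets
}

Read-Host 'Reproduce the issue, then press Enter to stop tracing' | Out-Null
logman stop $SessionName -ets

# Read the capture directly; ProviderId shows which of the four providers
# emitted each record even when the viewer cannot render a message for it.
Get-WinEvent -Path $Etl -Oldest |
    Select-Object -First 20 TimeCreated, ProviderId, Id, Message |
    Format-Table -AutoSize
```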