Enabling ETW tracing for NTLM issues

ETW (Event Tracing for WIndows) is said to be powerful by Microsoft, but the setup of the various providers can be tedious because the documentation often lacks examples for the specific provider you desesperately need.

Here is a script to start recording NTLM authentication traces on a Domain Controller, in the existing directory of your choice

@echo off
if "%1"=="" goto :usage
if not exist %1 goto :usage
ECHO These commands will enable tracing:
@echo on
logman create trace "ds_ds" -ow -o %1\%computername%_ds.etl -p {1C83B2FC-C04F-11D1-8AFC-00C04FC21914} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
logman update trace "ds_ds" -p {8E598056-8993-11D2-819E-0000F875A064} 0xffffffffffffffff 0xff -ets
logman update trace "ds_ds" -p {F33959B4-DBEC-11D2-895B-00C04F79AB69} 0xffffffffffffffff 0xff -ets
logman update trace "ds_ds" -p {24DB8964-E6BC-11D1-916A-0000F8045B04} 0xffffffffffffffff 0xff -ets
@echo off
echo
ECHO Reproduce your issue and enter any key to stop tracing
@echo on
pause
logman stop "ds_ds" -ets
@echo off
echo Tracing has been captured and saved successfully at c:\ds_ds.etl
pause
goto :eof
:usage
echo %~nx0 directory
echo records the NTLM ETW trace in the existing directory as %computername%_ds.etl

@echo off

if "%1"=="" goto :usage

if not exist %1 goto :usage

ECHO These commands will enable tracing:

@echo on

logman create trace "ds_ds" -ow -o %1\%computername%_ds.etl -p {1C83B2FC-C04F-11D1-8AFC-00C04FC21914} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets

logman update trace "ds_ds" -p {8E598056-8993-11D2-819E-0000F875A064} 0xffffffffffffffff 0xff -ets

logman update trace "ds_ds" -p {F33959B4-DBEC-11D2-895B-00C04F79AB69} 0xffffffffffffffff 0xff -ets

logman update trace "ds_ds" -p {24DB8964-E6BC-11D1-916A-0000F8045B04} 0xffffffffffffffff 0xff -ets

@echo off

echo

ECHO Reproduce your issue and enter any key to stop tracing

@echo on

pause

logman stop "ds_ds" -ets

@echo off

echo Tracing has been captured and saved successfully at c:\ds_ds.etl

pause

goto :eof

:usage

echo %~nx0 directory

echo records the NTLM ETW trace in the existing directory as %computername%_ds.etl

2 thoughts on “Enabling ETW tracing for NTLM issues”

Reply ↓

Charlie 1st November 2018 at 11:54

Hello
I am using the script and imported the results into event view for windows

However although I get lots of events with Event ID 0 there is no data in any of the events

For example I ran it on the domain controller then from a non domain joined computer I mapped tried to map a drive to e.g. \\10.10.10.10\c$ (where the IP address is the IP address of the DC) using an incorrect username and password combination so I know it would error
However then I stopped the trace and looked a the log I just saw lots of event ID 0 with no data in any of them, that am I doing wrong please

Reply ↓

Dimitri Post author 1st November 2018 at 21:12

Since the code was written on Windows 2008R2, you may want to check if the providers are still available under the same GUID.
Do the GUIDs in the batch file show up when you run “logman query providers”.

Dimitri's Wanderings

Personal and whimsical wanderings mostly about IT

Personal and whimsical wanderings mostly about IT

Enabling ETW tracing for NTLM issues 2

Leave a comment Cancel reply

2 thoughts on “Enabling ETW tracing for NTLM issues”