
Commit 7e39294

Merge pull request #36 from microsoft/20220804_SQLTrace_LoggingUpdate
Update SQLTrace.ps1
2 parents 8c11da4 + 2391065 commit 7e39294


1 file changed

+160
-84
lines changed


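--- a/SQLTrace/SQLTrace.ps1
+++ b/SQLTrace/SQLTrace.ps1
@@ -69,10 +69,10 @@ Function Main
 ReadINIFile
 DisplayINIValues # TODO hide
 
-if ($Setup) { DisplayLicenseAndHeader } # set BID Trace :Path registry if asked for in the INI file
+if ($Setup) { DisplayLicenseAndHeader; SetupTraces } # set BID Trace :Path registry if asked for in the INI file
 elseif ($Start) { SetLogFolderName; StartTraces } # set BID Trace registry if not already set, then pause and prompt to restart app
 elseif ($Stop) { GetLogFolderName; StopTraces }
-elseif ($Cleanup) { CleanEnvironment }
+elseif ($Cleanup) { CleanupTraces }
 else { DisplayLicenseAndHeader; DisplayHelpMessage }
 }
 }
@@ -246,12 +246,6 @@ Function GetLogFolderName
 LogInfo "Progress Log name: $($global:LogProgressFileName)"
 }
 
-Function CleanEnvironment
-{
-# After we stop tracing, clear the environment variable, so we do not re-use the folder name
-[System.Environment]::SetEnvironmentVariable($global:LogFolderEnvName, $null, [System.EnvironmentVariableTarget]::Machine)
-}
-
 # ================================= Class Definitions ===========================
 
 class INIValueClass # contains all the INI file settings in one place
@@ -280,6 +274,77 @@ class RunningSettings
 [System.Diagnostics.Process] $NetmonProcess = $null
 }
 
+# ======================================= Setup Traces =========================================
+
+Function SetupTraces
+{
+SetupBIDRegistry
+}
+
+Function SetupBIDRegistry
+{
+if($BidTrace -eq "Yes")
+{
+if (HasBIDBeenSet -eq $false)
+{
+SetBIDRegistry
+LogWarn "Restart the application to be traced if it is a service or desktop application."
+LogRaw ""
+}
+}
+else
+{
+LogInfo "BID Tracing is not enabled for this trace."
+LogRaw ""
+}
+}
+
+Function HasBIDBeenSet
+{
+$BIDPath = "HKLM:\Software\WOW6432Node\Microsoft\BidInterface\Loader"
+$BID32Path = "HKLM:\Software\WOW6432Node\Microsoft\BidInterface\Loader"
+
+# 32-bit test
+if ($global:INISettings.BidWow -eq "Only" -or $global:INISettings.BidWow -eq "Both")
+{
+$Path = Get-ItemProperty $BID32Path -Name ":Path"
+if ($Path -eq $null) { return $false }
+if ($Path.":Path" -ieq "MSDADIAG.DLL") { return $false } # case insensitive comparison
+}
+
+# 64-bit test
+if ($global:INISettings.BidWow -eq "Both" -or $global:INISettings.BidWow -eq "No")
+{
+$Path = Get-ItemProperty $BIDPath -Name ":Path"
+if ($Path -eq $null) { return $false }
+if ($Path.":Path" -ieq "MSDADIAG.DLL") { return $false } # case insensitive comparison
+}
+
+return $true
+}
+
+Function SetBIDRegistry
+{
+LogInfo "Setting BID trace registry keys ..."
+if($global:INISettings.BidWow -eq "Only")
+{
+LogInfo "BIDTrace - Set BIDInterface WOW64 MSDADIAG.DLL"
+reg add HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
+}
+elseif($global:INISettings.BidWow -eq "Both")
+{
+LogInfo "BIDTrace - Set BIDInterface MSDADIAG.DLL"
+reg add HKLM\Software\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
+LogInfo "BIDTrace - Set BIDInterface WOW64 MSDADIAG.DLL"
+reg add HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
+}
+else ## BIDWOW = No
+{
+LogInfo "BIDTrace - Set BIDInterface MSDADIAG.DLL"
+reg add HKLM\Software\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
+}
+}
+
 # ======================================= Start Traces =========================================
 
 Function StartTraces
@@ -362,36 +427,25 @@ Function StartBIDTraces
 if($global:INISettings.BidTrace -eq "Yes")
 {
 LogInfo "Starting BID Traces ..."
-if($global:INISettings.BidWow -eq "Only")
-{
-LogInfo "BIDTrace - Set BIDInterface WOW64 MSDADIAG.DLL"
-reg add HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
-}
-elseif($global:INISettings.BidWow -eq "Both")
-{
-LogInfo "BIDTrace - Set BIDInterface MSDADIAG.DLL"
-reg add HKLM\Software\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
-LogInfo "BIDTrace - Set BIDInterface WOW64 MSDADIAG.DLL"
-reg add HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
-}
-else ## BIDWOW = No
-{
-LogInfo "BIDTrace - Set BIDInterface MSDADIAG.DLL"
-reg add HKLM\Software\Microsoft\BidInterface\Loader /v :Path /t REG_SZ /d MsdaDiag.DLL /f
-}
+
+if (HasBIDBeenSet -eq $false)
+{
+SetBIDRegistry
+LogWarn "Please retart the application being traced if it is a desktop application or a service."
+LogWarn "Press Enter once restarted."
+Read-Host
+}
 
 ## Get Provider GUIDs - Add MSDIAG by default
 $guid = GETBIDTraceGUID("MSDADIAG")
 $vGUIDs.Add($guid) | out-null
 
 ## Add the ones listed in the INI file
-$global:INISettings.BidProviderList.Split(" ") | ForEach {
-$guid = GETBIDTraceGUID($_)
-$vGUIDs.Add($guid) | out-null
-}
+$global:INISettings.BidProviderList.Split(" ") | ForEach { $guid = GETBIDTraceGUID($_); $vGUIDs.Add($guid) | out-null }
 
-if((Test-Path "$($global:LogFolderName)\BIDTraces" -PathType Container) -eq $false){
-md "$($global:LogFolderName)\BIDTraces" > $null
+if((Test-Path "$($global:LogFolderName)\BIDTraces" -PathType Container) -eq $false)
+{
+md "$($global:LogFolderName)\BIDTraces" > $null
 }
 
 $cRow=0
@@ -496,7 +550,7 @@ Function StartAuthenticationTraces
 LogInfo "Starting Kerberos ETL Traces..."
 
 # **Kerberos**
-$Kerberos = @(
+$KerberosProviders = @(
 '{6B510852-3583-4e2d-AFFE-A67F9F223438}!0x7ffffff'
 '{60A7AB7A-BC57-43E9-B78A-A1D516577AE3}!0xffffff'
 '{FACB33C4-4513-4C38-AD1E-57C1F6828FC0}!0xffffffff'
@@ -505,18 +559,12 @@ Function StartAuthenticationTraces
 '{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}!0xffffffffffffffff'
 )
 
-##Purging Tickets
-klist purge | Out-Null
-klist purge -li 0x3e7 | Out-Null
-klist purge -li 0x3e4 | Out-Null
-klist purge -li 0x3e5 | Out-Null
-
 # Kerberos Logging to SYSTEM event log in case this is a client
 reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA\Kerberos\Parameters /v LogLevel /t REG_DWORD /d 1 /f
 
 logman start "Kerberos" -o "$($global:LogFolderName)\Auth\Kerberos.etl" -ets
 
-ForEach($KerberosProvider in $Kerberos)
+ForEach($KerberosProvider in $KerberosProviders)
 {
 # Update Logman Kerberos
 $KerberosParams = $KerberosProvider.Split('!')
@@ -531,7 +579,7 @@ Function StartAuthenticationTraces
 
 LogInfo "Starting CredSSP/NTLM Traces..."
 # **Ntlm_CredSSP**
-$Ntlm_CredSSP = @(
+$Ntlm_CredSSPProviders = @(
 '{5BBB6C18-AA45-49b1-A15F-085F7ED0AA90}!0x5ffDf'
 '{AC69AE5B-5B21-405F-8266-4424944A43E9}!0xffffffff'
 '{6165F3E2-AE38-45D4-9B23-6B4818758BD9}!0xffffffff'
@@ -541,7 +589,7 @@ Function StartAuthenticationTraces
 
 logman create trace "Ntlm_CredSSP" -o "$($global:LogFolderName)\Auth\Ntlm_CredSSP.etl" -ets
 
-ForEach($Ntlm_CredSSPProvider in $Ntlm_CredSSP)
+ForEach($Ntlm_CredSSPProvider in $Ntlm_CredSSPProviders)
 {
 # Update Logman Ntlm_CredSSP
 $Ntlm_CredSSPParams = $Ntlm_CredSSPProvider.Split('!')
@@ -557,14 +605,14 @@ Function StartAuthenticationTraces
 {
 LogInfo "Starting SSL Traces..."
 # **SSL**
-$SSL = @(
+$SSLProviders = @(
 '{37D2C3CD-C5D4-4587-8531-4696C44244C8}!0x4000ffff'
 )
 
 # Start Logman SSL
 logman start "SSL" -o "$($global:LogFolderName)\Auth\SSL.etl" -ets
 
-ForEach($SSLProvider in $SSL)
+ForEach($SSLProvider in $SSLProviders)
 {
 # Update Logman SSL
 $SSLParams = $SSLProvider.Split('!')
@@ -586,7 +634,7 @@ Function StartAuthenticationTraces
 nltest /dbflag:0x2EFFFFFF 2>&1 | Out-Null
 
 # **LSA**
-$LSA = @(
+$LSAProviders = @(
 '{D0B639E0-E650-4D1D-8F39-1580ADE72784}!0xC43EFF'
 '{169EC169-5B77-4A3E-9DB6-441799D5CACB}!0xffffff'
 '{DAA76F6A-2D11-4399-A646-1D62B7380F15}!0xffffff'
@@ -612,7 +660,7 @@ Function StartAuthenticationTraces
 $LSASingleTraceName = "LSA"
 logman create trace $LSASingleTraceName -o "$($global:LogFolderName)\Auth\LSA.etl" -ets
 
-ForEach($LSAProvider in $LSA)
+ForEach($LSAProvider in $LSAProviders)
 {
 # Update Logman LSA
 $LSAParams = $LSAProvider.Split('!')
@@ -660,34 +708,12 @@ Function StopTraces
 
 Function StopBIDTraces
 {
-
-
 if($global:INISettings.BidTrace -eq "Yes")
 {
 LogInfo "Stopping BID Traces ..."
-if($global:INISettings.BidWow -eq "Only")
-{
-LogInfo "BIDTrace - Unset BIDInterface WOW64 MSDADIAG.DLL"
-reg delete HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /f
-}
-elseif($global:INISettings.BidWow -eq "Both")
-{
-LogInfo "BIDTrace - Unset BIDInterface MSDADIAG.DLL"
-reg delete HKLM\Software\Microsoft\BidInterface\Loader /v :Path /f
-
-LogInfo "BIDTrace - Unset BIDInterface WOW64 MSDADIAG.DLL"
-reg delete HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /f
-}
-else ## BIDWOW = No
-{
-LogInfo "BIDTrace - Unset BIDInterface MSDADIAG.DLL"
-reg delete HKLM\Software\Microsoft\BidInterface\Loader /v :Path /f
-}
-
+# Do not clear the registry keys in case we run a second trace; use the -cleanup switch explicitly
 logman stop msbidtraces -ets
-
 }
-
 }
 
 
@@ -719,8 +745,6 @@ Function StopNetworkTraces
 LogInfo "Stopping Wireshark with PID: " + $WiresharkPID.ID
 Stop-Process -Name "dumpcap" -Force
 }
-
-
 }
 }
 
@@ -755,10 +779,12 @@ Function StopAuthenticationTraces
 reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v SPMInfoLevel /f 2>&1 | Out-Null
 reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LogToFile /f 2>&1 | Out-Null
 reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v NegEventMask /f 2>&1 | Out-Null
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA\NegoExtender\Parameters /v InfoLevel /f 2>&1
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA\Pku2u\Parameters /v InfoLevel /f 2>&1
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgInfoLevel /f 2>&1
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgTraceOptions /f 2>&1
+
+# Not set in the Start Traces command
+# reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA\NegoExtender\Parameters /v InfoLevel /f 2>&1
+# reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA\Pku2u\Parameters /v InfoLevel /f 2>&1
+# reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgInfoLevel /f 2>&1
+# reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v LspDbgTraceOptions /f 2>&1
 
 logman stop "LSA" -ets
 
@@ -779,20 +805,70 @@ Function StopAuthenticationTraces
 {
 
 LogInfo "Disabling/Collecting Event Viewer Logs..."
-# *** Event/Operational logs
-wevtutil.exe set-log "Microsoft-Windows-CAPI2/Operational" /enabled:false 2>&1
-wevtutil.exe export-log "Microsoft-Windows-CAPI2/Operational" "$($global:LogFolderName)\Auth\Capi2_Oper.evtx" /overwrite:true 2>&1
-wevtutil.exe set-log "Microsoft-Windows-Kerberos/Operational" /enabled:false 2>&1
-wevtutil.exe export-log "Microsoft-Windows-Kerberos/Operational" "$($global:LogFolderName)\Auth\Kerb_Oper.evtx" /overwrite:true 2>&1
-
-#TODO: Reduce the amount of logs of EVTX + TXT
-wevtutil.exe export-log SECURITY "$($global:LogFolderName)\Auth\Security.evtx" /overwrite:true 2>&1
-wevtutil.exe export-log SYSTEM "$($global:LogFolderName)\Auth\System.evtx" /overwrite:true 2>&1
-wevtutil.exe export-log APPLICATION "$($global:LogFolderName)\Auth\Application.evtx" /overwrite:true 2>&1
+
+# Filter to just the last 24 hours: "/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
+# Alternate filter, events after a set time. Use variables in implementation: "/q:*[System[TimeCreated[@SystemTime>='2022-08-08T10:00:00']]]"
+$EventLogFilter = "/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]"
+
+# Event/Operational logs
+wevtutil.exe set-log "Microsoft-Windows-CAPI2/Operational" /enabled:false 2>&1 # stop logging
+wevtutil.exe export-log "Microsoft-Windows-CAPI2/Operational" "$($global:LogFolderName)\Auth\Capi2_Oper.evtx" "$EventLogFilter" /overwrite:true 2>&1 # export recent events to .evtx
+wevtutil.exe query-events "Microsoft-Windows-CAPI2/Operational" "$EventLogFilter" /f:Text > "$($global:LogFolderName)\Auth\Capi2_Oper.txt" # export recent events to .txt
+
+wevtutil.exe set-log "Microsoft-Windows-Kerberos/Operational" /enabled:false 2>&1 # stop logging
+wevtutil.exe export-log "Microsoft-Windows-Kerberos/Operational" "$($global:LogFolderName)\Auth\Kerb_Oper.evtx" "$EventLogFilter" /overwrite:true 2>&1 # export recent events to .evtx
+wevtutil.exe query-events "Microsoft-Windows-Kerberos/Operational" "$EventLogFilter" /f:Text > "$($global:LogFolderName)\Auth\Kerb_Oper.txt" # export recent events to .txt
+
+# Main event logs - security, system, and application
+wevtutil.exe export-log SECURITY "$($global:LogFolderName)\Auth\Security.evtx" "$EventLogFilter" /overwrite:true 2>&1 # export recent events to .evtx
+wevtutil.exe query-events SECURITY "$EventLogFilter" /f:Text > "$($global:LogFolderName)\Auth\Security.txt" # export recent events to .txt
+
+wevtutil.exe export-log SYSTEM "$($global:LogFolderName)\Auth\System.evtx" "$EventLogFilter" /overwrite:true 2>&1 # export recent events to .evtx
+wevtutil.exe query-events SYSTEM "$EventLogFilter" /f:Text > "$($global:LogFolderName)\Auth\System.txt" # export recent events to .txt
+
+wevtutil.exe export-log APPLICATION "$($global:LogFolderName)\Auth\Application.evtx" "$EventLogFilter" /overwrite:true 2>&1 # export recent events to .evtx
+wevtutil.exe query-events APPLICATION "$EventLogFilter" /f:Text > "$($global:LogFolderName)\Auth\Application.txt" # export recent events to .txt
 }
 }
 }
 
+# ======================================= Cleanup Traces =========================================
+
+Function CleanupTraces
+{
+CleanEnvironment
+ClearBIDRegistry
+}
+
+Function CleanEnvironment
+{
+# After we stop tracing, clear the environment variable, so we do not re-use the folder name
+[System.Environment]::SetEnvironmentVariable($global:LogFolderEnvName, $null, [System.EnvironmentVariableTarget]::Machine)
+}
+
+Function ClearBIDRegistry
+{
+LogInfo "Clearing BID trace registry keys ..."
+if($global:INISettings.BidWow -eq "Only")
+{
+LogInfo "BIDTrace - Unset BIDInterface WOW64 MSDADIAG.DLL"
+reg delete HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /f
+}
+elseif($global:INISettings.BidWow -eq "Both")
+{
+LogInfo "BIDTrace - Unset BIDInterface MSDADIAG.DLL"
+reg delete HKLM\Software\Microsoft\BidInterface\Loader /v :Path /f
+
+LogInfo "BIDTrace - Unset BIDInterface WOW64 MSDADIAG.DLL"
+reg delete HKLM\Software\WOW6432Node\Microsoft\BidInterface\Loader /v :Path /f
+}
+else ## BIDWOW = No
+{
+LogInfo "BIDTrace - Unset BIDInterface MSDADIAG.DLL"
+reg delete HKLM\Software\Microsoft\BidInterface\Loader /v :Path /f
+}
+}
+
 # ======================================= Logging ===============================
 
 Function LogMessage($Message, $LogLevel = "info")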
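Review bot: The new `HasBIDBeenSet` helper cannot report the 64-bit key correctly, because `$BIDPath` and `$BID32Path` are both assigned the `WOW6432Node` path, and its two `-ieq "MSDADIAG.DLL"` branches return `$false` when `:Path` already is the diagnostics DLL, which reads as the opposite of what the name and the `SetBIDRegistry` callers expect. The call sites compound this: `if (HasBIDBeenSet -eq $false)` in both `SetupBIDRegistry` and `StartBIDTraces` is parsed in command mode, so `-eq` and `$false` are passed as arguments and the condition is simply the function's return value — on a host where `:Path` is absent, `Get-ItemProperty` returns nothing, the helper returns `$false`, and the registry is never written. Use `if (-not (HasBIDBeenSet))` at both call sites and rewrite the helper as below; `-ErrorAction SilentlyContinue` also keeps the expected "property does not exist" error off the console. Separately, `SetupBIDRegistry` tests `$BidTrace` while `StartBIDTraces` tests `$global:INISettings.BidTrace`; unless `$BidTrace` is a script parameter, the `-Setup` path will always log "BID Tracing is not enabled". Since `StopBIDTraces` now deliberately leaves the machine-wide BID loader key in place, every data-access process on the host keeps loading `MsdaDiag.DLL` until `-Cleanup` is run, which is worth stating in the help text and in the comment on that line.

```powershell
Function HasBIDBeenSet
{
    # Returns $true only when every BID loader key selected by BidWow already points at MsdaDiag.DLL.
    $BIDPath   = "HKLM:\Software\Microsoft\BidInterface\Loader"              # native (64-bit) key
    $BID32Path = "HKLM:\Software\WOW6432Node\Microsoft\BidInterface\Loader"  # WOW64 (32-bit) key

    # 32-bit test
    if ($global:INISettings.BidWow -eq "Only" -or $global:INISettings.BidWow -eq "Both")
    {
        $Path = Get-ItemProperty $BID32Path -Name ":Path" -ErrorAction SilentlyContinue
        if ($Path -eq $null) { return $false }
        if ($Path.":Path" -ine "MSDADIAG.DLL") { return $false } # case insensitive; anything else means not set for tracing
    }

    # 64-bit test
    if ($global:INISettings.BidWow -eq "Both" -or $global:INISettings.BidWow -eq "No")
    {
        $Path = Get-ItemProperty $BIDPath -Name ":Path" -ErrorAction SilentlyContinue
        if ($Path -eq $null) { return $false }
        if ($Path.":Path" -ine "MSDADIAG.DLL") { return $false }
    }

    return $true
}
```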
