[SDP3][39e40a31-acc6-48e6-9379-a9bbe7e99272] PFE Collector Diagnostic

Summary

The PFE Collector Diagnostic collects data that can be used to troubleshoot Windows Networking, Setup, Performance, FailoverCluster, Microsoft Exchange Server, and Microsoft SQL Server.

More Information


Information that is collected


802.1x Client
Description | File name
802.1x Client netsh information from netsh.exe
{ComputerName}_8021xClient_netsh.TXT
HKLM\SOFTWARE\Microsoft\EAPOL
HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2
HKLM\SOFTWARE\Policies\Microsoft\Windows\Wireless
HKLM\SYSTEM\CurrentControlSet\Services\dot3svc
HKLM\SYSTEM\CurrentControlSet\Services\EapHost
HKLM\SYSTEM\CurrentControlSet\Services\Wlansvc
HKLM\SYSTEM\CurrentControlSet\Services\WZCSVC
{ComputerName}_8021xClient_reg_.TXT
Microsoft-Windows-EapHost/Operational
Microsoft-Windows-Wired-AutoConfig/Operational
Microsoft-Windows-WLAN-AutoConfig/Operational
{ComputerName}__evt_*.*

More information
Description | File name
Volume Shadow Copy Service (VSS) information via vssadmin utility output
{ComputerName}_VSSAdmin.TXT

Applied security templates
Description | File name
Applied Security Templates from windows\Security\Templates\Policies
{ComputerName}_AppliedSecTempl.txt

Audit policy
Description | File name
Auditpol Audit Policy output via 'auditpol.exe /backup /file'
{ComputerName}_Auditpolicy.csv
Current Per User policy output via 'auditpol.exe /get /user'
{ComputerName}_Auditpol_UserPolicy.txt
Get Configuration output via 'auditpol.exe /get /category'
{ComputerName}_Auditpol_Configuration.txt
Per User configured accounts output via 'auditpol.exe /list /user /v 1'
{ComputerName}_Auditpol_Per-User.txt

Best practices analyzer
Description | File name
Best Practices Analyzer (BPA) Report
{ComputerName}_*BPA*.htm

Boot information
Description | File name
BCDEdit Output
{ComputerName}_BCDEdit.TXT
Boot.ini file
{ComputerName}_Boot.Ini

Bootloader information
Description | File name
Boot.ini file
{ComputerName}_boot.ini
Output of bcdedit utility from affected machine
{ComputerName}_bcdedit.txt

DCDiag
Description | File name
DCDiag DNS Health information output via 'dcdiag.exe /v /test:dns /f'
{ComputerName}_DCDiag-DNS.log
DCDiag Topology Test output via 'dcdiag.exe /v /test:topology /f'
{ComputerName}_DCDiag-Topology.log
DCDiag Verbose output via 'dcdiag.exe /v /f'
{ComputerName}_DCDiag-Verbose.log

Deployment logs
Description | File name
DISM.log on Windows\logs\DISM
{ComputerName}_DISM-Windows-Logs.log
Service Pack Installation Log from %windir%\SVCPack.Log
{ComputerName}_SVCPack.Log
Setupact.log on Windows folder
{ComputerName}_setupact-windows.log
Setuperr.log on Windows folder
{ComputerName}_setuperr-windows.log
Task Sequencer Log on C:\_SMSTaskSequence
{ComputerName}_smsts_SMSTaskSequence.log
Task Sequencer Log on C:\SMSTSLog
{ComputerName}_smsts_SMSTSLog.log
Task Sequencer Log on System32\ccm\logs
{ComputerName}_smsts_ccm_logs.log
Task Sequencer Log on Temp folder
{ComputerName}_smsts_temp.log

Device drivers installation logs
Description | File name
Setupapi logs located on %windir%\inf folder
{ComputerName}_SetupAPI.Log

Devices and drivers
Description | File name
Devcon utility output
{ComputerName}_DevCon.txt
Fibre Channel Information Tool (FCInfo) output
{ComputerName}_FCInfo.txt
Filter Manager minifilter drivers and instances via Fltmc.exe utility output
{ComputerName}_Fltmc.TXT
Information about MS-DOS device names (symbolic links) via DOSDev utility
{ComputerName}_DOSDev.txt
Upper and lower filters information via fltrfind.exe utility
{ComputerName}_FltrFind.txt

DHCP Client
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\Dhcp
{ComputerName}_DhcpClient_reg_.TXT
Microsoft-Windows-Dhcp-Client/Operational
Microsoft-Windows-DhcpNap/Operational
Microsoft-Windows-Dhcpv6-Client/Operational
{ComputerName}__evt_*.*

DHCP Server
Description | File name
DHCP Server Netsh Dump
{ComputerName}_DhcpServer_netsh_dump.TXT
DHCP Server Netsh Output
{ComputerName}_DhcpServer_netsh_info.TXT
HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer
{ComputerName}_DhcpServer_reg_.TXT
Microsoft-Windows-Dhcp-Server/Admin
Microsoft-Windows-Dhcp-Server/Operational
{ComputerName}__evt_*.*

DirectAccess Client
Description | File name
Collects multiple registry key contents related to the DirectAccess client.
{ComputerName}_DirectAccessClient_reg_.TXT
DNS Client netsh show state (for DirectAccess): netsh dnsclient show state
{ComputerName}_DirectAccessClient_netsh_dnsclient-show-state.TXT
W8/WS2012 PowerShell output for the DirectAccess client.
{ComputerName}_DirectAccessClient_info_pscmdlets.TXT

DirectAccess Diagnostic: Interactive Data Collection
Description | File name
DirectAccess Scenario Tracing: The file "netshtrace.cab" contains the compressed version of netshtrace.etl and several other static files.
netshtrace.cab
DirectAccess Scenario Tracing: The file "netshtrace.etl" contains the ETL output from this command: "netsh.exe trace start scenario=DirectAccess tracefile=netshtrace.etl capture=yes"
netshtrace.etl
DirectAccess Server PowershellLogging ETL logging
DaSrvPSLogging.etl
Kerberos ETL logging [DirectAccess Server option Only]
SecurityKerberos.etl
Microsoft-Windows-CAPI2/Operational
{ComputerName}__evt_*.*
NTLM ETL logging [DirectAccess Server option only]
SecurityNTLM.etl
OTP ETL logging [DirectAccess Client and Server; if OTP is enabled]
OTP.etl
Problem Steps Recorder output: The file "IssueSteps.zip" contains the output from Problem Steps Recorder (PSR.EXE).
IssueSteps.zip
Schannel ETL logging
schannel.etl
WFP Tracing: The file "wfpdiag.cab" contains the output from this command: "netsh.exe wfp capture start"
wfpdiag.cab

Directory Services-related registry keys
Description | File name
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
HKCU\Software\Microsoft\Windows\CurrentVersion\NetCache
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Rpc
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication
HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\parameters
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\parameters
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\w32time
{ComputerName}_regentries.txt

Diskpart output
Description | File name
Output of diskpart utility from affected machine
{ComputerName}_diskpart.txt

Distributed File System Replication (DFSR) information
Description | File name
Information about replication groups
{ComputerName}_DFSR_Replica*.xml
DFS Management Trace Log
{ComputerName}_DFSR_Dfsmgmt*.log
DFSR Configuration Information from Dfsr Performance counters
{ComputerName}_DFSR_Info.txt
DFSR Conflicts and Deletes
{ComputerName}_DFSR_ConflictAndDeleted.xls
DFSR Current Log File
Dfsr*.log
DFSR Database GUIDs
{ComputerName}_DFSR_DBGUIDs.txt
DFSR Events Last 3 Days
{ComputerName}_DFSR_Events_Last_72_Hours.xls
DFSR File Versions
{ComputerName}_DFSR_File_Versions.txt
DFSR Hotfixes
{ComputerName}_DFSR_Hotfixes.txt
Dfsr machine configuration information from DfsrMachineConfig WMI class
{ComputerName}_DFSR_DfsrMachineConfig.XML
DFSR Performance Data from DFSReplicatedFolders performance counters
{ComputerName}_DFSR_Performance_Data.txt
DFSR Previous Log file
Dfsr*.gz
DFSR XML configuration files from \System Volume Information\DFSR\Config
{ComputerName}_DFSR_Volume*.xml
Health Report
*HealthReport*
Output of 'Dirquota Quota List'
{ComputerName}_DFSR_FSRM_Quotas.txt
Output of 'Filescrn Screen List'
{ComputerName}_DFSR_FSRM_File_Screens.txt
Output of 'reg query HKLM\System\CurrentControlSet\Services\DFSR /s'
{ComputerName}_DFSR_RegKey_DFSR.txt
Progress Log
DFSR__Progress.txt

DNS Client
Description | File name
Copies the HOSTS file if it exists.
{ComputerName}_DnsClient_HostsFile.TXT
DNS Client - HOSTS file from windir\system32\drivers\etc\HOSTS
{ComputerName}_DnsClient_HostsFile.TXT
DNS Client netsh show state (for DirectAccess): netsh dnsclient show state
{ComputerName}_DnsClient_netsh_dnsclient-show-state.TXT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
HKLM\SYSTEM\CurrentControlSet\services\Dnscache
{ComputerName}_DnsClient_reg_.TXT
IP configuration from command: Ipconfig /displaydns
{ComputerName}_DnsClient_ipconfig-displaydns.TXT
Microsoft-Windows-DNS-Client/Operational
{ComputerName}__evt_*.*
W8/WS2012 PowerShell output for the DNS Client.
{ComputerName}_DnsClient_info_pscmdlets.TXT

DNS Server
Description | File name
DNS Server
{ComputerName}__evt_*.*
DnsCmd /enumzones
{ComputerName}_DnsServer_DnsCmd-enumzones.TXT
DnsCmd /info
{ComputerName}_DnsServer_DnsCmd-info.TXT
DnsCmd /statistics
{ComputerName}_DnsServer_DnsCmd-statistics.TXT
DnsCmd /statistics
{ComputerName}_DnsServer_DnsCmd-EnumDirectoryPartitions.TXT
HKLM\SYSTEM\CurrentControlSet\services\DNS
{ComputerName}_DnsServer_reg_.TXT

Domain controller promotion logs
Description | File name
Domain Controller promotion debug log from \Windows\debug
{ComputerName}_DCPromo.log
Domain Controller promotion UI debug log from \Windows\debug
{ComputerName}_DCPromoUI.log

Driver Verifier information
Description | File name
Output from Driver Verifier Manager (verifier.exe) utility
{ComputerName}_verifier.txt

DriverStore
Description | File name
DriverStore Index Data File located on %windir%\system32\driverstore
{ComputerName}_drvindex.dat
DriverStore INF Cache DB located on %windir%\system32\driverstore
{ComputerName}_INFCACHE.1
DriverStore INF Pub Data File located on %windir%\system32\driverstore
{ComputerName}_infpub.dat
DriverStore INF Stor Data File located on %windir%\system32\driverstore
{ComputerName}_infstor.dat
DriverStore Strng Data File located on %windir%\system32\driverstore
{ComputerName}_infstrng.dat

Dynamic port range
Description | File name
Current Port Range
{ComputerName}_CurrentPortRange.txt

Event logs
Description | File name
AppEvent.evt file located in \windows\system32\config
{ComputerName}_AppEvent.evt
Contents of \Windows\System32\Winevt\Logs
{ComputerName}_EventLogs.zip
SecEvent.evt file located in \windows\system32\config
{ComputerName}_SecEvent.evt
SysEvent.evt file located in \windows\system32\config
{ComputerName}_SysEvent.evt

Event logs - BitLocker, MBAM
Description | File name
BitLocker Event logs (.csv .evtx .txt)
{ComputerName}_Microsoft-Windows-BitLocker-DrivePreparationTool/Admin.*
{ComputerName}_Microsoft-Windows-BitLocker-DrivePreparationTool/Operational.*
{ComputerName}_Microsoft-Windows-BitLocker-Driver-Performance/Operational.*
{ComputerName}_Microsoft-Windows-BitLocker/BitLocker Management.*
MBAM Event logs (.csv .evtx .txt)
{ComputerName}_Microsoft-Windows-MBAM/Admin.*
{ComputerName}_Microsoft-Windows-MBAM/Diagnostic.*
{ComputerName}_Microsoft-Windows-MBAM/Operational.*

Event logs - Failover Cluster
Description | File name
Microsoft-Windows-FailoverClustering* (.csv .evtx .txt)
{ComputerName}_evt_FailoverClustering.*

Event logs - General
Description | File name
Application (.csv .evtx .txt)
{ComputerName}_evt_Application.*
System (.csv .evtx .txt)
{ComputerName}_evt_System.*

Event logs - Networking
Description | File name
Microsoft-Windows-NetworkProfile/Operational* (.csv .evtx .txt)
{ComputerName}_evt_NetworkProfile-Operational.*

Event logs - PrintService
Description | File name
Microsoft-Windows-PrintService* (.csv .evtx .txt)
{ComputerName}_evt_PrintService.*

Event logs - Setup
Description | File name
Setup (.csv .evtx .txt)
{ComputerName}_evt_Setup.*

Event logs - Windows Remote Management
Description | File name
Microsoft-Windows-WinRM/Operational (.csv .evtx .txt)
{ComputerName}__evt_WinRM-Operational.*

Event logs - Windows Store Apps
Description | File name
Microsoft-Windows-AppModel-Runtime/Admin (.csv .evtx .txt)
{ComputerName}_evt_AppModelRuntime-Admin.*
Microsoft-Windows-AppXDeployment/Operational (.csv .evtx .txt)
{ComputerName}_evt_AppXDeployment-Operational.*
Microsoft-Windows-AppXDeploymentServer/Operational (.csv .evtx .txt)
{ComputerName}_evt_AppXDeploymentServer-Operational.*
Microsoft-Windows-AppXDeploymentServer/Restricted (.csv .evtx .txt)
{ComputerName}_evt_AppXDeploymentServer-Restricted.*
Microsoft-Windows-AppxPackaging/Operational (.csv .evtx .txt)
{ComputerName}_evt_AppxPackaging-Operational.*
Microsoft-Windows-TWinUI/Operational (.csv .evtx .txt)
{ComputerName}_evt_TWinUI-Operational.*

Exchange Server and organization baseline
Description | File name
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
{ComputerName}_REG_ImageFileExecutionOptions.TXT
Reg.exe query output for HKLM\SOFTWARE\Microsoft registry keys and values where the key name contains *Exchange*
{ComputerName}_REG_SOFTWARE_EXCHANGE.TXT
Reg.exe query output for HKLM\Software\Microsoft\MosTrace registry key and values if they are present.
{ComputerName}_REG_MOSTRACE.TXT
Reg.exe query output for HKLM\SYSTEM\CurrentControlSet\Services registry keys and values where the key name contains *Exchange*
{ComputerName}_REG_SERVICES_EXCHANGE.TXT
Reg.exe query output for Windows Installer registry key and the children for the installed version of Exchange Server.
{ComputerName}_REG_INSTALLER_EXCHANGE.TXT

FailoverCluster feature
Description | File name
Basic Failover Cluster information via clusmps.exe utility (on operating systems earlier than Windows Server 2008 R2)
{ComputerName}_cluster_mps_information.txt
Basic Failover Cluster information, including information from existing resources and groups via FailoverCluster PowerShell cmdlets (Windows Server 2008 R2 and newer)
resultreport.xml
Cluster basic Validation Report generated by Test-Cluster PowerShell cmdlet
{ComputerName}_ValidationReport.mht
Cluster Dependency Report generated by Get-ClusterResourceDependencyReport PowerShell cmdlet on Windows Server 2008 or newer
{ComputerName}_DependencyReport.mht
Cluster Logs generated by Get-ClusterLog PowerShell cmdlet on Windows Server 2008 R2, cluster.exe utility or from \windows\cluster\cluster.log on previous versions of Windows
{ComputerName}_cluster.log
Cluster reports XML files located at \Windows\Cluster\Reports\*.xml
{ComputerName}_ClusterReportXML.zip
Cluster Resources information from cluster.exe utility
{ComputerName}_ClusterResources.txt
Cluster resources properties using PowerShell Get-ClusterResource cmdlet or cluster.exe utility on previous versions of Windows
{ComputerName}_ClusterProperties.txt
Cluster validation log files from \Windows\Cluster\Reports\Validate*.log
{ComputerName}_Validate*.log
Cluster validation reports files located at \Windows\Cluster\Reports\*.mht
{ComputerName}_ClusterReportMHT.zip
Information about Cluster Shared Volume
{ComputerName}_CSVInfo.HTM

FailoverCluster information
Description | File name
Cluster chkdsk files located at %windir%\Cluster\ChkDsk*.*
{ComputerName}_ClusterChkDskFiles.zip
Cluster Dump files located at %windir%\Cluster\*.dmp
{ComputerName}_ClusterDmpFiles.zip
Cluster Object Manager file located at %windir%\Cluster\cluster.oml
{ComputerName}_cluster.oml

File version information (Chksym)
Description | File name
File version information from %ProgramFiles%\Microsoft iSNS Server\*.* and %windir%\system32\iscsi*.*
{ComputerName}_sym_MS_iscsi.*
File version information from %windir%\cluster\*.*
{ComputerName}_sym_ProgramFiles_sys.*
File version information from %windir%\cluster\*.*
{ComputerName}_sym_Cluster.*
File version information from %windir%\system32\*.dll
{ComputerName}_sym_System32_dll.*
File version information from %windir%\system32\*.exe
{ComputerName}_sym_System32_exe.*
File version information from %windir%\system32\*.sys
{ComputerName}_sym_System32_sys.*
File version information from %windir%\system32\drivers folder
{ComputerName}_sym_Drivers.*
File version information from %windir%\system32\Spool\*.*
{ComputerName}_sym_PrintSpooler.*
File version information from %windir%\syswow64 folder and subfolders
{ComputerName}_sym_SysWOW64_sys.*
File version information from %windir%\syswow64\drivers folder
{ComputerName}_sym_SysWOW64_sys.*
File version information from {Program Files (x86)}\*.sys folder and subfolders
{ComputerName}_sym_ProgramFilesx86_sys.*
File version information from {Program Files}\*.sys folder and subfolders
{ComputerName}_sym_ProgramFiles_sys.*
File version information from drivers currently running on the machine
{ComputerName}_sym_RunningDrivers.*
File version information from processes currently running on the machine
{ComputerName}_sym_Process.*

File version information (ChkSym)
Description | File name
File version information from %windir%\SysWOW64\*.DLL *.EXE *.SYS
{ComputerName}_SysWOW64.*
File version information from %windir%\Cluster\*.*
{ComputerName}_Cluster.*
File version information from %windir%\system32\*.DLL *.EXE *.SYS
{ComputerName}_System32.*
File version information from %windir%\system32\drivers\*.*
{ComputerName}_Drivers.*
File version information from %windir%\system32\inetsrv\*.exe, *.dll
{ComputerName}_InetSrv.*
File version information from %windir%\system32\iscsi*.*
{ComputerName}_MS.*
File version information from %windir%\system32\Spool\*.*
{ComputerName}_PrintSpool.*
File version information from all drivers that are currently running on computer
{ComputerName}_RunningDrivers.*
File version information from all processes that are currently running on computer
{ComputerName}_Process.*
File version information from Exchange\*.exe, *.dll
{ComputerName}_Exchange.*
File version information from ProgramFiles(x86)\*.sys
{ComputerName}_ProgramFilesx86.*
File version information from ProgramFiles\*.sys
{ComputerName}_ProgramFiles.*
File version information from ProgramFiles\Microsoft iSNS Server\*.*
{ComputerName}_MS_iSNS.*
WSMAN and WinRM binary info from chksym output
{ComputerName}__WinRM_WSMAN_bin.*

File version information
Description | File name
File Version Information from %Windir%\System32\drivers
{ComputerName}_sym_drivers.txt

Firewall
Description | File name
[W8/WS2012] Get-NetFirewallProfile
[W8/WS2012] Get-NetFirewallRule
[W8/WS2012] Get-NetIPsecMainModeSA
[W8/WS2012] Get-NetIPsecQuickModeSA
[W8/WS2012] Show-NetFirewallRule
[W8/WS2012] Show-NetIPsecRule -PolicyStore ActiveStore
{ComputerName}_Firewall_info_pscmdlets.TXT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
HKLM\SYSTEM\CurrentControlSet\Services\BFE
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT
HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
{ComputerName}_Firewall_reg_.TXT
Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
{ComputerName}__evt_*.*
netsh advfirewall consec show rule all any dynamic verbose
netsh advfirewall consec show rule all any static verbose
{ComputerName}_Firewall_netsh_advfirewall-consec-rules.TXT
netsh advfirewall export
{ComputerName}_Firewall_netsh_advfirewall-export.wfw
netsh advfirewall firewall show rule name=all
{ComputerName}_Firewall_netsh_advfw-firewall-rules.TXT
netsh advfirewall monitor show consec verbose
{ComputerName}_Firewall_netsh_advfirewall-consec-rules-active.TXT
netsh advfirewall monitor show firewall verbose
{ComputerName}_Firewall_netsh.TXT
netsh advfirewall show allprofiles
netsh advfirewall show allprofiles state
netsh advfirewall show currentprofile
netsh advfirewall show domainprofile
netsh advfirewall show global
netsh advfirewall show privateprofile
netsh advfirewall show publicprofile
netsh advfirewall show store
{ComputerName}_Firewall_netsh_advfirewall.TXT
netsh wfp show boottimepolicy file=
{ComputerName}_Firewall_netsh_wfp-show-boottimepolicy.XML
netsh wfp show filters file=
{ComputerName}_Firewall_netsh_wfp-show-filters.XML
netsh wfp show netevents file=
{ComputerName}_Firewall_netsh_wfp-show-netevents.XML
netsh wfp show options optionsfor=keywords
{ComputerName}_Firewall_netsh_wfp-show-options-optionsforkeywords
netsh wfp show options optionsfor=netevents
{ComputerName}_Firewall_netsh_wfp-show-options-optionsfornetevents
netsh wfp show security netevents
{ComputerName}_Firewall_netsh_wfp-show-security-netevents.TXT
netsh wfp show state file=
{ComputerName}_Firewall_netsh_wfp-show-state
netsh wfp show sysports file=
{ComputerName}_Firewall_netsh_wfp-show-sysports.XML

FSMO role owners
Description | File name
Output via 'netdom query fsmo'
{ComputerName}_NetdomFSMO.txt

Functional levels and Group Membership information
Description | File name
Group Membership and Functional Levels information via 'net.exe localgroup' commands
{ComputerName}_DSMisc.txt

General information
Description | File name
SP Catalog from windows\system32\catroot2
{ComputerName}_dberr.txt

General information
Description | File name
Basic Information about processes, such as memory usage and handle count, and information about Kernel memory utilization, such as Paged Pool and Non-Paged Pool memory
{ComputerName}_ProcessesPerfInfo.htm
Basic System Information including machine name, service pack, computer model and processor name and speed
resultreport.xml
Contents of \windows\repair
{ComputerName}_Repair.zip
List of environment variables
{ComputerName}_EnvironmentVariables.txt
List of installed updates and hotfixes
{ComputerName}_Hotfixes.*
List of User Rights (privileges) using showpriv.exe tool
{ComputerName}_UserRights.txt
List of user SID, group memberships, and privileges via the 'Whoami /all' output
{ComputerName}_Whoami.txt
Resultant Set of Policy (RSoP) generated by gpresult.exe utility
{ComputerName}_GPResult.*
Schedule Tasks information (csv and txt) generated by schtasks.exe utility
{ComputerName}_schtasks.*
Shows whether the machine is running in a virtual environment and describes the virtualization environment
resultreport.xml
Sysinternals Autoruns utility output
{ComputerName}_Autoruns.*
System Information - MSInfo32 tool output
{ComputerName}_msinfo32.nfo
{ComputerName}_msinfo32.txt
Windows basic activation information via %windir%\system32\slmgr.vbs
{ComputerName}_KMSActivation.TXT
Windows Update log file (from windows folder)
{ComputerName}_windowsupdate.log
DrWatson.log from %windir%
{ComputerName}_Drwatson.log
Drwtsn32.log from %allusersprofile%
{ComputerName}_Drwtsn32.log
List of open files
{ComputerName}_OpenFiles.txt

General performance information
Description | File name
Information about process and threads using pstat.exe tool
{ComputerName}_PStat.txt

General registry data collection
Description | File name
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{ComputerName}_reg_Startup.txt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
HKCU\Software\Policies
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
HKLM\Software\Policies
{ComputerName}_reg_Policies.txt
HKLM\Software\Microsoft\Windows\CurrentVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
{ComputerName}_reg_CurrentVersion.txt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
{ComputerName}_reg_Uninstall.txt
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows\Windows Error Reporting
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKLM\System\CurrentControlSet\Control\CrashControl
HKLM\System\CurrentControlSet\Control\Session Manager
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
{ComputerName}_reg_Recovery.txt
HKLM\SYSTEM\CurrentControlSet\Control\Print
{ComputerName}_reg_Print.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server Web Access
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
HKLM\SYSTEM\CurrentControlSet\Services\TermDD
HKLM\SYSTEM\CurrentControlSet\Services\TermService
{ComputerName}_reg_TimeZone.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
{ComputerName}_reg_TimeZone.txt

Group Policy and user environment
Description | File name
Group Policy Service Debug Log (gpsvc.log) from \windows\debug\usermode
{ComputerName}_gpsvc.log
User environment debug log (UserEnv.*) from \windows\debug\usermode
{ComputerName}_userenv.*
User environment debug log (UserEnv.log) from \windows\debug\usermode
{ComputerName}_Userenv.log
User environment debug log backup (UserEnv.bak) from \windows\debug\usermode
{ComputerName}_Userenv.bak

HTTP
Description | File name
HKLM\SYSTEM\CurrentControlSet\Services\HTTP
{ComputerName}_HTTP_reg_.TXT
HTTP information from netsh output
{ComputerName}_HTTP_netsh_output.TXT

Hyper-V role
Description | File name
Hyper-V Configuration and Virtual Machine Information
{ComputerName}_HyperV-Info.HTM
Hyper-V Virtual Machine Definition files from %ProgramData%\Microsoft\Windows\Hyper-V\Virtual Machines\*.xml
{ComputerName}_{VirtualMachineGUID}.xml

IIS files
Description | File name
MetaBase File located at %windir%\system32\inetsrv\MetaBase.xml
{ComputerName}_MetaBase.xml

IPsec
Description | File name
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT
HKLM\SYSTEM\CurrentControlSet\Services\IPsec
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
{ComputerName}_IPsec_reg_.TXT
IPsec information from command: netsh dynamic show all
{ComputerName}_IPsec_netsh_dynamic.TXT
IPsec information from command: netsh ipsec static exportpolicy
{ComputerName}_IPsec_netsh_LocalPolicyExport.ipsec
IPsec information from command: netsh static show all
{ComputerName}_IPsec_netsh_static.TXT
W8/WS2012 PowerShell output for IPsec.
{ComputerName}_IPsec_info_pscmdlets.TXT

IPv6Check
Description | File name
Networking adapter configuration from WMI
{ComputerName}_Networking.TXT

IPv6To4Check
Description | File name
IP configuration data from ipconfig command
{ComputerName}_Networking.TXT

iSCSI information
Description | File name
iSCSI Information based on iscsicli.exe output
{ComputerName}_iSCSIInfo.txt

KList utility output
Description | File name
Output of 'klist tgt' command
{ComputerName}_KList.txt

List of installed packages
Description | File name
dism /online /get-packages output
{ComputerName}_getpackages.txt

Local files
Description | File name
File System Information from fsinfo utility
{ComputerName}_FileSystemConfiguration.txt
Information about driver signature using driverquery
{ComputerName}_DriverQuery.txt
net.exe localgroup output
{ComputerName}_localgroup.txt

Logs
Description | File name
Deployment Logs on \windows\temp
{ComputerName}_DeploymentLogs_Windows_Temp.zip
Deployment Logs on SystemDrive\Minint
{ComputerName}_Minint_SystemDrive.zip

Machine memory dump files
Description | File name
Information about machine memory dump files, user memory dump files, and memory dump configuration
{ComputerName}_DumpReport.*
Machine Full or Kernel memory dump files (Memory.dmp)
{ComputerName}_dmp_memory.zip
Mini memory dump files from {Windows}\Minidump folder from past 30 days
{ComputerName}_dmp_*.zip

Memory dump information and files
Description | File name
Information about machine memory dump files, user memory dump files, and memory dump configuration
{ComputerName}_DumpReport.*
Machine Full or Kernel memory dump files (Memory.dmp)
{ComputerName}_dmp_memory.zip
Mini memory dump files from {Windows}\Minidump folder
User dumps generated by Windows Error Reporting
{ComputerName}_dmp_*.zip

Memory dumps
Description | File name
Contents of %windir%\*.dmp
{ComputerName}_memory.dmp.zip

Netlogon logs
Description | File name
Netlogon.bak from \Windows\Debug
{ComputerName}_Netlogon.bak
Netlogon.log from \Windows\Debug
{ComputerName}_Netlogon.log

NetSetup log
Description | File name
NetSetup Log file from \Windows\Debug
{ComputerName}_netsetup.log

Network connections
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\Netman
{ComputerName}_NetworkConnections_reg_.TXT
W8/WS2012 PowerShell output for Network Connections
{ComputerName}_NetworkConnections_info_pscmdlets.TXT

Network list
Description | File name
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
HKLM\SYSTEM\CurrentControlSet\services\netprofm
{ComputerName}_NetworkList_reg_.TXT
Microsoft-Windows-NetworkProfile/Operational
{ComputerName}__evt_*.*

Network location awareness
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc
{ComputerName}_NetworkLocationAwareness_reg_.TXT
Microsoft-Windows-NlaSvc/Operational
{ComputerName}__evt_*.*

Networking basic information
Description | File name
Basic SMB configuration information, such as output of net.exe subcommands, such as net share, net sessions, net use, net accounts, net config
{ComputerName}_SMB-Info.txt
Basic TCP/IP and networking configuration information, such as TCP/IP registry key and outputs from ipconfig, netstat, nbtstat and netsh commands
{ComputerName}_TcpIp-Info.txt

NLB
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\WLBS
{ComputerName}_NLB_reg_.TXT
NLB display information from nlb.exe output
{ComputerName}_NLB_nlb-display.txt
NLB query information from nlb.exe output
{ComputerName}_NLB_nlb-query.txt
W8/WS2012 PowerShell output for NLB
{ComputerName}_NLB_info_pscmdlets.TXT

NPS
Description | File name
If W2003, HKLM\SYSTEM\CurrentControlSet\services\IAS
{ComputerName}_IAS_reg_.TXT
If WS2008 and later, HKLM\SYSTEM\CurrentControlSet\services\IAS
{ComputerName}_NPS_reg_.TXT
If WS2008 and later, Netsh output for IAS (W2003 and later)
{ComputerName}_IAS_netsh_output.TXT
If WS2008 and later, Netsh output for NPS
{ComputerName}_NPS_netsh_output.TXT

Panther folder
Description | File name
Contents of %windir%\Panther
{ComputerName}_panther.zip

Performance Monitor Counter files
Description | File name
File located at %windir%\System32\PerfStringBackup.ini
{ComputerName}_PerfStringBackup.ini
Perfmon Counter files located at %windir%\System32\*.ini
{ComputerName}_CounterINI.zip

PFE files
Description | File name
DHCP Best Practices Analyzer (.htm)
{ComputerName}_DhcpServer_BPAInfo.HTM
DNS Server Best Practices Analyzer (.htm)
{ComputerName}_DnsServer_BPAInfo.HTM
FileServices Best Practices Analyzer (.htm)
{ComputerName}_FileServices_BPAInfo.HTM
NPAS Best Practices Analyzer (.htm)
{ComputerName}_NPAS_BPAInfo.HTM

Power settings
DescriptionFile name
Analysis of the system for common energy-efficiency and battery life problems via 'powercfg -energy -duration 5'
{ComputerName}_PowerCFG_Energy_Report.htm
Battery Report from 'powercfg -batteryreport' output
{ComputerName}_PowerCFG_BatteryReport.htm
PowerCfg subcommands
{ComputerName}_PowerCFG.txt

Print drivers and printers information
DescriptionFile name
Information about Print drivers and printers, including print monitors, processors, and print driver file version information
{ComputerName}_PrintInfo.*

Print registry
DescriptionFile name
Cluster Print Registry File
{ComputerName}_reg_*ClusterPrintKey.txt
HKCU\Printers
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print
HKLM\SYSTEM\CurrentControlSet\Control\Print
{ComputerName}_reg_*Print.txt

RAS component
DescriptionFile name
HKLM\Software\Microsoft\Windows\CurrentVersion
HKLM\System\CurrentControlSet\services\RasMan
{ComputerName}_reg_RasMan.TXT

Registry export files
DescriptionFile name
HKLM\Software\Microsoft\Windows NT\CurrentVersion
{ComputerName}_reg_CurrentVersion.TXT
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
HKLM\Software\Policies
{ComputerName}_reg_Policies.TXT
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{ComputerName}_reg_Startup.TXT
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
{ComputerName}_reg_Uninstall.TXT
HKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\MPDev
HKLM\System\CurrentControlSet\Services\MPIO
HKLM\System\CurrentControlSet\Services\MSDsm
{ComputerName}_reg_Storage.TXT
HKLM\Software\Microsoft\iSCSI Target
HKLM\Software\Microsoft\Windows NT\CurrentVersion\iSCSI
HKLM\System\CurrentControlSet\Control\iSCSIPrt
HKLM\System\CurrentControlSet\Services\iScsiPrt
HKLM\System\CurrentControlSet\Services\MSiSCSI
{ComputerName}_reg_iSCSI.TXT
HKLM\System\CurrentControlSet\Control\Print
{ComputerName}_reg_Print.TXT
HKLM\System\CurrentControlSet\Control\ProductOptions
{ComputerName}_reg_ProductOptions.TXT
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows\Windows Error Reporting
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKLM\System\CurrentControlSet\Control\CrashControl
HKLM\System\CurrentControlSet\Control\Session Manager
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
{ComputerName}_reg_Recovery.TXT
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Time Zones
HKLM\System\CurrentControlSet\Control\TimeZoneInformation
{ComputerName}_reg_TimeZone.TXT
HKLM\System\CurrentControlSet\Enum
{ComputerName}_reg_Enum.TXT
HKLM\System\CurrentControlSet\Services\LanmanServer
HKLM\System\CurrentControlSet\Services\LanmanWorkstation
HKLM\System\CurrentControlSet\Services\MRxSmb
HKLM\System\CurrentControlSet\Services\MRxSmb10
HKLM\System\CurrentControlSet\Services\MRxSmb20
HKLM\System\CurrentControlSet\Services\SMB
{ComputerName}_reg_SMB.TXT
HKLM\System\CurrentControlSet\Services\Tcpip
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
{ComputerName}_reg_TCPIPParameters.TXT
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server Web Access
HKLM\System\CurrentControlSet\Control\Terminal Server
HKLM\System\CurrentControlSet\Services\TermDD
HKLM\System\CurrentControlSet\Services\TermService
{ComputerName}_reg_TermServices.TXT
HKLM\System\CurrentControlSet\Services\VSS
{ComputerName}_reg_VSS.TXT

Registry files
DescriptionFile name
ServerManager and MMC Snapins
{ComputerName}_ServerManagerAndMMCSnapins.txt

Registry information
DescriptionFile name
Contents of %windir%\System32\Config\regback from affected machine
{ComputerName}_Regback.zip
HKLM\COMPONENTS
{ComputerName}_reg_Components.HIV
HKCU\Software\Microsoft\Microsoft SQL Server
HKCU\SOFTWARE\ODBC
HKLM\SOFTWARE\Microsoft\Microsoft SQL Native Client
HKLM\SOFTWARE\Microsoft\Microsoft SQL Native Client 10.0
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server 2005 Redist
HKLM\SOFTWARE\Microsoft\MSDTS
HKLM\Software\Microsoft\MSFTESQLInstMap
HKLM\SOFTWARE\Microsoft\MSSQLServer
HKLM\SOFTWARE\Microsoft\MSXML 6.0 Parser and SDK
HKLM\SOFTWARE\Microsoft\MSXML60
HKLM\SOFTWARE\Microsoft\OLAP Server
HKLM\SOFTWARE\Microsoft\SNAC
HKLM\SOFTWARE\Microsoft\SQLXML4
HKLM\Software\Microsoft\Vsa
HKLM\SOFTWARE\ODBC
{ComputerName}_REG_SQL.TXT
HKLM\SOFTWARE\Microsoft\Microsoft SQL Server
{ComputerName}_Microsoft_SQL_Server.HIV
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
{ComputerName}_reg_Component_Based_Servicing.HIV
HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Native Client
HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Native Client 10.0
HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server
HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server 2005 Redist
HKLM\SOFTWARE\Wow6432Node\Microsoft\MSDTS
HKLM\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer
HKLM\SOFTWARE\Wow6432Node\Microsoft\SNAC
HKLM\SOFTWARE\Wow6432Node\Microsoft\SQLXML4
HKLM\Software\Wow6432Node\Microsoft\Vsa
HKLM\SOFTWARE\Wow6432Node\ODBC
{ComputerName}_Wow6432Node_REG_SQL.TXT
HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server
{ComputerName}_Wow6432Node_Microsoft_SQL_Server.HIV
HKLM\SYSTEM\CurrentControlSet
{ComputerName}_CurrentControlSet.HIV
HKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\iSCSIPRT
HKLM\System\CurrentControlSet\Control\MPDEV
HKLM\System\CurrentControlSet\Services\MPIO
HKLM\System\CurrentControlSet\Services\MSDSM
HKLM\System\CurrentControlSet\Services\MSiSCSI
HKLM\System\CurrentControlSet\Services\Tcpip
{ComputerName}_reg_Storage.txt
HKLM\SYSTEM\CurrentControlSet\Enum
{ComputerName}_reg_Enum.TXT
HKLM\SOFTWARE\Microsoft\iSCSI Target
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\iSCSI
HKLM\SYSTEM\CurrentControlSet\Services\iScsiPrt
{ComputerName}_reg_iSCSI.txt
HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller
{ComputerName}_reg_TrustedInstaller.TXT
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\System\CurrentControlSet\SessionManagers
{ComputerName}_CurrentControlSet_Reg.txt
HKLM\System\MountedDevices
{ComputerName}_reg_MountedDevices.*
Registry Hive files located at %windir%\system32\config in the affected machine
{ComputerName}_SYSTEM.HIV
{ComputerName}_SOFTWARE.HIV
{ComputerName}_SECURITY.HIV
{ComputerName}_COMPONENTS.HIV
{ComputerName}_DEFAULT.HIV
{ComputerName}_SAM.HIV
HKCU\Software\Microsoft\Windows NT\CurrentVersion
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
{ComputerName}_reg_Startup.TXT
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
HKCU\Software\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
HKLM\Software\Policies
{ComputerName}_reg_Policies.txt
HKLM\SOFTWARE\Microsoft\IE Setup
HKLM\SOFTWARE\Microsoft\IE4
HKLM\SOFTWARE\Microsoft\Ieak
HKLM\SOFTWARE\Microsoft\Internet Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
{ComputerName}_IE4.txt
HKCU\Software\Microsoft\Ieak
HKCU\SOFTWARE\Microsoft\Internet Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Explorer
HKLM\SOFTWARE\Microsoft\IE Setup
HKLM\SOFTWARE\Microsoft\IE4
HKLM\SOFTWARE\Microsoft\Ieak
HKLM\SOFTWARE\Microsoft\Internet Explorer
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
{ComputerName}_IESettings.txt
HKLM\Software\Microsoft\OLE
{ComputerName}_RegistryKey_DCOM.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
{ComputerName}_AppCompatFlags_Layers.txt
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib
{ComputerName}_PerformanceCounter.txt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
{ComputerName}_reg_Uninstall.TXT
HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework
{ComputerName}_NETFramework.txt
HKLM\SOFTWARE\Microsoft\Updates
HKLM\SOFTWARE\Wow6432Node\Microsoft\Updates
{ComputerName}_hotfix.txt
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows\Windows Error Reporting
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKLM\System\CurrentControlSet\Control\CrashControl
HKLM\System\CurrentControlSet\Control\Session Manager
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
{ComputerName}_reg_Recovery.TXT
HKLM\System\CurrentControlSet\Control\Class\{4d36e97b-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\iSCSIPRT
HKLM\System\CurrentControlSet\Control\MPDEV
HKLM\System\CurrentControlSet\Services\MPIO
HKLM\System\CurrentControlSet\Services\MSDSM
HKLM\System\CurrentControlSet\Services\MSiSCSI
HKLM\System\CurrentControlSet\Services\Tcpip
{ComputerName}_reg_Storage.TXT
HKLM\SYSTEM\CurrentControlSet\Control\Print
{ComputerName}_reg_Print.HIV
HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
{ComputerName}_reg_ProductOptions.TXT
HKCU\Control Panel\International
HKLM\SOFTWARE\MICROSOFT\OLE
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions
{ComputerName}_MiscellaneousInformation.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server Web Access
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
HKLM\SYSTEM\CurrentControlSet\Services\TermDD
HKLM\SYSTEM\CurrentControlSet\Services\TermService
{ComputerName}_reg_TermServices.txt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
{ComputerName}_reg_TimeZone.txt
HKLM\SYSTEM\CurrentControlSet\Enum
{ComputerName}_reg_Enum.TXT
HKLM\SOFTWARE\Microsoft\iSCSI Target
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\iSCSI
HKLM\SYSTEM\CurrentControlSet\Services\iScsiPrt
{ComputerName}_reg_iSCSI.TXT
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
HKLM\SYSTEM\CurrentControlSet\Services\MRxSmb
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb20
HKLM\SYSTEM\CurrentControlSet\Services\smb
{ComputerName}_reg_SMB.txt
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
{ComputerName}_reg_TCPIPParameters.TXT
HKLM\SYSTEM\CurrentControlSet\Services\VSS
{ComputerName}_reg_VSS.TXT
HKLM\System\MountedDevices
{ComputerName}_reg_MountedDevices.TXT
HKLM\System\MountedDevices
{ComputerName}_reg_MountedDevices.HIV

Registry keys
DescriptionFile name
HKLM\Cluster
{ComputerName}_reg_Cluster.hiv
HKLM\System\CurrentControlSet\services\CluDisk
{ComputerName}_reg_ClusDisk.txt
HKLM\System\CurrentControlSet\services\ClusSvc
{ComputerName}_reg_ClusSvc.txt
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
{ComputerName}_DFSR_RegKey_TCPIP.txt

Replication Diagnostics Tool
DescriptionFile name
Replication topology overview via 'repadmin.exe /showrepl' output
{ComputerName}_Repadmin-Showrepl.txt

RPC
DescriptionFile name
HKLM\Software\Microsoft\Rpc
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\RpcLocator
HKLM\SYSTEM\CurrentControlSet\Services\RpcSs
{ComputerName}_RPC_reg_output.TXT
RPC information from netsh rpc output
{ComputerName}_RPC_netsh_output.TXT

Secure Channel Info
DescriptionFile name
Cached values for Secure Channel info from Netlogon such as Secure Channel Information, Secure Channel Info and General Domain Information
{ComputerName}_Secure Channels.txt

Server manager and server roles information
DescriptionFile name
List of roles and features installed on Server Media (Windows Server 2008 R2 and newer)
resultreport.xml
Server Manager Installation Log from %windir%\logs
{ComputerName}_ServerManager.log
Server Core OCList output
{ComputerName}_OptionalComponents.txt

Servicing and related Logs
DescriptionFile name
Component Update log located on %windir%\SoftwareDistribution
{ComputerName}_ReportingEvents.log
Component-Based Servicing Logs located on %windir%\Logs\CBS
{ComputerName}_CBS*.Log
Contents of %windir%\servicing\Sessions
{ComputerName}_Sessions.zip
DPX Setup Act log located on %windir%\logs\DPX
{ComputerName}_setupact.log
Pending Operations Queue Exec log located on %windir%\winsxs
{ComputerName}_poqexec.log
Sessions log located on %windir%\servicing
{ComputerName}_Sessions.xml
System Update Readiness log located on %windir%\logs\CBS
{ComputerName}_CheckSUR.log
Windows Side-by-Side Pending Bad log
{ComputerName}_pending.xml.bad
Windows Side-by-Side Pending log located on %windir%\winsxs
{ComputerName}_pending.xml

Servicing files
DescriptionFile name
List of Servicing Package Files located at %windir%\servicing\Packages
{ComputerName}_ServicingPackage.txt

Servicing logs
DescriptionFile name
reboot.xml from %windir%\winsxs folder
{ComputerName}_reboot.xml

Servicing Policy registry key
DescriptionFile name
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing
{ComputerName}_servicing_FOD_Repair_sources.txt

SMB Client
DescriptionFile name
HKCU\Network
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider
HKLM\SYSTEM\CurrentControlSet\Control\SMB
HKLM\SYSTEM\CurrentControlSet\services\LanManWorkstation
HKLM\SYSTEM\CurrentControlSet\services\lmhosts
HKLM\SYSTEM\CurrentControlSet\services\MrxSmb
HKLM\SYSTEM\CurrentControlSet\services\MrxSmb10
HKLM\SYSTEM\CurrentControlSet\services\MrxSmb20
HKLM\SYSTEM\CurrentControlSet\services\MUP
HKLM\SYSTEM\CurrentControlSet\services\NetBIOS
HKLM\SYSTEM\CurrentControlSet\services\NetBT
HKLM\SYSTEM\CurrentControlSet\services\Rdbss
{ComputerName}_SmbClient_reg_output.TXT
SMB Client Information from Net.exe
{ComputerName}_SmbClient_info.TXT

SMB Server
DescriptionFile name
HKLM\SYSTEM\CurrentControlSet\services\LanManServer
HKLM\SYSTEM\CurrentControlSet\services\SRV
HKLM\SYSTEM\CurrentControlSet\services\SRV2
HKLM\SYSTEM\CurrentControlSet\services\SRVNET
{ComputerName}_SmbServer_reg_output.TXT
SMB Server Information from tools like net.exe
{ComputerName}_SmbServer_info.txt

SQL Server Agent logs
DescriptionFile name
Collects SQL Server Agent logs for all instances that are installed on the computer on which the diagnostic tool is executed, where {INSTANCE_NAME} is the name of the instance or MSSQLSERVER for default instance
{ComputerName}_{INSTANCE_NAME}_1033_SQLAGENT.[OUT | n]

SQL Server AlwaysOn configuration information
DescriptionFile name
SQL Server AlwaysOn configuration information
{ComputerName}_{INSTANCE_NAME}_1033_AlwaysOn.OUT
{ComputerName}_MSSQLSERVER_1033_AlwaysOn.OUT

SQL Server AlwaysOn health logs
DescriptionFile name
SQL Server AlwaysOn health logs
{ComputerName}_{INSTANCE_NAME}_AlwaysOn_health_XeLogs.zip
{ComputerName}_MSSQLSERVER_AlwaysOn_health_XeLogs.zip

SQL Server default system health logs
DescriptionFile name
SQL Server AlwaysOn health logs
{ComputerName}_{INSTANCE_NAME}_system_health_XeLogs.zip
{ComputerName}_MSSQLSERVER_system_health_XeLogs.zip

SQL Server error logs
DescriptionFile name
Collects SQL Server error logs for all instances that are installed on the computer on which the diagnostic tool is executed, where {INSTANCE_NAME} is the name of the instance or MSSQLSERVER for default instance
{ComputerName}_{INSTANCE_NAME}_1033_ERRORLOG[.n]

SQL Server failover cluster health logs
DescriptionFile name
SQL Server failover cluster health logs
{ComputerName}_{INSTANCE_NAME}_FailoverCluster_health_XeLogs.zip
{ComputerName}_MSSQLSERVER_FailoverCluster_health_XeLogs.zip

SQL Server minidump files
DescriptionFile name
A dump inventory report is generated and collected for each discovered instance of SQL Server, where {INSTANCE_NAME} is the name of the instance or MSSQLSERVER for default instance
{ComputerName}_{INSTANCE_NAME}_DumpInventory.log
SQL Server minidump files, where {INSTANCE_NAME} is the name of the instance or MSSQLSERVER for default instance
{ComputerName}_{INSTANCE_NAME}_1033_SqlMiniDumps.zip

SQLDIAG data collection script
DescriptionFile name
SQLDIAG script output
{ComputerName}_{INSTANCE_NAME_1033}_sp_sqldiag_Shutdown.OUT
{ComputerName}_MSSQLSERVER_1033_sp_sqldiag_Shutdown.OUT

Startup and Repair log files
DescriptionFile name
Startup repair process log files from \System32\LogFiles\Srt\SrtTrail.txt
{ComputerName}_SrtTrail.txt

Storage and disk information
DescriptionFile name
Disk Sectors information via secinspect.exe utility output
{ComputerName}_SecInspect.txt

Storage information
DescriptionFile name
Storage and SAN information via San.exe utility output
{ComputerName}_Storage_Information.txt

Storage-related event logs on System log
DescriptionFile name
Parsing of Storage related event logs (Events 6, 7, 9, 11, 15, 50, 51, 57 and 389) on System log using evparse.exe utility
{ComputerName}_StorageEventLogs.htm

Sysprep folder
DescriptionFile name
Contents of %windir%\System32\sysprep
{ComputerName}_sysprep.zip

System Security settings
DescriptionFile name
System Security Settings from secedit.exe utility output
{ComputerName}_Security-settings.inf

TCPIP
DescriptionFile name
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP
HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
HKLM\SYSTEM\CurrentControlSet\services\TCPIP
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6
HKLM\SYSTEM\CurrentControlSet\Services\tcpipreg
{ComputerName}_TCPIP_reg_output.TXT
Microsoft-Windows-Iphlpsvc/Operational
{ComputerName}__evt_*.*
TCP OFFLOAD information from netstat output
{ComputerName}_TCPIP_OFFLOAD.TXT
TCPIP Information from commands like: hostname, ipconfig, route, netstat etc.
{ComputerName}_TCPIP_info.TXT
TCPIP information from netsh output
{ComputerName}_TCPIP_netsh_info.TXT
TCPIP Services File located at: windir\system32\drivers\etc\services
{ComputerName}_TCPIP_ServicesFile.TXT
W8/WS2012 powershell output for TCPIP
{ComputerName}_TCPIP_info_pscmdlets_net.TXT

Terminal Services query results
DescriptionFile name
Query Terminal Services results
{ComputerName}_TSQuery.TXT

Virtual Machine log files
DescriptionFile name
Integration Services Installation Log File located on Windows folder
{ComputerName}_vmguestsetup.log

W32Time
DescriptionFile name
Output of 'W32tm /monitor'
{ComputerName}_W32TM_Monitor.txt
Output of 'w32tm /testif /qps'
{ComputerName}_W32TM_TestIf_QPS.txt
W32Time Debug Log file
{ComputerName}_W32Time.log
W32Time Service Permissions via 'sc sdshow w32time'
{ComputerName}_W32Time_Service_Perms.txt
W32Time Service Status via 'sc query w32time'
{ComputerName}_W32Time_Service_Status.txt
W32TM Query Status via 'w32tm /tz'
{ComputerName}_W32TM_Query_Status.txt
W32TM Stripchart via 'w32tm /stripchart'
{ComputerName}_W32TM_Stripchart.txt

WebClient
DescriptionFile name
HKCU\Network
HKCU\Software\Microsoft\Office\14.0\Common\Internet
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider
HKLM\System\CurrentControlSet\Services\MRxDAV
HKLM\SYSTEM\CurrentControlSet\services\WebClient
{ComputerName}_WebClient_reg_output.TXT
WebClient proxy settings from command: netsh winhttp show proxy
{ComputerName}_WebClient_netsh_winhttp-proxy-settings.txt
WebClient proxy settings from proxycfg.exe output
{ComputerName}_WebClient_proxycfg.txt

Windows Firewall configuration
DescriptionFile name
netsh advfirewall show allprofiles output
netsh firewall show allowedprogram output
netsh firewall show portopening output
{ComputerName}_FirewallConfig.txt

Windows hotfix installation logs
DescriptionFile name
Windows XP and Server 2003 KB Installation Logs from Windows folder
{ComputerName}_KBInstallLogs.zip

Windows Update information
DescriptionFile name
Hotfix installation logs from \windows\kb*.log
{ComputerName}_KB.log.zip

WinHTTP
DescriptionFile name
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc
{ComputerName}_WinHTTP_reg_output.TXT
WinHTTP proxy settings from command: netsh winhttp show proxy
{ComputerName}_WinHTTP_netsh_proxy-settings.txt
WinHTTP proxy settings from proxycfg.exe output
{ComputerName}_WinHTTP_proxycfg.txt

Winlogon log
DescriptionFile name
Winlogon Log file from windows\security\logs
{ComputerName}_winlogon.log

WINS Client
DescriptionFile name
HKLM\SYSTEM\CurrentControlSet\services\WINS
{ComputerName}_WinsClient_reg_output.TXT
WINS Client - LMHOSTS file located at: windir\system32\drivers\etc\LMHOSTS
{ComputerName}_WinsClient_LmhostsFile.TXT
WINS Client information from nbtstat output
{ComputerName}_WinsClient_nbtstat-output.TXT

WINS Server
DescriptionFile name
HKLM\SYSTEM\CurrentControlSet\services\WINS
{ComputerName}_WinsServer_reg_output.TXT
WINS Server information from netsh output
{ComputerName}_WinsServer_netsh_output.TXT

WinSock
DescriptionFile name
Microsoft-Windows-Winsock-AFD/Operational
Microsoft-Windows-Winsock-WS2HELP/Operational
{ComputerName}__evt_*.*
HKLM\SYSTEM\CurrentControlSet\services\AFD
HKLM\SYSTEM\CurrentControlSet\services\WinSock
HKLM\SYSTEM\CurrentControlSet\services\WinSock2
Registry Information for WinSock and AFD:
{ComputerName}_WinSock_reg_.TXT
Winsock information from netsh winsock output
{ComputerName}_WinSock_netsh.TXT


In addition to collecting the information that is described here, this diagnostic package can detect one or more of the following symptoms:
  • Event Logs Messages
  • Detect if the AD FS 2.x website is bound to 'All Unassigned'
  • Detect if the AD FS 2.x application pool identity matches the service identity
  • Detect if the AD FS 2.x application pool pipeline mode is 'Integrated'
  • Detect if the AD FS 2.x application pool properties match expected values
  • Detect if the HTTP service is running
  • Detect if the expected Net.Tcp ports are available for AD FS to use
  • Detect if the AD FS 2.x service properties contain expected values
  • Detect if the AD FS 2.x SSL certificate subject/SAN matches the Federation Service Name
  • Detect if the AD FS 2.x SSL port matches at least one website binding in IIS
  • Detect if the AD FS 2.x SSL certificate thumbprint matches the Service Communications certificate thumbprint
  • Detect if the AD FS 2.x service account properties do not match expected values
  • Detect if the World Wide Web Publishing service is running
  • Detect if the Federation Metadata from the AD FS service and all of its trusts could be downloaded
  • Detect if the AD FS IDP-initiated sign-on web page is available
  • Detect if the Get-AdfsProperties PowerShell cmdlet returned data
  • Check for ADFS Hotfix Rollup 3
  • Detect if the AD FS Service-Communications certificate expires within 60 days
  • Detect if the AD FS Service-Communications certificate is expired
  • Detect if the AD FS Service-Communications certificate is not yet time valid
  • Detect if the AD FS Token-Signing certificate expires within 60 days
  • Detect expired AD FS signing certificate
  • Detect AD FS signing certificate which is not yet time valid
  • Detect if the AD FS SSL certificate expires within 60 days
  • Detect expired AD FS SSL certificate
  • Detect AD FS SSL certificate which is not yet time valid
  • Detect AD FS SSL certificate that does not chain to a trusted root certification authority
  • Detect failure to establish a secure connection using the AD FS host name and SSL port
  • Detect SSL certificate subject which does not match the expected host name
  • Memory Dump Related Issues
  • A %Component% Event Trace Log file was collected
  • Checking for shared PST files
  • Best Practices Analyzer errors or warnings
  • Check for Active Directory replication failures
  • It has been too long since this domain controller replicated
  • Active Directory replication is failing for one or more partitions: Status -2146893022 The target principal name is incorrect
  • Active Directory replication is failing for one or more partitions: Status 1127 - While accessing the hard disk, a disk operation failed even after retries.
  • Active Directory replication is failing for one or more partitions: Status 1256 - The remote system is not available
  • Active Directory replication is failing for one or more partitions: Status 1396 - Logon Failure: The target account name is incorrect
  • Active Directory replication is failing for one or more partitions: Status 1722 - The RPC server is unavailable
  • Active Directory replication is failing for one or more partitions: Status 1753 - There are no more endpoints available from the endpoint mapper
  • Active Directory replication is failing for one or more partitions: Status 5 - Access is denied
  • Active Directory replication is failing for one or more partitions: Status 8452 - The naming context is in the process of being removed...
  • Active Directory replication is failing for one or more partitions: Status 8453 - Replication Access Was Denied
  • Active Directory replication is failing for one or more partitions: Status 8524 - The DSA operation is unable to proceed because of a DNS lookup failure
  • Lingering objects have been detected
  • Active Directory replication is failing for one or more partitions: Status 8451 - The replication operation encountered a database error
  • Active Directory replication is failing for one or more partitions: Status 1818 - The remote procedure call was cancelled
  • Active Directory replication is failing for one or more partitions: Status 8456 or 8457: The source or destination server is currently rejecting replication requests
  • Active Directory replication is failing for one or more partitions with status 8589
  • Active Directory replication is failing for one or more partitions with status 8333 - Directory Object not Found
  • Active Directory replication is failing for one or more partitions: Status 8446 - The replication operation failed to allocate memory
  • Active Directory replication is failing for one or more partitions: Status 8240 - There is no such object on the server
  • Active Directory replication is failing for one or more partitions: Status 1783 - The stub received bad data
  • Check for potentially risky audit failure settings (CrashOnAuditFail)
  • Check for a possible STOP error caused by audit failure
  • Check for High CPU usage by Local Security Authority Subsystem Service (LSASS)
  • Check whether either SYSVOL and/or NETLOGON shares are missing on domain controller
  • Check for domain controller missing Rid Set reference attributes in Active Directory
  • Check whether DC is pointing to itself for DNS exclusively
  • Check for USN Rollback
  • Check state of Intersite Messaging service.
  • Check whether DFSR UpdateWorkerThreadCount setting is lower than 64
  • Detect if IPv6 was disabled on a domain controller
  • Detect Win32time configuration for time skew
  • Detect MaxConcurrentApi NTLM bottlenecks or delays
  • Detect Certificates with Weak RSA Keys
  • Trusted Root Certificate Authority List Size Problem
  • Check whether cluster groups are in Offline or Failed state
  • Check for errors gathering cluster information via Get-ClusterNode cmdlet
  • Check whether the state of one or more cluster nodes is down or paused
  • Check whether Cluster service is not running or offline
  • Check whether the Cluster Name Object (CNO) exists and it is enabled in Active Directory
  • Check whether Cluster Shared Volumes is configured to Redirected access
  • Check whether Cluster Shared Volumes is configured for Local Access
  • Check whether Cluster Shared Volumes is configured to Maintenance Mode
  • Check whether Cluster Shared Volumes is configured to Network Access
  • Check for third party virtualization solution from Xsigo
  • Check for LmCompatibilityLevel setting
  • Check firewall rules on cluster nodes with IPv6 enabled
  • Detect if there are no orphan resources
  • Check whether FailoverCluster Crypto resource exists
  • Check for FailoverCluster missing dependent resources
  • Detect if Cluster nodes have the correct CAU WMI namespace registered
  • Detect if Cluster nodes have the correct MSCluster WMI namespace registered
  • Check DNS Zones for top level CNAME records
  • Windows Firewall start mode check
  • Windows Firewall Running check
  • IPv6 check
  • IPv6 6To4 interface check
  • Check whether more than 32GB of Physical Memory and Operating System is Windows 2008 R2 Standard Edition
  • Check whether PMTU has been disabled on machine
  • Check for unexpected TcpIp registry settings (KB 967224)
  • Check for excessive number of 6to4 adapters which may result in decreased startup and logon performance
  • Check whether Tunnel.sys driver is missing on a Windows Server 2008 R2 Server Core installation option
  • Check for problem related Microsoft DHCP Relay Agent which may cause slow boot (KB2459530)
  • Checking network adapters for an MTU of 1514.
  • Checking network adapters for low Path MTU connections.
  • Check HTTP Redirection on TSGateway
  • Check whether the SMB2 Client driver has been disabled.
  • Check whether the SMB2 Server driver has been disabled.
  • Check whether Opportunistic Locking has been disabled
  • Check whether InfoCacheLevel setting is configured to enable caching for all files and folders
  • Check whether McAfee HIPS 7.0 is installed
  • Detect Split IO Problems
  • One or more processes are using a high number of handles
  • Possible Kernel Memory performance related problem
  • This system is currently running under low System PTEs
  • This system is currently running under low Virtual Memory
  • Checks if Appsense EM 8.1 is installed on machine
  • Check for large number of Inactive Terminal Services ports
  • Checking if Registry Size Limit setting is present on the system
  • Check PoolUsageMaximum Setting
  • Check for McAfee Endpoint Encryption version which may cause slow boot issues
  • Check for terminal services licensing binary versions for Windows Server 2003
  • Check for specific version of SEP that may cause handle leak
  • Check RPC settings for allowing unauthenticated sessions
  • Check for Performance counters to see if there is an issue with NTFS metafile cache memory consumption
  • Check for ProcessorAffinityMask setting for multiprocessor Windows Server 2003 machines
  • Check for ClearPageFileAtShutdown setting which may cause slow shutdown
  • Check for NMICrashDump setting on HP ProLiant DL385 G5
  • Check state of Search Service when Lenovo Rapid Boot Software is installed
  • Check pool memory allocated for 'D2d' tag
  • Check pool memory allocated for RxM4 and SeTI tag
  • Check pool memory allocated for 'SslC' tag
  • Check pool memory allocated for 'Toke' tag on terminal services
  • Older version of MPIO.SYS was detected in this machine and Nonpaged pool kernel memory leak detected on Windows Server 2003 with Multipathing solution installed
  • Check for Broadcom Advanced Server Program driver information
  • Detect Aladdin Knowledge Systems Device Drivers
  • Detect memory consumption of Mountmgr.sys driver
  • Detect Pool Memory Allocation for ALPC and Power Management
  • Check 'Ica' non-paged pool usage and file version of WDICA.SYS
  • Check the state of Application Compatibility Engine
  • Check pool memory usage from Citrix XTE process
  • Check whether Users group has permissions under HKCR\CLSID
  • Check HeapDecommitFreeBlockThreshold registry value
  • Check for specific version of wsftpsi.dll known to cause Explorer crashes
  • Detect Netapi32.dll version
  • Detect if fail to install due to an invalid Registry entry for Autoruns
  • Check for missing registry keys that can cause issues with Component Services
  • Detect version of eEye Digital Security drivers
  • Check for 3GB and PAE settings in boot.ini
  • Check the state of DCOM and DTS service and if RPC port range is configured
  • Check state of Event Log service when GPP is enabled
  • Check whether KB2480954 is installed on computers with Windows RM configured
  • Check whether DisablePagingExecutive is enabled in the registry
  • Detect presence of HKLM\SOFTWARE\Microsoft\ServerManager\MgmtProvider\FeatureInfoXml
  • Detect number of prtprocs subfolders and Microsoft-Windows-PrintService event logs
  • Check version of Umpo.dll and handle count of WMI Services
  • Check for Event ID 5 from Windows Backup (KB 2182466)
  • Check for Veritas disk VXIO device states
  • Check the number of entries in FilesNotToBackup registry key
  • Check for BitLocker Drive Encryption Fixed Data Drive Read-Only Policy
  • Detect the presence of vLite software through registry key
  • Check state of 'Application Compatibility Engine' policy
  • Detect Advanced Format Drives
  • Detect Native 4K drives on the system
  • KB982018 is not installed or files are outdated
  • Possible startup performance problems on Hyper-V Servers due to a large number of orphaned registry keys
  • Check whether there are any virtual machines with High CPU utilization
  • Check whether Dynamic Memory is enabled on one or more Virtual Machines
  • Check whether Dynamic Memory is enabled on one or more Virtual Machines with old Integration Services
  • Check for version mismatches of Integration Services
  • Check whether one or more Virtual Machines have virtual hard drives located on a disk with Advanced Format Drives (512e disks)
  • Check Xeon Processor 5500 Series processor erratum related with Hyper-V (KB 975530)
  • Check whether update KB2263829 is installed on Hyper-V on Windows Server 2008 R2 Service Pack 1 systems
  • Check for event ID 21203 or 21125 in the Microsoft-Windows-Hyper-V-High-Availability/Admin event log over the past 15 days.
  • Detect if the Hyper-V host machine enabled the I/O verification option
  • Check whether event 14050 exists under Microsoft-Windows-Hyper-V-VMMS/Admin during last 7 days
  • Check BIOS release date for known computer models
  • Check for Symantec Endpoint Protection MR1/MR2
  • Check whether EMC Replistor Software is on machine but KB 975759 is not installed
  • Check for unsupported versions of Windows Vista or Windows Server 2008
  • Check whether DEP and PAE are enabled on a 32-bit system
  • Check whether Utimaco Safeware disk encryption is installed and current version
  • Check whether Telnet service is running under System account
  • Check for known issue with BIOS version of PowerEdge R910, R810 and M910
  • Check the value of 'SystemPages' in Memory Management registry key
  • Detect if this machine is a Virtual Machine running in Microsoft Azure
  • Detect Windows XP End-of-Support
  • Detect if current version of HPCISSS2.SYS is a known version that may cause blue screen issues
  • Print Drivers and Printers information
  • Check for ephemeral port usage

References

For more information about the Microsoft Automated Troubleshooting Services and about the Support Diagnostics Platform, please open the following Microsoft Knowledge Base article:


2598970 Information about Microsoft Automated Troubleshooting Services and Support Diagnostic Platform

Properties

Article ID: 2958274 - Last Review: 20 Jun 2014 - Revision: 1
