[SDP 3][df8807f4-2327-4c3b-94fa-c8d6c14c3db4] Firewall Diagnostic

Applies to: Windows 8, Windows Server 2012 Datacenter

Summary


The Firewall Diagnostic collects data for troubleshooting firewall-related issues.

More Information


The Firewall Diagnostic collects data either statically or interactively.

The Static Data Collection option collects static configuration data.

The Interactive Data Collection option allows the user to collect data while the issue is reproduced, and then also collects static configuration data.

Interactive data collection enables tracing with the NetConnection netsh trace scenario and WFP logging (netsh wfp capture logging).

Information Collected


Firewall Diagnostic: Interactive Data Collection
Description | File name
NetConnection Scenario Tracing: The file "netshtrace.cab" contains the compressed version of netshtrace.etl and several other static files.
netshtrace.cab
NetConnection Scenario Tracing: The file "netshtrace.etl" contains the ETL output from this command: "netsh.exe trace start scenario=NetConnection tracefile=netshtrace.etl capture=yes"
netshtrace.etl
Problem Steps Recorder output: The file "IssueSteps.zip" contains the output from Problem Steps Recorder (PSR.EXE).
IssueSteps.zip
WFP Tracing: The file "wfpdiag.cab" contains the output from this command: "netsh.exe wfp capture start"
wfpdiag.cab

Certificates Information
Description | File name
Certutil command to show certificates in the machine store: certutil -silent -store my
{ComputerName}_Certificates-machinestore.TXT
Certutil command to show certificates in the user store: certutil -silent -user -store my
{ComputerName}_Certificates-userstore.TXT
HKLM\SYSTEM\CurrentControlSet\services\CertPropSvc
HKLM\SYSTEM\CurrentControlSet\services\crypt32
HKLM\SYSTEM\CurrentControlSet\services\CryptSvc
HKLM\SYSTEM\CurrentControlSet\services\SCardSvr
HKLM\SYSTEM\CurrentControlSet\services\SCPolicySvc
{ComputerName}_Certificates_reg_.TXT
Microsoft-Windows-CAPI2/Operational
{ComputerName}__evt_*.*

Firewall
Description | File name
[W8/WS2012] Get-NetFirewallProfile
[W8/WS2012] Get-NetFirewallRule
[W8/WS2012] Get-NetIPsecMainModeSA
[W8/WS2012] Get-NetIPsecQuickModeSA
[W8/WS2012] Show-NetFirewallRule
[W8/WS2012] Show-NetIPsecRule -PolicyStore ActiveStore
{ComputerName}_Firewall_info_pscmdlets.TXT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
HKLM\SYSTEM\CurrentControlSet\Services\BFE
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT
HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
{ComputerName}_Firewall_reg_.TXT
Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose
{ComputerName}__evt_*.*
netsh advfirewall consec show rule all any dynamic verbose
netsh advfirewall consec show rule all any static verbose
{ComputerName}_Firewall_netsh_advfirewall-consec-rules.TXT
netsh advfirewall export
{ComputerName}_Firewall_netsh_advfirewall-export.wfw
netsh advfirewall firewall show rule name=all
{ComputerName}_Firewall_netsh_advfw-firewall-rules.TXT
netsh advfirewall monitor show consec verbose
{ComputerName}_Firewall_netsh_advfirewall-consec-rules-active.TXT
netsh advfirewall monitor show firewall verbose
{ComputerName}_Firewall_netsh.TXT
netsh advfirewall show allprofiles
netsh advfirewall show allprofiles state
netsh advfirewall show currentprofile
netsh advfirewall show domainprofile
netsh advfirewall show global
netsh advfirewall show privateprofile
netsh advfirewall show publicprofile
netsh advfirewall show store
{ComputerName}_Firewall_netsh_advfirewall.TXT
netsh wfp show boottimepolicy file=
{ComputerName}_Firewall_netsh_wfp-show-boottimepolicy.XML
netsh wfp show filters file=
{ComputerName}_Firewall_netsh_wfp-show-filters.XML
netsh wfp show netevents file=
{ComputerName}_Firewall_netsh_wfp-show-netevents.XML
netsh wfp show options optionsfor=keywords
{ComputerName}_Firewall_netsh_wfp-show-options-optionsforkeywords
netsh wfp show options optionsfor=netevents
{ComputerName}_Firewall_netsh_wfp-show-options-optionsfornetevents
netsh wfp show security netevents
{ComputerName}_Firewall_netsh_wfp-show-security-netevents.TXT
netsh wfp show state file=
{ComputerName}_Firewall_netsh_wfp-show-state
netsh wfp show sysports file=
{ComputerName}_Firewall_netsh_wfp-show-sysports.XML

General Information
Description | File name
Basic System Information including machine name, service pack, computer model and processor name and speed
resultreport.xml

List of installed updates and hotfixes
{ComputerName}_Hotfixes.*
List of user SID, group memberships, and privileges via the 'Whoami /all' output
{ComputerName}_Whoami.txt
Resultant Set of Policy (RSoP) generated by gpresult.exe utility
{ComputerName}_GPResult.*
System Information - MSInfo32 tool output
{ComputerName}_msinfo32.nfo
{ComputerName}_msinfo32.txt

Group Policy Client
Description | File name
Microsoft-Windows-GroupPolicy/Operational
{ComputerName}__evt_*.*

Internet Explorer
Description | File name
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings
{ComputerName}_InternetExplorer_reg_output.TXT

IPsec
Description | File name
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec
HKLM\SYSTEM\CurrentControlSet\Services\IKEEXT
HKLM\SYSTEM\CurrentControlSet\Services\IPsec
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
{ComputerName}_IPsec_reg_.TXT
IPsec information from command: netsh dynamic show all
{ComputerName}_IPsec_netsh_dynamic.TXT
IPsec information from command: netsh ipsec static exportpolicy
{ComputerName}_IPsec_netsh_LocalPolicyExport.ipsec
IPsec information from command: netsh static show all
{ComputerName}_IPsec_netsh_static.TXT
W8/WS2012 PowerShell output for IPsec
{ComputerName}_IPsec_info_pscmdlets.TXT

Kerberos tickets and TGT
Description | File name
Kerberos Information from klist.exe output
{ComputerName}_Kerberos_klist.txt

Network Adapters
Description | File name
W8/WS2012 PowerShell output for Network Adapter information
{ComputerName}_NetworkAdapters_info_pscmdlets.TXT

Network Connections
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\Netman
{ComputerName}_NetworkConnections_reg_.TXT
W8/WS2012 PowerShell output for Network Connections
{ComputerName}_NetworkConnections_info_pscmdlets.TXT

Network LBFO
Description | File name
W8/WS2012 PowerShell output for Network LBFO
{ComputerName}_NetworkLBFO.TXT

Network List
Description | File name
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
HKLM\SYSTEM\CurrentControlSet\services\netprofm
{ComputerName}_NetworkList_reg_.TXT
Microsoft-Windows-NetworkProfile/Operational
{ComputerName}__evt_*.*

Network Location Awareness
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc
{ComputerName}_NetworkLocationAwareness_reg_.TXT
Microsoft-Windows-NlaSvc/Operational
{ComputerName}__evt_*.*

Network Store Interface
Description | File name
HKLM\SYSTEM\CurrentControlSet\services\nsi
HKLM\SYSTEM\CurrentControlSet\services\nsiproxy
{ComputerName}_NetworkStoreInterface_reg_.TXT

Proxy Configuration
Description | File name
Copies PAC files from Internet Explorer locations
Network Isolation Policy registry information
Proxy Configuration: Firewall Client Proxy Configuration (ISA/TMG)
Proxy Configuration: IE System
Proxy Configuration: IE User
Proxy Configuration: WinHTTP

TCPIP
Description | File name
HKLM\SOFTWARE\Policies\Microsoft\Windows\TCPIP
HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
HKLM\SYSTEM\CurrentControlSet\services\TCPIP
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6
HKLM\SYSTEM\CurrentControlSet\Services\tcpipreg
{ComputerName}_TCPIP_reg_output.TXT
Microsoft-Windows-Iphlpsvc/Operational
{ComputerName}__evt_*.*
TCP OFFLOAD information from netstat output
{ComputerName}_TCPIP_OFFLOAD.TXT
TCPIP Information from commands like: hostname, ipconfig, route, netstat etc.
{ComputerName}_TCPIP_info.TXT
TCPIP information from netsh output
{ComputerName}_TCPIP_netsh_info.TXT
TCPIP Services File located at: %windir%\system32\drivers\etc\services
{ComputerName}_TCPIP_ServicesFile.TXT
W8/WS2012 PowerShell output for TCPIP
{ComputerName}_TCPIP_info_pscmdlets_net.TXT

WinHTTP
Description | File name
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc
{ComputerName}_WinHTTP_reg_output.TXT
WinHTTP proxy settings from command: netsh winhttp show proxy
{ComputerName}_WinHTTP_netsh_proxy-settings.txt
WinHTTP proxy settings from proxycfg.exe output
{ComputerName}_WinHTTP_proxycfg.txt

WinSock
Description | File name
Microsoft-Windows-Winsock-AFD/Operational
Microsoft-Windows-Winsock-WS2HELP/Operational
{ComputerName}__evt_*.*
HKLM\SYSTEM\CurrentControlSet\services\AFD
HKLM\SYSTEM\CurrentControlSet\services\WinSock
HKLM\SYSTEM\CurrentControlSet\services\WinSock2
Registry Information for WinSock and AFD:
{ComputerName}_WinSock_reg_.TXT
Winsock information from netsh winsock output
{ComputerName}_WinSock_netsh.TXT


In addition to collecting the information that is described earlier, this diagnostic package can detect one or more of the following symptoms:

  • Event Logs Messages
  • A %Component% Event Trace Log file was collected

References

For more information about the Microsoft Automated Troubleshooting Services and about the Support Diagnostics Platform, please open the following Microsoft Knowledge Base article:


2598970 Information about Microsoft Automated Troubleshooting Services and Support Diagnostic Platform