Category: Quest ARS

Troubleshooting slow logons:

Logon process:

Tools for troubleshooting:

And powershell:

Analyze GPOs load time:


How to use Xperf, Xbootmgr, Procmon, WPA?

xperf, xbootmgr and xperfview come with the Windows ADK (the Windows Performance Toolkit component). Procmon is a Sysinternals tool.

Other interesting articles:


Windows Performance Analyzer (wpa.exe) youtube:

Xperf data collection tool:


For boot tracing:

xbootmgr -trace boot -traceFlags BASE+CSWITCH+POWER -resultPath C:\TEMP

with boot phases:
xbootmgr -trace boot -traceflags base+latency+dispatcher -stackwalk profile+cswitch+readythread -notraceflagsinfilename -postbootdelay 120 -resultPath C:\TEMP

For shutdown tracing:

xbootmgr -trace shutdown -noPrepReboot -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Standby+Resume:

xbootmgr -trace standby -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Hibernate+Resume:

xbootmgr -trace hibernate -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

Replace C:\TEMP with any temporary directory on your machine in which the output files should be stored.

Analysis of the boot trace:


To start, create a summary XML file by running this command (replace the file name with the name of your .etl file):

xperf /tti -i boot_BASE+CSWITCH+POWER_1.etl -o summary_boot.xml -a boot

Analysis of the shutdown trace:

The shutdown is divided into these three parts:


To generate an XML summary of shutdown, use the -a shutdown action with Xperf:

xperf /tti -i shutdown_BASE+CSWITCH+DRIVERS+POWER_1.etl -o summary_shutdown.xml -a shutdown



How to list and install Windows features from PowerShell?

Import-Module servermanager

Get-WindowsFeature | Where-Object {$_.installed} | Format-Table -AutoSize

Get-WindowsFeature | Where-Object {$_.Installed -match "True"} | Select-Object -Property Name

Get-WindowsFeature | Where-Object {$_.Installed -match "True"} | Select-Object -Property Name | Out-File d:\Temp\Features.txt

To install the features:

Add-WindowsFeature NetFx2-ServerCore
Add-WindowsFeature NetFx2-ServerCore-WOW64
Add-WindowsFeature NetFx3-ServerCore
Add-WindowsFeature NetFx3-ServerCore-WOW64

To automate a little bit more:

On the source server (master):

Get-WindowsFeature | Where-Object { $_.Installed } | Where-Object { $_.SubFeatures.Count -eq 0 } | Export-Clixml d:\temp\features.xml
Copy-Item d:\temp\features.xml \\remoteserver\d$\temp

On the remote server (target):

$file = Import-Clixml d:\temp\features.xml

$file | Add-WindowsFeature


Finding remote sessions connected to your computer
Who is running a (hidden) remote PowerShell session on your machine? Here's a simple one-liner:
Get-WSManInstance -ConnectionURI ('http://{0}:5985/wsman' -f $env:computername) -ResourceURI shell -Enumerate
It returns everyone connected to your machine via port 5985. However, if you're not running in a domain environment,
you first have to enable non-Kerberos connections
(remember that without Kerberos you no longer know for sure that the target computer really is the computer it claims
to be):
Set-Item WSMan:\localhost\Client\TrustedHosts * -Force

Back in the Windows Vista days, we introduced a new security delegation module called Credential Security Service Provider (CredSSP). This was originally designed to work with Terminal Services because everything in Terminal Services is basically a second hop.

CredSSP 101:

1) On the client computer, I need to use the Enable-WSManCredSSP cmdlet to enable the client role and then specify the computer to which I want to delegate my credentials. This command is shown here.

Enable-WSManCredSSP -Role Client -DelegateComputer remoteserver.mydomain.local -Force

2) Now, I also need to make a change on the remote server to permit it to use delegated credentials. This command is shown here.

Enable-WSManCredSSP -Role Server -Force

3) Still on the remote server:

Note: remoting is turned off by default; you have to run Enable-PSRemoting to turn it on.

PS> Get-PSSessionConfiguration |fl *

If you decide you want to allow others, what you do is run the command:

PS> Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI   ; the GUI appears: add the account you want to allow remote access and check the boxes Read (get, enumerate, subscribe) and Execute (invoke):

Are you sure you want to perform this action?
Performing operation "Set-PSSessionConfiguration" on Target "Name: Microsoft.PowerShell".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): y

4) Still on the remote server, stop and start WinRM:

net stop winrm

net start winrm

5) From the client computer, you can use the following PowerShell script with CredSSP:

  1. When making the PS Session, ensure that I use -Authentication CredSSP.
  2. When making the PS Session, ensure that I use the FQDN of the remote server. (This is true because I specified the delegate computer as * If I had specified the delegate computer as, I would not need the FQDN.)

My CredSSP script is shown here.

$credential = Get-Credential -Credential mydomain\administrator

$session = New-PSSession -cn remoteserver.mydomain.local -Credential $credential -Authentication Credssp

Invoke-Command -Session $session -ScriptBlock { … }

Invoke-Command -Session $session -ScriptBlock { Get-WUHistory }


WinRM troubleshooting:



wusa <update>.msu /quiet /norestart /log

example: wusa d:\hotfixes\Windows8.1-KB29456426.msu /quiet /norestart

You can use the Windows Management Instrumentation Command-line (WMIC) to view the installed updates on your computer:

wmic qfe list

Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status

If the WMIC output is difficult to read, you can use systeminfo instead, as follows:

systeminfo | findstr /i /c:"KB29456426"

[18]: KB29456426

How to use WUSA with Powershell?

Get-Item .\* | %{Expand-ZipFile -FilePath $_.FullName -OutputPath d:\hotfixes}

# Install each .msu in turn; wusa.exe returns immediately, so poll until the process exits before starting the next one
Get-Item d:\hotfixes\*.msu | ForEach-Object { wusa "$($_.FullName)" /quiet /norestart; while (Get-Process wusa -ErrorAction SilentlyContinue) { Write-Host "Installing $($_.Name)"; Start-Sleep -Seconds 5 } }

Get-HotFix | Where Description -match hotfix
(Get-HotFix | Where Description -match hotfix).count





From Event Viewer (eventvwr, GUI) you can export events to a log file; EventCombMT can do so as well.

You can use eventwatchnt, eventsentry (GUI) from

How to store events on SQL table:

How to export forwarded events using get-winevent:

Write-Host "Dump Quest ARS Forwarded Events (only the last hour)"
$date = Get-Date -Format ddMMyyyy
$log  = ".\logs\Dump-QARS-ForwardedEvents-" + $date + ".txt"
New-Item -ItemType Directory -Path .\logs -Force | Out-Null   # Out-File needs the folder to exist

# All levels (0-5) from the ForwardedEvents log, created within the last hour (timediff is in milliseconds)
$xml = '<QueryList>
  <Query Id="0" Path="ForwardedEvents">
    <Select Path="ForwardedEvents">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 3600000]]]</Select>
  </Query>
</QueryList>'

# -ErrorAction SilentlyContinue: Get-WinEvent throws "No events were found" when the hour is empty
$events = Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue | Select-Object ID, LevelDisplayName, LogName, MachineName, Message, ProviderName, RecordID, TaskDisplayName, TimeCreated

$events | Out-File -FilePath $log -Append

Write-Host ""


To dump events from the command line you can use:

1) psloglist from

ex: psloglist -a 01/12/15 application -n 5    ; in this example I export the last 5 events from 12th Jan 2015 located on application event log.

ex: psloglist -a 01/12/15 -w -x security        ; in this example I export new security events coming with extended data

ex: psloglist -a 01/12/15 application -n 5 -s -t "\t" > c:\temp\output.txt  ; in this example I exported the last 5 application events, one per line separated by tabs, and redirected them to an output file. After that I can open output.txt in Excel.

same example but using a specific event ID: psloglist -i 851 security -s -t "\t" > c:\temp\output.txt

other example:

@echo off

rem Split "date /t" (day dd/mm/yyyy in this locale) and "time /t" into variables used to stamp the output file name
for /f "tokens=1,2,3,4* delims=/ " %%i in ('date /t') do set TDDAY=%%i&set TDMM=%%j&set TDDD=%%k&set TDYY=%%l
for /f "tokens=1* delims=:" %%i in ('time /t') do set HH=%%i&set MM=%%j
echo Starting EDM server log dump (please wait, it takes time)...
rem %1 = start date (mm/dd/yy) passed on the command line; -x adds extended data, -s/-t "\t" give one tab-separated line per event
psloglist -accepteula \\server01,server02 -a %1 "EDM Server" -x -s -t "\t" >.\logs\Dump-Log_%TDDD%%TDMM%%TDYY%.txt


2) using wevtutil:

3) Using powershell:

4) using logparser:


Security best practices for IIS 8:

Installing IIS 7.5 on 2008 R2:

IIS 8.5 in 2012 R2:

SSL Differences between IIS6,IIS7,IIS8:

GPO troubleshooting:

In Windows 7 or Windows 2008 R2 or above, one good way of looking at all aspects of Group Policy is via the client's event log.

  • Open the event log (eventvwr.exe from the search/command box).
  • Open Event Viewer (Local)
  • Open Applications and Services Logs
  • Open Microsoft
  • Open Windows
  • Open GroupPolicy and click on Operational

Events 4016 and 5016 show the start and end of processing of groups of policies, including how long it took to apply each one in the end event.

Event 5312 shows policies that will be applied, and 5317 shows policies that are explicitly filtered out.

Events 8000 and 8001 respectively show the total processing time for computer boot and user boot GP processing, and 8006 and 8007 show the same for interim/periodic GP processing.
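To read those same events without clicking through Event Viewer, here is an added PowerShell example (not part of the original notes) that pulls the 5016 and 8000/8001/8006/8007 events from the GroupPolicy Operational log and lists the slowest client-side extensions and the total time of each processing pass. It assumes the EventData field names CSEExtensionName, CSEElaspedTimeInMilliSeconds (spelled that way in the provider schema) and PolicyElaspedTimeInSeconds; run it from an elevated prompt.

```powershell
# Added example: summarise Group Policy processing time from the Operational log.
# Assumed EventData field names: CSEExtensionName / CSEElaspedTimeInMilliSeconds on
# event 5016, PolicyElaspedTimeInSeconds on 8000/8001/8006/8007.
param([int]$Hours = 24, [int]$Top = 10)

$log    = 'Microsoft-Windows-GroupPolicy/Operational'
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Id = 5016, 8000, 8001, 8006, 8007 } -ErrorAction Stop

# Read a named EventData field from the event XML, so we do not depend on the localized Message text.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 5016 = "Completed <CSE> Extension Processing in N milliseconds": one row per CSE run, slowest first.
$cse = foreach ($e in ($events | Where-Object { $_.Id -eq 5016 })) {
    [pscustomobject]@{
        Time  = $e.TimeCreated
        CSE   = Get-EventField $e 'CSEExtensionName'
        Ms    = [int](Get-EventField $e 'CSEElaspedTimeInMilliSeconds')
        Error = Get-EventField $e 'ErrorCode'
    }
}
Write-Host "Slowest client-side extensions (last $Hours h):"
$cse | Sort-Object Ms -Descending | Select-Object -First $Top | Format-Table -AutoSize

# 8000/8001 end boot/logon processing, 8006/8007 end periodic refresh; each carries the total elapsed seconds.
$totals = foreach ($e in ($events | Where-Object { $_.Id -in 8000, 8001, 8006, 8007 })) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Kind    = switch ($e.Id) { 8000 { 'computer boot' }; 8001 { 'user logon' }; 8006 { 'computer periodic' }; 8007 { 'user periodic' } }
        Seconds = [int](Get-EventField $e 'PolicyElaspedTimeInSeconds')
    }
}
Write-Host "Total Group Policy processing time per pass:"
$totals | Sort-Object Time | Format-Table -AutoSize
```

A logon pass whose 8001 total is far larger than the sum of its 5016 rows points at something other than a CSE (DC discovery, slow SYSVOL access), which the 4016/5016 pairs alone will not show.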

How to enable GPO logging on Windows 7 / 2008 R2
It is similar to the User Environment Debug Logging in Windows XP / 2003.

Windows 7 / 2008 R2 Group Policy events are located in Event Viewer under
\Applications and Services Logs\Microsoft\Windows\Group Policy\Operational.

While Windows 7 logs many events to the event log, you sometimes need more information than the Operational log provides.

GPO is processed by the Windows service called "Group Policy Client". You can enable a detailed diagnostic log for this service via the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]

(need to reboot or restart the service).

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  3. On the Edit menu, point to New, and then click Key.
  4. Type Diagnostics, and then press ENTER.
  5. Right-click the Diagnostics subkey, point to New, and then click DWORD Value.
  6. Type GPSvcDebugLevel, and then press ENTER.
  7. Right-click GPSvcDebugLevel, and then click Modify.
  8. In the Value data box, type 0x00030002, and then click OK.
  9. Exit Registry Editor.
  10. At a command prompt, type the following command, and then press ENTER: gpupdate /force
  11. View the Gpsvc.log file in the following folder: %windir%\debug\usermode
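The same eleven steps as a PowerShell function, added here as an example and not taken from the original notes: the registry path, value name and 0x00030002 data are the ones in the steps above; the function name Set-GpsvcDebugLogging and its -Disable switch (to remove the value again once troubleshooting is done) are my own. Run it elevated.

```powershell
# Added example: enable (or disable) GPSvc debug logging and show the log's failure lines.
function Set-GpsvcDebugLogging {
    param([switch]$Disable)

    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    $name = 'GPSvcDebugLevel'
    $log  = Join-Path $env:windir 'debug\usermode\gpsvc.log'   # step 11

    if ($Disable) {
        # Verbose logging grows quickly and records policy details; turn it off when done.
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        Write-Host "GPSvc debug logging disabled."
        return
    }

    # Steps 3-8: create the Diagnostics key (no-op if present) and the DWORD value 0x00030002.
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0x00030002 -Force | Out-Null

    # Step 10: force a policy refresh so the Group Policy Client starts writing the log.
    gpupdate /force | Out-Null

    # Step 11: surface error lines first; they usually name the CSE or GPO that is slow or broken.
    if (Test-Path $log) {
        $lines = Get-Content $log
        Write-Host ("gpsvc.log: {0} lines; entries mentioning errors or failures:" -f $lines.Count)
        $lines | Select-String -Pattern 'fail|error' | Select-Object -First 20
    } else {
        Write-Warning "$log not found yet: restart the 'Group Policy Client' service or reboot, then run again."
    }
}
```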

GPO Basics:

1) structure of a GPO:

The Group Policy Container (GPC), which exists in Active Directory.


The Group Policy Template (GPT), where the actual content of your GPOs resides.

A third component, known as Client-Side Extensions (CSEs), is found on client devices and is necessary for them to properly process the Group Policies assigned to them.


2) GPO processing (LSDOU):


GPO management with PowerShell:

PowerShell - how to translate a GPO GUID to a name?

Get-GPO -Guid "{AD7E3746-7135-496B-A1F5-B5B11871F96F}"

PowerShell - how to list all GPOs?

Get-GPO -all

Get-GPO -All | Format-Table -AutoSize

Get-GPO -all | out-gridview

PowerShell - how many GPOs?

(get-gpo -all).count

PowerShell - how to translate a GPO name to a GUID?

PS Z:\ADGPO management> Get-GPO -All | Where-Object { $_.Id -like "bd9df1be-3663-4cb4-bb71-35f7e27c691f" } | Select-Object Id, DisplayName | Format-Table -AutoSize

Id                                   DisplayName
--                                   -----------
bd9df1be-3663-4cb4-bb71-35f7e27c691f Corporate-A-All-Settings-Restore