---
author: Olivier De Ram
date: 2018-08-25T22:08:15+02:00
draft: false
title: Windows troubleshooting
---

## Windows troubleshooting

QUESTIONS (open points):
+ opening a host from the ticketing system: which user and password?
+ a custom Event Viewer view?
+ a test server?

### *EventViewer*

run: `eventvwr`

- Custom Views
- Windows Logs
  - Application: non-standard Windows components (Puppet, VMware, MSSQL, ...)
  - Security: logon and logoff (4624 = logon, 4634 = logoff; reading this log needs an elevated session)
  - Setup: updates, installing and removing programs
  - System: OS messages
- Applications and Services Logs: for digging deeper

--> Filter Current Log:
- Logged (date range)
- Event level
- Event source
- Event ID: `99,-1024,-4634` (comma-separated list; a leading minus excludes that ID, so this shows 99 and hides 1024 and 4634)

Bottom right (Actions pane) > Copy > Copy Details as Text: pastes the selected event into a ticket.

### *PowerShell*

```powershell
# Oldest and newest entry of the classic System log.
# Get-EventLog returns newest first, only reads the classic logs and is gone in
# PowerShell 6+ (use Get-WinEvent there).
$first = Get-EventLog -LogName System | Select-Object -Last 1
$last  = Get-EventLog -LogName System -Newest 1
```

```powershell
# Task Scheduler operational log, entries whose message contains "insta"
# (install, instance, ...). Quotes must be plain ASCII single quotes.
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' |
    Where-Object { $_.Message -like '*insta*' }
```

### *Task Manager*

- Processes
- Users
- Performance: if the machine has crashed, confirm it here; if it looks healthy, suspect the network

### *Resource monitor*

(Task Manager > Performance > Open Resource Monitor)

Overview > CPU (top pane): tick an application --> every other pane (Disk, Network, Memory) is filtered to that process.

### *Netstat*

`netstat -abo > C:\temp\log.txt`

`-a` all connections and listening ports, `-b` the executable that owns each one (needs an elevated prompt), `-o` the owning PID. Add `-n` to skip DNS lookups on a slow host.

### *Chocolatey / Procmon*

`C:\ProgramData\chocolatey\bin\Procmon.exe`

--> select a line + column > Exclude 'name' (= `grep -v`) / Include 'name' (= `grep`)

### *Useful programs*

- TreeView
- BlueScreenView
- Sysinternals
- Zabbix
- VMware events
- BareTail
- `choco install <package>`
- `choco list -lo` (list locally installed Chocolatey packages; in Chocolatey 2.x `choco list` is local-only by default)
- `telnet 12.34.56.78 900` (check whether a TCP port answers; the telnet client is an optional Windows feature, `Test-NetConnection 12.34.56.78 -Port 900` works without it)
- PowerShell: `Stop-Service -Name 'name'`

### *Event IDs*

All of these are in the System log; 6005 to 6013 come from the EventLog source, 1074 and 1076 from User32.

- Event ID 6005: "The event log service was started." Synonymous with system startup.
- Event ID 6006: "The event log service was stopped." Synonymous with a clean system shutdown.
- Event ID 6008: "The previous system shutdown was unexpected." Recorded when the system starts after it was not shut down properly (no 6006 before the boot).
- Event ID 6009: The Windows product name, version, build number, service pack number and operating system type detected at boot time.
- Event ID 6013: The uptime of the computer. There is no TechNet page for this ID.

A couple more, taken from Server Fault answers:

- Event ID 1074: "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." An application or a user initiated a restart or shutdown.
- Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Recorded when the first user with shutdown privileges logs on after an unexpected restart or shutdown and supplies a reason (Shutdown Event Tracker).

### *PowerShell*

```powershell
# Application log entries whose message mentions Zabbix ("*abbix*" also matches "zabbix").
# Filtering on Message with Where-Object reads every event; on a busy log narrow
# down first with -FilterHashtable (StartTime, Id, ProviderName) or -MaxEvents.
$filter = '*abbix*'
Get-WinEvent -LogName 'Application' | Where-Object { $_.Message -like $filter }
```
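The GUI filter (log, date range, event IDs with exclusions) and the startup/shutdown IDs above combined into one query, as an added PowerShell example that is not part of the original notes. It builds a boot/shutdown timeline from the System log and writes it out as text, the scripted equivalent of "Copy Details as Text". The look-back window `$days`, the exclusion list `$exclude` and the output path `$out` are assumptions; reading the System log does not need elevation.

```powershell
# Added example: boot/shutdown timeline from the System log.
# $days, $exclude and $out are assumed values, adjust to taste.
$days    = 7
$exclude = @(6013)                       # like "-6013" in the GUI filter: drop the daily uptime entry
$out     = 'C:\temp\boot-timeline.txt'

# Startup/shutdown-related IDs from the list above: 6005/6006/6008/6009/6013 are
# written by the EventLog source, 1074/1076 by User32.
$ids = 6005, 6006, 6008, 6009, 6013, 1074, 1076

# -FilterHashtable filters inside the event log service (fast). It cannot express
# "not this ID", so the exclusion is done afterwards with Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -notin $exclude }

if (-not $events) {
    Write-Warning "No matching events in the System log for the last $days days"
    return
}

# Oldest first so it reads as a timeline; keep only the first line of each message.
$timeline = $events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
        Id       = $_.Id
        Provider = $_.ProviderName
        Message  = ($_.Message -split "`r?`n")[0]
    }
}

$timeline | Format-Table -AutoSize

# Text copy for the ticket, one event per block (Format-List keeps long messages readable).
$timeline | Format-List | Out-File -FilePath $out -Encoding utf8
"Wrote $($timeline.Count) events to $out"
```

Reading the output: a 6008 without a 6006 just before it is the unexpected reboot; a 1074 shortly before a 6006 names the process and user that asked for the shutdown, which is usually the answer to "who rebooted the server".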
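A PowerShell counterpart of the `netstat -abo > C:\temp\log.txt` line in the Netstat section, as an added example that is not part of the original notes. It maps listening and established TCP endpoints to the owning process and its image path, writes the table to a file and flags listeners bound to every interface. It needs Windows 8 / Server 2012 or newer for `Get-NetTCPConnection`; run it elevated, otherwise the image path of other users' and system processes stays empty. The output path `$out` is an assumption.

```powershell
# Added example: netstat -abo equivalent with process names and image paths.
$out = 'C:\temp\netstat.txt'       # assumed output path, like the redirect in the notes

$conns = Get-NetTCPConnection -State Listen, Established -ErrorAction Stop

# Cache Get-Process once instead of calling it per connection. OwningProcess is a
# UInt32 while Process.Id is Int32; hashtable keys must match type, hence the cast.
$procs = @{}
Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $procs[$_.Id] = $_ }

$rows = foreach ($c in $conns) {
    $p = $procs[[int]$c.OwningProcess]
    [pscustomobject]@{
        Proto   = 'TCP'
        Local   = "$($c.LocalAddress):$($c.LocalPort)"
        Remote  = if ($c.State -eq 'Listen') { '*' } else { "$($c.RemoteAddress):$($c.RemotePort)" }
        State   = $c.State
        PID     = $c.OwningProcess
        Process = if ($p) { $p.ProcessName } else { '<exited>' }
        Path    = if ($p -and $p.Path) { $p.Path } else { '' }   # empty when not elevated or protected process
    }
}

$rows | Sort-Object State, PID | Format-Table -AutoSize
$rows | Sort-Object State, PID | Format-Table -AutoSize | Out-File -FilePath $out -Width 300 -Encoding utf8

# Worth a second look: services listening on all interfaces (0.0.0.0 / ::),
# which are reachable from the network unless the firewall blocks them.
"`nListening on all interfaces:"
$rows | Where-Object { $_.State -eq 'Listen' -and $_.Local -match '^(0\.0\.0\.0|::):' } |
    Format-Table Local, PID, Process, Path -AutoSize
```

Compared with `netstat -abo`, the `Path` column shows the full image path rather than just the executable name, which is what you want when a listener is called `svchost.exe` or `java.exe` and you need to know which one. A `<exited>` process with a connection still in the table is normal for a few seconds after a process ends; if it persists, re-run and compare.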