author: Olivier De Ram
date: 2018-08-25T22:08:15+02:00
draft: false
title: Windows troubleshooting

Windows troubleshooting

QUESTIONS:

  • opening from ticketing: password and user?
  • custom Event Viewer view?
  • test server?

Event Viewer

run: eventvwr

  • custom views
  • Windows logs
    • Application (non-Windows-standard software: Puppet, VMware, MSSQL, ...)
    • Security: logon and logoff (4624 logon, 4634 logoff)
    • Setup: updates, installing and removing programs
    • System: OS messages
  • Applications and Services logs: dig deeper

--> Filter Current Log:

  • logged (date range)
  • event level
  • event source
  • event ID: 99,-1024,-4634 (a leading minus excludes that ID)

bottom right (Actions pane) > Copy > Copy Details as Text

PowerShell

```powershell
# Window for the System log query. The original note left both values blank;
# the last 24 hours is a placeholder. Get-EventLog exists in Windows PowerShell
# only; Get-WinEvent works in Windows PowerShell and PowerShell 7.
$first = (Get-Date).AddDays(-1)
$last  = Get-Date
Get-EventLog -LogName System -After $first -Before $last

# Task Scheduler operational log: install-related messages. The wildcard
# pattern must be quoted, otherwise '*' is parsed as multiplication.
Get-WinEvent -LogName 'Microsoft-Windows-TaskScheduler/Operational' |
    Where-Object { $_.Message -like '*insta*' }
```
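The same filter that the "Filter Current Log" dialog above builds (date range, level, source, included and excluded event IDs), expressed in PowerShell so it can be scripted and re-run on several hosts. This is an added example, not code from the original notes; the log name, seven-day window, level list and the ID lists are illustrative assumptions.

```powershell
# Added example (not from the original notes): the Event Viewer "Filter Current Log"
# dialog as a Get-WinEvent -FilterHashtable query. All concrete values are assumptions.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Level codes: 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose.
# ProviderName is the GUI "Event sources" box; uncomment to restrict it.
$filter = @{
    LogName   = 'System'
    StartTime = $start
    EndTime   = $end
    Level     = 1, 2, 3
    # ProviderName = 'Service Control Manager', 'EventLog'
}

# GUI syntax "99,-1024,-4634" includes 99 and excludes 1024 and 4634.
# The hashtable can only include, so exclusions are applied afterwards.
# IDs below: 6008 unexpected shutdown, 70xx Service Control Manager errors
# (7023 treated as known noise on this host: an assumption).
$includeIds = 6008, 7000, 7001, 7023, 7034
$excludeIds = 7023

$events = Get-WinEvent -FilterHashtable ($filter + @{ ID = $includeIds }) -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -notin $excludeIds }

# One line per event, first line of the message only (same view as the GUI list).
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Equivalent of "Copy > Copy Details as Text" for the newest matching event.
$events | Select-Object -First 1 |
    Format-List TimeCreated, Id, ProviderName, MachineName, UserId, Message
```

The include list is evaluated inside the event log service, the exclude list only afterwards in the pipeline, so keep the include list as tight as possible on busy hosts. `-ErrorAction SilentlyContinue` suppresses the "No events were found" error that `Get-WinEvent` raises when the filter matches nothing.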

Task Manager

  • tasks / processes
  • users
  • performance (if the box has crashed, confirm it here; otherwise the problem is the network)

Resource Monitor

(Task Manager > Performance > Open Resource Monitor)

Overview > CPU (top pane): tick the application --> filters all other panes to that process

Netstat

netstat -abo > C:\temp\log.txt

(-a all connections and listening ports, -b owning executable (needs an elevated prompt), -o owning PID)
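A PowerShell equivalent of `netstat -abo` that joins each TCP connection to its owning process and image path, which is what you need when checking whether a listener is legitimate. Added example, not from the original notes; the output path and the "trusted directories" pattern in the last step are assumptions.

```powershell
# Added example (not from the original notes): netstat -abo in PowerShell.
# Get-NetTCPConnection gives the socket and owning PID; Get-Process supplies the
# name and path. Path is $null for processes you may not inspect, so run elevated.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$conns = Get-NetTCPConnection | ForEach-Object {
    $p    = $procs[[int]$_.OwningProcess]
    $name = if ($p) { $p.ProcessName } else { '?' }
    $path = if ($p) { $p.Path } else { $null }
    [pscustomobject]@{
        Proto  = 'TCP'
        Local  = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
        Remote = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
        State  = $_.State
        PID    = $_.OwningProcess
        Name   = $name
        Path   = $path
    }
}

$conns | Sort-Object State, Local | Format-Table -AutoSize

# Keep a copy, as the note above does with log.txt, so a later run can be diffed.
# Output path is an assumption.
$conns | Export-Csv -NoTypeInformation -Path C:\temp\netstat.csv

# Triage: listeners whose image does not live under Windows or Program Files
# (assumed trusted roots; adjust for the software installed on the host).
$conns |
    Where-Object { $_.State -eq 'Listen' -and $_.Path -and
                   $_.Path -notmatch '^C:\\(Windows|Program Files)' } |
    Format-Table Local, PID, Name, Path -AutoSize
```

`Get-NetTCPConnection` needs the NetTCPIP module (Windows 8 / Server 2012 and later); on older hosts stay with `netstat -abo`. UDP sockets are not covered here; `Get-NetUDPEndpoint` reports those the same way.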

Chocolatey

C:\ProgramData\chocolatey\bin\Procmon.exe --> select a line + column > Exclude 'name' (= grep -v) / Include 'name' (= grep)

Useful programs

  • TreeView
  • BlueScreenView
  • Sysinternals
  • Zabbix
  • VMware events
  • BareTail
  • choco install
  • choco list -lo (list locally installed Chocolatey packages)
  • telnet 12.34.56.78 900 (check whether a port is reachable)
  • PowerShell: Stop-Service -Name 'name'

Event IDs

(6005, 6006, 6008, 6009 and 6013 are logged by source "EventLog", 1074 and 1076 by source "User32", all in the System log)

  • Event ID 6005: "The event log service was started." Synonymous with system startup.

  • Event ID 6006: "The event log service was stopped." Synonymous with a clean system shutdown.

  • Event ID 6008: "The previous system shutdown was unexpected." Records that the system started after it was not shut down properly.

  • Event ID 6009: Indicates the Windows product name, version, build number, service pack number, and operating system type detected at boot time.

  • Event ID 6013: Displays the uptime of the computer.

  • Event ID 1074: "The process X has initiated the restart / shutdown of computer on behalf of user Y for the following reason: Z." Indicates that an application or a user initiated a restart or shutdown.

  • Event ID 1076: "The reason supplied by user X for the last unexpected shutdown of this computer is: Y." Records when the first user with shutdown privileges logs on to the computer after an unexpected restart or shutdown and supplies a reason for the occurrence.
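The event IDs above put together into a reboot timeline for one host, with the initiating process and user pulled out of each 1074 so it is immediately visible who rebooted the box and whether any shutdown was unexpected. Added example, not from the original notes. The 30-day window is an assumption, and the 1074 property positions are assumed to follow its message template (%1 process, %2 computer, %3 reason, %4 reason code, %5 shutdown type, %6 comment, %7 user); check one event with `Format-List *` before trusting them.

```powershell
# Added example (not from the original notes): reboot/shutdown timeline from the
# System log using the event IDs listed above. Window is an assumption.
$since = (Get-Date).AddDays(-30)

$ids   = 6005, 6006, 6008, 6009, 6013, 1074, 1076
$label = @{
    6005 = 'event log service started (boot)'
    6006 = 'event log service stopped (clean shutdown)'
    6008 = 'previous shutdown was UNEXPECTED'
    6009 = 'OS version at boot'
    6013 = 'uptime report'
    1074 = 'shutdown/restart initiated'
    1076 = 'reason supplied for last unexpected shutdown'
}

$query  = @{ LogName = 'System'; ID = $ids; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue

$timeline = foreach ($e in $events) {
    $who = $null; $how = $null; $why = $null
    if ($e.Id -eq 1074 -and $e.Properties.Count -ge 7) {
        # Assumption: property order follows the 1074 message template
        # (%1 process, %2 computer, %3 reason, %4 reason code, %5 type, %6 comment, %7 user).
        $p   = $e.Properties
        $who = $p[6].Value
        $how = '{0} by {1}' -f $p[4].Value, $p[0].Value
        $why = $p[2].Value
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        What    = $label[$e.Id]
        User    = $who
        How     = $how
        Reason  = $why
        Summary = ($e.Message -split "`r?`n")[0]
    }
}

$timeline | Sort-Object Time | Format-Table Time, Id, What, User, How -AutoSize

# Triage counts: how many unexpected shutdowns, and who is rebooting the box.
'Unexpected shutdowns: {0}' -f @($timeline | Where-Object Id -eq 6008).Count
$timeline | Where-Object Id -eq 1074 | Group-Object User |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A 6005 with no 6006 before it, or a 6008 following it, is a crash or power loss rather than a scheduled reboot; a 1074 whose user is not an admin or an update service (for example `NT AUTHORITY\SYSTEM` via `wuauclt.exe`) is worth a closer look in the Security log around the same time.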

PowerShell

```powershell
# Client-side match on the message text: Get-WinEvent reads the whole log and
# Where-Object filters afterwards, which is slow on large logs. Narrow it with
# -FilterHashtable (LogName, ProviderName, StartTime) where you can.
$filter = "*abbix*"
Get-WinEvent -LogName 'Application' | Where-Object { $_.Message -like $filter }
```