ETW Monitoring Process Start / Stop and get Command line - etw

I want to subscribe my script via ETW to the Microsoft-Windows-Kernel-Process => Process Start event.
But I can't find any way to get the command line parameters and the working directory with which my process was started.
Can any provider offer this information?
e.g. Process Start / Fields required: Working Directory, Command Line, and Process description
I would appreciate any help.

Related

Using Windows Task Scheduler, how can I execute my exe file after IIS RESET

I have a scenario where I need to execute an .exe after an IIS reset. In Windows Task Scheduler we get an option to run an executable file on some condition, where we can select the IIS configuration / log and can provide an event ID to match.
I searched a couple of options but did not find any.
Can anybody suggest how I can run my executable file after an IIS reset happens, using Task Scheduler?
As per this link,
3201 is start
3202 is stop
3201 IIS start command received from user %1. The logged data is the status code.
3202 IIS stop command received from user %1. The logged data is the status code.
Since IISReset is a stop and start operation, you can have the trigger based on the start event, i.e., 3202.
Your task trigger will be like this:
You can cross-check the Event Viewer for the events from IISReset.

Robocopy Monitor Process Running in Scheduled Task, Stops Randomly w/out Error

We're using robocopy in monitor mode to copy files between web servers in Azure in a daisy-chain fashion. The command is invoked as an Administrator at startup.
The process works beautifully, but every now and then it will stop without error. We recently enabled history in Task Scheduler to get more insights into what was happening. But it simply reveals two steps: Action Completed and Task Completed.
The output of Action Completed:
Task Scheduler successfully completed task "\Robocopy Content From VM1" , instance "{some-vm-guid}" , action "C:\Windows\system32\robocopy.EXE" with return code 2147942408.
The output of Task Completed:
Task Scheduler successfully finished "{some-vm-guid}" instance of the "\Robocopy Content From VM1" task for user "HCVMHOST-2\SomeAdminUser".
The robocopy command:
robocopy "\\vm-1\c$\Content\SomeFolder" "c:\Content\SomeFolder" /mon:1 /FFT /MIR /s /zb /copyall /mt:4 /ns /nc /nfl /xd OutputCache Temp /LOG:"d:\RobocopyLogs.txt" /b
I suspect it may have something to do with either latency or a VM rebooting. But I'm not convinced this is the reason, and I want to make sure that my command isn't missing a param or has a param it shouldn't. As far as I can tell, it works fantastically, until it doesn't.
Anyone experience this before?
After a bunch of digging, and some random luck (my past attempts to Google the return code were fruitless because of a simple formatting difference, 2,147,942,408 versus 2147942408), it turns out that the return code actually has significance, indicating that:
Not enough storage is available to process this command.
It is a curious response though, given each of the VMs has plenty of remaining disk space on all drives. I will raise a support ticket with Azure, and post back if any relevant info comes up.
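The decimal return code Task Scheduler logs is an HRESULT printed as an unsigned number, which is why searching for it is awkward. The following PowerShell function (an added example, not from the thread) splits such a code into severity, facility and Win32 error, and looks up the Win32 message the way the poster eventually did by hand; the name ConvertFrom-TaskSchedulerReturnCode is my own.

```powershell
# Added example: decode a Task Scheduler return code (e.g. 2147942408)
# into its HRESULT, facility and, for FACILITY_WIN32, the Win32 message.
function ConvertFrom-TaskSchedulerReturnCode {
    param([Parameter(Mandatory)][string]$ReturnCode)

    # Task Scheduler history shows the value as an unsigned decimal; some
    # locales insert thousands separators (2,147,942,408), so strip them.
    $value = [long]($ReturnCode -replace '[,\s]', '')

    # HRESULT layout: bit 31 = severity, bits 16-26 = facility, bits 0-15 = code
    $severity = ($value -shr 31) -band 1          # 1 = failure
    $facility = ($value -shr 16) -band 0x7FF      # 7 = FACILITY_WIN32
    $code     = $value -band 0xFFFF               # low 16 bits

    # Only FACILITY_WIN32 codes map onto the Win32 error table; COM and
    # other facilities need their own lookup, so leave the message empty.
    $message = $null
    if ($facility -eq 7) {
        $message = (New-Object System.ComponentModel.Win32Exception([int]$code)).Message
    }

    [pscustomobject]@{
        ReturnCode = $value
        HResult    = '0x{0:X8}' -f $value
        IsFailure  = ($severity -eq 1)
        Facility   = $facility
        Win32Code  = $code
        Message    = $message
    }
}

# The code from the thread: 0x80070008 -> Win32 error 8
# ("Not enough storage is available to process this command.")
ConvertFrom-TaskSchedulerReturnCode -ReturnCode '2147942408'
```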

Web Deploy Command Line Logs in Event Logs (Updated / Inserted / Deleted Files) in event logs

How do I configure the Web Deploy command line to force-log every activity in the Event Log of the Source / Destination / Remote Server?
Please mention any other suggestions you might have for logging of Web Deploy.
I don't believe you can log the activities to the event log, but what you can do is use the -xml parameter to output the changes in XML format. You could then use this to log to the event log via a PowerShell script, for example.

How to trace IIS worker process requests

I need to be able to monitor requests from IIS w3wp processes.
How can I see IIS worker process Requests?
To trace all requests currently executing in IIS worker processes:
Open a command window and type logman start <session_name> -p "IIS: Request Monitor" -ets and press ENTER. Event Tracing for Windows prints to the screen details about the trace session you just started, including the name of the session, the file name where the trace data will be collected (<session_name>.etl by default), and whether or not the command was successful.
Allow the trace session to run until you have reproduced the problem or until your sites have processed enough requests to produce a manageable data set.
From the command prompt, type logman stop <session_name> -ets and press ENTER.
I'm not as experienced on Windows vs Linux so Ravindra's answer seems interesting (is this just scheduling a particular event viewer style session or actually logging out deeper?).
As you particularly ask about 'IIS worker process Requests' you have two options.
GUI
Open inetmgr, go to the root server level, go to Worker Processes and double-click the worker process of your choice. A new screen will load and you will see anything that worker is currently processing.
Command-line
Rather than just give you a single command to copy and paste this article is a great starter - http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
The particular command you want is under the section 'INSPECTING CURRENTLY EXECUTING REQUESTS'

Windows - see active ETW sessions so that I can close one of them

I am working with the Event Tracing for Windows API, and from time to time, I run my application and it does not manage to close the ETW trace controller session after opening it.
Basically I do ::StartTrace([out] handle...) and do not close that handle when I'm finished with it (closing is done by using the ::StopTrace() function).
I'm looking for a tool that shows me the active sessions so I can close it manually. Without it I have to restart my PC in order for the controller session to be closed at shutdown.
Also, in the same ETW area (on Win 7), I understand that I should be able to see the data layouts for public MOF descriptions using wbemtest.exe. There I am supposed to enter
- Connect -> Namespace = \\root\wmi\EventTrace
to see MOF data. But I get "The RPC server is unavailable". Using in that screen the default values: IWBemLocator(Namespaces), How to interpret password = null, Authentication level = packet.
In the credentials area I have user and Password (which I tried) but there is another empty field - Authority. Is there a way to see MOF data? I ran this elevated under Win 7.
You can use the command logman query -ets to see a list of currently running Trace Event Sessions.
For example, on Windows 10, you will see something like this:
C:\>logman query -ets
Data Collector Set Type Status
-------------------------------------------------------------------------------
AppModel Trace Running
FaceRecoTel Trace Running
FaceUnlock Trace Running
LwtNetLog Trace Running
Microsoft Security Client WMI Providers Trace Running
NtfsLog Trace Running
TileStore Trace Running
WiFiSession Trace Running
SCM Trace Running
UserNotPresentTraceSession Trace Running
CldFltLog Trace Running
SHS-05042018-095434-7-5f Trace Running
WDSC-05042018-095434-7-20 Trace Running
Diagtrack-Listener Trace Running
8696EAC4-1288-4288-A4EE-49EE431B0AD9 Trace Running
Cloud Files Diagnostic Event Listener Trace Running
The command completed successfully.
If you have created your own session, for example by using Microsoft.Diagnostics.Tracing.Session.TraceEventSession, you will have given the session a unique name, and if it is running, you should see it in the list.
To kill an existing session, do this, as an administrator:
logman stop <SessionName> -ets
There are also some PowerShell Cmdlets that can do similar things.
The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.
May I suggest posting the second part of your question as a separate question?
The tracelog command line utility that comes with the Windows SDK allows you to do the same thing as QueryAllTraces with the tracelog -l command.
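The answers above cover the two manual commands (logman query -ets to list sessions, logman stop <SessionName> -ets to end one). As an added example that is not from the thread, the PowerShell below wraps them into a cleanup step for exactly the situation in the question: a controller that died before calling StopTrace and left its named session running. The function names and the '^MyApp-' naming convention are my own assumptions; run it elevated.

```powershell
# Added example: parse "logman query -ets" and stop sessions by name pattern.
function Get-RunningEtwSession {
    # logman prints a header, a dashed line, one row per session and a trailing
    # status line. Type and Status are the last two columns, so everything
    # before them is the session name, which may itself contain spaces.
    $lines = & logman.exe query -ets 2>&1
    foreach ($line in $lines) {
        if ($line -match '^(?<Name>.+?)\s+(?<Type>Trace)\s+(?<Status>Running|Stopped)\s*$') {
            [pscustomobject]@{
                Name   = $Matches.Name.Trim()
                Type   = $Matches.Type
                Status = $Matches.Status
            }
        }
    }
}

function Stop-StaleEtwSession {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Regex matched against the session name; keep it narrow so you never
        # stop the system's own sessions (NtfsLog, SCM, Diagtrack-Listener ...).
        [Parameter(Mandatory)][string]$NamePattern
    )
    $targets = Get-RunningEtwSession | Where-Object { $_.Name -match $NamePattern }
    if (-not $targets) {
        Write-Warning "No running ETW session matches '$NamePattern'"
        return
    }
    foreach ($s in $targets) {
        if ($PSCmdlet.ShouldProcess($s.Name, 'logman stop -ets')) {
            & logman.exe stop "$($s.Name)" -ets | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "logman stop failed for '$($s.Name)' (exit code $LASTEXITCODE)"
            } else {
                "Stopped: $($s.Name)"
            }
        }
    }
}

# Preview first (-WhatIf), then stop the sessions created by your own application.
Stop-StaleEtwSession -NamePattern '^MyApp-' -WhatIf
Stop-StaleEtwSession -NamePattern '^MyApp-'
```

On Windows 10 and later, the EventTracingManagement module's Get-EtwTraceSession and Stop-EtwTraceSession cmdlets cover the same ground without parsing logman's text output.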