Make sense of event log data

JohnOne · May 26, 2015

I'm thinking about writing a little diagnostic helper tool, and I'm starting with boot up info.

So retrieving data from event log (Applications and services logs -> Microsoft -> Windows -> Diagnostics-Performance -> Operational -> Event ID 100)

I'm getting the following data...

+ System 


  + Provider 

   [ Name]  Microsoft-Windows-Diagnostics-Performance 
   [ Guid]  {CFC18EC0-96B1-4EBA-961B-622CAEE05B0A} 
 
   EventID 100 
 
   Version 2 
 
   Level 3 
 
   Task 4002 
 
   Opcode 34 
 
   Keywords 0x8000000000010000 
 
  - TimeCreated 

   [ SystemTime]  2015-05-19T09:24:44.802879600Z 
 
   EventRecordID 3059 
 
  - Correlation 

   [ ActivityID]  {86F69364-17C3-0001-D8F1-FEB31392D001} 
 
  - Execution 

   [ ProcessID]  1684 
   [ ThreadID]  4732 
 
   Channel Microsoft-Windows-Diagnostics-Performance/Operational 
 
   Computer snotrag 
 
  - Security 

   [ UserID]  S-1-4-18



- EventData 

  BootTsVersion 2 
  BootStartTime 2015-05-19T09:10:51.560801800Z 
  BootEndTime 2015-05-19T09:24:41.788707200Z 
  SystemBootInstance 626 
  UserBootInstance 423 
  BootTime 41367 
  MainPathBootTime 16967 
  BootKernelInitTime 24 
  BootDriverInitTime 395 
  BootDevicesInitTime 4064 
  BootPrefetchInitTime 43677 
  BootPrefetchBytes 403791872 
  BootAutoChkTime 0 
  BootSmssInitTime 5370 
  BootCriticalServicesInitTime 577 
  BootUserProfileProcessingTime 884 
  BootMachineProfileProcessingTime 519 
  BootExplorerInitTime 1774 
  BootNumStartupApps 4 
  BootPostBootTime 24400 
  BootIsRebootAfterInstall false 
  BootRootCauseStepImprovementBits 0 
  BootRootCauseGradualImprovementBits 0 
  BootRootCauseStepDegradationBits 192 
  BootRootCauseGradualDegradationBits 64 
  BootIsDegradation false 
  BootIsStepDegradation false 
  BootIsGradualDegradation false 
  BootImprovementDelta 0 
  BootDegradationDelta 0 
  BootIsRootCauseIdentified true 
  OSLoaderDuration 2336 
  BootPNPInitStartTimeMS 24 
  BootPNPInitDuration 4086 
  OtherKernelInitDuration 3225 
  SystemPNPInitStartTimeMS 7277 
  SystemPNPInitDuration 373 
  SessionInitStartTimeMS 7685 
  Session0InitDuration 2121 
  Session1InitDuration 369 
  SessionInitOtherDuration 2879 
  WinLogonStartTimeMS 13056 
  OtherLogonInitActivityDuration 732 
  UserLogonWaitDuration 723059

However I don't really know what half of that stuff really means, and I'm looking for any knowledge regarding them.

Edited May 27, 2015 by Melba23
Changed Quote to Text box

JohnOne · May 28, 2015

Follow up question.

As you can see the event I'm looking at is 100, and it shows the time taken to boot the computer, and that is useful.

But if there are no problems during boot regarding the time it takes, then this event is not logged.

Wondering if anyone knows another consistent way to determine how long the system took to boot?

Edited May 28, 2015 by JohnOne

kaesereibe · May 29, 2015

Maybe with GetTickCount?

Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days.

Call it when your PC is finished with booting. Maybe in with Startup or Logonscript.

Since I never test it this way, I can not say when GetTickCount start to count.

Edited May 29, 2015 by kaesereibe

iamtheky · May 29, 2015

Go here:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot

setting the bootminorthreshold and/or postbootminorthreshold to something like 1 sec. Would think every boot after that would log as a warning.

Totally untested, but i assume that is what snotrag is for.

Edited May 29, 2015 by boththose

JohnOne · May 30, 2015

Thanks for the input folks, some things to consider there, each probably with there pro's and con's.

JohnOne · June 1, 2015

Go here:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Boot
setting the bootminorthreshold and/or postbootminorthreshold to something like 1 sec. Would think every boot after that would log as a warning.

Totally untested, but i assume that is what snotrag is for.

Unfortunately setting these to 1 and the majors too does not trigger the event to be logged.

iamtheky · June 1, 2015

https://support.microsoft.com/en-us/kb/2966921

JohnOne · June 2, 2015

Cheers, I'll try that, but before I do, does anyone know of a software that can log what this executable is actually doing?

My search only reveals how to install and uninstall hotfixes.

EDIT: Maybe this is what I need

http://www.nirsoft.net/utils/reg_file_from_application.html

Edited June 2, 2015 by JohnOne

JohnOne · June 3, 2015

The above utility was unable to act on the hotfix, apparently the extension of the file did not fit the predefined extensions the tool allows. And the hotfix appears not to have worked anyway

iamtheky · June 3, 2015

What is the behavior after the hotfix? Does is it appear as though those settings are being ignored entirely?

JohnOne · June 4, 2015

Yes, I have had no abnormal boot up's and the last event 100 remains the same as it was before I installed the hotfix.

Wolfteeth · May 26, 2016

On 6/4/2015 at 6:42 PM, JohnOne said:

Yes, I have had no abnormal boot up's and the last event 100 remains the same as it was before I installed the hotfix.

HI, @Johnone, how could you read the special event 100 in Autoit? any func? I am sure _EventLog__Open doesn't work...

Make sense of event log data

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members