deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 15:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Edits

Browse Source
This commit is contained in:
Teresa-Motiv 2019-10-17 17:02:52 -07:00
parent 210fc55cf9
commit 933e335f51
1 changed files with 17 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
View File

@ -11,14 +11,16 @@ manager: kaushika
audience: ITPro audience: ITPro
ms.collection: Windows Security Technologies\BitLocker ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting ms.topic: troubleshooting
ms.date: 10/14/2019 ms.date: 10/17/2019
--- ---
# Decode Measured Boot logs to track PCR changes # Decode Measured Boot logs to track PCR changes
Platform Configuration Registers (PCRs) are memory locations in the Trusted Protection Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. In addition, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode. Tracking changes in the PCRs, and identifying when they changed, can provide insight into issues that may be occurring or explain why a device or computer entered BitLocker recovery mode. The Measured Boot logs, located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder, record PCR changes and other information. Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific change in PCRs can cause a device or computer to enter BitLocker recovery mode.
This article describes two tools that you can use to decode these logs: TBSLogGenerator and PCPTool. By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\\Windows\\Logs\\MeasuredBoot\\ folder.
This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.
For more information about Measured Boot and PCRs, see the following articles: For more information about Measured Boot and PCRs, see the following articles:
@ -27,9 +29,9 @@ For more information about Measured Boot and PCRs, see the following articles:
## Use TBSLogGenerator to decode Measured Boot logs ## Use TBSLogGenerator to decode Measured Boot logs
Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and older versions. You can install this tool on the following systems: Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems:
- A computer running Windows Server 2016, that has a TPM enabled - A computer that is running Windows Server 2016 and that has a TPM enabled
- A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM) - A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)
To install the tool, follow these steps: To install the tool, follow these steps:
@ -37,7 +39,7 @@ To install the tool, follow these steps:
1. Download the Windows Hardware Lab Kit from one of the following locations: 1. Download the Windows Hardware Lab Kit from one of the following locations:
- [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/) - [Windows Hardware Lab Kit](https://docs.microsoft.com/windows-hardware/test/hlk/)
- Direct Download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112) - Direct download link for Windows Server 2016: [Windows HLK, version 1607](https://go.microsoft.com/fwlink/p/?LinkID=404112)
1. Accept the default installation path. 1. Accept the default installation path.
@ -51,10 +53,10 @@ To install the tool, follow these steps:
To use TBSLogGenerator, follow these steps: To use TBSLogGenerator, follow these steps:
1. After the installation has finished, open an elevated Command Prompt window and navigate to the following folder: 1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
**C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb** **C:\\Program Files (x86)\\Windows Kits\\10\\Hardware Lab Kit\\Tests\\amd64\\NTTEST\\BASETEST\\ngscb**
The TBSLogGenerator.exe file resides in this folder. This folder contains the TBSLogGenerator.exe file.
![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png) ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
@ -64,11 +66,11 @@ To use TBSLogGenerator, follow these steps:
``` ```
where the variables represent the following values: where the variables represent the following values:
- \<*LogFolderName*> = the name of the folder that contains the file to be decoded - \<*LogFolderName*> = the name of the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the the file to be decoded - \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file - \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file - \<*DecodedFileName*> = the name of the decoded text file
For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and placed in the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file: For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\\MeasuredBoot\\ folder. The figure also shows a Command Prompt window and the command to decode the **0000000005-0000000000.log** file:
```cmd ```cmd
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
@ -76,11 +78,11 @@ To use TBSLogGenerator, follow these steps:
![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png) ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file resides in the same folder as the original .log file. The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png) ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
The content of this text file resembles the following: The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png) ![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
@ -90,7 +92,7 @@ To find the PCR information, go to the end of the file.
## Use PCPTool to decode Measured Boot logs ## Use PCPTool to decode Measured Boot logs
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file into an XML file. PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions. To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
@ -101,10 +103,10 @@ PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName
where the variables represent the following values: where the variables represent the following values:
- \<*LogFolderPath*> = the path to the folder that contains the file to be decoded - \<*LogFolderPath*> = the path to the folder that contains the file to be decoded
- \<*LogFileName*> = the name of the the file to be decoded - \<*LogFileName*> = the name of the file to be decoded
- \<*DestinationFolderName*> = the name of the folder for the decoded text file - \<*DestinationFolderName*> = the name of the folder for the decoded text file
- \<*DecodedFileName*> = the name of the decoded text file - \<*DecodedFileName*> = the name of the decoded text file
The content of the XML file resembles the following: The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool](./images/PCPTool_Output.jpg) ![Command Prompt window that shows an example of how to use PCPTool](./images/PCPTool_Output.jpg)