acrolinx-windows-security

This commit is contained in:
ShannonLeavitt
2020-11-04 16:03:03 -07:00
parent 14ca51d3fb
commit d2680934b6
3 changed files with 37 additions and 30 deletions


@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach
- [Certutil](#certutil)
- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
- [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
- [Smart Card service](#smart-card-service)
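Review bot: The two renamed TOC entries no longer match the headings they link to. The entry now reads "Debugging and tracing using Windows software trace preprocessor (WPP)" but the section heading at line 31 of this page ("## Debugging and tracing using WPP") is unchanged, and the anchor `#debugging-and-tracing-using-wpp` still points at that shorter heading, so the expansion lives only in the TOC. The same applies to "Key Distribution Center (KDC)". Either rename the headings too (and update the anchors to match the new slugs) or keep the TOC text identical to the headings and expand the acronyms at first use in the body instead.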
@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i
### List certificates available on the smart card
To list certificates that are available on the smart card, type certutil -scinfo.
To list certificates that are available on the smart card, type `certutil -scinfo`.
> [!NOTE]
> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
### Delete certificates on the smart card
Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
To find the container value, type certutil -scinfo.
To find the container value, type `certutil -scinfo`.
To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
## Debugging and tracing using WPP
Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
### Enable the trace
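Review bot: `certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider" "<ContainerValue>"` is the one command in this hunk left in bold with a bare `<*ContainerValue*>` placeholder, while `certutil -scinfo` on the lines above it was converted to a code span; convert it the same way so the quoting and the placeholder render literally. It is also the only destructive command in the section (the text above says deleting a certificate deletes its container), so it is worth keeping the container-lookup step and the delete step visually paired. Separately, this hunk drops the spelled-out "Windows software trace preprocessor (WPP)" from the body, but the heading it sits under is still "## Debugging and tracing using WPP", so the acronym is now never expanded where the reader meets it; keep the expansion here.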
@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing:
- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
- **logman start** &lt;*FriendlyName*&gt; **-ets -p {**&lt;*GUID*&gt;**} -**&lt;*Flags*&gt; **-ft 1 -rt -o .\\**&lt;*LogFileName*&gt;<em>**.etl -mode 0x00080000</em>*
- **logman start** &lt;*FriendlyName*&gt; **-ets -p {**&lt;*GUID*&gt;**} -**&lt;*Flags*&gt; **-ft 1 -rt -o .\\**&lt;*LogFileName*&gt;<em>**.etl -mode 0x00080000</em>**
You can use the parameters in the following table.
| Friendly name | GUID | Flags |
|-------------------|--------------------------------------|-----------|
| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
Examples
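Review bot: The `logman start` line is still broken markup after this change: the edit only appends a trailing `*`, leaving `<em>**.etl -mode 0x00080000</em>**`, which mixes an HTML `<em>` with Markdown bold and will not render as a readable command. The `tracelog.exe` line above it is likewise still bold with a `\#` escape. Since this hunk converts the table's friendly names to code spans, put both commands in code spans as well, for example `logman start <FriendlyName> -ets -p {<GUID>} -<Flags> -ft 1 -rt -o .\<LogFileName>.etl -mode 0x00080000`, so the placeholders and the `0x00080000` mode value appear exactly as typed. Also note that `basecsp` and `scksp` share the GUID 133a980d-035d-4e2d-b250-94577ad8fced; if that is intentional (one provider GUID for both), a short remark in the table would stop readers from reporting it as a copy error.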
@ -119,7 +119,7 @@ You can use these resources to troubleshoot these protocols and the KDC:
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures.
To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
### NTLM
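Review bot: Wrapping the tool name `Tracelog` in code spans, including inside the link text, is inconsistent with the rest of the page, where tool names such as Certutil (TOC line above) and "Windows Driver Kit (WDK)" stay in plain prose and only literal commands like `certutil -scinfo` get code formatting. Keep "Tracelog" as a proper noun here and reserve code spans for the literal invocation (`tracelog.exe ...`) shown in the examples that follow.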
@ -143,7 +143,7 @@ To stop tracing for Kerberos authentication, run this command:
### KDC
To enable tracing for the Key Distribution Center (KDC), run the following command on the command line:
To enable tracing for the KDC, run the following command on the command line:
- **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
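Review bot: Removing "Key Distribution Center (KDC)" here leaves the acronym unexpanded in the body at the point where the "### KDC" heading introduces it; the expansion added to the TOC in the hunk at -26 is not where a reader encounters the term. Keep the expansion in this sentence. The `tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-... -f .\kdc.etl -flags 0x803 -ft 1` line below is also still bold with the `\#` escape, inconsistent with the code spans introduced elsewhere in this commit; convert it to a code span so the GUID, `0x803` flags and output path render verbatim.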
@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: KerbDebugLevel<br>Value type: DWORD<br>Value data: c0000043<br><br>HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters<br>Value name: LogToFile<br>Value type: DWORD<br>Value data: 00000001 |
| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc<br>Value name: KdcDebugLevel<br>Value type: DWORD<br>Value data: c0000803 |
If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
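Review bot: The code formatting lands on the wrong token in this sentence: `Tracelog` is a tool name, while `kerb.etl/kdc.etl/ntlm.etl` are the literal file names the reader has to look for, and written with slashes they read like a single path. Suggest "If you used Tracelog, look for `kerb.etl`, `kdc.etl`, or `ntlm.etl` in your current directory." so each file name is formatted and the list is unambiguous.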
@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
- KDC: %systemroot%\\tracing\\kdcsvc 
To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
## Smart Card service
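Review bot: Same inversion as in the Tracelog hunks: `Tracefmt` is put in code spans while the literal executable `tracefmt.exe` in parentheses and the directory `\\tools\\tracing` stay plain. Format the executable name and the path as code and leave the proper noun in prose, and drop the code span from the link text so it matches the other tool links on the page.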
@ -198,11 +198,11 @@ The smart card resource manager service runs in the context of a local service.
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
3. At the command prompt, type **net stop SCardSvr**.
3. At the command prompt, type `net stop SCardSvr`.
4. At the command prompt, type **net start SCardSvr**.
4. At the command prompt, type `net start SCardSvr`.
You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
The following code sample is an example output from this command:
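Review bot: The service name is cased differently across the three commands converted here: `net stop SCardSvr` and `net start SCardSvr` versus `sc queryex scardsvr`. Service names are case-insensitive, but using one spelling (`SCardSvr` matches the display used in the `net` commands) avoids readers assuming these are two different services. Since the `net stop`/`net start` steps depend on the elevated prompt confirmed in step 2, it would also help to state that `sc queryex` can be run from a non-elevated prompt if that is the intent.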