deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 23:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/client-management/data-collection-for-802-authentication.md
Kaushik Ainapure c3199a3ebf
Minor changes
2018-10-30 15:38:08 +05:30

24 KiB
Raw Blame History

title, description, keywords, ms.prod, ms.mktglfcycl, ms.sitesec, author, ms.localizationpriority, ms.author, ms.date
title description keywords ms.prod ms.mktglfcycl ms.sitesec author ms.localizationpriority ms.author ms.date
Data Collection for Troubleshooting 802.1x Authentication Data needed for reviewing 802.1x Authentication issues troubleshooting, data collection, data, 802.1x authentication, authentication, data w10 library kaushika-msft medium mikeblodge 10/29/2018

Data Collection for Troubleshooting 802.1x Authentication

Steps to capture Wireless/Wired functionality logs

  1. Create C:\MSLOG on the client machine to store captured logs.
  2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:

On Windows 8.1, Windows 10 Wireless Client

netsh ras set tracing * enabled

netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl

On Windows 7, Winodws 8 Wireless Client

netsh ras set tracing * enabled

netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl

On Wired network client

netsh ras set tracing * enabled

netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
  1. Run the followind command to enable CAPI2 logging:
wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true

  1. Create C:\MSLOG on the NPS to store captured logs.

  2. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:

On Windows Server 2012 R2, Windows Server 2016 Wireless network

 netsh ras set tracing * enabled

 netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl

On Windows Server 2008 R2, Winodws Server 2012 Wireless network

 netsh ras set tracing * enabled

 netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl

On wired network

 netsh ras set tracing * enabled

 netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
  1. Run the followind command to enable CAPI2 logging:
  wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
  1. Run the following command from the command prompt on the client machine and start PSR to capture screen images:

Note

When the mouse button is clicked, the cursor will blink in red while capturing a screen image.

 psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100

  1. Repro the issue.

  2. Run the following command on the client machine to stop the PSR capturing:

  psr /stop
  1. Run the following commands from the command prompt on the NPS.

Stopping RAS trace log and Wireless scenario log

 netsh trace stop

 netsh ras set tracing * disabled

Disabling and copying CAPI2 log

 wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false

 wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
  1. Run the following commands from the prompt on the client machine.

Stopping RAS trace log and Wireless scenario log

  netsh trace stop

 netsh ras set tracing * disabled

Disabling and copying CAPI2 log

 wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false

 wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
  1. Save the following logs on the client and the NPS.

Client

  • C:\MSLOG%computername%_psr.zip
  • C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
  • C:\MSLOG%COMPUTERNAME%_wireless_cli.etl
  • C:\MSLOG%COMPUTERNAME%_wireless_cli.cab
  • All log files and folders in %Systemroot%\Tracing

NPS

  • C:\MSLOG%COMPUTERNAME%_CAPI2.evtx
  • C:\MSLOG%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
  • C:\MSLOG%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
  • All log files and folders in %Systemroot%\Tracing

Steps to save environmental / configuration information

Client

  1. Create C:\MSLOG to store captured logs.
  2. Launch a command prompt as an administrator.
  3. Run the following commands.
    • Environmental information and Group Policies application status 
         gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm

   msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt

   ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt

   route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt

Event logs

**Run the following command on Windows 8 and above **

wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx

wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
           
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
           
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
           
wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
           
wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
           
wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
           
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
           
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx

Certificates Store information

certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
            
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
    
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
            
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
            
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
            
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
            
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
            
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
            
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
            
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
            
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
            
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
            
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
            
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
            
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
            
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
            
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt

Wireless LAN Client information

netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
            
netsh wlan export profile folder=c:\MSLOG\

Wired LAN Client information

netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
            
netsh lan export profile folder=c:\MSLOG\
  1. Save the logs stored in C:\MSLOG.

NPS 1. Create C:\MSLOG to store captured logs. 2. Launch a command prompt as an administrator. 3. Run the following commands:

Environmental information and Group Policies application status

gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
         
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
         
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
         
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt

Event logs Run the following 3 commands on Windows Server 2012 and above:

wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx

wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
            
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
            
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
            
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx

Certificates store information

certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
            
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
            
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
            
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
            
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
            
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
            
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
            
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
            
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
            
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
            
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
            
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
            
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
            
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
            
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
            
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt

NPS configuration information

netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
            
netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
  1. Take the following steps to save an NPS accounting log:
  2. Launch Administrative tools - Network Policy Server.
    • On the Network Policy Server administration tool, select Accounting in the left pane.
    • Click Change Log File Properties in the right pane.
    • Click the Log File tab, note the log file naming convention shown as Name and the log file location shown in the Directory box.
    • Copy the log file to C:\MSLOG.
    • Save the logs stored in C:\MSLOG.

Certificate Authority (CA) Optional

  1. On a CA, launch a command prompt as an administrator.
  2. Create C:\MSLOG to store captured logs.
  3. Run the following commands:

Environmental information and Group Policies application status

gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
            
msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
            
ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
            
route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt

Event logs

Run the following 3 lines on Windows 2012 and up:

wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
 
wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
 
wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx

wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
            
wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
            
wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
            
wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
            
wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx

Certificates store information

certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
            
certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
            
certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
            
certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
            
certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
            
certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
            
certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
            
certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
            
certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
            
certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
            
certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
            
certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
            
certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
            
certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
            
certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
            
certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
            
certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
            
certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
            
certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
            
certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt

CA configuration information

reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
            
reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
            
reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
            
reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx

  1. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf

  2. Log on to a domain controller and create C:\MSLOG to store captured logs.

  3. Launch Windows PowerShell as an administrator.

  4. Run the following PowerShell commandlets

     \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.

Import-Module ActiveDirectory
        
Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
  1. Save the following logs:
  • All files in C:\MSLOG on the CA
  • All files in C:\MSLOG on the domain controller