57 KiB
title, description, ms.reviewer, manager, ms.author, ms.topic, ms.prod, ms.technology, author, ms.date
| title | description | ms.reviewer | manager | ms.author | ms.topic | ms.prod | ms.technology | author | ms.date |
|---|---|---|---|---|---|---|---|---|---|
| DiagnosticLog CSP | Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. | aaroncz | vinpa | article | w10 | windows | vinaypamnani-msft | 11/19/2019 |
DiagnosticLog CSP
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | Yes | Yes |
| Pro | Yes | Yes |
| Windows SE | No | Yes |
| Business | Yes | Yes |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
- DiagnosticArchive area. Capture and upload event logs, log files, and registry values for troubleshooting.
- Policy area. Configure Windows event log policies, such as maximum log size.
- EtwLog area. Control ETW trace sessions.
- DeviceStateData area. Provide more device information.
- FileDownload area. Pull trace and state data directly from the device.
The links to different versions of the DiagnosticLog CSP DDF files are:
The following example shows the DiagnosticLog CSP in tree format.
./Vendor/MSFT/DiagnosticLog
----EtwLog
--------Collectors
------------CollectorName
----------------TraceStatus
----------------TraceLogFileMode
----------------TraceControl
----------------LogFileSizeLimitMB
----------------Providers
--------------------ProviderGuid
------------------------Keywords
------------------------TraceLevel
------------------------State
--------Channels
------------ChannelName
----------------Export
----------------State
----------------Filter
----DeviceStateData
--------MdmConfiguration
----FileDownload
--------DMChannel
------------FileContext
----------------BlockSizeKB
----------------BlockCount
----------------BlockIndexToRead
----------------BlockData
----------------DataBlocks
--------------------BlockNumber
./Vendor/MSFT/DiagnosticLog The root node for the DiagnosticLog CSP.
Rest of the nodes in the DiagnosticLog CSP are described within their respective feature area sections.
DiagnosticArchive area
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.
DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
Note
DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
The following section describes the nodes for the DiagnosticArchive functionality.
DiagnosticArchive Added in version 1.4 of the CSP in Windows 10, version 1903. Root node for the DiagnosticArchive functionality.
The supported operation is Get.
DiagnosticArchive/ArchiveDefinition Added in version 1.4 of the CSP in Windows 10, version 1903.
The supported operations are Add and Execute.
The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a Collection XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following example shows a Collection XML:
<Collection>
<!--NOTE: The value shown here is an example only, for more information see the ID documentation which follows the example -->
<ID>f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID>
<!--NOTE: The value shown here is an example only, for more information see the SasUrl documentation which follows the example -->
<SasUrl><![CDATA[https://myaccount.blob.core.windows.net/mycontainer?sp=aw&st=2020-07-01T23:02:07Z&se=2020-07-02T23:02:07Z&sv=2019-10-10&sr=c&sig=wx9%2FhwrczAI0nZL7zl%2BhfZVfOBvboTAnrGYfjlO%2FRFA%3D]]></SasUrl>
<RegistryKey>HKLM\Software\Policies</RegistryKey>
<FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command>%windir%\system32\ipconfig.exe /all</Command>
<Command>%windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\</Command>
<FoldersFiles>%ProgramData%\temp\*.*</FoldersFiles>
<Events>Application</Events>
<OutputFileFormat>Flattened</OutputFileFormat>
</Collection>
The XML should include the following elements within the Collection element:
ID: The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
SasUrl The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP on the target device through the
CollectionXML as theSasUrlvalue.
One or more data gathering directives, which may include any of the following:
-
RegistryKey
- Exports all of the key names and values under a given path (recursive).
- Expected input value: Registry path such as "HKLM\Software\Policies".
- Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command.
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those paths that're under HKLM and HKCR.
-
Events
- Exports all events from the named Windows event log.
- Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
- Output format: Creates an .evtx file.
-
Commands
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
- Expected input value: The full command line including path and any arguments, such as
%windir%\\system32\\ipconfig.exe /all. - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands that may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
- %windir%\system32\certutil.exe
- %windir%\system32\dxdiag.exe
- %windir%\system32\gpresult.exe
- %windir%\system32\msinfo32.exe
- %windir%\system32\netsh.exe
- %windir%\system32\nltest.exe
- %windir%\system32\ping.exe
- %windir%\system32\powercfg.exe
- %windir%\system32\w32tm.exe
- %windir%\system32\wpr.exe
- %windir%\system32\dsregcmd.exe
- %windir%\system32\dispdiag.exe
- %windir%\system32\ipconfig.exe
- %windir%\system32\logman.exe
- %windir%\system32\tracelog.exe
- %programfiles%\windows defender\mpcmdrun.exe
- %windir%\system32\MdmDiagnosticsTool.exe
- %windir%\system32\pnputil.exe
-
FoldersFiles
- Captures log files from a given path (without recursion).
- Expected input value: File path with or without wildcards, such as "%windir%\System32", or "%programfiles%\*.log".
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:
- %PROGRAMFILES%
- %PROGRAMDATA%
- %PUBLIC%
- %WINDIR%
- %TEMP%
- %TMP%
- Additionally, only files with the following extensions are captured:
- .log
- .txt
- .dmp
- .cab
- .zip
- .xml
- .html
- .evtx
- .etl
-
OutputFileFormat
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
DiagnosticArchive/ArchiveResults Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
The supported operation is Get.
The data type is string.
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above:
<SyncML>
<SyncHdr/>
<SyncBody>
<Status>
<CmdID>1</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>0</CmdRef>
<Cmd>SyncHdr</Cmd>
<Data>200</Data>
</Status>
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>1</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>1</CmdRef>
<Item>
<Source>
<LocURI>./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults</LocURI>
</Source>
<Data>
<Collection HRESULT="0">
<ID>f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID>
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
<FoldersFiles HRESULT="0">C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command HRESULT="0">%windir%\system32\ipconfig.exe /all</Command>
<Command HRESULT="-2147024637">%windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\</Command>
<FoldersFiles HRESULT="0">c:\ProgramData\temp\*.*</FoldersFiles>
<Events HRESULT="0">Application</Events>
</Collection>
</Data>
</Item>
</Results>
<Final/>
</SyncBody>
</SyncML>
Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, the mdmdiagnosticstool.exe command failed.
Making use of the uploaded data
The zip archive that is created and uploaded by the CSP contains a folder structure like the following example:
PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z
Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z
Mode LastWriteTime Length Name
---- ------------- ------ ----
la--- 1/4/2021 2:45 PM 1
la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
Each data gathering directive from the original Collection XML corresponds to a folder in the output.
For example, the first directive was:
<Collection HRESULT="0">
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
</Collection>
Then, folder 1 will contain the corresponding export.reg file.
The results.xml file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using results.xml the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following results.xml content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder 1. It also indicates that netsh.exe wlan show profiles command failed.
<Collection HRESULT="0">
<ID>268b3056-8c15-47c6-a1bd-4bc257aef7b2</ID>
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
<Command HRESULT="-2147024895">%windir%\system32\netsh.exe wlan show profiles</Command>
</Collection>
Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details.
Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++}
This example produces output similar to the following output:
DirectiveNumber DirectiveHRESULT DirectiveInput
--------------- ---------------- --------------
1 0 HKLM\Software\Policies
2 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
3 0 HKLM\Software\Microsoft\IntuneManagementExtension
4 0 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
5 0 %windir%\system32\ipconfig.exe /all
6 0 %windir%\system32\netsh.exe advfirewall show allprofiles
7 0 %windir%\system32\netsh.exe advfirewall show global
8 -2147024895 %windir%\system32\netsh.exe wlan show profiles
The next example extracts the zip archive into a customized flattened file structure. Each file name includes the directive number, HRESULT, and so on. This example could be customized to make different choices about what information to include in the file names and what formatting choices to make for special characters.
param( $DiagnosticArchiveZipPath = "C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip" )
#region Formatting Choices
$flatFileNameTemplate = '({0:D2}) ({3}) (0x{2:X8})'
$maxLengthForInputTextPassedToOutput = 80
#endregion
#region Create Output Folders and Expand Zip
$diagnosticArchiveTempUnzippedPath = $DiagnosticArchiveZipPath + "_expanded"
if(-not (Test-Path $diagnosticArchiveTempUnzippedPath)){mkdir $diagnosticArchiveTempUnzippedPath}
$reformattedArchivePath = $DiagnosticArchiveZipPath + "_formatted"
if(-not (Test-Path $reformattedArchivePath)){mkdir $reformattedArchivePath}
Expand-Archive -Path $DiagnosticArchiveZipPath -DestinationPath $diagnosticArchiveTempUnzippedPath
#endregion
#region Discover and Move/rename Files
$resultElements = ([xml](Get-Content -Path (Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath "results.xml"))).Collection.ChildNodes | Foreach-Object{ $_ }
$n = 0
foreach( $element in $resultElements )
{
$directiveNumber = $n
$n++
if($element.Name -eq 'ID'){ continue }
$directiveType = $element.Name
$directiveStatus = [int]$element.Attributes.ItemOf('HRESULT').psbase.Value
$directiveUserInputRaw = $element.InnerText
$directiveUserInputFileNameCompatible = $directiveUserInputRaw -replace '[\\|/\[\]<>\:"\?\*%\.\s]','_'
$directiveUserInputTrimmed = $directiveUserInputFileNameCompatible.substring(0, [System.Math]::Min($maxLengthForInputTextPassedToOutput, $directiveUserInputFileNameCompatible.Length))
$directiveSummaryString = $flatFileNameTemplate -f $directiveNumber,$directiveType,$directiveStatus,$directiveUserInputTrimmed
$directiveOutputFolder = Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath $directiveNumber
$directiveOutputFiles = Get-ChildItem -Path $directiveOutputFolder -File
foreach( $file in $directiveOutputFiles)
{
$leafSummaryString = $directiveSummaryString,$file.Name -join ' '
Copy-Item $file.FullName -Destination (Join-Path -Path $reformattedArchivePath -ChildPath $leafSummaryString)
}
}
#endregion
Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse
That example script produces a set of files similar to the following set of files, which can be a useful view for an administrator interactively browsing the results without needing to navigate any subfolders or refer to results.xml repeatedly:
PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name
Length Name
------ ----
46640 (01) (HKLM_Software_Policies) (0x00000000) export.reg
203792 (02) (HKLM_Software_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg
214902 (03) (HKLM_Software_Microsoft_IntuneManagementExtension) (0x00000000) export.reg
212278 (04) (HKLM_SOFTWARE_WOW6432Node_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg
2400 (05) (_windir__system32_ipconfig_exe__all) (0x00000000) output.log
2147 (06) (_windir__system32_netsh_exe_advfirewall_show_allprofiles) (0x00000000) output.log
1043 (07) (_windir__system32_netsh_exe_advfirewall_show_global) (0x00000000) output.log
59 (08) (_windir__system32_netsh_exe_wlan_show_profiles) (0x80070001) output.log
1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log
5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log
Policy area
The Policy functionality within the DiagnosticLog CSP configures Windows event log policies, such as maximum log size.
The following section describes the nodes for the Policy functionality.
Policy Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log.
The supported operation is Get.
Policy/Channels Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings.
The supported operation is Get.
Policy/Channels/ChannelName
Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as Microsoft-Client-Licensing-Platform%2FAdmin. When the name is being specified in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI.
Supported operations are Add, Delete, and Get.
Add Channel
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type></Type>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete Channel
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
Get Channel
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Policy/Channels/ChannelName/MaximumFileSize Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments.
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add MaximumFileSize
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>6</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete MaximumFileSize
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>7</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
Get MaximumFileSize
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>5</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Replace MaximumFileSize
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>8</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>5</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
Policy/Channels/ChannelName/SDDL Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel.
Supported operations are Add, Delete, Get, and Replace.
The data type is string.
Default string is as follows:
https://learn.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype
Add SDDL
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>YourSDDL</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete SDDL
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>11</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
Get SDDL
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>9</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Replace SDDL
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>12</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>YourNewSDDL</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
Policy/Channels/ChannelName/ActionWhenFull Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size.
Supported operations are Add, Delete, Get, and Replace.
The data type is string.
The following are the possible values:
- Truncate—When the log file reaches its maximum file size, new events aren't written to the log and are lost.
- Overwrite—When the log file reaches its maximum file size, new events overwrite old events.
- Archive—When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value isn't set, the new file is saved in the same directory as current log file.
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
Add ActionWhenFull
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>14</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>Archive</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete ActionWhenFull
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>15</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
Get ActionWhenFull
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>13</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Replace ActionWhenFull
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>16</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>Truncate</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
Policy/Channels/ChannelName/Enabled Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled.
Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
- TRUE—Enables the channel.
- FALSE—Disables the channel.
If you disable or don't configure this policy setting, the locally configured value is used as default.
Get Enabled
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>17</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Add Enabled
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>18</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>TRUE</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete Enabled
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>19</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
Replace Enabled
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>20</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>FALSE</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
EtwLog area
The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see About Event Tracing.
Collector-based tracing
This type of event tracing collects event data from a collection of registered ETW providers.
An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
The CollectorName must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
For each collector node, the user can:
- Start or stop the session with all registered and enabled providers.
- Query session status.
- Change trace log file mode.
- Change trace log file size limit.
The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
- Specify keywords to filter events from this provider.
- Change trace level to filter events from this provider.
- Enable or disable the provider in the trace session.
The changes on State, Keywords, and TraceLevel takes effect immediately while trace session is in progress.
Note
Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
Channel-based tracing
The type of event tracing exports event data from a specific channel. This method is only supported on the desktop.
Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node.
For each channel node, the user can:
- Export channel event data into a log file (.evtx).
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
- Specify an XPath query to filter events while exporting the channel event data.
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see Diagnose MDM failures in Windows 10.
To gather diagnostics using this CSP:
-
Specify a CollectorName for the container of the target ETW providers.
-
(Optional) Set logging and log file parameters using the following options:
-
Indicate one or more target ETW providers by supplying its ProviderGUID to the Add operation of EtwLog/Collectors/CollectorName/Providers/ProviderGUID.
-
(Optional) Set logging and log file parameters using the following options:
-
Start logging using TraceControl EXECUTE command “START”.
-
Perform actions on the target device that will generate activity in the log files.
-
Stop logging using TraceControl EXECUTE command “STOP”.
-
Collect the log file located in the
%temp%folder using the method described in Reading a log file.
The following section describes the nodes for EtwLog functionality.
EtwLog Node to contain the Error Tracing for Windows log.
The supported operation is Get.
EtwLog/Collectors Interior node to contain dynamic child interior nodes for active providers.
The supported operation is Get.
EtwLog/Collectors/CollectorName Dynamic nodes to represent active collector configuration.
Supported operations are Add, Delete, and Get.
Add a collector
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete a collector
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Collectors/CollectorName/TraceStatus Specifies whether the current logging status is running.
The data type is an integer.
The supported operation is Get.
The following table represents the possible values:
| Value | Description |
|---|---|
| 0 | Stopped |
| 1 | Started |
EtwLog/Collectors/CollectorName/TraceLogFileMode Specifies the log file logging mode.
The data type is an integer.
Supported operations are Get and Replace.
The following table lists the possible values:
| Value | Description |
|---|---|
| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. |
EtwLog/Collectors/CollectorName/TraceControl Specifies the logging and report action state.
The data type is a string.
The following table lists the possible values:
| Value | Description |
|---|---|
| START | Start log tracing. |
| STOP | Stop log tracing. |
The supported operation is Execute.
After you've added a logging task, you can start a trace by running an Execute command on this node with the value START.
To stop the trace, running an execute command on this node with the value STOP.
Start collector trace logging
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>START</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
Stop collector trace logging
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>STOP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Collectors/CollectorName/LogFileSizeLimitMB Sets the log file size limit, in MB.
The data type is an integer.
Valid values are 1-2048. The default value is 4.
Supported operations are Get and Replace.
EtwLog/Collectors/CollectorName/Providers Interior node to contain dynamic child interior nodes for active providers.
The supported operation is Get.
EtwLog/Collectors/CollectorName/Providers/ProviderGUID Dynamic nodes to represent active provider configuration per provider GUID.
Note
Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
Supported operations are Add, Delete, and Get.
Add a provider
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete a provider
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Collectors/CollectorName/Providers/ProviderGUID/TraceLevel Specifies the level of detail included in the trace log.
The data type is an integer.
Supported operations are Get and Replace.
The following table lists the possible values:
| Value | Description |
|---|---|
| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
| 2 – TRACE_LEVEL_ERROR | Severe error events |
| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures |
| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events |
| 5 – TRACE_LEVEL_VERBOSE | Detailed information |
Set provider TraceLevel
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Collectors/CollectorName/Providers/ProviderGUID/Keywords Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
The data type is a string.
Supported operations are Get and Replace.
Default value is 0 meaning no keyword.
Get provider Keywords
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Set provider Keywords
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>12345678FFFFFFFF</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Collectors/CollectorName/Providers/ProviderGUID/State Specifies if this provider is enabled in the trace session.
The data type is a boolean.
Supported operations are Get and Replace. This change will be effective during active trace session.
The following table lists the possible values:
| Value | Description |
|---|---|
| TRUE | Provider is enabled in the trace session. This value is the default value. |
| FALSE | Provider is disabled in the trace session. |
Set provider State
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>false</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Channels Interior node to contain dynamic child interior nodes for registered channels.
The supported operation is Get.
EtwLog/Channels/ChannelName Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin"
Supported operations are Add, Delete, and Get.
Add a channel
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
Delete a channel
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Channels/ChannelName/Export Node to trigger the command to export channel event data into the log file.
The supported operation is Execute.
Export channel event data
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export</LocURI>
</Target>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Channels/ChannelName/Filter Specifies the XPath query string to filter the events while exporting.
The data type is a string.
Supported operations are Get and Replace.
Default value is empty string.
Get channel Filter
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
EtwLog/Channels/ChannelName/State Specifies if the Channel is enabled or disabled.
The data type is a boolean.
Supported operations are Get and Replace.
The following table lists the possible values:
| Value | Description |
|---|---|
| TRUE | Channel is enabled. |
| FALSE | Channel is disabled. |
Get channel State
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
Set channel State
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>false</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
DeviceStateData area
The DeviceStateData functionality within the DiagnosticLog CSP provides extra device information.
The following section describes the nodes for the DeviceStateData functionality.
DeviceStateData Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed.
DeviceStateData/MdmConfiguration Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP.
The supported value is Execute.
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SNAP</Data>
</Item>
</Exec>
<Final/>
</SyncBody>
</SyncML>
FileDownload area
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
Comparing FileDownload and DiagnosticArchive
Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they're optimized for different workflows.
- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It's used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions, the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
The following section describes the nodes for the FileDownload functionality.
FileDownload Node to contain child nodes for log file transportation protocols and corresponding actions.
FileDownload/DMChannel Node to contain child nodes using DM channel for transport protocol.
FileDownload/DMChannel/FileContext Dynamic interior nodes that represent per log file context.
FileDownload/DMChannel/FileContext/BlockSizeKB Sets the log read buffer, in KB.
The data type is an integer.
Valid values are 1-16. The default value is 4.
Supported operations are Get and Replace.
Set BlockSizeKB
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
Get BlockSizeKB
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
FileDownload/DMChannel/FileContext/BlockCount Represents the total read block count for the log file.
The data type is an integer.
The only supported operation is Get.
Get BlockCount
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
FileDownload/DMChannel/FileContext/BlockIndexToRead Represents the read block start location.
The data type is an integer.
Supported operations are Get and Replace.
Set BlockIndexToRead at 0
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
Set BlockIndexToRead at 1
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
FileDownload/DMChannel/FileContext/BlockData The data type is Base64.
The only supported operation is Get.
Get BlockData
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
FileDownload/DMChannel/FileContext/DataBlocks Node to transfer the selected log file block to the DM server.
FileDownload/DMChannel/FileContext/DataBlocks/BlockNumber The data type is Base64.
The supported operation is Get.
Reading a log file
To read a log file:
- Enumerate log file under ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel.
- Select a log file in the Enumeration result.
- Set BlockSizeKB per DM server payload limitation.
- Get BlockCount to determine total read request.
- Set BlockIndexToRead to initialize read start point.
- Get BlockData for upload log block.
- Increase BlockIndexToRead.
- Repeat steps 5 to 7 until BlockIndexToRead == (BlockIndexToRead – 1).