windows-itpro-docs/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
2019-11-07 15:37:44 -08:00

title: Decode Measured Boot logs to track PCR changes
description: Provides instructions for installing and using a tool for analyzing log information to identify changes to PCRs
ms.reviewer: kaushika
ms.technology: windows
ms.prod: w10
ms.sitesec: library
ms.localizationpriority: medium
author: Teresa-Motiv
ms.author: v-tea
manager: kaushika
audience: ITPro
ms.collection: Windows Security Technologies\BitLocker
ms.topic: troubleshooting
ms.date: 10/17/2019

Decode Measured Boot logs to track PCR changes

Platform Configuration Registers (PCRs) are memory locations in the Trusted Platform Module (TPM). BitLocker and its related technologies depend on specific PCR configurations. Additionally, specific changes in PCRs can cause a device or computer to enter BitLocker recovery mode.

By tracking changes in the PCRs, and identifying when they changed, you can gain insight into issues that occur or learn why a device or computer entered BitLocker recovery mode. The Measured Boot logs record PCR changes and other information. These logs are located in the C:\Windows\Logs\MeasuredBoot\ folder.
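The following script is an added example that is not part of this article and is not one of the Microsoft tools it describes. It shows what "tracking PCR changes" means at the data level: a Measured Boot log is a sequence of events, each naming a PCR and the digest that firmware extended into it, and a decoder replays those extends (PCR = SHA1(PCR || digest), starting from zeros) to obtain the final PCR values. To keep the example self-contained it assumes the legacy TCG_PCClientPCREvent record layout (SHA-1 digests only) and builds two constructed logs for two boots; real logs on TPM 2.0 systems use the crypto-agile TCG_PCR_EVENT2 layout, which this example does not parse. The event type codes are from the TCG PC Client specification; the event data, file names and the "Secure Boot was turned off" scenario are constructed.

```python
"""Replay and diff legacy-format TCG Measured Boot event logs (constructed example)."""
import hashlib
import struct
from typing import Dict, List, NamedTuple, Tuple

# Assumption: legacy TCG_PCClientPCREvent record layout (SHA-1 only):
#   uint32 pcrIndex | uint32 eventType | uint8 digest[20] | uint32 eventDataSize | eventData
HEADER = struct.Struct("<II20sI")  # the fixed 32-byte part before the variable-length data
DIGEST_LEN = 20

# TCG event type codes (TCG PC Client spec)
EV_SEPARATOR = 0x00000004
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003


class PcrEvent(NamedTuple):
    pcr: int
    event_type: int
    digest: bytes
    data: bytes


def measure(data: bytes) -> bytes:
    """Digest that firmware would record for an event's data (SHA-1 in the legacy format)."""
    return hashlib.sha1(data).digest()


def encode_log(events: List[PcrEvent]) -> bytes:
    """Serialize events in the legacy layout; used only to build the constructed sample logs."""
    out = bytearray()
    for ev in events:
        out += HEADER.pack(ev.pcr, ev.event_type, ev.digest, len(ev.data)) + ev.data
    return bytes(out)


def parse_log(blob: bytes) -> List[PcrEvent]:
    """Parse a legacy-format log, refusing a truncated record instead of silently stopping."""
    events: List[PcrEvent] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated event header at offset {off}")
        pcr, etype, digest, size = HEADER.unpack_from(blob, off)
        off += HEADER.size
        if off + size > len(blob):
            raise ValueError(f"truncated event data at offset {off}")
        events.append(PcrEvent(pcr, etype, digest, blob[off:off + size]))
        off += size
    return events


def replay_pcrs(events: List[PcrEvent]) -> Dict[int, bytes]:
    """Recompute each PCR as the TPM does: PCR = SHA1(PCR || digest), starting from all zeros."""
    pcrs: Dict[int, bytes] = {}
    for ev in events:
        prev = pcrs.get(ev.pcr, b"\x00" * DIGEST_LEN)
        pcrs[ev.pcr] = hashlib.sha1(prev + ev.digest).digest()
    return pcrs


def first_divergence(old: List[PcrEvent], new: List[PcrEvent]) -> Dict[int, int]:
    """Per PCR, the index (counting only that PCR's events) of the first event that differs."""
    result: Dict[int, int] = {}
    for pcr in sorted({e.pcr for e in old} | {e.pcr for e in new}):
        a = [e for e in old if e.pcr == pcr]
        b = [e for e in new if e.pcr == pcr]
        for i, (x, y) in enumerate(zip(a, b)):
            if (x.event_type, x.digest) != (y.event_type, y.digest):
                result[pcr] = i
                break
        else:
            if len(a) != len(b):  # same prefix, but one boot logged extra events on this PCR
                result[pcr] = min(len(a), len(b))
    return result


def build_sample_logs() -> Tuple[bytes, bytes]:
    """Two constructed boots, identical except that Secure Boot was turned off before boot B."""
    def boot(secure_boot_state: bytes) -> List[PcrEvent]:
        sep = b"\x00\x00\x00\x00"
        return [
            PcrEvent(0, EV_SEPARATOR, measure(sep), sep),
            PcrEvent(7, EV_EFI_VARIABLE_DRIVER_CONFIG, measure(secure_boot_state), secure_boot_state),
            PcrEvent(4, EV_EFI_BOOT_SERVICES_APPLICATION, measure(b"constructed bootmgfw.efi image"), b"bootmgfw.efi"),
            PcrEvent(7, EV_SEPARATOR, measure(sep), sep),
        ]
    return encode_log(boot(b"SecureBoot=1")), encode_log(boot(b"SecureBoot=0"))


def compare_boot_logs(old_blob: bytes, new_blob: bytes) -> Dict[int, int]:
    """Decode two raw logs and report which PCRs diverged and at which event."""
    return first_divergence(parse_log(old_blob), parse_log(new_blob))


if __name__ == "__main__":
    log_a, log_b = build_sample_logs()
    for pcr, value in sorted(replay_pcrs(parse_log(log_a)).items()):
        print(f"boot A  PCR[{pcr:2}] = {value.hex()}")
    for pcr, index in compare_boot_logs(log_a, log_b).items():
        print(f"PCR[{pcr}] diverges between boot A and boot B at its event #{index}")
```

Comparing a log from a boot that entered BitLocker recovery against one from a known-good boot, event by event per PCR, pinpoints the first measurement that changed (here PCR 7's Secure Boot state), which is more useful than only comparing the final PCR values, since any later event on the same PCR is also different once the chain has diverged.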

This article describes tools that you can use to decode these logs: TBSLogGenerator and PCPTool.

For more information about Measured Boot and PCRs, see the following articles:

Use TBSLogGenerator to decode Measured Boot logs

Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 10 and earlier versions. You can install this tool on the following systems:

  • A computer that is running Windows Server 2016 and that has a TPM enabled
  • A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)

To install the tool, follow these steps:

  1. Download the Windows Hardware Lab Kit from one of the following locations:

  2. Accept the default installation path.

    Specify Location page of the Windows Hardware Lab Kit installation wizard

  3. Under Select the features you want to install, select Windows Hardware Lab Kit—Controller + Studio.

    Select features page of the Windows Hardware Lab Kit installation wizard

  4. Finish the installation.

To use TBSLogGenerator, follow these steps:

  1. After the installation finishes, open an elevated Command Prompt window and navigate to the following folder:
    C:\Program Files (x86)\Windows Kits\10\Hardware Lab Kit\Tests\amd64\NTTEST\BASETEST\ngscb

    This folder contains the TBSLogGenerator.exe file.

    Properties and location of the TBSLogGenerator.exe file

  2. Run the following command:

    ```
    TBSLogGenerator.exe -LF <LogFolderName>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.txt
    ```

    where the variables represent the following values:

    • <LogFolderName> = the name of the folder that contains the file to be decoded
    • <LogFileName> = the name of the file to be decoded
    • <DestinationFolderName> = the name of the folder for the decoded text file
    • <DecodedFileName> = the name of the decoded text file

    For example, the following figure shows Measured Boot logs that were collected from a Windows 10 computer and put into the C:\MeasuredBoot\ folder. The figure also shows a Command Prompt window and the command to decode the 0000000005-0000000000.log file:

    ```
    TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
    ```

    Command Prompt window that shows an example of how to use TBSLogGenerator

    The command produces a text file that uses the specified name. In the case of the example, the file is 0000000005-0000000000.txt. The file is located in the same folder as the original .log file.

    Windows Explorer window that shows the text file that TBSLogGenerator produces

The content of this text file resembles the following.

Contents of the text file, as shown in NotePad

To find the PCR information, go to the end of the file.

View of NotePad that shows the PCR information at the end of the text file

Use PCPTool to decode Measured Boot logs

PCPTool is part of the TPM Platform Crypto-Provider Toolkit. The tool decodes a Measured Boot log file and converts it into an XML file.

To download and install PCPTool, go to the Toolkit page, select Download, and follow the instructions.

To decode a log, run the following command:

```
PCPTool.exe decodelog <LogFolderPath>\<LogFileName>.log > <DestinationFolderName>\<DecodedFileName>.xml
```

where the variables represent the following values:

  • <LogFolderPath> = the path to the folder that contains the file to be decoded
  • <LogFileName> = the name of the file to be decoded
  • <DestinationFolderName> = the name of the folder for the decoded XML file
  • <DecodedFileName> = the name of the decoded XML file

The content of the XML file resembles the following.

Command Prompt window that shows an example of how to use PCPTool