TSS : CMD based Universal Toolset for Data Collection
Short while ago Microsoft has released a cmd based toolset named TSS (TroubleShooting Script) to public. TSS is in reallity a detailed and customizable data collection script. Furthermore this script toolset provides also the easy collection of all kind of trace files. Basically its a user friendly All-In-One data collection toolset.
TSS also includes the psSDP data collection script provided by Microsoft. TSS is basically the Ultimate All-In-One package. Microsoft also provides some of its data collection tools on its own website too. The SDP tool Portable_Diagnostic.exe which is the same like psSDP can be downloaded from the following link https://home.diagnostics.support.microsoft.com/selfhelp.
On Microsoft’s /selfhelp website Microsoft also provides data collection tools for lots of Office Applications.
For a detailed list of all available parameters and usage scenarios in TSS you can take a look at https://github.com/CSS-Windows/WindowsDiag/tree/master/ALL/TSS.
Update 16.04.2021 :
Unfortunately, Microsoft has removed "TSS Tools (tss_tools.zip)"
from Github and made it Internal Only again. I realized it today. I downloaded "TSS Tools"
a few month ago and sharing it from my Personal Ondrive Share for whom, who are interested in to use it.
TSS Tools (tss_tools.zip) Download : https://1drv.ms/u/s!AkvfHRy8YWW9gZcU4C7d7pm9xC0mHg?e=sLXjMv
Usage
Copy the relevant tss_tools.zip
file and expand it to local disk, i.e. into C:\tools folder
.
Please start the script in the C:\tools
folder in elevated CMD window. For help, just run: TSS
or TSS help yourKeyword
.
C:\tools> tss [parameter list]
Examples of frequently scenarios
1. Collect logs for MS-cluster (Scenario includes Network Trace, NetFT+LBFO+Cluster ETL, Storport, Perfmon, SDP).
C:\tools> tss MsCluster
2. Collect logs for Authentication provider (Scenario includes Client SMB, SSL,HTTPsys ETL-logs, Network Trace, Gpresult, Registry, PSR, Procmon, SDP).
C:\tools> tss Auth
3. Collect DNS client logs (Scenario includes Network Trace, PSR, SDP).
C:\tools> tss DNScli
4. Collect logs for SQLtracing (Scenario includes Network Trace, Perfmon).
C:\tools> tss SQLtrace
Some of the ETL Trace options and parameters are as follows :
TSS v2020.05.09.0 (c) Microsoft CSS Syntax: Tss Param[:] argument in [brackets] for Param is optional, defaults will be used if argument is missing, the order of sub-args is mandatory, '|' means 'OR', ':' is a delimiter between params and/or args, 'def: val' stands for Default value, ' ' is placeholder Usage example: TSS General - enables general purpose logs, DNScli, Network sniff, PSR, SDP, wait for user input w/ ANY-key TSS rOn cliOn Trace Video - enables SMB-client ETL-logs, Network sniff=Trace, Problem-Step-Recorder, Video and SDP report Help [ ] - or -? /? -help /help = this help screen, + optional to search for Query - query active ETW tss ms_* Data Collector Sets (LOGMAN QUERY, LOGMAN QUERY -ets) Update - update current tss version from latest GitHub release Version - shows current tss version: v2020.05.09.0 Remove - removes/cleans-up all persistent network and ETL component tracing; clean up Registry settings; stop running PSR,ProcMon,Trace,Video; recommended to use after forced crash Enabling Tracing: usage: TSS [ |cliOn|srvOn|rOn] + see below sections '[rOn] Additional module options:' -and 'Predefined Tss scenarios:' At least one of *on: cliOn, srvOn, rOn (= ReproOn) or any predefined must be specified. cliOn - generate SMB/NFS client component ETL-logs srvOn - generate SMB/NFS/DFS server component ETL-logs rOn - collecting Repro-On data / logs, required for below options unless -+ is present. you can choose any combination of available [rOn] options and/or -+scenarios below, i.e: TSS rOn DCOM General Trace:N:scenario [rOn / ] Additional module options: AccessChk - collect Sysinternals AccessChk logs, may need adjustments in tss_config.cfg AdSAM - collect ActiveDirectory SAM client logs (on Win10) AfdTcp[:Basic|Full] - collect Afd,TcpIp,NetIO ETL-log, if :Basic is specified do Basic logging; default:Full ATA - collect ATAPort ETL-log BadPwd - collect User's bad password attempts info from all DCs BGP - collect Border Gateway Protocol (BGP) ETL-log Bluetooth - collect Bluetooth logs CDROM - collect CD/DVD ETL-log Coreinfo - collect Sysinternals Coreinfo log Crash - to be used at stop, or together with Stop trigger, Caution: this switch will force a memory.dump, open files won't save. Run 'tss off noCrash' after reboot, see KB969028 CSVspace - collect cluster CSV_space ETL-log customETL: / - collect ETL-log with list of custom providers, example: customETL:"Microsoft-Windows-DNS-Client"/{1540FF4C-3FD7-4BBA- 9938-1D1BF31573A7} DataDisk: - to specify Disk drive letter for resulting data, default is disk C; example: DataDisk:E DCOM - collect COM,COM+,COMSVCS,COMADMIN,DCOM,DCOMSCM ETL-log, Reg-settings and SecurityDescriptor info, consider also OLE32 Dedup - collect Data Deduplication and Filter ETL-log Defender - collect Defender/Operational Eventlogs and ATP Reg.keys DfsR - collect DFS replication ETL-log, Eventlog, DFSR logs DsR[: : : : ] - DriveLetter [D], BlockSize(K) [1024], Duration(Sec) [300], FileSize [10G] for DiskSpeed Repro EFS - collect encryped FS ETL-log ETLmax: [: ] - set limit of ETL file size to MB, will force chained logs, Range :100-4096, Circ: has precedence for cliOn/srvOn, [def: N=1024 (MB), NrKeep=1] Evt[:Sec|Days: ] - collect Security Eventlog, default is Sys+App Eventlogs; [def. days back for TXT/CSV convert: Days:10] Fiddler - collect Fiddler trace, to decrypt https, see https://fiddlerbook.com/fiddler/help/httpsdecryption.asp FSRM - collect FSRM drivers ETL-log FWmgr - collect Firewall Manager ETL log, consider also collecting WFP GPresult - collect GPresult, Auditing and Security logs GPsvc - collect client Group Policy GPsvc.log, netlogon.log Handle[:start|stop|both] - collect handle.exe output at stage Start or Stop [def: Stop] HttpSys - collect HTTP.SYS ETL logging, i.e. on IIS server ICS - collect ICS SharedAccess ETL-log and SharedAccess Reg key iDNA: |name[: :Full|ring|onLaunch] - collect iDNA/TTD dump for PID, service name or unique ProcessName (requires tss_tools_ttt.zip) [defaults: maxF=2048 mode=Full], separate multiple PIDs/names by '/' IPsec - collect IPsec ETL-log iSCSI - collect iSCSI ETL-log LBFO - collect LBFO teaming ETL-log (included in HypHost / WNV) LDAPcli[: ] - collect LDAP client process ETL-log, requires 'REG ADD HKLM\System\CurrentControlSet\Services\ldap\Tracing\processName.exe /f' [def: svchost.exe] LiveKd[:start|stop|both] - Execute kd/windbg memory dump on a live system at stage Start or Stop [def: Stop] LockOut - find User Account Lockout info from all DCs (EventIDs 4625,4771,4776), requires Domain Admin account Mini - collect only minimal data, no supporting information data like Sysinfo, Tasklist, Services, Registry hives/files, Evt-logs, skip ClearCaches, noPSR,noSDP,noVideo,noVerCheck MPIO - collect MPIO, MsDSM, Storport, ClassPnP ETL-logs MsDSM - collect MsDSM ETL-log MUX - collect NetworkController MUX Microsoft-Windows-SlbMux ETL-log (in SDN) NCHA - collect NetworkController.HostAgent ETL-log (in SDN / WNV) NDIS - collect NDIS ETL-log NdisWan - collect NdisWan ETL-log Netlogon - collect Netlogon debug log NetView - collect Get-NetView infos for diagnosing Microsoft Networking NFC - collect Near-field communication ETL-log NetworkUX - collect Network UI User Interface ETL-log NLA - collect NLA ETL-log NTFS - collect NTFS driver ETL-log Outlook - collect Outlook ETL-log, see kb2862843, start tss - restart Outlook - repro - stop tss OpsMgr - collect OpsMgr ETL and Eventlogs OLE - collect OLE32 ETL-log, consider also DCOM PCI - collect PCI, setupapi and msinfo32 infos PktMon[:Drop] - collect Packet Monitoring data (on RS5+ / Srv2019), PktMon:Drop will collect only dropped packets Perfmon[: : ] - collect Perfmon logs, : choose CORE|DISK|SQL|BC|DC|Biz [def: CORE], Interval: 1-59 sec [def: 30] PerfmonLong[: : ] - collect Perfmon logs, : choose CORE|DISK|SQL|BC|DC|Biz [def: CORE], Interval: 1-59 min [def: 05] persistent - Boot-scenarios: choosen ETL logs, NETSH traces, ProcMon or WPR will be activated, requires a reboot, then settings will be active after restart, stop tracing using command: TSS OFF; Note: persistent will not work in combi with Stop:*, PSR, Video PNP - collect PlugAndPlay PnP ETL-log and info PortProxy - collect PortProxy IP Helper Service ETL-log, can be used i.e. in combination with Test:psTelnet:Both:IPaddr/TCPportNr Print - collect Print Service ETL- and Event-Logs ProcDump: | [: : :Start|Stop|Both] - collect N user dumps with ProcDump.exe for process ID or service name or unique ProcessName [defaults: N=3, Int=10 sec, Stop] to combine multiple processes or service names, use '/' separator, i.e. ProcDump:Notepad.exe/dnscache/WinHttpAutoProxySvc:2 ProcMon[:Boot|Purge: [: ]] - collect ProcMon [Bootlog] trace, [Purge:N]: purge older *.pml files, keep number N [def: 9], Filter=name-of- FilterConfig.pmc ProcTrack[:module|thread] - collect process tracking ETL, [Module: with Module load activity | Thread: with Thread+Module load activity] Profile - Client Profile, WinLogon, GroupPolicy, DClocator ETL tracing PSR[: ] - default: collect Problem Step Recorder (PSR) screenshots, [def: maxsc=99], starting timedate.cpl, to deactivate use noPSR Radar: | - collect heap RADAR Leak diag for process ID or service name or unique ProcessName.exe RAmgmt - collect RemoteAccess Management ETL-log RasMan - collect RasMan service ETL-log REG[: ] - collect Registry output, : choose Hives|802Dot1x|ATP|Auth|BITS|Bluetooth|Branchcache|Cluster|CSC|DAcli|DAsrv|DFS|DCOM|DHCP|DNS| Firewall|GPsvc|Http|HyperV|ICS|LBFO|LDAPcli|MBN|MFAext|NLA|NPS|NTDS|PCI|Proxy|RAS|Rpc|SNMP|Tcp|TLS|UNChard|USB|Webclient|VPN|webClient|WLBS [def: Hives] Rpc - collect RPC, RpcSs services and DCOM ETL-logs SCM - collect Service Control Manager ETL-log of process services.exe SCCM - collect SCCM System Center Configuration Manager debug ETL-log Sddc - collect HA/Cluster PrivateCloud.DiagnosticInfo infos SignPs1 - used to selfSign PowerShell .ps1 files at first run, so that they run with any ExecutionPolicy requiring script signing SmartCard - collect SmartCard/Windows Hello for Business (WHfB) ETL-log SNMP - collect Simple Network Management Protocol (SNMP) ETL-log Stop:Evt: [:Sys|App|Sec|Other: [: ]] - stop data collection on trigger Eventlog: EventID and optional App, Sys, Sec; 'Other' for _EventlogName in tss_config.cfg Stop:Log[: ] - stop data collection on trigger Logfile: optional PollIntervall-in-sec (def pollInt=10); edit criteria in tss_config.cfg Stop:Cmd[:DFS|Smb|Svc|custom[: ]] - stop data collection on trigger tss_stop_condition_script.cmd, optional PollIntervall-in-sec [def: Stop:Cmd:custom:8] Stop:ps1[:Dfs|HTTP|PortDest|PortLoc|RDP|Smb|Svc|WINRM|custom[: ]] - stop data collection based on trigger condition defined in (adjusted) PoSh tss_stop_condition_script.ps1 [def: Port=135] Stop:Time[: ] - stop data collection after minutes, [def: Stop:Time:10] Example: stop:Evt:999:App =Stop on Event ID# 999 in Application Event log stop:Evt:40962/40961:Other:Microsoft-Windows-PowerShell/Operational:3221226599 =Stop on Event ID# 40962 or 40961 in Microsoft-Windows- PowerShell/Operational Event log stop:Log:5 =Stop on Search-string entry in specific Log file, PollInt: 5-sec, all to be defined within tss_config.cfg stop:Cmd:Svc:4 =Stop based on service stop condition given in (adjusted) tss_stop_condition_script.cmd, PollInt: 4-sec stop:ps1:PortDest:5 =Stop based on dest. TCP port 135 fail condition given in (adjusted) tss_stop_condition_script.ps1, PollInt: 5-sec stop:Time:3 =Stop after 3 minutes Storage - collect Storage drivers ETL-log StorageReplica - collect Storage Replica ETL-log StorageSpace - collect Storage Space ETL-log StorPort - collect disk/StorPort ETL-log SysInfo - collect SystemInfo (txt based msinfo32) TaskSch - collect Task Scheduler ETL-log Test[:psPing|TraceRt|NsLookup|Http|Ldap|Smb|Wmi|publicIP|psTelnet[:Start|Stop|Both[: [: : ] | / ]]] - connectivity info, separate multiple Test-scenarios names with '/', [def: psPing, TestPhase: Stop, TestDestName:www.microsoft.com|UserDomain, Nr=5, Int=2] TLS - collect Schannel TLS/SSL ETL-log, CAPI2 Evt-Log Trace[: [: [: : ]]] - capture circular NETSH trace, N: bufferSize MB, separate multiple scenario names with '/' [defaults: bufferSize=500, Scenario=InternetClient, fileMode=circular, truncate Byte=1514 for Ethernet] for available tracing scenarios, type: 'netsh trace show scenarios', [for SrvCORE def: InternetServer], scenario 'Capture' will only sniff i.e.: Trace:2048 -or- Trace:1024:NetConnection -or- Trace:4096:Capture -or- Trace:1024:InternetClient:Circular:128 TraceChn[: : : ] - capture chained NETSH trace, chunk bufferSize MB [def: 500, Scenario=InternetClient, NrKeep=10] TraceNM[: : ] - capture requires Netmon NMcap.exe, N: bufferSize MB [def: 500, truncate Byte=1514] TraceNMchn[: : : ] - chained capture requires Netmon NMcap.exe, N: bufferSize MB [def: 500, NrKeep=10, truncate Byte=1514] USB - collect Universal Serial Bus (USB) ETL-log VDS - collect VDS services ETL-log Video - collect ScreenRecorder Video ~6 MB/min, plz use max 1920x1080 (requires .NET 3.5, Feature 'Desktop Experience' on server edition; needs DeCoder or VLC for viewing) VirtualFC - collect Virtual FC info logs VML[:verbose] - collect Hyper-V host VmlTrace ETL-log [def: Standard, Verbose will restart the Hyper-V service] + FRuti.exe log VMQ - validate Hyper-V VMQ and RSS settings (USB) VmSwitch - collect VmSwitch ETL-log (included in HypHost and SDN) VSS - collect VolSnap, Volume Shadow Copy Service (VSS) reports WCM - collect Windows Connection Manager (WCM) ETL-log WebIO - collect WinInet, WinHTTP, WebIO ETL-logs, i.e. for WebClient or Outlook WfpDiag - collect WFP diag trace: netsh wfp capture WinNAT - collect WindowsNAT ETL-log WinRM - collect Windows Remote Management (WinRM) ETL-log WinUpd - collect PS Get-WindowsUpdateLog, Merges Windows Update .etl files, (included in psSDP) WmbClass - collect WmbClass,NDISuIO,PnP ETL-logs WMI - collect WMI services ETL-log WPR[: ] - collect WPR trace on Win8.0+ , : choose CPU|General|Network|Storage|Wait [def: General], TSS will use Xperf for Win2008-R2 WSB - collect Windows Server Backup modules ETL-log WWAN - collect WWAN Wireless mobile Broadband MBN ETL-log (see also MBN) Xperf[: ] - collect circular Xperf trace, : choose CPU|General|SMB2|Disk|Memory [def: General / Delay], alternatively: you may put your specific Xperf command into tss_extra_repro_steps_AtStart.cmd [for cliOn/srvOn -only] Collection options: usage on original t.cmd: T [cliOn|srvOn] [persistent][capture][core][verbose] [csv][cluster][hyperv] [circ:N] [driver:flags:level] capture - [downlevel t.cmd] in combination with cliOn, srvOn: enable packet capture (Windows 7 / 2008 R2 or newer) circ:N - generate circular logs of size N megabytes (default circular buffer size is 250 MB per log) cluster - collect Cluster event logs csv - generate cluster CSV component traces hyperv - collect Hyper-V event logs verbose - verbose mode tracing flags (defined for fskm/mup srv) driver:flags:level - specify trace flags and level for this driver (support rdbss, mrxsmb, smb20 only) flags and level must be in hex rdbss: 0x0001 error 0x0002 misc 0x0004 io 0x0008 openclose 0x0010 readwrite 0x0020 fileinfo 0x0040 oplock 0x0080 connectionobject 0x0100 fcb 0x0200 caching 0x0400 migration 0x0800 namecache 0x1000 security mrxsmb: 0x0001 error 0x0002 misc 0x0004 network 0x0008 security 0x0010 exchange 0x0020 compounding 0x0040 connectionobject 0x0080 midwindow 0x0100 multichannel smb20: 0x0001 error 0x0002 misc 0x0004 network 0x0008 security 0x0010 exchange 0x0020 io 0x0040 handle 0x0080 infocache 0x0100 dircache 0x0200 oplock level: 0x1 error 0x2 brief 0x4 verbose Disabling and ReEnabling Tracing: usage: TSS snapshot [nocab] [nobin] [rOn] more No* options: noAsk - do not ask about good/failing scenario text input before compressing data noClearCache - do not clear DNS,NetBios,Kerberos,DFS chaches at start noCluster_GetLogs - don't collect cluster infos / validation reports noCrash - do not run Crash after reboot again when using 'tss off noCrash' noGPresult - do not run GPresult, used to override setting in preconfigured TS scenarios noSDP - do not gather SDP report, i.e. when using script in scheduled tasks noPersistent - do not use predefined Persistent in scenarios noProcMon - do not run ProcMon, used to override setting in preconfigured TS scenarios noPSR - do not run PSR, used to override setting in preconfigured TS scenarios noRestart - do not restart associated service noSound - do not play attention sound noVerCheck - do not check online for latest TSS version on Github, no AutoUpdate noWait - do not wait at stage: Press ANY-Key to stop, use 'TSS OFF' noVideo - do not run Video, used to override setting in preconfigured TS scenarios noXray - do not start Xray troubleshooter You can lookup netsh trace scenarios here: dbg/wpp : HKLM\System\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses - and normal scenarios here: HKLM\System\CurrentControlSet\Control\NetTrace\Scenarios All network traces *packetcapture|NetTrace|capture|sniff*.etl files can be converted into the corresponding .pcap files using RFLcheck Etl2Pcap Short link to tss download: https://aka.ms/getTSS Predefined Tss scenarios: (no 'Tss Off' is required, use ANY-key to stop, run: tss ), all scenarios include network trace, PSR and SDP 802Dot1x[:LAN|WLAN] -+ scenario: 802.1x,Afd,TcpIp,NDIS,RadioMgr,TLS,WCM ETL-logs, Video, for wired LAN or WiFi wireless WLAN [def: LAN] Auth -+ scenario: Authentication logs (Kerberos, Kps, Kdc, NTLM, SSL, Lsa, negoexts, pku2u, vault, Http), WFP, TLS, Procmon BITS -+ scenario: Background Intelligent Transfer Service (BITS) client logs Branchcache -+ scenario: Branchcache+BITS logs, Perfmon:BC Container -+ scenario: Afd,TcpIp,WFP,HNS,Vfp,WinNAT ETL-Logs, Docker/Containers CSC -+ scenario: OfflineFiles infos, CSC database dump, Procmon DAcli -+ scenario: DirectAccess client info, scenario=DirectAccess,Netconnection, DA client config, WFPdiag, TLS, tss_DAclient-collector.ps1 at TSS OFF DAsrv[:Restart] -+ scenario: DirectAccess server ETL-logs, trace scenario=DirectAcces,WFP-IPsec, get netlogon.log, TLS, 1-GB network trace, RAmgmt, Restart= RaMgmtSvc service, WfpDiag DFScli -+ scenario: DFS client logs, RDR, GPresult, Procmon DFSsrv -+ scenario: DFS server ETL-logs and Eventlog, [consider also DfsR] DHCPcli -+ scenario: Boot/persistent DHCP client ETL-log and DHCP Reg info, DNScli, Procmon, persistent; after Reboot run 'TSS OFF'; add noPersistent for instant logging DHCPsrv -+ scenario: DHCP server Eventlog ETL-logs PsCmdlets 'netsh dhcp server' info, includes DNScli DNScli -+ scenario: DNS client ETL-logs, Eventlog DNSsrv -+ scenario: DNS server DNScmd PsCmdlets, ETL-logs and Eventlog Firewall -+ scenario: Firewall ETL-log, Firewall REG settings and Eventlog General -+ scenario: General purpose logs, DNScli, wait for user input ANY-key HypHost -+ scenario: LBFO, HyperV-Host, HyperV-VMbus, Vmms ETL-logs, VmWp,VmConfig, VMM-debug, 1-GB network trace HypVM -+ scenario: HyperV-VirtualMachine ETL-logs IIS -+ scenario: IIS server logs, HttpSys ETL-logs IPAM -+ scenario: IPAM ETL-log and IPAM specific Event-Logs MBAM -+ scenario: Microsoft Bitlocker Administration and Monitoring ETL-logs MBN[:verbose] -+ scenario: Mobile Broadband Network/LTE: Afd,TcpIp,DNScli,GPresult,RasMan,RadioManager,VPN,WFP,WCM ETL-logs, Firewall info, Netsh Ras diag, 1-GB Trace wwan_dbg [if verbose: +,wireless_dbg], Video Miracast -+ scenario: Miracast, Video MsCluster -+ scenario: MsCluster related logs: CSV,NetFt,LBFO,Storport, Perfmon:CORE, ClusterLog, SDP:cluster NCSI -+ scenario: Afd,TcpIp,DNScli,LDAPcli,NLA,NLM,WebIO ETL-logs, GPresult, Procmon, Video, you may run tss_NCSI_detect script NetIO -+ scenario: Afd,TcpIp,NetIO,WFP ETL-logs NFScli -+ scenario: NFS client logs, GPresult, Procmon, Video NFSsrv[:perm] -+ scenario: NFS server cmds PsCmdlets, ETL-logs and Eventlogs, 'perm' will ask for NFS Folder/File path NLB -+ scenario: Afd,TcpIp,NetIO,NLB ETL-logs, NLB/Diagnostic Events, WLBS display, msinfo32 NPS[:MFAext] -+ scenario: NPS ETL-logs, Netsh Ras diag, netsh nps tracing, TLS, 1-GB network trace, Securtiy EvtLog, [optional :MFAext] Proxy -+ scenario: NCSI,WebIO,Winsock ETL-logs, Proxy settings and related Registry settings, 1-GB trace, Procmon Video RAS[:Hang] -+ scenario: Remote Access Server ETL-logs, TLS, WFP diag trace, trace scenario=VpnServer; [:Hang will collect at stop Procdumps of Rasman/RemoteAccess/RaMgmtSvc/IKEEXT/RaMgmtui.exe] RDScli -+ scenario: Remote Desktop (RDP) client ETL-logs, QWinSta, REG settings, Env-var, GPresult, event logs, Video; add Evt:Sec to collect Security Eventlog RDMA[:Basic|Full] -+ scenario: RDMA ETL-log, Event-Logs, SMB client [default=Basic] RDSsrv -+ scenario: Remote Desktop (RDP) server ETL-logs, QWinSta, REG settings, Env-var, GPresult, event logs incl Sec.EvtLog SBSL -+ scenario: Slow Boot/Slow Logon: boot/persistent logs, Profile,Netlogon,WinLogon,GroupPolicy,DCLocator,GPresult,GPsvc,Auth,WPR:Wait,Procmon:Boot, 1-GB trace; after Reboot run 'TSS OFF' SDN -+ scenario: SDN Infra Logs, see SDN\SDNLogCollect.ps1, Specify one of the NC VM and collect Logs from NC, MUX and Gateway VMs SdnNC -+ scenario: SDN NetworkController,HttpSys,MUX,LBFo,NCHA,TLS,VmSwitch ETL-logs, consider to add WFP for GW SDP[: [:noNetadapters|skipBPA|skipHang|skipNetview|skipSddc|skipTS|skipHVreplica]] - collect SDP report, choose SDP ialty Apps|CTS|Cluster|DA| Dom|HyperV|Net|Perf|Print|S2D|Setup|SQLbase|SQLconn|SQLmsdtc|SQLsetup|VSS|Mini|Nano|All [def: Net]; to combine more specs or skip-parameters, use '/' as separator i.e.: SDP:Net/HyperV:skipBPA SMBcli -+ scenario: SMB,DFS client logs, RDR, GPresult, Procmon SQLtrace -+ scenario: SQL server related logs and TraceChn, Perfmon:SQL, SDP:SQLbase UNChard -+ scenario: UNC-hardening: boot/persistent logs, Profile,Netlogon,WinLogon,GroupPolicy,DCLocator,GPresult,GPsvc,Auth,Procmon:Boot, 1-GB trace; after Reboot run 'TSS OFF' VPN -+ scenario: Afd,TcpIp,NetIO,VPN ETL-logs, WFP diag trace, 1-GB network trace VpnClient_dbg, Netsh Ras diag, Video WebClient[:Adv|Restart] -+ scenario: WebClient logs, WebIO ETL, Proxy, TLS, [def: Basic, Restart= ~ service, Adv= incl. iDNA, requires TTD], do *not* combine with Persistent WFP -+ scenario: Afd,TcpIp,NetIO,WFP Windows Filtering Platform, BFE (Base Filtering Engine), includes WfpDiag: netsh wfp capture, Procmon, Video Winsock -+ scenario: Afd,TcpIp,NetIO,NDIS,Winsock ETL-logs WIP -+ scenario: Windows Information Protection diagnostic, Procmon, Video WLAN -+ scenario: 802.1x,Afd,TcpIp,NDIS,NetworkUX,RadioMgr,TLS,WCM ETL-logs, Video for WiFi wireless WLAN WNV[:capML] -+ scenario: Network Virtualization (WNV) ETL-log, Afd,TcpIp,LBFo,NCHA,VmSwitch, network trace Virtualization,InternetClient; if capML captureMultilayer=yes WorkFolders[:Adv] -+ scenario: WorkFolders infos on Srv and Client, Perfmon, Video, if :Adv collect Advanced-Mode with restart of service - more options for controlling predefined scenarios: noSDP, noPSR, noCab, noPersistent, noProcmon, noGPresult, noRestart, noSound, noCrash, noClearCache, noAsk, noWait, noVideo, noVerCheck see also tss_config.cfg Disabling Tracing: usage: TSS off [nocab] [nobin] [noSDP] off - turn off tracing noCab - do not compress/zip trace data nobin - do not gather system binaries matching the captured traces on downlevel OS noSDP - do not gather SDP report, i.e. when using script in scheduled tasks TSS v2020.05.09.0. Check for updates on: http://aka.ms/TssTools - Download: http://aka.ms/getTss or run 'TSS update' -> see 'TSS /help' for more detailed help info -> Looking for help on specific keywords? Try e.g.: tss help
Good luck !