WMI Global logger

Discussion in 'other software & services' started by f3x, Dec 25, 2005.

Thread Status:
Not open for further replies.
  1. f3x

    f3x Guest

    Well, i have played with greatis's BootLog XP
    As well as with Microsoft BootVis

    After playing with them, i realise that in order to log about anything in the boot process they did not had to have a special driver or anything. They use a file called C:/logFile.Etl wich can grow 30 mb of text information for a single boot ! and multiple GB after some weeks of logging. This is a nice feature built in in windows that log pretty much anything from disk usage, process loading, dll loading, cpu utilisation etc. Unfortunately this loffile.etl is not designed to be readable by any human with a text editor.

    Micosoft itself design it to be read by an WMI Client, whatever those are. Bootvis and Bootlog Xp are two example of such client but they are designed only for a particular task. Is there any other application you know who can use that file. I really feel like it can be more than usefull for debug purpose or other security related purpose ( track virus, logfiel of laucnhed app, network access etc )

    Unfortunategly google is somehow obscure on that topic. There are some file in 2k/2k3/Xp ressource kit to translate that fiel in a readable format, but it need another file about event GUID, and i dotn know where to find that file / how to build it

    Here's some info from micosoft:
    http://msdn.microsoft.com/library/d...ng_and_starting_the_global_logger_session.asp

    Also that google search give some insight
    http://www.google.ca/search?q=logFile.Etl
     
  2. Global Force

    Global Force Guest

    fx3,

    "... in order to log about anything in the boot process they" probably need the Event Log Service running. I've never used either so don't know if they would be readable in Event Viewer. If you want something easier just enable boot-logging from XP's safe-mode option's or msconfig, it'll leave a file named ntbtlog.txt in your Windows folder.


    GF
     
Loading...
Thread Status:
Not open for further replies.