TSS (Microsoft TroubleShooting Script)

Aus Wiki-WebPerfect
Wechseln zu: Navigation, Suche


Manual

TSS v2020.08.13.0 (c) Microsoft CSS
DISCLAIMER:
TSS is a collection of cmd/powershell scripts that mainly utilize the built-in Windows OS logging mechanisms or other Microsoft tools (like process monitor, procdump, ...) to collect static (like Event Logs, registry outputs, configuration outputs and similar) or dynamic repro logs (like network traces, user/kernel mode memory dumps, perfmon logs, Process monitor logs, ETL traces from various Windows OS components and similar) to troubleshoot various Windows OS or other Microsoft product related problems dispatched to Microsoft Support. TSS has been developed and maintained by Microsoft Support Platform Escalation Team. For more details on TSS please visit https://aka.ms/TssTools
 Syntax: Tss Param[:<argument>] argument in [square brackets] for Param is optional, defaults will be used if argument is missing, the order of sub-args is mandatory, '|' means 'OR', ':' is a delimiter between params and/or args, 'def: val' stands for Default value, '<name>'  in angle brackets is placeholder.
Usage examples: TSS General               - enables general purpose log(s), DNScli, Network sniff, PSR, SDP, wait for user input w/ ANY-key
                TSS rOn cliOn Trace Video - enables SMB-client ETL log(s), Network sniff=Trace, Problem-Step-Recorder, Video and SDP report


Enabling Tracing:
 usage: TSS [<ScenarioName>|cliOn|srvOn|rOn] + see below sections '[rOn] Additional module options:' -and 'Predefined Tss scenarios:'
  At least one of *on: cliOn, srvOn, rOn (= ReproOn) or any predefined <ScenarioName> must be specified. 
   cliOn      - generate SMB/NFS client component ETL log(s)
   srvOn      - generate SMB/NFS/DFS server component ETL log(s)
   rOn        - collecting Repro-On data / log(s), required for below options unless -+<ScenarioName> is present.
     you can choose any combination of available [rOn] options and/or -+scenarios below, i.e: TSS rOn DCOM General Trace:N:scenario
 CONTROLS
   AcceptEula      - do not ask at first run to accept Disclaimer 
   DataDisk:<letter> - to specify Disk drive letter for resulting data, default is disk C; example: DataDisk:E
   Debug           - invoke current command with Debug facility - it will set Env variable _DbgOut=1
   Discard         - can be used at OFF, to dismiss and delete all data collected in current Tss run
   ETLmax:<N>[:<NrKeep>] - set limit of ETL file size to <N> MB, <NrKeep> will force chained log(s), Range <N>:100-4096, Circ:<N> has precedence for cliOn/srvOn, [def: N=1024 (MB), NrKeep=1]
   Help [<keyword>] - or -? /? -help /help = this help screen, + optional <keyword> to search for
   Mini            - collect only minimal data, no supporting information data like Sysinfo, Tasklist, Services, Registry hives/files, Evt log(s), skip ClearCaches, noPSR,noSDP,noVideo,noUpdate
   persistent      - Boot-scenarios: choosen ETL log(s), NETSH traces, ProcMon, WPR or Xperf will be activated, requires a reboot, then settings will be active
                     after restart, stop tracing using command: TSS OFF; Note: persistent will not work in combi with Stop:*, PSR, Video 
   Query           - query active ETW tss ms_* Data Collector Sets (LOGMAN QUERY, LOGMAN QUERY -ets)
   Remote          - used for remote execution i.e. using psExec
   Remove          - removes/cleans-up all persistent network and ETL component tracing; clean up Registry settings; stop running PSR,ProcMon,Trace,Video; recommended to use after forced crash
   Stop:Evt:<ID>[:Sys|App|Sec|Other:<EventlogName>[:<EventData>[:Partial]]] - stop data collection on trigger classic (Sys, App, Sec) Eventlogs <EventID> and/or 'Other' for non-classic EventlogNames (or _EventlogName in tss_config.cfg)
   Stop:Log[:<pollInt>] - stop data collection on trigger Logfile: optional PollInterval-in-sec (def pollInt=10); edit criteria in tss_config.cfg
   Stop:Cmd[:DFS|Smb|Svc|custom[:<pollInt>]] - stop data collection on trigger tss_stop_condition_script.cmd, optional PollInterval-in-sec [def: Stop:Cmd:custom:8]
   Stop:ps1[:BC|Branchcache|Dfs|HTTP|LDAP|PortDest|PortLoc|Process|RDP|Smb|Svc|WinRM|Share|custom[:<pollInt>]] - stop data collection based on trigger condition defined in (adjusted) PoSh tss_stop_condition_script.ps1 [def: Port=135] and/or tss_config.cfg
   Stop:Time[:<min>] - stop data collection after <min> minutes, [def: Stop:Time:10]
     Example: stop:Evt:999:App    =Stop on Event ID# 999 in Application Event log
              stop:Evt:40962/40961:Other:Microsoft-Windows-PowerShell/Operational:3221226599 =Stop on Event ID# 40962 or 40961 in Microsoft-Windows-PowerShell/Operational EventLog with STATUS_FILE_NOT_AVAILABLE
              Stop:Evt:31010:Other:Microsoft-Windows-SMBClient/Security:Access/Denied:Partial =Stop on Event ID# 31010 in Microsoft-Windows-SMBClient/Security EventLog with Partial Message 'Access' or 'Denied'
              stop:Log:5          =Stop on Search-string entry in specific Log file, PollInt: 5-sec, all to be defined within tss_config.cfg
              stop:Cmd:Svc:4      =Stop based on service stop condition given in (adjusted) tss_stop_condition_script.cmd, PollInt: 4-sec 
              stop:ps1:PortDest:5 =Stop based on dest. TCP port < default =135> fail condition given in tss_config.cfg or (adjusted) tss_stop_condition_script.ps1, PollInt: 5-sec
              stop:ps1:LDAP:10    =Stop based on failing LDAP test 'nltest /DSGETDC:$DomainName /LDAPONLY', PollInt: 10-sec
              stop:ps1:Share:3    =Stop based on \\<server>\<share> availability condition; adjust server+share name in tss_config.cfg, see also tss_stop_condition_script.ps1, PollInt: 3-sec 
              stop:ps1:Branchcache:300 =Stop when CurrentActiveCacheSize exceeds <percent> % of configured BC size limit [default 120%]
              stop:Time:3         =Stop data-collection after 3 minutes elapsed
   Update          - update current tss version from latest GitHub release
   Version         - shows current tss version: v2020.08.13.0
 TOOLS
   AccessChk       - collect Sysinternals AccessChk log(s), may need adjustments in tss_config.cfg
   Crash           - to be used at stop, or together with Stop trigger, Caution: this switch will force a memory.dump, open files won't save. Run 'tss off noCrash' after reboot, see KB969028
   Coreinfo        - collect Sysinternals Coreinfo log
   DsR[:<Drive>:<BlockSize>:<Sec>:<FS>] - DriveLetter [D], BlockSize(K) [1024], Duration(Sec) [300], FileSize [10G] for DiskSpeed Repro
   Fiddler         - collect Fiddler trace, to decrypt https, see https://fiddlerbook.com/fiddler/help/httpsdecryption.asp
   GPresult        - collect GPresult, Auditing and Security log(s)
   Handle[:start|stop|both] - collect handle.exe output at stage Start or Stop [def: Stop]
   iDNA:<PID>|name[:<maxF>:Full|ring|onLaunch] - collect iDNA/TTD dump for PID, service name or unique ProcessName (requires tss_tools_ttt.zip) [defaults: maxF=2048 mode=Full], separate multiple PIDs/names by '/'
   LiveKd[:start|stop|both] - Execute kd/windbg memory dump on a live system at stage Start or Stop [def: Stop]
   NetView         - collect Get-NetView infos for diagnosing Microsoft Networking
   Perfmon[:<spec>:<int>] - collect Perfmon -max 1024 log(s), <spec>: choose CORE|DISK|SQL|BC|DC|Biz [def: CORE], Interval: 1-59 sec [def: 30]
   PerfmonLong[:<spec>:<int>] - collect Perfmon -max 1024 log(s), <spec>: choose CORE|DISK|SQL|BC|DC|Biz [def: CORE], Interval: 1-59 min [def: 05]
   PktMon[:Drop]   - collect Packet Monitoring data (on RS5+ / Srv2019), PktMon:Drop will collect only dropped packets
   PoolMon         - collect PoolMon snap at start and stop
   ProcDump:<PID>|<name>[:<N>:<Int>:Start|Stop|Both] - collect N user dumps with ProcDump.exe for process ID or service name or unique ProcessName [defaults: N=3, Int=10 sec, Stop]
                   to combine multiple processes or service names, use '/' separator, i.e.  ProcDump:Notepad.exe/dnscache/WinHttpAutoProxySvc:2
   ProcMon[:Boot|Purge:<N>[:<Filter>]] - collect ProcMon [Bootlog] trace, [Purge:N]: purge older *.pml files, keep number N [def: 9], Filter=name-of-FilterConfig.pmc
   PSR[:<maxsc>]   - default: collect Problem Step Recorder (PSR) screenshots, [def: maxsc=99], starting timedate.cpl, to deactivate use noPSR
   Radar:<PID>|<name> - collect heap RADAR Leak diag for <process ID> or <service name> or unique <ProcessName>.exe
   RASdiag         - collect trace: Netsh Ras diagnostics set trace enable
   REG[:<spec>]    - collect Registry output, <spec>: choose Hives|802Dot1x|ATP|Auth|BITS|Bluetooth|Branchcache|Cluster|CSC|DAcli|DAsrv|DFS|DCOM|DHCP|DNS|Firewall|GPsvc|Http|HyperV|ICS|LBFO|LDAPcli|MBN|MFAext|NLA|NPS|NTDS|PCI|Proxy|RAS|Rpc|SNMP|Tcp|TLS|UNChard|USB|Webclient|VPN|webClient|WLBS [def: Hives]
   Sddc            - collect HA/Cluster PrivateCloud.DiagnosticInfo infos
   SDP[:<spec>[:noNetadapters|skipBPA|skipHang|skipNetview|skipSddc|skipTS|skipHVreplica]] - collect SDP report, choose SDP <spec>ialty Apps|CTS|Cluster|DA|Dom|HyperV|Net|Perf|Print|S2D|Setup|SQLbase|SQLconn|SQLmsdtc|SQLsetup|VSS|Mini|Nano|All [def: Net]; to combine more specs or skip-parameters, use '/' as separator i.e.: SDP:Net/HyperV:skipBPA
   SignPs1         - used to selfSign PowerShell .ps1 files at first run, so that they run with any ExecutionPolicy requiring script signing
   SysInfo         - collect SystemInfo (txt based msinfo32)
   SysMon[:<config.xml>] - collect System Monitor (Sysmon) log [def: sysmonConfig.xml]
   Test[:psPing|TraceRt|NsLookup|Http|Ldap|Smb|Wmi|publicIP|psTelnet[:Start|Stop|Both[:<TestDestName>[:<Nr>:<Int>] | <IPaddr>/<Port>]]] - connectivity info, separate multiple Test-scenarios names with '/', [def: psPing, TestPhase: Stop, TestDestName:www.microsoft.com|UserDomain, Nr=5, Int=2]
   Trace[:<N>[:<scenario>[:<fileMode>[:<Byte>]]]] - capture circular NETSH trace, N: bufferSize MB, separate multiple scenario names with '/' [defaults: bufferSize=1024, Scenario=InternetClient, fileMode=circular, truncate Byte=1514 for Ethernet]
                   for available tracing scenarios, type: 'netsh trace show scenarios', [for SrvCORE def: InternetServer], scenario 'Capture' will only sniff
     i.e.: Trace:2048 -or-  Trace:1024:NetConnection -or- Trace:4096:Capture -or- Trace:1024:InternetClient:Circular:128
   TraceChn[:<N>[:<NrKeep>]] - capture chained network sniff, chunk bufferSize MB [def: 1024, NrKeep=10]
   TraceNM[:<N>[:<Byte>]] - capture requires Netmon NMcap.exe, N: bufferSize MB [def: 1024, truncate Byte=1514]
   TraceNMchn[:<N>[:<NrKeep>[:<Byte>]]] - chained capture requires Netmon NMcap.exe, N: bufferSize MB [def: 1024, NrKeep=10, truncate Byte=1514]
   Video           - collect ScreenRecorder Video ~6 MB/min, plz use max 1920x1080 (requires .NET 3.5, Feature 'Desktop Experience' on server edition; needs DeCoder or VLC for viewing)
   VMQ             - validate Hyper-V VMQ and RSS settings (USB)
   WFPdiag         - collect trace: netsh wfp capture
   WinUpd          - collect PS Get-WindowsUpdateLog, Merges Windows Update .etl files, (included in psSDP)
   WPR[:<spec>]    - collect WPR trace on Win8.0+ , <spec>: choose CPU|General|Network|Storage|Wait [def: General], TSS will use Xperf for Win2008-R2
   Xperf[:<spec>]  - collect circular Xperf trace, <spec>: choose CPU|Disk|General|Memory|Pool|SMB2|SBSL [def: General / Delay], alternatively: you may put your specific Xperf command into tss_extra_repro_steps_AtStart.cmd
 MODULES options: [with rOn or <ScenarioName>]
   ADcore          - collect Active Directory Domain Services: Core ETL log(s) (kb2826734)
   ADdiag          - collect Active Directory Diagnostics on DC, running for max 5 minutes, \ADDS\report.html
   ADsam           - collect ActiveDirectory SAM client ETL log(s) (on Win10)
   AfdTcp[:Basic|Full] - collect Afd,TcpIp,NetIO ETL log(s), if :Basic is specified do Basic logging; default:Full
   AppV            - collect Application Virtualization (App-V) ETL log(s) and Registry settings
   ATA             - collect ATAPort ETL log(s)
   BadPwd          - collect User's bad password attempts info from all DCs
   BGP             - collect Border Gateway Protocol (BGP) ETL log(s)
   Bluetooth       - collect Bluetooth ETL log(s)
   CDROM           - collect CD/DVD ETL log(s)
   certCA          - Certification Authority Service Tracing
   certEnroll      - Client Certificate Enrollment Tracing
   CSVspace        - collect cluster CSV_space ETL log(s)
   customETL:<Provider1>/<Provider2> - collect ETL log(s) with list of custom providers, example: customETL:"Microsoft-Windows-DNS-Client"/{1540FF4C-3FD7-4BBA-9938-1D1BF31573A7}
   DCOM            - collect COM,COM+,COMSVCS,COMADMIN,DCOM,DCOMSCM ETL log(s), Reg-settings and SecurityDescriptor info, consider also OLE32
   Dedup           - collect Data Deduplication and Filter ETL log(s)
   Defender        - collect Defender/Operational EventLogs and ATP Reg.keys
   DfsR            - collect DFS replication ETL log(s), Eventlog, DFSR log(s)
   EFS             - collect encryped FS ETL log(s)
   Evt[:Sec|Days:<N>] - collect Security Eventlog, default is Sys+App EventLogs; [def. days back for TXT/CSV convert: Days:10]
   FSLogix         - collect FSLogix log and registry outputs
   FSRM            - collect FSRM drivers ETL log(s)
   FWmgr           - collect Firewall Manager ETL log(s), consider also collecting WFP
   GPsvc           - collect client Group Policy GPsvc.log, netlogon.log
   HttpSys         - collect HTTP.SYS ETL log(s), i.e. on IIS server
   ICS             - collect ICS SharedAccess ETL log(s) and SharedAccess Reg key
   IPsec           - collect IPsec ETL log(s)
   iSCSI           - collect iSCSI ETL log(s)
   LBFO            - collect LBFO teaming ETL log(s) (included in HypHost / WNV) 
   LDAPcli[:<ProcName>] - collect LDAP client process ETL log(s), requires 'REG ADD HKLM\System\CurrentControlSet\Services\ldap\Tracing\processName.exe /f' [def: svchost.exe]
   LDAPsrv         - collect LDAP server NTDSA ETL log(s)
   LockOut         - find User Account Lockout info from all DCs (EventIDs 4625,4771,4776), requires Domain Admin account
   MPIO            - collect MPIO, MsDSM, Storport, ClassPnP ETL log(s)
   MsDSM           - collect MsDSM ETL log(s)
   MUX             - collect NetworkController MUX Microsoft-Windows-SlbMux ETL log(s) (in SDN)
   NCHA            - collect NetworkController.HostAgent ETL log(s) (in SDN / WNV)
   NDIS            - collect NDIS ETL log(s)
   NdisWan         - collect NdisWan ETL log(s)
   Netlogon        - collect Netlogon debug log 
   NFC             - collect Near-field communication ETL log(s)
   NetworkUX       - collect Network UI User Interface ETL log(s)
   NLA             - obsolete, -> plz use NCSI scenario
   NTFS            - collect NTFS driver ETL log(s)
   Outlook         - collect Outlook ETL log(s), see kb2862843, start tss - restart Outlook - repro - stop tss
   OpsMgr          - collect OpsMgr ETL and EventLogs
   OLE             - collect OLE32 ETL log(s), consider also DCOM
   PCI             - collect PCI, setupapi and msinfo32 infos
   PNP             - collect PlugAndPlay PnP ETL log(s) and info
   PortProxy       - collect PortProxy IP Helper Service ETL log(s), can be used i.e. in combination with Test:psTelnet:Both:IPaddr/TCPportNr
   PowerShell      - collect PowerShell ETL log(s) and EventLogs
   Print           - collect Print Service ETL- and EventLogs
   ProcTrack[:module|thread] - collect process tracking ETL, [Module: with Module load activity | Thread: with Thread+Module load activity]
   Profile         - Client Profile, WinLogon, GroupPolicy, DClocator ETL log(s) 
   RAmgmt          - collect RemoteAccess Management ETL log(s)
   RasMan          - collect RasMan service ETL log(s)
   Rpc             - collect RPC, RpcSs services and DCOM ETL log(s)
   SCM             - collect Service Control Manager ETL log(s) of process services.exe
   SCCM            - collect SCCM System Center Configuration Manager debug ETL log(s)
   SmartCard       - collect SmartCard/Windows Hello for Business (WHfB) ETL log(s), this is only a subset of Auth; prefer using Auth switch for authentiction issues
   SNMP            - collect Simple Network Management Protocol (SNMP) ETL log(s)
   Storage         - collect Storage drivers ETL log(s)
   StorageReplica  - collect Storage Replica ETL log(s)
   StorageSpace    - collect Storage Space ETL log(s)
   StorPort        - collect disk/StorPort ETL log(s)
   TaskSch         - collect Task Scheduler ETL log(s)
   TLS             - collect Schannel TLS/SSL ETL log(s), CAPI2 Evt-Log
   UEV             - collect User Experience Virtualization ETL log(s)
   USB             - collect Universal Serial Bus (USB) ETL log(s)
   VDS             - collect VDS services ETL log(s)
   VirtualFC       - collect Virtual FC info ETL log(s)
   VML[:verbose]   - collect Hyper-V host VmlTrace ETL log(s) [def: Standard, Verbose will restart the Hyper-V service] + FRuti.exe log
   VmSwitch        - collect VmSwitch ETL log(s) (included in HypHost and SDN)
   VSS             - collect VolSnap, Volume Shadow Copy Service (VSS) ETL log(s)
   WCM             - collect Windows Connection Manager (WCM) ETL log(s)
   WebIO           - collect WinInet, WinHTTP, WebIO ETL log(s), i.e. for WebClient or Outlook
   WinNAT          - collect WindowsNAT ETL log(s)
   WinRM           - collect Windows Remote Management (WinRM) ETL log(s)
   WmbClass        - collect WmbClass,NDISuIO,PnP ETL log(s)
   WMI             - collect WMI services ETL log(s)
   WSB             - collect Windows Server Backup modules ETL log(s)
   WWAN            - collect WWAN Wireless mobile Broadband MBN ETL log(s) (see also MBN)
 [for cliOn/srvOn  -only] Collection options:
 usage on original t.cmd: T [cliOn|srvOn] [persistent][capture][core][verbose] [csv][cluster][hyperv] [circ:N] [driver:flags:level]
   capture         - [downlevel t.cmd] in combination with cliOn, srvOn: enable packet capture (Windows 7 / 2008 R2 or newer)
   circ:N          - generate circular log(s) of size N megabytes (default circular buffer size is 250 MB per log)
   cluster         - collect Cluster EventLogs
   csv             - generate cluster CSV component traces
   hyperv          - collect Hyper-V EventLogs
   verbose         - verbose mode tracing flags (defined for fskm/mup srv)
   driver:flags:level - specify trace flags and level for this driver (support rdbss, mrxsmb, smb20 only)
                        flags and level must be in hex
       rdbss:  0x0001 error     0x0002 misc     0x0004 io        0x0008 openclose
               0x0010 readwrite 0x0020 fileinfo 0x0040 oplock    0x0080 connectionobject
               0x0100 fcb       0x0200 caching  0x0400 migration 0x0800 namecache
               0x1000 security
       mrxsmb: 0x0001 error     0x0002 misc        0x0004 network          0x0008 security
               0x0010 exchange  0x0020 compounding 0x0040 connectionobject 0x0080 midwindow
               0x0100 multichannel
       smb20:  0x0001 error    0x0002 misc   0x0004 network 0x0008 security
               0x0010 exchange 0x0020 io     0x0040 handle  0x0080 infocache
               0x0100 dircache 0x0200 oplock
       level:  0x1 error 0x2 brief 0x4 verbose
Disabling and ReEnabling Tracing:
 usage: TSS snapshot [nocab] [nobin]

No* OPTIONS:

   noAsk           - do not ask about good/failing scenario text input before compressing data
   noClearCache    - do not clear DNS,NetBios,Kerberos,DFS chaches at start
   noCluster_GetLogs - don't collect cluster infos / validation reports
   noCab           - do not compress/zip trace data
   noCrash         - do not run Crash after reboot again when using 'tss off noCrash'
   noGPresult      - do not run GPresult, used to override setting in preconfigured TS scenarios
   noSDP           - do not gather SDP report, i.e. when using script in scheduled tasks
   noPersistent    - do not use predefined Persistent in scenarios
   noPoolMon       - do not run PoolMon at start and stop
   noProcMon       - do not run ProcMon, used to override setting in preconfigured TS scenarios
   noPSR           - do not run PSR, used to override setting in preconfigured TS scenarios
   noRestart       - do not restart associated service
   noSound         - do not play attention sound
   noUpdate        - do not check online for latest TSS version on Github, no AutoUpdate
   noWait          - do not wait at stage: Press ANY-Key to stop, use 'TSS OFF'
   noVideo         - do not run Video, used to override setting in preconfigured TS scenarios
   noXray          - do not start Xray troubleshooter
 You can lookup netsh trace scenarios here: dbg/wpp : HKLM\System\CurrentControlSet\Control\NetDiagFx\Microsoft\HostDLLs\WPPTrace\HelperClasses
	 - and normal scenarios here: HKLM\System\CurrentControlSet\Control\NetTrace\Scenarios	
 All network traces *packetcapture|NetTrace|capture|sniff*.etl files can be converted into the corresponding .pcap files using RFLcheck Etl2Pcap
 Short link to tss download: https://aka.ms/getTSS

 Tss SCENARIOS predefined : (no 'Tss Off' is required, use ANY-key to stop, run: tss <ScenarioName>), all scenarios include 1-GB network trace, PSR and SDP
   802Dot1x        -+ scenario: wired LAN 802.1x,Afd,TcpIp,NDIS,RadioManager,RASdiag,TLS,WCM ETL log(s), Procmon Video; for WiFi wireless please choose WLAN
   Auth[:Basic|Full] -+ scenario: Authentication ETL log(s) (Basic= LSA Ntlm_CredSSP Kerberos Kdc ; Full= + NGC BIO Sam Ssl CryptNcryptDpapi WebAuth Smartcard CredprovAuthui), Security.evt, WFPdiag TLS GPresult DCLocator NetLogon WinLogon Procmon Video [default=Full]
   BITS            -+ scenario: Background Intelligent Transfer Service (BITS) client logs
   Branchcache[:<percent>] -+ scenario: Branchcache+BITS ETL log(s), Perfmon:BC, <percent> used with Stop trigger means actual size is <percent> % over configured limit [default 120%]
   Container       -+ scenario: Afd,TcpIp,WFP,HNS,Vfp,WinNAT ETL log(s), Docker/Containers 
   CSC             -+ scenario: OfflineFiles infos, CSC database dump, Procmon
   DAcli           -+ scenario: DirectAccess client info, scenario=DirectAccess,Netconnection, DA client config, WFPdiag, TLS, tss_DAclient-collector.ps1 at TSS OFF
   DAsrv[:Restart] -+ scenario: DirectAccess server RASdiag,WfpDiag ETL log(s), trace scenario=DirectAcces,WFP-IPsec, get netlogon.log, TLS, RAmgmt, Restart= RaMgmtSvc service
   DFScli          -+ scenario: DFS client logs, RDR ETL log(s), GPresult, Procmon
   DFSsrv          -+ scenario: DFS server ETL log(s) and Eventlog, [consider also DfsR]
   DHCPcli         -+ scenario: Boot/persistent DHCP client ETL log(s) and DHCP Reg info, DNScli, Procmon, persistent; after Reboot run 'TSS OFF'; add noPersistent for instant logging
   DHCPsrv         -+ scenario: DHCP server Eventlog, ETL log(s) PsCmdlets 'netsh dhcp server' info, includes DNScli
   DNScli          -+ scenario: DNS client ETL log(s), Eventlog
   DNSsrv[:verbose] -+ scenario: DNS server DNScmd PsCmdlets, ETL log(s) and Eventlog, [if verbose: Flags=FFFFFFFF]
   Firewall        -+ scenario: Firewall ETL log(s), Firewall REG settings and Eventlog
   General         -+ scenario: General purpose logs, Video, wait for user input ANY-key
   HypHost         -+ scenario: LBFO, HyperV-Host, HyperV-VMbus, Vmms ETL log(s), VmWp,VmConfig, VMM-debug
   HypVM           -+ scenario: HyperV-VirtualMachine ETL log(s)
   IIS             -+ scenario: IIS server logs, HttpSys ETL log(s)
   IPAM            -+ scenario: IPAM ETL log(s) and IPAM specific EventLogs
   MBAM            -+ scenario: Microsoft Bitlocker Administration and Monitoring ETL log(s)
   MBN[:verbose]   -+ scenario: Mobile Broadband Network/LTE: Afd,TcpIp,DNScli,GPresult,NetworkUX,RasMan,RadioManager,RASdiag,VPN,WFP,WfpDiag,WCM ETL log(s), Firewall info, Netsh Ras diag, Trace wwan_dbg [if verbose: +,wireless_dbg], Video
   Miracast        -+ scenario: Miracast or 'Wi-Fi Direct', Video
   MsCluster       -+ scenario: MsCluster related logs: CSV,NetFt,LBFO,Storport ETL log(s), Perfmon:CORE, ClusterLog, SDP:cluster
   NCSI            -+ scenario: includes NLA, wireless_dbg,internetclient_dbg, Microsoft-Windows-PrimaryNetworkIcon, WFPdiag, GPresult, Procmon, Video, you may run tss_NCSI_detect script
   NetIO           -+ scenario: Afd,TcpIp,NetIO,WFP ETL log(s)
   NFScli          -+ scenario: NFS client ETL log(s), GPresult, Procmon, Video
   NFSsrv[:perm]   -+ scenario: NFS server cmds PsCmdlets, ETL log(s) and EventLogs, 'perm' will ask for NFS Folder/File path
   NLB             -+ scenario: Afd,TcpIp,NetIO,NLB ETL log(s), NLB/Diagnostic Events, WLBS display, msinfo32
   NPS[:MFAext]    -+ scenario: NPS RASdiag ETL log(s), netsh nps tracing, TLS, Securtiy EvtLog, [optional :MFAext]
   Proxy           -+ scenario: NCSI,WebIO,WinInet,WinHTTP,Winsock ETL log(s), Proxy settings and related Registry settings, Procmon, Video
   RAS[:Hang]      -+ scenario: Remote Access Server RASdiag,WFPdiag ETL log(s), TLS, trace scenario=VpnServer; [:Hang will collect at stop Procdumps of Rasman/RemoteAccess/RaMgmtSvc/IKEEXT/BFE/RaMgmtui.exe]
   RDMA[:Basic|Full] -+ scenario: RDMA ETL log(s), EventLogs, SMB client [default=Basic]
   RDScli          -+ scenario: Remote Desktop (RDP) client ETL log(s), QWinSta, REG settings, Env-var, GPresult, EventLogs, Video; add Evt:Sec to collect Security Eventlog
   RDSsrv          -+ scenario: Remote Desktop (RDP) server ETL log(s), QWinSta, REG settings, Env-var, GPresult, EventLogs incl Sec.EvtLog
   SBSL            -+ scenario: Slow Boot/Slow Logon: Profile,Netlogon,WinLogon,GroupPolicy,DCLocator,GPresult,GPsvc,Auth,WPR:Wait ETL log(s),Procmon; if persistent: after Reboot run 'TSS OFF'
   SDN             -+ scenario: SDN Infra Logs, see SDN\SDNLogCollect.ps1, Specify one of the NC VM and collect Logs from NC, MUX and Gateway VMs
   SdnNC           -+ scenario: SDN NetworkController,HttpSys,MUX,LBFo,NCHA,TLS,VmSwitch ETL log(s), consider to add WFP for GW
   SMBcli          -+ scenario: SMB,DFS client ETL log(s), CliOn/RDR, GPresult, Procmon
   SMBsrv          -+ scenario: SMB server ETL log(s), SrvOn, Procmon
   SQLtrace        -+ scenario: SQL server related logs and TraceChn, Perfmon:SQL, SDP:SQLbase
   UNChard         -+ scenario: UNC-hardening: boot/persistent logs, Profile,Netlogon,WinLogon,GroupPolicy,DCLocator,GPresult,GPsvc,Auth ETL log(s) Procmon:Boot; after Reboot run 'TSS OFF'
   VPN[:dbg]       -+ scenario: Afd,TcpIp,NetIO,RASdiag,VPN,WFP,WFPdiag ETL log(s), VpnClient, Procmon, Video; [:dbg will collect scenario=VpnClient_dbg]
   WebClient[:Adv|Restart] -+ scenario: WebClient logs, WebIO, Proxy, TLS ETL log(s), GPresult, Procmon, Video [def: Basic, Restart= ~ service, Adv= incl. iDNA, requires TTD]
   WFP             -+ scenario: Afd,TcpIp,NetIO,WFP Windows Filtering Platform, BFE (Base Filtering Engine), includes WfpDiag: netsh wfp capture, Procmon, Video
   Winsock         -+ scenario: Afd,TcpIp,NetIO,NDIS,Winsock ETL log(s)
   WIP             -+ scenario: Windows Information Protection diagnostic, Procmon, Video
   WLAN            -+ scenario: wireless 802.1x,Afd,TcpIp,NDIS,NetworkUX,RadioManager,RASdiag,TLS,WCM ETL log(s), Procmon Video for WiFi wireless connection
   WNV[:capML]     -+ scenario: Network Virtualization (WNV) ETL log(s), Afd,TcpIp,LBFo,NCHA,VmSwitch, network trace Virtualization,InternetClient; if capML captureMultilayer=yes
   WorkFolders[:Adv] -+ scenario: WorkFolders ETL log(s) on Srv and Client, Perfmon, Video, if :Adv collect Advanced-Mode with restart of service
    - more options for controlling predefined scenarios: noSDP,noPSR,noCab,noPersistent,noProcmon,noPoolMon,noGPresult,noRestart,noSound,noCrash,noClearCache,noAsk,noUpdate,noWait,noVideo see also tss_config.cfg
Disabling Tracing:
 usage: TSS off [nocab] [nobin] [noSDP] [Discard]
   off          - turn off tracing
   noCab        - do not compress/zip trace data
   nobin        - do not gather system binaries matching the captured traces on downlevel OS
TSS v2020.08.13.0. Check for updates on: http://aka.ms/TssTools - Download: http://aka.ms/getTss
     or run 'TSS update'
 -> see 'TSS /help' for more detailed help info
 -> Looking for help on specific keywords? Try e.g.: tss help <my_keyword>