In the event you have something that only impacts an endpoint when it is being logged off or shut down, you can do the following to collect diagnostic data.
mkdir C:\temp
cd C:\temp
netsh trace start capture=yes correlation=yes report=no tracefile=C:\temp\netshtrace.etl
Then follow it up with the instructions in this post: https://illuminati.services/2017/06/21/quick-and-dirty-collect-an-etw-shutdown-trace-on-windows-7/
This will shut down the machine. Power it back up; your WPR recording is in Documents\WPR files\
This should let you see what processes were running, and what they were doing network-wise. If you need to view the netshtrace.etl in Wireshark, no problem: https://github.com/microsoft/etl2pcapng
If you want to view it in MMA: https://github.com/riverar/messageanalyzer-archive
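As an added example (not from the original post), the netsh side of the procedure above wrapped in two PowerShell functions: one to set up the trace before you run the WPR shutdown steps, and one to run after the machine is back up to convert the ETL to pcapng. It assumes an elevated PowerShell prompt on Windows, uses the same netsh parameters as the post, and assumes etl2pcapng.exe from the linked GitHub project has been downloaded to C:\temp (that path and the function names are mine, not the post's).

```powershell
# Added example, not code from the original post.
# Assumes: elevated PowerShell on Windows; etl2pcapng.exe downloaded to C:\temp.

function Start-ShutdownNetshTrace {
    param(
        [string]$TraceDir  = 'C:\temp',
        [string]$TraceName = 'netshtrace.etl'
    )
    # netsh trace needs administrator rights; fail early rather than silently.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null
    Set-Location $TraceDir
    $traceFile = Join-Path $TraceDir $TraceName

    # Same parameters as the post: packet capture on, correlation on,
    # no HTML report cab, ETL written under C:\temp.
    netsh trace start capture=yes correlation=yes report=no "tracefile=$traceFile"
    if ($LASTEXITCODE -ne 0) {
        throw "netsh trace start failed with exit code $LASTEXITCODE"
    }

    # Confirm the session is really running before doing the WPR shutdown steps.
    netsh trace show status
    return $traceFile
}

function Convert-NetshTraceToPcapng {
    param(
        [string]$Etl        = 'C:\temp\netshtrace.etl',
        [string]$Pcapng     = 'C:\temp\netshtrace.pcapng',
        [string]$Etl2Pcapng = 'C:\temp\etl2pcapng.exe'   # assumed download location
    )
    if (-not (Test-Path $Etl))        { throw "Trace file not found: $Etl" }
    if (-not (Test-Path $Etl2Pcapng)) { throw "etl2pcapng.exe not found at $Etl2Pcapng" }

    # etl2pcapng takes the input ETL and the output pcapng path as positional arguments.
    & $Etl2Pcapng $Etl $Pcapng
    if ($LASTEXITCODE -ne 0) {
        throw "etl2pcapng failed with exit code $LASTEXITCODE"
    }

    # Show both artefacts side by side: the pcapng for Wireshark and the
    # WPR recording the post says lands in Documents\WPR files\.
    Get-Item $Pcapng
    Get-ChildItem (Join-Path $env:USERPROFILE 'Documents\WPR files') -ErrorAction SilentlyContinue
}
```

Run Start-ShutdownNetshTrace, then carry out the WPR shutdown steps from the linked post; once the machine is powered back up, run Convert-NetshTraceToPcapng and open the resulting pcapng in Wireshark. The netsh session itself does not survive the reboot, but the ETL file does, which is what the conversion step reads.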
Happy tracing (and happy Friday/weekend)