Extending your diagnostic visibility using Setup & Boot Event Collection

Have you ever asked yourself, “Why is it taking so long for my machine to boot up?” Or better yet, if your machine never fully booted, where would you start looking for answers? If it is a virtual machine, you could try mounting the image and pulling data from the logs, but what if the problem happened in kernel mode, before any logging service had a chance to start?

Well, there is good news: Windows Server 2016 has a new feature, “Setup and Boot Event Collection”, that can be used to remotely collect setup and boot events from your Windows Server 2016 and Windows 10 client machines.

Setup and Boot Event Collection is a new feature starting in Windows Server Technical Preview 2 that allows you to designate a “collector” computer that can gather a variety of important events that occur on other computers when they boot or go through the setup process. You can then later analyze the collected events with Event Viewer, Message Analyzer, Wevtutil, or Windows PowerShell cmdlets.

[Figure: SBEC_Flow]

Here are a few of the setup and boot events you can monitor with the Setup and Boot Event Collection service:

  • Loading of kernel modules and drivers
  • Enumeration of devices and initialization of their drivers (including “devices” such as CPU type)
  • Verification and mounting of file systems
  • Starting of executable files
  • Starting and completions of system updates
  • The points at which the system becomes available for logon, establishes a connection with a domain controller, completes service starts, and makes network shares available
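As an added example (not part of the original post, and not the feature's own tooling), here is a PowerShell script that takes a trace the collector has gathered and answers the opening question, “why is this machine slow to boot?”, by reading the events in order, showing when each event provider (kernel, drivers, file systems, services) was active relative to the first event, and ranking the longest pauses between consecutive events. It assumes the collector's per-target log is an .etl file at the hypothetical path C:\BootEvents\MyServer.etl; Get-WinEvent can read .etl files directly when -Oldest is specified.

```powershell
# Added example: summarise a collected boot trace to find the slow phase.
# Assumption: the collector wrote this target's events to an .etl file
# (path below is hypothetical; point it at your own collector log).
param(
    [string]$TracePath = 'C:\BootEvents\MyServer.etl'
)

# Read the trace in chronological order. -Oldest is mandatory for .etl files.
$events = @(Get-WinEvent -Path $TracePath -Oldest -ErrorAction Stop)
if ($events.Count -eq 0) { Write-Warning "No events found in $TracePath"; return }

$traceStart = $events[0].TimeCreated
$traceEnd   = $events[-1].TimeCreated
"Trace spans {0:N1} s ({1} events)" -f ($traceEnd - $traceStart).TotalSeconds, $events.Count

# For each provider, show the window (relative to the first event) in which it
# was logging. Group-Object keeps the chronological order inside each group,
# so the first and last group members bound that window. A provider whose
# window starts late or stretches long marks the boot phase to inspect.
$events |
    Group-Object ProviderName |
    ForEach-Object {
        $first = $_.Group[0].TimeCreated
        $last  = $_.Group[-1].TimeCreated
        [pscustomobject]@{
            Provider = $_.Name
            Events   = $_.Count
            StartSec = [math]::Round(($first - $traceStart).TotalSeconds, 2)
            EndSec   = [math]::Round(($last  - $traceStart).TotalSeconds, 2)
            SpanSec  = [math]::Round(($last  - $first).TotalSeconds, 2)
        }
    } |
    Sort-Object StartSec |
    Format-Table -AutoSize

# The largest gaps between consecutive events are where the boot stalled;
# the event just before each gap is what the machine was doing at the time.
$gaps = for ($i = 1; $i -lt $events.Count; $i++) {
    [pscustomobject]@{
        GapSec = ($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalSeconds
        Before = $events[$i - 1]
    }
}
"Longest pauses:"
$gaps | Sort-Object GapSec -Descending | Select-Object -First 3 | ForEach-Object {
    $firstLine = ([string]$_.Before.Message -split "`n")[0]
    "{0,8:N2} s after [{1}] id {2}: {3}" -f $_.GapSec, $_.Before.ProviderName, $_.Before.Id, $firstLine
}
```

Run it against a trace from a machine that boots normally first, so you have a baseline to compare the provider windows and pauses against; the same script also works on a trace from a machine that hung, since whatever the collector received before the hang is still in the file.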

With a few simple PowerShell commands and a couple of lines of XML, you can have a low-level diagnostic collection system up and ready for action.

To help get you started, please check out Getting started with Setup and Boot Event Collection.