Get started with Setup and Boot Event Collection

Applies To: Windows Server


Setup and Boot Event Collection is a new feature in Windows Server 2016 that allows you to designate a "collector" computer that can gather a variety of important events that occur on other computers when they boot or go through the setup process. You can then later analyze the collected events with Event Viewer, Message Analyzer, Wevtutil, or Windows PowerShell cmdlets.

Previously, these events have been impossible to monitor because the infrastructure needed to collect them doesn't exist until a computer is already set up. The kinds of setup and boot events you can monitor include:

  • Loading of kernel modules and drivers

  • Enumeration of devices and initialization of their drivers (including "devices" such as CPU type)

  • Verification and mounting of file systems

  • Starting of executable files

  • Start and completion of system updates

  • The points when the system becomes available for logon, establishes a connection with a domain controller, completes service starts, and makes network shares available

The collector computer must be running Windows Server 2016 (it can be in either Server with Desktop Experience or Server Core mode). The target computer must be running either Windows 10 or Windows Server 2016. You can also run this service on a virtual machine which is hosted on a computer that is not running Windows Server 2016. The following combinations of virtualized collector and target computers are known to work:

Virtualization host       Collector virtual machine   Target virtual machine
Windows 8.1               yes                         yes
Windows 10                yes                         yes
Windows Server 2016       yes                         yes
Windows Server 2012 R2    yes                         no

Installing the collector service

Starting with Windows Server 2016, the event collector service is available as an optional feature. In this release, you can install it using DISM.exe with this command at an elevated Windows PowerShell prompt:

dism /online /enable-feature /featurename:SetupAndBootEventCollection

This command creates a service called BootEventCollector and starts it with an empty configuration file.

Confirm that the installation succeeded by checking get-service -displayname *boot*. The Boot Event Collector should be running. It runs under the Network Service Account and creates an empty configuration file (Active.xml) in %SystemDrive%\ProgramData\Microsoft\BootEventCollector\Config.

You can also install the Setup and Boot Event Collection service with the Add Roles and Features wizard in Server Manager.


You need to configure two items to collect setup and boot events.

  • On the target computers which will send the events (that is, the computers whose setup and boot you want to monitor), enable the KDNET/EVENT-NET transport and enable the forwarding of events.

  • On the collector computer, specify which computers to accept events from and where to save them.


You cannot configure a computer to send the startup or boot events to itself. But if you want to monitor two computers, you can configure them to send the events to each other.

Configuring a target computer

On each target computer, you first enable the KDNET/EVENT-NET transport, then enable sending of ETW events through the transport, and then restart the target computer. EVENT-NET is an in-kernel transport protocol which is similar to KDNET (the kernel debugger protocol). EVENT-NET only transmits events and doesn't allow debugger access. These two protocols are mutually exclusive; you can only enable one of them at a time.

You can enable event transport remotely (with Windows PowerShell) or locally.

To enable event transport remotely
  1. If you have already set up Windows PowerShell Remoting to the target computer, skip to Step 3. If not, then on the target computer, open a command prompt and run the following command:

    winrm quickconfig

  2. Respond to the prompts and then restart the target computer. If the target computers are not in the same domain as the collector computer, you might need to define them as trusted hosts. To do this:

  3. On the collector computer, run either of these commands:

    • In a Windows PowerShell prompt: Set-Item -Force WSMan:\localhost\Client\TrustedHosts "<target1>,<target2>,...", followed by Set-Item -Force WSMan:\localhost\Client\AllowUnencrypted true, where <target1>, etc. are the names or IP addresses of the target computers.

    • Or in a command prompt: winrm set winrm/config/client @{TrustedHosts="<target1>,<target2>,...";AllowUnencrypted="true"}


      This sets up unencrypted communication, so don't do this outside of a lab environment.

  4. Test the remote connection by going to the collector computer and running one of these Windows PowerShell commands:

    If the target computer is in the same domain as the collector computer, run New-PSSession -Computer <target> | Remove-PSSession

    If the target computer is not in the same domain, run New-PSSession -Computer <target> -Credential Administrator | Remove-PSSession, which will prompt you for credentials.

    If the command doesn't return anything, remoting was successful.

  5. On the target computer, open an elevated Windows PowerShell prompt and run this command:

    Enable-SbecBcd -ComputerName <target_name> -CollectorIP <ip> -CollectorPort <port> -Key <a.b.c.d>

    Here <target_name> is the name of the target computer, <ip> is the IP address of the collector computer, and <port> is the port number where the collector will run. The Key <a.b.c.d> is a required encryption key for the communication, comprising four alphanumeric strings separated by dots. This same key is used on the collector computer. If you don't enter a key, the system generates a random key; you'll need this for the collector computer, so make a note of it.

  6. If you already have a collector computer set up, update the configuration file on the collector computer with the information for the new target computer. See the "Configuring the collector computer" section for details.

To enable event transport locally on the target computer
  1. Start an elevated command prompt, and then run these commands:

    bcdedit /event yes

    bcdedit /eventsettings net hostip: port:50000 key:a.b.c.d

    Here "" is an example; replace this with the IP address of the collector computer. Also replace "50000" with the port number where the collector will run and "a.b.c.d" with the required encryption key for the communication. This same key is used on the collector computer. If you don't enter a key, the system generates a random key; you'll need this for the collector computer, so make a note of it.

  2. If you already have a collector computer set up, update the configuration file on the collector computer with the information for the new target computer. See the "Configuring the collector computer" section for details.

Now that event transport itself is enabled, you must enable the system to actually send ETW events through that transport.

To enable sending of ETW events through the transport remotely
  1. On the collector computer, open an elevated Windows PowerShell prompt.

  2. Run Enable-SbecAutologger -ComputerName <target_name>, where <target_name> is the name of the target computer.

If you aren't able to set up Windows PowerShell Remoting, you can always enable sending of events directly on the target computer.

To enable sending of ETW events through the transport locally
  1. On the target computer, start Regedit.exe and find this registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger

    Various log sessions are listed as sub-keys under this key. Setup Platform, NT Kernel Logger, and Microsoft-Windows-Setup are possible choices for use with Setup and Boot Event Collection, but the recommended option is EventLog-System. These keys are detailed in Configuring and Starting an AutoLogger Session.

  2. In the EventLog-System key, change the value of LogFileMode from 0x10000180 to 0x10080180. For details about these settings, see Logging Mode Constants.

  3. Optionally, you can also enable forwarding of bug check data to the collector computer. To do this, find the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager and create the key Debug Print Filter with a value of 0x1.

  4. Restart the target computer.
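
Steps 1 and 2 above can be checked or applied from an elevated Windows PowerShell prompt on the target computer instead of Regedit. This is an added example, not Microsoft's code; the function names are hypothetical, and it sets only the bit that differs between the two LogFileMode values in step 2, leaving the other bits as found.

```powershell
# Added example, not Microsoft's code. Function names are hypothetical.
$AutoLoggerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger'
$ForwardBit     = 0x00080000   # 0x10080180 -bxor 0x10000180: the one bit step 2 changes

function Get-AutoLoggerForwardingState {
    # Report LogFileMode for the sessions the page names and whether the bit is set.
    param(
        [string[]] $Session = @('EventLog-System', 'Setup Platform',
                                'NT Kernel Logger', 'Microsoft-Windows-Setup')
    )
    foreach ($name in $Session) {
        $path = Join-Path $AutoLoggerRoot $name
        $mode = $null
        if (Test-Path -LiteralPath $path) {
            $mode = (Get-ItemProperty -LiteralPath $path -Name LogFileMode `
                        -ErrorAction SilentlyContinue).LogFileMode
        }
        [pscustomobject]@{
            Session     = $name
            LogFileMode = if ($null -ne $mode) { '0x{0:X8}' -f $mode } else { $null }
            Forwarding  = if ($null -ne $mode) { [bool]($mode -band $ForwardBit) } else { $false }
        }
    }
}

function Enable-AutoLoggerForwardingBit {
    # Set the bit on one session, keeping every other bit of LogFileMode unchanged.
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Session = 'EventLog-System')

    $path = Join-Path $AutoLoggerRoot $Session
    $old  = (Get-ItemProperty -LiteralPath $path -Name LogFileMode -ErrorAction Stop).LogFileMode
    $new  = $old -bor $ForwardBit
    if ($new -eq $old) { return }            # already enabled, nothing to write
    $change = 'LogFileMode 0x{0:X8} -> 0x{1:X8}' -f $old, $new
    if ($PSCmdlet.ShouldProcess($path, $change)) {
        Set-ItemProperty -Path $path -Name LogFileMode -Type DWord -Value $new
    }
}

Get-AutoLoggerForwardingState | Format-Table -AutoSize
Enable-AutoLoggerForwardingBit -WhatIf   # remove -WhatIf to write, then restart the target
```

The same report is a quick way to inventory which AutoLogger sessions on a machine are set to forward events off the box.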

Choosing the network adapter

If the target computer has more than one network adapter, the KDNET driver will choose the first supported one listed. You can specify a particular network adapter to use for forwarding setup events with these steps:

To specify a network adapter
  1. On the target computer, open Device Manager, expand Network Adapters, find the network adapter you want to use, and right-click it.

  2. In the menu that opens, click Properties, and then click the Details tab. Expand the menu in the Property field, scroll to find Location information (the list is probably not in alphabetical order), and then click it. The value will be a string of the form PCI bus X, device Y, function Z. Make note of X.Y.Z; these are the bus parameters you need for the following command.

  3. Run either one of these commands:

    From an elevated Windows PowerShell prompt: Enable-SbecBcd -ComputerName <target_name> -CollectorIP <ip> -CollectorPort <port> -Key <a.b.c.d> -BusParams <X.Y.Z>

    From an elevated command prompt: bcdedit /eventsettings net hostip:aaa port:50000 key:bbb busparams:X.Y.Z

Validate target computer configuration

To check settings on the target computer, open an elevated command prompt and run bcdedit /enum. When this is finished, run bcdedit /eventsettings. You can double-check the following values:

  • Key

  • Debugtype = NET

  • Hostip = <IP address of the collector>

  • Port = <port number you specified for the collector to use>

  • DHCP = yes

Also check that you have enabled bcdedit /event, since /debug and /event are mutually exclusive. You can only run one or the other. Similarly, you can't mix /eventsettings with /debug or /dbgsettings with /event.

Note also that event collection doesn't work if you set it to a serial port.

Configuring the collector computer

The collector service receives the events and saves them in ETL files. These ETL files can then be read by other tools, such as Event Viewer, Message Analyzer, Wevtutil, and Windows PowerShell cmdlets.

Since the ETW format doesn't allow you to specify the target computer name, the events for each target computer must be saved to a separate file. The display tools might show a computer name, but it will be the name of the computer on which the tool runs.

More exactly, each target computer is assigned a ring of ETL files. Each file name includes an index from 000 to a maximum value that you configure (up to 999). When the file reaches the maximum configured size, the collector switches to writing events to the next file. After the highest possible file it switches back to file index 000. In this way, the files are automatically recycled, limiting usage of disk space. You can also set additional external retention policies to further limit disk usage; for example, you can delete files older than a set number of days.

Collected ETL files are typically kept in the directory c:\ProgramData\Microsoft\BootEventCollector\Etl (which might have additional subdirectories). You can find the most recent log file by sorting them by the last modification time. There is also a status log (typically in c:\ProgramData\Microsoft\BootEventCollector\Logs), which records whenever the collector switches writing to a new file.

There is also a collector log, which records information about the collector itself. You can keep this log in the ETW format (in which events are reported to the Windows log service; this is the default) or in a file (normally in c:\ProgramData\Microsoft\BootEventCollector\Logs). Using a file could be useful if you want to enable verbose modes that produce a lot of data. You can also set the log to write to standard output by running the collector from the command line.

Creating the collector configuration file

When you enable the service, three XML configuration files are created and stored in c:\ProgramData\Microsoft\BootEventCollector\Config:

  • Active.xml: This file contains the current active configuration of the collector service. Right after installation, this file has the same contents as Empty.xml. When you set a new collector configuration you save it to this file.

  • Empty.xml: This file contains the minimum configuration elements needed with their default values set. It does not enable any collection; it only allows the collector service to start in an idle mode.

  • Example.xml: This file provides examples and explanations of the possible configuration elements.

Choosing a file size limit

One of the decisions you have to make is to set a file size limit. The best file size limit depends on the expected volume of events and available disk space. Smaller files are more convenient from the standpoint of cleaning the old data. However, each file carries with it the overhead of a 64KB header and reading many files to get the combined history might be inconvenient. The absolute minimum file size limit is 256 KB. A reasonable practical file size limit should be over 1 MB, and 10 MB is probably a good typical value. A higher limit might be reasonable if you expect many events.

There are several details to keep in mind regarding the configuration file:

  • The target computer address. You can use its IPv4 address, a MAC address, or a SMBIOS GUID. Keep these factors in mind when choosing the address to use:

    • The IPv4 address works best with static assignment of the IP addresses. However, even static IP addresses must be available through DHCP.

    • A MAC address or SMBIOS GUID is convenient when they are known in advance but the IP addresses are assigned dynamically.

    • IPv6 addresses are not supported by the EVENT-NET protocol.

    • It is possible to specify multiple ways to identify the computer. For example, if the physical hardware is about to be replaced, you can enter both the old and the new MAC addresses, and either will be accepted.

  • The encryption key used for the communication with the collector computer

  • The name of the target computer. You can use the IP address, host name, or any other name as the computer name.

  • The name of the ETL file to use and the ring size configuration for it

To create the configuration file
  1. Open an elevated Windows PowerShell prompt and change directories to %SystemDrive%\ProgramData\Microsoft\BootEventCollector\Config.

  2. Type notepad .\newconfig.xml and press ENTER.

  3. Copy this example configuration into the Notepad window:

    <collector configVersionMajor="1" statuslog="c:\ProgramData\Microsoft\BootEventCollector\Logs\statuslog.xml">
      <common>
        <collectorport value="50000"/>
        <forwarder type="etl">
          <set name="file" value="c:\ProgramData\Microsoft\BootEventCollector\Etl\{computer}\{computer}_{#3}.etl"/>
          <set name="size" value="10mb"/>
          <set name="nfiles" value="10"/>
          <set name="toxml" value="none"/>
        </forwarder>
        <target>
          <ipv4 value=""/>
          <key value="a.b.c.d"/>
          <computer value="computer1"/>
        </target>
        <target>
          <ipv4 value=""/>
          <key value="d1.e2.f3.g4"/>
          <computer value="computer2"/>
        </target>
      </common>
    </collector>


    The root node is <collector>. Its attributes specify the version of the configuration file syntax and the name of the status log file.

    The <common> element groups together multiple targets and specifies the common configuration elements for them, very much like a user group can be used to specify the common permissions for multiple users.

    The <collectorport> element defines the UDP port number where the collector will listen for incoming data. This is the same port as was specified in the target configuration step for Bcdedit. The collector supports only one port and all the targets must connect to the same port.

    The <forwarder> element specifies how ETW events received from the target computers will be forwarded. There is only one type of forwarder, which writes them to the ETL files. The parameters specify the file name pattern, the size limit for each file in the ring, and the size of the ring for each computer. The setting "toxml" specifies that the ETW events will be written in the binary form as they were received, without conversion to XML. See the "XML event conversion" section for information about deciding whether to convert the events to XML or not. The file name pattern contains these substitutions: {computer} for the computer name and {#3} for the index of the file in the ring.

    In this example file, two target computers are defined with the <target> element. Each definition specifies the IP address with <ipv4>, but you could also use the MAC address (for example, <mac value="11:22:33:44:55:66"/> or <mac value="11-22-33-44-55-66"/>) or SMBIOS GUID (for example, <guid value="{269076F9-4B77-46E1-B03B-CA5003775B88}"/>) to identify the target computer. Also note the encryption key (the same as was specified or generated with Bcdedit on the target computer), and the computer name.

  4. Enter the details for each target computer as a separate <target> element in the configuration file, and then save Newconfig.xml and close Notepad.

  5. Apply the new configuration with $result = (Get-Content .\newconfig.xml | Set-SbecActiveConfig); $result. The output should return with the Success field "true." If you get another result, see the Troubleshooting section of this topic.

You can always check the current active configuration with (Get-SbecActiveConfig).text.

You can perform a validity check on the configuration file with $result = (Get-Content .\newconfig.xml | Check-SbecConfig); $result.
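
The configuration described above can also be generated from a target inventory instead of being typed into Notepad. The following PowerShell is an added example, not Microsoft's code: the function names, the sample targets, and the name-character and key-reuse checks are assumptions of this example, while the element names, paths and the final validation command are the ones on this page.

```powershell
# Added example, not Microsoft's code. Function names and sample targets are hypothetical.
$DocSampleKeys = @('a.b.c.d', 'd1.e2.f3.g4')   # keys printed in this page's example config

function Resolve-SbecAddress {
    # Map one identifier to the element the page describes: <ipv4>, <mac> or <guid>.
    param([Parameter(Mandatory)] [string] $Address)
    $guid = [guid]::Empty
    $ip   = $null
    if ($Address -match '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$' -or
        $Address -match '^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$') {
        return @{ Element = 'mac'; Value = $Address }
    }
    if ([guid]::TryParse($Address, [ref] $guid)) {
        return @{ Element = 'guid'; Value = $guid.ToString('B').ToUpper() }
    }
    if ($Address -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') {
        if ($Matches[1..4] | Where-Object { [int]$_ -gt 255 }) { throw "Octet out of range: $Address" }
        return @{ Element = 'ipv4'; Value = $Address }
    }
    if ([System.Net.IPAddress]::TryParse($Address, [ref] $ip) -and
        $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "EVENT-NET does not support IPv6 addresses: $Address"
    }
    throw "Not an IPv4 address, MAC address or SMBIOS GUID: $Address"
}

function Assert-SbecTarget {
    param($Target)
    if ($Target.Key -notmatch '^[0-9A-Za-z]+(\.[0-9A-Za-z]+){3}$') {
        throw "Key for '$($Target.Name)' is not four dot-separated alphanumeric strings"
    }
    if ($DocSampleKeys -contains $Target.Key) {
        throw "Key for '$($Target.Name)' is a documentation sample key"
    }
    # Assumption of this example: {computer} ends up in the ETL path, so keep names path-safe.
    if ($Target.Name -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]*$') {
        throw "Computer name '$($Target.Name)' contains characters unsafe in a file path"
    }
}

function New-SbecConfigXml {
    param(
        [Parameter(Mandatory)] [object[]] $Targets,   # objects with Name, Address, Key
        [int]    $Port      = 50000,
        [string] $Size      = '10mb',
        [int]    $NFiles    = 10,
        [string] $EtlRoot   = 'c:\ProgramData\Microsoft\BootEventCollector\Etl',
        [string] $StatusLog = 'c:\ProgramData\Microsoft\BootEventCollector\Logs\statuslog.xml'
    )
    # Hygiene check of this example, not a collector requirement: one key per target.
    foreach ($d in ($Targets | Group-Object Key | Where-Object Count -gt 1)) {
        Write-Warning "Key reused by: $($d.Group.Name -join ', ')"
    }
    $doc = New-Object System.Xml.XmlDocument
    $add = {
        param($parent, $name, $attrs)
        $e = $doc.CreateElement($name)
        foreach ($k in $attrs.Keys) { $e.SetAttribute($k, [string]$attrs[$k]) }
        [void] $parent.AppendChild($e)
        $e
    }
    $root   = & $add $doc 'collector' ([ordered]@{ configVersionMajor = '1'; statuslog = $StatusLog })
    $common = & $add $root 'common' @{}
    [void] (& $add $common 'collectorport' @{ value = $Port })
    $fwd  = & $add $common 'forwarder' @{ type = 'etl' }
    $sets = [ordered]@{
        file   = "$EtlRoot\{computer}\{computer}_{#3}.etl"
        size   = $Size
        nfiles = $NFiles
        toxml  = 'none'
    }
    foreach ($k in $sets.Keys) {
        [void] (& $add $fwd 'set' ([ordered]@{ name = $k; value = $sets[$k] }))
    }
    foreach ($t in $Targets) {
        Assert-SbecTarget $t
        $node = & $add $common 'target' @{}
        foreach ($a in @($t.Address)) {          # several identifiers per target are accepted
            $r = Resolve-SbecAddress $a
            [void] (& $add $node $r.Element @{ value = $r.Value })
        }
        [void] (& $add $node 'key' @{ value = $t.Key })
        [void] (& $add $node 'computer' @{ value = $t.Name })
    }
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sw = New-Object System.IO.StringWriter
    $xw = [System.Xml.XmlWriter]::Create($sw, $settings)
    $doc.Save($xw); $xw.Close()
    $sw.ToString()
}

# Constructed inventory: names, addresses and keys are placeholders, not values from the page.
$targets = @(
    [pscustomobject]@{ Name = 'web01'; Address = '192.0.2.10'; Key = 'x7q2.m9w4.p3k8.z5t1' }
    [pscustomobject]@{ Name = 'db01'; Key = '4hj1.9ac3.qq07.b2v6'
                       Address = @('11-22-33-44-55-66', '11-22-33-44-55-77') }
)
New-SbecConfigXml -Targets $targets | Set-Content .\newconfig.xml

# On the collector, validate with the page's own command before applying.
if (Get-Command Check-SbecConfig -ErrorAction SilentlyContinue) {
    $result = (Get-Content .\newconfig.xml | Check-SbecConfig); $result
}
```

Use the key that each target was actually configured with (or that the system generated for it); the keys in the inventory above only show the expected shape.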

Though the Windows PowerShell command to apply a new configuration automatically updates the service without requiring you to restart it, you can always restart the service yourself with either of these commands:

  • With Windows PowerShell: Restart-Service BootEventCollector

  • In an ordinary command prompt: sc stop BootEventCollector; sc start BootEventCollector

Configuring Nano Server as a target computer

The minimal interface offered by Nano Server can sometimes make it hard to diagnose issues with it. You can configure your Nano Server image to participate in Setup and Boot Event Collection automatically, sending diagnostic data to a collector computer without further intervention from you. To do this, follow these steps:

To configure Nano Server as a target computer

  1. Create your basic Nano Server image. See Getting Started with Nano Server for details.

  2. Set up a collector computer as in the "Configuring the collector computer" section of this topic.

  3. Add AutoLogger registry keys to enable sending diagnostic messages. To do this, you mount the Nano Server VHD created in Step 1, load the registry hive, and then add certain registry keys. In this example, the Nano Server image is in C:\NanoServer; your path might be different, so adjust the steps accordingly.

    1. On the collector computer, copy the ..\Windows\System32\WindowsPowerShell\v1.0\Modules\BootEventCollector folder and paste it into the ..\Windows\System32\WindowsPowerShell\v1.0\Modules directory on the computer you are using to modify the Nano Server VHD.

    2. Start a Windows PowerShell console with elevated permissions and run Import-Module BootEventCollector.

    3. Update the Nano Server VHD registry to enable AutoLoggers. To do this, run Enable-SbecAutoLogger -Path C:\NanoServer\Workloads\IncludingWorkloads.vhd. This adds a basic list of the most typical setup and boot events; you can research others at Controlling Event Tracing Sessions.

  4. Update BCD settings in the Nano Server image to enable the Events flag and set the collector computer to ensure diagnostic events are sent to the right server. Note the collector computer's IPv4 address, TCP port, and encryption key you configured in the collector's Active.XML file (described elsewhere in this topic). Use this command in a Windows PowerShell console with elevated permissions: Enable-SbecBcd -Path C:\NanoServer\Workloads\IncludingWorkloads.vhd -CollectorIp -CollectorPort 50000 -Key a.b.c.d

  5. Update the collector computer to receive events sent by the Nano Server computer by adding either the IPv4 address range, the specific IPv4 address, or the MAC address of the Nano Server to the Active.XML file on the collector computer (see the "Configuring the collector computer" section of this topic).

Starting the event collector service

Once a valid configuration file is saved on the collector computer and a target computer is configured, as soon as the target computer is restarted, the connection to the collector is made and events will be collected.

The log for the collector service itself (which is distinct from the setup and boot data collected by the service) can be found under Microsoft-Windows-BootEvent-Collector/Admin. For a graphical interface for the events, use Event Viewer. Create a new view; expand Applications and Services Logs, then expand Microsoft and then Windows. Find BootEvent-Collector, expand it, and find Admin.

  • With Windows PowerShell: Get-WinEvent -LogName Microsoft-Windows-BootEvent-Collector/Admin

  • In an ordinary command prompt: wevtutil qe Microsoft-Windows-BootEvent-Collector/Admin


Troubleshooting installation of the feature

Error: Dism.exe
Error description: 87
Symptom: The feature-name option is not recognized in this context
Potential problem:
  • This can happen if you misspell the feature name. Verify that you have the correct spelling and try again.
  • Confirm that this feature is available on the operating system version you are using. In Windows PowerShell, run dism /online /get-features | ?{$_ -match "boot"}. If no match is returned, you're probably running a version that doesn't support this feature.

Error: Dism.exe
Error description: 0x800f080c
Symptom: Feature <name> is unknown.
Potential problem: Same as above

Troubleshooting the collector

The Collector logs its own events as ETW provider Microsoft-Windows-BootEvent-Collector. It's the first place you should look when troubleshooting problems with the collector. You can find them in Event Viewer under Applications and Services Logs > Microsoft > Windows > BootEvent-Collector > Admin, or you can read them in a command window with either of these commands:

In an ordinary command prompt: wevtutil qe Microsoft-Windows-BootEvent-Collector/Admin

In a Windows PowerShell prompt: Get-WinEvent -LogName Microsoft-Windows-BootEvent-Collector/Admin (you can append -Oldest to return the list in chronological order with oldest events first)

You can adjust the level of detail in the logs from "error," through "warning," "info" (the default), "verbose," and "debug." More detailed levels than "info" are useful for diagnosing problems with target computers not connecting, but they might generate a large amount of data, so use them with care.

You set the minimum log level in the <collector> element of the configuration file. For example: <collector configVersionMajor="1" minlog="verbose">.

The verbose level logs a record for every packet received as it is processed. The debug level adds more processing detail and dumps the contents of all received ETW packets as well.

At the debug level, it might be useful to write the log into a file rather than trying to view it in the usual logging system. To do this, add an additional element in the <collector> element of the configuration file:

<collector configVersionMajor="1" minlog="debug" log="c:\ProgramData\Microsoft\BootEventCollector\Logs\log.txt">

A suggested approach to troubleshooting the Collector:

  1. First of all, verify that the collector has received the connection from the target (it will create the file only when the target starts sending the messages) with
    If it returns that there is a connection from this target, then the problem might be in the autologger settings. If it returns nothing, the problem is with the KDNET connection to start with. To diagnose KDNET connection problems, try checking the connection from both ends (that is, from the collector and from the target).
  2. To see extended diagnostics from the Collector, add this to the <collector> element of the configuration file:
    <collector ... minlog="verbose">
    This will enable messages about every received packet.
  3. Check whether any packets are received at all. Optionally, you might want to write the log in verbose mode directly to a file rather than through ETW. To do this, add this to the <collector> element of the configuration file:
    <collector ... minlog="verbose" log="c:\ProgramData\Microsoft\BootEventCollector\Logs\log.txt">

  4. Check the event logs for any messages about the received packets. Check whether any packets are received at all. If the packets are received but incorrect, check event messages for details.

  5. From the target side, KDNET writes some diagnostic information into the registry. Look in
    HKLM\SYSTEM\CurrentControlSet\Services\kdnet for messages.
    KdInitStatus (DWORD) will be 0 on success and show an error code on error
    KdInitErrorString = explanation of the error (also contains informational messages if no error)

  6. Run Ipconfig.exe on the target and check for the device name it reports. If KDNET loaded properly, the device name should be something like "kdnic" instead of the original vendor's card name.

  7. Check whether DHCP is configured for the target. KDNET absolutely requires DHCP.
  8. Confirm that the collector is on the same network as the target. If not, check whether the routing is configured correctly, especially the default gateway setting for DHCP.

Connection status

You can check the current list of established connections and information on where the data is being forwarded with Get-SbecForwarding.

You can also get the recent history of status changes in connections with Get-SbecHistory.

Troubleshooting setting a new configuration

If you applied the configuration with the Windows PowerShell command $result = (Get-Content .\newconfig.xml | Set-SbecActiveConfig); $result, then the variable $result will contain information about the deployment. You can query this variable to get different information out of it:

Get information about errors with $result.ErrorString. If any errors are reported here, the new configuration will not have been applied and the old configuration will be unchanged.

Get warnings with $result.WarningString.

Get information on the details of the configuration with $result.InfoString.

You can get the complete result with $result | fl *.
Alternatively, if you don't want to save the result in a variable, you can use Get-Content .\newconfig.xml | Set-SbecActiveConfig | fl *.
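
The two steps described on this page, setting minlog and log on the <collector> element and then checking the result of Set-SbecActiveConfig, combined as an added PowerShell example (not Microsoft's code). The function name Set-CollectorLogLevel and its parameters are hypothetical; the example assumes <collector> is the root element of .\newconfig.xml and that ErrorString is empty when the configuration was applied.

```powershell
# Added example, not part of the original page.
# Run on the collector computer in an elevated Windows PowerShell prompt.
function Set-CollectorLogLevel {
    param(
        [string]$Path = '.\newconfig.xml',        # file name used on this page
        [ValidateSet('error', 'warning', 'info', 'verbose', 'debug')]
        [string]$MinLog = 'verbose',
        [string]$LogFile                          # omit to drop file logging
    )

    $fullPath = (Resolve-Path -Path $Path).Path
    $config = New-Object System.Xml.XmlDocument
    $config.PreserveWhitespace = $true            # keep the file's layout
    $config.Load($fullPath)

    # Assumption: <collector> is the document's root element.
    $collector = $config.DocumentElement
    if ($collector.LocalName -ne 'collector') {
        throw "Root element of $fullPath is <$($collector.LocalName)>, expected <collector>."
    }

    $collector.SetAttribute('minlog', $MinLog)
    if ($LogFile) {
        $collector.SetAttribute('log', $LogFile)
    } else {
        $collector.RemoveAttribute('log')         # no-op if the attribute is absent
    }
    $config.Save($fullPath)

    # Apply the file the same way the page does, then inspect the result object.
    $result = Get-Content -Path $fullPath | Set-SbecActiveConfig
    if ($result.ErrorString) {
        # Any error means the old configuration is still the active one.
        Write-Warning "New configuration NOT applied, old one unchanged: $($result.ErrorString)"
    } elseif ($result.WarningString) {
        Write-Warning $result.WarningString
    }
    $result                                       # caller can pipe this to fl *
}

# While diagnosing a target that does not connect:
#   Set-CollectorLogLevel -MinLog debug -LogFile 'c:\ProgramData\Microsoft\BootEventCollector\Logs\log.txt'
# When finished, return to the default level and stop writing the file:
#   Set-CollectorLogLevel -MinLog info
```

Because the debug level dumps the contents of every received ETW packet, switch back to info once the problem is found.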

Troubleshooting target computers

Error Error description Symptom Potential problem
Target computer Target is not connecting to the Collector - The target computer didn't get restarted after it was configured. Restart the target computer.
- The target computer has incorrect BCD settings. Check the settings in the "Validate target computer settings" section. Correct as necessary, and then restart the target computer.
- The KDNET/EVENT-NET driver was not able to connect to a network adapter or connected to the wrong network adapter. In Windows PowerShell, run gwmi Win32_NetworkAdapter and check the output for one with the ServiceName kdnic. If the wrong network adapter is selected, re-do the steps in "To specify a network adapter." If the network adapter doesn't appear at all, it could be that the driver doesn't support any of your network adapters.
See also "A suggested approach to troubleshooting the Collector" above, especially Steps 5 through 8.
Collector I am no longer seeing events after migrating the VM my collector is hosted on. Verify that the IP address of the collector computer has not changed. If it has, review "To enable sending of ETW events through the transport remotely."
Collector The ETL files are not created. Get-SbecForwarding shows that the target has connected, with no errors, but the ETL files are not created. The target computer has probably not sent any data yet; ETL files are only created when data is received.
Collector An event is not showing in the ETL file. The target computer has sent an event but when the ETL file is read with Event Viewer or Message Analyzer, the event is not present. - The event could still be in the buffer. Events aren't written to the ETL file until a full 64 KB buffer is collected or a timeout of about 10-15 seconds with no new events has occurred. Either wait for the timeout to expire or flush the buffers with Save-SbecInstance.
- The event manifest is not available on the collector computer or the computer where the Event Viewer or Message Analyzer runs. In this case, the Collector might not be able to process the event (check the Collector log) or the viewer might not be able to show it. It is a good practice to have all the manifests installed on the collector computer and install updates on the collector computer before installing them on the target computers.
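
The target-side checks from "A suggested approach to troubleshooting the Collector" and from the table above (the kdnet registry values and the kdnic adapter), gathered into one added PowerShell example that is not part of the original page. Get-KdnetTargetStatus is a hypothetical name, and Get-CimInstance is used in place of the gwmi alias shown in the table.

```powershell
# Added example, not part of the original page.
# Run on the target computer in an elevated Windows PowerShell prompt.
function Get-KdnetTargetStatus {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\kdnet'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # An adapter taken over by KDNET reports the service name "kdnic".
    $kdnic = @(Get-CimInstance -ClassName Win32_NetworkAdapter |
               Where-Object { $_.ServiceName -eq 'kdnic' })

    # KdInitStatus (DWORD) is 0 on success and an error code otherwise.
    # The value is $null when the key or the value does not exist.
    $raw = if ($reg) { $reg.KdInitStatus } else { $null }

    if ($null -eq $raw) {
        $verdict = 'KdInitStatus is not present in the kdnet key'
    } elseif ($raw -ne 0) {
        $verdict = 'KDNET reported an initialization error'
    } elseif ($kdnic.Count -eq 0) {
        $verdict = 'KdInitStatus is 0 but no adapter has ServiceName kdnic'
    } else {
        $verdict = 'KDNET loaded; continue with the DHCP and routing checks'
    }

    [pscustomobject]@{
        # Hex formatting works for DWORDs that PowerShell reads as negative Int32.
        KdInitStatus      = if ($null -ne $raw) { '0x{0:X8}' -f $raw } else { $null }
        KdInitErrorString = if ($reg) { $reg.KdInitErrorString } else { $null }
        KdnicAdapters     = $kdnic | ForEach-Object { $_.Name }
        Verdict           = $verdict
    }
}

Get-KdnetTargetStatus | Format-List
```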