ULS-Agent for Windows

WIN_TOOLS is the GPLv3-licensed ULS agent for the Windows operating system. It gathers inventory information, configuration settings and runtime metrics of the operating system, and checks the event log for new entries with filters applied.

All resulting values are sent to the ULS-server for further monitoring and analysis.

Overview

The directories used in this description are examples only; use others as you like.

  • copy the WIN_TOOLS.zip to e.g. C:\ADMIN\WIN_TOOLS
  • extract WIN_TOOLS.zip
  • customize the *.conf files for the different WIN_TOOLS scripts
  • create the directory for temporary work value files for the WIN_TOOLS scripts
  • create the destination directory for ULS value files
  • create the scheduled task entries

The default directories are:

  • installation and execution directory of the WIN_TOOLS: C:\ADMIN\WIN_TOOLS
  • temporary work value and log file directory: C:\TEMP\WIN_TOOLS
  • destination directory for the generated ULS value files: C:\TEMP\ULS

Download & Installation

Change to a directory of your choice or create one in which you want to put the WIN_TOOLS:

C:\> md C:\ADMIN\WIN_TOOLS
C:\> cd C:\ADMIN\WIN_TOOLS

Download the current version of the WIN_TOOLS to the directory you just created and verify the checksums.

You may need md5sum.exe for this:

C:\ADMIN\WIN_TOOLS> md5sum.exe WIN_TOOLS_*.zip

checksums for WIN_TOOLS_2013-12-03.zip:

  • md5: 7463FCC757EE51AD17B6ADA7E62CCC4E
  • sha1: FF3C8A62CEDBF9B8018B18351862391C482359CC
  • sha256: 01644C484905BB1B820FC94A42EF712208DB44B8C190E3F1FE64828A2AF237D2

Before unzipping, open the property page of the .zip and click the unblock button. That should prevent the message:

This file came from another computer and might be blocked to help protect this computer
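
The check-then-unblock sequence above as a PowerShell script. This is an added example, not part of the WIN_TOOLS distribution; it assumes PowerShell 4.0 or later (for Get-FileHash) and the example directory and file name used on this page, and it compares against the SHA-256 value listed above rather than the MD5.

```powershell
# Added example: verify the download first, unblock it only if the hash matches.
# Assumes PowerShell 4.0+ and the example paths from this page.
$ErrorActionPreference = 'Stop'

$zip      = 'C:\ADMIN\WIN_TOOLS\WIN_TOOLS_2013-12-03.zip'
# SHA-256 published on this page for WIN_TOOLS_2013-12-03.zip
$expected = '01644C484905BB1B820FC94A42EF712208DB44B8C190E3F1FE64828A2AF237D2'

function Test-FileSha256 {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash
    )
    # Reject anything that is not exactly 64 hex digits, e.g. a truncated copy-paste.
    if ($ExpectedHash -notmatch '^[0-9A-Fa-f]{64}$') {
        throw "Expected value is not a SHA-256 hex digest: '$ExpectedHash'"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # -eq on strings is case-insensitive, so upper- and lower-case hex both match.
    return ($actual -eq $ExpectedHash)
}

if (-not (Test-FileSha256 -Path $zip -ExpectedHash $expected)) {
    # The file stays blocked, so it is not unpacked by accident.
    throw "SHA-256 mismatch for $zip - do not unpack this archive."
}

# Show the Zone.Identifier stream that causes the warning (no output if the file was never marked).
Get-Content -LiteralPath $zip -Stream Zone.Identifier -ErrorAction SilentlyContinue

# Same effect as the unblock button on the property page, done only after the hash check.
Unblock-File -LiteralPath $zip
Write-Output "Verified and unblocked: $zip"
```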


Software Installation

Unpack the WIN_TOOLS*.zip into that directory. The password is “win_tools”; it is set only to keep typical virus scanners from removing the zip archive because of the .exe and .bat files it contains. You will find a list of files like the following (the output may differ slightly depending on the version/release date):

C:\ADMIN\WIN_TOOLS> dir
03.12.2013  12:22    <DIR>          .
03.12.2013  12:22    <DIR>          ..
03.12.2013  11:49               978 CHANGES.txt
06.12.2011  10:06            33.094 COPYING.txt
21.12.2011  18:29         1.472.512 libeay32.dll
03.12.2013  11:57               213 perf_counter_categories.bat
30.10.2012  14:14             7.337 perf_counter_categories.ps1
22.11.2013  09:55            81.549 send2uls.exe
21.12.2011  18:29           303.616 ssleay32.dll
30.10.2012  12:02               254 win_eventlog.bat
25.11.2013  10:52             8.796 win_eventlog.conf
03.12.2013  11:47            33.088 win_eventlog.ps1
18.09.2012  14:33               127 win_inventory.bat
22.02.2013  15:43            18.844 win_inventory.ps1
29.11.2013  10:26            13.386 win_misc.ps1
06.03.2013  15:00               232 win_watch.bat
03.12.2013  11:59             5.056 win_watch.conf
03.12.2013  11:47            49.719 win_watch.ps1
              16 Datei(en),      2.028.801 Bytes

There is a calling .bat file for each PowerShell script, and the main scripts have configuration files.

Check the execution policy of the W*ndows machine:

c:\> powershell Get-ExecutionPolicy

“RemoteSigned” or even “Unrestricted” will allow you to execute the PowerShell scripts. With a “Restricted” execution policy you will not be able to execute them. In that case, change it to:

c:\> powershell Set-ExecutionPolicy RemoteSigned

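Alternatively, you can use the command line parameter -executionpolicy bypass when starting the win_watch PowerShell script. It applies only to that one powershell.exe invocation and leaves the configured execution policy unchanged:

c:\> powershell.exe -executionpolicy bypass -File <script.ps1> <arguments>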


What You Get

You get scripts to check the state and performance of a running W*ndows computer, as well as event log checking with filtering and gathering of inventory information.

uls/agents/win_tools.txt · Last modified: 2015-02-03 08:37 by uls