Here at Sysnative Forums as well as TSF Forums, Bleeping Computer and MBAM Forums (and some other forums as well), a BSOD OP attaches a file to their post called SysnativeFileCollectionApp.zip. This is mandatory.
The output contains a treasure trove of information besides the mini kernel memory dump files. I will try my best to explain the contents of the ~30 files below and what the information can be used for.
To date, the output directory contains 29 output system/OS related files plus all BSOD mini-kernel memory dump files.
There is NO personal related information found in any of these files.
Here is a DIR listing of the Sysnative output zip file -
Rich (BB code):
01/01/1980 12:00 AM 448,108 112019-10093-01.dmp
01/01/1980 12:00 AM 460,300 112019-10859-01.dmp
01/01/1980 12:00 AM 495,348 112019-8140-01.dmp
01/01/1980 12:00 AM 569,908 112019-8796-01.dmp
01/01/1980 12:00 AM 569,916 112019-9031-01.dmp
01/01/1980 12:00 AM 2 Autoruns.txt
01/01/1980 12:00 AM 1,275 BSODPostingInstructions.txt
01/01/1980 12:00 AM 49,208 DriverqFo.txt
01/01/1980 12:00 AM 14,258 DriverqSi.txt
01/01/1980 12:00 AM 97,662 DriverqV.txt
01/01/1980 12:00 AM 107,427 DxDiagx86.txt
01/01/1980 12:00 AM 934,549 EvtxAppDump.txt
01/01/1980 12:00 AM 967,196 EvtxSysDump.txt
01/01/1980 12:00 AM 752 HKCUSoftMSWinCVUninstall.txt
01/01/1980 12:00 AM 7,261 HKLMSoftMSA-SInstalledComponents.txt
01/01/1980 12:00 AM 29,195 HKLMSoftMSWinCVUninstall.txt
01/01/1980 12:00 AM 824 Hosts.txt
01/01/1980 12:00 AM 4,913 IPconfigAll.txt
01/01/1980 12:00 AM 15,986 Jcgriff2Log.txt
01/01/1980 12:00 AM 1,517 KernelDumpList.txt
01/01/1980 12:00 AM 2,115,736 MSInfo32.nfo
01/01/1980 12:00 AM 4,542 NetSHLAN1.txt
01/01/1980 12:00 AM 15,766 NetstatJcgriff2
01/01/1980 12:00 AM 0 NetstatJcgriff2.StdErr
01/01/1980 12:00 AM 19,556 RAMInfo.html
01/01/1980 12:00 AM 3,914 SetEnvironmentVar.txt
01/01/1980 12:00 AM 302,549 SysList.txt
01/01/1980 12:00 AM 2,955 SystemInfo.txt
01/01/1980 12:00 AM 340,497 TasklistSVCHOST.txt
01/01/1980 12:00 AM 1,191 Tracert.txt
01/01/1980 12:00 AM 13,095 WERALL.txt
01/01/1980 12:00 AM 744 WERLocalAppData
01/01/1980 12:00 AM 13,656 WERProgramData
01/01/1980 12:00 AM 1,318 WMICRecoveros.txt
I wrote the original app that generates the above in 2008 and kept tweaking it through the years. It is now a general troubleshooting tool in addition to a mandatory app for BSOD OPs.
Tens, if not hundreds of thousands of people have run some form/version of this app over the last 12+ years. It DOES NOT get installed; it is a stand-alone executable; it does NOT write to the Registry; it DOES create a folder in Documents called SysnativeFileCollectionApp, which can be deleted at any time.
Here is a table naming each file with a brief description of it, followed by a spoiler that, if clicked on, reveals a sample of the output file/report.
Autoruns.txt
The text output of SysInternals Autoruns. It rarely works; not sure why, but we're doing away with it in the next release. The text version of AutoRuns is just too difficult to read. I used to obtain the ARN version, which was fabulous. Will try for that one again.
BSODPostingInstructions.txt
Instructions that appear on the OP's screen at the conclusion of the Sysnative BSOD Dump + File Processing App's execution.
DriverqFo.txt
A listing of drivers - basic info - sorted alphabetically
DeviceName InfName IsSigned Manufacturer
============================== ============= ======== =========================
Generic volume volume.inf TRUE Microsoft
Generic volume shadow copy volsnap.inf TRUE Microsoft
Generic volume volume.inf TRUE Microsoft
Generic volume volume.inf TRUE Microsoft
Volume Manager machine.inf TRUE (Standard system devices)
Microsoft Virtual Drive Enumer machine.inf TRUE (Standard system devices)
Fintek(R) 501 oem51.inf TRUE Fintek ,Inc.
DAEMON Tools Lite Virtual USB oem41.inf FALSE Disc Soft Ltd
UMBus Enumerator umbus.inf TRUE Microsoft
UMBus Root Bus Enumerator umbus.inf TRUE Microsoft
HID-compliant consumer control hidserv.inf TRUE Microsoft
HID-compliant mouse msmouse.inf TRUE Microsoft
HID Keyboard Device keyboard.inf TRUE (Standard keyboards)
HID Keyboard Device keyboard.inf TRUE (Standard keyboards)
HID-compliant mouse msmouse.inf TRUE Microsoft
Corsair composite virtual inpu oem18.inf TRUE Corsair
Corsair Bus oem19.inf TRUE Corsair
RAS Async Adapter netrasa.inf TRUE Microsoft
Plug and Play Software Device machine.inf TRUE (Standard system devices)
CD-ROM Drive cdrom.inf TRUE (Standard CD-ROM drives)
DAEMON Tools Lite Virtual SCSI oem40.inf FALSE Disc Soft Ltd
Terminal Server Mouse Driver machine.inf TRUE (Standard system devices)
Terminal Server Keyboard Drive machine.inf TRUE (Standard system devices)
Windscribe VPN oem58.inf FALSE Windscribe.com
WAN Miniport (SSTP) netsstpa.inf TRUE Microsoft
WAN Miniport (PPTP) netrasa.inf TRUE Microsoft
WAN Miniport (PPPOE) netrasa.inf TRUE Microsoft
WAN Miniport (IPv6) netrasa.inf TRUE Microsoft
WAN Miniport (IP) netrasa.inf TRUE Microsoft
WAN Miniport (Network Monitor) netrasa.inf TRUE Microsoft
WAN Miniport (L2TP) netrasa.inf TRUE Microsoft
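The IsSigned column in the table above is the one worth checking first when triaging a driver list. The parser below is an added example, not part of the Sysnative app: it reads the fixed-width table layout that driverquery writes (column boundaries come from the "=" ruler line, so values containing spaces survive) and lists every row whose IsSigned is not TRUE. The sample rows are constructed in that same layout.

```python
"""Parse the driver table in DriverqFo.txt (the fixed-width layout that
driverquery /fo table writes) and list the drivers whose IsSigned is not TRUE.
Added example for this write-up; it is not part of the Sysnative app."""
import re

# Column widths taken from the '=' ruler line in the page's sample output.
WIDTHS = (30, 13, 8, 25)


def _row(*cols):
    """Lay a row out as driverquery does: space-separated, left-justified columns."""
    return " ".join(c.ljust(w) for c, w in zip(cols, WIDTHS))


# Constructed sample in the same layout as the page's DriverqFo.txt excerpt.
SAMPLE = "\n".join([
    _row("DeviceName", "InfName", "IsSigned", "Manufacturer"),
    " ".join("=" * w for w in WIDTHS),
    _row("Generic volume", "volume.inf", "TRUE", "Microsoft"),
    _row("Fintek(R) 501", "oem51.inf", "TRUE", "Fintek ,Inc."),
    _row("DAEMON Tools Lite Virtual USB", "oem41.inf", "FALSE", "Disc Soft Ltd"),
    _row("DAEMON Tools Lite Virtual SCSI", "oem40.inf", "FALSE", "Disc Soft Ltd"),
    _row("Windscribe VPN", "oem58.inf", "FALSE", "Windscribe.com"),
    _row("WAN Miniport (SSTP)", "netsstpa.inf", "TRUE", "Microsoft"),
]) + "\n"


def column_spans(ruler):
    """Return the (start, end) slice of every run of '=' in the ruler line."""
    return [m.span() for m in re.finditer(r"=+", ruler)]


def parse_table(text):
    """Turn header/ruler/rows text into a list of dicts keyed by column name.

    Column boundaries come from the ruler, not from whitespace, so values that
    themselves contain spaces ('Disc Soft Ltd') survive intact.  The last
    column is read to end of line in case a long value overruns the ruler.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, ruler, rows = lines[0], lines[1], lines[2:]
    spans = column_spans(ruler)
    names = [header[s:e].strip() for s, e in spans]
    records = []
    for row in rows:
        rec = {}
        for i, (s, e) in enumerate(spans):
            end = None if i == len(spans) - 1 else e
            rec[names[i]] = row[s:end].strip()
        records.append(rec)
    return records


def unsigned_drivers(text):
    """Records whose IsSigned column is anything other than TRUE."""
    return [r for r in parse_table(text) if r["IsSigned"].upper() != "TRUE"]


if __name__ == "__main__":
    for r in unsigned_drivers(SAMPLE):
        print(f'{r["InfName"]:<14} {r["DeviceName"]:<32} {r["Manufacturer"]}')
```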
DriverqV.txt
Extremely detailed listing of drivers and execution status
Code:
Module Name Display Name Description Driver Type Start Mode State Status Accept Stop Accept Pause Paged Pool Code(bytes BSS(by Link Date Path Init(bytes
============ ====================== ====================== ============= ========== ========== ========== =========== ============ ========== ========== ====== ====================== ================================================ ==========
1394ohci 1394 OHCI Compliant Ho 1394 OHCI Compliant Ho Kernel Manual Stopped OK FALSE FALSE 4.096 200.704 0 20/11/2010 8:44:56 C:\Windows\system32\drivers\1394ohci.sys 4.096
ACPI Microsoft ACPI Driver Microsoft ACPI Driver Kernel Boot Running OK TRUE FALSE 90.112 176.128 0 10/02/2018 15:21:53 C:\Windows\system32\drivers\ACPI.sys 12.288
AcpiPmi ACPI Power Meter Drive ACPI Power Meter Drive Kernel Manual Stopped OK FALSE FALSE 4.096 4.096 0 20/11/2010 7:30:42 C:\Windows\system32\drivers\acpipmi.sys 4.096
adp94xx adp94xx adp94xx Kernel Manual Stopped OK FALSE FALSE 0 438.272 0 05/12/2008 21:54:42 C:\Windows\system32\drivers\adp94xx.sys 4.096
adpahci adpahci adpahci Kernel Manual Stopped OK FALSE FALSE 0 311.296 0 01/05/2007 14:30:09 C:\Windows\system32\drivers\adpahci.sys 4.096
adpu320 adpu320 adpu320 Kernel Manual Stopped OK FALSE FALSE 0 151.552 0 27/02/2007 21:04:15 C:\Windows\system32\drivers\adpu320.sys 4.096
AFD Ancillary Function Dri Ancillary Function Dri Kernel System Running OK TRUE FALSE 307.200 81.920 0 04/04/2017 11:53:16 C:\Windows\system32\drivers\afd.sys 16.384
agp440 Filtro de barramento I Filtro de barramento I Kernel Manual Stopped OK FALSE FALSE 28.672 16.384 0 18/04/2019 23:11:34 C:\Windows\system32\drivers\agp440.sys 4.096
aliide aliide aliide Kernel Manual Stopped OK FALSE FALSE 0 4.096 0 13/07/2009 20:19:47 C:\Windows\system32\drivers\aliide.sys 4.096
amdide amdide amdide Kernel Manual Stopped OK FALSE FALSE 0 4.096 0 13/07/2009 20:19:49 C:\Windows\system32\drivers\amdide.sys 4.096
AmdK8 AMD K8 Processor Drive AMD K8 Processor Drive Kernel Manual Stopped OK FALSE FALSE 28.672 16.384 0 12/06/2019 11:35:08 C:\Windows\system32\drivers\amdk8.sys 8.192
AmdPPM AMD Processor Driver AMD Processor Driver Kernel Manual Stopped OK FALSE FALSE 28.672 12.288 0 12/06/2019 11:35:08 C:\Windows\system32\drivers\amdppm.sys 4.096
amdsata amdsata amdsata Kernel Manual Stopped OK FALSE FALSE 0 90.112 0 18/03/2010 21:45:17 C:\Windows\system32\drivers\amdsata.sys 4.096
amdsbs amdsbs amdsbs Kernel Manual Stopped OK FALSE FALSE 0 172.032 0 20/03/2009 15:36:03 C:\Windows\system32\drivers\amdsbs.sys 4.096
amdxata amdxata amdxata Kernel Boot Running OK TRUE FALSE 8.192 8.192 0 19/03/2010 13:18:18 C:\Windows\system32\drivers\amdxata.sys 4.096
AppID AppID Driver AppID Driver Kernel Manual Stopped OK FALSE FALSE 40.960 8.192 0 12/06/2019 11:42:51 C:\Windows\system32\drivers\appid.sys 8.192
arc arc arc Kernel Manual Stopped OK FALSE FALSE 0 69.632 0 24/05/2007 18:27:55 C:\Windows\system32\drivers\arc.sys 4.096
arcsas arcsas arcsas Kernel Manual Stopped OK FALSE FALSE 0 77.824 0 14/01/2009 17:27:37 C:\Windows\system32\drivers\arcsas.sys 4.096
ASMMAP64 ASMMAP64 ASMMAP64 Kernel Auto Running OK TRUE FALSE 4.096 4.096 0 02/07/2009 6:13:26 \??\C:\Program Files (x86)\ASUS\ATK Package\ATKG 4.096
AsyncMac RAS Asynchronous Media RAS Asynchronous Media Kernel Manual Stopped OK FALSE FALSE 0 16.384 0 13/07/2009 21:10:13 C:\Windows\system32\DRIVERS\asyncmac.sys 4.096
atapi Canal de IDE Canal de IDE Kernel Boot Running OK TRUE FALSE 0 12.288 0 13/07/2009 20:19:47 C:\Windows\system32\drivers\atapi.sys 4.096
athr Atheros Extensible Wir Atheros Extensible Wir Kernel Manual Running OK TRUE FALSE 0 2.170.880 0 12/06/2012 3:52:12 C:\Windows\system32\DRIVERS\athrx.sys 8.192
ATKWMIACPIIO ATKWMIACPI Driver ATKWMIACPI Driver Kernel System Running OK TRUE FALSE 4.096 8.192 0 06/09/2011 22:44:52 \??\C:\Program Files (x86)\ASUS\ATK Package\ATK 4.096
b06bdrv Broadcom NetXtreme II Broadcom NetXtreme II Kernel Manual Stopped OK FALSE FALSE 0 184.320 0 13/02/2009 20:18:07 C:\Windows\system32\drivers\bxvbda.sys 4.096
b57nd60a Broadcom NetXtreme Gig Broadcom NetXtreme Gig Kernel Manual Stopped OK FALSE FALSE 8.192 212.992 0 26/04/2009 8:14:55 C:\Windows\system32\DRIVERS\b57nd60a.sys 4.096
Beep Beep Beep Kernel System Running OK TRUE FALSE 0 4.096 0 13/07/2009 21:00:13 C:\Windows\system32\drivers\Beep.sys 4.096
blbdrive blbdrive blbdrive Kernel System Running OK TRUE FALSE 4.096 36.864 0 13/07/2009 20:35:59 C:\Windows\system32\DRIVERS\blbdrive.sys 4.096
bowser Browser Support Driver Browser Support Driver File System Manual Running OK TRUE FALSE 65.536 16.384 0 18/07/2018 12:18:04 C:\Windows\system32\DRIVERS\bowser.sys 8.192
DxDiagx86.txt
DirectX Kernel Diagnostics/Info Report
NOTE: You can obtain PCI Hardware Device Information from this report as well as device driver info for video, audio, wifi (if applicable), Ethernet, and other device drivers as well.
EvtxAppDump.txt
Up to 50,000 Event Viewer Application Log entries are dumped and stored in this file.
Often, the EVTX entries go back to the day when the system was first booted or when Windows was last reinstalled.
Code:
Event[0]:
Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: 2019-08-13T15:13:23.614
Event ID: 1000
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: AUTORIDADE NT\SISTEMA
Computer: Abi-PC
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.
Event[1]:
Log Name: Application
Source: Microsoft-Windows-LoadPerf
Date: 2019-08-13T15:13:23.481
Event ID: 1001
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: AUTORIDADE NT\SISTEMA
Computer: Abi-PC
Description:
Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.
Event[2]:
Log Name: Application
Source: Windows Error Reporting
Date: 2019-08-13T15:11:05.000
Event ID: 1001
Task: N/A
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Fault bucket X64_0x3B_c000001d_nt!ObpCloseHandle+14, type 0
Event Name: BlueScreen
Response: Not available
Cab Id: 0
Problem signature:
P1:
P2:
P3:
P4:
P5:
P6:
P7:
P8:
P9:
P10:
Attached files:
C:\Windows\Minidump\081319-34647-01.dmp
C:\Users\Abi\AppData\Local\Temp\WER-68203-0.sysdata.xml
C:\Users\Abi\AppData\Local\Temp\WER511B.tmp.WERInternalMetadata.xml
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Kernel_0_0_cab_0bfc73d7
Analysis symbol: X64_0x3B_c000001d_nt!ObpCloseHandle+14
Rechecking for solution: 0
Report Id: 081319-34647-01
Report Status: 0
Event[3]:
Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 2019-08-13T15:09:41.000
Event ID: 902
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
The Software Protection service has started.
6.1.7601.17514
Event[4]:
Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 2019-08-13T15:09:41.000
Event ID: 1003
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
The Software Protection service has completed licensing status check.
Application Id=55c92734-d682-4d71-983e-d6ec3f16059f
Licensing Status=
1: 022a1afb-b893-4190-92c3-8f69a49839fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
2: 436cef53-8387-4692-bb4a-9492cd82260e, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
3: 57a232fe-0931-48fe-9389-e4586967c661, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
4: 7cfd4696-69a9-4af7-af36-ff3d12b6b6c8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
5: 8ec16e01-e86f-415f-b333-1819f4145294, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
6: a0cde89c-3304-4157-b61c-c8ad785d1fad, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
7: ac96e1a8-6cc4-4310-a4ff-332ce77fb5b8, 1, 1 [(0 )(1 )(2 [0x00000000, 0, 1], [(?)( 5 0x00000000 30 40200)( 1 0x00000000 0 0 msft:rm/algorithm/flags/1.0 0x00000000 0)(?)(?)(?)])]
8: b2c4b9f6-3ee6-4a2a-a361-64ad3b61ded5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
9: bba42084-cacd-4ad4-b606-9f3d6c93b2c5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
10: c619d61c-c2f2-40c3-ab3f-c5924314b0f3, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
11: cfb3e52c-d707-4861-af51-11b27ee6169c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
12: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
13: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
Event[5]:
Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 2019-08-13T15:09:41.000
Event ID: 1066
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Initialization status for service objects.
C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000
Event[6]:
Log Name: Application
Source: SecurityCenter
Date: 2019-08-13T15:09:38.000
Event ID: 1
Task: N/A
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
The Windows Security Center Service has started.
Event[7]:
Log Name: Application
Source: Microsoft-Windows-Security-SPP
Date: 2019-08-13T15:09:36.000
Event ID: 900
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
The Software Protection service is starting.
Event[8]:
Log Name: Application
Source: gupdate
Date: 2019-08-13T15:09:36.000
Event ID: 0
Task: None
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
N/A
Event[9]:
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 2019-08-13T15:09:13.000
Event ID: 10
Task: N/A
Level: Error
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Event[10]:
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 2019-08-13T15:09:13.000
Event ID: 5617
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Windows Management Instrumentation Service subsystems initialized successfully
Event[11]:
Log Name: Application
Source: Microsoft-Windows-Search
Date: 2019-08-13T15:07:34.000
Event ID: 1003
Task: Search service
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
The Windows Search Service started.
Event[12]:
Log Name: Application
Source: ESENT
Date: 2019-08-13T15:07:32.000
Event ID: 302
Task: Logging/Recovery
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Windows (3440) Windows: The database engine has successfully completed recovery steps.
Event[13]:
Log Name: Application
Source: ESENT
Date: 2019-08-13T15:07:32.000
Event ID: 301
Task: Logging/Recovery
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Windows (3440) Windows: The database engine has begun replaying logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log.
Event[14]:
Log Name: Application
Source: ESENT
Date: 2019-08-13T15:07:32.000
Event ID: 300
Task: Logging/Recovery
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Windows (3440) Windows: The database engine is initiating recovery steps.
Event[15]:
Log Name: Application
Source: ESENT
Date: 2019-08-13T15:07:32.000
Event ID: 102
Task: General
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Windows (3440) Windows: The database engine (6.01.7601.0000) started a new instance (0).
Event[16]:
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 2019-08-13T15:07:20.000
Event ID: 5611
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
The Windows Management Instrumentation service has detected an inconsistent system shutdown.
Event[17]:
Log Name: Application
Source: Microsoft-Windows-WMI
Date: 2019-08-13T15:07:19.000
Event ID: 5615
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Windows Management Instrumentation Service started sucessfully
Event[18]:
Log Name: Application
Source: NvStreamSvc
Date: 2019-08-13T15:07:18.000
Event ID: 2003
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
Expected event (Started [0]).
Event[19]:
Log Name: Application
Source: NVNetworkService
Date: 2019-08-13T15:07:17.000
Event ID: 0
Task: None
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: Abi-PC
Description:
N/A
EvtxSysDump.txt
Up to 50,000 Event Viewer System Log entries are dumped and stored in this file.
Often, the EVTX entries go back to the day when the system was first booted or when Windows was last reinstalled.
Code:
Event[0]:
Log Name: System
Source: Microsoft-Windows-Application-Experience
Date: 2019-08-09T21:47:45.949
Event ID: 206
Task: N/A
Level: Information
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: User-PC
Description:
The Program Compatibility Assistant service successfully performed phase two initialization.
Event[1]:
Log Name: System
Source: Microsoft Antimalware
Date: 2019-08-09T21:47:45.000
Event ID: 2010
Task: N/A
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
Microsoft Antimalware used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
Current Signature Version: 1.299.1672.0
Signature Type: AntiSpyware
Current Engine Version: 1.1.16200.1
Dynamic Signature Type: Signature update
Persistence Path: C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\RtSigs\data\a0b32bce52ebf31c374e1c53157eb74cbd13a9bd
Dynamic Signature Version: 0.0.0.0
Dynamic Signature Compilation Timestamp: ?8/?10/?2019 4:47:38 AM
Persistence Limit Type: Duration
Persistence Limit: 288000000
Event[2]:
Log Name: System
Source: Microsoft Antimalware
Date: 2019-08-09T21:47:45.000
Event ID: 2010
Task: N/A
Level: Information
Opcode: Info
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
Microsoft Antimalware used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
Current Signature Version: 1.299.1672.0
Signature Type: AntiVirus
Current Engine Version: 1.1.16200.1
Dynamic Signature Type: Signature update
Persistence Path: C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\RtSigs\data\a0b32bce52ebf31c374e1c53157eb74cbd13a9bd
Dynamic Signature Version: 0.0.0.0
Dynamic Signature Compilation Timestamp: ?8/?10/?2019 4:47:38 AM
Persistence Limit Type: Duration
Persistence Limit: 288000000
Event[3]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:47:44.661
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Multimedia Class Scheduler service entered the running state.
Event[4]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:45:13.071
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Multimedia Class Scheduler service entered the stopped state.
Event[5]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:44:23.085
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Intel(R) SUR QC Software Asset Manager service entered the stopped state.
Event[6]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:43:52.850
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Intel(R) SUR QC Software Asset Manager service entered the running state.
Event[7]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:43:52.828
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Intel(R) SUR QC Software Asset Manager service entered the running state.
Event[8]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:23.146
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The WMI Performance Adapter service entered the stopped state.
Event[9]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:13.626
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Windows Update service entered the running state.
Event[10]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.826
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Security Center service entered the running state.
Event[11]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.532
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Software Protection service entered the running state.
Event[12]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.430
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Intel(R) Rapid Storage Technology service entered the running state.
Event[13]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.222
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Portable Device Enumerator Service service entered the stopped state.
Event[14]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.158
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Google Update Service (gupdate) service entered the stopped state.
Event[15]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.144
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Google Update Service (gupdate) service entered the running state.
Event[16]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:12.087
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Microsoft .NET Framework NGEN v4.0.30319_X64 service entered the running state.
Event[17]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:11.894
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Microsoft .NET Framework NGEN v4.0.30319_X86 service entered the running state.
Event[18]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:42:11.687
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The Background Intelligent Transfer Service service entered the running state.
Event[19]:
Log Name: System
Source: Service Control Manager
Date: 2019-08-09T21:40:22.800
Event ID: 7036
Task: N/A
Level: Information
Opcode: N/A
Keyword: Classic
User: N/A
User Name: N/A
Computer: User-PC
Description:
The WMI Performance Adapter service entered the running state.
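The Event[N]: blocks in EvtxAppDump.txt and EvtxSysDump.txt share one layout, so one parser serves both files. The script below is an added example, not the Sysnative app's code, with two constructed sample events (generic host name) in that layout: it splits a dump into events and pulls the WER fault bucket, stop code, report id and dump path out of each Windows Error Reporting 1001 BlueScreen event, like Event[2] in the Application sample above.

```python
"""Parse the Event[N]: blocks in EvtxAppDump.txt / EvtxSysDump.txt (the layout
wevtutil writes with /f:text) and pull out the WER 1001 'BlueScreen' reports.
Added example for this write-up; it is not part of the Sysnative app."""
import re

HEADER_KEYS = ("Log Name", "Source", "Date", "Event ID", "Task", "Level",
               "Opcode", "Keyword", "User", "User Name", "Computer")

# Constructed sample: two events in the page's layout, with a generic host name.
SAMPLE = r"""Event[0]:
  Log Name: Application
  Source: Microsoft-Windows-LoadPerf
  Date: 2019-08-13T15:13:23.614
  Event ID: 1000
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: EXAMPLE-PC
  Description:
Performance counters for the WmiApRpl (WmiApRpl) service were loaded successfully.

Event[1]:
  Log Name: Application
  Source: Windows Error Reporting
  Date: 2019-08-13T15:11:05.000
  Event ID: 1001
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: Classic
  User: N/A
  User Name: N/A
  Computer: EXAMPLE-PC
  Description:
Fault bucket X64_0x3B_c000001d_nt!ObpCloseHandle+14, type 0
Event Name: BlueScreen

Attached files:
C:\Windows\Minidump\081319-34647-01.dmp
C:\Users\example\AppData\Local\Temp\WER-68203-0.sysdata.xml

Report Id: 081319-34647-01
"""

_EVENT_START = re.compile(r"^Event\[(\d+)\]:\s*$", re.M)
_BUCKET = re.compile(r"Fault bucket (\S+), type (\d+)")
_STOP_CODE = re.compile(r"_(0x[0-9A-Fa-f]+)_")       # e.g. X64_0x3B_... -> 0x3B
_REPORT_ID = re.compile(r"^Report Id: (\S+)", re.M)
_DUMP_PATH = re.compile(r"^(\S.*\.dmp)\s*$", re.M | re.I)


def parse_events(text):
    """Split the dump into events: header 'Key: value' lines become dict entries,
    everything after 'Description:' is kept verbatim (WER nests its own fields there)."""
    events = []
    starts = list(_EVENT_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        ev, desc, in_desc = {"Index": int(m.group(1))}, [], False
        for line in text[m.end():end].splitlines():
            stripped = line.strip()
            if in_desc:
                desc.append(stripped)
            elif stripped == "Description:":
                in_desc = True
            else:
                key, sep, value = stripped.partition(":")
                if sep and key in HEADER_KEYS:
                    ev[key] = value.strip()
        ev["Description"] = "\n".join(desc).strip()
        events.append(ev)
    return events


def bluescreen_reports(text):
    """One record per WER 1001 BlueScreen event: date, bucket, stop code, report id, dumps."""
    reports = []
    for ev in parse_events(text):
        if ev.get("Source") != "Windows Error Reporting" or ev.get("Event ID") != "1001":
            continue
        desc = ev["Description"]
        if "Event Name: BlueScreen" not in desc:
            continue
        bucket = _BUCKET.search(desc)
        bucket_name = bucket.group(1) if bucket else ""
        stop = _STOP_CODE.search(bucket_name)
        report = _REPORT_ID.search(desc)
        reports.append({
            "date": ev.get("Date"),
            "bucket": bucket_name,
            "stop_code": stop.group(1) if stop else None,
            "report_id": report.group(1) if report else None,
            "dumps": _DUMP_PATH.findall(desc),
        })
    return reports
```

Running bluescreen_reports over a real EvtxAppDump.txt gives the crash timeline to line up against the .dmp files in the zip.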
HKCUSoftMSWinCVUninstall.txt
From HKCU Registry - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\
Contains info, including the "uninstall strings" for certain programs/apps
Hosts.txt
The contents of the Windows HOSTS file. A default install contains only the comment header shown below.
Code:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
Jcgriff2Log.txt
A log of the jcgriff2/Sysnative App's execution, including execution time and the WHOAMI command, plus a directory listing of the output (helpful in catching OPs who tamper with the output, and there have been quite a few!).
KernelDumpList.txt
This report runs a DIR command on both the single file \windows\memory.dmp and the \windows\minidump sub-directory so the BSOD Analyst can check whether any dumps were in fact written by a BSOD and are available.
The reason for this file is that occasionally the jcgriff2/Sysnative BSOD App does not properly copy the mini kernel dump files. No idea why this happens on these very rare occasions.
Also, sometimes dumps are listed in this file but not included in the zip file output; it could be because the OP deleted the dump files so that we could not analyze them. This has happened quite a few times.
Most of the OPs involved in this type of activity were trying to cover up the fact that they had a copy of patched Windows (non-genuine) and knew that we would pick up on that fact while processing the dumps. And we have....
Code:
10/08/2019 21:09:31.09
LISTING OF MINI KERNEL DUMP FILES
LISTING OF MINI KERNEL DUMP FILES
Volume in drive C is OS
Volume Serial Number is D273-1481
Directory of C:\WINDOWS\minidump
10/08/2019 08:43 PM BUILTIN\Administrators .
10/08/2019 08:43 PM NT SERVICE\TrustedInsta..
10/08/2019 08:35 PM 1,178,260 081019~4.DMP BUILTIN\Administrators 081019-33015-01.dmp
10/08/2019 08:44 PM 1,037,988 08C2FD~1.DMP BUILTIN\Administrators 081019-34078-01.dmp
10/08/2019 05:53 PM 3,045,252 081019~1.DMP BUILTIN\Administrators 081019-45390-01.dmp
10/08/2019 08:27 PM 0 081019~3.DMP BUILTIN\Administrators 081019-48046-01.dmp
10/08/2019 08:22 PM 0 081019~2.DMP BUILTIN\Administrators 081019-55187-01.dmp
5 File(s) 5,261,500 bytes
2 Dir(s) 461,436,878,848 bytes free
_______________________________________________________
10/08/2019 21:09:31.10
FULL KERNEL DUMP FILE
FULL KERNEL DUMP FILE
Volume in drive C is OS
Volume Serial Number is D273-1481
Directory of C:\WINDOWS
10/08/2019 08:43 PM 1,148,785,769 BUILTIN\Administrators MEMORY.DMP
1 File(s) 1,148,785,769 bytes
0 Dir(s) 461,436,878,848 bytes free
_______________________________________________________
E O J
E O J
10/08/2019 21:09:31.11
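The listing above is what lets an analyst tell whether the dumps in the zip match what was on the OP's disk. As an added example (not part of the Sysnative app; the listing, sizes and archive are all constructed), this script parses the .dmp lines of KernelDumpList.txt and reports dumps that are listed but absent from the zip, listed as 0 bytes, or a different size than DIR recorded.

```python
"""Cross-check the dumps that KernelDumpList.txt says were on the OP's machine
against what actually arrived in SysnativeFileCollectionApp.zip: listed but
absent, zero-byte, or a different size than the DIR listing recorded.
Added example for this write-up; it is not part of the Sysnative app."""
import io
import re
import zipfile

# Constructed listing in the page's layout: date, time, size, 8.3 short name,
# owner, long name.  Sizes are small so the sample archive stays small too.
KERNEL_DUMP_LIST = r"""10/08/2019 21:09:31.09
LISTING OF MINI KERNEL DUMP FILES
 Volume in drive C is OS
 Directory of C:\WINDOWS\minidump
10/08/2019  08:43 PM                   BUILTIN\Administrators .
10/08/2019  08:35 PM             4,096 081019~4.DMP BUILTIN\Administrators 081019-33015-01.dmp
10/08/2019  08:44 PM             2,048 08C2FD~1.DMP BUILTIN\Administrators 081019-34078-01.dmp
10/08/2019  05:53 PM             8,192 081019~1.DMP BUILTIN\Administrators 081019-45390-01.dmp
10/08/2019  08:27 PM                 0 081019~3.DMP BUILTIN\Administrators 081019-48046-01.dmp
               4 File(s)         14,336 bytes
"""

# date  time  size  short-name  owner  long-name(.dmp)
_ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+([\d,]+)\s+\S+\s+.+?\s+(\S+\.dmp)\s*$",
    re.I | re.M,
)


def listed_dumps(text):
    """Map each .dmp long name in the listing to the size DIR recorded for it."""
    return {name: int(size.replace(",", "")) for size, name in _ENTRY.findall(text)}


def check_archive(listing_text, zip_bytes):
    """Compare the listing with the archive's .dmp members (matched by base
    name, case-insensitively, so a sub-folder inside the zip does not matter)."""
    expected = listed_dumps(listing_text)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        in_zip = {
            info.filename.rsplit("/", 1)[-1].lower(): info.file_size
            for info in zf.infolist()
            if info.filename.lower().endswith(".dmp")
        }
    findings = {"missing": [], "zero_byte": [], "size_mismatch": [], "unlisted": []}
    for name, size in expected.items():
        if size == 0:                       # DIR already shows an empty dump
            findings["zero_byte"].append(name)
        elif name.lower() not in in_zip:    # listed on the machine, not in the zip
            findings["missing"].append(name)
        elif in_zip[name.lower()] != size:  # arrived, but not the size DIR saw
            findings["size_mismatch"].append(name)
    listed = {n.lower() for n in expected}
    findings["unlisted"] = sorted(n for n in in_zip if n not in listed)
    return findings


def build_sample_zip():
    """Constructed archive: one dump intact, one truncated, one never copied."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("081019-33015-01.dmp", b"\x00" * 4096)
        zf.writestr("081019-34078-01.dmp", b"\x00" * 1024)   # listing says 2,048
        zf.writestr("KernelDumpList.txt", KERNEL_DUMP_LIST)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, names in check_archive(KERNEL_DUMP_LIST, build_sample_zip()).items():
        print(f"{kind:<14} {', '.join(names) or '-'}")
```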
MSInfo32.nfo
This is one of the most comprehensive reports available from Windows and I highly recommend that you spend time getting to know it. The information it contains will definitely come in handy as you continue your learning of BSOD processing.
Bring up your own msinfo32: open a search box or a CMD Prompt, type msinfo32.exe and press ENTER. Look over the information carefully.
NetSHLAN1.txt
Windows Networking Report showing wifi signal strength and the wifi driver name and info.
This is very helpful when troubleshooting network problems.
Code:
*********************************************************************
*********************************************************************
*********** B E G I N *** N E T W O R K *** I N F O ***********
*********** B E G I N *** N E T W O R K *** I N F O ***********
*********************************************************************
*********************************************************************
by John C. Griffith, Microsoft MVP
***************** WIFI WLAN NETSH WLAN SHOW ALL ******************
***************** WIFI WLAN NETSH WLAN SHOW ALL ******************
Wireless System Information Summary
(Time: 13/08/2019 15:20:34 E. South America Standard Time)
=======================================================================
============================== SHOW DRIVERS ===========================
=======================================================================
Interface name: Conexao de Rede sem Fio
Driver : Atheros AR9485WB-EG Wireless Network Adapter
Vendor : Atheros Communications Inc.
Provider : Atheros Communications Inc.
Date : 11/06/2012
Version : 9.2.0.504
INF file : C:\Windows\INF\oem7.inf
Files : 2 total
C:\Windows\system32\DRIVERS\athrx.sys
C:\Windows\system32\drivers\vwifibus.sys
Type : Native Wi-Fi Driver
Radio types supported : 802.11b 802.11g 802.11n
FIPS 140-2 mode supported : Yes
Hosted network supported : Yes
Authentication and cipher supported in infrastructure mode:
Open None
Open WEP-40bit
Shared WEP-40bit
Open WEP-104bit
Shared WEP-104bit
Open WEP
Shared WEP
WPA-Enterprise TKIP
WPA-Personal TKIP
WPA2-Enterprise TKIP
WPA2-Personal TKIP
Vendor defined TKIP
WPA2-Enterprise Vendor defined
Vendor defined Vendor defined
WPA-Enterprise CCMP
WPA-Personal CCMP
WPA2-Enterprise CCMP
Vendor defined CCMP
WPA2-Enterprise Vendor defined
Vendor defined Vendor defined
WPA2-Personal CCMP
Vendor defined Vendor defined
Authentication and cipher supported in ad-hoc mode:
Open None
Open WEP-40bit
Open WEP-104bit
Open WEP
WPA2-Personal CCMP
Vendor defined Vendor defined
IHV service present : Yes
IHV adapter OUI : [00 03 7f], type: [00]
IHV extensibility DLL path: C:\Program Files (x86)\Qualcomm Atheros WiFi Driver Installation\AthIhvWlanExt.dll
IHV UI extensibility ClSID: {00000000-0000-0000-0000-000000000000}
IHV diagnostics CLSID : {00000000-0000-0000-0000-000000000000}
=======================================================================
============================= SHOW INTERFACES =========================
=======================================================================
There is 1 interface on the system:
Name : Conexao de Rede sem Fio
Description : Atheros AR9485WB-EG Wireless Network Adapter
GUID : cb1e3989-a580-43e2-81d3-9810ee708d01
Physical address : 24:fd:52:b5:16:2e
State : connected
SSID : Hotel Faro
BSSID : 02:27:22:d5:cc:75
Network type : Infrastructure
Radio type : 802.11n
Authentication : Open
Cipher : None
Connection mode : Auto Connect
Channel : 11
Receive rate (Mbps) : 72.2
Transmit rate (Mbps) : 72.2
Signal : 64%
Profile : Hotel Faro
Hosted network status : Not available
=======================================================================
=========================== SHOW HOSTED NETWORK =======================
=======================================================================
Hosted network settings
-----------------------
Mode : Allowed
Settings :
Hosted network status
---------------------
Status : Not available
=======================================================================
============================= SHOW SETTINGS ===========================
=======================================================================
NetstatJcgriff2
Windows NETSTAT file output.
Again, this app and its output are used for much more than BSOD troubleshooting.
Code:
=========================================================================
=============== 13/08/2019 15:21:22,13 ==== NETSTAT ====================
=========================================================================
Interface Statistics
Received Sent
Bytes 377518955 27909860
Unicast packets 304690 207090
Non-unicast packets 20560 1010
Discards 0 0
Errors 0 0
Unknown protocols 0
Interface Index = 1
Description = Type = 24
Mtu = 1500
Speed = 1073741824
Physical Address = Administrative Status = 1
Operational Status = 1
Last Changed = 0
Output Queue Length = 0
Interface Index = 2
Description = Type = 131
Mtu = 4091
Speed = 1073741824
Physical Address = Administrative Status = 1
Operational Status = 1
Last Changed = 0
Output Queue Length = 0
Interface Index = 3
Description = Type = 131
Mtu = 1460
Speed = 1073741824
Physical Address = Administrative Status = 1
Operational Status = 1
Last Changed = 0
Output Queue Length = 0
Interface Index = 4
Description = Type = 131
Mtu = 1464
Speed = 1073741824
Physical Address = Administrative Status = 1
Operational Status = 1
Last Changed = 0
Output Queue Length = 0
Interface Index = 5
Description = Type = 23
Mtu = 1494
Speed = 1073741824
Physical Address = Administrative Status = 1
Operational Status = 1
Last Changed = 0
Output Queue Length = 0
NetstatJcgriff2.StdErr
NETSTAT Errors
Code:
NO DATA AVAILABLE
RAMInfo.html
RAM Info is a WMI command that reports on RAM. Unfortunately, it does not work for every OP and the file is sometimes empty.
Code:
NO DATA AVAILABLE
SetEnvironmentVar.txt
The SET command is issued during execution to show the environment variables and their values.
SystemInfo.txt
Basic system info, plus a full listing of all installed Windows Updates (KB numbers) and the active network adapters.
Code:
Host Name: ABI-PC
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Organization:
Product ID: 00426-292-0000007-85267
Original Install Date: 11/08/2019, 14:23:53
System Boot Time: 13/08/2019, 15:06:14
System Manufacturer: ASUSTeK COMPUTER INC.
System Model: K46CB
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: Intel64 Family 6 Model 58 Stepping 9 GenuineIntel ~1801 Mhz
BIOS Version: American Megatrends Inc. K46CB.207, 17/05/2013
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-03:00) Brasilia
Total Physical Memory: 3.982 MB
Available Physical Memory: 981 MB
Virtual Memory: Max Size: 7.961 MB
Virtual Memory: Available: 4.067 MB
Virtual Memory: In Use: 3.894 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\ABI-PC
Hotfix(s): 181 Hotfix(s) Installed.
[01]: KB2849697
[02]: KB2849697
[03]: KB2849696
[04]: KB2849696
[05]: KB2841134
[06]: KB2841134
[07]: KB2670838
[08]: KB971033
[09]: KB2479943
[10]: KB2491683
[11]: KB2506014
[12]: KB2506212
[13]: KB2506928
[14]: KB2532531
[15]: KB2533552
Network Card(s): 2 NIC(s) Installed.
[01]: Dispositivo Bluetooth (Rede Pessoal)
Connection Name: Conexao de Rede Bluetooth
Status: Media disconnected
[02]: Atheros AR9485WB-EG Wireless Network Adapter
Connection Name: Conexao de Rede sem Fio
DHCP Enabled: Yes
DHCP Server: 192.168.96.1
IP address(es)
[01]: 192.168.99.135
[02]: fe80::917e:45ac:2cf4:f051
TasklistSVCHOST.txt
The currently running Windows task list, detailing the services hosted by each SVCHOST process, followed by the verbose task list.
Code:
Image Name PID Services
========================= ======== ============================================
svchost.exe 772 DcomLaunch, PlugPlay, Power
svchost.exe 880 RpcEptMapper, RpcSs
svchost.exe 976 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc
svchost.exe 1008 AudioEndpointBuilder, CscService, hidserv,
Netman, PcaSvc, TrkWks, UxSms,
WdiSystemHost, Wlansvc, wudfsvc
svchost.exe 128 EventSystem, FontCache, netprofm, nsi,
WdiServiceHost, WinHttpAutoProxySvc
svchost.exe 300 AeLookupSvc, Appinfo, BITS, EapHost, gpsvc,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
Schedule, SENS, ShellHWDetection, Themes,
Winmgmt, wuauserv
svchost.exe 1092 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
svchost.exe 1656 BFE, DPS, MpsSvc
svchost.exe 1116 DiagTrack
svchost.exe 2328 stisvc
svchost.exe 2352 SysMain
svchost.exe 2756 bthserv
svchost.exe 3600 SSDPSRV, upnphost
svchost.exe 4704 WinDefend
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Services 0 24 K Unknown NT AUTHORITY\SYSTEM 0:52:26 N/A
System 4 Services 0 8.792 K Unknown N/A 0:00:46 N/A
smss.exe 284 Services 0 996 K Unknown AUTORIDADE NT\SISTEMA 0:00:00 N/A
csrss.exe 428 Services 0 4.272 K Unknown AUTORIDADE NT\SISTEMA 0:00:00 N/A
csrss.exe 544 Console 1 23.912 K Running AUTORIDADE NT\SISTEMA 0:00:02 N/A
wininit.exe 552 Services 0 4.268 K Unknown AUTORIDADE NT\SISTEMA 0:00:00 N/A
winlogon.exe 600 Console 1 6.104 K Unknown AUTORIDADE NT\SISTEMA 0:00:00 N/A
services.exe 648 Services 0 10.536 K Unknown AUTORIDADE NT\SISTEMA 0:00:02 N/A
Tracert.txt
Windows TRACERT command
Code:
Tracing route to sysnative.com [104.247.78.250]
over a maximum of 30 hops:
1 33 ms 36 ms 36 ms 192.168.96.1
2 2 ms 2 ms 2 ms 189.127.3.145.nipcable.com [189.127.3.145]
3 2 ms 2 ms 3 ms 186.236.65.17.nipbr.com [186.236.65.17]
4 47 ms 6 ms 4 ms 100g.200.220.128.45.nipcable.com [200.220.128.45]
5 43 ms 47 ms 47 ms 187-51-232-209.customer.tdatabrasil.net.br [187.51.232.209]
6 8 ms 21 ms 23 ms 152-255-155-218.user.vivozap.com.br [152.255.155.218]
7 56 ms 66 ms 59 ms 213.140.39.93
8 117 ms 115 ms 119 ms 5.53.3.145
9 * * * Request timed out.
10 * * * Request timed out.
11 217 ms 215 ms 243 ms 4.79.22.110
12 * * * Request timed out.
13 * * * Request timed out.
14 220 ms 219 ms 218 ms eccomp4-havp6.inmotionhosting.com [104.193.140.55]
15 219 ms 220 ms 245 ms vps32419.inmotionhosting.com [104.247.78.250]
Trace complete.
WERALL.txt
Windows WER Reports, their directory names and locations
No EULA popup visible, so it hangs. Back in the day I manually triggered and agreed to the EULA before triggering the file collection app; the file collection included the then-expected .ARN.
Must ask, everything it's collecting along with IP + router versions and a lot more,
this just seems way too weird to post on a forum, due to the fact that anyone can go through these and have malicious intentions.
Do you guys reconcile with this at all? Or do you go by the "the external IP is not shown, therefore it's safe"?
The files generated aren't specifically for BSOD problems even though that's a main purpose of the tool. The files can also, and have in the past, been used for other problems which include network related problems.
Whether some files are still needed these days, I don't know. I believe updating the tool is on the todo list by those who created it but it's not a priority.
You're not the first to ask about this though, but, as far as I know, there haven't been any incidents with the files that consequently require updating the tool.
At least practice good safety for the users who need help: if there is a handler that is deemed trustworthy, let him get the files separately instead of having your entire system details posted on an open forum.
I don't understand your point at all. The reason for the sysnative collection tool to exist is to know your system, both hardware and applications, and not just that but other things such as net-related configuration. This by itself is a reason for concern if anyone wants to play around and poke around to see how badly one can mess up your system.
I'm not saying it's a usual thing someone would come here just to do this, I'm simply stating that the load of data that is required to post for specific problems is just stupid.
I have a problem with my mouse, someone comes in saying "Yeah don't do anything just post me sysnative collection data" and acting like there's no problem with it.
And again, I think the practice of actually just sending the data to someone who's there to help is fine, but the practice of asking one to upload everything for the entire forum / net to see is honestly weird.
I'm not against the application, I'm against the practice of it on help forums like this and others. It would maybe be good to have an anonymized version of it, like a light scan which excludes your network configuration and the things that make you an easy target.
It's not a point, it's a question and examples of how one is vulnerable by browsing the internet.
I'm not trying to be contrary either. I appreciate your input.
The thing is, when one is troubleshooting a computer issue, the more info we have, the better to target the issue accurately. Sharing the info on the forum also opens it up to more brains, hence further drilling down to a solution. It also puts it out there for others with similar issues and has helped solve issues in that manner. It also enables learning to others who want to learn.
Sharing this info on the forum is always up to the user posting. We never force anyone to share.
If I had to make a point I guess it would be that the info put out is no more a honeypot for bad actors than the info that is already available to a bad actor.
If you look around the plethora of tech sites, it's not weird, it's common practice. Otherwise, no fixes would be found.
There is no personal information shared in those files and most - if not all - of the network configuration data is trivial and would change upon a reboot. There have been no problems reported by users with the log collection tool and it is used by most of the "big" tech support forums.
There is a reference to Geek Police in the script - it would seem that this batch file may be using some of their code which is not something we would want to do.
The current log collection tool provides most of that information though. Do we need all their network configuration? We rarely - if ever - use it in dump file analysis. It's always best to ask for the minimum amount of information possible, especially if the user asks for justification.
Thank you, but we will continue to use ours - originally written by me in 2007/8 and updated by several others since then. We all are very used to it by now.
The Sysnative/jcgriff2 Kernel Dump and System File Collection App has over 1 million downloads to date -- all versions combined -- and works just fine for us.
Besides Sysnative Forums being its home base, Bleeping Computer, TechSupportForum (TSF), Malwarebytes (MBAM) and others use it for BSOD threads as well as for general troubleshooting purposes.
John
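The thread above turns on how much of the collected network and machine identity needs to reach a public forum. The script below is an added example, not part of the jcgriff2 tool or anything posted in the thread: it passes the collected text files through a redaction step that replaces MACs, IP addresses and labelled identifiers (SSID, BSSID, host name, product ID) with stable placeholders while leaving the diagnostically useful fields (driver version, cipher, boot time) intact. The sample input is constructed to mirror the netsh, systeminfo and tracert output formats shown earlier.

```python
import ipaddress
import re

# Constructed sample in the shape of the collection app's netsh / systeminfo / tracert
# output; every value is made up and comes from no real machine.
SAMPLE = """\
Physical address : 00:11:22:33:44:55
SSID : ExampleCafe
BSSID : 66:77:88:99:aa:bb
Cipher : None
Version : 9.2.0.504
Host Name: DESK-01
System Boot Time: 13/08/2019, 15:06:14
DHCP Server: 192.168.1.1
  [01]: 192.168.1.50
  [02]: fe80::1234:abcd:5678:ef01
  1    33 ms    36 ms    36 ms  192.168.1.1
"""
# Labelled fields whose whole value identifies the user, the machine or the network.
LABELLED = re.compile(
    r"^(\s*)(SSID|BSSID|Profile|GUID|Host Name|Logon Server|Product ID)(\s*:\s*)(.+)$",
    re.IGNORECASE | re.MULTILINE)
MAC = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.IGNORECASE)
# Anything shaped like an IP literal; ipaddress.ip_address() makes the final call, so
# driver versions (9.2.0.504) and clock times (15:06:14) survive untouched.
IP_CANDIDATE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[0-9a-f]*:[0-9a-f:]*:[0-9a-f:]*\b", re.IGNORECASE)

class Redactor:
    """Swap identifiers for stable placeholders: one real value always maps to one token,
    so the DHCP server and the first traceroute hop are still visibly the same address."""

    def __init__(self):
        self.seen = {}  # (kind, lower-cased value) -> placeholder

    def token(self, kind, value):
        n = sum(k[0] == kind for k in self.seen) + 1  # next free number for this kind
        return self.seen.setdefault((kind, value.lower()), f"<{kind}-{n}>")

    def _ip(self, m):
        try:
            return self.token("IP", str(ipaddress.ip_address(m.group(0))))
        except ValueError:
            return m.group(0)  # not an address: leave it alone

    def redact(self, text):
        # Labelled fields first, so a BSSID is filed under its own kind rather than as a MAC.
        text = LABELLED.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + self.token(
            m.group(2).upper().replace(" ", "_"), m.group(4).strip()), text)
        text = MAC.sub(lambda m: self.token("MAC", m.group(0)), text)
        return IP_CANDIDATE.sub(self._ip, text)
```

Run each collected .txt file through `Redactor().redact()` with one shared instance so placeholders stay consistent across files; the `seen` map is the key a trusted helper could be given privately if a real value is ever needed.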