Run the client analyzer on Windows

Applies to:

  1. Download the MDE Client Analyzer tool to the Windows machine you need to investigate.

  2. Extract the contents of MDEClientAnalyzer.zip on the machine.

  3. Open an elevated command line:

    1. Go to Start and type cmd.
    2. Right-click Command prompt and select Run as administrator.
  4. Enter the following command and press Enter:

    HardDrivePath\MDEClientAnalyzer.cmd
    

    Replace HardDrivePath with the path to which the tool was extracted to, for example:

    C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
    

In addition to the above, there is also an option to collect the analyzer support logs using live response..

Note

On Windows 10/11, Windows Server 2019/2022, or Windows Server 2012R2/2016 with the modern unified solution installed, the client analyzer script calls into an executable file called MDEClientAnalyzer.exe to run the connectivity tests to cloud service URLs.

On Windows 8.1, Windows Server 2016 or any previous OS edition where Microsoft Monitoring Agent (MMA) is used for onboarding, the client analyzer script calls into an executable file called MDEClientAnalyzerPreviousVersion.exe to run connectivity tests for Command and Control (CnC) URLs while also calling into Microsoft Monitoring Agent connectivity tool TestCloudConnection.exe for Cyber Data channel URLs.

All the PowerShell scripts and modules included with the analyzer are Microsoft-signed. If files have been modified in any way, then the analyzer is expected to exit with the following error:

The client analyzer error

If this error is shown, then the issuerInfo.txt output will contain detailed information about why that happened and what file was affected:

The issuer info

Example contents after MDEClientAnalyzer.ps1 is modified:

The  modified ps1 file

Result package contents on Windows

Note

The exact files captured may change depending on factors such as:

  • The version of windows on which the analyzer is run.
  • Event log channel availability on the machine.
  • The start state of the EDR sensor (Sense is stopped if machine is not yet onboarded).
  • If an advanced troubleshooting parameter was used with the analyzer command.

By default, the unpacked MDEClientAnalyzerResult.zip file will contain the following items.

  • MDEClientAnalyzer.htm

    This is the main HTML output file, which will contain the findings and guidance that the analyzer script run on the machine can produce.

  • SystemInfoLogs [Folder]

    • AddRemovePrograms.csv

      Description: List of x64 installed software on x64 OS collected from registry.

    • AddRemoveProgramsWOW64.csv

      Description: List of x86 installed software on x64 OS collected from registry.

      • CertValidate.log

        Description: Detailed result from certificate revocation executed by calling into CertUtil.

      • dsregcmd.txt

        Description: Output from running dsregcmd. This provides details about the Azure AD status of the machine.

      • IFEO.txt

        Description: Output of Image File Execution Options configured on the machine

      • MDEClientAnalyzer.txt

        Description: This is verbose text file showing with details of the analyzer script execution.

      • MDEClientAnalyzer.xml

        Description: XML format containing the analyzer script findings.

      • RegOnboardedInfoCurrent.Json

        Description: The onboarded machine information gathered in JSON format from the registry.

    • RegOnboardingInfoPolicy.Json

      Description: The onboarding policy configuration gathered in JSON format from the registry.

      • SCHANNEL.txt

        Description: Details about SCHANNEL configuration applied to the machine such gathered from registry.

      • SessionManager.txt

        Description: Session Manager specific settings gather from registry.

      • SSL_00010002.txt

        Description: Details about SSL configuration applied to the machine gathered from registry.

  • EventLogs [Folder]

    • utc.evtx

      Description: Export of DiagTrack event log

    • senseIR.evtx

      Description: Export of the Automated Investigation event log

    • sense.evtx

      Description: Export of the Sensor main event log

    • OperationsManager.evtx

      Description: Export of the Microsoft Monitoring Agent event log

See also