Logs de diagnóstico

Artigo
03/11/2023

Se você relatou um problema ou nosso serviço identifica um problema, talvez tenhamos que coletar certos logs de diagnóstico do dispositivo sem intervenção do usuário.

Não coletamos nenhum conteúdo gerado pelo usuário ou informações de diretórios de usuários. Coletamos apenas dados de diagnóstico e log que se referem à integridade do dispositivo e ao status.

Armazenamos todos os logs coletados por 28 dias e depois os excluímos. Processamos todos os registros coletados de um dispositivo seguindo nossos padrões de manuseio de dados.

Dados coletados

A lista a seguir inclui todas as pastas, logs de eventos, executáveis ou locais de registro dos quais a Área de Trabalho Gerenciada da Microsoft pode coletar logs de diagnóstico.

Os dados reais coletados serão um subconjunto desta lista e dependem do problema identificado.

Chaves de registro

HKLM\\SYSTEM\\CurrentControlSet\\Services HKLM\\SOFTWARE\\Microsoft\\Surface HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate HKLM\\SYSTEM\\CurrentControlSet\\Control\\MUI\\UILanguages HKLM\\Software\\Policies\\Microsoft\\WindowsStore HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel HKLM\\SYSTEM\\CurrentControlSet\\Control\\FirmwareResources HKLM\\SOFTWARE\\Microsoft\\WindowsSelfhost HKLM\\SOFTWARE\\Microsoft\\WindowsUpdate HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Superfetch HKLM\\SYSTEM\\Setup HKLM\\Software\\Microsoft\\IntuneManagementExtension HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall HKLM\\Software\\Policies HKLM\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL

Comandos

%programfiles%\\windows defender\\mpcmdrun.exe -GetFiles %windir%\\system32\\certutil.exe -store %windir%\\system32\\certutil.exe -store -user my %windir%\\system32\\Dsregcmd.exe /status %windir%\\system32\\ipconfig.exe /all %windir%\\system32\\ipconfig.exe /displaydns %windir%\\system32\\mdmdiagnosticstool.exe %windir%\\system32\\msinfo32.exe /report %temp%\\MDMDiagnostics\\msinfo32.log %windir%\\system32\\netsh.exe advfirewall show allprofiles %windir%\\system32\\netsh.exe advfirewall show global %windir%\\system32\\netsh.exe lan show profiles %windir%\\system32\\netsh.exe winhttp show proxy %windir%\\system32\\netsh.exe wlan show profiles %windir%\\system32\\netsh.exe wlan show wlanreport %windir%\\system32\\ping.exe -n 50 localhost %windir%\\system32\\powercfg.exe /batteryreport /output %temp%\\MDMDiagnostics\\battery-report.html %windir%\\system32\\powercfg.exe /energy /output %temp%\\MDMDiagnostics\\energy-report.html bitsadmin /list /allusers /verbose fltMC.exe bcdedit /enum all /v manage-bde -protectors -get Windows PowerShell commands: Get-appxpackage -allusers Get-appxpackage -packagetype bundle Get-Service wuauserv Get-NetFirewallRule Get-WmiObject -Class win32\_product Get-ComputerInfo Get-Service Get-Process Get-WmiObject Win32\_PnPSignedDriver

Logs de eventos

Application Microsoft-Windows-AppLocker/EXE and DLL Microsoft-Windows-AppLocker/MSI and Script Microsoft-Windows-AppLocker/Packaged app-Deployment Microsoft-Windows-AppLocker/Packaged app-Execution Microsoft-Windows-Bitlocker/Bitlocker Management Microsoft-Windows-SENSE/Operational Microsoft-Windows-SenseIR/Operational Setup System

Arquivos

%ProgramData%\\Microsoft\\DiagnosticLogCSP\\Collectors\\\*.etl %ProgramData%\\Microsoft\\IntuneManagementExtension\\Logs\\\*.\* %ProgramData%\\Microsoft\\Windows Defender\\Support\\MpSupportFiles.cab %ProgramData%\\Microsoft\\Windows\\WlanReport\\wlan-report-latest.html %ProgramData%\\Microsoft\\Windows\\WlanReport -SourceFileName wlan-report-latest.html %windir%\\ccm\\logs\*.log %windir%\\ccmsetup\\logs\*.log %windir%\\logs\\CBS\\cbs.log %windir%\\logs\\measuredboot\*.\* %windir%\\Logs\\WindowsUpdate\*.etl %windir%\\inf\\\*.log %windir%\\servicing\\sessions\\ActionList.xml %windir%\\servicing\\sessions\\Sessions.xml %windir%\\SoftwareDistribution\\DataStore\\Logs\\edb.log %windir%\\SoftwareDistribution\\DataStore\\DataStore.edb %windir%\\logs\\dism\\dism.log %SystemRoot%\\System32\\Winevt\\Logs\\ %appdata%\\Microsoft\\Teams\\media-stack\\\*.blog %appdata%\\Microsoft\\Teams\\skylib\\\*.blog %appdata%\\Microsoft\\Teams\\media-stack\\\*.etl %appdata%\\Microsoft\\Teams\\logs.txt %windir%\\Windows\\System32\\winevt\\\*.\*

Compartilhar via