Wednesday, May 24, 2023

How to troubleshoot Windows updates and OS-related issues.

This article addresses how to get rid of a specific KB (update) and shows some more DISM commands to fix broken Windows online images. With a few tricks in the Deployment Image Servicing and Management (DISM) command-line utility, admins can solve some of the most common Windows 10 update problems plaguing their users.

DISM is really powerful and is well documented in the official Microsoft docs. There is an unofficial GUI for it called DISM++, maintained by a Chinese developer for several years, in case you are not a friend of the command line, but it is not really needed: the command-line parameters are easy to understand and, as already mentioned, well documented.

Identify the installed cumulative updates (KB)

First, we need to get the list of packages installed on the PC with the issue by running this command:

  • dism /online /get-packages /format:table

Alternatively, redirect the output to a file to get a better view:

  • dism /online /get-packages /format:table > patches.txt

This generates a file called ‘patches.txt’ where you can see all installed updates and hotfixes.


Remove the problematic KB

Let’s say you want to remove the Package_for_KB2870699~31bf3856ad364e35~amd64~~6.2.1.1 package, then use the following command to silently remove it:

  • DISM.exe /Online /Remove-Package /PackageName:Package_for_KB2870699~31bf3856ad364e35~amd64~~6.2.1.1 /quiet /norestart

You could use this command in a batch script if you want to remove more than one update. The hardest part is finding the exact package name, but with the method above you only need to look at the KB number to identify which package to remove. Getting rid of a hotfix is a little more complicated, because there is no specific identifier and the names are random; so before you install a hotfix, make a list of the currently installed updates and compare it against the list after the hotfix is installed.
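The "snapshot before and after, then compare" approach and the "find the package name by KB number" step above, as an added PowerShell example that is not part of the original post. It calls dism.exe exactly as the post does; the function names, the C:\Temp snapshot paths and the exit-code handling are my own.

```powershell
# Added example, not part of the original post: snapshot, compare and remove
# DISM packages by KB number from an elevated PowerShell prompt.

function Get-OnlinePackageNames {
    # Parse 'dism /online /get-packages /format:table'. Package rows look like
    # 'Package_for_KB2870699~31bf3856ad364e35~amd64~~6.2.1.1 | Installed | Update | ...'
    $output = & dism.exe /online /get-packages /format:table
    if ($LASTEXITCODE -ne 0) { throw "dism.exe failed with exit code $LASTEXITCODE (run elevated?)" }
    foreach ($line in $output) {
        if ($line -notmatch '\|') { continue }          # banner, version and progress lines
        $name = ($line -split '\|')[0].Trim()
        if ($name -match '~') { $name }                 # drops the header and ---- separator rows
    }
}

function Save-PackageSnapshot {
    # Write the current package list to a file (take one before and one after a hotfix).
    param([Parameter(Mandatory)][string]$Path)
    Get-OnlinePackageNames | Sort-Object -Unique | Set-Content -Path $Path
}

function Compare-PackageSnapshot {
    # Names present in the 'after' snapshot but not in 'before': what the hotfix installed.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $seen = @{}
    Get-Content -Path $Before | ForEach-Object { $seen[$_] = $true }
    Get-Content -Path $After  | Where-Object { -not $seen.ContainsKey($_) }
}

function Find-PackageByKB {
    # Accepts '2870699' or 'KB2870699'; (?!\d) keeps KB28706 from matching KB2870699.
    param([Parameter(Mandatory)][string]$KB)
    $number = $KB -replace '^KB', ''
    Get-OnlinePackageNames | Where-Object { $_ -match "KB${number}(?!\d)" }
}

function Remove-PackageByKB {
    # Removes every installed package carrying the KB number; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KB)
    $found = @(Find-PackageByKB -KB $KB)
    if ($found.Count -eq 0) { Write-Warning "No installed package matches $KB"; return }
    foreach ($name in $found) {
        if ($PSCmdlet.ShouldProcess($name, 'dism /Online /Remove-Package')) {
            & dism.exe /Online /Remove-Package "/PackageName:$name" /quiet /norestart
            switch ($LASTEXITCODE) {
                0       { "$name removed" }
                3010    { "$name removed, reboot required" }   # ERROR_SUCCESS_REBOOT_REQUIRED
                default { Write-Warning "dism.exe returned $LASTEXITCODE for $name" }
            }
        }
    }
}

# Usage:
#   Save-PackageSnapshot -Path C:\Temp\before.txt   # install the hotfix, then:
#   Save-PackageSnapshot -Path C:\Temp\after.txt
#   Compare-PackageSnapshot -Before C:\Temp\before.txt -After C:\Temp\after.txt
#   Remove-PackageByKB -KB KB2870699 -WhatIf
```

Run `Remove-PackageByKB` with `-WhatIf` first: it prints the exact package identities that would be passed to `/Remove-Package`, which is the part the post says is hardest to get right by hand.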

Other useful commands

Display the basic help and store it in a file:

  • dism /?
  • dism /mount-wim /? > C:\dismhelp.txt

Display a list of all the Windows images contained in a WIM file:

  • dism /get-wiminfo /wimfile:

Mount a Windows image:

  • dism /mount-wim /wimfile: /index:1 /mountdir:c:\mount

Image status/cleanup:

  • dism /get-mountedwiminfo
  • If the image is okay, remount it: dism /remount-wim /mountdir:
  • dism /cleanup-wim

Add all drivers from a folder:

  • dism /image:c:\mount /add-driver /driver:c:\drivers

Add all drivers from the top-level folder and all folders below it:

  • dism /image:c:\mount /add-driver /driver:c:\drivers /recurse

Add specific driver:

  • dism /image:c:\mount /add-driver /driver:c:\drivers\mydriver.inf

Add unsigned driver:

  • dism /image:c:\mount /add-driver /driver:c:\drivers\mydriver.inf /forceunsigned

List all drivers:

  • dism /image:c:\mount /get-drivers
  • dism /image:c:\mount /get-drivers /format:table

Get a specific driver info:

  • dism /image:c:\mount /get-driverinfo /driver:c:\drivers\usb\usb.inf

Remove a driver:

  • dism /image:c:\mount /remove-driver /driver:oem1.inf

Remove multiple drivers:

  • dism /image:c:\mount /remove-driver /driver:oem1.inf /driver:oem2.inf

For large drivers (e.g. NVIDIA), point DISM at a scratch directory with enough free space:

  • dism /image:c:\mount /add-driver /driver:c:\drivers\nvidia /forceunsigned /scratchdir:c:\temp
  • dism /image:c:\mount /add-driver /driver:c:\drivers\ /recurse /scratchdir:c:\temp

Add specific packages to an image:

  • dism /get-wiminfo /wimfile:
  • dism /mount-wim /wimfile: /name:"Windows 7 HomeBasic" /mountdir:c:\mount
  • dism /image:c:\mount /add-package /packagepath:c:\packages\package1.cab /packagepath:c:\packages\package2.cab
  • dism /unmount-wim /mountdir:c:\mount /commit


Add an MSU update (replace xxxxx with the KB number of the update you want to install):

  • dism /image:c:\mount /add-package /packagepath:c:\updates\xxxxx.msu

Add all updates from a folder:

  • dism /image:c:\mount /add-package /packagepath:c:\updates

Manage Windows features:

  • dism /online /get-features | more
  • dism /online /enable-feature /featurename:<feature-you-want-to-enable>
  • dism /online /disable-feature /featurename:<feature-you-want-to-remove>

Fix SFC problems and scan your image for problems:

  • DISM /Online /Cleanup-Image /RestoreHealth

There are many more useful commands you could use, but I think these are the most used ones that help to fix or modify your image.

Thursday, March 16, 2023

Steps to crash a machine using the NMI switch and configure the dump

 

Below are the steps to configure a custom paging file (restart required):

 

  1. Go to System Properties, or type Sysdm.cpl in the Run command to open System Properties directly.
  2. From System Properties, click on Advanced System Settings.
  3. Under Performance, click on Settings.
  4. Click on the Advanced tab and then, under Virtual Memory, click on Change.
  5. Uncheck “Automatically manage paging file size for all drives”.
  6. Select Custom Size on the C: drive and then set the Initial size and Maximum size to RAM size in MB + 1024 MB, i.e. 66560 for 64 GB of RAM (65536 + 1024).

 

Below are the steps to configure the Complete memory dump settings.

  1. In the same Advanced System Settings dialog.
  2. Under Startup and Recovery, click on Settings.
  3. Under Writing debugging information, select Complete memory dump.
  4. Under Dump file, keep %SystemRoot%\MEMORY.DMP.
  5. Uncheck the option Automatically restart.
  6. Click OK to save.

 

Configure NMI switch.

 

Below are the steps to configure the server to take a dump using the NMI switch when the issue occurs. The NMI switch must be present on the server.

Below is the registry entry that must be made to allow NMI memory dumps to be invoked (reboot required).

HKLM\System\CurrentControlSet\Control\CrashControl
    Value Name: NMICrashDump
    Value Type: REG_DWORD
    Value Data: 1 (Decimal)

 

 

Restart the server after configuring the above settings for the changes to take effect.
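The paging file, Complete memory dump and NMICrashDump settings above (and the same "Complete memory dump" checklist in the later post on keyboard-initiated crashes), as an added PowerShell example that is not part of the original post. It reads the settings back so you can verify a server before the next incident, and sets them with -WhatIf support. The function names, the `$HeadroomMB` parameter and the CIM calls used for the page file are my own; the registry value names CrashDumpEnabled, AutoReboot, NMICrashDump and DumpFile are the ones the dialogs in the post write.

```powershell
# Added example, not part of the original post: verify and optionally set the
# crash-dump settings described above. Run elevated and reboot afterwards.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-CrashDumpConfig {
    $reg = Get-ItemProperty -Path $CrashControl
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_PageFileSetting is empty while Windows manages the page file automatically
    $pf  = Get-CimInstance -ClassName Win32_PageFileSetting |
           Where-Object { $_.Name -like "$env:SystemDrive*" } | Select-Object -First 1
    [pscustomobject]@{
        CrashDumpEnabled  = $reg.CrashDumpEnabled   # 1 = Complete memory dump
        DumpFile          = $reg.DumpFile           # the post keeps %SystemRoot%\MEMORY.DMP
        AutoReboot        = $reg.AutoReboot         # 0 = "Automatically restart" unchecked
        NMICrashDump      = $reg.NMICrashDump       # 1 = NMI switch produces a dump
        AutomaticPagefile = $cs.AutomaticManagedPagefile
        RamMB             = [int][math]::Ceiling($cs.TotalPhysicalMemory / 1MB)
        PagefileInitialMB = $pf.InitialSize
        PagefileMaximumMB = $pf.MaximumSize
    }
}

function Test-CrashDumpConfig {
    # Emits one line per deviation from the post's settings; no output means all good.
    # This post sizes the page file at RAM + 1024 MB; the later post asks for RAM + 200 MB.
    param([int]$HeadroomMB = 1024)
    $c = Get-CrashDumpConfig
    $wantMB = $c.RamMB + $HeadroomMB
    if ($c.CrashDumpEnabled -ne 1) { "CrashDumpEnabled is '$($c.CrashDumpEnabled)', expected 1 (Complete memory dump)" }
    if ($c.AutoReboot -ne 0)       { "AutoReboot is '$($c.AutoReboot)', expected 0 (Automatically restart unchecked)" }
    if ($c.NMICrashDump -ne 1)     { "NMICrashDump is '$($c.NMICrashDump)', expected 1" }
    if ($c.AutomaticPagefile)      { "Page file is still managed automatically" }
    elseif (-not $c.PagefileInitialMB) { "No page file setting found on $env:SystemDrive" }
    elseif ($c.PagefileInitialMB -ne $c.PagefileMaximumMB) { "Page file initial ($($c.PagefileInitialMB) MB) and maximum ($($c.PagefileMaximumMB) MB) differ" }
    elseif ($c.PagefileInitialMB -lt $wantMB) { "Page file is $($c.PagefileInitialMB) MB, expected at least $wantMB MB" }
}

function Set-CrashDumpConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$HeadroomMB = 1024)
    $sizeMB = (Get-CrashDumpConfig).RamMB + $HeadroomMB
    if ($PSCmdlet.ShouldProcess($CrashControl, 'set CrashDumpEnabled=1, AutoReboot=0, NMICrashDump=1, DumpFile')) {
        Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $CrashControl -Name AutoReboot       -Value 0 -Type DWord
        Set-ItemProperty -Path $CrashControl -Name NMICrashDump     -Value 1 -Type DWord
        Set-ItemProperty -Path $CrashControl -Name DumpFile -Value '%SystemRoot%\MEMORY.DMP' -Type ExpandString
    }
    if ($PSCmdlet.ShouldProcess("$env:SystemDrive page file", "set initial = maximum = $sizeMB MB")) {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem
        if ($cs.AutomaticManagedPagefile) {
            $cs | Set-CimInstance -Property @{ AutomaticManagedPagefile = $false }
        }
        $pf = Get-CimInstance -ClassName Win32_PageFileSetting |
              Where-Object { $_.Name -like "$env:SystemDrive*" } | Select-Object -First 1
        if ($pf) {
            $pf | Set-CimInstance -Property @{ InitialSize = $sizeMB; MaximumSize = $sizeMB }
        } else {
            New-CimInstance -ClassName Win32_PageFileSetting -Property @{
                Name = "$env:SystemDrive\pagefile.sys"; InitialSize = $sizeMB; MaximumSize = $sizeMB } | Out-Null
        }
    }
}

# Usage: Test-CrashDumpConfig ; Set-CrashDumpConfig -WhatIf ; Set-CrashDumpConfig ; Restart-Computer
```

`Test-CrashDumpConfig` is the part worth keeping in a runbook: running it on a server before an incident tells you whether the dump the post is trying to capture can actually be written (correct dump type, page file big enough and not auto-managed, no auto-reboot that would discard the console state).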

 

Steps to crash the system through HP iLO and capture a memory dump.

Procedure (log in to HP iLO):

  1. Click Information in the navigation tree, and then click the Diagnostics tab.
  2. Click Show System Diagnostics.
  3. Click Generate NMI.

iLO prompts the user to confirm the request.

CAUTION: Generating an NMI to the system might cause data loss and data corruption.

Click Yes, generate NMI.

Friday, January 13, 2023

How to Spike CPU to 100% in Windows

1) Open Notepad.

2) Type the commands below and save the file as loop.vbs:

While True
Wend

3) Now run that .vbs file 4 times to reach 100% CPU usage.

4) Once done, kill the script processes in Task Manager.
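The same busy loop as loop.vbs, as an added PowerShell example that is not part of the original post: it starts one spinning background job per core (or as many as you ask for), stops on its own after a deadline, and can be torn down in one call instead of hunting the script processes in Task Manager. Function names and defaults are my own.

```powershell
# Added example, not part of the original post: time-boxed CPU load generator.
function Start-CpuLoad {
    param([int]$Workers = [Environment]::ProcessorCount, [int]$Seconds = 30)
    $until = (Get-Date).AddSeconds($Seconds)
    # Each job is its own PowerShell process spinning until the deadline,
    # the equivalent of one running copy of 'While True ... Wend'.
    1..$Workers | ForEach-Object {
        Start-Job -ScriptBlock { param([datetime]$Deadline) while ((Get-Date) -lt $Deadline) { } } -ArgumentList $until
    }
}

function Stop-CpuLoad {
    # Ends the spin early and removes the job objects (equivalent to killing the scripts).
    param([Parameter(Mandatory)]$Jobs)
    $Jobs | Stop-Job -PassThru | Remove-Job -Force
}

# Usage: $load = Start-CpuLoad -Workers 4 -Seconds 60   # watch Task Manager, then:
#        Stop-CpuLoad $load
```

Because each job is a separate process, the load shows up in Task Manager and in the Perfmon `\Process(*)\*` counters used later on this page, which is what you want when testing a CPU alert or a procdump `-c` trigger.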


Wednesday, January 11, 2023

WPR/Xperf - Steps to collect logs

Collect X-perf logs:

Please capture traces while the issue is happening. Note that we need timestamps and details of what was done while the trace was being captured. A PSR recording while the trace runs, or a screen recording with a running timer, can also be captured.

The WPR capture should be started once the issue is observed; run it for 3 – 5 minutes and stop.

X-perf is an intensive tool and collects a huge amount of data, so collecting it continuously for a long duration would cause performance issues on the machine; I don’t recommend running it for more than 2-3 minutes.

If needed, run it for a few minutes, stop it if the issue is not reproduced, wait for some time and try another attempt. Repeat this until you capture a trace covering the issue.

Important note: while collecting data for performance issues, we need a detailed and clear description of what exactly we should analyze, which delay was noticed, and when:

1. What were the symptoms observed during the capture of the Xperf trace for the issue?
2. Any abnormal machine behavior observed, or alerts generated, during the issue?
3. What components were slow?
4. For how long were the observed components slow?
5. How did the system recover?

We need these details together with the .etl file to trace the issue back.

Here is an example of collecting the details: start the X-perf trace with the Windows Performance Toolkit at the time of the issue and describe the slowness that was noticed, with timestamps, as below:

13:48:10 X-perf started.

13:49:17 Tried opening notepad by typing notepad.exe from run

13:59:55 Notepad opened ~10 sec delay (you can note down any other component which is facing slowness)

PID of the notepad instance is 12345

Collect X-perf logs

1. Download the latest version of the Windows Performance Toolkit from the link below:

Download and install the Windows ADK (Microsoft Docs).

2. Create an elevated command prompt window.

a. Navigate to the Start menu, then All Programs, then Accessories.
b. Find the Command Prompt entry in Accessories.
c. Right-click the Command Prompt item and select “Run as administrator”.

3. In the new command prompt window, change the path to point to the folder containing xperf.exe and type the following commands:

cd C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit

Xperf -on Latency+DISPATCHER -stackWalk CSwitch+ReadyThread+ThreadCreate+Profile -BufferSize 64 -MaxBuffers 1024 -MaxFile 1024 -FileMode Circular

4. After 2-3 minutes, run:

Xperf -d WaitAnalysis.etl

The trace file (.etl) will be available in the same folder as the executable for further investigation.
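The xperf start/stop commands above together with the timestamped notes file the post asks for ("13:48:10 X-perf started." and so on), as an added PowerShell example that is not part of the original post. The xperf switches are exactly the post's; the function names, the C:\Temp\xperf output folder and the `-ProcessName` PID lookup are my own.

```powershell
# Added example, not part of the original post: run the post's xperf capture and
# keep a timestamped notes file next to the trace. Run from an elevated prompt.
$script:XperfNotes = $null

function Start-XperfCapture {
    param(
        [string]$ToolkitPath = 'C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit',
        [string]$OutputDir   = 'C:\Temp\xperf'
    )
    $xperf = Join-Path $ToolkitPath 'xperf.exe'
    if (-not (Test-Path $xperf)) { throw "xperf.exe not found at '$xperf' (install the Windows ADK)" }
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $script:XperfNotes = Join-Path $OutputDir ('notes_{0:yyyyMMdd_HHmmss}.txt' -f (Get-Date))
    & $xperf -on Latency+DISPATCHER -stackWalk CSwitch+ReadyThread+ThreadCreate+Profile `
             -BufferSize 64 -MaxBuffers 1024 -MaxFile 1024 -FileMode Circular
    if ($LASTEXITCODE -ne 0) { throw "xperf -on failed with exit code $LASTEXITCODE (is the prompt elevated?)" }
    Add-XperfNote 'X-perf started.'
    $script:XperfNotes
}

function Add-XperfNote {
    # Append a timestamped line; -ProcessName also records the PIDs, as the post does for notepad.
    param([Parameter(Mandatory)][string]$Text, [string]$ProcessName)
    if (-not $script:XperfNotes) { throw 'Start-XperfCapture has not been run' }
    $line = '{0:HH:mm:ss} {1}' -f (Get-Date), $Text
    if ($ProcessName) {
        $ids = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object Id) -join ','
        $line += " (PID of $ProcessName`: $ids)"
    }
    Add-Content -Path $script:XperfNotes -Value $line
}

function Stop-XperfCapture {
    param([string]$ToolkitPath = 'C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit')
    if (-not $script:XperfNotes) { throw 'Start-XperfCapture has not been run' }
    $etl = Join-Path (Split-Path $script:XperfNotes) 'WaitAnalysis.etl'
    & (Join-Path $ToolkitPath 'xperf.exe') -d $etl
    if ($LASTEXITCODE -ne 0) { throw "xperf -d failed with exit code $LASTEXITCODE" }
    Add-XperfNote "X-perf stopped, trace written to $etl"
    $etl
}

# Usage, keeping to the post's 2-3 minute window:
#   Start-XperfCapture
#   Add-XperfNote 'Tried opening notepad by typing notepad.exe from run'
#   Add-XperfNote 'Notepad opened ~10 sec delay' -ProcessName notepad
#   Start-Sleep -Seconds 120 ; Stop-XperfCapture
```

The notes file and the .etl end up in the same folder, so the timestamps the analyst needs to line up with the trace cannot get separated from it when the logs are uploaded.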

 

Steps to collect Perfmon logs

In order to troubleshoot the issue we need to capture a Performance Monitor log.

·         Click on Start.

·         In the start/search/run box, type CMD.exe and press Enter.

·         Copy and paste the following commands into the command prompt window:

 

Logman.exe create counter PerfLog-Long -o "c:\perflogs\\%computername%_PerfLog-Long.blg" -f bincirc -v mmddhhmm -max 500 -c "\LogicalDisk(*)\*" "\Memory\*" "\Cache\*" "\Network Interface(*)\*" "\Paging File(*)\*" "\PhysicalDisk(*)\*" "\Processor(*)\*" "\Processor Information(*)\*" "\Process(*)\*" "\Redirector\*" "\Server\*" "\System\*" "\Server Work Queues(*)\*" "\Terminal Services\*" -si 00:00:30

 

Logman.exe create counter PerfLog-Short -o "c:\perflogs\\%computername%_PerfLog-Short.blg" -f bincirc -v mmddhhmm -max 500 -c "\LogicalDisk(*)\*" "\Memory\*" "\Cache\*" "\Network Interface(*)\*" "\Paging File(*)\*" "\PhysicalDisk(*)\*" "\Processor(*)\*" "\Processor Information(*)\*" "\Process(*)\*" "\Redirector\*" "\Server\*" "\System\*" "\Server Work Queues(*)\*" "\Terminal Services\*" -si 00:00:01

 

·        Start the logs with the following commands:

Logman.exe start PerfLog-Long

Logman.exe start PerfLog-Short

 

·        Please stop the performance logs with the following commands:

Logman.exe stop PerfLog-Long

Logman.exe stop PerfLog-Short

 

Share the logs (C:\perflogs) with me for analysis.

Note: please keep this tool running until the issue is reproduced, and then upload the logs. These performance logs need to be started again if the machine is rebooted, as they do not automatically restart on boot.
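Since the note above says the collectors do not restart on boot, here is an added PowerShell example, not part of the original post, that registers a startup task to re-issue `logman start` for the two collectors and reports their state from `logman query`. The task names and function names are my own; the collector names are the ones the post's `logman create` commands use.

```powershell
# Added example, not part of the original post: keep PerfLog-Long/PerfLog-Short
# running across reboots. Requires the collectors to have been created already.
function Register-PerfLogAutostart {
    param([string[]]$Collector = @('PerfLog-Long', 'PerfLog-Short'))
    foreach ($name in $Collector) {
        $action    = New-ScheduledTaskAction -Execute 'logman.exe' -Argument "start $name"
        $trigger   = New-ScheduledTaskTrigger -AtStartup
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        Register-ScheduledTask -TaskName "PerfLog-Autostart-$name" -Action $action -Trigger $trigger `
                               -Principal $principal -Force | Out-Null
    }
}

function Unregister-PerfLogAutostart {
    # Remove the startup tasks once the case is closed so the collectors do not run forever.
    param([string[]]$Collector = @('PerfLog-Long', 'PerfLog-Short'))
    foreach ($name in $Collector) {
        Unregister-ScheduledTask -TaskName "PerfLog-Autostart-$name" -Confirm:$false -ErrorAction SilentlyContinue
    }
}

function Get-PerfLogStatus {
    # Parses the "Status:" line of 'logman query <name>' so the state can be checked after a reboot.
    param([string[]]$Collector = @('PerfLog-Long', 'PerfLog-Short'))
    foreach ($name in $Collector) {
        $out = & logman.exe query $name 2>&1
        $status = 'Unknown'
        if ($LASTEXITCODE -ne 0) {
            $status = 'NotFound'      # collector was never created on this machine
        } else {
            foreach ($line in $out) {
                if ("$line" -match '^Status:\s*(\S+)') { $status = $Matches[1]; break }
            }
        }
        [pscustomobject]@{ Collector = $name; Status = $status }
    }
}

# Usage: Register-PerfLogAutostart ; Get-PerfLogStatus
#        ...after the logs have been uploaded: Unregister-PerfLogAutostart
```

The `-f bincirc -max 500` settings in the post's `logman create` commands cap each log at 500 MB and overwrite circularly, so leaving the collectors running across reboots does not fill the disk.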

How to configure a complete memory dump, and how to crash using the keyboard

Complete memory dump:

Please make sure that the machine is set up to get a complete memory dump:

1) In Control Panel, double-click the System applet.

2) Select the Advanced tab.

3) Click the "Startup and Recovery" button.

4) Under the "Write Debugging Information" section, select "Complete Memory Dump" from the pulldown menu.

If you don’t have the Complete memory dump option available in the list, change the registry entry as below:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl

CrashDumpEnabled REG_DWORD 0x1 = Complete memory dump

5) Make sure a check mark is placed on "Overwrite any existing file".

6) Make sure you uncheck the options "Send an administrative alert" and "Automatically restart".

7) Disable the “Automatic Server Recovery (ASR)” feature in the BIOS settings.

8) Make sure that there is a paging file (pagefile.sys) on the system drive and that it is at least 200 MB larger than the total RAM size (set the initial and maximum pagefile size to the same value and reboot).

9) Make sure you have enough space available on C:\ to accommodate the paging file and the memory dump. Otherwise, change the dump location to another LOCAL drive with enough space. This can be done by specifying the dump location under System Properties – Advanced – Startup and Recovery Settings – “Dump File”.

Second, configure the system to dump memory:

 

Option 1:

With PS/2 keyboards ATTACHED DIRECTLY TO THE SERVER (WITHOUT KVM), you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a value named CrashOnCtrlScroll , and set it equal to a REG_DWORD value of 0x01.

  

Option 2:

With USB keyboards, you must enable the keyboard-initiated crash in the registry. In the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters, create a value named CrashOnCtrlScroll, and set it equal to a REG_DWORD value of 0x01.

 

Steps to configure the system to crash using the keyboard (for keyboards which do not have a Scroll Lock key):

================================================

Open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt

Note: if the keyboard type is USB, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdhid instead.

Create a registry key under this called CrashDump.

Select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\CrashDump
(or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kbdhid\CrashDump if the keyboard type is USB)

Create the following entries:

Name: Dump1Keys
Type: REG_DWORD
Value: 20 (hexadecimal) (this is for the Left CTRL key in place of the right CTRL key)

Name: Dump2Key
Type: REG_DWORD
Value: 3d (hexadecimal) (this is for the Space Bar in place of Scroll Lock)

Once this is configured, restart the machine to apply the changes (unplug and plug the keyboard back in if it is USB).

To trigger the system crash with the above configuration, hold down the Left CTRL key and press the Space Bar twice.

The system will bugcheck with the following code:

       *** STOP: 0x000000E2 (0x00000000,0x00000000,0x00000000,0x00000000)

If the system is configured for a memory dump, memory.dmp will be generated with bugcheck code E2 as above.
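Options 1 and 2 and the CrashDump-subkey alternative above, as an added PowerShell example that is not part of the original post. It picks the i8042prt or kbdhid key based on the attached keyboard, writes the values with -WhatIf support, and reports what is currently set under both drivers. The "PNPDeviceID starts with HID\ means USB" heuristic and the function names are my own assumptions; the registry paths and value names are the post's.

```powershell
# Added example, not part of the original post: apply the keyboard-initiated
# crash settings for the keyboard type that is actually attached. Run elevated.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-KeyboardDriverName {
    # Assumption: a USB/HID keyboard enumerates with a PNPDeviceID starting 'HID\'
    # (served by kbdhid); anything else is treated as PS/2 (served by i8042prt).
    $kb = Get-CimInstance -ClassName Win32_Keyboard | Select-Object -First 1
    if ($kb -and $kb.PNPDeviceID -like 'HID\*') { 'kbdhid' } else { 'i8042prt' }
}

function Enable-CrashOnCtrlScroll {
    # Options 1 and 2: right CTRL held while Scroll Lock is pressed twice triggers the bugcheck.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('i8042prt', 'kbdhid')][string]$Driver = (Get-KeyboardDriverName))
    $path = "$ServicesKey\$Driver\Parameters"
    if (-not (Test-Path $path)) { New-Item -Path $path | Out-Null }
    if ($PSCmdlet.ShouldProcess($path, 'set CrashOnCtrlScroll=1')) {
        Set-ItemProperty -Path $path -Name CrashOnCtrlScroll -Value 1 -Type DWord
    }
}

function Set-CrashDumpKeys {
    # Alternative for keyboards without Scroll Lock: the CrashDump subkey described above.
    # Defaults are the values the post gives (0x20 and 0x3d). Windows reads Dump1Keys as a
    # bit mask of modifier keys and Dump2Key as a keyboard scan code, so check Microsoft's
    # table for the combination you actually want before relying on it.
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('i8042prt', 'kbdhid')][string]$Driver = (Get-KeyboardDriverName),
          [int]$Dump1Keys = 0x20, [int]$Dump2Key = 0x3d)
    $path = "$ServicesKey\$Driver\CrashDump"
    if (-not (Test-Path $path)) { New-Item -Path $path | Out-Null }
    if ($PSCmdlet.ShouldProcess($path, ('set Dump1Keys=0x{0:x} Dump2Key=0x{1:x}' -f $Dump1Keys, $Dump2Key))) {
        Set-ItemProperty -Path $path -Name Dump1Keys -Value $Dump1Keys -Type DWord
        Set-ItemProperty -Path $path -Name Dump2Key  -Value $Dump2Key  -Type DWord
    }
}

function Get-KeyboardCrashConfig {
    # Report both drivers so a stale setting on the other keyboard type is not missed.
    foreach ($drv in 'i8042prt', 'kbdhid') {
        $p = Get-ItemProperty -Path "$ServicesKey\$drv\Parameters" -ErrorAction SilentlyContinue
        $d = Get-ItemProperty -Path "$ServicesKey\$drv\CrashDump"  -ErrorAction SilentlyContinue
        $k1 = if ($d) { '0x{0:x}' -f $d.Dump1Keys } else { $null }
        $k2 = if ($d) { '0x{0:x}' -f $d.Dump2Key }  else { $null }
        [pscustomobject]@{ Driver = $drv; CrashOnCtrlScroll = $p.CrashOnCtrlScroll; Dump1Keys = $k1; Dump2Key = $k2 }
    }
}

# Usage: Get-KeyboardCrashConfig ; Enable-CrashOnCtrlScroll -WhatIf ; Enable-CrashOnCtrlScroll
#        or, for a keyboard without Scroll Lock: Set-CrashDumpKeys ; then reboot (re-plug a USB keyboard)
```

`Get-KeyboardCrashConfig` is also the quick way to confirm, after the case is closed, that the crash hotkey has been removed again from both driver keys.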

UXtrace - how to collect a UXTrace with Procmon

UXTrace:

Download UXTrace.

  1. Log in using an affected user account and check if the issue reproduces. If yes, follow the steps below to capture logs.
  2. Download the Procmon tool from this hyperlink and extract it to a C:\Temp folder.
  3. Download the UXTrace PowerShell script from the file transfer link and place the UXTrace.ps1 file in the same C:\Temp folder.
  4. Open PowerShell as admin from Task Manager.
  5. Navigate to the C:\Temp folder.
  6. Run the command below to start tracing:

 .\UXTrace.ps1 -Start -AppX -Shell -COM -Procmon -ProcmonPath C:\temp

If you get an error that the script cannot be run because permissions are required, grant the script permission to run with the PowerShell command below:

Set-ExecutionPolicy Bypass

Type Y for yes, then run the PowerShell command for the script again.

  7. You will see the prompt to start reproducing the issue.
  8. From here, left-click the Start menu, the Action Center date/time, right-click the taskbar, and the Action Center, 2 times each with a 2 second interval in between.
  9. Now go back to the PowerShell window where the script is executing.
  10. Press "Enter" to stop the log capture.
  11. The script will now start saving the logs. It will take about 10 minutes.
  12. The logs will be saved on the Desktop in a folder named MSLOGS.
  13. Compress the folder to a zip for further analysis.

Procdump - How to collect dumps of any process

There are different ways to collect a procdump depending on the scenario.

In case the system is frozen and you want to collect a dump of a specific process, for example explorer.exe:

  • Download Procdump first, only from the link below:
  • https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
  • Extract it to C:\Temp before the issue repro.
  • When the issue occurs, follow the steps below to trigger a dump of the Explorer process.
  • Send Ctrl+Alt+Del and click on Task Manager.
  • In Task Manager > File > Run new task > CMD (check "run as admin") > navigate to C:\temp using CD C:\temp
  • Type the command below and press Enter. Then right-click the taskbar and press Enter.
  • Procdump.exe -ma -s 3 -n 5 Explorer.exe
  • It will generate complete dumps of explorer.exe.
______________________

  1. Run procdump (download from: https://docs.microsoft.com/en-gb/sysinternals/downloads/procdump) with the following parameters. Make sure you run it from the directory where you copied procdump.exe, and open the command prompt as an “Administrator”.
  2. The command will look like the following:

procdump -ma <PID of worker process (w3wp.exe)> -c 60 -s 5 -n 3

  • -c is the CPU usage threshold (in this case 60%)
  • -s is the time it must stay high (in this example 5 seconds)
  • -n is the number of dumps (in this example 3)

Therefore, this command simply means: if CPU consumption is 60% (or more) for 5 seconds (or more), capture 3 full user dumps.

  3. The dump files will be created in the same location as procdump.exe.
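The CPU-triggered procdump above needs the PID of the right w3wp.exe, which the post leaves as a placeholder. Here is an added PowerShell example, not part of the original post, that resolves the PID from the IIS application pool name and runs procdump with the post's -ma -c -s -n switches. The function names, the C:\Temp paths, the `-accepteula` switch (a real procdump option that suppresses the licence prompt in unattended runs) and the output directory argument are my additions.

```powershell
# Added example, not part of the original post: find the worker process for an
# app pool and capture CPU-triggered full user dumps of it with procdump.
function Get-WorkerProcessId {
    # w3wp.exe is started with '-ap "<pool name>"' on its command line.
    param([Parameter(Mandatory)][string]$AppPool)
    $pattern = '-ap\s+"' + [regex]::Escape($AppPool) + '"'
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'w3wp.exe'" |
        Where-Object { $_.CommandLine -match $pattern } |
        Select-Object -ExpandProperty ProcessId
}

function Invoke-CpuTriggeredDump {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [int]$CpuPercent = 60,        # -c: CPU threshold in percent
        [int]$Seconds    = 5,         # -s: seconds the CPU must stay above the threshold
        [int]$Count      = 3,         # -n: number of dumps to write
        [string]$ProcdumpPath = 'C:\Temp\procdump.exe',
        [string]$OutputDir    = 'C:\Temp\dumps'
    )
    if (-not (Test-Path $ProcdumpPath)) { throw "procdump.exe not found at $ProcdumpPath" }
    if (-not (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)) { throw "No process with PID $ProcessId" }
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $argList = @('-accepteula', '-ma', '-c', $CpuPercent, '-s', $Seconds, '-n', $Count, $ProcessId, $OutputDir)
    if ($PSCmdlet.ShouldProcess("PID $ProcessId", "procdump $($argList -join ' ')")) {
        & $ProcdumpPath @argList      # blocks until the dumps are written or procdump is cancelled
        Get-ChildItem -Path $OutputDir -Filter '*.dmp' | Sort-Object LastWriteTime -Descending | Select-Object -First $Count
    }
}

# Usage (a web garden can have several w3wp.exe per pool; this takes the first):
#   $wp = Get-WorkerProcessId -AppPool 'DefaultAppPool' | Select-Object -First 1
#   Invoke-CpuTriggeredDump -ProcessId $wp -WhatIf
#   Invoke-CpuTriggeredDump -ProcessId $wp
```

Dumps are written to a dedicated folder rather than next to procdump.exe, so the `-ma` full dumps (each the size of the process's memory) are easy to locate, size-check and upload.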

Friday, January 6, 2023

How to find Activation Key in Windows OS

There are 3 easy ways to find the Activation Key in Windows.


 1) Open CMD as Administrator > Type below command:

wmic path softwareLicensingService get OA3xOriginalProductKey


2) Open Powershell as administrator > Type below command:

powershell "(Get-WmiObject -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey"

3) Open registry and go to this path:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform








