Logging access to Windows shares

How to enable logging in WDS in Windows

This article describes how to enable logging in Windows Deployment Services (WDS) in Windows Server.

Original product version: Windows Server 2012 R2
Original KB number: 936625

This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see Windows registry information for advanced users.

Introduction

This article discusses how to enable logging in WDS in Windows Server. Additionally, this article describes how to gather data in WDS.

You can use this information to help troubleshoot issues that you may experience in WDS.

Overview

Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Each WDS component has a mechanism that you can enable for logging and for tracing. You can then analyze the results for troubleshooting. Use the information in the following sections to enable logging and tracing for WDS components.

General WDS server health

Type the following command to generate general server health information:

This command causes general server health information to be logged in the Application log and in the System log.

WDS server component

Type the following command to generate health information about the WDS server component:

This command causes WDS information to be logged in the Application log and in the System log.

Obtain trace logs for Windows Server

To obtain trace information for Windows Server, do the following:

  1. Open Event Viewer (eventvwr).
  2. Browse to Windows Logs\Applications and Services Logs\Microsoft\Windows\Deployment-Services-Diagnostics.
  3. Right-click the channel and choose Enable Log.

Then, configure the components that you want to be logged by setting one or more of the following registry keys to a 0 value.

WDS servers also support the following additional tracing:

You can set these registry keys to the following values to control what is included:

  • 7F0000: This value includes packet tracing and protocol tracing.
  • 3F0000: This value excludes packet tracing.
  • 3E0000: This value excludes packet tracing and protocol tracing. By default, this value is used.

A tracing process may affect performance. Therefore, we recommend that you disable the tracing functionality when you do not have to generate a log.

After you set this registry entry, trace information for the WDS server component is logged in the following file: %windir%\Tracing\wdsserver.log

WDS management components

Type the following command to generate management component health information:

This command causes WDS component health information to be logged in the Application log and in the System log.

Enable tracing

To obtain trace information, you must enable tracing in the WDS management component and in the WDS Microsoft Management Console (MMC) component. To do this, set the following registry entries:

For the management component

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WDSMGMT
  • Name: EnableFileTracing
  • Value type: REG_DWORD
  • Value data: 1

For the MMC component

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WDSMMC
  • Name: EnableFileTracing
  • Value type: REG_DWORD
  • Value data: 1

After you set these registry entries, trace information for the WDS management component is logged in the %windir%\Tracing\wdsmgmt.log file.

Additionally, trace information for the WDS MMC component is logged in the %windir%\Tracing\wdsmmc.log file.

Although the WDS MMC component and the WDSUTIL component share the same API layer, MMC sometimes adds processing and functionality. If an error occurs, it is frequently worthwhile to use WDSUTIL to try to reproduce the failure. WDSUTIL may help you determine whether the error is local to MMC or whether the error is a general management API failure. Frequently, the WDSUTIL component provides more detailed error output when tracing is not enabled. Where applicable, use the following options to obtain extra information:

WDS legacy components

If you perform legacy management functions, set the following registry entry to enable tracing in the RISetup component:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RISetup
  • Name: EnableFileTracing
  • Value type: REG_DWORD
  • Value data: 1
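
The following PowerShell is an added example, not code from the original article or from Microsoft. It sets and audits the EnableFileTracing values listed above for WDSMGMT, WDSMMC and RISetup, so that tracing can be switched off again once the logs are collected. The function names are hypothetical, and the article names no trace file for RISetup, so none is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's code). Function names are hypothetical.
$TracingRoot = 'HKLM:\SOFTWARE\Microsoft\Tracing'
# Component key -> trace file named in this article ($null where the article names none).
$WdsTraceLogs = [ordered]@{
    WDSMGMT = Join-Path $env:windir 'Tracing\wdsmgmt.log'
    WDSMMC  = Join-Path $env:windir 'Tracing\wdsmmc.log'
    RISetup = $null
}

function Set-WdsFileTracing {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$Component = @($WdsTraceLogs.Keys)
    )
    foreach ($name in $Component) {
        $key = Join-Path $TracingRoot $name
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD 1 turns file tracing on; 0 turns it off again.
        New-ItemProperty -Path $key -Name EnableFileTracing -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
    }
}

function Get-WdsFileTracing {
    foreach ($name in $WdsTraceLogs.Keys) {
        $key  = Join-Path $TracingRoot $name
        $prop = Get-ItemProperty -Path $key -Name EnableFileTracing -ErrorAction SilentlyContinue
        $log  = $WdsTraceLogs[$name]
        [pscustomobject]@{
            Component = $name
            Enabled   = ($null -ne $prop -and $prop.EnableFileTracing -eq 1)
            LogFile   = $log
            LogSizeKB = if ($log -and (Test-Path $log)) { [math]::Round((Get-Item $log).Length / 1KB) } else { $null }
        }
    }
}

# Typical use: enable, reproduce the problem, collect the logs, then disable.
# Set-WdsFileTracing -Enabled $true
# Get-WdsFileTracing | Format-Table -AutoSize
# Set-WdsFileTracing -Enabled $false
```

Running Get-WdsFileTracing on a schedule shows any component where tracing was left enabled after troubleshooting.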

To obtain the trace log in the WDSCapture operation, follow these steps:

  1. Start the Capture Windows PE boot image.
  2. When the Capture Wizard starts, press SHIFT+F10 to open a command prompt.
  3. Enable tracing in the WDSCapture component. To do this, follow these steps:
       a. Start Registry Editor.
       b. Set the following registry entry to enable tracing in the WDSCapture component:
            • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WDSCapture
            • Name: EnableFileTracing
            • Value type: REG_DWORD
            • Value data: 1
  4. Start a second instance of the WDSCapture component. Then, reproduce the problem by using the second instance of WDSCapture.

Don’t close the original instance of WDSCapture. If you close the original instance of WDSCapture, Windows PE restarts. Instead, press ALT+TAB to switch between the instances of WDSCapture.

The following trace log file is generated: X:\Windows\Tracing\WDSCapture.log.

WDS client components

To turn on the client logging functionality, run the following command on the WDS server:

Then, run the following command on the WDS server to change which events are logged:

Each category includes all the events from the previous categories.

The following are the definitions of the logging levels:

  • The NONE logging level disables the logging functionality. By default, this logging level is used.
  • The ERRORS logging level logs only errors.
  • The WARNINGS logging level logs warnings and errors.
  • The INFO logging level logs errors, warnings, and informational events. This logging level is the highest logging level.

To view the event logs, follow these steps:

  1. Open Server Manager, and then click Diagnostics.
  2. Click Event Viewer.
  3. Click Applications and Services Logs.
  4. Click Microsoft, click Windows, and then click Deployment-Services-Diagnostics.

In the tree structure of event logs, the Admin log contains all the errors, and the Operational log contains the information messages. The following are the definitions of the architectures that are listed for some errors in these logs:

  • Architecture 0 is the x86 processor architecture.
  • Architecture 6 is the IA-64 processor architecture.
  • Architecture 9 is the x64 processor architecture.

Setup logs from the client computer

The location of the setup logs depends on when the failure occurs.

If the failure occurs in Windows PE before the disk configuration page of the WDS client is completed, you can find the logs at the X:\Windows\Panther folder. Use Shift+F10 to open a command prompt, and then change the directory to the location.

If the failure occurs in Windows PE after the disk configuration page of the WDS client is completed, you can find the logs on the local disk volume at the $Windows.~BT\Sources\Panther folder. The local disk volume is usually the drive C. Use Shift+F10 to open a command prompt, and then change the directory to the location.

If the failure occurs on the first boot after the image is applied, you can find the logs in the \Windows\Panther folder of the local disk volume. The local disk volume is usually the drive C.

Get Started with User Access Logging

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

User Access Logging (UAL) is a feature in Windows Server that aggregates client usage data by role and products on a local server. It helps Windows server administrators quantify requests from client computers for roles and services on a local server.

UAL is installed and enabled by default, and collects data in nearly real-time. No administrator configuration is required, although UAL can be disabled or enabled. For more information, see Manage User Access Logging. The User Access Logging service aggregates client usage data by roles and products into local database files. IT administrators can later use Windows Management Instrumentation (WMI) or Windows PowerShell cmdlets to retrieve quantities and instances by server role (or software product), by user, by device, by the local server, and by date.

Practical applications

UAL aggregates unique client device and user request events that are logged into a local database. These records are then made available (through a query by a server administrator) to retrieve quantities and instances by server role, by user, by device, by the local server, and by date. In addition, UAL has been extended to enable non-Microsoft software developers to instrument their UAL events to be aggregated by Windows Server.

UAL can perform the following tasks:

  • Quantify client user requests for local physical or virtual servers.
  • Quantify client user requests for installed software products on a local physical or virtual server.
  • Retrieve data on a local server running Hyper-V to identify periods of high and low demand on a Hyper-V virtual computer.
  • Retrieve UAL data from multiple remote servers.

In addition, software developers can instrument UAL events that can then be aggregated and retrieved by using WMI and Windows PowerShell interfaces.

The following server roles and services can be supported by UAL:

Active Directory Certificate Services (AD CS)

Active Directory Rights Management Services (AD RMS)

Domain Name System (DNS)

UAL collects DNS data every 24 hours, and there is a separate UAL cmdlet for this scenario.

Dynamic Host Configuration Protocol (DHCP)

File Transfer Protocol (FTP) Server

UAL collects Hyper-V data every 24 hours, and there is a separate UAL cmdlet for this scenario.

To use UAL with IIS, you must use iisual.exe. For more information, see Analyzing Client Usage Data with IIS User Access Logging.

Microsoft Message Queue (MSMQ) Services

Network Policy and Access Services

Print and Document Services

Routing and Remote Access Service (RRAS)

Windows Deployment Services (WDS)

Windows Server Update Services (WSUS)

UAL is not recommended for use on servers that are connected directly to the Internet, such as web servers on an Internet-accessible address space, or in scenarios where extremely high performance is the primary function of the server (such as in HPC workload environments). UAL is primarily intended for small, medium, and enterprise intranet scenarios where high volume is expected, but not as high as deployments that serve Internet-facing traffic volume on a regular basis.

Important functionality

The following table describes key functions of UAL and their potential value.

| Functionality | Value |
|---|---|
| Collect and aggregate client request event data in near real-time. | Up to three years of data can be saved. Important: Administrators need to enforce compliance of the data collected and data retention periods with the organization’s privacy policy and local regulations. |
| Query UAL by using WMI or Windows PowerShell interfaces to retrieve client request data on a local or remote server. | UAL enables a single view of ongoing usage data. Server and enterprise administrators can retrieve this data and coordinate with business administrators to optimize use of their volume software licenses. |
| Enabled by default. | Server administrators do not need to configure or otherwise set up this feature for all core functionality to be available and working. |

Data logged with UAL

The following user-related data is logged with UAL.

| Data | Description |
|---|---|
| UserName | The user name on the client that accompanies the UAL entries from installed roles and products, if applicable. |
| ActivityCount | The number of times a particular user accessed a role or service. |
| FirstSeen | The date and time when a user first accesses a role or service. |
| LastSeen | The date and time when a user last accessed a role or service. |
| ProductName | The name of the software parent product, such as Windows, that is providing UAL data. |
| RoleGUID | The UAL assigned or registered GUID that represents the server role or installed product. |
| RoleName | The name of the role, component, or subproduct that is providing UAL data. This is also associated with a ProductName and a RoleGUID. |
| TenantIdentifier | A unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable. |

The following device-related data is logged with UAL.

| Data | Description |
|---|---|
| IPAddress | The IP address of a client device that is used to access a role or service. |
| ActivityCount | The number of times a particular device accessed the role or service. |
| FirstSeen | The date and time when an IP address was first used to access a role or service. |
| LastSeen | The date and time when an IP address was last used to access a role or service. |
| ProductName | The name of the software parent product, such as Windows, that is providing UAL data. |
| RoleGUID | The UAL-assigned or registered GUID that represents the server role or installed product. |
| RoleName | The name of the role, component, or subproduct that is providing UAL data. This is also associated with a ProductName and a RoleGUID. |
| TenantIdentifier | A unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable. |
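
The following PowerShell is an added example, not code from the original article or from Microsoft. It uses the Get-UalUserAccess and Get-UalDeviceAccess cmdlets and the FirstSeen field described above to list users and IP addresses that appeared for the first time within a recent window, which is useful for access reviews and incident response. The function name, the 7-day default and the wildcard filter are assumptions.

```powershell
# Added example (not Microsoft's code). Get-UalRecentClient is a hypothetical name.
# Requires the UserAccessLogging module on Windows Server 2012 or later.
# DNS and Hyper-V data are exposed through separate UAL cmdlets and are not covered here.
function Get-UalRecentClient {
    param(
        [int]$Days = 7,                 # look-back window (assumed default)
        [string]$RoleNameLike = '*'     # wildcard filter on the RoleName field
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # Users whose first recorded access to a role falls inside the window.
    $users = Get-UalUserAccess |
        Where-Object { $_.FirstSeen -ge $cutoff -and $_.RoleName -like $RoleNameLike } |
        Select-Object @{ n = 'Kind';   e = { 'User' } },
                      @{ n = 'Client'; e = { $_.UserName } },
                      RoleName, ProductName, ActivityCount, FirstSeen, LastSeen

    # Client IP addresses whose first recorded access falls inside the window.
    $devices = Get-UalDeviceAccess |
        Where-Object { $_.FirstSeen -ge $cutoff -and $_.RoleName -like $RoleNameLike } |
        Select-Object @{ n = 'Kind';   e = { 'Device' } },
                      @{ n = 'Client'; e = { $_.IPAddress } },
                      RoleName, ProductName, ActivityCount, FirstSeen, LastSeen

    # One combined view, newest first.
    @($users) + @($devices) | Sort-Object FirstSeen -Descending
}

# Example call:
# Get-UalRecentClient -Days 3 | Format-Table -AutoSize
```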

Software requirements

UAL can be used on any computer running versions of Windows Server after Windows Server 2012.