windows

unexpected shutdown

• 41 — The device did not restart correctly using a clean shutdown first. This event could be caused if the computer stopped responding, crashed, or lost power unexpectedly.

• 1074 — This event is triggered when the user initiates a manual shutdown or restart. Or when the system restarts automatically to apply updates, for example. If you were using the shutdown command with a custom message, the information would be recorded in the "Comment" section.

• 6006 — This event is logged when the Event Log system has been stopped by during a good shutdown. This error usually happens after error 1074.

• 6005 — This event was logged when the Event Log system started, which can indicate when the computer was started.

• 6008 — Indicates that the previous system shutdown was unexpected. This error will usually happen after error 41.

capture => wireshark

windows  2016

netsh trace show interfaces
netsh trace start capture=yes captureinterface=XX

netsh trace start capture=yes captureinterface=XX IPv4.Address=X.X.X.X tracefile=c:\temp\capture.etl persistent=yes
netsh trace start capture=yes tracefile=c:\temp\capture.etl maxsize=512 filemode=circular overwrite=yes report=no correlation=no IPv4.SourceAddress=(192.168.1.55,192.168.1.5) IPv4.DestinationAddress=(192.168.1.55,192.168.1.5) Ethernet.Type=IPv4

netsh trace start capture=yes tracefile=c:\temp\capture.etl maxsize=512 filemode=circular overwrite=yes report=no correlation=no

netsh trace stop

C:\tools\etl2pcapng\etl2pcapng.exe C:\temp\capture.etl capture.pcapng

netsh trace stop
Etl2pcapng.exe capture.etl newfile.pcapng 

windows 2019 =>

pktmon filter add -t tcp syn -p 3389

pktmon start --capture

pktmon stop

pktmon pcapng c:\Windows\System32\PktMon.etl -o C:\temp\new_file.pcapng

Remove-Item c:\Windows\System32\PktMon.etl

pktmon filter remove 1

For /F %s in ('dir /b *.dll') do regsvr32 /s %s