The other day I was upgrading Exchange, and it kept complaining that the system needed a reboot even after a reboot. I rebooted over and over and over and over a…. you get the idea. After googling a while, I found the solution was inside a registry key. A file name needed to be changed, but the OS just wasn’t doing it upon reboot. It’s a common bug with Exchange apparently. So, to fix it, I just had to clear the key. Thus, I was like, what other keys do I know that are useful? So, here are 10 Useful Registry Keys.
Pending Reboot
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
If either of these keys exists, just clear it out and it will save you some time.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
This one was the key that was giving me issues. It’s useful to just clear the data in this key.
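Before clearing that value it is worth looking at what is in it, because PendingFileRenameOperations holds the source/destination rename pairs an installer still expects to be applied at the next boot. The following is an added example, not code from the original post: it reports the three pending-reboot indicators listed above and backs up PendingFileRenameOperations to a text file before removing it. The backup location is an assumption; point it wherever you keep change records.

```powershell
# Added example, not from the original post: inspect the pending-reboot
# indicators above and back up PendingFileRenameOperations before clearing it.

function Get-PendingRebootState {
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    # REG_MULTI_SZ: entries come in pairs (source, destination). An empty
    # destination means "delete source", so empty strings must not be filtered out.
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations

    [pscustomobject]@{
        CbsRebootPending          = Test-Path $cbs
        WindowsUpdateRebootNeeded = Test-Path $wu
        PendingFileRenames        = if ($pfro) { @($pfro) } else { @() }
    }
}

function Show-PendingFileRenames {
    param([string[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i]
        $dst = if (($i + 1) -lt $Entries.Count -and $Entries[$i + 1]) { $Entries[$i + 1] } else { '<delete>' }
        Write-Host ("{0}`n    -> {1}" -f $src, $dst)
    }
}

function Clear-PendingFileRenameOperations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed backup location; change to suit your environment.
        [string]$BackupPath = "$env:TEMP\PendingFileRenameOperations.$(Get-Date -Format yyyyMMdd-HHmmss).txt"
    )
    $sm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $state = Get-PendingRebootState

    if ($state.PendingFileRenames.Count -eq 0) {
        Write-Host 'PendingFileRenameOperations is already empty.'
        return
    }

    # Show what the OS was supposed to do at boot, then keep a copy of it.
    Show-PendingFileRenames -Entries $state.PendingFileRenames
    $state.PendingFileRenames | Set-Content -Path $BackupPath -Encoding Unicode
    Write-Host "Backed up $($state.PendingFileRenames.Count) entries to $BackupPath"

    if ($PSCmdlet.ShouldProcess("$sm\PendingFileRenameOperations", 'Remove value')) {
        Remove-ItemProperty -Path $sm -Name PendingFileRenameOperations
    }
}

# Usage: look first, dry-run with -WhatIf, then run it for real.
Get-PendingRebootState
Clear-PendingFileRenameOperations -WhatIf
```

If the backed-up list shows renames for a product you still care about (an Exchange binary mid-update, for instance), finish or repair that install before deleting the value rather than just making the reboot prompt go away.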
Troubleshooting
The next few keys are great for troubleshooting. The first sets the startup and shutdown status messages to verbose so you can see what is happening during both.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\VerboseStatus
DWORD = 1
The next one sets the Group Policy Client service to detailed logging and creates a log at %SystemRoot%\Debug\UserMode\GPsvc.log. This is great for troubleshooting slow logins.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\GPSvcDebugLevel
DWORD = 0x30002
The next one does the same for user profile processing. So, if a user profile has issues, use this one. It will create a detailed log at %SystemRoot%\Debug\UserMode\Userenv.log.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics\UserEnvDebugLevel
DWORD = 0x30002
Another logging one, this time for Kerberos, in case you have some app giving you trouble. These events show up under System/Security in Event Viewer.
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel
DWORD = 1
As before, Netlogon can do the same. The log is stored at %SystemRoot%\Debug\netlogon.log. It’s funky looking, but it works.
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag
DWORD = 0x2080ffff
As any admin knows, PowerShell and TLS will make you mad with 2016. Wow, that was almost 10 years ago… Anyway, let’s log TLS better. I think I’m getting old.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Events\EventLogging
DWORD = 7
When we install MSI packages, those logs fall off the face of the earth. So, let’s find them as well. These two values put full installer logs into the %TEMP% folder.
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\Logging
REG_SZ = voicewarmupx
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\Debug
DWORD = 7
I discovered the next one when I was tracking down a rogue DHCP server. Enabling these logs will show which server it tried to connect to and when. These logs live in %SystemRoot%\System32\dhcp and in Event Viewer as well.
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\EnableDhcpDebugLogging
DWORD = 1
SMB1 shouldn’t exist, but if something is still calling it, this lets you see what is using it. Useful in older environments like a factory. I got stories. Just know when a robotic arm stops, people freak.
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AuditSMB1Access
DWORD = 1
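Three of the keys above (Kerberos LogLevel, Schannel EventLogging and AuditSMB1Access) write to Event Viewer rather than to a file, so the useful part is pulling those events back out. The following is an added example, not code from the original post. It assumes the Kerberos client provider is named Microsoft-Windows-Security-Kerberos and the Schannel provider Schannel in the System log, that SMB1 audit records are event 3000 in Microsoft-Windows-SMBServer/Audit, and that the event 3000 message carries a "Client Address:" line; the regex on that message text is an assumption about its wording.

```powershell
# Added example, not from the original post: read back the event-log channels
# that the Kerberos, Schannel and SMB1-audit registry values feed.

function Get-RecentAuthAndTlsEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    $filters = @(
        # Kerberos client errors (bad SPN, clock skew, etc.) land in System under this provider.
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since },
        # Schannel writes TLS handshake errors/warnings/info to System when EventLogging = 7.
        @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $since }
    )

    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

function Get-Smb1Clients {
    param([int]$Hours = 24)
    # AuditSmb1Access = 1 records one event 3000 per SMB1 session in this channel.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message wording: "... Client Address: <ip> ..."
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

# Usage: what talked SMB1 to this box in the last week, most frequent first.
Get-Smb1Clients -Hours 168 | Format-Table -AutoSize
Get-RecentAuthAndTlsEvents -Hours 24 | Format-Table -AutoSize
```

The SMB1 report is the one to run before you disable SMB1 on that factory server: each address in it is a device that will break when the protocol goes away, which is exactly the list you want to hand to whoever owns the robotic arm.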
Finally, why a service times out. This one raises the service start timeout and helps avoid those 7009/7011 events.
HKLM\SYSTEM\CurrentControlSet\Control\ServicesPipeTimeout
DWORD = 60000
PowerShell troubleshooting logs
I would be remiss if I didn’t give you a PowerShell version.
#Requires -RunAsAdministrator

# Verbose startup/shutdown status messages
New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name VerboseStatus -PropertyType DWord -Value 1 -Force

# Group Policy client and user profile debug logs (%SystemRoot%\Debug\UserMode)
New-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics' -Name GPSvcDebugLevel -PropertyType DWord -Value 0x30002 -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics' -Name UserEnvDebugLevel -PropertyType DWord -Value 0x30002 -Force

# Kerberos client events in the System log
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -Name LogLevel -PropertyType DWord -Value 1 -Force

# Netlogon debug log (%SystemRoot%\Debug\netlogon.log)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name DBFlag -PropertyType DWord -Value 0x2080FFFF -Force

# Schannel (TLS) events: 7 = errors + warnings + informational
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Events' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Events' -Name EventLogging -PropertyType DWord -Value 7 -Force

# Windows Time service file log
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name FileLogEnabled -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name FileLogName -PropertyType String -Value '%SystemRoot%\w32time.log' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name FileLogSize -PropertyType DWord -Value 0x100000 -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name FileLogEntries -PropertyType String -Value 'All' -Force

# Windows Installer verbose logging into %TEMP%
New-Item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name Logging -PropertyType String -Value 'voicewarmupx' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name Debug -PropertyType DWord -Value 7 -Force

# DHCP client debug logging
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters' -Name EnableDhcpDebugLogging -PropertyType DWord -Value 1 -Force

# Audit SMB1 client access
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name AuditSmb1Access -PropertyType DWord -Value 1 -Force

# Service start timeout in milliseconds (takes effect after a reboot)
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name ServicesPipeTimeout -PropertyType DWord -Value 60000 -Force
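Debug levels like DBFlag 0x2080ffff and voicewarmupx produce large logs that record hostnames, user names and file paths, so they should only stay on while you are actually chasing a problem. The following is an added example, not code from the original post: it reverses the logging settings from the script above once you are done. Removing each value restores its default, except Schannel EventLogging, whose default is 1 (errors only), so that one is set back rather than deleted. ServicesPipeTimeout is a fix, not a log, and is left alone.

```powershell
# Added example, not from the original post: turn the troubleshooting logging
# from the script above back off.

function Disable-TroubleshootingLogs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Values whose absence restores default behaviour.
    $remove = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'VerboseStatus' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics';   Name = 'GPSvcDebugLevel' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics';   Name = 'UserEnvDebugLevel' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters';   Name = 'LogLevel' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';      Name = 'DBFlag' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';           Name = 'FileLogEnabled' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';           Name = 'FileLogName' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';           Name = 'FileLogSize' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config';           Name = 'FileLogEntries' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';              Name = 'Logging' }
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';              Name = 'Debug' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters';          Name = 'EnableDhcpDebugLogging' }
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';  Name = 'AuditSmb1Access' }
    )

    foreach ($v in $remove) {
        # Only touch values that are actually present, so the run is idempotent.
        $present = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($present -and $PSCmdlet.ShouldProcess("$($v.Path)\$($v.Name)", 'Remove value')) {
            Remove-ItemProperty -Path $v.Path -Name $v.Name
        }
    }

    # Schannel default is 1 (log errors only), so set it back instead of removing it.
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Events'
    if ((Test-Path $schannel) -and $PSCmdlet.ShouldProcess("$schannel\EventLogging", 'Reset to 1')) {
        Set-ItemProperty -Path $schannel -Name EventLogging -Value 1 -Type DWord
    }

    # W32Time re-reads its configuration on request; the other services pick up
    # the change on their own or at next restart.
    if ($PSCmdlet.ShouldProcess('w32time', 'Reload configuration')) {
        w32tm /config /update | Out-Null
    }
}

# Usage: dry-run first, then apply.
Disable-TroubleshootingLogs -WhatIf
Disable-TroubleshootingLogs -Verbose
```

Pair this with a calendar reminder when you enable the logging; the verbose Netlogon and MSI logs are the ones most often found years later, still running, on a domain controller that is short on disk.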
What can we learn as a person today
Go take a break and drink some water. That 9th cup of coffee can wait. We need sleep, y’all.