By monitoring the boot process, one might detect a malware infection as some of the malicious executables interfere with Windows system files accessed during the system boot-up resulting in a slower start of it.
First of all, please make sure you have set up stack walking. If you have not done it yet, you can set it up with the command you can see below:
C:\xperf>REG ADD “HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management” -v DisablePagingExecutive -d 0x1 -t REG_DWORD -f
What is more, you need to have an xperf folder as well, preferably on the C Drive.
Next, by using an administrator command prompt, please type a command:
C:\xperf>xbootmgr -trace boot -traceflags latency+dispatcher -stackwalk profile+cswitch+readythread -notraceflagsinfilename -postbootdelay 180 -resultpath c:\xperf
We set the postbootdelay for 180 seconds. Also, note that we want our results to be on the C Drive directly in the Xperf folder.
After running the command, you will be signed out and your system should restart. Please log in once again and go to the desktop.
And now you should be greeted with the sign “Delaying for boot trace 1 of 1”. Please wait for more or less 10 seconds, and, afterwards, click finish.
You can see that there is a file created, called boot_1.etl. Let it save.
Next, please run the command prompt again. Let’s go to xperf folder. Here you can run a command that will convert the results to the XML file:
C:\xperf>xperf -i boot_1.etl -o summary.xml -a boot
Let’s open the summary file now:
You should see the file. Please search in this file for a bootDoneViaPostBoot value. Do you know what this value is? This value is the total time of the start in milliseconds with 10 seconds added to time.
We can also search for interval. After this step, you are able to locate the intervals and see details of each one.
Let’s now open the file boot_1.etl in Windows Performance Analyzer. Open the command prompt and type:
And let’s find the Boot Phases graph in the WPA. Click right on it and click “Add a graph to Analysis View”. Here you can see the summary table of boot phases. Now you are ready to review the results.
That’s all for this episode.
Please let us know if you have any questions and we absolutely hope to see you in further episodes of the CQURE Hacks Weekly.