Monitoring the boot process is one way to spot a malware infection: some malicious executables interfere with the Windows system files that are loaded during start-up, and that extra work shows up as a measurably slower boot. A boot trace lets you see which phase, and which processes, are responsible for the delay instead of guessing.
First of all, make sure stack walking is set up. If you have not done it yet, enable it from an administrator command prompt with the command below. On 64-bit Windows, DisablePagingExecutive must be set to 1 so that kernel-mode code stays resident and can be stack-walked, and the change only takes effect after a reboot (use straight double quotes, not the typographic ones some editors insert):
C:\xperf>REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" -v DisablePagingExecutive -d 0x1 -t REG_DWORD -f
You also need an xperf folder that the Windows Performance Toolkit tools (xperf, xbootmgr, wpa) can be run from and that the results can be written to, preferably directly on the C drive. C:\xperf is used throughout this walkthrough.
Next, from an administrator command prompt, start the boot trace:
C:\xperf>xbootmgr -trace boot -traceflags latency+dispatcher -stackwalk profile+cswitch+readythread -notraceflagsinfilename -postbootdelay 180 -resultpath c:\xperf
-postbootdelay 180 keeps the trace running for 180 seconds after the boot is considered done, -stackwalk profile+cswitch+readythread records call stacks for sampled-profile, context-switch and ready-thread events (this is why stack walking had to be enabled first), -notraceflagsinfilename keeps the trace file name short, and -resultpath puts the results directly in the C:\xperf folder.
After you run the command, you are signed out and the system restarts. Log in again and wait for the desktop.
You should then be greeted with a dialog reading "Delaying for boot trace 1 of 1". Wait roughly 10 seconds, then click Finish.
A file called boot_1.etl is created in C:\xperf. Let it finish saving before you touch it.
Next, open the command prompt again and change to the xperf folder. From there, run the boot action to convert the trace into an XML summary:
C:\xperf>xperf -i boot_1.etl -o summary.xml -a boot
Now open the summary file (this launches whatever program is associated with .xml files):
C:\xperf>summary.xml
Search the file for bootDoneViaPostBoot. This is the total boot time in milliseconds, measured until the machine has stayed mostly idle for 10 seconds (the post-boot period), so those 10 seconds are included in the value. The neighbouring bootDoneViaExplorer attribute is the time until the Explorer shell started.
You can also search for interval. Each interval element is one boot phase (PreSMSS, SMSSInit, WinLogonInit, ExplorerInit, PostExplorerPeriod and the trailing TraceTail) with its start time, end time and duration, so you can locate the phase that is eating the time and then drill into its details.
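Reading the timing section by hand works once, but the security use case is comparing a fresh boot against a known-clean one so that a phase that suddenly takes twice as long stands out. The script below is an added example, not code from the original post or from CQURE: it parses the timing/interval section of a summary.xml, strips the 10-second idle window from bootDoneViaPostBoot, and flags phases that exceed a baseline. The embedded XML is a constructed sample modelled on the summary's timing layout, and the element and attribute names (timing, interval, name, startTime, endTime, duration) as well as the baseline numbers are assumptions you should check against your own summary.xml.

```python
"""Parse the timing section of an `xperf -a boot` summary.xml and compare
each boot phase against a known-good baseline.

Added example. The XML below is a constructed sample; element and
attribute names are assumed to match the real summary and should be
verified against your own file."""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed summary.xml from a slow boot.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<results>
  <boot>
    <timing bootDoneViaExplorer="41230" bootDoneViaPostBoot="63870" osLoaderDuration="2105">
      <interval name="PreSMSS" startTime="0" endTime="3410" duration="3410"/>
      <interval name="SMSSInit" startTime="3410" endTime="6120" duration="2710"/>
      <interval name="WinLogonInit" startTime="6120" endTime="27990" duration="21870"/>
      <interval name="ExplorerInit" startTime="27990" endTime="41230" duration="13240"/>
      <interval name="PostExplorerPeriod" startTime="41230" endTime="63870" duration="22640"/>
      <interval name="TraceTail" startTime="63870" endTime="243870" duration="180000"/>
    </timing>
  </boot>
</results>
"""

# Constructed baseline (ms per phase), assumed to come from a boot trace of
# the same machine in a verified-clean state. Record your own; the absolute
# numbers differ per hardware and installed software.
BASELINE_MS = {
    "PreSMSS": 3000,
    "SMSSInit": 2500,
    "WinLogonInit": 8000,
    "ExplorerInit": 6000,
    "PostExplorerPeriod": 12000,
}

POST_BOOT_IDLE_MS = 10_000  # the 10 s idle window folded into bootDoneViaPostBoot


def parse_boot_timing(xml_text):
    """Return (summary_attrs, {interval_name: duration_ms}) from summary.xml text."""
    root = ET.fromstring(xml_text)
    timing = root.find("./boot/timing")
    if timing is None:
        raise ValueError("no <boot><timing> element: not an `xperf -a boot` summary?")
    # Keep only the numeric attributes (bootDoneViaExplorer, bootDoneViaPostBoot, ...).
    summary = {k: int(v) for k, v in timing.attrib.items() if v.lstrip("-").isdigit()}
    intervals = {}
    for iv in timing.findall("interval"):
        # Prefer the explicit duration, fall back to endTime - startTime.
        if "duration" in iv.attrib:
            dur = int(iv.attrib["duration"])
        else:
            dur = int(iv.attrib["endTime"]) - int(iv.attrib["startTime"])
        intervals[iv.attrib["name"]] = dur
    return summary, intervals


def boot_time_without_idle(summary):
    """bootDoneViaPostBoot minus the 10 s post-boot idle period."""
    return summary["bootDoneViaPostBoot"] - POST_BOOT_IDLE_MS


def slow_phases(intervals, baseline, factor=1.5):
    """Phases whose duration exceeds `factor` x their baseline, as
    {name: (measured_ms, baseline_ms)}. Phases without a baseline entry
    (e.g. TraceTail, which only covers the trace time after boot is done)
    are skipped."""
    out = {}
    for name, base in baseline.items():
        measured = intervals.get(name)
        if measured is not None and measured > base * factor:
            out[name] = (measured, base)
    return out


def main():
    summary, intervals = parse_boot_timing(SAMPLE_XML)
    print(f"bootDoneViaExplorer : {summary['bootDoneViaExplorer']} ms")
    print(f"bootDoneViaPostBoot : {summary['bootDoneViaPostBoot']} ms "
          f"({boot_time_without_idle(summary)} ms before the 10 s idle window)")
    for name, dur in intervals.items():
        print(f"  {name:<20} {dur:>8} ms")
    for name, (measured, base) in slow_phases(intervals, BASELINE_MS).items():
        print(f"SLOW: {name} took {measured} ms vs baseline {base} ms "
              f"({measured / base:.1f}x) -> open this phase in WPA")


if __name__ == "__main__":
    main()
```

To use it on a real trace, replace SAMPLE_XML with the contents of your summary.xml and BASELINE_MS with the durations from a clean boot of the same machine. A phase flagged as slow tells you where to look in WPA; the stacks collected with -stackwalk then show which process or driver was busy in that phase.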
Now open boot_1.etl in Windows Performance Analyzer. From the command prompt, type:
C:\xperf>wpa boot_1.etl
Find the Boot Phases graph in WPA, right-click it and choose "Add graph to Analysis View". The summary table of the boot phases appears there, and you are ready to review the results: the phase that is out of line, and, thanks to the collected stacks, the processes and threads that were busy in it.
That's all for this episode.
Let us know if you have any questions, and we hope to see you in further episodes of CQURE Hacks Weekly.