How do I manually collect logs if PPLOGS as User or Admin does not launch?
NOTE: PPLOGs does not magically stop working, there is always some underlying cause. Typically some sort of barrier which prevents it... pplogs or other tools used in the pplogs process (like reg.exe) from working. If there is something in your environment that is blocking the automated (pplogs) way of gathering log information you can still fetch this information by hand.
First, manually collect the information for the ADMIN Logs:
Step 1 – Login as an Administrator to the computer where the issue is occurring then gather the following:
-
Copy entire
%programdata%\PolicyPakfolder, this folder includes logs, dumps, policy store, and xmldata files.NOTE: Some of these files cannot be accessed without elevation. The easiest UI way to get them might be to copy the
%programdata%\PolicyPakfolder to Desktop and then approve the elevation when prompted.
Step 2 – Run Regedit as Administrator, then export the following registry keys if they are present, ignore any keys that do not exist.
HKLM\Software\PolicyPak\Client-Side Extensions\{1659C456-08FC-4359-B125-BB70EE34DD55}HKLM\Software\Classes\PPBRURLHKLM\Software\Classes\PPBRNURLHKLM\Software\Clients\StartMenuInternetHKLM\Software\Policies\Google\ChromeHKLM\Software\Policies\Microsoft\Windows\ExplorerHKLM\Software\Policies\Microsoft\Windows\SystemHKLM\Software\Policies\PolicyPakHKLM\Software\PolicyPakHKLM\Software\Microsoft\Windows\CurrentVersion\App PathsHKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSIDHKLM\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy \{123AA0DB-7D32-4E82-9CBB-14E096E802AF}HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensionsHKLM\Software\RegisteredApplications
Step 3 – Launch Event Viewer as Administrator:
-
Expand "Applications and Services Logs", right-click on "Netwrix Endpoint Policy Manager (formerly PolicyPak)" event log and choose "Save All Events As…", save the file as
"endpointpolicymanager.evtx" -
Expand "Applications and Services Logs" > "Microsoft" > "Windows", right-click on "GroupPolicy" event log and choose "Save All Events As…", save the file as
"GroupPolicy.evtx" -
Expand "Windows Logs" then right-click the "Application" log and choose "Save All Events As…" save the file as
"Application.evtx".
Step 4 – Lastly, zip up everything you have collected on the ADMIN side
aspplogs_as_admin_SRX#.zip(substitute your Service request number for "SRX#") then upload to the
SUPPORT INBOX on SHAREFILE:
https://endpointpolicymanager.sharefile.com/share/getinfo/rc857a57f16b4d4b9
Next, manually collect the information for the USER Logs:
Step 1 – Login as a regular (non-admin) user to the computer where the issue is occurring then gather the following:
- Copy entire
%localappdata%\PolicyPak, this folder is important for troubleshooting all and any CSE issues. - Locate and gather any Endpoint Policy Manager log files in the
%TEMP%, %USERPROFILE%,%APPDATA%, and%LOCALAPPDATA%folders.
Step 2 – Run Regedit then export the following registry keys if they are present, ignore any keys that do not exist.
HKCU\Software\Mozilla\Firefox\ExtensionsHKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{123AA0DB-7D32-4E82-9CBB-14E096E802AF}HKCU\Software\Microsoft\Internet Explorer\Main\EnterpriseModeHKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoiceHKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoiceHKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseModeHKCU\Software\Policies\Microsoft\Windows\ExplorerHKCU\Software\PolicyPak
Step 3 – Lastly, zip up everything you have collected on the USER side as
pplogs_as_user_SRX#.zip (substitute your Service request number for "SRX#") then upload to the
SUPPORT INBOX on SHAREFILE:
https://endpointpolicymanager.sharefile.com/share/getinfo/rc857a57f16b4d4b9