Tracing LDAP calls with Powershell
Spat had an eerily coincidental blog post the other day (HERE). The reason I say eerily is that the night before I was fighting to get an LDAP trace; the trace was to help figure out EXACTLY how SDS.ActiveDirectory gets replication cursors from a Domain Controller (another Joe Richards discussion). Anyway, I digress. I found the blog entry EXTREMELY useful, as it let me get what I needed. I left a comment suggesting that this looked like a good job for Powershell, since the file the tool produces is a CSV. That led to a "challenge" from Spat, and this is my response. I hope I did it justice.
Useful Links about Tracelog.exe
----------
Details about TraceLog.exe
LDAP tracing with TraceLog
ADSI tracing with TraceLog
Details about Script
Here are the functions in the script:
Trace-Log
-flag: Hex value for the flags you want to pass (Default Value = "0x1FFFDFF3")
-guid: GUID or file for tracing (Default Value = "LDAP")
-SessionName: Unique name for the actual trace session (Default Value = "mytrace")
-exe: The full name, with extension, of the EXE to add to the registry to enable tracing. This only has to be done the first time you want to trace a given EXE.
[switch]Start: If set, logging is enabled. If not set, logging is disabled (the session is stopped).
[switch]ADSI: If set, the ADSI provider GUID is passed for tracing
[switch]LDAP: If set, the LDAP provider GUID is passed for tracing
Convert-TraceLog
-Source: Trace (etl) file to convert to CSV (Default Value = ".\ldap.etl")
-file: File to write the results to (Default Value = "TraceResults.csv")
[switch]import: If set, it returns custom objects built from the CSV results
Below is a video that demos the script in use. I hope to do another one showing how to trace ADSI as well as LDAP. Make sure to read the comments in green; I tried to allow enough time, and you can click to pause.
Download Tracelog Transcript (right click | Save Target As…)
Code
Download Trace Log Functions (right click | Save Target As…)
function Trace-Log{
    Param($file = ".\ldap.etl",
          $flag = "0x1FFFDFF3",
          $guid = "LDAP",
          $SessionName = "mytrace",
          $exe,
          [switch]$start,
          [switch]$ADSI,
          [switch]$LDAP
    )
    if($ADSI){$guid = "ADSI"}
    # Map the friendly provider name to its GUID (tracelog expects a leading '#');
    # any other value (for example a GUID file) is passed through unchanged
    switch -exact ($guid)
    {
        "LDAP"  {$myguid = '#099614a5-5dd7-4788-8bc9-e29f43db28fc'}
        "ADSI"  {$myguid = '#7288c9f8-d63c-4932-a345-89d6b060174d'}
        Default {$myguid = $_}
    }
    Write-Host
    if($start)
    {
        Write-Host " Action: Start" -fore Yellow
        Write-Host " GUID: $guid" -fore Yellow
        Write-Host " File: $file" -fore Yellow
        Write-Host " Flag: $flag" -fore Yellow
        if($exe){Write-Host " Exe: $exe" -fore Yellow}
    }
    else
    {
        Write-Host " State: Disabled" -fore Red
    }
    Write-Host
    # Opt the executable in to LDAP client tracing; the key only needs creating once per EXE
    if($exe -and !(test-Path "HKLM:\System\CurrentControlSet\Services\ldap\tracing\$exe"))
    {
        new-Item -path "HKLM:\System\CurrentControlSet\Services\ldap\tracing" -name $exe | out-Null
    }
    if($start)
    {
        $cmd = "tracelog.exe -start '$SessionName' -f '$file' -flag '$flag' -guid '$myguid'"
    }
    else
    {
        $cmd = "tracelog.exe -stop '$SessionName'"
    }
    Write-Host
    Write-Host "==========================" -fore White -back black
    Write-Host "Running Command:" -fore White
    Write-Host " ==> $cmd" -fore Yellow
    invoke-Expression $cmd
    Write-Host "==========================" -fore White -back black
    Write-Host
}
function Convert-TraceFile{
    Param($Source=".\ldap.etl",$file="TraceResults.csv",[switch]$import)
    # tracerpt turns the binary ETL trace into CSV; -y overwrites an existing output file
    $cmd = "tracerpt.exe '$Source' -o '$file' -of CSV -y"
    invoke-Expression $cmd
    if($import)
    {
        import-Csv $file
    }
}
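The functions above split the start, stop and convert steps into separate calls, which leaves an ETW session running (and a tracing registry key behind) if the command you are tracing throws part way through. The wrapper below is an added example, not code from the original post: it runs the whole sequence for one command, stops the session in a finally block, removes the registry key it created, and returns the converted rows. It assumes tracelog.exe and tracerpt.exe are on the PATH, an elevated shell, that the traced executable is started inside the script block (so it loads the LDAP client library after the key exists), and that dsquery.exe (RSAT) is available for the usage line. The function name Invoke-LdapTrace and its parameters are my own; the registry path, flag value and provider GUIDs are the ones the script uses.

```powershell
# Added example: run one command under an LDAP/ADSI ETW trace and return the CSV rows.
# Assumes tracelog.exe / tracerpt.exe on PATH and an elevated session (not the post's code).
function Invoke-LdapTrace {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory)][string]$Exe,               # image name to trace, e.g. dsquery.exe
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,  # work that launches $Exe
        [string]$SessionName = 'mytrace',
        [string]$EtlFile     = (Join-Path $PWD 'ldap.etl'),
        [string]$CsvFile     = (Join-Path $PWD 'TraceResults.csv'),
        [string]$Flag        = '0x1FFFDFF3',
        [ValidateSet('LDAP','ADSI')][string]$Provider = 'LDAP'
    )

    # Provider GUIDs from the script above; tracelog wants the leading '#'
    $guids = @{
        LDAP = '#099614a5-5dd7-4788-8bc9-e29f43db28fc'
        ADSI = '#7288c9f8-d63c-4932-a345-89d6b060174d'
    }

    # The value becomes a registry key name, so accept only a bare image name
    if ($Exe -notmatch '^[A-Za-z0-9_.-]+\.exe$') {
        throw "Exe must be a bare image name such as dsquery.exe, got '$Exe'"
    }

    # Opt the process in to LDAP client tracing; remember whether we created the key
    $keyPath = "HKLM:\System\CurrentControlSet\Services\ldap\tracing\$Exe"
    $created = $false
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
        $created = $true
    }

    # Start the session with an argument array instead of Invoke-Expression,
    # so paths containing spaces or quotes cannot alter the command line
    $startArgs = @('-start', $SessionName, '-f', $EtlFile, '-flag', $Flag, '-guid', $guids[$Provider])
    & tracelog.exe @startArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "tracelog -start failed with exit code $LASTEXITCODE" }

    try {
        & $ScriptBlock
    }
    finally {
        # Always stop the session: an orphaned ETW session keeps writing to disk
        & tracelog.exe -stop $SessionName | Out-Null
        # Leave the machine as we found it
        if ($created) { Remove-Item -Path $keyPath -Force }
    }

    # Convert the binary ETL file to CSV (-y overwrites an existing file) and import it
    & tracerpt.exe $EtlFile -o $CsvFile -of CSV -y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }
    Import-Csv $CsvFile
}

# Usage (dsquery.exe assumed installed): trace the LDAP calls one query makes
# $rows = Invoke-LdapTrace -Exe 'dsquery.exe' -ScriptBlock { dsquery user -limit 5 | Out-Null }
# $rows | Select-Object -First 5 | Format-List
```

The scriptblock should launch the executable named in -Exe rather than call into the current shell, because the tracing key is picked up by a process that starts after it exists; to trace the shell itself, pass its own image name and restart the shell after the key is in place.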


Nice, but I recommend having a text file that has all of the text from the video so folks can read through it a little easier. Don’t post the text to your blog if you feel it is too much, but post a link to the text file.
Great feedback… I will post it soon.
Nice!
As an adjunct to your post, you can use the Windows Server 2008 Reliability and Performance Monitor to trace AD activity. I’ve covered this here:
http://www.activedir.org/Articles/tabid/54/articleType/ArticleView/articleId/49/Default.aspx
Along with the htm and xml report files that are created you also have etl trace files. If you dump these to CSV using tracerpt as Spat shows in his blog entry, you can see the LDAP search activity.
Tony
http://www.activedir.org
blog: www.open-a-socket.com