Capturing the Authentication Trace

Auth traces are valuable for resolving a range of problems, including those related to Windows Hello for Business, device registration, and Active Directory authentication. When troubleshooting, it is usually essential that the Auth trace is running while the problem is reproduced, so the exact steps depend on the issue at hand. The text below can be copied into emails sent to the customer, with the wording adjusted to match the steps needed to reproduce the problem.


If the affected user has administrative privileges on the machine, you can follow these steps:

1. Download the Auth PowerShell script files from the following link:

https://aka.ms/authscripts

2. Extract the contents of the downloaded zip file to a folder of your preference.

3. Open PowerShell as administrator on your Windows 10/11 client and navigate to the directory where the script files were extracted.

4. Execute the command .\start-auth.ps1 -acceptEULA -v to initiate the trace. (The .\ prefix is required because PowerShell does not run scripts from the current directory by name alone.)

5. Reproduce the issue you are experiencing (e.g., lock and unlock the device for scenarios related to PRT issuance issues).

6. Run the command .\stop-auth.ps1 to stop the trace, and wait for it to finish.

7. Compress the AuthLogs folder, including all the captured data.

8. Use the provided secure case files link to upload the zipped AuthLogs folder.


If the affected user does not have administrative privileges on the machine, you can follow these steps:

1. Ensure that the affected user is signed out of the PC.

2. Sign into the PC using an admin account.

3. Download the Auth PowerShell script files from the following link:

https://aka.ms/authscripts

4. Extract the contents of the downloaded zip file to a folder of your choice.

5. Open an elevated PowerShell prompt by right-clicking on PowerShell and selecting “Run as administrator”.

6. Change the directory to where the extracted script files are located.

7. Execute the command .\start-auth.ps1 -acceptEULA -v to initiate the trace. (The .\ prefix is required because PowerShell does not run scripts from the current directory by name alone.)

8. Click the “Switch user” button in the Start menu and switch to the affected user account. Leave the admin session (and its PowerShell window) signed in, because the trace is still running there.

9. Sign in as the affected user. Whether the sign-in fails or reaches the desktop, switch back to the admin account afterwards.

Note: It may take up to 2 minutes for the PRT request to be captured, so wait at least that long in the affected user's session before switching back.

10. From the admin PowerShell prompt, run .\stop-auth.ps1 to stop the trace. Wait for the trace to finish.

11. Switch back to the affected user and open a regular (non-elevated) command prompt. The commands in step 13 report the token and device registration state of the account that runs them, so they must be run as the affected user, not as the admin.

12. Change the directory (CD) into the AuthLogs folder so that the output files land next to the captured trace data.

13. Run the following extra commands to capture the necessary data:

dsregcmd /status > dsregcmd-USER.txt
whoami > whoami-USER.txt
whoami /upn > whoami-USERUPN.txt
whoami /all > whoami-All.txt

14. Compress the AuthLogs folder, including the files created in step 13, and use the provided secure case files link to upload the zipped AuthLogs folder.
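The two procedures above can be driven from one PowerShell wrapper. The script below is an added example written for this page; it is not part of the Microsoft authscripts package. It assumes that start-auth.ps1 and stop-auth.ps1 were extracted to the folder passed as -ScriptDir, that stop-auth.ps1 writes its output to an AuthLogs folder inside that directory, and that the folder is readable by the affected user (extract to a location such as C:\AuthScripts rather than the admin's own profile when the affected user is not an administrator). The -Stage parameter and the Invoke-AuthTrace.ps1 name are this example's own conventions.

```powershell
<#
Wrapper for the Auth trace procedure (added example, not Microsoft's code).
Assumptions: the Auth scripts live in -ScriptDir and stop-auth.ps1 writes to
-ScriptDir\AuthLogs.
Affected user is an admin:   run once, elevated:  .\Invoke-AuthTrace.ps1 -ScriptDir C:\AuthScripts -AffectedUserIsCurrent
Affected user is not admin:  1) elevated, admin session:  .\Invoke-AuthTrace.ps1 -ScriptDir C:\AuthScripts
                             2) non-elevated, affected user: .\Invoke-AuthTrace.ps1 -ScriptDir C:\AuthScripts -Stage CollectUserInfo
                             3) admin session again:        .\Invoke-AuthTrace.ps1 -ScriptDir C:\AuthScripts -Stage Package
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ScriptDir,
    [ValidateSet('Trace', 'CollectUserInfo', 'Package')] [string] $Stage = 'Trace',
    [switch] $AffectedUserIsCurrent,
    [string] $CaseTag = 'case'
)

$ErrorActionPreference = 'Stop'
$logDir = Join-Path $ScriptDir 'AuthLogs'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Save-UserContext {
    # whoami and dsregcmd /status describe the caller's own token and PRT state,
    # so this must run in the affected user's (non-elevated) session.
    param([string] $Dir)
    if (-not (Test-Path $Dir)) { throw "AuthLogs folder not found at $Dir; stop the trace first." }
    $tag = $env:USERNAME
    dsregcmd /status | Out-File -FilePath (Join-Path $Dir "dsregcmd-$tag.txt") -Encoding utf8
    whoami           | Out-File -FilePath (Join-Path $Dir "whoami-$tag.txt") -Encoding utf8
    whoami /upn      | Out-File -FilePath (Join-Path $Dir "whoami-${tag}UPN.txt") -Encoding utf8
    whoami /all      | Out-File -FilePath (Join-Path $Dir "whoami-All.txt") -Encoding utf8
}

function Compress-AuthLogs {
    # Zip the folder and record a SHA-256 hash so the recipient can confirm the
    # upload arrived intact.
    param([string] $Dir, [string] $Tag)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $zip = Join-Path (Split-Path $Dir -Parent) "$Tag-$env:COMPUTERNAME-AuthLogs-$stamp.zip"
    Compress-Archive -Path $Dir -DestinationPath $zip -CompressionLevel Optimal
    $hash = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    "$hash  $(Split-Path $zip -Leaf)" | Out-File -FilePath "$zip.sha256" -Encoding ascii
    [pscustomobject]@{ Zip = $zip; Sha256 = $hash }
}

switch ($Stage) {
    'CollectUserInfo' {
        if (Test-IsElevated) { Write-Warning 'Running elevated; whoami output will reflect the elevated token.' }
        Save-UserContext -Dir $logDir
        Write-Host "User context written to $logDir. Switch back to the admin session and run -Stage Package."
    }
    'Package' {
        Compress-AuthLogs -Dir $logDir -Tag $CaseTag | Format-List
    }
    'Trace' {
        if (-not (Test-IsElevated)) { throw 'start-auth.ps1 needs an elevated PowerShell session.' }
        # The zip was downloaded from the internet, so its files carry the Mark of the Web;
        # unblock them and relax the execution policy for this process only.
        Get-ChildItem -Path $ScriptDir -Recurse -File | Unblock-File
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
        Push-Location $ScriptDir
        try {
            & .\start-auth.ps1 -acceptEULA -v
            Read-Host 'Trace running. Reproduce the issue (lock/unlock, or switch to the affected user and wait ~2 minutes), then press Enter'
            & .\stop-auth.ps1
        } finally {
            Pop-Location
        }
        if ($AffectedUserIsCurrent) {
            Save-UserContext -Dir $logDir
            Compress-AuthLogs -Dir $logDir -Tag $CaseTag | Format-List
        } else {
            Write-Host 'Trace stopped. Switch to the affected user and run -Stage CollectUserInfo, then return and run -Stage Package.'
        }
    }
}
```

The three stages exist because the user-context commands and the trace itself have to run under different accounts in the non-admin case; the hash file produced by the Package stage can be sent alongside the upload so the case owner can check the archive before opening it.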


The Windows command shell (cmd) version of the Auth Scripts can be downloaded from the following link:

https://github.com/raycrew5080/AuthScript-cmdversion/archive/refs/heads/main.zip