Gathering a Network Trace During Computer Startup

The steps below can be used to gather a network trace during computer startup. You can also achieve this by mirroring the port on the switch or by moving the computer to a hub where a second computer takes the capture in promiscuous mode. If you do not have these options, here are some steps to perform the capture from the computer being rebooted. This procedure has been tested successfully on x86 versions of Windows XP, Windows Vista, and Windows 7.

  1. Install Network Monitor (Netmon) on the computer. The Netmon install includes the Netcap command-line tool.

  2. Create the folder C:\caps.

  3. Copy SRVANY.EXE into C:\caps. SRVANY is available as part of the Windows Server 2003 Resource Kit Tools.

  4. Use Notepad to save the text below as cap.cmd in the C:\caps folder.

    nmcap /network * /capture /file c:\caps\startup.cap /disableconversations /terminatewhen /timeafter 30 sec

    This script only generates a 30-second trace. Measure the time from computer startup to when the desktop is visible and modify the last part of this script (the /timeafter value) accordingly.

  5. Use the SC command to create the following service registry entries:

    sc create capservice binpath= c:\caps\srvany.exe type= own start= auto

    Note that the spaces after the equal signs are required.

  6. Add the following REG_SZ value entries to the registry (without the quotes):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\capservice]
    "Group"="TDI"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\capservice\Parameters]
    "Application"="c:\windows\system32\cmd.exe"
    "AppParameters"="/k c:\caps\cap.cmd"

  7. Reboot the computer to generate the capture which will be saved as C:\caps\startup.cap.

  8. After you finish troubleshooting the issue, remove the service using the following command:

    sc delete capservice
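As an added example that is not part of the original article, the PowerShell script below automates steps 2 through 6 and verifies the service configuration before you reboot; it assumes Network Monitor (nmcap.exe) is already installed, that srvany.exe has already been copied into C:\caps, and that it is run from an elevated prompt. The $CapDir, $ServiceName and $TraceSecs variables are my own names, not values from the article.

```powershell
# Added example: set up the startup capture service described above and verify it.
# Assumptions: nmcap.exe is on the PATH (Netmon installed) and srvany.exe is in $CapDir.
$CapDir      = 'C:\caps'
$ServiceName = 'capservice'
$TraceSecs   = 30   # adjust to the measured time from startup to desktop (step 4)

# Step 2/3: folder must exist and already contain srvany.exe.
New-Item -ItemType Directory -Path $CapDir -Force | Out-Null
if (-not (Test-Path "$CapDir\srvany.exe")) { throw "srvany.exe is missing from $CapDir" }

# Step 4: write cap.cmd. /terminatewhen /timeafter makes nmcap stop by itself.
$capCmd = "nmcap /network * /capture /file $CapDir\startup.cap /disableconversations /terminatewhen /timeafter $TraceSecs sec"
Set-Content -Path "$CapDir\cap.cmd" -Value $capCmd -Encoding ASCII

# Step 5: register srvany as an auto-start service (sc requires the space after each '=').
sc.exe create $ServiceName binpath= "$CapDir\srvany.exe" type= own start= auto | Out-Null

# Step 6: Group=TDI starts the service early in the boot order; the Parameters
# values tell srvany which program to launch and with what arguments.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
Set-ItemProperty -Path $svcKey -Name Group -Value 'TDI' -Type String
New-Item -Path "$svcKey\Parameters" -Force | Out-Null
Set-ItemProperty -Path "$svcKey\Parameters" -Name Application   -Value "$env:SystemRoot\System32\cmd.exe" -Type String
Set-ItemProperty -Path "$svcKey\Parameters" -Name AppParameters -Value "/k $CapDir\cap.cmd" -Type String

# Check before rebooting: auto-start, points at srvany, Parameters populated.
# Get-WmiObject is used because the article targets XP/Vista/7 (PowerShell 2.0).
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($null -eq $svc -or $svc.StartMode -ne 'Auto' -or $svc.PathName -notmatch 'srvany\.exe') {
    throw "Service $ServiceName is not configured as expected"
}
$params = Get-ItemProperty -Path "$svcKey\Parameters"
"OK: $($svc.PathName) will run $($params.Application) $($params.AppParameters)"

# The service runs as LocalSystem, so keep $CapDir writable by administrators only
# and remove the service once the trace is collected (step 8): sc.exe delete $ServiceName
```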