
Feature/tss offline rescue wrapper#131

Open
jdickson289 wants to merge 17 commits into
masterfrom
feature/tss-offline-rescue-wrapper

Conversation

@jdickson289

Collaborator

PowerShell wrapper script to allow TSS to run against a nested VM disk to collect logs.

jdickson289 and others added 2 commits May 9, 2026 14:56
…ssessment script

Adds two new pre-upgrade checks to Windows_OSUpgrade_Assessment_Validation.ps1:

1. Get-LegacyDriverBlockers: Scans the Services registry for known legacy
   VMware/ghost hardware drivers (vmmouse, vm3dmp, flpydisk, vmhgfs, vmrawdsk,
   vmusbmouse, vmvss, vmscsi, vmxnet) that are set to load (Start <= 3).
   These drivers cause IPU to fail with 0xC1900101-0x50016 when Windows Setup
   boots into SafeOS and encounters hardware unsupported by the Azure Hyper-V host.

2. Get-GlobalFlagStatus: Detects GlobalFlag enabled in Session Manager
   (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager). When set, this
   forces Windows Setup into PageHeap/debug mode, throttling memory operations
   and causing IPU to time out and roll back.

Both checks output [Failed] checklist items with inline remediation guidance:
- Disable (not Uninstall) legacy devices in Device Manager before retrying IPU
- Remove GlobalFlag via reg delete and reboot before retrying IPU

Addresses scenario: lift-and-shift Azure VMs from VMware/on-premises environments.
Related ADO: #35892966

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
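The two pre-upgrade checks the commit describes, written out as an added example (not the PR's own code). It assumes it runs elevated on the live VM against the standard CurrentControlSet paths named in the commit message:

```powershell
# Added example (not the PR's own code): the two pre-upgrade checks described above.
# Assumes it runs elevated on the live VM against the standard CurrentControlSet paths.
function Get-LegacyDriverBlockers {
    param(
        # Driver service names from the commit message, matched exactly against Services subkeys
        [string[]]$KnownBlockers = @('vmmouse', 'vm3dmp', 'flpydisk', 'vmhgfs', 'vmrawdsk',
                                     'vmusbmouse', 'vmvss', 'vmscsi', 'vmxnet'),
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    foreach ($name in $KnownBlockers) {
        $key = Join-Path $ServicesRoot $name
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        # Start 0..3 = boot/system/auto/manual (driver will load); 4 = disabled, which is the fix
        if ($null -ne $props.Start -and $props.Start -le 3) {
            [pscustomobject]@{ Service = $name; Start = $props.Start; ImagePath = $props.ImagePath }
        }
    }
}

function Get-GlobalFlagStatus {
    param([string]$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager')
    $gf = (Get-ItemProperty -LiteralPath $SessionManager -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
    # Any non-zero value means machine-wide debug flags (e.g. page heap) are enabled
    if ($null -ne $gf -and $gf -ne 0) { [pscustomobject]@{ GlobalFlag = ('0x{0:X8}' -f $gf) } }
}

$blockers = @(Get-LegacyDriverBlockers)
if ($blockers.Count -gt 0) {
    Write-Output '[Failed] Legacy drivers set to load; disable (do not uninstall) them in Device Manager before retrying IPU:'
    $blockers | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output '[Passed] No known legacy driver services set to load'
}

$gfStatus = Get-GlobalFlagStatus
if ($gfStatus) {
    $msg = '[Failed] GlobalFlag {0} is set in Session Manager; remove it (reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v GlobalFlag /f) and reboot before retrying IPU' -f $gfStatus.GlobalFlag
    Write-Output $msg
} else {
    Write-Output '[Passed] GlobalFlag is not set'
}
```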

Copilot AI left a comment


Pull request overview

Adds a Windows PowerShell wrapper to collect troubleshooting artifacts from an offline (attached) OS disk in a rescue-VM scenario, with an option to run TSS on the rescue VM; additionally extends the existing Windows OS upgrade assessment script with extra IPU blocker checks.

Changes:

  • Introduces Invoke-TSSOfflineRescueWrapper.ps1 to collect offline Windows logs/hives and optionally run TSS on the rescue VM.
  • Adds documentation for the new offline rescue wrapper usage and parameters.
  • Enhances OS upgrade assessment validation with legacy driver and GlobalFlag detection.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| RunCommand/Windows/Windows_OSUpgrade_Assessment_Validation/Windows_OSUpgrade_Assessment_Validation.ps1 | Adds legacy driver + GlobalFlag checks intended to flag additional in-place-upgrade blockers. |
| RunCommand/Windows/TSSOfflineRescueWrapper/Invoke-TSSOfflineRescueWrapper.ps1 | New wrapper script for offline artifact collection and optional on-rescue TSS execution. |
| RunCommand/Windows/TSSOfflineRescueWrapper/readme.md | Usage examples and parameter documentation for the new wrapper script. |


}
}

# --- Run legacy driver and GlobalFlag checks (server IPU blocker detection) ---
# ---- Legacy driver and GlobalFlag detection ----------------------------------
function Get-LegacyDriverBlockers {
# Known legacy VMware / ghost hardware drivers that cause 0xC1900101-0x50016
$knownBlockers = @('vmmouse', 'vm3dmp', 'flpydisk', 'vmhgfs', 'vmrawdsk', 'vmusbmouse', 'vmvss', 'vmscsi', 'vmxnet')
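Review bot: the hardcoded $knownBlockers list in Get-LegacyDriverBlockers carries no note on how entries are matched against the Services subkeys (exact key name versus prefix) or which Start values count as "set to load"; the commit message states Start <= 3, so put that rule in the comment beside the list (e.g. `# matched by exact service key name; flagged when Start <= 3`) and consider exposing the list as a parameter so the nine names documented in the readme and the code cannot drift apart.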
jdickson289 and others added 7 commits June 12, 2026 13:40
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…icit consent

- Split registry hive collection into safe (SYSTEM/SOFTWARE/COMPONENTS) and credential-bearing (SAM/SECURITY/DEFAULT)
- -IncludeRegistryHives now collects only safe diagnostic hives by default
- New -IncludeCredentialHives switch required to collect SAM/SECURITY/DEFAULT
- Added explicit warning when credential hives are collected
- Updated readme with security documentation and usage examples

Resolves PR #131 P1 blocker: prevents local account hashes, LSA secrets, and DPAPI material from being collected by default in support bundles.
BREAKING CHANGE: Removed TSS.ps1 execution entirely. This wrapper now performs ONLY offline static file collection from the broken disk. TSS.ps1 cannot run against offline disks, so the previous hybrid design was fundamentally flawed.

**New features:**
- -OutputPath parameter to override default C:\MS_DATA\TSS_PERF_OFFLINE
- -IncludeMemoryDump opt-in switch for MEMORY.DMP (large + may contain secrets)
- Write-Progress with per-artifact size for long copies (CBS, catroot2, dumps)
- Chain-of-custody manifest (manifest.json) with SHA-256 hashes
- Self-transcript (wrapper-transcript.log) saved to bundle
- -WhatIf support for dry-run preview
- Collection summary (items copied/skipped, total size)

**Removed:**
- All TSS.ps1 execution code
- Parameters: -TssPath, -TssCollectLog, -TssArguments, -NoAcceptEula

**Security enhancements (from P1 fix):**
- MEMORY.DMP moved to opt-in (-IncludeMemoryDump) with size warning
- Registry hives split: safe (SYSTEM/SOFTWARE/COMPONENTS) vs credential-bearing (SAM/SECURITY/DEFAULT)
- Credential hives require explicit -IncludeCredentialHives + warning

**Documentation:**
- Readme completely rewritten to reflect Option A design
- Clear explanation: static offline collection only, no live diagnostics
- Updated examples and parameter documentation
- Removed -IncludeRegistryHives parameter
- Safe diagnostic hives (SYSTEM, SOFTWARE, COMPONENTS) now collected automatically
- Credential-bearing hives still require explicit -IncludeCredentialHives switch
- Updated readme to reflect registry hives are always included
- Updated manifest generation to remove obsolete parameter

Rationale: Registry hives are essential for proper troubleshooting in rescue scenarios. Making them always-on eliminates the need to remember the switch and ensures complete diagnostic data collection.
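The hive handling described in the two commit messages above (safe hives always collected, SAM/SECURITY/DEFAULT only behind -IncludeCredentialHives with a warning, -WhatIf dry run, SHA-256 manifest), as an added example that is not the PR's own script. $OfflineRoot is assumed to be the drive letter of the attached broken OS disk on the rescue VM:

```powershell
# Added example (not the PR's own code): offline hive collection with the safe/credential split,
# explicit opt-in warning, -WhatIf dry run and a SHA-256 manifest. $OfflineRoot is assumed
# to be the drive letter of the attached broken OS disk on the rescue VM.
function Copy-OfflineRegistryHives {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OfflineRoot,
        [string]$OutputPath = 'C:\MS_DATA\TSS_PERF_OFFLINE',
        [switch]$IncludeCredentialHives
    )
    $credentialHives = @('SAM', 'SECURITY', 'DEFAULT')
    # Safe diagnostic hives are always collected; credential-bearing ones only on explicit opt-in
    $hives = @('SYSTEM', 'SOFTWARE', 'COMPONENTS')
    if ($IncludeCredentialHives) {
        Write-Warning 'Collecting SAM/SECURITY/DEFAULT: the bundle will contain local account hashes, LSA secrets and DPAPI material. Handle and transfer it as credential material.'
        $hives += $credentialHives
    }
    $config = Join-Path $OfflineRoot 'Windows\System32\config'
    $dest = Join-Path $OutputPath 'registry'
    $manifest = @()
    foreach ($hive in $hives) {
        $src = Join-Path $config $hive
        if (-not (Test-Path -LiteralPath $src)) { Write-Verbose "Skipped $hive (not found)"; continue }
        # With -WhatIf this prints the intended copy and returns $false, so nothing is written
        if (-not $PSCmdlet.ShouldProcess($src, "Copy to $dest")) { continue }
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        Copy-Item -LiteralPath $src -Destination $dest -Force
        $copied = Join-Path $dest $hive
        # Hash the copy so the bundle can be verified after transfer (chain of custody)
        $manifest += [pscustomobject]@{
            Source     = $src
            Sha256     = (Get-FileHash -LiteralPath $copied -Algorithm SHA256).Hash
            SizeBytes  = (Get-Item -LiteralPath $copied).Length
            Credential = ($hive -in $credentialHives)
            CopiedUtc  = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
    if ($manifest.Count -gt 0) {
        $manifest | ConvertTo-Json -Depth 3 |
            Set-Content -LiteralPath (Join-Path $OutputPath 'manifest.json') -Encoding UTF8
    }
    return $manifest
}

# Preview first, then collect the safe hives only (the default behaviour)
Copy-OfflineRegistryHives -OfflineRoot 'F:\' -WhatIf
Copy-OfflineRegistryHives -OfflineRoot 'F:\' -Verbose
```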
…equivalent

Added 30+ collection paths to match TSS.ps1 static file collection:

**Windows Update & Servicing:**
- Complete Windows\Logs\WindowsUpdate folder (was missing)
- Full SoftwareDistribution folder (was only ReportingEvents.log)
- WinSxS pending.xml and poqexec.log
- Windows\servicing\Sessions
- USOPrivate\UpdateStore
- Windows\Logs\MoSetup (Modern Setup)

**Setup & Upgrade:**
- \.~BT\Sources\Panther (setup source)
- Windows\System32\Sysprep\Panther

**Drivers:**
- Complete Windows\INF folder (was only two setupapi logs)
- Windows\System32\DriverStore\FileRepository
- Windows\Logs\DPX (device setup)

**Error Reporting & Diagnostics:**
- ProgramData\Microsoft\Windows\WER (Windows Error Reporting)
- Windows\LiveKernelReports
- Windows\System32\LogFiles (system logs)
- Windows\Performance\WinSAT
- Windows\Temp

**System Configuration:**
- Windows\System32\spp\store (activation/licensing)
- Windows\System32\Tasks + Windows\Tasks (scheduled tasks)
- Windows\System32\LogFiles\Firewall

**Security:**
- ProgramData\Microsoft\Windows Defender\Support

Collection now comprehensive for Windows Update, setup, driver, and servicing troubleshooting scenarios. Expect larger collection size (several hundred MB to GB depending on system state).

Updated readme to reflect expanded scope and collection size expectations.
- Added Windows\WindowsUpdate.log for Windows 7/8/Server 2012 R2 and earlier
- Already collecting Windows\Logs\WindowsUpdate (ETL files for Win10+)
- Updated readme to clarify:
  * ETL files are collected (source data)
  * Get-WindowsUpdateLog must be run on a live system to generate readable log
  * Legacy WindowsUpdate.log is collected for older OS versions

Users can run Get-WindowsUpdateLog after bringing system online or on the rescue VM with the collected ETL files to generate the human-readable WindowsUpdate.log.
- Renamed Invoke-TSSOfflineRescueWrapper.ps1 -> tssofflinelogcollector.ps1
- Updated all script references in readme.md
- Better reflects what the script does: offline log collection (not a wrapper around TSS.ps1)
- Only check/create MS_DATA root when using default path
- Prevents undefined variable error when -OutputPath is specified
- Script already creates C:\MS_DATA\TSS_PERF_OFFLINE by default (matching TSS.ps1 behavior)
