How to run Microsoft Network Monitor in WinPE

In this guide you learn how to run Microsoft Network Monitor in WinPE, for example for advanced debugging of OS deployment issues. The guide is based on the following KB article from Microsoft: http://support.microsoft.com/en-us/help/4034393/how-to-get-network-captures-from-a-task-sequence-in-windows-pe, but I've added some clarification steps, as well as PowerShell scripts to make the process easier (and automated).

To run Microsoft Network Monitor in WinPE you basically have to do four things:

  • Download and extract the Network Monitor files
  • Add the Network Monitor files, and driver, to WinPE
  • Start Network Monitor after WinPE has booted
  • Start a network capture and review it

Step 1 – Download and Extract the Network Monitor files

To add Network Monitor to WinPE (x64 in this example), you need to download Network Monitor 3.4 from the link below, and then extract the installation files. Download the architecture that matches your boot image, since the capture driver is architecture-specific. In my example I downloaded Network Monitor to the C:\Setup\Microsoft Network Monitor 3.4 folder.

Microsoft Network Monitor 3.4 download link (select the NM34_x64.exe option): http://go.microsoft.com/fwlink/?linkid=103158&clcid=0x409

Image: Downloading the x64 version of Microsoft Network Monitor 3.4.

To extract the Network Monitor 3.4 installation files, use this PowerShell script:

# Set path and verify it exists
$NetmonFile = "C:\Setup\Microsoft Network Monitor 3.4\NM34_x64.exe"
If (!(Test-Path $NetmonFile)){ Write-Warning "Network Monitor setup file not found, aborting..."; Break }
 
# Get the netmon.msi file from the self-extracting setup (/T: target folder, /C: extract only, do not install)
Start-Process -FilePath $NetmonFile -Wait -ArgumentList "/T:C:\Windows\Temp /C"
 
# Extract the netmon files from the netmon.msi file (administrative install, nothing gets installed on this machine)
Start-Process msiexec -Wait -ArgumentList "/A C:\Windows\Temp\netmon.msi /qb targetdir=C:\Windows\Temp\Netmon"

Image: The extracted network monitor files.

Step 2 – Add the Network Monitor files, and driver, to WinPE

The next step is to copy the various Network Monitor files to WinPE, and also add the Network Monitor driver.

Note: Still working on getting the parsers to work in WinPE, even though the Microsoft KB article claims they won't work 🙂 Will update the post once I figure it out. In the meantime, simply capture the network traffic in WinPE, save the result, and open it on a Windows machine with Network Monitor installed.

Here is a PowerShell script that does that for you:

# Note:
# To service a newer version of WinPE than the OS you are servicing from,
# for example WinPE v1703 from a Windows Server 2016 server, you need a newer DISM version.
# Solution: Simply install the latest ADK, and use DISM from that version.
# The script uses the selected dism.exe for mounting and unmounting as well, so the whole
# servicing operation runs with the same DISM version.
 
# If your Windows OS already has a newer version of DISM, uncomment the line below,
# and comment out the two lines that select the ADK version of DISM
# $DISMFile = 'dism.exe'
 
# Select DISM version to use
$DISMFile = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe'
If (!(Test-Path $DISMFile)){ Write-Warning "DISM in Windows ADK not found, aborting..."; Break }
 
# Verify the extracted netmon files and driver exist before touching the boot image
If (!(Test-Path "C:\Windows\Temp\Netmon\PFiles\Microsoft Network Monitor 3\netmon.exe")){ Write-Warning "Netmon files not found, aborting..."; Break }
If (!(Test-Path "C:\Windows\Temp\Netmon\windir\inf\netnm3.inf")){ Write-Warning "Netmon driver not found, aborting..."; Break }
 
# Mount boot image
$Bootimage = "E:\Sources\OSD\Boot\Zero Touch WinPE 10 v1703 x64\winpe.wim"
$MountDir = "C:\Mount"
If (!(Test-Path $Bootimage)){ Write-Warning "Boot image not found, aborting..."; Break }
If (!(Test-Path $MountDir)){ Write-Warning "Mount directory not found, creating it..."; New-Item -Path $MountDir -ItemType Directory }
If (Get-ChildItem -Force $MountDir) { Write-Warning "The $MountDir folder is not empty, aborting... Please cleanup manually"; Break }
& $DISMFile /Mount-Image /ImageFile:"$Bootimage" /Index:1 /MountDir:"$MountDir"
 
# Add netmon files
Copy-Item "C:\Windows\Temp\Netmon\PFiles\Microsoft Network Monitor 3" "$MountDir\Microsoft Network Monitor 3" -Recurse
 
# Add netmon driver (and copy nm3.sys manually, since netnm3.inf is missing CopyFiles instructions)
& $DISMFile /Image:"$MountDir" /Add-Driver /Driver:"C:\Windows\Temp\Netmon\windir\inf\netnm3.inf"
Copy-Item "C:\Windows\Temp\Netmon\windir\System32\drivers\nm3.sys" "$MountDir\Windows\System32\Drivers"
 
# Save the changes to the boot image
& $DISMFile /Unmount-Image /MountDir:"$MountDir" /Commit
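Before you distribute the updated boot image, it is worth checking that the files and the driver actually ended up inside it. The following script is an added check, not part of the original post. It mounts the image read-only, tests for the Network Monitor binaries and nm3.sys, asks DISM for the driver store contents, and discards the mount. The paths ($DISMFile, $Bootimage, $MountDir) are the same assumptions as in the servicing script above; adjust them to your environment.

```powershell
# Added check (not from the original post): verify the Network Monitor files and driver are in the boot image.
# Paths are assumptions, matching the servicing script above.
$DISMFile  = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe'
$Bootimage = "E:\Sources\OSD\Boot\Zero Touch WinPE 10 v1703 x64\winpe.wim"
$MountDir  = "C:\Mount"

If (!(Test-Path $DISMFile))  { Write-Warning "DISM not found, aborting..."; return }
If (!(Test-Path $Bootimage)) { Write-Warning "Boot image not found, aborting..."; return }
If (!(Test-Path $MountDir))  { New-Item -Path $MountDir -ItemType Directory | Out-Null }
If (Get-ChildItem -Force $MountDir) { Write-Warning "$MountDir is not empty, aborting..."; return }

# Mount read-only: nothing is changed, and the mount is discarded at the end
& $DISMFile /Mount-Image /ImageFile:"$Bootimage" /Index:1 /MountDir:"$MountDir" /ReadOnly

# Files the step 3 commands depend on
$Checks = @(
    @{ Name = "Network Monitor GUI (netmon.exe)";   Path = "$MountDir\Microsoft Network Monitor 3\netmon.exe" }
    @{ Name = "Driver setup tool (nmconfig.exe)";   Path = "$MountDir\Microsoft Network Monitor 3\nmconfig.exe" }
    @{ Name = "Capture driver (nm3.sys)";           Path = "$MountDir\Windows\System32\Drivers\nm3.sys" }
)
$Failed = $false
ForEach ($Check in $Checks) {
    If (Test-Path $Check.Path) { Write-Host "OK      : $($Check.Name)" }
    Else { Write-Warning "MISSING : $($Check.Name) at $($Check.Path)"; $Failed = $true }
}

# /Get-Drivers lists third-party drivers in the image, with their original INF file name
$Drivers = & $DISMFile /Image:"$MountDir" /Get-Drivers
If ($Drivers -match 'netnm3\.inf') { Write-Host "OK      : netnm3.inf is in the image's driver store" }
Else { Write-Warning "MISSING : netnm3.inf is not in the image's driver store"; $Failed = $true }

# Read-only mounts must be discarded, not committed
& $DISMFile /Unmount-Image /MountDir:"$MountDir" /Discard

If ($Failed) { Write-Warning "Boot image is not ready, re-run the servicing script" }
Else { Write-Host "Boot image verified, Network Monitor files and driver are present" }
```

If the driver store check fails but nm3.sys is present, the /Add-Driver step did not succeed; re-run it with the image mounted read-write and read the DISM log (C:\Windows\Logs\DISM\dism.log) for the reason.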

Step 3 – Start Network Monitor after WinPE has booted

The final step is to boot into WinPE, open a command prompt (press F8; in ConfigMgr this requires command support to be enabled on the boot image), navigate to the X:\Microsoft Network Monitor 3 folder, and run the following commands. The first command installs the Network Monitor capture driver on the network adapters, the second starts the Network Monitor GUI:

nmconfig.exe /install

netmon.exe

Image: Starting Network Monitor in WinPE.

Image: Microsoft Network Monitor running in WinPE.

Step 4 – Start a network capture and review it

Now you're ready to capture network traffic and review the data. As mentioned in step 2, I haven't yet figured out how to install the parsers in WinPE, so once the capture is completed you need to save it to a network location, and open it on a Windows machine where Network Monitor is installed. Keep in mind that the capture contains everything that went over the wire during the deployment, including the authentication exchanges with the deployment share or distribution point and any content that was sent unencrypted, so treat the saved .cap file as sensitive: save it to a share with restricted permissions, and delete it when you are done. Here are the steps:

1. Once Network Monitor is started, in the toolbar, select New Capture, and then click Start (or press F5).

2. When you have captured what you want, click Stop (or press F7), and save the capture (File / Save As) to a network share.

3. On a machine running Windows (any supported version), install Microsoft Network Monitor 3.4 with the Typical installation option, which includes the parsers.

4. Using Network Monitor, open the previously saved network capture.

Image: A capture saved in WinPE, opened on another machine with Network Monitor installed.
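When you are debugging the same task sequence over and over, clicking through the GUI in WinPE gets old. The following script automates steps 3 and 4 from an F8 command prompt: it runs nmconfig.exe /install, captures for a fixed number of minutes with NMCap.exe (the command-line capture tool that Network Monitor 3.4 installs next to netmon.exe, so the step 2 script copies it into the boot image too), and copies the .cap file to a share. It is an added example, not code from the original post or from Microsoft. Assumptions: the boot image includes the WinPE PowerShell component, and the share name, the account and the capture length are placeholders for your environment.

```powershell
# Added example (not from the original post): unattended capture in WinPE with NMCap.exe, then copy to a share.
# The share, account and capture length are assumptions; adjust them to your environment.
$NetmonDir  = "X:\Microsoft Network Monitor 3"
$CaptureDir = "X:\Windows\Temp"
$Share      = "\\SERVER01\OSDLogs$"   # assumed share; restrict its permissions, the capture is sensitive
$ShareUser  = "CORP\OSDLogWriter"     # assumed account with write access to the share
$Minutes    = 10                      # how long to capture before stopping automatically

If (!(Test-Path "$NetmonDir\nmcap.exe")) { Write-Warning "nmcap.exe not found in $NetmonDir, aborting..."; return }

# Same as the manual step: install the capture driver on the adapters first
Start-Process -FilePath "$NetmonDir\nmconfig.exe" -ArgumentList "/install" -Wait

# One file per machine and boot, so traces from different test runs don't overwrite each other
$CapFile = Join-Path $CaptureDir ("{0}-{1}.cap" -f $env:COMPUTERNAME, (Get-Date -Format "yyyyMMdd-HHmmss"))

# /network *             capture on every adapter
# /capture               no capture filter, i.e. capture everything (e.g. /capture "tcp.port==80" would narrow it)
# /file                  where to write the .cap file
# /StopWhen /TimeAfter   stop automatically, so the script never blocks forever
Start-Process -FilePath "$NetmonDir\nmcap.exe" -Wait `
    -ArgumentList "/network * /capture /file `"$CapFile`" /StopWhen /TimeAfter $Minutes min"

If (!(Test-Path $CapFile)) { Write-Warning "No capture file was written, check that nmconfig.exe /install succeeded"; return }

# Copy the capture off the machine: WinPE runs from RAM, so the file is gone after the next reboot
$Password = Read-Host -AsSecureString "Password for $ShareUser"
$Cred = New-Object System.Management.Automation.PSCredential($ShareUser, $Password)
New-PSDrive -Name OSDLogs -PSProvider FileSystem -Root $Share -Credential $Cred | Out-Null
Copy-Item -Path $CapFile -Destination "OSDLogs:\"
Remove-PSDrive -Name OSDLogs
Write-Host "Capture saved to $Share\$(Split-Path $CapFile -Leaf); open it on a machine with Network Monitor 3.4 installed"
```

The capture filter is deliberately empty here, because the point of a deployment trace is usually to see what did not happen (a failed DHCP lease, a PXE or SMB exchange that never completes). If the trace gets too large, narrow it with a capture filter on the port or host you are interested in rather than shortening the time.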

Written by Johan Arwidmark
