## How to run Microsoft Network Monitor in WinPE

Jul 31 2017

In this guide you will learn how to run Microsoft Network Monitor in WinPE, for example for advanced debugging of OS deployment issues. This guide is based on the following KB article from Microsoft: https://support.microsoft.com/en-us/help/4034393/how-to-get-network-captures-from-a-task-sequence-in-windows-pe. I've added some clarifying steps, as well as PowerShell scripts to make the process easier (and automated).

To run Microsoft Network Monitor in WinPE you basically have to do three things:

• Extract the Network Monitor files
• Add the Network Monitor files, and driver, to WinPE
• Start Network Monitor after WinPE has booted

## Step 1 – Extract the Network Monitor files

To add Network Monitor to WinPE (x64 in this example), you need to download Network Monitor 3.4 from the below link, and then extract the installation files. In my example I downloaded Network Monitor to the C:\Setup\Microsoft Network Monitor 3.4 folder.

To extract the Network Monitor 3.4 installation files, use this PowerShell script:

```
# Set path and verify it exists
$NetmonFile = "C:\Setup\Microsoft Network Monitor 3.4\NM34_x64.exe"
If (!(Test-Path $NetmonFile)){ Write-Warning "Network Monitor setup file not found, aborting..."; Break }

# Get the netmon.msi file
Start-Process -FilePath $NetmonFile -Wait -ArgumentList "/T:C:\Windows\Temp /C"

# Extract netmon files from the netmon.msi file
Start-Process msiexec -Wait -ArgumentList "/A C:\Windows\Temp\netmon.msi /qb targetdir=C:\Windows\Temp\Netmon"
```

The extracted network monitor files.

## Step 2 - Add the Network Monitor files, and driver, to WinPE

The next step is to copy the various Network Monitor files to WinPE, and also add the Network Monitor driver. Here is a PowerShell script that does that for you:

Note: Still working on getting the parsers to work in WinPE even though the Microsoft KB article claims they won't work :) Will update the post once I figure it out. In the meantime, simply capture the network in WinPE, save the result, and open it on a Windows machine with Network Monitor installed.

```
# Note:
# To service a newer version of WinPE than the OS you are servicing from,
# for example WinPE v1703 from a Windows Server 2016 server, you need a newer DISM version.
# Solution: Simply install the latest ADK, and use DISM from that version

# If your Windows OS already has a newer version of DISM, uncomment the below line,
# and comment out the ADK $DISMFile assignment further down
# $DISMFile = 'dism.exe'

# Select DISM version to use
$DISMFile = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\dism.exe'

# Verify the extracted netmon files before mounting, so an abort does not leave the image mounted
If (!(Test-Path "C:\Windows\Temp\Netmon\PFiles\Microsoft Network Monitor 3\netmon.exe")){ Write-Warning "Netmon files not found, aborting..."; Break }

# Mount boot image
$Bootimage = "E:\Sources\OSD\Boot\Zero Touch WinPE 10 v1703 x64\winpe.wim"
$MountDir = "C:\Mount"
If (!(Test-Path $MountDir)){ Write-Warning "Mount directory not found, creating it..."; New-Item -Path $MountDir -ItemType Directory }
If (!((Get-ChildItem -Force $MountDir) -eq $Null)) { Write-Warning "The $MountDir folder is not empty, aborting... Please cleanup manually"; Break }
Mount-WindowsImage -ImagePath $Bootimage -Index 1 -Path $MountDir

# Copy the netmon program files into the boot image
Copy-Item "C:\Windows\Temp\Netmon\PFiles\Microsoft Network Monitor 3" "$MountDir\Microsoft Network Monitor 3" -Recurse

# Add netmon driver (and copy nm3.sys since netnm3.inf is missing Copyfiles instructions)
Copy-Item "C:\Windows\Temp\Netmon\windir\System32\drivers\nm3.sys" "$MountDir\Windows\System32\Drivers"

# Save the changes to the boot image
Dismount-WindowsImage -Path $MountDir -Save
```
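Since Step 2 places a kernel driver into a boot image, it is worth verifying the result before distributing the image. The following is an added example, not part of the original post: it checks the Authenticode signature of the downloaded setup file, then mounts the boot image read-only and confirms that the Network Monitor files are present and that nm3.sys matches the extracted copy. The function name Test-NetmonBootImage is hypothetical, the paths are the ones used in the scripts above, and it assumes the download carries an embedded signature.

```powershell
# Added example: verify the download and the serviced boot image (hypothetical helper)
function Test-NetmonBootImage {
    param(
        [string]$NetmonFile = "C:\Setup\Microsoft Network Monitor 3.4\NM34_x64.exe",
        [string]$Bootimage  = "E:\Sources\OSD\Boot\Zero Touch WinPE 10 v1703 x64\winpe.wim",
        [string]$MountDir   = "C:\Mount",
        [string]$Extracted  = "C:\Windows\Temp\Netmon"
    )

    # Check the signature of the setup file the driver was extracted from
    $Signature = Get-AuthenticodeSignature -FilePath $NetmonFile
    If ($Signature.Status -ne 'Valid') {
        Write-Warning "Setup file signature status is $($Signature.Status)"
        return $false
    }
    Write-Host "Setup file signed by: $($Signature.SignerCertificate.Subject)"

    # Mount read-only so the check cannot modify the image
    Mount-WindowsImage -ImagePath $Bootimage -Index 1 -Path $MountDir -ReadOnly | Out-Null
    Try {
        $Expected = @(
            "Microsoft Network Monitor 3\netmon.exe",
            "Microsoft Network Monitor 3\nmconfig.exe",
            "Windows\System32\Drivers\nm3.sys"
        )
        $Missing = @($Expected | Where-Object { !(Test-Path (Join-Path $MountDir $_)) })
        If ($Missing.Count -gt 0) {
            Write-Warning "Missing from boot image: $($Missing -join ', ')"
            return $false
        }

        # The driver in the image must be byte-identical to the extracted one
        $SourceDriver = Join-Path $Extracted "windir\System32\drivers\nm3.sys"
        $ImageDriver  = Join-Path $MountDir "Windows\System32\Drivers\nm3.sys"
        $SourceHash = (Get-FileHash $SourceDriver -Algorithm SHA256).Hash
        $ImageHash  = (Get-FileHash $ImageDriver -Algorithm SHA256).Hash
        return ($SourceHash -eq $ImageHash)
    }
    Finally {
        # Always release the mount; nothing was changed, so discard
        Dismount-WindowsImage -Path $MountDir -Discard | Out-Null
    }
}

Test-NetmonBootImage
```

Run it from an elevated PowerShell prompt after the Step 2 script has dismounted the image, so that C:\Mount is empty again.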

## Step 3 - Start Network Monitor after WinPE has booted

The final step is to boot into WinPE, navigate to the X:\Microsoft Network Monitor 3 folder, and run the following commands:

```
nmconfig.exe /install
netmon.exe
```

Done! :)

Microsoft Network Monitor running in WinPE.

A saved trace in WinPE, opened on another machine with Network Monitor installed.

Written by Johan Arwidmark