Slow PC Diagnostics Collection: Standards, Scripts, and a Template

Why standardize "slow PC" diagnostics

"Slow" almost never means the same thing. For one user it may be "Word takes 40 seconds to open," for another "1С freezes at the end of the day," and for the business it's a department downtime and missed deadlines. Without a common scale and the same data set you are comparing impressions, not causes.

When checks are done "by eye," two phrases quickly appear: "it's fine for me" and "you just have an old computer." They kill comparability. One engineer looks only at Task Manager, another checks Windows events, a third starts with drivers. As a result, similar tickets get different solutions, and repeat incidents teach nothing: the input data are different each time.

A standard diagnostic collection ensures any engineer brings the same "package of facts" and that conclusions can be verified. The output should have two parts:

• a dataset (scripts, logs, a configuration snapshot, measurements),
• a short report following a single template: what was found, why it slows the system, next steps and what still needs confirmation.

A standard helps different roles work in the same rhythm. The user describes symptoms in simple terms (what is slow and when). The engineer collects data the same way and forms an initial hypothesis. The administrator confirms changes (policies, updates, permissions, access) and helps deploy the fix.

A simple example: in an organization several workstations with the same hardware are slow on only a few. A unified diagnostic package quickly shows how they differ: free disk space, logged errors, overheating, failed updates or a heavy security agent. Without a standard you get a debate about impressions and repeated visits.

What to consider the standard diagnostic set

A standard set is the same "package of facts" that can be compared across engineers and across days. The idea is simple: every slow PC case should have the same baseline data, and conclusions should start from observations, not guesses.

Start with a unified storage structure. Identical folders and clear names save time and reduce the risk of mixing machines:

• Package folder: YYYY-MM-DD_HHMM_PCName_User_Incident
• Inside: 01_Context, 02_Config, 03_Logs, 04_Perf, 05_Output
• Separately: README.txt with a short note about what and when was collected

Besides the technical files, record context. Often context explains why one PC is slow and another is not: when it happens (at login, after 20 minutes of work, after sleep), which applications (browser, 1С, Teams, CAD), what changed (updates, new antivirus, printer, VPN), and what network (office, Wi‑Fi, home, modem).

Keep the minimal artifact set short but mandatory. Usually it's enough to collect:

• a configuration snapshot (OS, hardware, drivers, startup items),
• disk data (type, free space, SMART, errors),
• basic network info (adapters, DNS, proxy/VPN),
• an export of key Windows events for a clear period (for example, the last 7 days).

Team rule: facts first, then versions. In the report list observations first (numbers, events, errors, when they appeared), then formulate hypotheses and next checks. That makes reports comparable and solutions repeatable.

Unified questionnaire: what to clarify before running scripts

Before data collection, quickly gather the same set of inputs. This saves time and makes results comparable: you will know exactly which computer was checked, under what conditions, and what the user considered the problem.

Start with device and user identification: full name, department, PC model, serial and inventory numbers. Otherwise it's easy to mix similar machines or compare measurements from different devices.

Next — system context: Windows version (and bitness), domain or workgroup, how updates are managed (automatic, scheduled, via policies, disabled). These details often explain "sudden" slowdowns after patches or policy changes.

To make the problem measurable, ask the user to describe it in time and actions:

• When it started: "always been slow" or got worse on a specific day.
• How often and when (morning, after lunch, after sleep).
• What exactly is slow: Windows startup, profile login, app launch, file operations, printing.
• Is it an error/freeze with no response or just long waits.
• How long it takes now and what was "normal" before.

Also record what has already been tried. Were Windows and drivers updated, was the antivirus changed, was startup cleaned, was chkdsk run, was the app reinstalled. This avoids repeating steps and helps interpret logs (for example, why a service is disabled or a policy changed).

A common situation: the user says "everything is slow," but the questionnaire shows only the first login in the morning is slow and only for a domain account. That narrows the investigation before any scripts run.

Scripts: rules so results are comparable

If different engineers collect data differently, comparison is nearly impossible. Agree in advance on rules for running scripts and how results are saved.

First, decide which commands and utilities are allowed in your environment. Some places prohibit third‑party portable tools; others allow only built‑in Windows tools and PowerShell. Document this: a single "allow list" for everyone, not "I always use this exe."

A second common inconsistency is run permissions. A script run as administrator sees more (services, drivers, system logs); a regular user sees less. Both are useful, but always indicate the context.

Minimal rules so reports are meaningful:

• Run context: "administrator / regular user", account name and how it was launched (locally, via remote access).
• Output format: a fixed set of files (for example, report.txt and tables.csv), UTF‑8 encoding, consistent separators (comma or semicolon).
• Locale and time: system language, time zone and current system time at collection.
• Filenames: a standard template (PC, datetime, run type) so packages don't mix.
• Script self‑logging: version, hash (or at least checksum), start and end times, list of steps and errors.

Good practice is to put everything into one folder Diag_PCName_DateTime, and add a header in the report: "script vX.Y, hash..., start..., finish..., completed successfully/with errors." Then even engineers from different branches will provide comparable packages.

Configuration snapshot: what to collect about the PC and OS

For comparable diagnostics you need a consistent device "passport." It helps quickly understand what you're working with and avoid guessing why the problem appears on one PC and not another.

Hardware: what is important to record

Hardware sets the performance ceiling and often directly explains symptoms (lack of RAM, slow disk).

Record at least:

• CPU: model, core count, base frequency, power saving modes.
• RAM: total capacity, number of modules, available memory (important with integrated graphics).
• Disks: model, type (HDD/SSD), interface, capacity and free space.
• Drive health: SMART or at least a health status.
• Network and peripherals: adapter, docking station, external drives, printers (they can slow login).

Usually output from standard Windows utilities (for example msinfo32 and disk info from PowerShell) plus a file/screenshot of drive health is enough when available.

OS and startup: what affects "slowness"

Capture system state: Windows edition and build, install date, recent updates, versions of key drivers (chipset, video, network, storage). A common story: a storage controller driver update makes boot and startup slow.

Also record what runs at login: startup items, services, security agents, backup tasks. The focus is not on a long list but on load: how many items are active and whether any are clearly heavy.

Be careful with user data. It's useful to know profile size and free system disk space, but do not collect folder contents, filenames or documents. Numbers and general paths are sufficient.

Logs and Windows events: minimum set and time window

For comparability decide in advance two things: which logs to always check and what time interval to export. Otherwise one engineer will bring logs for a week and another only the last 10 minutes and their conclusions will differ.

Which logs to check first

A basic minimum that often explains freezes, long logins and slowdowns after changes:

• System: disk and filesystem errors, driver problems, device failures (Disk, Ntfs, storahci/iaStor, WHEA‑Logger).
• Application: app crashes, hangs, .NET errors, issues with office clients.
• Microsoft‑Windows‑User Profile Service/Operational: profile load, temporary profile, read/write errors.
• Microsoft‑Windows‑GroupPolicy/Operational: long or failing GPO application on domain PCs.
• Microsoft‑Windows‑WindowsUpdateClient/Operational: update installs, rollbacks, errors.

If you suspect the slowdown began after an installation, add MsiInstaller events (in Application) and, if relevant, a Reliability Monitor summary.

How to fix the time window

The same error can be lost in too long a period. It's better to capture a window around the symptom and note it in the report:

• Before: 30–60 minutes before the first symptom (or before the user's login).
• During: the exact time when the system froze or login took unusually long.
• After: 30–60 minutes after recovery.

Example: the user reports File Explorer hung from 09:10 to 09:20. Save events from 08:30 to 10:00 and note: "symptom 09:10–09:20, actions — launching 1С and opening a network folder." Another engineer can quickly check for time coincidences: disk errors, repeated policy applications, failed updates.

Performance measurements: which metrics are needed

Measurements should answer one question: what exactly is the system hitting at the moment the user feels the slowdown. A screenshot "after lunch" won't help if the complaint occurs when launching 1С, a browser, or at login.

A minimal consistent set should be collected the same way (e.g., Task Manager plus a short performance counter log) and within the same time window:

• CPU: overall load and the top process.
• Memory: used/available, whether swapping occurs.
• Disk: active time (%), read/write throughput, disk queue depth.
• Network: current throughput and spikes (important for profiles, VDI, network folders).
• Context: what the user was doing (one short sentence).

Differentiate two similar symptoms: "disk constantly 100%" versus "disk 100% in spikes." Constant 100% usually produces long waits: the disk queue remains high and throughput can be low, and the system responds with delays of minutes. Spikes are often tied to an action: app launch, update, antivirus scan, opening a large file. In that case averages over 10 minutes can look "normal" while short peaks cause the issue.

To catch the bottleneck, take a short measurement during the complaint: 60–120 seconds with timestamps and a note of the action. If the problem is intermittent, repeat 2–3 times at different moments.

Basic interpretation rules (without deep tuning): sustained 80–100% CPU with one top process usually indicates a specific load; nearly full memory and growing swap produce "waves" of lag when switching windows; disk 100% with a high queue indicates an I/O bottleneck. If load exists but delays aren't perceived, clarify the scenario: where is it slow (login, app launch, network).

Example case: what a diagnostic package looks like

Accounting reports: PC takes a long time to start 1С and the browser, and sometimes everything freezes for 10–30 seconds. Here it's important not to guess but to collect data consistently so any engineer sees the same picture.

What went into the package

The engineer collected materials by the standard and attached one archive:

• configuration snapshot (PC model, CPU, RAM, disk, Windows version, free space, power plan),
• startup items and background tasks,
• key logs for the last 7 days (System, Application, Diagnostics‑Performance),
• quick measurements: login time, CPU/RAM/disk peaks when launching 1С and the browser,
• SMART and a basic disk check.

Logs show Diagnostics‑Performance events for slow application start, and System contains repeated storage errors (timeouts and I/O failures). Measurements show the disk going to 100% active time while CPU is low.

If the cause were not the disk the picture would differ. Profile issues more often show profile service errors (temporary profile, registry read failures), and symptoms are tied to a specific user. Network issues reveal DNS timeouts, proxy errors, or hangs when opening network resources, while local operations remain fast.

Example short conclusion (one page)

Symptoms: long startup of 1С and browser, periodic freezes.

Facts: during app startup the disk is saturated; System logs record storage errors; SMART shows degradation.

Probable cause: failing SSD/HDD.

Recommendations: replace the drive, migrate the system and profile, repeat measurements after replacement, monitor logs for 3–5 working days.

Common mistakes and traps in "slow PC" diagnostics

The most frequent reason engineers disagree is that data were collected "however it turned out." The result is a debate about impressions, not facts.

First trap — collecting at different times without recording when the issue occurred. A user complains about morning slowness but measurements were taken at midday when conditions differ. Record the context: what was open, whether VPN was active, whether an update was running, if the notebook was on battery or plugged in, how long since boot.

Second trap — missing the script version or running with different parameters. One engineer pulls 7 days of events, another only a configuration snapshot, a third enables extra tracing. From the outside it looks like the same process but the datasets differ. Minimum: version, date, key parameters and a flag "collection at idle/under load."

Third trap — mixing facts and assumptions. Instead of "Disk is failing because startup is long" separate:

• Fact: boot time 4:30, no disk errors in logs.
• Observation: during startup disk is 100% for 3–5 minutes.
• Hypothesis: bottleneck — startup items or indexer.
• Check: disable three startup apps and repeat measurement.

Fourth trap — ignoring updates, drivers and startup items. Slowdowns often begin after a Windows update, a new video/chipset driver or the deployment of a corporate agent. If these aren't recorded, you may look for a hardware fault when software is the root cause.

Short checklist: quick checks and completeness control

A short checklist doesn't replace analysis but sets a consistent start and helps avoid missing basics.

Before an onsite visit or remote session:

• Confirm access: local admin, domain account, ability to reboot.
• Check free space (at least 2–5 GB) for logs and snapshots.
• Agree the time window: when it is slow and in what tasks.
• Prepare the unified script set and an output folder with consistent filenames.
• Record the diagnostics package version (number, date).

During the incident, before attempts to "fix":

• Record the exact collection start time and the current system time on the PC.
• Assess CPU, RAM, disk and network at the time of the complaint (without killing processes).
• Check free space on the system disk and File Explorer behavior.
• Ensure no background activity is running: updates, encryption, backup, AV scan.
• Note exactly what is slow: login, app launch, printing, browser, file operations.

Afterwards — pack everything into one archive: logs, configuration snapshot, measurement results, the engineer's notes and a reproduction scenario. Completeness control is simple: another engineer should be able to repeat the analysis from the package and reach the same conclusions (or clearly see what data are missing).

Unified report template: structure and phrasing

Even good data collection loses value if reports are written in different styles. A template helps keep reports short and clear so that a week later you can see what was observed, what supports it and what to do next.

Recommended structure

A practical layout:

• Symptoms and conditions: when it started, which apps, how often, response times, what changed (updates, new software, VPN).
• Facts and evidence: measurement results (CPU/RAM/disk), key events from logs, configuration (OS, disk, RAM, PC model), what was excluded.
• Conclusion (probable cause): 1–2 unemotional sentences.
• Recommendations: 2–4 steps in execution order.
• Risk and priority: what happens if nothing is done and how urgent it is.

Phrasing that makes the report verifiable

Write so each statement can be validated:

• Observation: "When launching Excel the delay is 25–40 sec, occurring 8 out of 10 times."
• Confirmation: "During the delay the disk is 95–100% with a high queue; logs show disk errors over the last 7 days."
• Conclusion: "Most likely: storage degradation or an I/O resource shortage."

For statistics it helps to tag the root cause category: hardware / OS / software / network / policy (GPO/security) / user data (profile, caches, redirections).

How to mark escalation or replacement

Specify the trigger and the handoff:

• Escalation: "Requires L2: policy and update checks, because the issue cannot be reproduced locally / admin checks needed."
• Replacement/repair: "Recommend drive replacement (high priority): confirmed I/O errors and unstable metrics; risk of data loss."

If your organization uses locally assembled PCs and servers, include: "check warranty status and availability of a compatible replacement configuration" so the decision doesn't depend on a single executor.

Next steps: rolling out the standard and keeping it alive

A standard must be embedded in daily work, not just written down.

Quick start: pilot and retrospective

Take 10 real slow PC tickets and run them through the same process: questionnaire, scripts, configuration snapshot, logs, measurements and the unified report template. After the tenth case you'll see where the standard obstructs and where it saves hours.

After the pilot run a short retrospective (30–40 minutes). Compare reports: which fields are always filled, which are skipped, where phrasing diverges for the same conclusion, and which data are most often missing.

Minimum rollout rules:

• One source of truth for the template and scripts (only the current version).
• Any change should include a short note: what changed and why.
• Each report must include package version and collection date.
• A monthly "owner of the standard" accepts edits and maintains order.

Version control and clear updates

Store scripts and templates as versions, not as "the latest file someone has." If an engineer changes a command or adds a log, it must be visible to everyone. Otherwise results can't be compared.

The diagnostic standard should also indicate when the problem is no longer a configuration issue. If several incidents show the same picture (overheating, constant disk saturation, RAM shortage, old HDD instead of SSD), it's often better to plan workstation updates than to keep "treating" symptoms. The same applies to servers: if slowness appears only when connecting to a shared database or profiles, check infrastructure and server/network bottlenecks.

If you are in Kazakhstan and want to move from disparate checks to a clear standard, GSE.kz as a manufacturer and systems integrator can help with a fleet upgrade plan and support so the standard doesn't "die" after a month and actually works in daily incident handling.