Tag Archive: slow logons

Reference and script:


Analyze GPOs load time: http://www.controlup.com/script-library/Analyze-GPO-Extensions-Load-Time/ee682d01-81c4-4495-85a7-4c03c88d7263/

other reference about logon process: http://fr.slideshare.net/ControlUp/understanding-troubleshooting-the-windows-logon-process

Logon Phases

The following table summarizes the logon phases the script covers and the Windows events used for calculating the start and end time for each phase:

Logon Phase Name Logon Phase Description Start Event End Event
Network Providers A Network Provider is a DLL that is responsible for a certain type of connection protocol1. On each logon Winlogon notifies these Network Providers so they can collect credentials and authenticate the user for their network2. Citrix PnSson is a common network provider found on XenApp and XenDesktop VM’s. Log name: SecurityEvent Id: 4688 (mpnotify.exe start) Log name: SecurityEvent Id: 4689(mpnotify.exe end)
Citrix Profile Management During logon, Citrix UPM copies the users’ registry entries and files from the user store to the local profile folder. If a local profile cache exists, the two sets are synchronized3. Log name: ApplicationEvent Id: 10(User X path to the user store is…) Log name:User Profile Service Event Id: 1(Received user logon notification on session X.)
User Profile During logon, the system loads the user’s profile, and then other system components configure the user’s environment according to the information in the profile4. Log name:User Profile Service Event Id: 1(Received user logon notification on session X.) Log name:User Profile Service Event Id: 2(Finished processing user logon notification on session X.)
Group Policy**See also a detailed Group Policy load time script. Enforce the domain policy and settings for the user session, in the case of synchronous processing the user will not see their desktop at logon until user GP processing is completed5. Log name: GroupPolicyEvent Id: 4001(Starting user logon Policy processing for X.) Log name: GroupPolicyEvent Id: 8001(Completed user logon policy processing for X.)
GP Scripts Running the logon scripts configured in the relevant GPO’s, in the case of synchronous logon scripts Windows Explorer does not start until the logon scripts have finished running6. Log name: GroupPolicyEvent Id: 4018(Starting Logon script for X.) Log name: GroupPolicyEvent Id: 5018(Completed Logon script for X.)
Pre-Shell (Userinit) Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface7. On RDSH sessions, Userinit.exe also executes the Appsetup8 entries such as cmstart.exe which in-turn calls wfshell.exe Log name: SecurityEvent Id: 4688(userinit.exe start) Log name: SecurityDesktop session:Event Id: 4688(explorer.exe start)Published Apps:Event Id: 4688(icast.exe start)
Shell**Only available when running the script via ControlUp. The interval between the beginning of desktop initialization and the time the desktop became available to the user, also includes the Active Setup9 Phase. Log name: SecurityEvent Id: 4688(explorer.exe start) ControlUp argument – “Desktop Load Time

Troubleshooting slow logons:



Logon process: http://fr.slideshare.net/ControlUp/understanding-troubleshooting-the-windows-logon-process

Tools for troubleshooting:



And powershell:


Analyze GPOs load time: http://www.controlup.com/script-library/Analyze-GPO-Extensions-Load-Time/ee682d01-81c4-4495-85a7-4c03c88d7263/


How to use Xperf, Xbootmgr, Procmon, WPA?

xperf;xbootmgr;xperfview comes from Windows ADK (Windows performance toolkit sub part). Procmon is a sysinternal tool.




Other interesting articles:






Windows Performance Analyzer (wpa.exe) youtube: https://www.youtube.com/watch?v=HGTlc_gWH_c

Xperf data collection tool: https://xperf123.codeplex.com/releases/view/66888


For boot tracing:


xbootmgr -trace boot -traceFlags BASE+CSWITCH+POWER -resultPath C:\TEMP

with boot phases:
xbootmgr -trace boot -traceflags base+latency+dispatcher -stackwalk profile+cswitch+readythread 
       -notraceflagsinfilename -postbootdelay 120 -resultPath C:\TEMP

For shutdown tracing:

xbootmgr -trace shutdown -noPrepReboot -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Standby+Resume:

xbootmgr -trace standby -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

For Hibernate+Resume:

xbootmgr -trace hibernate -traceFlags BASE+CSWITCH+DRIVERS+POWER -resultPath C:\TEMP

replace C:\TEMP with any temp directory on your machine as necessary to store the output files

Analyses of the boot trace:


To start create a summary xml file, run this command (replace the name with the name of your etl file)

xperf /tti -i boot_BASE+CSWITCH+POWER_1.etl -o summary_boot.xml -a boot

Analyses of the shutdown trace:

The shutdown is divided into this 3 parts:


To generate an XML summary of shutdown, use the -a shutdown action with Xperf:

xperf /tti -i shutdown_BASE+CSWITCH+DRIVERS+POWER_1.etl -o summary_shutdown.xml -a shutdown