A few days ago one of my customers complained that the boot time on several Windows XP workstations is very slow (10-15 minutes). Simple troubleshooting didn’t reveal anything so I enabled netlogon logging and started analyzing the log file.
I saw in the netlogon log file that almost the entire boot time was spent on DNS queries, and no actual response came back from it.
It turned out that a very old DNS Zone from the NT4 migration was still there; I removed the Zone. Once I fixed that, the login time was reduced to 20-30 seconds.
The following registry keys and their log files will give you a broad view of the logon process, GPO processing and much more.
I recommend using “Baretail” to view the log files live; it will help you see the work in progress.
Remember, this will not solve your problems but will help you better understand why you have them.
- User Login General:
  - Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    - Name: UserEnvDebugLevel
    - Data Type: REG_DWORD
    - Data Value: 30002
  - File: %windir%\debug\usermode\UserEnv.log
- Group Policy Security:
  - Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}\
    - Name: ExtensionDebugLevel
    - Data Type: REG_DWORD
    - Data Value: 0x2
  - File: %windir%\security\logs\winlogon.log
- Folder Redirection:
  - Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    - Name: FdeployDebugLevel
    - Data Type: REG_DWORD
    - Data Value: 0x0f
  - File: %windir%\debug\usermode\fdeploy.log
- Software Installation via GPO:
  - Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    - Name: Appmgmtdebuglevel
    - Data Type: REG_DWORD
    - Data Value: 0000009b
  - File: %windir%\debug\usermode\appmgmt.log
- Netlogon:
  - Registry (delete the current value if it exists): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    - Name: DBFlag
    - Data Type: REG_DWORD
    - Data Value: 2080FFFF (hexadecimal)
  - File: %windir%\debug\netlogon.log
- GPP:
  - Done via GPO: Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and Tracing
    - The GPO writes to the registry in the following location (for example, Printers Mapping): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF9D}
  - In the GPO you determine where the log is created; the default on XP systems is “%SYSTEMDRIVE%\Documents and Settings\All Users\Application Data\GroupPolicy\Preference\Trace\user.log”. On Vista the location is “%systemdrive%\ProgramData\GroupPolicy\Preference\Trace\user.log”.
- Special Vista GPO Tracing:
  - Event Logs: Applications and Services Logs\Microsoft\Windows\Group Policy\Operational
    - You can use gplogview with “-m” to view the online status of GPO processing.
  - Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics
    - Name: GPSvcDebugLevel
    - Data Type: REG_DWORD
    - Data Value: 00030002
  - File: C:\Windows\debug\UserMode\gpsvc.log
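Once netlogon.log is being written, the quickest way to see where the boot time goes is to look for the largest pauses between consecutive entries. The script below is an added example, not part of the original post: it assumes the usual "MM/DD HH:MM:SS [CATEGORY] message" line layout, and the sample log lines and the domain name EXAMPLE are constructed for illustration.

```python
import re
from datetime import datetime

# netlogon.log records start with "MM/DD HH:MM:SS [CATEGORY] message" (no year).
RECORD = re.compile(r"^(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d) \[(\w+)\] (.*)$")
# Constructed sample for illustration, not taken from a real machine.
SAMPLE_LOG = """\
03/14 08:00:01 [MISC] NetpDcGetName: EXAMPLE cache is too old.
03/14 08:00:43 [CRITICAL] NetpDcGetNameIp: EXAMPLE: No data returned from DnsQuery.
03/14 08:01:25 [CRITICAL] NetpDcGetNameIp: EXAMPLE: No data returned from DnsQuery.
03/14 08:01:26 [MISC] DsGetDcName function returns 1355: Dom:EXAMPLE
this line is not a log record
03/14 08:01:27 [SESSION] EXAMPLE: NlDiscoverDc: Cannot find DC.
"""

def parse(text, year=2000):
    """Return [(timestamp, category, message)]; non-record lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        try:  # the log carries no year; 2000 is a leap year so 02/29 parses
            stamp = datetime(year, *map(int, m.groups()[:5]))
        except ValueError:
            continue
        records.append((stamp, m.group(6), m.group(7)))
    return records

def slowest_gaps(text, top=3, min_seconds=5):
    """Longest waits between consecutive records, as (seconds, before, after)."""
    records = parse(text)
    gaps = []
    for (t0, _, msg0), (t1, _, msg1) in zip(records, records[1:]):
        seconds = int((t1 - t0).total_seconds())
        if seconds >= min_seconds:  # negative gaps (clock step, new year) drop out
            gaps.append((seconds, msg0, msg1))
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]

def wait_by_category(text):
    """Total seconds waited, attributed to the category that ended each wait."""
    records = parse(text)
    totals = {}
    for (t0, _, _), (t1, cat, _) in zip(records, records[1:]):
        totals[cat] = totals.get(cat, 0) + max(0, int((t1 - t0).total_seconds()))
    return totals

if __name__ == "__main__":
    print(slowest_gaps(SAMPLE_LOG), wait_by_category(SAMPLE_LOG), sep="\n")
```

To use it on a real log, pass the contents of a copy of %windir%\debug\netlogon.log to `slowest_gaps` instead of `SAMPLE_LOG`.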
References:
GPO Registry Explained: http://support.microsoft.com/kb/216358/EN-US/
GPO Troubleshooting via Event log: http://technet.microsoft.com/en-us/library/cc749336(WS.10).aspx
GPO Troubleshooting via Logs: http://technet.microsoft.com/en-us/library/cc775423(WS.10).aspx
Netlogon Debug flags and their values: http://support.microsoft.com/kb/109626
Baretail: http://www.baremetalsoft.com/baretail/
GPLogView (for Vista only): http://go.microsoft.com/fwlink/?LinkId=75004