What is logged to the Userenv.log file?




Winlogon is the main component that logs data to the Userenv.log file (through userenv.dll).

If Userenv debug logging is enabled as per KB 221833, the userenv.log file will include the following:

-       Slow link detection

-       Machine Group Policy Application

-       Processes and applications which start up as part of Userinit.exe (this includes most Startup items)

-       Machine startup and shutdown scripts

-       Profile loading or unloading at user login/logoff

-       User Group Policy Application

-       Internet Explorer GPO processing

-       User login and logoff scripts

-       Firewall rules processing for Windows Firewall

The userenv.log file is hardcoded to be renamed to userenv.bak (and the existing userenv.bak file deleted) if the existing userenv.log file is larger than 300 Kb at logon.  On a busy system this will be overwritten very quickly.

Each line in the userenv.log file will be prefixed in the format ParentProcessID.ChildProcessID, you can use this as an indicator as to what processes are doing what on the machine.

This is also useful for filtering the logs as you have a large amount of data being logged by differrent threads that are running simultaneously and this can make the userenv log hard to read.

By itself, the userenv.log is of limited value for troubleshooting purposes.  Noting down a timeline of what is being done at each stage is vital to make the data in it useful.  Consider that a lot of external things are going on during the startup and login process that don't go through Winlogon or Userenv.dll.

An additional useful step is to capture a network trace from the authenticating DC and the client during the login operation (using port mirroring or a hub).

In Vista, most of this is logged to the System event log on the machine.  You can still enable Userenv debug logging with UserenvDebugLevel and there will still be some minimal logging to userenv.log, there is however another DWORD entry underHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics called GpSvcDebugLevel which can be used for troubleshooting on Vista/W2k8 in a similar way

Comments

Popular posts from this blog

altiris software key

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

Troubleshooting Netlogon Error Codes