Group Policy and profile load troubleshooting in Vista
In my other post I mentioned that we moved some of the events from the Userenv logs to other areas, and that the new userenv log equivalents are no longer readable by the general public.
Many of the reasons people looked to userenv logs were to analyze slow logon issues, profile load/unload issues, or Group Policy problems.
Profile load and unload, now handled by the new profile service hosted in svchost.exe, is covered by the previously mentioned ETW logging. You can see which svchost.exe instance has the service DLL loaded with tlist:
C:\Windows\System32>\debugger\tlist.exe -m profsvc.dll
c:\windows\system32\profsvc.dll - 1224 svchost.exe
For policies, the logging looks a lot like the XP logging, but it is no longer in the userenv log; it is in the event log (in Event Viewer under Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational).
GPLogView will assist with the GPO portion of the logging: it reads those events from the live log or from a saved .evtx file, filters them by activity ID, and writes them out as text, XML or HTML.
Usage: GPLogView.exe [options]
where supported options are
-?: shows this usage message
-o [output file name]: Output file name required for text, xml or html;
not valid if -m is specified
-n: do not output the activity id
-p: dump the process id and thread id associated with each event
-a [activity id guid]: shows only events matching the given activity id
-aa: show start events and activity IDs for the whole log (cannot use with -m)
-m: runs the tool in monitor mode displaying events in real time
-x: Dumps the events in XML; the only other options allowed with this option are -m and -a,
but not both together
-h: Dumps the events in HTML format, -m or -x option is not allowed,
-a and -n are allowed but not both together. Also must specify -o option
-i [EVTX file]: Use specified input file instead of the live logs.
Example: GPLogView.exe -o GPEvents.txt
Example: GPLogView.exe -n -o GPEvents.txt
Example: GPLogView.exe -a ea276341-d646-43e0-866c-e7cc35aecc0a -o GPEvents.txt
Example: GPLogView.exe -i savedlog.evtx -o GPEvents.txt
Example: GPLogView.exe -x -o GPEvents.xml
Example: GPLogView.exe -x -m
Example: GPLogView.exe -x -a ea276341-d646-43e0-866c-e7cc35aecc0a -o GPEvents.xml
Example: GPLogView.exe -h -o GPEvents.html
Example: GPLogView.exe -h -a ea276341-d646-43e0-866c-e7cc35aecc0a -o GPEvents.html
Specify an ActivityID with -a, or use -m to trace in real time.
Here is a sample:
2007-04-27 21:07:09.555 5326 fe8f0485-7e97-4043-b40d-9f9a94cbfcde Group Policy successfully discovered the Domain Controller in 2480 milliseconds.
2007-04-27 21:07:09.555 5017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde The LDAP call to connect and bind to Active Directory completed.
domain.com
The call completed in 93 milliseconds.
2007-04-27 21:07:09.555 5309 fe8f0485-7e97-4043-b40d-9f9a94cbfcde Computer details:
Computer role : 2
Network name :
2007-04-27 21:07:09.571 5311 eb901462-1f7a-49cb-9a36-926ac1813e25 The loopback policy processing mode is "No loopback mode".
2007-04-27 21:07:09.883 4017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde Making system calls to access specified file.
\\domain.com\SysVol\domain.com\Policies\{FBD39965-58FB-4B86-8259-981F71A2F498}\gpt.ini
2007-04-27 21:07:09.898 4017 eb901462-1f7a-49cb-9a36-926ac1813e25 Making system calls to access specified file.
\\domain.com\SysVol\domain.com\Policies\{FBD39965-58FB-4B86-8259-981F71A2F498}\gpt.ini
2007-04-27 21:07:09.930 5017 eb901462-1f7a-49cb-9a36-926ac1813e25 The system calls to access specified file completed.
\\domain.com\SysVol\domain.com\Policies\{FBD39965-58FB-4B86-8259-981F71A2F498}\gpt.ini
The call completed in 31 milliseconds.
2007-04-27 21:07:09.930 5017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde The system calls to access specified file completed.
\\domain.com\SysVol\domain.com\Policies\{FBD39965-58FB-4B86-8259-981F71A2F498}\gpt.ini
The call completed in 47 milliseconds.
2007-04-27 21:07:09.945 4017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde Making system calls to access specified file.
\\domain.com\SysVol\domain.com\Policies\{BFA789E6-CE56-4011-A1D5-F5385325110E}\gpt.ini
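The sample above is what you work from when chasing a slow logon: every step of one policy-processing instance carries the same activity ID (the sample shows two, fe8f... and eb90...), and events such as 5326 and 5017 state how long the call took in their message text. The script below is an added example, not part of the original post and not part of GPLogView. It parses the text layout inferred from the sample (timestamp, event ID, activity GUID, message, with untimestamped detail lines belonging to the preceding event), groups events by activity ID, and lists the steps whose reported duration is at or above a threshold. The embedded input is constructed from the sample's first events; the file name GPEvents.txt is an assumption taken from the usage examples.

```python
"""Summarize GPLogView text output per Group Policy activity ID.

Added example, not part of the original post or of GPLogView. The layout is
inferred from the post's sample: an event line is "<date> <time> <event id>
<activity GUID> <message>", and a following line with no timestamp (a file
path, "The call completed in N milliseconds.") belongs to that event.
"""
import re
import sys
from datetime import datetime

EVENT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (\d+) "
    r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}) ?(.*)$")
MS_RE = re.compile(r"(\d+) milliseconds")


def parse_events(text):
    """Return one dict per event; detail lines are joined onto the message."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            ts, eid, aid, msg = m.groups()
            events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
                           "event_id": int(eid), "activity_id": aid.lower(),
                           "message": msg})
        elif events:  # detail line for the preceding event
            events[-1]["message"] += " " + line
    for ev in events:
        d = MS_RE.search(ev["message"])
        ev["reported_ms"] = int(d.group(1)) if d else None
    return events


def summarize(events):
    """Per activity ID: event count, wall-clock span, summed durations, slowest step."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev["activity_id"], {
            "events": 0, "first": ev["time"], "last": ev["time"],
            "reported_ms": 0, "slowest": None})
        s["events"] += 1
        s["first"] = min(s["first"], ev["time"])
        s["last"] = max(s["last"], ev["time"])
        ms = ev["reported_ms"]
        if ms is not None:
            s["reported_ms"] += ms
            if s["slowest"] is None or ms > s["slowest"]["reported_ms"]:
                s["slowest"] = ev
    for s in summary.values():
        d = s["last"] - s["first"]  # integer math: no float rounding of the span
        s["span_ms"] = (d.days * 86400 + d.seconds) * 1000 + d.microseconds // 1000
    return summary


def slow_steps(events, threshold_ms):
    """Events that reported a duration of at least threshold_ms, slowest first."""
    hits = [e for e in events
            if e["reported_ms"] is not None and e["reported_ms"] >= threshold_ms]
    return sorted(hits, key=lambda e: e["reported_ms"], reverse=True)


def report(text, threshold_ms=100):
    """Human-readable summary lines for a GPLogView text dump."""
    events = parse_events(text)
    lines = ["activity %s: %d events, %d ms wall clock, %d ms reported"
             % (aid, s["events"], s["span_ms"], s["reported_ms"])
             for aid, s in summarize(events).items()]
    lines += ["  slow step: event %d, %d ms: %s"
              % (e["event_id"], e["reported_ms"], e["message"][:60])
              for e in slow_steps(events, threshold_ms)]
    return lines


# Constructed input: the opening lines of the post's sample (two activity IDs).
SAMPLE = r"""
2007-04-27 21:07:09.555 5326 fe8f0485-7e97-4043-b40d-9f9a94cbfcde Group Policy successfully discovered the Domain Controller in 2480 milliseconds.
2007-04-27 21:07:09.555 5017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde The LDAP call to connect and bind to Active Directory completed.
domain.com
The call completed in 93 milliseconds.
2007-04-27 21:07:09.571 5311 eb901462-1f7a-49cb-9a36-926ac1813e25 The loopback policy processing mode is "No loopback mode".
2007-04-27 21:07:09.883 4017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde Making system calls to access specified file.
\\domain.com\SysVol\domain.com\Policies\{FBD39965-58FB-4B86-8259-981F71A2F498}\gpt.ini
2007-04-27 21:07:09.930 5017 fe8f0485-7e97-4043-b40d-9f9a94cbfcde The system calls to access specified file completed.
\\domain.com\SysVol\domain.com\Policies\{FBD39965-58FB-4B86-8259-981F71A2F498}\gpt.ini
The call completed in 47 milliseconds.
"""

if __name__ == "__main__":
    # Usage: python gpsummary.py [GPEvents.txt]   (no argument: the embedded sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(text)))
```

On the embedded sample the fe8f... activity sums to 2620 ms of reported time, almost all of it the 2480 ms domain controller discovery in event 5326, which is exactly the kind of step you would chase first on a slow logon. Two caveats: output written with -n has no activity ID column and will not parse, and the wall-clock span only covers the events present in the dump, so a file filtered with -a or cut short with -i shows a shorter span than the full processing instance.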
Hrmmm, not so much on profile loading.... too bad, since it's all in the undecipherable new userenv log.. gah.
(Maybe there is some UPHClean-type logging we can enable.. I'll look into that.)
Have fun!
Spatdsg