Delen via


Winlogon, What Do You Have to Say for Yourself?

If you are having issues with slow startup, logon, logoff or shutdown, it is possible to enable extra status messages from Winlogon to help pinpoint the cause of the problem. Enabling this verbose output for Windows 2000/XP/2003 is described in these articles:

KB316243 - How to receive verbose startup, shutdown, logon, and logoff status messages
KB325376 - How To Enable Verbose Startup, Shutdown, Logon, and Logoff Status Messages in the Windows Server 2003 Family

Unfortunately, except for a brief mention at the end of the articles, it's not too clear what exactly you can expect to see once you do this. To make these articles a little more useful, I've listed below all of the status messages.

What is Winlogon?
Winlogon is an essential system process which plays a vital role during startup, logon, shutdown, etc and is started by the Session Manager Subsystem (SMSS.exe) as part of Windows startup. If Winlogon exits 'gracefully' the system shuts down, but if it fails in some way SMSS deliberately causes a bugcheck (STOP 0xC000021A). This is slightly different on Terminal Server as each session has it's own copy of Winlogon and exiting closes only that session.

After entering its WinMain() , Winlogon executes some initialisation code, then it enters a loop where it stays until a shutdown request is received, after which it runs some shutdown code, before exiting. While in its loop, Winlogon handles logon, logoff, lock, unlock and screensaver requests.

What Status Messages Can Winlogon Display?
All of the status messages shown by Winlogon occur from its main loop onward. Any messages prior to this (or other than specified below) are not Winlogon status messages. For example, during initialisation, Winlogon checks the pagefile and may display an error if it needs to create a temporary one - this is an error/warning message and not a status message.

The 'real' status messages are all of the same format: a small dialog box titled "Please wait..." with no controls and a single line of text (such as the familiar "Windows is starting up..." ). Each is generally displayed just before the action it describes and normally lasts for the duration of the action, when another message is presented. Most of these are shown only briefly and will be unreadable under normal startup, but for situations where startup is very slow or hangs the last message shown can be a good pointer to where the problem lies.

The list below is in the order they are presented from startup to shutdown, together with a description of what Winlogon is doing 'behind the scenes' when you see these (which is usually obvious from the message itself).  The order of the messages is fairly consistent, but may vary depending on such things as asynchronous processing of logon scripts, etc.

Messages in black are those seen during a normal and verbose system start and those in red are the additional messages seen only when verbose messsages are enabled.

STARTUP

"Windows is starting up..."
We check here to see if the Security Accounts Manager service is started, if not wait up to 15 seconds for it to do so (120 seconds in Safe Mode).

"The Active Directory is rebuilding indices. Please wait..."
On a Domain Controller we check to see if AD needs to rebuild its indices, if not we wait. There is no timeout on this.

"Preparing network connections..."
We wait for Netlogon service to start, up to a maximum of 120 seconds.

"RPCSS is starting..."
We check to see if the RPC service has started, and if not wait up to 120 seconds for it to do so.

"MUP is initializing..."
We check to see if the MUP service is started and wait up to 120 seconds for it to do so.

"Active Directory is starting..."
On a Domain Controller we wait up to 120 seconds for Active Directory to initialise.

"Applying computer settings..."
Process and apply any Group Policies for this system.

"Running startup scripts..."
Run any startup scripts defined for this system.

LOGON

"Executing: %s..."
Executing a notification DLL, where %s represents the DLL name.

"Loading your personal settings..."
Load the user's profile.

"Applying your personal settings..."
Process and apply any Group Policies specific to this user.

"Running logon scripts..."
Run any logon scripts specific to this user.

"Loading power profile..."
Load the power profile associated with this user. On Terminal Server, the default Console settings are used.

"Playing logon sound..."
Initialises Multi-media support and plays any logon sound defined for the user.

"Restoring network connections..."
Restores any persistent network connections specified in the registry.

If you try to logon to a remote session where a user is already logged on (e.g. Windows XP Remote Desktop), you may also receive this message:

"Remote logoff in progress..."
If the user logging on remotely is an administrator (and GPO allows it), the currently logged on user is forcibly logged off.

LOGOFF

"Executing: %s..."
Executing a notification DLL, where %s represents the DLL name.

"Running logoff scripts..."
Executes any logoff scripts defined for this user.

"Waiting for user group policies to finish..."
Wait 120 seconds for Group Policy processing to finish.

"User group policies finished."
Group Policies have stopped being processed.

"Closing network connections..."
Closes any open network connections.

"Logging off..."
Plays any logoff sound specified by the user.

"Playing logoff sound..."
Plays any logoff sound specified by the user.

"Saving your settings..."
Unloads the user's profile.

SHUTDOWN (will include LOGOFF messages if called from a user session)

"Stopping Windows File Protection..."
Windows File Protection is Stopped.

"Running shutdown scripts..."
Any shutdown scripts are executed.

"Waiting for machine group policies to finish..."
Waits 120 seconds for Group Policy processing to stop.

"Machine group policies finished."
Group Policy processing has stopped.

"Windows is shutting down..."
Unsaved data is transferred to disk.

In addition, you may also see messages regarding power saving states, the timing of which depends on the power settings:

"Preparing to Standby..."
System is entering standby.

"Preparing to Standby in order to complete eject..."
System is entering standby to complete a warm eject from docking station.

"Preparing to Hibernate..."
System is entering hibernation.