Sometimes, when you log on to a workstation or server that is joined to a domain, the logon process takes a very long time at the “Applying user settings” step. The procedures below might help you locate the cause of this problem.
Enable USERENV logging
By default, domain user actions (applying group policies, loading the profile, etc.) are not logged anywhere in retail builds of the Windows operating system. That log information is essential when troubleshooting slow logon problems, so you can enable the logging with these steps:
- Open REGEDIT
- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Create a DWORD (DWORD (32-bit) on x64 OSes) named UserEnvDebugLevel
- Enter hex value 0x00030002.
- Close REGEDIT
No computer reboot is required after making the modifications above. Just navigate to %Systemroot%\Debug\UserMode and look for the file Userenv.log.
There are two important things to note about USERENV logging:
- When the Userenv.log file reaches 300KB in size, it is automatically renamed to Userenv.bak. If you want to monitor the system for a longer period of time, you should make the file Userenv.bak read-only.
- After you have found the problem, you should disable the logging (by deleting the registry value or setting its value to zero).
Making use of the Userenv.log file
Once logging is enabled, log off and log on to the computer again to generate some entries in the log. After successfully logging on, open the Userenv.log file. It should contain all the actions related to your domain (accessing the domain controller, getting group policies, applying them, searching for your local user profile, creating it if this is the first time you have logged on, and so on). I won’t go deep into explaining everything that is reported in that log. Just search it for return codes, errors and the keyword “failed”. If you find any error codes in the log, you can check them with Microsoft’s ERR.EXE utility (ignore the title saying it’s for Exchange). Of course, you can also look up the error text, code or other lines from the log in search engines. The results should be more useful than just searching for “windows slow logon”.
Also, be aware that there’s a timestamp in the log before each event. Using it, you can find the exact steps where logging on takes too much time.
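As an added example (not part of the original article), this PowerShell function puts the timestamps to work: it reports every log entry that follows a long pause or contains the keyword “failed”. The line layout USERENV(pid.tid) HH:MM:SS:mmm text, the function name Get-UserenvFinding and the sample lines are assumptions constructed for illustration.

```powershell
# Constructed sample lines; the "USERENV(pid.tid) HH:MM:SS:mmm text" layout is an assumption.
$sample = @(
    'USERENV(2f4.2f8) 09:14:02:115 LoadUserProfile: Entering, lpUserName = <jdoe>'
    'USERENV(2f4.2f8) 09:14:02:130 GetUserDNSDomainName: Domain name is EXAMPLE'
    'USERENV(2f4.2f8) 09:14:47:902 MyGetUserName: GetUserNameEx failed with 1355.'
    'USERENV(2f4.2f8) 09:14:47:918 ProcessGPOs: Starting user Group Policy processing...'
    'USERENV(2f4.2f8) 09:14:48:340 LoadUserProfile: Leaving with a value of 1.'
)

# Hypothetical helper: emits entries that follow a gap of $GapSeconds or more,
# and entries whose text contains "failed".
function Get-UserenvFinding {
    param(
        [string[]]$Line,
        [double]$GapSeconds = 5
    )
    $pattern  = '^USERENV\([0-9a-f]+\.[0-9a-f]+\)\s+(\d{2}):(\d{2}):(\d{2}):(\d{3})\s+(.*)$'
    $previous = $null
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }   # skip lines in another layout
        $stamp = [TimeSpan]::new(0, [int]$Matches[1], [int]$Matches[2],
                                 [int]$Matches[3], [int]$Matches[4])
        $text  = $Matches[5]
        $gap   = if ($null -ne $previous) { $stamp - $previous } else { [TimeSpan]::Zero }
        # The log stores time of day only, so a negative gap means midnight passed.
        if ($gap -lt [TimeSpan]::Zero) { $gap = $gap.Add([TimeSpan]::FromDays(1)) }
        $failed = $text -like '*failed*'
        if ($gap.TotalSeconds -ge $GapSeconds -or $failed) {
            [pscustomobject]@{
                Time       = $stamp.ToString('hh\:mm\:ss\.fff')
                GapSeconds = [math]::Round($gap.TotalSeconds, 3)
                Failed     = $failed
                Text       = $text
            }
        }
        $previous = $stamp
    }
}

Get-UserenvFinding -Line $sample | Format-Table -AutoSize
# Against the real file:
# Get-UserenvFinding -Line (Get-Content "$env:SystemRoot\Debug\UserMode\Userenv.log")
```

Gaps are measured between consecutive lines, so idle time between two separate logons in the same file also shows up as a long pause.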
Using PORTQRY to find connectivity issues
If the USERENV log doesn’t help you find the exact problem (for example, a bad group policy or a permissions problem), if you suspect there might be connectivity problems (a firewall blocking connections), or if you see errors such as “There are no more endpoints available from the endpoint mapper” in the Event Log, you could try using the PORTQRY.EXE tool from Microsoft.
Try running the following command:
PORTQRY -n %LOGONSERVER:~2% -e 135
After running this command, you should see a list of all available mappers. If you see any other message (for example, that the port is filtered), it means that a firewall (on the computer, on the domain controller or between them) is blocking this port. This port (both UDP and TCP) should be opened.
When you have the list of those mappers, find some of the ports on the DC that are being used. Those ports are shown in brackets after the DC names in the mappings list. Try to check those ports using the same tool:
PORTQRY -n %LOGONSERVER:~2% -o PORT1,PORT2
You should see the status “LISTENING” for all of them. If you get any other status, there’s probably a problem with a firewall. According to Microsoft, TCP ports 1024-65535 should be available for those RPC connections and firewalls shouldn’t block them.
Final notes
A slow logon might be caused by many different things. The steps provided above are not a definitive solution for every slow logon issue. Still, they should be the first ones you try when dealing with that sort of problem. Good luck!




