Diving into the
Windows Logon Process
Yoni Avital (VDI Geek)
Eugene Kalayev (Cloud and PowerShell Geek)
Agenda
• Logon process overview
• Logon process breakdown
• Tools of the trade
  • Event log (is your friend)
  • Process Monitor
• Advanced (Geek) stuff
  • Event Tracing for Windows
  • PowerShell Scripts
• Live demo
Logon Process Overview
Session Initialization → Authentication → User Profile → Group Policy → UserInit → Shell
Logon Process - Optional Phases
• Network Providers (RDS)
  • Mpnotify.exe loads network providers (e.g. pnsso)
• 3rd party profile solutions (e.g. UPM)
  • UPM loads before the User Profile Service and can delay the logon process
• Group Policy Scripts
  • Will affect logon duration if they run synchronously
• Citrix Printer Mapping
  • Can delay the logon process if apps are waiting for printer mapping. Handled by wfshell.exe (part of the UserInit phase)
Session Initialization
Authentication
User Profile
Group Policy
Userinit (Pre-Shell)
Shell
Advanced (Geek) stuff
• Event Tracing for Windows
• PowerShell Scripts
Event Tracing for Windows
• High speed kernel & user mode event tracing
• Steps
  • Create and start a new ETW trace
  • Reproduce the slow logon issue
  • Stop the trace
  • Convert the ETL log file to XML format
  • Analyze the log with Notepad++
• Example – Analyze logon processes
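The five ETW steps above as one script. This is an added example, not code from the deck or from its authors; the provider names are assumptions (the stock Winlogon, Group Policy and User Profile Service ETW providers, to be confirmed with `logman query providers`), and Get-TraceSummary assumes tracerpt's XML output wraps each record in an Event element with the standard System block. It replaces the Notepad++ step with a listing that sorts events by the gap since the previous event, so a long pause during the logon is the first thing you see.

```powershell
# Added example (not from the deck): the five ETW steps on this slide as one script.
# Assumptions, labelled here and in the lead-in: the provider names below are the
# stock Winlogon / Group Policy / User Profile Service ETW providers; confirm them
# with `logman query providers | findstr /i "winlogon grouppolicy profile"`.
# Run from an elevated PowerShell; logman.exe and tracerpt.exe ship with Windows.

$SessionName = 'LogonTrace'
$OutDir      = 'C:\Temp\LogonTrace'
$Providers   = @(
    'Microsoft-Windows-Winlogon',              # assumption: logon/session notifications
    'Microsoft-Windows-GroupPolicy',           # assumption: GP processing events
    'Microsoft-Windows-User Profiles Service'  # assumption: profile load events
)

# Step 1: create and start the trace session (-ets = start it immediately).
function Start-LogonTrace {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $etl = Join-Path $OutDir "$SessionName.etl"
    & logman create trace $SessionName -p $Providers[0] -o $etl -ets | Out-Null
    # Additional providers are added to the running session one at a time.
    foreach ($p in $Providers[1..($Providers.Count - 1)]) {
        & logman update trace $SessionName -p $p -ets | Out-Null
    }
    return $etl
}

# Step 2 is manual: reproduce the slow logon while the session is running.

# Steps 3 and 4: stop the session and convert the .etl to XML.
function Stop-LogonTrace {
    param([Parameter(Mandatory)][string]$EtlPath)
    & logman stop $SessionName -ets | Out-Null
    $xml = [IO.Path]::ChangeExtension($EtlPath, '.xml')
    & tracerpt $EtlPath -o $xml -of XML -y | Out-Null
    return $xml
}

# Step 5: the slide opens the XML in Notepad++; this helper instead lists every
# event with the gap since the previous one, so a long pause in the logon stands
# out. Assumption: tracerpt's XML puts each record in an <Event> element with
# the standard <System> block (Provider, EventID, TimeCreated).
function Get-TraceSummary {
    param([Parameter(Mandatory)][string]$XmlPath)
    [xml]$doc = Get-Content -Path $XmlPath -Raw
    $prev = $null
    foreach ($e in $doc.Events.Event) {
        $sys = $e.System
        $t   = [datetime]$sys.TimeCreated.SystemTime
        $gap = if ($null -ne $prev) { ($t - $prev).TotalSeconds } else { 0 }
        $prev = $t
        [pscustomobject]@{
            Time     = $t.ToString('HH:mm:ss.fff')
            GapSec   = [math]::Round($gap, 3)
            Provider = $sys.Provider.Name
            # local-name() sidesteps the event XML namespace
            EventId  = $sys.SelectSingleNode('*[local-name()="EventID"]').InnerText
        }
    }
}

# Usage (run step by step):
#   $etl = Start-LogonTrace
#   ... reproduce the slow logon ...
#   $xml = Stop-LogonTrace -EtlPath $etl
#   Get-TraceSummary -XmlPath $xml | Sort-Object GapSec -Descending | Select-Object -First 10
```

Keep the provider list short: each provider adds volume to the .etl, and the point of the summary is the handful of large gaps, not the thousands of events in between.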
Event Tracing for Windows
PowerShell – Analyze Logon Duration
Get-LogonPhaseTime -Username UserName -UserDomain Domain -CUDesktopLoadTime $args[1]
User name:      cuupm
Logon Time:     09:46:37 PM
Logon Duration: 107 seconds

Logon Phase           Duration (s)  Start Time  End Time    Interim Delay
-----------           ------------  ----------  --------    -------------
Network Providers              1.0  09:46:37.1  09:46:38.1
Citrix Profile Mgmt           82.3  09:46:42.0  09:48:04.2          3.815
User Profile                   0.9  09:48:04.2  09:48:05.1          0
Group Policy                   9.7  09:48:05.1  09:48:14.8          0.005
GP Scripts (sync)              2.4  09:48:16.2  09:48:18.6          1.398
Pre-Shell (Userinit)           2.3  09:48:18.6  09:48:20.9          0.04
Shell                            3  09:48:20.9  09:48:23.9          0
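How the Duration and Interim Delay columns above are derived, as an added example that is not ControlUp's Get-LogonPhaseTime (whose source is not on the slide): Interim Delay is the gap between the previous phase's end and this phase's start, which is where otherwise unexplained logon seconds hide (3.8 s before Citrix Profile Mgmt and 1.4 s before the GP scripts in the table). The sample phases are constructed from the slide's figures; Get-PhasesFromEventLog is an assumption about which operational events bracket two of the phases (Group Policy 4001 to 8001, User Profile Service 1 to 2) and should be verified in Event Viewer before being relied on.

```powershell
# Added example (not ControlUp's Get-LogonPhaseTime, whose source is not on the
# slide): derives Duration and Interim Delay from phase start/end timestamps.
# Interim Delay = gap between the previous phase's end and this phase's start.
# The sample data is constructed from this slide's table. Get-PhasesFromEventLog
# is an assumption about which operational events bracket two phases (Group
# Policy 4001 -> 8001, User Profile Service 1 -> 2); verify the IDs in Event Viewer.

function Get-LogonPhaseTiming {
    # $Phases: objects with Name, Start ([datetime]) and End ([datetime]).
    param([Parameter(Mandatory)][object[]]$Phases)
    $prevEnd = $null
    foreach ($p in ($Phases | Sort-Object Start)) {
        $delay = if ($null -ne $prevEnd) { ($p.Start - $prevEnd).TotalSeconds } else { 0 }
        $prevEnd = $p.End
        [pscustomobject]@{
            'Logon Phase'   = $p.Name
            'Duration (s)'  = [math]::Round(($p.End - $p.Start).TotalSeconds, 1)
            'Start Time'    = $p.Start.ToString('HH:mm:ss.f')
            'End Time'      = $p.End.ToString('HH:mm:ss.f')
            'Interim Delay' = [math]::Round([math]::Max($delay, 0), 3)  # overlapping phases show 0
        }
    }
}

function Get-LogonSummary {
    # Total logon time, the slowest phase, and the seconds spent between phases.
    param([Parameter(Mandatory)][object[]]$Phases)
    $rows   = Get-LogonPhaseTiming -Phases $Phases
    $first  = ($Phases | Sort-Object Start)[0]
    $last   = ($Phases | Sort-Object End)[-1]
    $slow   = $rows | Sort-Object 'Duration (s)' -Descending | Select-Object -First 1
    [pscustomobject]@{
        'Logon Duration (s)' = [math]::Round(($last.End - $first.Start).TotalSeconds)
        'Slowest Phase'      = $slow.'Logon Phase'
        'Between Phases (s)' = [math]::Round(($rows | Measure-Object 'Interim Delay' -Sum).Sum, 3)
    }
}

function Get-PhasesFromEventLog {
    # Assumption (see above): event IDs that bracket each phase. Needs admin rights.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $defs = @(
        @{ Name = 'User Profile'; Log = 'Microsoft-Windows-User Profile Service/Operational'; StartId = 1;    EndId = 2 },
        @{ Name = 'Group Policy'; Log = 'Microsoft-Windows-GroupPolicy/Operational';          StartId = 4001; EndId = 8001 }
    )
    foreach ($d in $defs) {
        $s = Get-WinEvent -FilterHashtable @{ LogName = $d.Log; Id = $d.StartId; StartTime = $Since } -MaxEvents 1 -ErrorAction SilentlyContinue
        $e = Get-WinEvent -FilterHashtable @{ LogName = $d.Log; Id = $d.EndId;   StartTime = $Since } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($s -and $e) { [pscustomobject]@{ Name = $d.Name; Start = $s.TimeCreated; End = $e.TimeCreated } }
    }
}

# Constructed sample: the seven phases from this slide (24h clock, date arbitrary).
function New-Phase($Name, $Start, $End) {
    [pscustomobject]@{ Name = $Name; Start = [datetime]"2015-01-01 $Start"; End = [datetime]"2015-01-01 $End" }
}
$samplePhases = @(
    New-Phase 'Network Providers'    '21:46:37.1' '21:46:38.1'
    New-Phase 'Citrix Profile Mgmt'  '21:46:42.0' '21:48:04.2'
    New-Phase 'User Profile'         '21:48:04.2' '21:48:05.1'
    New-Phase 'Group Policy'         '21:48:05.1' '21:48:14.8'
    New-Phase 'GP Scripts (sync)'    '21:48:16.2' '21:48:18.6'
    New-Phase 'Pre-Shell (Userinit)' '21:48:18.6' '21:48:20.9'
    New-Phase 'Shell'                '21:48:20.9' '21:48:23.9'
)
Get-LogonPhaseTiming -Phases $samplePhases | Format-Table -AutoSize
Get-LogonSummary     -Phases $samplePhases | Format-List
```

On the sample data the summary reports 107 seconds total, Citrix Profile Mgmt as the slowest phase, and a little over 5 seconds spent between phases; on a real host, replace `$samplePhases` with the output of Get-PhasesFromEventLog once the event IDs are confirmed.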
PowerShell - Analyzing GP CSE Load Times
Get-GPUserCSE -Username MyDomain\MyUser
Lists every loaded CSE by name and processing time
CSE Name                          Time (in ms)
--------                          ------------
Group Policy Environment                  1514
Registry                                  4477
Group Policy Drive Maps                    936
Scripts                                    421
Group Policy Registry                     1825
Folder Redirection                        6895
Group Policy Files                        2418
Group Policy Start Menu Settings           842
Citrix Group Policy                       1310
Total time of 20.64 seconds
Total errors: 1
Folder Redirection failed with 'ErrorCode' 1003
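One way to produce the per-CSE table, total and error line above from the Group Policy operational log, as an added example that is not ControlUp's Get-GPUserCSE. It assumes (labelled in the code) that event 5016 records "Completed <CSE> Extension Processing in <ms> milliseconds" and 7016 the same for a CSE that returned an error, and that the event-data field names are CSEExtensionName, CSEElaspedTimeInMilliSeconds (the misspelling is in the schema) and ErrorCode; check one event's XML in Event Viewer before trusting the parse. The sample records are constructed from the slide so the aggregation runs offline.

```powershell
# Added example (not ControlUp's Get-GPUserCSE): reads Group Policy CSE completion
# events and produces the per-CSE table, total and error list shown on this slide.
# Assumptions, labelled: event 5016 = CSE completed, 7016 = CSE completed with an
# error; event-data fields CSEExtensionName / CSEElaspedTimeInMilliSeconds /
# ErrorCode. Verify against one event's XML in Event Viewer.

function ConvertFrom-CseEvent {
    # Flattens one Get-WinEvent record into Name / Ms / ErrorCode.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        [xml]$x = $Event.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Name      = $data['CSEExtensionName']
            Ms        = [int]$data['CSEElaspedTimeInMilliSeconds']
            ErrorCode = [int]$data['ErrorCode']   # missing field -> 0
        }
    }
}

function Get-CseLoadTimes {
    # Live collection from the operational log (needs admin rights).
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        Id        = 5016, 7016
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ConvertFrom-CseEvent
}

function Measure-CseLoadTime {
    # Aggregates flat CSE records: table rows, total seconds, error lines.
    param([Parameter(Mandatory)][object[]]$Records)
    $total  = ($Records | Measure-Object Ms -Sum).Sum
    $errors = @($Records | Where-Object { $_.ErrorCode -ne 0 })
    [pscustomobject]@{
        Rows         = $Records | Select-Object @{ n = 'CSE Name'; e = { $_.Name } }, @{ n = 'Time (in ms)'; e = { $_.Ms } }
        TotalSeconds = [math]::Round($total / 1000, 2)
        ErrorCount   = $errors.Count
        Errors       = @($errors | ForEach-Object { "$($_.Name) failed with 'ErrorCode' $($_.ErrorCode)" })
    }
}

# Constructed sample mirroring the slide (runs offline); on a real host use
# $records = Get-CseLoadTimes instead.
$records = @(
    @{ Name = 'Group Policy Environment';         Ms = 1514; ErrorCode = 0 },
    @{ Name = 'Registry';                         Ms = 4477; ErrorCode = 0 },
    @{ Name = 'Group Policy Drive Maps';          Ms = 936;  ErrorCode = 0 },
    @{ Name = 'Scripts';                          Ms = 421;  ErrorCode = 0 },
    @{ Name = 'Group Policy Registry';            Ms = 1825; ErrorCode = 0 },
    @{ Name = 'Folder Redirection';               Ms = 6895; ErrorCode = 1003 },
    @{ Name = 'Group Policy Files';               Ms = 2418; ErrorCode = 0 },
    @{ Name = 'Group Policy Start Menu Settings'; Ms = 842;  ErrorCode = 0 },
    @{ Name = 'Citrix Group Policy';              Ms = 1310; ErrorCode = 0 }
) | ForEach-Object { [pscustomobject]$_ }

$r = Measure-CseLoadTime -Records $records
$r.Rows | Format-Table -AutoSize
"Total time of $($r.TotalSeconds) seconds"
"Total errors: $($r.ErrorCount)"
$r.Errors
```

With the sample records the totals come out as on the slide (20.64 seconds, one error on Folder Redirection). A CSE that fails still costs its full processing time, so the error list and the time column belong side by side: the 6.9 seconds on Folder Redirection here were spent on a CSE that did not even succeed.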
Live Demo
• Slow logon – Group Policy
• Slow logon – Citrix UPM
Links
• Xperf - http://blogs.technet.com/b/askpfeplat/archive/2012/06/09/slow-boot-slow-logon-sbsl-a-tool-called-xperf-and-links-you-need-to-read.aspx
• Windows Logon and Authentication - https://technet.microsoft.com/en-us/library/dn169016(v=ws.10).aspx
• Analyze Logon Duration PowerShell script - TBS
• Analyze CSE load time PowerShell script - http://www.controlup.com/logon-gpo-analysis-via-powershell/
• ETW - https://support.microsoft.com/en-us/kb/2593157

Understanding & Troubleshooting the Windows Logon Process
