This document provides an overview of the Windows logon process and tools for analyzing logon performance issues. It breaks down the logon process into phases like session initialization, authentication, user profile loading, and group policy processing. It then describes tools like Event Tracing for Windows, Process Monitor, and PowerShell scripts for analyzing logon duration and determining where delays are occurring in the logon workflow. Live demonstrations are provided of using these tools to diagnose specific slow logon issues related to group policy or Citrix user profile management.

1. Diving into the
Windows Logon Process
Yoni Avital (VDI Geek)
Eugene Kalayev (Cloud and PowerShell Geek)

2. Agenda
• Logon process overview
• Logon process breakdown
• Tools of the trade
• Event log (is your friend)
• Process Monitor
• Advanced (Geek) stuff
• Event Tracing for Windows
• PowerShell Scripts
• Live demo

3. Logon Process Overview
Session Initialization Authentication User Profile
Group Policy UserInit Shell

4. Logon Process - Optional Phases
• Network Providers (RDS)
• Mpnotify.exe loads network providers (e.g. pnsso)
• 3rd party profile solutions (e.g. UPM)
• UPM loads before the User Profile Service and can delay the logon process
• Group Policy Scripts
• Will affect logon duration if runs synchronously
• Citrix Printer Mapping
• Can delay the logon process if apps are waiting for printer mapping. Handled by
wfshell.exe (part of the UserInit phase)

5. Session Initialization

6. Session Initialization

7. Authentication

8. Authentication

9. User Profile

10. Group Policy

11. Userinit (Pre-Shell)

12. Shell

13. Advanced (Geek) stuff
• Event Tracing for Windows
• PowerShell Scripts

14. Event Tracing for Windows
• High speed kernel & user mode event tracing
• Steps
• Create and start new ETW trace
• Reproduce the slow logon issue
• Stop the trace
• Convert the ETL log file to XML format
• Analyze log with Notepad ++
• Example – Analyze logon processes

15. Event Tracing for Windows

16. Event Tracing for Windows

17. Event Tracing for Windows

18. PowerShell – Analyze Logon Duration
Get-LogonPhaseTime -Username UserName –
UserDomain Domain -CUDesktopLoadTime $args[1]
User name: cuupm
Logon Time: 09:46:37 PM
Logon Duration: 107 seconds
Logon Phase Duration (s) Start Time End Time Interim Delay
----------- ------------ ---------- -------- -------------
Network Providers 1.0 09:46:37.1 09:46:38.1
Citrix Profile Mgmt 82.3 09:46:42.0 09:48:04.2 3.815
User Profile 0.9 09:48:04.2 09:48:05.1 0
Group Policy 9.7 09:48:05.1 09:48:14.8 0.005
GP Scripts (sync) 2.4 09:48:16.2 09:48:18.6 1.398
Pre-Shell (Userinit) 2.3 09:48:18.6 09:48:20.9 0.04
Shell 3 09:48:20.9 09:48:23.9 0

19. PowerShell - Analyzing GP CSE Load Times
Get-GPUserCSE -Username MyDomainMyUser
Lists every loaded CSE by name and processing time
CSE Name Time (in ms)
-------- ------------
Group Policy Environment 1514
Registry 4477
Group Policy Drive Maps 936
Scripts 421
Group Policy Registry 1825
Folder Redirection 6895
Group Policy Files 2418
Group Policy Start Menu Settings 842
Citrix Group Policy 1310
Total time of 20.64 seconds
Total errors: 1
Folder Redirection failed with 'ErrorCode' 1003

20. Live Demo
• Slow logon – Group Policy
• Slow Logon – Citrix UPM

21. Links
• Xperf -
http://blogs.technet.com/b/askpfeplat/archive/2012/0
6/09/slow-boot-slow-logon-sbsl-a-tool-called-xperf-
and-links-you-need-to-read.aspx
• Windows Logon and Authentication -
https://technet.microsoft.com/en-
us/library/dn169016(v=ws.10).aspx
• Analyze Logon Duration PowerShell script - TBS
• Analyze CSE load time PowerShell script -
http://www.controlup.com/logon-gpo-analysis-via-
powershell/
• ETW - https://support.microsoft.com/en-
us/kb/2593157