Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
Winlogon is the main component that logs data to the Userenv.log file (through userenv.dll).
If Userenv debug logging is enabled as per KB 221833, the userenv.log file will include the following:
- Slow link detection
- Machine Group Policy Application
- Processes and applications which start up as part of Userinit.exe (this includes most Startup items)
- Machine startup and shutdown scripts
- Profile loading or unloading at user login/logoff
- User Group Policy Application
- Internet Explorer GPO processing
- User login and logoff scripts
- Firewall rules processing for Windows Firewall
The userenv.log file is hardcoded to be renamed to userenv.bak (and the existing userenv.bak file deleted) if the existing userenv.log file is larger than 300 Kb at logon. On a busy system this will be overwritten very quickly.
Each line in the userenv.log file is prefixed in the format ParentProcessID.ChildProcessID; you can use this as an indicator of which processes are doing what on the machine. The prefix is also useful for filtering the log, since a large amount of data is logged by different threads running simultaneously, and this can make the userenv log hard to read.
By itself, the userenv.log is of limited value for troubleshooting purposes. Noting down a timeline of what is being done at each stage is vital to make the data in it useful. Bear in mind that a lot of external activity takes place during the startup and login process that does not go through Winlogon or Userenv.dll, so it never appears in this log.
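To show how the prefix and a timeline can be used together, here is an added example (not code from the original post or from Microsoft) that parses userenv.log text, groups lines by their prefix, and reports how long each thread spent between consecutive entries so that slow phases stand out. It assumes each line has the layout `USERENV(a.b) HH:MM:SS:mmm Function: message`, which the post does not state, and the sample lines it runs on are constructed for the example rather than taken from a real capture.

```python
import re
from collections import defaultdict
from datetime import timedelta

# Assumed line layout (not stated on the page): "USERENV(a.b) HH:MM:SS:mmm Function: message".
# The page describes the "a.b" prefix as ParentProcessID.ChildProcessID; it is treated here as an opaque key.
LINE_RE = re.compile(
    r"^USERENV\((?P<a>[0-9a-fA-F]+)\.(?P<b>[0-9a-fA-F]+)\)\s+"
    r"(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>[^:]+):\s*(?P<msg>.*)$"
)

# Constructed sample log for the example; these are not real userenv.log lines.
SAMPLE_LOG = """\
USERENV(1b8.1bc) 10:36:08:871 LibMain: Process Name:  C:\\WINDOWS\\system32\\winlogon.exe
USERENV(1b8.1bc) 10:36:09:215 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(1b8.1bc) 10:36:09:231 PingComputer: First time:  2
USERENV(1b8.1bc) 10:36:09:247 PingComputer: Fast link.  Exiting.
USERENV(1b8.1bc) 10:36:11:903 ProcessGPOs: Computer Group Policy has been applied.
USERENV(3f0.3f4) 10:36:15:120 LoadUserProfile: Entering, hToken = <0x2d4>, lpProfileInfo = 0x7f8c0
USERENV(3f0.3f4) 10:36:19:880 LoadUserProfile: Leaving with a value of 1.
USERENV(3f0.3f4) 10:36:20:004 ProcessGPOs: Starting user Group Policy (Background) processing...
USERENV(3f0.3f4) 10:36:27:640 ProcessGPOs: User Group Policy has been applied.
this line is not in the expected layout and is counted as skipped
"""


def _to_timedelta(ts):
    """Convert HH:MM:SS:mmm (no date component) into a timedelta since midnight."""
    h, m, s, ms = (int(x) for x in ts.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s, milliseconds=ms)


def _wrap(seconds):
    """Userenv timestamps carry no date, so a negative gap means the clock passed midnight."""
    return seconds + 86400.0 if seconds < 0 else seconds


def parse_userenv(text):
    """Parse log text into records; returns (records, number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # garbage, truncated or foreign lines are dropped, not guessed at
            continue
        records.append({
            "prefix": f"{m['a']}.{m['b']}",
            "time": _to_timedelta(m["ts"]),
            "func": m["func"].strip(),
            "msg": m["msg"].strip(),
        })
    return records, skipped


def by_prefix(records):
    """Group records by their a.b prefix, preserving file order within each group."""
    groups = defaultdict(list)
    for r in records:
        groups[r["prefix"]].append(r)
    return dict(groups)


def timeline(records, prefix):
    """Timeline for one prefix: (seconds since the previous line of that prefix, func, msg)."""
    out, prev = [], None
    for r in by_prefix(records).get(prefix, []):
        gap = 0.0 if prev is None else _wrap((r["time"] - prev).total_seconds())
        out.append((round(gap, 3), r["func"], r["msg"]))
        prev = r["time"]
    return out


def elapsed_between(records, prefix, start_text, end_text):
    """Seconds from the first message containing start_text to the next one containing end_text."""
    start = None
    for r in by_prefix(records).get(prefix, []):
        if start is None and start_text in r["msg"]:
            start = r["time"]
        elif start is not None and end_text in r["msg"]:
            return round(_wrap((r["time"] - start).total_seconds()), 3)
    return None  # phase never started or never finished in this log


def slow_steps(records, threshold_s=2.0):
    """Lines that arrived more than threshold_s after the previous line of the same prefix."""
    found = []
    for prefix in by_prefix(records):
        for gap, func, msg in timeline(records, prefix):
            if gap > threshold_s:
                found.append((prefix, gap, func, msg))
    return found


if __name__ == "__main__":
    recs, skipped = parse_userenv(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {skipped} skipped")
    for prefix, gap, func, msg in slow_steps(recs):
        print(f"{prefix} waited {gap:6.3f}s before {func}: {msg}")
    print("computer GP seconds:", elapsed_between(recs, "1b8.1bc",
          "Starting computer Group Policy", "Computer Group Policy has been applied"))
```

Run it against a real userenv.log by replacing `SAMPLE_LOG` with the file contents; lines that do not match the assumed layout are counted rather than guessed at, which keeps a truncated or partially overwritten log (the 300 Kb rotation described above) from silently corrupting the timeline.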
An additional useful step is to capture a network trace from the authenticating DC and the client during the login operation (using port mirroring or a hub).
In Vista, most of this is logged to the System event log on the machine. You can still enable Userenv debug logging with UserenvDebugLevel, and there will still be some minimal logging to userenv.log; there is, however, another DWORD entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics called GpSvcDebugLevel which can be used for troubleshooting on Vista/W2k8 in a similar way.
How to enable user environment debug logging in retail builds of Windows: http://support.microsoft.com/kb/221833
Interpreting Userenv log files: http://technet.microsoft.com/en-us/library/cc786775.aspx
A test case for troubleshooting group policy application - Event ID 1085 and 7016: http://blogs.technet.com/askds/archive/2008/08/21/a-test-case-for-troubleshooting-group-policy-application-event-id-1085-and-7016.aspx
Windows Administration: Your Guide to Group Policy Troubleshooting: http://technet.microsoft.com/en-us/magazine/cc162497.aspx