How to enable and use Userenv Log on Windows



Jan 17

Userenv

For Information on Interpreting Userenv Log Files and tracking User Environment Creation, use the following article link(s):

Interpreting Userenv Log Files

Userenv :: Tracking User Environment Creation

How to enable the Userenv log on pre-Vista / pre-Windows Server 2008 systems


 

"How to enable user environment debug logging in retail builds of Windows"

 

Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Entry: UserEnvDebugLevel

Type: REG_DWORD

Value data: 10002 (Hexadecimal)

 

Log Location:

%Systemroot%\Debug\UserMode\Userenv.log

 

Userenv is a diagnostic log that collects event data generated during user logon on a Windows client. It shows transparently which processes and events run on the client while a user logs on to the workstation.

Enabling the Userenv log lets us see what is happening in the background on a Windows client. It records the events that occur during user logon, which is often useful for troubleshooting slow logons, failed logons and other login-related issues.

 

+ Also, do not reboot the box if the issue recurs

If the issue occurs again, do not reboot the affected client machine first. Contact a support administrator and then collect the logs.

 

+ Steps to collect the userenv log and let the client machine keep a log file larger than the 304 KB limit

>>>> make the userenv.bak file read-only, so that the log keeps collecting events and does not overwrite them

 

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

Although the 300-KB limit cannot be modified, you can set the read-only attribute on the Userenv.bak file, and the Userenv.log file will then grow indefinitely. Use this method only temporarily, and remove the read-only attribute from the Userenv.bak file as soon as you are finished troubleshooting.

How to enable userenv debug logging:

http://support.microsoft.com/kb/221833

http://technet.microsoft.com/en-us/library/cc786775.aspx

Interpreting Userenv log files:

http://technet.microsoft.com/en-us/library/cc786775.aspx

How to enable Userenv log in Vista / Windows Server 2008 environment

UserEnvDebugLevel is deprecated in Windows Vista - refer to this section for the newer mechanism.

Vista -- Userenv / Profile Tracing

Tracing Tools

*****************

The tracing tools that we have are as follows:

 

In Box

logman

tracerpt

 

Windows DDK

tracefmt

tracelog

tracepdb

traceview

 

The latest Windows DDK is available from:

x86 -

<\\winbuilds\release\winmain\latest.tst\x86fre\bin\ddk_flat\tools\tracing\*.*>

x64 -

<\\winbuilds\release\winmain\latest.tst\amd64fre\bin\ddk_flat\tools\tracing\*.*>

ia64 -

<\\winbuilds\release\winmain\latest.tst\ia64fre\bin\ddk_flat\tools\tracing\*.*>

NOTE: To access the latest Windows Vista builds or the Windows DDK, daily build access is needed; it can be requested from http://autosecure

 

Download Windows DDK here:

            Windows Driver Kit (WDK) 8.1

 

            Microsoft Windows Driver Development Kit (DDK) Solution Center

            Windows 8.1: Download kits and tools

 

Errors:

********

The following two errors can be caused by:

a) The LoggerName was typed incorrectly

b) The machine was rebooted after starting the trace in an attempt to reproduce the issue

 

NOTE: tracing does not persist across reboots unless autologger is used

 

1) Data Collector Set was not found.

 

2) Operation Status: 4201L The instance name passed was not recognized as valid by a WMI data provider.

Logger Name: profile

 

Resolution

 

Steps Needed To Obtain Equivalent Of Profile Sections Of Userenv.log

 

Gathering Data Using In Box Tools

******************************************

1) open a command prompt with an admin token

a) select the start menu

b) type cmd in "Start Search"

c) right mouse click on cmd under programs

d) select "Run as administrator"

 

2) run "logman -start profile -p {eb7428f5-ab1f-4322-a4cc-1f1a9b2c5e98} 255 3 -ets"

(without the quotes)

 

3) reproduce issue

 

4) open a command prompt with an admin token

a) select the start menu

b) type cmd in "Start Search"

c) right mouse click on cmd under programs

d) select "Run as administrator"

 

5) run "logman -stop profile -ets" (without the quotes)

 

6) profile.etl will be located in the directory that logman -start was run

 

Converting Data To Human Readable Format Using In Box Tools

 

1) open a command prompt

 

2) run "tracerpt -o profile.csv c:\profile.etl -of csv -tp \\winbuilds\release\<builddirectory>\<buildnumber>\<architecture>\SYMBOLS.PRI\traceformat\" (without the quotes)

<builddirectory> = directory containing Windows Vista builds

ex. winmain, winmain_beta1, winmain_beta2, winmain_idx01,

winmain_idx02, winmain_idx03, winmain_idx04, winmain_idx05

<buildnumber> = directory containing specific Windows Vista build

ex. 5378.0.060425-1900, 5379.0.060427-1900

<architecture> = directory containing Windows Vista build architecture

ex. amd64fre, ia64fre, x86fre

 

RTM directories I used for traceformat information

\\winbuilds\release\vista_rtm_sp_reference\x86fre\SYMBOLS.PRI\traceformat

\\winbuilds\release\vista_rtm\6000.16386.061101-2205\x86fre\SYMBOLS.PRI\traceformat

 

 

 

NOTES:

a) To access the Windows Vista TMF repository for converting traces to human readable format, daily build access is needed and can be requested from http://autosecure

b) profile.etl will be located in the directory where logman -start was run

 

 

3) open profile.csv in excel

 

 

NOTE: If column A in profile.csv contains "Unknown" and column V contains "GUID=147d65d9-40d4-7085-0f6d-f09272c92f78 (No Format Information found).", then the etl file was not converted to human readable format successfully. This can be caused by not having access to \\winbuilds\release or by an incorrect path to the TMF files. Note that the GUID= section of column V will show numerous GUIDs with (No Format Information found); it is not limited to the 147d65d9-40d4-7085-0f6d-f09272c92f78 GUID.
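The in-box procedure above (start the logman session, reproduce, stop, convert with tracerpt, then check for the "Unknown" / "(No Format Information found)" signature) as one PowerShell script, added here as an example; it is not part of the original article. The function names and the C:\ProfileTrace output folder are assumptions, and the TMF path must be one you can actually reach (the \\winbuilds paths above are internal).

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
$ProviderGuid = '{eb7428f5-ab1f-4322-a4cc-1f1a9b2c5e98}'   # profile provider GUID from the article
$LoggerName   = 'profile'

function Start-ProfileTrace {
    param([string]$OutDir = 'C:\ProfileTrace')           # assumed output folder
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $etl = Join-Path $OutDir 'profile.etl'
    # -ets starts the session immediately; flags 255 and level 3 match the article.
    & logman.exe start $LoggerName -p $ProviderGuid 255 3 -o $etl -ets
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
    return $etl
}

function Stop-ProfileTrace {
    # "Data Collector Set was not found" here means a mistyped logger name or a
    # reboot after the start: an -ets session does not survive a reboot (see Errors).
    & logman.exe stop $LoggerName -ets
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed with exit code $LASTEXITCODE" }
}

function Convert-ProfileTrace {
    param([string]$Etl, [string]$TmfPath)                # TmfPath: a traceformat directory you can reach
    $csv = [IO.Path]::ChangeExtension($Etl, '.csv')
    & tracerpt.exe -o $csv $Etl -of csv -tp $TmfPath
    if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }
    return $csv
}

function Test-ProfileTraceDecoded {
    # The article's failure signature: rows whose first column is "Unknown" and whose
    # GUID column says "(No Format Information found)" were not decoded, which points
    # at an unreachable or wrong TMF path rather than at the trace itself.
    param([string]$Csv)
    $rows = @(Get-Content $Csv)
    $undecoded = @($rows | Where-Object {
        $_ -match '^"?Unknown"?,' -and $_ -match 'No Format Information found' })
    [pscustomobject]@{
        TotalLines = $rows.Count      # includes the CSV header line
        Undecoded  = $undecoded.Count
        Decoded    = ($undecoded.Count -eq 0)
    }
}

# Usage: $etl = Start-ProfileTrace ; <reproduce the issue> ; Stop-ProfileTrace
#        $csv = Convert-ProfileTrace -Etl $etl -TmfPath '\\server\share\traceformat'   # placeholder path
#        Test-ProfileTraceDecoded -Csv $csv
```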

 

 

Gathering Data Using Windows DDK Tools

 

1) open a command prompt with an admin token

a) select the start menu

b) type cmd in "Start Search"

c) right mouse click on cmd under programs

d) select "Run as administrator"

 

2) run "tracelog -start profile -f profile.etl -guid #eb7428f5-ab1f-4322-a4cc-1f1a9b2c5e98 -level 3 -flag 255" (without the quotes)

 

3) reproduce issue

 

4) open a command prompt with an admin token

a) select the start menu

b) type cmd in "Start Search"

c) right mouse click on cmd under programs

d) select "Run as administrator"

 

5) run "tracelog -stop profile" (without the quotes)

 

6) profile.etl will be located in the directory that tracelog -start was run

 

Converting Data To Human Readable Format Using Windows DDK Tools

 

 

Using Command Line

=================

1) open a command prompt

 

2) run "tracefmt -o profile.log c:\profile.etl -p \\winbuilds\release\<builddirectory>\<buildnumber>\<architecture>\SYMBOLS.PRI\traceformat" (without the quotes)

<builddirectory> = directory containing Windows Vista builds

ex. winmain, winmain_beta1, winmain_beta2, winmain_idx01,

winmain_idx02, winmain_idx03, winmain_idx04, winmain_idx05

<buildnumber> = directory containing specific Windows Vista build

ex. 5378.0.060425-1900, 5379.0.060427-1900

<architecture> = directory containing Windows Vista build architecture

ex. amd64fre, ia64fre, x86fre

 

RTM directories I used for traceformat information

\\winbuilds\release\vista_rtm_sp_reference\x86fre\SYMBOLS.PRI\traceformat

\\winbuilds\release\vista_rtm\6000.16386.061101-2205\x86fre\SYMBOLS.PRI\traceformat

 

 

 

3) open profile.log in notepad

 

Using GUI

 

1) open traceview

 

2) select "File"

 

3) select "Open Existing Log File"

 

4) either type c:\profile.etl under "Log File Name" or select "..." to browse to profile.etl

 

5) select "OK"

 

6) select "TMF (Trace Format) Files" radio button

 

7) select "OK"

 

8) select "Set TMF Search Path"

 

9) select "OK"

 

10) select "Network..."

 

11) type \\winbuilds\release\<builddirectory>\<buildnumber>\<architecture>\SYMBOLS.PRI\traceformat or browse to the network location

<builddirectory> = directory containing Windows Vista builds

ex. winmain, winmain_beta1, winmain_beta2, winmain_idx01,

winmain_idx02, winmain_idx03, winmain_idx04, winmain_idx05

<buildnumber> = directory containing specific Windows Vista build

ex. 5378.0.060425-1900, 5379.0.060427-1900

<architecture> = directory containing Windows Vista build architecture

ex. amd64fre, ia64fre, x86fre

 

RTM directories I used for traceformat information

\\winbuilds\release\vista_rtm_sp_reference\x86fre\SYMBOLS.PRI\traceformat

\\winbuilds\release\vista_rtm\6000.16386.061101-2205\x86fre\SYMBOLS.PRI\traceformat

 

12) select "Finish"

 

13) select "OK"

Increasing Userenv debug logs beyond 300KB circular limit


Problem: Windows XP Professional Edition

 

Problem Description

 

Issue:

 

During troubleshooting of profile or group policy issues, Userenv debug logging has been enabled.

However, the issue does not reproduce frequently and the userenv.log and .bak are overwritten due to their small size before the data can be harvested.

 

Environment:

 

Windows 2000, Windows XP, Windows Server 2003

 

Resolution

 

# IMPORTANT CAVEAT:

 

It is critical that this workaround be done in a very controlled manner. By preventing the circular nature of userenvdebuglevel, there is a very real risk that the userenv.log file will grow to fill the remaining disk space. This setting should never be put in place without a clear backout plan to undo the changes and a perfect understanding of the machines to be touched. It should NEVER be left running at the end of a case. Deploying this via group policy is highly discouraged; it should be done with admin-executed scripts (or by hand) that can be carefully managed.

 

# Workaround:

 

1. If it does not already exist, create %systemroot%\debug\userenv.bak.

2. Set this file to READ ONLY (e.g. by using ATTRIB.EXE, or by checking the Read-only attribute via Explorer | Right-click file | Properties).

3. Turn on UserEnvDebugLevel to 10002 (hex) via KB221833.
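The read-only userenv.bak workaround together with the UserEnvDebugLevel setting (the same steps as in the pre-Vista section near the top of this page), with the backout the caveat demands, as an added PowerShell example that is not part of the original article. It assumes an elevated prompt, uses the %Systemroot%\Debug\UserMode log location given at the top of the page, and the function names and the audit fields are my own.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DebugDir    = Join-Path $env:SystemRoot 'Debug\UserMode'   # log location from the article
$LogFile     = Join-Path $DebugDir 'userenv.log'
$BakFile     = Join-Path $DebugDir 'userenv.bak'

function Enable-UserenvDebug {
    # 0x10002 = verbose Userenv logging (KB221833). Set-ItemProperty creates the
    # REG_DWORD value if it does not exist yet.
    Set-ItemProperty -Path $WinlogonKey -Name UserEnvDebugLevel -Value 0x10002 -Type DWord
    # Workaround from the article: a read-only userenv.bak stops the 300 KB rollover
    # from renaming userenv.log over it, so the .log keeps growing until backed out.
    if (-not (Test-Path $BakFile)) { New-Item -ItemType File -Path $BakFile -Force | Out-Null }
    (Get-Item $BakFile).IsReadOnly = $true
}

function Disable-UserenvDebug {
    # Backout plan (the article's caveat): clear the read-only bit so rollover works
    # again, then remove the debug level so logging stops.
    if (Test-Path $BakFile) { (Get-Item $BakFile).IsReadOnly = $false }
    Remove-ItemProperty -Path $WinlogonKey -Name UserEnvDebugLevel -ErrorAction SilentlyContinue
}

function Get-UserenvDebugState {
    # Audit helper: what is set, how large the log has grown and how much disk is left,
    # so a forgotten read-only .bak is noticed before it fills the system volume.
    $level  = (Get-ItemProperty -Path $WinlogonKey -Name UserEnvDebugLevel -ErrorAction SilentlyContinue).UserEnvDebugLevel
    $logMB  = if (Test-Path $LogFile) { [math]::Round((Get-Item $LogFile).Length / 1MB, 1) } else { 0 }
    $bakRO  = (Test-Path $BakFile) -and (Get-Item $BakFile).IsReadOnly
    $freeGB = [math]::Round((Get-PSDrive ($env:SystemDrive.TrimEnd(':'))).Free / 1GB, 1)
    [pscustomobject]@{
        DebugLevelHex     = if ($null -ne $level) { '0x{0:X}' -f $level } else { '(not set)' }
        BakReadOnly       = $bakRO
        LogSizeMB         = $logMB
        SystemDriveFreeGB = $freeGB
    }
}

# Usage: Enable-UserenvDebug ; <reproduce the issue> ; Get-UserenvDebugState ; Disable-UserenvDebug
```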

 

# Notes:

 

There is no need to set the actual permissions differently (and SYSTEM will simply revert them back if you try).

 

An alternative to this method is to use the Userenv.log Collection Script tool on http://toolbox/sites/23809

This has the advantage of controlling the amount of data collected, but the downside of potentially missing small amounts of data.

 

There is no method to control the userenv.log size (the userenv debug code does not allow for altering it beyond the default of ~300KB).

 

UserEnvDebugLevel is deprecated in Windows Vista - refer to the section above for the newer mechanism.

 

 


Interpreting Userenv log files

lpuser

Central Profile = Terminal Server

Profile Image Path = Roaming / Local Profile

 

The most important thing when browsing the Userenv log is to find the last line where "lpuser" appears, based on the time stamp, as this identifies the last user who logged on to the machine.

 

The variable Central Profile appears whenever the Userenv log is collected on a Terminal Server.

The Profile Image Path holds the value of the SMB share (or local folder) from which the User Profile was loaded, that is, the location the profile was actually loaded from, whether a local computer folder or a network location.

It therefore shows whether a change to the User Profile location has been detected and applied, since it records only where that profile was loaded from.

 

If it matches what the administrator configured, this confirms that the client is able to read the changed path for the User Profile.
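One way to script the check described above, added here as an example that is not part of the original article: it locates the last "lpuser" entry by time stamp and compares the Profile Image Path logged for that logon with the path the administrator configured. The sample lines are constructed and only carry the fields the article names (real userenv.log lines differ in detail, so adjust the patterns before relying on them); the -ExpectedPath value and function names are assumptions.

```powershell
# Added example, not from the original article. Sample log lines are constructed.
$SampleLog = @'
USERENV(2b4.3c8) 09:12:03:015 RestoreUserProfile: Entering
USERENV(2b4.3c8) 09:12:03:031 lpuser = CONTOSO\alice
USERENV(2b4.3c8) 09:12:03:047 Profile Image Path = \\oldsrv\profiles\alice
USERENV(2b4.3c8) 17:45:10:120 RestoreUserProfile: Entering
USERENV(2b4.3c8) 17:45:10:136 lpuser = CONTOSO\bob
USERENV(2b4.3c8) 17:45:10:152 Central Profile = \\ts1\tsprofiles\bob
USERENV(2b4.3c8) 17:45:10:168 Profile Image Path = \\newsrv\profiles\bob
'@ -split "`r?`n"

function Get-LastLogonProfile {
    # Step 1 of the article: the last "lpuser" line by time stamp is the last logon.
    # Step 2: read Central Profile / Profile Image Path from the lines that follow it
    # and compare the image path with what the administrator configured.
    param([string[]]$Lines, [string]$ExpectedPath)
    $stamp = '^USERENV\(\S+\)\s+(?<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+'
    $hits = @($Lines | Select-String -Pattern "${stamp}lpuser\s*=\s*(?<user>\S+)")
    if ($hits.Count -eq 0) { return $null }
    # Zero-padded HH:mm:ss:fff sorts chronologically as text (within a single day).
    $last = $hits | Sort-Object { $_.Matches[0].Groups['ts'].Value } | Select-Object -Last 1
    $tail = $Lines[($last.LineNumber - 1)..($Lines.Count - 1)]
    function Get-Field([string]$Name) {
        $m = $tail | Select-String -Pattern "${stamp}$Name\s*=\s*(?<v>.+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups['v'].Value.Trim() } else { $null }
    }
    $image = Get-Field 'Profile Image Path'
    [pscustomobject]@{
        User              = $last.Matches[0].Groups['user'].Value
        TimeStamp         = $last.Matches[0].Groups['ts'].Value
        CentralProfile    = Get-Field 'Central Profile'   # present only on a Terminal Server
        ProfileImagePath  = $image
        MatchesConfigured = [bool]($ExpectedPath -and $image -and ($image -ieq $ExpectedPath))
    }
}

# On the constructed sample this reports bob's 17:45:10:136 logon with MatchesConfigured = True.
Get-LastLogonProfile -Lines $SampleLog -ExpectedPath '\\newsrv\profiles\bob'
```

For a real log, replace $SampleLog with `Get-Content "$env:SystemRoot\Debug\UserMode\userenv.log"` and pass the configured profile path as -ExpectedPath.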

 

For More Information on Interpreting Userenv Log Files and tracking User Environment Creation, use the following article link(s):

Interpreting Userenv Log Files

Userenv :: Tracking User Environment Creation



Author: administrator (India)

