How to read Userenv Log - Part 1 Machine Policy


Refer to the following article:

http://blogs.technet.com/b/askds/archive/2008/11/11/understanding-how-to-read-a-userenv-log-part-1.aspx 



First, what is Userenv logging? This is short for “User Environment.” How do I enable the logging? You can reference the following KB article:

 

221833 How to enable user environment debug logging in retail builds of Windows

http://support.microsoft.com/kb/221833

 

Note that Userenv logging per this article does not work on any version of Windows Vista or Windows Server 2008. It will work only on Windows 2000, 2003 or XP.

Open Regedit on the problem computer and drill down to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Create a REG_DWORD value named UserEnvDebugLevel, then set the value to 0x10002 in hexadecimal. The value name is not case sensitive.

Logging will start immediately to the Userenv.log file located in the %SystemRoot%\Debug\UserMode folder (no reboot or restart of services is required). If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit. If you need to read the log or .bak files, you can simply open them with Notepad. Since you want to see what the computer is doing when it starts, reboot the client computer.

 

One problem with Userenv logging, especially on a busy terminal server with lots of logon activity, is that the log is overwritten before you get a chance to find the useful information in it. While there is no way to increase the 300 KB limit on the log file, if you make Userenv.bak read-only, Winlogon can’t rename Userenv.log to Userenv.bak, so it just keeps logging to Userenv.log indefinitely. If you decide to use this method, it is critical that you monitor the size of Userenv.log to make sure it does not fill up the drive. Then remove the read-only attribute as soon as you are done troubleshooting.

 

After a reboot and once you are logged onto the client computer, open the Userenv log; you should notice information such as this:

USERENV(78c.790) 22:00:04:218 LoadUserProfile: lpProfileInfo->lpUserName = <NetworkService>

Or

USERENV(78c.790) 22:00:04:546 LoadUserProfile: lpProfileInfo->lpUserName = <LocalService>

 

This is normal, as there are profiles for the Network Service and Local Service. These accounts have to log on just as a normal user account does, since they are used to start services that are running on the local computer. You may see a line in the log such as this:

 

USERENV(78c.790) 22:00:04:515 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.

 

No need to worry if it is associated with one of the services logging on. This is because the SIDs (Security Identifiers) of the Network Service (S-1-5-20) and Local Service (S-1-5-19) accounts are what we call well-known security identifiers. You can see a list of them in:

 

243330 Well-known security identifiers in Windows operating systems

http://support.microsoft.com/kb/243330

 

These accounts are not associated with a domain the way a user or computer account would be, so these lines can be ignored. Once the services have started up (or are still in the process of starting) you will see the following:

 

USERENV(750.280) 22:00:43:203 ProcessGPOs: Starting computer Group Policy (Background) processing...

 

This signifies that the group policy for the computer is about to start processing. First we ping the server to determine whether we are on a fast link or a slow link, because on a slow link group policy processing can be done in a different fashion. So if ICMP is not allowed through a router that sits between the client and the DC it needs to ping, do not expect policies to get applied.

 

USERENV(750.280) 22:00:43:203 PingComputer: PingBufferSize set as 2048

USERENV(750.280) 22:00:43:203 PingComputer: Adapter speed 100000000 bps

USERENV(750.280) 22:00:43:203 PingComputer: First time: 0

USERENV(750.280) 22:00:43:203 PingComputer: Fast link. Exiting.

 

Next we have to determine where this computer account resides in Active Directory.

USERENV(750.280) 22:00:53:953 ProcessGPOs: User name is: CN=Machine,OU=Workstations,OU=TX,OU=USA,DC=Domain,DC=com, Domain name is: Domain

USERENV(750.280) 22:00:53:953 ProcessGPOs: Domain controller is: \\DC1.DOMAIN.COM Domain DN is DOMAIN.COM

 

Notice that we print out the LDAP path to the computer account. This is done so that we know where to check for policies at the OU levels. It will also report which DC the computer has contacted in order to pull the policies from.

Next the client side extensions are checked, where the GUID between the {} will be different.

USERENV(750.280) 22:00:53:968 ReadExtStatus: Reading Previous Status for extension {25537BA6-77A8-11D2-9B6C-0000F8080861}

Once we have all that, we start checking for policies that might be linked at an OU level, domain level or site level. We first start at the OU the computer is located in or, if the computer lies in a container, the next level up that a policy can be linked at.

 

USERENV(750.280) 22:00:54:000 GetGPOInfo: Server connection established.

USERENV(750.280) 22:00:54:031 GetGPOInfo: Bound successfully.

USERENV(750.280) 22:00:54:046 SearchDSObject: Searching <OU=Workstations,OU=TX,OU=USA,DC=Domain,DC=com >

USERENV(750.280) 22:00:54:046 SearchDSObject: No GPO(s) for this object.

USERENV(750.280) 22:00:54:046 SearchDSObject: Searching <OU=TX,OU=USA,DC=Domain,DC=com >

USERENV(750.280) 22:00:54:046 SearchDSObject: Found GPO(s): <[LDAP://CN={PolicyGUID},CN=Policies,CN=System,DC=Domain,DC=com;0]>

USERENV(750.280) 22:00:54:046 SearchDSObject: Searching <OU=USA,DC=Domain,DC=com >

USERENV(750.280) 22:00:54:046 SearchDSObject: Searching <DC=Domain,DC=com >

USERENV(750.280) 22:00:54:046 SearchDSObject: Searching <CN=MYSite,CN=Sites,CN=Configuration,DC=Domain,DC=com >

 

At any point in this time the log may show something like this:

 

USERENV(750.280) 22:00:54:046 SearchDSObject: Found GPO(s):

 

Then the log shows a list of GPOs that are linked to that particular OU/Domain/Site. Note that you could run across this in the output:

 

USERENV(750.280) 22:00:54:046 SearchDSObject: Found GPO(s): <[LDAP://CN={PolicyGUID},CN=Policies,CN=System,DC=Domain,DC=com;0]>

 

Note the 0 at the end; this is the default setting. A 1 means the policy is set to disabled, which means the policy is linked to that particular OU, domain or site level but is disabled. If the value is set to 2, this means that the policy has been set to “No Override,” also known as “Enforced.” A setting of “No Override” means that if 2 separate GPOs define the same setting but hold different values, the one that is set to No Override wins out on what is actually applied to the client. If a policy is set to “No Override” or “Enforced” at an OU/domain level and an OU below that is set to block inheritance, the policy set to “No Override” will still apply. You cannot block a policy from applying if “No Override” or “Enforce” has been set on it.

 

Once we have gone all the way through, we start actually applying the policies:

 

USERENV(750.280) 22:00:54:093 ProcessGPO: Searching <CN={GPO GUID},CN=Policies,CN=System,DC=Domain,DC=com >

 

The path above is where in AD the particulars of the policy are stored.

 

USERENV(750.280) 22:00:54:093 ProcessGPO: Machine has access to this GPO.

 

We need to check and see if the computer has access to the policy. If it does, the computer can apply the policy; if it does not have access, it cannot apply it.

 

USERENV(750.280) 22:00:54:109 FilterCheck: Found WMI Filter id of: <[DOMAIN.COM;{PolicyGUID};0]>

 

If a policy has a WMI filter applied, we have to check it and see if the policy is going to apply to this computer or not. The WMI filter can be seen if you go to the properties of the policy and then to the WMI tab. If you are using GPMC, this can be found in the right-hand pane in the very bottom box after highlighting the policy.

 

USERENV(750.280) 22:00:54:093 ProcessGPO: GPO passes the filter check.

 

Or

 

USERENV(750.280) 22:00:55:250 ProcessGPO: The GPO does not pass the filter check and so will not be applied.

USERENV(750.280) 22:00:54:093 ProcessGPO: Found functionality version of: 2

 

Functionality version has to be 2 for a Windows 2000 or later OS to apply the policy.

 

USERENV(750.280) 22:00:54:093 ProcessGPO: Found file system path of: \\DOMAIN.com\SysVol\DOMAIN.com\Policies\{GPO GUID}

 

The path above is the path of the policy in the file system on a DC.

 

USERENV(750.280) 22:00:54:109 ProcessGPO: Found common name of: <{GPO GUID}>

USERENV(750.280) 22:00:54:109 ProcessGPO: Found display name of: <MY Domain Policy>

USERENV(750.280) 22:00:54:109 ProcessGPO: Found machine version of: GPC is 77, GPT is 77

 

Here is where we check the GPC (Group Policy Container) and the GPT (Group Policy Template) for the version numbers. We check the version numbers to determine if the policy has changed since the last time it was applied. If the version numbers are different, then we either have an AD replication or a File replication latency problem.

 

USERENV(750.280) 22:00:54:109 ProcessGPO: Found flags of: 0

USERENV(750.280) 22:00:54:109 ProcessGPO: Found extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]

 

The extensions above refer to the CSEs (client-side extensions) and will vary from policy to policy. For a list of the CSEs see:

 

216357 Identifying Group Policy Client-Side Extensions

http://support.microsoft.com/kb/216357

 

943729 Information about new Group Policy preferences in Windows Server 2008

http://support.microsoft.com/kb/943729

 

Moving right along, now we come to the part where we process CSEs for particular settings such as Folder Redirection, Disk Quota, etc. If the particular extension is not being used then you can simply ignore this section.

 

USERENV(750.280) 22:00:56:359 ProcessGPOs: Processing extension Folder Redirection

USERENV(750.280) 22:00:56:359 CompareGPOLists: The lists are the same.

USERENV(750.280) 22:00:56:359 CheckGPOs: No GPO changes but couldn't read extension Folder Redirection's status or policy time.

USERENV(750.280) 22:00:56:359 ProcessGPOs: Extension Folder Redirection skipped with flags 0x7.

 

Now we have pretty much come to the end of the computer processing, which we know by the following:

 

USERENV(750.280) 22:00:56:390 SetFgRefreshInfo: Previous Machine Fg policy Synchronous, Reason: SyncPolicy.

USERENV(750.280) 22:00:56:390 SetFgRefreshInfo: Next Machine Fg policy Synchronous, Reason: SyncPolicy.

USERENV(750.280) 22:00:56:390 ProcessGPOs: No WMI logging done in this policy cycle.

USERENV(750.280) 22:00:56:390 LeaveCriticalPolicySection: Critical section 0x6d0 has been released.

USERENV(750.280) 22:00:56:390 ProcessGPOs: Computer Group Policy has been applied.

USERENV(750.280) 22:00:56:390 ProcessGPOs: Leaving with 1.

USERENV(750.280) 22:00:56:390 ApplyGroupPolicy: Leaving successfully.

USERENV(750.860) 22:00:56:640 GPOThread: Next refresh will happen in 115 minutes

 

This is telling us that we will be refreshing the policy in the foreground, that the next refresh will occur the same way in 115 minutes, and that we are leaving successfully.

 

Now for a note about the next blog on user processing: no one runs a pure Microsoft environment, and almost every Userenv log I have ever seen had something on the order of this showing up:

 

USERENV(6e4.6d4) 22:00:56:890 GetUserNameAndDomain Failed to impersonate user

USERENV(6e4.6d4) 22:00:56:890 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.

 

So what is this? Note that the very first of all the sample lines that I have added so far has started with:

 

USERENV(750.280). The first number, 750, is the process identifier (PID) and the second number is the thread identifier (TID), both written in hexadecimal. You can open Calc and change the View to Scientific. Change the type to Hex, then enter 750 and hit the Decimal radio button. Now you have the number 1872; this is the PID for the process. Open Task Manager, go to View – Select Columns, put a check mark in the box for PID and hit OK. Now in the column next to the Image Name will be the PID. Sort the PIDs and look for the process associated with the number 1872; that is the process that the Userenv logging is referring to. In this case the PID of 1872 was Winlogon.exe. If we do the same for the problem PID (6e4) we get 1764. That PID resolved to a third-party service that was causing problems.
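Pulling these items out of a large Userenv.log by hand gets tedious, so here is an added Python parser (not part of the original article) that applies what the text explains: it converts the hex PID/TID prefix to decimal, decodes the link option digit (0/1/2) that follows each GPO in the Found GPO(s) lines, and flags any GPO whose GPC and GPT version numbers disagree. The sample log is constructed from lines quoted above plus one invented GPO named "Lagging Policy" whose versions differ.

```python
import re

# One record: USERENV(<pid hex>.<tid hex>) HH:MM:SS:mmm Function: message
# The space after ")" is optional because copied logs often lose it.
LINE_RE = re.compile(
    r"^USERENV\(([0-9a-fA-F]+)\.([0-9a-fA-F]+)\)\s*(\d\d:\d\d:\d\d:\d{3})\s+(\w+):?\s*(.*)$"
)
# Each linked GPO in a "Found GPO(s):" line ends with ";<link option>" before "]"
GPO_LINK_RE = re.compile(r"\[(LDAP://[^;\]]+);(\d)\]")
VERSION_RE = re.compile(r"GPC is (\d+), GPT is (\d+)")
LINK_OPTIONS = {0: "enabled", 1: "link disabled", 2: "enforced (No Override)"}

def parse_line(line):
    """Split one log line into its fields; PID and TID are converted from hex."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid_hex, tid_hex, ts, func, msg = m.groups()
    return {"pid": int(pid_hex, 16), "tid": int(tid_hex, 16),
            "time": ts, "function": func, "message": msg}

def summarize(log_text):
    """Collect decimal PIDs, GPO links with link option, and GPC/GPT mismatches."""
    pids, links, mismatches, current_gpo = set(), [], [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pids.add(rec["pid"])
        msg = rec["message"]
        if rec["function"] == "SearchDSObject":
            for dn, opt in GPO_LINK_RE.findall(msg):
                links.append((dn, LINK_OPTIONS.get(int(opt), "unknown")))
        elif rec["function"] == "ProcessGPO":
            if msg.startswith("Found display name of:"):
                current_gpo = msg.split("<", 1)[1].rstrip(">")
            v = VERSION_RE.search(msg)
            if v and v.group(1) != v.group(2):  # replication-latency symptom
                mismatches.append((current_gpo, int(v.group(1)), int(v.group(2))))
    return {"pids": pids, "links": links, "version_mismatches": mismatches}

# Constructed sample: article lines plus an invented GPO with GPC != GPT
SAMPLE_LOG = """\
USERENV(750.280) 22:00:54:046 SearchDSObject: Found GPO(s): <[LDAP://CN={PolicyGUID},CN=Policies,CN=System,DC=Domain,DC=com;0]>
USERENV(750.280) 22:00:54:046 SearchDSObject: Found GPO(s): <[LDAP://CN={OtherGUID},CN=Policies,CN=System,DC=Domain,DC=com;2]>
USERENV(750.280) 22:00:54:109 ProcessGPO: Found machine version of: GPC is 77, GPT is 77
USERENV(750.280) 22:00:55:109 ProcessGPO: Found display name of: <Lagging Policy>
USERENV(750.280) 22:00:55:109 ProcessGPO: Found machine version of: GPC is 78, GPT is 77
USERENV(6e4.6d4) 22:00:56:890 GetUserNameAndDomain Failed to impersonate user
"""
```

Run `summarize(open("Userenv.log").read())` against a real log to get the decimal PIDs to look up in Task Manager and the list of enforced or disabled links in one pass.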

 

I hope this helps in understanding how to read part of the Userenv logging that we can enable to help in determining issues when booting up, applying group policies, etc. I will complete the User processing in Part 2. Also, you can find additional information on this topic at Interpreting Userenv Log Files on TechNet.


Also, there is a good tool to examine the log:

http://www.sysprosoft.com/policyreporter.shtml   


This article is reposted from zhangfang526's 51CTO blog; original link: http://blog.51cto.com/zhangfang526/1713446

