Microsoft KB Archive/232575

= How to trace Winlogon activity in Windows Server 2003, Windows XP, Windows 2000, and Windows NT =

Article ID: 232575

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition




This article was previously published under Q232575



SUMMARY
The checked version of Winlogon.exe, in conjunction with a modification in Win.ini, creates a log file useful in troubleshooting problems related to Winlogon.

For example, you can track all messages exchanged between GINA and Winlogon.



MORE INFORMATION
To enable the log file:

 1. Restart the computer in Safe Mode, and then log on to the computer using an account that has administrative permissions.
 2. Rename the Winlogon.exe file in the %SystemRoot%\System32 folder. For example, you can use Winlogon.old or another unique name of your choice.
 3. Copy the checked version of Winlogon.exe to the %SystemRoot%\System32 folder of the client computer that you want to debug. If you intend to debug a terminal server, this operation must be completed on the server.

    The checked version of the Winlogon.exe file must match the version of the operating system being used, including the service pack. For example, if you have Windows NT 4.0 Service Pack 4 installed on the computer, you need the checked version of Winlogon.exe for Service Pack 4.
 4. Modify Win.ini in the %SystemRoot% folder and add the following section:

     [WinlogonDebug]
     DebugFlags=Error,Warning,Trace,Timeout,Init,Sas,State
     LogFile=c:\temp\winlogon.log

    Replace the log file name accordingly. The following is a list of all possible debug flags:

    Error, Warning, Trace, Init, Timeout, Sas, State, MPR, CoolSwitch, Profile, DebugLsa, DebugSpm, DebugMpr, DebugGo, Migrate, DebugServices, Setup, SC, Notify, and Job.
 5. Restart the computer.

A sample Winlogon log file from WTS, based on the above information, is shown below:

 18:26:56.812: 44.43> Winlogon-Trace: Log file 'c:\temp\winlogon2.log' begins
 18:26:56.859: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 0
 18:26:57.093: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 0
 18:26:57.109: 44.43> Winlogon-Trace: Actually opening user mapping. User is not logged on
 18:26:57.125: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 1
 18:26:57.234: 44.43> Winlogon-Trace: Actually closing user mapping
 18:26:57.250: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 0
 18:26:57.390: 44.43> Winlogon-Trace-Init: Boot Password Check
 18:26:57.406: 44.43> Winlogon-Trace-Init: Execute system processes:
 18:26:58.562: 44.43> Winlogon-Trace-Init: Done with system processes:
 18:27:25.125: 44.43> Winlogon-Trace-State: InitGina: State is 2 NoOne
 18:27:25.140: 44.43> Winlogon-Trace-State: Setting state to NoOne_Display
 18:27:25.156: 44.43> Winlogon-Trace-Timeout: Enabling timeout after 0 seconds
 18:27:26.562: 44.43> Winlogon-Trace: Received SAS from winsrv, code 1 (Ctrl-Alt-Del)
 18:27:26.578: 44.43> Winlogon-Trace: ChangeStateForSAS: Went from 3 (NoOne_Display) to 4 (NoOne_SAS)
 18:27:26.593: 44.43> Winlogon-Trace-State: SASRouter: In state NoOne_SAS
 18:27:26.609: 44.43> Winlogon-Trace: Sending SAS code 1 to window 1002c
 18:27:26.640: 44.43> Winlogon-Trace-Timeout: Disabling timeouts
 18:27:26.859: 44.43> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds

The same output is also displayed in the Kernel Debugger.
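The following Python code is an added example, not part of the original article and not Microsoft code. It parses log lines in the format of the sample above and condenses them into a timeline of SAS and state-change events. The regular expressions and the names `parse` and `timeline` are assumptions inferred from the sample lines only; messages in any other shape are kept as records but produce no event.

```python
import re
from datetime import datetime, timedelta

# From the article's sample log; the last, truncated line is constructed.
SAMPLE = """\
18:27:25.125: 44.43> Winlogon-Trace-State: InitGina: State is 2 NoOne
18:27:25.140: 44.43> Winlogon-Trace-State: Setting state to NoOne_Display
18:27:26.562: 44.43> Winlogon-Trace: Received SAS from winsrv, code 1 (Ctrl-Alt-Del)
18:27:26.578: 44.43> Winlogon-Trace: ChangeStateForSAS: Went from 3 (NoOne_Display) to 4 (NoOne_SAS)
18:27:27.0
"""

# Fields: time of day, an id pair the article does not explain, tag list, message.
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}): (?P<ids>\d+\.\d+)> "
                  r"Winlogon-(?P<tags>[\w-]+): (?P<msg>.*)$")
PATTERNS = [  # (event kind, regex, summary template)
    ("sas", re.compile(r"Received SAS from (\w+), code (\d+) \((.+)\)"), "{2} from {0}"),
    ("state", re.compile(r"Went from \d+ \((\w+)\) to \d+ \((\w+)\)"), "{0} -> {1}"),
    ("state", re.compile(r"Setting state to (\w+)"), "-> {0}"),
]

def parse(text):
    """Split a log into (records, rejected_lines)."""
    records, rejected = [], []
    for raw in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(raw)
        if m:
            records.append(m.groupdict())
        else:
            rejected.append(raw)  # keep malformed lines visible, do not drop them
    return records, rejected

def timeline(records):
    """Return (ms_since_first_record, kind, summary) for SAS and state lines."""
    events, start, prev, days = [], None, None, 0
    for r in records:
        t = datetime.strptime(r["ts"], "%H:%M:%S.%f")
        if prev is not None and t < prev:
            days += 1  # entries carry no date: a backwards jump means midnight passed
        prev, t = t, t + timedelta(days=days)
        start = start or t
        for kind, rx, template in PATTERNS:
            m = rx.search(r["msg"])
            if m:
                ms = (t - start) // timedelta(milliseconds=1)
                events.append((ms, kind, template.format(*m.groups())))
                break
    return events
```

Calling `timeline(parse(SAMPLE)[0])` yields the offset in milliseconds from the first record for each event, which makes gaps between a SAS and the resulting state change easy to spot.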

Additional query words: SC

Keywords: kbinfo KB232575


© Microsoft Corporation. All rights reserved.