Logon Delays… The PFE team explains it all!


Great article from Microsoft's PFE team on the forensics of a logon that takes too long… Xperf on the attack, pure joy… It is in English, but it is worth reading to the end and following the series of articles mentioned in the post, because you will learn to diagnose most performance problems with this toolkit for Windows.

Hi everyone, Randolph Reyes (Randy) here with another blog contribution. In this particular engagement, I was working on an Active Directory Offline Security Assessment (awesome delivery), and one employee with knowledge of using Windows Performance Toolkit stopped me on my way to lunch.

Customer: Can we see how long it takes an employee to type their user name and password?

Randy: Thanks to WPT, the answer is yes.

The customer provided me with the trace from the last known time the user logged on to review…

So let’s get to it.

The Before

| PreSMSS | SMSSInit | WinlogonInit | ExplorerInit | Post Boot |
|---------|----------|--------------|--------------|-----------|
| 3.973   | 7.433    | 45.502       | 0.998        | 18.800    |

Boot to Post Boot Activity ended: 72.734 Seconds and 734 Milliseconds = 1 Minute and 12 Seconds

Now you might be saying to yourself, 1 min and 12 seconds is not too bad. What if I told you it was an SSD (solid state drive)? Would you consider this to be an optimal value? I’ve discussed optimal times in a previous post, “Becoming an Xperf Xpert Part 7: Slow Profile Load and Our Very First Stack Walk”.

Since I had no idea how much memory, CPU or disk speed this particular host had, I decided to check the specs.

To confirm that we are using an SSD (solid state drive) or similar, plus other specs expected to give a faster boot, we go to the Trace tab, then System, and then General.

Next, Storage

After doing some research on the hardware specs, it looks like this machine should be booting faster.

The major delay in the boot trace can be identified in the Winlogon phase. Many operations occur in parallel during WinLogonInit; on many systems, this subphase is CPU bound and has large I/O demands. It covers services like PnP and Power, the network subsystem, Computer and User Group Policy processing, the CAD (CTRL+ALT+DEL) screen and the credentials delay. Good citizenship from the services that start in this phase is critical for optimized boot times.

To start, we are going to expand the System Activity graph group and add the Generic Events graph using the table only.

After arranging the tables and the golden bar, the first issue detected was under the Microsoft-Windows-Winlogon provider. The Task Name Display Welcome Screen, aka CTRL+ALT+DEL, was available to the user at 8.764 seconds of the trace, but he entered the combination on the keyboard at 18.055 of the trace.

Subtracting these times, we get 9.295 seconds spent just waiting for the user to press CTRL+ALT+DEL.

The next issue detected in this particular trace is located under the Task Name Request Credential. It looks like the user entered the user name and password 3 different times. The first try was from 18.692 seconds of the trace to 39.59, again from 40.951 to 48.160, and finally from 48.958 to 51.012.

It looks like either the username or the password was typed incorrectly and access was denied.

At this point I explained to the customer that, between the 9.295 seconds waiting to press CTRL+ALT+DEL and the 32.392 seconds of possibly mistyped credentials, this was probably the reason for the long delay for the user.
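The interval arithmetic from the walkthrough above, as an added example that is not part of the original article: it pairs Start and Stop events per Winlogon task and reports the CTRL+ALT+DEL wait and each credential prompt. The CSV column names, the win:Start / win:Stop opcode labels and the function names are assumptions; the sample rows are constructed from the timestamps quoted in the text, so the results are the differences of those timestamps as written.

```python
import csv
import io

# Constructed sample: Generic Events rows for the Microsoft-Windows-Winlogon
# provider, using the timestamps quoted in the walkthrough. The column names
# and the win:Start / win:Stop opcode labels are an assumed export layout.
SAMPLE_CSV = """Task Name,Opcode Name,Time (s)
Display Welcome Screen,win:Start,8.764
Display Welcome Screen,win:Stop,18.055
Request Credential,win:Start,18.692
Request Credential,win:Stop,39.59
Request Credential,win:Start,40.951
Request Credential,win:Stop,48.160
Request Credential,win:Start,48.958
Request Credential,win:Stop,51.012
"""

def task_intervals(csv_text):
    """Pair each Start with the next Stop of the same task: {task: [(start, stop), ...]}."""
    open_starts, intervals = {}, {}
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: float(r["Time (s)"]))
    for row in rows:
        task, opcode = row["Task Name"], row["Opcode Name"].lower()
        t = float(row["Time (s)"])
        if opcode.endswith("start"):
            open_starts[task] = t
        elif opcode.endswith("stop") and task in open_starts:
            intervals.setdefault(task, []).append((open_starts.pop(task), t))
        # A Stop with no matching Start (trace began mid-task) is ignored.
    return intervals

def logon_summary(csv_text):
    """Summarise the user-driven time inside WinlogonInit."""
    iv = task_intervals(csv_text)
    welcome = iv.get("Display Welcome Screen", [])
    creds = iv.get("Request Credential", [])
    return {
        "cad_wait_s": round(sum(stop - start for start, stop in welcome), 3),
        "credential_prompts": len(creds),  # more than one suggests a retry
        "credential_window_s": round(creds[-1][1] - creds[0][0], 3) if creds else 0.0,
        "prompt_durations_s": [round(stop - start, 3) for start, stop in creds],
    }

if __name__ == "__main__":
    for key, value in logon_summary(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

More than one Request Credential interval before the logon completes is the signal for a retried prompt, which is the pattern the trace above shows.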

We requested the user to log in again and the results are in the picture below…

The After

Boot to Post Boot Activity end: 39 Seconds and 373 Milliseconds

At the end of this engagement the customer was satisfied, not only because we helped them with security implementations for Active Directory, but also because we answered an important question for them… how to use the Windows Performance Toolkit to detect login issues caused by the user.

Recommended Articles

Here are some other blogs for related topics by my good friend Yong Rhee and me.

Becoming an Xperf Xpert Part 8: Long Service Load, Never Jump to Conclusions

http://blogs.technet.com/b/askpfeplat/archive/2014/02/24/becoming-an-xperf-xpert-part-8-long-service-load-never-jump-to-conclusions.aspx

WPT: Updated version of “Windows Performance Toolkit” from Windows 10 Technical Preview ADK or SDK

http://blogs.technet.com/b/yongrhee/archive/2015/03/21/wpt-updated-version-of-windows-performance-toolkit-10-technical-preview-from-the-adk.aspx

List of Task Scheduler related hotfixes post SP1 for Windows 7 SP1 and Windows Server 2008 R2 SP1

http://blogs.technet.com/b/yongrhee/archive/2015/01/20/list-of-task-scheduler-related-hotfixes-post-sp1-for-windows-7-sp1-and-windows-server-2008-r2-sp1.aspx

Randy “Why, this keep happening to me” Reyes


Go on, happy diagnosing…

PierrE.

About Red Kaffe

IT Trainer and Consultant on Microsoft Technologies. Windows Server and Client, Service Center 2012, WSUS/MDT/ADK/WAIK, SBS 2008/2011, Office 365, etc. Fully dedicated to support and train my customers...