How to trace Winlogon activity in Windows Server 2003, Windows XP, Windows 2000, and Windows NT (232575)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server 4.0 Terminal Server Edition

This article was previously published under Q232575

SUMMARY

The checked version of Winlogon.exe, in conjunction with a modification in Win.ini, creates a log file useful in troubleshooting problems related to Winlogon.

For example, you can track all messages exchanged between GINA and Winlogon.

MORE INFORMATION

To enable the log file:
  1. Restart the computer in Safe Mode, and then log on to the computer using an account that has administrative permissions.
  2. Rename the Winlogon.exe file in the %SystemRoot%\System32 folder. For example, you can use Winlogon.old or another unique name of your choice.
  3. Copy the checked version of Winlogon.exe to the %SystemRoot%\System32 folder of the client computer that you want to debug. If you intend to debug a terminal server, then this operation must be completed on the server.

    The checked version of the Winlogon.exe file must match the version of the operating system being used, including the service pack. For example, if you have Windows NT 4.0 Service Pack 4 installed on the computer, then you need the checked version of Winlogon.exe for Service Pack 4.
  4. Modify Win.ini in the %SystemRoot% folder and add the following section:

    [WinlogonDebug]
    DebugFlags=Error,Warning,Trace,Timeout,Init,Sas,State
    LogFile=c:\temp\winlogon.log

    Replace the log file name with the path that you want to use. The following is a list of all possible debug flags:

    Error, Warning, Trace, Init, Timeout, Sas, State, MPR, CoolSwitch, Profile, DebugLsa, DebugSpm, DebugMpr, DebugGo, Migrate, DebugServices, Setup, SC, Notify, and Job.
  5. Restart the computer.
A sample Winlogon log file from WTS, based on the above information, is shown below:
18:26:56.812: 44.43> Winlogon-Trace: Log file 'c:\temp\winlogon2.log' begins
18:26:56.859: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 0
18:26:57.093: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 0
18:26:57.109: 44.43> Winlogon-Trace: Actually opening user mapping.  User is not logged on
18:26:57.125: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 1
18:26:57.234: 44.43> Winlogon-Trace: Actually closing user mapping
18:26:57.250: 44.43> Winlogon-Trace: ProfileUserMapping Refs = 0
18:26:57.390: 44.43> Winlogon-Trace-Init: Boot Password Check
18:26:57.406: 44.43> Winlogon-Trace-Init: Execute system processes:
18:26:58.562: 44.43> Winlogon-Trace-Init: Done with system processes:
18:27:25.125: 44.43> Winlogon-Trace-State: InitGina:  State is 2 NoOne
18:27:25.140: 44.43> Winlogon-Trace-State: Setting state to NoOne_Display
18:27:25.156: 44.43> Winlogon-Trace-Timeout: Enabling timeout after 0 seconds
18:27:26.562: 44.43> Winlogon-Trace: Received SAS from winsrv, code 1 (Ctrl-Alt-Del)
18:27:26.578: 44.43> Winlogon-Trace: ChangeStateForSAS: Went from 3 (NoOne_Display) to 4 (NoOne_SAS)
18:27:26.593: 44.43> Winlogon-Trace-State: SASRouter:  In state NoOne_SAS
18:27:26.609: 44.43> Winlogon-Trace: Sending SAS code 1 to window 1002c ()
18:27:26.640: 44.43> Winlogon-Trace-Timeout: Disabling timeouts
18:27:26.859: 44.43> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
The same output is also displayed in the Kernel Debugger.
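
As an added example (not part of the original article and not Microsoft code), the following Python parser reads lines in the format of the sample log above, extracts SAS events and state transitions, and reports the longest pause between consecutive entries, which is often the first thing to look for when troubleshooting a slow logon. The field labels `ids`, `level` and `flag` are names chosen here, because the article does not name the fields.

```python
import re
from datetime import datetime

# Lines taken from the article's sample log; one keeps stray <BR/> markup on purpose.
SAMPLE = r"""
18:26:57.406: 44.43> Winlogon-Trace-Init: Execute system processes:
18:26:58.562: 44.43> Winlogon-Trace-Init: Done with system processes:
18:27:25.125: 44.43> Winlogon-Trace-State: InitGina:  State is 2 NoOne
18:27:25.140: 44.43> Winlogon-Trace-State: Setting state to NoOne_Display
18:27:26.562: 44.43> Winlogon-Trace: Received SAS from winsrv, code 1 (Ctrl-Alt-Del)<BR/>
18:27:26.578: 44.43> Winlogon-Trace: ChangeStateForSAS: Went from 3 (NoOne_Display) to 4 (NoOne_SAS)
18:27:26.859: 44.43> Winlogon-Trace-Timeout: Enabling timeout after 120 seconds
"""

# "ids", "level" and "flag" are labels chosen for this example (assumption).
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3}): (?P<ids>\S+)> "
                  r"Winlogon-(?P<level>\w+)(?:-(?P<flag>\w+))?: (?P<msg>.*)$")
SAS = re.compile(r"Received SAS from (\S+), code (\d+) \((.+)\)")
MOVE = re.compile(r"Went from \d+ \((\w+)\) to \d+ \((\w+)\)")

def parse(text):
    """Return one dict per well-formed log line; anything else is skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.replace("<BR/>", "").strip())
        if m:
            entry = m.groupdict()
            entry["time"] = datetime.strptime(entry["ts"], "%H:%M:%S.%f")
            entries.append(entry)
    return entries

def sas_events(entries):
    """(timestamp, source, code, name) for every secure attention sequence."""
    hits = ((e["ts"], SAS.search(e["msg"])) for e in entries)
    return [(ts, m.group(1), int(m.group(2)), m.group(3)) for ts, m in hits if m]

def transitions(entries):
    """(old_state, new_state) for every 'Went from X to Y' trace line."""
    return [m.groups() for m in (MOVE.search(e["msg"]) for e in entries) if m]

def longest_gap(entries):
    """(seconds, message_before, message_after) for the largest pause, or None.
    Timestamps carry no date, so a wrap past midnight is folded with % 86400."""
    return max(((round((b["time"] - a["time"]).total_seconds() % 86400, 3),
                 a["msg"], b["msg"]) for a, b in zip(entries, entries[1:])),
               default=None)

if __name__ == "__main__":
    log = parse(SAMPLE)
    print(sas_events(log), transitions(log), longest_gap(log), sep="\n")
```

On the sample lines, the longest pause falls between "Done with system processes:" and the InitGina state message.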

Modification Type: Major
Last Reviewed: 10/26/2005
Keywords: kbinfo KB232575