How to create an Schannel log to troubleshoot issues (280729)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows NT Workstation 4.0
  • Microsoft Windows NT Server 4.0

This article was previously published under Q280729
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SUMMARY

This article describes how to enable Windows products to log debug information by using the checked version of Schannel.dll.

MORE INFORMATION

After you enable Windows to log debug information by using the checked version of Schannel.dll, Schannel sends diagnostic messages in the debugger output window to log files and to Event Viewer. To enable Schannel debugging, use the following procedure:
  1. Replace Schannel.dll with the checked version.
  2. Set up to three registry values.
  3. Restart the computer.

Replacing Schannel.dll

When you replace Schannel.dll, note that Windows 2000 has Windows File Protection (WFP) which prevents system critical files from being overwritten; Windows 95, Windows 98, Windows Millennium Edition (Me), and Windows NT 4.0 do not have WFP. Therefore, every time the checked .dll files are copied in Windows 95, Windows 98, Windows Me, and Windows NT 4.0, they may be replaced.

To replace Schannel.dll in Windows 95, Windows 98, Windows Me, and Windows NT 4.0, follow these steps:
  1. Go to Windowsfolder\system32.
  2. Rename Schannel.dll to Schannel.fre.
  3. Copy the checked version of Schannel.dll to Windowsfolder\system32.
To replace Schannel.dll in Windows 2000, follow these steps:
  1. Ensure that WFP is not able to replace the checked version of the .dll file by using source files. To do this, confirm that:
    • the Windows 2000 CD-ROM is not in the computer
    • the Windows 2000 source files (in the i386 folder) are not available locally, by mapped drives, or by the current Uniform Naming Convention (UNC) connection.

      Note If a service pack is installed, the service pack Uninstall folder may contain the file.
  2. Click Start, point to Search, click For files and folders, and then type schannel.dll. Normally, these files are located in Windowsfolder\System32 and Windowsfolder\System32\Dllcache.
  3. Rename the files in Windowsfolder\System32\Dllcache and Windowsfolder\System32 (and in other applicable locations).

    Note Rename the files in Windowsfolder\system32\dllcache first, and then rename the files in Windowsfolder\system32 last.
  4. Copy the checked versions to Windowsfolder\System32\Dllcache and Windowsfolder\System32 only.
  5. Confirm that the checked versions are not being overwritten by the originals.

Setting registry values

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Configure the following three registry values to modify the output to the debugger log files and Event Viewer:
  • LogLevel: For debug logging level flags.
  • LogFile: For debugger log file names.
  • EventLogging: A flag that specifies the event logging level.
To add these registry settings to Windows 95, Windows 98, Windows Me, Windows NT 4.0, and Windows 2000, follow these steps:
  1. Click Start, click Run, and then type Regedit.
  2. Locate and click the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel

  3. Edit the following values:

    Note If the value is not present, click Add Value on the Edit menu, and enter the appropriate information.
    • Value name: LogLevel
      Data type: REG_DWORD
      Value: Appropriate flags
    • Value name: LogFile
      Data type: REG_SZ
      Value: Appropriate path
    • For Windows 2000:

      Value name: EventLogging
      Data type: REG_DWORD
      Value: Desired logging level

      Note The checked version of Schannel.dll is not needed for this one feature.
The following list includes a description of the valid flags, log levels, and paths for the preceding registry changes:

LogLevel

When you are debugging, begin with a value of 0xffff. Use a value of 0x4000ffff when it is appropriate, but note that this value is too verbose to use all the time.
  • Value: 0x00000001
    Description: SP_LOG_ERROR. This value is for error messages, and is typically fatal.
  • Value: 0x00000002
    Description: SP_LOG_WARNING. This value is for warning messages which are sometimes fatal and sometimes not fatal; there is an element of randomness to this value.
  • Value: 0x00000004
    Description: SP_LOG_TRACE. This value is for verbose logging.
  • Value: 0x00000010
    Description: SP_LOG_RES. This value displays function results. It generally only displays errors and warnings, so it is useful to have it enabled.
  • Value: 0x00000040
    Description: DEB_TRACE_MAPPER. This value displays verbose logging that is relevant to certificate mapping.
  • Value: 0x20000000
    Description: SP_LOG_TIMESTAMP. This value places a timestamp in front of each line of the logging output.
  • Value: 0x40000000
    Description: SP_LOG_BUFFER. This value displays a hex dump of all data and token buffers.

LogFile

In Windows 2000, you must enter the LogFile entry as a path, and not an actual file name because Schannel creates a separate log file for each process that uses Schannel.
  • For Windows 95, Windows 98, Windows Me, and Windows NT 4.0, enter the full path and file name, for example, "C:\Schannel.log".
  • For Windows 2000, enter the path, not the file name, for example, "C:\".

EventLogging

This entry is included only in Windows 2000, and does not require the checked version of Schannel to work. This entry is set to 0x1 by default. This setting indicates that Schannel events are not logged. To enable Schannel event logging, set the entry to one of the following values and restart the computer. Note that you can require that all the criteria be met (by using AND), or that just one of the criteria be met (by using OR).
  • Value: 0x0001
    Description: Log errors
  • Value: 0x0002
    Description: Log warnings
  • Value: 0x0004
    Description: Log informational and success events
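
The LogLevel flag list and the registry procedure above, worked through as an added example (not part of the original article): it decodes a LogLevel DWORD into the flag names listed here, reports bits this article does not document, and renders the three values as a REGEDIT4 import file. The function names, the REGEDIT4 output format and the sample values in the demo are assumptions made for illustration.

```python
# Added example; flag values and the registry key are the ones listed in this article.
LOGLEVEL_FLAGS = {
    0x00000001: "SP_LOG_ERROR",
    0x00000002: "SP_LOG_WARNING",
    0x00000004: "SP_LOG_TRACE",
    0x00000010: "SP_LOG_RES",
    0x00000040: "DEB_TRACE_MAPPER",
    0x20000000: "SP_LOG_TIMESTAMP",
    0x40000000: "SP_LOG_BUFFER",  # hex dump of all data and token buffers
}
SCHANNEL_KEY = (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet"
                r"\Control\SecurityProviders\Schannel")


def decode_loglevel(value):
    """Return (documented flag names that are set, bits set but not documented here)."""
    names = [name for bit, name in sorted(LOGLEVEL_FLAGS.items()) if value & bit]
    documented = sum(LOGLEVEL_FLAGS)  # bits are distinct, so sum equals OR
    return names, value & ~documented & 0xFFFFFFFF


def reg_file(log_level, log_file, event_logging=None):
    """Render the Schannel values as REGEDIT4 text (hypothetical helper).

    log_file is a full file name on Windows 95/98/Me/NT 4.0 and a path
    such as "C:\\" on Windows 2000; event_logging applies to Windows 2000 only.
    """
    for dword in (log_level, event_logging or 0):
        if not 0 <= dword <= 0xFFFFFFFF:
            raise ValueError("REG_DWORD out of range")
    lines = [
        "REGEDIT4", "", "[" + SCHANNEL_KEY + "]",
        '"LogLevel"=dword:{:08x}'.format(log_level),
        # .reg string values need each backslash doubled
        '"LogFile"="{}"'.format(log_file.replace("\\", "\\\\")),
    ]
    if event_logging is not None:
        lines.append('"EventLogging"=dword:{:08x}'.format(event_logging))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for level in (0xFFFF, 0x4000FFFF):  # the two values suggested under LogLevel
        names, extra = decode_loglevel(level)
        print("0x{:08x}: {} (undocumented bits 0x{:x})".format(level, ", ".join(names), extra))
    # Constructed sample: 0xffff plus SP_LOG_TIMESTAMP, Windows 2000 style path
    print(reg_file(0x2000FFFF, "C:\\", event_logging=0x7))
```

Decoding shows that 0xffff does not include SP_LOG_TIMESTAMP, and that 0x4000ffff differs from it only by SP_LOG_BUFFER, the flag that writes buffer contents to the log.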

Modification Type: Minor
Last Reviewed: 12/19/2005
Keywords: kbenv kbhowto KB280729