Using XPERF to capture ETL traces for Slow Logons

Applies to:

Windows Server 2016 (also applies to Remote Desktop Servers (RDS))

Windows 10

Windows Server 2012 R2 (also applies to Remote Desktop Servers (RDS))

Windows 8.1

Windows Server 2012 (also applies to Remote Desktop Servers (RDS))

Windows 8.0

A common question that I get is:

How do you take a slow boot and slow logon ETL trace on a non-persistent VDI?

The answer is that you can't. A boot trace is configured in the registry before the reboot and written to disk during it, and a non-persistent VDI image discards both the registry changes and the files at reboot. You need to make the machine persistent for the duration of the capture.

OK, how about if you just want a slow logon ETL trace?

The answer gets better: you can. The catch is that WPRUI and WPR ship no pre-defined "Resource Analysis" or "Scenario Analysis" profile that enables the providers involved in the logon process (Winlogon, User Profiles, Group Policy, Folder Redirection, Kerberos, Netlogon and so on).

One work-around is to create a custom WPR profile (.wprp) file that lists those providers.

In this scenario we will use Xperf.exe instead, because it can record in circular (first-in, first-out) mode until we stop it, so the trace files stay within a fixed size limit however long it takes for the slow logon to reproduce.

1. Log on as an administrator of the computer you want to trace (either a local admin or a domain account that is a member of the local Administrators group will work).

2. Open an elevated command prompt, change to the WPT install directory (default: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit), make sure the output directory C:\temp exists (xperf will not create it), and run this command:

xperf -on base+latency+dispatcher+NetworkTrace+Registry+FileIO -stackWalk CSwitch+ReadyThread+ThreadCreate+Profile+ProcessCreate -f C:\temp\kernel.etl -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 4096 -FileMode Circular -start UserTrace -on "Microsoft-Windows-Shell-Core+Microsoft-Windows-Wininit+Microsoft-Windows-Folder Redirection+Microsoft-Windows-User Profiles Service+Microsoft-Windows-GroupPolicy+Microsoft-Windows-Winlogon+Microsoft-Windows-Security-Kerberos+Microsoft-Windows-User Profiles General+e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc+63b530f8-29c9-4880-a5b4-b8179096e7b8+2f07e2ee-15db-40f1-90ef-9d7ba282188a" -f C:\temp\user.etl -BufferSize 1024 -MinBuffers 128 -MaxBuffers 128 -MaxFile 1024 -FileMode Circular

Note: the last three providers in the command are specified by GUID. Their symbolic names are:

Microsoft-Windows-Security-Netlogon (e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc)

Microsoft-Windows-NlaSvc (63b530f8-29c9-4880-a5b4-b8179096e7b8)

Microsoft-Windows-TCPIP (2f07e2ee-15db-40f1-90ef-9d7ba282188a)

3. Press CTRL+ALT+DEL followed by "Switch User"

4. Log on with the user account experiencing the slow logon (or slow logoff) to reproduce the issue.

5. Stop the trace.

TIP: Stop the trace shortly after the slow logon of interest has completed. Both sessions are circular, so once the file limits are reached (4 GB for the kernel trace, 1 GB for the user trace) the oldest events are overwritten, and waiting too long can lose the very logon you wanted.

While logged on with the slow user account, open an elevated CMD prompt (if that user is not an administrator, enter the admin credentials from step 1 at the UAC prompt, or switch back to the admin session; ETW sessions are system-wide and can be stopped from any elevated prompt) and type:

xperf -stop UserTrace -d c:\temp\merged.etl

This stops the UserTrace session and the NT Kernel Logger and merges both into C:\temp\merged.etl, which you can then open in Windows Performance Analyzer (WPA).

Close the slow logon user session and the admin logon session opened in step 1 as required.
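The same capture as a PowerShell script, as an added example that is not part of the original post. It wraps steps 2 and 5 so the trace is always started with the same flags and buffer sizes: it locates xperf.exe, creates the output directory, starts the two circular sessions, checks with xperf -loggers that both sessions are actually running before you go and reproduce the problem, and on -Action Stop stops and merges the trace and reports the merged file size. The WPT path, the C:\temp output directory and the UserTrace session name are taken from the post's defaults; the script parameters and function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): start or stop the slow-logon xperf capture.
# Assumptions: WPT in its default install directory, C:\temp as the trace directory
# (created if missing) and the user session name "UserTrace" used in the post.
param(
    [string]$WptDir   = "C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit",
    [string]$TraceDir = "C:\temp",
    [ValidateSet("Start", "Stop")] [string]$Action = "Start"
)

$xperf = Join-Path $WptDir "xperf.exe"
if (-not (Test-Path $xperf)) {
    throw "xperf.exe not found at $xperf; install the Windows Performance Toolkit or pass -WptDir."
}
New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

# Kernel flags, stack walks and user-mode providers exactly as in the post's command line.
$kernelFlags = "base+latency+dispatcher+NetworkTrace+Registry+FileIO"
$stackWalk   = "CSwitch+ReadyThread+ThreadCreate+Profile+ProcessCreate"
$userProviders = @(
    "Microsoft-Windows-Shell-Core",
    "Microsoft-Windows-Wininit",
    "Microsoft-Windows-Folder Redirection",
    "Microsoft-Windows-User Profiles Service",
    "Microsoft-Windows-GroupPolicy",
    "Microsoft-Windows-Winlogon",
    "Microsoft-Windows-Security-Kerberos",
    "Microsoft-Windows-User Profiles General",
    "e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc",   # Microsoft-Windows-Security-Netlogon
    "63b530f8-29c9-4880-a5b4-b8179096e7b8",   # Microsoft-Windows-NlaSvc
    "2f07e2ee-15db-40f1-90ef-9d7ba282188a"    # Microsoft-Windows-TCPIP
) -join "+"

function Start-LogonTrace {
    # Kernel session (circular, 4 GB cap) plus user session (circular, 1 GB cap).
    & $xperf -on $kernelFlags -stackWalk $stackWalk `
        -f (Join-Path $TraceDir "kernel.etl") -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 4096 -FileMode Circular `
        -start UserTrace -on $userProviders `
        -f (Join-Path $TraceDir "user.etl") -BufferSize 1024 -MinBuffers 128 -MaxBuffers 128 -MaxFile 1024 -FileMode Circular
    if ($LASTEXITCODE -ne 0) { throw "xperf failed to start the trace (exit code $LASTEXITCODE)." }

    # xperf -loggers lists the active ETW sessions; make sure both of ours are there
    # before asking anyone to reproduce the slow logon.
    $loggers = (& $xperf -loggers) | Out-String
    foreach ($name in @("NT Kernel Logger", "UserTrace")) {
        if ($loggers -notmatch [regex]::Escape($name)) { throw "Session '$name' is not running." }
    }
    Write-Host "Tracing. Press CTRL+ALT+DEL, Switch User, log on with the slow account,"
    Write-Host "then run this script again with -Action Stop from an elevated prompt."
}

function Stop-LogonTrace {
    $merged = Join-Path $TraceDir "merged.etl"
    # -stop UserTrace stops the user session; -d stops the kernel logger and merges both.
    & $xperf -stop UserTrace -d $merged
    if ($LASTEXITCODE -ne 0) { throw "xperf failed to stop/merge the trace (exit code $LASTEXITCODE)." }
    $sizeMb = (Get-Item $merged).Length / 1MB
    Write-Host ("Merged trace written to {0} ({1:N0} MB). Open it in WPA." -f $merged, $sizeMb)
}

if ($Action -eq "Start") { Start-LogonTrace } else { Stop-LogonTrace }
```

Run it once from the admin session to start tracing, reproduce the slow logon, then run it with -Action Stop from any elevated prompt; because the sessions are circular, the stop should follow the slow logon promptly, just as in step 5.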

Thanks,

Yong