What are Slow Logons and Where Do They Come From?
Considering the importance of fast logons for a good user experience, there is surprisingly little information on the subject. Windows does not even record the total logon time, let alone where it is spent. Administrators wishing to analyze their users’ logons are left in the dark. But that can be changed.
What is in a Logon?
A logon is the act of preparing a session for a user. It consists of several phases, each of which can take between mere milliseconds and several minutes:
- User profile loading
- Group policy processing
- Logon script processing
- Shell startup
A session can only be initiated after the user’s credentials have been verified. This typically happens by talking to an Active Directory domain controller over the network. Delays during this phase can typically be traced back to DNS issues, as can most AD problems.
User Profile Loading
Once users are authenticated, the operating system can start to create their sessions. First, a user profile is needed. All of the following phases require the user profile to be set up and the user’s registry hive to be loaded.
If the user does not already have a profile, a new one is created. This slows down the initial logon quite a bit compared to subsequent logons. The main reason is that Active Setup runs the IE/Mail/Theme initialization routines.
Problems with loading user profiles are legendary. If this phase takes very long, however, the probable cause is a huge roaming profile that needs to be copied over the network.
Group Policy Processing
Many corporations use Group Policy to manage their Windows PCs. Built on top of Active Directory, policies rely on the directory service’s infrastructure for their operation. As a consequence, DNS and AD issues may affect Group Policies severely. One could say that if an AD issue does not interfere with authentication, it will at the very least hamper group policy processing.
Logon Script Processing
Although considered a legacy technology by some, logon scripts are still used extensively to set up the user environment. Many logon scripts are ancient, dating back to the days of NT4. Administrators are often reluctant to change anything for fear of breaking the age-old construct, so they just add something new to the end. Always adding, never deleting – that cannot be good for performance, and consequently bloated logon scripts are a common cause of slow logons.
Shell Startup
During the last logon phase the user shell, typically Explorer.exe, is initialized. Loading Explorer itself is typically fast, but a large number of autoruns can make this phase seem to stretch forever.
Measuring Logon Performance
As mentioned earlier, Windows does not have any counters for measuring logon performance. Administrators wishing to analyze slow logons need to bring in additional tools. Among the most helpful for troubleshooting individual logons are Sysinternals Process Monitor and the Windows Performance Toolkit (WPT, containing the xperf tools). Both work in a similar way: the administrator starts a tracing session, tries to reproduce the problem by logging on, stops the trace, and then goes to work sifting through the trace looking for cues – a very time-consuming process that requires skilled personnel and is only performed when the pressure is already high.
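Windows keeps no logon-duration counter, but two of the phases above write start and end events to operational event logs, which is enough for a rough per-logon breakdown without a trace. The PowerShell below is an added example, not code from the original article or from uberAgent; the `$Days` parameter and the output columns are choices made for the example, and the sequential pairing of profile events assumes logons on the machine do not overlap.

```powershell
# Added example: derive per-logon phase durations from start/end event pairs.
# $Days and the output shape are choices made for this example.
param([int]$Days = 7)

$phases = @(
    @{ Name  = 'User profile loading'
       Log   = 'Microsoft-Windows-User Profile Service/Operational'
       Start = 1      # received user logon notification
       End   = 2      # finished processing user logon notification
       ById  = $false }
    @{ Name  = 'Group Policy (user logon)'
       Log   = 'Microsoft-Windows-GroupPolicy/Operational'
       Start = 4001   # starting user logon policy processing
       End   = 8001   # completed user logon policy processing
       ById  = $true }  # both events carry the same ActivityId
)

$since = (Get-Date).AddDays(-$Days)
$rows = foreach ($p in $phases) {
    $filter = @{ LogName = $p.Log; Id = $p.Start, $p.End; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated
    $open = @{}   # start events still waiting for their end event
    foreach ($e in $events) {
        # Sequential pairing can mispair on multi-session hosts with overlapping logons.
        $key = if ($p.ById) { [string]$e.ActivityId } else { 'sequential' }
        if ($e.Id -eq $p.Start) {
            $open[$key] = $e
        } elseif ($open.ContainsKey($key)) {
            $start = $open[$key]
            $open.Remove($key)
            [pscustomobject]@{
                Phase   = $p.Name
                Started = $start.TimeCreated
                Seconds = [math]::Round(($e.TimeCreated - $start.TimeCreated).TotalSeconds, 2)
            }
        }
    }
    # A start without an end: the phase did not complete, or the log rolled over.
    foreach ($s in $open.Values) {
        [pscustomobject]@{ Phase = $p.Name; Started = $s.TimeCreated; Seconds = $null }
    }
}
$rows | Sort-Object Started | Format-Table -AutoSize
```

Rows with an empty `Seconds` column are worth a second look, since they mark a phase that started but never logged its completion event.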
Would it not be great to have the total duration of every single logon, optionally broken down into phases? That way it would be a snap to spot trends and see the effects of GPO changes. Today’s slow logons could be traced to yesterday’s failed domain controller or last week’s logon script change.
uberAgent gives you all that. It has averages and shows trends, giving you the big picture, and it displays as much detail as you could possibly want.
uberAgent is an innovative Windows and macOS user experience monitoring (UXM) and endpoint security analytics (ESA) product.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated activity monitoring engine, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
Does uberAgent support App-V platforms?
Absolutely, uberAgent supports both App-V 4.x and 5.x.
Is it possible to analyze application or connection errors in greater detail, e.g. HTTP response status codes?
HTTP status codes are tracked by uberAgent as part of the web app metrics. The resulting data can be viewed in the Browser Web App Performance dashboard. Please find the related documentation here: https://uberagent.com/docs/uberagent/latest/metrics/browsers/browsers-web-app-metrics/
This is what I got for my clients (one sample):
USER HOST Logon Time Total Duration User Profile Group Policy AD logon script GP logon script Shell start
[dummyUser] [dummyHost] 2020-03-13 08:20:59 8.07 0.14 0.00 45.22 5.76
How can it be possible that Total Duration is less than GP logon scripts?
Most likely your group policy logon scripts are not configured to run synchronously. Please take a look at the following post: https://uberagent.com/docs/uberagent/latest/kb/logon/gp-logon-script-is-longer-than-total-duration/
Default install of uberAgent doesn't log logon metrics. Do I need to enable it?
The collection of logon metrics is enabled by default. Please check dashboard Sessions => User Logon Duration. If not, please feel free to open a support case by sending an email to [email protected].
I rebooted my PC 3 times. In 2 out of 3, the GPO time is less than 10 seconds. In 1 it is more than 60 seconds.
In the details it seems that some GPOs are not applied (the CSE "registry" group is missing). Is that possible?
May I ask you to open a support case by sending an email to [email protected] as we need to look into the log file which contains sensitive information?