Logging Windows Boot & Startup Activity

Thread starter: JuliusPIV

JuliusPIV

Hi All,
Thanks for taking a moment to read this. Before I dive into my question, a
little environment information: We're a Windows XP Pro environment (with a
few Win 7 clients) naturally running AD authenticating to Win 2003 DCs.

I'm looking for some way of logging exactly what the system is doing from
the time Windows starts to load all, to the time a user reaches their
desktop. This includes booting up until the GUI starts the load or is
loaded, the login screen & would continue until the desktop is fully loaded &
has processed Startup Programs, Run/RunOnce registry entries etc. I'm looking
for an in depth, detailed tool, something along the lines of BootLog XP,
which lists the drivers, EXEs & associated DLLs, complete with time stamps
and timing information. (Standard Windows Boot logging wasn't enough.)

Unfortunately, what BootLogXP doesn't capture is what the machine is doing
right as the GUI loads, (the moment you see the background/wallpaper), what
it's doing until the login screen appears (applying computer settings,
preparing network connections etc), and what it processes during and after a
user logs on.

I've enabled verbose status messages, which work fine, but I need to be able
to log those messages to a file and capture things like:
What GPO policies is it checking & where it's pulling this information from.
Which GPO policies is it applying and how long it takes for it to process
the policies.
Which DCs is it attempting to communicate with and timing communication
between the machine & said DC.

Is this possible?

If you're asking yourself 'what problem is he trying to solve?' it's hard to
say because this isn't necessarily in response to a specific problem. I
suspect there are DC or DNS issues because of some information found in logs
and the way machines behave from time to time. (e.g.: a machine in
Washington D.C. used a DC in Silicon Valley; a London DC might get updated
with DNS info for a machine in Denver before the local DC.)

Also, for my own sanity, I'm looking to track what processes start & stop,
how long the machine stalls before moving onto the next directive etc. If I
can log registry queries as well, that would be great. (sounds like a job
for procmon, but how can I ensure it's the first possible exe to run?)

If you've read this far, thank you kindly for taking a moment to read.
 
JuliusPIV said:
Hi All,
Thanks for taking a moment to read this. Before I dive into my question, a
little environment information: We're a Windows XP Pro environment (with a
few Win 7 clients) naturally running AD authenticating to Win 2003 DCs.

I'm looking for some way of logging exactly what the system is doing from
the time Windows starts to load all, to the time a user reaches their
desktop. This includes booting up until the GUI starts the load or is
loaded, the login screen & would continue until the desktop is fully loaded &
has processed Startup Programs, Run/RunOnce registry entries etc. I'm looking
for an in depth, detailed tool, something along the lines of BootLog XP,
which lists the drivers, EXEs & associated DLLs, complete with time stamps
and timing information. (Standard Windows Boot logging wasn't enough.)

Unfortunately, what BootLogXP doesn't capture is what the machine is doing
right as the GUI loads, (the moment you see the background/wallpaper), what
it's doing until the login screen appears (applying computer settings,
preparing network connections etc), and what it processes during and after a
user logs on.

I've enabled verbose status messages, which work fine, but I need to be able
to log those messages to a file and capture things like:
What GPO policies is it checking & where it's pulling this information from.
Which GPO policies is it applying and how long it takes for it to process
the policies.
Which DCs is it attempting to communicate with and timing communication
between the machine & said DC.

Is this possible?

If you're asking yourself 'what problem is he trying to solve?' it's hard to
say because this isn't necessarily in response to a specific problem. I
suspect there are DC or DNS issues because of some information found in logs
and the way machines behave from time to time. (e.g.: a machine in
Washington D.C. used a DC in Silicon Valley; a London DC might get updated
with DNS info for a machine in Denver before the local DC.)

Also, for my own sanity, I'm looking to track what processes start & stop,
how long the machine stalls before moving onto the next directive etc. If I
can log registry queries as well, that would be great. (sounds like a job
for procmon, but how can I ensure it's the first possible exe to run?)

If you've read this far, thank you kindly for taking a moment to read.

Maybe SysInternals' Process Monitor might do it.

John
 
Hi John, thanks for the response.
Procmon and Procexp are wonderful tools and would probably capture a lot of
useful information, however, how can I force, and validate, they're the first
possible EXEs to load that will log what I need? I understand I could
probably get them to load after a user logs on, or starting at a certain
point, but the bulk of what I'm looking to capture happens before a user can
do anything with the machine; pre-login screen & pre-desktop.

I'm all ears if you have a creative way of doing this.
 
JuliusPIV said:
Hi John, thanks for the response.
Procmon and Procexp are wonderful tools and would probably capture a lot of
useful information, however, how can I force, and validate, they're the first
possible EXEs to load that will log what I need? I understand I could
probably get them to load after a user logs on, or starting at a certain
point, but the bulk of what I'm looking to capture happens before a user can
do anything with the machine; pre-login screen & pre-desktop.

I'm all ears if you have a creative way of doing this.

If you enable the boot logging option, Process Monitor will set itself up
as a boot start device driver and it will be started in the very early
stages of the boot process, long before any user processes are started.
It will record a *massive* amount of activity that will result in a log
file of more than 100MB and it will sort everything in chronological
order at a millionth of a second intervals! Along with the massive
amount of information that it records Process Monitor has excellent
filtering abilities to weed through it all and it has other options that
allow you to select only the columns and information you want to see.
Process Monitor will keep on logging until you open it up again; it can
log the whole session right through the shutdown and on to the next
restart! If you can't find what you need in the log provided by this
utility then the only thing that I can suggest is that you set up a
remote debug session!

If your aim is to control the load order of the user processes then
please elaborate or provide more details on your end goals.

John
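Added example, not part of the thread and not Sysinternals code: once a Procmon boot log has been saved and exported with File > Save > CSV, a short script can pull out the things the original question asks for (which processes start and stop and how long they live, where the boot "stalls", registry queries against the Run/RunOnce keys, and which DC the machine talked to). It assumes the default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the rows, host names and DC names below are constructed for the example, not a real capture.

```python
"""Summarize a Process Monitor boot-log CSV export: process lifetimes, stalls
between consecutive events, Run/RunOnce registry queries and DC connections.
Assumed input shape (not from the thread): Procmon's File > Save > CSV with the
default columns Time of Day, Process Name, PID, Operation, Path, Result, Detail."""
import csv
import io
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a Procmon CSV export; not a real capture.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:01:02.0000000 AM","System","4","Process Start","","SUCCESS","Parent PID: 0"
"6:01:03.2500000 AM","smss.exe","368","Process Start","","SUCCESS","Parent PID: 4"
"6:01:05.1000000 AM","winlogon.exe","612","Process Start","","SUCCESS","Parent PID: 544"
"6:01:05.4000000 AM","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 24, Data: Explorer.exe"
"6:01:20.9000000 AM","winlogon.exe","612","TCP Connect","ws-denver-01.corp.example:1044 -> dc-london-01.corp.example:ldap","SUCCESS","Length: 0"
"6:01:21.0000000 AM","winlogon.exe","612","TCP Connect","ws-denver-01.corp.example:1045 -> dc-denver-01.corp.example:ldap","SUCCESS","Length: 0"
"6:01:29.0000000 AM","userinit.exe","1188","Process Start","","SUCCESS","Parent PID: 612"
"6:01:30.0000000 AM","explorer.exe","1240","Process Start","","SUCCESS","Parent PID: 1188"
"6:01:31.5000000 AM","explorer.exe","1240","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Query Value"
"6:01:31.5100000 AM","explorer.exe","1240","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\WINDOWS\system32\ctfmon.exe"
"6:01:31.5200000 AM","explorer.exe","1240","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce","NAME NOT FOUND","Desired Access: Query Value"
"6:01:32.0000000 AM","ctfmon.exe","1300","Process Start","","SUCCESS","Parent PID: 1240"
"6:01:33.0000000 AM","userinit.exe","1188","Process Exit","","SUCCESS","Exit Status: 0"
'''


def parse_time_of_day(text):
    """Procmon writes 100 ns precision ("6:01:02.1234567 AM"); strptime's %f takes
    at most six digits, so the seventh is dropped. Returns a timedelta since midnight."""
    parts = text.strip().split()
    hms, _, frac = parts[0].partition(".")
    frac = (frac + "000000")[:6]
    if len(parts) == 2:                      # 12-hour locale with AM/PM
        t = datetime.strptime(f"{hms}.{frac} {parts[1]}", "%I:%M:%S.%f %p")
    else:                                    # 24-hour locale
        t = datetime.strptime(f"{hms}.{frac}", "%H:%M:%S.%f")
    return timedelta(hours=t.hour, minutes=t.minute, seconds=t.second, microseconds=t.microsecond)


def load_events(csv_text):
    """Rows in capture order, each with a parsed 't' timedelta added."""
    events = list(csv.DictReader(io.StringIO(csv_text)))
    for e in events:
        e["t"] = parse_time_of_day(e["Time of Day"])
    return events


def process_lifetimes(events):
    """Per (name, PID): first/last time seen, explicit start/exit, and run length in seconds."""
    procs = OrderedDict()
    for e in events:
        key = (e["Process Name"], int(e["PID"]))
        p = procs.setdefault(key, {"start": None, "exit": None, "first_seen": e["t"]})
        p["last_seen"] = e["t"]
        if e["Operation"] == "Process Start":
            p["start"] = e["t"]
        elif e["Operation"] == "Process Exit":
            p["exit"] = e["t"]
    for p in procs.values():
        both = p["start"] is not None and p["exit"] is not None
        p["duration"] = (p["exit"] - p["start"]).total_seconds() if both else None
    return procs


def stalls(events, threshold_s):
    """Gaps of at least threshold_s seconds between consecutive events: (gap, before, after)."""
    out = []
    for prev, cur in zip(events, events[1:]):
        gap = (cur["t"] - prev["t"]).total_seconds()
        if gap >= threshold_s:
            out.append((gap, prev, cur))
    return out


def startup_registry_queries(events):
    """Registry operations touching the Run/RunOnce keys (RunOnce shares the Run prefix)."""
    return [e for e in events
            if e["Operation"].startswith("Reg") and "\\CurrentVersion\\Run" in e["Path"]]


def dc_connections(events):
    """(time, process, remote endpoint) for network operations; Procmon's Path is 'local -> remote'."""
    out = []
    for e in events:
        if e["Operation"] in ("TCP Connect", "UDP Send"):
            _local, _, remote = e["Path"].partition(" -> ")
            out.append((e["t"], e["Process Name"], remote))
    return out


def report(csv_text, stall_threshold_s=10.0):
    """Human-readable summary of the points the thread asks about."""
    events = load_events(csv_text)
    lines = []
    for (name, pid), p in process_lifetimes(events).items():
        span = f"ran {p['duration']:.3f}s" if p["duration"] is not None else "no exit in log"
        lines.append(f"{name} (PID {pid}): first seen {p['first_seen']}, {span}")
    for gap, before, after in stalls(events, stall_threshold_s):
        lines.append(f"STALL {gap:.1f}s after {before['Process Name']} {before['Operation']} "
                     f"until {after['Process Name']} {after['Operation']} {after['Path']}")
    for e in startup_registry_queries(events):
        lines.append(f"startup registry: {e['Operation']} {e['Path']} -> {e['Result']}")
    for t, proc, remote in dc_connections(events):
        lines.append(f"network: {t} {proc} -> {remote}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

Run it against the CSV exported from a real boot log (`report(open("bootlog.csv").read())`) and the stall list points straight at the long pauses, in the sample a 15.5 s wait before winlogon.exe reaches a DC, which is the kind of timing gap the DC/DNS suspicion in the first post would show up as. The thresholds and operation names are the only tuning points; the Process Start/Process Exit rows are what a Procmon boot log already contains, so no extra startup hook is needed to see process start and stop times.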
 