
[Help] - Laptop Latency issues off of domain network


ctrlaltdel


We're having problems with latency on our laptops when off of the domain. In particular, they are separable into three broad groups: (1) bootup: startup to login screen, (2) login, and (3) general latencies while running applications. I'm currently working on solving (1) & (2). Laptops are built off of RIS & ADS GPOs and are connected to a domain. XP Pro SP2.

To debug this issue I turned on the UserEnvDebugLevel key in the registry to log the details. Differences were taken of <h:m:s:ms> between each record pair. All the data was sorted by m, s, and ms respectively. Observations were made for what events took the most amount of time. Many of these events I'm unfamiliar with and cannot find much detail on online. I was wondering if you all could help me decipher:

1) Why are they occurring (what can be done to further understand where the problems lie)

2) What do these delay-causing events mean

3) What are ways around these delays.

Summary

There are some particular events that stand out when HKLM\...\Winlogon\ UserEnvDebugLevel log files are generated and the records sorted as per elapsed time. i.e. "moving from each of the below mentioned records to the next record has large time gaps".

  • GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.
  • GetUserDNSDomainName: Failed to impersonate user
    • Latency (time) ranges: up to 1.5 minutes, multiple occurrences.

  • MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
    • Latency (time) ranges: up to 1.1 minutes, multiple occurrences, only occurs when logging in on non-domain network.

  • GetProfileType: ProfileFlags is 0

  • AbleToBypassCSC: tried NPAddConnection3ForCSCAgent. Error 53
  • AbleToBypassCSC: Try to bypass CSC
    • Latency (time) ranges: up to 20 seconds, 2 occurrences per login, only occurs when logging in off of domain.

  • ProcessGPOs: A slow link was detected.
    • Latency (time) ranges: up to 1 minute.

  • LibMain: Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
    • Latency (time) ranges: up to 1 minute, 2 occurrences per login

  • LibMain: Process Name: C:\WINDOWS\System32\SCardSvr.exe
    • Latency (time) ranges: up to 8 seconds, 1 occurrence per login

  • IsSyncForegroundPolicyRefresh: Asynchronous, Reason: NoNeedForSync
    • Latency (time) ranges: up to 2 seconds.

  • EnterCriticalPolicySectionEx: Entering with timeout 600000 and flags 0x0
  • EnterCriticalPolicySectionEx: Machine critical section has been claimed. Handle = 0x900 [, Handle = 0x98c at another session]
  • EnterCriticalPolicySectionEx: Leaving successfully.
    • No big time issues here. However: "This is a potentially serious log message. It could indicate that certain portions of the operating system have become corrupt due to improper shut-down or system crashes. It could also indicate a system resource problem..." [MS TechNet: "Interpreting Userenv log files"]

What I COULD find out about each of the above mentioned events & some observations:

GetUserDNSDomainName:

... Don't have anything useful, need tonnes of help here!

MyGetUserName:

Event: <MyGetUserName: GetUserNameEx failed with 1722.> always occurs prior to the problem event (mentioned above). There's a MS support doc on "failed with 1908" but that has nothing to do with us. No doc on 1722.

GetProfileType:

The GetProfileType function retrieves the type of profile loaded for the current user. This event alone in some cases collectively takes up ~ 2 minutes. This event occurs multiple times and seems unnecessary as such:

USERENV(6d0.700) 07:43:59:203 GetProfileType:  Profile already loaded.
USERENV(6d0.700) 07:43:59:203 GetProfileType: ProfileFlags is 0
USERENV(6d0.700) 07:44:41:312 GetProfileType: Profile already loaded.
USERENV(6d0.700) 07:44:41:312 GetProfileType: ProfileFlags is 0
USERENV(3a4.3a8) 07:45:11:875 UnloadUserProfile: Entering, hProfile = <0x918>

[MSDN Library >... > User Profiles Functions: GetProfileType] covers the GetProfileType function. However searching the web for the 'ProfileFlags' value gives me nothing. This event, and the maximum delays, often occur right in the beginning. Some questions:

  • Why is it checking multiple times if the profile is loaded.
  • (via documentation mentioned above) is a temporary profile being loaded only?
  • Is it possible to turn it off?

A next step would be to use a packet sniffer to find out what exactly is happening during that gap (any views?).

AbleToBypassCSC:

... Don't have anything useful, need tonnes of help here!

ProcessGPOs: A slow link was detected:

... Don't have anything useful, need tonnes of help here!

wmiprvse.exe:

%windir%\system32\wbem\wmiprvse.exe. Windows Management Instrumentation (WMI). WMI includes an object repository, which is the database of object definitions, and the WMI Object Manager, which handles the collection and manipulation of objects in the repository and gathers information from WMI providers... Basically wmiprvse.exe cannot be closed.

Observations: The event always occurs thus,

USERENV(8d8.8dc) 12:33:02:031 LibMain: Process Name:  C:\WINDOWS\system32\wbem\wmiprvse.exe
USERENV(3a4.570) 12:33:45:968 MyGetUserName: GetUserNameEx failed with 1722.

on logins off of the domain (where it takes the most amount of time), i.e. with the <MyGetUserName: GetUserNameEx failed with 1722> event. [Note: the mentioned event is also discussed as a cause of delay above, however it's an event that occurs multiple times. Observations show that the occurrence after the wmiprvse.exe event is not the delayed occurrence. Debugging issues are discussed above as well.]

Questions that come to mind are:

  • Why does it take 1 min, 40 sec, 35 sec (in different logons) when not on the domain but only ~ 1 sec when on the domain?
  • If we can solve this problem we could save 40 seconds automatically?

SCardSvr.exe:

%windir%\System32\SCardSvr.exe. Microsoft Smartcard-Resource server. The scardsvr.exe service is required by Windows when working with Smart cards and Smart card readers. While ~ 8 seconds might not seem long, in a 1 - 2 minute logon session it is a major chunk of the time.

  • Can we turn this off? Anticipated Answer: no.

IsSyncForegroundPolicyRefresh:

... Don't have anything useful, need tonnes of help here!

The sorts of events/errors/logs I'm seeing seem to be DNS settings related. I would like all of your opinions.

The log files (and sorted data) are available upon request. Help would be appreciated.

Link to comment
Share on other sites


Wireless NICs in the laptops:

1. Do they have these?

2. Are they enabled?

3. Are they required for connecting to the corporate network?

Other networking questions:

4. What is the binding order of the network adapters in the laptop?

5. Are the NICs set to obtain all details by DHCP?

6. What are your DCs and what level is your domain? (NT, 2000/2003 mixed mode, 2000/2003 native mode)

7. Are you using roaming profiles or offline folders?

Long timeouts during laptop startup are very commonly due to failure to connect to a WLAN - if you don't use a wireless network then disable the NIC (note, the NIC and not just the transmitter - this leaves the NIC visible to Windows as a valid network device and it will still try to use it).

In some cases you can alter the binding order of the NICs so the wired adapter is used first and this helps.

Link to comment
Share on other sites

Wireless NICs in the laptops:

1. Do they have these?

2. Are they enabled?

3. Are they required for connecting to the corporate network?

Other networking questions:

4. What is the binding order of the network adapters in the laptop?

5. Are the NICs set to obtain all details by DHCP?

6. What are your DCs and what level is your domain? (NT, 2000/2003 mixed mode, 2000/2003 native mode)

7. Are you using roaming profiles or offline folders?

Long timeouts during laptop startup are very commonly due to failure to connect to a WLAN - if you don't use a wireless network then disable the NIC (note, the NIC and not just the transmitter - this leaves the NIC visible to Windows as a valid network device and it will still try to use it).

In some cases you can alter the binding order of the NICs so the wired adapter is used first and this helps.

(1) Yes they have Wireless NICs on these laptops. (2) Yes they are enabled. (3) Are they required? No. However I don't believe turning it off (or asking users to) when logging onto a non-domain environment is an option. Also the problem doesn't really occur when users login on the corporate environment (i.e. on the domain). It's worth noting that the event log shows many events that when logging in on the domain take a short duration versus when logging off of the domain... same event sequences take over a minute!

(4) I will look into the binding order more carefully. (5) Yes NICs (have to be?) obtain details off of DHCP. (6) DCs are all Win 2003 servers. (7) The laptops don't support roaming profile (would be a terrible idea!) all contents stored locally (as should be on laptops) and backed up regularly.

We do use a WiFi network, turning it off would not be an option (I believe... or else I don't get what you implied. Elaborate if you feel I misunderstood? Thanks).

I want to again point out: the same laptop:

Logging into the domain (over wireless): takes maximum 1 minute

Logging out of the domain (e.g. home wireless ADSL connection): can take max of 20 minutes!

The UserEnvDebugLevel log shows a couple of events that take an immense amount of time off the domain (minutes) versus when on (some milliseconds). These are the events I mention above. If we can resolve these issues we would chop off at least 80% of the time. Hence I want to understand & focus on the above mentioned events. I don't really have a 'clear' grasp of exactly what is happening in some (most) of them. Would appreciate anyone's help/insights in their regards.

Link to comment
Share on other sites

Rather than focusing on the detailed log entries created by enabling Userenv logging, try to reduce the problem.

Clearly it is related to the unavailability of a DC, or possibly DNS server to register against dynamically, when booting up & logging on.

I would start by testing if there is an immediate significant difference with the wireless NICs disabled - even if it is not considered a solution long-term (though there may be no other solution), at least it will show you if the problem is related to wireless client behavior.

Userenv logging, if not showing explicit errors, is not necessarily going to help you resolve timeout issues - you are looking at the symptoms rather than the root cause.

I would guess that the delay during bootup is the client trying to obtain a computer GPO, the delay during logon is the client trying to obtain and apply user GPOs, but I must admit I am not sure what would cause continued delays during a logon session when not connected to the corporate network.

GPOs are refreshed periodically in a logon session, but what is the frequency & symptoms of the delays when a user is logged on?

I can only hazard a guess at shortcuts to network resources on the user desktops, or permanently mapped network drives which the client is attempting to restore...

You could also connect the client to a hub and take a network trace using Ethereal on another machine to capture the network traffic to & from the client - a comparison of these when connected to the network and at home would show you what the client last attempted to do when the delay occurs.

Another couple of tests would be to verify the problem occurs with the same AD user but on a "clean" client build (not RIS), and also to create a brand new OU and test user with no GPOs applied at all and see if the problem occurs for him too.

Link to comment
Share on other sites

...

You could also connect the client to a hub and take a network trace using Ethereal on another machine to capture the network traffic to & from the client - a comparison of these when connected to the network and at home would show you what the client last attempted to do when the delay occurs.

lol... I actually have had that equipment set up and sitting about for a while (about half a week) and am just too scared to venture in that direction. :unsure: I would prefer diving in once I have the data gathered. I even have the first reading... (that's what scared me off :whistle:)

I think I'm going to need lots of help when it comes to that...

...

Another couple of tests would be to verify the problem occurs with the same AD user but on a "clean" client build (not RIS), and also to create a brand new OU and test user with no GPOs applied at all and see if the problem occurs for him too.

This problem actually is something that is already occurring with multiple users and on multiple machines. There is an issue with the image. I also had (still do) a hunch it is related to the unavailability of a DC, or possibly DNS server to register against dynamically, when booting up & logging on. More so an issue of just timing out. For example (from Userenv log):

USERENV(150.88c) 12:30:07:281 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.

USERENV(3a4.3a8) 12:31:44:859 InitializePolicyProcessing: Initialised Machine Mutex/Events

Why does it take >1.5 minutes between those two events?! Seems like a timeout issue to me. Same thing takes milliseconds when on the corporate domain wireless network. :blink:

Edited by ctrlaltdel
Link to comment
Share on other sites

Here's one particular log event group that has extremely high latency and is often occurring (in the same pattern every logon attempt). I highlight the delay (1 min 36 seconds). If someone could provide insight into what is going on here and why, I'd appreciate it. I provide my case for highest latency only.

USERENV(3a8.9d0) 12:30:06:078 CSyncManager::EnterLock <S-1-5-19>

USERENV(3a8.9d0) 12:30:06:093 CSyncManager::EnterLock: No existing entry found

USERENV(3a8.9d0) 12:30:06:093 CSyncManager::EnterLock: New entry created

USERENV(3a8.9d0) 12:30:06:093 CHashTable::HashAdd: S-1-5-19 added in bucket 12

USERENV(3a8.9d0) 12:30:06:093 UnloadUserProfileP: Wait succeeded. In critical section.

USERENV(3a8.9d0) 12:30:06:093 UnloadUserProfileP: Didn't unload user profile, Ref Count is 2

USERENV(3a8.9d0) 12:30:06:093 UnloadUserProfileP: Reverted back to user <00000000>

USERENV(3a8.9d0) 12:30:06:093 CSyncManager::LeaveLock <S-1-5-19>

USERENV(3a8.9d0) 12:30:06:093 CSyncManager::LeaveLock: Lock released

USERENV(3a8.9d0) 12:30:06:093 CHashTable::HashDelete: S-1-5-19 deleted

USERENV(3a8.9d0) 12:30:06:093 CSyncManager::LeaveLock: Lock deleted

USERENV(3a8.9d0) 12:30:06:093 UnloadUserProfileP: Leave critical section.

USERENV(3a8.9d0) 12:30:06:093 UnloadUserProfileP: Leaving with a return value of 1

USERENV(3a8.9d0) 12:30:06:109 UnloadUserProfileI: returning 0

USERENV(3d4.ab4) 12:30:06:109 UnloadUserProfile: Calling UnloadUserProfileI succeeded

USERENV(3a8.3d0) 12:30:06:109 IProfileSecurityCallBack: client authenticated.

USERENV(3a8.3d0) 12:30:06:109 ReleaseClientContext: Releasing context

USERENV(3a8.3d0) 12:30:06:109 ReleaseClientContext_s: Releasing context

USERENV(3a8.3d0) 12:30:06:109 MIDL_user_free enter

USERENV(3d4.ab4) 12:30:06:109 ReleaseInterface: Releasing rpc binding handle

USERENV(3d4.ab4) 12:30:06:109 UnloadUserProfile: returning 1

USERENV(150.88c) 12:30:07:281 GetUserNameAndDomain: MyGetUserNameEx failed for NT4 style name with 1115

USERENV(150.88c) 12:30:07:281 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.

USERENV(3a4.3a8) 12:31:44:859 InitializePolicyProcessing: Initialised Machine Mutex/Events

USERENV(3a4.3a8) 12:31:45:062 InitializePolicyProcessing: Initialised User Mutex/Events

USERENV(3a4.3a8) 12:31:45:062 LibMain: Process Name: \??\C:\WINDOWS\system32\winlogon.exe

USERENV(3a4.3a8) 12:31:46:062 Entering CUserProfile::Initialize ...

USERENV(3a4.3a8) 12:31:46:062 CUserProfile::Initialize called by winlogon

USERENV(3a4.3a8) 12:31:46:062 CUserProfile::Initialize: critical section initialized

USERENV(3a4.3a8) 12:31:46:062 CSyncManager::Initialize: critical section initialized

USERENV(3a4.3a8) 12:31:46:062 CUserProfile::Initialize: registry key Software\Microsoft\Windows NT\CurrentVersion\ProfileList opened

Link to comment
Share on other sites
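The gap analysis described in the first post (difference between each consecutive pair of record timestamps, sorted by elapsed time), as an added example that is not part of the original thread. The sample lines are copied from the excerpt posted above; the function names, the 1-second threshold and the handling of midnight rollover and out-of-order records are assumptions of this sketch.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# One userenv debug record: USERENV(pid.tid) HH:MM:SS:mmm message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$"
)
DAY_MS = 24 * 60 * 60 * 1000

# Lines taken from the log excerpt in this thread (blank lines kept as posted).
SAMPLE = r"""
USERENV(3d4.ab4) 12:30:06:109 UnloadUserProfile: returning 1

USERENV(150.88c) 12:30:07:281 GetUserNameAndDomain: MyGetUserNameEx failed for NT4 style name with 1115

USERENV(150.88c) 12:30:07:281 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.

USERENV(3a4.3a8) 12:31:44:859 InitializePolicyProcessing: Initialised Machine Mutex/Events

USERENV(3a4.3a8) 12:31:45:062 InitializePolicyProcessing: Initialised User Mutex/Events

USERENV(3a4.3a8) 12:31:45:062 LibMain: Process Name: \??\C:\WINDOWS\system32\winlogon.exe

USERENV(3a4.3a8) 12:31:46:062 Entering CUserProfile::Initialize ...
"""


class Record(NamedTuple):
    pid: str
    tid: str
    t_ms: int   # milliseconds since midnight; the log carries no date
    msg: str


class Gap(NamedTuple):
    delta_ms: int
    before: Record  # last record written before the silence
    after: Record   # first record written after it


def parse(lines):
    """Return the records found in `lines`, skipping anything that is not one."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        t_ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        records.append(Record(m["pid"], m["tid"], t_ms, m["msg"].strip()))
    return records


def event_key(msg):
    """Function name that prefixes the message, e.g. 'GetUserDNSDomainName'."""
    return msg.split(": ", 1)[0] if ": " in msg else msg


def find_gaps(records, min_ms=1000):
    """Gaps of at least `min_ms` between consecutive records, largest first."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        delta = cur.t_ms - prev.t_ms
        if delta < -DAY_MS // 2:
            delta += DAY_MS      # assumption: the clock wrapped past midnight
        elif delta < 0:
            delta = 0            # assumption: slightly out-of-order write
        if delta >= min_ms:
            gaps.append(Gap(delta, prev, cur))
    return sorted(gaps, key=lambda g: g.delta_ms, reverse=True)


def totals_by_event(gaps):
    """Total silence following each event name, largest first."""
    totals = defaultdict(int)
    for g in gaps:
        totals[event_key(g.before.msg)] += g.delta_ms
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for g in find_gaps(parse(SAMPLE.splitlines())):
        print(f"{g.delta_ms / 1000:8.3f}s  after ({g.before.pid}.{g.before.tid}) "
              f"{event_key(g.before.msg)}  ->  ({g.after.pid}.{g.after.tid}) "
              f"{event_key(g.after.msg)}")
```

The report prints the pid.tid pair on both sides of each gap: in the sample the largest gap sits between a record from 150.88c and one from 3a4.3a8, so the record before the silence and the record after it were written by different processes.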

Are the users using local profiles, or are their domain profiles roaming profiles? The laptop is trying to get the DNS information about the user's account in the domain, that's at least what the "GetUserDNSDomainName" relates to - if you've got roaming profiles, this could be the cause. If not, we'll have to dig deeper.

Link to comment
Share on other sites

Are the users using local profiles, or are their domain profiles roaming profiles?
We have roaming profiles switched on for users as per machine.

i.e. when they are on Desktops their roaming profiles are active. We have made sure roaming profile is NOT enabled on the laptops (for obvious reasons).

The laptop is trying to get the DNS information about the user's account in the domain, that's at least what the "GetUserDNSDomainName" relates to - if you've got roaming profiles, this could be the cause. If not, we'll have to dig deeper.
hmmm.... (given that I've already established above that the user's roaming profile is not enabled for the laptops). At the logon dialogue the user is trying to connect to a domain. i.e.:

User Name: xxxx

Password: *

Log on to: <our domain>

Passwords are cached once when the user logs in while on the network (initial logon has to be while connected on the domain to cache the password). Why do we do this? User accounts are all on the domain, AD + Kerberos (we don't want to create separate accounts to login to laptops). Plus they are Kerberos accounts; in fact the user logs in with Kerberos credentials not AD (we've not gotten round to that yet).

What do you think about that? This is the reason it's causing the delay? User details are *related* to some domain and even off of the domain the laptop tries to obtain (obviously) the details... and in doing so has to wait till it times out (before using the cached password.. etc...) ??? :huh:

(if anyone reading is wondering... we don't do mapped-network-drives on these laptops or anything CIFS based, e.g. printer queues)

Again.. we don't do roaming profiles on the laptops.

Appreciate the help!

Link to comment
Share on other sites

What wireless chipset are the laptops using? I have a few Intel wireless laptops in our domain, and I've had mixed results. Some weren't as drastic as you are saying (20 Minutes Logon Off Domain), but similar problems. Eventually I found that by configuring the WLAN to pre-logon (A feature of the Intel software, it's not an XP option) reduced most if not all my headaches. This may not be your problem, but something to look into.

Also, have you tried eliminating GPO from the mix? There are several policies that can affect startup and login times if they aren't proper. There is one that says to wait for the network before logging in for instance. I would either triple check your GPOs to make sure you don't have any issues, or disable them altogether. Since you say it affects multiple computers in your domains then I would look at something global like this.

Link to comment
Share on other sites

What wireless chipset are the laptops using? I have a few Intel wireless laptops in our domain, and I've had mixed results. Some weren't as drastic as you are saying (20 Minutes Logon Off Domain), but similar problems. Eventually I found that by configuring the WLAN to pre-logon (A feature of the Intel software, it's not an XP option) reduced most if not all my headaches. This may not be your problem, but something to look into.
All our laptops are either (1) Dell Latitude 600 (2) Dell Latitude 610, or (3) HP Compaq TC 4200. All these kinds show similar latency issues - which leads me to conclude that it is definitely an 'image' issue, i.e. GPO, and along those lines... (If anyone's reading these posts and knows that the mentioned machines have WLAN pre-logon features... please reply). I will look into it myself and talk to the vendors directly to find out if they have this feature.
Also, have you tried eliminating GPO from the mix? There are several policies that can affect startup and login times if they aren't proper.
This is one of the solutions I'm considering: Creating a new test OU with no GPOs applied except logging in with user credentials and comparing two fresh RISed machines in the two environments. You were thinking along those lines? @ WayBoy can you (or anyone else) list some of the policies that they *know* affect startup and login times if not properly set (what are the proper settings?)?
There is one that says to wait for the network before logging in for instance. I would either triple check your GPOs to make sure you don't have any issues, or disable them altogether. Since you say it affects multiple computers in your domains then I would look at something global like this.
Can you elaborate where this GPO setting is? I can play around with that setting in my test OU.

@ WayBoy thanks for all that input. Appreciate your further responses.

Would it be useful to post one of the higher latency UserEnv Logs with delay gaps highlighted for all?

Link to comment
Share on other sites

Since you are using DHCP and wireless, you might want to pin to the start menu two scripts 'wi-fi on.cmd' and 'wi-fi off.cmd' I've had good luck with clients using these settings ~ tell them it's a privacy thing. While this does little to solve the issue, it should force the shutdown to realize there isn't a connection to be had.

Wi-fi Off.cmd

For XP SP2 Wi-Fi clients

%windir%\system32\ipconfig.exe /flushdns
%windir%\system32\ipconfig.exe /release
%windir%\system32\ipconfig.exe /flushdns

net stop "Wireless Zero Configuration"
net stop "Network Location Awareness (NLA)"
net stop "DNS Client"
net stop "Remote Access Auto Connection Manager"
net stop "Remote Access Connection Manager"
net stop "DHCP Client"
net stop "Application Layer Gateway Service"
net stop "Remote Access Connection Manager"

net stop "WZCSVC"
net stop "Nla"
net stop "Dnscache"
net stop "RasAuto"
net stop "RasMan"
net stop "Dhcp"
net stop "ALG"
net stop "RasMan"

%windir%\system32\ipconfig.exe /flushdns
%windir%\system32\ipconfig.exe /release
%windir%\system32\ipconfig.exe /flushdns

Wi-fi on.cmd is the above in reverse order with stops changed to starts and release to renew.

I've also had a little ~ some ~ luck with teaching the people about Fn+Fx to turn off the wi-fi adapter to save battery life. The downside is logging on to a domain is difficult; the user needs to remember to enable the adapter before (s)he selects an option from boot.ini.

Final thing, I've found slightly better throughput when using Msft's wi-fi client than Intel or Linksys.

Link to comment
Share on other sites

Ok, I've gathered a lot of input (Thanks, not done yet though :) ). I'm going to carry out some more tests; I'll post the results as I get them. In brief I will focus on looking at GPOs and their effects on this problem (I believe we all gather that may be the source of the problem). Simultaneously I would appreciate anyone's inputs on the following two UsrEnv event entries that (1) occur consistently and (2) are a massive percentage of the delay in any given login session (remember: when logging in off the domain). Again, I highlight the entries between which the delay is logged (in red) & enclose/include some surrounding entries that occur similarly per login (to give us a better idea of exactly what is going on).

Case 1: "AbleToBypassCSC: tried NPAddConnection3ForCSCAgent. Error 53"

USERENV(3a4.3a8) 07:45:19:734 AbleToBypassCSC: tried NPAddConnection3ForCSCAgent. Error 53

USERENV(3a4.3a8) 07:45:40:828 UnLoadUserProfileP: CSC bypassed failed. Ignoring Roaming profile path

USERENV(3a4.3a8) 07:45:40:828 GetExclusionListFromRegistry: Policy list is empty, returning user list = <Local Settings;Temporary Internet Files;History;Temp;Local Settings\Application Data\Microsoft\Outlook>

USERENV(3a4.3a8) 07:45:40:828 CSyncManager::EnterLock <S-1-5-21-1687723350-4253359750-3876547176-1152>

USERENV(3a4.3a8) 07:45:40:828 CSyncManager::EnterLock: No existing entry found

USERENV(3a4.3a8) 07:45:40:843 CSyncManager::EnterLock: New entry created

USERENV(3a4.3a8) 07:45:40:843 CHashTable::HashAdd: S-1-5-21-1687723350-4253359750-3876547176-1152 added in bucket 10

USERENV(3a4.3a8) 07:45:40:843 UnloadUserProfileP: Wait succeeded. In critical section.

USERENV(3a4.3a8) 07:45:40:843 MyRegUnLoadKey: Failed to unmount hive 00000005

USERENV(3a4.3a8) 07:45:40:843 MyRegUnLoadKey: Returning 0.

USERENV(3a4.3a8) 07:45:40:843 DumpOpenRegistryHandle: 4 user registry Handles leaked from \Registry\User\S-1-5-21-1687723350-4253359750-3876547176-1152

USERENV(3a4.3a8) 07:45:40:843 UnloadUserProfileP: Didn't unload user profile <err = 5>

USERENV(3a4.3a8) 07:45:40:859 MyRegUnLoadKey: Returning 1.

USERENV(3a4.3a8) 07:45:40:859 UnLoadClassHive: Successfully unmounted S-1-5-21-1687723350-4253359750-3876547176-1152_Classes

USERENV(3a4.3a8) 07:45:40:859 UnloadUserProfileP: Successfully unloaded user classes

USERENV(3a4.3a8) 07:45:40:859 HandleRegKeyLeak: RtlAdjustPrivilege succeeded!

USERENV(3a4.3a8) 07:45:41:546 HandleRegKeyLeak: RegSaveKey succeeded!

USERENV(3a4.3a8) 07:45:41:562 HandleRegKeyLeak: RtlAdjustPrivilege succeeded!

USERENV(3a4.3a8) 07:45:41:562 HandleRegKeyLeak: hkCurrentUser closed

USERENV(3a4.3a8) 07:45:41:562 Entering CUserProfile::WatchHiveRefCount: S-1-5-21-1687723350-4253359750-3876547176-1152, 1

USERENV(3a4.3a8) 07:45:41:562 CUserProfile::WatchHiveRefCount: In critical section

USERENV(3a4.3a8) 07:45:41:562 CUserProfile::WatchHiveRefCount: NtUnloadKeyEx succeeded for \Registry\User\S-1-5-21-1687723350-4253359750-3876547176-1152

USERENV(3a4.3a8) 07:45:41:562 Entering CUserProfile::AddWorkItem: S-1-5-21-1687723350-4253359750-3876547176-1152

USERENV(3a4.3a8) 07:45:41:562 CHashTable::HashAdd: S-1-5-21-1687723350-4253359750-3876547176-1152 added in bucket 10

USERENV(3a4.3a8) 07:45:41:562 CUserProfile::AddWorkItem: No thread available, create a new one.

USERENV(3a4.3a8) 07:45:41:562 CUserProfile::AddWorkItem: Signal event item inserted

This first example occurs right at the beginning of the login, in logins where network connectivity is available when not on the domain. Delays are ~21sec (most of the time) == ~7% of total login time in some cases. I can't find anything useful on this event anywhere (!). I'm sure *someone* out there must know something about what this means. ANY INFORMATION WOULD BE APPRECIATED!

Case 2: "LibMain: Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe"

USERENV(3a8.4c8) 12:23:12:734 LoadUserProfileI: returning 0

USERENV(3d4.2b0) 12:23:12:734 LoadUserProfile: Running as self

USERENV(3d4.2b0) 12:23:12:734 LoadUserProfile: Calling LoadUserProfileI (as user) succeeded

USERENV(3d4.2b0) 12:23:12:734 LoadUserProfile: Returning success. Final Information follows:

USERENV(3d4.2b0) 12:23:12:734 lpProfileInfo->UserName = <LocalService>

USERENV(3d4.2b0) 12:23:12:750 lpProfileInfo->lpProfilePath = <>

USERENV(3d4.2b0) 12:23:12:750 lpProfileInfo->dwFlags = 0x9

USERENV(3a8.3c0) 12:23:12:750 IProfileSecurityCallBack: client authenticated.

USERENV(3a8.3c0) 12:23:12:750 ReleaseClientContext: Releasing context

USERENV(3a8.3c0) 12:23:12:750 ReleaseClientContext_s: Releasing context

USERENV(3a8.3c0) 12:23:12:750 MIDL_user_free enter

USERENV(3d4.2b0) 12:23:12:750 ReleaseInterface: Releasing rpc binding handle

USERENV(3d4.2b0) 12:23:12:750 LoadUserProfile: Returning TRUE. hProfile = <0x3bc>

USERENV(3d4.2b0) 12:23:12:750 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.

USERENV(1e4.1d8) 12:23:12:875 LibMain: Process Name: C:\WINDOWS\System32\alg.exe

USERENV(160.1e0) 12:23:13:031 LibMain: Process Name: C:\WINDOWS\system32\wuauclt.exe

USERENV(324.328) 12:23:13:546 LibMain: Process Name: C:\WINDOWS\system32\ctfmon.exe

USERENV(604.408) 12:23:14:234 LibMain: Process Name: C:\Program Files\HPQ\IAM\bin\asghost.exe

USERENV(654.220) 12:23:15:625 LibMain: Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe

USERENV(3a8.56c) 12:24:15:281 MyGetUserName: GetUserNameEx failed with 1722.

USERENV(3a8.56c) 12:24:15:281 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.

USERENV(a40.a44) 12:24:28:734 LibMain: Process Name: C:\WINDOWS\system32\userinit.exe

USERENV(3e0.3f4) 12:24:28:875 ImpersonateUser: Failed to impersonate user with 5.

USERENV(3e0.3f4) 12:24:28:875 GetUserNameAndDomain Failed to impersonate user

USERENV(3e0.3f4) 12:24:28:875 ImpersonateUser: Failed to impersonate user with 5.

USERENV(3e0.3f4) 12:24:28:875 GetUserDNSDomainName: Failed to impersonate user

USERENV(3e0.3f4) 12:24:28:906 ImpersonateUser: Failed to impersonate user with 5.

USERENV(3e0.3f4) 12:24:28:906 GetUserNameAndDomain Failed to impersonate user

USERENV(3e0.3f4) 12:24:28:906 ImpersonateUser: Failed to impersonate user with 5.

USERENV(3e0.3f4) 12:24:28:906 GetUserDNSDomainName: Failed to impersonate user

USERENV(3e0.3f4) 12:24:28:921 ImpersonateUser: Failed to impersonate user with 5.

USERENV(3e0.3f4) 12:24:28:937 GetUserNameAndDomain Failed to impersonate user

USERENV(3e0.3f4) 12:24:28:937 ImpersonateUser: Failed to impersonate user with 5.

USERENV(3e0.3f4) 12:24:28:937 GetUserDNSDomainName: Failed to impersonate user

USERENV(a58.a5c) 12:24:29:765 LibMain: Process Name: C:\WINDOWS\Explorer.EXE

USERENV(a58.a70) 12:24:29:859 GetProfileType: Profile already loaded.

USERENV(a58.a70) 12:24:29:859 GetProfileType: ProfileFlags is 0

USERENV(a58.a70) 12:24:29:875 GetProfileType: Profile already loaded.

USERENV(a58.a70) 12:24:29:890 GetProfileType: ProfileFlags is 0

USERENV(adc.ae0) 12:24:34:984 LibMain: Process Name: C:\Program Files\Common Files\Symantec Shared\ccApp.exe

This second example occurs like thus almost every time. The highlighted event concerns the Windows Management Instrumentation (WMI). Delays are ~45secs to ~1min == 10% - 30% of total login time! What I don't understand is that: (1) When logging on the domain/corporate-network the delays between this and the next event are minimal versus when logging onto a non-domain network it is (one of the most) massive; (2) I would say the delay itself can't have anything to do with the WMI app but log entries show the delay occurring always after that event; and (3) I observe that the event always occurs thus on logons in NON-DOMAIN networks:

USERENV(654.220) 12:23:15:625 LibMain: Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe

USERENV(3a8.56c) 12:24:15:281 MyGetUserName: GetUserNameEx failed with 1722.

(and that's when it takes the most amount of time), i.e. with the "MyGetUserName: GetUserNameEx failed with 1722" event. I can't find any documentation on this. Why this occurs when logging in off the domain can be answered intuitively, but I feel like understanding this in more detail would help us understand ( a ) the reason for the massive delay more technically ( b ) how to turn it off - or give us a good idea if we just need to change the way we do things completely.

Does anyone have any idea why this event takes so long? Can we shut this off? (I don't think I clearly understand the need for WMI either)

Thanks

Link to comment
Share on other sites

  • 2 weeks later...

We have issues with our machines when logging in on a foreign network. These are RIS built Win XP Pro, GPO & ADS maintained machines. Roaming profile IS turned off. (Dells, HPs, IBMs... physical machine doesn't matter).

Delay characteristics:

After login --> Stuck for immense time @ "Applying your personal settings..." prompt --> stuck @ blank desktop for a long time after that. --> END. (average time for logging in on foreign networks: 11 minutes!!!)

The problems seem to be DNS, DC related. We want to block just that particular DC record that comes from our normal DNS server (not even login to DC, cannot do it at firewall). Currently we handle DNS off of Unix in our environment.

There's no way to put an access list on one record (can't say, "only ip addresses in this range can get this record").

=> That's essentially the problem.

The MS recommended solution is to make it NOT respond to anything when on the foreign network. So my view is that MS Software should support (their) proposed solution.

If this is MS's recommended solution then MS DNS stuff must work better. Shift domain to Windows DNS. Does anyone know if MS DNS can do that: i.e. if MS DNS servers will support: *single* DNS record: serv record for Windows domain controller (one entry in DNS). What needs to happen: if someone is on an IP addr not in native range... not answer that request. Can't think of any way on Unix DNS servers to only restrict one record.

Link to comment
Share on other sites

I've had poor results in general with the combination of notebooks and secure wireless networks or any network that doesn't have your servers on them. In our case, our WPA encrypted wireless required an AD account to connect. On both log on and log off, the authentication is no longer there, but Windows acts like it should be. Using local accounts and VPN software was our solution.

Link to comment
Share on other sites
