QEDeh
asked on
2 minute logon delays via rundll32.exe
Looking through userenv I get this:
USERENV(438.3d8) 14:57:46:916 GetProfileType: ProfileFlags is 0
USERENV(2ac.f88) 14:57:48:360 ImpersonateUser: Failed to impersonate user with 5.
USERENV(2ac.f88) 14:57:48:360 GetUserNameAndDomain Failed to impersonate user
USERENV(2ac.f88) 14:57:48:360 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.
USERENV(5cc.5a8) 14:57:48:966 LibMain: Process Name: C:\WINDOWS\system32\rundll32.exe
USERENV(2ac.f88) 14:59:48:211 UserPolicyCallback: Setting status UI to Applying your personal settings...
USERENV(2ac.f88) 14:59:49:112 UserPolicyCallback: Setting status UI to Applying your personal settings...
USERENV(2ac.f88) 14:59:49:112 ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
USERENV(2ac.f88) 14:59:49:112 ProcessGPOList: Extension Internet Explorer Branding was able to log data. RsopStatus = 0x0, dwRet = 0, Clearing the dirty bit
USERENV(2ac.f88) 14:59:49:127 ProcessGPOs: -----------------------
USERENV(2ac.f88) 14:59:49:127 ProcessGPOs: -----------------------
USERENV(2ac.f88) 14:59:49:127 ProcessGPOs: Processing extension EFS recovery
Note the exact 2 minute gap???
It doesn't always happen, it happens on every 1 of our 400 machines, all being different in hardware and software. It's not a virus; disabling the file for a laugh gets round the problem. And this has been going on for about a year.
ASKER
I ran a netdiag /l /debug on a machine that has this issue and the only problems that came up are:
Opening \Device\NwlnkIpx failed
[WARNING] Failed to query SPN registration on DC 'athena.int.gillingham-dorset.co.uk'.
[WARNING] Failed to query SPN registration on DC 'athena.int.gillingham-dorset.co.uk'.
[WARNING] Failed to query SPN registration on DC 'gill-sch-02.int.gillingham-dorset.co.uk'.
Everything else passed with flying colours.
I've attached the original log.
NetDiag.log
ASKER
OK, after even more investigating using bootvis and userenv logs I came across this.
I've attached a picture.
At the exact time of the 2 minute delay, system (4) runs for 0.13 secs and then absolutely nothing. It's like a complete freeze. The start time is 105.01, it then ends at 105.13, and then the next thing to run is rdpclip.exe at 227.36. So to me it's as if it's not an actual program that's taking 2 mins to delay.
bootvis.jpg
ASKER
Sorry, here's a better log that shows the rundll32.exe
bootvis.jpg
ASKER
My feeling now is that rundll32.exe is loading a DLL into memory that seems to take 2 mins, or times out after 2 mins.
Is there a way to trace and log what rundll32.exe is up to?
ASKER
OK, I've tracked the problem down. When logging on, rundll32.exe loads iedkcs32.dll. However, this DLL causes a 2 minute delay. The brnlog shows this delay -
02/15/2008 10:22:26 Registering download URLs as safe for updating IE...
02/15/2008 10:22:26 Done.
02/15/2008 10:22:26 Refreshing browser settings...
02/15/2008 10:22:26 Broadcasting "Windows settings change" to all top level windows...
02/15/2008 10:24:25 Done processing group policy.
Reinstalling the DLL makes no difference. Denying the system the use of this DLL gets over the problem, but there will be knock-on effects as it configures IE7. I'm wondering if there is corruption in the GPO settings for Internet Explorer and, if so, has anyone got any idea how to tell or fix that?
Also, my problem is not related to KB941158 from Microsoft.
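Added example, not part of the original thread: a small Python script that finds the kind of silence pointed out by hand above, in both the userenv.log format from the first post and the brnlog format from this one. The sample lines are copied from the excerpts in the thread; the 30-second threshold and the function names are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines taken from the userenv.log and brnlog excerpts in this thread.
USERENV_SAMPLE = r"""
USERENV(438.3d8) 14:57:46:916 GetProfileType: ProfileFlags is 0
USERENV(2ac.f88) 14:57:48:360 GetUserDNSDomainName: Domain name is NT Authority. No DNS domain name available.
USERENV(5cc.5a8) 14:57:48:966 LibMain: Process Name: C:\WINDOWS\system32\rundll32.exe
USERENV(2ac.f88) 14:59:48:211 UserPolicyCallback: Setting status UI to Applying your personal settings...
USERENV(2ac.f88) 14:59:49:112 ProcessGPOList: Extension Internet Explorer Branding returned 0x0.
"""
BRNLOG_SAMPLE = """
02/15/2008 10:22:26 Refreshing browser settings...
02/15/2008 10:22:26 Broadcasting "Windows settings change" to all top level windows...
02/15/2008 10:24:25 Done processing group policy.
"""

USERENV_RE = re.compile(r"^USERENV\(([0-9a-fA-F]+\.[0-9a-fA-F]+)\) (\d\d:\d\d:\d\d:\d{3}) (.*)$")
BRNLOG_RE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (.*)$")

def parse(lines):
    """Yield (writer, timestamp, message) for each recognised log line."""
    for line in lines:
        line = line.strip()
        m = USERENV_RE.match(line)
        if m:  # writer is the pid.tid pair, so interleaved threads are tracked separately
            yield m[1], datetime.strptime(m[2], "%H:%M:%S:%f"), m[3]
            continue
        m = BRNLOG_RE.match(line)
        if m:
            yield "brnlog", datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S"), m[2]

def find_stalls(lines, threshold=timedelta(seconds=30)):
    """Return (gap_seconds, message_before, message_after) for each long silence."""
    last, stalls = {}, []
    for writer, ts, msg in parse(lines):
        if writer in last:
            prev_ts, prev_msg = last[writer]
            gap = ts - prev_ts
            if gap < timedelta(0):       # userenv.log has no date: handle midnight rollover
                gap += timedelta(days=1)
            if gap >= threshold:
                stalls.append((gap.total_seconds(), prev_msg, msg))
        last[writer] = (ts, msg)
    return stalls

if __name__ == "__main__":
    for sample in (USERENV_SAMPLE, BRNLOG_SAMPLE):
        for secs, before, after in find_stalls(sample.splitlines()):
            print(f"{secs:8.3f}s stall\n  last line before: {before}\n  first line after: {after}")
```

Run against full log files from several machines, the "last line before" column shows whether every stall starts at the same step.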
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Can I have my points refunded?
<<start source paste>>
That is typically dns misconfiguration. Make sure that computer is pointing only to
an AD domain controller running dns as its preferred dns server in tcp/ip
properties. Running netdiag on it may also be helpful looking for failed tests
pertaining to dns, domain membership, dclist, and trust relationship test.
<<end source paste>>
source: http://www.tutorials-win.com/Networking/Login-delay/