ryanmgreen
asked on
How to use Wireshark to monitor XP bootup Applying computer settings
In the past few weeks I've noticed that our computers all hang on applying computer settings for 1-2 minutes. I've checked all the DNS issues in other posts but still not finding anything wrong there. I've seen a few people recommend to use Wireshark to see what is happening during the 'applying computer settings'. However, I can't find any documentation on how to setup Wireshark to run during this period. The only thing I see is the live capture where I have to start it manually. Any help would be appreciated. Thanks!
I'm not very experienced with WireShark but maybe I can help with the other issue. Do you have any GPOs running? Make sure your clients only point to internal DNS servers. Are you getting any errors in the Event logs on the clients and server? Can you give me a quick overview of your network setup?
>However, I can't find any documentation on how to setup Wireshark to run during this period
I don't know if that's even possible... but you could get a small hub (or a switch capable of replicating traffic on a port) and capture the traffic on another machine...
the setup would be something like this:
net---[hub]---[problem computer]
|
[functional computer running wireshark]
then again, i don't know if wireshark is the tool for diagnosing that kind of problem...
I don't know if that's even possible... but you could get a small hub (or a switch capable of replicating traffic on a port) and capture the traffic on another machine...
the setup would be something like this:
net---[hub]---[problem computer]
|
[functional computer running wireshark]
then again, i don't know if wireshark is the tool for diagnosing that kind of problem...
ASKER
Dariusg-We do have GPOs running and am starting to think that may be causing the issue-although nothing was changed recently. We have one for domain computers and one for laptop computers. Seems that the laptop computers are the only ones have the lag on applying computer settings. Possibly because of the firewall disable entry being in both policies. Maybe it is conflicting there? I turned on verbose logging and attached the file. You'll notice there's almost a 2 minute delay in this area:
USERENV(470.3f4) 12:27:34:897 PolicyChangedThread: Calling UpdateUser with 1.
USERENV(470.3f4) 12:27:35:022 PolicyChangedThread: Broadcast message for 1.
USERENV(40c.410) 12:27:35:116 LibMain: Process Name: C:\WINDOWS\System32\alg.ex e
USERENV(470.3f4) 12:27:35:789 PolicyChangedThread: Leaving
USERENV(2f8.298) 12:27:41:827 LibMain: Process Name: C:\WINDOWS\system32\wbem\w miprvse.ex e
USERENV(ba0.ba4) 12:28:36:095 LibMain: Process Name: C:\WINDOWS\system32\userin it.exe
USERENV(470.e58) 12:30:44:796 IsSyncForegroundPolicyRefr esh: Synchronous, Reason: policy set to SYNC
USERENV(470.474) 12:30:46:360 LoadUserProfile: Yes, we can impersonate the user. Running as self
We don't do anything with WMI and I'm not sure why the userinit.exe would take so long. Any ideas?
startup.txt
USERENV(470.3f4) 12:27:34:897 PolicyChangedThread: Calling UpdateUser with 1.
USERENV(470.3f4) 12:27:35:022 PolicyChangedThread: Broadcast message for 1.
USERENV(40c.410) 12:27:35:116 LibMain: Process Name: C:\WINDOWS\System32\alg.ex
USERENV(470.3f4) 12:27:35:789 PolicyChangedThread: Leaving
USERENV(2f8.298) 12:27:41:827 LibMain: Process Name: C:\WINDOWS\system32\wbem\w
USERENV(ba0.ba4) 12:28:36:095 LibMain: Process Name: C:\WINDOWS\system32\userin
USERENV(470.e58) 12:30:44:796 IsSyncForegroundPolicyRefr
USERENV(470.474) 12:30:46:360 LoadUserProfile: Yes, we can impersonate the user. Running as self
We don't do anything with WMI and I'm not sure why the userinit.exe would take so long. Any ideas?
startup.txt
userinit.exe usually runs the scripts listed in the GPO. See if this link helps out.
https://www.experts-exchange.com/questions/23683948/when-logging-off-a-session-session-hangs-for-1-to-2-minutes-before-shutting-down.html
https://www.experts-exchange.com/questions/23683948/when-logging-off-a-session-session-hangs-for-1-to-2-minutes-before-shutting-down.html
ASKER
I have uphclean installed on all our laptops here. So that doesn't appear to be helping.
Also, I can't disable autocert enrollment as we do use that for email encryption and I believe that needs to be running in order for our local CA to work properly.
Also, I can't disable autocert enrollment as we do use that for email encryption and I believe that needs to be running in order for our local CA to work properly.
There is more then one post on EE and google talking about the autoenrollment fixing the issue.
ASKER
Ok well I'll look into it. Any idea if disabling Autoenrollment would mess with the Exchange encryption from our CA? I've been googling that but not having any luck.
Honestly I would think it might but I'm not for sure. You can always test.
ASKER
It does cause problems with encryption and it didn't fix the issue either. We have a computer policy and a laptop policy. In the computer policy the domain profile has the firewall disabled. In the laptop Policy the firewall is disabled on the standard profile, for some in-house wireless issues. Removing this laptop policy fixes the issue so I guess that is the problem. Maybe just trying to read from two different policies is slowing it down.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.