How to use Wireshark to monitor XP bootup Applying computer settings

Posted on 2008-10-06
Last Modified: 2011-10-19
In the past few weeks I've noticed that our computers all hang on applying computer settings for 1-2 minutes.  I've checked all the DNS issues in other posts but still not finding anything wrong there.  I've seen a few people recommend to use Wireshark to see what is happening during the 'applying computer settings'.  However, I can't find any documentation on how to setup Wireshark to run during this period.  The only thing I see is the live capture where I have to start it manually.  Any help would be appreciated.  Thanks!
Question by:ryanmgreen
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22651618
I'm not very experienced with WireShark but maybe I can help with the other issue. Do you have any GPOs running? Make sure your clients only point to internal DNS servers. Are you getting any errors in the Event logs on the clients and server? Can you give me a quick overview of your network setup?

Expert Comment

ID: 22653526
>However, I can't find any documentation on how to setup Wireshark to run during this period

I don't know if that's even possible... but you could get a small hub (or a switch capable of replicating traffic on a port) and capture the traffic on another machine...

the setup would be something like this:
net---[hub]---[problem computer]
[functional computer running wireshark]

then again, i don't know if wireshark is the tool for diagnosing that kind of problem...

Author Comment

ID: 22661223
Dariusg-We do have GPOs running and am starting to think that may be causing the issue-although nothing was changed recently.  We have one for domain computers and one for laptop computers.  Seems that the laptop computers are the only ones have the lag on applying computer settings.  Possibly because of the firewall disable entry being in both policies.  Maybe it is conflicting there?  I turned on verbose logging and attached the file.  You'll notice there's almost a 2 minute delay in this area:
USERENV(470.3f4) 12:27:34:897 PolicyChangedThread: Calling UpdateUser with 1.
USERENV(470.3f4) 12:27:35:022 PolicyChangedThread: Broadcast message for 1.
USERENV(40c.410) 12:27:35:116 LibMain: Process Name:  C:\WINDOWS\System32\alg.exe
USERENV(470.3f4) 12:27:35:789 PolicyChangedThread: Leaving
USERENV(2f8.298) 12:27:41:827 LibMain: Process Name:  C:\WINDOWS\system32\wbem\wmiprvse.exe
USERENV(ba0.ba4) 12:28:36:095 LibMain: Process Name:  C:\WINDOWS\system32\userinit.exe
USERENV(470.e58) 12:30:44:796 IsSyncForegroundPolicyRefresh: Synchronous, Reason: policy set to SYNC
USERENV(470.474) 12:30:46:360 LoadUserProfile: Yes, we can impersonate the user. Running as self

We don't do anything with WMI and I'm not sure why the userinit.exe would take so long.  Any ideas?
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

LVL 59

Expert Comment

by:Darius Ghassem
ID: 22661320
userinit.exe usually runs the scripts listed in the GPO. See if this link helps out.

Author Comment

ID: 22661568
I have uphclean installed on all our laptops here.  So that doesn't appear to be helping.  

Also, I can't disable autocert enrollment as we do use that for email encryption and I believe that needs to be running in order for our local CA to work properly.  
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22661617
There is more then one post on EE and google talking about the autoenrollment fixing the issue.

Author Comment

ID: 22661923
Ok well I'll look into it.  Any idea if disabling Autoenrollment would mess with the Exchange encryption from our CA?  I've been googling that but not having any luck.
LVL 59

Expert Comment

by:Darius Ghassem
ID: 22662474
Honestly I would think it might but I'm not for sure. You can always test.

Author Comment

ID: 22689056
It does cause problems with encryption and it didn't fix the issue either.  We have a computer policy and a laptop policy.  In the computer policy the domain profile has the firewall disabled.  In the laptop Policy the firewall is disabled on the standard profile, for some in-house wireless issues.  Removing this laptop policy fixes the issue so I guess that is the problem.  Maybe just trying to read from two different policies is slowing it down.
LVL 59

Accepted Solution

Darius Ghassem earned 500 total points
ID: 22689092
Most likely a conflict.

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question