Using Process Monitor (ProcMon.exe) to troubleshoot FSLogix issues

    How to use ProcMon to gather the information needed to troubleshoot FSLogix issues.



    1. Get Process Monitor

    Download Procmon.exe from:

    https://docs.microsoft.com/en-us/sysinternals/downloads/procmon or https://live.sysinternals.com/


    2. Starting ProcMon

    There are two general places to run ProcMon:

    1. If you are trying to capture something that happens during the logon process, it is best to run ProcMon in another logged-on user's session on the same machine. Even if you are using Switch User, a ProcMon instance running in the other user's session will capture what happens in the new session that starts when you log on.
    2. If you are just capturing something that happens in the user's session after logon, run ProcMon in that user's session.

    Once you have decided where to run it, start ProcMon and click the magnifying glass icon to pause the trace until you are ready to go through the steps that cause the issue. Note: if left running for long periods, ProcMon traces can get very large. However, they compress well, so don't worry too much if the capture takes some time; the log file can usually be compressed to a manageable size. Also click the second icon (the eraser) to clear the log before you start capturing the issue.

    When you are ready to reproduce the issue, click the magnifying glass to start the trace, then execute the steps that reproduce it. Make sure ProcMon is started early enough to capture the events you need. For example:

    • If the error happens as part of the startup of a program, then ProcMon should be capturing before you start the program.
    • But if the error happens when you click an icon in a program, then the program should be running before you start capturing with ProcMon.
    • Of course there are always exceptions to the rules, but these are the general guidelines.

    3. Ending ProcMon and saving the log file

    Once the issue is reproduced (error message pops up, function doesn't work, etc.), click the magnifying glass to stop the trace. Click File > Save and select All Events, as highlighted. Save it wherever works best for you, then zip the file to compress it and make it easier to transport. Attach it to a ticket and we will be able to review it.



    4. Measuring logon time with ProcMon

    Using ProcMon you can tell approximately how long a logon takes and which processes are involved. It doesn't give a summary or breakdown of each step; it is a very granular view showing every file and registry call. You have to explore the trace and use filters to understand what is going on, and you may need to compare it against a trace from a system you consider standard to see where the timings of particular steps differ.

    Below is a list of what I consider to be the key processes in a user logon. This is from a W2K12 R2 system.

    Direct chain for user start-up (other processes start in between these, but they are not in the direct chain to explorer.exe):


    9/12/2017 4:09:42.3144697 PM  Process Start for smss.exe (Windows Session Manager) as NT AUTHORITY\SYSTEM
    9/12/2017 4:09:42.7675822 PM  Process Start for winlogon.exe as NT AUTHORITY\SYSTEM
    9/12/2017 4:09:46.4650198 PM  ProfileImagePath is read from the registry to find where the profile is located; the first time, it is read by the SYSTEM account
    9/12/2017 4:09:46.4658665 PM  svchost (netsvcs) starts reading ntuser.dat (it looks for ntuser.man first)
    9/12/2017 4:09:46.4659886 PM  svchost (netsvcs) starts reading the registry
    9/12/2017 4:09:53.7663272 PM  Process Start for userinit.exe as the logging-on user
    9/12/2017 4:09:54.9680708 PM  Process Start for explorer.exe as the logging-on user. Explorer.exe signals that the desktop has opened and is the main marker that the logon has been processed and the desktop presented to the user


    What is the first process running as the user? It is started by svchost (DcomLaunch) and varies: TSTheme.exe, msoia.exe or taskhostex.exe, for example, since the Windows logon process does not run serially except for a few key processes.

    What makes the first call to the user's profile path (C:\users\<user_name>)? svchost (netsvcs).

    What makes the first call to the user's registry? There are some Terminal Services calls first, but the first successful one appears to be svchost.exe, for the hive path HKU\<SID>.


    So the time from the first process start (in this case smss.exe) to the explorer.exe start (the Windows shell) is approximately how long the logon takes; in this case about 12 seconds. This can be compared with the FSLogix Profile and ODFC logs for the logging-on user to understand what is going on.
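    To turn the milestones listed above into numbers from a saved trace, here is an added PowerShell example (not from the original post or from FSLogix) that reads a ProcMon CSV export (File > Save > CSV) and reports the smss.exe to explorer.exe interval. It assumes the column names and "Time of Day" format ProcMon writes by default; the sample rows are constructed from the timings quoted above, with a made-up SID, PIDs and user name.

```powershell
# Added example (not from the original post): pull the key logon milestones out of a
# Procmon trace saved as CSV (File > Save > CSV) and compute the smss.exe -> explorer.exe
# time. Assumes Procmon's default CSV columns and its 7-digit "Time of Day" format.
function Get-LogonTimeline {
    param([Parameter(Mandatory)][object[]]$Rows)   # rows from Import-Csv / ConvertFrom-Csv

    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($r in $Rows) {
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($r.'Time of Day', 'h:mm:ss.FFFFFFF tt', $culture)
            Process   = $r.'Process Name'
            Operation = $r.Operation
            Path      = $r.Path
            Result    = $r.Result
        }
    }
    # First event matching a filter; Procmon writes events in time order, so no sort is needed
    function First([scriptblock]$Filter) { $events | Where-Object $Filter | Select-Object -First 1 }

    $smss     = First { $_.Operation -eq 'Process Start' -and $_.Process -ieq 'smss.exe' }
    $explorer = First { $_.Operation -eq 'Process Start' -and $_.Process -ieq 'explorer.exe' }
    $profPath = First { $_.Path -like '*\ProfileList\*\ProfileImagePath' -and $_.Result -eq 'SUCCESS' }
    $hive     = First { $_.Path -like '*\ntuser.dat' -and $_.Result -eq 'SUCCESS' }
    if (-not $smss -or -not $explorer) { throw 'Trace lacks smss.exe and/or explorer.exe Process Start events' }

    [pscustomobject]@{
        SmssStart        = $smss.Time
        ProfileImagePath = if ($profPath) { $profPath.Time } else { $null }
        NtuserDatRead    = if ($hive) { $hive.Time } else { $null }
        ExplorerStart    = $explorer.Time
        LogonSeconds     = [math]::Round(($explorer.Time - $smss.Time).TotalSeconds, 2)
    }
}

# Constructed sample rows using the timings quoted above (SID, PIDs and user name are made up)
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"4:09:42.3144697 PM","smss.exe","420","Process Start","","SUCCESS","Parent PID: 4"
"4:09:42.7675822 PM","winlogon.exe","612","Process Start","","SUCCESS","Parent PID: 420"
"4:09:46.4650198 PM","svchost.exe","880","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-0-0-0-1001\ProfileImagePath","SUCCESS","Type: REG_EXPAND_SZ"
"4:09:46.4658665 PM","svchost.exe","880","CreateFile","C:\Users\jdoe\ntuser.man","NAME NOT FOUND","Desired Access: Generic Read"
"4:09:46.4659886 PM","svchost.exe","880","CreateFile","C:\Users\jdoe\ntuser.dat","SUCCESS","Desired Access: Generic Read"
"4:09:53.7663272 PM","userinit.exe","1204","Process Start","","SUCCESS","Parent PID: 612"
"4:09:54.9680708 PM","explorer.exe","1320","Process Start","","SUCCESS","Parent PID: 1204"
'@

Get-LogonTimeline -Rows (ConvertFrom-Csv $sample) | Format-List
# For a real trace: Get-LogonTimeline -Rows (Import-Csv .\Logfile.CSV)
```

    Comparing the LogonSeconds value (and the gap between ProfileImagePath and NtuserDatRead) from a slow machine against a machine you consider standard narrows down which step to look at in the FSLogix logs.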


    Some filters used in ProcMon to do this analysis are shown below:

    For cases where ProcMon needs to be started remotely (for example, at logon on a single-user machine where Switch User is not available), do the following.

    Put ProcMon and PsExec in the c:\tools directory on the machine you will run the PsExec command from (or another directory, if you change the variables), and make sure you have access to the Admin$ share on the machine where the ProcMon trace is to run.
    From an admin PowerShell prompt:
    -----------------------------Begin code snippet ---------------
    # Remote machine where the ProcMon trace should run
    $ComputerName = "the computer name where to run the procmon trace"
    $PsExec  = "c:\tools\psexec.exe"
    $Procmon = "c:\tools\procmon.exe"
    # Remove any previous trace and copied binary (ignore errors if they do not exist yet)
    Remove-Item "\\$ComputerName\admin$\Temp\Trace.pml" -ErrorAction SilentlyContinue
    Remove-Item "\\$ComputerName\admin$\procmon.exe" -ErrorAction SilentlyContinue
    # Copy procmon.exe to the remote Admin$ share (-c), run it as SYSTEM (-s) without loading a
    # profile (-e) and do not wait for it to exit (-d). /BackingFile must be followed directly by the log path.
    & $PsExec -s -e -d "\\$ComputerName" -c $Procmon /AcceptEula /BackingFile C:\Windows\Temp\Trace.pml /Quiet
    # Capture trace for 20 seconds
    Start-Sleep -Seconds 20
    # Tell the running ProcMon instance to stop and flush the trace
    & $PsExec -s -e "\\$ComputerName" "C:\Windows\procmon.exe" /Terminate
    Copy-Item "\\$ComputerName\admin$\Temp\Trace.pml" "$pwd\Trace.pml"
    ---------End code snippet---------------------------
    This will connect to the machine, run ProcMon, wait for 20 seconds, terminate ProcMon, and then copy Trace.pml to the current working directory.
    Monday, June 24, 2019 11:07 PM