How to decrease screen unlock time in Windows 7

  • Question

  • This may sound like a non-issue to some, but I've found the 6-7 seconds it takes for Windows 7 Pro (on a domain) to unlock after entering your password to be incredibly annoying. I have to lock my screen frequently when I step away from my desk at work (which I do a lot) and after getting used to instant unlocks on XP this is very annoying. I know that this has to do with communication/reauthentication with the domain controller, but even after turning off the policy that requires checking the password with the domain controller for screen unlocks, the unlock time doesn't improve.

    Is there any way to get the Windows 7 screen unlock to operate more like Windows XP Pro? This isn't the solid-color wallpaper issue, btw.

    Tuesday, July 19, 2011 1:46 AM

Answers

  • Well, I disabled the Smart card reader and the Laptop's TPM and Fingerprint reader modules, and the delay was reduced to 2 seconds. Then I uninstalled all the related software such as Dell's ControlPoint security software and the remaining delay disappeared. It's unfortunate these things slow down the login process, but I won't miss them too much.

    Thank you for your responses, and hopefully someone else finds this useful!

    • Marked as answer by Fltsimbuff Tuesday, July 19, 2011 7:10 PM
    Tuesday, July 19, 2011 7:10 PM

All replies

  • Not at all really. It's gigabit, barely utilized, low latency. I actually caught a PCAP of the activity during the unlock to verify that's what it was waiting on. I've seen a lot of Windows network operations take longer than they should, not necessarily because of network speed but because they might do something like try a couple of different ways of connecting to a share before settling on one. It's usually not too bad, but the unlock delay gets pretty irritating.
    Tuesday, July 19, 2011 4:20 PM
  • Here is what I see in the PCAP during unlock:

    -The workstation connects to port 445 on the PDC and starts an SMB2 negotiate request. After the response it sends a Kerberos TGS-REQ only showing AES 256 in supported encryption formats. This gets rejected with an ERR_ETYPE_NOSUPP. It responds with another request, this time with more avail formats. The PDC responds with a ticket encrypted via RC4-HMAC.

    -Next is an SMB2 Session Setup request and tree connect to IPC$ on the PDC and some communication via named pipe named srvsvc

    -Next it does an LDAP bind and some lookups.

    -Another SMB2 session is set up, this time accessing sysvol and pulling the group policy ini for 3 or 4 different policies.

    -Next another 2 LDAP binds and lookups as separate connections.

    -Then more SMB2 communication that appears to retrieve the user registry GPO settings.

    -- All the above occurred in 1 second, then there are 4 seconds of no activity. --

    -More SMB2 traffic, accessing the srvsvc named pipe again on the PDC

    -Another 2 LDAP binds and queries, another Kerberos session ticket request, more LDAP, and finally unlock

    There seems to be a LOT of communication for a local workstation unlock that has the GPO to reauth with the PDC on unlock disabled... I can see why it might want to update GPOs on unlock, but is there any way to disable that behavior?

    Given that those communications seem to happen very quickly, there must be something in between the two sets of queries that is causing the delay (4 seconds in the last example). In troubleshooting this, I stopped all software from loading at startup and even disabled some services such as secondary login to see if it would have any effect. Any ideas?

    Tuesday, July 19, 2011 4:51 PM
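
The timeline reading described in the post above, as an added example that is not part of the original thread: it parses a tab-separated export of a capture (time, protocol, summary), reports silent periods with the events on either side, and flags a Kerberos exchange where KDC_ERR_ETYPE_NOSUPP is followed by a ticket in a fallback encryption type. The trace, its field layout and the function names are constructed for illustration; etype numbers 17, 18 and 23 are the standard Kerberos assignments.

```python
from typing import NamedTuple

# Constructed sample (relative seconds, protocol, summary); not the poster's capture.
SAMPLE = """\
0.000\tSMB2\tNegotiate Protocol Request
0.004\tKRB5\tTGS-REQ etypes=18
0.006\tKRB5\tKRB-ERROR KDC_ERR_ETYPE_NOSUPP
0.008\tKRB5\tTGS-REQ etypes=18,17,23
0.011\tKRB5\tTGS-REP etype=23
0.030\tSMB2\tTree Connect IPC$
0.210\tLDAP\tbindRequest
0.640\tSMB2\tRead gpt.ini
0.980\tSMB2\tRead registry.pol
5.010\tSMB2\tCreate srvsvc
5.150\tLDAP\tbindRequest
5.420\tLDAP\tsearchRequest
"""
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

class Event(NamedTuple):
    t: float
    proto: str
    info: str

def parse(text):
    rows = (line.split("\t", 2) for line in text.splitlines() if line.strip())
    return sorted(Event(float(t), p, i) for t, p, i in rows)

def idle_gaps(events, threshold=1.0):
    """(seconds, last event before, first event after) for each silent period."""
    return [(round(b.t - a.t, 3), a, b)
            for a, b in zip(events, events[1:]) if b.t - a.t >= threshold]

def etype_fallbacks(events):
    """Tickets issued right after the KDC rejected the offered etypes."""
    found, rejected_at = [], None
    for e in (e for e in events if e.proto == "KRB5"):
        if "KDC_ERR_ETYPE_NOSUPP" in e.info:
            rejected_at = e.t
        elif rejected_at is not None and e.info.startswith("TGS-REP"):
            etype = int(e.info.rsplit("etype=", 1)[1])
            found.append((rejected_at, ETYPES.get(etype, str(etype))))
            rejected_at = None
    return found

if __name__ == "__main__":
    events = parse(SAMPLE)
    for secs, before, after in idle_gaps(events):
        print(f"{secs}s idle between '{before.info}' and '{after.info}'")
    print(etype_fallbacks(events))
```

A long gap bracketed by fast responses points at the client rather than the network, which is where the rest of the thread goes next. The RC4-HMAC fallback is a separate finding worth reviewing against the domain's Kerberos encryption-type settings.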
  • I am not sure what you are looking for with your question. The PDC is just a Windows 2008 (R1) server. The client is a Windows 7 Pro w/SP1 laptop that has all the Aero effects and all graphical enhancements turned off (I've found it uses a LOT less memory that way).
    Tuesday, July 19, 2011 5:09 PM
  • 8GB of RAM, Dual-core i7 and a fast SSD.
    Tuesday, July 19, 2011 5:22 PM
  • Windows uses a form of LDAP as well for Active Directory. That's where the LDAP stuff is coming from. It does not appear to be network, but the 4 second gap between network requests. All of the requests are fulfilled within milliseconds, so there's got to be some service or something on the laptop making it wait. I just disabled all non-essential services, turned off AV scanner, removed all unneeded protocol bindings from my NIC, disabled wireless and unneeded hardware and same problem...

    There are a number of other people on our network with the same issue, just since going to Windows 7. I've been poring through event log entries to see if I can see some service waiting on something but so far nothing...

    Tuesday, July 19, 2011 5:41 PM
  • So I used Process Monitor to record access to registry keys and files during the unlock process. What I am seeing is LogonUI.exe repeatedly reading in many registry keys related to cryptography, certificates, etc. It appears to do this several times within the 4-5 second period. I am also seeing access by SVCHOST.exe to registry keys for a deviceclass that maps to my smartcard reader (the laptop has one built in.)

    It sounds like it may be trying to read a smart card and waiting on that.

    Tuesday, July 19, 2011 6:40 PM