GPO debug logging for Windows 7

All replies

• 

  

  0

  Sign in to vote

  The userenv.log file is no longer present in Windows 7.
  But Windows 7 by default logs many events to event log. This seems to be the new strategy at Microsoft.
  For Group Policy there is a own "Operational" event log file that contains really many information.
  In addition, there is a tool called "GPLogView" that can be used to filter and export (text, html, xml) the GP related event log.
  
  Natively text based log files instead can only be created for some components.
  The required parameters to activate text based log files are not officially documented by Microsoft.
  

  In Windows 7 GPO processing is performed by a service called "Goup Policy Client" .
  A log file can be written by the service when implementing the following registry value:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics]
  "GPSvcDebugLevel"=dword:00030002

  The resulting log file does not contain as much information as the userenv.log in Windows XP,
  but that is because all the non GP related actions (log on process, profiles, etc) are not part of this log.
  It is dedicated to group policy actions only.

  ---

  Patrick

  Thursday, January 7, 2010 10:14 AM
• 

  

  0

  Sign in to vote

  Patric, I don't see "Diagnostics" key under CurrentVersion. Do I need to create that key?

  ---

  Thanks, Sitaram http://techibee.com http://sitaram-pamarthi.com

  Thursday, January 7, 2010 10:21 AM
• 

  

  1

  Sign in to vote

  Yes, this key does exist by default and therefore you have to create it.
  You can use the 2 lines I posted as part of a .reg file and simply import it to registry.
  
  By the way, the resulting log file will be
  %WINDIR%\debug\usermode\gpsvc.log
  
  

  ---

  Patrick

  • Marked as answer by pamarths Thursday, January 7, 2010 4:03 PM

  Thursday, January 7, 2010 11:46 AM
• 

  

  0

  Sign in to vote

  Thanks much Patrick. It worked for me.
  
  To help people like me, I stashed the details to http://techibee.com/group-policies/enable-group-policy-debugging-on-windows-7/191
  
  Thanks again..!!
  
  ~Sitaram

  ---

  Thanks, Sitaram http://techibee.com http://sitaram-pamarthi.com

  Thursday, January 7, 2010 4:03 PM
• 

  

  3

  Sign in to vote

  Hi Sitaram,

   

  From Windows Vista, the Group Policy engine no longer records information in the userenv.log. Instead, detailed logging of Group Policies can be located using Event Viewer.

   

  Therefore, besides the gpsvc.log, the log for group policy processing can be found in the Event Viewer under Applications and Services Logs\Microsoft\Windows\Group Policy\Operational.

   

  For more information, please refer to:

   

  http://blogs.technet.com/askperf/comments/2975012.aspx

   

  Hope this will be helpful for you.

   

  Regards,

  Bruce

  • Marked as answer by Bruce-Liu Wednesday, January 13, 2010 7:05 AM

  Friday, January 8, 2010 7:15 AM
• 

  

  1

  Sign in to vote

  It looks like Windows 2008R2/Win7 are still missing the ability to log all logon events that usrenvdebug log did.  I really would like that functionality back as it is indispensible for trouble shooting long logon times and to verify if logon scripts are running.

  ---

  Michael Pekarik Syntax, Inc.

  Thursday, October 27, 2011 9:47 PM
• 

  

  0

  Sign in to vote

  As stated before, there is GPSVCDebugLevel

  Value Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics

  Value Name: GPSvcDebugLevel

  Value Type: REG_DWORD

  Value Data: 30002 (hex)

  Which gives enhanced Group Policy logging ---- HOWEVER

  For those looking for PROFILE LOGGING!!!!!

  Microsoft provides a mechanism for enhanced userenv debug logging. However, unfortunately you have to send it to them.

   

  To start Profile logging (from a Command Prompt):

   

  • logman -start profile -p {eb7428f5-ab1f-4322-a4cc-1f1a9b2c5e98} 255 3 -ets

   

  To stop Profile logging (from a Command Prompt):

   

  • logman -stop -profile -ets

   

  This creates a LOG File with a ETL format (in c:\windows\system32) in an encoded format which only Microsoft can read *they have an ETL viewer* - I begged them for the tool but they wouldn't give it to me.

  So basically there is profile logging (i.e. Same information as UserEnvDebug.log) for Windows 7 - however Microsoft seem to want to charge you for reading / debugging it!

   

  
  
  
  
  
  

  • Proposed as answer by Jools86 Wednesday, January 4, 2012 5:05 PM
  • Edited by Jools86 Wednesday, January 4, 2012 5:07 PM

  Wednesday, January 4, 2012 5:03 PM
• 

  

  0

  Sign in to vote

  You can read event trace log (ETL) format files with Microsoft Windows Performance Analyzer or with Microsoft Service Trace Viewer (SvcTraceViewer.exe)

   

  Check out the Windows Performance Analysis Developer Center --  http://msdn.microsoft.com/en-us/performance/cc709422

  and then download the latest Microsoft Windows SDK for Windows 7-- http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3138

  
  

  • Edited by it350 Thursday, January 26, 2012 11:57 PM

  Thursday, January 26, 2012 11:56 PM
• 

  

  0

  Sign in to vote

  thats correct as you said in Pluralsight course.
  

  Sunday, August 28, 2016 11:04 AM