Have a problem that occurs when you log on? Wonder if that Group Policy settings are being properly applied? Got a logon script that keeps crashing?  Turn on debug logging for Windows logon events to find out what is going on.

Supported OS Versions

This solution applies to:

  • Windows 2000 Advanced Server
  • Windows 2000 Datacenter Server
  • Windows 2000 Professional Edition
  • Windows 2000 Server
  • Windows Server 2003, Datacenter Edition (32-bit x86)
  • Windows Server 2003, Datacenter x64 Edition
  • Windows Server 2003, Enterprise Edition (32-bit x86)
  • Windows Server 2003, Enterprise x64 Edition
  • Windows Server 2003, Standard Edition (32-bit x86)
  • Windows Server 2003, Standard x64 Edition
  • Windows XP Professional

I have not tested Windows 7 and Windows Vista with this solution.

The General Procedure

The process entails creating or changing a specific registry key on the target computer you are troubleshooting, and setting the key to a data value that both creates a log file for the user’s environment and writes debug-level output of the logon process.  Once this value is set, the user needs to log out and log back in.  This log file is not user-specific and logs all logon-related actions the computer takes during the logon process and everything the user does once logged in.

Enable Debug Logging of Windows Logon events


This procedure involves making changes to the Windows registry which can result in an inoperable computer.  Back up your registry before attempting this procedure.

Here are the steps:

  1. Click Start
  2. Click Run
  3. Type: regedit
  4. Click OK
  5. Open or browse down to the following location in the registry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  6. Right click in the right hand pane
  7. Select New > DWORD value
  8. Set the DWORD name to UserEnvDebugLevel
  9. Double-click the UserEnvDebugLevel value, set the data to:

This causes Windows to create the following file:


(typically C:\WINDOWS\Debug\UserMode\userenv.log)

The userenv.log file will contain debug output at the maximum verbosity–it will show every user action and every action of the system during logon. It does NOT log keystrokes, but it does show which applications were launched.   This file is renamed to automatically by Windows when it reaches 1MB, at which point it is rolled over to userenv.bak and a new file is created.

This log file is useful in troubleshooting the following problems:

  1. Windows Logon issues
  2. Group Policy issues (GPO)
  3. Logon scripts
  4. Slow replication link issues (GPO related)
  5. User Profile problems
  6. Roaming Profiles
  7. Registry issues related to the user’s profile
  8. Folder Redirection problems

Interpreting Userenv.log Messages

The Userenv.log file will contain numerous messages. Typically, you’re looking for messages with “failed” or “error” in them.

General Format

Each line in the log file is formatted as follows:

USERENV(process.code) HH:MM:SS:mmm ProcessName: Message/Statement

Note that no date is displayed.  Below is a copy of sample output from a real log file.

USERENV(2dc.2e0) 00:53:00:296 InitializePolicyProcessing: Initialised Machine Mutex/Events
USERENV(2dc.2e0) 00:53:00:296 InitializePolicyProcessing: Initialised User Mutex/Events
USERENV(2dc.2e0) 00:53:00:296 LibMain: Process Name:  \??\C:\WINDOWS\system32\winlogon.exe
USERENV(2dc.2e0) 00:53:00:609 Entering CUserProfile::Initialize ...
USERENV(2dc.2e0) 00:53:00:609 CUserProfile::Initialize called by winlogon

Here’s the link to Microsoft’s website where the list of possible errors, messages and troubleshooting steps are located.

Microsoft:  Interpreting Userenv log files