How to use process monitor to view or log a windows login?

Question

We're having some issues with Windows 7 Roaming profiles and I was reading here that the login process can be monitored using process monitor.

"There are a couple of ways to configure Process Monitor to record logon operations: one is to use Sysinternals PsExec to launch it in the session 0 so that it survives the logoff and subsequent logon and another is to use the boot logging feature to capture activity from early in the boot, including the logon."

How does one do either of these options using process monitor to find out what is happening during a user login?

score 5 · Accepted Answer · answered Sep 28 '12 at 15:31

"There are a couple of ways to configure Process Monitor to record logon operations: one is to use Sysinternals PsExec to launch it in the session 0 so that it survives the logoff and subsequent logon and another is to use the boot logging feature to capture activity from early in the boot, including the logon."

I don't believe that either of the above are valid for Windows 7 for the following reasons:

There's no session 0 in Windows 7, as far as I know.
User environment debug logging (which is what it sounds like they're recommending) has been replaced/supplanted with the Group Policy event log.

So, my suggestion would be to start by looking at the Group Policy event log on one of the problem machines.

Yes. You should be able to find it at: Event Viewer>Applications and Services Logs>Microsoft>Windows>GroupPolicy>Operational — joeqwerty, Sep 28 '12 at 15:45

score -1 · Answer 2 · answered Sep 29 '15 at 18:15

-1

procmon - options - enable boot logging or login as admin - start procmon - ctrl alt delete - switch user - login as user switch back to admin and stop tracing

answered Sep 29 '15 at 18:15

bimar

1

What does this work ??? – RolandoMySQLDBA Sep 30 '15 at 16:53

How to use process monitor to view or log a windows login?

2 Answers2

Linked