Did you ever get complaints about slow logon times for users running on a Terminal Server? Probably the answer is yes, but what is slow? And can I measure this with hard numbers? Yes you can do this… By using Process Monitor! And I will show you how.
Logon to the server with the local Administrator account and start Process Monitor.
Stop the capture and clear everything, this prevents the ProcMon from using unnecessary resources for now.
Edit the Filter as follows. Add the processes winlogon.exe, userinit.exe and explorer.exe
Also filter to only show process Start and Exit.
– Winlogon.exe: You can see the first process to kick of is the Winlogon.exe. It is starting on logon and ends when a user clicks the start => logof button.
– Userinit.exe: Next one to launch is the userinit.exe process which includes various user initializations. This process will also have a Process Exit after a while, which means the users session is fully initialized.
– Explorer.exe: When explorer.exe starts the user will first see the dialogbox saying “Loading your personal settings, ….” and he will then get his start menu, meaning he can start working.
Also in the ProcMon uncheck to show Registry, system & Network Activity
Start the capture by clicking the “Capture Events” and immediately start another rdp logon session under the user’s account. You will see ProcMon showing the processes start & exit.
So now we need the Start Time for Winlogon.exe and the Start Time for Explorer.exe. All the time between these two is the time a user is waiting for something to happen.
In this case the Logon time was exactly 41seconds
If you want to go further in to details on what was exactly running you can start the ProcMon Process Tree. This gives you very fine-grained details about all processes running during the logon.