Two Microsoft utilities from the Sysinternals Suite, PsExec and Process Monitor (ProcMon), can be used together to troubleshoot issues encountered during logon.
1) Download and copy these items to the root of the C:\ drive on the host which is being investigated.
2) In an elevated command prompt, run the following:
    psexec -sd -i 0 c:\procmon.exe
As soon as this command is run, a window titled Interactive Services Detection should appear in the Windows taskbar. If this is not seen, then it is necessary to start the service which looks for applications in Session 0. This can be done by running the following command:
    net start ui0detect
In Windows 8 and related operating systems, it is necessary to perform a registry edit prior to running the above "net start" command, as this service is disabled by default:
Change value 1
3) Change to Session 0 using the Interactive Services Detection window, accept the ProcMon EULA and then ensure that the application is configured as desired.
4) Switch back to the regular Windows session by clicking Return Now in the Interactive Services Detection window.
5) Log off and reproduce the action of interest.
6) Log back in to a Windows session. In order to make the Interactive Services Detection window appear again, stop and then start the service, using the following in an elevated command prompt:
    net stop ui0detect
    net start ui0detect
7) Use the Interactive Services Detection window to return to Session 0, stop the capture in ProcMon, save it, and then exit the program. Return to the regular Windows session as before.
The results from ProcMon will show which process is accessing which resource on your system. This lets you see, for example, which applications are touching the Credential Providers registry key located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
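One way to review the saved capture for activity on that key, as an added example that is not part of the original page: the script below reads a ProcMon capture exported as CSV and reports, per process, reads and writes under the Credential Providers key. It assumes the capture was saved in CSV format with ProcMon's default columns; the sample rows, process names, PIDs and CLSIDs are constructed.

```python
import csv
import io
from collections import defaultdict

# Key named on the page; ProcMon's Path column abbreviates the hive as HKLM.
CP_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"
HIVES = ("HKLM\\", "HKEY_LOCAL_MACHINE\\")
# Registry operations that change state; everything else is counted as a read.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue"}

# Constructed sample rows (not real capture data); <CP> expands to the key above.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:02.10","LogonUI.exe","812","RegOpenKey","<CP>","SUCCESS","Desired Access: Read"
"09:14:02.12","LogonUI.exe","812","RegQueryValue","<CP>\{00000000-0000-0000-0000-000000000001}\(Default)","SUCCESS",""
"09:14:05.40","example_setup.exe","2044","RegCreateKey","<CP>\{00000000-0000-0000-0000-000000000002}","SUCCESS",""
"09:14:05.41","example_setup.exe","2044","RegSetValue","<CP>\{00000000-0000-0000-0000-000000000002}\(Default)","SUCCESS","Type: REG_SZ"
"09:14:06.00","svchost.exe","1100","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"09:14:06.20","winlogon.exe","600","CreateFile","C:\Windows\System32\credui.dll","SUCCESS",""
'''.replace("<CP>", "HKLM\\" + CP_KEY)

def touches_cp_key(path):
    """True if a ProcMon Path is the Credential Providers key or anything below it."""
    upper, key = path.upper(), CP_KEY.upper()
    for hive in HIVES:
        if upper.startswith(hive):
            rest = upper[len(hive):]
            return rest == key or rest.startswith(key + "\\")
    return False

def summarize(csv_text):
    """Return (read counts, write events) per (process name, PID) for the key."""
    reads, writes = defaultdict(int), defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not touches_cp_key(row["Path"]):
            continue
        proc = (row["Process Name"], row["PID"])
        if row["Operation"] in WRITE_OPS:
            writes[proc].append((row["Operation"], row["Path"], row["Result"]))
        else:
            reads[proc] += 1
    return dict(reads), dict(writes)

if __name__ == "__main__":
    # For a real export: open(path, newline="", encoding="utf-8-sig").read()
    reads, writes = summarize(SAMPLE_CSV)
    for proc, count in reads.items():
        print("read ", proc, count)
    for proc, events in writes.items():
        print("WRITE", proc, events)
```

Writes under this key during a logon capture are the rows to review first, since the key is normally only read at logon and a new subkey registers an additional credential provider.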