Two Microsoft utilities from the Sysinternals Suite can be used together to troubleshoot issues encountered during logon: Process Monitor (ProcMon) captures the registry, file and process activity, and PsExec launches it in Session 0 so that the capture keeps running while no user is logged on.
ProcMon:
https://live.sysinternals.com/Procmon.exe
PsExec:
https://live.sysinternals.com/psexec.exe

1) Download and copy these items to the root of the C:\ drive on the host which is being investigated.
2) In an elevated command prompt, run the following:
psexec -sd -i 0 c:\procmon.exe
(-s runs ProcMon as the SYSTEM account, -d returns without waiting for ProcMon to exit, and -i 0 starts it interactively in Session 0, the session in which services run.)
As soon as this command is run, a window titled Interactive Services Detection should appear in the Windows taskbar. If it is not seen, it is necessary to start the service that looks for applications displaying a UI in Session 0. This can be done by running the following command:
net start ui0detect
On Windows 8, Windows Server 2012 and later versions, a registry edit is required before running the above "net start" command, as interactive services are disabled by default:
Hive: HKLM
Path: SYSTEM\CurrentControlSet\Control\Windows
DWORD: NoInteractiveServices
Change the value from 1 to 0
Note that the Interactive Services Detection service (ui0detect) was removed in Windows 10 version 1803, so this procedure only applies to earlier versions of Windows.

3) Change to Session 0 using the Interactive Services Detection window, accept the ProcMon EULA and then ensure that the application is configured as desired (filters, drop filtered events, and so on).
4) Switch back to the regular Windows session by clicking Return Now in the Interactive Services Detection window.
5) Log off and reproduce the action of interest. ProcMon keeps capturing because it is running as SYSTEM in Session 0, which is not torn down when the interactive user logs off.
6) Log back in to a Windows session. In order to make the Interactive Services Detection window appear again, stop and then start the service, using the following in an elevated command prompt:
net stop ui0detect
net start ui0detect

7) Use the Interactive Services Detection window to return to Session 0, stop the capture in ProcMon, save it, and then exit the program. Return to the regular Windows session as before.
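The preparatory steps above (checking the tools are in place, flipping NoInteractiveServices, starting or restarting ui0detect, and launching ProcMon through PsExec) can be scripted. The following PowerShell is an added example written for this page, not code from the original article or from Sysinternals. It assumes procmon.exe and psexec.exe are already at the root of C:\ as in step 1, is run from an elevated PowerShell prompt, and the function names are my own.

```powershell
# Added example, not part of the original article. Assumes step 1 is done
# (procmon.exe and psexec.exe copied to C:\) and an elevated prompt.
$ProcMon = 'C:\procmon.exe'
$PsExec  = 'C:\psexec.exe'
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'

function Enable-InteractiveServices {
    # Windows 8 / Server 2012 and later ship with NoInteractiveServices = 1,
    # which stops ui0detect from showing Session 0. Set it to 0 and return the
    # previous value so it can be restored once the capture is finished.
    $prev = (Get-ItemProperty -Path $RegPath -Name NoInteractiveServices `
             -ErrorAction SilentlyContinue).NoInteractiveServices
    if ($prev -eq 1) {
        Set-ItemProperty -Path $RegPath -Name NoInteractiveServices -Value 0 -Type DWord
    }
    return $prev
}

function Show-SessionZero {
    # Start ui0detect if it is stopped, or restart it if already running, so the
    # Interactive Services Detection window appears (used for steps 2 and 6).
    $svc = Get-Service -Name ui0detect -ErrorAction SilentlyContinue
    if (-not $svc) {
        throw 'ui0detect is not present; Interactive Services Detection was removed in Windows 10 1803.'
    }
    if ($svc.Status -eq 'Running') {
        Restart-Service -Name ui0detect
    } else {
        Start-Service -Name ui0detect
    }
}

function Start-LogonCapture {
    foreach ($tool in $ProcMon, $PsExec) {
        if (-not (Test-Path -LiteralPath $tool)) {
            throw "Missing $tool; copy it to the root of C:\ first (step 1)."
        }
    }
    $previous = Enable-InteractiveServices
    if ($previous -eq 1) {
        Write-Host 'NoInteractiveServices changed from 1 to 0; restore it to 1 when finished.'
    }
    Show-SessionZero
    # -s: run as SYSTEM, -d: do not wait for ProcMon to exit, -i 0: interactive
    # in Session 0. -accepteula suppresses PsExec's own licence prompt; ProcMon's
    # EULA is still accepted from inside Session 0 (step 3).
    & $PsExec -accepteula -s -d -i 0 $ProcMon
}

# Steps 1-2:
Start-LogonCapture
# Step 6, after logging back in, just restart the detection service:
# Show-SessionZero
```

Remember to set NoInteractiveServices back to 1 afterwards; leaving interactive services enabled is not a configuration you want to keep on a production host.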
The results from ProcMon will show which process is accessing which resource on the system. This allows you to see, for example, which applications are touching the Credential Provider registry key located at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\
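A captured logon produces a large trace, so it helps to reduce it to the question above: which processes touched the Credential Providers key, and did any of them write to it (a write during logon means something is registering or altering a credential provider, which is worth following up). The following PowerShell is an added example, not code from the original article; it reads a ProcMon export saved as Comma-Separated Values (File > Save) and uses ProcMon's default column names. The sample export embedded below is constructed for illustration, and its process names, PIDs and CLSID GUIDs are invented; the function name is my own.

```powershell
# Added example, not part of the original article. Summarises Credential
# Providers key access from a ProcMon CSV export (default ProcMon columns).
$CredProvKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

# Registry operations that modify the key rather than just read it.
$WriteOps = 'RegSetValue', 'RegCreateKey', 'RegDeleteKey', 'RegDeleteValue', 'RegSetInfoKey'

function Get-CredentialProviderAccess {
    param([Parameter(Mandatory)][object[]]$Events)

    $hits = $Events | Where-Object { $_.Path -like "$CredProvKey*" }
    $hits | Group-Object -Property 'Process Name', PID | ForEach-Object {
        $writes = @($_.Group | Where-Object { $_.Operation -in $WriteOps })
        [pscustomobject]@{
            Process = $_.Group[0].'Process Name'
            PID     = $_.Group[0].PID
            Reads   = $_.Count - $writes.Count
            Writes  = $writes.Count
            Denied  = @($_.Group | Where-Object Result -eq 'ACCESS DENIED').Count
            Paths   = ($_.Group.Path | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object -Property Writes -Descending
}

# Constructed sample export: the processes, PIDs and GUIDs are made up.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1234567 AM","LogonUI.exe","912","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers","SUCCESS","Desired Access: Read"
"9:01:02.1234890 AM","LogonUI.exe","912","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{aaaaaaaa-0000-0000-0000-000000000001}\(Default)","SUCCESS","Type: REG_SZ, Length: 34, Data: SampleProvider"
"9:01:05.0000001 AM","setup.exe","4410","RegCreateKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{bbbbbbbb-0000-0000-0000-000000000002}","SUCCESS","Desired Access: Write"
"9:01:05.0000002 AM","setup.exe","4410","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{bbbbbbbb-0000-0000-0000-000000000002}\(Default)","SUCCESS","Type: REG_SZ, Length: 24, Data: NewProvider"
"9:01:06.0000001 AM","svchost.exe","1020","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
'@

$events = $sampleCsv | ConvertFrom-Csv
Get-CredentialProviderAccess -Events $events | Format-Table -AutoSize

# For a real capture saved from ProcMon in CSV format:
# Get-CredentialProviderAccess -Events (Import-Csv 'C:\logon.csv') | Format-Table -AutoSize
```

On the constructed input the summary lists setup.exe with two writes and LogonUI.exe with reads only; svchost.exe does not appear because its access is to a different key. On a real trace, any process other than the installer you expect that shows a non-zero Writes count is the one to investigate.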