Posted on January 10, 2017 · Posted in Windows 7, Windows Server 2008 R2

GPO Logging Using Gpsvc.log in Windows 7

The debug log Userenv.log (%Systemroot%\Debug\UserMode\Userenv.log) could be used to thoroughly analyze the application of GPOs in Windows XP and Windows Server 2003. Using this Group Policy logging, you could track the order and time in which group policies were applied, find the policies that slow down booting, and solve other GPO-related problems.

In Windows 7 (or higher), Microsoft developers decided to stop using Userenv.log as the main debugging tool for GPO processing. Most events related to Group Policy are now available in Event Viewer (eventvwr) under Applications and Services Logs -> Microsoft -> Windows -> Group Policy -> Operational.

Tip. For example, the events with Event ID 4016 and 5016 help to find the time when processing of a GPO started and finished. The latter event shows how long this policy took to apply.

The Event 5312 contains the list of policies to be applied and the Event 5317 lists the filtered policies.

However, the events contained in this log are not as detailed as Userenv.log file in Windows XP.

You can also enable a similar debug log of Group Policy Client Service (GPSVC) in Windows 7. This undocumented feature of enabling an extended log of GPO usage is also available in Windows 8, 10 and Windows Server 2008/2012.

You can enable GPO debug logging in the registry. Create a DWORD parameter with the name GPSvcDebugLevel and the value 00030002 (hexadecimal) in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics. (You will probably have to create the Diagnostics branch manually.)


Note. You can also create this parameter with the following command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t REG_DWORD /d 0x00030002 /f

Update your policies using the command gpupdate /force (or restart the computer if you want to debug the policies applied when booting).

After the restart, the Group Policy Client service will record the extended debug information to the file gpsvc.log (%WINDIR%\debug\usermode\gpsvc.log).

For reference, here is a piece of gpsvc.log:



..........
GPSVC(3a8.ce8) 12:24:32:494 MaxTimeToWaitForNetwork: 120000ms
GPSVC(3a8.ce8) 12:24:32:494 TimeRemainingToWaitForNetwork: 0ms
GPSVC(3a8.ce8) 12:24:32:494 UserPolicy: Waiting for machine policy wait for network event with timeout 0 ms
GPSVC(3a8.ce8) 12:24:32:541 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 65538
GPSVC(3a8.ce8) 12:24:32:541 LockPolicySection called for user
GPSVC(3a8.ce8) 12:24:32:541 Sync Lock Called
GPSVC(3a8.ce8) 12:24:32:541 Reader Lock got immediately. m_cReadersInLock : 1
GPSVC(3a8.ce8) 12:24:32:541 Lock taken successfully
GPSVC(3a8.ce8) 12:24:32:541 UnLockPolicySection called for user
GPSVC(3a8.ce8) 12:24:32:541 Found the caller in the ReaderHavingLock List. Removing it...
GPSVC(3a8.ce8) 12:24:32:541 Setting lock state as notLocked
GPSVC(3a8.ce8) 12:24:32:541 UnLocked successfully
GPSVC(3a8.ce8) 12:24:32:556 Opened Existing Registry key
GPSVC(3a8.ce8) 12:24:32:556 UncPath :'\\CORP.DOMAIN.COM\SYSVOL'
............

Manual analysis of gpsvc.log is quite time-consuming. The free tool Policy Reporter (http://www.sysprosoft.com/policyreporter.shtml) can make it easier by presenting the GPO debug log as a tree grouped by time.
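For quick triage without a GUI, the following added example (not from the original article and unrelated to Policy Reporter) parses the line layout shown in the excerpt above and reports the longest pauses between consecutive entries of the same thread, which is where slow policy processing shows up. The function names, the threshold and the reading of the two hex numbers as process and thread ID are assumptions of this example.

```python
import re
from datetime import timedelta

# Layout seen in the excerpt: GPSVC(<hex>.<hex>) HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"^GPSVC\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{1,3})\s+(?P<msg>.*)$")

def parse_line(line):
    """Parse one gpsvc.log line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                   seconds=int(m["s"]), milliseconds=int(m["ms"]))
    # Assumption: the two hex numbers are the process ID and thread ID.
    return {"pid": int(m["pid"], 16), "tid": int(m["tid"], 16),
            "time": ts, "msg": m["msg"]}

def slow_steps(lines, threshold_ms=1000):
    """Return (gap_ms, message_before, message_after) tuples, largest first,
    for pauses of at least threshold_ms between two entries of one thread."""
    last, found = {}, []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue  # elision markers, blank or truncated lines
        key = (entry["pid"], entry["tid"])
        prev = last.get(key)
        if prev is not None:
            gap = entry["time"] - prev["time"]
            if gap < timedelta(0):
                gap += timedelta(days=1)  # no date in the log: assume one midnight rollover
            gap_ms = gap // timedelta(milliseconds=1)
            if gap_ms >= threshold_ms:
                found.append((gap_ms, prev["msg"], entry["msg"]))
        last[key] = entry
    return sorted(found, reverse=True)

# Sample input: thread ce8 lines come from the excerpt above, thread d10 lines are constructed.
SAMPLE = """\
..........
GPSVC(3a8.ce8) 12:24:32:494 UserPolicy: Waiting for machine policy wait for network event with timeout 0 ms
GPSVC(3a8.d10) 12:24:32:500 constructed entry from a second thread
GPSVC(3a8.ce8) 12:24:32:541 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 65538
GPSVC(3a8.ce8) 12:24:32:556 Opened Existing Registry key
GPSVC(3a8.d10) 12:24:35:700 constructed entry after a stall
""".splitlines()
```

To run it against a real file, pass the open file object to slow_steps; if no lines parse, try opening the file with encoding="utf-16", since the log is often written in that encoding.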


The data from gpsvc.log and the results obtained using GPResult can be used to perform a detailed analysis of how GPOs are applied on the clients.

Note. To disable debug logging, change the value of GPSvcDebugLevel to 0.
