Windows OS Hub
January 10, 2017 | Windows 7, Windows Server 2008 R2

GPO Logging Using Gpsvc.log in Windows 7

The debug log Userenv.log (%Systemroot%\Debug\UserMode\Userenv.log) could be used to thoroughly analyze the application of GPOs in Windows XP and Windows Server 2003. Using this Group Policy logging, you could track the order and time of applying group policies, find the policies that slow down booting, and solve other GPO-related problems.

In Windows 7 (or higher), Microsoft developers decided to stop using Userenv.log as the main debugging tool for GPO processing. Most events related to Group Policy are now available in the Event Viewer (eventvwr) under Applications and Services Logs -> Microsoft -> Windows -> Group Policy -> Operational.

Tip. For example, the events with Event ID 4016 and 5016 help you find the time when processing of a GPO started and finished. The latter event shows how long the policy took to apply.

Event 5312 contains the list of policies to be applied, and Event 5317 lists the filtered policies.

However, the events contained in this log are not as detailed as the Userenv.log file in Windows XP.

You can also enable a similar debug log of Group Policy Client Service (GPSVC) in Windows 7. This undocumented feature of enabling an extended log of GPO usage is also available in Windows 8, 10 and Windows Server 2008/2012.

You can enable GPO debug logging in the registry. Create a DWORD parameter named GPSvcDebugLevel with the value 00030002 (hexadecimal) in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics. (You will probably have to create the Diagnostics key manually.)


Note. You can also create this parameter using the following command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics" /v GPSvcDebugLevel /t REG_DWORD /d 0x00030002 /f

Update your policy settings using the command gpupdate /force (or restart the computer if you want to debug the policies applied at boot).

After the restart, the Group Policy Client service will write extended debug information to the file gpsvc.log (%WINDIR%\debug\usermode\gpsvc.log).

For reference, here is a fragment of gpsvc.log:

..........
GPSVC(3a8.ce8) 12:24:32:494 MaxTimeToWaitForNetwork: 120000ms
GPSVC(3a8.ce8) 12:24:32:494 TimeRemainingToWaitForNetwork: 0ms
GPSVC(3a8.ce8) 12:24:32:494 UserPolicy: Waiting for machine policy wait for network event with timeout 0 ms
GPSVC(3a8.ce8) 12:24:32:541 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 65538
GPSVC(3a8.ce8) 12:24:32:541 LockPolicySection called for user
GPSVC(3a8.ce8) 12:24:32:541 Sync Lock Called
GPSVC(3a8.ce8) 12:24:32:541 Reader Lock got immediately. m_cReadersInLock : 1
GPSVC(3a8.ce8) 12:24:32:541 Lock taken successfully
GPSVC(3a8.ce8) 12:24:32:541 UnLockPolicySection called for user
GPSVC(3a8.ce8) 12:24:32:541 Found the caller in the ReaderHavingLock List. Removing it...
GPSVC(3a8.ce8) 12:24:32:541 Setting lock state as notLocked
GPSVC(3a8.ce8) 12:24:32:541 UnLocked successfully
GPSVC(3a8.ce8) 12:24:32:556 Opened Existing Registry key
GPSVC(3a8.ce8) 12:24:32:556 UncPath :'\\CORP.DOMAIN.COM\SYSVOL'
............

Manual analysis of gpsvc.log is quite time-consuming. The free tool Policy Reporter (http://www.sysprosoft.com/policyreporter.shtml) can make it easier by presenting the GPO debug log as a tree grouped by time.


The data from gpsvc.log and the results obtained using GPResult can be used to perform a detailed analysis of how GPOs are applied on the clients.
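As an added example (not part of the original article and unrelated to how Policy Reporter works), the following Python code parses gpsvc.log lines and ranks the largest time gaps per thread, which is where slow policy processing shows up. The line layout `GPSVC(pid.tid) HH:MM:SS:mmm message` is inferred from the excerpt above, and the names `parse_gpsvc` and `slowest_steps` are hypothetical.

```python
import re
from collections import namedtuple

# Sample input: four lines taken from the gpsvc.log excerpt shown above.
SAMPLE = r"""..........
GPSVC(3a8.ce8) 12:24:32:494 UserPolicy: Waiting for machine policy wait for network event with timeout 0 ms
GPSVC(3a8.ce8) 12:24:32:541 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 65538
GPSVC(3a8.ce8) 12:24:32:541 UnLocked successfully
GPSVC(3a8.ce8) 12:24:32:556 Opened Existing Registry key
............
"""

# Assumed layout: GPSVC(<pid hex>.<tid hex>) HH:MM:SS:mmm <message>
LINE_RE = re.compile(
    r"^GPSVC\(([0-9a-fA-F]+)\.([0-9a-fA-F]+)\)\s+"
    r"(\d{1,2}):(\d{2}):(\d{2}):(\d{1,3})\s+(.*)$"
)
Entry = namedtuple("Entry", "pid tid ms message")
DAY_MS = 24 * 60 * 60 * 1000

def parse_gpsvc(text):
    """Return Entry tuples; lines that do not match the layout are skipped."""
    entries, offset, last = [], 0, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, tid, hh, mm, ss, ms, msg = m.groups()
        t = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1000 + int(ms)
        # The log carries no date: a large backward jump means midnight passed.
        if last is not None and last - t > DAY_MS // 2:
            offset += DAY_MS
        last = t
        entries.append(Entry(int(pid, 16), int(tid, 16), t + offset, msg))
    return entries

def slowest_steps(entries, top=3):
    """Return (gap_ms, message_before, message_after) tuples, slowest first."""
    prev, gaps = {}, []
    for e in entries:
        key = (e.pid, e.tid)  # compare only entries written by the same thread
        if key in prev:
            gaps.append((e.ms - prev[key].ms, prev[key].message, e.message))
        prev[key] = e
    return sorted(gaps, key=lambda g: g[0], reverse=True)[:top]

if __name__ == "__main__":
    for gap, before, after in slowest_steps(parse_gpsvc(SAMPLE)):
        print(f"{gap:>6} ms between '{before}' and '{after}'")
```

When reading the real file, pass its decoded text to `parse_gpsvc`; check the file's encoding first, since it may not be UTF-8.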

Note. To disable debug logging, change the value of GPSvcDebugLevel to 0.

1 comment

David January 11, 2017 - 10:08 am

This is a great tip, thanks!
But note that the value of GPSvcDebugLevel should be set to 0x00030002 (HEX)
