
Dissecting Logons


A tour through the various tools and techniques which can be used to get information about what happens during logon with a view to making it faster

Presented along with demonstrations at the Citrix UK User Group in Manchester in March 2019

Guy Leech

March 20, 2019


Transcript

  1. DETERMINING WHAT HAS RUN & WHY
     • SysInternals Process Monitor
     • Event logs
     • Standard entries
     • Process creation auditing
     • Gpresult
     • Scheduled tasks
     • Logon scripts
     • Users
     • Group & local policy
     • … and don’t forget device drivers, especially file system filters, & services
  2. SYSINTERNALS PROCESS MONITOR
     • Capture start/stop on single-user OS
     • Sethc / utilman hijack (crude, & AV products are now stopping it)
     • Remote PowerShell session (elegant)
     • SysInternals psexec (old fashioned but not WinRM dependent)
     • Process Tree
     • Look at creation times, command lines, parent processes & durations
     • Filter out unwanted entries & noise, e.g. other sessions (but not session zero)
  3. EVENT LOGS
     • There are more than 4 event logs! Yes, really
     • 464 on my Win10 1809 laptop, with 151 containing events
     • Search them all during the logon period
     • PowerShell to the rescue (again)
     • Push into CSV or grid view for further filtering
  4. CONTROLUP LOGON ANALYSIS SCRIPT
     • Doesn’t need ControlUp to run
     • Download from the script library
     • Needs logon and process creation/termination auditing in place
     • Just need to pass domain\user
     • Splits out phases including group policy, logon script & printer mappings
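Slides 3 and 4 together describe the approach: anchor on a named user's audited logon, then search every event log on the machine for the minutes that follow and push the result into CSV and a grid view. The PowerShell below is an added example written for this page, not the ControlUp script or any code from the deck; it assumes logon auditing is enabled, that it is run elevated on the machine where the logon happened, and the function name, the 2-minute default window and the Security event property offsets are my choices.

```powershell
function Get-LogonWindowEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$UserName,              # sAMAccountName, e.g. 'alice'
        [int]$Minutes = 2,                                     # window after logon to examine
        [string]$CsvPath = "$env:TEMP\logon-events.csv"
    )

    # 1. Anchor the window on the most recent interactive (type 2) or remote
    #    interactive / RDP (type 10) logon for this user. Needs logon auditing on.
    #    In event 4624, Properties[5] = TargetUserName, Properties[8] = LogonType.
    $logon = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop |
        Where-Object { $_.Properties[5].Value -eq $UserName -and $_.Properties[8].Value -in 2, 10 } |
        Select-Object -First 1
    if (-not $logon) { throw "No interactive 4624 logon found for $UserName" }

    $start = $logon.TimeCreated
    $end   = $start.AddMinutes($Minutes)

    # 2. Enumerate every log on the box (hundreds on Win10) and keep only those
    #    that actually hold records; disabled/analytic logs are skipped quietly.
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
    Write-Verbose "$($logs.Count) logs contain events; searching $start .. $end"

    # 3. Pull events from each log inside the window. FilterHashtable filters in the
    #    event log service, far faster than piping every record through Where-Object.
    #    A log with no hits raises a non-terminating error, hence SilentlyContinue.
    $events = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{
            LogName = $log.LogName; StartTime = $start; EndTime = $end
        } -ErrorAction SilentlyContinue
    }

    # 4. Flatten to rows; only the first message line is kept so the grid stays readable.
    $rows = $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    $rows | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    $rows | Out-GridView -Title "Events during logon of $UserName ($start - $end)"
    return $rows
}

# Example call (constructed): Get-LogonWindowEvents -UserName 'alice' -Minutes 3 -Verbose
```

Sort the grid by TimeCreated and look for gaps between consecutive events: a long pause with nothing logged usually points at something outside the event logs (a logon script, a profile copy, a filter driver) that Process Monitor then has to explain.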
  5. ACTIVE SETUP
     • Designed for one-time app setup for users (or if the app version changes)
     • Controlled via HKLM\Software\Microsoft\Active Setup (& Wow6432node)
     • Runs the command in the “StubPath” value
     • Copies keys that have run to HKCU
     • Can disable by removing some or all HKLM keys
  6. OTHER USEFUL THINGS TO LOOK AT
     • GPSvcDebugLevel
     • %systemroot%\inf\setupapi.dev.log
     • SysInternals AutoRuns
     • Base/default profile
     • Security software/anti-virus
     • User profile persistence (e.g. roaming profiles, UPM, Ivanti EM, etc.)
     • AppSetup value in the Winlogon reg key (e.g. usrlogon.cmd)
     • Appinit_dlls
     • Local & hypervisor performance counters & network/storage load
     • Persistent image bloat, e.g. GPO cache, temp folders
     • Disk fragmentation! But don’t defrag PVS .avhdx delta disks
     • The internet: many articles about logon optimisation, e.g. @james____rankin
  7. PARTING THOUGHTS …
     • Is it already fast enough?
     • Is it worth the effort/cost to try & make it any faster?
     • Is it consistent?
     • Do you really need to do everything at logon for every user every time?
     • Maintainability
     • Documentation
     • Future proofing
     • Logon analysis is available as a bespoke consultancy service from @guyrleech