{"id":276,"date":"2011-04-28T23:47:01","date_gmt":"2011-04-28T22:47:01","guid":{"rendered":"http:\/\/www.autoitconsulting.com\/site\/?p=276"},"modified":"2025-07-14T23:05:21","modified_gmt":"2025-07-14T22:05:21","slug":"windows-performance-toolkit-simple-boot-logging","status":"publish","type":"post","link":"https:\/\/www.autoitconsulting.com\/site\/performance\/windows-performance-toolkit-simple-boot-logging\/","title":{"rendered":"Windows Performance Toolkit: Simple Boot Logging"},"content":{"rendered":"\n

Overview<\/h2>\n\n\n\n

Troubleshooting slow boots and logons are a common request. In this post I will show you how to perform boot logging using the Windows Performance Toolkit (WPT) on a Windows 7 machine and perform some basic analysis of it.<\/p>\n\n\n\n

Preparation<\/h2>\n\n\n\n

First, you need to install the WPT<\/a> on the machine you wish to examine.<\/p>\n\n\n\n

\"\"
Sysinternals Autologon<\/figcaption><\/figure>\n\n\n\n

Secondly, we will be tracing the boot process all the way until the user has logged in and the desktop is shown. If we rely on quickly and manually logging in we introduce inconsistencies to any timings we do. The simplest solution is to use the Sysinternals Autologon<\/strong> tool available from the Sysinternals site<\/a> and to configure it with the local or domain user we will be using for testing.<\/p>\n\n\n\n

Performing the Boot Trace<\/h2>\n\n\n\n
    \n
  1. \n
      \n
    1. Logon to the machine as an administrative user.<\/li>\n\n\n\n
    2. Use AutoLogon<\/strong> to setup the test user that will be used to automatically login during the trace. The test user need not be an administrator, but if not you will need to respond to any UAC prompts during the process to allow the tools to elevate to complete the trace.<\/li>\n\n\n\n
    3. Create a local folder, for example C:\\PerfTrace, to store the boot trace.<\/li>\n\n\n\n
    4. Open an Administrator command prompt and change to the trace folder created above (cd C:\\PerfTrace).<\/li>\n\n\n\n
    5. Run the command:<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
      xbootmgr -trace boot<\/pre>\n\n\n\n
        \n
      1. The machine will automatically shutdown, reboot and finally login.<\/li>\n\n\n\n
      2. A “Delaying for boot trace” message will appear and the system will pause for 120 seconds to capture post-logon events.
        \"\"<\/figure><\/li>\n\n\n\n
      3. The tool will now elevate and a UAC consent box or prompt for credentials will appear.<\/li>\n\n\n\n
      4. The trace will be completed and the trace files will be written into C:\\PerfTrace\\boot_BASE+CSWITCH_1.etl<\/strong>.
        \"\"<\/figure><\/li>\n<\/ol>\n\n\n\n
        Analysing the Boot Trace<\/h2>\n\n\n\n
        You can look at the boot trace in two main ways. The first way is to export the trace into XML which allows you to see the main timing points and the second is using the xperfview GUI.<\/p>\n\n\n\n
        Analysing using the XML Summary<\/h3>\n\n\n\n
        To export the XML summary run the following command with the trace captured in the previous section:<\/p>\n\n\n\n
        xperf -i boot_BASE+CSWITCH_1.etl -o summary.xml -a boot<\/pre>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        The resulting XML file can be opened in Internet Explorer (or your favourite XML editor). In order to expand and contract the individual nodes in IE you will need to allow active content by clicking on the yellow information warning box at the top of the screen.  Contract all nodes apart from the those in the \u201ctiming\u201d node to show the following view:<\/p>\n\n\n\n
        The two most immediately useful metrics are:<\/p>\n\n\n\n
          \n
        • bootDoneViaExplorer<\/strong> \u2013 Duration of the boot (in milliseconds) until the start of Explorer.exe<\/li>\n\n\n\n
        • bootDoneViaPostBoot<\/strong> \u2013 Length of the boot transition including PostBoot. This metric represents the total time of a boot transition.<\/li>\n<\/ul>\n\n\n\n
          In this example, bootDoneViaPostBoot<\/strong> would seem to indicate that the total boot time was 50 seconds (50094 millseconds). However, a boot trace waits for 10 seconds (postBootRequiredIdleTime) at the end of a boot until the system reaches an idle state. Therefore to get the actual total boot time we must subtract 10 seconds, in this example the adjusted boot time was 40 seconds<\/strong>.<\/p>\n\n\n\n
          Analysing using the xperfview GUI<\/h3>\n\n\n\n
          To use a GUI to examine the boot trace open the trace in xperfview with the following command:<\/p>\n\n\n\n
          xperfview boot_BASE+CSWITCH_1.etl<\/pre>\n\n\n\n
          There are many different views to look at in the xperfview GUI, but for this post we will concentrate on the main boot and logon processes (similar to the XML summary). Scroll down to the Winlogon<\/strong> section:<\/p>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
          <\/p>\n\n\n\n
          There are many different checkpoints here but some useful ones are:<\/p>\n\n\n\n
            \n
          • GP Client<\/strong> – This checkpoint occurs at a number of different points. Before the user logs in (Computer Group Policy) and after logon (User Group Policy). It is very useful to identify any GPO related problems.<\/li>\n\n\n\n
          • CreateSession Notification<\/strong> – This checkpoint occurs when the user enters their credentials and starts the logon process.<\/li>\n\n\n\n
          • Profiles<\/strong> – This checkpoint occurs when the user’s profile is being loaded.<\/li>\n\n\n\n
          • StartShell Notification<\/strong> – This is the last checkpoint when the shell is ready to load and explorer.exe is about to be launched. It corresponds to the WinlogonInit endTime<\/strong> entry from the XML summary.<\/li>\n<\/ul>\n\n\n\n
            Summary<\/h2>\n\n\n\n
            This post showed how to perform boot logging using WPT at the most basic level. This can be a very complicated process and far too much to cover in a single post, future articles will go into more detail in individual areas.<\/p>\n","protected":false},"excerpt":{"rendered":"
            Overview Troubleshooting slow boots and logons are a common request. In this post I will show you how to perform boot logging using the Windows Performance Toolkit (WPT) on a Windows 7 machine and perform some basic analysis of it. Preparation First, you need to install the WPT on the machine you wish to examine. […]<\/p>\n","protected":false},"author":1,"featured_media":112,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[61,16],"class_list":["post-276","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-performance","tag-performance","tag-wpt"],"_links":{"self":[{"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/posts\/276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/comments?post=276"}],"version-history":[{"count":4,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/posts\/276\/revisions"}],"predecessor-version":[{"id":100121,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/posts\/276\/revisions\/100121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/media\/112"}],"wp:attachment":[{"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/media?parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/categories?post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.autoitconsulting.com\/site\/wp-json\/wp\/v2\/tags?post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}