Click on the Category button to get more articles regarding that product.
Enhancing Outlook Debug Logging for Troubleshooting
Mike Butsch, www.butsch.ch
What we want to do and why
Outlook debug logging is a valuable tool for diagnosing and resolving issues within Microsoft Outlook. By enabling advanced logging, you gain deeper insights into the application’s behaviour, allowing for more effective troubleshooting. In this blog post, we will explore the process of enabling global and advanced logging for Outlook, along with additional steps to enhance the logging capabilities.
In conclusion, by enabling and leveraging Outlook debug logging, you can gain valuable insights into the behaviour of Microsoft Outlook and efficiently troubleshoot any issues that may arise. Remember to exercise caution when modifying the Windows Registry and follow the necessary steps outlined in this blog post.
Some key points in this paper:
* Attention: Do not make user you analyser Local Administrator
* How to make the KEY under another user Registry hive
* Your are admin or user how to generate the Registry Key
* How to find something or for what to search for in the Debug Logfiles you made:
* Analyse WPA and ETL files
* Outlook 2010 Debug Logfiles
* Outlook 2013 and Outlook 2016 Debug Logfiles
* What if you want to enable this for some computers automatic in your Windows Domain on-premise with GPO?
in addition to the steps mentioned in the documentation, there is an additional parameter that can be enabled to gather more detailed information. This parameter involves modifying a specific subkey in the Windows Registry. Please note that the following steps require careful attention to avoid unintended issues:
| 1. Launch the Windows Registry Editor by opening “regedit.exe”.
2. Navigate to the following subkey path: “HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\xx.0\Outlook\Options\Shutdown”. 3. In the specified subkey, create a new “DWORD (32-bit) Value” named “FastShutdownBehavior”. 4. Double-click on the newly created “FastShutdownBehavior” value and set its value data to 2. By following these steps, you will successfully create the DWORD (32-bit) value “FastShutdownBehavior” with a value of 2 in the Windows 10 Registry. |
Attention: Do not make user you analyser Local Administrator, this will produce problem related to Exchange, ActiveSync GPO and Azure sync (Info’s not Synced back to local Domain from Azure for that user)
Note: If the user experiencing the issue does not have sufficient permissions to create the key, it is important not to grant them local admin privileges without addressing the “ADMINSholder” flag attribute. Granting local admin privileges without correcting the “ADMINSholder” flag may lead to further complications. Refer to these resources for more information on the “ADMINSholder” flag:
Attention: https://www.butsch.ch/post/Activesync-with-Exchange-2013-does-not-work-ADMINSHOLDER-Flag-(an-old-bad-friend) or https://www.butsch.ch/post/Exchange-Activesync-1053-Event-4003-Error-2007201020132016-Adminsholder
Again a sample why you should not make the user Local Admin to explain: Also be aware that if you are in M365 Azure Hybrid Mode those account with ADMINS Holder Flag Set wan’t sync back or to Azure.
Target what we need for the USER who has the OUTLOOK.EXE Problem. That may be a different user than the LOGGED on s non domain joined machine.
How to set key for another user?
It’s important to note that the user encountering the “OUTLOOK.EXE” problem may not be the same as the one logged on to the non-domain joined machine. Therefore, we need to set the key for the relevant user. Here is a brief explanation of how to set the key for another user:
1. Create a CMD shortcut on the desktop.
2. Right-click on the shortcut while holding down the SHIFT key and choose “Run as different user.”
3. A command prompt (CMD.exe) will open.
4. Launch the Registry Editor (regedit.exe) from the command prompt.
5. Locate the appropriate registry hive for the user you want to debug in Outlook.
INFO: Why not make him local Admin again because most don’t understand impact if not corrected afterwards! Please read careful above IF you have that idea.
How to make the KEY under another user Registry hive Explanation #1
Solution you need to run regedit.exe under a separate LOCAL ADMIN or Service account to have the permission to CREATE that missing key structure per user. Also keep in MIND that existing POLICY/GPO will overwrite the settings within 15-X minutes if you may have those set in Domain enviroment.
| How to make a REGISTRY KEY under ANOTHER user hive |
| If the user experiencing the issue does not have sufficient permissions to create the registry key, it is important to take the following precautions:
1. Avoid granting the user local admin privileges without addressing the “ADMINSholder” flag attribute. 2. Granting local admin privileges without correcting the “ADMINSholder” flag can lead to additional complications and should be avoided. To proceed with modifying the registry for the affected user: 1. Request access to the user’s registry hive or have the affected user provide it to you. 2. Open the Windows Registry Editor (“regedit.exe”). 3. In the Registry Editor, click on “HKEY_USERS” and then go to “File” -> “Load Hive.” 4. Browse to the user’s registry hive file (NTUSER.DAT) located in their profile folder (e.g., C:\Users\Username). 5. Enter a name (e.g., “UserHive”) for the loaded hive. 6. Navigate to “UserHive\Software\Policies\Microsoft\Office\xx.0\Outlook\Options\Shutdown” in the loaded hive. 7. Create a new “DWORD (32-bit) Value” named “FastShutdownBehavior” and set its value to 2. 8. Unload the loaded hive by selecting the loaded hive (“UserHive”) and clicking on “File” -> “Unload Hive.” By following these steps, you can modify the registry using the hive of the affected user, without granting them local admin privileges. Remember to exercise caution and address the “ADMINSholder” flag issue if encountered, as granting local admin privileges without correcting it can lead to further complications. |
Find the office version “SHORTY” the user has as exmaple “15.0”, “16.0” etc.
Your are admin or user and how to generate the Registry Key Explanation #2
When troubleshooting Outlook issues for a specific user, there are two options to access the user’s registry hive.
By following either of these options, you can access the user’s registry hive and make necessary
modifications to troubleshoot the Outlook.exe problem. Remember to exercise caution and ensure you
have the appropriate permissions and authority to access the user’s registry hive.
|
Option 1: User Logged On to the System If the user experiencing the problem is currently logged on to the system, you can utilize the following method: 1. Open the Command Prompt (cmd.exe) with administrative privileges. 2. Execute the “regedit.exe” command using the “RUNAS” trick. This allows you to run the Registry Editor as a different user. 3. Skip to the next step if you can already see the user’s registry hive in the Registry Editor. This occurs when the user is logged on to the system and you are accessing the Registry Editor using the “RUNAS” trick or a remote session, such as Dameware or another remote support tool. |
|
Option 2: Administrator/IT Logged On If you are logged on as an administrator or IT personnel and know the username of the user experiencing the Outlook.exe problem, follow these steps: 1. Launch the Registry Editor (“regedit.exe”) with administrative privileges. 2. Click on “HKEY_USERS” in the Registry Editor. 3. Go to “File” -> “Load Hive” in the menu. 4. Browse to the user’s registry hive file (NTUSER.DAT) located in their profile folder (e.g., C:\Users\Username). 5. Provide a name (e.g., “UserHive”) for the loaded hive. This name will be used to identify the user’s registry hive in the Registry Editor. |
FastShutdownBehavior
Once you have made the necessary changes to the registry, log off and log back on to apply the settings. Launch Outlook, and you should now see the logging in action. This allows you to identify any problematic areas or errors that may be occurring.
Check the key again under the HKCU > OK
Start Outlook, yes login active and you see warning
Check the things that don’t work to produce logs. Click around and open things and other Calendar from OAB adressbook as example.
Check the logs generates
Folders:
To gather relevant log files for troubleshooting purposes, you can focus on specific folders or actions that are not functioning as expected. These log files can be shared with Microsoft Support to assist in resolving the issue. To convert the log files (ETL format) into a more readable format, you can use the PowerShell command `tracerpt.exe FILENAME.ETL -lr`. You can then preview the converted files or open them using the Event Viewer (`eventvwr.exe`) to examine the events more closely.
Convert in PowerShell to some TEXT/XML.
ETL > Event Viewer 😉 ???
You can then preview the converted files or open them using the Event Viewer (`eventvwr.exe`) to examine the events more closely.
Filter may help if there are any error?
How to find something or for what to search for in the Debug Logfiles you made:
When analyzing ETL or XML files for debug information related to free/busy functionality in Outlook, you can look for specific events and data related to free/busy operations. Here are some key points to consider:
1. Event ID: Look for events with specific event IDs that pertain to free/busy operations. These event IDs can vary depending on the version of Outlook and the specific scenario. Typically, you may find events with IDs such as 2000, 2007, or 2016, which are commonly associated with free/busy processing.
2. Provider Names: Look for events associated with providers or services related to free/busy functionality. These providers can include Autodiscover, Exchange Web Services (EWS), Availability Service, or any other components involved in free/busy data retrieval and processing.
3. Timestamps: Pay attention to the timestamps of the events and their sequencing. This can help you understand the flow and timing of free/busy operations. Look for patterns, delays, or any inconsistencies that might indicate potential issues.
4. Error Codes and Messages: Take note of any error codes or error messages associated with the free/busy events. These can provide valuable information about the nature of the problem or any specific errors encountered during free/busy processing.
5. Data Fields: Look for specific data fields or attributes that contain information related to free/busy functionality. These can include user identifiers, calendar data, availability status, or any other relevant data that helps in understanding the free/busy operations.
To locate this debug information within the ETL or XML file, search for the relevant event IDs, provider names, error codes, or specific data fields mentioned above. Use the search functionality in your text editor or XML viewer to locate and analyze the corresponding events. Additionally, you can filter the events based on the time range or other criteria to focus on the relevant information.
By carefully examining these events and data within the ETL or XML file, you can gain insights into the free/busy operations, identify any errors or delays, and troubleshoot any issues affecting the free/busy functionality in Outlook.
Analyse WPA and ETL files
Also read following KB on how to process the files further with WPA
https://learn.microsoft.com/en-us/windows-hardware/test/wpt/opening-and-analyzing-etl-files-in-wpa
https://learn.microsoft.com/en-us/message-analyzer/message-analyzer-tutorial
If you are specifically working with ETL files generated from Outlook.exe debug mode the files are binary files containing event traces, and parsing them requires specific tools and techniques.
To analyze ETL files generated from Outlook.exe debug mode, you can use Microsoft Message Analyzer (MMA) or Windows Performance Analyzer (WPA), which are powerful tools for analyzing event traces. These tools allow you to load the ETL file and apply filters to extract specific information or errors related to Outlook.exe.
Here’s a high-level overview of the steps involved in using Microsoft Message Analyzer to analyze Outlook.exe ETL files:
-
Download and install Microsoft Message Analyzer from the Microsoft Download Center.
https://learn.microsoft.com/en-us/message-analyzer/installing-and-upgrading-message-analyzer
2. Launch Microsoft Message Analyzer.
3. Go to the “File” menu and select “New Session” to create a new session.
4. In the “New Session” window, click on the “Live Trace” tab.
5. Select the “Microsoft-Windows-Diagnostics-Performance” provider from the list.
6. Click on the “Capture” button to start capturing events.
7. Reproduce the issue or scenario for which you want to capture the event trace.
8. Once the desired events have been captured, click on the “Stop” button to stop capturing.
9. Go to the “File” menu and select “Save As” to save the captured events as an ETL file.
10. Open the saved ETL file in Microsoft Message Analyzer.
11. Use the filtering and analysis capabilities of Microsoft Message Analyzer to locate the specific errors or information related to free/busy or any other aspect of Outlook.exe.
Please note that analyzing ETL files can be a complex task, and familiarity with Microsoft Message Analyzer or similar tools is recommended for effective analysis. The steps provided above are a general guideline, and the exact steps may vary based on the version of Microsoft Message Analyzer or other tools you are using.
Remember to always exercise caution when analyzing ETL files and ensure you have the necessary permissions to access and analyze the files.
What if you want to enable this for some computers automatic in your Windows Domain on-premise with GPO?
Be carefull with the GPO. The Debug Mode of Outlook will generate 50MB+ Files maybe per minute. That is
why we want to target that Policy to a ADS-Group with Computer accounts. If you are unsure hot wo do that leave it and do it manual.
| In addition to enabling Outlook debug logging using Group Policy Objects (GPO), you can further refine the application of the GPO by creating an Active Directory security group and assigning the GPO only to computers that are members of that group. This allows you to control which computers have the debug logging enabled. Here’s how you can do it: |
| Step 2: Add Computers to the Security Group:
1. Locate the computers that you want to enable Outlook debug logging for. 2. Select the desired computers, right-click, and choose “Add to a group” or “Add to a security group” (depending on your Active Directory administrative tools). 3. Search for and select the “Outlook Debug Users” security group you created in Step 1. 4. Click “OK” to add the selected computers to the security group. |
| Step 3: Assigning the GPO to the Security Group:
1. Return to the Group Policy Management Console. 2. Right-click on the GPO that configures the Outlook debug logging settings and select “Properties”. 3. In the “Properties” window, navigate to the “Security” tab. 4. Click the “Add” button to add a new permission entry. 5. In the “Select User, Computer, or Group” dialog box, enter the name of the security group (“Outlook Debug Users”) and click “OK”. 6. Back in the “Properties” window, select the added security group from the permission entries list. 7. Under the “Permissions for [Group Name]” section, check the “Read” and “Apply Group Policy” checkboxes. 8. Click “OK” to save the changes. |
| By following these steps, you have created an Active Directory security group, added the desired computers to that group, and assigned the GPO to the security group. This ensures that the Outlook debug logging settings will only be applied to computers that are members of the specified security group, allowing you to control the scope of the debug logging feature. |
Take a peek at our tool Crlcheck which helps you to find blocked CRL or OCSP WAN address behind Enterprise Proxy or application firewalls:
CRLcheck.exe Certificate Revocation List Check Tool to verify all CRL and OCSP on Windows client
Some links regarding this:
Outlook Debug Logging
MS Learn:
Logfiles reference for different Outlook version:
Note The log files are created in multiple folders. These folders vary, depending on the version of Outlook that you’re running.
Outlook 2010 Debug Logfiles
| Log files in the %temp% folder | File name |
| Outlook RPC log | OLKRPCLOG_date-time.etl |
| AutoDiscover log | olkdisc.log |
| Outlook/SharePoint synchronization logs | .htm and .xml files |
| Log files in the %temp%\OlkAS folder | File name |
| Availability Service, OOF, and Meeting Suggestion log files | date-time -AS.log |
| Protection Rules log files | date-time -PB4S.log |
| Unified messaging log files | date-time -UM.log |
| Unified Messaging configuration log files | date-time .UMCFG.log |
| Log files in the %temp%\OlkCalLogs folder | File name |
| Outlook calendar log files | OlkCalLog_date_time.etl |
Log files in the folder
| %temp%\Outlook Logging | File name |
| Outlook advanced ETW log | Outlook-########.etl |
| MailTips log | date-time-mailtips.log |
| OOF log | date-time-oof.log |
| Transport log file | opmlog.log |
| Outlook profile logs | Prof_OUTLOOK_PID_OutlookStart_date_time.txt Prof_OUTLOOK_PID_OutlookStart_date_time.txt |
| SMTP log files | emailaddress-Outgoing-date_time.log |
| POP3 log files | emailaddress-Incoming-date_time.log |
| IMAP log files | IMAP-emailaddress-Incoming-date_time.log |
| HTTP DAV log files | HTTP-emailaddress-date_time.log |
| Outlook Hotmail Connector log files | OLC-emailaddress-date_time.log OLC-date_time.log emailaddress.txt |
| Outlook Sharing Engine log files | SharingEngine date.log |
| Outlook-Windows Desktop Search indexing log files | data file name.log |
| Outlook first-run process log file | firstrun.log |
Outlook 2013 and Outlook 2016 Debug Logfiles
| Log files in the %temp% folder | File name |
| Outlook/SharePoint synchronization logs | .htm and .xml files |
| Log files in the %temp%\EASLogFiles | File name |
| EAS logs for Hotmail accounts | .bin and .xml folders |
| Log files in the %temp%\OlkCalLogs folder | File name |
| Outlook calendar log files | OlkCalLog_date_time .etl |
Log files in the folder
| %temp%\Outlook Logging | File name |
| Advanced ETW log | Outlook-########.etl |
| Transport log file | opmlog.log |
| Outlook profile logs | Prof_OUTLOOK_PID_xxxxxxxx_date_time.txt
Prof_OUTLOOK_PID_LoggingStart_date_time.txt |
| SMTP log files
Note The log files are only logged in Outlook 2016 and earlier versions. |
emailaddress-Outgoing-date_time.log |
| POP3 log files
Note The log files are only logged in Outlook 2016 and earlier versions. |
emailaddress-Incoming-date_time.log |
| IMAP log files
Note The log files are only logged in Outlook 2016 and earlier versions. |
IMAP-emailaddress-Incoming-date_time.log |
| Outlook Sharing Engine log files | SharingEngine date.log |
| Outlook-Windows Desktop Search indexing log files | data file name.log |
| Outlook first-run process log file | firstrun.log |
Note You can sort by Date modified to find the files that were created most recently.