WinNT Workstations Locking with NULL Username
Posted on 2003-03-29
I administrate a Windows NT Network of approximately 500 workstations. A problem we have started having lately is that certain workstations start locking up, when no one is logged on, with no username.
The exact message is:
"This workstation is in use and has been locked"
"This workstation can only be unlocked by \ or an administrator"
"Press Ctl + Alt + Del to unlock this workstation"
It takes between 5 to 10 minutes of one of the affected workstations to lock up in this manner. It only happens when someone has logged off completely. An administrator account will not unlock a workstation once it has locked, although if it hasn't locked up yet, a user or administrator can log in normally with no problems. Once it has locked, the only solution appears to be rebooting the workstation.
This appears to afflict workstations randomly, with approximately 20% of our workstations affected right now. The only common factor among all the workstations is that the system registry reports that the Syskey encryption has been enabled, even though no administrators or users have run the syskey.exe application, and we have a common practice of removing this application from the workstations and servers. Even when Syskey is "turned on", the local username password hashes have not changed in length, or been encrypted, so I do not believe that Syskey is truly being enabled.
Using an offline registry editor to remove the Syskey entries has had some effect, although it will usually reset itself back to "on" after a few reboots. Sometimes it does not do this. I cannot yet prove that Syskey is causing the lockup issue.
Right now, the only permanent solution I have is to low-level format the affected workstations, and reload them from scratch. Sometimes this does not work, as a workstation can later be affected by this error.
We are running Norton Antivirus, corporate edition, with the latest signatures, and nothing is reported by it. This affliction is not a virus or worm that I am aware of.
All of our Workstations are WinNT 4.0, Service pack 6a, with custom load of software applications, Security Patches, and Hotfixes. I am not completely familiar with every single patch on our network, so it is entirely possible that one of them is causing it, although I doubt that, because not every system is affected by this, but we are pretty good on staying with updates.
I am assigning this question the malximum value of points, because I have accessed every other resource on the internet, and through Microsoft that I can think of, and no one has ever had thisw problem to my knowledge. I am hoping that one of you has more knowledge about the registry than I do, and can help me fix this problem.