Solved

Unable to logon to Windows XP workstation, corrupt profile?

Posted on 2010-11-23
Last Modified: 2012-05-10
We have 4 Windows XP Pro SP3 PC's that suddenly the users are unable to log on to.  We cannot log on with the user or local Administrator accounts.  We CAN log on in Safe Mode. Two of the PC's have experienced Blue Screens.

We get the following error messages:

Source:  Userenv
Event ID:  1505
Windows cannot load the user's profile but has logged you on with the default profile for the system.
Insufficient system resources exist to complete the requested service.

Userinit.exe - Application error.
The application failed to initialize properly.

Source:  Userenv
Event ID:  1508
Windows was unable to load the registry.  This is often caused by insufficient memory or insufficient security rights.
Insufficient system resources exist to complete the requested service.  for C:\Documents and Settings\username\ntuser.dat.

Source:  Application Error
Event ID:  1000
Faulting application logonui.exe.

Source:  Service Control Manager
Event ID:  7023
The Workstation service terminated with the following error:  
Insufficient system resources exist to complete the requested service.

-  We get these errors with either the user account or the local Administrator account.
-  The Windows XP SP3 PC's are connected to a Windows Server 2003 R2 server in a workgroup;  no Domain exists.
-  The errors occur only when logging on regularly;  we can logon in Safe Mode.
-  I scanned the hard drives for viruses in another PC and found nothing except some common adware - MyWebSearch, etc.

Any ideas what is going on?
Question by:narley
 
LVL 12

Expert Comment

by:Kent W
ID: 34200129
Are you using roaming profiles?

Author Comment

by:narley
ID: 34200142
I thought perhaps I had a corrupt User Profile.  So I logged on in Safe Mode, backed up the user profile files, deleted the User account and the profile folder in Documents and settings, created a Test user account, and rebooted.  I get the same "User Environment " error and am unable to login.
LVL 12

Expert Comment

by:Kent W
ID: 34200173
All of those errors are pointing to a probable system resource issue.  Did you add anything to a login script that maybe has gone awry?  Biggest question, are you in an Active Directory environment, and if so, are you using roaming profiles?
LVL 7

Expert Comment

by:Rommel Sultan
ID: 34200222
Can you try running chkdsk c: /f /r
Once there is a file corruption issue there is a good chance of having a hard drive issue.
LVL 12

Expert Comment

by:Kent W
ID: 34200228
This error is also caused on an AD domain if your /NETLOGON/Default_User is missing, renamed, or corrupt.
LVL 5

Expert Comment

by:chqshaitan
ID: 34200255
Yeah, as has been mentioned, if you are on AD, do you have other machines that can be logged onto fine, or are all of them affected?

Have there been any recent changes to network configuration? Windows Update? etc.
LVL 66

Expert Comment

by:johnb6767
ID: 34200331
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Make sure that nothing is jacking with the SHELL value, which should be Explorer.exe
Also, make sure that the UserInit value is "C:\windows\system32\userinit.exe,"

What's the value for Logonui/Shell as well?

Check permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList as well....

Author Comment

by:narley
ID: 34200335
Hi Mugojava.  I'm not very familiar with Roaming Profiles.  I booted into Safe Mode and checked in Windows System Properties\Advanced\User profiles and all profiles listed are Local.  I also looked on the server for shares with User Profiles and there are none.  Is there anything else to check?

Author Comment

by:narley
ID: 34200341
No Domain, no Active Directory.  Workgroup only.
 

Author Comment

by:narley
ID: 34200359
Whatever this is, it took out 4 PC's the same week.  I only yesterday took over administration of the network and so am unsure what changes could have been made previously.  Just getting familiar with the setup.
LVL 5

Expert Comment

by:chqshaitan
ID: 34200407
Mm, that's very weird. Have there been any power issues like spikes? Since it's a workgroup there is very little central management that you can do.

Is there a server?
LVL 66

Expert Comment

by:johnb6767
ID: 34200409
Sounds viral.... awaiting your results of the above reg keys......
LVL 12

Expert Comment

by:Kent W
ID: 34200416
You do not appear to be using RP then.

On your AD server, make sure you have a directory under /ADdomain/NETLOGON/Default_User
Other causes -group policies that are computer based may also be an issue, as any AD User Configuration policies (not Computer Configuration policies) would not affect Local/administrator, but that logon WOULD be affected by changes made to the AD domain Computer Config policy.  

Since this is happening on more than one workstation, I wouldn't suspect it was a hard drive or local resource issue, unless it's your AD controller having that issue.

Author Comment

by:narley
ID: 34200477
Johnb6767:

The Winlogon and Userinit values are correct.

Where is the Logonui/Shell entry?

The ProfileList permissions are as follows:
Administrators - Full Control and Read
Creator Owner - Special (full control - Subkeys only)
Power Users - Read
System - Full Control and Read
Users - Read

Author Comment

by:narley
ID: 34200491
No Active Directory installed on Server 2003.  I thought viral too, but full scans of the affected hard drives with Symantec Endpoint Protection and Malwarebytes in a Removal PC found nothing.
LVL 12

Expert Comment

by:Kent W
ID: 34200502
I'm agreeing with John, if you are using just a Workgroup, no logon servers, no AD, just XP workstations, sounds like you have contracted a nasty bug, especially if multiple WS are involved.

On the latest "infected", I would try System restore and see if there were a date before it went bad you can revert to.  Make sure any mappings to shared drives on other systems are off, or you may just infect it again, if you get so lucky as to revert to a clean state in the first place.

Author Comment

by:narley
ID: 34200516
System restore seemed to work for a while, then problem came back.  That seems to indicate viral also.

Author Comment

by:narley
ID: 34200534
I'm leaning towards wiping the PC's clean and reinstalling, but sure would like to ID the cause.
LVL 12

Expert Comment

by:Kent W
ID: 34200536
Yep, I would look first at any shared resources the infected machines have in common.  That sucks!
LVL 4

Expert Comment

by:zcrammond
ID: 34200729
some pointers found relating to MS updates etc (could explain why going back to a recovery point fixed it for a little while (until auto update kicked in again) )

See M843426 for a hotfix if you have previous installed M818133.

This problem can appear if the registry hive is corrupt or if you no longer have adequate privileges to the registry hive. See MSW2KDB for more details.

From a newsgroup post: "These error logs indicate that the user profiles in your server are either corrupted, or are not properly configured.

Suggestion 1:
This can happen if some users’ ProfileImagePath registries are duplicated with other users' ProfileImagePath. To resolve the issue, perform the following steps:
1. Run "WHOAMI /USER /SID" to determine the users’ correct SID.
If you do not have the whoami command tool, you can download and install it from the link below.
Note: By default, it will install to the C:\Program files\Resource Kit folder. To run it, go to a command prompt and change the path to C:\Program Files\Resource Kit. Then type "whoami /USER /SID" (without quotes) and press Enter. It should display the current users’ name and SID.
2. Check the ProfileImagePath value under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>.
Note down this ProfileImagePath value.
3. Check the other ProfileList\<SID> keys for matching ProfileImagePath values and delete those keys.
Note: Please make sure you have backed up the registry key before you delete them.
4. Test and see if the problem is fixed.
Did you manually move your users' profiles to another drive? If you have moved the Documents and Settings folder, it will lead to the issue. Microsoft does not support moving the Documents and Settings folder in Windows Server 2003 or Windows XP to another drive. Although you can try the steps in M236621, Microsoft provides it for informational purposes only.

Suggestion 2:
If the issue persists, I suggest that you create a new user and then copy the user profile. When copying, the following files should be excluded:
- Ntuser.dat
- Ntuser.dat.log
- Ntuser.ini.
See M811151 for information on how to copy user data to a new user profile. Test and see if the problem is fixed".

LVL 66

Expert Comment

by:johnb6767
ID: 34200868
"Where is the Logonui/Shell entry?"

Same entry as the userinit, I gave you the wrong value though......

In "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

UIHost is the value, pointing to logonui.exe

You already confirmed that Userinit is "c:\windows\system32\userinit.exe," (notice the comma)....

Permissions on the ProfileList look good. Might want to hit the Advanced button, and "Replace permission entries on all child objects with entries shown here that apply to child objects"... Just to make sure all the subkeys are ok.

Further down the Subkeys to the actual user's subkey, they will have Special Permissions.



LVL 66

Expert Comment

by:johnb6767
ID: 34200885
2 other suggestions, I'll separate them for ease of reading......

How to remove malware belonging to the family Rootkit.Win32.TDSS ...
http://support.kaspersky.com/viruses/solutions?qid=208280684

Had one of these today, that was preventing a full logon. User was authenticated, but nothing ever happened past that. Easy enough to fix.....

LVL 66

Expert Comment

by:johnb6767
ID: 34200892
Process Monitor can enable boot logging, so you can see what's happening in EXTREME DETAIL............

Troubleshooting with Process Monitor
http://blogs.technet.com/b/askperf/archive/2007/06/01/troubleshooting-with-process-monitor.aspx

Options>Select Enable Boot Logging, and reboot.... After reboot, launch Procmon to compile the logs.....

Then you can look at the times to see if there are any hits (use the search feature) on "Access Denied".... By the time you start compiling the data, you'll be in a TEMP profile hopefully....

LVL 66

Expert Comment

by:johnb6767
ID: 34200907
Also, what if you created a new User on the box. Will it logon?

Make sure that the permissions are intact for each C:\Docs and Settings\Profilename folder as well...

Especially Default User (hidden folder).....

Author Comment

by:narley
ID: 34201820
I created a Test user and had the same error.  I'll check the permissions and respond later.  Thanks.
LVL 1

Accepted Solution

by:
CraigCal earned 500 total points
ID: 34504160
I had the same problem with Windows 7.

1.      Restart your PC to release the locks on your profiles.
2.      Log on with another administrative account.
3.      Delete C:\Users\%username%
4.      Delete C:\Users\TEMP
5.      Delete the registry key matching your SID from
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList". Check the value "ProfileImagePath" to make sure you pick your own profile.

Note: you can use "whoami /all" at the cmd prompt to make sure not to delete the wrong SIDs for each working profile if you do not know the SID of the corrupt profile.
6.      Restart once again and then you're done!
0
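
A read-only way to run the registry checks discussed in this thread (the Winlogon Shell, Userinit and UIHost values, and the ProfileList SID to ProfileImagePath mapping, including SIDs that share one path), added here as an example and not part of any poster's reply. It assumes PowerShell 2.0 or later is installed on the workstation; the function names are hypothetical.

```powershell
# Added example: read-only audit. Nothing is modified or deleted.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Test-WinlogonValues {
    # Expected values as stated in the thread; %SystemRoot% stands in for C:\windows.
    $expected = @{
        Shell    = 'Explorer.exe'
        Userinit = "$env:SystemRoot\system32\userinit.exe,"   # note the trailing comma
        UIHost   = 'logonui.exe'
    }
    $actual = Get-ItemProperty -Path "$base\Winlogon"
    foreach ($name in $expected.Keys) {
        $value = $actual.$name            # empty if the value does not exist
        New-Object PSObject -Property @{
            Name = $name; Actual = $value; Expected = $expected[$name]
            Match = ($value -eq $expected[$name])   # case-insensitive compare
        }
    }
}

function Get-ProfileListEntries {
    # One object per ProfileList\<SID> subkey, with its profile folder checked on disk.
    Get-ChildItem -Path "$base\ProfileList" | ForEach-Object {
        $raw  = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        New-Object PSObject -Property @{
            Sid              = $_.PSChildName
            ProfileImagePath = $path
            FolderExists     = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

# Same information as "whoami /user": the SID of the account running the script.
$mySid   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$entries = @(Get-ProfileListEntries)

'--- Winlogon values ---'
Test-WinlogonValues | Format-Table Name, Match, Actual, Expected -AutoSize

'--- ProfileList entries (current user: {0}) ---' -f $mySid
$entries | Format-Table Sid, FolderExists, ProfileImagePath -AutoSize

'--- SIDs sharing one ProfileImagePath ---'
$entries | Where-Object { $_.ProfileImagePath } |
    Group-Object -Property ProfileImagePath |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { '{0} <- {1}' -f $_.Name, (($_.Group | ForEach-Object { $_.Sid }) -join ', ') }
```

A Winlogon row with Match = False, or a ProfileList entry whose folder is missing or whose path is shared by two SIDs, is the thing to examine before any key is backed up and deleted by hand.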
