Solved

Unable to logon to Windows XP workstation, corrupt profile?

Posted on 2010-11-23
Last Modified: 2012-05-10
We have 4 Windows XP Pro SP3 PC's that suddenly the users are unable to log on to.  We cannot log on with the user or local Administrator accounts.  We CAN log on in Safe Mode. Two of the PC's have experienced Blue Screens.

We get the following error messages:

Source:  Userenv
Event ID:  1505
Windows cannot load the user's profile but has logged you on with the default profile for the system.
Insufficient system resources exist to complete the requested service.

Userinit.exe - Application error.
The application failed to initialize properly.

Source:  Userenv
Event ID:  1508
Windows was unable to load the registry.  This is often caused by insufficient memory or insufficient security rights.
Insufficient system resources exist to complete the requested service.  for C:\Documents and Settings\username\ntuser.dat.

Source:  Application Error
Event ID:  1000
Faulting application logonui.exe.

Source:  Service Control Manager
Event ID:  7023
The Workstation service terminated with the following error:  
Insufficient system resources exist to complete the requested service.

-  We get these errors with either the user account or the local Administrator account.
-  The Windows XP SP3 PC's are connected to a Windows Server 2003 R2 server in a workgroup;  no Domain exists.
-  The errors occur only when logging on regularly;  we can logon in Safe Mode.
-  I scanned the hard drives for viruses in another PC and found nothing except some common adware - MyWebSearch, etc.

Any ideas what is going on?
0
Question by:narley
26 Comments
 
LVL 12

Expert Comment

by:Kent W
ID: 34200129
Are you using roaming profiles?
0
 

Author Comment

by:narley
ID: 34200142
I thought perhaps I had a corrupt User Profile.  So I logged on in Safe Mode, backed up the user profile files, deleted the User account and the profile folder in Documents and settings, created a Test user account, and rebooted.  I get the same "User Environment " error and am unable to login.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 34200173
All of those errors are pointing to a probable system resource issue.  Did you add anything to a login script that maybe has gone awry?  Biggest question, are you in an Active Directory environment, and if so, are you using roaming profiles?
0
 
LVL 7

Expert Comment

by:Rommel Sultan
ID: 34200222
Can you try running chkdsk c: /f /r
Once there is a file corruption issue there is a good chance of having a hard drive issue.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 34200228
This error is also caused on an AD domain if your /NETLOGON/Default_User is missing, renamed, or corrupt.
0
 
LVL 5

Expert Comment

by:chqshaitan
ID: 34200255
Yeah, as has been mentioned, if you are on AD, do you have other machines that can be logged onto fine, or are all of them affected?

Have there been any recent changes to network configuration? Windows Update? etc.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34200331
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Make sure that nothing is jacking with the SHELL value, which should be Explorer.exe
Also, make sure that the UserInit value is "C:\windows\system32\userinit.exe,"

What's the value for Logonui/Shell as well?

Check permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList as well....
0
 

Author Comment

by:narley
ID: 34200335
Hi Mugojava.  I'm not very familiar with Roaming Profiles.  I booted into Safe Mode and checked in Windows System Properties\Advanced\User profiles and all profiles listed are Local.  I also looked on the server for shares with User Profiles and there are none.  Is there anything else to check?
0
 

Author Comment

by:narley
ID: 34200341
No Domain, no Active Directory.  Workgroup only.
 
0
 

Author Comment

by:narley
ID: 34200359
Whatever this is, it took out 4 PC's the same week.  I only yesterday took over administration of the network and so am unsure what changes could have been made previously.  Just getting familiar with the setup.
0
 
LVL 5

Expert Comment

by:chqshaitan
ID: 34200407
Mm, that's very weird. Have there been any power issues like spikes? Since it's a workgroup, there is very little central management that you can do.

Is there a server?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34200409
Sounds viral.... awaiting your results of the above reg keys......
0
 
LVL 12

Expert Comment

by:Kent W
ID: 34200416
You do not appear to be using RP then.

On your AD server, make sure you have a directory under /ADdomain/NETLOGON/Default_User
Other causes - group policies that are computer based may also be an issue, as any AD User Configuration policies (not Computer Configuration policies) would not affect Local/administrator, but that logon WOULD be affected by changes made to the AD domain Computer Config policy.

Since this is happening on more than one workstation, I wouldn't suspect it was a hard drive or local resource issue, unless it's your AD controller having that issue.
0

 

Author Comment

by:narley
ID: 34200477
Johnb6767:

The Winlogon and Userinit values are correct.

Where is the Logonui/Shell entry?

The ProfileList permissions are as follows:
Administrators - Full Control and Read
Creator Owner - Special (full control - Subkeys only)
Power Users - Read
System - Full Control and Read
Users - Read
0
 

Author Comment

by:narley
ID: 34200491
No Active Directory installed on Server 2003.  I thought viral too, but full scans of the affected hard drives with Symantec Endpoint Protection and Malwarebytes in a Removal PC found nothing.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 34200502
I'm agreeing with John, if you are using just a Workgroup, no logon servers, no AD, just XP workstations, sounds like you have contracted a nasty bug, especially if multiple WS are involved.

On the latest "infected", I would try System restore and see if there were a date before it went bad you can revert to.  Make sure any mappings to shared drives on other systems are off, or you may just infect it again, if you get so lucky as to revert to a clean state in the first place.
0
 

Author Comment

by:narley
ID: 34200516
System restore seemed to work for a while, then problem came back.  That seems to indicate viral also.
0
 

Author Comment

by:narley
ID: 34200534
I'm leaning towards wiping the PC's clean and reinstalling, but sure would like to ID the cause.
0
 
LVL 12

Expert Comment

by:Kent W
ID: 34200536
Yep, I would look first at any shared resources the infected machines have in common.  That sucks!
0
 
LVL 4

Expert Comment

by:zcrammond
ID: 34200729
Some pointers found relating to MS updates etc. (could explain why going back to a recovery point fixed it for a little while, until auto update kicked in again)

See M843426 for a hotfix if you have previously installed M818133.

This problem can appear if the registry hive is corrupt or if you no longer have adequate privileges to the registry hive. See MSW2KDB for more details.

From a newsgroup post: "These error logs indicate that the user profiles in your server are either corrupted, or are not properly configured.

Suggestion 1:
This can happen if some users’ ProfileImagePath registries are duplicated with other users' ProfileImagePath. To resolve the issue, perform the following steps:
1. Run "WHOAMI /USER /SID" to determine the users’ correct SID.
If you do not have the whoami command tool, you can download and install it from the link below.
Note: By default, it will install to the C:\Program files\Resource Kit folder. To run it, go to a command prompt and change the path to C:\Program Files\Resource Kit. Then type "whoami /USER /SID" (without quotes) and press Enter. It should display the current users’ name and SID.
2. Check the ProfileImagePath value under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>.
Note down this ProfileImagePath value.
3. Check the other ProfileList\<SID> keys for matching ProfileImagePath values and delete those keys.
Note: Please make sure you have backed up the registry key before you delete them.
4. Test and see if the problem is fixed.
Did you manually move your users' profiles to another drive? If you have moved the Documents and Settings folder, it will lead to the issue. Microsoft does not support moving the Documents and Settings folder in Windows Server 2003 or Windows XP to another drive. Although you can try the steps in M236621, Microsoft provides it for informational purposes only.

Suggestion 2:
If the issue persists, I suggest that you create a new user and then copy the user profile. When copying, the following files should be excluded:
- Ntuser.dat
- Ntuser.dat.log
- Ntuser.ini.
See M811151 for information on how to copy user data to a new user profile. Test and see if the problem is fixed".

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34200868
"Where is the Logonui/Shell entry?"

Same entry as the userinit, I gave you the wrong value though......

In "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

UIHost is the value, pointing to logonui.exe

You already confirmed that Userinit is "c:\windows\system32\userinit.exe," (notice the comma)....

Permissions on the ProfileList look good. Might want to hit the Advanced Button, and "Replace permissions entries on all child objects with entries shown here that apply to child objects"... Just to make sure all the subkeys are ok.

Further down the Subkeys to the actual user's subkey, they will have Special Permissions.



0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34200885
2 other suggestions, I'll separate them for ease of reading......

How to remove malware belonging to the family Rootkit.Win32.TDSS ...
http://support.kaspersky.com/viruses/solutions?qid=208280684

Had one of these today, that was preventing a full logon. User was authenticated, but nothing ever happened past that. Easy enough to fix.....

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34200892
Process Monitor can enable boot logging, so you can see what's happening in EXTREME DETAIL............

Troubleshooting with Process Monitor
http://blogs.technet.com/b/askperf/archive/2007/06/01/troubleshooting-with-process-monitor.aspx

Options>Select Enable Boot Logging, and reboot.... After reboot, launch Procmon to compile the logs.....

Then you can look at the times to see if there are any hits (use the search feature) on "Access Denied".... By the time you start compiling the data, you'll be in a TEMP profile hopefully....

0
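An added example (not part of the thread): one way to run the "Access Denied" search described above over a boot log that Process Monitor has saved as CSV. It assumes Process Monitor's default column layout; the restriction to logon processes and profile paths, the function name and the sample rows are choices made for this example.

```python
import csv
import io
from collections import Counter

# Assumption: the processes involved in the failing logon, taken from the errors in the thread.
LOGON_PROCS = {"winlogon.exe", "userinit.exe", "logonui.exe"}
# Assumption: only profile folders and the ProfileList key are of interest here.
PROFILE_HINTS = ("\\documents and settings\\", "\\currentversion\\profilelist")

def denied_during_logon(csv_text):
    """Count ACCESS DENIED results per (process, operation, path) for logon processes."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue
        proc, path = row["Process Name"].lower(), row["Path"]
        if proc in LOGON_PROCS and any(h in path.lower() for h in PROFILE_HINTS):
            hits[(proc, row["Operation"], path)] += 1
    return hits.most_common()

# Constructed rows for illustration; not taken from the affected PCs.
BOOT_LOG_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1000000 AM","winlogon.exe","620","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1-2-3-1003","SUCCESS","Desired Access: Read"
"9:01:02.2000000 AM","winlogon.exe","620","CreateFile","C:\Documents and Settings\alice\NTUSER.DAT","ACCESS DENIED","Desired Access: Generic Read/Write"
"9:01:02.3000000 AM","winlogon.exe","620","CreateFile","C:\Documents and Settings\alice\NTUSER.DAT","ACCESS DENIED","Desired Access: Generic Read/Write"
"9:01:02.4000000 AM","svchost.exe","980","CreateFile","C:\WINDOWS\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
"9:01:03.0000000 AM","userinit.exe","1204","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList","ACCESS DENIED","Desired Access: Read"
'''

if __name__ == "__main__":
    for (proc, op, path), count in denied_during_logon(BOOT_LOG_CSV):
        print(f"{count:3d}  {proc:14s} {op:12s} {path}")
```
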
 
LVL 66

Expert Comment

by:johnb6767
ID: 34200907
Also, what if you created a new User on the box. Will it logon?

Make sure that the permissions are intact for each C:\Docs and Settings\Profilename folder as well...

Especially Default User (hidden folder).....
0
 

Author Comment

by:narley
ID: 34201820
I created a Test user and had the same error.  I'll check the permissions and respond later.  Thanks.
0
 
LVL 1

Accepted Solution

by:CraigCal (earned 500 total points)
ID: 34504160
I had the same problem with Windows 7.

1.      Restart your PC to release the locks on your profiles.
2.      Log on with another administrative account.
3.      Delete C:\Users\%username%
4.      Delete C:\Users\TEMP
5.      Delete the registry key matching your SID from
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList". Check the value "ProfileImagePath" to make sure you pick your own profile.

Note: you can use "whoami /all" at the cmd prompt to make sure not to delete the wrong SIDs for each working profile if you do not know the SID of the corrupt profile.
6.      Restart once again and then you're done!
0
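An added example, not code from any poster in this thread: it runs the Winlogon value check from johnb6767's comments and the duplicate ProfileImagePath check from the ProfileList steps above against a text export of the registry, so the keys can be reviewed before anything is deleted. The function names and the sample export (SIDs, profile names, the extra Userinit entry) are constructed for illustration.

```python
import re
from collections import defaultdict

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
# Winlogon values the thread gives as correct (compared case-insensitively).
EXPECTED = {"Shell": "explorer.exe", "UIHost": "logonui.exe",
            "Userinit": r"c:\windows\system32\userinit.exe,"}

def parse_reg(text):
    """Parse registry export text into {key path: {value name: string}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)             # rejoin wrapped hex lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("hex(2):"):               # REG_EXPAND_SZ: UTF-16LE bytes
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                cur[name] = data.decode("utf-16-le").rstrip("\0")
            elif raw.startswith('"'):                   # REG_SZ: undo \\ and \" escapes
                cur[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return keys

def winlogon_deviations(keys):
    """Winlogon values that are missing (None) or differ from EXPECTED."""
    vals = keys.get(BASE + r"\Winlogon", {})
    return {n: vals.get(n) for n, want in EXPECTED.items()
            if (vals.get(n) or "").lower() != want}

def shared_profile_paths(keys):
    """ProfileImagePath values claimed by more than one ProfileList\\<SID> key."""
    by_path = defaultdict(list)
    for key, vals in keys.items():
        if key.startswith(BASE + "\\ProfileList\\") and "ProfileImagePath" in vals:
            by_path[vals["ProfileImagePath"].lower()].append(key.rsplit("\\", 1)[1])
    return {p: sids for p, sids in by_path.items() if len(sids) > 1}

def expand_sz(s):  # how a .reg file stores REG_EXPAND_SZ; used to build the sample
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))
# Constructed export: SIDs, profile names and the extra Userinit entry are made up.
PL = BASE + "\\ProfileList\\S-1-5-21-1-2-3-"
DS = "%SystemDrive%\\Documents and Settings\\"
REG_EXPORT = "\n".join(
    ["Windows Registry Editor Version 5.00", "", "[" + BASE + "\\Winlogon]",
     '"Shell"="Explorer.exe"', '"UIHost"=' + expand_sz("logonui.exe"),
     r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\example\\other.exe,"']
    + [f'[{PL}{rid}]\n"ProfileImagePath"={expand_sz(DS + name)}'
       for rid, name in [(1003, "alice"), (1007, "Alice"), (1008, "bob")]])
```

For a real export, read the file with `open(path, encoding="utf-16").read()`, since the version 5.00 export format is written as UTF-16.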
