Solved

Server hang at usrlogon.cmd. Unable to start / run any msc application or end currently running ones

Posted on 2014-01-27
Last Modified: 2014-02-11
Hello


We had a bizarre issue today with one of our managed servers, and this question is really to see if anyone has experienced similar behaviour or seen similar issues.


Basically the server was very slow to respond, but we were able to log into it and run task manager, etc


The server was running a multitude of services, mostly from a managed service account - and we couldn't end any of the processes, via task manager or taskkill /f


We ended up restarting the server, to which the server restarted and came back online. Connectivity and functionality restored to the server and we were able to log back in remotely as the administrator


Once we had logged in, the usrlogon.cmd process was stuck for some time, but we were able to spawn an instance of explorer.exe to get past it to perform other tasks. However, we found that we were unable to load server management, or any msc on the server (it would just end up as not responding). We were unable to end any process / msc from task manager either. We tried logging in as another administrator user and ending the other remote session


The other remote session ended, however all processes spawned by that user were still running. We were unable to end the processes via task manager or taskkill /f.


Symptoms:

Spawned instances / applications not being able to run properly

Spawned instances / MSC applications not being able to be ended properly

usrlogon.cmd causing the system to hang


Remedy:

We had to hard reset the system to restore functionality. Restarting the server from Windows had the system hung at 'shutting down' for over 10 minutes and due to the nature of the site operation, had to be interrupted and hard reset (was taking too long to shut down)
Question by:HeronTech
3 Comments
 

Expert Comment

by:Davis McCarn
ID: 39815259
Pray the infection isn't too bad!
TDSSKiller: http://usa.kaspersky.com/downloads/tdsskiller
Roguekiller: http://tigzy.geekstogo.com/roguekiller.php
Both are standalones that won't do anything until you tell them to.
 

Accepted Solution

by:
Coralon earned 100 total points
ID: 39816674
I wrote an article on how this process works, and something is likely hung up in it.  Article - http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/Citrix/A_9235-How-USRLOGON-CMD-processing-works.html

A few key questions:
1. Did you comment out the if _setlevel == FAIL line towards the top?
2. Are you using usrlogn1.cmd?
3. Are you using usrlogn2.cmd?
4. If you are using usrlogn2.cmd, did you set the root drive letter?

I would also start adding some echo lines into all of these batch files, including your custom scripts.  The idea is to catch which step is actually hanging.

Create a directory on the root, and at each stage of your batch file, add echo lines like these:
echo changing to c:\windows\application compatibility scripts\logon >> c:\temp\usrlogon.log
pushd "%systemroot%\application compatibility scripts\logon"
echo Starting usrlogn1.cmd >> c:\temp\usrlogon.log



Next time it hangs, you'll be able to see the last successful step, and the last step that actually hung, to see what it is doing.   For example, if you had a drive mapping in one of your custom scripts that didn't exist, it could hang on trying to time out, etc.

Coralon
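
The step-by-step logging suggested in the answer above, written out as an added example that is not part of the original answer or of usrlogon.cmd itself. The `:log` helper, the BEGIN/END markers and the share `\\fileserver.example\share` are hypothetical; each step is bracketed so that a BEGIN line with no matching END identifies the step that hung.

```batch
@echo off
rem Added example, not from the original answer. The :log helper, the
rem BEGIN/END markers and the share \\fileserver.example\share are
rem hypothetical; c:\temp\usrlogon.log is the log file used in the answer.
setlocal
set "LOGFILE=c:\temp\usrlogon.log"
rem Users who log on must be able to write to this directory.
if not exist "c:\temp" mkdir "c:\temp"

call :log BEGIN "pushd logon scripts directory"
pushd "%systemroot%\application compatibility scripts\logon"
call :log END "pushd logon scripts directory, errorlevel %errorlevel%"

rem A mapping to an unreachable server is the kind of step that can stall.
call :log BEGIN "map X: to file server"
net use X: \\fileserver.example\share /persistent:no
call :log END "map X: to file server, errorlevel %errorlevel%"

popd
call :log DONE "logon script finished"
endlocal
goto :eof

rem Append one line: date, time, user, marker, step description.
:log
>>"%LOGFILE%" echo %date% %time% %username% %~1 %~2
goto :eof
```

Because every line carries the user name, logons from several users can share one log file; the timestamps on a BEGIN/END pair also show how long a slow step took.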
 

Author Closing Comment

by:HeronTech
ID: 39852013
The server itself hasn't had a recurrence of the issue, so we are just chalking it up to a once off issue. The server has rebooted several times as part of its scheduled settings without incident.

DavisMcCarn - there hasn't been any infection on this server which has caused this particular issue