creativecoop

asked on

Random Windows 7 Professional Desktops freeze before login

Hey Experts and Gurus,

I am experiencing a rather odd issue in which a Windows 7 desktop computer will halt / freeze before the Ctrl-Alt-Del login prompt. Only a handful of our desktops do this out of ~100, but those few randomly have this happen.

A power off and on seems to fix the problem until it randomly occurs again.

Background:
OS - Windows 7 Professional OS
OEM - Dell, Lenovo, and white box (custom builds) - Note mostly happens to Dell and Lenovos
Domain - Yes (2 DCs working together) - running in mixed mode to service 2003 and 2008 DCs and servers
Network - 2 main Class C subnets routed between a Sonicwall NSA 2400 - note the issue occurs both inside the network and external.  All the cases in the internal network have been on the same subnet as the DC.
Switches - Netgear ProSafe(s) and Cisco(s) - note the users that have this problem are all on different switches

Reviewing the Error log we can see the event with an ID 100, but not much more than that.

I have seen this kind of issue occur before when the machine is looking for the domain controller, which unplugging the ethernet would let the login prompt through, but this has not worked in this case.

Furthermore I have googled quite a bit on the issue which blame too many profiles, but these machines have no more than 5 profiles on them, and occur with as little as 2 profiles.  Also we have tried fresh reload of the OS via images, but no success.

Thank you for any help you may be able to give.
ASKER CERTIFIED SOLUTION
John
McKnife
Describe at what exact point it happens and what exactly happens. Does the cursor remain movable?
creativecoop

ASKER

Thank you guys for your responses.

@John Hurst - We use Symantec Endpoint as well.  Also how can you limit a profile to use only one DC?  

@McKnife - It happens mostly on the Please Wait screen and you can see the loading spinning wheel (god I hate that they changed it from an hour glass because what the heck do you call this thing). As for the cursor, I cannot remember if we still had control of that or not.
Please note I would like to add to this issue that it happens on:  Please Wait which is loading before login and the after login on the Welcome screen.
Please turn on group policy verbose mode: http://support.microsoft.com/kb/325376 (works for win7, too)
Lord, I think I may have run into the issue.

We are currently running our DCs (all for the same domain) in mixed mode, in which one of the DCs is 2003 R2 and the other 2008 R2. I am now seeing the following events on the 2003 R2 DC: Event 27 on Source KDC, which has to do with Kerberos key generation.

I found a hotfix available to install on the Windows 2008 R2 DC, but I don't see anything for the 2003 R2 DC (which is where the Event 27 is occurring).

I've not patched anything yet, but still reading, as these servers have been online for years, however earlier this year our 2003 R2 DC had some Active Directory/DNS issues and had to be fixed (not via backup) and had to issue some Active Directory repair commands which I've forgotten and would have to look up in my ticket system.

Does this sound like this could be the thorn in my side?
Well the hotfix KB978055 would not install on the Windows Server 2008 R2 with the message:  "The update is not applicable to your computer." even though it met all the requirements.   *Sighs*

Some people say that Event 27 can be ignored, but I see another Warning event that occurs on our 2008 R2 DC that has to do with it, and it is Event 29: "The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."

So I am now looking at Event 27 and Event 29 things on the internet. FYI our Kerberos is not set to use DEC but is using RC4-HMAC(NT)
Actually, after reading and testing the Events 27 and Event 29 are not causing a login issue.  The error/warnings can be ignored until we upgrade out of 2003 DC mode, which I hope is soon.  But you know how that goes... all comes down to money.

So back to the drawing board.
Look at this possible solution on a Microsoft forum:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/24ac15a3-cc65-409d-8cd9-24e9b97d473e/restrict-computers-to-use-specific-domain-controllers?forum=winserverGP

and disable fast logon optimization, and further down to the Domain Controller locator link.
We have confirmed both Domain controllers are successfully authenticating the machine (of course when it does come up). We turned on verbose logging, but nothing shows up when the machine is stuck at "Please wait" which we did wait about 24 hours, but it never went through and required a power off and on.

Note: When the machine gets stuck at "Please wait" it never goes through based on our maximum wait time of 24 hours and we allow 15 minutes between tries and watch the hard drive activity LEDs.

Furthermore we did set the company to Diagnostic start up which after many reboots we were unable to get it stuck at "Please wait" but of course this turns off networking as well, so we turned on the Networking portions and the issue appeared again.

We have not tried to disable fast logon optimization yet, but this would be odd to only cause an issue with a few select computers but the rest operate normally all using the same policies.
Make sure the verbose logging is indeed active. It should display all sorts of policies that are applied at least if those are changed.
By the way: what does eventID 100 stand for, any descriptive text for us?
We enabled the verbose logging on the PC via registry entry and nothing is displayed to the screen besides the lovely "Please wait".

EventID 100 did not have any descriptive text in it, and it appears not to be a part of the problem as it is not appearing when the issue occurred during our testing. We just thought it would be worth mentioning since we saw it throw an EventID 100 before.
We did the registry edit but forgot about the policy changes.  Let me get those set.
@McKnife,

Okay the local group policy appeared to be what we left off for the Verbose Logging (thank goodness because I am tired of this gremlin problem).

Any who, I was able to get the computer to halt again after a few restarts and the last thing shown to the screen was "Local Session Manager"
Ok, if it's one system only, and it's apparently no GPO interference, then resort to your last working image or do an in-place upgrade if you would like to avoid a reinstallation.
Actually we have a handful of systems out of about 100 nodes. All of them using different images. The one we are testing is fresh from Dell with OEM Windows 7 Pro installed. We did not reload our images on it.
Ok, so...? Nevertheless the advice stands.
After some review of all the PCs we see with this issue one thing stood out... Malwarebytes Enterprise Ed. There was an event logged with MBAMM service not being found even though it is there and will run. We have uninstalled it on a select computer that continually has the hang issue at "Please wait" (with Verbose Logging - "Local Session Manager") and after about 20 restarts/shutdowns we have been unable to make it hang.

I am not going to claim this fix yet until after a few days with the software uninstalled, then we will reinstall and see what happens.

*Note all our computers are running with Malwarebytes Enterprise, so it's odd why it would only cause a handful of computers to freak out but I've seen similar events in my IT life.
I asked you about Anti Virus way back at the beginning (as that has been an issue for some computers).

But you said you were using Symantec Endpoint Protection. I use this with no hanging at all.

So now, are you saying you are using TWO antivirus applications on the same computers?  I do not recommend that.
I use two security applications which attack two different problems. I've run with anti virus and anti malware applications for 10 plus years and it has been accepted by the community due to the nature of what each of the applications look for.

Malwarebytes is for malware protection as Symantec falls short on this.

Please know the difference.
I find SEP to be very good overall, but no matter what suite, no one anti virus catches everything.

So if I need to run Malwarebytes, I install, run and uninstall again.

It is best just to have one antivirus suite running at any one time.
Malwarebytes was the culprit but it was a corrupted installation.
After uninstalling the agent then reinstalling the agent there have been no more issues.

We have run Malwarebytes Pro and Enterprise Editions for years without having this issue. I would never run two true antivirus suites as that does cause issues. Malwarebytes doesn't work the way a true antivirus program does therefore I have no problem running it in conjunction with SEP.

Thanks for everyone's suggestions.
I've requested that this question be closed as follows:

Accepted answer: 0 points for creativecoop's comment #a40023775

for the following reason:

Issue resolved by following the procedure posted
Okay the problem has been finally verified.

It appears Malwarebytes was causing the issue but a reinstallation fixed the problem.