Event Id: 4005 on RDS Server.

Hi,

I am continuously getting event id: 4005 on RDS server.  

Server OS: Microsoft Windows Server 2012 R2 Standard.

The Winlogon process terminates unexpectedly and prevents new logins from processing. However, the only way to get the login process to work again is to power cycle the server.

Webroot antivirus agent is installed on the server.

==================================================================
Event Logs:
==================================================================
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          10/9/2017 4:30:19 PM
Event ID:      4005
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      
Description:
The Windows logon process has unexpectedly terminated.

Below are the steps which I have performed on the server:

-- Ran the SFC /Scannow command and successfully repaired the Windows Resource Protection corruption.
-- Ran the DISM ScanHealth command on the server and no component store corruption was detected.
-- Installed latest Microsoft released updates on the server.

==================================================================
SFC /Scannow command Result:
==================================================================
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.
--------------------------------------------------------------------
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd\

C:\>findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >sfcdetails.txt

C:\>sfcdetails.txt

2017-10-10 11:34:01, Info                  CSI    0000093e [SR] Repairing 1 components
2017-10-10 11:34:01, Info                  CSI    0000093f [SR] Beginning Verify and Repair transaction
2017-10-10 11:34:01, Info                  CSI    00000940 [SR] Repairing corrupted file [ml:520{260},l:154{77}]"\??\C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"\[l:36{18}]"Server Manager.lnk" from store
2017-10-10 11:34:01, Info                  CSI    00000941 [SR] Repairing corrupted file [ml:520{260},l:154{77}]"\??\C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"\[l:34{17}]"Control Panel.lnk" from store
2017-10-10 11:34:01, Info                  CSI    00000942 [SR] Repair complete
2017-10-10 11:34:01, Info                  CSI    00000943 [SR] Committing transaction
2017-10-10 11:34:01, Info                  CSI    00000948 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction  have been successfully repaired

==================================================================
DISM ScanHealth command Result:
==================================================================
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dism /online /cleanup-image /scanhealth

Deployment Image Servicing and Management tool
Version: 6.3.9600.17031

Image Version: 6.3.9600.17031

[==========================100.0%==========================]
No component store corruption detected.
The operation completed successfully.

Regards,
Vikrant Wakchaure...

Vikrant Wakchaure (Author) Commented:
Addition to the previous comment:

Tried to install the below-mentioned update on the server but it shows as not applicable. It looks like this update is superseded by other update(s).

November 15, 2016:-  (Preview of Monthly Rollup)
https://support.microsoft.com/en-us/kb/3197875

Regards,
Vikrant Wakchaure...
William Miller (IT Specialist) Commented:
I found an almost identical issue with an environment using Webroot. It seems this is a confirmed issue with Webroot, but I've yet to find a notable fix. You may want to contact Webroot support to see if they can point you to an update that may fix the issue.

I also came across this in my quick research:

https://support.microsoft.com/en-us/help/3197875/november-2016-preview-of-monthly-quality-rollup-for-windows-8-1-and-wi

This appears to be a fix that could solve this issue as well. However, this fix doesn't pertain to the Webroot issue that I was able to find.
William Miller (IT Specialist) Commented:
It looks like we were on the same track at least with the update. You got it just a few seconds before I could post it, haha. Look to Webroot as the possible cause, then.
Vikrant Wakchaure (Author) Commented:
Hi,

Webroot released the new agent (9.0.18.34 -  October 2th 2017).

Added

• Efficacy improvements when making determinations for critical system processes
• Enabled installation where TLS version is 1.1 or greater
• Data gathering for phase 1 of malicious scripts shield
• Extended data set transmitted for use with Machine Learning
• Further optimization of cloud communications
• Handle /disable command line option correctly
• Improvements to hash calculation for non-PE files
• In Product Messaging (IPM) displays special characters correctly
• Select IPMs can trigger re-acceptance of EULA
• Update WSA copyright message to 2017
• Support for Windows 10 Fall Creators release
• Support for Windows 2016 Server
• Enable installation and removal of DNS-P Agent

Fixed

• Integration with Mozilla Firefox no longer causes a browser crash in certain circumstances
• Internet connectivity is not lost when removing WSA
• Protect against WSA driver being written to disk with zero-byte file size
• Prevent agent crash when Backup & Sync is being used
• Addresses a memory leak resulting in 4005 event on Terminal Servers
• Ensured plugins are removed smoothly during un-installation
• Ensured journaling files are always present at the time of WSA installation
• Send data back for GSM to clear 'Needs Attention' from devices in a timely manner
• When System Analyzer is running, ensure that files can be restored from Quarantine

Reference link of Webroot: http://answers.webroot.com/Webroot/ukp.aspx?pid=10&app=vw&vw=1&login=1&json=1&solutionid=2234

Unable to install the November 15, 2016 (Preview of Monthly Rollup) update on the server as it shows as not applicable. It looks like this update is superseded by other update(s).

Regards,
Vikrant Wakchaure...
William Miller (IT Specialist) Commented:
Have you version matched your Webroot to make sure you got this update? If yes, then you'll need to find out which update the monthly rollup got rolled into and make sure you have that one as well. If yes to both, then please inform us here so we can move forward.
Vikrant Wakchaure (Author) Commented:
Sure, I will post my findings and research here, and the Webroot antivirus agent is updated with the latest released version on my server.

Right now I am doing some research on installed updates and the November Monthly Preview Update.

Regards,
Vikrant Wakchaure...
Vikrant Wakchaure (Author) Commented:
Hello,

For testing purposes, I am going to uninstall the Webroot antivirus agent from the server and will keep the server under observation.

If the issue does not occur, then I will update you with the status accordingly.

Regards,
Vikrant Wakchaure...
Vikrant Wakchaure (Author) Commented:
Hi,

I have not uninstalled the Webroot Antivirus Agent from the server. However, I have added Winlogon.exe to the exclusion list of the Webroot antivirus agent.

I hope this step will resolve my issue.

Regards,
Vikrant Wakchaure...
William Miller (IT Specialist) Commented:
Keep us posted, as this issue is known with Webroot and a supposed fix doesn't always fix all cases of the issue.
Vikrant Wakchaure (Author) Commented:
Hi,

Known issues with the below 2 updates.
 
Update for Windows Server 2012 R2 (KB3172614)
Update for Windows Server 2012 R2 (KB3179574)

Symptoms

After you apply this update on a Remote Desktop Session (RDS) host, some new users cannot connect to an RDP session. Instead, those users see a black screen, and they are eventually disconnected. This issue occurs at unspecified intervals.
 
The following events are usually logged when this issue occurs:
 
Event Logs : Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Event Source: Microsoft-Windows-TerminalServices-LocalSessionManager
ID: 36
Description: An error occurred when transitioning from CsrConnected in response to EvCsrInitialized. (ErrorCode 0x80004005)
 
Event Logs: Application
Event Source: Microsoft-Windows-Winlogon
ID: 4005
Description: The Windows logon process has unexpectedly terminated.

Cause

During virtual channel management, a deadlock condition occurs that prevents the RDS service from accepting new connections.


Resolution

To fix this issue, install November 2016 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 (KB3197875).

Regards,
Vikrant Wakchaure....
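
The event pattern quoted in the post above (Winlogon 4005 logged alongside LocalSessionManager 36) can be checked on the RDS host with a short script. This is an added example, not part of the original thread; the function names, the 10-minute correlation window and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Function names and the window are assumptions.
function Find-RdsLogonFailurePair {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # needs TimeCreated, Id, ProviderName
        [int] $WindowMinutes = 10                    # assumed correlation window
    )
    $winlogon = $Events | Where-Object { $_.Id -eq 4005 -and $_.ProviderName -eq 'Microsoft-Windows-Winlogon' }
    $lsm = $Events | Where-Object {
        $_.Id -eq 36 -and $_.ProviderName -eq 'Microsoft-Windows-TerminalServices-LocalSessionManager' }
    foreach ($w in $winlogon) {
        # LSM 36 events close in time to this Winlogon crash
        $near = @($lsm | Where-Object {
            [math]::Abs(($_.TimeCreated - $w.TimeCreated).TotalMinutes) -le $WindowMinutes })
        [pscustomobject]@{
            Winlogon4005     = $w.TimeCreated
            Lsm36InWindow    = $near.Count
            MatchesKbPattern = ($near.Count -gt 0)   # false: look at other causes of 4005
        }
    }
}

# Live collection from the two logs named in the post.
function Get-RdsLogonFailureEvent {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Winlogon'; Id = 4005; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id = 36; StartTime = $Since }
    )
    foreach ($f in $filters) { Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue }
}

# Constructed sample records; only the 16:30:19 timestamp comes from the original question.
$lsmName = 'Microsoft-Windows-TerminalServices-LocalSessionManager'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2017-10-09T16:28:40'; Id = 36; ProviderName = $lsmName },
    [pscustomobject]@{ TimeCreated = [datetime]'2017-10-09T16:30:19'; Id = 4005; ProviderName = 'Microsoft-Windows-Winlogon' },
    [pscustomobject]@{ TimeCreated = [datetime]'2017-10-11T09:02:00'; Id = 4005; ProviderName = 'Microsoft-Windows-Winlogon' }
)
Find-RdsLogonFailurePair -Events $sample

# On the server itself, replace the sample with live data:
#   Find-RdsLogonFailurePair -Events (Get-RdsLogonFailureEvent)
# Which of the KBs named in the post are installed. Get-HotFix lists only KBs installed
# under that exact number, so a later rollup that supersedes KB3197875 will not show here.
Get-HotFix -Id 'KB3172614', 'KB3179574', 'KB3197875' -ErrorAction SilentlyContinue |
    Select-Object HotFixID, InstalledOn
```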

Vikrant Wakchaure (Author) Commented:
The issue got resolved after performing the given steps.