We help IT Professionals succeed at work.

Event Id: 4005 on RDS Server.


I am continuously getting event id: 4005 on RDS server.  

Server OS: Microsoft Windows Server 2012 R2 Standard.

The Winlogon process terminates unexpectedly and prevents new logins from processing.  However, the only way to get login process work after the power cycle the server.

Webroot antivirus agent is installed on the server.

Event Logs:
Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          10/9/2017 4:30:19 PM
Event ID:      4005
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
The Windows logon process has unexpectedly terminated.

Below mentioned steps which I have performed on the server:

-- Ran SFC /Scannnow command and successfully repaired the Windows Resource Protection corruption.
-- Ran DISM ScanHealth command on the server and no component store corruption detected.
-- Installed latest Microsoft released updates on the server.

SFC /Scannnow command Result:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32 sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired
them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32 cd\

C:\ findstr /c:"[SR]" %windir%\logs\cbs\cbs.log sfcdetails.txt

C:\ sfcdetails.txt

2017-10-10 11:34:01, Info                  CSI    0000093e [SR] Repairing 1 components
2017-10-10 11:34:01, Info                  CSI    0000093f [SR] Beginning Verify and Repair transaction
2017-10-10 11:34:01, Info                  CSI    00000940 [SR] Repairing corrupted file [ml:520{260},l:154{77}]"\??\C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"\[l:36{18}]"Server Manager.lnk" from store
2017-10-10 11:34:01, Info                  CSI    00000941 [SR] Repairing corrupted file [ml:520{260},l:154{77}]"\??\C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"\[l:34{17}]"Control Panel.lnk" from store
2017-10-10 11:34:01, Info                  CSI    00000942 [SR] Repair complete
2017-10-10 11:34:01, Info                  CSI    00000943 [SR] Committing transaction
2017-10-10 11:34:01, Info                  CSI    00000948 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction  have been successfully repaired

DISM ScanHealth command Result:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32 dism /online /cleanup-image /scanhealth

Deployment Image Servicing and Management tool
Version: 6.3.9600.17031

Image Version: 6.3.9600.17031

No component store corruption detected.
The operation completed successfully.

Vikrant Wakchaure...
Watch Question


Addition in the Previous comment:

Tried to install the below-mentioned update on the server but is shows not applicable. It looks like this update is superseded with other update(s).

November 15, 2016:-  (Preview of Monthly Rollup)

Vikrant Wakchaure...

I found an almost identical issue with an environment using Webroot. It seems this is a confirmed issue with Webroot, but I've yet to find a notable fix. You may want to contact Webroot support to see if they can point you to an update that may fix the issue.

I also came across this in my quick research:


This appears to be a fix that could solve this issue as well. However, this fix doesn't pertain to the Webroot issue that I was able to find.

It looks like we were on the same track at least with the update. You got it just a few seconds before I could post it, haha. Look to Webroot as the possible cause, then.



Webroot released the new agent ( -  October 2th 2017).


•Efficacy improvements when making determinations for critical system processes
•Enabled installation where TLS version is 1.1 or greater
•Data gathering for phase 1 of malicious scripts shield
•Extended data set transmitted for use with Machine Learning
•Further optimization of cloud communications
•Handle /disable command line option correctly
•Improvements to hash calculation for non-PE files
•In Product Messaging ( IPM ) displays special characters correctly
•Select IPMs can trigger re-acceptance of EULA
•Update WSA copyright message to 2017
•Support for Windows 10 Fall Creators release
•Support for Windows 2016 Server
•Enable installation and removal of DNS-P Agent


•Integration with Mozilla Firefox no longer causes a browser crash in certain circumstances
•Internet connectivity is not lost when removing WSA
•Protect against WSA driver being written to disk with zero-byte file size
•Prevent agent crash when Backup & Sync is being used
•Addresses a memory leak resulting in 4005 event on Terminal Servers
•Ensured plugins are removed smoothly during un-installation
•Ensured journaling files are always present at the time of WSA installation
•Send data back for GSM to clear 'Needs Attention' from devices in a timely manner
•When System Analyzer is running, ensure that files can be restored from Quarantine

Reference link of Webroot: http://answers.webroot.com/Webroot/ukp.aspx?pid=10&app=vw&vw=1&login=1&json=1&solutionid=2234

Unable to install November 15, 2016 (Preview of Monthly Rollup) update on the server as it shows not applicable. It looks like this update is superseded with other update(s).

Vikrant Wakchaure...

Have you version matched your webroot to make sure you got this update? If yes, then you'll need to find out which update the monthly rollup got rolled into and make sure you have that one as well. If yes to both, then please inform us here so we can move forward.


Sure, I will post my findings and research here and the webroot antivirus agent is updated with the latest released version on my server.  

Right now I doing some research on installed updates and the November Monthly Preview Update.

Vikrant Wakchaure...



As per the testing purpose, I am going to uninstall the Webroot antivirus agent from the server and will keep the server under observation.

If the issue does not occur then update you with the status accordingly.

Vikrant Wakchaure...



I have not uninstalled the Webroot Antivirus Agent from the server. However, I have added the Winlogon.exe in the exclusion list of Webroot antivirus agent.

Hope so this step will resolve my issue.

Vikrant Wakchaure...

Keep us posted, as this issue is known with Webroot and a supposed fix doesn't always fix all cases of the issue.

Known issues with below 2 updates.
Update for Windows Server 2012 R2 (KB3172614)
Update for Windows Server 2012 R2 (KB3179574)


After you apply this update on a Remote Desktop Session (RDS) host, some new users cannot connect to an RDP session. Instead, those users see a black screen, and they are eventually disconnected. This issue occurs at unspecified intervals.
The following events are usually logged when this issue occurs:
Event Logs : Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
Event Source: Microsoft-Windows-TerminalServices-LocalSessionManager
ID: 36
Description: An error occurred when transitioning from CsrConnected in response to EvCsrInitialized. (ErrorCode 0x80004005)
Event Logs: Application
Event Source: Microsoft-Windows-Winlogon
ID: 4005
Description: The Windows logon process has unexpectedly terminated.


During virtual channel management, a deadlock condition occurs that prevents the RDS service from accepting new connections.


To fix this issue, install November 2016 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 (KB3197875).

Vikrant Wakchaure....


The issue got resolved after performing the given steps.