Windows 8.1 hangs after login for users but not for domain admin

Rochelle Adsitt
This is the 2nd computer I've had this problem with. After being in production for at least a couple of years now, all of a sudden these Windows 8.1 workstations start locking up/hanging after the user logs in. Oftentimes the user gets a blue or black screen but can still see the cursor moving when they move the mouse. Sometimes they can get logged in as far as the desktop but the minute they try to launch an application, Windows hangs up. We have to power down the PC.

These hangups only happen for non-privileged user logins. If I login as a domain admin, I don't experience any of these lockups and can launch any and every application. (Oddly enough, the problem doesn't occur for my non-privileged user account either - only for other users.)

I've tried everything I can think of and find on the web:
- chkdsk /f
- disk cleanup
- DISM /Online /Cleanup-Image /RestoreHealth
- sfc /scannow
- deleting the user profiles and having the users login and create fresh new profiles - Windows hung while creating their new profiles and they had to power down
- giving the users' domain accounts local admin rights
- making sure it's fully patched with Windows updates
- checking for and installing driver updates (HP Softpaq download manager)
- this is an HP desktop computer and I've checked - no HP bloatware on this one
- the users typically launch a JAVA based app to do most of their work on this computer, so I've tried deleting and reinstalling this app also.

On the first workstation where it happened, I ended up reinstalling Windows 8.1 from scratch (and haven't gotten around to finishing the build and redeploying it). I would really rather not go that route for this latest incident. It's our scanning station, so I need to get it back into production as soon as possible and I don't really have a good spare to replace it with, even temporarily.

Anybody seen anything like this or have any ideas about what else I can try?

Thank you,
Rochelle
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
Hi,

You've certainly done your due diligence with the things you've tried to resolve the issue so congrats on your efforts thus far. Couple of questions for you.

1. You mentioned this is a domain connected computer - which version of Server is it connecting to?
2. Have you checked Event Viewer for any hints as to what might be going on?

I ask the first question because there may be a couple of other topics I can add to your question for you which may attract (make your question more visible to) additional experts to help with this.

Regards, Andrew
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
In 2018, you need to do BIOS (and chipset and video) updates in order to do or maintain Windows Updates.  So try that on these problem computers.
Rochelle Adsitt, IT Director

Author

Commented:
Andrew,

This computer connects to a Windows 2012 level domain on Windows 2012 servers.

As for Event Viewer, I checked again and I did find that the MBAMService terminated unexpectedly shortly after the last test login we ran with one of my users. I am seeing other occurrences of the MBAMService terminating throughout the System event log, so not sure if those correlate directly with other login attempts. I'm going to go disable that service and run some more tests.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Let us know about MBAM services and also the drivers that I pointed to.
Rochelle Adsitt, IT Director

Author

Commented:
John,

I let HP Softpaq Download Manager download and install ALL updates that it found, including a BIOS update.

The only update I couldn't resolve was the Intel Rapid Storage Technology driver. The one HP SDM found that it wanted to install was dated earlier (2014) than the current version (2015) but the revision number for the new one is higher (13.#.#.#) than the currently installed version (12.#.#.#). Don't know if this is why this update refuses to install but I tried multiple times and HP SDM will not install the one it thinks is newer. I've run into this before on other computers and threw up my hands trying to deal with this driver.
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
I agree with your assessment of the MBAM service. Disable Malwarebytes completely and try again - it could be interfering with the problematic users. That's the first thing I would try.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
"only update I couldn't resolve was the Intel Rapid Storage Technology driver."

Try downloading it from HP and installing it on its own.
Rochelle Adsitt, IT Director

Author

Commented:
It's looking like it's Malwarebytes. The MBAM services (both MBAMscheduler and MBAMservice) are both disabled and my user was able to get logged all the way into our JAVA app and drill down on some data. I was also able to launch several other applications (IE, Chrome, Firefox, Adobe Reader, etc.), all without getting locked up this time.

Guess I need to spend more time getting comfortable with Event Viewer from now on.  :}

I'm going to let this one stew at least through tomorrow (since it's end-of-workday here) and then mark it resolved after I'm sure multiple users have been able to login successfully (after I go back them out of the local admin group).
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I keep Malwarebytes not real time and use it only when I need it.
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
Rochelle,

Glad it worked for you. For future reference, Event Viewer should always be your first port of call :)

Now that you've determined it's Malwarebytes, note there is no need to get rid of it completely. Once you're satisfied that it IS the cause as you've posted above and closed this question, feel free to open another question and we'll work on setting exceptions in Malwarebytes so that it doesn't interfere with your users. I've been using the product for several years and yet to strike a situation that couldn't be resolved with some configuration adjustments.

Regards, Andrew
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
@John

"I keep Malwarebytes not real time and use it only when I need it."

I always keep it running in Real Time mode, along with Avast Internet Security and SuperAntiSpyware. They all work together without any issues on not just my computer, but dozens of my business clients' workstations as well, including Windows 7 and Windows 10. Some of them run different Antivirus' as well. Malwarebytes is designed to run alongside other AV and security software.

You just need to know how to configure it properly and then you have the advantage of the excellent real-time protection it provides, including stopping drive by Ransomware Attempts from websites which I have tested and proven as per my article here:

https://www.experts-exchange.com/articles/29521/How-to-run-Multiple-Security-Products-with-your-Antivirus-Successfully.html

You're really doing yourself a disservice by not utilizing the real-time protection of this excellent program.

Cheers... Andrew
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
No. I only use one real time AV. So I am not doing any disservice to myself. I have found too many conflicts with multiple AV products running.
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
"No. I only use one real time AV. So I am not doing any disservice to myself. I have found too many conflicts with multiple AV products running"

Different strokes for different folks I guess. I disagree, but I do respect your level of IT knowledge. It may not affect you because you are clearly highly IT savvy, but you really should consider it for your less IT savvy clients. I'd be happy to assist you in the configuration if you need it, though a default install works fine 90% of the time. Anyway, that's the last I'll say on that topic.

Sorry Rochelle, didn't mean to hijack your thread to launch a different (though related) discussion :-)
Rochelle Adsitt, IT Director

Author

Commented:
Malwarebytes is an element of desktop management we use through Kaseya and it's working just fine on all of our other desktops and was working on this computer up until a couple of days ago. I just need to track down why it's failing on this computer all of a sudden.

Yeah, I know I should be using Event Viewer more. Just need to get past the vast number of messages it produces (some of them errors that seem to have no bearing on the performance of the computer or user) to find the one that I need. The difference this time is that I wrote down the time that the user logged in right before it locked up again and focused in on that when I went back to Event Viewer. I swear, Event Viewer should be its own area of specialty and certification in the Windows OS arena - it can be such a pain to use, find anything of value, and interpret which errors are of value and which can be ignored. (I realized last night that I probably shy away from using it due to a bad experience with a former manager in my previous IT career. :} )  What would be welcome would be a few good references to learning to use and live with Event Viewer. :)

Thanks guys!
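
The approach described in the post above (note the login time, then look only at what Event Viewer recorded right after it) can be scripted. This is an added example, not part of the original thread: the function name `Get-PostLogonErrors` and the account `jsmith` are hypothetical, and it assumes an elevated PowerShell session on the affected workstation with logon auditing enabled.

```powershell
# Added example: list errors logged shortly after each interactive logon of one user.
# Run elevated; reading the Security log requires administrator rights.
function Get-PostLogonErrors {
    param(
        [Parameter(Mandatory)][string]$UserName,   # account name of the affected user
        [int]$Days = 3,                            # how far back to look for logons
        [int]$WindowMinutes = 5                    # how long after each logon to inspect
    )

    # Event 4624 = successful logon. Keep logon types 2 (console) and 11 (cached credentials).
    $logons = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Where-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $data['TargetUserName'] -eq $UserName -and $data['LogonType'] -in '2', '11'
    }

    foreach ($logon in $logons) {
        # Critical (1), Error (2) and Warning (3) events in the window after this logon.
        Get-WinEvent -FilterHashtable @{
            LogName   = 'System', 'Application'
            Level     = 1, 2, 3
            StartTime = $logon.TimeCreated
            EndTime   = $logon.TimeCreated.AddMinutes($WindowMinutes)
        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated | ForEach-Object {
            [pscustomobject]@{
                LogonTime    = $logon.TimeCreated
                EventTime    = $_.TimeCreated
                Log          = $_.LogName
                Provider     = $_.ProviderName
                Id           = $_.Id
                # Service Control Manager 7031/7034 = a service terminated unexpectedly.
                ServiceCrash = ($_.ProviderName -eq 'Service Control Manager' -and $_.Id -in 7031, 7034)
                Message      = ($_.Message -split "`r?`n")[0]
            }
        }
    }
}

# Constructed usage: 'jsmith' is a placeholder account name.
Get-PostLogonErrors -UserName 'jsmith' | Format-Table -AutoSize -Wrap
```

Rows with `ServiceCrash` set to True are the kind of entry reported earlier in the thread for MBAMService; running the function for an affected and an unaffected account and comparing the output narrows down what differs between them.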
Rochelle Adsitt, IT Director

Author

Commented:
Ok, well, this is just too bizarre.

Tried uninstalling and reinstalling Malwarebytes - no change.

I can login, launch, and fully utilize all applications with both my privileged and non-privileged accounts, but other users cannot, not even after completely deleting (including verifying that their Users\userID folder was deleted) and cleanly recreating their user profiles.

Is there a Malwarebytes log somewhere that I should be looking for to try to figure out why it doesn't like my users?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Did you try updating the HP Driver?  And do you have legacy (and possibly non-compliant) software installed?

Also try scrubbing for Viruses with an online Virus Scanner (all big names have them)
Andrew Leniart, IT Professional | Freelance Journalist | Looking for Opportunities
Distinguished Expert 2018

Commented:
"Malwarebytes is an element of desktop management we use through Kaseya and it's working just fine on all of our other desktops and was working on this computer up until a couple of days ago. I just need to track down why it's failing on this computer all of a sudden."

I strongly encourage you to continue using it. If the problems only started recently, they could be related to a recent update of the product.

"Is there a Malwarebytes log somewhere that I should be looking for to try to figure out why it doesn't like my users?"

Yes there is. It logs everything it blocks, so if it's blocking something that it shouldn't on that machine, create an exception.

First thing I would recommend you do is the following.  Right-click the MB icon in your SysTray and take the ticks off as per the following pic, one by one, and test after each one. If disabling one of those protections works to resolve the problem, then you're halfway home already. Report back for further help.

MB1stStep.png
Next, the first place to start troubleshooting. Open Malwarebytes and click Reports on the left-hand side. Go through any interesting log events by ticking them and clicking "View Report" - See below

mb1.png
Now examine both the Summary and Advanced Tabs for detailed information about the event. If you don't really understand what it's telling you, Export and save the information as well for when you need to seek further help. See below

mb2.png
Also check your Quarantine folder. Anything there that shouldn't be?

mb3.png
Once you've discovered what it is that's causing the problem, create an appropriate exception in Settings and particularly the Protection and Exclusions tabs.

mb4.png
I could go on and write a book here, but that really defeats the purpose and I doubt you'd appreciate it <g>  

Also, don't forget that as a Premium subscriber, you are entitled to Professional Support from Malwarebytes. Don't be afraid to use it. The first thing they will ask you for is a good description of the problem and a set of logs to generate for them, some of which I've already described how to generate above.

You can also visit and join their Community Support Forum here: https://forums.malwarebytes.com/

I've found the support is quite good when I've needed to use it, but those instances have happily been rare for me.

I hope the above info is of some use to you. If you have any specific questions on how to whitelist an application or anything else, just ask and I'll try to help. As I think I mentioned, I've been using this application for many years and it's yet to fail me or cause a conflict that couldn't be easily resolved.

But sometimes, it may be easier to get in touch with support@malwarebytes.com for expert help in finding exactly which component of it is causing you issues. The bonus of doing that is that a future update will probably include a resolution to that issue for default installs :)

Regards, Andrew

Edit: The above included screenshots are from my own Windows 10 Pro machine. Yours may differ slightly, depending on the version of Windows and which MB product you've subscribed to, however all the options in those screenshots will be there, regardless of whether you're using the Home, Server or Business version of the product.
IT Director
Commented:
I took one more stab at this, this time uninstalling Malwarebytes, restarting the computer and then removing any residual files associated with the installation (Kaseya maintains its own folder and set of files under its kworking folder for each partner application installed), so that the Malwarebytes installation from Kaseya was a completely clean install.

The computer has been back up and running with Malwarebytes installed and operational for several days now without any further lockups, so I'm hoping we're good.
