Event id 4005 the windows logon process has unexpectedly terminated

  • Hi

    I am struggling to find the right forum for this to go in, so please point me in the right direction if necessary.

    I have an Azure hosted Windows server, running as an RDS host for a business application and Office/Outlook for a number of users. Clients log on using RDP from mostly thin clients and some laptops. The server is running 2012 R2 Datacenter and was built from a standard Azure template.

    Periodically user logons are failing and I am having to reboot the server to correct the issue. Winlogon Event ID 4005 "The Windows logon process has unexpectedly terminated" is showing in the application event log each time a logon fails. I can’t spot any suspicious events logged between the previous most recent successful login and when logins start failing.

    Can anyone help shed any light on this?

    Thanks,

    Lindsay

Greetings sysadmin!

We’re struggling with an issue on our 3 identical 2008 R2 SP1 RDS servers. They’re running on VMware 5.1, latest tools (for that version) and have VMxnet3 NICs. 6 CPUs, 24GB RAM. The servers will intermittently get a Winlogon error 4005 in the application log. When this happens, users will be unable to connect new sessions or reconnect disconnected sessions. Most of the time this happens, the Winlogon errors will continue until the server is rebooted. Rarely, it will occur one time and then the server continues to operate without issue.

This began happening about 1.5 months ago and is sporadic in nature. There are no other indications in the logs that point to any other issues that could cause this. The servers have been up and running for about 8-10 months without issue prior to this beginning.

After a reboot, the server works fine for a bit.

There were no changes to the server side when the problem developed.

Steps I’ve taken:

  • Fully patched the server with windows updates.

  • Removed Syslog sending application (No change, since added it back)

  • netsh int tcp set global chimney=disabled

  • netsh int tcp set global rss=disabled

  • netsh int ip set global taskoffload=disabled

  • netsh int tcp set global autotuninglevel=disabled

  • netsh int tcp set global congestionprovider=none

  • netsh int tcp set global ecncapability=disabled

  • netsh int tcp set global timestamps=disabled

  • The above commands have been run on servers and clients per Microsoft’s recommendation

  • Removed AV (this morning)

  • http://oasysadmin.com/tag/the-windows-logon-process-has-terminated-unexpectedly/ — I removed the 2 hotfixes as suggested here, then reinstalled them….no better

  • sfc /scannow

I also have opened a case with Microsoft, but they’re not able to determine the issue yet. They had me enable some additional logging, and since I’ve provided the ETL files to them, but they’re not seeing any indications.

I’m stuck, not sure what else to do. Any suggestions? Anyone seen similar issues?

EDIT: Microsoft asked me to remove 4 hotfixes if they’re installed. Only 2 of these were installed so I’ll be proceeding to remove these over the next few days as I can get the users off the systems.

  • KB3046049 (not installed)

  • KB3039976 (not installed)

  • KB3002657

  • KB3035132

EDIT2:

Exact error message from app log: The Windows logon process has unexpectedly terminated.

Source Winlogon

Event ID 4005

EDIT3: Microsoft tech wants me to remove these 4 KBs if they exist on my terminal servers and DCs.

  • KB3046049

  • KB3039976

  • KB3002657

  • KB3035132

The last 2 are only present on the RDS servers and were just installed on 4/28 after the problem developed. The DCs don’t have any of these on them. So far I’ve only been able to remove these from 1 of the servers. I’m working to get the users shuffled around so I can remove the updates on the other 2 servers and reboot.

They also suggested I install 2959626, but that only applies to 2012.

FINAL EDIT(MAYBE) I think we have resolution. I would like to thank everyone for their time and suggestions. We landed on these last steps as the resolution:

Removed these KBs:

  • KB3002657

  • KB3035132

Added these KBs:

  • 2465772

  • 2655998

  • 2708857

  • 2775511

I haven’t had the issue in >7 days so I’m calling it good! Thanks again everyone.

EDIT (AGAIN): The issue has returned and we’ve been chasing it still. I found this message in the TerminalServices-LocalSessionManager Log — it was probably occurring when I had the issue originally, but I didn’t notice:

Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Attempt to send disconnect message to Windows video subsystem failed. The relevant status code was 0x80070102.

I can’t seem to find any good info on this error, unfortunately. We’re updating our thin clients to RDP version 8.1 in hopes that will help, but I can’t find definitely which clients are experiencing this. I’m going to see if I can gather these logs with PSLOGLIST, but I’ve never used it for these logs, only the main App/sec/sys logs.

EDIT:

The thin client update from RDP 7.1 to RDP 8.1 did not help, problem has returned. I’m going to contact M$ today and open another case. I’ll post more info here because I’ve gotten a few PMs about others experiencing the issue.

EDIT: New case opened with Microsoft.

Microsoft has had us run some patches, nothing worked. Last session just now with them they updated winlogon.exe to newer version.

Previous version: 6.1.7601.18540

New Version: 6.1.7601.22750

They also had me remove Webroot from this server — I guess they saw something they didn’t like after they ran this command:

fltmc.exe

Anyone have more info on this fltmc.exe and what the results of the command actually mean?

EDIT 9/16/2015:

I’ve had a few people message me about this. I’m happy to respond, but for the benefit of others, let’s try to keep this conversation going on the post here so that others who may have this problem will see what’s going on.

At this point, I still have a case open with Microsoft. The last steps we’ve done was to update Winlogon.exe to the latest version. The version I had was older so I had to remove a KB and reinstall it in order for it to update properly. No idea why it wasn’t the latest version even though I had the update installed.

I also STRONGLY suspect Webroot as I’ve had 1 other person message me about this and mentioned they suspected Webroot as well. I had it removed from one of the servers and haven’t had the issue return since then. The server that I removed it from has logged the 4005 error occasionally, but users are able to continue to logon when it happens. It seems the new version of Winlogon handles the error/exception properly.

I removed Webroot from the other 2 servers so now I’m running unprotected, unfortunately. I’ll be researching another AV to put on those 3 servers and I’m open to any suggestions you all may have.

I’ll try to post another update in a few days to report on how it is going without Webroot on these 3 RDS servers.
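
The checks scattered through the thread above (the 4005 events, the LocalSessionManager message, the KB list, the winlogon.exe version and the fltmc output) can be gathered in one read-only PowerShell pass. This is an added example, not code from the poster or from Microsoft; the 14-day look-back, the time windows, and the use of LocalSessionManager event IDs 21 (session logon) and 25 (session reconnect) as a sign that logons still work are assumptions of the example.

```powershell
# Added example, not from the original thread. Run elevated, PowerShell 3.0 or later.
# The look-back period and the window sizes below are assumptions; adjust them.
$since         = (Get-Date).AddDays(-14)
$windowMinutes = 5     # how far around each crash to look for related errors
$afterMinutes  = 30    # how long after a crash to look for working logons
$lsmLog        = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# KBs named in the threads on this page as removal candidates.
$suspectKbs = 'KB3046049', 'KB3039976', 'KB3002657', 'KB3035132', 'KB2621440', 'KB2667402'

function Get-EventsQuiet([hashtable]$Filter) {
    # Get-WinEvent raises an error when nothing matches; return an empty set instead.
    @(Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue)
}

# 1. Every Winlogon 4005 in the Application log, oldest first.
$crashes = Get-EventsQuiet @{
    LogName = 'Application'; ProviderName = 'Microsoft-Windows-Winlogon'
    Id = 4005; StartTime = $since
} | Sort-Object TimeCreated

$report = foreach ($c in $crashes) {
    $t = $c.TimeCreated

    # 2. Critical/error/warning events logged close to the crash.
    $near = Get-EventsQuiet @{
        LogName   = 'System', $lsmLog
        StartTime = $t.AddMinutes(-$windowMinutes)
        EndTime   = $t.AddMinutes($windowMinutes)
    } | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 }

    # 3. Logons (21) and reconnects (25) after the crash separate the
    #    "one-off, server carried on" case from the "dead until reboot" case.
    $ok = @(Get-EventsQuiet @{
        LogName = $lsmLog; Id = 21, 25
        StartTime = $t; EndTime = $t.AddMinutes($afterMinutes)
    })

    [pscustomobject]@{
        CrashTime    = $t
        LogonsAfter  = $ok.Count
        # The status code quoted in the thread; 0x80070102 wraps Win32 WAIT_TIMEOUT.
        Has80070102  = [bool]($near | Where-Object { $_.Message -match '0x80070102' })
        NearbyErrors = ($near | ForEach-Object { "$($_.ProviderName)/$($_.Id)" } |
                        Sort-Object -Unique) -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap

# 4. Which of the KBs named above are installed, and when they went on.
Get-HotFix | Where-Object { $suspectKbs -contains $_.HotFixID } |
    Select-Object HotFixID, InstalledOn | Format-Table -AutoSize

# 5. Versions of the binaries the threads compare.
'winlogon.exe', 'rdpcorekmts.dll' | ForEach-Object {
    Get-Item (Join-Path $env:SystemRoot "System32\$_") -ErrorAction SilentlyContinue
} | Select-Object Name, @{ n = 'Version'; e = { $_.VersionInfo.ProductVersion } } |
    Format-Table -AutoSize

# 6. Loaded file system minifilter drivers. Antivirus products register one,
#    so this list shows which security software sits in the file I/O path.
fltmc.exe filters
```

Rows with `LogonsAfter` equal to 0 are the crashes after which nobody could get back in; comparing their `NearbyErrors` with the rows where logons continued is the quickest way to see what differs between the two cases.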

Fix “The Windows Logon Process has Unexpectedly Terminated”

The Windows Logon process is a complicated system process that handles the Windows logon screen, user authentication, loading the user profile, locking the computer, and much more.

There are many errors associated with the Windows Logon process, but there are two that I have run into on many occasions.

The Windows logon process has unexpectedly terminated.

STOP: c000021a
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034. The system has been shutdown.

Depending on whether you are getting this error on Windows XP, Windows Server 2003, or Windows Server 2008, there are several ways to fix the problem. Basically, the Winlogon.exe or Csrss.exe processes have failed and therefore the system crashes.

In this post, I’ll try to walk you through several solutions that have worked in the past to solve this error.

Windows Server 2003/2008

If you’re getting this error on a server, the cause can probably be attributed to one of the problems described below: a lack of system resources, a corrupt registry, or a service that failed to start. Scroll down if you are having the problem on Windows XP, Vista or 7.

To check for lack of system resources, check the amount of free hard drive space on the partition where Windows is installed. You can also open the Task Manager and go to the Performance tab to make sure 100% of the CPU is not being used. In the Task Manager, you can also check the amount of available RAM.

If the Windows registry is corrupt, you may not even be able to log onto the computer. In that case, you will have to try and get in using Safe Mode or use the Recovery Console to run the Startup Repair utility, which I will explain below.

If a service failed to start and that’s what is causing the problem, you can click on Start, Control Panel, Administrative Tools, and then Event Viewer. Click on the System log and look for any white exclamation points in a red circle. These indicate that a service or driver failed.

Resources

To fix the first problem of lack of resources, you can either free up some hard drive space or disable some services that are taking up large amounts of memory or CPU power.

Registry

If your Windows Registry is corrupted, you will have to repair it using Startup Repair. You can do this by booting your computer from the CD/DVD and choosing the Repair Your Computer option.

Next, choose your operating system and click Next. A list of system recovery options will appear. Here you should choose Startup Repair.

Startup Repair will automatically find problems with your computer and try to repair it. Once it’s finished, restart your computer and see if your problem has gone away.

You can also repair a corrupt registry by using System Restore. Go to Start and type in systempropertiesprotection and press Enter. Click on the System Protection tab and click on System Restore.

Click on Choose a different restore point and click Next. Pick a restore point when your computer was working and click Next. After the registry is restored, restart your computer.

Services

Lastly, if a service has failed to start, you can manually try to start it by going to Start and typing in services.msc. In the Services dialog, find the service, right-click on it and choose Start.

Windows XP, Vista, 7

If you’re running any of these operating systems, you can try a couple more things to fix the problem.

Last Known Good Configuration

Restart your computer and press F8 when it is booting up. This will get you the Advanced Boot Options.

This can help you recover from problems resulting from newly installed drivers that may not be compatible with your system.

Reinstall Windows

If that doesn’t work, then you may have to try reinstalling Windows. This is also called a repair install. It basically replaces all your system files, but keeps all your data and applications. You will have to reinstall all Windows updates after performing a repair.

You can read our previous post on how to perform a repair install (scroll to the bottom of the post).

GINA DLL

A lot of times the Winlogon.exe process fails due to a bad GINA DLL that has replaced the original Microsoft one. The GINA DLL file performs all authentication and identification tasks during the logon process.

You can check to see if the original file has been replaced by a third-party one by going to the following registry key:

If there is an entry called GinaDLL and its value is not Msgina.dll, then the DLL has been replaced by a third-party program. If the entry does not exist at all, then the system is using the default Msgina.dll file.

If there is a third-party file being used, you need to remove or disable the third party software. Usually, this is done by remote control software, so if you have any remote control programs installed, remove those.
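
The GINA check described above, as a read-only PowerShell script. This is an added example, not code from the original article: it assumes the standard Winlogon key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` and its `GinaDLL` value, and the function names are the example's own. GINA is only loaded on Windows XP and Server 2003; Vista and later use credential providers instead, so the check is meaningful on the older systems.

```powershell
# Added example, not from the original article. Read-only; run as administrator.
# Written for Windows PowerShell 2.0, the newest version available on XP / Server 2003.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-Sha256([string]$Path) {
    # Hash the file so the DLL can be compared with a known-good copy.
    $sha    = [Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Dispose() }
}

function Get-GinaStatus {
    $r = '' | Select-Object GinaDLL, Replaced, Path, Exists,
                            Company, Product, FileVersion, Modified, Sha256
    $value = (Get-ItemProperty -Path $key).GinaDLL

    if (-not $value) {
        # No value present: Winlogon loads the stock Msgina.dll.
        $r.GinaDLL  = '(not set)'
        $r.Replaced = $false
        return $r
    }

    # The value is either a bare file name (loaded from System32) or a full path.
    $path = [Environment]::ExpandEnvironmentVariables($value.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }

    $r.GinaDLL  = $value
    $r.Path     = $path
    # Anything other than System32\msgina.dll counts as replaced, including a
    # file named msgina.dll that lives in a different directory.
    $r.Replaced = ($path -ine (Join-Path $system32 'msgina.dll'))
    # A value pointing at a file that no longer exists is itself a reason
    # for Winlogon to fail, for example after a partial uninstall.
    $r.Exists   = Test-Path -LiteralPath $path

    if ($r.Exists) {
        $file          = Get-Item -LiteralPath $path
        # Version resource fields identify the product that installed the DLL.
        # They are set by whoever built the file, so treat them as a hint only.
        $r.Company     = $file.VersionInfo.CompanyName
        $r.Product     = $file.VersionInfo.ProductName
        $r.FileVersion = $file.VersionInfo.FileVersion
        $r.Modified    = $file.LastWriteTime
        $r.Sha256      = Get-Sha256 $path
    }
    $r
}

Get-GinaStatus | Format-List
```

A result with `Replaced` true and a company you do not recognise, or with `Exists` false, is the case to follow up before removing any software.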

Uninstall Windows Update

If you are getting this message right after installing the latest Windows updates, you can try to uninstall them using the recovery console.

Check out this forum post below for the steps to uninstall a particular update:

Hopefully one of these solutions will solve your problem! If not, post a comment here and I’ll try to help! Enjoy!

Founder of The Back Room Tech and managing editor. He began blogging in 2007 and quit his job in 2010 to blog full-time. He has over 15 years of industry experience in IT and holds several technical certifications.

The windows logon process has unexpectedly terminated

Question

I am getting this error continuously: The Windows log on process has unexpectedly terminated.

Server configuration is

OS: Windows Server 2008 Standard Edition 64 Bit with Service Pack 2

If anyone has a solution, please share.

Answers

Thank you for posting in Windows Server Forum.

This error might be caused by one of the following conditions:
• System resources are inadequate or unavailable.
• The Windows registry is corrupted.
• A service failed to start.

Please check below article for solution to implement in this case.

This is of course not the solution to the problem. This is the real solution to the problem (in my case):

1. Uninstall the following Windows Updates: KB2621440 and KB2667402. Restart computer
2. sfc /scannow + restart computer again. Tada!

Event ID 4005 — Windows Logon Availability

Updated: November 30, 2007

Applies To: Windows Server 2008

Windows logon availability determines whether the Windows logon process is able to be completed successfully. The logon process is the interface between the account for a user, process, or service and the computer that establishes authenticated credentials for the account and allocates the appropriate system and network resources. Windows logon manages the use of the secure attention key (CTRL-ALT-DELETE) to initiate the login screen, load the user profile on logon, and lock the computer.

Product: Windows Operating System
ID: 4005
Source: Microsoft-Windows-Winlogon
Version: 6.0
Symbolic Name: EVENT_WINLOGON_FATAL_FAILURE
Message: The Windows logon process has unexpectedly terminated.

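This error might be caused by one of the following conditions:

• System resources are inadequate or unavailable.
• The Windows registry is corrupted.
• A service failed to start.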

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

System resources are inadequate or unavailable

To determine if system resources are inadequate or unavailable:

The Windows registry is corrupted

If the Windows registry is corrupted, logon might be prevented and you will need to interrupt the startup process to boot the computer into Safe Mode or the Recovery Console. In Safe Mode, you can use System Restore to restore the Windows registry to a restore point. In the Recovery Console, you can use the Startup Repair utility. Startup Repair is a tool that automates common diagnostic and repair tasks of unbootable Windows installations, such as repairing a corrupted registry.

Note: You may need to have your operating system CD/DVD available if the Startup Repair is not a preinstalled recovery option on your computer.

If your computer will not complete the startup process, see the “Repair a corrupted registry” section.

A service failed to start

To determine if a service failed to start:

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly.

This computer does not have adequate system resources

This computer has a corrupted registry

Services required by the process failed to start

During Windows logon, the operating system opens the subscriber notification database and starts the user-level processes so that user accounts can log on to the system. If there are inadequate system resources for Windows logon to do this, the system may start with limited functionality.

To identify the applications or services that are using too many system resources, you can generate a System Diagnostics report by using the Reliability and Performance Monitor.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To make more resources available on the system:

During Windows logon, the operating system opens the registry and reads the list of user accounts that are configured for the computer. If that data cannot be read, the Windows logon screen is not displayed and users will be unable to log on to Windows. Whether or not Windows will be able to complete the startup process depends on the severity of the registry corruption.

If the Windows registry is slightly or moderately corrupted, you may be able to restart the computer in Safe mode and use System Restore to restore the registry of the computer to the last known good configuration. However, if the Windows registry is severely corrupted, all types of logon will be prevented. Attempting to log on to Windows causes the system to fail and then to restart. In this situation, you will need to boot the system into the Recovery Console instead of into Windows. Once in the Recovery Console, you can use the Startup Repair tool. Startup Repair automates common diagnostic and repair tasks of unbootable Windows installations.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Repair a corrupted registry by using Startup Repair

To repair a corrupted registry by using Startup Repair:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

Repair a corrupted registry by using System Restore

To repair a corrupted registry by using System Restore:

For more information about backing up and restoring the registry, including guided help, see article 322756 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=101847).

During Windows logon, Windows starts the services that support user interaction with the system.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To restart services that failed to start:

To verify that Windows logon is functioning correctly, observe one or more of the following processes:

The windows logon process has unexpectedly terminated

Question

Error 4005

The Windows logon process has unexpectedly terminated.

I got a few of them almost every day. Can someone tell me what it is? How to fix it?

Answers

This seems more like it could be due to rdpcorekmts.dll not getting updated to the post-SP1 version and certain registry entries not getting created (I don’t know what, as I don’t have a working and non-working machine).

DBE9B383-7CF3-4331-91CC-A3CB16A3B538 confirms it. There have been issues with the following updates recently: KB2621440 and KB2667402.

Please uninstall these patches (if installed).

Run sfc /scannow to confirm that there’s no file-level corruption.
Ensure that the rdpcorekmts.dll file exists and is the SP1 version, that is, 6.1.7601.xxxx.

This is all I can think of for now, as I see these events on a frequent basis on my server (test machine).

Memory leaks in the OS

   TormozIT

23.07.10 — 14:00

8.1.15.14

We started noticing that a terminal server, where intensive data processing runs in 1C client applications, gradually exhausts its free physical memory. The memory is not released even after all the processes and the user's OS session have ended. Looking at Task Manager without the per-user filter, the total memory used by processes (Private Working Set) does not exceed 1 GB. Surely the OS cannot reserve 90% of physical memory (out of 8 GB) for its own caches and so on.

I think the cause is leaks when working with the shared memory heap in the OS.

Can you suggest how to get to the bottom of a problem like this?

   shuhard

1 — 23.07.10 — 14:01

(0) there are plenty of task managers that give a detailed picture
the built-in one is no good for this

   TormozIT

2 — 23.07.10 — 14:44

I also used Process Explorer (Mark Russinovich).

   TormozIT

3 — 01.08.10 — 21:39

Once again the terminal server is not letting anyone log on. But the main system services are still running.

I can connect with perfmon. I look at Available Physical Memory: 2 GB of 10 GB (20%). Yet only a couple of dozen processes are running, and their Private Working Set total does not exceed 500 MB. The system cache is 300 MB.

I have been racking my brain: what is using the remaining 7 GB?

   TormozIT

4 — 01.08.10 — 21:41

On a logon attempt winlogon.exe crashes and writes this to the Application log:

ID:    4005

Source:    Microsoft-Windows-Winlogon

Version:    6.0

Symbolic Name:    EVENT_WINLOGON_FATAL_FAILURE

Message:    The Windows logon process has unexpectedly terminated.

   Рэйв

5 — 02.08.10 — 00:41

(0) IMHO, something is holding files in memory somewhere, either from the cache or from somewhere else….

   6tuf

6 — 02.08.10 — 06:21

the 1C:Enterprise server did seem to have leaks, the server has to be restarted. As for the client, no idea

   TormozIT

7 — 02.08.10 — 10:42

(5) I didn't quite follow. Please explain.

(6) As far as I know, those leaks made it necessary to restart the 1C server processes, but not the OS itself.

   TormozIT

8 — 02.08.10 — 10:48

Could calling the Terminate method of Win32_Process be an (indirect) cause? Maybe some handles to open files are not released when that happens?

   loh_pedalny

9 — 02.08.10 — 11:26

(8) it could

   TormozIT

10 — 02.08.10 — 12:00

(9) In that case the problem is probably in the platform. But how do I catch it, how do I demonstrate to the developers that it exists?

   Jstunner

11 — 02.08.10 — 12:07

(10) repeat the suspect operation a hundred thousand million times

   loh_pedalny

12 — 02.08.10 — 13:18

(10) MSDN
The TerminateProcess function is used to unconditionally cause a process to exit. The state of global data maintained by dynamic-link libraries (DLLs) may be compromised if TerminateProcess is used rather than ExitProcess.
Hence the leaks. The allocated memory may not be freed automatically.

   TormozIT

13 — 02.08.10 — 15:04

I have a WMI object of class Win32_Process http://msdn.microsoft.com/en-us/library/aa394372(VS.85).aspx. In my case it is 1cv8.exe. I need to terminate it. I call the Terminate() method because I see no other way.

   TormozIT

14 — 02.08.10 — 15:08

If anyone knows a more correct way to terminate a 1C process (including a hung one) from outside by PID, don't keep quiet)

   TormozIT

15 — 02.08.10 — 15:23

(12) A process can only call ExitProcess for itself, and my process may be hung (not responding). From outside, a process can only be terminated via TerminateProcess or Terminate.

   TormozIT

16 — 02.08.10 — 16:33

MSDN notes

The TerminateProcess function is used to unconditionally cause a process to exit. The state of global data maintained by dynamic-link libraries (DLLs) may be compromised if TerminateProcess is used rather than ExitProcess.

Here http://wm-help.net/books-online/book/59464/59464-23.html they write the following

Calling the TerminateProcess function terminates a process:

BOOL TerminateProcess(HANDLE hProcess, UINT fuExitCode);

The main difference between this function and ExitProcess is that any thread can call it and terminate any process. The hProcess parameter identifies the handle of the process being terminated, and the process exit code is returned in the fuExitCode parameter.

Use TerminateProcess only when the process cannot be terminated any other way. The process gets absolutely no notification that it is being terminated, and the application can neither clean up nor prevent its unexpected termination (unless, of course, it uses protection mechanisms). All data that the process has not yet written from memory to disk is lost.

The process really does not get the slightest chance to clean up by itself, but the operating system releases all the resources that belonged to it: it reclaims the memory allocated to it, closes any open files, decrements the counters of the corresponding kernel objects, and destroys all of its User and GDI objects.

Once a process has terminated (no matter how), the system guarantees that nothing is left behind, not even a hint that it ever ran. A terminated process leaves no traces.

A suspicion creeps in that with this kind of termination there is still a chance that the OS fails to release all of the process's resources. Can anyone competently confirm or refute this assumption?

   TormozIT

17 — 02.08.10 — 23:55

It looks like taskkill, run locally, terminates processes in a soft way, letting them release all their resources.

What remains is to finish launching it locally on the remote machine.

  

TormozIT

18 — 21.08.10 — 23:36

It looks like the process termination method has nothing to do with it.

With the brand-new rammap program I managed to find out that the page table keeps growing steadily. It looks like this is growing memory fragmentation.
