Winlogon Terminating Unexpectedly - Windows Server 2008 TS
- I have a Windows Server 2008 SP2 terminal server. I receive the following error at least 60 to 70 times per day:
_____
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 11/18/2009 12:49:48 PM
Event ID: 4005
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PCTS02.pindlercorp.network
Description:
The Windows logon process has unexpectedly terminated.
______
Microsoft states this issue is caused by insufficient system resources, a corrupt registry, or a service that failed to start. I have plenty of system resources. Before restoring the registry, I wanted to check into the services. The Netlogon service lists "Workstation" as a dependant system component. The Workstation service has the following dependancies:
1. Backup Excec Remote Agent for Windows Systems
2. Computer Browser
3. Netlogon
4. Terminal Services Configuration
All of these services are started with the exception of the Computer Browser. The Computer Browser service is stopped and disabled. The Computer Browser service on all my Windows Server 2008 machines is stopped. However, the Computer Browser service on all my Windows Server 2003 machines is started. Is there a reason why this service needs to be stopped on Windows Server 2008? Would I be doing any harm by starting the Computer Browser service? Would this be one of the reason why I am receiving Event ID 4005? Any advice is much appreciated.
Antworten
Hello Tennzbutler,
Thanks for your reply.
I have checked the new errors your machine got, and here is my analysis:
· Event ID 1530: this error means there are some data in the user profile are still be accessed when the user logoff from the Terminal Server, you have very possibly enabled the policy to remove the user profile when logged off. In such a situation the error appear. To troubleshoot this error, you can check if any of the data is still remained in the user profile supposed to be deleted. That should be the data the process is using when logoff happens. You can use Process Monitor or Process Explorer in order to find the software which is using the data and find the solution. If there is no such data remained, the Windows have possibly stopped the process and deleted the data when logoff. In such a case, you can ignore the Event 1530.
· Event ID 12293: This error is caused by that the DNS record registered for KMS server is not correct. To resolve this issue, you can delete the DNS record for the KMS sever and then re-register the record.
· Event ID 10016: As 12293, this error is not related to the Terminal Services either. Although I’m not quite sure which cause the issue in your Windows Server 2008 SP2-based server, but as the reference, please check the following KB article which is written for Windows Server 2003:
(KB920720) Error message when you try to view a Web site that is hosted on IIS 6: "Service unavailable"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;920720As the new errors are not similar to the original issue, please consider to start new threads for them if you have further questions on those event logs. In this thread, if the original issue comes back again, please let me know it. I’d like to provide further assistance to you.
Thanks for your cooperation and patience
Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Als Antwort markiertLionel Chen - MSFTMSFT, ModeratorMittwoch, 2. Dezember 2009 02:47
Alle Antworten
Hello Teenzbutler,
To get clear why the Event 4005 appears, please send the Microsoft Product Support Logs to me. To do that, you could use the following steps:
1. On the problematic terminal server, download and install the MPS Record Tool:
Microsoft Product Support Reports
http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en2. Download the install the prerequisites of the tool.
3. In the Select the diagnostics you want to run phase, please check General and Server Components.
4. After the logs are generated, please send them to us.
Note: You can use the network storage to upload the log files. Or we recommend you to use Windows Live SkyDrive (http://skydrive.live.com/) to store the record files and give me the address for downloading.
I’d like to provide further assistance as soon as I receive the logs. Thanks.
Lionel ChenTechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Als Antwort markiertLionel Chen - MSFTMSFT, ModeratorMittwoch, 25. November 2009 10:22
- Tag als Antwort aufgehobenLionel Chen - MSFTMSFT, ModeratorMittwoch, 25. November 2009 10:22
- Hello Teenzbutler,
How's the issue going now?
If it is not resolved yet, please send the information to me and we will try to help you as soon as possible.
Thanks.
Lionel ChenTechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
Lionel,
Thanks for responding. The Winlogon event ID 4005 has not happened since November 18th. I rebooted the machine and it seems to be working fine now. However, I am getting a lot of other events:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/25/2009 7:07:11 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: PCTS01.pindlercorp.network
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.DETAIL -
0 user registry handles leaked from \Registry\User\S-1-5-21-990400319-699996810-868425949-5563:
______
Log Name: Application
Source: Microsoft-Windows-Security-Licensing-SLC
Date: 11/24/2009 5:21:58 PM
Event ID: 12293
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PCTS01.pindlercorp.network
Description:
Publishing the Key Management Service (KMS) to DNS in the 'pindlercorp.network' domain failed.
______
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 11/25/2009 11:07:26 AM
Event ID: 10016
Task Category: None
Level: Error
Keywords: Classic
User: PINDLERCORP\lbutler
Computer: PCTS01.pindlercorp.network
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
to the user PINDLERCORP\lbutler SID (S-1-5-21-990400319-699996810-868425949-5605) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
_____
I ran the diagnostic tool. Here is the address:
http://cid-beeba2a3eb21b92f.skydrive.live.com/self.aspx/.Public
I appreciate any assistance that you can offer.
Thanks again.Hello Tennzbutler,
Thanks for your reply.
I have checked the new errors your machine got, and here is my analysis:
· Event ID 1530: this error means there are some data in the user profile are still be accessed when the user logoff from the Terminal Server, you have very possibly enabled the policy to remove the user profile when logged off. In such a situation the error appear. To troubleshoot this error, you can check if any of the data is still remained in the user profile supposed to be deleted. That should be the data the process is using when logoff happens. You can use Process Monitor or Process Explorer in order to find the software which is using the data and find the solution. If there is no such data remained, the Windows have possibly stopped the process and deleted the data when logoff. In such a case, you can ignore the Event 1530.
· Event ID 12293: This error is caused by that the DNS record registered for KMS server is not correct. To resolve this issue, you can delete the DNS record for the KMS sever and then re-register the record.
· Event ID 10016: As 12293, this error is not related to the Terminal Services either. Although I’m not quite sure which cause the issue in your Windows Server 2008 SP2-based server, but as the reference, please check the following KB article which is written for Windows Server 2003:
(KB920720) Error message when you try to view a Web site that is hosted on IIS 6: "Service unavailable"
http://support.microsoft.com/default.aspx?scid=kb;EN-US;920720As the new errors are not similar to the original issue, please consider to start new threads for them if you have further questions on those event logs. In this thread, if the original issue comes back again, please let me know it. I’d like to provide further assistance to you.
Thanks for your cooperation and patience
Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Als Antwort markiertLionel Chen - MSFTMSFT, ModeratorMittwoch, 2. Dezember 2009 02:47
- Hello teenzbutler,
Does the information above help? If you need any further help from us, please follow up here and let me know.
Thanks.
Lionel ChenTechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Hi Lionel,
For Event ID 1530: I don't have a policy that removes the profile. The users are setup as roaming profile. Their profiles and all their data remain on the server after logging off.
For Event ID 12293: This error is caused by that the DNS record registered for KMS server is not correct. To resolve this issue, you can delete the DNS record for the KMS sever and then re-register the record. I am unable to find this record on the DNS server. Do you have any instructions on how to find the record, delete it, and re-register it?
For Event ID 10016: As 12293, this error is not related to the Terminal Services either. Although I’m not quite sure which cause the issue in your Windows Server 2008 SP2-based server, but as the reference, please check the following KB article which is written for Windows Server 2003: (KB920720) Error message when you try to view a Web site that is hosted on IIS 6: "Service unavailable" http://support.microsoft.com/default.aspx?scid=kb;EN-US;920720. This server does not run IIS 6.0. So I don't believe this article pertains to our issue.
Another error is now popping up:
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 12/2/2009 8:28:29 AM
Event ID: 6003
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: PCTS01.pindlercorp.network
Description:
The winlogon notification subscriber <TrustedInstaller> was unavailable to handle a critical notification event.
Again, I searched online and I get the same information as event ID 4005. Microsoft states this issue is cause by insufficient system resources, a corrupt registry, or a service that failed to start. Can you please advise. Hello Teenzbutler,
Regarding EventID 1530, please also take the following KB article as reference:
(KB947238) Event ID: 1530 may be logged in the Application log on a Windows 7-based or Windows Vista-based client computer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;947238
Regarding KMS registering issue, we are not the best support resource, but for your convenience, please refer to the following article:
Volume Activation 2.0
http://technet.microsoft.com/en-us/library/cc770903(WS.10).aspxFor more information about KMS and Windows Activation, please use our forum on Windows Server deployment:
Setup Deployment
http://social.technet.microsoft.com/Forums/en-US/winserversetup/threadsThe Event 10016 is also very possibly related to Windows Activation, if IIS is not installed. Do you have any issues on Windows Server activation in your environment?
Regarding the new Event Log (6003) appearing, I noticed that you started a new thread in our forum. We could discuss there.
Thanks.
· Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Hello Teenzbutler,
Can I provide further helps on this issue? Please drop a note and let me know it.
Thanks.
Lionel ChenTechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
