none
Error "The Windows logon process has unexpectedly terminated"

    Question

  • Hi,

    I have SBS 2008. There is an error message in the application log .

    Error 4005

    The Windows logon process has unexpectedly terminated.

    I got a few of them almost everyday. Can someone tell me that it is? How to fix it?

    Many thanks!

    Grace


    Grace

    Tuesday, October 02, 2012 1:34 AM

Answers

  • This seems more of like could be due to rdpcorekmts.dll not getting updated to post SP 1 version and certain registry entries not getting created ( I don't know what as I don't have a working and non working machine)

    DBE9B383-7CF3-4331-91CC-A3CB16A3B538 confirms it . There have been  issues with following updates recently KB2621440 and KB2667402.

    please uninstall these patches ( if Installed)

    run sfc /scannow to confirm that theres no file level corruption
    ensure that rdpcorekmts.dll file exists and is SP1 version that is it 6.1.7601.xxxx.

    This is all i can think of for now as I see these events on frequent basis on my server (test machine)

    Thursday, October 04, 2012 7:00 PM

All replies

  • Are you getting these events while logging on to server ?

    What is the full description of the event?

    example :

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" />

    Tuesday, October 02, 2012 1:44 AM
  • no, I checked the event, I didn't see this error while I was logging to server.

    Below is the full description of the event:

    The Windows logon process has unexpectedly terminated.

    Log Name: Application

    Source: Winlogon

    Logged: 9/30/2012 6:38:22 PM

    Event ID: 4005

    Task Category: none

    Level: Error

    Keyword: Classic

    User: N/A

    Computer: SBS

    Thanks!


    Grace

    Tuesday, October 02, 2012 5:59 PM
  • No ,  probably you are reading only general description of the event.

    Click on Details tab next left to general and select xml view radio button to verify the guid of the provider.

    Wednesday, October 03, 2012 12:56 AM
  • I see, here you are... Thank you very much for your response. Let me know if you need future information. Just FYI. A few RWW users reported they were kicked out while they were still actively working to their office computers by remote desktop.

    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
      <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Winlogon" />
      <EventID Qualifiers="49152">4005</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-03T04:49:05.000Z" />
      <EventRecordID>1258917</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>GALAXY.IZlaw.local</Computer>
      <Security />
      </System>
    - <EventData>
      <Binary>1F000000</Binary>
      </EventData>
      </Event>


    Grace

    Wednesday, October 03, 2012 4:40 PM
  • There you are  :-). 

    My apologies, it's been a busy day , it may take around 8-10 hours for me to respond with a possible solution , before i go to sleep . :P

    Thanks for your patience and time.

    Wednesday, October 03, 2012 4:45 PM
  • You are so nice. Your help is highly appreciated. :-)

    Grace

    Wednesday, October 03, 2012 6:49 PM
  • This seems more of like could be due to rdpcorekmts.dll not getting updated to post SP 1 version and certain registry entries not getting created ( I don't know what as I don't have a working and non working machine)

    DBE9B383-7CF3-4331-91CC-A3CB16A3B538 confirms it . There have been  issues with following updates recently KB2621440 and KB2667402.

    please uninstall these patches ( if Installed)

    run sfc /scannow to confirm that theres no file level corruption
    ensure that rdpcorekmts.dll file exists and is SP1 version that is it 6.1.7601.xxxx.

    This is all i can think of for now as I see these events on frequent basis on my server (test machine)

    Thursday, October 04, 2012 7:00 PM
  • Thank you so much! I checked my server, KB2621440 is installed, but KB2667402 isn't. After I uninstall it, do I need to reinstall them back?

    I don't have rdpcorekmts.dll on my SBS server. Should it be located in  C:\Windows\System32? What should I do? I found it on my PC. Can I copy it to SBS server.

    Do I need to reboot server after sfc /scannow is finished?

    Many thanks!


    Grace

    Monday, October 08, 2012 7:31 PM
  • Nope. Don't copy anything from your pc to the server. first run sfc /scannow after uninstalling 2621440 . Once it's completed , reinstall kb 2621440  and reboot.
    Monday, October 08, 2012 7:42 PM
  • I am done the scan and it didn't find any integrity violations. I removed 2621440 and it asked for reboot. Can I install 2621440 now and reboot after?Thanks,

    Thanks!


    Grace

    Monday, October 08, 2012 9:30 PM
  • Yes.
    Monday, October 08, 2012 9:47 PM
  • I scheduled to reboot the server this weekend. Will update here if the error is gone after that.

    Grace

    Friday, October 12, 2012 12:15 AM
  • Installing RDP client 6.1 resolved the issue for me, i was using XP sp 2
    Monday, April 01, 2013 11:14 AM