Screen flashes black; then Windows unable to load admin account; On reboot the system cannot find the file specified C:\Users\TEMP\ntuser.dat

  • Question

  • Two similar events have happened to me recently, all while logged into Windows; I use only one account on this PC. On both occurrences the screen flashes black; after that, in particular on the first occurrence, I was not able to access the admin account via UAC. Group Policy is set to ask for a password upon elevation, good and well, but the password dialog box said that the admin account was locked out. After rebooting, I was unable to log in, with the exact same error appearing; a System Restore fixed this issue. Unfortunately I did not note the exact string of the error, and I see no references to it in the event log except for this: "Event 6000 The winlogon notification subscriber <GPClient> was unavailable to handle a notification event." However, the error "description" was quite different on this second occurrence.

    Here are some event errors that occurred during the first error:

    Nvidia GTX 660 turned off momentarily and turned on again; sound card was disabled at the same time, crashing Adobe Premiere:

    Faulting application name: Adobe QT32 Server.exe, version: 12.0.1.69, time stamp: 0x5a4de952
    Faulting module name: QuickTime.qts_unloaded, version: 0.0.0.0, time stamp: 0x5668a2c5
    Exception code: 0xc0000005
    Fault offset: 0x6059cd89
    Faulting process id: 0x4a4
    Faulting application start time: 0x01d3cccd1782c182
    Faulting application path: C:\Program Files\Adobe\Adobe Premiere Pro CC 2018\32\Adobe QT32 Server.exe
    Faulting module path: QuickTime.qts
    Report Id: 334b8f1c-38d4-11e8-a91c-021b2b02fe63

    Wireshark crashed:

    Faulting application name: Wireshark.exe, version: 2.4.6.0, time stamp: 0x5ac3e3c9
    Faulting module name: Qt5Widgets.dll, version: 5.6.3.0, time stamp: 0x59ba2344
    Exception code: 0xc0000005
    Fault offset: 0x000000000022f0e8
    Faulting process id: 0x1074
    Faulting application start time: 0x01d3ccb2309d7210
    Faulting application path: C:\Program Files\Wireshark\Wireshark.exe
    Faulting module path: C:\Program Files\Wireshark\Qt5Widgets.dll
    Report Id: 0b99045e-38e5-11e8-a91c-021b2b02fe63

    Upon reboot

    The Windows Firewall Control service depends on the Windows Firewall service which failed to start because of the following error: The dependency service or group failed to start.

    --------

    7026 The following boot-start or system-start driver(s) failed to load:
    AFD
    CSC
    DfsC
    discache
    nbdrv
    nsiproxy
    rdbss
    SASDIFSV
    SASKUTIL
    spldr
    tdx
    WfpLwf

    --------

    Error relating to elevated UAC and or logon attempts: Event 6000 The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.

    -------

    DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server:
    {DD522ACC-F821-461A-A407-50B198B896DC}

    DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server:
    {BA126AD1-2166-11D1-B1D0-00805FC1270E}

    DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server:
    {A47979D2-C419-11D9-A5B4-001185AD2B89}

    ------

    The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error:
    The dependency service or group failed to start.

    -----

    Now today this is the problem:

    Allowed Adobe Flash updater outbound to pass the firewall. Screen went black; I immediately shut down the computer suspecting malicious activity (and possibly a GPU-related attack / rootkit). Upon restarting, I was unable to log in.

    Event viewer logs:

    Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

    Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

     DETAIL - The system cannot find the file specified.for C:\Users\TEMP\ntuser.dat
     
    DETAIL - The process cannot access the file because it is being used by another process.
     for C:\Users\Ty\ntuser.dat

    6001 The winlogon notification subscriber <Profiles> failed a notification event.
    6001 The winlogon notification subscriber <Sens> failed a notification event.

    Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.
    Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
    Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

    Event ID 1511

    Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

    Rebooting the computer a second time fixed this problem; no system restore necessary.

    It appears this may have happened to another PC on the same LAN; when using a temporary profile, apparently, quote, "this causes the user to be presented with the default profile with no personalized settings." Another PC on the network had also booted into Windows and was presented with the default interface; I can only assume this person was hacked as well. Except they were using the latest Windows 10 machine, all updates included.



    • Edited by tutudid Saturday, April 7, 2018 3:45 AM
    Saturday, April 7, 2018 3:02 AM
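
The events quoted in the question sit in three different logs, which makes the sequence hard to read in Event Viewer. The PowerShell below is an added example, not part of the original post or of any reply: it merges those event IDs into one timeline and breaks failed logons down by account, logon type and source address, which is what distinguishes a lockout caused at the console from one caused over the network. Assumptions: an elevated prompt, an arbitrary 14-day window, and that logon-failure and account-management auditing is enabled so Security events 4625 and 4740 (IDs not mentioned in the thread) are actually recorded.

```powershell
# Added example. Works with the PowerShell 2.0 that ships with Windows 7.
# Assumption: elevated prompt (the Security log is not readable otherwise).
$since = (Get-Date).AddDays(-14)   # assumption: look-back window, adjust as needed

# Event IDs from the post, plus the two Security events that explain a lockout.
$queries = @(
    @{ LogName = 'Application'; Id = 1511, 6000, 6001 },  # temp profile, Winlogon subscribers
    @{ LogName = 'System';      Id = 7026 },              # boot/system-start drivers failed
    @{ LogName = 'Security';    Id = 4625, 4740 }         # failed logon, account locked out
)

$timeline = foreach ($q in $queries) {
    $filter = @{ LogName = $q.LogName; Id = $q.Id; StartTime = $since }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# One chronological view: does 4740 precede the 6000/1511 errors, or follow them?
$timeline | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

# Failed logons grouped by account, logon type and source address.
# LogonType 2 or 7 = typed at the console / unlock; 3 = network; 10 = remote desktop.
$failed = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue

$failed | ForEach-Object {
        # Flatten the event's named <Data> fields into a hashtable.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        New-Object PSObject -Property @{
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
        }
    } |
    Group-Object Account, LogonType, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty second table with a lockout still present in the first usually means failure auditing was off at the time, not that no failed logons happened.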

All replies

  • Any ideas what is going on here?
    Saturday, April 7, 2018 3:09 AM
  • Could this be related to Data Execution Prevention (DEP) running globally? I was not given any notifications from DEP.

    • Edited by tutudid Saturday, April 7, 2018 3:29 AM
    Saturday, April 7, 2018 3:22 AM
  • Update:

    It appears this may have happened to another PC on the same LAN; when using a temporary profile, apparently, quote, "this causes the user to be presented with the default profile with no personalized settings." Another PC on the network had also booted into Windows and was presented with the default interface; I can only assume this person was hacked as well. Except they were using the latest Windows 10 machine, all updates included. I am using Windows 7.

    We are sitting behind a hardened Asus Ac66u with Merlin / Skynet & Dnscrypt.


    • Edited by tutudid Saturday, April 7, 2018 3:47 AM
    Saturday, April 7, 2018 3:45 AM
  •  

    Hi,

    Please try to create a new user account to see if the issue still occurs.

    Please try to use the System File Checker tool (SFC.exe) to check system files and recover corrupted files. Here are the steps:

    1. Open Command Prompt (as administrator).

    2. Type sfc /scannow, and then press Enter.

    Please boot into safe mode to see if the issue still occurs.

    Here are the steps to enter safe mode:

    1. Just before the Windows 7 splash screen shown above appears, press the F8 key to enter Advanced Boot Options.

    2. Using the arrow keys on your keyboard, highlight the Safe Mode and press Enter.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Vera Hu Tuesday, April 10, 2018 9:55 AM
    Monday, April 9, 2018 10:04 AM
  •  

    Hi, 

    How’s everything going? Please feel free to give me any update.



    Thursday, April 12, 2018 9:18 AM
  • For some reason the problem has stopped persisting (so far as I've experienced to this point). All I had done was change password lockout from 30 to 5 minutes, and from 3 failures to 4 failures to initiate lockout; I also removed ALL credentials under Windows "Credential Manager".


    • Edited by tutudid Sunday, April 15, 2018 3:21 AM
    Sunday, April 15, 2018 3:20 AM