Help! "The reference account is currently locked out" user registry handles leaked, Process 2996 winlogon.exe has opened key \REGISTRY\USER\S-1-5-21-2240875929-447784991-1091042645-500

  • Question

  • I had left my computer on and went to bed; it eventually went to sleep. When I awoke, I tried to log back in to my account and got the error "The reference account is currently locked out and may not be logged into". The internet was disabled and disconnected at the hardware level during this timeframe. Every time this takes place, upon boot Event Viewer shows the following:

    The following boot-start or system-start driver(s) failed to load:
    AFD
    CSC
    DfsC
    discache
    ESProtectionDriver
    nbdrv
    nsiproxy
    rdbss
    SASDIFSV
    SASKUTIL
    spldr
    tdx
    WfpLwf

    This is the third time this has happened this week; another PC on the network also had a problem and was booted into a clean, defaulted temporary account at logon. Also, this occurred again as I am writing this; I am no longer able to access anything that requires administrative privileges. I am told that the lockout occurs due to the password lockout policy, which I have enabled. Once I had done a system restore and restored access to my desktop, I immediately changed the passwords of my two admin accounts, and within 20-30 minutes the lock had reappeared, all while the computer was unplugged from the internet, cable and all. So if this were a hacking attempt, it would have to be by a pre-installed rootkit. Winlogon is clean according to VirusTotal. Anyone know what's going on and how to fix this issue? Typically these errors are due to non-Windows apps and services, like anti-virus. Perhaps some malware is hooking into Winlogon when this occurs?

    There were multiple apps (no longer installed) in the "Store credentials for automatic logon" as well, could these be the culprit? I have removed them, but I am locked out so I must do a system restore, and I will try removing them again prior to any of these events occurring to factor that out.

    I see another error Event 1530, User Profile Service:

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

     DETAIL -
     1 user registry handles leaked from \Registry\User\S-1-5-21-2240875929-447784991-1091042645-500:
    Process 2996 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2240875929-447784991-1091042645-500


    Here are other errors from immediately before this time; I had done a system restore and successfully logged in, then the following occurred, timed from bottom to top:

    ================================

    The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.

    ================================

    The Desktop Window Manager has exited with code (0x40010004)

    ================================

    (what is winmail? I don't use winmail)

    WinMail (4076) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

    ================================

    WinMail (4700) WindowsMail0: The database engine (6.01.7601.0000) started a new instance (0).

    ================================

    The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.

    ================================

    License Activation Scheduler (sppuinotify.dll) was not able to automatically activate.  Error code:
    0xC004F074

    ================================

    The client has sent an activation request to the key management service machine.

    ================================

    Event 6000, Winlogon

    The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.

    ================================

    Event 0, AGSService

    The description for Event ID 0 from source AGSService cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    AGSService
    CppWindowsService in OnStart






    • Edited by tutudid Tuesday, April 10, 2018 2:29 AM
    Tuesday, April 10, 2018 2:15 AM

All replies

  • After 30 minutes my account is no longer locked out, but this happens over and over again.
     (I am not part of a domain, just a power user.) I'm not very interested in disabling this password policy; this may be proof that it is actually working properly.


    • Edited by tutudid Tuesday, April 10, 2018 2:18 AM
    Tuesday, April 10, 2018 2:17 AM
  • Data Execution Prevention (DEP) Status: Enabled on winlogon.exe; I find it highly unlikely this is the cause, but it is enabled system-wide via Microsoft's own built-in functionality. Sfc /scannow shows no errors.
    • Edited by tutudid Tuesday, April 10, 2018 2:28 AM
    Tuesday, April 10, 2018 2:27 AM
  • All I can see in the logs regarding Audit Failure for logon is the following:

    "The computer attempted to validate the credentials for an account.

    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    Ty
    Source Workstation:    U3RKgL
    Error Code:    0xc0000234"


    Others have had this issue: http://jackstromberg.com/2013/03/finding-the-source-to-something-that-keeps-locking-a-domain-user/  "Today, I had the lovely experience in trying to troubleshoot why a users account was locking out of the domain every 30 seconds."
    • Edited by tutudid Tuesday, April 10, 2018 2:49 AM
    Tuesday, April 10, 2018 2:48 AM
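
Added example, not part of any post in this thread: the audit-failure entry quoted in the post above is Security event 4776 (credential validation), and 0xc0000234 is the NTSTATUS code for a locked-out account. The PowerShell below tallies failed validations by account, caller-supplied workstation name and status, so the wrong-password attempts that preceded the lockout can be found. Assumptions: an elevated prompt, PowerShell 2.0 or later, credential-validation auditing enabled, and a 7-day look-back window.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# NTSTATUS codes that event 4776 reports in its Status field.
$statusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}
$since = (Get-Date).AddDays(-7)   # assumption: 7-day look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4776; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Collect the named <Data> fields of the event into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $status = "$($data['Status'])".ToLower()
    if ($status -eq '0x0') { continue }          # successful validation
    New-Object psobject -Property @{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['Workstation']
        # True when the caller-supplied name is this machine's own name.
        IsLocalName = ($data['Workstation'] -eq $env:COMPUTERNAME)
        Status      = $status
        Meaning     = $statusText[$status]
    }
}

# Which account / workstation / status combinations occur most often?
$rows | Group-Object Account, Workstation, IsLocalName, Status, Meaning |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize | Out-String

# Earliest wrong-password failures: these precede the lockout itself.
$rows | Where-Object { $_.Status -eq '0xc000006a' } | Sort-Object Time |
    Select-Object -First 10 Time, Account, Workstation, IsLocalName |
    Format-Table -AutoSize | Out-String
```

The timestamps of the wrong-password rows can then be lined up against scheduled tasks, services and stored credentials that run under the affected account.
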
  • Computer is not part of a local area network or domain; total lock down, will update as I debug further.
    Tuesday, April 10, 2018 2:56 AM
  • I tried increasing verbosity of the logs via the suggestions in the above until I realized this is only for netlogon, not for winlogon; this is a local issue on my pc.


    • Edited by tutudid Tuesday, April 10, 2018 4:49 AM
    Tuesday, April 10, 2018 4:49 AM
  • anybody out there?
    Tuesday, April 10, 2018 7:55 AM
  • Hi,

    Please check if you could boot into safe mode.

    Here are steps to enter safe mode.

    1. Just before the Windows 7 splash screen shown above appears, press the F8 key to enter Advanced Boot Options.

    2. Using the arrow keys on your keyboard, highlight the Safe Mode and press Enter.

    Please check if there is Repair your computer option on the Advanced Boot Options screen after you press F8.

    If yes, please try to click the option to repair your computer.

    If no, you need to use Windows 7 installation media to use Startup Repair.

    In addition, please check if the PC is up to date. (Type Check for updates in the search box, then select Check for updates.)

    Here are some links about the event 1530 and event 6000 for your reference.

    Event ID: 1530 may be logged in the Application log on a Windows Vista or newer computer:

    https://support.microsoft.com/en-sg/help/947238/event-id-1530-may-be-logged-in-the-application-log-on-a-windows-vista

    Event ID 6000 — Windows Logon Availability:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc734033(v=ws.10)


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Vera Hu Thursday, April 12, 2018 9:16 AM
    Wednesday, April 11, 2018 8:16 AM
  • Hi, 

    How’s everything going? Please feel free to give me any update.



    Friday, April 13, 2018 7:13 AM