Unable to complete logon process: "The Windows logon process has failed to spawn a user application", recovered after logon in Safe Mode RRS feed

  • Question

  • 200+ Windows 7 Pro machines, similar configuration, 1/4 of them x86, 3/4 x64.

    Encountered 6 such machines having this problem: After a restart, user logon stuck at a black screen. In Windows event application log there is an event 'The Windows logon process has failed to spawn a user application'. This application is an in-house developed application and is called at winlogon\userinit registry key.

    A restart into Safe Mode, first logon will experience an auto-restart, then second logon ok. Subsequent logon into normal Windows is ok.

    Setting the group policy setting to User Account Control: Behaviour in Admin Approval Mode to 'Elevated without prompt' doesn't solve the problem.

    All machines are in workgroup.

    There seems to be a relationship between security hardening (through local security policy) and this behaviour but not conclusive because some of the machines encountering the problem had not been hardened.

    When I booted a machine under MS DART and change the userinit registry key to call userinit.exe instead of the in-house application, subsequent user can logon correctly under normal mode. Then changing it back to call the in-house application will again logon into black screen.

    Based on these observations, can anyone share what Windows does during Safe Mode to recovery such problem? under what circumstances does it auto-restart after a logon? Can local GPO enforcement corrupt the default user profile?

    Valuable skills are not learned, learned skills aren't valuable.

    Saturday, July 28, 2018 2:23 AM

All replies

  • NetLogon Service can be edited,simply R.click on cmd/run as Administrator/in cmd type: services.msc

    In msc,scroll to NetLogon/double click/set to "Auto start" start service,exit..Some win services depend on others to run,"Workstation" is needed for logon to operate..Scroll thru services,any set to Disable,probably need to be reset.Also,open Event Viewer,locate the Error/Warning,properties,more info is available.Any event shown,select to open with WordPad,or NotePad,this gets you more details on it...Also in services,one can reset a service behavior if it stops,meaning make it simply restart/again & again..

    Saturday, July 28, 2018 6:10 AM
  • Since cannot logon, I can't see whether the netlogon service is running or not. The affected machines in the production had all already been recovered (just by booting into Safe Mode and reboot) thus I also can't remotely check those machines.

    However, if netlogon service is really disabled, even in Safe Mode shouldn't be able to logon and if I change the userinit key to call userinit.exe instead of the in-house application, it also shouldn't be able to logon, so based on this alone the netlogon service is running.

    Valuable skills are not learned, learned skills aren't valuable.

    • Edited by SingChung Monday, July 30, 2018 2:35 AM
    Monday, July 30, 2018 1:45 AM
  • Hi,

    This may occur when the membership of the local Users group is changed from the default settings. By default, the local Users group should contain the Interactive account and the Authenticated Users group.

    By default, User Account Control (UAC) is enabled. At logon, the standard user access token is built, and if the Users group is missing the default members, the user will be unable to interact with the desktop, resulting in the blank desktop being displayed.

    Add the Authenticated Users group and Interactive account to the local Users group to check.

    Also refer to the link below about the event id information.


    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 30, 2018 9:31 AM
  • The group membership of users missing authenticated users and interactive users is the first solution I saw when I first googled for a solution to this problem. However, this isn't the same case I am experiencing now. When I log in in Safe Mode I can see authenticated users and interactive users are indeed member of user groups. 

    If the problem is caused by missing membership, I would have experienced the same problem after changing the userinit key to load userinit.exe instead of the in-house application.

    Today I discovered that when it auto-restarted at the first logon in Safe Mode, it was actually doing a reset of the registry key by reverting it back to default - HKLM\Software\Microsoft\Windows NT\Winlogon\userinit to load userinit.exe, then restart.

    Valuable skills are not learned, learned skills aren't valuable.

    • Proposed as answer by tmmeland Wednesday, June 12, 2019 4:14 PM
    • Unproposed as answer by tmmeland Wednesday, June 12, 2019 4:14 PM
    Monday, July 30, 2018 3:19 PM
  • I saw the same issue today where admin users could remote in fine but non admin users could not.  I've tried all this other stuff mentioned here and in other posts.  I just made the user a member of Power Users and they got in fine.
    Wednesday, June 12, 2019 4:15 PM
  • I am also experiencing same issue for one of Win12 R2 server, I checked both solution which are correctly set. Both Users group membership setting and registry setting are set correctly and Safe Mode is working fine but still it is showing Blank Black screen for all users in normal mode.

    Please let me know if you found some workaround.

    Monday, August 19, 2019 4:22 PM
  • Sorry that I didn't update this issue after weeks of investigation several months ago as I wanted to forget about it and focus on other problems.

    The cause of this problem is that UAC is preventing the in-house application to directly load through the winlogon userinit key, right after a logon in normal mode. The user will see just a blank screen (when UAC issue a warning at this stage the UI is not appearing). After disabling UAC, it works fine but from security perspective it is not desirable. Thus I concluded that the in-house application must be re-designed to address the security concern.

    Valuable skills are not learned, learned skills aren't valuable.

    Saturday, August 24, 2019 1:54 AM