Monday, May 18, 2015

The Case of the Mysterious Blank Desktop, part 2?

Hello everyone, 

I recently experienced an issues login into a Windows Server 2008 R2. Whenever I would log in, whether through RDP or VM Console, the only thing that would load was a blank desktop. No errors, no windows, no explorer. I wasn't able to use Remote Tools, but I was able to use PSRemote and from there was was able to pull the following log:

[HOSTNAME]: PS C:\Users\USERNAME\Documents> Get-EventLog -LogName Application | ?{$_.Source -eq 'Winlogon'} | ?{$_.EntryType -eq 'Warning'} | select -First 1 | fl * -Force

EventID            : 4006
MachineName        :
Data               : {5, 0, 0, 0}
Index              : 40795
Category           : (0)
CategoryNumber     : 0
EntryType          : Warning
Message            : The Windows logon process has failed to spawn a user application. Application name: . Command line
                      parameters: C:\Windows\system32\userinit.exe.
Source             : Winlogon
ReplacementStrings : {, C:\Windows\system32\userinit.exe}
InstanceId         : 2147487654
TimeGenerated      : 5/18/2015 8:47:26 PM
TimeWritten        : 5/18/2015 8:47:26 PM
UserName           :
Site               :
Container          :

I quickly pulled out Google and found the following article, but to my demise after checking the local group I found that the users were already added.

[HOSTNAME]: PS C:\Users\USERNAME\Documents> net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-wide changes and can run most applications


NT AUTHORITY\Authenticated Users
DOMAIN\Domain Admins
DOMAIN\Domain Users
The command completed successfully.

Great so now what? I searched the internet trying to find someone who might have experienced a similar issue but i only found similar articles to the one linked above. I attempted to reboot, to remove the users Authenticated Users/Interactive off the group, reboot, add them again and reboot once again, but nothing.

I did have some idea of what might be causing the issue based on the article though, so I attempted moving the computer to a different OU that doesn't require UAC to be turned on. I updated the group policy and rebooted but still nothing. Frustrated I went to to Regedit and attempted to load the UAC settings to find out if it was turned on or off by using the following command that I got from this article.

[HOSTNAME]: PS C:\Users\USERNAME\Documents> (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA

To my surprise I got nothing. Null return value. I thought that was weird, so I confirmed on a different server with the same version to ensure that the command was correct, and it was returning a result of 0. So I re-added the setting using the following command, also found in the article. 

[HOSTNAME]: PS C:\Users\USERNAME\Documents> Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0

I rebooted and the server logged back in without any issues. I have no idea how this registry could have been deleted, or why it had this effect so if anyone has any more information please be sure to share.

I hope this might help someone out there. Do let me know if you have any questions, issues or comments. 

Kind regards,