
Monday, May 18, 2015

The Case of the Mysterious Blank Desktop, part 2?

Hello everyone, 

I recently experienced an issue logging into a Windows Server 2008 R2 machine. Whenever I would log in, whether through RDP or the VM console, the only thing that would load was a blank desktop. No errors, no windows, no Explorer. I wasn't able to use Remote Tools, but I was able to use PSRemoting, and from there I was able to pull the following log entry:

[HOSTNAME]: PS C:\Users\USERNAME\Documents> Get-EventLog -LogName Application | ?{$_.Source -eq 'Winlogon'} | ?{$_.EntryType -eq 'Warning'} | select -First 1 | fl * -Force


EventID            : 4006
MachineName        : HOSTNAME.DOMAIN.com
Data               : {5, 0, 0, 0}
Index              : 40795
Category           : (0)
CategoryNumber     : 0
EntryType          : Warning
Message            : The Windows logon process has failed to spawn a user application. Application name: . Command line
                      parameters: C:\Windows\system32\userinit.exe.
Source             : Winlogon
ReplacementStrings : {, C:\Windows\system32\userinit.exe}
InstanceId         : 2147487654
TimeGenerated      : 5/18/2015 8:47:26 PM
TimeWritten        : 5/18/2015 8:47:26 PM
UserName           :
Site               :
Container          :

I quickly pulled out Google and found the following article, but to my dismay, after checking the local group I found that the users were already added.

[HOSTNAME]: PS C:\Users\USERNAME\Documents> net localgroup users
Alias name     users
Comment        Users are prevented from making accidental or intentional system-wide changes and can run most applications

Members

-------------------------------------------------------------------------------
NT AUTHORITY\Authenticated Users
NT AUTHORITY\INTERACTIVE
DOMAIN\Domain Admins
DOMAIN\Domain Users
The command completed successfully.

Great, so now what? I searched the internet trying to find someone who might have experienced a similar issue, but I only found articles similar to the one linked above. I attempted to reboot, to remove Authenticated Users/INTERACTIVE from the group, reboot, add them again and reboot once again, but nothing.

I did have some idea of what might be causing the issue based on the article, though, so I attempted moving the computer to a different OU that doesn't require UAC to be turned on. I updated the group policy and rebooted, but still nothing. Frustrated, I went to Regedit and attempted to load the UAC settings to find out if it was turned on or off by using the following command that I got from this article.

[HOSTNAME]: PS C:\Users\USERNAME\Documents> (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).EnableLUA

To my surprise I got nothing. Null return value. I thought that was weird, so I confirmed on a different server with the same version to ensure that the command was correct, and it was returning a result of 0. So I re-added the setting using the following command, also found in the article. 

[HOSTNAME]: PS C:\Users\USERNAME\Documents> Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -Value 0

I rebooted and the server logged back in without any issues. I have no idea how this registry value could have been deleted, or why it had this effect, so if anyone has any more information please be sure to share.
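The three checks above (the Winlogon 4006 warning, the Users group membership, and the presence of EnableLUA) can be run together so the missing value is spotted before anyone starts rebooting. The script below is an added example for this post, not the author's own commands: it assumes an elevated PowerShell session on the affected server (or through Invoke-Command over PSRemoting, as was done here), and the function and parameter names are this example's own. It parses `net localgroup users` instead of Get-LocalGroupMember because that cmdlet does not exist on 2008 R2, and it defaults the restored EnableLUA value to 1 (the Windows default, UAC on); pass 0 to match a policy that has UAC off, as on the server in the post.

```powershell
# Added example (not from the original post): check the three things the post
# inspects on a server whose logons stall with a blank desktop and Winlogon
# event 4006, and optionally restore a missing EnableLUA value.
# Assumptions: elevated PowerShell on the affected server, or run remotely
# via Invoke-Command. Function and parameter names are this example's own.

function Test-UserinitLogonHealth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Recreate EnableLUA when it is missing. Windows' default is 1 (UAC on);
        # the post used 0 because that server's policy had UAC off.
        [switch] $Fix,
        [ValidateRange(0, 1)]
        [int] $DesiredEnableLUA = 1
    )

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $result = New-Object PSObject -Property @{
        Winlogon4006Count        = 0
        LastWinlogon4006         = $null
        UsersGroupHasAuthUsers   = $false
        UsersGroupHasInteractive = $false
        EnableLUAPresent         = $false
        EnableLUAValue           = $null
        Fixed                    = $false
    }

    # 1. Winlogon 4006: "failed to spawn a user application ... userinit.exe".
    #    -Newest bounds the read so a large Application log does not stall us.
    $events = Get-EventLog -LogName Application -Source Winlogon -EntryType Warning -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 4006 }
    $result.Winlogon4006Count = @($events).Count
    if ($events) { $result.LastWinlogon4006 = ($events | Select-Object -First 1).TimeGenerated }

    # 2. The local Users group must still contain the two well-known identities
    #    the post checked. Parse `net localgroup users`: the member list sits
    #    between the dashed separator and "The command completed successfully."
    $lines = net localgroup users 2>&1
    $inMembers = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inMembers = $true; continue }
        if ($line -match 'The command completed') { break }
        if ($inMembers -and "$line".Trim()) {
            switch ("$line".Trim()) {
                'NT AUTHORITY\Authenticated Users' { $result.UsersGroupHasAuthUsers = $true }
                'NT AUTHORITY\INTERACTIVE'        { $result.UsersGroupHasInteractive = $true }
            }
        }
    }

    # 3. EnableLUA: distinguish "value absent" (the post's case) from "present
    #    and 0/1". Asking for a missing value by name throws, so swallow that.
    $lua = Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue
    if ($lua -ne $null -and $lua.PSObject.Properties['EnableLUA']) {
        $result.EnableLUAPresent = $true
        $result.EnableLUAValue   = [int]$lua.EnableLUA
    }

    if ($Fix -and -not $result.EnableLUAPresent) {
        if ($PSCmdlet.ShouldProcess("$policyKey\EnableLUA", "Create REG_DWORD = $DesiredEnableLUA")) {
            # Explicit DWord type rather than relying on Set-ItemProperty's
            # type inference; a reboot is still needed for winlogon to pick it up.
            New-ItemProperty -Path $policyKey -Name EnableLUA -PropertyType DWord -Value $DesiredEnableLUA -Force | Out-Null
            $result.Fixed            = $true
            $result.EnableLUAPresent = $true
            $result.EnableLUAValue   = $DesiredEnableLUA
        }
    }

    $result
}

# Usage, locally or over PSRemoting as in the post:
#   Test-UserinitLogonHealth
#   Test-UserinitLogonHealth -Fix -WhatIf
#   Test-UserinitLogonHealth -Fix -DesiredEnableLUA 0
#   Invoke-Command -ComputerName HOSTNAME -ScriptBlock ${function:Test-UserinitLogonHealth}
```

If the report shows both group members present and EnableLUA absent, that matches the post's situation; run it again with `-Fix -WhatIf` first to see what would be written, then without `-WhatIf`, then reboot.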

I hope this might help someone out there. Do let me know if you have any questions, issues or comments. 

Kind regards, 
Me.