When your users log on to a terminal server, their session hangs after the logon. They may also see the error message "Windows cannot log you on because your profile cannot be loaded". If your users are facing this issue, follow the troubleshooting steps below.
Infostealer.Banker.C virus
The symptoms below will help you verify that your machine is infected with the "Infostealer.Banker.C" virus. Read through the symptoms and then follow the troubleshooting steps to resolve the "Terminal Server RDP session hangs after logon" issue.
1. When a user connects to a terminal server via an RDP session, the session hangs after the user enters their credentials, and the only way to recover is to disconnect the RDP session.
-or-
2. When the user connects to a terminal server via an RDP session, they receive the following message:
Windows cannot log you on because your profile cannot be loaded
The user is then disconnected from the RDP session.
Reviewing the userenv logs, we find the following:
USERENV(b00.a6c) 13:27:15:032 =========================================================
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: Entering, hToken = <0x280>, lpProfileInfo = 0x6e5d8
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: lpProfileInfo->dwFlags = <0x0>
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: lpProfileInfo->lpUserName = <briansi>
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: lpProfileInfo->lpProfilePath = <\\Tsrv01\tsprofiles\briansi>
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: lpProfileInfo->lpDefaultPath = <\\Tsrv01\netlogon\Default User>
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: NULL server name
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: no thread token found, impersonating self.
USERENV(b00.a6c) 13:27:15:032 GetInterface: Returning rpc binding handle
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: Calling DropClientContext took exception. err = 1723
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: Calling DropClientContext failed. err = 1723
USERENV(b00.a6c) 13:27:15:032 ReleaseInterface: Releasing rpc binding handle
USERENV(b00.a6c) 13:27:15:032 LoadUserProfile: Returning FALSE. Error = 1723
USERENV(1640.818) 13:27:23:032 InitializePolicyProcessing: Initialised Machine Mutex/Events
USERENV(1640.818) 13:27:23:032 InitializePolicyProcessing: Initialised User Mutex/Events
USERENV(1640.818) 13:27:23:032 LibMain: Process Name: \??\C:\WINDOWS\system32\winlogon.exe
USERENV(1640.818) 13:27:36:360 LoadUserProfile: Yes, we can impersonate the user. Running as self
Running "net helpmsg 1723" returns the following:
The RPC server is too busy to complete this operation.
In both of these cases, the Userinit value in the registry contained the same entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\briansi.contoso\Application Data\ntos.exe,C:\Documents and Settings\briansi\Application Data\ntos.exe
Note that ntos.exe is not an operating system file. It is a component of the Infostealer.Banker.C virus, which captures sensitive information from the user's machine and sends it to a remote computer. If you get a case with similar behavior and see this file being loaded under the Userinit value, ensure the customer has the latest definitions for their anti-virus software and perform a full scan of the system. If needed, engage PSSSEC for assistance on this issue.
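As an added example (not code from the original post), the following PowerShell audits the Winlogon Userinit value for anything other than the stock userinit.exe and can restore the default value once the extra files have been collected and scanned. The $Sample string is constructed from the registry value shown above; the function names and the backup file location are my own choices, not something the post describes.

```powershell
# Added example: audit HKLM\...\Winlogon\Userinit for entries that are not the
# stock %SystemRoot%\system32\userinit.exe (e.g. the ntos.exe entries above).
# Function names and the backup path are assumptions for this example.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-UserinitValue {
    param(
        [Parameter(Mandatory)] [string] $Value,
        [string] $SystemRoot = $env:SystemRoot
    )
    # Winlogon runs every comma-separated entry in Userinit after logon.
    # The only legitimate entry is %SystemRoot%\system32\userinit.exe; the
    # stock value ends with a trailing comma, so empty entries are ignored.
    $expected = Join-Path $SystemRoot 'system32\userinit.exe'
    $entries  = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    # -ne is case-insensitive in PowerShell, so C:\WINDOWS and C:\Windows match.
    $extra    = @($entries | Where-Object { ($_ -replace '^"|"$', '') -ne $expected })
    [pscustomobject]@{
        Expected = $expected
        Entries  = $entries
        Extra    = $extra
        Clean    = ($extra.Count -eq 0)
    }
}

function Get-WinlogonUserinit {
    (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
}

function Repair-WinlogonUserinit {
    # Saves the current value to a text file, then writes the stock value back.
    # Requires an elevated session; run only after the extra files were handled.
    param([string] $BackupPath = (Join-Path $env:TEMP 'Userinit-backup.txt'))
    $old = Get-WinlogonUserinit
    $old | Out-File -FilePath $BackupPath -Encoding ascii
    $stock = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
    Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $stock
    Write-Host "Userinit restored to '$stock'; previous value saved to $BackupPath"
}

# Constructed sample, copied from the registry value shown in the post.
$Sample = 'C:\WINDOWS\system32\userinit.exe,' +
          'C:\Documents and Settings\briansi.contoso\Application Data\ntos.exe,' +
          'C:\Documents and Settings\briansi\Application Data\ntos.exe'
$demo = Test-UserinitValue -Value $Sample -SystemRoot 'C:\WINDOWS'
$demo | Format-List

# Live check on this machine.
$audit = Test-UserinitValue -Value (Get-WinlogonUserinit)
if ($audit.Clean) {
    Write-Host 'Userinit contains only the stock userinit.exe entry.'
} else {
    Write-Warning ('Unexpected Userinit entries: ' + ($audit.Extra -join '; '))
    # Collect/scan the files listed in $audit.Extra first, then:
    # Repair-WinlogonUserinit
}
```

For the sample value, Extra holds the two ntos.exe paths and Clean is $false. Anti-virus cleanup may remove the file but leave the registry entry behind, so re-run the audit after the full scan and only then call Repair-WinlogonUserinit, which needs administrative rights on the terminal server.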