[THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time

  • From: "Ruud Bransen" <R.Bransen@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 21 Jul 2004 14:25:52 +0200

Thanks, but no. The file(s) and the regkey are not on the system.

 

Regards,

 

Ruud Bransen

Databalk bv

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Gano, David
Sent: Wednesday, 21 July 2004 13:53
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking
all cpu time

 

I remember a Virus/Spyware thing that caused similar issues in my
office. Here are my notes:

 

 

The virus creates two random-named files (probably in
%systemroot%\system32), filename.dll and filename.cpy.dll -- easy to
check for an infection by searching for *.cpy.dll. It also creates (and
tightly protects) the registry hive HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\Guardian.
 
To get rid of it:
 
- Reboot the machine and don't log on to it.
- Go to another workstation, run \\machinename\c$ (to the infected
machine) and delete the offending files. Get both filename.cpy.dll and
filename.dll.
- Log on to the infected machine and delete the above registry key.
 
On a non-networked machine, here are some instructions that work.
 
- Go to regedit (regedt32 in 2K)
- Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\Guardian and make a note of the file
name there, in System32. (You could just search for *.cpy.dll in
system32 folder)
- RightClick (security menu->permissions in 2K) permissions, uncheck
box: "Allow inheritable permissions".
- Hit ok, and REMOVE on next prompt.
- Restart computer!
- Find and delete the <file> that was in that key along with its
companion from System32: <file name>.cpy.dll
- Go back to registry editor, recheck the permissions box on that key,
right click Delete the 'Guardian' folder.
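
The two checks from the notes above (a *.cpy.dll pair in system32 and a Guardian entry under Winlogon\Notify), as an added PowerShell example that is not part of the original post. It assumes a host with Windows PowerShell 3.0 or later and that the package's file name sits in the DllName value, the standard value for Winlogon notification packages, which the notes do not name.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# -System32 may point at an admin share, e.g. \\machinename\c$\winnt\system32
# (placeholder path); the registry check always reads the local machine.
param(
    [string]$System32 = (Join-Path $env:SystemRoot 'System32')
)

# Indicator 1: every *.cpy.dll plus the companion <name>.dll beside it.
$files = @(Get-ChildItem -LiteralPath $System32 -Filter '*.cpy.dll' -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $companion = Join-Path $_.DirectoryName ($_.Name -replace '\.cpy\.dll$', '.dll')
        $detail = 'companion not found'
        if (Test-Path -LiteralPath $companion) { $detail = "companion present: $companion" }
        [pscustomobject]@{ Indicator = 'cpy.dll pair'; Item = $_.FullName; Detail = $detail }
    })

# Indicator 2: Winlogon notification packages. Subkey names are listed from
# the parent key, so a subkey whose ACL blocks reading still shows up.
$packages = @()
$notify = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify')
if ($notify) {
    foreach ($name in $notify.GetSubKeyNames()) {
        try {
            $sub = $notify.OpenSubKey($name)
            # DllName: standard value name for notification packages (assumption,
            # the notes only say "the file name there").
            $dll = $sub.GetValue('DllName')
            $sub.Close()
        } catch {
            $dll = '<unreadable, check the key permissions>'
        }
        $kind = 'Notify package'
        if ($name -eq 'Guardian') { $kind = 'Notify\Guardian' }
        $packages += [pscustomobject]@{ Indicator = $kind; Item = $name; Detail = "DllName = $dll" }
    }
    $notify.Close()
}

# One table: file hits first, then every notification package that is registered.
$files + $packages | Format-Table -AutoSize -Wrap
```

An empty table means neither indicator was found; legitimate notification packages are listed too, so only the 'Notify\Guardian' and 'cpy.dll pair' rows match the notes.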

 

 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Ruud Bransen
Sent: Wednesday, July 21, 2004 3:25 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking
all cpu time

Login times are fine. It's just logging off that never happens.

 

Regards,

 

Ruud Bransen

Databalk bv

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Newman, Phil
Sent: Tuesday, 20 July 2004 18:23
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking
all cpu time

 

Sounds like you need the post SP4 patches to slow out the slow login
times

 

________________________________

From: Ruud Bransen [mailto:R.Bransen@xxxxxxxxxxx] 
Sent: 20 July 2004 16:32
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Users can't logoff, admins can; winlogon.exe taking all
cpu time

Environment:

Windows 2000 SP4 domain controller with roaming user profiles

Windows 2000 SP4 / Citrix MF XP 1.0 SP3 FR3

 

And this issue:

"Normal" users can not log off, once the user is a member of the Domain
Admins, the user logs off normally. After logging off the session hangs
at the "Closing network connections" message. If I disconnect the
network connections manually, it hangs without this message (so just W2K
blue). The Winlogon process takes the complete CPU time even after
logging off the user through CMC or Terminal Server Manager.  After
logging off the user through CMC, the user profile is still on the
Terminal Server and "in use" as it can not be deleted till the server
has rebooted. 

 

I tried

- the policy "Do not check for ownership of roaming profiles" (or
something similar) 

- changing permissions at the "Documents and Settings" folder

- installing all updates at Windows update

 

Can anyone help out? 

 

 

Regards,

 

Ruud Bransen

Databalk bv

 
