[THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time

  • From: "M" <mathras@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 21 Jul 2004 21:17:00 +0100

http://support.microsoft.com/default.aspx?scid=kb;en-us;828326

Seen this?

  ----- Original Message ----- 
  From: Ruud Bransen 
  To: thin@xxxxxxxxxxxxx 
  Sent: Wednesday, July 21, 2004 1:25 PM
  Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time


  Thanx, but no. The file(s) and the regkey are not on the system.



  Regards,



  Ruud Bransen

  Databalk bv




------------------------------------------------------------------------------

  From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Gano, David
  Sent: Wednesday 21 July 2004 13:53
  To: thin@xxxxxxxxxxxxx
  Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time



  I remember a Virus/Spyware thing that caused similar issues in my office. 
Here are my notes:





  The virus creates two random-named files (probably in %systemroot%\system32), 
filename.dll and filename.cpy.dll -- easy to check for an infection by 
searching for *.cpy.dll. It also creates (and tightly protects) the registry 
hive HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian.

  To get rid of it:

  - Reboot the machine and don't log on to it.
  - Go to another workstation, run \\machinename\c$ (to the infected machine) 
and delete the offending files. Get both filename.cpy.dll and filename.dll.
  - Log on to the infected machine and delete the above registry key.

  On a non-networked machine, here are some instructions that work.

  - Go to regedit (regedt32 in 2K)
  - Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Notify\Guardian and make a note of the file name 
there, in System32. (You could just search for *.cpy.dll in the system32 folder.)
  - Right-click (Security menu -> Permissions in 2K) Permissions, uncheck the box: 
"Allow inheritable permissions".
  - Hit OK, and REMOVE on the next prompt.
  - Restart the computer!
  - Find and delete the <file> that was in that key along with its companion 
from System32: <file name>.cpy.dll
  - Go back to the registry editor, recheck the permissions box on that key, 
right-click and Delete the 'Guardian' folder.








------------------------------------------------------------------------------

  From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Ruud Bransen
  Sent: Wednesday, July 21, 2004 3:25 AM
  To: thin@xxxxxxxxxxxxx
  Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time

  Login times are fine. It's just logging off that never happens.



  Regards,



  Ruud Bransen

  Databalk bv


------------------------------------------------------------------------------

  From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Newman, Phil
  Sent: Tuesday 20 July 2004 18:23
  To: thin@xxxxxxxxxxxxx
  Subject: [THIN] Re: Users can't logoff, admins can; winlogon.exe taking all cpu time



  Sounds like you need the post SP4 patches to slow out the slow login times




------------------------------------------------------------------------------

  From: Ruud Bransen [mailto:R.Bransen@xxxxxxxxxxx] 
  Sent: 20 July 2004 16:32
  To: thin@xxxxxxxxxxxxx
  Subject: [THIN] Users can't logoff, admins can; winlogon.exe taking all cpu time

  Environment:

  Windows 2000 SP4 domain controller with roaming user profiles

  Windows 2000 SP4 / Citrix MF XP 1.0 SP3 FR3



  And this issue:

  "Normal" users cannot log off; once the user is a member of the Domain 
Admins, the user logs off normally. After logging off, the session hangs at the 
"Closing network connections" message. If I disconnect the network connections 
manually, it hangs without this message (so just W2K blue). The Winlogon 
process takes the complete CPU time even after logging off the user through CMC 
or Terminal Server Manager. After logging off the user through CMC, the user 
profile is still on the Terminal Server and "in use", as it cannot be deleted 
till the server has rebooted. 



  I tried

  - the policy "Do not check for ownership of roaming profiles" (or something 
similar) 

  - changing permissions at the "Documents and Settings" folder

  - installing all updates at Windows update



  Can anyone help out? 





  Regards,



  Ruud Bransen

  Databalk bv

