Jump to content
nosluom

KES10 Roaming Profile Issue

Recommended Posts

Hi all

 

I've come on here as a last resort to try and get to the bottom of a big issue we're encountering at our business. Since rolling out KES 10.2.5.3201 (MR3) a couple of weeks ago we are having a major problem where user's are randomly getting logged onto their windows 7 desktops with a temporary profile. We use roaming profiles across our site where the profiles are simply written back to a file share (old fashioned i know but that's the way it is at present).

Since rolling out 10.2.5.3201 our service desk is receiving at least 50 calls a day from user's who have been logged on with a temp profile. If you check the registry under profile list, we see a .bak entry has been created for the user which we then have to delete to log them on correctly.

We're assuming it has to be Kaspersky causing the issue because it's only started happening since we rolled out this new version and no other changes have been made across the site. If we check the event viewer on a pc after a user has been logged on with a temp profile there is an entry saying Kaspersky has started and then directly after that there is an entry saying NTUSER.dat is locked by another process and the user is being logged on with a temporary profile. We have excluded ntuser.dat in our workstation policy but it has made no difference.

HELLLLLPPPPPPPPP!! does anyone have any ideas at all?

Share this post


Link to post

Hi,

 

Does the issues occur if you exit KES and disable running at windows startup or if you delete KES?

 

BR

Share this post


Link to post
On 7. 12. 2016 at 10:37 AM, nosluom said:

there is an entry saying NTUSER.dat is locked by another process and the user is being logged on with a temporary profile. We have excluded ntuser.dat in our workstation policy but it has made no difference.

 

Hi, looks like that we have similar problem now. With the only difference that we have temporary profiles disabled. So user can not login and must call IT department. However, after this starts logout process immediately that will cause that the only the percentage of files to be transferred back to the file server.  So we must restore their profile from backup. We have small domain around 100 users and this happend a one or two users per day.

What I would like know, wehere i Can find, that the files are locked by Kaspersky. 

The next month we end the contract with the KS, so I would like to find out and look elsewhere.

Share this post


Link to post
On 8. 2. 2018 at 2:06 PM, Konstantin Antonov said:

Hi,

Could you please specify version that you use.

Thank you!

agent 10.4.343
App 10.3.0.6294

Share this post


Link to post

Hello, Same problem here..

agent 10.4.343
App 10.3.0.6294

we are using in a large environment (500+ users) desktop and favorites redirection, and kes 10 as AV. We are experiencing every day, 10 or more users that have the temp profile issue. After 1 or 2 reboot all seems work fine. For now the clients that reported the problem were all the same version of Kes agent and app.

We deployed an activity for distribute this version of kes 2 week ago, and from that moment the problem seems to present more frequently.

In the event viewer the first noticeable error is NTUSER.DAT Locked..

Any idea?

Share this post


Link to post

Hello.

Are you experiencing this problem without Endpoint Security installed ?

What OS version your workstations are using ?

Share this post


Link to post
8 minutes ago, Evgeny_E said:

Hello.

Are you experiencing this problem without Endpoint Security installed ?

What OS version your workstations are using ?

The problem is occasional, and we can't reprodouce it. As i say, every morning some (usually new) clients have the problem. if i reboot a client with the problem, probably at next logon all will be ok.. and i cant' let a production client without Kes for days...

The os are Windows 7 and 8.1 Pro

Share this post


Link to post

Could you provide full GSI report from one of the workstations which experienced this error not a long time ago ?

Share this post


Link to post

Hello. 


So you do not have recurring instances of this issue for a same user on  a given workstation ?
Would you also mind to share KES policy for this workstation ?

Share this post


Link to post
6 hours ago, Sebastian P said:

Hello, Same problem here..

agent 10.4.343
App 10.3.0.6294

we are using in a large environment (500+ users) desktop and favorites redirection, and kes 10 as AV. We are experiencing every day, 10 or more users that have the temp profile issue. After 1 or 2 reboot all seems work fine. For now the clients that reported the problem were all the same version of Kes agent and app.

We deployed an activity for distribute this version of kes 2 week ago, and from that moment the problem seems to present more frequently.

In the event viewer the first noticeable error is NTUSER.DAT Locked..

Any idea?

this is exactly the same issue we are experiencing. Has been going on months now! It's definitely kaspersky causing the issue because we did a fresh build on a pc last month and it was working absolutely fine for 2 weeks until we put kaspersky on it. Same issue as you, in event viewer ntuser.dat is locked and the user then get's a temporary profile! we have had soooooo many calls to our service desk from user's having the issue day in day out

Share this post


Link to post
6 hours ago, Sebastian P said:

yes, the report is ready,

here the file:

https://drive.google.com/open?id=1yKBks7Bm2J8W3jFCqTUSyJcfb3nF5bX5

 

Hello.

Please let us know if the issue occurs if the host's power is turned off unexpectedly. Unfortunately it would be difficult to investigate the issue unless it can be reproduced.

Also, please clarify what leads to assumption that KES is the culprit of the issue.

Thank you.

Share this post


Link to post
On ‎22‎/‎02‎/‎2018 at 5:11 PM, Evgeny_E said:

Hello. 


So you do not have recurring instances of this issue for a same user on  a given workstation ?
Would you also mind to share KES policy for this workstation ?

here the policy

https://drive.google.com/open?id=1NyYHQT-VnuaSG40YL5iTJ3Afeq8S53n6

 

yes, we have recurring instances of the issue with same user and same workstation, but they are totally random...

 

Share this post


Link to post
On ‎22‎/‎02‎/‎2018 at 11:10 PM, Kirill Tsapovsky said:

Hello.

Please let us know if the issue occurs if the host's power is turned off unexpectedly. Unfortunately it would be difficult to investigate the issue unless it can be reproduced.

Also, please clarify what leads to assumption that KES is the culprit of the issue.

Thank you.

we can't turn off unexpectly the client, they are production client.

We assume that KES may be the culprit of the issue because the problem appeared after update kes agent to 10.4.343 and App 10.3.0.6294.

From that time the problem appeared randomly every morning on 10 / 14 computer over 500. We did not install any other update or softare that can cause Lock of ntuser.dat during logon..

Share this post


Link to post

Hi,

 

we are experiencing the same issue (roaming profile on an 2008R2 RDS farm) ; is there any update on this case. We openned a case at Microsoft Support : they pointed out kavfswp putting a handle on ntuser.dat.

They suggest to exclude the C:\users ; we refuse because we don't want to expose our servers.

An help will be appreciated

 

Kaspersky agent10.4.343 and App 10.3.0.6294.

Share this post


Link to post

Hello.

Is it possible to reproduce this issue with KSWS 10.1 this solution is more suitable for RDS service. 

Share this post


Link to post

We do not have KSWS 10.1 installed. But we plan to do it.

What about the recommandations about excluding the C:\users folder ? 

Share this post


Link to post

I personaly would not go with excluding a whole C:\Users folder, who knows what User1 can download to C:\Users\User1\Desktop.

As maximum I can suggest trying C:\Users\User*\NTUSER.DAT for testing.  More on masks can be found here https://support.kaspersky.com/8244#block3

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.