Jump to content
Omarinho

User Profile Service failed the sign-in

Recommended Posts

We use Windows GPO: "delete userprofiles older then x days". Somethimes this cleanup fails as already described >> The userprofile will be deleted in the registry, but not the whole userfolder in c:\users\.
if the user logs on after this userprofile cleanup he gets a new Profil folder named  "username.domain" instead of "username", then "username.000", then "username.001" etc.

That brings a lot of software problems, because they point to the Default path c:\users\username  > autodesk menu tools doesnt work anymore, Windows default backgrounds fails, office usericons fails, and lots more
With KES10 and 9 there is no sutch problem.

Now i will disable KES Policy on some test machine and let you know about the results.

Share this post


Link to post
1 hour ago, bsl said:

We use Windows GPO: "delete userprofiles older then x days". Somethimes this cleanup fails as already described >> The userprofile will be deleted in the registry, but not the whole userfolder in c:\users\.
if the user logs on after this userprofile cleanup he gets a new Profil folder named  "username.domain" instead of "username", then "username.000", then "username.001" etc.

That brings a lot of software problems, because they point to the Default path c:\users\username  > autodesk menu tools doesnt work anymore, Windows default backgrounds fails, office usericons fails, and lots more
With KES10 and 9 there is no sutch problem.

Now i will disable KES Policy on some test machine and let you know about the results.

Hello.

What version of KES are you using?

Can this error be reproduced, with scenario and traces? Does this happen when all components of KES are disabled?

Thank you.

Share this post


Link to post

@Kirill Tsapovsky

I wrote it allready with detail above.

 

Edited by bsl

Share this post


Link to post

Hello again

So we have tested a lot. Unfortunately, the problem is very difficult to reproduce because the error does not always appear. With certainty we can say, that the problem occurs with Winodws 7, installed KES11 an active policy "D elete user profiles older than a specified number of days on system restart".

The error happens, when deleting the profile after X days, which can not be done successfully. The profile folder remains with a part of the content, but the registry entry of the profile will be deleted. At next login, the user will receive a profile folder named "username.domain", then "username.000, then "username.001", and so on.

The error also happens when manually deleting the profile over "advanced user profile configuration".

After installation of the private patch  5101 the error occurs less often, but it persists.

The error persists even if the following KES functions ware deactivated and PF5101 is installed:

  • behavior analysis
  • exploit prevention
  • program monitoring
  • rollback of harmful actions
  • firewall
  • protection against network threats
  • protection against modified usb devices
  • device control
  • web control
  • endpoint sensor
  • exam in the background
  • exam of removal media
  • no proxy

I'm still submitting the link to the GSI file (with eventlogs) of sutch a machine today.

I still hope, that we solve the puzzle

Edited by bsl

Share this post


Link to post

Hi,

Please provide us with GSI log from that host along with KES traces, collected while the issue reoccurs.

Please use any file sharing resource to upload data and provide us with a link.

Thank you!

Share this post


Link to post

@Ivan.Ponomarev

Active Directory: GPO > computer configuration > administrative templates > system/user profile > "delete user profiles older than a specified number of days on system restart" = enabled and 3 days

Share this post


Link to post
12 minutes ago, bsl said:

@Kirill Tsapovsky Did you find something interesting in my GSI file?

Unfortunately, GSI is not indicative of the reason for the specified issue.

The collected traces are those of Network Agent and not of KES as requested.

To be able to properly identify what activity leads to such behavior, data needs to be collected in the following order:

1. Temporarily place an affected host outside of an enforced policy (so that no settings are re-applied on reboot)

2. Disable all KES components (locally or via a temporary policy)

3. Start KES tracing: https://support.kaspersky.com/9343

4. Start procmon and enable boot logging (link and instruction can be found here: https://support.kaspersky.com/10935#block3)

5. Reboot and log in

6. Verify that the profile has been removed incompletely, leading to a renamed profile folder being created.

7. Stop KES tracing, save procmon log and provide the collected data

NB: Since this is not a common issue, without said data it wouldn't be possible to detect how KES activity affects Windows behavior (especially if it still reproduces after File Threat Protection and Behavior Analysis has been turned off). If the second scenario (manually deleting the profile over "advanced user profile configuration") is easier to reproduce, it can be followed instead (same set of data is required, but no boot log, if no reboot is featured in the scenario). However, there is no 100% guarantee that both cases have the same culprit.

Thank you.

Share this post


Link to post
On 9/6/2018 at 2:00 PM, Omarinho said:

Thanks Dmitry, I've logged with INC000009567050 and mentioned pf5070 in response to the case notes.

Hello I noticed a few people where posting on this thread I created a while back. So really this is just for information.

We encountered this problem when we had pf5036 and pf5067 installed to fix another issue that we had when we first rolled out KES11.0.0.6499 to our Windows 10 1803 Enterprise client.

Tech support issued us pf5081 (installed alone) and resolved the user profile issue  - but it also introduced a new problem which prevented Microsoft Direct Access from working (which we use as our remote connectivity solution).

We were then issued pf5101 which has resolved all our problems and we're still using this private fix on both our Windows 10 1803 and 1809 Enterprise.

Hope this helps.

Edited by Omarinho
typos!

Share this post


Link to post

Hi 

Sorry to jump on the band wagon but can you tell me how i can get hold of this Patch please as we have the same issue with profiles and can't find the Patch in the general list.

Many thanks

Share this post


Link to post
2 часа назад, Mark Mesa сказал:

Hi 

Sorry to jump on the band wagon but can you tell me how i can get hold of this Patch please as we have the same issue with profiles and can't find the Patch in the general list.

Many thanks

Hello!

You can create an incident to your company account and request the patch.

But previously make sure that the problem is the sane

Thank you!

Share this post


Link to post

Hi Mark Mesa

Request the latest patch from Kaspersky as described by dmitry Parshutin. Please inform us if you get a newer patch as pf5101.

Which Windows/Kaspersky version do you use?

Share this post


Link to post

Thank you, i have been trying to resolve this for months now and thought it was a problem with our image, i completely rebuilt the image and deployed with same issue so googled it and found the exact issue described in the first post here.

I am glad i am not alone but this is terribly frustrating, why is the fix not made part of the standard package if it is so common?

I have created an incident INC000010062912.

Thanks all for your help

Share this post


Link to post
25 minutes ago, Mark Mesa said:

Thank you, i have been trying to resolve this for months now and thought it was a problem with our image, i completely rebuilt the image and deployed with same issue so googled it and found the exact issue described in the first post here.

I am glad i am not alone but this is terribly frustrating, why is the fix not made part of the standard package if it is so common?

I have created an incident INC000010062912.

Thanks all for your help

Okay i have a new patch see below for the response.

--------------------------------

This patch has now been superseded by pf5128 which I have attached, this includes all the fixes from pf5101. I have also included below our support guide on managing private patches:

https://support.kaspersky.com/14409

----------------------------------

Thanks everyone for your comments.

Share this post


Link to post

@Mark Mesa Interesting News! Thanks for your Information. I tought it can not be, that only we have this problem. Do you now, what the patch exactly does?

We will also request the new patch and hope that this old problem will be solved finally. I'll get in touch, if I know more. Do it that way, too. Thanks a lot!

Share this post


Link to post

I ordered the patch too (INC000010063592).

Share this post


Link to post

Bad news, the patch pf5128 definitely doesn't fix the "user profile service" problem. It remains unchanged....no words...

Share this post


Link to post
5 часов назад, bsl сказал:

Bad news, the patch pf5128 definitely doesn't fix the "user profile service" problem. It remains unchanged....no words...

Hello!

Please inform the specialist in the incident about this information and wait for the answer.

Thank you!

 

Share this post


Link to post

I have already done that (also INC000010063592).

Share this post


Link to post

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.