Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for the ‘Troubleshooting’ Category

“The User Profile Service service failed the logon”

Posted by William Diaz on January 14, 2014


 

Today, I encountered the following on a newly imaged workstation: “The user Profile Service service failed the logon. User profile cannot be loaded.”

User-Profile

Often times when I encounter this it’s a simple matter of hacking the registry to fix it. This is covered in detail in this Microsoft KB You receive a "The User Profile Service failed the logon” error message. It also covered in one of my older (pre-MS KB) blogs.

The article, however, doesn’t cover the other scenario. Local admin and domain techs accounts could logon but not standard users accounts. This is often due to file permissions. For whatever reason, a system-admin protected file was created deep into the profile of the Default user account. This is where all new profiles are created from, and Everyone\Users must have at least read permissions for a new profile to be successfully spawned from the Default. The details are alluded to in the Windows Application event logs, event ID 1509:

Windows cannot copy file \\?\C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm to location \\?\C:\Users\TEMP\AppData\Local\Microsoft\Windows\Temporary Internet Files\SQM\iesqmdata_setup0.sqm. This error may be caused by network problems or insufficient security rights.

DETAIL – Access is denied.

image

Looking at the problem file, we can see that the file has no permissions for Everyone\Users:

SNAGHTML566fb99

The solution is to delete the file (if non-essential) or add the correct user(s) and permissions. And depending on the location, you may need to uncheck Hide protected operation system files in Windows Explorer.

Advertisements

Posted in Troubleshooting | Leave a Comment »

Configure WinHttp for Proxy

Posted by William Diaz on November 3, 2013


Recently, we were testing a new remote desktop application but I was experiencing problems connecting to the application, and it wasn’t isolated to a single workstation. A few of my other labs were unable to access the application as were other computers as the testing expanded. Admittedly, I should have figured this one out quickly as it was not the first time I encountered an issue trying to access remote desktop applications (i.e. terminal server apps) inside our network. The fact that we were hosting this RDP app internally, though, lead me to dismiss my initial hunch. A quick look with Network Monitor confirmed the problem:

  image

The Windows local security authority processes (lsass.exe) is trying to get out to the cloud to do something, in this case likely some certificate revocation checking (this is usually the case for RDP apps). It keeps on trying by retransmitting until a response is received or it times out, but because we are behind a proxy, lsass.exe will never find a path outside the network. Certificate checking is handled by the Windows crypto API, which relies on WinHttp. Now, by default, Winhttp 5.1 can find a way out of the network if your network is configured to use Web Proxy Autodiscovery (WPAD). We do not, so the fix is to manually configure Winhttp to use some proxy. Since we have this information configured in Internet Explorer (along with proxy exceptions), we just need to import these settings into Winhttp via (elevated command prompt) netsh winhttp import proxy source=ie. Afterwards, the connection problem resolved*.

On the flipside, configuring Winhttp to use a static proxy can also cause connectivity problems for mobile users. I ran into this issue myself today when I was trying to stream a movie from Netflix and kept on encountering the following error: “Whoops. something went wrong… An Internet or home connection network connection problem is preventing playbackError code: H7111-1101”

Capture

To verify my suspicion that the opposite was true—that Winhttp was trying to use a proxy it could not reach to do certificate verification checks—I looked in the Windows event CAPI2 logs and could see that the Netflix certificate check was failing:

Capture2

The details pane further down revealed the cause as the certificate server was “offline”, which is just a generic term for can’t be found. You can verify your winhttp proxy via netsh winhttp show proxy. To correct, simply set the winhttp proxy to use direct connection via netsh winhttp reset proxy when outside the network.


*Certificate verification does not need to be performed for every session, i.e. the initial check is good enough until the crypto API determines that the information is expired and another check needs to be performed.

I am not sure why yet, but Netmon captures on a Windows 8.1 system did not reveal the lsass.exe process. Instead, the process was listed as unavailable.

image

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , | Leave a Comment »

Java Headaches After Update Release

Posted by William Diaz on October 17, 2013


So Java just released JRE 7 Update 45. This is apparent when someone goes to run a Java applet and encounters the following prompt:”Your Java version is out of date…”

image

For the average home user, this is not a big deal. But in a corporate environment headaches ensue. Why? Because some users will blindly click on the Update button and be redirected to the Java download page for the latest release. The first problem is that our users are not going to have the administrative privileges to update their Java client. But the real problem is that once a user has done this, they will be redirected to the Java download page each and every time they need to run a Java applet. So the question was, how do we get the prompt back so the user can select the appropriate Later option and Do not ask again until the next update is available?

For starters, the property that controls this setting is located in a file called deployment.properties in %userprofile\AppData\LocalLow\Sun\Java\Deployment named deployment.expiration.decision.10.25.2=update:

Posted in Troubleshooting | Tagged: | Leave a Comment »

Some CCM Client Workstations Failing to Install Updates

Posted by William Diaz on October 2, 2013


While browsing various reports for workstation compliancy, I noticed that several reports and/or updates failed to install on a large number of computers. Although we don’t expect complete 100% compliancy with thousands of workstation in our environment, there was some sort of mystery going on here because many of the updates that failed to install were along the same computers, i.e. they were not just random computers across the various reports. For example, below is a report for various updates that were missing from generally the same number of computers and computer names:

image

After some research in the CCM logs, I noticed a repetitive theme in the C:\Windows\SysWOW64\CCM\Logs\UpdatesDeployment.log: “Install not allow as another job is still in progress”:

image

Using the SCCM Client Center utility, we compared the time in the logs to the Advertisement > Execution History in the SCCM Client Center and saw nothing that was actually trying to install at that time. Out of ideas, I decided to delete root\CCM namespace (also accomplished with the SCCM Client Center utility) on a few of the problem workstations in the reports above. After a few minutes, I noticed the CCM Cache in C:\Windows\Syswow64\CCM\Cache was rebuilt, pulling several pending updates. The next step was to wait for the SCCM service windows to pass. The next day when I came in, I remotely checked the workstation Event Setup logs and saw that several (sometimes dozens) of various pending updates had successfully installed.

Knowing that we had a problem with the CCM namespace, I followed up with some more research. My digging around eventually led me to what might have been an update that was advertised to these computers but likely pulled before it could be deployed. Specifically, what I found was that each update gets an unique update ID. To the CCM agent, this property is known as the AssignmentID, which resides in the instance of the CCM_DeploymentTaskEx1 of the root\CCM\SoftwareUpdates\DeploymentAgent namespace. I went around to several workstation in the SCCM reports and ran wbemtest.exe and saw the same assignmentId(s) across all the computers in the reports:

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools | Leave a Comment »

Troubleshooting Web Certificate Issues in IE

Posted by William Diaz on September 4, 2013


A while back ago one of our internal servers presented an issue to us. While trying to navigate to it, we were running into the following warning: “There is a problem with this website’s security certificate…”

image

The real problem was that clicking the Continue to this website (not recommended) link didn’t let you proceed to the login page, it would simply refresh this page each time. To explorer causes with certificate issues in Windows you simply need to enable CAPI2 logging. CAPI is Microsoft’s cryptography API. Logging can be enabled by going into the Windows event viewer > selecting Application and Services Logs > Microsoft > Windows > CAPI2:

image

Right-click the Operational log and select Enable Log. Recreate the issue, right-click the log again, select Disable Log, and look at the individual events, especially those error events. You will need to scan through the Details tab to isolate the issue as no general information is provided. This is not as bad as it looks. You don’t necessarily need to understand everything you are looking at. The Internet and your favorite search engine can handle the rest. In this case, I started by copying the ErrorStatus lines that had a boolean of true into my search engine. I hit pay dirt when CERT_TRUST_HAS_WEAK_SIGNATURE pointed me to this Microsoft KB article Microsoft Security Advisory: Update for minimum certificate key length. In short, Microsoft disabled support for weak key lengths, i.e. lengths that were not equal to or more than 1024 bits. From the certificate error below, I could see that the key length for the certificate the server was using was only 512 bits long:

image

To work around the issue, we needed to enable support for weak certificates on those workstations that needed access to the site. To do this, open an elevated command prompts and type certutil -setreg chain\minRSAPubKeyBitLength 512. See the KB article for more command line options. This can also be toggled in the registry at HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config and creating a DWORD of minRSAPubKeyBitLength equal to 512.

Posted in Troubleshooting | Tagged: | Leave a Comment »

Java 7 Domain Account Locks

Posted by William Diaz on August 16, 2013


We recently moved from Java 6 to Java 7, specifically JRE 7 Update 25. Immediately, we began get reports of user accounts getting locked after the affected users visited web sites hosting Java applets. For the most parts, the applets would run until the 5th attempt to load-refresh the applet and then the domain account would get locked. The initial look with Network Monitor showed that authenticated users were failing at the proxy level:

SNAGHTML151ef729

The spot-workaround was to create bypass rules for the individual sites to allow all users to pass without authentication, which was by no means a elegant since it was a reactionary approach  that waited for user’s to get locked across various offices and then report the problem to tier 1 and then escalate.

When the support issues began to settle down, I began to look more deeply into the problem. We took a non-production proxy and removed all the rules that were created over the previous days so that any Java applet would begin failing authentication (I used the Java Verify page as my test). I have to admit, network traffic and protocols are not my Zen, but as I began to look at various captures and figure may way around netmon, I saw the same theme each time, Kerberos authentication failing:

Read the rest of this entry »

Posted in Troubleshooting | Tagged: , | 1 Comment »

Failure Connecting to Printer

Posted by William Diaz on July 9, 2013


I have only seen a handful of these previously and encountered another one recently, so with time permitting I decided to look at it more in-depth. The issue was that on one particular workstation, regardless of the account being used, we were unable to connect to a particular model of printer. Navigating to the printer server share, right-clicking the printer and selecting Connect resulted in the following error: “Connect to Printer. Windows cannot connect to the printer.

image

The details stated that the “Operation failed with error 0x00000057.” Looking up that status code was of no help, it simply states ERROR_INVALID_PARAMETER.

The error may also present itself as: “Printer driver was not installed. operation could not be completed (error 0x00000057).”

image

Initial troubleshooting involved deleting the printer and going into the Print Management console and selecting the related print drivers and deleting them. This requires admin permissions and you must stop and start the spooler to unhook any drivers hooked by the spooler process. This does two things, it purges the drivers from C:\Windows\System32\DriverStore\FileRepository and cleans the registry of the printer and print driver references. In this case, this failed to correct the problem.

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools | Tagged: | Leave a Comment »

Unable to Install, Uninstall or Update Java

Posted by William Diaz on July 9, 2013


I have run into this a few times. I suspect the issue was being caused by the method in which the original installation of the JRE client was being uninstalled. In our environment, we control the installation of removal of most software via a 3rd party utility. This means that in some cases our techs (or sometimes the user) will try to remove a product via Programs and Features but will not have complete permissions to undertake the process, which may end up only partially uninstalling the product, leaving fragments of it in the file system.

The problem often starts with the following warning": "Java Setup. This software has already been installed on your computer. Would you like to reinstall it?

image

Selecting Yes results in the following error: “Error 1723. There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run…”

image

Sometimes this may be proceeded or followed by a Windows installer error: “This action is only valid for products that are currently installed.”

image

Looking at the details of the error in the Windows Application Event logs offers some details:

image

I can only assume regutils.dll is the module necessary for registering and unregistering the JRE client properly. Looking at that path, I can see that the Java programs folder is gone or the sub-folder for regutils.dll is empty. I am guessing that sometimes a technician comes along and decides to just delete the Java programs folder in desperation while trying to recover from a botched uninstall.

One way to work around this is to simply take this dll from a another workstation and copy it to or create the folder path in the error. For standalone computers, though, this may not be an option. I decided to take a quick look in the registry to see is I could identify the key that was still in place and preventing the complete removal or upgrade of the existing JRE using Process Monitor. I filtered the trace for the Java install-uninstall msiexec, registry only. After the trace was collected, I filtered further to include only “installer” in the path. After a few tries, I came to the culprit:

image

After deleting HKCR\Installer\Products\4EA42A62D9304AC4784BF238120602FF The Java JRE install proceeded normally.

I should mention that Microsoft offers another way to handle stubborn uninstalls: http://support.microsoft.com/mats/program_install_and_uninstall/, and upon reproducing the issue I can confirm it also works in properly cleaning up the residual registry key(s).

Posted in Troubleshooting | Leave a Comment »

Check Your IE Bitness

Posted by William Diaz on April 26, 2013


Not too long ago we began to see a rash of IE problems when trying to install or run various ActiveX controls and plugins. Often, there was no literal error, the ActiveX control would just try to install again after revisiting the page, often indicating that it was successfully installed, but then only fail to run. We would initially troubleshoot by running IE elevated because standard users could not install ActiveX controls. The odd thing was that this always resolved the issue temporarily, so long as we left that session of the browser opened. Once closed, the problem resumed. Eventually, after much head scratching, we realized that the affected users Internet Explorer pinned in the Taskbar was pointing to C:\Program Files\Internet Explorer but when we would troubleshoot, we were elevating from the proper C:\Program Files (x86)\Internet Explorer folder since we are a 64 bit shop now. The question still remain, though, how the IE shortcut pinned to the taskbar was getting its path changed to the 64 bit version of IE. Since most, if not all the users, were recent Windows 7 migrations, we are guessing something went funky in the task sequence.


UPDATE

Even after writing this it still didn’t occur to me that IE Bitness was again the issue when encountering a Java error in IE for a Citrix published app.
CitrixJavaIE

Manually logging into the server confirmed that Java was installed and working. It didn’t come to me that IE might be running in the wrong bitness until after I looked at the HKU\S-1-5-21…SID\Software\ key of the user profiles on the Citrix box and saw that the JavaSoft key was not being created. A script was used to launch the app and went something like this.

Option Explicit
Dim WSHShell, objNet, strusername, IE
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set objNet = WScript.CreateObject("WScript.Network")

On Error Resume Next

Call openIE()

Sub openIE()
     Set IE = CreateObject("InternetExplorer.Application")
     ie.menubar=0
     ie.toolbar=1
     ie.Navigate “http://www.someplace.html”
     ie.visible=1
End Sub

The InternetExplorer.Application object in a 64 bit OS will launch the 64 bit version of IE since the OS will default to the 64 bit wscript engine. To work around this, force the 32 bit wscript engine:

Main()

Sub Main()
Force32bit()’Need to call IE 32Bit
    Dim objExplorer : Set IE = CreateObject("InternetExplorer.Application")
    IE.menubar=0
    IE.toolbar=0
    IE.Navigate “www.someplace.com”
    IE.visible=1
End Sub

Sub Force32bit()
     If InStr(UCase(WScript.FullName), "SYSTEM32") > 0 Then
          Dim objShell : Set objShell = CreateObject("WScript.Shell")
          objShell.CurrentDirectory = "C:\Windows\SysWOW64"
          objShell.Run "wscript.exe " & WScript.ScriptFullName, 1, False
          WScript.Quit
     End If
End Sub

Posted in Troubleshooting | Tagged: | Leave a Comment »

Random Workstation Hangs

Posted by William Diaz on April 26, 2013


A user recently complained to me of application hangs. After pressing her, it turns out the entire workstation was hanging randomly and after some time would return to normal. I often refer to these as “soft hangs”, a hang in which the workstation-OS eventually recovers from (opposite a “hard hang” in which the system has halted and needs to be restarted with manual “button-intervention”). Often, this is caused by an excessively large disk queue that needs to be handled or a processor hog. Looking at the Windows Event Viewer under the System logs, I noticed an error on the primary storage device. I sorted the logs by the Source and could see that this had been happening practically everyday. The error was reported as “The device, \Device\Ide\iaStor0\, did not respond within the timeout period.” with an Event ID of 9 and source of iaStor:

image

Furthermore, she had complained of the issue before with her previous workstation before it was swapped out for the current one so I also decided to look at her previous workstation and noted the same daily errors. Both workstations were of the same model. With that, I decided to setup Event Forwarding for this error and saw that ALL workstations of the same model were reporting the this error. Some quick research pointed me to a known issues with the Intel Array Storage Technology (aka Rapid Storage) and SSDs that do not support one of its features known as Link Power Management.

To resolve

  1. Go to HKLM\System\CurrentControlSet\Services\iaStor\Parameters\Portn, where n=the hard disk (often Port0 for the primary storage). If the key Portn does not exist, create it*.
  2. Create the following DWORDS with a value of 0: LPM, LPMDSTATE, DIPM.

Since we have hundreds of these, a group policy preference was used to target the PC model hard drives affected (via wmi query) and push the reg hack firm wide. Afterward applying, the errors went away.


*The existence of the Portn key depends on the driver version of the Intel Array Storage driver. Version 10 and higher does not require the existence of the keys and values to enable LPM, only to disable.

Posted in Troubleshooting | Tagged: | Leave a Comment »