Winlogon error 4005

lelumpolelum 1 Reputation point
2021-05-10T11:20:49.833+00:00

Hello,

after 1 year we noticed an winlogon error 4005 again. We're experiencing an issue with nearly all of our users connecting to Windows Server 2016 RDS. When the problem occurs, users are able to authenticate, but are presented with a blank/black screen. Event logs show: Event ID 4005 - The windows logon process has unexpectedly terminated

Doing some googling on this over the past day or two shows that this is an issue with other versions of Windows Server (2012 r2 for instance), and that the issue is caused by specific Windows Updates....

Only thing is...these updates don't exist in 2016/2019 from what I can tell. In fact, I'm led to believe this is an outstanding issue with Server 2016/2019.

Two weeks ago we process with new installation of session host - this time Windows Server 2019 instead 2016, but the problem appears after a few days.

There was plenty of free memory (over 50% free), not high cpu utilization, all services configured for automatic startup were started.

Our infrastructure is an RDS 2019 deployment having: 

Session Host
Connection Broker
Web Access
Gateway
Licensing

Antyvirus - only Windows Defender
rdpcorets.dll version 10.0.17763.1879

Posting to hear if anyone else has experienced/solved/developed a workaround for this.

Thanks.

Regards

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,243 questions
0 comments

8 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy YOU 3,071 Reputation points
    2021-05-11T05:33:19.04+00:00

    HI lelumpolelum-3314,

    1.How often do your issue happen?

    2.Did you configure UPD, roaming profile, Fslogix in your problematical RDsession host server?

    3.How many devices did you set to redirect to RD session host server?

    4.We need to enable below logs and debug logs on problematical RD session host server and wait the issue happen, can we find more log information about our issue?

    Tracing WMI Activity
    https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity

    Event Viewer – Applications and Services Logs – Microsoft –WMI-activity_operational
    Event Viewer – Applications and Services Logs – Microsoft –WMI-activity_trace
    Event Viewer – Applications and Services Logs – Microsoft –Windows-user profile service

    Event Viewer-windows logs-system
    Event Viewer-windows logs-application
    Event Viewer-windows logs-setup
    Event Viewer – Applications and Services Logs – Microsoft –Windows-smbclient
    Event Viewer – Applications and Services Logs – Microsoft – Windows-remoteapp and desktop connection admin
    Event Viewer – Applications and Services Logs – Microsoft – Windows-remoteapp and desktop connection operational
    Event Viewer – Applications and Services Logs – Microsoft –Windows-remotedesktopservices-rdpcoreTS_admin
    Event Viewer – Applications and Services Logs – Microsoft –Windows-remotedesktopservices-rdpcoreTS_operational
    Event Viewer – Applications and Services Logs – Microsoft –Windows-remotedesktopservices-sessionservice-operatinal
    Event Viewer – Applications and Services Logs – Microsoft –Windows-TerminalServices-*

    0 comments
  2. lelumpolelum 1 Reputation point
    2021-05-11T07:12:23.07+00:00

    This issue don't happen every day, but once it occurs, any user can log in until the server is restarted. We use UPD, max 20 users pro SH. I collect the logs and wait for 4005

  3. Tjatte1336 1 Reputation point
    2021-05-11T13:01:53.18+00:00

    I have excatly the same problem on a fresh Windows server 2019. Fully patched, havent found any solution yet..

  4. Andy YOU 3,071 Reputation points
    2021-05-14T05:24:33.777+00:00

    HI lelumpolelum-3314 and Tjatte1336,

    There are many different reason cause for this problem.

    There are some suggestions for IT friends:

    If you want to do any change for your registry, please full backup your registry of problematical server first.

    1.Some issues are related device0 registry key missing.
    Please check below registry key is existed on problematical server.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPUDD\Device0
    "InstalledDisplayDrivers"=RDPUDD or other value hex(7):52,00,44,00,50,00,55,00,44,00,44,00,00,00,00,00
    "VgaCompatible"=dword:00000000
    "Device Description"="RDPUDD Chained DD"

    additionally, in some cases the above registry location not corrupted then check the following : Check if value exist under HKLM\System\CurrentControlSet\Control\Terminal Server\VIDEO\RDPUDD\Device\Video0 (we can compare with working server, and non-working server)

    2.Some issues be resolved by deleting the HKLM\System\CurrentControlSet\Enum\TERMINPUT_BUS\UMB\ key on problematical server.

    3.Reduce rediected devices to problematical RD session host server then check result

    4.Reduce firewall rules then check result
    Windows Servr 2016 RDSH - Firewall rules created at every login
    https://social.technet.microsoft.com/Forums/en-US/992e86c8-2bee-4951-9461-e3d7710288e9/windows-servr-2016-rdsh-firewall-rules-created-at-every-login?forum=winserverTS

    5.Check if the issue happen on new created domain user (or test domain user)?
    if the issue also happen on new created domain user (or test domain user), we can don't use UPD or roaming profile or Fslogix for the new domain user account (or test domain user). then monitor some time and check the result.

    6.We can build a new test collection and add the same OS clean installed RDsession host server in it, logon both normal RDSH server and problematical RDSH server by using local admin account in console session, then run procmon on both normal RDSH server and problematical RDSH server respectively in local admin console session, and waiting issue the same issue user account to remote logon normal RDSH server and problematical RDSH server respectively.
    then capture both normal procmon log and problematical procmon log then save all events.
    Finally, we can compare both normal procmon log and problematical procmon log.
    Process Monitor v3.70
    https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    96618-16.png

    7.Since There are many different reason causes for this problem and we need to analyze much more logs. Please open a ticket to Microsoft support. In forum, doing troubleshoot for this kind of issue is more difficulty. Thanks for your understanding.

    For more information about our Premier support, please see below link:
    https://www.microsoft.com/en-us/microsoftservices/support.aspx 
    https://hubstaticsite.z5.web.core.windows.net/

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  5. Andy YOU 3,071 Reputation points
    2021-05-31T10:36:27.957+00:00

    HI

    Is there other thing I can help you?

    ============================================
    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments