Winlogon error 4005

lelumpolelum 1

Hello,

after 1 year we noticed an winlogon error 4005 again. We're experiencing an issue with nearly all of our users connecting to Windows Server 2016 RDS. When the problem occurs, users are able to authenticate, but are presented with a blank/black screen. Event logs show: Event ID 4005 - The windows logon process has unexpectedly terminated

Doing some googling on this over the past day or two shows that this is an issue with other versions of Windows Server (2012 r2 for instance), and that the issue is caused by specific Windows Updates....

Only thing is...these updates don't exist in 2016/2019 from what I can tell. In fact, I'm led to believe this is an outstanding issue with Server 2016/2019.

Two weeks ago we process with new installation of session host - this time Windows Server 2019 instead 2016, but the problem appears after a few days.

There was plenty of free memory (over 50% free), not high cpu utilization, all services configured for automatic startup were started.

Our infrastructure is an RDS 2019 deployment having:

Session Host
Connection Broker
Web Access
Gateway
Licensing

Antyvirus - only Windows Defender
rdpcorets.dll version 10.0.17763.1879

Posting to hear if anyone else has experienced/solved/developed a workaround for this.

Thanks.

Regards

8 answers

Charles Baumhart 1 Reputation point

2021-08-27T21:00:25.503+00:00

Having previously experienced this exact error and sequence last year, we were able to track it down (using the WMI tracing below) to a driver being pushed from a remote client.

Our resolution was to disable installation of removable devices through GPO [Computer > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions : Prevent installation of removable devices].

tThis was working well enough until the changes pushed through update for Print Nightmare, which interact negatively.

As for the hosts themselves, as you've probably already figured out the only recovery option we've found is to restart the affected server.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Don Gurú Ψ 1 Reputation point

2021-10-30T12:39:11.007+00:00

You can test disable redirection device: smart cards at rdp collection options.
In my case, I saw a bit improve
Please sign in to rate this answer.
Don Gurú Ψ 1 Reputation point

2023-01-27T15:35:37.5333333+00:00

updated, WORKARROUND!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

LogonTimeout dword in seconds, in my case I set 3600
Sign in to comment
Miles Thompson 1 Reputation point

2023-01-18T13:53:30.7066667+00:00

I had this issue too, I saw other event relating the smart card device enumeration service.

I disabled this service and issue went away.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment