Winlogon error 4005

lelumpolelum 1 Reputation point


after 1 year we noticed an winlogon error 4005 again. We're experiencing an issue with nearly all of our users connecting to Windows Server 2016 RDS. When the problem occurs, users are able to authenticate, but are presented with a blank/black screen. Event logs show: Event ID 4005 - The windows logon process has unexpectedly terminated

Doing some googling on this over the past day or two shows that this is an issue with other versions of Windows Server (2012 r2 for instance), and that the issue is caused by specific Windows Updates....

Only thing is...these updates don't exist in 2016/2019 from what I can tell. In fact, I'm led to believe this is an outstanding issue with Server 2016/2019.

Two weeks ago we process with new installation of session host - this time Windows Server 2019 instead 2016, but the problem appears after a few days.

There was plenty of free memory (over 50% free), not high cpu utilization, all services configured for automatic startup were started.

Our infrastructure is an RDS 2019 deployment having:

Session Host
Connection Broker
Web Access

Antyvirus - only Windows Defender
rdpcorets.dll version 10.0.17763.1879

Posting to hear if anyone else has experienced/solved/developed a workaround for this.



Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,225 questions
0 comments No comments
{count} votes

8 answers

Sort by: Most helpful
  1. Charles Baumhart 1 Reputation point

    Having previously experienced this exact error and sequence last year, we were able to track it down (using the WMI tracing below) to a driver being pushed from a remote client.

    Our resolution was to disable installation of removable devices through GPO [Computer > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions : Prevent installation of removable devices].

    tThis was working well enough until the changes pushed through update for Print Nightmare, which interact negatively.

    As for the hosts themselves, as you've probably already figured out the only recovery option we've found is to restart the affected server.

    0 comments No comments

  2. Don Gurú Ψ 1 Reputation point

    You can test disable redirection device: smart cards at rdp collection options.
    In my case, I saw a bit improve

  3. Miles Thompson 1 Reputation point

    I had this issue too, I saw other event relating the smart card device enumeration service.

    I disabled this service and issue went away.

    0 comments No comments