From: Free/HD Support <hdsu...@free.fr>
To: 'Tim Cormier' via PatchManagement <patchma...@googlegroups.com>
Date: 3 Apr 2025 17:53:22
Subject: Re[2]: [patchmanagement] Windows 23H2 Unable to open user profile
From: 'Tim Cormier' via PatchManagement <patchma...@googlegroups.com>
To: patchma...@googlegroups.com
Date: 3 Apr 2025 13:03:24
Subject: RE: [patchmanagement] Windows 23H2 Unable to open user profile
Probably going to be hard to track down since you can’t reproduce on demand. I would try Process Explorer to see what has it open. Is Defender the only A/V on the machines?
Found some similar reports, but no solid answer -> https://www.techguy.org/threads/ntuser-dat-file-in-use-by-another-process.1186781/
You could try msconfig -> diagnostic startup and see if it reproduces under those conditions.
From: patchma...@googlegroups.com <patchma...@googlegroups.com> On Behalf Of Kurt Buff
Sent: Wednesday, April 2, 2025 2:02 PM
To: patchma...@googlegroups.com
Subject: Re: [patchmanagement] Windows 23H2 Unable to open user profile
1 - this probably belongs more on the ntsysadmin list, subscribe by sending an email to ntsysadmin...@googlegroups.com
2 - What happens when a new user (someone who doesn't have a profile on the machine) logs in for the first time?
Kurt
On Wed, Apr 2, 2025 at 2:26 PM Free/HD Support <hdsu...@free.fr> wrote:
Hi Team,
We are facing a random issue hitting more and more users where they cannot open their profile.
The User Profile Service failed to open the user profile, and in the application event logs we see many errors related to the User Profile Service not being able to open the ntuser.dat file because it is being used by another process.
No information about the other process.
The user profile is not corrupted because the user can log in after a few attempts, or log in after waiting an average of 10 min after powering on the computer (varies from one device to another).
When the issue hits, rebooting and logging in keeps failing, but in general waiting a few minutes and attempting to log in succeeds.
Checked the event logs from affected devices; the only common pattern seen is that the user can log in once the Defender default scan after intelligence engine updates has completed.
The issue is very sporadic, so we decided to use Sysinternals Handle to help identify what process is hooking the user's ntuser.dat file, but running it remotely on the affected device didn't help reveal the process.
We also pushed a policy to Windows Defender to exclude the ntuser.dat file and the issue persists.
This issue was reported less than one month ago, going from affecting very few users to a significant number by now. Still sporadic, so we cannot reproduce on demand or predict who will be affected.
That said, not all users are affected.
Have any of you faced such an issue? Or any suggestions?
Thank you
Sutha
--
You received this message because you are subscribed to the Google Groups "PatchManagement" group.
To unsubscribe from this group and stop receiving emails from it, send an email to patchmanageme...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/patchmanagement/1e8e9338-5858-4b5a-a671-72dd0265c37e%40free.fr.
After going through a deep analysis, this issue is related to the large size of the user profile registry hive NTUSER.DAT, which has reached 2GB, in conjunction with Microsoft Defender, which scans this file and other associated files such as log, regtrans and TM.blf at each system reboot.
After excluding those files in AV, the login failures were reduced.
However, due to the large size of NTUSER.DAT, it takes a significant amount of time to open a user session.
After investigation, the telemetry of the Remote Desktop client used to connect to Azure Virtual Desktop is filling the following registry key and causing the growth of NTUSER.DAT:
"HKEY_CURRENT_USER\Software\Microsoft\RdClientRadc\DiagConnectionCache"
After emptying the contents of that registry key and disabling the telemetry of the product, the size of NTUSER.DAT remains the same even after system reboot:
reg delete "HKEY_CURRENT_USER\Software\Microsoft\RdClientRadc\DiagConnectionCache" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\RdClientRadc\DiagConnectionCache" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\RDclientRadc" /v EnableMSRDCTelemetry /d 0 /t REG_DWORD
The only way I found to shrink the size of that file is to run Sysinternals Registry Usage using the following command, which shrank the size of NTUSER.DAT from 2GB to 14MB:
ru.exe -h c:\users\[USER NAME]\ntuser.dat
After reducing the size, no more slowness to login and logoff.
The challenge here is that the command cannot be used while the user profile is loaded. I could pursue the direction of developing a script that would run at system start-up to execute this command, with additional complexity and safeguards.
Here comes my question to you: are you aware of a way to shrink the user registry while it is in use, which would definitely reduce the complexity?
Your thoughts and ideas are most welcome to resolve this issue which affects numerous devices.
Thank you in advance.
Sutha
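
The hive-size and cache-key checks described in the message above, as an added example that is not part of the original thread: a PowerShell inventory to run elevated on a device, listing each user profile's NTUSER.DAT size and, for hives that are currently loaded, the entry counts under the DiagConnectionCache key and the EnableMSRDCTelemetry value. The 500 MB threshold and the output column names are assumptions; the registry paths and value name are the ones quoted in the message.

```powershell
# Added example, not from the thread. Run elevated so other users' profile
# folders are readable. $ThresholdMB is an assumed cut-off for "oversized".
param([int]$ThresholdMB = 500)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$radcRel     = 'Software\Microsoft\RdClientRadc'
$cacheRel    = "$radcRel\DiagConnectionCache"

# Only real user accounts (local or domain SIDs), not service/system profiles.
Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -LiteralPath $_.PSPath).ProfileImagePath
        if (-not $path) { return }

        # NTUSER.DAT is hidden + system, so -Force is required to see it.
        $hive = Get-Item -LiteralPath (Join-Path $path 'NTUSER.DAT') -Force `
                    -ErrorAction SilentlyContinue
        if (-not $hive) { return }

        # A hive is loaded when its SID appears under HKEY_USERS; only then
        # can the cache key be inspected without mounting the file.
        $userRoot = "Registry::HKEY_USERS\$sid"
        $loaded   = Test-Path -LiteralPath $userRoot
        $subKeys = $null; $values = $null; $telemetry = $null
        if ($loaded) {
            $cache = Get-Item -LiteralPath "$userRoot\$cacheRel" `
                         -ErrorAction SilentlyContinue
            if ($cache) { $subKeys = $cache.SubKeyCount; $values = $cache.ValueCount }
            $telemetry = (Get-ItemProperty -LiteralPath "$userRoot\$radcRel" `
                             -Name EnableMSRDCTelemetry `
                             -ErrorAction SilentlyContinue).EnableMSRDCTelemetry
        }

        $sizeMB = [math]::Round($hive.Length / 1MB, 1)
        [pscustomobject]@{
            Sid                  = $sid
            ProfilePath          = $path
            HiveSizeMB           = $sizeMB
            Oversized            = ($sizeMB -ge $ThresholdMB)
            HiveLoaded           = $loaded
            CacheSubKeys         = $subKeys
            CacheValues          = $values
            EnableMSRDCTelemetry = $telemetry   # $null = value not set
        }
    } | Sort-Object HiveSizeMB -Descending | Format-Table -AutoSize
```

Rows with Oversized true and HiveLoaded false are the profiles where an offline step such as the ru.exe command from the message could be applied, since that command cannot be used while the profile is loaded.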