Kaspersky
Question

The User Profile service failed the sign in User profile cannot be loaded

  • 29 January 2020
  • 15 replies
  • 6098 views

Hi all,

I’m experiencing an issue where periodically users cannot log in to their Windows 10 1809 devices because they get the “The User Profile service failed the sign in User profile cannot be loaded” message.

We are using Kaspersky Endpoint Security 11.1.1.126 on our client machines and in the event logs there is a Kaspersky entry which seems to either cause the issue or point to an issue. It’s in the Application log, Event ID 1552, “User hive is loaded by another process (Registry Lock) Process name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe” ← is this normal? I see it 10 to 20 times a day on a given machine, which experiences the logon issue; after a reboot the logon issue goes away. No temporary profiles are being created, replacing ntuser.dat doesn’t help, and it happens for new and old profiles.

So can anyone tell me if the above entry from Kaspersky is some routine task and if not, where can I start looking for the reason of Kaspersky locking the registry?
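
An added example, not part of the original post and not Kaspersky or Microsoft tooling: one way to measure how often the Event ID 1552 entry described above is logged, which process it names, and how many entries fall after the last reboot. The seven-day window and the "Process name:" message layout are assumptions based on the text quoted in the question.

```powershell
# Added example: summarise Application-log Event ID 1552 ("Registry Lock") entries.
# Assumption: the rendered message contains "Process name: <path>", as quoted in the question.
$since    = (Get-Date).AddDays(-7)   # look-back window (assumed value)
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 1552
    StartTime = $since
} -ErrorAction SilentlyContinue      # no matching events is not an error here

$rows = foreach ($e in $events) {
    # Extract the process holding the user hive; the message can span several lines.
    $proc = if ($e.Message -match '(?m)Process name:\s*(.+?)\s*$') { $Matches[1] }
            else { '(not reported)' }
    [pscustomobject]@{
        Day       = $e.TimeCreated.ToString('yyyy-MM-dd')
        Provider  = $e.ProviderName
        Process   = $proc
        SinceBoot = $e.TimeCreated -ge $lastBoot
    }
}

# Per-day count for each process named in the events.
$rows | Group-Object -Property Day, Process |
    Sort-Object -Property Name |
    Select-Object -Property Name, Count |
    Format-Table -AutoSize

# Entries logged since the last reboot, for comparison with the moment logon starts failing.
$sinceBoot = @($rows | Where-Object { $_.SinceBoot })
"Last boot: $lastBoot; 1552 entries since then: $($sinceBoot.Count)"
```

Running it on an affected machine and on a healthy one gives a baseline for whether 10 to 20 entries a day is specific to the machines with the logon problem.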


15 replies


Hi,

 

Could you please provide us with GSI log from that host?

Thank you!

I added that file to the exclusion list at one point.  I’m pretty sure we had experienced that same issue randomly.

I spoke with our security department and they said that Kaspersky support is already taking a look into this issue, so I don’t want to give you, Nikolay, the same task again that you already have somewhere in your queue :)

I know that the guys there will install some patch for Kaspersky on an affected device in the upcoming days to check if this will solve the issue.
I’ll post back once the patch is installed, to say whether it fixed the issue or not.

 

I added that file to the exclusion list at one point.  I’m pretty sure we had experienced that same issue randomly.


From what I know this has already been done, but it didn’t solve the issue, but thank you very much for your support!

 

Hi All,

Did anyone find a solution to this? I also have the same issue.

 

Hi nt30,

Our security department is contacting Kaspersky support via another channel, so at the moment I’m not supposed to share the logs on a public forum.
We still have the issue. I’m doing my own investigation looking through the event log, but sadly I didn’t find much new information.

What I have found is that the 1552 Event ID started with Windows 1809, here is an interesting link

Regarding your case - did you spot anything specific, when the user cannot logon?

Can you share your observations? Maybe we can solve this one together :)

Unfortunately the issue is still not solved for us, but we have contacted Microsoft to get more insight on the issue and to get to know how to “See Tracelogging for error details” (screen below). I was advised to use Windows Performance Recorder to gather the logs and use Windows Performance Analyzer to review the logs for the error details.
I have the recorded etl file, but honestly I don’t know how to find the related error details in it - has anyone experience with this tool and could share their knowledge?

 

BTW I've searched for 9f821051-83c5-4816-bb38-5f5fa3b65ddb and it points to Cloud Cache Initializer_Windows.CloudStore.dll - source: https://uuid.pirate-server.com/9f821051-83c5-4816-9b38-5f5fa3b65ddb (not sure if it's a good source, but it was one of the very few that gave results)

It seems that there has been a breakthrough with this case: the 1552 Event ID is triggered by a module in Kaspersky. The module will be disabled (we were told that it has no impact on the security of the client), the 1552 event should not get triggered anymore, and we hope that the logon issue will be solved also. BTW the outcome of the Microsoft troubleshooting was that Kaspersky is causing the logon issue, so if the above-mentioned change won’t solve our issue I guess that the best next step would be to have a meeting with Microsoft support and someone from Kaspersky support to talk through the next troubleshooting steps.

What is the module that can be disabled to rectify this issue?



There is a fix that solves this problem. (Request from support).

However, this is an old discussion. KES11.4 is now available - this version no longer has this problem, the fix is included since version 11.3.

 

Regards
Alex

Hi Alex,

Actually we are still facing the issue and we are still troubleshooting the problem with Kaspersky support via our security department. It’s a bit of back and forth, but we are still on KES 11.1.1.126.
Are you saying that this is a well-known problem and if we upgrade to 11.3 or a newer version we will no longer observe the logon problem? If so I will share this post with our security department and advise them to upgrade KES.


Additionally, maybe you have some inside knowledge that the problem is not fixable on KES 11.1.1.126, which would be very valuable information for us.

@evanhandel the module had something to do with encryption, but I cannot remember the name of it. As this approach didn’t work, I’m not sure if you actually need the name :)


We have never used KES11.1 - not even with our customers. So unfortunately I can't tell you whether there is a PrivateFix for it.

But in versions 11.3 and 11.4 this error has definitely been eliminated. Please note that versions 11.3 and 11.4 are only supported with KSC/Agent12.

I would recommend KES11.4 - we have consistently good experiences with it. I am not aware of any serious problem or that a patch is absolutely necessary.

Here you can find a list of Private Patches included in KES11.4 
https://support.kaspersky.com/15532

 

Regards
Alex

Hmm, I checked the version info page and 11.1.1.126 seems to be a standard commercial release, so why aren’t you using it with your customers?

Could you please share any document/release note that describes the issue being resolved in 11.3 or 11.4?


Hmm, I checked the version info page and 11.1.1.126 seems to be a standard commercial release, so why aren’t you using it with your customers?

...

 

It didn't happen for a reason - it just happened that way.

Unfortunately I cannot provide you with any further documents regarding the problem.
But we look after a large number of customer environments with up to 9,000 managed clients and have really good experiences with the KES11.4.

Just test it - I would recommend uninstalling the KES11.1 beforehand (startup required).

Regards
Alex

Hi Alex,

I understand.

As for the test, we most probably would need to set up a separate environment (DC and a few clients) and a separate Kaspersky server that will support KES 11.4, as from what I heard it’s not compatible with our version of Kaspersky server.

So if we would just set up a separate environment for testing purposes only, would we need any extra licenses from Kaspersky to host that?


...

So if we would just setup a separate environment for testing purposes only, would we need any extra licenses from Kaspersky to host that?

 

No, you can use your “normal” licenses - unless you exceed the maximum number of protected systems

Regards
