Freeze at logoff from Terminal Server Windows 2008

goodmorning,

we having difficulties 1 of our 4 terminal servers. our terminal servers windows 2008 sp1 (all clones each other). runs virtually on vmware infrastructure.

all has been working smoothly untill 1 week ago.

the symptons during logging off "user profile server" freezes , connection not close automaticly.

the users need press x on rdp session close window.

 

in registry can see following error:

log name:      application
source:        microsoft-windows-user profiles service
date:          14-12-2010 8:17:59
event id:      1530
task category: none
level:         warning
keywords:      classic
user:          system
computer:      rtdts03.cleve.local
description:
windows detected registry file still in use other applications or services. file unloaded now. applications or services hold registry file may not function afterwards. 

 detail -
 1 user registry handles leaked \registry\user\s-1-5-21-926850551-2901305168-2427446387-500:
process 1180 (\device\harddiskvolume1\windows\system32\svchost.exe) has opened key \registry\user\s-1-5-21-926850551-2901305168-2427446387-500\printers\devmodeperuser

event xml:
<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <system>
    <provider name="microsoft-windows-user profiles service" guid="{89b1e9f0-5aff-44a6-9b44-0a07a7ce5845}" eventsourcename="profsvc" />
    <eventid qualifiers="32768">1530</eventid>
    <version>0</version>
    <level>3</level>
    <task>0</task>
    <opcode>0</opcode>
    <keywords>0x80000000000000</keywords>
    <timecreated systemtime="2010-12-14t07:17:59.000z" />
    <eventrecordid>123848</eventrecordid>
    <correlation />
    <execution processid="0" threadid="0" />
    <channel>application</channel>
    <computer>rtdts03.cleve.local</computer>
    <security userid="s-1-5-18" />
  </system>
  <eventdata name="event_hive_leak">
    <data name="detail">1 user registry handles leaked \registry\user\s-1-5-21-926850551-2901305168-2427446387-500:
process 1180 (\device\harddiskvolume1\windows\system32\svchost.exe) has opened key \registry\user\s-1-5-21-926850551-2901305168-2427446387-500\printers\devmodeperuser
</data>
  </eventdata>
</event>

we using roaming profiles copied our fileserver @ loggoff. not happen anymore, profiles stay on terminal server. in registry under profilelist there users sid's  that have logged today these not deleted.

when shutdown server via the administrator account under infrastructure have same problem, freezes , must press offbutton manualy.

 

i have checked gpo's applied correctly.

tried let computer self, after 40 minutes closed system.

a nother strange when users disconnected server can still see id number in use when check qwinsta there no sessionname or username connected it.

 

hope hear u soon.

with kind regards,

robbert

hi robbert,

 

 

according knowledge, issue caused in ways, such printer service or third party software, etc. perform following suggestions find out issue:

 

1.       according error message event 1530:

 

detail - 1 user registry handles leaked \registry\user\s-1-5-21-926850551-2901305168-2427446387-500:

process 1180 (\device\harddiskvolume1\windows\system32\svchost.exe) has opened key \registry\user\s-1-5-21-926850551-2901305168-2427446387-500\printers\devmodeperuser

 

this message points possible printer driver issue causes registry hive , therefore profile files remain locked @ log off. have printer drivers installed? if so, please remove third party print monitors or processors. if issue still remains, please temporarily uninstall printer drivers , test again after rebooting server.

 

2.       please disable printer redirection temporarily , test result take action below:

 

to need enable policy setting: not allow client printer redirection: can find here: computer configuration\policies\administrative templates\windows components\terminal services\terminal server\printer redirection

 

and open command line on server gpupdate /force. after log off , on user account again , check result.

 

3.       there possible cause issue related the windows defender service. please verify if windows defender service running , disable following these steps:

 

- please disable windows defender service in services console.

- please stop windows defender trying startup deleting link defender under following registry key (after exporting key backup purposes):

hkey_local_machine\software\microsoft\windows\currentversion\run

- restart server , test result new user account.

 

4.       please temporarily disable of firewall test issue again, , have install vnc on server side? because found met same error when installing vnc on server side.

 

5.       please perform msconfig , tried disable third party services under services , startup.

 

clean boot msconfig

 

1) run msconfig.exe. (msconfig built-in tool windows xp\2003 systems.)

 

2) in services tab, click "hide microsoft services" , click "disable all".

 

3) in startup tab, click "disable all". click ok. (this temporarily prevent third-party programs running automatically during start-up.)

 

4) restart computer. problem still persist?

 

if problem not occur, indicates problem related 1 application or service have disabled. can use msconfig tool again re-enable disabled item 1 one find out culprit.

 

 

 

 

hope helps.

Windows Server  >  Remote Desktop Services (Terminal Services)