Does Your Win 8 Hang After Logon

5/27/2016
Doesyourwin8.1/2012R2/win10logonhangafterapasswordchange?|AskPremierFieldEngineering(PFE)Platforms
Server & Tools Blogs > Server & Management Blogs > Ask Premier Field Engineering PFE
Platforms
Sign in
Ask Premier Field Engineering PFE Platforms

Does your win 8.1 /2012 R2/win10 logon hang after a
password change?
January 11, 2016 by BrandonWilson // 25 Comments

0
********** UPDATE **********

This is now fixed in the following updates:
For Windows 8.1, 2012 R2, 2012 install:
KB3132080 Logon freezes after you reset your password in Windows 8.1, or Stop error 0x1000007e in
Windows Server 2012 R2: http://support.microsoft.com/kb/3132080/ENUS
For Windows 10 TH2 build 1511 install:
KB3135173 Cumulative update for Windows 10 Version 1511: February 9, 2016:
http://support.microsoft.com/kb/3135173/ENUS
******************************
Hi, Linda Taylor here, Senior Escalation Engineer from the Directory Services team in the UK.
I have been working on this issue which seems to be affecting many of you globally on windows 8.1, 2012 R2 and
windows 10, so I thought it would be a good idea to explain the issue and workarounds while we continue to
work on a proper fix here.
The symptoms are such that after a password change, logon hangs forever on the welcome screen:
https://blogs.technet.microsoft.com/askpfeplat/2016/01/11/doesyourwin812012r2win10logonhangafterapasswordchange/
1/13
5/27/2016
How annoying.
The underlying issue is a deadlock between several components including DPAPI and the redirector.
Why does it happen?

So far we have seen this issue in the following circumstances always after a password change/reset which is
done somewhere other than the users machine i.e. on the DC or in a portal
1. If the user has a home drive which maps to a DFS like path for example: \\contoso.com\homefolders\user1
OR
2. If The following GPO is applied:
Computer configuration\administrative templates Windows Components\File Explorer\ Set a default
associations configuration file
2/13
5/27/2016
And the XML file is stored on a DFS based path. For example \\contoso.com\netlogon
OR
3. If you use GPP to map drives during logon to a DFS path like \\contoso.com\someShare
This issue happens due to a deadlock between DPAPI, Credential manager and the Redirector RDR.
It goes like this

1. When the user logs on, the profile service tries to map network home folder to \\contoso.com\
2. To do this, we need to have a call created in RDR, and this requires a SMB session setup to
dcname.contoso.com
3. The SMB session setup requires a security blob created to authenticate with the target server, which is the DC.
4. To create the security blob, Kerberos will check saved credentials by calling DPAPI.
5. DPAPI cannot decode the saved credential because the master key is not available because the users password
is reset on DC, so it will need to query the DC for a master key. This requires a named pipe call to
\\dcname.contoso.com\IPC$\protected_storage
6. To connect to this named pipe, RDR found it is the same as previous call in#2 same fqdn DC name
\\dcname.contoso.com so now session setup is queued
7. The Kerberos thread will hang forever, and the profile service will hang forever until a reboot.
8. After reboot, the user still cannot logon with the same symptom. note: a different user CAN log on.
The problem occurs on client computers with Windows 8.1, Windows 10 and also Windows Server 2012 R2 for
example RDS scenario.
The problem occurs most frequently after an admin password reset which has occurred elsewhere not the on the
client computer to which the logon is happening but it can also occur when the password change is not recent if
the user is logging onto a machine where the cached credentials are old and they have changed their password
on some other machine some time ago.
3/13
5/27/2016
So, what can you do to get out of this problem?

There are several options for working around the issue:
1. If you have the mentioned policy move the XML to some file share which is not DFS based and is not on a
DC.
2. Assuming noone wants to change home drive paths because there are many users and its a hassle, the other
option is to disable Credential manager and clear the cached credentials.
When there are no entries for credential manager, there are no reasons to access the DC to refresh the keys.
Hence the deadlock.
This could be done by disabling this policy:
https://technet.microsoft.com/enus/library/jj852185.aspx
3. Dig your way out by connecting to the machine remotely and deleting the entry under C:\Users\
<username>\AppData\Roaming\Microsoft\Protect\[Problem Users SID].
Noteif there is a roaming profile you can also delete this entry on the profile server and it works. This is because
the profile is downloaded before the drive mapping takes place.
4. Another not so great option is to boot the PC without any network cable and log on with the old password.
Then connect it back.
Some history:
This issue also has a long history and there are other variants of this deadlock which were fixed
before. See below list of related fixes:
Related previous Fixes for Windows 8.1 an Windows 2012 R2:

Windows8.1&2012R2KB#
X64leversionsfordpapisrv.dllandlsasrv.dll
4/13
5/27/2016
hps://support.microso.com/enus/kb/3101183Youcantlog
DPAPISRV.dll6.3.9600.18088.
ontoadomainjoinedcomputerinWindows8.1orWindows
Server2012R2
LSASRV.dllversion6.3.9600.18088.
ReleasedinOctober2015.
Note:thisisthelatestbutdoesnotresolvethisvariantofthe
issue.
3038562CannotaccessDPAPIdataaeranadministrator
Dpapisrv.dll
6.3.9600.17707
Lsasrv.dll
6.3.9600.17415
resetsyourpasswordonaWindowsServer2012R2based
domaincontroller
hp://support.microso.com/kb/3038562/ENUS
Theprerequisiteto3101183 and 3038562 isAprilupdate:
UpdatesLSASRV.dll6.3.9600.17042
2919355WindowsRT8.1,Windows8.1,andWindows
Server2012R2Update:April2014
hp://support.microso.com/kb/2919355/ENUS
Thiscontainswin8.1versionofKB2927267
5/13
5/27/2016
hps://support.microso.com/enus/kb/2927
267YoucannotlogontoWindowsaertheadminchanges
yourpassword
There are no previous fixes for Windows 10.
There are some related past fixes for similar deadlocks in windows 8 also:
Windows 8 KB#
X64 file versions for dpapisrv.dll and lsasrv.dll
3084956
You cant log on to a domainjoined
computer in Windows 8 or Windows Server 2012
X64 file versions:
http://support.microsoft.com/kb/3084956/ENUS
DPAPISRV.dll 6.2.9200.21645 and LSASRV.dll Version

6.2.9200.21582
Released September.
NOTE: This is the windows 8 equivalent of KB3101183.
KB3049843 https://support.microsoft.com/en
us/kb/3049843 You cannot access DPAPI data after an
Dpapisrv.dll
6.2.9200.21442
administrator resets your password on a Windows

Server 2012based domain controller
2927267: https://support.microsoft.com/en
Lsasrv.dll 6.2.9200.20931
us/kb/2927267
Finally, Microsoft is actively working on fixes for Windows 8.1 / WS 2012 R2 and Windows 10 TH2 for the
current issue described above. I will share the release dates and article #s once known. If you experience
this issue please ensure you have all of the above fixes in place and use the workarounds noted above and
keep an eye out on updates to this blog.
Linda Taylor.
6/13
5/27/2016
Search MSDN with Bing

Search this blog
Search all blogs
Share This Post
Tags
Active Directory ADFS Announcements Azure Best Practices Career Charity

Shelbourne David Gregory deployment Disaster Recovery DNS Doug Gabbard Doug Symalla Failover Cluster
Greg Jaworski Group Policy Hyperv Joao Botto Lab Lakshman Hariharan Mailbag
Mark
Morowczynski martin lucas Michael HIldebrand Networking Performance

PowerShell SBSL Security Server 2003 Server 2008 Server 2008 R2 Server
2012 Server 2012 R2 Tom Moser troubleshooting Upgrade Windows

Windows 7 Windows 8 Windows 8.1 Windows 10 windows server 2012 r2 WPA Xperf
Recent Posts
Windows 7 SP1 and Server 2008 R2 SP1 convenience rollup now available at a download location near you!
KB3125574 May 20, 2016
Monitoring Service Accounts with System Center Operations Manager May 16, 2016
Preparing for DAC May 9, 2016
Installing Bash on Ubuntu on Windows 10 Insider Preview May 2, 2016
Live Now on Server & Tools Blogs

New: ASP.NET Session State Provider for SQL Server InMemory OLTP
Getting Started with Power Query Part I
Introducing Microsoft Azure StorSimple
Archives
May 2016 4
April 2016 4
March 2016 5
7/13
5/27/2016
February 2016 5
January 2016 4
All of 2016 22
All of 2015 63
All of 2014 66
All of 2013 90
All of 2012 64
All of 2011 4
Tags
Active Directory
Windows 8.1
Group Policy
Net Logon
Networking
Windows
Windows 10
windows server 2012 r2
Join the conversation

Samir Farhat
Add Comment
5 months ago
I really like the issue explanation and why its happening. Good read
Anthony
5 months ago
I picked a good day to a mandatory password reset. Nothing but trouble today. I also
noticed that deleting the user profile at least locally, we do not use roaming profiles solves the problem.
Marc K
4 months ago
Its good to know that a fix is being worked on. Thanks.
Anthony
4 months ago
When I called MS support on this the time frame they have in mind for a resolution is by
March.
Ravi Chinnasamy
4 months ago
Thanks for sharing . Clear and precise information ,,
8/13
5/27/2016
Flemming Hjorth
4 months ago
I found that clearing the Credentials folder in local appdataMicrosoft also solves the
problem. Seems users are still able to log on with cached credentials even after clearing that.
Darren Hunter
4 months ago
Deleting the profile folder and temporarily disabling password cycling although not
ideal is the most effective solution as eventually users can logon to any machine so long as the password is not
amended. The quickest solution is to set the password
must be changed at next logon flag for the user account. This will enable logon to the current workstation but
will prevent logon from any other PC with an existing profile. This is a serious issue and we are inundated
helpdesk requests. Microsoft need to
resolve this NOW!
BrandonWilson
4 months ago
@Whomever reported the broken link

Thank you very much for letting us know about the broken link. It is now fixed
Aaron
4 months ago
Great read hoping for a hotfix or update to resolve this soon as it is frustrating!
Linda Taylor Microsoft GBS UK
4 months ago
Darren I like your suggestion/solution as well thank you! The fix for this issue is
coming very very soon. We will be updating this blog with a link on the day.
Inn VNix Ginner
4 months ago
Good explanation thanks for your help
Jakob
4 months ago
Thanks for the explanation. I hope theres a fix for this soon, it is a showstopper our
9/13
5/27/2016
deployment of Windows 10. We were a few days away from starting full scale
Brian
4 months ago
This has been happening to my company for about 2 months. Windows 8.1 clients with
Server 2012 nonR2 domain controllers. Everyone is assigned a machine. They change the password and it
hangs with "changing password". They hard boot and login and then
it hangs at "welcome". Sometimes they change the password, and then some time the next day they try to login
and it hangs at "welcome". They can logon to other computers. Other users can logon to their account.
Workarounds: Easiest is to hardboot then pull the network cable or place it in Airplane mode. Logon is successful.
Enable the network again and subsequent logons are good. You can also recreate the user profile and they will be
able to logon at first attempt.
Brian_DFW
4 months ago
Edit some words for clarification:

This has been happening to my company for about 2 months. Windows 8.1 clients with Server 2012 nonR2
domain controllers. Everyone is assigned a machine. They change the password and it hangs with "changing
password". They hard boot and login and then it
hangs at "welcome". Sometimes they change the password and login successfully, but then some time the next
day they try to login and it hangs at "welcome". Any time theyve had this problem they can logon to other
computers. And other users can logon to their
computer.
Workarounds: Easiest is to hardboot then pull the network cable, or place it in Airplane mode. Logon is
successful. Enable the network again and subsequent logons are good. A more time consuming method is to
recreate the user profile and they will be able
to logon at first attempt.
Brian_DFW
4 months ago
Ill add that the password change is due to them being forced by the User Account
setting, "must change password at next logon." This is either because its a new user account, or their password
has expired. If I perform a CTRL+ALT_DEL > Change Password,
the problem is not experienced. Nor if I manually change their password and dont force a change at next logon.
So, my experience is kinda similar and kinda opposite of whats being reported above.
Inn VNix Ginner

4 months ago
10/13
5/27/2016
Odio este error porque te deja practicamente indefenso ante alguien que te pueda ver
de reojo escribir la contrasea, espero Microsoft lo solucione pronto el error
Nancy
4 months ago
Our school district has been plagued with this issue for too long. Our sub teacher
password changes daily and several subs use it everyday on several computers. We have to delete the profile daily
on many computers and some are not very speedy. Thats
daily, we still have to deal with users who have to change their passwords on a regular cycle. Please get it fixed.
Anthony Meluso
4 months ago
I also work in education, where almost all our students and teachers move from
computer to computer. Resetting or changing passwords is an instant kill for us. Its also holding us back from
certain migrations and deployments.
Jinish KG
3 months ago
Informative and well said..
Nicolas
3 months ago
Unfortunately, the problem remains despite the patch

Now, I can see the desktop of the affected user profile, but the computer hangs just after.
May we have to wait for a patch during several more months without working ?
3 months ago
hi Nicolas, it sounds like you experience a different issue after applying the patch. Do
the workarounds in this blog allow the logon to complete? i recommend trying the workarounds as a first
step to troubleshooting. please also state tell us the Os which you are using.
Thanks,
Linda
Daniel Slazinik
3 months ago
Does anyone have an update on this issue? We are experiencing this problem after
installing the cumulative update. I believe it is hanging due to our home drive mapping at login which is
11/13
5/27/2016
conflicting with the authentication of the password change. We are unable to change home drive mapping, and
are also unable to turn off credential caching. I have scoured the internet but am not finding any update on this.
3 months ago
hi Daniel,
If the fix described here does not work for you then you have a different underlying issue/cause.
please tell us the OS involved and please check if the workarounds in this blog allow the login to proceed?
that would be one way of telling if you have *this* issue I would create a test user and reproduce the issue
and use that for your tests. ensure you have the relevant fix installed. Unfortunately the welcome screen is a
common one to see on logon hangs but the underlying activity can be completely different to this issue. Lots
of things happen during the time this screen is displayed to the user. Therefore the only way to be 100% sure
of what is causing your hang if the fix described here does not work is to review a complete memory dump
of the hung machine.
Hope this helps,
Linda.
Rob M
1 month ago
I was having really slow login with Windows 7 & they were still slow after I upgraded to
Windows 10 machines that had roaming profiles networked to a server with Windows Server 2012 full version. I
spent hours researching & trying to fix it and no luck. So, I switched my PC to a local profile & of course I didnt
have the issue anymore. I just recently switched it back to a roaming profile b/c I needed to work from a different
PC & for some reason its loading fast and what I would call normal. I dont why it fixed it, but as much as I have
tinkered with machines on in the past sometimes it is the simplest thing that fixes a problem & of course I always
try fixing what should be the root of the problem first & have a 15 round boxing match with the machine if its
really trying to piss me off. I must admit I do end up learning a lot of new stuff when researching & doing trial &
error, so if nothing else I do get some education in the process that usually helps later on.
Terry McManus
1 month ago
We found a work around, but havent found a permanent fix. This article really helped
shine some light on the issue. We suspected it had something to do with credential manager, but had not
idea about DFS mapped drives. We found that we can unplugging the LAN cable and having the user login
with the their old login and clear credentials in credential manager, then attempt to login with the new
credentials. Weve also found after the hang that sometimes the new credentials will login without clearing
the credentials, but the LAN cable has to be disconnected. It seems to always happen after a password has
been changed in AD. It caused us a lot of headaches here at the SCC. I assume it doesnt try to map the drive
once the cable has been disconnected.
2016 Microsoft Corporation.

Terms of Use Trademarks Privacy & Cookies
12/13
5/27/2016
Terms of Use Trademarks Privacy & Cookies
13/13

Does Your Win 8 Hang After Logon

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Does Your Win 8 Hang After Logon

Transféré par

Droits d'auteur :

Formats disponibles

5/27/2016

Ask Premier Field Engineering PFE Platforms

January 11, 2016 by BrandonWilson // 25 Comments

********** UPDATE **********

Why does it happen?

It goes like this

So, what can you do to get out of this problem?

Related previous Fixes for Windows 8.1 an Windows 2012 R2:

Theprerequisiteto3101183 and 3038562 isAprilupdate:

There are no previous fixes for Windows 10.

X64 file versions for dpapisrv.dll and lsasrv.dll

X64 file versions:

DPAPISRV.dll 6.2.9200.21645 and LSASRV.dll Version

administrator resets your password on a Windows

Search MSDN with Bing

Search all blogs

Share This Post

Active Directory ADFS Announcements Azure Best Practices Career Charity

Morowczynski martin lucas Michael HIldebrand Networking Performance

2012 Server 2012 R2 Tom Moser troubleshooting Upgrade Windows

Live Now on Server & Tools Blogs

windows server 2012 r2

Join the conversation

Its good to know that a fix is being worked on. Thanks.

Thanks for sharing . Clear and precise information ,,

@Whomever reported the broken link

Linda Taylor Microsoft GBS UK

Inn VNix Ginner

Good explanation thanks for your help

Edit some words for clarification:

Inn VNix Ginner

Informative and well said..

Unfortunately, the problem remains despite the patch

Linda Taylor Microsoft GBS UK

Linda Taylor Microsoft GBS UK

2016 Microsoft Corporation.

Terms of Use Trademarks Privacy & Cookies

Vous aimerez peut-être aussi

UPDATE