Oh Winlogon, Where Are Thou?

I logged into my “before to this point” trustworthy Windows 2012 R2 Server that I have nicknamed Sierra, and it told me that I didn’t have rights to the D: drive as the domain administrator. Okay, so I can fix that by getting to the console. I brought it up on TeamViewer, and it was a featureless black box. Nothing to connect to, nothing to command, “Send Control-Alt-Delete” did absolutely nothing.

So next stop, plug into the actual VGA console on the server and plug in a USB keyboard and mouse. I verified that the keyboard was alive, it toggled Caps Lock and Num Lock properly, tried Control-Alt-Delete, Control-Alt-Backspace, and Control-Alt-Esc. Nothing. Featureless. Except the local console was a dark blue screen and the monitor was not in sleep mode. It was registering a video signal, nothing but a blue screen. Heh, not a BSOD, that would have been something ROTFL.

I tried to connect to the file shares on the server, and that wasn’t a problem, so I knew the server was at least alive. The front panel didn’t show any alerts, so the CPU, RAM, and Array were also just fine. The only problem was, no ability to log on to Windows!

I was able to remotely connect to Event Viewer from the Primary Domain Controller, which helped. There was an error, Winlogon recorded an error event type 6000, with the error: “The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.” and then that started a Google search for ways to correct it. Every response was the same, reboot. I really can’t do that, the server has thousands of files open, there has to be another way.

I then connected services.msc remotely to the troubled server. Nothing there looked promising, no references to Winlogon or any of that. Then it occurred to me that Sysinternals tools might be useful. I ran pslist \\ip-of-server and scanned the output. I spotted winlogon running, noted its PID, and then tried pskill \\ip-of-server winlogon to no positive effect, but I had the PID, so I tried that too. The moment I issued the command, Windows restarted winlogon. I peeked around the corner at the server console and there it was, the time and the entreaty to press Control-Alt-Delete. I don’t know what caused winlogon to crap out on me, but at least the fix was easy. I got logged into the shell on the server, and it is running idle, nice and normal.

So if you have a server like I do, and end up with a mystery blue screen and no way to log in, look into downloading the PsTools kit from Sysinternals. It saved my day!
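
The pslist/pskill sequence described above, wrapped in checks, as an added PowerShell example that is not the author's own script. It assumes pslist.exe and pskill.exe from PsTools are on the PATH, that the Winlogon event 6000 sits in the Application log, and that $Server and the helper Get-WinlogonPid are illustrative names.

```powershell
# Added example. $Server is a placeholder; pslist.exe and pskill.exe (PsTools) must be on PATH.
param([Parameter(Mandatory)][string]$Server)

# Hypothetical helper: return the PID of every winlogon instance pslist reports on the host.
function Get-WinlogonPid {
    param([string]$Computer)
    $out = & pslist.exe -accepteula "\\$Computer" winlogon 2>$null
    foreach ($line in $out) {
        # Process rows start with the image name followed by the PID column.
        if ($line -match '^winlogon\s+(\d+)\s') { [int]$Matches[1] }
    }
}

# 1. Confirm the symptom first: Winlogon event 6000 (assumed to be in the Application log).
$events = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; Id = 6000
} | Where-Object { $_.ProviderName -like '*Winlogon*' } | Select-Object -First 3
if (-not $events) { throw "No Winlogon event 6000 found on $Server; not restarting anything." }
$events | Format-List TimeCreated, Message

# 2. Find winlogon. There is one instance per session, so refuse to guess if several exist.
$before = @(Get-WinlogonPid -Computer $Server)
if ($before.Count -ne 1) {
    throw "Expected exactly one winlogon on $Server, found $($before.Count): $($before -join ', ')"
}

# 3. Kill by PID (the post found that killing by name had no effect), after confirmation.
$target = $before[0]
if ((Read-Host "Kill winlogon PID $target on $Server (yes/no)") -ne 'yes') { return }
& pskill.exe -accepteula "\\$Server" $target

# 4. Verify that Windows started a replacement winlogon with a new PID.
Start-Sleep -Seconds 5
$after = @(Get-WinlogonPid -Computer $Server)
if ($after.Count -ge 1 -and $after -notcontains $target) {
    "winlogon restarted on $Server with PID $($after -join ', ')"
} else {
    Write-Warning "No replacement winlogon seen on $Server; check the console."
}
```

Killing winlogon ends the session it belongs to, which is why the script stops when more than one instance is present instead of picking one.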
