Profile service crashes when you log on and then log off many times in Windows Server 2012

Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Standard

Symptoms


Assume that you have a computer that is running Windows on which you have a business process that mandates many automated interactive logons to occur. Additionally, one or both of the following configuration details are used in your environment:
  • You have a server that is running a Server Core installation of Windows Server 2012.

    Note This problem occurs on the release version of the product.
  • You delete one of the following registry keys on all other product versions and editions:
    • HKEY_CURRENT_USER (root of the user profile)
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
When you have many logons by a user in this environment configuration, the computer profile service experiences an access violation and stops. In this situation, no additional logons are possible, and other services that are running in the same instance of SVCHOST will encounter issues.

Cause


This issue occurs because the profile service checks permissions for the "All application packages" group when a user logs on. The service only checks a subset of the keys where the permissions are required. If there is an error accessing the registry key or the permissions are missing, the profile service adds an additional access control entry (ACE) to all keys that require the permissions.

Because the implementation does not merge duplicate access control entries, the number of access control entries increases until the 64-kilobyte (KB) limit on the size of the security descriptor is reached. When this limit is reached, the profile service uses a code path in which it encounters an access violation.

Resolution


To resolve this problem, install update rollup 2975331. For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:
2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012

Workaround


If the user profile has not yet started to crash, you can avoid the problem by following these steps:
  1. Check the registry of the user to see whether the indicator registry keys that are listed in the Symptoms section are missing or whether the required entry for the "All application packages" group is missing.
  2. If you detect a problem while you are performing the first step, create the missing registry key, and then make sure that the user has full access to it.
Then, the facility can check and add the permission on all required keys on the next loading of the profile.
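
The check in step 1, as an added PowerShell example (not part of the original article and not Microsoft's code): it reads each indicator key's raw security descriptor and reports whether the key is missing, whether the "All application packages" entry is missing, and whether identical entries for that group have accumulated. The `Win32.RegSec` wrapper name and the status labels are chosen for this example; `S-1-15-2-1` is the well-known SID of the group.

```powershell
# Added example. Run it in the session of the account that performs the automated logons.
param(
    # Indicator keys from the Symptoms list, relative to HKEY_CURRENT_USER ('' = root).
    # Append the third key from that list as it exists on your systems.
    [string[]]$SubKeys = @('', 'Software\Microsoft\Internet Explorer')
)

# Read the descriptor through the Win32 API so that duplicate ACEs are seen
# exactly as they are stored on the key.
Add-Type -Namespace Win32 -Name RegSec -MemberDefinition @'
[DllImport("advapi32.dll")]
public static extern int RegGetKeySecurity(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey, int securityInformation,
    byte[] pSecurityDescriptor, ref int lpcbSecurityDescriptor);
'@

$AppPackagesSid = 'S-1-15-2-1'   # "All application packages"
$OwnerGroupDacl = 7              # OWNER (1) | GROUP (2) | DACL (4)

foreach ($sub in $SubKeys) {
    $name = 'HKCU'
    $key  = [Microsoft.Win32.Registry]::CurrentUser
    if ($sub) { $name = "HKCU\$sub"; $key = $key.OpenSubKey($sub) }
    if (-not $key) {
        [pscustomobject]@{ Key = $name; Status = 'KeyMissing'; AppPackageAces = 0; DescriptorBytes = 0 }
        continue
    }

    # The first call returns the required buffer size, the second reads the descriptor.
    $size = 0
    [void][Win32.RegSec]::RegGetKeySecurity($key.Handle, $OwnerGroupDacl, $null, [ref]$size)
    $buf = New-Object byte[] $size
    $rc  = [Win32.RegSec]::RegGetKeySecurity($key.Handle, $OwnerGroupDacl, $buf, [ref]$size)
    if ($rc -ne 0) { Write-Warning "$name : RegGetKeySecurity failed with error $rc"; continue }

    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $buf, 0
    $aces  = @($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $AppPackagesSid })
    # Identical ACEs (same type, flags and mask) are the accumulation described under Cause.
    $dupes = @($aces | Group-Object AceType, AceFlags, AccessMask | Where-Object { $_.Count -gt 1 })

    [pscustomobject]@{
        Key             = $name
        Status          = if (-not $aces) { 'AceMissing' } elseif ($dupes) { 'DuplicateAces' } else { 'OK' }
        AppPackageAces  = $aces.Count
        DescriptorBytes = $size   # compare against the 64 KB limit cited under Cause
    }
}
```

A `KeyMissing` or `AceMissing` result corresponds to the condition that step 2 corrects; a `DuplicateAces` result with a growing `DescriptorBytes` value across logons indicates the accumulation is already under way.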

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


This problem was first encountered on a Server Core installation of a Windows Server 2012-based computer that was using the Hyper-V role. However, this problem is independent of this particular server load, and occurs together with any deployment in which the operations use many interactive logons.

For more information about this problem, go to the following Microsoft websites:

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates