Error occurs during desktop setup and desktop location is unavailable when you log on to Windows for the first time

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials More

Symptoms


After you install the update in Vulnerability in Windows User Profile service could allow elevation of privilege: January 13, 2015 (MS15-003), you encounter the following issues:
  • Profiles don't load when users log on to a computer for the first time. Or, you log on to a computer where policy then deletes the cached profile after a date interval when you log off.

    Note Logons that use mandatory user profiles or Virtual Desktop Infrastructure (VDI) may also be affected.
  • Profiles don't load when users log on by using cached user profiles.
  • Services don't start because of profile load failures. Affected services include but are not limited to the following:
    • Local Service
    • Network Service
    • MSSQL
When this issue occurs, related events are logged. See the events that are logged in Event Viewer.

Process Monitor may indicate that a CreateFile operation fails with an ACCESS DENIED result to the following path, depending on how file access is constrained:
<drive>:\documents & settings\<username>\local settings\Application Data\Microsoft\Windows\UsrClasss.dat
The screen shot of Process Monitor can be seen here:

The screen shot of Process Monitor

See the failure details that are displayed in Process Monitor.

Cause


Update 3021674 adds checks for access to the Ntuser.dat and the Usrclass.dat files.

Resolution


To resolve this issue, follow these steps:
  1. Check whether the READ ONLY flag is set on the NTUSER.DAT or USERCLASS.DAT file for the profile that fails to load.

    New user profiles are derived from C:\users\default\ during first-time account logons. If profiles fail to load with signatures that match those that are described in the "Symptoms" section, check whether the Read-Only bit is enabled on the NTUSER.DAT and USRCLASS.DAT files in the profile directory for the users or service accounts in question.

    NTUSER.DAT in Windows Vista and later versions of Windows is located in C:\users\default\ntuser.dat. Earlier operating systems have other paths, such as C:\Documents and Settings\<username>\ntuser.dat.

    The USRCLASS.DAT file is typically located along a path like C:\Documents and Settings\<user_name>\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat or C:\Users\<user_name>\AppData\Local\Microsoft\Windows.

    In Windows Explorer, right-click the NTUSER.DAT or USRCLASS file for the relevant default user or cached user profile. The Read-only check box should be cleared. It this check box is selected, it will cause profile load failures.

    Ntuser.dat properties
  2. Check the NTFS File System permissions setting on the NTUSER.DAT or USERCLASS.DAT file in the cached profile directory that fails to load.

    Be aware that in the following screen shot, the test user, CONTOSO/testUser, has full control over NTUSER.DAT (not shown) and USRCLASS.DAT. Everyone is not listed in the ACL Editor group. 

    NTFS File System ACLS on DAT filesAdvanced NTFS File System ACLS on DAT files
    UsrClass.dat Properties

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


Events that are logged in Event Viewer

Log NameEvent senderEvent ID Event message text
ApplicationMicrosoft-Windows-User Profiles Service 1542Windows cannot load classes registry file.
DETAIL - Unspecified error
Die Klassenregistrierungsdatei kann nicht geladen werden.
DETAIL - Unbekannter Fehler
ApplicationService Control Manager 7005The LoadUserProfile call failed with the following error:
The system cannot find the file specified.
ApplicationService Control Manager 7024The SQL Server (MSSQLSERVER) service terminated with service-specific error 2148081668 (0x80092004).
ApplicationUserenv 1500Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, or that your network is functioning correctly. If this problem persists, contact your network administrator. DETAIL - The system cannot find the file specified.
ApplicationUserenv 1502Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. If this problem persists, contact your network administrator.
Details of the failure that are displayed in Process Monitor
ProMon detailsThe following message is displayed in Process Monitor:

Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: H, ShareMode: Read, Write, AllocationSize: n/a, Impersonating: <SID>

The following screen shot shows the Process Monitor details:

Event Properties