After a quarantine unable to login Win7: Group Policy Client failed the logon



My wife's Win7 computer was infected with Astromenda (and perhaps a couple of others). I installed Malwarebytes and it detected a dozen infected files or registry entries (wish I had written down the list; it may be in the logs). I then clicked the "quarantine" button to fix the issue. After reboot I am not able to log in to any account on the system.

 

Windows login returns error "The Group Policy Client service failed the logon. Access is denied." and returns me back to the login screen. 

 

I am looking for help to undo or otherwise fix the system so I can login.  I am able to login via safe mode but am unsure how to undo the changes made for quarantine.  Any help is appreciated.

 

Thanks,

 

--Dave

 

PS. I did find self-help pages on the login error with notes on fixing the registry, but my values do not match those described:

 

This is what I did find (hand typed from different computer):

 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc
   ImagePath="%systemroot%\system32\svchost.exe -k netsvcs"
   This did not match the value given online: "%systemroot%\system32\svchost.exe -k GPSvcGroup"

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Svchost
   Did not contain the key described online: "GPSvcGroup"
   It did have the key for "netsvcs":
        netsvcs="AeLookupSvc CertPropSvc SCPolicySvc lanmanserver gpsvc IKEEXT AudioSrv ... <long listing>"

 

I'm not brave enough to continue, and I assume the Malwarebytes quarantine should allow unquarantine.  Please reply ASAP with ideas as my wife is lost without her computer.


I learned a bit more.  And was finally able to fix it.   The short answer:

 

A long time ago (2010) I had moved my Users partition to a second drive D:\Users with a Junction (symbolic link) from C:\Users as described here:

http://docs-windows.readthedocs.org/en/latest/move-users-to-another-drive.html

 

Evidently the removal process (Malwarebytes?) decided to delete this link, so that it no longer found my user directories (and failed, as shown in the log entries below). To make it more confusing, Windows decided to create a new set of subdirectories at C:\Users\XXXX that now had my new users within it (but still had invalid registry entries).

 

I recreated my Junction (symbolic link) and all is working again. After 4 years of no problems, I'll need to keep an eye on this. No need for further replies, but I'll leave these breadcrumbs (and the log entries below) in case they are useful for others.

 

--Dave

 

In the event viewer I was able to find the following log entries each time I tried to login:

 

10/20/2014 8:29:36 [Warn] The winlogon notification subscriber <GPClient> failed a critical notification event. [Winlogon; EventID: 6004]
10/20/2014 8:29:36 [Error] Windows cannot load classes registry file. DETAIL - The system cannot find the file specified. [User Profiles Service; EventID: 1542]
10/20/2014 8:29:45 [Warn] The winlogon notification subscriber <Sens> failed a notification event. [Winlogon; EventID: 6001]
10/20/2014 8:29:45 [Info] The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event. [Winlogon; EventID: 6000]

Earlier I see signs that the services should be up:

10/20/2014 8:21:59 [Info] The operating system started at system time …
...
10/20/2014 8:22:19 [Info] The Group Policy Client service entered the running state.
10/20/2014 8:22:19 [Info] The User Profile Service service entered the running state.
...

 

Searching on the first event message "The winlogon notification subscriber <GPClient> failed a critical notification event." it appears to be a registry problem (such as the user not having permissions, or bad, missing, or corrupted registry files). Odd that it would be corrupted for all of the users on this box. As I was looking for those registry files I recalled the changes I had made earlier for D:\Users.
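Editor's note: the two posts above check three things by hand: the gpsvc service entry and its svchost group (first post), and whether C:\Users still points at the moved profile directory (second post). The script below is an added example written for this page; it is not Dave's code and not a Malwarebytes tool. It assumes the profiles were moved to D:\Users (the $UsersTarget parameter) and that you run it from an elevated PowerShell prompt in Safe Mode, as Dave did. It uses the full registry path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; the post abbreviated it. The -Repair switch and the "stale" directory name are choices made for this example.

```powershell
# Added example (not from the original post): verify gpsvc's svchost wiring,
# verify every profile in ProfileList resolves on disk, and optionally
# recreate the C:\Users junction that the cleanup removed.
# Run elevated, in Safe Mode. $UsersTarget is an assumption: adjust it.
param(
    [string]$UsersLink   = 'C:\Users',
    [string]$UsersTarget = 'D:\Users',   # assumed: where the profiles really live
    [switch]$Repair
)

$ErrorActionPreference = 'Stop'

# 1. gpsvc must be hosted by a svchost group (-k <group>) that exists under
#    ...\Windows NT\CurrentVersion\Svchost and lists gpsvc. On Windows 7 that
#    group is normally netsvcs, which is exactly what the first post found;
#    the "GPSvcGroup" fix found online is for a different kind of damage.
$gpsvc     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\gpsvc'
$imagePath = $gpsvc.ImagePath
Write-Host "gpsvc ImagePath : $imagePath"
if ($imagePath -match '-k\s+(\S+)') {
    $group   = $Matches[1]
    $svchost = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = @($svchost.$group)                  # REG_MULTI_SZ -> string[]
    if ($members -contains 'gpsvc') {
        Write-Host "svchost group '$group' lists gpsvc : OK"
    } else {
        Write-Warning "svchost group '$group' does not list gpsvc (members: $($members -join ' '))"
    }
} else {
    Write-Warning "ImagePath has no '-k <group>'; gpsvc cannot be hosted by svchost"
}

# 2. Every ProfileImagePath should resolve to a directory. With C:\Users
#    junctioned to another drive, a missing junction makes every profile
#    dangle at once, which matches "no account can log in".
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem $profileList | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.ProfileImagePath) {
        $path  = [Environment]::ExpandEnvironmentVariables($p.ProfileImagePath)
        $state = if (Test-Path -LiteralPath $path) { 'present' } else { 'MISSING' }
        Write-Host ("{0,-45} {1,-30} {2}" -f $_.PSChildName, $path, $state)
    }
}

# 3. C:\Users should be a reparse point (junction). If Windows has silently
#    recreated it as a plain directory with fresh profiles, mklink will refuse
#    to overwrite it, so move it aside first and then relink to the target.
$item      = Get-Item -LiteralPath $UsersLink -ErrorAction SilentlyContinue
$isReparse = $item -and (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
if ($isReparse) {
    Write-Host "$UsersLink is a reparse point (junction) : OK"
} elseif (-not $Repair) {
    Write-Warning "$UsersLink is a plain directory or missing; rerun with -Repair to relink it to $UsersTarget"
} else {
    if (-not (Test-Path -LiteralPath $UsersTarget)) {
        throw "target $UsersTarget does not exist; refusing to create a dangling junction"
    }
    if ($item) {
        $stale = "$UsersLink.stale-$(Get-Date -Format yyyyMMdd-HHmmss)"
        Rename-Item -LiteralPath $UsersLink -NewName (Split-Path $stale -Leaf)
        Write-Host "moved stale directory to $stale (delete it once logins work)"
    }
    # mklink is a cmd.exe builtin available on Windows 7;
    # New-Item -ItemType Junction needs PowerShell 5.1.
    cmd /c mklink /J $UsersLink $UsersTarget
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
}
```

Run it once without -Repair to see the report; the ProfileList table is the quickest confirmation, since every non-system profile showing MISSING while D:\Users still holds the folders is the signature of a lost junction. If the rename in step 3 fails with "in use", the Safe Mode session's own profile lives inside the freshly created C:\Users; do the rename and mklink from the System Recovery Options command prompt instead, where no profile is loaded.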


Hello and welcome:

 

We can't work on malware diagnostics and removal in this sub-section of the forum.

So, for expert assistance checking the system for malware remnants and damage, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.
It explains the options for free, expert help >>AND<< the preliminary steps to expedite the process.
A malware analyst will guide you through the scanning, cleanup & repair process.

Thanks,
