Having an issue with Windows start up

Hello, I've been experiencing an odd issue with my computer. I've been to the Malware Removal section of the site and have been told there are no signs of an infection, so I'm hoping someone here can help me out. I also ran SeaTools to check for errors, and the tests came back as passed. I'm going to try to explain as best I can; I hope it doesn't get too long.

I'm using Windows 8.1. I've recently noticed in my Event Log under System Event ID 16962, source Directory-Services-SAM. It's telling me that "remote calls to the SAM database are being restricted using the default security descriptor: ." The event occurs once every start up during boot, after filters are loaded, before the logon screen appears. At the time of the event, there is no internet connection or network connection at all, so I think it's really unlikely that it's a remote attack.

I only noticed it about a week ago, but going through the logs, it's been happening since April 11th, the first restart after downloading the monthly updates, and every restart since. The System log section before the updates has the same entries on boot up except for this event. In the Windows Update history, it tells me that the MRT update failed even though it was downloaded and ran according to its log. I've run the tool manually and it completes and exits, but Reliability History shows that it has crashed. It's also run a few times during the week, sometimes crashing, sometimes not. I'm not sure if that's relevant, but I'm trying to provide as much information as I can.

I've tried googling the event ID, but most results are unrelated, or they're in another language and Google Translate doesn't work for some reason. The only thing from Microsoft I can find is an article on security for Windows Server 2016. The Answers/Support section doesn't seem very helpful.

Has anyone seen this before or think they can help? I'm not very familiar with the boot process, so I don't really know where to start with pinpointing what could be causing this.


I just came across this. It seems to indicate that some user or process (likely the latter, given the circumstances you describe and the fact that it happens every boot) is querying the database of users/user accounts. Basically, there's probably a piece of software on your system which, for whatever reason, is programmed to determine the user account names on the system, and it appears that it's being blocked by one of the built-in security features of the operating system.

I'm no expert in this area, but my guess would be that it's harmless. I'm thinking that perhaps it is some program trying to determine something like the privilege/permissions level of the current user account that the software is running under, or something like that. Many programs check that in order to ensure they have sufficient permissions/access to the system to perform their tasks, and it could just be that something about the way this particular program is checking is being blocked by the built-in security configuration in Windows 8.1. If none of your software appears to be functioning abnormally, then it could be that the software triggering this is getting whatever it needs via some additional means of checking access levels/permissions.


Do you know if there's a way of finding out which process or program is causing this? I'm assuming it has to have something to do with the April 11 Windows Update packages, considering that this event was not generated on an April 10 restart.

I'm not sure if this is meaningful or not, and I hope I can explain it properly, but yesterday I was looking at System, Advanced settings, User Profiles and found three profiles: my current one, Default, and one called "Account Unknown". After some googling, I found that it was related to an account I created about a month and a half ago and deleted via the account manager, which erased it from the login screen and basic user profiles, but a folder remains under Users and in the registry. Strangely, this profile was listed as last modified on Friday, the last time I installed any software (CCleaner), and there was an entry for it in the registry for the deleted account. Do you think that it could be this account not being detected as local?


Yes, that sounds like a possibility (though I'm no expert). I do know that under some conditions, when software is installed and/or runs, it can look for all installed user accounts to create local data/settings etc. for each one, and that's likely what's going on with CCleaner, where it's probably looking for data folders under that account where temp/data files might be stored for programs and system components that it would normally clean.

Also, based on your comments about the updates etc., it does sound like you might be onto something there. It might be a good idea to take a look through the update history to see if you can find any updates that deal specifically with things related to logon, user profiles and other areas that seem like they might have something to do with what's going on. I'm guessing there was probably a security patch in there somewhere that might have changed something about how Windows handles the deleted profile, and that may be why this is happening.

Edited by exile360

I'll take a look through them to see if I can find anything.

I just now looked through the Startup section in CCleaner. I found an enabled task, "optimize start menu", and the numbers after it seem to correspond to the numbers in the registry of the deleted account. Maybe disabling this will solve it? If not, I think I may try disabling some other non-essential startup items to see if it is software related.


  • 2 weeks later...

Hello, sorry for the late update.

The issue was not caused by the deleted account or any service/software I could find. I found this though:

https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

I added the audit-only setting to the registry, but every time I reboot, it's logged in the Event Viewer and is immediately followed by the "remote calls are being restricted" message. Maybe I'm missing something in the article, but the SDDL string described under Location doesn't exist in my registry. (I'm assuming the first part of it is related to Group Policy, which is not on my version of Windows 8.1.)

If anyone can let me know what steps I can take to temporarily disable it so I can see what exactly is happening on boot, please let me know. Thank you.

Edited by guest11
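One way to see, from the registry and the event log, what the policy in the linked article is actually doing on a given machine. This is an added example, not something from the thread or from Microsoft's article: it reads the RestrictRemoteSam and RestrictRemoteSamAuditOnlyMode values the article describes, decodes the SDDL string if one is set, and lists each Event ID 16962 with the time since the preceding boot. It assumes the values live under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (as the article states) and that Event ID 6005 from the EventLog provider marks each boot.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on Windows 8.1 or later.
# Reads the "Restrict clients allowed to make remote calls to SAM" registry values and
# correlates every Event ID 16962 with the preceding boot, so you can confirm the event
# fires during start up rather than in response to anything on the network.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa    = Get-ItemProperty -Path $lsaKey

# RestrictRemoteSam (REG_SZ) holds the SDDL string. When it is absent, Windows applies its
# built-in default descriptor, which is exactly what the 16962 text "default security
# descriptor" is reporting.
$sddl = $lsa.RestrictRemoteSam
if ([string]::IsNullOrEmpty($sddl)) {
    Write-Host 'RestrictRemoteSam: not set, default security descriptor in effect'
} else {
    Write-Host "RestrictRemoteSam: $sddl"
    # Decode with .NET rather than ConvertFrom-SddlString so it also works on PowerShell 4.0 (8.1 default).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        Write-Host ('  {0} {1} mask=0x{2:X}' -f $ace.AceType, $ace.SecurityIdentifier, $ace.AccessMask)
    }
}

# RestrictRemoteSamAuditOnlyMode (REG_DWORD) = 1 logs the call instead of blocking it.
$audit = $lsa.RestrictRemoteSamAuditOnlyMode
Write-Host "RestrictRemoteSamAuditOnlyMode: $(if ($null -eq $audit) { 'not set' } else { $audit })"

# Event ID 16962 from the Directory-Services-SAM source, oldest first.
$sam = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 16962 } -ErrorAction SilentlyContinue |
       Where-Object { $_.ProviderName -like '*Directory-Services-SAM*' } | Sort-Object TimeCreated

# Event ID 6005 ("The Event log service was started") is written once per boot.
$boots = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005 } -ErrorAction SilentlyContinue |
         Sort-Object TimeCreated

foreach ($e in $sam) {
    $boot  = $boots | Where-Object { $_.TimeCreated -le $e.TimeCreated } | Select-Object -Last 1
    $delta = if ($boot) { [int]($e.TimeCreated - $boot.TimeCreated).TotalSeconds } else { 'n/a' }
    Write-Host ('{0}  {1,5}s after boot  {2}' -f $e.TimeCreated, $delta, $e.Message.Split("`n")[0])
}
Write-Host "Total 16962 events: $(@($sam).Count)"
```

A 16962 a few seconds after every 6005, and none at any other time, matches the "once per boot, before logon" pattern described earlier in the thread.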

OK, based on that article you posted I've got an idea that I hope may help, or at least might provide more insight/clues. Please do the following:

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here and save it to your desktop.

  • Note: If using Windows Vista or Windows 7 then you also need to do the following:
    1. Right-click on Autoruns.exe and select Properties
    2. Click on the Compatibility tab
    3. Under Privilege Level check the box next to Run this program as an administrator
    4. Click on Apply then click OK

  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Scan Options..., then in the Autoruns Scan Options dialog enable/check the following two options:

    • Verify code signatures
    • Check VirusTotal.com

  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.

  • When it's finished and says "Ready" on the lower left of the program window, click on the LSA Providers tab and take a look at the entries listed. As I understand it, at least based on the article you posted, those entries are used for authenticating access to log in to your system/profiles etc. You can also filter them via the Options menu at the top to hide the default/Windows entries as well as all Microsoft entries if you wish (though at first I'd suggest checking them all just to familiarize yourself with them and to help in any further research you might need to do). My guess is it's one of those being accessed by an account or process (via a user token) trying to log in that's causing this, so while this isn't necessarily the answer, it might get us one step closer to finding it (I hope).

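The registry-side counterpart to the Autoruns "LSA Providers" tab, added here as an example rather than anything from the thread or from Sysinternals: it lists the authentication, security and notification packages under the Lsa key plus the SSP DLLs under SecurityProviders, and checks each DLL's Authenticode signature the way the "Verify code signatures" option does (Get-AuthenticodeSignature also honours catalog signatures on Windows 8 and later). It assumes the DLLs live in System32 and that package names without an extension refer to a .dll of the same name.

```powershell
# Added example (not from the thread or Sysinternals). Elevated PowerShell on Windows 8.1 or later.
# Enumerates the registry values behind the Autoruns "LSA Providers" tab and verifies each DLL.

$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ssp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

$entries = @()
# REG_MULTI_SZ values: one package name per element, normally without the .dll extension.
foreach ($v in 'Authentication Packages', 'Security Packages', 'Notification Packages') {
    foreach ($p in @($lsa.$v)) {
        if ($p -and $p.Trim()) { $entries += [pscustomobject]@{ Source = $v; Name = $p.Trim() } }
    }
}
# REG_SZ value: comma-separated list of DLL file names.
foreach ($p in ([string]$ssp.SecurityProviders -split ',')) {
    if ($p.Trim()) { $entries += [pscustomobject]@{ Source = 'SecurityProviders'; Name = $p.Trim() } }
}

$report = foreach ($e in ($entries | Sort-Object Source, Name -Unique)) {
    $file = if ($e.Name -match '\.dll$') { $e.Name } else { "$($e.Name).dll" }
    $path = Join-Path $env:SystemRoot "System32\$file"
    if (-not (Test-Path $path)) {
        # A package that is registered but missing on disk deserves a closer look.
        [pscustomobject]@{ Source = $e.Source; Package = $e.Name; Status = 'MISSING'; Signer = $path }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Status is Valid, NotSigned, HashMismatch, UnknownError, ... ; anything but Valid stands out.
    [pscustomobject]@{ Source = $e.Source; Package = $e.Name; Status = $sig.Status; Signer = $signer }
}
$report | Format-Table -AutoSize
```

On a clean Windows 8.1 install every row should be Valid with a Microsoft signer, which is what the next reply reports seeing in Autoruns.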

I downloaded the 64-bit version from the sysinternals site. All the entries in the LSA Providers section are published/signed by Microsoft, nothing missing or unsigned, all clear on Virus Total.

In the article, it mentions something about a hotfix download on the 8.1 KB update page, but I'm not seeing it there... The changes came with the March preview updates, which would later become the official April update if I'm not wrong. I don't think I installed the March preview, but I definitely got the April update. Would this make any difference?


I don't think so, at least it shouldn't, since the way that MS is doing things now is to roll up all previous updates into each monthly rollup update, basically like constant cumulative service packs. Honestly, you might try posting over at the MS Support site to see if anyone else has had this issue and has found a solution. I doubt that you're the only one who's experienced this, as I see issues pop up with new Windows Updates all the time, and virtually every time they do there is a slew of customers having the issue, some with a solution and some without. Hopefully this turns out to be one of the ones with a solution.

You can ask over at the MS community here and see if anyone is familiar with it or has any better ideas on how to troubleshoot it. A lot of MS MVPs hang out there too, and they tend to be way more educated on the inner workings of Windows than I am; plus, many of them spend a lot of time there reading topics, so it's possible they may have already seen (and hopefully found a solution for) this with other users.


  • 5 months later...
On 11/5/2017 at 9:49 AM, ferd1787 said:

Three days later we had to reinstall the Windows Operating System

Remember, next time you have to reinstall your Windows OS, you need to deactivate MB3 first to avoid these issues.

How To: Deactivate the Premium Trial in Malwarebytes for Windows

KB Article HERE
