Windows temp profile: user profile service failed the sign-in

[IT-user 1]

Since a couple of weeks, some users complain they receive the following message before the login-screen of windows:

The user profile service service failed the sign-in. User profile cannot be loaded

On signing in, the user is presented with a temporary profile. After a couple of reboots (or deleting the .bak registry key) the user can succesfully log in to his/her profile.

Upon digging in the event viewer, I noticed several of the following error at the time of boot-up:

Event ID 1552: User hive is loaded by another process (Registry Lock) Process name: C:\Program Files\ESET\ESET Security\ekrn.exe, PID: 3088, ProfSvc PID: 2068.

And also:

Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account. 

 DETAIL - Access denied 

So it seems to me as if Eset is locking the user profile service which causes the issue with a temporary profile.

Has anyone else noticed this behaviour & managed to solve this?

Below some more information about our installation:

• Windows 11 (occurs on all versions)
• Eset 10.1.2050.0
• Devices are not domain joined - user is logged on with local user profile

Thanks in advance

[Marcos 4,935]

Please raise a support ticket. It's likely that the next version of the Configuration Engine module will fix it. We expect it to be released within this month.

[IT-user 1]

Ok thx. I've posted a support ticket. I'll keep you informed of the progress.

 

 

[Kurt234 0]

Hi we have the same problem,

could you manage to fix this problem?

[Marcos 4,935]

This issue should be addressed by the next release of the Configuration Engine module soon.

[IT-user 1]

1 hour ago, Kurt234 said:

Hi we have the same problem,

could you manage to fix this problem?

I've posted a support request to eset and they are planning a session with me 16/11/2023 so at the moment no progress on that front.

FYI: I've also found a similar event id log at the same time of the login problem.:

Event ID 1552: User hive is loaded by another process (Registry Lock) Process name: C:\Windows\System32\SriverStore\FileRepository\hpcustomcapcomp.inf_amd64_44fcd5c63470399d\x64\SysInfoCap.exe 

This is refereing to HP App Helper HSA service, something that is installed by default on HP laptops apparently. Does this error also appear on your system? 

 

1 hour ago, Marcos said:

This issue should be addressed by the next release of the Configuration Engine module soon.

When will this update be released approximately? I suppose this update is pushed automatically to the clients?

[Marcos 4,935]

14 minutes ago, IT-user said:

When will this update be released approximately? I suppose this update is pushed automatically to the clients?

We want to release it ASAP, however, the module must be tested completely first. Personally I'd expect it to be released on the pre-release update channel within 1 week or a little bit earlier followed by granular batch releases on the regular update channel.

[Marcos 4,935]

Configuration Engine module 2099.4 with a fix is now available on the pre-release update channel.

[Kurt234 0]

2 hours ago, IT-user said:

This is refereing to HP App Helper HSA service, something that is installed by default on HP laptops apparently. Does this error also appear on your system

Really interesting. Yes we also use HP Notebooks in our company. And in some of the error logs i can see it aswell, but it is not always the case.

Edited November 9 by Kurt234

[IT-user 1]

16 minutes ago, Marcos said:

Configuration Engine module 2099.4 with a fix is now available on the pre-release update channel.

How can you check which configuration engine module is installed? I've tried to search within eset protect cloud -> computer -> details but i guess this version is only for the detection engine? 

See my example after I've just updated my client

Moreover - I assume this pre-release channel is only available for selected testers?

 

9 minutes ago, Kurt234 said:

Really interesting. Yes we also use HP Notebooks in our company. And in some of the error logs i can see it aswell, but it is not always the case.

The same here, we only see it occasionaly which made me think that Eset was the culprint for the error (as also confirmed by Marcos).

Let's hope this update soon hits our environments. 

[Marcos 4,935]

It depends on how you have set up the update server. In a policy you can set it up here:

If the clients update from a mirror, this has no effect and it depends on if you mirror update files from the regular or pre-release update channel.

However, we don't recommend using pre-release updates on mission critical systems.

If the Engine number ends with P it's very likely that the machine is using pre-release updates.

[IT-user 1]

I've noticed my Eset has been updated to the following version:

@Marcos could you confirm this update contains the fix for the temporary profile problem?

[Marcos 4,935]

It is the version of the Configuration module that matters:

[IT-user 1]

Where can I get this version of the Configuration module? I cannot find it neither in eset cloud nor in the client itself

[Marcos 4,935]

You can find information about installed modules under Help -> About in the ESET PROTECT console:

In Endpoint it's under Update -> Show all modules:

[IT-user 1]

Thanks for your reply. I notice that I'm still on an older version for the configuration module: 

IThe new update will probably take some time to reach our environment I guess.
However, we haven't encountered this temp profile problem for over a week now (knock wood).

[Marcos 4,935]

The Configuration module 2099.5 is currently on the pre-release update channel with staggered release on the regular update channel to follow soon. We expect it to be fully released towards the end of November.

[Kurt234 0]

Thanks, just want to confirm that we have the new configuration module.
A few users still receive that error after booting.. Keep you updated.

[IT-user 1]

The same within our company: one user with configuration module 2099.6 still receives the same error (The user profile service service failed the sign-in. User profile cannot be loaded) from time to time. 

@Marcos what is the status of this issue?

[Marcos 4,935]

The Configuration module 2099.6 addresses storing files in users' roaming folders (AppData/Roaming) which didn't turn out sufficient. The next version of the Configuration engine should help in cases when the whole user profile is deleted on logoff.

M_CNFENG-1821

[IT-user 1]

OK thx for the extra information.

FYI: the user profile is not actually deleted. The matter is that the user profile folder is changed to c:\users\temp instead of its own personal folder. The same problem as described in this link (when the problem occurs, applying the regfix solves the problem but of course this is not a long term solution).

[Kurt234 0]

@IT-user

One of our users simply waits to enter his credentials after booting and then no longer has the problem - it doesn't solve the cause, but at least he doesn't have any further complications.

[IT-user 1]

@Kurt234

Could you explain a bit more? How long does he wait (e.g. 1 minute or until something appears on the screen?)

thx for the suggestion

[Kurt234 0]

3 minutes ago, IT-user said:

@Kurt234

Could you explain a bit more? How long does he wait (e.g. 1 minute or until something appears on the screen?)

thx for the suggestion

He's making himself some tea and or coffee, so he'll probably wait about 2-3 minutes.

[IT-user 1]

@Kurt234

Good advice, I'll also let our users know to first make a cup of coffee 😊. 

No, it's really helpful I'll try it the next time. It's better than rebooting & praying that the own user profile is loaded.