3

One of the Terminal Servers has been plagued by an unusual HTTPS issue. After enough users have logged in and logged out, eventually users can no longer load HTTPS websites. It seems to only affect users with generic mandatory shared profiles.

Regression

  • It doesn't matter what browser is used
  • Some groups (admins, faculty) never experience this
  • If I log them out and delete their local store of their profile (man generic shared profile) they can log in and view HTTPS websites.
  • I've tried turning firewall on and off
  • I've tried re-registering DLL's
  • I've tried multiple browsers

Is there a better fix than batch-deleting profiles every night?

  • Which browser(s)? – HopelessN00b Dec 23 '14 at 21:59
  • So far I've tried IE and Chrome. Both cannot access HTTPS websites... pretty sure it's not browser-related. – Aaron Smiley Dec 23 '14 at 22:00
  • What happens when they "can no longer load" https sites? Is there an error message? What about other applications relying on cryptography? Do they fail too? – HopelessN00b Dec 23 '14 at 22:04
  • Terminal Servers implies that you're running Windows Server 2000 or 2003. Is that the case? If so, have you thought about moving to a newer version of Windows Server? – joeqwerty Dec 23 '14 at 22:09
  • What operating systems? The symptoms aren't clear, but what about the root cert list updates? I recall some issues on win7/server2008 – blaughw Dec 23 '14 at 22:11
  • 1
    Sorry for using the outdated terminology. I should have specified we're using RD Services on Windows 2008 Server! – Aaron Smiley Dec 23 '14 at 22:11
  • They don't time out, it's an immediate fail. There aren't any helpful error codes or messages, just that it failed. – Aaron Smiley Dec 23 '14 at 22:12
  • 2
    Doesn't sound like you've got enough to go on. I'd whip up a little USB key with some portable apps making use of the Windows cryptology APIs, as well as FireFox with my favorite web developer/debugging apps, and Wireshark, to see if I could narrow it down to something on the network side, or something with the OS side. Or at least try to get something more useful to go on than a silent connection failure. – HopelessN00b Dec 23 '14 at 22:22
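The comments above ask for something more useful than a silent failure. The script below is an added diagnostic (it is not from the question or any of the comments) that you can run inside the affected user's RD session: it counts the certificates in the per-user stores, which live under HKCU\Software\Microsoft\SystemCertificates and so travel with the user hive, and then performs a TLS handshake through Schannel with System.Net.Security.SslStream, bypassing the browser entirely. The test host and port are placeholders; use any HTTPS host you trust.

```powershell
# Added diagnostic, not part of the original question. Run as the affected user.
# Assumption: $TestHost is a reachable HTTPS host (placeholder value).
param([string]$TestHost = 'www.microsoft.com', [int]$Port = 443)

# 1. Per-user certificate stores are stored in the user hive, so a damaged
#    NTUSER.DAT can leave them empty or unreadable. Report each store's size.
foreach ($store in 'Root', 'CA', 'My', 'Disallowed') {
    $path = "Cert:\CurrentUser\$store"
    try {
        $count = (Get-ChildItem $path -ErrorAction Stop | Measure-Object).Count
        Write-Host ("CurrentUser\{0,-10} {1} certificates" -f $store, $count)
    } catch {
        Write-Host ("CurrentUser\{0,-10} UNREADABLE: {1}" -f $store, $_.Exception.Message)
    }
}

# 2. Raw TLS handshake via SslStream. A failure here is a Schannel/crypto-API
#    problem, not a browser problem; the innermost exception names the cause.
function Test-TlsHandshake {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        New-Object PSObject -Property @{
            Result   = 'OK'
            Protocol = $ssl.SslProtocol
            Cipher   = $ssl.CipherAlgorithm
            Error    = $null
        }
    } catch {
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        New-Object PSObject -Property @{
            Result   = 'FAIL'
            Protocol = $null
            Cipher   = $null
            Error    = ('{0}: {1}' -f $inner.GetType().Name, $inner.Message)
        }
    } finally {
        $client.Close()
    }
}

Test-TlsHandshake -HostName $TestHost -Port $Port | Format-List Result, Protocol, Cipher, Error
```

If the handshake fails for the affected user but succeeds for an admin on the same server, and the CurrentUser stores come back empty or unreadable, the problem is in the user's profile data rather than on the network or in the browser, which is the direction the accepted answer takes.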

1 Answer

0

User registry corruption

I am sure that it is some value in the user's registry, also known as HKCU and/or hkey_current_user.

After replacing only the ntuser.dat file in the profile (while the user is logged out), the https browser issue is gone.

Restoring the old ntuser.dat file brings the https error back. I have tried to pinpoint the specific hive/key, but was not successful in finding the specific corruption for the https issue.

Repair corrupted user registry

Recovering a user's registry that contains a corruption is not difficult, just a lot of steps. Basically it is like exporting the registry, then emptying the registry, and importing back the exported registry.

Requirements

  • the user with the corrupted registry should still be able to login
  • a second account with administrator rights on the same machine
  • do "Show hidden files, folders" in explorer
  • do not "Hide protected operating system files" in explorer
  • a pristine NTUSER.DAT file from a newly created user that has logged in at least once

Step-by-step

  • login as secondary user (with administrator rights)
  • run Registry Editor regedit.exe (as administrator)
  • select HKEY_LOCAL_MACHINE and highlight it (not expand)
  • on File menu select Load Hive (File\Load Hive)
  • browse to %USERPROFILE%\CorruptUsername\NTUSER.dat
  • name the newly loaded hive its Key Name: "corrupt" (without the quotes)
  • select the new "corrupt" key (not expand)
  • from the menu choose File\Export
  • save to desktop as corrupt.reg
  • choose menu options File\Unload Hive
  • select File\Load Hive
  • browse to %USERPROFILE%\PristineUserName\NTUSER.DAT
  • name the new Key Name: as "corrupt"
  • expand "corrupt"
  • delete everything under it (ignore that some entries cannot be deleted)
  • after everything is done, click corrupt.reg that you saved earlier on desktop
  • select the "corrupt" key (to highlight it)
  • select File\Unload Hive
  • close the registry editor
  • copy your %USERPROFILE%\PristineUserName\NTUSER.DAT to %USERPROFILE%\CorruptedUserName\NTUSER.DAT and replace it
  • you may find many other NTUSER.DAT* files — like ntuser.dat.LOG, ntuser.dat.LOG1, etcetera — you can delete those

Adjust registry permissions (optional)

  • login to your (formerly) "corrupted" user account
  • open registry editor
  • right-click at HKEY_CURRENT_USER, Permissions
  • remove unknown group or username
  • then click Add button
  • enter your username
  • finally Ok and exit the registry editor

Inspired by http://write-code.blogspot.nl/2010/08/recover-corrupted-user-registry-hive.html

Pro Backup