Hello all,

Having spent two days poking this problem I am throwing myself on the group's mercy. Windows XP SP1 computer joined to domain, much like its 300 brothers and sisters, decides one day that winlogon.exe should take 50% or rather 100% of one of the Dell GX270 hyper-threading virtual processors. Constant high CPU utilization makes the fans ramp up and turns a nice box into a loud evil box.

With winlogon using all the processor the box shows symptoms of having broken WINS: no NetBIOS name resolution, cannot find file shares etc., which also creates event IDs 1030 and 1058 as the group policy objects cannot be found.

Example:

Windows cannot access the file gpt.ini for GPO CN={****-0**2-4B**-B3F6-7B*****8B878},CN=Policies,CN=System,DC=**,DC=***,DC=**,DC=**. The file must be present at the location <\\ad.***.**.**\SysVol\ad.****.**.**\Policies\{*******-***-***-***-****}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted

While in this confused state the box will also not shut down cleanly and has to be POPO'd.

The obvious malware lines of investigation have proved fruitless; Ad-Aware did find some bits but this has not resolved the problem. The winlogon has been verified as being in the right location and has not been switched with another version. The fact that the box is a Dell GX270 with a Gigabit card also made me think that MS Article 840669 with the group policy not starting due to the race condition might have helped but again zip. Virus protection is installed and maintained and returns no nasties.

The Intel 1000 gigabit card has had its drivers updated and still nadda. I even disabled the built-in card and installed a 3Com 10 Mb NIC and that exhibited the same trouble.

The curious thing, and what is driving me absolutely nuts, is that if the computer is removed from the domain and returned to a workgroup the problem persists until you change the way users log on and use the welcome with the fast user switching. It has to be both using the welcome screen and fast user switching; this puts the box back on its feet. Winlogon behaves and the network drives can once again be accessed.

We have seen this twice before on separate computers but have not paid it too much attention. Rebuilds of the computers have fixed the problem. As this is something which keeps raising its ugly head I think I need to try and get a good handle on it; the fact that there are so many other unaffected boxes makes me think that it is a software conflict on the client. What I don't get is why it can be turned on and off with the fast user switching? If I didn't need the box to be in AD I would leave it as is, fast user switching enabled, and slip into a dark cave and put this down to gremlins, but that's not an option, and I am very nervous that more boxes could start playing up too...

~cheers
Gary
