Staring at a blank desktop, due to Interactive missing from Users group

Ran into a strange issue this week. When you connected to the box over Terminal Services (TS) it would just show a blank background and nothing else. If you tried to launch Task Manager it would fail silently for the user (actually an access-denied error, visible in the debugger). My user account was in the Administrators group and the server was completely accessible remotely with administrative permissions. It was only when I (or anyone) tried to log on to the server locally or through TS that it was messed up. Another piece of the puzzle: if you disabled UAC and rebooted the server, the issue no longer repro'd.

So what was the connection between UAC and logging on to this server?

When logging on, this event was triggered:

Log Name:      Application
Source:        Microsoft-Windows-Winlogon
Date:          5/27/2008 5:13:28 PM
Event ID:      4006
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXX
The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\system32\userinit.exe.

Turns out that they had removed the account "NT AUTHORITY\INTERACTIVE" from the Users group on the machine. We added that account back into the Users group and, like magic, it worked again. I'm working on getting a KB filed and written for this issue, but until then at least people can find this post if they notice this event in the event log.


UAC Architecture

While the Windows Vista logon process externally appears to be the same as the logon process in Windows XP, the internal mechanics have greatly changed. The following illustration details how the logon process for an administrator differs from the logon process for a standard user.

Windows Vista logon process

When an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. By default, when a member of the local Administrators group logs on, the administrative Windows privileges are disabled and elevated user rights are removed, resulting in the standard user access token. The standard user access token is then used to launch the desktop (Explorer.exe).

Hat tip to Ben on my team, who actually figured this out after I tried to debug it for 3 days...
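The check an administrator would want when they see the 4006 event above, written here as an added example (not code from the original post): it looks for the Winlogon warning, then verifies by well-known SID that INTERACTIVE (and Authenticated Users, which is also a default member) is still in the local Users group, and with -Fix puts the missing principal back. It assumes PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later) and an elevated prompt.

```powershell
# Added example, not from the original post: detect the "blank desktop" cause
# described above and, with -Fix, restore the default Users group membership.
# Assumes PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts; run elevated.
param([switch]$Fix)

# Well-known SIDs are used instead of names so the check is locale-independent.
$Required = @{
    'S-1-5-4'  = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11' = 'NT AUTHORITY\Authenticated Users'
}

# 1. Has Winlogon logged "failed to spawn a user application" (Event ID 4006)?
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Winlogon'
    Id           = 4006
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    Write-Warning "Found $($events.Count) recent Winlogon 4006 event(s); latest: $($events[0].TimeCreated)"
    $events[0].Message
}

# 2. Is each required well-known principal still a member of the local Users group?
$memberSids = (Get-LocalGroupMember -Group 'Users').SID.Value
$missing    = @($Required.Keys | Where-Object { $memberSids -notcontains $_ })

if ($missing.Count -eq 0) {
    'Local Users group membership is intact.'
    return
}

foreach ($sid in $missing) {
    Write-Warning "$($Required[$sid]) ($sid) is missing from the local Users group."
    if ($Fix) {
        # -Member accepts a SID string; this is the equivalent of re-adding the
        # account in Computer Management or via Restricted Groups policy.
        Add-LocalGroupMember -Group 'Users' -Member $sid
        "Re-added $($Required[$sid]) to Users."
    }
}
```

On machines with group-membership auditing enabled, the original removal also shows up in the Security log as Event ID 4733 (a member was removed from a security-enabled local group), which is the record to look for when working out who removed the account and when.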

Comments (4)
  1. BooRadely says:

    Another event you might see from the same issue:

    Log Name:      Application
    Source:        Microsoft-Windows-Winlogon
    Date:          5/23/2008 8:10:08 AM
    Event ID:      4006
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      XXXX
    The Windows logon process has failed to spawn a user application. Application name: . Command line parameters: C:\Windows\system32\logon.scr /s.

  2. Dave B says:

    I am having the same symptoms after joining a Windows 7 machine to the domain. With UAC on, none of the domain users (that have full admin rights to the local machine) can bring up Explorer, just a black screen and the mouse cursor. Turn UAC off and everything seems to be just fine. We are using Restricted Groups to limit local admins. I wonder if we need to include this built-in account via Group Policy to get it working again. How do you add the NT Authority\Interactive user back in manually?

  3. Dave B says:

    Indeed, adding the INTERACTIVE account to the local "Users" group (via Group Policy) fixed it. Thanks so much to Ben Parker and Brad for posting this, as I have not seen this answer anywhere else.

  4. Michael Stratton says:

    I wish I had found this article previously, as I ran into this same problem. To resolve the problem I had to create another user with administrative permissions, then access the old user's account and copy and paste all data over to the newly created account.

    If I had found this article previously it would have saved me a ton of trouble. I had the same problem when logging into the user account: blank desktop. Accessing the account in safe mode was not a problem.

    The user believed that the "NT Authority/Authenticated" and the "NT Authority/Interactive" accounts that were listed in the "Users" group in the Computer Management MMC were "hacked accounts", and deleted them.
