Got this message on a client workstation last week. It was running managed Symantec Endpoint Protection client 12.1…so much for that. The message is caused by a clever virus/worm/malware application which makes a small change in the Windows 7 registry and voilà, users can’t log in anymore…all they get is the following message when they attempt to log in with their username/password:
[The User Profile Service service failed to logon.]
[User profile cannot be loaded.]
Further analysis of the registry shows that the user account keys in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList have been copied, then modified, and the originals renamed with an appended “.bak”. The modification essentially points to a hard drive location which does not exist or, worse yet, exists with a profile that upon login displays a message stating you must pay money to get your files back.
There’s a Microsoft KB article on this as well with steps on how to fix this here, but I found these steps faster and easier:
[step 1] Boot to safe mode by mashing the F8 key repeatedly during a reboot until you see startup choices.
[step 2] You should be able to log in as the previously disabled user…if not, fire up safe mode with command prompt and type net user administrator /active:yes to enable the administrator account. Then start over from [step 1] but log in as Administrator instead of the disabled user account.
[step 3] Open Regedit and locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
[step 4] Locate any keys with .bak appended to them and find their duplicates minus the .bak. Rename those keys to .old and then rename the keys with .bak such that just the “.bak” is deleted.
If [step 4] is too confusing and/or does not resolve the problem, try:
- Find two folders starting with S-1-5 followed by the same long number, one of them ending with .bak.
- Right click the folder without .bak and choose Rename. Then add .ba at the end of the folder name.
- Right click the folder with .bak and choose Rename. Then remove .bak at the end of the folder name.
- Right click the folder with .ba and choose Rename. Then change the .ba to .bak at the end of the folder name.
- If you have only one folder starting with S-1-5 followed by a long number and ending with .bak, right click the folder and choose Rename. Then remove .bak at the end of the folder name.
[step 5] Choose the folder without .bak, in the right pane, double click RefCount and type 0 (zero) and then click OK.
Choose the folder without .bak, in the right pane, double click State and type 0 (zero) and then click OK.
[step 6] Close regedit and Reboot.
That’s it. You should now be able to log back into your system using
your standard username/password. I’d also recommend running a full
antivirus scan.
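To see which ProfileList keys are affected before renaming anything in [step 4], and to confirm the result afterwards, the registry can be audited from an elevated PowerShell prompt. This script is an added example, not part of the original post or the Microsoft KB article; the function name Get-ProfileListAudit is made up for it, and it only reads the registry.

```powershell
# Added example: read-only audit of ProfileList (PowerShell 2.0 compatible).
# Run from an elevated prompt; it reports findings and modifies nothing.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListAudit {   # hypothetical helper name
    param([string]$Path = $ProfileList)

    $keys  = @(Get-ChildItem -Path $Path | Where-Object { $_.PSChildName -like 'S-1-5-*' })
    $names = @($keys | ForEach-Object { $_.PSChildName })

    foreach ($key in $keys) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath
        $isBak = $name -like '*.bak'
        # SID with any .bak suffix stripped, so both halves of a pair match up
        $sid   = if ($isBak) { $name.Substring(0, $name.Length - 4) } else { $name }
        $dir   = $props.ProfileImagePath   # REG_EXPAND_SZ, returned already expanded

        $notes = @()
        if ($isBak) { $notes += 'key carries .bak suffix' }
        if (($names -contains $sid) -and ($names -contains ($sid + '.bak'))) {
            $notes += 'duplicate pair (SID and SID.bak)'
        }
        if (-not $dir) {
            $notes += 'ProfileImagePath value missing'
        } elseif (-not (Test-Path -LiteralPath $dir)) {
            $notes += 'ProfileImagePath points to a folder that does not exist'
        }
        # [step 5] sets both of these to 0, so report anything else
        if ($props.RefCount) { $notes += "RefCount = $($props.RefCount)" }
        if ($props.State)    { $notes += "State = $($props.State)" }

        New-Object PSObject -Property @{
            Key      = $name
            Path     = $dir
            Findings = ($notes -join '; ')
        } | Select-Object Key, Path, Findings
    }
}

# Show only the keys that need a look before any renaming is done
Get-ProfileListAudit | Where-Object { $_.Findings } | Format-List
```

A key whose ProfileImagePath exists but was not there before the incident still deserves a manual look, since the script cannot tell a legitimate profile folder from a planted one.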
Source: davidvielmetter.com/tips/the-user-profile-service-failed-to-logon