graysky Posted August 2, 2007 (edited)

I found an odd entry in my event log today. It happened after I did a Windows key + L to lock the machine; when I unlocked it, I found this entry in the Event Viewer > Application log:

User: NT AUTHORITY\SYSTEM
Event ID: 1081
Windows cannot impersonate the user. (The handle is invalid. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I ran a full malware and virus scan, but found nothing. Does anyone know what this impersonate error is about?

Edited August 2, 2007 by graysky
jroc Posted August 2, 2007

> I found an odd entry in my event log today. It happened after I did a Windows key + L to lock the machine; when I unlocked it, I found this entry in the Event Viewer > Application log:
>
> User: NT AUTHORITY\SYSTEM
> Event ID: 1081
> Windows cannot impersonate the user. (The handle is invalid. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
> I ran a full malware and virus scan, but found nothing. Does anyone know what this impersonate error is about?

Maybe you could have taken one more step and done a 'full google' scan:
http://www.google.com/search?q=Windows+can...sonate+the+user
graysky (Author) Posted August 2, 2007

I did google it and followed most of the links at the URL you kindly posted. Unfortunately, I haven't found a definitive answer. I did find this, but I don't see how it applies since I'm not using or really know what ASP.NET is.
cluberti Posted August 3, 2007

If you're getting that error, it means you were likely doing a background refresh of group policy, and either your machine's account on the domain had a security issue, or some process on the machine closed the handle underneath the GP engine during processing (like antivirus software). Hard to say, but it is definitely indicative of a failed background refresh - how frequently does this occur, and when did it start happening?
888 Posted August 3, 2007 (edited)

By default, members of the device's local Administrators group and the device's local Service account are assigned the "Impersonate a client after authentication" user right. The following components also have this user right:

- Services that are started by the Service Control Manager
- Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account

When you assign the "Impersonate a client after authentication" user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.

MORE INFO

Also there was a patch for enabling pipe create instance for non-admin users AFAIR, but I don't remember details. Check it on msoft kb

Edited August 3, 2007 by 888
graysky (Author) Posted August 3, 2007

@cluberti - 9 times yesterday. It started happening (as per the logs) about 2 weeks ago. Unfortunately, I don't know what happened to set it off. Nothing yet today, but the machine was just powered on... we'll see
graysky (Author) Posted August 5, 2007 (edited)

Update: I only seem to get this error when the user is logged in to the machine, but has either pressed winkey+L or the screensaver did so (since the require password box is checked). In other words, the user is logged in, but the machine is on the welcome screen.

Does that mean anything to help track it down?

EDIT: this isn't true.. the most recent one happened a few minutes ago when I was logged in

Edited August 5, 2007 by graysky
cluberti Posted August 6, 2007

You might want to open the Security Configuration and Analysis MMC and compare your machine against the default security template, to see what is different. It is likely some security setting that is non-standard that is causing this, but it would help for you to do an analysis against the default template to see what is different on your machine against an out-of-the-box security configuration.
graysky (Author) Posted August 6, 2007

So I've never messed around with security templates as far as I know. Can you explain the process of comparing the current template to the default template?
cluberti Posted August 7, 2007

Sure:

1. Open mmc (start > run > mmc)
2. Click File > Add/Remove snapin
3. Click "Add"
4. Select "Security Configuration and Analysis" from the list, and click "Add"
5. Click "Close"
6. Click "OK"
7. Right-click the "Security Configuration and Analysis" option under "Console Root", and click "Open Database"
8. Type in a name for the new database you are creating (can be anything), then click "Open"
9. From the list of templates (if you do not see any .inf templates, browse to %windir%\security\templates) select "setup security.inf" and click "Open"
10. Right-click the "Security Configuration and Analysis" option under "Console Root", and click "Analyze Computer Now"
11. Click "OK" when prompted to create an Error log file path

This will analyze your system against the .inf file that was applied when the OS was first installed, showing you the differences.
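
A scripted counterpart to the template comparison described above, as an added example that is not part of the original thread: it diffs the [Privilege Rights] section of a baseline template against an export of the current settings, which is where the "Impersonate a client after authentication" right (SeImpersonatePrivilege) is stored. Both INF samples and the function names are constructed for illustration; real input would come from `secedit /export /cfg current.inf /areas USER_RIGHTS`, whose output is typically UTF-16 encoded.

```python
# Added example: diff the [Privilege Rights] section of two security templates.
# Both INF samples are constructed; real exports come from secedit (see lead-in).
BASELINE_INF = """\
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

CURRENT_INF = """\
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-545,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or INF comment
            continue
        if line.startswith("["):               # any section header
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # Principals are comma-separated; SIDs carry a leading '*'.
            rights[name.strip()] = {
                p.strip().lstrip("*").upper() for p in value.split(",") if p.strip()
            }
    return rights


def diff_rights(baseline, current):
    """Return {right: (missing_from_current, added_in_current)} where they differ."""
    delta = {}
    for right in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(right, set()), current.get(right, set())
        if base != cur:
            delta[right] = (sorted(base - cur), sorted(cur - base))
    return delta


if __name__ == "__main__":
    found = diff_rights(parse_privilege_rights(BASELINE_INF),
                        parse_privilege_rights(CURRENT_INF))
    for right, (missing, added) in found.items():
        print(f"{right}: missing={missing} added={added}")
```

With the constructed samples, S-1-5-6 (the SERVICE account) is reported as missing from SeImpersonatePrivilege, while the reordered SeShutdownPrivilege entry is not reported because principals are compared as sets.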
graysky (Author) Posted August 7, 2007

Wow, thanks for the level of detail in that reply. I must admit, after looking through the various sections, I really don't see any major differences.
rajesh_vellore Posted July 6, 2009 (edited)

How can we do impersonation in a Windows service for NT AUTHORITY\SYSTEM of the local system?

Edited July 6, 2009 by rajesh_vellore