
Black screen or Logon process might hang during user logon

Product: ProfileUnity-FlexApp

Product Version: Any

Expires on: 365 days from publish date

Updated: April 15, 2019

 

Problem:

When non-admin users log in to the desktop, the ProfileUnity splash screen does not appear. There is a black screen and Explorer.exe does not load.

The reason for this failure could be:

A) Windows can't contact certificate authority servers

B) Expired Certificate on the older version of PU (Check "Note" bottom of KB)

Symptoms:

The lwl_elevation_service log found in c:\windows\temp\profileunity will have the following error:

Trust verification failed on path: c:\Program Files\ProfileUnity\client.exe Error: The timestamp signature and/or certificate could not be verified or is malformed.

The path: C:\Program Files\ProfileUnity\client.exe is not allowed to be elevated by policy.

Possible Resolution(s): 

When ProfileUnity elevates itself, we check that our code is signed by us, so that no one can hijack our elevation process and gain administrator rights to the OS. When “Check for publishers certificate revocation must be enforced” is enforced, the binary that checks the certificate must query the certificate's CRL URL to confirm that the certificate is still valid. Because our elevation functions run under the system account, this URL cannot be checked.

The resolution here is to stop using our code signing as the check that validates our binaries and to use the SHA1 hash of client.exe instead. This is just as secure as certificate checking.

Note: This hash will need to be updated with each release or patch!! 

Step 1) Create SHA1 hash for client.exe

a) go to http://onlinemd5.com/

b) select filename "client.exe"

c) Checksum type: SHA1

d) Copy File checksum. Example: "B08D8AA1E92FBB8E2F31561CF17342895365B493"

Step 2) Create SHA1 hash for lwl.profileunity.client.exe

a) go to http://onlinemd5.com/

b) Browse to C:\Program Files\ProfileUnity\Client.net and select filename "lwl.profileunity.client.exe"

c) Checksum type: SHA1

d) Copy File checksum. Example: "8E15FC93DB8F7642D0EB013E251B894119142FE8"

Step 3A) Update lwl_elevation_service.xml and default_lwl_elevation_service.xml

Open lwl_elevation_service.xml from \\domain\netlogon\profileunity\elevation.zip

Add the following lines above the line <path signed="Liquidware Labs, Inc." />:

<path hash="B08D8AA1E92FBB8E2F31561CF17342895365B493"/>

<path hash="8E15FC93DB8F7642D0EB013E251B894119142FE8"/>

Step 3B) If you are updating the base image, then just update "C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml"

Step 4) Updating Client Tools on the VM's/Systems:

Option 1) ProfileUnity is not in the base image and is installed using GPO.

(Non Persistent VDI) - Refresh the VMs.

Option 2) ProfileUnity is in the base

Go to the base image and run "LwL.ProfileUnity.Client.Startup.exe /uninstall", then run "LwL.ProfileUnity.Client.Startup.exe" again. Then recompose the pool.

Option 3) ProfileUnity is installed on physical machines/Persistent Desktops

Edit LwL.ProfileUnity.Client.Startup.exe.config

Find these 2 lines:

<setting name="ElevationVersion" serializeAs="String">

<value>6.5.5696-d5e8616</value>

Append 1 to the end of the #

Example: <value>6.5.5696-d5e8617</value>

Save. 

Restart Physical Machines.
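
Steps 1 to 3 can also be done on the machine itself, without uploading the binaries to a web site. The PowerShell script below is an added example, not Liquidware's own tooling: it computes the SHA1 hashes with Get-FileHash and inserts them above the <path signed="Liquidware Labs, Inc." /> entry. The parameter names $XmlPath and $Binaries are assumptions; their default values are the paths quoted in this article.

```powershell
# Added example: hash the ProfileUnity binaries locally and whitelist them.
# $XmlPath and $Binaries are hypothetical parameter names; the defaults are
# the paths quoted in this article. Run from an elevated prompt.
param(
    [string]$XmlPath = 'C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml',
    [string[]]$Binaries = @(
        'C:\Program Files\ProfileUnity\client.exe',
        'C:\Program Files\ProfileUnity\Client.net\lwl.profileunity.client.exe'
    )
)
$ErrorActionPreference = 'Stop'

# Load the policy file and locate the whitelist and the publisher entry
$doc = New-Object System.Xml.XmlDocument
$doc.Load($XmlPath)
$whitelist = $doc.SelectSingleNode('/configuration/policy/whitelist')
if (-not $whitelist) { throw "No <whitelist> element in $XmlPath" }
$anchor = $whitelist.SelectSingleNode('path[@signed="Liquidware Labs, Inc."]')

# Hashes already present, normalised to upper case so duplicates are skipped
$known = @($whitelist.SelectNodes('path[@hash]') |
    ForEach-Object { $_.GetAttribute('hash').ToUpperInvariant() })

foreach ($file in $Binaries) {
    # Get-FileHash returns the digest as upper-case hex
    $sha1 = (Get-FileHash -LiteralPath $file -Algorithm SHA1).Hash
    if ($known -contains $sha1) {
        Write-Host "already whitelisted: $sha1  $file"
        continue
    }
    $node = $doc.CreateElement('path')
    $node.SetAttribute('hash', $sha1)
    if ($anchor) {
        [void]$whitelist.InsertBefore($node, $anchor)   # above the signed entry
    } else {
        [void]$whitelist.AppendChild($node)             # no signed entry found
    }
    $known += $sha1
    Write-Host "added: $sha1  $file"
}

# Keep a copy of the original policy file before overwriting it
Copy-Item -LiteralPath $XmlPath -Destination "$XmlPath.bak" -Force
$doc.Save($XmlPath)
```

For the GPO deployment in Step 3A, extract lwl_elevation_service.xml from elevation.zip first, pass its location as -XmlPath, and put the edited file back into the archive. Run it again after every release or patch, because the hashes change.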

Note: If this is an expired certificate issue with an old version of ProfileUnity that suddenly stopped working, upgrading to the new Client Tools will fix the problem immediately. Steps 1-4 are optional and only needed if an upgrade is not an option. (Check Properties > Details on lwl.profileunity.client.exe for the certificate expiration date.)

 

If you're on 6.7.6 you can use these.

LwL.ProfileUnity.Client.exe: E65F61E8E7AA76A8E2BC5EFBE09D4BE32538A0B1
lwl_profile_mgr.exe: 331A1A443C4CB07B5D07B30111487A90AC497F33
vhd.exe: 7387185B9660B173D47FBFA3A4B2A02D0C511776
 
The configuration would look similar to:
<?xml version="1.0" encoding="UTF-8"?>
<configuration version="1.0">
  <!-- valid log levels are emergency=0, alert=1, critical=2, error warning -->
  <!-- notice, informational, and debug, -->
  <log path="%LOGPATH%" level="debug" />
  <data path="%DATAPATH%" />
  <policy>
    <whitelist>
      <path hash="c722a9e551bbffbf40f10a78004ac7a352fa550aaf920ddd9132b9c6d0e93415" />
      <path hash="fba390da37999bee4d3bbf683ae8c39a1d9c71e17d8664ba63b83a4422148537" />
      <path hash="F196EB27A63C870F0046CD53B89FE67809400FC30C0B2D2665E1B6E744C6F381" />
      <path hash="C416F5961E7B25DB6C954C536833E78E370567C149A8B81C363CCDBC8DBE628B" />
      <path hash="FBA390DA37999BEE4D3BBF683AE8C39A1D9C71E17D8664BA63B83A4422148537" />
      <path hash="E65F61E8E7AA76A8E2BC5EFBE09D4BE32538A0B1" />
      <path hash="7387185B9660B173D47FBFA3A4B2A02D0C511776" />
      <path hash="331A1A443C4CB07B5D07B30111487A90AC497F33" />
      <path signed="Liquidware Labs, Inc." />
      <path signed="Liquidware Labs" />
    </whitelist>
    <blacklist>
    </blacklist>
  </policy>
</configuration>
 

If you're on 6.7.5 you can use these.

LwL.ProfileUnity.Client.exe: 79E4290D8F8FEB5E81A783504D039FC7158E78FB
lwl_profile_mgr.exe: 331A1A443C4CB07B5D07B30111487A90AC497F33
vhd.exe: F649C6CA2297DA6A32CE3B6CC40AEF90920D0A1E
 
The configuration would look similar to:
<?xml version="1.0" encoding="UTF-8"?>
<configuration version="1.0">
  <!-- valid log levels are emergency=0, alert=1, critical=2, error warning -->
  <!-- notice, informational, and debug, -->
  <log path="%LOGPATH%" level="debug" />
  <data path="%DATAPATH%" />
  <policy>
    <whitelist>
      <path hash="c4141727109e5dba43c81a5943f6662347f3ad3674e583668f3919d8bc4dfbd6" />
      <path hash="3bb4465f35034cd2d7a50767d141fb09c3839f7984b62001e8c56e7ddc32aa52" />
      <path hash="0C6047FAC8133C974332A6821D38BBF6DDADA0745DDABD97EB5604DE67A84DBA" />
      <path hash="9ADF35BAAAFCABBD679349E2CF6527DF7F7F992BFE37B63435887A5F41B912FA" />
      <path hash="6AAFE76D2AB55CD168361D25C81BECF46C77DCF7AA4057EFF2416EFE113C62E4" />
      <path hash="36EFEC4E59CD604C2A911B27DA72EEAB3AD36CC4FE2B84383B96F0AAEB7F49A3" />
      <path hash="79E4290D8F8FEB5E81A783504D039FC7158E78FB" />
      <path hash="F649C6CA2297DA6A32CE3B6CC40AEF90920D0A1E" />
      <path hash="B6E3F01B9EB4010A3B368AC1B5F52140C3037E32" />
      <path signed="Liquidware Labs, Inc." />
      <path signed="Liquidware Labs" />
    </whitelist>
    <blacklist>
    </blacklist>
  </policy>
</configuration>


 
