Things to do when troubleshooting Internet Explorer Terminal Server and Profiles issues.

Hi Everybody!

In this blog post we assume you have deployed Internet Explorer as a Desktop or Published Application in your environment and have encountered some abnormalities.

Some of the abnormalities may include the following configuration and symptoms:

  1. The user logon account is configured to use a mandatory user profile, or a hybrid profile when using Citrix.
  2. The user logs on to a new computer for the first time, where a local or roaming profile is derived from the default user profile.
  3. The user logs on to a computer that would normally have a cached profile, but the cached copy has been deleted by the "Delete cached copies of roaming profiles" policy setting.
  4. The "Delete user profiles older than a specified number of days on system startup" policy setting is applied.
  5. Explorer initialization delays during user logon: iedkcs32.dll (Internet Explorer Maintenance) takes a long time to initialize the user profile, over 100 seconds.
  6. Active Setup execution can delay the user logon operation.

One of the first components to execute when a user logs on to Windows is Active Setup. The Active Setup component registers shell32 DLLs and installs stubs that configure desktop shortcuts, desktop themes, Internet Explorer, Windows Media Player, Windows Mail (WinMail) and msfeedssync.exe, to mention a few.

Active Setup executes:

  • The first time a user logs on to a computer and builds a new profile based on the default user profile, and on subsequent logons when the locally cached or roaming profile does not contain Active Setup entries in the ntuser.dat file.
  • Every time a user logs on to a computer with a mandatory user profile.

Active Setup will execute the following commands:

"C:\Windows\SysWOW64\ie4uinit.exe" -UserIconConfig
"C:\Windows\System32\ie4uinit.exe" -BaseSettings
"C:\Windows\SysWOW64\ie4uinit.exe" -BaseSettings
"C:\Windows\System32\ie4uinit.exe" -UserIconConfig
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll";BrandIEActiveSetup SIGNUP
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll";BrandIEActiveSetup SIGNUP
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll;Install
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iesetup.dll";IEHardenAdmin
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll;Install
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE

During Active Setup execution, the registry keys "HKLM\Software\Microsoft\Active Setup\Installed Components\%APPNAME%" and "HKCU\Software\Microsoft\Active Setup\Installed Components\%APPNAME%" are compared. If the HKCU registry entries do not exist, or the version number in HKCU is lower than the one in HKLM, the specified application is executed for the current user.
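The comparison described above can be checked from inside the affected user's session. The following PowerShell is an added example, not part of the original post; it assumes the standard Active Setup value names StubPath and Version (comma-separated numbers) and also checks the Wow6432Node view used by 32-bit stubs on 64-bit Windows.

```powershell
# Added example: report Active Setup stubs that would run for the current user.
function ConvertTo-VersionParts([string]$Version) {
    # Version values are comma-separated numbers, e.g. "11,0,9600,0"
    foreach ($part in ($Version -split ',')) {
        [int64]$n = 0
        [void][int64]::TryParse($part.Trim(), [ref]$n)   # non-numeric part counts as 0
        $n
    }
}

function Compare-ActiveSetupVersion([string]$User, [string]$Machine) {
    # Returns -1 when the HKCU version is lower, 0 when equal, 1 when higher
    $u = @(ConvertTo-VersionParts $User)
    $m = @(ConvertTo-VersionParts $Machine)
    for ($i = 0; $i -lt [Math]::Max($u.Count, $m.Count); $i++) {
        $a = if ($i -lt $u.Count) { $u[$i] } else { 0 }
        $b = if ($i -lt $m.Count) { $m[$i] } else { 0 }
        if ($a -lt $b) { return -1 }
        if ($a -gt $b) { return 1 }
    }
    return 0
}

$roots = 'Software\Microsoft\Active Setup\Installed Components',
         'Software\Wow6432Node\Microsoft\Active Setup\Installed Components'  # 32-bit view
$pending = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath "HKLM:\$root")) { continue }
    foreach ($key in Get-ChildItem -LiteralPath "HKLM:\$root") {
        $stub = $key.GetValue('StubPath')
        if (-not $stub) { continue }                 # no StubPath, nothing to execute
        $lmVer  = [string]$key.GetValue('Version')
        $cuPath = "HKCU:\$root\$($key.PSChildName)"
        $cuVer  = $null
        $reason = $null
        if (-not (Test-Path -LiteralPath $cuPath)) {
            $reason = 'HKCU entry missing'
        } else {
            $cuVer = [string](Get-Item -LiteralPath $cuPath).GetValue('Version')
            if ((Compare-ActiveSetupVersion $cuVer $lmVer) -lt 0) {
                $reason = 'HKCU version lower than HKLM'
            }
        }
        if ($reason) {
            [pscustomobject]@{ Component = $key.PSChildName; Reason = $reason
                               HKLM = $lmVer; HKCU = $cuVer; StubPath = $stub }
        }
    }
}
$pending | Format-List
```

An empty result means every stub is already recorded for this user; with a mandatory profile the list reappears at each logon because the HKCU entries are discarded at logoff.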

 

What tools can you use to help isolate these types of issues?

  • Process Monitor can be used to find out whether registry entries are missing for the user at logon. You may find a lot of Not Found entries when the Zones registry key is accessed. You can also access the user's registry remotely while connected as a domain or local administrator, navigate to the Zones key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones] and compare Zones 0, 1, 2, 3 and 4 against a working client machine. If entries are missing under any of these keys, the user profile was not able to fully create these settings during the first logon attempt. This will cause abnormal behavior when visiting internal or external websites or applications.
  • Userenv verbose logging or winlogon ETL tracing. These logs can help you find out whether the profile is generating any errors and give you enough clues to find out what the problem is.
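The Zones comparison against a working client can be scripted. The following PowerShell is an added example, not part of the original post; it runs in the user's own session (so HKCU is that user's hive), and the function names and the baseline file path are hypothetical.

```powershell
# Added example: snapshot the per-user IE Zones keys (0-4) and diff them
# against a baseline exported from a working profile.
$zonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneSnapshot {
    foreach ($zone in 0..4) {
        $path = "$zonesKey\$zone"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Zone = "$zone"; Name = '(zone key missing)'; Value = '' }
            continue
        }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Zone = "$zone"; Name = $name
                               Value = [string]$key.GetValue($name) }
        }
    }
}

function Compare-ZoneBaseline([string]$BaselineCsv) {
    # Index the current profile's values by "zone|name" (case-insensitive keys)
    $current = @{}
    foreach ($c in @(Get-ZoneSnapshot)) { $current["$($c.Zone)|$($c.Name)"] = $c.Value }

    foreach ($b in @(Import-Csv -LiteralPath $BaselineCsv)) {
        $id = "$($b.Zone)|$($b.Name)"
        if (-not $current.ContainsKey($id)) {
            $state = 'Missing'          # present in the working profile only
        } elseif ($current[$id] -ne $b.Value) {
            $state = 'Different'
        } else {
            continue
        }
        [pscustomobject]@{ Zone = $b.Zone; Name = $b.Name; State = $state
                           Baseline = $b.Value; Current = $current[$id] }
    }
}

# Working profile (path is a placeholder):
#   Get-ZoneSnapshot | Export-Csv C:\Temp\zones-baseline.csv -NoTypeInformation
# Problem profile:
#   Compare-ZoneBaseline C:\Temp\zones-baseline.csv | Format-Table -AutoSize
```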

 

TIP: If you encounter issues related to the items outlined in this blog post, consider using Procmon to help you validate the behavior. Among the first actions you can perform:

A: Run C:\WINDOWS\system32\ie4uinit.exe -BaseSettings at logon for the problematic user and see if this fixes any issues related to IE not loading properly in a TS published application or full desktop scenario. (Note: You may also want to run "C:\Windows\SysWOW64\ie4uinit.exe" -BaseSettings when using 64-bit OSs.)

B: Find out if the user profile is missing Zones registry keys. Importing these keys from a working profile can help. If you have IE Enhanced Security, try disabling both the User and Administrator configuration. See the blog post "How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?"

 

 

Article on creating a user profiles:

Comments

  • Anonymous
    February 24, 2015
    Thanks for the post, however, what setting affects the IE icon where it sets the target and start in properties to the %homedrive%? I am in a domain environment and users are mapped to a network drive as their home drive. Recently deployed IE9 to upgrade users from IE8. Launching IE fails because the IE shortcut is pointing to the users' Q drive. How can I change that so at initial logon IE builds to the local instead of the mapped drive?
  • Anonymous
    October 09, 2015
    @AbnrangerX You are branching to a profile scenario and the Active Directory team may be more suitable to answer your question. The risk you run into when redirecting users to external resources are normally linked to performance scenarios, where disk/network IO and other application locking files for access.