Fixing the “Failed to Load Log File” Error in Standard User Analyzer

From time to time, I get an email about Standard User Analyzer that includes a screenshot or a MessageBox text copy (you do know you can control-c a MessageBox and paste just the text, right?) that looks something like this:

Failed to load log file c:\Users\<user name>\AppData\Local\Temp\1\sua: No (valid) log file is found.

It typically is reported by people running Windows Server 2008 or Windows Server 2008 R2. What’s going on?

It turns out that it’s caused by a group policy setting enabled for Terminal Services: Do not use temporary folders per session.

Now, “session” is an unfortunately overloaded term in Windows. There is an LSA Logon Session, and there is a Remote Desktop Session (formerly known as Terminal Services Session). When you log on as a protected administrator (a member of the local administrators group with UAC enabled), you generate two LSA Logon Sessions – one for your filtered token, and one for your full token. However, you live in one Remote Desktop Session. So, it’s legitimately a bug that we’re popping over to a different temp directory for one of your tokens.

However, it’s a bug we’re not going to close at the moment, for application compatibility reasons. This bug has existed since Windows Vista, and those who have come across it have implemented workarounds – workarounds it turns out we break if we fix the bug.

App compat is one of those weird realms for engineers. If we fix bugs, we break apps, and people are unhappy. If we don’t fix bugs, then we still have bugs, and people are unhappy. That’s why we come up with features like SwitchBack and Shims – so new apps can get bug fixes, but old apps continue to get bugs. But it’s hard to always do that perfectly, particularly mid-stream.

So, what do you do to get SUA running? It turns out that you have a couple of workarounds:

  • Run SUA as admin. Most of the time, you’re running on a lab computer anyway, and the tool has an admin dependency, so while I normally caution against this solution for production computers, it’s certainly not the end of the world for a test tool.
  • Disable using temporary folders per session

Hopefully that gets some of you back up and removing admin dependencies.

Preemptive snarky comment: You can also just use LUA Buglight as a workaround. 🙂

Comments (3)

  1. Remko says:

    "Preemptive snarky comment" I usually read those 3 words on Raymond's blog 😀

    Can't we simply apply a shim to the Standard User Analyzer?

  2. Dipu says:

    Hello Chris,

    I did try using the fix you provided but it did not help in my case. I uninstalled and reinstalled ACT 5.6 and AppVerifier again to no avail.

    There are tons of "REPARSE", "NAME NOT FOUND", "BUFFER OVERFLOW", "END OF FILE", "NO MORE FILE" etc on Procmon.

    I will try to reinstall ACT again on another machine. I thought someone in the lab changed the policies so I deliberately moved my machine to its own sub OU and blocked inheritance. And then went into the machine to check for the policy you mentioned and disabled it. Also I tried running SUA as Admin but it did not help.

    BTW, it was working and SUA suggested mitigations, which applied but later removed it from Programs and Features manually as it broke my app.

    Just so you know the OS version is win 7.


  3. Greg Lambert says:

    Hey Chris, thanks for this post – I did not know about the "Switchback" context option. Very nice!
