How to Troubleshoot FSLogix “CORRUPT” Profiles

FSlogix
Trentent Tye
January 24, 2024
Updated on: June 10, 2025
Duration: 12 minutes
Subscribe to our blog
RSS feed

IT troubleshooting is a dark art at the best of times. It involves information gathering, deducing operations based on outputs or results, and then formulating a hypothesis on the root cause and testing the hypothesis. It can be made very hard if the data you need to understand a process is opaque or missing. Fortunately, ControlUp brings visibility to the darkness and augments your ability to gather information. This article details how I used ControlUp to quickly diagnose and resolve a significant challenge: troubleshooting FSLogix corrupt user profiles in a virtual desktop environment.

  1. The Reported Problem
  2. How to Use ControlUp to Gather Targeted FSLogix Data
  3. How to Run Process Monitor (ProcMon) during Logon on Single-Session Machines
  4. How to Adjust the ProcMon Filter Driver Altitude with ControlUp
  5. Parsing the ProcMon Data
  6. Root Cause Analysis

The Reported Problem

A ticket came in that we were running out of disk space on the FSLogix file share. Investigation showed gigabytes of FSLogix user profile containers with “CORRUPT” in their file name. Each time a user logs on, a new “CORRUPT” profile would appear. Some of these were gigabytes in size, some hundreds of megabytes, but overall it was a LOT!

Searching through the FSLogix file share revealed the extent of the issue.

Where do you begin to tackle this issue? With ControlUp, of course!

A line graph displaying performance metrics over time, in this case, it shows all the Corrupt folders that were causing an issue with multiple colored lines representing different data points.
Visualizing performance metrics and analyzing log data, often through tools like ControlUp, is crucial for identifying anomalies and pinpointing the root cause of issues such as FSLogix corrupt profiles.

How to Use ControlUp to Gather Targeted FSLogix Data

I wrote a PowerShell script—converted to a script action within ControlUp—that will parse the FSLogix Profile.log file for the exact session from which this profile container was loaded. To execute the action within ControlUp, right-click on a user session, go to User Environment, and then FSLogix log parser.

A screenshot of a performance monitoring dashboard, likely from ControlUp, showing a list of running processes with real-time metrics such as CPU usage, memory consumption, disk I/O, and network I/O, along with overview graphs for CPU and memory.
Leveraging the comprehensive performance monitoring features of ControlUp allows administrators to precisely identify resource consumption by individual processes, a critical step in diagnosing and resolving issues like FSLogix corrupt profiles.

Upon execution, a dialog displays the action’s results, enabling you to pinpoint precisely when FSLogix flagged the profile as corrupt.

A screenshot of a management or automation tool interface in ControlUp, displaying a 'Script Actions' window with sections for target objects, scope, output destination, and a detailed view of action execution results, including a script editor pane.
Executing targeted script actions and reviewing the detailed output is fundamental to precisely identifying and resolving the underlying causes of FSLogix profile corruption.

By reading the entries around this line, I saw an “ERROR” reported, giving a hint to the cause:

ERROR:00000002 Creating new user profile disk (user’s registry hive was missing) (The system cannot find the file specified.)

This script action removes any noise by focusing just on the activities of this particular user, so by focusing on the timestamps in the log, I saw there was about an 8-second gap. This lies between the lines “DiskContext: mount returning after X milliseconds” and the next line flagged as ERROR “Creating new user profile disk…”

This 8-second gap implies that some kind of processing is happening outside of FSLogix that leads to the failure. In order to determine what was occurring during this time frame, I want to run Process Monitor (ProcMon) for a user login exhibiting this issue, as ProcMon will show everything happening on the machine during that time.

How to Run Process Monitor (ProcMon) during Logon on Single-Session Machines

Running procmon during a user logon is easy when you have a multi-session machine like Windows Server or Windows 10/11 multi-session. But on a single-session client OS like the user I’m working with… It could be cumbersome and time-consuming to set up a machine where I could execute ProcMon without being logged on to the machine.

I’m thinking about how I would do this… I would logon to the machine, set up a scheduled task (as they can be executed remotely), learn the proper command-line parameters to give to procmon, test it, and then probably snapshot the machine. Then, I would contact the user, execute the scheduled task remotely, and have them log in.

That is a ton of work! It becomes more difficult if you want to do it on a machine managed by Citrix Provisioning (PVS) or a Horizon Instant Clone, as you would have to update the master image(s)!

OR… I could take the very simple route of running ProcMon remotely on a machine using a ControlUp script action, “ProcMon—Trace System Activity.” It’s super simple: select a machine (or multiple), right-click, and go under System health > ProcMon—Trace System Activity.

A screenshot of a command line interface displaying log parsing results, with text indicating successful parsing, the number of entries found, and completion, suggesting diagnostic data analysis.
Parsing extensive log files and diagnostic output provides critical insights, allowing administrators to uncover the specific events that lead to FSLogix profile corruption.

In the prompt that appears, I specified a duration longer than the expected logon duration, hit OK, and had the user log on.

A 'Run as' dialog box, likely from a system management tool or Windows, prompting for user credentials (username, password, domain/computer) to execute a program with specified permissions, including an option for running as a non-elevated user.
Utilizing ‘Run as’ functionality allows for precise control over execution permissions, critical for performing diagnostic actions like adjusting ProcMon filter drivers without direct logon, as demonstrated in advanced FSLogix troubleshooting.

The script action will output a dialog detailing where the log file will be saved and when ProcMon will be complete with its trace.

A screenshot of a ControlUp dashboard providing a high-level overview of system performance, showing multiple machines or sessions with columns for CPU, memory, active sessions, logged on users, disk latency, and network latency metrics.
From a unified dashboard, ControlUp provides an immediate overview of your environment’s health, allowing you to quickly spot performance anomalies and identify machines or sessions that might be experiencing FSLogix profile issues.

When I examined this ProcMon file, I had trouble finding anything that showed a failure. I surmised that it may be due to ProcMon’s filter driver altitude. A lower value will see activities on drivers above it, but not vice versa. I can get a list of filter drivers by running the ControlUp Script Action: Filter Driver Altitude.

A screenshot of a file explorer or management console displaying a list of directories, including columns for Name, Size, Items, Owner, Created, and Last Modified dates, suggesting a view of user profile folders or shared storage.
Examining directory properties and permissions within the shared profile storage is a critical step in troubleshooting FSLogix corrupt profiles, often revealing underlying access or ownership issues.

To see where ProcMon is on the altitude list, I needed to run ProcMon on the machine first to get the driver installed. Once that was done, I ran the script action and got the following result:

A screenshot displaying a file path, specifically a UNC path to an FSLogix Profile.log file, such as \\\\server\\share\\users\\username_SID\\Profile.log, indicating the location of diagnostic logs.
The ProcMon filter driver is identified by the red arrow, and the FSLogix filter driver is identified by the yellow arrow.

 

The ProcMon driver is loaded above the FSLogix filter drivers. Activities managed by the FSLogix filter drivers (beginning with the letters frx) won’t be seen by Process Monitor.

Adjusting the ProcMon Filter Driver Altitude with ControlUp

I need to load the ProcMon filter driver below the FSLogix filter drivers. The challenge, again, is to do so without having to log on to a single session desktop first. Fortunately, ControlUp offers a solution: Run As. This feature is available in the ControlUp console by right-clicking on a machine, going to Processes, and selecting Run As.

A screenshot of a user session monitoring dashboard, likely within ControlUp, displaying a list of users with columns for Logon Time, Application Latency, Desktop Latency, and Active Sessions, alongside a performance graph at the top.
Monitoring user session details and performance metrics, including logon times and various latencies, provides vital clues to identify and troubleshoot issues like FSLogix corrupt profiles that can impact user experience.

This brings up a dialog where we can specify a command to execute. I copied procmon.exe to the machine and ran the following command:

C:\swinst\procmon.exe /altitude 42000 /accepteula /quiet /runtime 1

A screenshot of a file explorer window displaying a network share containing FSLogix user profile containers, with folders named by user SIDs and usernames (e.g., 'S-1-5-21...-user.V6'), showing details like date modified, type, and size.
Directly inspecting FSLogix profile containers on the file share, often identified by user SIDs and version numbers, is essential for confirming the presence of profile files and diagnosing issues like corruption or accessibility problems.

This sets the altitude of the ProcMon filter driver to 42,000 from its original value of 385,200.

After executing the command and re-running the Filter Driver Altitude script action, I confirmed that the ProcMon was now lower in altitude.

A diagram or flowchart illustrating the interaction between ControlUp, FSLogix, and profile storage, depicting a system architecture or troubleshooting workflow for virtual desktop environments.
Understanding the interconnected architecture of ControlUp, FSLogix, and user profile storage is key to effective troubleshooting and quickly resolving issues like corrupt profiles.

At this point, I ran the Procmon – Trace System Activity again while the user was logging on. Once the user completed their logon, I re-ran the FSLogix Log Parser script action to find the time frame of the “corrupt” error message. The same ~8-second gap existed again.

A screenshot of a 'Properties' dialog box, likely for an FSLogix profile container or related folder, displaying general information such as file type, location, size, and dates created, modified, and accessed, with tabs for Security and Sharing settings.
Inspecting the properties of FSLogix profile containers, particularly their size, timestamps, and crucially, their security permissions, is a fundamental step in diagnosing and rectifying issues leading to corrupt profiles.

Parsing the ProcMon Data

I found the time frames in the Procmon log, right-clicked on the time before the error time in the log, and chose Exclude Events Before… Then, I found a time after the 8-second gap, right-clicked on the time, and selected Exclude Events After…

In order to see failures in ProcMon more clearly, I went to the Filter menu, selected Highlight, and added a rule Result is not SUCCESS, then include. This will highlight all results that are not successful. It’s a neat little trick to bring visibility to “errors” in the trace.

A screenshot of the 'Security' tab within a file or folder's 'Properties' dialog, displaying user and group permissions such as Full control, Modify, Read & execute, and Write, relevant for troubleshooting file access issues.
Properly configured security permissions on FSLogix profile shares are paramount; issues with access rights, as seen in this permissions view, are a common root cause of profile corruption.

A symptom of these user logons is that a Temp profile is created. This gives me some data to search for within ProcMon. I found the moment it made the Temp directory. An oddity here is that FSLogix set the profile value to C: UsersTemp. FSLogix doesn’t come up with this value; it gets it from somewhere else.

A Windows Security dialog box prompting the user to allow the 'ControlUp Monitor Service' to make changes to the device, with 'Verified publisher: ControlUp LTD' displayed, and 'Yes' and 'No' buttons
When ControlUp components require elevated permissions to perform diagnostic or remediation actions, standard Windows Security prompts ensure proper authorization, facilitating secure and effective troubleshooting of issues like FSLogix corrupt profiles.

I searched for more instances of this path and found the moment it was created. ProcMon is so good for this. You can see the first arrow from the top is the User Profile Service checking if the path exists (NOT FOUND), and then it actually creates it! It’s so cool to see this.

Why did the User Profile Service think it needed to create a Temp directory?

A neat behavior of Windows apps/service is that they will read registry keys and values in response to stuff. I found the User Profile Service trying to read a registry value ProfileErrorAction. This registry value is an action that should be taken if Windows can’t load its profile. By default, Windows logs on the user with a temporary profile when Windows can’t load their user profile. This is exactly what is occurring, so Windows found it couldn’t load the profile, and at this point, it needed to make a decision about what to do about it. So the error occurred before this point.

A screenshot of a Process Monitor (Procmon) results viewer within a tool like ControlUp, displaying detailed system operations including time, process name, operation type (e.g., ReadFile, WriteFile), file path, result (e.g., SUCCESS, FAST IO DISALLOWED), and additional details.
Analyzing detailed Process Monitor (Procmon) traces, readily accessible through ControlUp, is instrumental in identifying the exact file operations and access failures that lead to FSLogix profile corruption.

When looking through the event log, I remembered that the User Profile Service logged an error:

Event ID 1521—”Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

DETAIL – Access is denied.”

Screenshot of the Windows Event Viewer showing a User Profile Service error (Event ID 1521) indicating access denial when trying to load a roaming profile.

Denials typically happen on registry and file system activity. I enabled only File System activity in ProcMon and found some big red flags.

A path to a file share was getting denied.

Screenshot of Process Monitor showing access denied errors when FSLogix tries to read profile and metadata files on a network share, with red arrows highlighting "ACCESS DENIED" events related to the vhdx and v6 profile paths.

When I had the user attempt to navigate to that share, they got the big, bold Windows cannot access error message:

Screenshot of a Windows Network Error dialog box stating that access to \\fileshare01.acmeorg.net\Profiles is denied, with instructions to contact a network administrator for permission.

When processes query the registry for values, those values end up in the Details column in ProcMon.

I added a filter to see where or if this path was being read. Sure enough, it was! There is a Roaming Profile Group Policy value in place:

A screenshot of a Registry Editor showing different files in a folder system

Root Cause Analysis

What is the end result? I had a user who couldn’t access a file share on which the User Profile Service needs to create profiles. Since the User Profile Service couldn’t access the share, it marked the profile as temporary, preventing FSLogix from saving anything, including the NTUSER.DAT, when the user logs off. Upon the next login, FSLogix noticed the missing NTUSER.DAT, marked the profile as corrupt, and created a new profile container.

How did I solve this? I added the user to the appropriate group that grants access to this share. Now, the User Profile Service can successfully create the profile for that user, and FSLogix can create good, working profile containers.

Key Takeaways

  • Troubleshooting complex issues, like FSLogix Corrupt profiles, demands deep visibility into system processes and file operations.
  • File share access issues are a common culprit for FSLogix profile corruption, often leading to temporary profile creation.
  • ControlUp provides essential tools and insights, such as parsing FSLogix logs and analyzing Process Monitor data, to pinpoint root causes efficiently.
  • Leveraging ControlUp’s capabilities, including its ‘Run As’ feature and detailed process monitoring, enables precise diagnosis and swift resolution by identifying and correcting permission or access discrepancies.
  • Ultimately, ensuring correct file share permissions is crucial for stable FSLogix profile management.

Solve Your FSLogix Problems—and More!

ControlUp was built to recognize issues, assist in information gathering, and make remediation easy.

Check out how ControlUp can benefit your FSLogix environment today. Schedule a personalized demo today!

Trentent Tye

Trentent Tye, a Tech Person of Interest, is based out of Canada and its many, many feet of snow. FUN FACT: Trentent came to ControlUp because, as a former customer, the product impacted his life in so many positive ways—from reducing stress, time to remediation, increased job satisfaction, and more—he had to be our evangelist. Now an integral part of ControlUp’s Product Marketing Team, he educates our customers, pours his heart and soul into the product, and generally makes ControlUp a better place. Trentent recently moved to be closer to family. He does not recommend moving during a pandemic.