zeezam Posted March 27, 2012

Having this issue several times for our users.
Something makes the Windows profile corrupt so they got logged in as a temporary profile.
This is what I can find in the event log:
Is it Symantec that is causing the trouble?

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/27/2012 8:46:56 AM
Event ID: 1530
Task Category: None
Level: Varning
Keywords:
User: SYSTEM
Computer: idg000578.idg.local
Description:
Windows har upptäckt att din registerfil fortfarande används av andra program eller servrar. Filen tas nu bort ur minnet. Programmen eller tjänsterna som använder registerfilen kanske inte fungerar korrekt efter detta.

INFORMATION - 2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-03-27T06:46:56.185206800Z" />
    <EventRecordID>16864</EventRecordID>
    <Correlation />
    <Execution ProcessID="936" ThreadID="2588" />
    <Channel>Application</Channel>
    <Computer>idg000578.idg.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks</Data>
  </EventData>
</Event>

Din profil kan inte läsas in, så du har loggats in med datorns standardprofil. INFORMATION - Åtkomst nekad.

Windows har upptäckt att din registerfil fortfarande används av andra program eller servrar. Filen tas nu bort ur minnet. Programmen eller tjänsterna som använder registerfilen kanske inte fungerar korrekt efter detta.

INFORMATION - 59 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-2237:
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\MSF\Registration\Listen
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\HomeGroup\Printers

Tripredacus Posted March 27, 2012

I never researched it myself, but I have a server that has this problem. It doesn't have Symantec anything on it. There seems to be a few different attempts or solutions for this, try these out:
http://windows.microsoft.com/en-US/windows-vista/fix-a-corrupted-user-profile
http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/5ec0b949-effa-4e30-ba09-dc948a4c7a8b

cluberti Posted March 27, 2012

Note that this one is actually something I see a lot of times with Symantec Endpoint Protection's COM surrogate process which actually hooks running processes (and it is actually called out explicitly in this particular event log), but Trip is correct - anything can technically cause it to happen. However, the handles being left open are indeed the cause of the profile unload not occurring, and if a user's profile is still locked, their next logon (until a reboot) will be with a temporary profile.

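A way to check which executables hold the leaked handles across Event ID 1530 records, added here as an example and not part of any post in this thread. The function name Get-LeakedHandleSummary and the sample text are assumptions: the sample is constructed in the "Process <pid> (<image>) has opened key <key>" format shown in the log above, with a placeholder SID.

```powershell
# Added example: tally the executables named in Event ID 1530 handle-leak details.
# Get-LeakedHandleSummary is a hypothetical helper name, not a built-in cmdlet.
function Get-LeakedHandleSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Detail
    )
    begin {
        # The image path can contain parentheses ("Program Files (x86)"), so it is
        # matched lazily up to ") has opened key". The key runs to the next
        # "Process <pid> (" or to the end of the text, which also copes with
        # entries that have been run together without line breaks.
        $pattern = 'Process (?<Id>\d+) \((?<Image>.+?)\) has opened key ' +
                   '(?<Key>\\REGISTRY\\USER\\.+?)(?=\s*Process \d+ \(|\s*$)'
        $opts = [System.Text.RegularExpressions.RegexOptions]'IgnoreCase, Singleline'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($m in [regex]::Matches($Detail, $pattern, $opts)) {
            $hits.Add([pscustomobject]@{
                ProcessId = [int]$m.Groups['Id'].Value
                Image     = ($m.Groups['Image'].Value -split '\\')[-1]
                Key       = $m.Groups['Key'].Value
            })
        }
    }
    end {
        # One row per executable, most leaked handles first.
        $hits | Group-Object Image | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                Image      = $_.Name
                Handles    = $_.Count
                ProcessIds = ($_.Group.ProcessId | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Constructed sample in the format shown in the thread; the SID is a placeholder.
$SampleDetail = @'
3 user registry handles leaked from \Registry\User\S-1-5-21-0-0-0-1001:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\Software
'@

$SampleDetail | Get-LeakedHandleSummary | Format-Table -AutoSize

# On a live host, feed it the real events (provider and ID as shown in the log above):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530
#     ProviderName = 'Microsoft-Windows-User Profiles Service' } |
#     ForEach-Object Message | Get-LeakedHandleSummary
```

The handle list is in English even when the event description is localized, as in the Swedish log above, so the same pattern applies regardless of display language.
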
zeezam Posted March 29, 2012 (Author)

> Note that this one is actually something I see a lot of times with Symantec Endpoint Protection's COM surrogate process which actually hooks running processes (and it is actually called out explicitly in this particular event log), but Trip is correct - anything can technically cause it to happen. However, the handles being left open are indeed the cause of the profile unload not occurring, and if a user's profile is still locked, their next logon (until a reboot) will be with a temporary profile.

Yes. It seems to be a problem with the Symantec client.

Local user profiles become corrupted on Windows Vista and Windows 7 computers
Fix ID: 2291558
Symptom: Users are unable to log on to their local Windows profiles.
Solution: The method that Rtvscan.exe uses to monitor the user's scheduled scan registry has been enhanced to resolve this issue
http://www.symantec.com/business/support/index?page=content&id=TECH103087

symthomas Posted March 30, 2012

As pointed out earlier, this issue was addressed in RU7. I suggest upgrading, the latest build available is RU7 MP1.
Log into your Fileconnect account with a valid serial number to get the newest versions of the software.
Version List - http://www.symantec.com/business/support/index?page=content&id=TECH156226