Problem with windows 7 profile

[zeezam]

Having this issue several times for our users.

Something makes the windows profile corrupt so they got logged in as a temporary profile.

This is what I can find in the event log:

Is it Symantec that causing the trouble?

Log Name: Application

Source: Microsoft-Windows-User Profiles Service

Date: 3/27/2012 8:46:56 AM

Event ID: 1530

Task Category: None

Level: Varning

Keywords:

User: SYSTEM

Computer: idg000578.idg.local

Description:

Windows har upptäckt att din registerfil fortfarande används av andra program eller servrar. Filen tas nu bort ur minnet. Programmen eller tjänsterna som använder registerfilen kanske inte fungerar korrekt efter detta.

INFORMATION -

2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:

Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500

Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />

<EventID>1530</EventID>

<Version>0</Version>

<Level>3</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x8000000000000000</Keywords>

<TimeCreated SystemTime="2012-03-27T06:46:56.185206800Z" />

<EventRecordID>16864</EventRecordID>

<Correlation />

<Execution ProcessID="936" ThreadID="2588" />

<Channel>Application</Channel>

<Computer>idg000578.idg.local</Computer>

<Security UserID="S-1-5-18" />

</System>

<EventData Name="EVENT_HIVE_LEAK">

<Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:

Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500

Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

</Data>

</EventData>

</Event>

Din profil kan inte läsas in, så du har loggats in med datorns standardprofil.

INFORMATION - Åtkomst nekad.

Windows har upptäckt att din registerfil fortfarande används av andra program eller servrar. Filen tas nu bort ur minnet. Programmen eller tjänsterna som använder registerfilen kanske inte fungerar korrekt efter detta.

INFORMATION -

59 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-2237:

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\MSF\Registration\Listen

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople

Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell\Bags\1\Desktop

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates

Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion

Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion

Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\HomeGroup\Printers

[Tripredacus]

I never researched it myself, but I have a server that has this problem. It doesn't have Symantec anything on it.

There seems to be a few different attempts or solutions for this, try these out:

http://windows.microsoft.com/en-US/windows-vista/fix-a-corrupted-user-profile

http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/5ec0b949-effa-4e30-ba09-dc948a4c7a8b

[cluberti]

Note that this one is actually something I see a lot of times with Symantec Endpoint Protection's COM surrogate process which actually hooks running processes (and it is actually called out explicitly in this particular event log), but Trip is correct - anything can technically cause it to happen. However, the handles being left open are indeed the cause of the profile unload not occuring, and if a user's profile is still locked, their next logon (until a reboot) will be with a temporary profile.

[zeezam]

Note that this one is actually something I see a lot of times with Symantec Endpoint Protection's COM surrogate process which actually hooks running processes (and it is actually called out explicitly in this particular event log), but Trip is correct - anything can technically cause it to happen. However, the handles being left open are indeed the cause of the profile unload not occuring, and if a user's profile is still locked, their next logon (until a reboot) will be with a temporary profile.

Yes. It seems to be problem with the symantec client.

Local user profiles become corrupted on Windows Vista and Windows 7 computers

Fix ID: 2291558

Symptom: Users are unable to log on to their local Windows profiles.

Solution: The method that Rtvscan.exe uses to monitor the user's scheduled scan registry has been enhanced to resolve this issue

http://www.symantec.com/business/support/index?page=content&id=TECH103087

[symthomas]

As pointed out earlier, this issue was addressed in RU7. I suggest upgrading, the latest build available is RU7 MP1.

Log into your Fileconnect account with a valid serial number to get the newest versions of the software.

Version List - http://www.symantec.com/business/support/index?page=content&id=TECH156226