MSFN Forum: Problem with windows 7 profile - MSFN Forum


Problem with Windows 7 profile: logged in as temporary profile

#1 zeezam

Posted 27 March 2012 - 02:23 AM

Having this issue several times for our users.

Something makes the Windows profile corrupt, so they get logged in as a temporary profile.


This is what I can find in the event log:

Is it Symantec that is causing the trouble?

Quote

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/27/2012 8:46:56 AM
Event ID: 1530
Task Category: None
Level: Varning
Keywords:
User: SYSTEM
Computer: idg000578.idg.local
Description:
Windows har upptäckt att din registerfil fortfarande används av andra program eller servrar. Filen tas nu bort ur minnet. Programmen eller tjänsterna som använder registerfilen kanske inte fungerar korrekt efter detta.

INFORMATION -
2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-03-27T06:46:56.185206800Z" />
<EventRecordID>16864</EventRecordID>
<Correlation />
<Execution ProcessID="936" ThreadID="2588" />
<Channel>Application</Channel>
<Computer>idg000578.idg.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData name="EVENT_HIVE_LEAK">
<Data name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
</Data>
</EventData>
</Event>



Din profil kan inte läsas in, så du har loggats in med datorns standardprofil.

INFORMATION - Åtkomst nekad.




Windows har upptäckt att din registerfil fortfarande används av andra program eller servrar. Filen tas nu bort ur minnet. Programmen eller tjänsterna som använder registerfilen kanske inte fungerar korrekt efter detta.

INFORMATION -
59 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-2237:
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\MSF\Registration\Listen
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion
Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion
Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\HomeGroup\Printers




#2 Tripredacus

Posted 27 March 2012 - 07:58 AM

I never researched it myself, but I have a server that has this problem. It doesn't have Symantec anything on it.

There seem to be a few different attempts or solutions for this; try these out:
http://windows.micro...ed-user-profile
http://social.techne...09-dc948a4c7a8b

#3 cluberti

Posted 27 March 2012 - 01:59 PM

Note that this one is actually something I see a lot of times with Symantec Endpoint Protection's COM surrogate process which actually hooks running processes (and it is actually called out explicitly in this particular event log), but Trip is correct - anything can technically cause it to happen. However, the handles being left open are indeed the cause of the profile unload not occurring, and if a user's profile is still locked, their next logon (until a reboot) will be with a temporary profile.
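
Event 1530 in post #1 names every process that still held a handle on the user's registry hive when the profile was unloaded. As an added example (not part of the original thread), the Python below parses an exported event 1530 and tallies the holders per image; the function names and the rule that treats any image outside \Windows\ as third-party are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEADER_RE = re.compile(r"(\d+) user registry handles leaked from \\Registry\\User\\(S-[0-9-]+)")
HANDLE_RE = re.compile(r"Process (\d+) \((.+)\) has opened key (.+)$")

# Sample input: the Event Xml posted in this thread, trimmed to the fields used here.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID>1530</EventID>
<Computer>idg000578.idg.local</Computer>
</System>
<EventData name="EVENT_HIVE_LEAK">
<Data name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
</Data>
</EventData>
</Event>"""


def parse_hive_leak(event_xml):
    """Return a summary of one event 1530, or None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1530":
        return None
    detail = ""
    for data in root.iterfind("e:EventData/e:Data", NS):
        # Accept both Name= and name= (the copy in this thread shows lowercase).
        if (data.get("Name") or data.get("name")) == "Detail":
            detail = data.text or ""
    header = HEADER_RE.search(detail)
    handles = []
    for line in detail.splitlines():
        m = HANDLE_RE.match(line.strip())
        if m:
            handles.append({"pid": int(m.group(1)), "image": m.group(2), "key": m.group(3)})
    by_image = Counter(h["image"].rsplit("\\", 1)[-1] for h in handles)
    declared = int(header.group(1)) if header else None
    return {
        "sid": header.group(2) if header else None,
        "declared": declared,
        "handles": handles,
        "by_image": by_image,
        # A mismatch means the detail text was truncated or the format changed.
        "complete": declared == len(handles),
    }


def third_party_holders(report):
    """Image names of handle holders that do not live under \\Windows\\ (assumed rule)."""
    names = {h["image"].rsplit("\\", 1)[-1] for h in report["handles"]
             if "\\windows\\" not in h["image"].lower()}
    return sorted(names)


if __name__ == "__main__":
    report = parse_hive_leak(SAMPLE_EVENT)
    print(report["sid"], dict(report["by_image"]), third_party_holders(report))
```

Run over every event 1530 collected from a fleet, the per-image tally shows whether one product accounts for most leaked handles or whether the holders vary from machine to machine.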

#4 zeezam

Posted 29 March 2012 - 02:31 AM

cluberti, on 27 March 2012 - 01:59 PM, said:

Note that this one is actually something I see a lot of times with Symantec Endpoint Protection's COM surrogate process which actually hooks running processes (and it is actually called out explicitly in this particular event log), but Trip is correct - anything can technically cause it to happen. However, the handles being left open are indeed the cause of the profile unload not occurring, and if a user's profile is still locked, their next logon (until a reboot) will be with a temporary profile.



Yes. It seems to be a problem with the Symantec client.

Quote

Local user profiles become corrupted on Windows Vista and Windows 7 computers
Fix ID: 2291558
Symptom: Users are unable to log on to their local Windows profiles.
Solution: The method that Rtvscan.exe uses to monitor the user's scheduled scan registry has been enhanced to resolve this issue


http://www.symantec....t&id=TECH103087


#5 symthomas

Posted 30 March 2012 - 08:06 AM

As pointed out earlier, this issue was addressed in RU7. I suggest upgrading; the latest build available is RU7 MP1.

Log into your Fileconnect account with a valid serial number to get the newest versions of the software.


Version List - http://www.symantec....t&id=TECH156226
