Corrupt Profiles lead to nearly empty desktops, Win2k3 & XPSP1 Cli


Guest

Basic problem a user sees: The user logs in and gets a blank desktop with no
drive mappings and no desktop shortcuts or Internet Explorer Favorites.

Technical problem: The profile is locked and will not unload, so the next
time the user logs in, another new (empty) profile is made for the user, and
the user is told either that they're being logged in with a temporary
profile, or a similar error message. A string of profile directories can be
created (username, username.000, username.001, etc.) in the Documents and
Settings directory, and technical support must spend time fixing the impacted
user by copying over user data, desktop icons, internet shortcuts,
reconfiguring software, and the like.

Error message:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1517
Description:
Windows saved user ComputerName\UserName registry while an application or
service was still using the registry during log off. The memory used by the
user's registry has not been freed. The registry will be unloaded when it is
no longer in use. This is caused by services running as a user account, try
configuring the services to run in either the LocalService or NetworkService
account.

Overview:

Profiles do not unload successfully, so Microsoft Support KB 837115 was
consulted (http://support.microsoft.com/default.aspx?scid=kb;en-us;837115).
UPHClean was installed on the impacted machines, and logging was turned on in
order to see what programs or threads had a lock on the user profile.

Here is the list of threads that are locking the profile open, per
Microsoft's UPHClean, error 1201:

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1201
Date: 8/17/2005
Time: 4:06:26 PM
User: XXYYZZ\XXYYZZ
Computer: XXYYZZ
Description:
The following handles in user profile hive XXYYZZ\XXYYZZ
(S-1-5-21-4135613065-917552800-1533411840-18239) have been closed because
they were preventing the profile from unloading successfully:

svchost.exe (684)
HKCU (0x4a0)
0x77e2a1aa ADVAPI32!CredFree+0x6c1
0x773418c0 comctl32!InitCommonControlsEx+0x1f7
0x773424bb comctl32!RemoveWindowSubclass+0x4e5
0x77341a0c comctl32!InitCommonControlsEx+0x343
0x77f56771 ntdll!RtlCreateHeap+0xf20
0x77f6151e ntdll!LdrGetProcedureAddress+0x5b6
0x77f570e0 ntdll!LdrLoadDll+0x1c5
0x77e7d854 kernel32!LoadLibraryExW+0xc8
0x77e73b70 kernel32!LoadLibraryW+0xd
0x7cd532fb SHELL32!Ordinal646+0x8ff
0x7cd29cea SHELL32!Ordinal517+0x29cea
0x77f5b42c ntdll!LdrInitializeThunk+0x24
0x77f56771 ntdll!RtlCreateHeap+0xf20
0x77f6151e ntdll!LdrGetProcedureAddress+0x5b6
0x77f570e0 ntdll!LdrLoadDll+0x1c5
0x77e7d854 kernel32!LoadLibraryExW+0xc8
0x77e73b70 kernel32!LoadLibraryW+0xd
0x7641ae0d msi!MsiAdvertiseScriptW+0x2a6b
0x7642853f msi!MsiEnumProductsW+0x4878
0x764209a3 msi!MsiAdvertiseScriptW+0x8601
0x00350046 <no module>!<no symbol>


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

This is consistent across many, many machines. Users still get corrupt
profiles, even after UPHClean is installed. The list of threads keeping a
profile open can be seen almost every time some users log out of an impacted
machine.

I need to know what is causing these locked profiles. Does the list of
threads locking the profile tell anyone anything? Can a Microsoft DS Support
Professional tell me anything more from a KB search?

USERENVDEBUGLEVEL = 10002 will be set on a few hundred PCs in the domain,
and I'm hopeful that the userenv.log files will tell me something; is anyone
aware of a tool to parse those files for profile errors or issues?

Thank you.
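
As an added example (not part of the original post and not a Microsoft tool), the Python sketch below parses UPHClean event descriptions of the shape quoted in this thread and tallies which modules appear in the call stacks, per process, across many events. The sample text, its account and SID, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the event descriptions quoted above
# (account, SID and the second process are made up; the stack is abbreviated).
SAMPLE = """\
The following handles in user profile hive EXAMPLE\\alice
(S-1-5-21-1111111111-2222222222-3333333333-1001) have been closed because
they were preventing the profile from unloading successfully:

svchost.exe (684)
HKCU (0x4a0)
0x77e2a1aa ADVAPI32!CredFree+0x6c1
0x773418c0 comctl32!InitCommonControlsEx+0x1f7
0x7641ae0d msi!MsiAdvertiseScriptW+0x2a6b
0x00350046 <no module>!<no symbol>

winlogon.exe (412)
HKCU (0x2f8)
"""

HEADER = re.compile(r"hive\s+(?P<account>\S+)\s+\((?P<sid>S-1-[\d-]+)\)\s+"
                    r"have\s+been\s+(?P<action>closed|remapped)")
PROC = re.compile(r"^(?P<image>\S+\.exe) \((?P<pid>\d+)\)$", re.I)
HANDLE = re.compile(r"^(?P<key>HK.*?) \((?P<handle>0x[0-9a-f]+)\)$", re.I)
FRAME = re.compile(r"^0x[0-9a-f]+ (?P<module>[^!]+)!(?P<symbol>.+)$", re.I)

def parse_event(description):
    """Return (account, sid, action, handles) for one event description."""
    m = HEADER.search(description)
    if not m:
        raise ValueError("not a UPHClean handle event description")
    handles, proc = [], None
    for line in map(str.strip, description.splitlines()):
        if p := PROC.match(line):
            proc = (p["image"].lower(), int(p["pid"]))
        elif (h := HANDLE.match(line)) and proc:
            handles.append({"process": proc[0], "pid": proc[1],
                            "key": h["key"], "handle": h["handle"], "frames": []})
        elif (f := FRAME.match(line)) and handles:
            handles[-1]["frames"].append((f["module"].lower(), f["symbol"]))
    return m["account"], m["sid"], m["action"], handles

def module_tally(descriptions):
    """Count each (process, module) pair once per leaked handle."""
    tally = Counter()
    for text in descriptions:
        for h in parse_event(text)[3]:
            modules = {mod for mod, _ in h["frames"]} or {"(no call stack)"}
            tally.update((h["process"], mod) for mod in modules)
    return tally

if __name__ == "__main__":
    for (process, module), n in module_tally([SAMPLE]).most_common():
        print(f"{n:4d}  {process:<14} {module}")
```

Fed the description text of every 1201/1401 event exported from the affected machines, the tally shows which modules recur in the stacks that opened the leaked handles, which is where a non-OS component would stand out.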
 
I'm getting exactly the same error in our domain!

During last weekend we relaunched our network with Server 2003 and XP Pro
SP2 and set up 100 machines with 5 servers. Yesterday we enabled the
roaming profiles for each user and had the same symptoms! My way of getting
rid of the problem seemed to be the same as yours: installing the UPHClean
service as described in KB837115, but without any effect. Our workaround was
to disable the roaming profiles, which is not a satisfying situation. I also
changed the Reg Key "waituntilservicekill" to 1000 on a test machine but I
assume that the profiles still won't close clean. Some details of our
environment:

All systems are P4 2.8 or 3 GHz with 512 MB RAM on an Intel 845G chipset (ASUS
P5P800VM)
We are using Kaspersky AV Version 5.x with Administrator Kit 5.x
All machines have Office 2003 SBE installed
UltraVNC incl. HookDriver
Adobe Acrobat Reader 7.05
20% of the systems have some individual software installed

The server systems are running on Server 2003 SP1

I hope anyone has an approach for a solution.
 
Thanks for the reply. We have XP Pro SP1, and no roaming profiles, but it's
a problem here too.

Basic software includes:
Scalable Software "Survey" software
McAfee v7.0
...not that much else, really. A few components and software, but not a lot
of kernel-level stuff.

We do have waituntilservicekill:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"WaitToKillServiceTimeout"="3000"

but that's a pretty good wait there.

What do your UPHClean logs (be sure to turn on CallStackLog feature) show?
Anything interesting pointing to the service or software causing the issue?
It should... go over the UPHClean docs and turn on everything and you should
get some detailed reports.
 
This is what I get without enabling any further Logging Options:

Ereignistyp: Informationen
Ereignisquelle: UPHClean
Ereigniskategorie: Keine
Ereigniskennung: 1401
Datum: 08.11.2005
Zeit: 19:17:44
Benutzer: SALUS03\tmf103
Computer: WST-03-069
Beschreibung:
The following handles in user profile hive SALUS03\tmf103
(S-1-5-21-2809045491-4103733910-460318220-1174) have been remapped because
they were preventing the profile from unloading successfully:

svchost.exe (912)
HKCU (0x3b0)


Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter
http://go.microsoft.com/fwlink/events.asp.

Sorry: It's in German! Later that day I will turn on some more log options
and post the result!

 
All right! I got a more detailed UPHClean log:
Sorry it took some time because we have quite a lot of work with the network
relaunch!

Ereignistyp: Informationen
Ereignisquelle: UPHClean
Ereigniskategorie: Keine
Ereigniskennung: 1401
Datum: 09.11.2005
Zeit: 19:18:05
Benutzer: SALUS03\xxx
Computer: WST-03-069
Beschreibung:
The following handles in user profile hive SALUS03\Administrator
(S-1-5-21-2809045491-4103733910-460318220-500) have been remapped because
they were preventing the profile from unloading successfully:

svchost.exe (908)
HKCU (0x3ac)
0x77e0b4b7 ADVAPI32!<no symbol>
0x77dd72b1 ADVAPI32!IsTextUnicode+0x9cb4
0x77da6b20 ADVAPI32!RegOpenKeyExW+0xa8
0x77da773e ADVAPI32!RegOpenKeyW+0x2f
0x77dab2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
0x77dab296 ADVAPI32!SaferComputeTokenFromLevel+0x541
0x77da9e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
0x7c818d2c kernel32!GetNlsSectionName+0x10cb
0x77dc7838 ADVAPI32!CreateProcessAsUserW+0xc3
0x76a642fd rpcss!<no symbol>
0x76a5deaf rpcss!<no symbol>
0x77e59dc9 RPCRT4!CheckVerificationTrailer+0x75
0x77ed321a RPCRT4!NdrStubCall2+0x215
0x77ed36ee RPCRT4!NdrServerCall2+0x19
0x77e5988c RPCRT4!NdrGetTypeFlags+0x1c9
0x77e597f1 RPCRT4!NdrGetTypeFlags+0x12e
0x77e5971d RPCRT4!NdrGetTypeFlags+0x5a
0x77e5bd0d RPCRT4!NdrConformantArrayFree+0x42e
0x77e5bb6a RPCRT4!NdrConformantArrayFree+0x28b
0x77e56784 RPCRT4!I_RpcBCacheFree+0x14c
0x77e56c22 RPCRT4!I_RpcBCacheFree+0x5ea
0x77e56a3b RPCRT4!I_RpcBCacheFree+0x403
0x77e56c0a RPCRT4!I_RpcBCacheFree+0x5d2
0x7c80b50b kernel32!GetModuleFileNameA+0x1b4


Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter
http://go.microsoft.com/fwlink/events.asp.

Does not make any sense to me!

 
I've got it!!!

For me the solution is obviously simple! I thought it must have something to
do with the client-side environment! 2 minutes ago I turned off the AV engine
on our file server and there you go ... no logoff troubles ... even if the
profile is newly generated.
The damn fact is that I called Kaspersky 2 days ago and asked if it
could be a problem depending on our AV constellation and they assured me that
they never heard about such problems. Bet they get another call tomorrow!!!

I hope you get rid of that problem soon, because it really sucks!

With best regards

D. Kuhn.

