HKLM\Software key grayed out

Matt Nowell

Good morning,

The details:

Windows 2000 SP4
IIS 5
.Net Framework 1.1
SQL 2000 SP3


The problem: HKLM\Software key becomes intermittently inaccessible. This
occurs on both a development box and a production box (both similarly loaded
to the specs above). I'd post some event log messages, but there aren't any
that seem relevant to the problem. A reboot resolves the problem, but we've
had it reoccur.

Originally we'd thought that the symptoms were limited to the scheduled TSM
backups failing (couldn't read the password from the registry).
Unfortunately, we now have the problem that there's a process run that
schedules a job using Task Scheduler. That fails, due to the registry
problems.

I've attempted to take ownership of the key, but the dialog fails with
"Unable to display security permissions." Searches on Google and MSKB come
up with nothing (so far). I'd like to resolve the problem without
rebooting the server if possible.

I'll be happy to gather/post any additional information that might prove
useful.

Thanks,

Matt Nowell
 
Mark V

In said:
> Good morning,
>
> The details:
>
> Windows 2000 SP4
> IIS 5
> .Net Framework 1.1
> SQL 2000 SP3
>
> The problem: HKLM\Software key becomes intermittently
> inaccessible. This occurs on both a development box and a
> production box (both similarly loaded to the specs above). I'd
> post some event log messages, but there aren't any that seem
> relevant to the problem. A reboot resolves the problem, but
> we've had it reoccur.
>
> Originally we'd thought that the symptoms were limited to the
> scheduled TSM backups failing (couldn't read the password from
> the registry). Unfortunately, we now have the problem that
> there's a process run that schedules a job using Task Scheduler.
> That fails, due to the registry problems.

I should try running REGMON (Sysinternals) to see if the relevant
registry writes (assumed) can be logged.

> I've attempted to take ownership of the key, but the dialog
> fails with "Unable to display security permissions." Searches

Yet this is gone on a reboot? Initially it sounds somewhat like
corrupt security data in the SOFTWARE hive (which usually means
replace from last available backup hive file). But clearing on
reboot makes it seem more like some active process is modifying or
locking the key. See if Regmon can show you what process is
(presumably) "messing" things up.

I assume that Anti-* tools have been run on the system and came up
clean. I assume the process list is "normal" and that none of the
event log entries are unexpected or unexplained. Have you thought
to run RootkitRevealer (Sysinternals) just to eliminate one set of
possibilities? (the system should be quiescent for this RKR run)

Just some initial ideas to look at. Anything more you can think of
there to post, may be useful to others here.
 
Matt Nowell

Thanks for the response!

I hadn't originally thought about spyware or viruses, since this is a server
that we "shouldn't" be surfing from. That said, I discovered after an audit
that some developers have administrator access.

Unfortunately, the RKRevealer, McAfee Stinger and spyware checks came back
with nothing. A Regmon was slightly more interesting.

I can see applications (mostly Microsoft) continuing to use, access, create,
write and query registry keys under HKLM\Software. Some are successful,
some are not. I still can't get to it from Regedit or any other tool that I
can see. I'm about to the point of calling Microsoft, because I can't even
get to the point of finding any processes that would have the registry
locked.

I also took a look at the active processes using ProcExp (another Mark
Russinovich wondertool), and nothing tracks to being odd. I don't see
anything there that shouldn't be. I'm going to go ahead and reboot the
server after gaining permission and rerun these tools and checks after the
registry is fully readable.

I'll post whatever resolution Microsoft gives me or I find here for public
consumption once I have one.

Thanks,
 
Matt Nowell

In case some of you thought I'd fixed it and moved on, I haven't yet fixed
it.

I do however have a ticket open with Microsoft, and will post resolution
should I obtain it!

Thanks,

Matt Nowell
 
Mark V

In said:
Matt Nowell

[ snip, see parent post ]

> In case some of you thought I'd fixed it and moved on, I haven't
> yet fixed it.
>
> I do however have a ticket open with Microsoft, and will post
> resolution should I obtain it!

Thanks Matt for following up and good luck! We will be interested to
hear of Microsoft's explanation and fix.
 
Matt Nowell

Well, it's not really a fix so much as it was a process of sorting out what
was going on.

Microsoft was of little to no help. Their recommendation was that I shut
down all third party services on a production server running third party
applications. I wasn't clear as to why, and they didn't provide much
documentation.

So, off I went to sort it out myself. Using Process Explorer, I started
looking extensively at As it turns out, one of our third party jobs (Serena
Teamtrack) had a Broker service that was opening, and not closing, registry
keys.

Restart that service, and all becomes right. Funny part? The Serena folks
know about it and suggested that I write a batch file to stop and start the
Broker service.


Thanks for everyone's help!
 
Mark V

In said:
> Well, it's not really a fix so much as it was a process of
> sorting out what was going on.
>
> Microsoft was of little to no help. Their recommendation was
> that I shut down all third party services on a production server
> running third party applications. I wasn't clear as to why, and
> they didn't provide much documentation.
>
> So, off I went to sort it out myself. Using Process Explorer, I
> started looking extensively at As it turns out, one of our third
> party jobs (Serena Teamtrack) had a Broker service that was
> opening, and not closing, registry keys.
>
> Restart that service, and all becomes right. Funny part? The
> Serena folks know about it and suggested that I write a batch
> file to stop and start the Broker service.
>
> Thanks for everyone's help!

Glad to hear you found the culprit and have a workable solution.
We love happy endings! <G>
 
RussellJones

I'm getting a similar problem, although it's not the entire Software
hive. I'm finding that one of my applications is causing a key I use to
become inaccessible. RegMon (all praise Mark) tells me "INSUFFICIENT
RESOURCES". I can also see that my App is repeatedly opening the key,
but never closing it. Stopping my app (which is an NT service) releases
the key, and regedit can then access it.

I checked my code, and found that I was not closing the key, or freeing
the TRegistry object that I was using. Adding these to my code fixed the
problem.

What I suggest you do is use RegMon to come up with a list of processes
that open Common. Try stopping these to find out which one is not
releasing the resources - I'd start with any uncommon services. If
that's successful, set RegMon to monitor only that process, and see
what happens when you start it up.
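
Added example (not part of any post in this thread, and not code from Sysinternals or the vendors mentioned): the triage described in the two posts above, run over a saved registry-monitor log to find the process whose key opens are never matched by closes. The tab-separated column layout, the process names and the key name are constructed assumptions for illustration.

```python
from collections import Counter

KEY = r"HKLM\Software\Example\Common"  # constructed key name
# Constructed rows: sequence, time, process:pid, request, path, result.
ROWS = [
    (1, "0.10", "leakysvc.exe:812", "OpenKey", KEY, "SUCCESS"),
    (2, "0.11", "leakysvc.exe:812", "QueryValue", KEY + r"\Path", "SUCCESS"),
    (3, "0.20", "goodsvc.exe:640", "OpenKey", KEY, "SUCCESS"),
    (4, "0.21", "goodsvc.exe:640", "CloseKey", KEY, "SUCCESS"),
    (5, "1.10", "leakysvc.exe:812", "OpenKey", KEY, "SUCCESS"),
    (6, "2.10", "leakysvc.exe:812", "OpenKey", KEY, "SUCCESS"),
    (7, "2.50", "regedit.exe:1100", "OpenKey", KEY, "INSUFFICIENT RESOURCES"),
    (8, "2.60", "goodsvc.exe:640", "OpenKey", r"HKLM\System\Other", "SUCCESS"),
]
SAMPLE_LOG = "\n".join("\t".join(str(f) for f in row) for row in ROWS)


def _rows_under(log_text, key_prefix):
    """Yield (process, request, result) for log rows at or below key_prefix."""
    prefix = key_prefix.lower().rstrip("\\")
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # header or truncated line
        process, request, path, result = fields[2:6]
        path = path.lower()
        if path == prefix or path.startswith(prefix + "\\"):
            yield process, request, result.strip()


def unbalanced_opens(log_text, key_prefix, min_leaked=2):
    """Map process -> successful OpenKey calls not matched by a CloseKey."""
    balance = Counter()
    for process, request, result in _rows_under(log_text, key_prefix):
        if request == "OpenKey" and result == "SUCCESS":
            balance[process] += 1
        elif request == "CloseKey":
            balance[process] -= 1
    return {p: n for p, n in balance.items() if n >= min_leaked}


def starved_processes(log_text, key_prefix):
    """Processes whose requests under the key failed for lack of resources."""
    return {p for p, _req, result in _rows_under(log_text, key_prefix)
            if result.upper() == "INSUFFICIENT RESOURCES"}


if __name__ == "__main__":
    print(unbalanced_opens(SAMPLE_LOG, r"HKLM\Software"))
    print(starved_processes(SAMPLE_LOG, r"HKLM\Software"))
```

A process with a steadily growing open/close imbalance is the one to restart or fix; the processes in the second set are the ones hit by the exhaustion, not its cause.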
 
zahroc

I too am having the same problem.

After a reboot it runs for about 2 weeks and then it occurs again.

I would be very interested in the results of anyone else.
 
