MsMpEng.exe handle in user profile hive

Thread starter: jkymustang

In Event Viewer UPHClean is informing me of the following:

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1501
Date: 8/23/2008
Time: 12:46:24 AM
User: xxxxxxxxxxxxxxxxxx
Computer: xxx-xxxxxxxxxxxx
Description:
The following handles opened in user profile hive xxxx-xxxxxxxxxx\xxxx
(S-1-5-21-1409082233-2147052839-839522115-1003) are preventing the profile
from unloading:

MsMpEng.exe (1688)
HKCU (0x56c)
HKCU\Software\Classes (0x5dc)
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

The next message follows:

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 8/23/2008
Time: 12:46:38 AM
User: NT AUTHORITY\SYSTEM
Computer: xxxx-xxxxxxxxxxx
Description:
Windows saved user xxxx-xxxxxxxxxx\xxxx registry while an application or
service was still using the registry during log off. The memory used by the
user's registry has not been freed. The registry will be unloaded when it is
no longer in use.

This is often caused by services running as a user account, try configuring
the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I've searched Help and Support for an understanding as to how to configure
MsMpEng.exe in the Local Service or Network Service account, whichever is
applicable in this instance.

Please post a solution. Thanks.

MsMpEng.exe runs as an NT service under the System account (just like
UPHClean). It is configured to automatically load on Windows startup
(whether you log in or not); use the services.msc applet to check its
service properties. When you log off, Defender will still be running. If it
was started/running before you logged on, it will continue running after
you log off.

Normally services are designed to run WITHOUT any user intervention. No
output seen by the user, no input required from the user. If you look
at your startup apps using msconfig.exe, you'll see MSASCui.exe gets
executed. This UI allows you to touch the NT service but not until you
log in. My guess is that you opened the UI, which needed to update
Defender, so its service processes needed to go read those changes and
that created a file handle. Since they are service processes, they
don't get killed because you log off. Because they continue to run after
logging off, they still have a handle to whatever file they had to read.
If it wasn't a file that the service processes had to read, it could've
been a config parameter in the registry, and since you were configuring
it under your account for your preferences then it would have a handle
to the registry entry.

I went digging a bit more. I have the open handle (oh.exe) utility from
Windows resource kit (free from Microsoft's FTP site), so I ran:

oh -t file | find /i "msmpeng" | more

None of the files with a handle owned by MsMpEng were under my profile
path. I then ran:

oh -t key | find /i "msmpeng" | more

to see what registry entries were in use by MsMpEng. From the registry
key:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

I can see which SID is for my Windows account. From the output of the
'oh' command looking for registry key handles, I see that MsMpEng has
handles on keys in the registry under my account. I can shorten the
output of 'oh' to just show my account's registry entries by running:

oh -t key | find /i "msmpeng" | find /i "<myAccountSID>" | more

MsMpEng is running as a service. It doesn't unload when I log off
(because it is a service). It has a couple of handles to registry keys
that are for my account. User registry entries are in the ntuser.dat
file. That means this file still had a file handle held by MsMpEng when you
logged off, because it still had handles to registry keys for your account.
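As an added example (not code from either post, and not a Microsoft tool), the Python script below does the correlation the reply walks through by hand: it parses a UPHClean event 1501 description in the format quoted in this thread, pulls out the profile hive SID and each process's open key handles, and maps the SID to a profile path through the ProfileList key the reply names. The event text and the ProfileList entries embedded in the block are constructed samples modelled on the thread (the user name and profile path are placeholders); on Windows, read_profile_list() reads the real key via winreg, elsewhere it returns an empty mapping and the sample is used.

```python
"""Attribute UPHClean event 1501 'blocking handle' lines to a user profile.

Added example for this thread, not code from the original posts or from
Microsoft. The 1501 description format follows the event quoted above; the
SAMPLE_* data below is constructed (placeholder user name and profile path).
"""
import re
from dataclasses import dataclass, field

SID_RE = re.compile(r"\((S-1-\d+(?:-\d+)+)\)")
PROC_RE = re.compile(r"^\s*(\S+\.exe)\s+\((\d+)\)\s*$", re.IGNORECASE)
KEY_RE = re.compile(r"^\s*(HK\S.*?)\s+\((0x[0-9a-fA-F]+)\)\s*$")


@dataclass
class Blocker:
    process: str
    pid: int
    keys: list = field(default_factory=list)  # [(registry path, handle value)]


@dataclass
class Event1501:
    hive_sid: str
    blockers: list


def parse_event_1501(description: str) -> Event1501:
    """Extract the profile SID and each process's open key handles."""
    m = SID_RE.search(description)
    if not m:
        raise ValueError("no profile SID in event description")
    blockers, current = [], None
    for line in description.splitlines():
        pm = PROC_RE.match(line)
        if pm:  # "MsMpEng.exe (1688)" starts a new process block
            current = Blocker(pm.group(1), int(pm.group(2)))
            blockers.append(current)
        else:
            km = KEY_RE.match(line)
            if km and current is not None:  # "HKCU\Software\Classes (0x5dc)"
                current.keys.append((km.group(1), int(km.group(2), 16)))
    return Event1501(m.group(1), blockers)


def read_profile_list() -> dict:
    """SID -> ProfileImagePath from the ProfileList key (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        i = 0
        while True:
            try:
                sid = winreg.EnumKey(root, i)
            except OSError:  # no more subkeys
                break
            i += 1
            with winreg.OpenKey(root, sid) as k:
                try:
                    out[sid] = winreg.QueryValueEx(k, "ProfileImagePath")[0]
                except OSError:
                    pass
    return out


def report(event: Event1501, profile_list: dict) -> list:
    """One row per blocking handle: (profile path or SID, process, pid, key, handle)."""
    owner = profile_list.get(event.hive_sid, event.hive_sid)
    return [(owner, b.process, b.pid, key, h) for b in event.blockers for key, h in b.keys]


# Constructed sample in the shape of the 1501 description quoted in this thread.
SAMPLE_EVENT_1501 = """\
The following handles opened in user profile hive WORKSTATION\\someuser
(S-1-5-21-1409082233-2147052839-839522115-1003) are preventing the profile
from unloading:

MsMpEng.exe (1688)
HKCU (0x56c)
HKCU\\Software\\Classes (0x5dc)
"""

# Constructed ProfileList sample (real systems also list S-1-5-18/19/20).
SAMPLE_PROFILE_LIST = {
    "S-1-5-21-1409082233-2147052839-839522115-1003": r"C:\Documents and Settings\someuser",
}

if __name__ == "__main__":
    profiles = read_profile_list() or SAMPLE_PROFILE_LIST
    for owner, proc, pid, key, h in report(parse_event_1501(SAMPLE_EVENT_1501), profiles):
        print(f"{owner}: {proc} (pid {pid}) holds {key} handle 0x{h:x}")
```

To use it on a real machine, paste the description text of an event 1501 from Event Viewer in place of SAMPLE_EVENT_1501; the handle values it prints are the same ones UPHClean lists, so they can be cross-checked against the output of oh -t key for that process.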