Andre
Recently I have been experiencing an issue with Windows Vista that I wasn't
before. I'll try to explain all the facts and some discoveries I have made on
this matter.
Some time after Vista boots, the kernel System "process" (PID 4) will open
handles on all the ntuser.dat files of all users on my computer. In that
case, if a user tries to log on to his account he sees the "Preparing your
Desktop" message and when it is done there is a balloon on the system tray saying
that the profile could not be loaded, the user is on a temporary account and
any changes he makes will not be saved. The only way a user can successfully
log on to his account is by rebooting the computer. I don't think the
ntuser.dat files are corrupted because I can successfully log on the users
after a reboot (and have no problems thereafter). I used Handle and Process
Explorer applications from Sysinternals and realised that once the System
process opens handles on the ntuser.dat files I start having the logon
issues. I still haven't been able to determine why and when the System
process will open those handles after the computer boots. Unfortunately, that
has sincerely become an unacceptable behaviour since rebooting the computer
will interrupt some tasks other users left running on their users (from a
Switch User command) or any service task running on the machine in the
background.
Honestly, I don't think this problem is related to my anti-virus. Firstly,
it is the Kernel System "process" that is locking the ntuser.dat files.
Moreover, my anti-virus software has NOT been updated recently (especially
since I began having this problem) and, finally, I have the exact same
anti-virus software (same version) with a different licence running on my
laptop without this problem. My laptop, for some reason, hasn't been offered
for the SP2 update yet while my desktop (where the problem lies) has all
updates on Windows Update up until today. I have tried formatting and
performing a clean install on my computer three times and every time I came up
with the exact same issue. For each format I tried installing the updates in
a different manner. I have tried installing SP1 and SP2 from standalone
download files (and the remaining updates on Windows Update). Then I have
tried installing all updates (including the service packs) from Windows
Update. I have also tried installing the updates on Windows Update but
holding back a little before actually installing them. I have been 3 days
free from this issue since my last clean install and now after some updates I
have it again. The last installed updates I can see were: KB949104, KB890830,
KB973346, KB905866, KB961371, KB960353, KB915597. Some of these updates are
Malicious Software removal, Windows Defender updates and Junk Mail filter
updates which I don't think are causing this issue. Actually, to be more
precise, I believe it was an update after June 19th, a date I can remember I
wasn't having this problem.
In any case, just to be clear, this is some information on my computer:
Windows Vista Ultimate 32-bit
Athlon64 3200+, 1GB RAM
NOD32 Anti-Virus 3.0.672.0 (the forums here clearly state that version 3
of NOD32 is free from the SP2 issues, only version 4 presents them)
Below is the output of the handle application when I experience this issue.
Just to be clear, there was only one user logged on the machine at the time
this capture was executed.
D:\Home\Andre\Program Installers\Power Toys\Handle>handle ntuser.dat
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
System pid: 4 320:
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TM.blf
System pid: 4 324:
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
System pid: 4 328:
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
System pid: 4 32C:
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2
System pid: 4 330:
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System pid: 4 334:
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System pid: 4 748:
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TM.blf
System pid: 4 750:
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
System pid: 4 754:
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
System pid: 4 758:
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2
System pid: 4 75C:
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System pid: 4 760:
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System pid: 4 964:
C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System pid: 4 14A0: C:\Users\[user2]\NTUSER.DAT
System pid: 4 1BDC:
C:\Users\[user2]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System pid: 4 1BF8:
C:\Users\[user2]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
System pid: 4 1C08: C:\Users\[user2]\ntuser.dat.LOG1
System pid: 4 1C0C: C:\Users\[user2]\ntuser.dat.LOG2
System pid: 4 1C14:
C:\Users\[user2]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System pid: 4 1D78: C:\Users\[user1]\NTUSER.DAT
System pid: 4 1EF0: C:\Users\[user3]\ntuser.dat.LOG2
System pid: 4 2078:
C:\Users\[user3]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System pid: 4 209C:
C:\Users\[user3]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System pid: 4 2150:
C:\Users\[user3]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
System pid: 4 21CC: C:\Users\[user3]\ntuser.dat.LOG1
System pid: 4 2254: C:\Users\[user3]\NTUSER.DAT
System pid: 4 226C: C:\Users\[user1]\ntuser.dat.LOG1
System pid: 4 228C: C:\Users\[user1]\ntuser.dat.LOG2
System pid: 4 233C:
C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
System pid: 4 237C:
C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
I renamed the user profile names but believe me when I say those are
ntuser.dat files from three different directories (user profiles) on my
machine. The Event Viewer IDs when a user tries to log on in these conditions
are 1508, 1502, 1515 and 1511, all issued by "User Profile Service". Does
anyone have any suggestion on what could be causing this?
I posted this exact same issue on Microsoft Answers (here:
http://social.answers.microsoft.com...y/thread/1aaa1799-f29e-4d13-905e-6fee09b3a658
) and I am also posting here on the Newsgroups hoping that someone else has
any suggestions for me.
I would like to thank you, in advance.
Andre
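Added example, not part of Andre's post: a small parser for Handle output in the wrapped form shown above, reporting which profiles under C:\Users have their NTUSER.DAT held by PID 4 although the user is not logged on. The function names, the `logged_on` and `users_root` parameters and the sample text are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the output in the post; some paths are
# wrapped onto the next line, and [user1]/[user2] are placeholders.
SAMPLE = r"""
Handle v3.42
System pid: 4 324:
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
System pid: 4 14A0: C:\Users\[user2]\NTUSER.DAT
System pid: 4 1C08: C:\Users\[user2]\ntuser.dat.LOG1
System pid: 4 1D78: C:\Users\[user1]\NTUSER.DAT
System pid: 4 233C:
C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
"""

ENTRY = re.compile(
    r"^(?P<proc>\S+)\s+pid:\s*(?P<pid>\d+)\s+(?P<handle>[0-9A-Fa-f]+):\s*(?P<path>.*)$")

def parse_handle_output(text):
    """Yield (process, pid, handle, path), rejoining paths wrapped onto the next line."""
    pending = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = ENTRY.match(line)
        if m and m["path"]:            # entry and path on one line
            pending = None
            yield m["proc"], int(m["pid"]), m["handle"], m["path"]
        elif m:                        # entry whose path follows on the next line
            pending = m
        elif pending:                  # continuation line carrying the path
            yield pending["proc"], int(pending["pid"]), pending["handle"], line
            pending = None
        # anything else (banner, copyright) is ignored

def system_held_profile_hives(text, logged_on=(), users_root=r"C:\Users"):
    """Map profile directory -> handle values for NTUSER.DAT held by PID 4,
    limited to profiles under users_root whose owner is not in logged_on."""
    skip = {name.lower() for name in logged_on}
    held = defaultdict(list)
    for _proc, pid, handle, path in parse_handle_output(text):
        directory, _, filename = path.rpartition("\\")
        profile = directory.rpartition("\\")[2]
        under_root = directory.lower().startswith(users_root.lower() + "\\")
        if (pid == 4 and under_root and filename.lower() == "ntuser.dat"
                and profile.lower() not in skip):
            held[directory].append(handle)
    return dict(held)
```

Run it over saved `handle ntuser.dat` output and pass the account names that are actually logged on; any directory it returns is a profile whose hive file is open without a matching session.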