profiles corrupted due to locked registry

Guest

I have about 30 machines out of 2500+ that have had the users' local profile
corrupted because w2k was unable to save the registry because two registry
handles leaked.
How can I find out what services were hung after the fact? This happened on
Friday when the users logged out, so on Monday we walked into a maelstrom. I
need to avoid this in the future. I have UPHClean, however we can't replicate
the problem.

mc
 
In said:
I have about 30 machines out of 2500+ that have had the users'
local profile corrupted because w2k was unable to save the
registry because two registry handles leaked.
How can I find out what services were hung after the fact? This
happened on Friday when the users logged out, so on Monday we
walked into a maelstrom. I need to avoid this in the future. I
have UPHClean, however we can't replicate the problem.

From the UPHClean Readme (v1.5.5.21) (excerpt)
=====================================
By default UPHClean takes action to allow profiles to unload. You
can choose to have UPHClean only report what processes it finds
preventing profiles from unloading. To do this, install UPHClean
and use the registry editor to set:
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY to 1.

You can also have UPHClean log the call stack that is responsible
for the profile hive handle. This is necessary to find out what
software is responsible for the hive handle in processes used for
many purposes (e.g. svchost.exe, dllhost.exe, winmgmt.exe). To
enable call stack logging use the registry editor to set:
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to 1.

Logging the call stack is computationally and memory intensive.
You should use this option to collect information and then turn it
off. To get more accurate call stack logging it may be necessary
to get symbols installed on the computer. You can read about
getting symbols at:
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx
==========================

Have you tried any of those options?
 
Mark,

Thanks for the response. We tried that and, like I said, we can't replicate
the problem, so I'm looking more for an "after the fact" way of figuring out
what happened. We've narrowed it down to a couple of things: a Symantec AV
definition update or a ZENworks issue. It hit both Win2k and XP machines,
which rules out the Win2k SP4 rollup, and the event logs are vague at best
this time.

So any other ideas would be appreciated.
 
In said:
Mark V said:
In said:
I have about 30 machines out of 2500+ that have had the users'
local profile corrupted because w2k was unable to save the
registry because two registry handles leaked.
How can I find out what services were hung after the fact?
This happened on Friday when the users logged out, so on
Monday we walked into a maelstrom. I need to avoid this in
the future. I have UPHClean, however we can't replicate the
problem.

From the UPHClean Readme (v1.5.5.21) (excerpt)
=====================================
By default UPHClean takes action to allow profiles to unload.
You can [ ]
==========================

Have you tried any of those options?

Mark,

Thanks for the response. We tried that and, like I said, we can't
replicate the problem, so I'm looking more for an "after the fact"
way of figuring out what happened. We've narrowed it down to a
couple of things: a Symantec AV definition update or a ZENworks
issue. It hit both Win2k and XP machines, which rules out the
Win2k SP4 rollup, and the event logs are vague at best this
time.

I have no ideas for "post-mortem" in your situation other than
comparing (if possible) ntuser.dat files "before" and "after",
possibly revealing something that points to one of your suspects.
Based on nothing other than reputation, I'd suspect Symantec FWIW but
that is purely speculative.

So any other ideas would be appreciated.

I hope someone will. If no responses shortly you may want to re-post
as a new thread. And please let us know what and how if you do find
something.
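
One way to carry out the before/after ntuser.dat comparison suggested above, as an added example that is not part of the original thread. It assumes each hive (a backup copy and the current file) has been loaded under a temporary HKEY_USERS key and exported to .reg text, for example with `reg load` and `reg export`; the mount names, key names and values in the samples are constructed.

```python
import re

VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg text into {(key path, value name): raw data}; a key is (path, None)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex data continued with a trailing "\"
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Drop "HKEY_USERS\<mount name>" so both exports share key paths.
            parts = line[1:-1].split("\\", 2)
            key = parts[2] if len(parts) > 2 else ""
            entries[(key, None)] = ""
        elif key is not None and (m := VALUE_RE.match(line)):
            name = m.group(1)
            entries[(key, name if name == "@" else name[1:-1])] = m.group(2)
    return entries

def diff_hives(before, after):
    """Return (change, key path, value name) tuples ordered by key, then value name."""
    changes = []
    for item in sorted(set(before) | set(after), key=lambda kv: (kv[0], kv[1] or "")):
        if item not in after:
            changes.append(("removed",) + item)
        elif item not in before:
            changes.append(("added",) + item)
        elif before[item] != after[item]:
            changes.append(("changed",) + item)
    return changes

# Constructed sample exports with a hypothetical vendor key (not data from the thread).
BEFORE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\PROFILE_BEFORE\Software\ExampleVendor\Agent]
"DefsVersion"="20050101.001"
"Flags"=dword:00000001
"Blob"=hex:01,02,\
  03,04
[HKEY_USERS\PROFILE_BEFORE\Software\ExampleApp]
@="installed"'''
AFTER = r'''[HKEY_USERS\PROFILE_AFTER\Software\ExampleVendor\Agent]
"DefsVersion"="20050107.002"
"Blob"=hex:01,02,03,04
"Pending"=dword:00000001
[HKEY_USERS\PROFILE_AFTER\Software\ExampleVendor\Agent\Update]
"LastRun"="constructed"'''
if __name__ == "__main__":
    print(*diff_hives(parse_reg(BEFORE), parse_reg(AFTER)), sep="\n")
```

Real exports are UTF-16 text, so read them with `open(path, encoding="utf-16")` before passing the contents to `parse_reg`.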
 