USERNV PROBLEM


Peter Fitch

I have this error reported in event viewer:

Source: usernv Category: None
Type: error Event ID: 1000
User: NT AUTHORITY\SYSTEM

Windows cannot unload your registry file. If you have a
roaming profile, your settings are not replicated. Contact
your administrator.

DETAIL - Access is denied. , Build number ((2195)).

Is there a patch anywhere that will fix this? If so,
please provide source URL if possible, or recommend change
to security settings in filesystem.

Many thanks

Pete
 
If you have SP4 you can take advantage of some new features to identify the
culprit.

1. Obtain and install the Sysinternals DbgView program. For
information about how to do so, please visit the following Sysinternals
Web site:

http://www.sysinternals.com/ntw2k/freeware/debugview.shtml

Microsoft provides third-party contact information to help you find
technical support. This contact information may change without notice.
Microsoft does not guarantee the accuracy of this third-party contact
information.


2. Apply SP4 on the target computer

3. Run DbgView on a remote computer, and then connect to the problem
computer.

4. To connect to the problem computer remotely by using DbgView, you
may have to first connect to its ipc$ share by using the "net use
\\<problem_computer>\ipc$" (without the quotation marks) command.
Connecting by using the IP address may not work. Optionally, you can
have DbgView save the information to a log file. Remember to set the
maximum log file size.

5. Wait for the problem to occur. You may not see any output in DbgView
until the problem occurs. You may sometimes see some DLLs being loaded,
but you can ignore this output.


Sample Output in DbgView When the Problem Occurs
------------------------------------------------

Note the process name in the debug statements:



Subkeys open inside the hive (e1c09788) (Settings\Administrator\ntuser.dat) :
Process 81e78940 (PID = e0 ImageFileName = WINLOGON.EXE) (KCB = e1c0cb88) :: Key \REGISTRY\USER\S-1-5-21-73586283-1767777339-839522115-500
Process 81b8b4a0 (PID = 358 ImageFileName = WinMgmt.exe) (KCB = e1bd3be8) :: Key \REGISTRY\USER\S-1-5-21-73586283-1767777339-839522115-500\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows


Winmgmt.exe is the problem in this case. Note that
Winlogon.exe has the SID key open only because Winmgmt.exe has a subkey
open under the SID key.



Good Luck!

--Shawn

This posting is provided "AS IS" with no warranties and confers no rights.
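
The reasoning in the reply above (a process holding a subkey under the SID key is what keeps the hive loaded, while a holder of the bare SID key may only be a side effect), as an added Python example that is not part of the original thread: it parses a saved DbgView log in the format quoted there. The sample log is constructed, the function names are hypothetical, and reading the PID as hexadecimal is an assumption.

```python
import re

# Constructed sample, one record per line, in the format of the DbgView output
# quoted in the post (the SID is a placeholder, not a real account).
SAMPLE_LOG = r"""
Subkeys open inside the hive (e1c09788) (Settings\Administrator\ntuser.dat) :
Process 81e78940 (PID = e0 ImageFileName = WINLOGON.EXE) (KCB = e1c0cb88) :: Key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-500
Process 81b8b4a0 (PID = 358 ImageFileName = WinMgmt.exe) (KCB = e1bd3be8) :: Key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-500\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows
"""

HIVE_RE = re.compile(r"Subkeys open inside the hive \(\w+\)\s*\((?P<file>[^)]*)\)")
PROC_RE = re.compile(
    r"Process\s+\w+\s+\(PID = (?P<pid>[0-9a-fA-F]+)\s+ImageFileName = (?P<image>[^)]+)\)"
    r"\s+\(KCB = \w+\)\s+:: Key\s+(?P<key>\\REGISTRY\\USER\\.+)")
# Splits a key into the per-user root (\REGISTRY\USER\<SID>) and whatever lies below it.
ROOT_RE = re.compile(r"(?P<root>\\REGISTRY\\USER\\[^\\]+)(?P<sub>\\.+)?$", re.I)


def parse_open_keys(log_text):
    """Return one dict per 'Process ... :: Key ...' record, tagged with its hive file."""
    records, hive_file = [], None
    for line in map(str.strip, log_text.splitlines()):
        hive = HIVE_RE.search(line)
        if hive:
            hive_file = hive.group("file")
            continue
        proc = PROC_RE.search(line)
        if proc:
            root = ROOT_RE.match(proc.group("key"))
            records.append({
                "hive_file": hive_file,
                "image": proc.group("image").strip(),
                "pid": int(proc.group("pid"), 16),  # assumption: PID is printed in hex
                "key": proc.group("key"),
                "subkey": (root.group("sub") or "") if root else "",
            })
    return records


def likely_culprits(records):
    """Processes holding a subkey below the SID root; if none, every holder is returned."""
    deep = [r for r in records if r["subkey"]]
    return deep or records


if __name__ == "__main__":
    for r in likely_culprits(parse_open_keys(SAMPLE_LOG)):
        print(f'{r["image"]} (PID {r["pid"]}) holds {r["key"]} in {r["hive_file"]}')
```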
 
Why should it make any difference? You'll still be vulnerable to the
msblast-worm.

Marina
 
Who's talking about the MSBLAST.EXE worm?

I'm talking about a USERNV problem to do with Roaming
Profiles!!!

Any useful, meaningful and relevant contribution to my
enquiry would be gratefully received.

regards

Pete
 
Did you try www.eventid.net?

Marina

Pete said:
Who's talking about the MSBLAST.EXE worm?

I'm talking about a USERNV problem to do with Roaming
Profiles!!!

Any useful, meaningful and relevant contribution to my
enquiry would be gratefully received.

regards

Pete
 