WD is preventing shutdown of Windows

  • Thread starter Thread starter Vanguard
  • Start date Start date
V

Vanguard

After installing Windows Defender (whatever was the most recent version
about 3 days ago), I could no longer properly shutdown Windows (XP Pro
SP-2). I'd see the dialog of "Saving your settings", followed by the
dialog of "Shutting down Windows" (not sure about the exact verbiage),
that dialog would disappear leaving only the blue background and there
it would sit for hours. I'd leave it overnight and it was still on this
blue-background state. When it did manage to shutdown, it would take
just about 5 minutes. Normally it takes only 25 seconds. When I
uninstalled WD, shutdown went back to the normal of 25 seconds.

With Windows Defender installed, I might not be able to shutdown so I
have to hit the Reset button. This includes shutting down or trying to
restart since the problem is shutting down *Windows*, not the hardware.
If it did manage to shutdown/restart, it took 10 times longer than
without WD installed. Obviously I now have WD uninstalled. It has some
other problems but this one became the last straw. Is this a known
defect?
 
Alan said:
Hello Vanguard,

If you don't already have it on your PC, you might want to consider
installing the User Profile Hive Cleanup Service at
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&DisplayLang=en
to see if this helps with your shutdown problems.
Click to expand...

Thanks for this Alan. I've been puzzled for ages by the regular appearance
of a 'userenv' warning (event 1517) in Event Viewer at shutdown, and I
presume this may well remove it for me and speed up my shutdowns?
 
alan, I was seeing the same event error 1517 on 2 computers.
I put on the UPHC and I no longer see this error so don't be afraid to put
it on.
You should set a restore point first
also it puts itself in add/remove programs so at worse you could remove it
robin
 
Robin said:
alan, I was seeing the same event error 1517 on 2 computers.
I put on the UPHC and I no longer see this error so don't be afraid to put
it on.
You should set a restore point first
also it puts itself in add/remove programs so at worse you could remove it
robin
Click to expand...

Thanks for the encouragement Robin. I've installed it and I must say that
shutdown is noticeably faster now. There's no trace of the Userenv error
1517, but there is a UPH entry at shutdown, saying that it remapped
something-or-other. I presume this is just the program doing the job I
installed it to do?

I wish it was as easy to speed up my ponderously slow startup times, but I
think the AVG Security suite is responsible for most of that (judging from
what is revealed by task manager), and I just have to live with it.
 
Alan D said:
Thanks for the encouragement Robin. I've installed it and I must say that
shutdown is noticeably faster now.
Click to expand...

Well though, this is a bit odd. Since installing this UPPHC thing, my
firewall has reported two Defender attempts for MpCmdRun.exe to access the
default gateway address. That's never happened before. I presume I can safely
allow this? But why would this suddenly be happening now, and never before?
And what is Defender trying to do?
 
mine says the same thing on both computers in event viewer at shutdown so i
am assuming it is doing also what it is suppose to do.
 
it is interesting that i was seeing this error msg since i had installed WD
out of beta, in fact i never thought it was WD but one of my other hundred
of programs on here and could never figure out which one it is.
I am wondering if WD is the culpurt to this error msg in the first place. I
have not seen avg here ask to allow
MpCmdRun.exe again- well not yet anyway. If it does I will post that.
robin
 
oh and you should allow it- maybe it was just a hiccup and you would not
want WD not to be able to go out to the internet.
As long as you know it is WD's exe you should allow it
robin
 
also just so you know the program runs in the backround and yes if it sees
an application acting funky it is suppose to remap it so shut down goes
correctly.
robin
 
Alan said:
Hello Vanguard,

If you don't already have it on your PC, you might want to consider
installing the User Profile Hive Cleanup Service at
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&DisplayLang=en
to see if this helps with your shutdown problems.
Click to expand...


I'll try it out. However, uninstalling WD eliminate the hang during
shutdown. When I get time and if I decided to reinstall, I can try this
tool to see what is WD's problem but pretty much that would be if I
wanted to decide to bother reporting the problem and waiting until
another year for it to get fixed.
 
Alan said:
Hello Vanguard,

If you don't already have it on your PC, you might want to consider
installing the User Profile Hive Cleanup Service at
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&DisplayLang=en
to see if this helps with your shutdown problems.
Click to expand...


I haven't reinstalled WD yet but decided to install UPHClean to see if
anything else might be causing shutdown/logoff problems. After the
install, I cleared the logs in Event Viewer (to simply make it easier to
see just new entries) and restart (i.e., shutdown Windows and do a warm
reboot). I then looked in Event Viewer for any suspicious entries. I
found:

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1401
Date: 1/4/2007
Time: 8:46:37 PM
User: ZODIAC\lee_hodsdon
Computer: ZODIAC
Description:
The following handles in user profile hive ZODIAC\lee_hodsdon
(S-1-5-21-436374069-562591055-725345543-1003) have been remapped because
they were preventing the profile from unloading successfully:

svchost.exe (1168)
HKCU (0x158)

Okay, so something was hanging onto my user profile (the S-1-5-21-...
entry under HKCU). The problem is that this gives absolutely no
information to help the user determine the cause of the problem. That
is, identifying svchost.exe is not identifying anything unique. svchost
is used to rollup several NT processes under one controller process. I
have 5 of these. The more NT services you have running then the more
instances of svchost are needed.

When I am running Windows and logged in, I can use SysInternal's Process
Explorer to see what are the child processes under each instance of
svhost.exe. That doesn't help me during shutdown since obvious all the
instances of svchost.exe will no longer be in memory to interrogate
using Process Explorer, and the PID is worthless across restarts of
Windows. The only way the UPHClean could help identify the culprit is
if it listed each of the children process being controlled under the
problematic instance of svchost.exe that it reports. Without that info,
it is like saying that a human was the murderer in a crime but that
gives no useful info in determining who committed the murder.

UPHClean may eliminate the symptom but it doesn't provide a clue as to
how to fix the cause. So you end up masking the problem but never can
actually get rid of it. That's similar to how SpywareBlaster works by
adding kill bits for class IDs of known evil ActiveX controls. That
does NOT prevent the crapware from getting into your computer but simply
eliminates one means, the usual means but not the only means, of using
that AX control, and why users of SpywareBlaster are often surprised
that the pest is detected that SpywareBlaster was supposed to block, but
SpywareBlaster doesn't block any entry of a pest and only blocks its
normal means of execution. Likewise UPHClean provides a bandage but the
cure remains elusive.
 
Hello... I am new to this site (a Godsend!) but I'm not very computer savvy.
I was, however, interested in the last reply (Vanguard) regarding the
UPHClean download. Would this be a "good thing" to download, generally
speaking? (anything to make the beast either boot up or turn off faster!)
I'm running Windows Pro SP-2.
 
Mimi said:
Hello... I am new to this site (a Godsend!) but I'm not very computer
savvy.
I was, however, interested in the last reply (Vanguard) regarding the
UPHClean download. Would this be a "good thing" to download,
generally
speaking? (anything to make the beast either boot up or turn off
faster!)
I'm running Windows Pro SP-2.
Click to expand...


Even if you don't know what it does or that what it reports may not be
useful in tracking down the actual culprit, it can speed up logging off
or shutting down Windows. Many users don't give a damn why or how
something does what it does but are just interested in the effect
produced. To figure out if it indeed helps speedup shutting down of
Windows, I would have to reinstall WD to see if the same long delays
occur during shutdown with WD active, and test with and without the
UPHClean service active. I haven't had time yet to expend on this
testing.
 
Hi Mimi;
Just to add a small bit to Vanguards very informative post, the User
Profile Hive Cleanup Service is easily removed from a system once installed
by means of the Add/Remove Programs feature of the Control Panel, so I'd
recommend you give it a try to see if you reap any benefit, if not removal
is only a click away.
 
Mimi said:
Hello... I am new to this site (a Godsend!) but I'm not very computer savvy.
I was, however, interested in the last reply (Vanguard) regarding the
UPHClean download. Would this be a "good thing" to download, generally
speaking?
Click to expand...

A useful indicator, Mimi, is to check Event Viewer to see whether you're
getting 'Userenv' warnings (error 1517) at shutdown. To check it (it's simple
- even I can do it):
1. Right-click 'My computer'
2. Select 'Manage'
3. Double-click 'Event Viewer'
4. Double-click 'Application'
5. Scroll down the list of entries looking for 'Userenv' under the 'source'
heading, with associated 'event' number 1517 or 1524.

If you've got some of those, then the chances are that you'll get the same
benefit as I did by installing the UPHClean program. (As Dave says, if you
get no benefit it's easy to uninstall it.)
 
Dave M said:
Hi Mimi;
Just to add a small bit to Vanguards very informative post, the User
Profile Hive Cleanup Service is easily removed from a system once
installed by means of the Add/Remove Programs feature of the Control
Panel, so I'd recommend you give it a try to see if you reap any
benefit, if not removal is only a click away.
Click to expand...


Since it is a service, all you would have to do is stop and disable it.
 
and if you do not want to forget where event viewer is again you can make it
a shortcut on your desktop. this way you just double click it and you can
see it again or you can install eventlogviewer at

http://www.eventlogxp.com/

Scroll down to the bottom where it says "Download Event Log Explorer For
Free

robin
 
Back
Top