Event ID: 1000 Source: Userenv

Description
Windows cannot unload your registry class file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL Access is denied. , Build number ((2195)).
Comments
 
See the links to "Symantec Knowledge Base Document ID: 2005042912312448" and "Symantec Knowledge Base Document ID: 2002011012432348" for information about this event.
This problem may occur after Microsoft Windows Installer installs a program on the computer. See ME827825 for a hotfix.

See "Novell Support TID10094376" and "Novell Support TID10094600" for more details on this problem.
See ME833781 for a hotfix applicable to Microsoft Windows Server 2003.
See the link to "User Profile Hive Cleanup Service" to download Microsoft User Profile Hive Cleanup Service (UPHClean). As per Microsoft: "UPHClean monitors the computer while Windows is unloading user profiles and forces resources that are open to close. Therefore, the computer can unload and reconcile user profiles".
A small but useful tip. Before looking for an extremely complicated turn-around, just try to right-click the bugging directory profile and do a change owner in advanced security settings. Give the ownership to the user and replace in all subdirectories. It often works for me whatever the SP or hotfix on my Win2K servers.


I am running both SP3 and SP4 Windows 2000 servers in my Citrix Farm. The problem lies with VNC Server.  I am running the infamous Microsoft HotFix ME329170 on the SP3 servers.  I found that on both SP3 servers with the HotFix and the SP4 servers, if I removed VNC Server, my roaming profiles started working again, the Userenv error disappeared and my logoff time dropped substantially.
When I did a regular uninstall, I would get a message stating some components of VNC Server could not be removed and I needed to remove them manually.  I also noticed the VNC Server Service was still registered and listed in the services.  So this is what one should do:
1. Go to the RealVNC or VNC program group (depending on your version) and run the "unregister the VNC server service".
2. Open Control Panel and uninstall VNC. (May get message stating some items could not be removed, remove them manually).
3. Reboot server
4. Once the server came back up, if you are running Citrix or Terminal Server, immediately disallow remote logins.
5. Change user mode of the server to "install mode" by opening a command prompt and typing "change user /install" (TS and Citrix only).
6. Run a fresh install of VNC and make sure you set the VNC Server service to re-register. You may get prompted about the directory that it already exists; overwrite everything and finish the install.  Once the install is complete, you may be asked to reboot.  Reboot server, disallow logins, change to "install mode" again and immediately go to the Control Panel and uninstall VNC.  This time it will successfully unregister the VNC Server Service itself and uninstall VNC completely.
7. Reboot the server.
Now your roaming profiles should be working again.  Run some tests to see if they are.  I would go to the folder of a test user where their roaming profile would be stored and delete all the sub folders and files, log in to a TS or Citrix server with that test account, then log off, switch back to watch the folder where their roaming profile would be stored and see if the files and folders reappeared.
NOTE:  I have eight Citrix Servers in a farm.  I did have trouble with the above steps on 2 of the servers and still could not get the roaming profiles to work and still had the 60 second log off time.  I had to run REGEDIT on these two servers, after following the above steps, and delete every instance of VNC in the registry. (Obviously use EXTREME CARE when messing with your registry.  Updating your ERD and backing up your registry first would be a good idea).  Once I finished searching the registry, I rebooted the servers again with the cleaned registry and my roaming profiles started working on these 2 other servers as well.
Many workarounds are available, but this one was the only one that worked for us. Before restarting W2K, open a console and type:

net stop MDM

For some reason, MDM (Machine Debug Manager) assigns itself an exclusive access over the registry and it refuses to release it. By manually stopping the MDM process (service) we were able to fix all previous Userenv errors. You could also write a small script that can be executed during shutdown. Inside the script, add the following lines and save it as shutdown.cmd:

@echo off
net stop MDM

Move the script to the folder: C:\WINNT\system32\GroupPolicy\User\Scripts\Logoff

Open the following console: C:\WINNT\system32\gpedit.msc

Look at the "User Configuration" section and select "Windows Settings -> Scripts". Now on the right side double-click "Logoff". From here, you can select the saved script and confirm by selecting OK. Restart the computer.
In our case, this occurred on Dell computers. I called into Dell with this error and their techs had me remove Hotfix 329170 and reboot all the affected servers, then I did the same in the clients and all is well.
To work around this problem, turn on the IPSec Policy agent. Windows 2000 Service Pack 3 is supposed to fix this problem. See ME319909 for details.
