Event ID: 1096 Source: Userenv

Windows cannot access the registry policy file, <path to .pol file>. (<error description>).
This problem can occur because the Ntuser.pol file is corrupted. See ME903252 for a hotfix applicable to Microsoft Windows XP.

This problem occurs when one or more of the following conditions are true:
1. There is a sharing violation on the registry.pol file. This makes the registry.pol file inaccessible to the other processes.
2. Access to parse the registry.pol file is denied through NTFS permissions.
3. Network connectivity fails when the registry.pol file is parsed.
See ME930597 for a hotfix applicable to Microsoft Windows XP.
As per Microsoft: "This error indicates that there is a missing file in a Group Policy Object (GPO). GPOs reside on the domain controller's Sysvol share, and a local GPO also resides on the local computer's system drive. The event indicates that the Administrative Templates client side extension was trying to access the registry.pol file. This file might be corrupt. The Event log indicates the location of the corrupted registry.pol file. This error can also occur if the registry configuration is incorrect. Group Policy stores registry-based policy settings in the registry. If these registry keys have access control lists (ACLs) that prevent the system from writing to those values, this failure can occur". See MSW2KDB for more details.
- Policy file \\<domain>\SysVol\<domain>\Policies\{BD1551FE-D7EF-4DE5-8B8E-77574297A93E}\Machine\registry.pol - This may occur if the policy files are missing. From a newsgroup post, here are the steps to recreate the policy files on an SBS2003 server:
1. Make a backup including the system state.
2. Open the Group Policy Management snap-in.
3. Under Group Policy Objects, right-click Small Business Server Client Computer, select Delete. Click OK to delete the GPO.
4. Start -> Run -> type \\domain.local\sysvol\domain.local\Policies. Verify the GUID {1568CD4A-2703-4803-B3AD-5919679EF671} is gone.
5. Start -> Run -> Gpupdate.exe.
6. Reboot.
7. Log on again, check Event Viewer and verify ID 1096 Userenv is gone.
8. Open the Group Policy Management snap-in, this time right-click domain.local and select Create and Link a GPO here.
9. Call the GPO "Small Business Server Client Computer".
10. Expand Group Policy Objects. Highlight Small Business Server Client Computer, right-click and select Edit.
11. Expand Computer Configuration -> Administrative Templates -> Network -> Network Connections.
12. Double click the first 3 "Prohibit ......" and select Enabled.
13. Expand Computer Configuration -> Administrative Templates -> System ->
14. Double click "Don't display the Getting ....." and select Enabled.
15. Start -> Run -> Gpupdate.exe.
16. Check Event Viewer and make sure there are no errors.

- Policy file: C:\Documents and Settings\All Users\ntuser.pol - From a newsgroup post: "This error occurred together with event id 15 and it was fixed by applying the suggestions in ME310461."
From another post: "It seems that the user profile is corrupted. See ME318011."

Generic information about the error message:
Error: "Access is denied." - See the information for Error code 5 for conditions when such error may occur.
Error: "The data is invalid." - See the information for Error code 13.
