Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1508 Source: Userenv

Windows was unable to load the registry. This is often caused by insufficient memory or insufficient security rights.

DETAIL - <detail message>
Logged with Event ID 1505 Source Userenv,   happen when the value in \registry\user\HKEY_USERS in HKLM\system\CCS\control\hivelist was pointing to another profile path. Logon locally as another user with rights and update the path to solve it.
You experience this problem if many users are logged on to the terminal server. See ME935649 to solve it.
Look for a policy.pol file in the %windir% folder. This is the group policy file from Windows 9x. Remove it and see if it solves your problem. Make a backup first.
I had a similar problem on a Terminal Server where the pagefile size was set to 2 GB. The C drive ran out of swap space. I allowed Windows to manage the virtual memory and also set it to use the other drives.
I had a W2K3 member server, which was running fine until I made it a DHCP server. Then it started to continuously give me error 1508. I installed SP1 and that resolved the issue.

See ME843426 for a hotfix if you have previous installed ME818133.

This problem can appear if the registry hive is corrupt or if you no longer have adequate privileges to the registry hive. See MSW2KDB for more details.

From a newsgroup post: "These error logs indicate that the user profiles in your server are either corrupted, or are not properly configured.

Suggestion 1:
This can happen if some users’ ProfileImagePath registries are duplicated with other users' ProfileImagePath. To resolve the issue, perform the following steps:
1. Run "WHOAMI /USER /SID" to determine the users’ correct SID.
If you do not have the whoami command tool, you can download and install it from the link below.
Note: By default, it will install to the C:\Program files\Resource Kit folder. To run it, go to a command prompt and change the path to C:\Program Files\Resource Kit. Then type "whoami /USER /SID" (without quotes) and press Enter. It should display the current users’ name and SID.
2. Check the ProfileImagePath value under the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>.
Note down this ProfileImagePath value.
3. Check the other ProfileList\<SID> keys for matching ProfileImagePath values and deleted those keys.
Note: Please make sure you have backed up the registry key before you delete them.
4. Test and see if the problem is fixed.
Did you manually move your users' profiles to another drive? If you have moved the Documents and Settings folder, it will lead to the issue. Microsoft does not support moving the Documents and Settings folder in Windows Server 2003 or Windows XP to another drive. Although you can try the steps in ME236621, Microsoft provides it for informational purposes only.

Suggestion 2:
If the issue persists, I suggest that you create a new user and then copy the user profile. When copying, the following files should be excluded:
- Ntuser.dat
- Ntuser.dat.log
- Ntuser.ini.
See ME811151 for information on how to copy user data to a new user profile. Test and see if the problem is fixed".
I previously installed ME898060, but after 2 days the error reappeared. I called MS and the next settings in addition to removing speech recognition did the trick. System is now running for 2 weeks without problems.

Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management, and add the next values:

Value name: PoolUsageMaximum
Data type: REG_DWORD
Radix: Decimal
Value data: 60

Value name: PagedPoolSize
Data type: REG_DWORD
Radix: Hex
Value data: 0xFFFFFFFF

Then, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, and add:

Value Name: MaxWorkItems
Data Type: REG_DWORD
Value data: 65535 (decimal)

Value Name: MaxRawWorkItems
Data Type: REG_DWORD
Value data: 512 (decimal)

Value Name: MaxFreeConnections
Data Type: REG_DWORD
Value data: 100 (decimal)

Value Name: MinFreeConnections
Data Type: REG_DWORD
Value data: 32 (decimal)

Then, see ME823586 for information on how to turn off the speech recognition and the handwriting recognition features in Office 2003.
This problem appeared on a Windows 2003 Terminal server after applying SP1. More than 30 users could login successfully but other users got this error and an EventID 1500 from source Userenv. After I installed ME898060, the errors disappeared.
It seems that there might be a problem with UPHC (User Profile Hive Cleanup Service) choosing the wrong entry from ProfileList. Make sure to delete old profile data completely. To do this, see ME814584.
I solved this by downloading the “User Profile Hive Cleanup Service” from Microsoft. See ME837115 to download the program.
Detail message: "The process cannot access the file because it is being used by another process. for C:\Documents and Settings\aw01tdur\ntuser.dat". - For Windows XP according to a newsgroup post the solution is "to delete the 'ntuser.dat' for each profile. The file is rebuilt on restart". See also ME318011.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.