Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1509 Source: Userenv

Source
Level
Description
Windows cannot copy file <file> to location <location path>. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.

DETAIL - <detail>.
Comments
 
- Detail: "Insufficient system resources exist to complete the requested service" - MS Support suggests that setting the two following registry keys resolves the issue:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory_Management

Key name: PoolUsageMaximum
Data type: REG_DWORD
Radix: Decimal
Value: 60

Key name: PagedPoolSize
Data type: REG_DWORD
Radix: Hex
Value: 0xFFFFFFFF
We had this event, when the userís profile contained a file that had a name longer than 256 characters.
In one case, on a Windows 2003 SP1 computer, I was trying to copy a profile to the "Default User" folder via "My Computer" -> Properties and a dialog box was displayed with the message "Directory <C:\Documents and Settings\Default User> could not be deleted. Please delete the directory and retry". This was caused by the file "C:\Documents and Settings\Default User\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch" being in use by some other process. Everything else in "C:\Documents and Settings\Default User" was deleted. This always happens on my domain controllers and sometimes on Windows 2003 member servers. Instead of fixing this problem immediately, I erroneously logged on with another account that did not have a profile on this computer and got this Event ID. The resultant profile was malformed (small in size and did not contain the correct settings). The <file> in the description was "C:\Documents and Settings\Default User\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch". The <location path> was "C:\Documents and Settings\<username>\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch. The "DETAIL" was "Access is denied".

In another case, on a Windows 2003 SP1 computer that I was building as a secondary domain controller, before I added it to the domain and ran DCPROMO, I had configured a local account and successfully copied it to the "Default User" folder via "My Computer" -> Properties. Later when it was a domain controller, I ran a Task Scheduler job to back up the System State data (with an account that did not have a profile on this computer) and got this Event ID (for the same file as above).
In my experience, on Windows 2003/XP, in Start -> Settings -> Control panel -> Regional and Language Options, you should avoid the check box named "Apply all settings to the current user account and to the default user profile". When this check box is ticked (followed by a confirmation dialog box), the contents of the "Default User" folder are deleted and recreated. If during this process, a file is in use and cannot be deleted, this causes the creation of a malformed "Default User" folder. Unlike the method of copying a profile to the "Default User" folder via "My Computer" -> Properties, no dialog box is displayed if this error occurs. It is not detected until malformed profiles are created when accounts are logged on to that computer for the first time. I solved this problem by restarting the computer in Safe Mode or Safe Mode with Networking and copied a profile to the "Default User" folder via "My Computer" -> Properties and restarted the computer normally. See ME291586 for information on how to do that. I deleted all malformed profiles including the one for the account named in this Event ID, and repeated the process that caused the Event ID to ensure that it was fixed.

In another case, on a Windows 2003 SP1 computer this was not an issue with the "Default User" folder. A user who's account was configured to use a roaming profile, logged on and got this Event ID.
The <file> in the description was "\\<domain>\dfsroot\Profile\<User>\Cookies\index.dat". The <location path> was "C:\Documents and Settings\<User>\Cookies\index.dat". The "DETAIL" was "The process cannot access the file because it is being used by another process". This was followed by EventID 1515 from source Userenv and EventID 1511 from source Userenv. The user tried logging off and logging on again but go the same result. This was resolved by restarting the computer in Safe Mode with Networking, logging on as the same user, restarting the computer normally, and logging on as the same user. This Event ID then did not appear.
Terminal Server User Profiles were configured to be roaming on a Windows Server 2003 SP1 Terminal Server, but not all users were affected. I resolved this problem by resetting the permissions on the affected userís Terminal Server user profile folder at %USERPROFILE% on the server, so that SYSTEM, Local Admins and the user (Domain\User) had full control permissions over the folder. Once this was done, the user was able to log on to the Terminal Server normally.
We are using Windows Server 2003 Standard Edition and I tried the potential repairs stated below that were relevant to our configurations. I found our problem was due to cached login information. I performed the following steps to remediate the problem:

1. Open the Control Panel.
2. Go to Stored User Names and Passwords.
3. Delete any Cached user names.

Once I did this, everything began to click (although the information provided below is helpful in clearing up best practices when configuring roaming profiles).


After a little search on the Internet, I saw someone suggested that ZoneAlarm might cause the problem. I uninstalled it and the problem did not reappear.
As per Microsoft: "This problem occurs if the following conditions are true:
1.You have installed the redirector software update ME885250 or a later version of the redirector software update. Update ME885250 is described in Microsoft security bulletin MS05-11.
2.The following flag is enabled on the users profile share of the Profile server:
SHI1005_FLAGS_ALLOW_NAMESPACE_CACHING"
See ME896427 for a hotfix applicable to Microsoft Windows XP.
I had checked all of the options listed on the site pertaining to this event. However, none of them had helped. I performed the following three things on my terminal server to resolve the issue:

I had previously allowed the system to adjust the paging file, which had been assigned to 8Gb in size. I hard-coded the size to 4Gb considering that Microsoft suggested anything larger could lead to memory fragmentation.

The terminal server also had the /3Gb switch in boot.ini. I added the /USERVA=3030 switch as well (ME316739). Microsoft suggested failure to do so could also lead to memory fragmentation.

Finally, under the local group policy, I enabled the feature that disabled security checking on roaming profiles (ME327259 & ME327462). This was most likely the culprit, but the other options are good to implement anyway. If the memory on the server gets too fragmented, then it may not have the resources to allow people to properly login or logoff.
As per Microsoft: "Possible reasons why Windows cannot copy this file include: a network connectivity problem, a file copy error, the failure of an application to release file handles on the roaming user profile files on the server, or incorrect permissions on the user's profile folders". See MSW2KDB for more details on this event.

As per Microsoft: "This issue may occur if the NetApp Filer has timing problems and returns incorrect SMB status codes. To resolve this issue, update the NetApp Filer to ONTAP Release 6.4.1D16". See ME826379 for more details.

From a newsgroup post: "Try the following steps to troubleshoot this issue:
1. Please check that uses have Full Control permission to the shared folders.
3. Please try to install the hotfix based on ME826379.
4. If the problem happens on certain clients, please try the User Profile Hive Cleanup tool from MS (see the link below).
5. If the problem happens on all computers, I recommend you to check the Group Policy and the shared folder.
To check the Group Policy:
a. Open GPMC.msc.
b. Right click the "Small Business Server Folder Redirection" GOP and click Edit.
c. Go to User Configuration/Windows Settings/Folder Redirection/My Documents, and My Pictures.
d. They should be configured to be redirected to
\\sbsserver\users\%username%\my documents and
\\sbsserver\users\%username%\my documents\My Pictures.
To check the shared folder's permission, follow the instructions in ME274443".
I was receiving this error message and my roaming profiles were failing to upload to the server. It turned out this was due to insufficient permissions on the "route" to the user profile folder. I changed all the parent folders so that "Everyone" had the "Traverse Folder / Execute File", "Read Attributes" and "Read Extended Attributes" permissions on "This folder only" for each of the folders in the user profile path. Users are now able to upload their roaming profiles and the event is gone.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...