Event ID: 1524 Source: Userenv

Source
Level
Description
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Comments
 
Recreation of the profile worked for me. Backup old profile:

Documents and Settings\Username

Login as Administrator and delete the old profile:

->System Properties -> Advanced -> User Profile -> Settings -> "Delete"

Create a new profile and copy the files you need from backed-up profile.
In my case it happened because I had Spybot Search and Destroy running with TeaTimer, which had the registry in use, preventing uninvited mal-/spy- and ad-ware.
See ME949575 if you cannot start the Live Communications Server service on a Live Communications Server 2005 access proxy server.

This problem can occur because, when you log on to the computer, the WebDav client service caches a handle to the HKEY_CURRENT_USER\Software\Classes registry subkey during per-user initialization. The HKEY_CURRENT_USER\Software\Classes registry subkey is the Usrclass.dat file in your user profile. The HKEY_CURRENT_USER\Software\Classes registry subkey is used for per-user COM registrations. Therefore, the HKEY_CURRENT_USER\Software\Classes registry subkey cannot be unloaded when you log off from the computer because of the cached handle. See ME842827 for a hotfix applicable to Microsoft Windows XP.
On Windows 2003 server I had a service running under a non-Windows account. The particular service would not start and event 1524 was being logged against the service account. I discovered the problem was caused by a corrupt local profile for the service account. I recreated the account's local profile on the server and I was then able to successfully start the service.
In my case, this event occurred when the remote desktop users log off from the server.


In one case, this occurred when Outlook Express hung while checking emails due to a malformed email message.
From a newsgroup post: "I had the same problem on a laptop that I had installed NAV onto. It kept telling me that I could not delete my own user profile when I was logged on as a local administrator. I did uninstall NAV and hey presto I was able to delete the profile. If I remember correctly, I did install NAV when logged in using the profile I tried to delete. Therefore, it would seem that it is correct and NAV seems to be the culprit. Anyway uninstalling NAV certainly solved the problem. I assume if I then installed it as the administrator then it would attach itself to that account and the same thing would happen again".

As per Microsoft: "UPHClean monitors the computer while Windows is unloading user profiles and forces resources that are open to close. Therefore, the computer can unload and reconcile user profiles". See ME837115 to get the Microsoft User Profile Hive Cleanup Service (UPHClean).
See Michael Buczkowski's solution for event 1517 from source Userenv. It worked for my XP-Home box with 2003 Norton Antivirus installed.
In my configuration, the driver software, supplied with the keyboard, caused the problem. When the Logitech iTouch software is loaded, it takes 90 seconds before the computer actually shuts down. When I stopped iTouch, the computer shut down immediately.
In my case, the error is caused by the Telephony service. I have done a selective boot in a "services troubleshoot" to find it. If I disable the Telephony service, the shutdown returns to normal. My machine's symptom was a three to four minute shutdown.
Follow the suggestions for event id 1517.
This is often caused by services running as a user account. Try configuring the service to run in either the localService or NetworkService account.
As per Microsoft: "Windows unloads each user's profile and user's section of the registry when the user logs off. This message indicates that Windows could not unload the user's profile because a program was referencing the user's section of the registry. This locked the profile. The registry cannot unload profiles that are locked and in use. When the program that is locking the profile is no longer referencing the registry, the profile will be unloaded. No user action is required."
In my case, this error came from me changing settings in my services. I had "tweaked" them and apparently upset something that needed to be running. Luckily, I remembered which services I changed and just set them back. Now all is well. I can't tell you which exact Service change caused it though.
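
Several comments above trace event 1524 to a service that runs under a user account and keeps that account's registry hive open. The following Windows PowerShell script is an added example, not part of the original comments: it lists services that log on with a non-built-in account and counts the Userenv 1524 events recorded for each of those accounts. It assumes the event record's UserName field carries the affected account and that the script is run locally from an elevated prompt; the function name `Get-NormalizedAccount` is made up for this illustration.

```powershell
# Added example (not from the original page). Windows PowerShell 2.0 or later.

# Built-in service identities; anything else is treated as a user account.
$builtin = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
           'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
           'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'

function Get-NormalizedAccount([string]$Name) {
    # Services store local accounts as ".\name"; event records use "COMPUTER\name".
    if ($Name -like '.\*') {
        return $env:COMPUTERNAME + '\' + $Name.Substring(2)
    }
    return $Name
}

# Collect Userenv 1524 events from the Application log and count them per account.
$events = Get-EventLog -LogName Application -Source Userenv -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1524 }

$hits = @{}
foreach ($e in $events) {
    if ($e.UserName) {
        $key = $e.UserName.ToLower()
        $hits[$key] = 1 + [int]$hits[$key]   # [int]$null evaluates to 0
    }
}

# List services whose logon account is not a built-in identity,
# with the number of 1524 events logged for that account.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    ForEach-Object {
        $acct = Get-NormalizedAccount $_.StartName
        New-Object PSObject -Property @{
            Service    = $_.Name
            Account    = $acct
            State      = $_.State
            Events1524 = [int]$hits[$acct.ToLower()]
        }
    } |
    Sort-Object Events1524 -Descending |
    Format-Table Service, Account, State, Events1524 -AutoSize
```

A service account with a non-zero count is the first candidate for the checks the comments describe: a corrupt local profile for that account, or moving the service to a built-in account.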

