Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
Windows saved user <user name> registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What are the registry files?
How are the registry loaded and unloaded?
What is the role of Userenv?
See ME949575 if you cannot start the Live Communications Server service on a Live Communications Server 2005 access proxy server.
When a user uses a roaming profile to log on to a domain, he accesses shared folders on a Microsoft Windows Server 2003-based file server. When this user encrypts a file on the file server, a miniprofile is created for the user on the file server. However, this miniprofile is not deleted as expected. This problem occurs because EFS does not release the certificate chain cache. Therefore, the roaming profile cannot be unloaded. See ME900613 for a hotfix applicable to Microsoft Windows Server 2003.
As per Microsoft: "Windows unloads each user's profile and user's section of the registry when the user logs off. This message indicates that Windows could not unload the user's profile because a program was referencing the user's section of the registry. This locked the profile. The registry cannot unload profiles that are locked and in use. When the program that is locking the profile is no longer referencing the registry, the profile will be unloaded". See MSW2KDB for more information about this event.
This problem occurs because of a race condition on the reference count in the registry optimization module. See ME944984 for a hotfix applicable to Microsoft Windows Server 2003.
Nicolai Baral Müller
After several weeks of trying to eliminate this error, I started to read about computer accounts in a MCSA/MCSE book. By accident, I found the exact event described along with steps to alleviate this problem.
1. Reset the computer account (Active Directory Users & Computers).
2. Join the affected computer to a Workgroup.
3. Join the computer to the Domain.
This eliminated the event for me.
In my case, AVG AntiVirus caused this problem. Reinstalling it stopped this event from occurring.
This problem occurred on several machines on my Network and was caused by the Security Update for Windows XP (KB925902) installed on 04/05/2007. Uninstalling the update stopped this event from occurring.
As per Microsoft: "This issue may occur if Microsoft Windows or third-party programs such as printer drivers or virus scanners do not stop and release resources when you log off your computer". See ME837115 for more details.
From a newsgroup post: "I discovered that once I installed the facsimile application in Windows XP home edition, by default a small program runs in the background and listens on your com port for incoming calls via the modem. Although I thought this was wonderful, what I did not realize, was that this small process was the culprit regarding the slow shutdown or reboot. I went into the services console and configured the process "fxssvc.exe" to use the local service account via the properties sheet and then the logon tab. From now on, this little application will not be used unless I run the facsimile program. At least that is what I believe. Before, it started up automatically during the boot process and then had trouble shutting down in time when Windows wanted to end my current session. Everything is working fine now".
From a newsgroup post: "In my case the problem was caused by the WebClient Service. I set it to manual and then this error started to occur. Setting it back to Automatic fixed it".
From a newsgroup post: "This issue may occur if you have installed Veritas Software on your SBS 2003 server. If this is the case, please remove the program to see if it fixes the problem.
The issue can also be caused by the incorrect content of the “script.bks” file. Open the Small Business Backup Script.bks file with the notepad. If you see:
JET SERVERNAME\Microsoft Information Store\Recovery Storage Group\ ,
this problem will appear because NTbackup is not able to back up the Recovery Storage Group either via the script or directly via the NTbackup GUI. To correct it, you can use NTbackup to remove Recovery Storage Group reference from the backup selection script:
1. Start -> Run -> NTBackup -> Advanced Mode -> Backup tab -> Job -> Load Selections.
2. Select Small Business Backup Script.bks
3. Click OK on the error message: “Some invalid selections found in C:\Program Files\Microsoft Windows Small Business Server\Backup\Small Business Backup Script.bks”.
4. Job -> Save Selections".
This event seems to appear in conjunction with event 1524. Check "EventID 1524 from source Userenv" for more details.
See ME888318 and the link to "Windows XP Shutdown and Restart Troubleshooting" for additional information on this event.
In my case, the keyboard was the cause of this event. I couldn`t replace it because I didn't have another keyboard to try. I decided to go into Device Manager and uninstall the "HID Keyboard Device" and the "Standard 101/102-key or Microsoft Natural PS/2 Keyboard" and have Windows XP reinstall them on reboot. Believe it or not, this solved my problem.
In my case, this event appeared on several PCs with BrSplService for Brother-Printers. To resolve this problem, I set the Spooler Service and BrSplService to manual and reinstalled the Brother printer driver, then activated the two services again.
In my case, this problem was caused by InstallShield’s automatic updater (issch.exe). I removed it from the registry under the Run key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run) and the problem was solved.
On my computer, Logitech Itouch was the culprit. Logitech says they will release a newer version (the problematic one is 2.15), but until then I have disabled the program.
Logitech iTouch Version: v2.22 build 289 is now available from Logitech; see the link below to download it.
I have written a freeware service (UPHClean) which monitors for user logging out and insures that user profile hive handles that are opened are closed. It logs what process was holding the handle and what the key name was. If you are really interest in details it can even get a call stack, which will give you the code path where the handle was opened. Ultimately, UPHClean closing these handles allows the system (Userenv) to unload the profile normally and no 1517 or 1524 event is logged. UPHClean can also be used in a report mode where it will not take any action but will still log the information about process and key (and optionally call stack) so you can still find out what is causing the 1517 or 1524 event without being worried that it will cause other problems. Thousands of people have used UPHClean already. See the link to "User Profile Hive Cleanup Service" to download it.
Kaspersky Anti-Virus Personal 5.0.121 caused this warning in my case. This problem appeared only after performing a virus update. The problem did not occur with the previous versions. Maybe a future update will clear this problem.
I got this warning after creating, and misspelling, a new entry in the registry. For those that are interested, I tried to disable balloon tips. See the link to Windows XP interface for more details. Correcting the spelling solved this problem.
I have had problems with this for months. Finally, I set the print spooler to manual and the problem has disappeared.
I had this exact problem. Mine turned out to be cause by the drivers that came with a Logitech Elite Keyboard. I uninstalled the drivers for the device and my problem went away. Now I am using just the generic Windows drivers for the keyboard.
In my case, this was caused by Automatic Updates Service on Windows XP when the computer has no internet connection. Simply setting this service to disable (or stop) resolved this warning.
On my computer it was the service "TrueVector Internet Monitor" (Zone Alarm). Changing the account from LocalSystem to NT AUTHORITY\NetworkService solved the problem.
This error can appear after you run Sysprep on an installation of Win XP. See ME810616 for more information.
I was able to get rid of this error by following the indications in the description not only in the services that are running but also that are stopped.
You may try to just do what Windows wants. Config all services, even disabled or stopped to run in either LocalService or NetworkService account.
Jimmie L. Scott
In Win XP Pro, I changed the environment variables "Temp = %USERPROFILE%\Local Settings\Temp" and "Tmp = %USERPROFILE%\Local Settings\Tmp" in the user profile to "Temp = %SystemRoot%\TEMP" and "Tmp = %SystemRoot%\TMP" and it has stopped this warning in my events.
Can occur when a service set to run at shutdown is timing out. Does not seem to cause any actual problems, however.
In my case, this was caused by NVidia application configured to run at startup. I was got rid of the error by deleting the following NVidia items under
"NvCplDaemon"="RUNDLL32.EXE NvQTwk, NvCplDaemon initialize"
They came within the NVidia Detonator driver.
What I found is that this issue was caused by the way I configured the regional settings. During the setup I adjusted the "Standards and Formats" to my regional location and removed "English (United States)" as the default standard and format. Once I changed this back to English, the error disappeared from the event log. In summary, it seems as long as you do not delete "English (United States)" as the default regional standard this error will not occur. Tested in XP Home and XP Pro both final released editions.
I was recieving this error on Windows XP (Home Edition) only when Norton Antivirus 2002 was installed. Turns out it was caused by the "Scan floppy disk in A: for boot viruses when shutting down." setting being checked. This can be found under Auto-Protect, Advanced. Unchecking this got rid of this error in my event log.
Turned out to be the fax service. After shutting it down, the problem resolved itself.
After installing XP SP1 this error started to occur. I fixed it after I set webclient service to "Automatic".
This happened when I disabled the "computer Browser" service. Simply setting this service back to Automatic resolved this error.
|Private comment: Subscribers only. See example of private comment|
|Links: EventID 1524 from source Userenv, Windows XP interface, User Profile Hive Cleanup Service, Logitech iTouch Version: v2.22 build 289, Windows XP Shutdown and Restart Troubleshooting|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (7) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated