Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1542 Source: User Profile Service

Level
Description
Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.
Comments
 
Some support forum posts suggest that this problem might be caused by corrupt user registry files (ntuser.dat). The preferred solution would be to restore this file from backup. In some cases it appeared that the file was corrupted due to Symantec antivirus not releasing the registry files properly. Symantec provided a fix for this but still the ntuser.dat had to be recreated or restored.

A post about recreating the corrupted registry file: "This worked for me. Log on using a diferent account. run regedit (this edits the registry). Go to KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList there is a list of SIDs here. These security IDs are what links the user account to the profile. Each user account has a SID. Click on the SIDs and you will see a ProfileImagePath key in the right hand key. Use this to figure out the effected profile. It will say something like %SystemDrive%\Users\username write this down you will need it later. Once you know which user account the SID is for. Delete the SID from the profile list hive (just right click on it and hit delete). Now restart and log on as the user you couldn't log in as. It will create a new profile all your settings will be gone. Log off and log back on as a local admin. Go back to regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList again. This was repopulated when you logged back on. Now select profile image path and set it back to what it was originally. See if you can log back in as the user."

For a generic description of the "The system cannot find the file specified" problem see the comments for Error code 2.
A suggested workaround from a Microsoft engineer:

Perform the following steps and see whether the issue continues.

Perform clean boot on Windows server 2008.:
A. Click Start | Run and type "msconfig" (no quotes) and press enter.
B. Click services from the tab, check the check box of "Hide All Microsoft Services", and then click "Disable all"
C. Click Startup from the tab, then click "Disable all"
D. Click "OK" and follow the instructions to Restart Computer, after rebooting if
you get a prompt dialog of System Configuration, please check the check box in the
dialog and click "OK".

As a temporary work around we have carried out the following:
Disable the "User Profile Service".
Reboot.
Log on with local admin account.
Remove the problematic profiles.
Remove reference to the specific problematic profiles from registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Log off
Log on with local admin account.
Set "User profile Service" to start automatically.
Reboot
Log back on as problematic account and changes have been saved.

This is a work around only

* * *

Another post from a support engineer:
Based on my research, this issue can potentially be caused by the following:

1) The profile is corrupted.
2) The  UsrClass.dat file at the following location is missing: %userprofile%\AppData\Local\Microsoft\Windows.
3) Folder redirection is enabled to redirect Application Data folder into a Roaming Profile.

To resolve this issue, I would like to suggest:

1) Locate the folder: %userprofile%\AppData\Local\Microsoft\Windows, verify if UsrClass.dat is present.
2) Create a new user profile and fix the corrupted user profile (as described in EV100119).

BTW, if the issue persists, try the following work around:
1) Disable the "User Profile Service".
2) Reboot.
3) Log on with local admin account.
4) Remove the problematic profiles.
5) Remove reference to the specific problematic profiles from registry at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileListLogoff

6) Log on with local admin account.
7) Set "User profile Service" to start automatically.
8) Reboot.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...