PC Review


Reply
Thread Tools Rating: Thread Rating: 9 votes, 3.67 average.

Usrclass.dat Issue

 
 
Steven Hutchinson
Guest
Posts: n/a
 
      10th Feb 2005
Can anyone explain what the file usrclass.dat is involved with?

We are currently having random problems with users logging on to a terminal
server where the event viewer will report the following:

Source: Userenv
Event ID: 1000
Type: Error

Description:

RegLoadKey failed. Return value Access is denied. for C:\Documents and
Settings\Username\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

After running File Monitor and Registry Monitor from sysinternals I have
found that winlogon.exe attempts to query this file which is not found with
the problem profile and subsequently generates an Access Denied error from
registry monitor.

The only way I can seem to resolve this is by restarting the server which is
a bit inconvenient for the other 40 users on the server.. which seems to
indicate the profile is fine?

Any help would be greatly appreciated by me and our users.


 
Reply With Quote
 
 
 
 
John John
Guest
Posts: n/a
 
      11th Feb 2005
Seems that it may be an issue to do with registry size being too small.

http://www.eventid.net/display.asp?e...serenv&phase=1

John

Steven Hutchinson wrote:
> Can anyone explain what the file usrclass.dat is involved with?
>
> We are currently having random problems with users logging on to a terminal
> server where the event viewer will report the following:
>
> Source: Userenv
> Event ID: 1000
> Type: Error
>
> Description:
>
> RegLoadKey failed. Return value Access is denied. for C:\Documents and
> Settings\Username\Local Settings\Application
> Data\Microsoft\Windows\\UsrClass.dat
>
> After running File Monitor and Registry Monitor from sysinternals I have
> found that winlogon.exe attempts to query this file which is not found with
> the problem profile and subsequently generates an Access Denied error from
> registry monitor.
>
> The only way I can seem to resolve this is by restarting the server which is
> a bit inconvenient for the other 40 users on the server.. which seems to
> indicate the profile is fine?
>
> Any help would be greatly appreciated by me and our users.
>
>

 
Reply With Quote
 
 
 
 
John John
Guest
Posts: n/a
 
      11th Feb 2005
By the way... delete unused profiles. usrclass.dat stores profile
information. Profiles are pretty large. Profiles are dynamic, they
grow with the user.

John

John John wrote:

> Seems that it may be an issue to do with registry size being too small.
>
> http://www.eventid.net/display.asp?e...serenv&phase=1
>
>
> John
>
> Steven Hutchinson wrote:
>
>> Can anyone explain what the file usrclass.dat is involved with?
>>
>> We are currently having random problems with users logging on to a
>> terminal server where the event viewer will report the following:
>>
>> Source: Userenv
>> Event ID: 1000
>> Type: Error
>>
>> Description:
>>
>> RegLoadKey failed. Return value Access is denied. for C:\Documents and
>> Settings\Username\Local Settings\Application
>> Data\Microsoft\Windows\\UsrClass.dat
>>
>> After running File Monitor and Registry Monitor from sysinternals I
>> have found that winlogon.exe attempts to query this file which is not
>> found with the problem profile and subsequently generates an Access
>> Denied error from registry monitor.
>>
>> The only way I can seem to resolve this is by restarting the server
>> which is a bit inconvenient for the other 40 users on the server..
>> which seems to indicate the profile is fine?
>>
>> Any help would be greatly appreciated by me and our users.
>>

 
Reply With Quote
 
Mark V
Guest
Posts: n/a
 
      11th Feb 2005
In microsoft.public.win2000.registry Steven Hutchinson wrote:

> Can anyone explain what the file usrclass.dat is involved with?


It is one of two User registry hive files and stores per-user CLASS
information. This can be quite useful in a TS environment. It is
represented at
HKEY_CURRENT_USER\Software\Classes

>
> We are currently having random problems with users logging on to
> a terminal server where the event viewer will report the
> following:
>
> Source: Userenv
> Event ID: 1000

[ ]
> RegLoadKey failed. Return value Access is denied. for
> C:\Documents and Settings\Username\Local Settings\Application
> Data\Microsoft\Windows\\UsrClass.dat


Aside from the double backslash (presumed typo.) Access Denied
usually implies a permissions issue. Possibly in the file's ACLs
or in the registry hive file's internal registry ACLs. Both should
be investigated.

[ ]
> The only way I can seem to resolve this is by restarting the
> server which is a bit inconvenient for the other 40 users on the
> server.. which seems to indicate the profile is fine?


Are you saying this is specific to a single account? If so,
replace or rebuild the profile for that one account seems to make
the most sense to me as I currently understand the situation.

 
Reply With Quote
 
Steven Hutchinson
Guest
Posts: n/a
 
      15th Feb 2005
Thanks for your responses. With your help I have tracked this problem down
to what I think is a locked registry key.

In HCU\Software\Classes, there is a list of SID's and their associated
classes key. The accounts that are having this problem have a remaining key
SID_Classes which I cannot delete.

I have checked all of the permissions and taken ownership of the objects in
attempt to delete them but still no luck. I guess there is something
accessing the key which is preventing me from deleting.

Is anyone aware of a way to determine what is accessing this key?

I have tried regmon and filemon from sysinternals but they dont show
anything to be accessing these keys.

Failing this is there a way I can forceable remove these keys without
restarting the server. Until I can find what is preventing these keys from
unloading at logoff, it would be very handy as a short term fix.

Any suggestions greatly appreciated..


"Mark V" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In microsoft.public.win2000.registry Steven Hutchinson wrote:
>
>> Can anyone explain what the file usrclass.dat is involved with?

>
> It is one of two User registry hive files and stores per-user CLASS
> information. This can be quite useful in a TS environment. It is
> represented at
> HKEY_CURRENT_USER\Software\Classes
>
>>
>> We are currently having random problems with users logging on to
>> a terminal server where the event viewer will report the
>> following:
>>
>> Source: Userenv
>> Event ID: 1000

> [ ]
>> RegLoadKey failed. Return value Access is denied. for
>> C:\Documents and Settings\Username\Local Settings\Application
>> Data\Microsoft\Windows\\UsrClass.dat

>
> Aside from the double backslash (presumed typo.) Access Denied
> usually implies a permissions issue. Possibly in the file's ACLs
> or in the registry hive file's internal registry ACLs. Both should
> be investigated.
>
> [ ]
>> The only way I can seem to resolve this is by restarting the
>> server which is a bit inconvenient for the other 40 users on the
>> server.. which seems to indicate the profile is fine?

>
> Are you saying this is specific to a single account? If so,
> replace or rebuild the profile for that one account seems to make
> the most sense to me as I currently understand the situation.
>



 
Reply With Quote
 
Mark V
Guest
Posts: n/a
 
      15th Feb 2005
In microsoft.public.win2000.registry Steven Hutchinson wrote:

> "Mark V" <(E-Mail Removed)> wrote in message
>> In microsoft.public.win2000.registry Steven Hutchinson wrote:
>>
>>> Can anyone explain what the file usrclass.dat is involved
>>> with?

>>
>> It is one of two User registry hive files and stores per-user
>> CLASS information. This can be quite useful in a TS
>> environment. It is represented at
>> HKEY_CURRENT_USER\Software\Classes
>>
>>>
>>> We are currently having random problems with users logging on
>>> to a terminal server where the event viewer will report the
>>> following:
>>>
>>> Source: Userenv
>>> Event ID: 1000

>> [ ]
>>> RegLoadKey failed. Return value Access is denied. for
>>> C:\Documents and Settings\Username\Local Settings\Application
>>> Data\Microsoft\Windows\\UsrClass.dat

>>
>> Aside from the double backslash (presumed typo.) Access Denied
>> usually implies a permissions issue. Possibly in the file's
>> ACLs or in the registry hive file's internal registry ACLs.
>> Both should be investigated.
>>
>> [ ]
>>> The only way I can seem to resolve this is by restarting the
>>> server which is a bit inconvenient for the other 40 users on
>>> the server.. which seems to indicate the profile is fine?

>>
>> Are you saying this is specific to a single account? If so,
>> replace or rebuild the profile for that one account seems to
>> make the most sense to me as I currently understand the
>> situation.


> Thanks for your responses. With your help I have tracked this
> problem down to what I think is a locked registry key.
>
> In HCU\Software\Classes, there is a list of SID's and their
> associated classes key. The accounts that are having this
> problem have a remaining key SID_Classes which I cannot delete.


This is not so clear. In HKCU\software\classes one would normally
find CLSID (Class IDs) not Security IDs as data. Are you refering
to HKU entries for accounts as listed by their SIDs? This seem the
most likely.

> I have checked all of the permissions and taken ownership of the
> objects in attempt to delete them but still no luck. I guess
> there is something accessing the key which is preventing me from
> deleting.


This sounds more and more like a locked registry key(s) in any
given user account's "classes" hive. Something that may be
addressable using the User Profile Hive Cleanup Service from
Microsoft. AKA "UPHClean". Search at MS
"cannot unload hive", "uphclean", and others. Here are two by URL
http://www.microsoft.com/downloads/d...displaylang=en
http://support.microsoft.com/default...b;en-us;885958

Assuming I have correctly assesed your problem of course.

> Is anyone aware of a way to determine what is accessing this
> key?


UPHClean will also allow you to see what the problem process is while
forcing handles closed and permitting the unload operation to complete.

>
> I have tried regmon and filemon from sysinternals but they dont
> show anything to be accessing these keys.
>
> Failing this is there a way I can forceable remove these keys
> without restarting the server. Until I can find what is
> preventing these keys from unloading at logoff, it would be very
> handy as a short term fix.


I have no first-hand experience with UPHClean on Terminal Services
systems, but it does the trick for ordinary Windows 2000 and up
systems.

 
Reply With Quote
 
 
 
Reply

Thread Tools
Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Wireless issue? DNS issue? MS Update issue? WORLDe Windows XP General 1 14th Jan 2009 11:47 PM
Is this an OFFICE issue or XP issue?? dgs369 Windows XP Help 3 12th Jan 2004 03:14 AM
Is this an OFFICE issue or XP issue?? dgs369 Windows XP General 3 12th Jan 2004 03:14 AM
Is this an OFFICE issue or XP issue?? dgs369 Windows XP Help 1 11th Jan 2004 09:11 PM
Outlook issue, XP issue?? Rebecca Windows XP General 0 17th Nov 2003 12:37 PM


Features
 

Advertising
 

Newsgroups
 


All times are GMT +1. The time now is 10:08 PM.