Almost Every boot: one of the files containing the system's registry....

[J]

Almost every boot this error is displayed:

One of the files containing the system's registry data had to be recovered by use of a log or alternate copy. The recovery was
successful.

2 users on the computer. I am using TweakUI to auto-logon one of the users.

Most boots the welcome screen is displayed.

I have set restore points. But it appears this is not where the "log or alternate copy" is obtained.

What else is being "forgotten."

Not doubt this is a symptom of some problem.

I have scanned for viruses, spyware, adware,... none found.

AOL is on this box. Had to manually remove MacAfee AV. And having other weird behaviors.

I have reseated all cards and cables and ram chips.

I have performed a repair from the XP disk. I have applied SP2. I have updated all windows things.

Many checkdisk/surface tests.

And so on.

(This is a client's computer.)

Got Ideas?

J

 

[Gerry Cornell]

Please look in the System and Application logs in Event Viewer for
Warning and Error Reports over the last 2 days use and post copies here.

You can access Event Viewer by selecting Start, Administrative Tools, and
Event Viewer. When researching the meaning of the error, information
regarding Event ID, Source and Description are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;enus;308427&Product=winxp

Part of the Description of the error will include a link, which you should
double click for further information. You can copy using copy and paste.
Often the link will, however, say there is no further information.
http://go.microsoft.com/fw.link/events.asp
(Please note the hyperlink above is for illustration purposes only)

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window, which appears is a
button resembling two pages. Double click the button and close Event
Viewer. Now start your message (email) and do a paste into the body
of the message. This will paste the info from the Event Viewer Error
Report complete with links into the message. Make sure this is the first
paste after exiting from Event Viewer.


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.



~~~~~~~~~~~~~~~~~~~~~~~~

 

[Rock]

Almost every boot this error is displayed:

One of the files containing the system's registry data had to be recovered by use of a log or alternate copy. The recovery was
successful.

2 users on the computer. I am using TweakUI to auto-logon one of the users.

Most boots the welcome screen is displayed.

I have set restore points. But it appears this is not where the "log or alternate copy" is obtained.

What else is being "forgotten."

Not doubt this is a symptom of some problem.

I have scanned for viruses, spyware, adware,... none found.

AOL is on this box. Had to manually remove MacAfee AV. And having other weird behaviors.

I have reseated all cards and cables and ram chips.

I have performed a repair from the XP disk. I have applied SP2. I have updated all windows things.

Many checkdisk/surface tests.

And so on.

(This is a client's computer.)

Got Ideas?

J

How to Troubleshoot Registry Corruption Issues
http://support.microsoft.com/?id=822705

 

[PA Bear]

Had to manually remove MacAfee AV. And having other

weird behaviors

And with what AV did you replace McAfee? What "other weird behaviors"?

 

[J]

A number of these:
source userenv
event id 1517
NT authority\system

Windows saved user Geoffry registry while an application or service was still using the registry during log off,....

This is often caused by services running as a user account try configuring the services to run in either localservice or
networkservice account.

The help page connected to a page describing the User Profile Hive Cleanup Service.
Is this a good thing?

J



Please look in the System and Application logs in Event Viewer for
Warning and Error Reports over the last 2 days use and post copies here.

You can access Event Viewer by selecting Start, Administrative Tools, and
Event Viewer. When researching the meaning of the error, information
regarding Event ID, Source and Description are important.

HOW TO: View and Manage Event Logs in Event Viewer in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;enus;308427&Product=winxp

Part of the Description of the error will include a link, which you should
double click for further information. You can copy using copy and paste.
Often the link will, however, say there is no further information.
http://go.microsoft.com/fw.link/events.asp
(Please note the hyperlink above is for illustration purposes only)

A tip for posting copies of Error Reports! Run Event Viewer and double
click on the error you want to copy. In the window, which appears is a
button resembling two pages. Double click the button and close Event
Viewer. Now start your message (email) and do a paste into the body
of the message. This will paste the info from the Event Viewer Error
Report complete with links into the message. Make sure this is the first
paste after exiting from Event Viewer.


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.



~~~~~~~~~~~~~~~~~~~~~~~~

 

[Gerry Cornell]

J

For Event ID: 1517 download and install the User Profile Hive Cleanup
Service
Download details: User Profile Hive Cleanup Service
http://snipurl.com/5b61

UPHClean v1.5e readme.txt
http://snipurl.com/ko8m

It can speed up Shutdown.

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[Rock]

A number of these:
source userenv
event id 1517
NT authority\system

Windows saved user Geoffry registry while an application or service was still using the registry during log off,....

This is often caused by services running as a user account try configuring the services to run in either localservice or
networkservice account.

The help page connected to a page describing the User Profile Hive Cleanup Service.
Is this a good thing?

Yes the User Profile Hive Cleanup service works fine, though I don't
think it will affect your problem.

Troubleshooting profile unload issues
http://support.microsoft.com/?id=837115

To download and install UPHClean, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582

 

[Kerry Brown]

Almost every boot this error is displayed:

One of the files containing the system's registry data had to be
recovered by use of a log or alternate copy. The recovery was
successful.

2 users on the computer. I am using TweakUI to auto-logon one of the
users.

Most boots the welcome screen is displayed.

I have set restore points. But it appears this is not where the "log
or alternate copy" is obtained.

What else is being "forgotten."

Not doubt this is a symptom of some problem.

I have scanned for viruses, spyware, adware,... none found.

AOL is on this box. Had to manually remove MacAfee AV. And having
other weird behaviors.

I have reseated all cards and cables and ram chips.

I have performed a repair from the XP disk. I have applied SP2. I
have updated all windows things.

Many checkdisk/surface tests.

And so on.

(This is a client's computer.)

Got Ideas?

J

This is often caused by bad ram. Go to www.memtest.org and download either a
floppy or CD image of memtest86+. Create the media you downloaded, boot from
this media and run memtest86+ overnight to see if you get any errors.

Kerry

 

[J]

And with what AV did you replace McAfee?

I did some online scans. And installed the AOL security center, again.

None found during scans.

I installed MS antispyware, and Spybot: nothing found.

 

[J]

Yes the User Profile Hive Cleanup service works fine, though I don't
think it will affect your problem.

It has not.

 

[J]

This is often caused by bad ram.

Ran memtest86+. No problems.

===============================
The error message is displayed every time the computer boots, for each user.

From where is the file being copied?

Does this suggest the file being overwritten is corrupt?
Is there a way to copy the backup to overwrite the damaged file?

What else is there to do?

J

 

[Kerry Brown]

This is often caused
by bad ram.

Ran memtest86+. No problems.

===============================
The error message is displayed every time the computer boots, for
each user.

From where is the file being copied?

Does this suggest the file being overwritten is corrupt?
Is there a way to copy the backup to overwrite the damaged file?

What else is there to do?

J

If you have tested all the hardware and it tests good then it is most likely
something that is either writing to the registry or has the registry open at
shutdown. If you can't figure it out then a backup of data and a clean
install might sort it out. I'd still bet on hardware though.

Kerry

 

[Gerry Cornell]

J

What error reports are you getting since installing the User
Profile Hive Cleanup service. Can you please post full text
copies.

You mentioned two user profiles. Do the Errors occur
when you use the second profile or in a new third profile?

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 

[J]

3 surface scans have been performed.

Trouble shooter tested hard drive, cpu, mother board,...

During the past week I have
performed a OS repair
installed SP2
installed all updates
installed office XP updates

I have removed most of AOL

I have installed and run spy and virus scans

The computer appears to be working fine except for this error.


The UPHClean logged event:

event id 1401

the following handles were remapped :
svhost.exe (720)
HKCU (0x32c)
call stack data collection not enabled for this process


Backing up data is difficult: AOL is installed. I have never been able to find all the stuff related to this pest.
All the docs and such have been copied from the computer to another.

What about creating new and deleting old users? Except for the AOL files and such?

J

This is often caused
by bad ram.

Ran memtest86+. No problems.

===============================
The error message is displayed every time the computer boots, for
each user.

From where is the file being copied?

Does this suggest the file being overwritten is corrupt?
Is there a way to copy the backup to overwrite the damaged file?

What else is there to do?

J

If you have tested all the hardware and it tests good then it is most likely
something that is either writing to the registry or has the registry open at
shutdown. If you can't figure it out then a backup of data and a clean
install might sort it out. I'd still bet on hardware though.

Kerry

 

[Gerry Cornell]

J

Before running anti-spyware programmes in Safe Mode delete Temporary
Internet Files (IE Tools>Internet Options>General)
accepting the option to delete all offline content. Reboot and delete
contents of all TEMP folders and then your Recycle Bin.

After cleaning try HijackThis.

Install and run HijackThis:
Download HijackThis (Freeware)
http://tomcoyote.com/hjt/

Finally run HijackThis and post the HijackThis log to the HijackThis
forum here:
http://aumha.net/

You will need to register with Aumha to be able to post.

--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~

 

[PA Bear]

Please do *not* post a HijackThis log in Aumha Forums without first taking
care of the preliminaries outlined in http://aumha.net/viewtopic.php?t=4075.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878

http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

 

[J]

Thank you for your reply

I have deleted all the temp files, many of times. Logged-on for both users and did this.

I deleted the page file and defragged.

===========================
Hijackthis shows nothing not OK.

However, it does generate an error upon loading:

=======================
UPHClean event log entry

The following handles in user profile hive SANDHILL\Jane (S-1-5-21-1214440339-492894223-839522115-1005) have been remapped because
they were preventing the profile from unloading successfully:

svchost.exe (736)
HKCU (0x318)
0x77e3b4b7 ADVAPI32!<no symbol>
0x77e072b1 ADVAPI32!IsTextUnicode+0x9cb4
0x77dd6b20 ADVAPI32!RegOpenKeyExW+0xa8
0x77dd773e ADVAPI32!RegOpenKeyW+0x2f
0x77ddb2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
0x77ddb296 ADVAPI32!SaferComputeTokenFromLevel+0x541
0x77dd9e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
0x7c818d2c kernel32!GetNlsSectionName+0x10cb
0x77df7838 ADVAPI32!CreateProcessAsUserW+0xc3
0x76a93acd rpcss!<no symbol>
0x76a93849 rpcss!<no symbol>
0x77e79dc9 RPCRT4!CheckVerificationTrailer+0x75
0x77ef321a RPCRT4!NdrStubCall2+0x215
0x77ef36ee RPCRT4!NdrServerCall2+0x19
0x77e7988c RPCRT4!NdrGetTypeFlags+0x1c9
0x77e797f1 RPCRT4!NdrGetTypeFlags+0x12e
0x77e7971d RPCRT4!NdrGetTypeFlags+0x5a
0x77e7bd0d RPCRT4!NdrConformantArrayFree+0x42e
0x77e7bb6a RPCRT4!NdrConformantArrayFree+0x28b
0x77e76784 RPCRT4!I_RpcBCacheFree+0x14c
0x77e76c22 RPCRT4!I_RpcBCacheFree+0x5ea
0x77e76a3b RPCRT4!I_RpcBCacheFree+0x403
0x77e76c0a RPCRT4!I_RpcBCacheFree+0x5d2
0x7c80b50b kernel32!GetModuleFileNameA+0x1b4
==================================================



J

Before running anti-spyware programmes in Safe Mode delete Temporary
Internet Files (IE Tools>Internet Options>General)
accepting the option to delete all offline content. Reboot and delete
contents of all TEMP folders and then your Recycle Bin.

After cleaning try HijackThis.

Install and run HijackThis:
Download HijackThis (Freeware)
http://tomcoyote.com/hjt/

Finally run HijackThis and post the HijackThis log to the HijackThis
forum here:
http://aumha.net/

You will need to register with Aumha to be able to post.

--


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Using invalid email address

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~

 

[J]

How do I determine what program/process is doing this.

I found many messages similar but no clear resolution.


UPHClean event log entry

The following handles in user profile hive SANDHILL\Jane (S-1-5-21-1214440339-492894223-839522115-1005) have been remapped because
they were preventing the profile from unloading successfully:

svchost.exe (736)
HKCU (0x318)
0x77e3b4b7 ADVAPI32!<no symbol>
0x77e072b1 ADVAPI32!IsTextUnicode+0x9cb4
0x77dd6b20 ADVAPI32!RegOpenKeyExW+0xa8
0x77dd773e ADVAPI32!RegOpenKeyW+0x2f
0x77ddb2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
0x77ddb296 ADVAPI32!SaferComputeTokenFromLevel+0x541
0x77dd9e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
0x7c818d2c kernel32!GetNlsSectionName+0x10cb
0x77df7838 ADVAPI32!CreateProcessAsUserW+0xc3
0x76a93acd rpcss!<no symbol>
0x76a93849 rpcss!<no symbol>
0x77e79dc9 RPCRT4!CheckVerificationTrailer+0x75
0x77ef321a RPCRT4!NdrStubCall2+0x215
0x77ef36ee RPCRT4!NdrServerCall2+0x19
0x77e7988c RPCRT4!NdrGetTypeFlags+0x1c9
0x77e797f1 RPCRT4!NdrGetTypeFlags+0x12e
0x77e7971d RPCRT4!NdrGetTypeFlags+0x5a
0x77e7bd0d RPCRT4!NdrConformantArrayFree+0x42e
0x77e7bb6a RPCRT4!NdrConformantArrayFree+0x28b
0x77e76784 RPCRT4!I_RpcBCacheFree+0x14c
0x77e76c22 RPCRT4!I_RpcBCacheFree+0x5ea
0x77e76a3b RPCRT4!I_RpcBCacheFree+0x403
0x77e76c0a RPCRT4!I_RpcBCacheFree+0x5d2
0x7c80b50b kernel32!GetModuleFileNameA+0x1b4
==================================================


J