Suspicious UserEnv Error

Patrick

There are persistent Userenv errors, as listed below, on a Win2K Server SP4
with the latest Service Pack, IIS5.0, SQL Server 2000 SP3, Symantec PC
Anywhere 10.5, Terminal Services, Domain Controller, McAfee Virus Scan
Enterprise 7.1.0.

It is suspicious in that the error occurs at 44 minutes past each hour,
although it does *not* correspond to any user logon/log-off, nor does it
correspond to any scheduled task, SQL Agent Jobs, Virus Update task.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 11/05/2004
Time: 08:44:41
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-NAME
Description:
Windows cannot unload your registry file. If you have a roaming profile,
your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).
 
Patrick

Btw, I do NOT use a roaming profile, but there are some interesting entries in
userenv.log which correspond to the time when the error is logged in Event
Viewer!

USERENV(6ac.6b0) 10:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 10:45:53:828 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
Windows will try unloading the registry hive once a second for the next 60
seconds (max).
USERENV(6ac.e48) 10:46:53:859 MyRegUnLoadKey: Windows was not able to unload
the registry hive.
USERENV(6ac.e48) 10:46:53:859 MyRegUnLoadKey: Failed to unmount hive 5
USERENV(6ac.e48) 10:46:53:859 UnloadUserProfile: Didn't unload user profile
<err = 5>
USERENV(6ac.e48) 10:46:53:859 DumpOpenRegistryHandle: 2 user registry
Handles leaked from
\Registry\User\S-1-5-21-484763869-1078081533-839522115-500
USERENV(6ac.6b0) 11:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 11:45:57:718 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
Windows will try unloading the registry hive once a second for the next 60
seconds (max).
USERENV(6ac.e48) 11:46:57:718 MyRegUnLoadKey: Windows was not able to unload
the registry hive.
USERENV(6ac.e48) 11:46:57:718 MyRegUnLoadKey: Failed to unmount hive 5
USERENV(6ac.e48) 11:46:57:718 UnloadUserProfile: Didn't unload user profile
<err = 5>
USERENV(6ac.e48) 11:46:57:718 DumpOpenRegistryHandle: 2 user registry
Handles leaked from
\Registry\User\S-1-5-21-484763869-1078081533-839522115-500
USERENV(6ac.6b0) 12:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 12:45:55:718 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
Windows will try unloading the registry hive once a second for the next 60
seconds (max).
USERENV(6ac.e48) 12:46:55:734 MyRegUnLoadKey: Windows was not able to unload
the registry hive.
USERENV(6ac.e48) 12:46:55:734 MyRegUnLoadKey: Failed to unmount hive 5
USERENV(6ac.e48) 12:46:55:734 UnloadUserProfile: Didn't unload user profile
<err = 5>
USERENV(6ac.e48) 12:46:55:734 DumpOpenRegistryHandle: 2 user registry
Handles leaked from
\Registry\User\S-1-5-21-484763869-1078081533-839522115-500
USERENV(6ac.6b0) 13:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 13:46:02:015 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
Windows will try unloading the registry hive once a second for the next 60
seconds (max).
USERENV(6ac.e48) 13:47:02:015 MyRegUnLoadKey: Windows was not able to unload
the registry hive.
USERENV(6ac.e48) 13:47:02:015 MyRegUnLoadKey: Failed to unmount hive 5
USERENV(6ac.e48) 13:47:02:015 UnloadUserProfile: Didn't unload user profile
<err = 5>
USERENV(6ac.e48) 13:47:02:015 DumpOpenRegistryHandle: 2 user registry
Handles leaked from
\Registry\User\S-1-5-21-484763869-1078081533-839522115-500
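
An added example, not part of the original posts: a small Python parser for the userenv.log excerpt above that rejoins the wrapped lines, groups failed hive unloads by SID, and checks whether they recur on a fixed interval. The function names and the 120-second tolerance are assumptions made for this illustration.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"USERENV\(\w+\.\w+\) (\d\d):(\d\d):(\d\d):\d{3} (.*)")
SID = re.compile(r"S-1-5-21(?:-\d+)+")
# Abbreviated lines from the excerpt above, line wrapping kept as posted.
SAMPLE = r"""
USERENV(6ac.6b0) 10:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 10:45:53:828 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
USERENV(6ac.6b0) 11:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 11:45:57:718 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
USERENV(6ac.6b0) 12:45:00:015 Profile was loaded but the Ref Count is 1 !!!
USERENV(6ac.e48) 12:45:55:718 MyRegUnLoadKey: Hive unload for
S-1-5-21-484763869-1078081533-839522115-500 failed due to open registry key.
"""

def parse(text):
    """Rejoin wrapped lines; return (seconds_of_day, message) per log entry."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("USERENV("):
            joined.append(line)
        elif line and joined:
            joined[-1] += " " + line  # continuation of a wrapped entry
    out = []
    for m in filter(None, map(ENTRY.match, joined)):
        hh, mm, ss, msg = m.groups()
        out.append((int(hh) * 3600 + int(mm) * 60 + int(ss), msg))
    return out

def failed_unloads(text):
    """Map each SID to the times (seconds of day) its hive unload failed."""
    hits = defaultdict(list)
    for t, msg in parse(text):
        sid = SID.search(msg)
        if "Hive unload for" in msg and sid:
            hits[sid.group()].append(t)
    return dict(hits)

def is_periodic(times, period=3600, tolerance=120):
    """True when every gap between failures is within tolerance of period."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps)

if __name__ == "__main__":
    print({s: is_periodic(t) for s, t in failed_unloads(SAMPLE).items()})
```
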
 
Patrick

Looks like S-1-5-21-484763869-1078081533-839522115-500 = "Administrator"
Domain Users (note it does NOT have admin rights!)
 
Steve Parry [MVP]

Patrick said:
There are persistent Userenv errors, as listed below, on a Win2K Server
SP4 with the latest Service Pack, IIS5.0, SQL Server 2000 SP3,
Symantec PC Anywhere 10.5, Terminal Services, Domain Controller,
McAfee Virus Scan Enterprise 7.1.0.

It is suspicious in that the error occurs at 44 minutes past each
hour, although it does *not* correspond to any user logon/log-off,
nor does it correspond to any scheduled task, SQL Agent Jobs, Virus
Update task.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 11/05/2004
Time: 08:44:41
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-NAME
Description:
Windows cannot unload your registry file. If you have a roaming
profile, your settings are not replicated. Contact your administrator.

DETAIL - Access is denied. , Build number ((2195)).


Refer to

http://support.microsoft.com/default.aspx?scid=kb;en-us;837115&Product=win2000

Hope that helps
 
Vicrota

Could you check NTFS permissions on profiles? I'm having
the problem you are suffering, and also NTFS permissions on
profiles have been modified. Users can read other users'
profiles.
 
