If you have SP4, you can take advantage of some new features to identify
the culprit.
1. Obtain and install the Sysinternals DbgView program. For information
about how to do so, please visit the following Sysinternals Web site:
http://www.sysinternals.com/ntw2k/freeware/debugview.shtml
Microsoft provides third-party contact information to help you find
technical support. This contact information may change without notice.
Microsoft does not guarantee the accuracy of this third-party contact
information.
2. Apply SP4 on the target computer.
3. Run DbgView on a remote computer, and then connect to the problem
computer.
4. To connect to the problem computer remotely by using DbgView, you may
have to first connect to its ipc$ share by using the "net use
\\<problem_computer>\ipc$" (without the quotation marks) command.
Connecting by using the IP address may not work. Optionally, you can have
DbgView save the information to a log file. Remember to set the maximum
log file size.
5. Wait for the problem to occur. You may not see any output in DbgView
until the problem occurs. You may sometimes see some DLLs being loaded,
but you can ignore this output.
Sample Output in DbgView When the Problem Occurs
------------------------------------------------
Note the process name in the debug statements:

Subkeys open inside the hive (e1c09788) (Settings\Administrator\ntuser.dat) :
  Process 81e78940 (PID = e0 ImageFileName = WINLOGON.EXE) (KCB = e1c0cb88) :: Key \REGISTRY\USER\S-1-5-21-73586283-1767777339-839522115-500
  Process 81b8b4a0 (PID = 358 ImageFileName = WinMgmt.exe) (KCB = e1bd3be8) :: Key \REGISTRY\USER\S-1-5-21-73586283-1767777339-839522115-500\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\Windows
Winmgmt.exe is the problem in this case. Note that Winlogon.exe has the
SID key open only because Winmgmt.exe has a subkey open under the SID key.
Good Luck!
--Shawn
This posting is provided "AS IS" with no warranties and confers no rights.
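The post's reading of the DbgView output, as an added example that is not part of the original posting: a small Python parser for the "Process ... :: Key ..." lines the SP4 hive diagnostic emits, which separates processes holding a subkey beneath the hive's SID root (the real culprits) from processes that hold only the root key (held open, as the post explains, merely because someone else has a child open). The sample text is constructed in the format of the post's output and includes a hypothetical unrelated line to show it is skipped; PIDs are parsed as hexadecimal because the diagnostic prints them that way (e0 in the post). A saved DbgView log usually carries a sequence number and timestamp in front of each line, which is why the pattern is searched rather than anchored at column 0.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample modelled on the post's DbgView output (not a real capture).
# The last line is a hypothetical piece of unrelated DbgView noise to be ignored.
SAMPLE_DBGVIEW = (
    "Subkeys open inside the hive (e1c09788) (Settings\\Administrator\\ntuser.dat) :\n"
    "Process 81e78940 (PID = e0 ImageFileName = WINLOGON.EXE) (KCB = e1c0cb88) :: Key "
    "\\REGISTRY\\USER\\S-1-5-21-73586283-1767777339-839522115-500\n"
    "Process 81b8b4a0 (PID = 358 ImageFileName = WinMgmt.exe) (KCB = e1bd3be8) :: Key "
    "\\REGISTRY\\USER\\S-1-5-21-73586283-1767777339-839522115-500\\SOFTWARE\\MICROSOFT"
    "\\WINDOWS NT\\CURRENTVERSION\\Windows\n"
    "LDR: loading some.dll (hypothetical noise line)\n"
)

# One open-key record per "Process ... :: Key ..." line.  The EPROCESS and KCB
# addresses are captured but not needed for attribution.
PROCESS_RE = re.compile(
    r"Process\s+(?P<eproc>[0-9a-fA-F]+)\s+"
    r"\(PID = (?P<pid>[0-9a-fA-F]+)\s+ImageFileName = (?P<image>[^)]+)\)\s+"
    r"\(KCB = (?P<kcb>[0-9a-fA-F]+)\)\s+::\s+Key\s+(?P<key>.+?)\s*$"
)


class OpenKey(NamedTuple):
    pid: int
    image: str
    key: str


def parse_open_keys(text: str) -> List[OpenKey]:
    """Extract (pid, image, key) from every open-key line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = PROCESS_RE.search(line)
        if m:
            # The diagnostic prints PIDs in hex (e0 in the post), so parse base 16.
            found.append(OpenKey(int(m["pid"], 16), m["image"].strip(), m["key"].strip()))
    return found


def identify_holders(keys: List[OpenKey]) -> Dict[str, List[Tuple[int, str]]]:
    """Split holders into culprits (a subkey under the hive root is open) and
    root-only holders (only the \\REGISTRY\\USER\\<SID> key itself is open).

    The hive root is taken to be the shortest key path reported, which is the
    SID key in the post's output.  Comparison is case-insensitive because
    registry paths are.
    """
    if not keys:
        return {"culprits": [], "root_only": []}
    root = min((k.key for k in keys), key=len).upper()
    per_process = defaultdict(set)
    for k in keys:
        per_process[(k.pid, k.image)].add(k.key.upper())
    culprits, root_only = [], []
    for proc, held in per_process.items():
        if any(key.startswith(root + "\\") for key in held):
            culprits.append(proc)
        else:
            root_only.append(proc)
    return {"culprits": sorted(culprits), "root_only": sorted(root_only)}


def identify(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Convenience wrapper: raw DbgView text in, culprit / root-only lists out."""
    return identify_holders(parse_open_keys(text))


if __name__ == "__main__":
    result = identify(SAMPLE_DBGVIEW)
    for pid, image in result["culprits"]:
        print(f"culprit: {image} (PID {pid}, 0x{pid:x}) holds a subkey under the hive root")
    for pid, image in result["root_only"]:
        print(f"root-only: {image} (PID {pid}, 0x{pid:x}) holds just the SID key")
```

On the constructed sample this reports WinMgmt.exe as the culprit and WINLOGON.EXE as a root-only holder, matching the post's explanation. Point it at a saved DbgView log (read the file and pass its text to identify) to get the same split for a real capture.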