Usrclass.dat Issue

Discussion in 'Microsoft Windows 2000 Registry Archive' started by Steven Hutchinson, Feb 10, 2005.

  1. Can anyone explain what the file usrclass.dat is involved with?

    We are currently having random problems with users logging on to a terminal
    server where the event viewer will report the following:

    Source: Userenv
    Event ID: 1000
    Type: Error

    Description:

    RegLoadKey failed. Return value Access is denied. for C:\Documents and
    Settings\Username\Local Settings\Application
    Data\Microsoft\Windows\\UsrClass.dat

    After running File Monitor and Registry Monitor from sysinternals I have
    found that winlogon.exe attempts to query this file which is not found with
    the problem profile and subsequently generates an Access Denied error from
    registry monitor.

    The only way I can seem to resolve this is by restarting the server which is
    a bit inconvenient for the other 40 users on the server.. which seems to
    indicate the profile is fine?

    Any help would be greatly appreciated by me and our users.
     
    Steven Hutchinson, Feb 10, 2005
    #1
    1. Advertisements

  2. Steven Hutchinson

    John John Guest

    Seems that it may be an issue to do with registry size being too small.

    http://www.eventid.net/display.asp?eventid=1000&eventno=3687&source=Userenv&phase=1

    John

    Steven Hutchinson wrote:
    > Can anyone explain what the file usrclass.dat is involved with?
    >
    > We are currently having random problems with users logging on to a terminal
    > server where the event viewer will report the following:
    >
    > Source: Userenv
    > Event ID: 1000
    > Type: Error
    >
    > Description:
    >
    > RegLoadKey failed. Return value Access is denied. for C:\Documents and
    > Settings\Username\Local Settings\Application
    > Data\Microsoft\Windows\\UsrClass.dat
    >
    > After running File Monitor and Registry Monitor from sysinternals I have
    > found that winlogon.exe attempts to query this file which is not found with
    > the problem profile and subsequently generates an Access Denied error from
    > registry monitor.
    >
    > The only way I can seem to resolve this is by restarting the server which is
    > a bit inconvenient for the other 40 users on the server.. which seems to
    > indicate the profile is fine?
    >
    > Any help would be greatly appreciated by me and our users.
    >
    >
     
    John John, Feb 10, 2005
    #2
    1. Advertisements

  3. Steven Hutchinson

    John John Guest

    By the way... delete unused profiles. usrclass.dat stores profile
    information. Profiles are pretty large. Profiles are dynamic, they
    grow with the user.

    John

    John John wrote:

    > Seems that it may be an issue to do with registry size being too small.
    >
    > http://www.eventid.net/display.asp?eventid=1000&eventno=3687&source=Userenv&phase=1
    >
    >
    > John
    >
    > Steven Hutchinson wrote:
    >
    >> Can anyone explain what the file usrclass.dat is involved with?
    >>
    >> We are currently having random problems with users logging on to a
    >> terminal server where the event viewer will report the following:
    >>
    >> Source: Userenv
    >> Event ID: 1000
    >> Type: Error
    >>
    >> Description:
    >>
    >> RegLoadKey failed. Return value Access is denied. for C:\Documents and
    >> Settings\Username\Local Settings\Application
    >> Data\Microsoft\Windows\\UsrClass.dat
    >>
    >> After running File Monitor and Registry Monitor from sysinternals I
    >> have found that winlogon.exe attempts to query this file which is not
    >> found with the problem profile and subsequently generates an Access
    >> Denied error from registry monitor.
    >>
    >> The only way I can seem to resolve this is by restarting the server
    >> which is a bit inconvenient for the other 40 users on the server..
    >> which seems to indicate the profile is fine?
    >>
    >> Any help would be greatly appreciated by me and our users.
    >>
     
    John John, Feb 11, 2005
    #3
  4. Steven Hutchinson

    Mark V Guest

    In microsoft.public.win2000.registry Steven Hutchinson wrote:

    > Can anyone explain what the file usrclass.dat is involved with?


    It is one of two User registry hive files and stores per-user CLASS
    information. This can be quite useful in a TS environment. It is
    represented at
    HKEY_CURRENT_USER\Software\Classes

    >
    > We are currently having random problems with users logging on to
    > a terminal server where the event viewer will report the
    > following:
    >
    > Source: Userenv
    > Event ID: 1000

    [ ]
    > RegLoadKey failed. Return value Access is denied. for
    > C:\Documents and Settings\Username\Local Settings\Application
    > Data\Microsoft\Windows\\UsrClass.dat


    Aside from the double backslash (presumed typo.) Access Denied
    usually implies a permissions issue. Possibly in the file's ACLs
    or in the registry hive file's internal registry ACLs. Both should
    be investigated.

    [ ]
    > The only way I can seem to resolve this is by restarting the
    > server which is a bit inconvenient for the other 40 users on the
    > server.. which seems to indicate the profile is fine?


    Are you saying this is specific to a single account? If so,
    replace or rebuild the profile for that one account seems to make
    the most sense to me as I currently understand the situation.
     
    Mark V, Feb 11, 2005
    #4
  5. Thanks for your responses. With your help I have tracked this problem down
    to what I think is a locked registry key.

    In HCU\Software\Classes, there is a list of SID's and their associated
    classes key. The accounts that are having this problem have a remaining key
    SID_Classes which I cannot delete.

    I have checked all of the permissions and taken ownership of the objects in
    attempt to delete them but still no luck. I guess there is something
    accessing the key which is preventing me from deleting.

    Is anyone aware of a way to determine what is accessing this key?

    I have tried regmon and filemon from sysinternals but they dont show
    anything to be accessing these keys.

    Failing this is there a way I can forceable remove these keys without
    restarting the server. Until I can find what is preventing these keys from
    unloading at logoff, it would be very handy as a short term fix.

    Any suggestions greatly appreciated..


    "Mark V" <> wrote in message
    news:...
    > In microsoft.public.win2000.registry Steven Hutchinson wrote:
    >
    >> Can anyone explain what the file usrclass.dat is involved with?

    >
    > It is one of two User registry hive files and stores per-user CLASS
    > information. This can be quite useful in a TS environment. It is
    > represented at
    > HKEY_CURRENT_USER\Software\Classes
    >
    >>
    >> We are currently having random problems with users logging on to
    >> a terminal server where the event viewer will report the
    >> following:
    >>
    >> Source: Userenv
    >> Event ID: 1000

    > [ ]
    >> RegLoadKey failed. Return value Access is denied. for
    >> C:\Documents and Settings\Username\Local Settings\Application
    >> Data\Microsoft\Windows\\UsrClass.dat

    >
    > Aside from the double backslash (presumed typo.) Access Denied
    > usually implies a permissions issue. Possibly in the file's ACLs
    > or in the registry hive file's internal registry ACLs. Both should
    > be investigated.
    >
    > [ ]
    >> The only way I can seem to resolve this is by restarting the
    >> server which is a bit inconvenient for the other 40 users on the
    >> server.. which seems to indicate the profile is fine?

    >
    > Are you saying this is specific to a single account? If so,
    > replace or rebuild the profile for that one account seems to make
    > the most sense to me as I currently understand the situation.
    >
     
    Steven Hutchinson, Feb 15, 2005
    #5
  6. Steven Hutchinson

    Mark V Guest

    In microsoft.public.win2000.registry Steven Hutchinson wrote:

    > "Mark V" <> wrote in message
    >> In microsoft.public.win2000.registry Steven Hutchinson wrote:
    >>
    >>> Can anyone explain what the file usrclass.dat is involved
    >>> with?

    >>
    >> It is one of two User registry hive files and stores per-user
    >> CLASS information. This can be quite useful in a TS
    >> environment. It is represented at
    >> HKEY_CURRENT_USER\Software\Classes
    >>
    >>>
    >>> We are currently having random problems with users logging on
    >>> to a terminal server where the event viewer will report the
    >>> following:
    >>>
    >>> Source: Userenv
    >>> Event ID: 1000

    >> [ ]
    >>> RegLoadKey failed. Return value Access is denied. for
    >>> C:\Documents and Settings\Username\Local Settings\Application
    >>> Data\Microsoft\Windows\\UsrClass.dat

    >>
    >> Aside from the double backslash (presumed typo.) Access Denied
    >> usually implies a permissions issue. Possibly in the file's
    >> ACLs or in the registry hive file's internal registry ACLs.
    >> Both should be investigated.
    >>
    >> [ ]
    >>> The only way I can seem to resolve this is by restarting the
    >>> server which is a bit inconvenient for the other 40 users on
    >>> the server.. which seems to indicate the profile is fine?

    >>
    >> Are you saying this is specific to a single account? If so,
    >> replace or rebuild the profile for that one account seems to
    >> make the most sense to me as I currently understand the
    >> situation.


    > Thanks for your responses. With your help I have tracked this
    > problem down to what I think is a locked registry key.
    >
    > In HCU\Software\Classes, there is a list of SID's and their
    > associated classes key. The accounts that are having this
    > problem have a remaining key SID_Classes which I cannot delete.


    This is not so clear. In HKCU\software\classes one would normally
    find CLSID (Class IDs) not Security IDs as data. Are you refering
    to HKU entries for accounts as listed by their SIDs? This seem the
    most likely.

    > I have checked all of the permissions and taken ownership of the
    > objects in attempt to delete them but still no luck. I guess
    > there is something accessing the key which is preventing me from
    > deleting.


    This sounds more and more like a locked registry key(s) in any
    given user account's "classes" hive. Something that may be
    addressable using the User Profile Hive Cleanup Service from
    Microsoft. AKA "UPHClean". Search at MS
    "cannot unload hive", "uphclean", and others. Here are two by URL
    http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en
    http://support.microsoft.com/default.aspx?scid=kb;en-us;885958

    Assuming I have correctly assesed your problem of course.

    > Is anyone aware of a way to determine what is accessing this
    > key?


    UPHClean will also allow you to see what the problem process is while
    forcing handles closed and permitting the unload operation to complete.

    >
    > I have tried regmon and filemon from sysinternals but they dont
    > show anything to be accessing these keys.
    >
    > Failing this is there a way I can forceable remove these keys
    > without restarting the server. Until I can find what is
    > preventing these keys from unloading at logoff, it would be very
    > handy as a short term fix.


    I have no first-hand experience with UPHClean on Terminal Services
    systems, but it does the trick for ordinary Windows 2000 and up
    systems.
     
    Mark V, Feb 15, 2005
    #6
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dave Patrick

    Re: HKEY_USERS\.Default <versus> %WINDIR%\Documents and Settings\Default User\NTUSER.DAT

    Dave Patrick, Jul 27, 2003, in forum: Microsoft Windows 2000 Registry Archive
    Replies:
    0
    Views:
    598
    Dave Patrick
    Jul 27, 2003
  2. Walter Schulz

    Re: HKEY_USERS\.Default <versus> %WINDIR%\Documents and Settings\Default User\NTUSER.DAT

    Walter Schulz, Jul 27, 2003, in forum: Microsoft Windows 2000 Registry Archive
    Replies:
    2
    Views:
    6,727
    Arian van der Pijl
    Jul 28, 2003
  3. philippe nolin

    export from backup user.dat

    philippe nolin, Aug 5, 2003, in forum: Microsoft Windows 2000 Registry Archive
    Replies:
    2
    Views:
    472
    Dave Patrick
    Aug 5, 2003
  4. Andre Laarakker

    minimizing ntuser.dat

    Andre Laarakker, Dec 3, 2003, in forum: Microsoft Windows 2000 Registry Archive
    Replies:
    2
    Views:
    406
    Buz [MSFT]
    Dec 16, 2003
  5. Matthew

    NTUSER.DAT contents

    Matthew, Mar 1, 2004, in forum: Microsoft Windows 2000 Registry Archive
    Replies:
    4
    Views:
    1,093
    Bill Peele [MS]
    Mar 1, 2004
Loading...

Share This Page