Usrclass.dat Issue


Steven Hutchinson

Can anyone explain what the file usrclass.dat is involved with?

We are currently having random problems with users logging on to a terminal
server where the event viewer will report the following:

Source: Userenv
Event ID: 1000
Type: Error

Description:

RegLoadKey failed. Return value Access is denied. for C:\Documents and
Settings\Username\Local Settings\Application
Data\Microsoft\Windows\\UsrClass.dat

After running File Monitor and Registry Monitor from sysinternals I have
found that winlogon.exe attempts to query this file which is not found with
the problem profile and subsequently generates an Access Denied error from
registry monitor.

The only way I can seem to resolve this is by restarting the server which is
a bit inconvenient for the other 40 users on the server.. which seems to
indicate the profile is fine?

Any help would be greatly appreciated by me and our users.
 
By the way... delete unused profiles. usrclass.dat stores profile
information. Profiles are pretty large. Profiles are dynamic, they
grow with the user.

John
 
Steven Hutchinson said:
> Can anyone explain what the file usrclass.dat is involved with?

It is one of two User registry hive files and stores per-user CLASS
information. This can be quite useful in a TS environment. It is
represented at
HKEY_CURRENT_USER\Software\Classes

> We are currently having random problems with users logging on to
> a terminal server where the event viewer will report the
> following:
>
> Source: Userenv
> Event ID: 1000 [ ]
> RegLoadKey failed. Return value Access is denied. for
> C:\Documents and Settings\Username\Local Settings\Application
> Data\Microsoft\Windows\\UsrClass.dat

Aside from the double backslash (presumed typo), Access Denied
usually implies a permissions issue, possibly in the file's ACLs
or in the registry hive file's internal registry ACLs. Both should
be investigated.

[ ]
> The only way I can seem to resolve this is by restarting the
> server which is a bit inconvenient for the other 40 users on the
> server.. which seems to indicate the profile is fine?

Are you saying this is specific to a single account? If so,
replacing or rebuilding the profile for that one account seems to make
the most sense to me as I currently understand the situation.
 
Thanks for your responses. With your help I have tracked this problem down
to what I think is a locked registry key.

In HCU\Software\Classes, there is a list of SIDs and their associated
classes key. The accounts that are having this problem have a remaining key
SID_Classes which I cannot delete.

I have checked all of the permissions and taken ownership of the objects in
an attempt to delete them but still no luck. I guess there is something
accessing the key which is preventing me from deleting.

Is anyone aware of a way to determine what is accessing this key?

I have tried regmon and filemon from sysinternals but they don't show
anything to be accessing these keys.

Failing this, is there a way I can forcibly remove these keys without
restarting the server? Until I can find what is preventing these keys from
unloading at logoff, it would be very handy as a short term fix.

Any suggestions greatly appreciated..


Mark V said:
> Steven Hutchinson said:
>> Can anyone explain what the file usrclass.dat is involved with?
>
> It is one of two User registry hive files and stores per-user CLASS
> information. This can be quite useful in a TS environment. It is
> represented at
> HKEY_CURRENT_USER\Software\Classes
>
>> We are currently having random problems with users logging on to
>> a terminal server where the event viewer will report the
>> following:
>>
>> Source: Userenv
>> Event ID: 1000 [ ]
>> RegLoadKey failed. Return value Access is denied. for
>> C:\Documents and Settings\Username\Local Settings\Application
>> Data\Microsoft\Windows\\UsrClass.dat
>
> Aside from the double backslash (presumed typo), Access Denied
> usually implies a permissions issue, possibly in the file's ACLs
> or in the registry hive file's internal registry ACLs. Both should
> be investigated.
>
> [ ]
>> The only way I can seem to resolve this is by restarting the
>> server which is a bit inconvenient for the other 40 users on the
>> server.. which seems to indicate the profile is fine?
>
> Are you saying this is specific to a single account? If so,
> replacing or rebuilding the profile for that one account seems to make
> the most sense to me as I currently understand the situation.
 
Steven Hutchinson said:
> Thanks for your responses. With your help I have tracked this
> problem down to what I think is a locked registry key.
>
> In HCU\Software\Classes, there is a list of SIDs and their
> associated classes key. The accounts that are having this
> problem have a remaining key SID_Classes which I cannot delete.

This is not so clear. In HKCU\software\classes one would normally
find CLSID (Class IDs) not Security IDs as data. Are you referring
to HKU entries for accounts as listed by their SIDs? This seems the
most likely.

> I have checked all of the permissions and taken ownership of the
> objects in an attempt to delete them but still no luck. I guess
> there is something accessing the key which is preventing me from
> deleting.

This sounds more and more like a locked registry key(s) in any
given user account's "classes" hive. Something that may be
addressable using the User Profile Hive Cleanup Service from
Microsoft. AKA "UPHClean". Search at MS
"cannot unload hive", "uphclean", and others. Here are two by URL:
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en
http://support.microsoft.com/default.aspx?scid=kb;en-us;885958

Assuming I have correctly assessed your problem of course.

> Is anyone aware of a way to determine what is accessing this
> key?

UPHClean will also allow you to see what the problem process is while
forcing handles closed and permitting the unload operation to complete.

> I have tried regmon and filemon from sysinternals but they don't
> show anything to be accessing these keys.
>
> Failing this, is there a way I can forcibly remove these keys
> without restarting the server? Until I can find what is
> preventing these keys from unloading at logoff, it would be very
> handy as a short term fix.

I have no first-hand experience with UPHClean on Terminal Services
systems, but it does the trick for ordinary Windows 2000 and up
systems.
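
The check discussed in the posts above, as an added example that is not part of any poster's message: a PowerShell function that lists the `<SID>_Classes` hives still loaded under HKEY_USERS, looks up the backing UsrClass.dat file in the `hivelist` key, and marks the ones whose main `<SID>` hive is no longer loaded. The function name, the sample SIDs and the sample path are constructed for illustration, and treating "class hive loaded, main hive gone" as the leftover condition is an assumption based on the symptom described in the thread.

```powershell
# Added example: list per-user class hives (<SID>_Classes) loaded under
# HKEY_USERS and flag those whose main <SID> hive (NTUSER.DAT) is not loaded.
function Get-LoadedClassHive {
    param(
        # Names of the keys directly under HKEY_USERS (default: live registry).
        [string[]]$UserKeys = (Get-ChildItem 'Registry::HKEY_USERS' |
                               ForEach-Object { $_.PSChildName }),
        # Map of registry path -> backing hive file (default: live hivelist key).
        [hashtable]$HiveList = $null
    )
    if (-not $HiveList) {
        $HiveList = @{}
        $key = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
        foreach ($name in $key.GetValueNames()) { $HiveList[$name] = $key.GetValue($name) }
    }
    foreach ($k in $UserKeys | Where-Object { $_ -like '*_Classes' }) {
        $sid = $k -replace '_Classes$', ''
        [pscustomobject]@{
            Sid            = $sid
            ClassesKey     = "HKEY_USERS\$k"
            HiveFile       = $HiveList["\REGISTRY\USER\$k"]   # $null if not listed
            # Assumption: a class hive without its main hive is a leftover
            # from a logoff that did not unload cleanly.
            MainHiveLoaded = $UserKeys -contains $sid
        }
    }
}

# Constructed sample data (not from the thread): one normal session and one
# class hive that stayed loaded after its user's main hive was unloaded.
$sampleKeys = '.DEFAULT', 'S-1-5-21-1-2-3-1001', 'S-1-5-21-1-2-3-1001_Classes',
              'S-1-5-21-1-2-3-1002_Classes'
$sampleHives = @{
    '\REGISTRY\USER\S-1-5-21-1-2-3-1002_Classes' =
        '\Device\HarddiskVolume1\Documents and Settings\user2\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat'
}
Get-LoadedClassHive -UserKeys $sampleKeys -HiveList $sampleHives |
    Where-Object { -not $_.MainHiveLoaded } | Format-List

# Against the live registry (run elevated on the terminal server):
# Get-LoadedClassHive | Format-Table -AutoSize
```

The output only identifies which hive is still loaded; finding the process that holds the handle is the part the thread leaves to UPHClean.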
 
Hi, can anyone help me with my question?
When I delete the usrclass.dat file from my system, the Start button, search button, and desktop options like the calendar and sound button do not work. But when I restart my system, the usrclass.dat file is automatically restored and everything works as default. So what do I have to do after deleting this file to make the options above work?
 