Event ID 1517 & 1524 - Windows not releasing user profiles at logo



I'm on an WinXP Home SP3 machine and having Event ID's 1517 and 1527
everytime a user logs off. We have one admin account and two Limited
accounts and at every logoff from one account to another results in multiple
explorer.exe's showing up in task manager process list. What I've done so

1. Gone to Ctrl Panel, User Accts, Change the way users logon/logoff and
told the system toe completely close down programs when a user logs off.

2. Have and occasional (rarely) End Task on SuperAntispyware but
uninstalling SAS does not resolve the multiple copies of explorer.exe.

3. Have d/L and installed Microsoft's UPHClean (User Profile Hive Cleaner)
which installed without a glitch. That has eliminated the Event ID 1517's
and 1524's and now at logoff, there is just the Event ID1401 indicating it
has done it's job because explorer.exe was preventing unloading that user

4. My system was wiped and the OS was clean installed at a repair shop
recently, and a system file check using SCANNOW done by me afterwards yieled
no problems with system files.

5. Have run Trend Micro Housecall virus scan on-line and no infections
found. Have run TrojanHunter, SAS Pro, A-squared, Avast and MalwareBytes
scans and they all find no infections. I really think the pc is "clean".

6. Have cleared and increasesd the Pagefile to 2560 initial size; 2560 Max
Size, per AUHMA's recommendations.

But the problem of multiple copies of explorer.exe in Task Manager persists,
exactly one per user account that has logged on, despite all lthe above
efforts. As Windows is not freeing up the memory for these users at
logoff, by the time there are 3-4 copies, my memory maxes out, the pc freezes
and I have to shutdown via Task Manager, as the taskbar and start button will
no longer display on desktop.

For more technical details I am providing a link to my discussion on another

I hope someone here can shed some light on possible cause or offer
suggestions. FYI only Comodo FW (with Defense+), AvastHome and SAS Pro are
realtime, besides the UPHCleaner itself.




BINGO!!!! I found my problem. I started looking around at my Defense+ event
log (HIPS feature) in Comodo CIS. I saw that Comodo was terminating
csrss.exe at every boot up. ??????? This is what controls the user side of
the operating system, per Wikipedia article, it's a critical system file and
should NEVER be terminated lest you want a BSOD!! Well, no BSOD's yet, thank
God. But why was Comodo terminating a system file when all Windows files are
sacrosanct by Comodo? Hmmmmmm.............So I sstarted looking around at
all my D+ rules in Comodo settings. and BINGO, I could see my problem.

Apparently, as a security measure on my part, I had set up my explorer.exe
rule in Comodo D+ to be "Protected from Process Termination" (just by by
malware, I thought). But it doing that, I was also apparently not letting
WinXP close it down at logoff cleanly either! The minute I undid that rule,
Comodo stopped terminating csrss.exe at bootup in Comodo, the multiple copies
of explorer.exe I've been experiencing at logoffs lately stopped!!!
YIPPEEE!!!!! I suspect the 1517 & 1527 events will stop now also.

Hope posting back my findings may help someone else running Comodo.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question