Event ID: 1517

[Guest]

Windows saved user MEHRAD-840723C3\Mehrad registry while an application or
service was still using the registry during log off. The memory used by the
user's registry has not been freed. The registry will be unloaded when it is
no longer in use.

This is often caused by services running as a user account, try configuring
the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

More Details:
Catelogy: none
Company name: Microsoft Corporation
Date: 11/17/2005
Event ID: 1517
File name: userenv.dll
File Version: 5.12600.2180
Product Name: Microsoft Windows Operation System
Product Version: 5.12600.2180
Source: userenv
Time: 4:47:55 PM
Type: Warning

 

[Guest]

See resolution!!!
http://support.microsoft.com/default.aspx?scid=kb;en-us;810616

 

[Wesley Vogel]

If you see a lot of Userenv/1517, Userenv/1524 or Userenv/1500 errors in the
Event Viewer, download and install the User Profile Hive Cleanup Service.

This decreased my shutdown time a bunch. Takes any where from 10 to 20
seconds to shutdown.

Download details: User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

UPHClean v1.5e readme.txt
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Guest]

Regarding the link suggested by
dixonion: See resolution!!!
http://support.microsoft.com/default.aspx?scid=kb;en-us;810616

On this link, the resolution is below:
CAUSE
The event occurs if a program or service has the Registry open while Windows
XP is logging off.
RESOLUTION
You do not have to do anything. You can ignore the warning.
STATUS
This behavior is by design.

My comment to MS:
If the registry has not been freed, than shut down is slower.

I would think that the proper resolution would be to change the culprit
program to a local account instead of keeping it in the user account--
stevemalee

 

[Wesley Vogel]

The proper solution is to install UPHClean.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Guest]

I do have UPHClean installed.

UPHClean tells me that the registry has not been freed and will be unloaded
when it is no longer in use as below in the Dixonian message.

My contention is that MS should not say that this is by design, but give us
a method to find which registry has not been freed so we can contact the
program vendor for a solution.

Is there a way where we can find out what is meant below? - to which
programs the svchost and HKCU numbers belong?
svchost.exe (804)
HKCU (0x1fx0)

 

[Wesley Vogel]

UPHClean v1.5e readme.txt
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/default.aspx?scid=kb;[LN];221833

Download details: User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Guest]

UPHClean is installed. Somehow I cannot understand how it works.

When I edited the registry to "1" I thought there would be a place other
than the event manager where an explanation would be written to explain in
more detail than the event manager what the error was and explain some of the
error message.

For example, the following is the explanation from UPHClean in the event
manager: Source: UPHClean, Event ID 1501 -- " The following handles in user
profile hive computer name\user name
(S-1-5-21-1202660629-706699826-854245398-1004) have been closed because they
were preventing the profile from unloading successfully:
svchost.exe (788)
HKCU (0x15c)"

I was under the impression that the explanation from UPHClean ( talked about
in the readme.txt ) would explain what handles in svchost.exe and HKCU were
causing the problem.



--
stevemalee

UPHClean v1.5e readme.txt
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/default.aspx?scid=kb;[LN];221833

Download details: User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Wesley Vogel]

When I edited the registry to "1" I thought ...
You mean this key?
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY

Change it back to 0. You are defeating the purpose, with that key set to 1,
all UPHClean does is report. [[By default UPHClean takes action to allow
profiles to unload.]]

[[You can also have UPHClean log the call stack that is responsible for the
profile hive handle. This is necessary to find out what software is
responsible for the hive handle in processes used for many purposes (e.g.
svchost.exe, dllhost.exe, winmgmt.exe). To enable call stack logging use
the registry editor to set:

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to
1.

Logging the call stack is computationally and memory intensive. You should
use this option to collect information and then turn it off. To get more
accurate call stack logging it may be necessary to get symbols installed on
the computer. You can read about getting symbols at:

http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx ]]

There are some logging options in this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPHClean\Diagnostics
CLOSEHANDLE_LOG
HANDLELIST_LOG
HIVE_STATUS_LOG
HIVE_TOUNLOAD_LOG
INIT_LOG

I haven't seen any documentation on any of those. I can only guess.

Basically, either UPHClean works or it doesn't. I really do not care what
process has any handles open as long as UPHClean closes them. When I bother
to check the Event Viewer, lsass.exe is usually the culprit.

UPHClean works great for me, shutdown takes any where from 10 to 20 seconds
since installing UPHClean.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

UPHClean is installed. Somehow I cannot understand how it works.

When I edited the registry to "1" I thought there would be a place other
than the event manager where an explanation would be written to explain in
more detail than the event manager what the error was and explain some of
the error message.

For example, the following is the explanation from UPHClean in the event
manager: Source: UPHClean, Event ID 1501 -- " The following handles in
user profile hive computer name\user name
(S-1-5-21-1202660629-706699826-854245398-1004) have been closed because
they were preventing the profile from unloading successfully:
svchost.exe (788)
HKCU (0x15c)"

I was under the impression that the explanation from UPHClean ( talked
about in the readme.txt ) would explain what handles in svchost.exe and
HKCU were causing the problem.



--
stevemalee

UPHClean v1.5e readme.txt
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/default.aspx?scid=kb;[LN];221833

Download details: User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

I do have UPHClean installed.

UPHClean tells me that the registry has not been freed and will be
unloaded when it is no longer in use as below in the Dixonian message.

My contention is that MS should not say that this is by design, but give
us a method to find which registry has not been freed so we can contact
the program vendor for a solution.

Is there a way where we can find out what is meant below? - to which
programs the svchost and HKCU numbers belong?
svchost.exe (804)
HKCU (0x1fx0)

--
stevemalee


:

The proper solution is to install UPHClean.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In stevemalee <[email protected]> hunted and pecked:
Regarding the link suggested by
dixonion: See resolution!!!
http://support.microsoft.com/default.aspx?scid=kb;en-us;810616

On this link, the resolution is below:
CAUSE
The event occurs if a program or service has the Registry open while
Windows XP is logging off.
RESOLUTION
You do not have to do anything. You can ignore the warning.
STATUS
This behavior is by design.

My comment to MS:
If the registry has not been freed, than shut down is slower.

I would think that the proper resolution would be to change the
culprit program to a local account instead of keeping it in the user
account-- stevemalee


:

If you see a lot of Userenv/1517, Userenv/1524 or Userenv/1500 errors
in the Event Viewer, download and install the User Profile Hive
Cleanup Service.

This decreased my shutdown time a bunch. Takes any where from 10 to
20 seconds to shutdown.

Download details: User Profile Hive Cleanup Service

http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

UPHClean v1.5e readme.txt

http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In Yasmin <[email protected]> hunted and pecked:
Windows saved user MEHRAD-840723C3\Mehrad registry while an
application or service was still using the registry during log off.
The memory used by the user's registry has not been freed. The
registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try
configuring the services to run in either the LocalService or
NetworkService account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

More Details:
Catelogy: none
Company name: Microsoft Corporation
Date: 11/17/2005
Event ID: 1517
File name: userenv.dll
File Version: 5.12600.2180
Product Name: Microsoft Windows Operation System
Product Version: 5.12600.2180
Source: userenv
Time: 4:47:55 PM
Type: Warning

 

[Guest]

Thanks Wesley for sorting out the explanations re: UPHClean. I did change
the key back to 1 and did set the call stack to list the logging information.
Below is the list of handles:

svchost.exe (812)
HKCU (0x158)
0x77e3b4b7 ADVAPI32!<no symbol>
0x77e072b1 ADVAPI32!IsTextUnicode+0x9cb4
0x77dd6b20 ADVAPI32!RegOpenKeyExW+0xa8
0x77dd773e ADVAPI32!RegOpenKeyW+0x2f
0x77ddb2dc ADVAPI32!SaferComputeTokenFromLevel+0x587
0x77ddb296 ADVAPI32!SaferComputeTokenFromLevel+0x541
0x77dd9e9e ADVAPI32!IdentifyCodeAuthzLevelW+0xd9
0x7c819653 kernel32!BasepCheckWinSaferRestrictions+0x17e
0x7c818d2c kernel32!GetNlsSectionName+0x10cb
0x77df7838 ADVAPI32!CreateProcessAsUserW+0xc3
0x76a93acd rpcss!<no symbol>
0x76a93849 rpcss!<no symbol>
0x77e79dc9 RPCRT4!CheckVerificationTrailer+0x75
0x77ef321a RPCRT4!NdrStubCall2+0x215
0x77ef36ee RPCRT4!NdrServerCall2+0x19
0x77e7988c RPCRT4!NdrGetTypeFlags+0x1c9
0x77e797f1 RPCRT4!NdrGetTypeFlags+0x12e
0x77e7971d RPCRT4!NdrGetTypeFlags+0x5a
0x77e7bd0d RPCRT4!NdrConformantArrayFree+0x42e
0x77e7bb6a RPCRT4!NdrConformantArrayFree+0x28b
0x77e76784 RPCRT4!I_RpcBCacheFree+0x14c
0x77e76c22 RPCRT4!I_RpcBCacheFree+0x5ea
0x77e76a3b RPCRT4!I_RpcBCacheFree+0x403
0x77e76c0a RPCRT4!I_RpcBCacheFree+0x5d2
0x7c80b50b kernel32!GetModuleFileNameA+0x1b4

I googled for ADVAP and could not find the answer. The RPCRT has to do with
remote call manager apparently.

How do I fix these programs so they release more quickly. Thanks a lot for
your help.

--
stevemalee

When I edited the registry to "1" I thought ...

You mean this key?
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY

Change it back to 0. You are defeating the purpose, with that key set to 1,
all UPHClean does is report. [[By default UPHClean takes action to allow
profiles to unload.]]

[[You can also have UPHClean log the call stack that is responsible for the
profile hive handle. This is necessary to find out what software is
responsible for the hive handle in processes used for many purposes (e.g.
svchost.exe, dllhost.exe, winmgmt.exe). To enable call stack logging use
the registry editor to set:

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG to
1.

Logging the call stack is computationally and memory intensive. You should
use this option to collect information and then turn it off. To get more
accurate call stack logging it may be necessary to get symbols installed on
the computer. You can read about getting symbols at:

http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx ]]

There are some logging options in this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPHClean\Diagnostics
CLOSEHANDLE_LOG
HANDLELIST_LOG
HIVE_STATUS_LOG
HIVE_TOUNLOAD_LOG
INIT_LOG

I haven't seen any documentation on any of those. I can only guess.

Basically, either UPHClean works or it doesn't. I really do not care what
process has any handles open as long as UPHClean closes them. When I bother
to check the Event Viewer, lsass.exe is usually the culprit.

UPHClean works great for me, shutdown takes any where from 10 to 20 seconds
since installing UPHClean.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

UPHClean is installed. Somehow I cannot understand how it works.

When I edited the registry to "1" I thought there would be a place other
than the event manager where an explanation would be written to explain in
more detail than the event manager what the error was and explain some of
the error message.

For example, the following is the explanation from UPHClean in the event
manager: Source: UPHClean, Event ID 1501 -- " The following handles in
user profile hive computer name\user name
(S-1-5-21-1202660629-706699826-854245398-1004) have been closed because
they were preventing the profile from unloading successfully:
svchost.exe (788)
HKCU (0x15c)"

I was under the impression that the explanation from UPHClean ( talked
about in the readme.txt ) would explain what handles in svchost.exe and
HKCU were causing the problem.



--
stevemalee

UPHClean v1.5e readme.txt
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115

How to enable user environment debug logging in retail builds of Windows
http://support.microsoft.com/default.aspx?scid=kb;[LN];221833

Download details: User Profile Hive Cleanup Service
http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In stevemalee <[email protected]> hunted and pecked:
I do have UPHClean installed.

UPHClean tells me that the registry has not been freed and will be
unloaded when it is no longer in use as below in the Dixonian message.

My contention is that MS should not say that this is by design, but give
us a method to find which registry has not been freed so we can contact
the program vendor for a solution.

Is there a way where we can find out what is meant below? - to which
programs the svchost and HKCU numbers belong?
svchost.exe (804)
HKCU (0x1fx0)

--
stevemalee


:

The proper solution is to install UPHClean.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In stevemalee <[email protected]> hunted and pecked:
Regarding the link suggested by
dixonion: See resolution!!!
http://support.microsoft.com/default.aspx?scid=kb;en-us;810616

On this link, the resolution is below:
CAUSE
The event occurs if a program or service has the Registry open while
Windows XP is logging off.
RESOLUTION
You do not have to do anything. You can ignore the warning.
STATUS
This behavior is by design.

My comment to MS:
If the registry has not been freed, than shut down is slower.

I would think that the proper resolution would be to change the
culprit program to a local account instead of keeping it in the user
account-- stevemalee


:

If you see a lot of Userenv/1517, Userenv/1524 or Userenv/1500 errors
in the Event Viewer, download and install the User Profile Hive
Cleanup Service.

This decreased my shutdown time a bunch. Takes any where from 10 to
20 seconds to shutdown.

Download details: User Profile Hive Cleanup Service


http://www.microsoft.com/downloads/...6d-8912-4e18-b570-42470e2f3582&displaylang=en

UPHClean v1.5e readme.txt


http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Troubleshooting profile unload issues
http://support.microsoft.com/default.aspx?scid=kb;en-us;837115


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In Yasmin <[email protected]> hunted and pecked:
Windows saved user MEHRAD-840723C3\Mehrad registry while an
application or service was still using the registry during log off.
The memory used by the user's registry has not been freed. The
registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try
configuring the services to run in either the LocalService or
NetworkService account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

More Details:
Catelogy: none
Company name: Microsoft Corporation
Date: 11/17/2005
Event ID: 1517
File name: userenv.dll
File Version: 5.12600.2180
Product Name: Microsoft Windows Operation System
Product Version: 5.12600.2180
Source: userenv
Time: 4:47:55 PM
Type: Warning