Bill Woods
I run WinXP Pro + SP1 plus all other patches except SP2. (Don't want
SP2 yet because I have programs which are on the warning list:
http://support.microsoft.com/kb/842242)
When I shut down XP I get very long delays of two minutes duration at
the "Saving Your Settings" screen. In the apps event log it says it
is event ID 1517 and adds:
"Windows saved user COMP\John registry while an
application or service was still using the registry
during log off. The memory used by the user's
registry has not been freed. The registry will be
unloaded when it is no longer in use."
(1) I have run Microsoft's UPHClean as it seems to be recommended by
Microsoft for a 1517 problem on XP (see http://snipurl.com/5b61).
Unfortunately UPHClean did not solve the shutdown delay.
However UPHClean did identify LSASS as connected to the problem:
"The following handles in user profile hive COMP\John
(S-1-5-21-861567501-920026266-1957994488-1003) have
been closed because they were preventing the profile
from unloading successfully.
lsass.exe (572) HKCU (0x394)"
(2) To make sure I was ok, I double checked to see if I had got the
"Sasser" virus. I am ok.
I notice that lsass.exe seems quite central to XP and has a lot of
system things related to it. But I can't see what I can do with
lsass.exe to improve the delay.
(3) The main problem sounds to me rather much like the problem
described for Win2000 in Microsoft's bulletin called "Unexpected
Delay When You Log Off". I guess it might just apply to WinXP too.
http://support.microsoft.com/default.aspx?scid=kb;en-us;814770
----
Interestingly, when I remove my Sygate firewall then the delay goes
away. I have uninstalled Sygate, done a thorough manual cleanup of
the folders & registry as explained on the Sygate forums and
reinstalled Sygate but the same problem returns.
If it is relevant I also notice that Taskmanager shows Sygate has a
high value for "IO Other" and this is even higher than for Explorer
or any other Taskmanager entry. It shows over 1,000,000 after less
than 2 hours from bootup with 25 minutes of web surfing at 300 KBps
while the value for Explorer is only 117,000.
Using Regmon from SysInternals I see that when there is no Net
traffic Sygate polls the same set of 120 or so registry keys every
two seconds. (See end of this posting for a list of these keys.)
-----
Should I remove Q329170? If so then my Add/Remove Programs does not
contain an entry for Q329170. Nor is there a (hidden) file in
C:\WINDOWS with 329170 in its name to do the uninstallation.
What should I do to get around this shutdown delay?
Thanks for any help.
Bill
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++ keys polled by Sygate every 2 seconds +++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall
\Shared
HKLM\SOFTWARE\CheckPoint\FW1
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\System\DNSClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\System\DNSClient
HKLM\SOFTWARE\Gateway.net\Gateway.net\CurrentVersion
HKLM\Software\America Online\America Online\CurrentVersion
HKLM\Software\America Online\AOL\CurrentVersion
HKLM\Software\America Online\America Online\4.0
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\System\DNSClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\System\DNSClient
HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall
HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall
\EnableDebug802.1x
HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall
HKLM\SOFTWARE\Cisco Systems\VPN Client
HKLM\SOFTWARE\CheckPoint\FW1
HKLM\SOFTWARE\Aventail\Connect\System\Parameters
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\System\DNSClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\Windows NT\DnsClient
HKLM\Software\Policies\Microsoft\System\DNSClient
HKCU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
HKCU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders\AppData
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
\ProfilesDirectory
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
\AllUsersProfile
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\ComSpec
HKLM\System\CurrentControlSet\Control\Session
Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\NUMBER_OF_PROCESSORS
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\OS
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\Path
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PATHEXT
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_ARCHITECTURE
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_IDENTIFIER
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_LEVEL
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_REVISION
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\TEMP
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\TMP
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\windir
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\ComSpec
HKLM\System\CurrentControlSet\Control\Session
Manager\Environment\DEVMGR_SHOW_NONPRESENT_DEVICES
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\NUMBER_OF_PROCESSORS
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\OS
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\Path
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PATHEXT
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_ARCHITECTURE
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_IDENTIFIER
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_LEVEL
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\PROCESSOR_REVISION
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\TEMP
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\TMP
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
\windir
HKLM\System\CurrentControlSet\Control\Session Manager\Environment
HKLM\System\CurrentControlSet\Control\ComputerName
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName
HKLM\System\CurrentControlSet\Control\ComputerName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
\ProfilesDirectory
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
\DefaultUserProfile
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows\CurrentVersion
HKLM\Software\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKLM\Software\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKLM\Software\Microsoft\Windows\CurrentVersion
HKCU
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-21-861567501-920026266-
1957994488-1003
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-21-861567501-920026266-
1957994488-1003\ProfileImagePath
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\ProfileList\S-1-5-21-861567501-920026266-
1957994488-1003
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
\ParseAutoexec
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Environment
HKCU\Environment\devmgr_show_nonpresent_devices
HKCU\Environment\TEMP
HKCU\Environment\TMP
HKCU\Environment
HKCU\Environment\devmgr_show_nonpresent_devices
HKCU\Environment\TEMP
HKCU\Environment\TMP
HKCU\Environment
HKCU\Environment
HKCU\Volatile Environment
HKCU\Volatile Environment\CLIENTNAME
HKCU\Volatile Environment\SESSIONNAME
HKCU\Volatile Environment\APPDATA
HKCU\Volatile Environment
HKCU\Volatile Environment\CLIENTNAME
HKCU\Volatile Environment\SESSIONNAME
HKCU\Volatile Environment\APPDATA
HKCU\Volatile Environment
HKCU\Volatile Environment
HKCU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders
HKCU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\AppData
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Sygate Technologies, Inc.\Sygate Personal Firewall
\Shared
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ ENDS ++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++