UPHClean

JD

I've installed the UPHClean program and no longer get the "Userenv" event on
shutdown, though, interestingly, the shutdown time does not seem to have
been shortened.
What I'd like to know is how to learn what program or application was
responsible for the event in the first place. Is this recorded in a "log"
somewhere?
 
Look for Event ID: 1201 Event Source: UPHClean in the Event Viewer.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Hi Wes,
No 1201, but here's what I do find, and I wonder if this can "identify" the
culprit:

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1401
Description: The following handles in user profile hive GATEWAY\Owner
(S-1-5-21-1844237615-1801674531-725345543-1003) have been remapped because
they were preventing the profile from unloading successfully:
svchost.exe (1696)
HKCU (0x164)
 
Apparently you are using handle remapping.

8) If you use handle remapping instead of getting event id 1201 logged you
will get event 1401:

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1401

Which processes UPHClean performs handle remapping on can be specified using
the following registry value:

HKLM\System\CurrentControlSet\Services\UPHClean\
Parameters\REMAP_HANDLE_PROCESS_LIST

The list by default contains '*' which specifies that handle remapping
should be performed for all non-excluded processes. This list can be changed
to only include specified processes in the same manner as the process
exclusion list. Processes specified on this list can be preceded by a '-'
character to specify that they should be excluded from handle remapping. Any
handle for a process that is not excluded but has handle remapping turned
off will be closed.

from...

UPHClean v1.6d readme.txt
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

You must have a different version of uphclean than I have. I have v1.5e
according to my Readme. The Readme that came with my version does not list
Event ID: 1401 or mention handle remapping.

Read through your Readme, either online at the link above or...

Paste the following line into Start | Run and click OK...

%ProgramFiles%\UPHClean\readme.txt

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Apparently "handle remapping" is the default with version 1.6.30.0.
The following, from the Readme, may explain how to discover what program is
causing the Userenv "event":

By default UPHClean takes action to allow profiles to unload. You can choose
to have UPHClean only report what processes it finds preventing profiles
from unloading. To do this, install UPHClean and use the registry editor to
set: HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY
to 1.

You can also have UPHClean log the call stack that is responsible for the
profile hive handle. This is necessary to find out what software is
responsible for the hive handle in processes used for many purposes (e.g.
svchost.exe, dllhost.exe, winmgmt.exe). To enable call stack logging use the
registry editor to set:

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\CALLSTACK_LOG
to 1.

Logging the call stack is computationally and memory intensive. You should
use this option to collect information and then turn it off. To get more
accurate call stack logging it may be necessary to get symbols installed on
the computer. You can read about getting symbols at:
http://www.microsoft.com/whdc/ddk/debugging/symbols.mspx



Do I understand correctly that if I follow these instructions I can learn
what program or process is causing the "event"?

Is that not the way your version works? If it doesn't do "handle remapping,"
what does it do? How do YOU learn what program is the culprit?

Also, is it significant that I definitely do not notice any improvement in
the shutdown time?
 
I did the registry changes as indicated, then rebooted. But I am at a loss
as to where to find the "log" that I assume should have been created. It is
not in the UPHClean folder in Windows/Programs.
How, exactly, does this "service" identify what programs, services, or
applications are causing the Userenv "event"?
 
Is that not the way your version works? If it doesn't do "handle
remapping," what does it do? How do YOU learn what program is the culprit?

My version closes the handles on the offending process. I.e. lsass.exe is
the culprit that I always see in my Event ID: 1201s. At least the ones that
I've bothered to read. ;-)

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1201
Date: 7/30/2005
Time: 10:41:39 PM
User: MYPENTIUM450\Wesley P. Vogel
Computer: MYPENTIUM450
Description:
The following handles in user profile hive MYPENTIUM450\Wesley P. Vogel
(S-1-5-21-1708537768-15xxxx6667-1202660629-1003) have been closed because
they were preventing the profile from unloading successfully:

lsass.exe (436) HKCU (0x3f8)
------

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1201
Date: 10/22/2005
Time: 3:44:07 PM
User: MYPENTIUM450\Wesley P. Vogel
Computer: MYPENTIUM450
Description:
The following handles in user profile hive MYPENTIUM450\Wesley P. Vogel
(S-1-5-21-1708537768-15xxxx667-1202660629-1003) have been closed because
they were preventing the profile from unloading successfully:

lsass.exe (440) HKCU (0x3c4)
------

For HKCU (0x3f8) & HKCU (0x3c4) HKCU is the HKEY_CURRENT_USER registry hive.
(0x3f8) & (0x3c4) must be the memory locations, just a guess.

I assume that for lsass.exe (436) & lsass.exe (440), (436) & (440) were the
PID #s for lsass.exe on those dates.

PID is Process ID or process identifier. These numbers change every time
you reboot. I think that they are just an arbitrarily assigned number.
Each process has a different number while running. A process can also have
a different PID if opened and closed, etc.
------

If
HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REPORT_ONLY
is set to 1, UPHClean will NOT take action to allow profiles to unload. All
it does is make a log somewhere.

Make sure that it is set 0 (zero).

I do not know its name or location, but I would guess that it'd be in C:\ or
C:\WINDOWS, or look at C:\WINDOWS\Debug\UserMode\userenv.log. userenv.log
also seems to list Profile or registry hive load, unload, or deletion
failures. I think that you can only get userenv.log with Windows XP
Professional because it also reports on Group Policy.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

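As an added example (not code from the thread or from UPHClean itself), a small Python parser for the Event ID 1201/1401 descriptions quoted in this post and earlier in the thread, so the offending image name can be pulled out and tallied across several events instead of read by eye. The SID in the first sample is constructed; the second sample is the 1401 entry JD quoted above.

```python
import re

# Constructed 1201 sample modelled on the entries quoted above (SID made up).
SAMPLE_1201 = """The following handles in user profile hive MYPENTIUM450\\Wesley P. Vogel
(S-1-5-21-1708537768-1500006667-1202660629-1003) have been closed because
they were preventing the profile from unloading successfully:

lsass.exe (436) HKCU (0x3f8)
svchost.exe (1696) HKCU (0x164)
"""

# The 1401 entry quoted earlier in the thread; note the handle line is wrapped.
SAMPLE_1401 = """The following handles in user profile hive GATEWAY\\Owner
(S-1-5-21-1844237615-1801674531-725345543-1003) have been remapped because
they were preventing the profile from unloading successfully:
svchost.exe (1696)
HKCU (0x164)
"""

HEADER_RE = re.compile(
    r"user profile hive (?P<account>.+?)\s*\((?P<sid>S-1-5-[\d-]+)\) have been "
    r"(?P<action>closed|remapped)", re.S)
# Image name, PID, registry key and handle value; \s+ tolerates line wrapping.
HANDLE_RE = re.compile(
    r"^(?P<proc>\S+\.exe) \((?P<pid>\d+)\)\s+(?P<key>\S+) \((?P<handle>0x[0-9a-fA-F]+)\)",
    re.M)


def parse_uphclean_event(text):
    """Return account, SID, inferred event id and the handle list."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("not a UPHClean 1201/1401 description")
    # 'closed' is what 1201 reports, 'remapped' is what 1401 reports.
    event_id = 1201 if m.group("action") == "closed" else 1401
    handles = [{"process": h.group("proc"), "pid": int(h.group("pid")),
                "key": h.group("key"), "handle": int(h.group("handle"), 16)}
               for h in HANDLE_RE.finditer(text)]
    return {"account": m.group("account").strip(), "sid": m.group("sid"),
            "event_id": event_id, "handles": handles}


def culprit_counts(events):
    """Tally image names across events; PIDs change every boot, so the
    name, not the PID, is what identifies the recurring culprit."""
    counts = {}
    for ev in events:
        for h in ev["handles"]:
            counts[h["process"]] = counts.get(h["process"], 0) + 1
    return counts


if __name__ == "__main__":
    events = [parse_uphclean_event(SAMPLE_1201), parse_uphclean_event(SAMPLE_1401)]
    print(culprit_counts(events))
```

Feed it the Description text copied from Event Viewer for each UPHClean entry; the tally shows which image keeps holding the HKCU handle at logoff.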
 
Does lsass.exe (436) HKCU (0x3f8) give you a clue as to what program is
causing the problem that UPHClean is "fixing"?
C:\WINDOWS\Debug\UserMode\userenv.log userenv.log is an empty folder.
Perhaps you're correct that I can only get such a log from XP Pro, the
UPHClean directions to the contrary notwithstanding.
I appreciate your attempts to help.
 
Lsass.exe is the process or program that causes my problem. I do not
understand half of it, a lot relates to networks and servers. I'm sure that
there are a half a dozen .dll files involved as well.

Lsass.exe is LSA Shell (Export Version). LSA = Local Security Authority.

It is also called the Local Security Administration Subsystem Service.
Lsass.exe seems to have a lot of names.

Lsass.exe starts pretty early in the Windows boot process.

Lsass.exe runs all of the time and is one of the few processes that cannot
be ended with Task Manager.

Lsass.exe is a system process of the Microsoft Windows security mechanisms.
It specifically deals with local security and login policies.

Lsass.exe is the local security authentication server, and it generates the
process responsible for authenticating users for the Winlogon service. This
process is performed by using authentication packages such as the default
Msgina.dll. If authentication is successful, Lsass generates the user's
access token, which is used to launch the initial shell. Other processes
that the user initiates inherit this token.

Lsass.exe is responsible for many services: Net Logon (netlogon), NT LM
Security Support Provider (NtLmSsp), IPSEC Services (PolicyAgent), Protected
Storage (ProtectedStorage) and Security Accounts Manager (SamSs).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Npfs\Aliases
Value Name: lsass
Data Type: REG_MULTI_SZ
Value Data: protected_storage;netlogon;lsarpc;samr

The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is
an integral subsystem that is used to perform remote Service Account Manager
operations, such as user account management and manipulation. The SAMR
interface defines the remote Security Account Manager (SAM) methods that are
called by the client.

Netlogon – Net Logon service
Lsarpc – LSA access
Samr – SAM access

When Windows boots, the MBR(Master Boot Record) reads the boot sector which
is the first sector of the active partition. This sector contains the code
that starts Ntldr which is the boot strap loader for Windows XP. Ntldr runs
Ntdetect.com to get information about installed hardware. Ntldr, then,
loads the two files that make up the core of XP: Ntoskrnl.exe and Hal.dll.
Ntoskrnl.exe starts Winlogon.exe which starts Lsass.exe (Local Security
Administration), this is the program that displays the Welcome screen and
allows a user to log on with their credentials (user name and password).

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
You've outdone yourself Wes. Your work is greatly appreciated.
I take it that you are not particularly concerned to learn what program is
causing the Userenv "event."
I suspect the AV program. It seems to make sense that it is always on. I
also wonder about the cable Internet connection. It isn't a serious problem,
however.
I used to boast about my fast shut-down times, even with the Userenv event.
Since installing and subsequently uninstalling IE7, the shutdown process is
much longer. After "Windows is shutting down," there are long seconds in
which nothing seems to be happening. No "clicking" or other signs of
activity. This even with the UPHClean running. Coincidence?
BTW, my boot time is 25 seconds. Shutdown runs between 30 seconds and one
minute. Does that sound "normal"?
 
I take it that you are not particularly concerned to learn what program is
causing the Userenv "event."

I already know what program, lsass.exe is the program.

These are usually the only programs running when I shut down:
avgamsvr.exe, avgcc.exe, csrss.exe, devldr32.exe, explorer.exe, lsass.exe,
services.exe, smss.exe, spoolsv.exe,svchost.exe, svchost.exe, uphclean.exe,
vsmon.exe, winlogon.exe and zonealarm.exe.

SWAG: IE7 is probably your problem. I see nothing but problems with it.
The fact that you uninstalled it does not mean that it hasn't left problems
behind.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
I always assumed that the program that was causing the Userenv event was an
after-market application. I see now that it is one of the Windows normal
functions.
The first thing I noticed with IE7 was that my HP scanner program would not
work. The techs at HP suggested that I roll back to IE6 until they can come
up with a patch.
From the IE newsgroup, I see lots of people reporting all kinds of problems
with version 7. I think I'll wait a while longer before trying it again.
Meanwhile, as to how to identify and fix problems that IE7 has "left
behind"? I guess if it's no more than a slower shutdown I can just live with
it.
BTW, I'm not familiar with SWAG. What does that mean?
 
<lots snipped>

Wesley Vogel wrote:
SWAG: IE7 is probably your problem. I see nothing but problems
with it. The fact that you uninstalled it does not mean that it
hasn't left problems behind.

JD wrote:
BTW, I'm not familiar with SWAG. What does that mean?

http://www.acronymfinder.com/af-query.asp?String=exact&Acronym=swag

and/or

http://www.acronymattic.com/results.aspx?q=SWAG

I'll let you guess at which ones might apply...
(Hint: It's probably *not* Star Wars Artists Guild... *grin*)
 
Meanwhile, as to how to identify and fix problems that IE7 has
"left behind"? I guess if it's no more than a slower shutdown I can just
live with it.

I have no idea. I never tried IE7. I did, however, try SP2 and the
uninstall left some problems, but I got most of those fixed. Been so long
ago, I don't even remember what they were.
BTW, I'm not familiar with SWAG. What does that mean?

It's a technical term: Silly Wild A** Guess. :-)

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 