Windows Defender is Corrupting Profile

Guest

I'm having an issue that I've traced to Windows Defender. Periodically I
noticed my stored network passwords were disappearing. After reviewing the
event logs, I think it's occurring each time I get this message. Any
suggestions (other than turn off WD)?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service"
Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-04-13T00:14:59.000Z" />
<EventRecordID>17096</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Pegasus</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from
\Registry\User\S-1-5-21-885596355-2598441921-1701884729-500_Classes: Process
1180 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key
\REGISTRY\USER\S-1-5-21-885596355-2598441921-1701884729-500_CLASSES</Data>
</EventData>
</Event>
 
Guest

What makes you think this has to do with Windows Defender?

Also, am I reading this log right as saying you are running as the built-in
Administrator?
 
Guest

The instance of svchost.exe (process 1180) at the time the event occurred was
hosting the Windows Defender service. The disappearance of network passwords
seemed to coincide with the times that these entries appeared in the logs. I
assumed Windows Defender was responsible, but it stands to reason this could
also be the result of something affecting both WD and the saved credentials.
I have disabled WD and will test over the next few days to see if the problem
returns. It's intermittent, but usually occurs a couple times a week. I'm not
running under the administrator account, but I do have a nightly backup
service scheduled that is. I'll check the logs to see if there might be any
correlation.
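The two things the thread is trying to pin down are which services the svchost.exe instance named in a 1530 event was hosting, and whose hive leaked (the SID in the first post ends in -500, the RID of the built-in Administrator account). Below is an added PowerShell example, not posted by anyone in this thread, that pulls the User Profile Service 1530 events from the Application log, parses the leaked-handle detail, and resolves the PID to the services Windows currently reports in that process. It assumes the Application log is readable by the current user and that the Detail text follows the wording shown in the first post; because PIDs are reused after a reboot, it only attempts the PID lookup for events newer than the last boot.

```powershell
# Added example (not from the thread): list User Profile Service 1530 hive-leak
# events and resolve the leaking PID to the services hosted in that process.
# Assumption: PIDs are only meaningful while the process is alive, so events
# older than the last boot are reported without a service mapping.

$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1530
} -ErrorAction SilentlyContinue

# Detail text (from the first post) has the shape:
# "... Process 1180 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\<SID>_CLASSES"
$pattern = 'Process (?<pid>\d+) \((?<image>[^)]+)\) has opened key (?<key>\S+)'

foreach ($e in $events) {
    $detail = [string]$e.Properties[0].Value   # Data Name="Detail"
    foreach ($m in [regex]::Matches($detail, $pattern)) {
        $leakPid = [int]$m.Groups['pid'].Value
        $hosted  = $null
        if ($e.TimeCreated -gt $bootTime) {
            # Win32_Service.ProcessId is the PID of the host process, so several
            # services sharing one svchost.exe all match here.
            $hosted = (Get-CimInstance Win32_Service -Filter "ProcessId = $leakPid").Name -join ', '
        }
        # The hive name carries the SID; a trailing -500 RID is the built-in Administrator.
        $sid = ($m.Groups['key'].Value -split '\\')[-1] -replace '_CLASSES$', ''
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Pid      = $leakPid
            Image    = $m.Groups['image'].Value
            HiveSid  = $sid
            IsRid500 = $sid -match '-500$'
            Services = if ($hosted) { $hosted } else { '(process gone or not a service host)' }
        }
    }
}
```

Run it in an elevated PowerShell prompt if the Application log or the service list is restricted on the machine. For a leak logged before the last reboot, the only reliable way to know what process 1180 was is a record captured at the time (for example, the Task Manager or `tasklist /svc` output the poster used), which is why the script refuses to guess for those events.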
 
Guest

OK, that's a reasonable correlation, but still not sure that is really
Defender related.

The thing is that the event specifically talks about a handle leak for the
Administrator account's hive. I don't think that's related to your loss of
network passwords, and I wonder if it is Defender that is leaking it or your
backup program.

If you want to test this disable Defender and see what happens. However, I
run Defender, and so do many others, and we don't see this problem. I'd be
more inclined to look elsewhere if I were you.
 
Guest

Good advice. WD was disabled and it happened again. I've manually invoked my
backup program a few times and have been unable to trigger it that way. I
don't know what's going on, but it's really getting to be a problem. I guess
I'll look to see if there's a pattern with VSS next. Here are the only events
since the last time it occurred in case anyone has additional thoughts.

The oldest shadow copy of volume C: was deleted to keep disk space usage for
shadow copies of volume C: below the user defined limit.
The Volume Shadow Copy service entered the running state.
The Microsoft Software Shadow Copy Provider service entered the running state.
The Volume Shadow Copy service entered the stopped state.
The Microsoft Software Shadow Copy Provider service entered the stopped state.

The time stamp counter of CPU on scheduler id 1 is not synchronized with
other CPUs.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$SQLEXPRESS" />
<EventID Qualifiers="16384">17896</EventID>
<Level>4</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-04-14T12:42:55.000Z" />
<EventRecordID>17522</EventRecordID>
<Channel>Application</Channel>
<Computer>Pegasus</Computer>
<Security />
</System>
<EventData>
<Data>1</Data>
<Binary>E84500000A0000001300000050004500470041005300550053005C00530051004C004500580050005200450053005300000000000000</Binary>
</EventData>
</Event>

Disk(s) were polled for SMART status.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NVRAIDSERVICE" />
<EventID Qualifiers="16384">1024</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-04-14T12:47:44.000Z" />
<EventRecordID>17525</EventRecordID>
<Channel>Application</Channel>
<Computer>Pegasus</Computer>
<Security />
</System>
<EventData>
<Data>N/A</Data>
<Data>N/A</Data>
<Data>N/A</Data>
<Data>N/A</Data>
</EventData>
</Event>

msnmsgr (4012)
\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db:
Online defragmentation is beginning a full pass on database
'\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db'.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ESENT" />
<EventID Qualifiers="0">700</EventID>
<Level>4</Level>
<Task>10</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-04-14T13:01:03.000Z" />
<EventRecordID>17526</EventRecordID>
<Channel>Application</Channel>
<Computer>Pegasus</Computer>
<Security />
</System>
<EventData>
<Data>msnmsgr</Data>
<Data>4012</Data>
<Data>\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db:</Data>
<Data>\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db</Data>
</EventData>
</Event>
 
Guest

For posterity, I wanted to update this thread with some additional
information in case someone else runs into the same problem. Lately it seems
the times that network credentials disappeared also coincided with times
where I experienced another unusual behavior -- windows, context menus, etc.
would not open. I was running only a few applications, but I noticed closing
one or two seemed to make the system responsive again. Thinking it was a
memory issue, I checked, but plenty of my 2GB of RAM was still available. It
turns out I was running out of desktop heap. There's an article here on the
issue and a workaround:

http://blogs.msdn.com/tonyschr/archive/2005/05/25/desktop-heap-limitations.aspx

Since I made the adjustment mentioned in the article, I haven't experienced
the problem again. I'm not sure why this system was running out of heap with
the default settings. I have pretty much identical software (other than
drivers) on two of my machines here, but only one had the issue. I suppose a
rogue driver or app might be causing a leak, in which case, I should
eventually hit the limit again even after making the heap size update. I'll
update this thread with more info if I discover anything new.
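The workaround in the linked article adjusts the SharedSection sizes in the Windows subsystem registry value, which controls the desktop heap. Below is an added PowerShell example, not posted by anyone in this thread, that only reads that value and reports the current sizes so the setting can be checked on the affected machine and compared with the one that does not show the problem. It assumes the value is in the standard location (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, value "Windows") and the usual `SharedSection=a,b,c` form, where a is the shared heap, b the interactive desktop heap and c the non-interactive desktop heap, all in KB.

```powershell
# Added example (not from the thread): read, without modifying, the SharedSection
# sizes that the desktop-heap workaround adjusts. Assumes the standard location
# of the "Windows" subsystem value and the usual SharedSection=a,b,c layout.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$windows = (Get-ItemProperty -Path $key -Name Windows).Windows

if ($windows -match 'SharedSection=(?<shared>\d+),(?<interactive>\d+)(,(?<noninteractive>\d+))?') {
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        SharedHeapKB            = [int]$Matches['shared']
        InteractiveDesktopKB    = [int]$Matches['interactive']
        NonInteractiveDesktopKB = if ($Matches['noninteractive']) { [int]$Matches['noninteractive'] } else { $null }
        RawValue                = $windows
    }
} else {
    Write-Warning "No SharedSection= setting found in: $windows"
}
```

Reading the value needs no special rights; changing it does require an elevated prompt and a reboot to take effect, and a too-large interactive desktop heap takes address space from the session, so compare the two machines first rather than raising the number blindly.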
 
Guest

Well, it looks like the desktop heap issue was unrelated because my stored
network credentials just disappeared again. This sure has been a tough one to
track down. At least I haven't run out of heap yet, maybe one problem solved.
 