Win 7 Enterprise - Profile "Corruption" Issue

    1. #1


      Win 7 Enterprise - Profile "Corruption" Issue

      Copied this from my post on technet, but not getting any reply from MS, so I figured I would bounce this issue across this community which has been extremely helpful in the past.

      Code:
        1508
        0
        2
        0
        0
        0x8000000000000000
        3302
        Application
        ABK-A23-BW87.acsd.local
        The process cannot access the file because it is being used by another process.
        C:\Users\95142\AppData\Local\Microsoft\Windows\\UsrClass.dat

      Code:
        1542
        0
        2
        0
        0
        0x8000000000000000
        3303
        Application
        ABK-A23-BW87.acsd.local
        The process cannot access the file because it is being used by another process.

      Windows 7 Enterprise - Profile "Corruption" Issue

      We do not believe this is a network or DFS/Server issue, as this happens even to profiles that are on the local machine (i.e. the local administrator account gets bugged too).

      Background: We are a full Windows Shop with Server 2012 and 2008 R2 Domain / Virtual Servers (VMWare). DFS namespace for Folder Redirection (via GPO) of "My Documents" (Not AppData/Profile Info), Shared Drives. We use Endpoint Protection and do all of our Imaging via SCCM 2012, and are a full Windows 7 Enterprise desktop shop.

      Problem: Over the past 4 months this problem has gone from once in a while to about 30-40 calls a day, inconveniencing our users. It is best explained on these forums, which I have copied and pasted to save my fingers: What causes corrupt profiles? - AnandTech Forums

      "One of the problems we have at my work is when a user logs on they get a red x on the network icon, but it isn't a network issue. When this happens the computer is almost unusable. You can't use things like Windows Explorer or Internet Explorer. We know how to fix the issue, which is deleting the usrclass.dat file in the user's profile. It has been suggested that SCCM could be causing the issue but I don't know. Has anybody else run into this issue on a Windows 7 Enterprise environment? I've tried googling the issue but some of the stuff is way over my head, and I don't know much about SCCM and if that is causing the issue."

      We can resolve the issue by deleting the user's profile, OR by deleting the UsrClass.dat file and letting it rebuild each login; however, we prefer to get to the root cause of the problem.

      Thanks for reading and I look forward to your input.

      Note: We noticed yesterday that there seem to be two \\ in the event log; not sure if that's just how Microsoft drops it in the event log or if that could point to the source of the problem. (C:\Users\95142\AppData\Local\Microsoft\Windows\\UsrClass.dat)
      Last edited by dmanning; 22nd November 2013 at 04:19 PM.

    2. #2
      Zourous
      Were there any changes 4 months ago that might have caused this? When in the day does the issue occur? Can you monitor the dat file and see when it develops the fault and then check event logs to see what else is going on?
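
One way to answer the timing question above, as an added example that is not part of the original thread: a PowerShell sketch that reads event IDs 1508 and 1542 from the Application log (both taken from the first post), counts them per hour and per file path, and lists what else was logged just before the most recent failures. The 7-day and 2-minute windows and all variable names are assumptions.

```powershell
# Added example, not from the thread. Event IDs 1508/1542 and the Application
# log come from the first post; the 7-day and 2-minute windows are assumptions.
$since  = (Get-Date).AddDays(-7)
$window = New-TimeSpan -Minutes 2

$failures = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; Id = 1508, 1542; StartTime = $since
} -ErrorAction SilentlyContinue)

# When in the day does it happen? Count failures per hour.
$failures |
    Group-Object { $_.TimeCreated.Hour } |
    Sort-Object { [int]$_.Name } |
    Format-Table @{n='Hour'; e={$_.Name}}, Count -AutoSize

# Which hive files are named in the event text, and how often?
$failures |
    ForEach-Object {
        if ($_.Message -match '[A-Za-z]:\\[^\r\n]*?\.dat') { $Matches[0] } else { '(no path)' }
    } |
    Group-Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# What else was logged just before the five most recent failures?
foreach ($f in ($failures | Sort-Object TimeCreated -Descending | Select-Object -First 5)) {
    "--- before event $($f.Id) at $($f.TimeCreated) ---"
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application', 'System'
        StartTime = $f.TimeCreated - $window
        EndTime   = $f.TimeCreated
    } -ErrorAction SilentlyContinue |
        Where-Object { 1508, 1542 -notcontains $_.Id } |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, ProviderName, Id, LevelDisplayName -AutoSize
}
```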

    3. #3

      AngryTechnician
      I suspect the key to this will be finding out what process is accessing that file. If you can reproduce the issue reliably, I suggest running Procmon as the local admin and leaving it running, then switch user and log in as an affected user. Search the resulting Procmon log for access to the UsrClass.dat and see if that reveals anything.

      Past experience with file-locking issues like these leads me to suspect the antivirus is locking it for a scan and not relinquishing it in a timely fashion, but that's really only speculation at this point.

    4. #4

      The only updates we've done on our network are your standard Windows Updates, plus software updates like Java, Adobe, etc., which release almost every other day. We use Microsoft's own Endpoint Protection 2012 and we put in exceptions for said locations; still happens.
      Additionally, we noticed this happens even at profile creation ... so if the user's profile doesn't even exist yet, and they log in, this problem happens right away with the above events in the log.
      At the moment, I am installing fresh from the Windows 7 Ent /SP1 DVD on a new machine. Going to drop it in its own OU with no policies at all for Computer or Users, install the same windows updates as we run in our district, and see if I can replicate the problem. This would then eliminate anything such as SCCM 2012, AV, GPO, etc. And will use ProcMon as well.
      Hopefully I won't get too mad this week and start bashing my keyboard against the PC.

    5. #5

      Getting Buffer Overflow errors, see attached:
      procmon.PNG

      Description: Host Process for Windows Services
      Company: Microsoft Corporation
      Name: svchost.exe
      Version: 6.1.7600.16385 (win7_rtm.090713-1255)
      Path: C:\Windows\system32\svchost.exe
      Command Line: C:\Windows\system32\svchost.exe -k netsvcs
      PID: 960
      Parent PID: 476
      Session ID: 0
      User: NT AUTHORITY\SYSTEM
      Auth ID: 00000000:000003e7
      Architecture: 64-bit
      Virtualized: False
      Integrity: System
      Started: 11/25/2013 8:34:01 AM
      Ended: (Running)
      Modules:
      mdnsNSP.dll 0x74610000 0x35000 C:\Program Files\Bonjour\mdnsNSP.dll Apple Inc. 2.0.4.0
      security.dll 0x74670000 0x3000 C:\Windows\system32\security.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      USER32.dll 0x76990000 0xfa000 C:\Windows\system32\USER32.dll Microsoft Corporation 6.1.7601.17514 (win7sp1_rtm.101119-1850)
      kernel32.dll 0x76d40000 0x11f000 C:\Windows\system32\kernel32.dll Microsoft Corporation 6.1.7601.18015 (win7sp1_gdr.121129-1432)
      ntdll.dll 0x76e60000 0x1a9000 C:\Windows\SYSTEM32\ntdll.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      psapi.dll 0x77030000 0x7000 C:\Windows\system32\psapi.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      svchost.exe 0xff060000 0xb000 C:\Windows\system32\svchost.exe Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      shsvcs.dll 0x7feed380000 0x5e000 c:\windows\system32\shsvcs.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      dssenh.dll 0x7feed420000 0x32000 C:\Windows\System32\dssenh.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      mspatcha.dll 0x7feee500000 0xf000 c:\windows\system32\mspatcha.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      wuaueng.dll 0x7feee5d0000 0x255000 c:\windows\system32\wuaueng.dll Microsoft Corporation 7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1505)
      msi.dll 0x7feeebc0000 0x317000 C:\Windows\System32\msi.dll Microsoft Corporation 5.0.7601.17807
      ESENT.dll 0x7feefbc0000 0x27a000 c:\windows\system32\ESENT.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
      ...
      etc

    6. #6

      AngryTechnician
      That's actually a red herring - BUFFER OVERFLOW is part of 'normal' operation for a lot of file system and registry traversal. Buffer Overflows - Mark's Blog - Site Home - TechNet Blogs

      Anything else for that file?

    7. Thanks to AngryTechnician from:

      dmanning (25th November 2013)

    8. #7

      Killed my excitement with that link. We were hoping we were on to something since we only see the buffer overflows on affected profiles. From the log the only things in there are Microsoft files, along with the Bonjour (Apple) entry in the log and the Microsoft Forefront TMG Firewall client we use.

    9. #8

      AngryTechnician
      Originally posted by dmanning:
      Killed my excitement with that link. We were hoping we were on to something since we only see the buffer overflows on affected profiles.
      Well, that means it is still notable, even if it's not the root of the problem.

      From the log it looks like the buffer overflows are occurring while Windows is reading the ACL on the file. If that isn't happening on unaffected profiles, it could indicate that the ACL is different on the affected ones. Can you run the command cacls UsrClass.dat on both unaffected and affected users and see if there are any differences that stand out?
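
The ACL comparison suggested above, generalised from two files to every local profile, as an added example that is not part of the original thread. It maps SIDs to profile folders through the ProfileList registry key, reads the owner and DACL of each UsrClass.dat, and replaces each profile's own SID with a token so that only real differences from a known-good profile are reported. `$GoodUser` is a placeholder and the function and variable names are assumptions.

```powershell
# Added example, not from the thread. $GoodUser is a placeholder for the folder
# name of a profile known to be unaffected. Run from an elevated prompt.
$GoodUser = 'KNOWN-GOOD-USER'
$hive     = 'AppData\Local\Microsoft\Windows\UsrClass.dat'
$listKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$sections = [System.Security.AccessControl.AccessControlSections]'Access, Owner'

function Get-HiveAclLines([string]$ProfilePath, [string]$Sid) {
    $file = Join-Path $ProfilePath $hive
    if (-not [System.IO.File]::Exists($file)) { return }
    # Only the security descriptor is read; the hive's contents are never opened.
    $sec  = New-Object System.Security.AccessControl.FileSecurity($file, $sections)
    # Replace the profile's own SID so that different users compare equal.
    $norm = { param($id) if ("$id" -eq $Sid) { '<PROFILE-USER>' } else { "$id" } }
    $lines = @('Owner ' + (& $norm $sec.GetOwner($sidType)))
    foreach ($r in $sec.GetAccessRules($true, $true, $sidType)) {
        $lines += '{0} {1} {2} inherited={3}' -f $r.AccessControlType,
            (& $norm $r.IdentityReference), $r.FileSystemRights, $r.IsInherited
    }
    $lines | Sort-Object
}

# One object per profile: SID (registry key name) and profile folder.
$profiles = Get-ChildItem $listKey | ForEach-Object {
    New-Object PSObject -Property @{
        Sid  = $_.PSChildName
        Path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    }
} | Where-Object { $_.Path -like "$env:SystemDrive\Users\*" }

$good = $profiles | Where-Object { (Split-Path $_.Path -Leaf) -eq $GoodUser } |
    Select-Object -First 1
if (-not $good) { throw "No profile folder named '$GoodUser'" }
$baseline = @(Get-HiveAclLines $good.Path $good.Sid)
if ($baseline.Count -eq 0) { throw "No UsrClass.dat under $($good.Path)" }

foreach ($p in $profiles) {
    $acl = @(Get-HiveAclLines $p.Path $p.Sid)
    if ($acl.Count -eq 0) { continue }
    $diff = Compare-Object $baseline $acl
    if ($diff) {
        "ACL differs from baseline: $($p.Path)"
        $diff | Format-Table SideIndicator, InputObject -AutoSize
    }
}
```

In the output, `<=` marks an entry present only on the baseline profile and `=>` one present only on the profile being checked.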
