  1. #1


    Win 7 Enterprise - Profile "Corruption" Issue

    Copied this from my post on technet, but not getting any reply from MS, so I figured I would bounce this issue across this community which has been extremely helpful in the past.

    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
        <EventID>1508</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2013-11-05T21:50:21.712962100Z" />
        <EventRecordID>3302</EventRecordID>
        <Correlation />
        <Execution ProcessID="1000" ThreadID="1084" />
        <Channel>Application</Channel>
        <Computer>ABK-A23-BW87.acsd.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_REGLOADKEYFAILED">
        <Data Name="Error">The process cannot access the file because it is being used by another process.</Data>
        <Data Name="File">C:\Users\95142\AppData\Local\Microsoft\Windows\\UsrClass.dat</Data>
      </EventData>
    </Event>
    Code:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
        <EventID>1542</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2013-11-05T21:50:21.712962100Z" />
        <EventRecordID>3303</EventRecordID>
        <Correlation />
        <Execution ProcessID="1000" ThreadID="1084" />
        <Channel>Application</Channel>
        <Computer>ABK-A23-BW87.acsd.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Error">The process cannot access the file because it is being used by another process.</Data>
      </EventData>
    </Event>

    We do not believe this is a network or DFS/Server issue, as this happens even to profiles that are on the local machine (i.e. the local administrator account gets bugged too).

    Background: We are a full Windows Shop with Server 2012 and 2008 R2 Domain / Virtual Servers (VMware). DFS namespace for Folder Redirection (via GPO) of "My Documents" (Not AppData/Profile Info), Shared Drives. We use Endpoint Protection and do all of our Imaging via SCCM 2012, and are a full Windows 7 Enterprise desktop shop.

    Problem: Over the past 4 months this problem has gone from once in a while to about 30-40 calls a day inconveniencing our users. It is best explained on these forums, of which I have copied and pasted to save my fingers: What causes corrupt profiles? - AnandTech Forums

    "One of the problems we have at my work is when a user logs on they get a red x on the network icon, but it isn't a network issue. When this happens the computer is almost unusable. You can't use things like Windows Explorer, or Internet Explorer. We know how to fix the issue, which is deleting the usrclass.dat file in the user's profile. It has been suggested that SCCM could be causing the issue but I don't know. Has anybody else run into this issue on a Windows 7 Enterprise environment? I've tried googling the issue but some of the stuff is way over my head, and I don't know much about SCCM and if that is causing the issue."

    We can resolve the issue by deleting the user's profile, OR by deleting the UsrClass.dat file and letting it rebuild each login; however, we prefer to get to the root cause of the problem.

    Thanks for reading and I look forward to your input.

    Note: We noticed yesterday that there seems to be two \\ in the event log, not sure if that's just how Microsoft drops it in the event log or if that could point to the source of the problem. (C:\Users\95142\AppData\Local\Microsoft\Windows\\UsrClass.dat)
    Last edited by dmanning; 22nd November 2013 at 05:19 PM.

  2. #2
    Zourous
    Were there any changes 4 months ago that might have caused this? When in the day does the issue occur? Can you monitor the dat file and see when it develops the fault and then check event logs to see what else is going on?
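
The two events in post #1 and the time-of-day question in post #2 can be checked against an exported Application log by counting the 1508 hive-load failures per profile, computer and hour. This is an added example, not part of any post in the thread; the `<Events>` wrapper, the host `PC-EXAMPLE-02`, the profile `teststudent` and the assumption that profiles live under `C:\Users\<name>` are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TEMPLATE = ('<Event xmlns="' + NS["e"] + '"><System><EventID>{eid}</EventID>'
            '<TimeCreated SystemTime="{when}" /><Computer>{host}</Computer></System>'
            '<EventData><Data Name="Error">in use</Data>{file}</EventData></Event>')

def make_event(eid, when, host, path=None):  # constructed event, shaped as in post #1
    file_el = '<Data Name="File">%s</Data>' % path if path else ""
    return TEMPLATE.format(eid=eid, when=when, host=host, file=file_el)

# Constructed sample: first pair reuses post #1's values, the third event is made up.
HIVE = r"\AppData\Local\Microsoft\Windows\\UsrClass.dat"
SAMPLE = "<Events>" + "".join([
    make_event(1508, "2013-11-05T21:50:21.712962100Z", "ABK-A23-BW87.acsd.local",
               r"C:\Users\95142" + HIVE),
    make_event(1542, "2013-11-05T21:50:21.712962100Z", "ABK-A23-BW87.acsd.local"),
    make_event(1508, "2013-11-06T13:05:02.000000000Z", "PC-EXAMPLE-02",
               r"C:\Users\teststudent" + HIVE),
]) + "</Events>"

def parse_events(xml_text):
    """Return id, UTC time (whole seconds), computer and file per 1508/1542 event."""
    rows = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in (1508, 1542):
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        path = ev.findtext("e:EventData/e:Data[@Name='File']", namespaces=NS)
        rows.append({"id": eid, "when": when.replace(tzinfo=timezone.utc),
                     "computer": ev.findtext("e:System/e:Computer", namespaces=NS),
                     # normpath collapses the doubled backslash so paths group together
                     "file": ntpath.normpath(path) if path else None})
    return rows

def summarise(rows):
    """Count hive-load failures (1508) per profile folder, computer and UTC hour."""
    hits = [r for r in rows if r["id"] == 1508 and r["file"]]
    return {"by_profile": Counter(r["file"].split("\\")[2] for r in hits),
            "by_computer": Counter(r["computer"] for r in hits),
            "by_hour": Counter(r["when"].hour for r in hits)}

if __name__ == "__main__":
    print(summarise(parse_events(SAMPLE)))
```

Hours are UTC as recorded in SystemTime, so convert to local time before comparing them with logon peaks.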

  3. #3

    AngryTechnician
    I suspect the key to this will be finding out what process is accessing that file. If you can reproduce the issue reliably, I suggest running Procmon as the local admin and leaving it running, then switch user and log in as an affected user. Search the resulting Procmon log for access to the UsrClass.dat and see if that reveals anything.

    Past experience with file-locking issues like these leads me to suspect the antivirus is locking it for a scan and not relinquishing it in a timely fashion, but that's really only speculation at this point.

  4. #4

    The only updates we've done on our network are your standard Windows Updates, plus software updates like Java, Adobe, etc., which release almost every other day. We use Microsoft's own Endpoint Protection 2012 and we put in exceptions for said locations; it still happens.
    Additionally, we noticed this happens even at profile creation ... so if the user's profile doesn't even exist yet, and they log in, this problem happens right away with the above events in the log.
    At the moment, I am installing fresh from the Windows 7 Ent /SP1 DVD on a new machine. Going to drop it in its own OU with no policies at all for Computer or Users, install the same windows updates as we run in our district, and see if I can replicate the problem. This would then eliminate anything such as SCCM 2012, AV, GPO, etc. And will use ProcMon as well.
    Hopefully I won't get too mad this week and start bashing my keyboard against the PC.

  5. #5

    Getting Buffer Overflow errors, see attached:
    procmon.PNG

    Description: Host Process for Windows Services
    Company: Microsoft Corporation
    Name: svchost.exe
    Version: 6.1.7600.16385 (win7_rtm.090713-1255)
    Path: C:\Windows\system32\svchost.exe
    Command Line: C:\Windows\system32\svchost.exe -k netsvcs
    PID: 960
    Parent PID: 476
    Session ID: 0
    User: NT AUTHORITY\SYSTEM
    Auth ID: 00000000:000003e7
    Architecture: 64-bit
    Virtualized: False
    Integrity: System
    Started: 11/25/2013 8:34:01 AM
    Ended: (Running)
    Modules:
    mdnsNSP.dll 0x74610000 0x35000 C:\Program Files\Bonjour\mdnsNSP.dll Apple Inc. 2.0.4.0
    security.dll 0x74670000 0x3000 C:\Windows\system32\security.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    USER32.dll 0x76990000 0xfa000 C:\Windows\system32\USER32.dll Microsoft Corporation 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    kernel32.dll 0x76d40000 0x11f000 C:\Windows\system32\kernel32.dll Microsoft Corporation 6.1.7601.18015 (win7sp1_gdr.121129-1432)
    ntdll.dll 0x76e60000 0x1a9000 C:\Windows\SYSTEM32\ntdll.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    psapi.dll 0x77030000 0x7000 C:\Windows\system32\psapi.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    svchost.exe 0xff060000 0xb000 C:\Windows\system32\svchost.exe Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    shsvcs.dll 0x7feed380000 0x5e000 c:\windows\system32\shsvcs.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    dssenh.dll 0x7feed420000 0x32000 C:\Windows\System32\dssenh.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    mspatcha.dll 0x7feee500000 0xf000 c:\windows\system32\mspatcha.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    wuaueng.dll 0x7feee5d0000 0x255000 c:\windows\system32\wuaueng.dll Microsoft Corporation 7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1505)
    msi.dll 0x7feeebc0000 0x317000 C:\Windows\System32\msi.dll Microsoft Corporation 5.0.7601.17807
    ESENT.dll 0x7feefbc0000 0x27a000 c:\windows\system32\ESENT.dll Microsoft Corporation 6.1.7600.16385 (win7_rtm.090713-1255)
    ...
    etc

  6. #6

    AngryTechnician
    That's actually a red herring - BUFFER OVERFLOW is part of 'normal' operation for a lot of file system and registry traversal. Buffer Overflows - Mark's Blog - Site Home - TechNet Blogs

    Anything else for that file?


  8. #7

    Killed my excitement with that link. We were hoping we were on to something since we only see the buffer overflows on affected profiles. From the log the only things in there are Microsoft files, along with the Bonjour (Apple) entry in the log and the Microsoft Forefront TMG Firewall client we use.

  9. #8

    AngryTechnician
    Originally posted by dmanning:
    Killed my excitement with that link. We were hoping we were on to something since we only see the buffer overflows on affected profiles.
    Well, that means it is still notable, even if it's not the root of the problem.

    From the log it looks like the buffer overflows are occurring while Windows is reading the ACL on the file. If that isn't happening on unaffected profiles, it could indicate that the ACL is different on the affected ones. Can you run the command cacls UsrClass.dat on both unaffected and affected users and see if there are any differences that stand out?


