Win7 logging users with temp profile
Hi,
It happens randomly (always when PC is on since some hours) that at user logon Win7 builds a temporary profile informing the user that it was not possible to access the files of his/her profile and that the temp profile will be deleted after use
When I am in this situation the only thing I can do to make the users to be able to log on with their profiles is to restart the PC. This means that the profiles ARE NOT DAMAGED.
In the event log I got this error:Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 29/09/2009 1.53.56
Event ID: 1508
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: MYPC
Description:
Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.DETAIL - The process cannot access the file because it is being used by another process.
for C:\Users\User1\ntuser.dat
Does anyone know how can I identify where is the problem?
And how is it possible to understand which is the process which is locking the ntuser.dat file?Thanks in advance.
Plo
Answers
Hi,
Please also try to create a new user account and see if the issue also occurs.
Thanks.
Nicholas Li - MSFT
Too late. Yesterday I reinstalled Windows 7 from scratch. Starting today, I'll definetly stop to say to friends and on forums that I never had to reinstall Windows for Windows' problems. I'm really disappointed that a problem apparently quite common (looking at other posts as http://social.answers.microsoft.com/Forums/en-US/w7security/thread/6a5f0f5d-d9a4-448b-af8f-b2e6a0a05479 in this and other forums on internet) has not been correctly addressed by MSFT itself.
Plo- Marked As Answer byNicholas LiMSFT, ModeratorTuesday, November 17, 2009 10:41 AM
All Replies
Hi,
Please try the following to check the issue:
1. When you logon without issues, click “Start”, type “gpedit.msc” in Search Bar and press Enter.
2. Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy” in the left pane, double click “Audit object access” and select “Success” in “Audit object access Properties”.
3. Click OK to apply the settings.
4. Then run the following command in an elevated command prompt:
gpupdate /force
5. Go to the path “C:\Users\User1\”
6. Check if the “ntuser.dat” exists, if it is not be displayed, please also perform the following steps:
1) In Windows Explorer, press Alt, click “Tools” and select “Folder Options”
2) Switch to “View” tab, under the Hidden files and folders heading select Show hidden files and folders.
3) Uncheck the “Hide extensions for known file types” option.
4) Uncheck the “Hide protected operating system files (recommended)” option.
5) Click yes to confirm that you really want to do this.
6) Click Apply, click OK.
7) Then the “ntuser.dat” will appear in “C:\Users\User1\”.
7. Right click “ntuser.dat” and select “Properties”.
8. Switch to “Security” tab and click “Advanced”.
9. In Advanced Security Settings for NTUSER.DAT, switch to “Auditing” tab, click “Continue”.
10. Click “Add” in the new opened dialogue box, input everyone and click OK; then, assign “Full control” to Everyone in “Auditing Entry for NTUSER.DAT” and click OK.
11. Continue clicking “OK” to apply the changes.
After the steps, please keep monitoring the issue, if the issue appeared, please check “Windows Logs - Security” in Event Viewer and see which process or application is occupying this file. You can also save the events and share the log with us by uploading to Windows Live SkyDrive.
Thanks.
Nicholas Li - MSFTHi,
Please try the following to check the issue:
1. When you logon without issues, click “Start”, type “gpedit.msc” in Search Bar and press Enter.
2. Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy” in the left pane, double click “Audit object access” and select “Success” in “Audit object access Properties”.
3. Click OK to apply the settings.
4. Then run the following command in an elevated command prompt:
gpupdate /force
5. Go to the path “C:\Users\User1\”
6. Check if the “ntuser.dat” exists, if it is not be displayed, please also perform the following steps:
1) In Windows Explorer, press Alt, click “Tools” and select “Folder Options”
2) Switch to “View” tab, under the Hidden files and folders heading select Show hidden files and folders.
3) Uncheck the “Hide extensions for known file types” option.
4) Uncheck the “Hide protected operating system files (recommended)” option.
5) Click yes to confirm that you really want to do this.
6) Click Apply, click OK.
7) Then the “ntuser.dat” will appear in “C:\Users\User1\”.
7. Right click “ntuser.dat” and select “Properties”.
8. Switch to “Security” tab and click “Advanced”.
9. In Advanced Security Settings for NTUSER.DAT, switch to “Auditing” tab, click “Continue”.
10. Click “Add” in the new opened dialogue box, input everyone and click OK; then, assign “Full control” to Everyone in “Auditing Entry for NTUSER.DAT” and click OK.
11. Continue clicking “OK” to apply the changes.
After the steps, please keep monitoring the issue, if the issue appeared, please check “Windows Logs - Security” in Event Viewer and see which process or application is occupying this file. You can also save the events and share the log with us by uploading to Windows Live SkyDrive.
Thanks.
Nicholas Li - MSFT
OK. I'll do it.
PloHi,
Please try the following to check the issue:
1. When you logon without issues, click “Start”, type “gpedit.msc” in Search Bar and press Enter.
2. Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy” in the left pane, double click “Audit object access” and select “Success” in “Audit object access Properties”.
3. Click OK to apply the settings.
4. Then run the following command in an elevated command prompt:
gpupdate /force
5. Go to the path “C:\Users\User1\”
6. Check if the “ntuser.dat” exists, if it is not be displayed, please also perform the following steps:
1) In Windows Explorer, press Alt, click “Tools” and select “Folder Options”
2) Switch to “View” tab, under the Hidden files and folders heading select Show hidden files and folders.
3) Uncheck the “Hide extensions for known file types” option.
4) Uncheck the “Hide protected operating system files (recommended)” option.
5) Click yes to confirm that you really want to do this.
6) Click Apply, click OK.
7) Then the “ntuser.dat” will appear in “C:\Users\User1\”.
7. Right click “ntuser.dat” and select “Properties”.
8. Switch to “Security” tab and click “Advanced”.
9. In Advanced Security Settings for NTUSER.DAT, switch to “Auditing” tab, click “Continue”.
10. Click “Add” in the new opened dialogue box, input everyone and click OK; then, assign “Full control” to Everyone in “Auditing Entry for NTUSER.DAT” and click OK.
11. Continue clicking “OK” to apply the changes.
After the steps, please keep monitoring the issue, if the issue appeared, please check “Windows Logs - Security” in Event Viewer and see which process or application is occupying this file. You can also save the events and share the log with us by uploading to Windows Live SkyDrive.
Thanks.
Nicholas Li - MSFT
Hi Nicholas.
I did the capture of the event logs. From a first analisys, there are only 2 processes accessing NTUSER.DAT.
The first is SVCHOST with PID 1112. There are a bunch of services quite important running in it. So I need your help to understand where is the problem. I saved the Event Log file and a printout of Process Monitor for PID 1112. I tried to kill the process with PID 1112 but the problem did not disappear. I still have to reboot in order to unlock NTUSER.DAT and be able to logon.
The second is AVG antivirus. I discarded the possibility that the problem is there because I recently upgraded from v.8.5 to v.9.0 and I noticed the problem both before and after the upgrade.
I also noticed that the file NTUSER.DAT:
1. is visible even if I do not have uchecked the "Hide protected operating system file" in folder options. I suspect this is due to the fact that I defined he audit on it.
2. has a state "Shared". Is it correct?
3. if I try to rename it, I'm warned that the file is locked by System.
I'm still stucked. :-(
You can check if those are the only two processes to access NTUSER.DAT in the event log file I saved in http://cid-80333a7a60b078f8.skydrive.live.com/browse.aspx/Event%20Log. Keep in mind that the name of the user that is suffering the problem is "Nadia" and not "User1".
Thank you.
Plo- I discovered an additional symptom that could possibly be part of the problem.
On the only PC in my home where I have the problem, I noticed during a backup the existence of the following directory:
C:\Users\Paolo\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
This for all users.
If you want to verify if you have this symptom too, you'll have to modify security settings for C:\Users\YourUser\Appdata\Local\Application Data which has a Deny access to group Everyone.
May this help to identify the origin of the problem?
Plo Hi,
Please also try to create a new user account and see if the issue also occurs.
Thanks.
Nicholas Li - MSFTHi,
Please also try to create a new user account and see if the issue also occurs.
Thanks.
Nicholas Li - MSFT
Too late. Yesterday I reinstalled Windows 7 from scratch. Starting today, I'll definetly stop to say to friends and on forums that I never had to reinstall Windows for Windows' problems. I'm really disappointed that a problem apparently quite common (looking at other posts as http://social.answers.microsoft.com/Forums/en-US/w7security/thread/6a5f0f5d-d9a4-448b-af8f-b2e6a0a05479 in this and other forums on internet) has not been correctly addressed by MSFT itself.
Plo- Marked As Answer byNicholas LiMSFT, ModeratorTuesday, November 17, 2009 10:41 AM
Hi,
I am sorry that you have reinstalled Windows 7, sorry for the inconvenience.
Your efforts on this issue are highly appreciated. And I still hope the information and what you experienced will benefit many other users; and we really value having you as a Microsoft customer.
In the future, if you experience any issues regarding our products, you are welcome to post a new thread in our forum.
Thanks again.
Nicholas Li - MSFT
