none
Win7 logging users with temp profile

    Question

  • Hi,

    It happens randomly (always when PC is on since some hours) that at user logon  Win7 builds a temporary profile informing the user that it was not possible to access the files of his/her profile and that the temp profile will be deleted after use

    When I am in this situation the only thing I can do to make the users to be able to log on with their profiles is to restart the PC. This means that the profiles ARE NOT DAMAGED.


    In the event log I got this error:

    Log Name: Application
    Source: Microsoft-Windows-User Profiles Service
    Date: 29/09/2009 1.53.56
    Event ID: 1508
    Task Category: None
    Level: Error
    Keywords:
    User: SYSTEM
    Computer: MYPC
    Description:
    Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

    DETAIL - The process cannot access the file because it is being used by another process.
    for C:\Users\User1\ntuser.dat


    Does anyone know how can I identify where is the problem?

    And how is it possible to understand which is the process which is locking the ntuser.dat file?

    Thanks in advance.


    Plo
    Thursday, November 05, 2009 12:14 AM

Answers

All replies

  • Hi,

     

    Please try the following to check the issue:

     

    1.    When you logon without issues, click “Start”, type “gpedit.msc” in Search Bar and press Enter.

    2.    Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy” in the left pane, double click “Audit object access” and select “Success” in “Audit object access Properties”.

    3.    Click OK to apply the settings.

    4.    Then run the following command in an elevated command prompt:

     

    gpupdate /force

     

    5.    Go to the path “C:\Users\User1\”

    6.    Check if the “ntuser.dat” exists, if it is not be displayed, please also perform the following steps:

     

    1)    In Windows Explorer, press Alt, click “Tools” and select “Folder Options”

    2)    Switch to “View” tab, under the Hidden files and folders heading select Show hidden files and folders.

    3)    Uncheck the “Hide extensions for known file types” option.

    4)    Uncheck the “Hide protected operating system files (recommended)” option.

    5)    Click yes to confirm that you really want to do this.

    6)    Click Apply, click OK.

    7)    Then the “ntuser.dat” will appear in “C:\Users\User1\”.

     

    7.    Right click “ntuser.dat” and select “Properties”.

    8.    Switch to “Security” tab and click “Advanced”.

    9.    In Advanced Security Settings for NTUSER.DAT, switch to “Auditing” tab, click “Continue”.

    10. Click “Add” in the new opened dialogue box, input everyone and click OK; then, assign “Full control” to Everyone in “Auditing Entry for NTUSER.DAT” and click OK.

    11. Continue clicking “OK” to apply the changes.

     

    After the steps, please keep monitoring the issue, if the issue appeared, please check “Windows Logs - Security” in Event Viewer and see which process or application is occupying this file. You can also save the events and share the log with us by uploading to Windows Live SkyDrive.

     

    Thanks.


    Nicholas Li - MSFT
    Thursday, November 05, 2009 10:00 AM
  • Hi,

     

    Please try the following to check the issue:

     

    1.    When you logon without issues, click “Start”, type “gpedit.msc” in Search Bar and press Enter.

    2.    Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy” in the left pane, double click “Audit object access” and select “Success” in “Audit object access Properties”.

    3.    Click OK to apply the settings.

    4.    Then run the following command in an elevated command prompt:

     

    gpupdate /force

     

    5.    Go to the path “C:\Users\User1\”

    6.    Check if the “ntuser.dat” exists, if it is not be displayed, please also perform the following steps:

     

    1)    In Windows Explorer, press Alt, click “Tools” and select “Folder Options”

    2)    Switch to “View” tab, under the Hidden files and folders heading select Show hidden files and folders.

    3)    Uncheck the “Hide extensions for known file types” option.

    4)    Uncheck the “Hide protected operating system files (recommended)” option.

    5)    Click yes to confirm that you really want to do this.

    6)    Click Apply, click OK.

    7)    Then the “ntuser.dat” will appear in “C:\Users\User1\”.

     

    7.    Right click “ntuser.dat” and select “Properties”.

    8.    Switch to “Security” tab and click “Advanced”.

    9.    In Advanced Security Settings for NTUSER.DAT, switch to “Auditing” tab, click “Continue”.

    10. Click “Add” in the new opened dialogue box, input everyone and click OK; then, assign “Full control” to Everyone in “Auditing Entry for NTUSER.DAT” and click OK.

    11. Continue clicking “OK” to apply the changes.

     

    After the steps, please keep monitoring the issue, if the issue appeared, please check “Windows Logs - Security” in Event Viewer and see which process or application is occupying this file. You can also save the events and share the log with us by uploading to Windows Live SkyDrive.

     

    Thanks.


    Nicholas Li - MSFT

    OK. I'll do it.
    Plo
    Friday, November 06, 2009 11:49 PM
  • Hi,

     

    Please try the following to check the issue:

     

    1.    When you logon without issues, click “Start”, type “gpedit.msc” in Search Bar and press Enter.

    2.    Navigate to “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy” in the left pane, double click “Audit object access” and select “Success” in “Audit object access Properties”.

    3.    Click OK to apply the settings.

    4.    Then run the following command in an elevated command prompt:

     

    gpupdate /force

     

    5.    Go to the path “C:\Users\User1\”

    6.    Check if the “ntuser.dat” exists, if it is not be displayed, please also perform the following steps:

     

    1)    In Windows Explorer, press Alt, click “Tools” and select “Folder Options”

    2)    Switch to “View” tab, under the Hidden files and folders heading select Show hidden files and folders.

    3)    Uncheck the “Hide extensions for known file types” option.

    4)    Uncheck the “Hide protected operating system files (recommended)” option.

    5)    Click yes to confirm that you really want to do this.

    6)    Click Apply, click OK.

    7)    Then the “ntuser.dat” will appear in “C:\Users\User1\”.

     

    7.    Right click “ntuser.dat” and select “Properties”.

    8.    Switch to “Security” tab and click “Advanced”.

    9.    In Advanced Security Settings for NTUSER.DAT, switch to “Auditing” tab, click “Continue”.

    10. Click “Add” in the new opened dialogue box, input everyone and click OK; then, assign “Full control” to Everyone in “Auditing Entry for NTUSER.DAT” and click OK.

    11. Continue clicking “OK” to apply the changes.

     

    After the steps, please keep monitoring the issue, if the issue appeared, please check “Windows Logs - Security” in Event Viewer and see which process or application is occupying this file. You can also save the events and share the log with us by uploading to Windows Live SkyDrive.

     

    Thanks.


    Nicholas Li - MSFT


    Hi Nicholas.

    I did the capture of the event logs. From a first analisys, there are only 2 processes accessing NTUSER.DAT.

    The first is SVCHOST with PID 1112. There are a bunch of services quite important running in it. So I need your help to understand where is the problem. I saved the Event Log file and a printout of Process Monitor for PID 1112. I tried to kill the process with PID 1112 but the problem did not disappear. I still have to reboot in order to unlock NTUSER.DAT and be able to logon.

    The second is AVG antivirus. I discarded the possibility that the problem is there because I recently upgraded from v.8.5 to v.9.0 and I noticed the problem both before and after the upgrade.

    I also noticed that the file NTUSER.DAT:
    1. is visible even if I do not have uchecked the "Hide protected operating system file" in folder options. I suspect this is due to the fact that I defined he audit on it.
    2. has a state "Shared". Is it correct?
    3. if I try to rename it, I'm warned that the file is locked by System. 

    I'm still stucked. :-(

    You can check if those are the only two processes to access NTUSER.DAT in the event log file I saved in http://cid-80333a7a60b078f8.skydrive.live.com/browse.aspx/Event%20Log. Keep in mind that the name of the user that is suffering the problem is "Nadia" and not "User1".

    Thank you.


    Plo
    Sunday, November 08, 2009 12:50 AM
  • I discovered an additional symptom that could possibly be part of the problem.

    On the only PC in my home where I have the problem, I noticed during a backup the existence of the following directory:

    C:\Users\Paolo\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data

    This for all users.

    If you want to verify if you have this symptom too, you'll have to modify security settings for C:\Users\YourUser\Appdata\Local\Application Data which has a Deny access to group Everyone.

    May this help to identify the origin of the problem?

    Plo
    Thursday, November 12, 2009 12:57 PM
  • Hi,

     

    Please also try to create a new user account and see if the issue also occurs.

     

    Thanks.


    Nicholas Li - MSFT
    Monday, November 16, 2009 4:39 AM
  • Hi,

     

    Please also try to create a new user account and see if the issue also occurs.

     

    Thanks.


    Nicholas Li - MSFT

    Too late. Yesterday I reinstalled Windows 7 from scratch. Starting today, I'll definetly stop to say to friends and on forums that I never had to reinstall Windows for Windows' problems. I'm really disappointed that a problem apparently quite common (looking at other posts as http://social.answers.microsoft.com/Forums/en-US/w7security/thread/6a5f0f5d-d9a4-448b-af8f-b2e6a0a05479 in this and other forums on internet) has not been correctly addressed by MSFT itself.
    Plo
    Monday, November 16, 2009 10:39 AM
  •  

    Hi,

     

    I am sorry that you have reinstalled Windows 7, sorry for the inconvenience.

     

    Your efforts on this issue are highly appreciated. And I still hope the information and what you experienced will benefit many other users; and we really value having you as a Microsoft customer.

     

    In the future, if you experience any issues regarding our products, you are welcome to post a new thread in our forum.

    Thanks again.


    Nicholas Li - MSFT
    Tuesday, November 17, 2009 10:40 AM
  • Hi,

    I am having the same problem.

    I have a Windows 7 machine with 3 users user1 (admin), user2 and user3.

    When I logon a user1 and logoff, I can log on to user2 or user3. But when I logoff from user3 or user2, I cannot log on as user1 or user3 (it goes into a temp profile). I can log on as user2 again

    Only option is a reboot. I disabled switch user capability as I thought this might be an issue. No success. After a while I thought as user3 was added recently, it might be a issue. So I deleted user3. But the problem still exists.

    Then I created user4 (admin). Now I can logoff as user1 or user4 and there are no issues. But when I try to logon as user2 and logoff, I cannot go into user1 or user4 (it goes into a temp profile).

    Every time,it goes into a temp profile i get gfollowing event.

    --------

    Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights.

    DETAIL - The process cannot access the file because it is being used by another process.

    for C:\Users\amod gokhale\ntuser.dat

    --------

    Any help ?

    Regards

    Dark.Mage.Returns

    Friday, October 29, 2010 10:12 AM