Stuck on Welcome Screen Corrupt Profile

    Question

  • We are having lots of computers randomly getting stuck on the welcome screen. When I connect to Event Viewer I can see these errors. Some may be related, some not. Any ideas? The errors always seem present, especially the corrupt profile ones.

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          22/11/2010 09:56:29
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:     
    User:          SYSTEM
    Computer:      R118-03.empire.boston.ac.uk
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730:
    Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730
    Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
        <EventID>1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-22T09:56:29.104549100Z" />
        <EventRecordID>10324</EventRecordID>
        <Correlation />
        <Execution ProcessID="968" ThreadID="108" />
        <Channel>Application</Channel>
        <Computer>R118-03.empire.boston.ac.uk</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730:
    Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730
    Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar
    </Data>
      </EventData>
    </Event> 

    Log Name:      Application
    Source:        Windows Error Reporting
    Date:          22/11/2010 09:31:42
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      R118-03.empire.boston.ac.uk
    Description:
    Fault bucket , type 0
    Event Name: PnPDriverImportError
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: x64
    P2: E0000247
    P3: oemsetup.inf
    P4: 0f72ccc8635a051e4082e63be95abc533c508719
    P5:
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:
    C:\Windows\Temp\DMIA563.tmp.log.xml
    C:\Windows\System32\spool\{CEE5687B-EDE0-4B2C-84A2-1F82FF93D0E7}\oemsetup.inf

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_cab_049aab30

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 4f208639-f61b-11df-86bb-001cc05b6dcb
    Report Status: 4
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Windows Error Reporting" />
        <EventID Qualifiers="0">1001</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-22T09:31:42.000000000Z" />
        <EventRecordID>10298</EventRecordID>
        <Channel>Application</Channel>
        <Computer>R118-03.empire.boston.ac.uk</Computer>
        <Security />
      </System>
      <EventData>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>PnPDriverImportError</Data>
        <Data>Not available</Data>
        <Data>0</Data>
        <Data>x64</Data>
        <Data>E0000247</Data>
        <Data>oemsetup.inf</Data>
        <Data>0f72ccc8635a051e4082e63be95abc533c508719</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
    C:\Windows\Temp\DMIA563.tmp.log.xml
    C:\Windows\System32\spool\{CEE5687B-EDE0-4B2C-84A2-1F82FF93D0E7}\oemsetup.inf</Data>
        <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_cab_049aab30</Data>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>4f208639-f61b-11df-86bb-001cc05b6dcb</Data>
        <Data>4</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Microsoft-Windows-Winlogon
    Date:          22/11/2010 09:28:32
    Event ID:      6006
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      R118-03.empire.boston.ac.uk
    Description:
    The winlogon notification subscriber <GPClient> took 595 second(s) to handle the notification event (Logon).
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
        <EventID Qualifiers="32768">6006</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-22T09:28:32.000000000Z" />
        <EventRecordID>10294</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>R118-03.empire.boston.ac.uk</Computer>
        <Security />
      </System>
      <EventData>
        <Data>GPClient</Data>
        <Data>595</Data>
        <Data>Logon</Data>
        <Binary>02000000</Binary>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Windows Error Reporting
    Date:          22/11/2010 09:18:03
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      R118-03.empire.boston.ac.uk
    Description:
    Fault bucket , type 0
    Event Name: ServiceHang
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: sftlist
    P2: sftlist.exe"
    P3: 0.0.0.0
    P4: 10
    P5: 2
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_sftlist_66c8b82913e74362faebe69814168a739671eaa_0a7e2531

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: 658b951f-f619-11df-86bb-001cc05b6dcb
    Report Status: 4
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Windows Error Reporting" />
        <EventID Qualifiers="0">1001</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-22T09:18:03.000000000Z" />
        <EventRecordID>10263</EventRecordID>
        <Channel>Application</Channel>
        <Computer>R118-03.empire.boston.ac.uk</Computer>
        <Security />
      </System>
      <EventData>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>ServiceHang</Data>
        <Data>Not available</Data>
        <Data>0</Data>
        <Data>sftlist</Data>
        <Data>sftlist.exe"</Data>
        <Data>0.0.0.0</Data>
        <Data>10</Data>
        <Data>2</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_sftlist_66c8b82913e74362faebe69814168a739671eaa_0a7e2531</Data>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>658b951f-f619-11df-86bb-001cc05b6dcb</Data>
        <Data>4</Data>
      </EventData>
    </Event>

    Log Name:      Application
    Source:        Windows Error Reporting
    Date:          19/11/2010 13:35:41
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      R118-03.empire.boston.ac.uk
    Description:
    Fault bucket , type 0
    Event Name: PnPDriverImportError
    Response: Not available
    Cab Id: 0

    Problem signature:
    P1: x64
    P2: E0000247
    P3: oemsetup.inf
    P4: 0f72ccc8635a051e4082e63be95abc533c508719
    P5:
    P6:
    P7:
    P8:
    P9:
    P10:

    Attached files:

    These files may be available here:
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_0178f275

    Analysis symbol:
    Rechecking for solution: 0
    Report Id: d6cbb648-f3e1-11df-969a-001cc05b6dcb
    Report Status: 0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Windows Error Reporting" />
        <EventID Qualifiers="0">1001</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-19T13:35:41.000000000Z" />
        <EventRecordID>10217</EventRecordID>
        <Channel>Application</Channel>
        <Computer>R118-03.empire.boston.ac.uk</Computer>
        <Security />
      </System>
      <EventData>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>PnPDriverImportError</Data>
        <Data>Not available</Data>
        <Data>0</Data>
        <Data>x64</Data>
        <Data>E0000247</Data>
        <Data>oemsetup.inf</Data>
        <Data>0f72ccc8635a051e4082e63be95abc533c508719</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_0178f275</Data>
        <Data>
        </Data>
        <Data>0</Data>
        <Data>d6cbb648-f3e1-11df-969a-001cc05b6dcb</Data>
        <Data>0</Data>
      </EventData>
    </Event>

    Log Name:      System
    Source:        Microsoft-Windows-Kernel-General
    Date:          22/11/2010 09:58:03
    Event ID:      5
    Task Category: None
    Level:         Error
    Keywords:     
    User:          SYSTEM
    Computer:      R118-03.empire.boston.ac.uk
    Description:
    {Registry Hive Recovered} Registry hive (file): '\??\c:\users\120624\ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
        <EventID>5</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2010-11-22T09:58:03.523990400Z" />
        <EventRecordID>23615</EventRecordID>
        <Correlation />
        <Execution ProcessID="2400" ThreadID="1620" />
        <Channel>System</Channel>
        <Computer>R118-03.empire.boston.ac.uk</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="FinalStatus">0x8000002a</Data>
        <Data Name="ExtraStringLength">30</Data>
        <Data Name="ExtraString">\??\c:\users\120624\ntuser.dat</Data>
      </EventData>
    </Event>

    Monday, November 22, 2010 10:27 AM

All replies

  • I think I have found the root cause. We have somehow carried the User Profile Hive Cleanup Service over to Windows 7 from one of our group policies.

    http://support.microsoft.com/kb/947238

    I'll report back when I'm sure this fixes it.

    Robbie

    Monday, November 22, 2010 5:51 PM
  • I was mistaken; this wasn't on any of the PCs with the issue.

    Any other ideas?

    Robbie

    Tuesday, November 23, 2010 9:40 AM
  • Hi,

    After checking this issue, I notice that the event id 5 is error level.

    I would like to confirm if all computers are in a domain environment. If so, are you currently using roaming profiles?

    According to the description of the error, I suspect the user profiles got corrupted. Please refer to the following article:

    Fix a corrupted user profile

    Hope it helps.

    Alex Zhao


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, November 26, 2010 6:57 AM
  • We are on roaming profiles now, BUT it was happening prior to roaming profiles.

    Robbie

    Friday, November 26, 2010 11:10 AM
  • Hi,

    Does this issue still exist when you use roaming profiles?

    Alex Zhao


    Monday, November 29, 2010 1:59 AM
  • It's happening on machines even after roaming profiles are turned on.

    I can't say for certain if it's the roaming profile corrupting too, but I could find out if it would help? Most of those errors above I've discounted as regular warnings etc., apart from the last kernel-error one.

    I've also turned on logging in verbose logins to see if I can pull any logs from one stuck on welcome.

    Robbie

    Monday, November 29, 2010 7:39 AM
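
Added example, not part of the original thread: a Python script that pulls the three profile-related records posted in the question (User Profiles Service 1530, Winlogon 6006, Kernel-General 5) out of exported event XML and orders them by time, so the same triage can be repeated on every affected machine. The `<Events>` wrapper, the function names and the positional reading of the `<Data>` fields are assumptions based on the events shown above; the sample input is constructed by trimming those events.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEAK = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S.*)")

# Constructed sample: the thread's events 1530, 6006 and 5, trimmed to the fields used here.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-User Profiles Service" /><EventID>1530</EventID>
<TimeCreated SystemTime="2010-11-22T09:56:29.104549100Z" /></System>
<EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730:
Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar
</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Winlogon" /><EventID Qualifiers="32768">6006</EventID>
<TimeCreated SystemTime="2010-11-22T09:28:32.000000000Z" /></System>
<EventData><Data>GPClient</Data><Data>595</Data><Data>Logon</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Kernel-General" /><EventID>5</EventID>
<TimeCreated SystemTime="2010-11-22T09:58:03.523990400Z" /></System>
<EventData><Data Name="FinalStatus">0x8000002a</Data><Data Name="ExtraString">\??\c:\users\120624\ntuser.dat</Data></EventData></Event>
</Events>"""

def summarize(event):
    """Return (time, kind, detail) for the three profile-related events, else None."""
    provider = event.find("e:System/e:Provider", NS).get("Name")
    event_id = int(event.find("e:System/e:EventID", NS).text)
    when = event.find("e:System/e:TimeCreated", NS).get("SystemTime")[:19]
    # Assumption: <Data> order matches the events posted in the thread.
    data = [d.text or "" for d in event.findall("e:EventData/e:Data", NS)]
    if provider.endswith("User Profiles Service") and event_id == 1530:
        holders = [(int(pid), path.rsplit("\\", 1)[-1]) for pid, path, _ in LEAK.findall(data[0])]
        return when, "hive_handle_leak", holders      # which processes kept the hive open
    if provider.endswith("Winlogon") and event_id == 6006:
        return when, "slow_logon_subscriber", (data[0], int(data[1]), data[2])
    if provider.endswith("Kernel-General") and event_id == 5:
        return when, "hive_recovered", data[-1]       # path of the recovered ntuser.dat
    return None

def triage(xml_text):
    """Parse an <Events> export and return the relevant records in time order."""
    rows = [summarize(ev) for ev in ET.fromstring(xml_text).findall("e:Event", NS)]
    return sorted((r for r in rows if r), key=lambda r: r[0])

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run against the sample, the timeline reads: GPClient spends 595 seconds on the Logon notification, the hive is later unloaded while winlogon.exe and svchost.exe still hold handles, and the kernel then reports ntuser.dat as recovered.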