Windows saved registry while an application was still using it

Posted: 12-18-2003, 03:34 AM
On my WinXP Pro SP1 system while using the built in Administrator
account, if I check the "Event Viewer" and look at the Application
Log, I see warning messages stating:


"Windows saved user Xyz\Administrator registry while an application or
service was still using the registry during log off. The memory used
by the user's registry has not been freed. Ther registry will be
unloaded when it is no longer in use.

This is often caused by services running as user account, try
configuring the services to run in either the LocalService or NetWork
service account."


I have configured ALL services to run as LocalService, but these
warning messages do not go away.

Any ideas as to what to do to correct the situatrion these warning
messages point to ?

Any help would be greatly appreciated.

Matt

Windows saved registry while an application was still using it


Responses to "Windows saved registry while an application was still using it"

Roger Abell
Guest
Posts: n/a
 
Re: Windows saved registry while an application was still using it
Posted: 12-18-2003, 07:11 AM
You will have something of a hunt for this one.
Something you can try is keeping an eye on what is
running just before you log off and try to correlate
with when this is recorded in the log.
Try using Task Manager to view the running processes
the next few times you go to log off, and especially pay
attention to non-Microsoft software that is running.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Admin" <Net*man@yahoo.com> wrote in message
news:la72uv4a30ja3asvklah43tcd15qc7ergq@4ax.com...
> On my WinXP Pro SP1 system while using the built in Administrator
> account, if I check the "Event Viewer" and look at the Application
> Log, I see warning messages stating:
>
>
> "Windows saved user Xyz\Administrator registry while an application or
> service was still using the registry during log off. The memory used
> by the user's registry has not been freed. Ther registry will be
> unloaded when it is no longer in use.
>
> This is often caused by services running as user account, try
> configuring the services to run in either the LocalService or NetWork
> service account."
>
>
> I have configured ALL services to run as LocalService, but these
> warning messages do not go away.
>
> Any ideas as to what to do to correct the situatrion these warning
> messages point to ?
>
> Any help would be greatly appreciated.
>
> Matt

Admin
Guest
Posts: n/a
 
Re: Windows saved registry while an application was still using it
Posted: 12-19-2003, 02:45 PM
Using Process Explorer I identified all non-microsoft processes
running under NTAuthority/System and killed them one by one followed
by a restart, the ONLY shutdown-restart that did not produce the
warning in question was the one triggered automatically when I killed
the process" Winlogon.exe", it was not identified as a Microsoft
process therefore, I tried killing it and it shutdown-restart my
system.

With this info, any ideas how to fix this warning?

Thanks

Matt


On Thu, 18 Dec 2003 00:11:34 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
wrote:
>You will have something of a hunt for this one.
>Something you can try is keeping an eye on what is
>running just before you log off and try to correlate
>with when this is recorded in the log.
>Try using Task Manager to view the running processes
>the next few times you go to log off, and especially pay
>attention to non-Microsoft software that is running.
Roger Abell
Guest
Posts: n/a
 
Re: Windows saved registry while an application was still using it
Posted: 12-21-2003, 03:30 PM
Winlogon is part of the OS, it handles the initial login
dialog and tells the system to start the user login processes.

So it seems you have not found a process that, when you make
sure it is not running at logoff, by being absent results in the
message not happening. I am not sure why you focused on only
processes running as system, since processes running as your
account could also be responsible for this.

You could next try to see whether there is a service that is
running that is responsible for having a handle to your user
info. These Normal behavior would be for these to release
that handle when they are signaled, and for them to call back
to the signaler saying they have done so. Here again, I would
only focus on non-Microsoft services that you see listed in
services.msc However, you have probably covered the bases
here when you used TaskManager and worked with the processes
that were running as System.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Admin" <Net*man@yahoo.com> wrote in message
news:6036uv038riioqk6006l8ve96gbugubd6u@4ax.com...
> Using Process Explorer I identified all non-microsoft processes
> running under NTAuthority/System and killed them one by one followed
> by a restart, the ONLY shutdown-restart that did not produce the
> warning in question was the one triggered automatically when I killed
> the process" Winlogon.exe", it was not identified as a Microsoft
> process therefore, I tried killing it and it shutdown-restart my
> system.
>
> With this info, any ideas how to fix this warning?
>
> Thanks
>
> Matt
>
>
> On Thu, 18 Dec 2003 00:11:34 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
> wrote:
>
> >You will have something of a hunt for this one.
> >Something you can try is keeping an eye on what is
> >running just before you log off and try to correlate
> >with when this is recorded in the log.
> >Try using Task Manager to view the running processes
> >the next few times you go to log off, and especially pay
> >attention to non-Microsoft software that is running.
>

Admin
Guest
Posts: n/a
 
Re: Windows saved registry while an application was still using it
Posted: 12-21-2003, 09:59 PM
I limited myself to the processes running under NTAuthority/System
because the warning message in question identifies the User of the
misbehaving process as NTAuthority/System and it reports the Source as
Userenv. (I do not know the significance of the entry under the
Source).

I have checked all non Microsoft processes.

Could a corruption somewhere in the system can cause a Microsoft
process not to release the handle when signaled for shutting down the
station and therefore cause the warning messages?

Thanks

Matt

__________________________________________



On Sun, 21 Dec 2003 08:30:15 -0700, "Roger Abell" <mvpNOSpam@asu.edu>
wrote:
>Winlogon is part of the OS, it handles the initial login
>dialog and tells the system to start the user login processes.
>
>So it seems you have not found a process that, when you make
>sure it is not running at logoff, by being absent results in the
>message not happening. I am not sure why you focused on only
>processes running as system, since processes running as your
>account could also be responsible for this.
>
>You could next try to see whether there is a service that is
>running that is responsible for having a handle to your user
>info. These Normal behavior would be for these to release
>that handle when they are signaled, and for them to call back
>to the signaler saying they have done so. Here again, I would
>only focus on non-Microsoft services that you see listed in
>services.msc However, you have probably covered the bases
>here when you used TaskManager and worked with the processes
>that were running as System.
 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
application files saved as shortcuts ron Windows XP New Users 7 06-13-2004 02:06 PM
Errors: Application popup: Windows - Registry Recovery... CAL Windows XP Help & Support 3 01-31-2004 02:46 AM
Is registry saved on installation? Blacksmith Windows XP Setup 2 01-13-2004 04:15 AM
where are the registry permissions saved? Sabine Windows XP Security & Administration 1 10-28-2003 02:51 PM
removing saved network address in registry? Michael Windows XP Network & Web 0 09-25-2003 08:17 PM