Stuck on Welcome Screen Corrupt Profile
We are having lots of computers randomly getting stuck on the welcome screen. When I connect to event viewer I can see these errors. Some may be related, some not. Any ideas? The errors always seem present, especially the corrupt profile ones.

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 22/11/2010 09:56:29
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: R118-03.empire.boston.ac.uk
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730:
Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System> <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" /> <EventID>1530</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2010-11-22T09:56:29.104549100Z" /> <EventRecordID>10324</EventRecordID> <Correlation /> <Execution ProcessID="968" ThreadID="108" /> <Channel>Application</Channel> <Computer>R118-03.empire.boston.ac.uk</Computer> <Security UserID="S-1-5-18" /> </System>
  <EventData Name="EVENT_HIVE_LEAK"> <Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730: Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730 Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar </Data> </EventData>
</Event>

Log Name: Application
Source: Windows Error Reporting
Date: 22/11/2010 09:31:42
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
Fault bucket , type 0
Event Name: PnPDriverImportError
Response: Not available
Cab Id: 0
Problem signature:
P1: x64
P2: E0000247
P3: oemsetup.inf
P4: 0f72ccc8635a051e4082e63be95abc533c508719
P5:
P6:
P7:
P8:
P9:
P10:
Attached files:
C:\Windows\Temp\DMIA563.tmp.log.xml
C:\Windows\System32\spool\{CEE5687B-EDE0-4B2C-84A2-1F82FF93D0E7}\oemsetup.inf
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_cab_049aab30
Analysis symbol:
Rechecking for solution: 0
Report Id: 4f208639-f61b-11df-86bb-001cc05b6dcb
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System> <Provider Name="Windows Error Reporting" /> <EventID Qualifiers="0">1001</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-11-22T09:31:42.000000000Z" /> <EventRecordID>10298</EventRecordID> <Channel>Application</Channel> <Computer>R118-03.empire.boston.ac.uk</Computer> <Security /> </System>
  <EventData> <Data> </Data> <Data>0</Data> <Data>PnPDriverImportError</Data> <Data>Not available</Data> <Data>0</Data> <Data>x64</Data> <Data>E0000247</Data> <Data>oemsetup.inf</Data> <Data>0f72ccc8635a051e4082e63be95abc533c508719</Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> C:\Windows\Temp\DMIA563.tmp.log.xml C:\Windows\System32\spool\{CEE5687B-EDE0-4B2C-84A2-1F82FF93D0E7}\oemsetup.inf</Data> <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_cab_049aab30</Data> <Data> </Data> <Data>0</Data> <Data>4f208639-f61b-11df-86bb-001cc05b6dcb</Data> <Data>4</Data> </EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 22/11/2010 09:28:32
Event ID: 6006
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
The winlogon notification subscriber <GPClient> took 595 second(s) to handle the notification event (Logon).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System> <Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" /> <EventID Qualifiers="32768">6006</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-11-22T09:28:32.000000000Z" /> <EventRecordID>10294</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>Application</Channel> <Computer>R118-03.empire.boston.ac.uk</Computer> <Security /> </System>
  <EventData> <Data>GPClient</Data> <Data>595</Data> <Data>Logon</Data> <Binary>02000000</Binary> </EventData>
</Event>

Log Name: Application
Source: Windows Error Reporting
Date: 22/11/2010 09:18:03
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0
Problem signature:
P1: sftlist
P2: sftlist.exe"
P3: 0.0.0.0
P4: 10
P5: 2
P6:
P7:
P8:
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_sftlist_66c8b82913e74362faebe69814168a739671eaa_0a7e2531
Analysis symbol:
Rechecking for solution: 0
Report Id: 658b951f-f619-11df-86bb-001cc05b6dcb
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System> <Provider Name="Windows Error Reporting" /> <EventID Qualifiers="0">1001</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-11-22T09:18:03.000000000Z" /> <EventRecordID>10263</EventRecordID> <Channel>Application</Channel> <Computer>R118-03.empire.boston.ac.uk</Computer> <Security /> </System>
  <EventData> <Data> </Data> <Data>0</Data> <Data>ServiceHang</Data> <Data>Not available</Data> <Data>0</Data> <Data>sftlist</Data> <Data>sftlist.exe"</Data> <Data>0.0.0.0</Data> <Data>10</Data> <Data>2</Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_sftlist_66c8b82913e74362faebe69814168a739671eaa_0a7e2531</Data> <Data> </Data> <Data>0</Data> <Data>658b951f-f619-11df-86bb-001cc05b6dcb</Data> <Data>4</Data> </EventData>
</Event>

Log Name: Application
Source: Windows Error Reporting
Date: 19/11/2010 13:35:41
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
Fault bucket , type 0
Event Name: PnPDriverImportError
Response: Not available
Cab Id: 0
Problem signature:
P1: x64
P2: E0000247
P3: oemsetup.inf
P4: 0f72ccc8635a051e4082e63be95abc533c508719
P5:
P6:
P7:
P8:
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_0178f275
Analysis symbol:
Rechecking for solution: 0
Report Id: d6cbb648-f3e1-11df-969a-001cc05b6dcb
Report Status: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System> <Provider Name="Windows Error Reporting" /> <EventID Qualifiers="0">1001</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2010-11-19T13:35:41.000000000Z" /> <EventRecordID>10217</EventRecordID> <Channel>Application</Channel> <Computer>R118-03.empire.boston.ac.uk</Computer> <Security /> </System>
  <EventData> <Data> </Data> <Data>0</Data> <Data>PnPDriverImportError</Data> <Data>Not available</Data> <Data>0</Data> <Data>x64</Data> <Data>E0000247</Data> <Data>oemsetup.inf</Data> <Data>0f72ccc8635a051e4082e63be95abc533c508719</Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data> </Data> <Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_0178f275</Data> <Data> </Data> <Data>0</Data> <Data>d6cbb648-f3e1-11df-969a-001cc05b6dcb</Data> <Data>0</Data> </EventData>
</Event>

Log Name: System
Source: Microsoft-Windows-Kernel-General
Date: 22/11/2010 09:58:03
Event ID: 5
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: R118-03.empire.boston.ac.uk
Description:
{Registry Hive Recovered} Registry hive (file): '\??\c:\users\120624\ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System> <Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" /> <EventID>5</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2010-11-22T09:58:03.523990400Z" /> <EventRecordID>23615</EventRecordID> <Correlation /> <Execution ProcessID="2400" ThreadID="1620" /> <Channel>System</Channel> <Computer>R118-03.empire.boston.ac.uk</Computer> <Security UserID="S-1-5-18" /> </System>
  <EventData> <Data Name="FinalStatus">0x8000002a</Data> <Data Name="ExtraStringLength">30</Data> <Data Name="ExtraString">\??\c:\users\120624\ntuser.dat</Data> </EventData>
</Event>
November 22nd, 2010 5:35am

I think I have found the root cause. We have somehow carried over the User Profile Hive Cleanup Service to Windows 7 from one of our group policies: http://support.microsoft.com/kb/947238 I'll report back when I'm sure this fixes it. Robbie
November 22nd, 2010 12:59pm

I was mistaken; this wasn't on any of the PCs with the issue. Any other ideas? Robbie
November 23rd, 2010 4:42am

Hi, After checking this issue, I notice that event ID 5 is error level. I would like to confirm whether all computers are in a domain environment. If so, are you currently using roaming profiles? According to the description of the error, I suspect the user profiles got corrupted; please refer to the following article: Fix a corrupted user profile. Hope it helps. Alex Zhao
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 26th, 2010 2:00am

We are on roaming profiles now, BUT it was happening prior to roaming profiles. Robbie
November 26th, 2010 6:12am

Hi, Does this issue still exist when you use roaming profile? Alex Zhao
November 28th, 2010 9:02pm

It's happening on machines even after roaming profiles are turned on. I can't say for certain if it's the roaming profile corrupting too, but I could find out if it would help? Most of those errors above I've discounted as regular warnings etc., apart from the last kernel-error one. I've also turned on logging in verbose logins to see if I can pull any logs from one stuck on welcome. Robbie
November 29th, 2010 2:42am
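
The triage discussed in the thread (setting aside the routine Windows Error Reporting records and keeping the profile-related events: User Profiles Service 1530, Winlogon 6006 and Kernel-General 5) can be run over exported Event Xml. The following Python is an added example, not code from the thread; the `triage` function, the finding field names and the `<Events>` wrapper element are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Three Event Xml records from the first post, abridged to the fields used
# here and wrapped in a constructed <Events> root so they parse as one document.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-User Profiles Service" /><EventID>1530</EventID><TimeCreated SystemTime="2010-11-22T09:56:29.104549100Z" /></System><EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730: Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730 Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Winlogon" /><EventID Qualifiers="32768">6006</EventID><TimeCreated SystemTime="2010-11-22T09:28:32.000000000Z" /></System><EventData><Data>GPClient</Data><Data>595</Data><Data>Logon</Data><Binary>02000000</Binary></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Kernel-General" /><EventID>5</EventID><TimeCreated SystemTime="2010-11-22T09:58:03.523990400Z" /></System><EventData><Data Name="FinalStatus">0x8000002a</Data><Data Name="ExtraStringLength">30</Data><Data Name="ExtraString">\??\c:\users\120624\ntuser.dat</Data></EventData></Event>
</Events>"""


def triage(xml_text):
    """Return profile-related findings from Event Xml records, oldest first."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        key = (ev.find("e:System/e:Provider", NS).get("Name"),
               int(ev.findtext("e:System/e:EventID", namespaces=NS)))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]
        if key == ("Microsoft-Windows-User Profiles Service", 1530):
            # Hive leak: which SID's hive, and which processes still hold keys.
            holders = re.findall(r"Process (\d+) \(([^)]+)\)", data[0])
            finding = {"kind": "hive_leak",
                       "sid": re.search(r"S-1-5-21(?:-\d+)+", data[0]).group(0),
                       "holders": [(int(pid), path.rsplit("\\", 1)[-1])
                                   for pid, path in holders]}
        elif key == ("Microsoft-Windows-Kernel-General", 5):
            # Hive recovered after corruption: data[2] is ExtraString (hive path).
            finding = {"kind": "hive_recovered", "status": data[0], "hive": data[2]}
        elif key == ("Microsoft-Windows-Winlogon", 6006):
            # Slow winlogon subscriber: name, seconds taken, notification event.
            finding = {"kind": "slow_subscriber", "subscriber": data[0],
                       "seconds": int(data[1]), "phase": data[2]}
        else:
            continue  # e.g. the Windows Error Reporting 1001 records
        finding["time"] = when
        findings.append(finding)
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

On the sample this orders the 595-second GPClient logon first, then the hive leak, then the recovered `ntuser.dat`, which is the sequence to compare across the affected machines.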

This topic is archived. No further replies will be accepted.
