XP Profile problems - User Profiles locked - temp profiles being created
Hi,I'm not sure this is the correct forum to post this on but if not, please point me in the right direction.We have XP SP3 clients in an AD 2003 domain - not using roaming profiles.The problem we have is that for around 20 0f our users out of 200+, when they log in in the morning (only for the first time in the morning) they get a warning that their profiles couldn't be read and that a temporary profile was being created. Then, if they reboot and log back in - usually once but occaisionally more than once - they are able to log in without problem and their profiles are ok. Once in a while, the profile becomes corrupted and has to be rebuilt.In the case of just rebooting, the following UserEnv events are created in the applications log in the following order:1508150215151511While some people have to reboot every day or nearly every day, others tend to come and go. One day we'll have 6 reboots, another day 16 (based on scanning event logs rather than anectdotal evidence).We have tried rebuilding the profiles, and this gives good success most of the time, but occasionally the problem comes back.We have tried installing UPHcleaner - also with mixed resultsand, the user can log out and back in any time during the day with no problem whatever. The issue only manifests overnight. I was able to capture a failed logon attempt for one of the most persistent problem users this morning using Process MonitorHere is 1 suspicious section with 2 bolded lines. The first shows WinLogon trying to open a Key and giving name not found. The second shows Winlogon trying to open the same Key but this time getting a sharing violation. 6:29:01.7338861 AM winlogon.exe 752 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS Desired Access: Read 6:29:01.7339096 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS 6:29:01.7339172 AM winlogon.exe 752 RegOpenKey HKU\S-1-5-21-3315429602-1469848612-1346556707-1261 NAME NOT FOUND Desired Access: All Access 6:29:01.7339484 AM winlogon.exe 752 RegOpenKey HKLM\Software\Policies\Microsoft\Windows\System SUCCESS Desired Access: Read 6:29:01.7339672 AM winlogon.exe 752 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\System\LocalProfile NAME NOT FOUND Length: 144 6:29:01.7339847 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\System SUCCESS 6:29:01.7339972 AM winlogon.exe 752 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS Desired Access: Read 6:29:01.7340182 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS 6:29:01.7340260 AM winlogon.exe 752 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS Desired Access: Read 6:29:01.7340439 AM winlogon.exe 752 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261\UserPreference NAME NOT FOUND Length: 144 6:29:01.7340664 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS 6:29:01.7340740 AM winlogon.exe 752 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261.bak NAME NOT FOUND Desired Access: Read 6:29:01.7341636 AM winlogon.exe 752 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS Desired Access: All Access 6:29:01.7341835 AM winlogon.exe 752 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261\State SUCCESS Type: REG_DWORD, Length: 4, Data: 256 6:29:01.7342043 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS 6:29:01.7342174 AM winlogon.exe 752 RegCreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS Desired Access: Read/Write 6:29:01.7342378 AM winlogon.exe 752 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261\ProfileImagePath SUCCESS Type: REG_EXPAND_SZ, Length: 88, Data: %SystemDrive%\Documents and Settings\T00954 6:29:01.7342600 AM winlogon.exe 752 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261\State SUCCESS Type: REG_DWORD, Length: 4, Data: 256 6:29:01.7343314 AM winlogon.exe 752 CreateFile C:\Documents and Settings SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened 6:29:01.7343617 AM winlogon.exe 752 QueryDirectory C:\Documents and Settings\T00954 SUCCESS Filter: T00954, 1: T00954 6:29:01.7343924 AM winlogon.exe 752 CloseFile C:\Documents and Settings SUCCESS 6:29:01.7345920 AM winlogon.exe 752 QueryOpen C:\Documents and Settings\T00954\ntuser.man NAME NOT FOUND 6:29:01.7347343 AM winlogon.exe 752 QueryOpen C:\Documents and Settings\T00954\NTUSER.DAT SUCCESS CreationTime: 12/31/2009 10:23:01 AM, LastAccessTime: 2/4/2010 5:47:48 PM, LastWriteTime: 2/4/2010 2:47:11 PM, ChangeTime: 2/4/2010 12:33:28 PM, AllocationSize: 1,835,008, EndOfFile: 1,835,008, FileAttributes: HA 6:29:01.7347698 AM winlogon.exe 752 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261\ProfileUnloadTimeLow NAME NOT FOUND Length: 144 6:29:01.7347923 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS 6:29:01.7348308 AM winlogon.exe 752 RegLoadKey HKU\S-1-5-21-3315429602-1469848612-1346556707-1261 SHARING VIOLATION Hive Path: C:\Documents and Settings\T00954\ntuser.dat 6:29:01.7349666 AM winlogon.exe 752 CreateFile C:\Documents and Settings\T00954\NTUSER.DAT SHARING VIOLATION Desired Access: Read Data/List Directory, Write Data/Add File, Disposition: OpenIf, Options: Random Access, Open For Backup, No Compression, Attributes: N, ShareMode: None, AllocationSize: 0 6:29:01.7349979 AM winlogon.exe 752 RegCloseKey HKU SUCCESS 6:29:01.7350302 AM winlogon.exe 752 ReadFile C:\WINDOWS\system32\userenv.dll SUCCESS Offset: 115,712, Length: 12,288, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O I'm not at all familiar with this level of information, but here is another section that looks off to me. WinLogon is shown trying to delete several group policy keys, and cant. The first grouping is one of the 'Cannot Delete' s in context, the second group just shows the delete attempts:****** 6:29:27.1191748 AM winlogon.exe 752 RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-3315429602-1469848612-1346556707-1261 CANNOT DELETE 6:29:27.1208920 AM winlogon.exe 752 RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3315429602-1469848612-1346556707-1261 CANNOT DELETE 6:29:27.1210650 AM winlogon.exe 752 RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3315429602-1469848612-1346556707-1261\Extension-List CANNOT DELETE 6:29:27.1223162 AM winlogon.exe 752 RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3315429602-1469848612-1346556707-1261\GPLink-List CANNOT DELETE 6:29:27.1232525 AM winlogon.exe 752 RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3315429602-1469848612-1346556707-1261\GPO-List CANNOT DELETE ******* ******6:29:27.1191349 AM uphclean.exe 2020 RegEnumKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Index: 1, Name: S-1-5-196:29:27.1191432 AM uphclean.exe 2020 RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19 SUCCESS Desired Access: Read6:29:27.1191748 AM winlogon.exe 752 RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-3315429602-1469848612-1346556707-1261 CANNOT DELETE 6:29:27.1191790 AM uphclean.exe 2020 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\RefCount SUCCESS Type: REG_DWORD, Length: 4, Data: 26:29:27.1191838 AM winlogon.exe 752 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\S-1-5-21-3315429602-1469848612-1346556707-1261 SUCCESS ********Does anyone have any idea of what is going on here or how to fix it?thxw2 people need an answerI do too
February 5th, 2010 9:21pm

Hi Wolf, We are having the same problem here. Same symptoms, same events reported. In other TS we have running, with almost exactly the same configuration, this problem was never present. The only difference relies in the GPO and some access control. In the one with this issue, under folder/file properties we implemented through security settings some restrictions to prevent accidental deletion. Our hypothesis is: could this sort of control conflict with SYSTEM access to certain areas causing the profiles not to load correctly? For example, we prevent users to delete shortcuts to applications granting full control to AllUsers\Desktop only to Administrators, disabling the inherited permissios and denying "delete" to any other users/groups. Any tips or suggestions are welcome. Peter
Free Windows Admin Tool Kit Click here and download it now
February 26th, 2010 9:04pm

Peter\Wolf,We have been experiencing this issue as well. 200 machines out of 10,000 in my environment has have this temp profile being created at log-on, sometimes a restart does temporarily fix the issue, however the error still re-occurs. This started happening around February as well.
June 2nd, 2010 8:27pm

Having very similar issues in our environment.Is there a way to disable the creation of the Temporary Profiles, and just let the logon attempt fail so users can either try again or call the support desk?Thanks!
Free Windows Admin Tool Kit Click here and download it now
June 16th, 2010 9:14pm

Anyone still reading/responding to this thread?
July 30th, 2010 8:38pm

Anyone have any breakthroughs on this issue? I'm having the same issues within my organization...
Free Windows Admin Tool Kit Click here and download it now
August 18th, 2010 12:32am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics