Stuck on Welcome Screen Corrupt Profile
We are having lots of computers randomly getting stuck on the welcome screen. When I connect to event viewer I can see these errors. Some may be related some not. Any ideas? The errors always seem present especially the corrupt profile ones
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 22/11/2010 09:56:29
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: R118-03.empire.boston.ac.uk
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730:
Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2010-11-22T09:56:29.104549100Z" />
<EventRecordID>10324</EventRecordID>
<Correlation />
<Execution ProcessID="968" ThreadID="108" />
<Channel>Application</Channel>
<Computer>R118-03.empire.boston.ac.uk</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-220523388-1547161642-725345543-53730:
Process 572 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730
Process 968 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-220523388-1547161642-725345543-53730\Software\Microsoft\Internet Explorer\LinksBar
</Data>
</EventData>
</Event>
Log Name: Application
Source: Windows Error Reporting
Date: 22/11/2010 09:31:42
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
Fault bucket , type 0
Event Name: PnPDriverImportError
Response: Not available
Cab Id: 0
Problem signature:
P1: x64
P2: E0000247
P3: oemsetup.inf
P4: 0f72ccc8635a051e4082e63be95abc533c508719
P5:
P6:
P7:
P8:
P9:
P10:
Attached files:
C:\Windows\Temp\DMIA563.tmp.log.xml
C:\Windows\System32\spool\{CEE5687B-EDE0-4B2C-84A2-1F82FF93D0E7}\oemsetup.inf
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_cab_049aab30
Analysis symbol:
Rechecking for solution: 0
Report Id: 4f208639-f61b-11df-86bb-001cc05b6dcb
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-22T09:31:42.000000000Z" />
<EventRecordID>10298</EventRecordID>
<Channel>Application</Channel>
<Computer>R118-03.empire.boston.ac.uk</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>0</Data>
<Data>PnPDriverImportError</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>x64</Data>
<Data>E0000247</Data>
<Data>oemsetup.inf</Data>
<Data>0f72ccc8635a051e4082e63be95abc533c508719</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
C:\Windows\Temp\DMIA563.tmp.log.xml
C:\Windows\System32\spool\{CEE5687B-EDE0-4B2C-84A2-1F82FF93D0E7}\oemsetup.inf</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_cab_049aab30</Data>
<Data>
</Data>
<Data>0</Data>
<Data>4f208639-f61b-11df-86bb-001cc05b6dcb</Data>
<Data>4</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Winlogon
Date: 22/11/2010 09:28:32
Event ID: 6006
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
The winlogon notification subscriber <GPClient> took 595 second(s) to handle the notification event (Logon).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Winlogon" Guid="{DBE9B383-7CF3-4331-91CC-A3CB16A3B538}" EventSourceName="Wlclntfy" />
<EventID Qualifiers="32768">6006</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-22T09:28:32.000000000Z" />
<EventRecordID>10294</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>R118-03.empire.boston.ac.uk</Computer>
<Security />
</System>
<EventData>
<Data>GPClient</Data>
<Data>595</Data>
<Data>Logon</Data>
<Binary>02000000</Binary>
</EventData>
</Event>
Log Name: Application
Source: Windows Error Reporting
Date: 22/11/2010 09:18:03
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
Fault bucket , type 0
Event Name: ServiceHang
Response: Not available
Cab Id: 0
Problem signature:
P1: sftlist
P2: sftlist.exe"
P3: 0.0.0.0
P4: 10
P5: 2
P6:
P7:
P8:
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_sftlist_66c8b82913e74362faebe69814168a739671eaa_0a7e2531
Analysis symbol:
Rechecking for solution: 0
Report Id: 658b951f-f619-11df-86bb-001cc05b6dcb
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-22T09:18:03.000000000Z" />
<EventRecordID>10263</EventRecordID>
<Channel>Application</Channel>
<Computer>R118-03.empire.boston.ac.uk</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>0</Data>
<Data>ServiceHang</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>sftlist</Data>
<Data>sftlist.exe"</Data>
<Data>0.0.0.0</Data>
<Data>10</Data>
<Data>2</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppHang_sftlist_66c8b82913e74362faebe69814168a739671eaa_0a7e2531</Data>
<Data>
</Data>
<Data>0</Data>
<Data>658b951f-f619-11df-86bb-001cc05b6dcb</Data>
<Data>4</Data>
</EventData>
</Event>
Log Name: Application
Source: Windows Error Reporting
Date: 19/11/2010 13:35:41
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: R118-03.empire.boston.ac.uk
Description:
Fault bucket , type 0
Event Name: PnPDriverImportError
Response: Not available
Cab Id: 0
Problem signature:
P1: x64
P2: E0000247
P3: oemsetup.inf
P4: 0f72ccc8635a051e4082e63be95abc533c508719
P5:
P6:
P7:
P8:
P9:
P10:
Attached files:
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_0178f275
Analysis symbol:
Rechecking for solution: 0
Report Id: d6cbb648-f3e1-11df-969a-001cc05b6dcb
Report Status: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-19T13:35:41.000000000Z" />
<EventRecordID>10217</EventRecordID>
<Channel>Application</Channel>
<Computer>R118-03.empire.boston.ac.uk</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>0</Data>
<Data>PnPDriverImportError</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>x64</Data>
<Data>E0000247</Data>
<Data>oemsetup.inf</Data>
<Data>0f72ccc8635a051e4082e63be95abc533c508719</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_12224c22f2f83131fa2d3fe91a573a9f2dcb24a7_0178f275</Data>
<Data>
</Data>
<Data>0</Data>
<Data>d6cbb648-f3e1-11df-969a-001cc05b6dcb</Data>
<Data>0</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-Kernel-General
Date: 22/11/2010 09:58:03
Event ID: 5
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: R118-03.empire.boston.ac.uk
Description:
{Registry Hive Recovered} Registry hive (file): '\??\c:\users\120624\ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-General" Guid="{A68CA8B7-004F-D7B6-A698-07E2DE0F1F5D}" />
<EventID>5</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2010-11-22T09:58:03.523990400Z" />
<EventRecordID>23615</EventRecordID>
<Correlation />
<Execution ProcessID="2400" ThreadID="1620" />
<Channel>System</Channel>
<Computer>R118-03.empire.boston.ac.uk</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0x8000002a</Data>
<Data Name="ExtraStringLength">30</Data>
<Data Name="ExtraString">\??\c:\users\120624\ntuser.dat</Data>
</EventData>
</Event>
November 22nd, 2010 5:35am
I think I have found the root cause. We have some how carried over the User Profile Hive Cleanup Service over to Windows 7 from one of our group policies
http://support.microsoft.com/kb/947238
I'll report back when I'm sure this fixes it
Robbie
Free Windows Admin Tool Kit Click here and download it now
November 22nd, 2010 12:59pm
I was mistaken this wasn't on any of the PC's with the issue
Any other ideas?
Robbie
November 23rd, 2010 4:42am
Hi,
After checking this issue, I notice that the event id 5 is error level.
I would like to confirm if all computers are in a domain environment. If so, are you currently using roaming profile?
According to the description of the error, I suspect the user profiles got corrupted, please refer to the following article:
Fix a corrupted user profile
Hope it helps.
Alex ZhaoPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
November 26th, 2010 2:00am
We are on roaming profiles now BUT it was happening prior to roaming profiles
Robbie
November 26th, 2010 6:12am
Hi,
Does this issue still exist when you use roaming profile?
Alex ZhaoPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
November 28th, 2010 9:02pm
It's happening on machines even after roaming profiles are turned on
I can't say for certain if it's the roaming profile corrupting too but I could find out if it would help? Most of those errors above I've discounted as regular warnings etc. Apart from the last kernel-error one
I've also turned on logging in verbose logins to see if I can pull any logs from one stuck on welcome
Robbie
November 29th, 2010 2:42am