mikew_nt

SAS BUG: Userenv warning in Event Viewer on Shutdown

I got back from a weekend trip Sunday night, booted the computer, and got my notification window that a new program version was available. I had trouble installing it; it seemed to hang with a blank progress screen, but I quit out, tried it again, and it installed with no problems the second time.

SAS is listed as program version 4.28.1010, and my definitions right now are 4094.2034.

The computer has been working fine in almost all respects since then, but I have noticed a warning I've never seen before in my Event Viewer under Application on shutdown.

This has appeared in the logs just about every time I've shut down since updating SAS to the latest program version on Sunday night.

I've installed no new software, and no other updates have occurred except for the usual AVG and SAS definition updates.

I am running Windows XP SP3.

My logs have been squeaky clean until I updated the SAS program version Sunday night.

Is this a minor bug in the latest SAS program version?

Event Type: Warning

Event Source: Userenv

Event Category: None

Event ID: 1517

Date: 9/10/2009

Time: 10:05:36 PM

User: NT AUTHORITY\SYSTEM

Computer: FAMILY

Description:

Windows saved user FAMILY\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


This is definitely related to SAS and the bug probably crept in with the latest version.

Could SAS please correct this problem soon?

---

Here is what I did:

I installed UPHClean and set it to report-only.

This morning I shut down after SAS had run overnight, and I found the Userenv error once again on startup.

I also found the below UPHClean report.

I did the following steps to confirm that this is a SAS problem:

1. From a clean reboot, before running anything (SAS or otherwise), reboot immediately

2. Confirm no Userenv log from shutdown in Event Viewer

3. Use Process Explorer, confirm no use of those handles

4. Run ONLY SAS, no other programs

5. Use Process Explorer, note the use of those handles under System while SAS is running

6. Shutdown/Reboot

7. Note reappearance of Userenv log, and UPHClean report as below

Event Type: Information

Event Source: UPHClean

Event Category: None

Event ID: 1501

Date: 9/12/2009

Time: 9:37:16 AM

User: FAMILY\Owner

Computer: FAMILY

Description:

The following handles opened in user profile hive FAMILY\Owner (S-1-5-21-3834976116-697536310-2214246676-1003) are preventing the profile from unloading:

System (4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains (0xd30)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (0x1f00)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I'm getting the same warning in Event Viewer, mikew_nt, but I think it goes back before .1010. By any chance are you running any Comodo products?


I'm not using any Comodo products.

I checked back in my logs, and I did not find any appearance before the .1010 update I installed on returning Sunday.

I am pretty darn certain this is directly attributed to SAS based on the troubleshooting I did. I can reboot without problems until I run SAS, then I get the userenv problem.


When I get the error I know that I had updated and scanned shortly before shutdown, so last time I updated and scanned but made sure I waited for a while (one and a half hours) before shutting down, and I still got the error. I hope this info helps you, SAS team.

Bo


I think maybe I was not too clear in my previous post, so I'll try again. Normally, in the past, when I do complete scans with SAS it's usually before closing the computer down, so last time I let the PC idle on purpose for one and a half hours after the scan, just to see if it made a difference, but it did not. I still got the error. Normally I use SAS for scans on particular folders, and that does not produce that error. I think I got that error about 4 times, so it's not always when I use SAS; I think it happens when I update and run a complete scan, and now I know it does not matter how soon I close the computer after the scan.

Bo


This manifests the same way in 4.29.1002. I have SAS configured to load at boot, and run a quick scan every night at 12 midnight.

Please correct this, this is a real problem, and is being caused by SAS.

Here is how I can tie this to SAS:

1. Shutdown after many days of running, including SAS every night

2. After powering back up, note Userenv log occurred on shutdown

3. Do nothing

4. Shutdown

5. After powering back up, note NO Userenv log occurred on shutdown

6. Open Process Explorer, note no System use of "domain" handles

7. Start Quick Scan on SAS

8. Open Process Explorer, note multiple System use of "domain" handles

9. Let Quick Scan finish, close

10. Open Process Explorer, note multiple System use of "domain" handles still appear

11. Shutdown

12. After powering back up, note Userenv log occurred on shutdown

Here is the userenv log and the dump from uphclean:

Event Type: Warning

Event Source: Userenv

Event Category: None

Event ID: 1517

Date: 9/23/2009

Time: 2:51:21 PM

User: NT AUTHORITY\SYSTEM

Computer: FAMILY

Description:

Windows saved user FAMILY\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information

Event Source: UPHClean

Event Category: None

Event ID: 1501

Date: 9/23/2009

Time: 2:50:56 PM

User: FAMILY\Owner

Computer: FAMILY

Description:

The following handles opened in user profile hive FAMILY\Owner (S-1-5-21-3834976116-697536310-2214246676-1003) are preventing the profile from unloading:

System (4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains (0x2010)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains (0x2054)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

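The troubleshooting sequence in the two reports above (the seven numbered steps in the first one, and the longer before/after sequence in the 4.29.1002 report) can be scripted so that the before-SAS and after-SAS checks are identical. The following is an added example, not code from the thread or from SUPERAntiSpyware. It assumes PowerShell 2.0 or later on the XP machine, an administrator session (needed to enumerate handles of the System process), and Sysinternals handle.exe on the PATH; none of these is mentioned in the thread, and handle.exe stands in for the manual Process Explorer inspection.

```powershell
# Added example (not from the thread). Correlates the Userenv 1517 warning with
# UPHClean's 1501 report and does a live check of PID 4 (System) for registry
# handles into the ZoneMap keys named in the report.
# Assumptions: PowerShell 2.0+, elevated session, Sysinternals handle.exe on PATH.
param(
    [int]$Days = 7   # how far back to search the Application log
)

$since = (Get-Date).AddDays(-$Days)

# Step A: Userenv 1517 warnings (profile hive saved but not unloaded at log off).
$userenv = @(Get-EventLog -LogName Application -Source Userenv -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1517 })

# Step B: UPHClean 1501 reports, which name the holder process and the open keys.
# Only present if UPHClean is installed in report-only mode, as the poster did.
$uph = @(Get-EventLog -LogName Application -Source UPHClean -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 1501 })

"Userenv 1517 warnings since ${since}: $($userenv.Count)"
foreach ($e in $userenv) {
    # First line of the description names the hive that was not unloaded.
    "  {0}  {1}" -f $e.TimeGenerated, (($e.Message -split "`n")[0]).Trim()
}

"UPHClean 1501 reports since ${since}: $($uph.Count)"
foreach ($e in $uph) {
    "  {0}" -f $e.TimeGenerated
    foreach ($line in ($e.Message -split "`n")) {
        $t = $line.Trim()
        # Keep the holder line, e.g. "System (4)", and the HKCU key lines.
        if ($t -match '^\S.*\(\d+\)$' -or $t -match '^HKCU\\') { "    $t" }
    }
}

# Step C: live check, the scripted equivalent of the Process Explorer step.
# "-a" lists all handle types (registry keys, not just files); "-p 4" restricts
# the listing to the System process; "ZoneMap" is a name-fragment filter.
# Run this once right after a clean reboot (expect none), then again after a
# SAS scan, and compare.
"Registry handles in PID 4 whose name contains 'ZoneMap':"
$handles = @(& handle.exe -accepteula -a -p 4 ZoneMap 2>$null | Where-Object { $_ -match 'ZoneMap' })
if ($handles.Count -eq 0) {
    "  (none)"
} else {
    $handles | ForEach-Object { "  $_" }
}
```

Running the script twice, once straight after a clean reboot and once after a scan, reproduces the observation in the posts: the ZoneMap handles show up under PID 4 only after the scan and persist after it finishes, and the next shutdown then logs a Userenv 1517 with a matching UPHClean 1501 naming the same keys. The Step C listing also works without UPHClean installed, which is useful on a machine where the 1501 reports are absent.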

The log information that you've listed is completely safe and is not an indication of any real problem. This issue has been addressed and the change will be available in the next release.

SUPERAntiSpyware Support Team
