
Rtvscan.exe scanning all c:\users\XXX\ntuser.dat endlessly

Created: 30 Aug 2011 | 5 comments

So we are using SEP 11.0.6300.803 and on our machines we have 100s of profiles. Rtvscan.exe is scanning all ntuser.dat profiles all the time. It completely kills disk performance and disk queue hangs around 5 all the time. We have watched this happen for hours on end.

Thoughts on what is going on here?


ᗺrian's picture

All those profiles will be scanned. You may want to set an exclusion on this.


Mithun Sanghavi's picture


Could you try and see if an exclusion of the NTUSER.DAT file from scanning helps to temporarily work around the issue?

Add the exclusion as follows: %userprofile%\ntuser.dat

Hope that resolves the issue.

Mithun Sanghavi
Associate Security Architect



JustusIV's picture

While I haven't done this yet, it has crossed my mind. However, I am reluctant to take this as a solution. I am more interested in the root of this problem and not a quick workaround, since this isn't happening on all our machines but a select number from a certain group of computers. I am in the middle of a reinstall to see if the issue comes back.

JustusIV's picture

I added the "DAT" to the extension exclusion list and yes that does fix the issue. Still looking for thoughts on why this is happening. It appears to be this way on about 10 machines out of 500. 

PolishPaul's picture

JustusIV - did you find anything about this issue?

I'm working with 2 Terminal Services (Win 2008) servers and one of them is scanning the ntuser.dat continuously.

I've been dealing with performance issues on these servers that I can't pin down and recently I've made some adjustments as suggested in this article:

specifically disabling the SMCGUI and adding exceptions. I'm not sure if this had anything to do with the rtvscans but I ended up adding an exception to the ntuser.dat as suggested here. I've only made the changes on one of the servers to compare. I'd be curious to find out why Symantec is scanning these files so much.

In addition, we had sporadic user logon lockups on the TS servers (user logs on and profile never loads, just spins) and reading other forums about this issue suggests that this may be the case (still need to investigate on my end, but the pieces are starting to fall into place).