Endpoint Protection


SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

  • 1.  SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 01:46 PM

    I'm running Windows 7 64bit with SEP RU5. I've noticed that when I shut down my machine, it appears to shut down but does not go down completely. The screen will go black but the machine hangs and I have to do a hard power off to completely shut it off.

    This doesn't happen all the time, but about 90% of the time. When it does happen I notice the following Application Event Log entry (I've stripped the SID and Computer Name from the event).

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          10/16/2009 5:27:04 PM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:     
    User:          SYSTEM
    Computer:      XXXXXXXX
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     1 user registry handles leaked from \Registry\User\S-1-5-21-1(SID REMOVED):
    Process 2424 (\Device\HarddiskVolume4\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1(SID REMOVED)\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

    Question: Is this a problem? Is SEP hanging because of this, and causing my power down to not complete properly?



  • 2.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 01:53 PM
    If I'm reading that log right, Windows is saying it is killing the program (Rtvscan.exe) that's preventing the shutdown.  See if there are other log entries after this one that might give you more insight.  Also, does Windows log if this termination was successful?  Does Windows claim it was not shut down properly when you turn it back on?


  • 3.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 01:58 PM
    No other entries.
    Not marked as an unexpected shutdown.

    It's actually not saying it's killing the program, it's unloading the registry file, basically closing the leaked handle.



  • 4.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 02:02 PM
    Had you been running 7 for very long before you installed RU5?  Just trying to get more info.  We have a handful of 7 workstations here running both 32 and 64 bit versions, so far, we've had no issues.


  • 5.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 02:11 PM
    Yes, we have an EA with Microsoft so I've had Windows 7 since it went GTM. I have most of my team running it as well for testing.

    We're seeing this 90% of the time on the machines it is running on. I'm not saying it is necessarily related, but a leaked handle always scares me as it indicates a running process isn't seeing or handling the shutdown semaphore sent from the OS properly.

    I also suspected power management drivers from Lenovo, which just went gold today so they have been updated. Unfortunately it still appears to be happening.

    This may turn out to be driver or OS related, but I still don't like to see leaked handles. It is very consistent as well. When the machine shuts down fine (10% of the time) there's no leaked handle. When it does not completely power off (90%) of the time, I see the leaked handle entry when checking the log post-mortem.


  • 6.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 02:15 PM
    I would lean towards driver issues myself as well.  I'm having trouble coming up with ways to diagnose the problem, as it's occurring when the OS is trying to kill off all running processes--makes it difficult to watch what is going on.  Have you considered bumping up the Windows logging level?


  • 7.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 02:20 PM
    I'd like to believe drivers but again it's sort of hard to ignore a logged registry handle leak consistently from the same application, RTVSCAN.EXE. You just don't ignore that as a red herring without further evidence. It's not expected or desired behavior.

    There's no way to increase the logging level here to my knowledge. I could throw a debugger on there but the shutdown is problematic for that. I'll probably end up opening a case with Symantec, I just wanted to see if anyone else had the problem.


  • 8.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 03:41 PM

    I found out the cause of the machine not powering off. It's related to BitLocker being enabled. There is a hotfix available from Microsoft. Here is the link to the discussion, which includes a link to the hotfix.

    http://social.answers.microsoft.com/Forums/en-US/GettingReadyforWindows7/thread/66b6e093-9de7-4e76-84cf-322bd1e35f22

    Note that the registry handle leak caused by RTVSCAN.EXE still remains.
     



  • 9.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Oct 22, 2009 04:08 PM
    Glad you found the answer.


  • 10.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Nov 02, 2009 03:40 PM
    I noticed the same behaviour today on a Vista 32bit machine with RU5. The system would not shut down. The screen would go blank but the system would not shut down. In the Event Log you can see a message that RTVSCan.exe has 1 registry handle open (HKEY_USERS\S-x-x-xx-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx\Software\Symantec Endpoint Protection\AV\Custom Tasks\<GUID>)




  • 11.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Nov 03, 2009 01:34 AM
    TRY BY DISABLING TAMPER PROTECTION 


  • 12.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Jan 12, 2010 02:44 PM
    The Symantec Certified Compatible version of SEP for Windows 7 is 11.0.5002.333 so hope you are using this version. 


  • 13.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Jan 12, 2010 02:57 PM

    That is the version I am using.  I just verified (Windows 7 is 11.0.5002.333)



  • 14.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Jan 12, 2010 05:37 PM
    No comment


  • 15.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Jan 12, 2010 07:09 PM
    Saw that you just bumped this thread. I just wanted to let you know that if you were to make a new thread on your issue you would probably get more responses. Most people will ignore old threads. 

    Cheers
    Grant


  • 16.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Jan 12, 2010 07:58 PM
    Thank you, I will do that.


  • 17.  RE: SEP RU5 Leaking Registry Handles at Shutdown on Windows 7, machine does not power off

    Posted Jan 20, 2010 12:50 PM
    Does anybody know if the handle leak with RTVSCan.exe problem has been solved?  I am having the same issue on Windows 7 64bit.  Here is the Event Viewer log:

    _____________________________________________________________________________________________________________________________________

     

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -

    1 user registry handles leaked from \Registry\User\(removed sid):

    Process 1316 (\Device\HarddiskVolume4\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\(removed sid)\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    It looks like the Symantec driver is leaking memory...
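
Added example, not part of the thread or any poster's code: a Python parser for the Event ID 1530 detail text quoted in posts 1 and 17, which counts how many events name the same process image and registry subkey, the correlation the original poster was doing by hand. The sample descriptions are constructed (placeholder SID, hypothetical example_agent.exe), and the function names are this example's own.

```python
import re
from collections import Counter

# Matches one "Process <pid> (<image>) has opened key <key>" detail line.
# The image path can contain parentheses ("Program Files (x86)"), so the lazy
# group is anchored on the literal ") has opened key" that follows it.
LEAK_RE = re.compile(
    r"^\s*Process (\d+) \((.+?)\) has opened key (\\REGISTRY\\USER\\.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_leaks(description):
    """Return one dict per leaked handle listed in a 1530 description."""
    leaks = []
    for pid, image, key in LEAK_RE.findall(description):
        # Drop the leading \REGISTRY\USER\<sid>\ so subkeys group across users.
        parts = key.split("\\", 4)
        leaks.append({
            "pid": int(pid),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "subkey": parts[4] if len(parts) > 4 else "",
        })
    return leaks

def recurring_leakers(descriptions):
    """Count the events in which each (image, subkey) pair leaked a handle."""
    seen = Counter()
    for text in descriptions:
        seen.update({(leak["image"], leak["subkey"]) for leak in parse_leaks(text)})
    return seen

# Constructed sample descriptions modelled on the entries quoted in the thread;
# the SID is a placeholder and example_agent.exe is hypothetical.
SEP = r"\Device\HarddiskVolume4\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe"
KEY = r"\REGISTRY\USER\S-1-5-21-EXAMPLE\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks"
HDR = "DETAIL -\n {n} user registry handles leaked from \\Registry\\User\\S-1-5-21-EXAMPLE:\n"
SAMPLE_EVENTS = [
    HDR.format(n=1) + f"Process 2424 ({SEP}) has opened key {KEY}\n",
    HDR.format(n=2) + f"Process 1316 ({SEP}) has opened key {KEY}\n"
    "Process 900 (\\Device\\HarddiskVolume4\\Tools\\example_agent.exe) has opened key "
    "\\REGISTRY\\USER\\S-1-5-21-EXAMPLE\\Software\\Example\n",
]

if __name__ == "__main__":
    for (image, subkey), n in recurring_leakers(SAMPLE_EVENTS).most_common():
        print(f"{n} event(s): {image} -> {subkey}")
```
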