Endpoint Protection


Symantec causing corrupt windows 7 profile?


  • 1.  Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 04:50 AM

    We often get corrupt Windows 7 profiles on our clients.

    I saw that there were some errors with the Symantec client in the event log. Can it be the antivirus client that is causing it?

     

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          3/27/2012 8:46:56 AM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:      
    User:          SYSTEM
    Computer:      idg000578.idg.local
    Description:
    Windows has detected your registry file is still in use by other applications or servers. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    INFORMATION -
    2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
    Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
    Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
        <EventID>1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-03-27T06:46:56.185206800Z" />
        <EventRecordID>16864</EventRecordID>
        <Correlation />
        <Execution ProcessID="936" ThreadID="2588" />
        <Channel>Application</Channel>
        <Computer>idg000578.idg.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
    Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
    Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    </Data>
      </EventData>
    </Event>



    Your profile can not be loaded, so you have logged into the computer's default profile.

    INFORMATION - Access is denied.




    Windows has detected your registry file is still in use by other applications or servers. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    INFORMATION -
    59 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-2237:
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\MSF\Registration\Listen
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Root
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\My
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\trust
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\CA
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\Shell\Bags\1\Desktop
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\Disallowed
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Policies\Microsoft\SystemCertificates
    Process 312 (\Device\HarddiskVolume2\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 2448 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion
    Process 1668 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\SmcGui.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows NT\CurrentVersion
    Process 2676 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-2237\Software\Microsoft\Windows\CurrentVersion\HomeGroup\Printers



  • 2.  RE: Symantec causing corrupt windows 7 profile?

    Broadcom Employee
    Posted Mar 27, 2012 05:03 AM

    What is the SEP version?

    Check if this link is of help:

    http://support.microsoft.com/kb/947215



  • 3.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 05:07 AM

    Hi,

    Run the SEP support tool and log a case with Symantec support.

    Run Power Eraser or scan the full system.



  • 4.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 05:12 AM

    You can check this and see if it is of any help:

    http://social.technet.microsoft.com/Forums/en-US/w7itproperf/thread/2679dc8b-7a61-492b-94d2-4b6e4ea37fbc/

     

    This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows Vista does this when Windows Vista tries to close a user profile.

    In versions of the Windows operating system that are earlier than Windows Vista or Windows 7, you must install the User Profile Hive Cleanup Service (UPHClean) utility to have the same functionality. However, the UPHClean utility is incompatible with Windows Vista and Windows 7. Additionally, the UPHClean utility is not needed because this functionality is built into Windows Vista.

    http://support.microsoft.com/kb/947238

    You may try performing a Clean Boot to check whether any security software is preventing Windows from closing the registry key.

    To help troubleshoot error messages and other issues, you can start Windows 7 by using a minimal set of drivers and startup programs. This kind of startup is known as a "clean boot." A clean boot helps eliminate software conflicts.

    How to troubleshoot a problem by performing a clean boot in Windows 7:

    http://support.microsoft.com/kb/929135

    Also, see the section on how to return your computer to a Normal startup mode by following the steps under “Reset the computer to start as usual.”

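    A triage helper for the event quoted in the original post, added here as an example and not code from any poster in this thread or from Symantec. It parses the 1530 (EVENT_HIVE_LEAK) event XML, groups the leaked handles by the process image that held them, and separates Windows' own processes from everything else, which is the candidate list for the clean-boot test suggested above. The embedded event is a trimmed copy of the post's own XML, used as constructed sample input; the function and variable names are the example's own. On a live machine the same XML shape comes from `wevtutil qe Application /q:"*[System[(EventID=1530)]]" /f:xml`, assuming (as in the post's XML view) that the export carries the `Data Name="Detail"` attribute.

```python
"""Triage helper for User Profile Service event 1530 (EVENT_HIVE_LEAK).

The event's Detail field lists every process that still held a handle into a
user's registry hive when Windows tried to unload it at logoff.  This parses
that text out of the event XML, groups the handles by process image, and
separates Windows' own processes from everything else.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by every Windows event log record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# First line of the Detail field: "<n> user registry handles leaked from <hive>:"
HEADER_RE = re.compile(r"^(\d+) user registry handles leaked from (\S+):$")
# Each following line: "Process <pid> (<image>) has opened key <key>"
LEAK_RE = re.compile(r"^Process (\d+) \((.+?)\) has opened key (.+)$")

# Constructed sample input: a trimmed copy of the event XML quoted in the
# thread, kept to the fields this script reads.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2012-03-27T06:46:56.185206800Z" />
    <Channel>Application</Channel>
    <Computer>idg000578.idg.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1606980848-1645522239-682003330-500:
Process 2004 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500
Process 2028 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1606980848-1645522239-682003330-500\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
</Data>
  </EventData>
</Event>"""


def parse_hive_leak(event_xml: str) -> dict:
    """Return who held handles into which hive, from one 1530 event's XML."""
    root = ET.fromstring(event_xml)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "1530":
        raise ValueError(f"expected EventID 1530, got {event_id}")
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", namespaces=NS) or ""
    lines = [ln.strip() for ln in detail.splitlines() if ln.strip()]
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        raise ValueError("Detail field does not start with the hive-leak summary line")
    hive = header.group(2)
    by_image = defaultdict(lambda: {"pids": set(), "keys": []})
    for ln in lines[1:]:
        m = LEAK_RE.match(ln)
        if m is None:          # ignore anything that is not a leak line
            continue
        pid, image, key = m.groups()
        by_image[image]["pids"].add(int(pid))
        by_image[image]["keys"].append(key)
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "hive": hive,
        "sid": hive.rsplit("\\", 1)[-1],
        "reported_handles": int(header.group(1)),
        "parsed_handles": sum(len(v["keys"]) for v in by_image.values()),
        "by_image": {img: {"pids": sorted(v["pids"]), "keys": v["keys"]}
                     for img, v in by_image.items()},
    }


def non_windows_holders(report: dict) -> list:
    """Images outside \\Windows\\ on the holding volume: the third-party
    candidates a clean-boot test would disable one at a time."""
    out = []
    for image in report["by_image"]:
        # Drop the \Device\HarddiskVolumeN prefix, then test the directory.
        path = re.sub(r"^\\Device\\HarddiskVolume\d+", "", image, flags=re.IGNORECASE)
        if not path.lower().startswith("\\windows\\"):
            out.append(image)
    return sorted(out)


def summarize(report: dict) -> list:
    """One line per holding image, most handles first."""
    rows = sorted(report["by_image"].items(),
                  key=lambda kv: (-len(kv[1]["keys"]), kv[0]))
    return [f"{len(v['keys']):3d} handle(s)  pid {','.join(map(str, v['pids']))}  {img}"
            for img, v in rows]


if __name__ == "__main__":
    report = parse_hive_leak(SAMPLE_EVENT_XML)
    print(f"{report['computer']}: {report['reported_handles']} handle(s) leaked "
          f"from hive {report['sid']}")
    for line in summarize(report):
        print(line)
    print("outside \\Windows\\:", *non_windows_holders(report), sep="\n  ")
```

    Run it against a batch of exported events and the same images showing up for many SIDs is the signal worth acting on; a single leaked handle from winlogon.exe is normal at unload time, whereas a non-Windows image such as a scanner holding a per-user key is what the fix note later in this thread describes.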


  • 5.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 05:15 AM

    SEP 11.0.502.333.

    I'll check out the link.



  • 6.  RE: Symantec causing corrupt windows 7 profile?

    Broadcom Employee
    Posted Mar 27, 2012 05:32 AM

    There was a known issue which is fixed in SEP 11 RU7; upgrade the client.

    Local user profiles become corrupted on Windows Vista and Windows 7 computers
    Fix ID: 2291558
    Symptom: Users are unable to log on to their local Windows profiles.
    Solution: The method that Rtvscan.exe uses to monitor the user's scheduled scan registry has been enhanced to resolve this issue.
     
    Check this link.


  • 7.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 05:42 AM

    Hi,

    If you are using the old version of SEP, then upgrade to the new version, SEP 12.1 RU1.

    Lots of fixes in SEP 12.1 RU1.



  • 8.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 06:11 AM

    Ok.

    I'll try upgrading to SEP 12.1 RU1.



  • 9.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 06:30 AM

    Is it only the client patch?

     

    http://www.symantec.com/business/support/index?page=content&id=TECH174706&key=54619&basecat=DOWNLOADS&actp=LIST#



  • 10.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 07:19 AM

    Can't find the sep 12.1 RU1 installation files...

     

    Do I have to upgrade the license too?



  • 11.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 07:26 AM

    Go to fileconnect.symantec.com.

    Enter your serial number and download the product 12.1 RU1 SEPM or Part 1.



  • 12.  RE: Symantec causing corrupt windows 7 profile?

    Broadcom Employee
    Posted Mar 27, 2012 07:26 AM

    It is a client-side issue; you need to install the SEP client, either SEP 11 RU7 or later, or SEP 12.1 RU1.



  • 13.  RE: Symantec causing corrupt windows 7 profile?

    Posted Mar 27, 2012 08:54 AM

    I can only see up to version Product: Symantec Multi-Tier Protection 11.0.2 when I log in.



  • 14.  RE: Symantec causing corrupt windows 7 profile?

    Posted Jun 11, 2012 12:04 PM

    You should be able to see up to 11.0.7.

    12.1 changed the licensing scheme from "paper" to client licenses.

    Therefore, you will need to renew your Symantec licensing in order to be able to access 12.1 as well as download the new version. Likely, you will be given a new serial number for 12.1 (should you choose to upgrade).

    In the meantime, since you were already able to download and install 11.0.5 you should be able to see 11.0.7.

    If you are having problems with fileconnect, I would suggest you contact Customer Support:

    http://customersupport.symantec.com/

    You can also verify, using your registered e-mail address, if your 11.x version is properly licensed/registered here:

    https://licensing.symantec.com/acctmgmt/index.jsp