"Windows cannot load the locally stored profile." Possible SEP RU5 related problem?
Hi,
I've been using SEP 11.x since it was released, have tried all versions and liked the product (not those earliest versions), and still like it a lot.
I have a question for those who already updated to the latest version, RU5. Has anyone noticed any problems when logging on to Windows Vista or Windows 7 after installing/updating SEP RU5?
I have used RU5 with many Windows XP computers, no problems so far. On my own laptop, I have Windows 7 64-bit (latest build) installed, and sometimes problems when logging on to Windows. Before RU5 I had SEP 11.4 MP2, no Windows profile errors at all. On my own computer I use only the Antivirus and Antispyware components of SEP.
Profile loading errors started about a day after updating to RU5, and the problem appears randomly from one to three times a week.
I have not installed any other software, not installed any MS patches or anything else after the RU5 update. Yesterday, I installed SEP RU5 on a few Windows Vista computers (before that they had different AV software installed). After a couple of computer reboots, I got profile loading errors. Has anyone else seen this?
"Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.
DETAIL - The process cannot access the file because it is being used by another process."
And almost every time I shut down a Windows Vista or Windows 7 computer, there's a warning message in the Windows Application log:
"Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1388608198-252597042-225983441-1000:
Process 1960 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1388608198-252597042-225983441-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks"
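To triage this warning across several machines, the event text quoted above can be parsed to show which process still holds the user hive open. This is an added example, not part of the original post and not Symantec code; the function names are hypothetical, and the sample is the message exactly as quoted in the post.

```python
import re
from collections import Counter

# Event text as quoted in the post above.
SAMPLE_EVENT = r"""Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1388608198-252597042-225983441-1000:
Process 1960 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1388608198-252597042-225983441-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks"""

HEADER_RE = re.compile(
    r"(\d+) user registry handles? leaked from \\Registry\\User\\(S-[\d-]+)", re.I)
# The image path may itself contain ")" ("Program Files (x86)"), so anchor on
# the literal ") has opened key" instead of stopping at the first ")".
HANDLE_RE = re.compile(
    r"^\s*Process (\d+) \((.+?)\) has opened key (\\REGISTRY\\USER\\.+?)\s*$",
    re.I | re.M)


def parse_leak_event(text):
    """Return the hive SID and every leaked handle named in one event, or None."""
    header = HEADER_RE.search(text)
    if header is None:
        return None
    sid = header.group(2)
    hive_prefix = "\\REGISTRY\\USER\\" + sid + "\\"
    handles = []
    for pid, image, key in HANDLE_RE.findall(text):
        if key.upper().startswith(hive_prefix.upper()):
            key = key[len(hive_prefix):]   # key path relative to the user's hive
        handles.append({"pid": int(pid), "image": image,
                        "process": image.rsplit("\\", 1)[-1], "key": key})
    return {"sid": sid, "reported": int(header.group(1)), "handles": handles}


def holders_by_process(events):
    """Count leaked handles per process name across many event texts."""
    counts = Counter()
    for text in events:
        parsed = parse_leak_event(text)
        if parsed:
            counts.update(h["process"].lower() for h in parsed["handles"])
    return counts


if __name__ == "__main__":
    print(parse_leak_event(SAMPLE_EVENT))
    print(holders_by_process([SAMPLE_EVENT, "unrelated event text"]))
```
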
Comments
Windows cannot load the locally stored profile
Hi,
As of now we are working on this issue and I will keep you updated at the earliest.
Thanks & Regards Sandip C Sali
Hi Sandip,
Just to be sure, so this issue is known and maybe we should wait a little bit before upgrading our customers who mostly use Windows 7 or Windows Vista to RU5, until we get a patch or workaround for this issue?
So I don't see any reasons for delaying updates to Windows XP computers, and gladly most of our customers who use SEP are still using Windows XP.
Thanks for your quick reply, I appreciate it!
And there aren't any scheduled scans used with our computers having this issue, no scans when logging on/logging off, no floppy scans when shutting down/floppy accessed.
Looks like you might be turning/logging off the computer while a scheduled scan is running.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Out of curiosity
Do you see any messages relating to UPHClean.exe and Tamper Protection?
Title: 'Tamper Protection is detecting UPHClean.exe.'
Document ID: 2008091816010648
Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008091816010648
Any event IDs associated with the message you mention?
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
Don't forget to mark your thread as 'solved' with the answer that best helped you!
@sandra, the UPHCLEAN is a very old issue which is only seen on XP and 2k3, but this looks like a new issue related to Win7. It looks like RTVscan is holding up the user profile.
https://www-secure.symantec.com/connect/forums/endpoint-protection-stopping-users-reciving-there-windows-profiles#comment-2492281
Try excluding NTUSER.DAT as a workaround.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
UPHClean
I only mentioned it because that issue was UPHClean and RTVscan fighting because UPHClean errored when it thought RTVScan was holding on (scanning) to the profile longer than it thought it should have been (in as much as UPHClean could think ;) ).
Glad the issue is now resolved!
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Yep, there are no Tamper Protection or any other error messages. I haven't seen that issue before which Vikram just posted, maybe I'm not using the search options correctly :)
I'll try excluding the NTUSER.DAT file, let's see how it goes. I cannot verify that workaround for at least a couple of days because the problem shows up so randomly. Thanks for the tip, Vikram!
But to me it doesn't look like it's related only to Windows 7, because I've also seen it on Windows Vista computers which have Vista SP2 installed.
How to add ntuser.dat exclusion for unmanaged computer?
From the SEP unmanaged client computer: Change Settings, Centralized Exceptions, Configure Settings, Add, Security Exception, File, and type %userprofile%\ntuser.dat. SEP says:
NTUSER.DAT
This file is in use.
Enter a new name or close the file that's open in another program
Any ideas how to do ntuser.dat exclusion, maybe from the registry?
Add any Exclusion, then go to this registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName\Client
Here you will find a numbered folder below Client, and there you will have ThreatName and FileName.
Edit both of them and make them %userprofile%\NTUSER.DAT.
Close the registry.
Open the SEP client; there you will see the change.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
So much for locking down exclusions through a policy ....
Does not seem to work after two to three restarts
That worked for a time, but after enough reboots this issue reoccurred: "user profile cannot be loaded" and then a long, thin box containing no text, but with a red dot containing a white "x" in the upper left-hand corner. Locked after that, unless restarted in safe mode.
Thanks again Vikram, that worked.
For my 64-bit OS (and every other 64-bit OS, I assume) the registry path is
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName\Client
and as you said there's a numbered folder below client.
Oh, yes, I forgot you had a 64-bit OS, but it's good you found it. The locations differ a little bit here and there between 32 and 64.
VMWARE-- SEP 12.1 vs McAfee vs Trend Micro
Same or Similar Issue with Managed Clients
My company is having what appears to be this issue with our newly "managed" clients. My SEPM is RU5, but the clients are "11.0.4202.75". From what I've been told the problem happens when the machine reboots. Not sure if it happens at other times. Started happening after we installed managed clients.
In the earlier post from Sandip, he indicated Symantec is working on this problem. Is a fix, patch or workaround available? Could I get a fix if I used my company's support account and opened a problem ticket?
I've been having this problem for months now. On Vista and Win 7 machines.
Similar thread: http://www.symantec.com/connect/forums/endpoint-protection-stopping-users-reciving-there-windows-profiles
None of the suggested solutions works. The only thing that helps is uninstalling SEP...
I'm seriously considering another security solution.