
Problem with unloading NTUSER.DAT


Daniel Hepp

Question

Hi,

I got a new Server 2016 - XenApp 7.15 LTSR XenApp-Environment.

The Profile-Management can't unload the NTUSER.DAT at logoff.

 

("Zugriff verweigert" means "Access denied" in German)

2017-12-06;17:36:27.091;ERROR;domain;ctx-test;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:27.091;ERROR;domain;ctx-test;5;1700;ProcessRegistryLogoff: Unloading the logoff registry hive failed!

 

I monitored it with Process-Explorer.

"System" has access to it, so I can't delete it until I restart the server.

 

I tried disabling profile streaming, disabling active write back, and disabling the service "Connected User Experiences and Telemetry".

 

What else can I do?

 

Kind Regards,

Daniel

 

 

Here is the complete Logoff-Log:

 

2017-12-06;17:36:26.168;INFORMATION;;;5;1700;DispatchLogonLogoff: ---------- Starting logoff processing...
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;DispatchLogonLogoff: Session is a console session.
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;DispatchLogonLogoff: UserSID = S-1-5-21-442255346-4051920526-3705523271-4116
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;SessionCount::RealTimeCount - User: ctx-test, Domain: domain, Session Count: 0.
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;ProcessLogoff: Profile directory read from registry: C:\Users\ctx-test
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:26.168;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;CRegistryHive::Load: RegLoadKey of <C:\Users\ctx-test\NTUSER.DAT> to <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> succeeded.
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;ProcessLogoff: Performing Cross Platform logoff processing
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;CpsUserData::ProcessChangedFiles: Cross Platform processing will not be performed for user
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:26.215;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:26.247;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs> succeeded.
2017-12-06;17:36:26.262;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs> succeeded.
2017-12-06;17:36:26.278;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\Microsoft\Windows\WebCache\V01tmp.log> succeeded.
2017-12-06;17:36:26.340;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\TileDataLayer\Database\EDB00001.log> succeeded.
2017-12-06;17:36:26.387;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\TileDataLayer\Database\EDBres00001.jrs> succeeded.
2017-12-06;17:36:26.465;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\TileDataLayer\Database\EDBres00002.jrs> succeeded.
2017-12-06;17:36:26.528;INFORMATION;domain;ctx-test;5;5996;CJitFolderSupport::CacheFillFile: request for <AppData\Local\TileDataLayer\Database\EDBtmp.log> succeeded.
2017-12-06;17:36:26.528;INFORMATION;domain;ctx-test;5;5996;JitThread: Jit Thread terminating for user domain\ctx-test. Collecting any remaining driver change notifications...
2017-12-06;17:36:26.528;INFORMATION;domain;ctx-test;5;5996;JitThread: Finished processing driver change notifications for domain\ctx-test...
2017-12-06;17:36:26.528;INFORMATION;domain;ctx-test;5;1700;ProcessLogoff: Found registry hive file in: <\\server\citrix-profiles$\roaming\ctx-test\Win2016!ctx_profilever>.
2017-12-06;17:36:26.543;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:26.606;ERROR;domain;ctx-test;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:26.606;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:26.606;INFORMATION;domain;ctx-test;5;1700;RegistryWriteBack: Copying user registry file.
2017-12-06;17:36:26.653;INFORMATION;domain;ctx-test;5;1700;CopyFileWithRetries: Copied a file from: <\\server\citrix-profiles$\roaming\ctx-test\Win2016!ctx_profilever\UPM_Profile\NTUSER.DAT> to <C:\Users\ctx-test\NTUSER.DAT.NET>.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;CopyFileWithRetries: Copied a file from: <\\server\citrix-profiles$\roaming\ctx-test\Win2016!ctx_profilever\UPM_Profile\NTUSER.DAT> to <C:\Users\ctx-test\NTUSER.DAT.NET.BAK>.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;RegistryWriteBack: Copying user registry file succeeded.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;RegistryWriteBack: Locking user registry file.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;ProcessRegistryLogoff: User logged on at <2017-12-06  17:34:35.383>.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;CRegistryHive::Load: RegLoadKey of <C:\Users\ctx-test\NTUSER.DAT> to <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> succeeded.
2017-12-06;17:36:26.668;INFORMATION;domain;ctx-test;5;1700;ProcessRegistryLogoff: User's hive is not loaded, loading '_logoff' hive.
2017-12-06;17:36:26.715;INFORMATION;domain;ctx-test;5;1700;CRegistryHive::Load: RegLoadKey of <C:\Users\ctx-test\NTUSER.DAT.START> to <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logon> succeeded.
2017-12-06;17:36:26.715;INFORMATION;domain;ctx-test;5;1700;ProcessRegistryLogoff: Starting registry scan.
2017-12-06;17:36:26.872;INFORMATION;domain;ctx-test;5;1700;CRegistryHive::Unload: Unloaded registry hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logon>.
2017-12-06;17:36:26.950;INFORMATION;domain;ctx-test;5;1700;CRegistryHive::Load: RegLoadKey of <C:\Users\ctx-test\NTUSER.DAT.NET> to <upm_S-1-5-21-442255346-4051920526-3705523271-4116_network> succeeded.
2017-12-06;17:36:26.965;INFORMATION;domain;ctx-test;5;1700;CopyFileWithRetries: Copied a file from: <C:\Users\ctx-test\NTUSER.DAT.NET.BAK> to <C:\Users\ctx-test\NTUSER.DAT.NET.BAK.LASTGOODLOAD>.
2017-12-06;17:36:27.091;INFORMATION;domain;ctx-test;5;1700;CRegistryHive::Unload: Unloaded registry hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_network>.
2017-12-06;17:36:27.091;INFORMATION;domain;ctx-test;5;1700;ProcessRegistryLogoff: Finished registry scan.
2017-12-06;17:36:27.091;ERROR;domain;ctx-test;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:27.091;ERROR;domain;ctx-test;5;1700;ProcessRegistryLogoff: Unloading the logoff registry hive failed!
2017-12-06;17:36:27.091;INFORMATION;domain;ctx-test;5;1700;TouchFile: Touched file <C:\Users\ctx-test\NTUSER.DAT.NET>
2017-12-06;17:36:27.091;INFORMATION;domain;ctx-test;5;1700;TouchFile: Touched file <C:\Users\ctx-test\NTUSER.DAT>
2017-12-06;17:36:27.091;ERROR;domain;ctx-test;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:27.091;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStart: Successfully impersonated a client.
2017-12-06;17:36:27.091;INFORMATION;domain;ctx-test;5;1700;WriteFeaturesToINIFile: temporary file name: C:\Users\ctx-test\cpmCA97.tmp
2017-12-06;17:36:27.123;INFORMATION;domain;ctx-test;5;1700;ImpersonateClientStop: Successfully stopped client impersonation.
2017-12-06;17:36:27.138;ERROR;domain;ctx-test;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-442255346-4051920526-3705523271-4116_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:27.138;ERROR;domain;ctx-test;5;1700;DispatchLogonLogoff: ---------- Finished logoff processing with errors in : <0.97>.

 

 

Link to comment
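Added example, not part of the original post and not Citrix code: a small parser for a log in this layout that pairs `CRegistryHive::Load` and `CRegistryHive::Unload` records and reports hives that are still loaded after a failed `RegUnloadKey`. The field names (date, time, level, domain, user, session, thread, message) are assumed from the log shown above, and the sample lines are constructed with a placeholder SID and user.

```python
import re

# Constructed sample in the layout of the thread's log; SID, user and paths are placeholders.
SAMPLE_LOG = r"""
2017-12-06;17:36:26.215;INFORMATION;domain;user1;5;1700;CRegistryHive::Load: RegLoadKey of <C:\Users\user1\NTUSER.DAT> to <upm_S-1-5-21-1-2-3-1001_logoff> succeeded.
2017-12-06;17:36:26.606;ERROR;domain;user1;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-1-2-3-1001_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:26.715;INFORMATION;domain;user1;5;1700;CRegistryHive::Load: RegLoadKey of <C:\Users\user1\NTUSER.DAT.START> to <upm_S-1-5-21-1-2-3-1001_logon> succeeded.
2017-12-06;17:36:26.872;INFORMATION;domain;user1;5;1700;CRegistryHive::Unload: Unloaded registry hive <upm_S-1-5-21-1-2-3-1001_logon>.
2017-12-06;17:36:27.091;ERROR;domain;user1;5;1700;CRegistryHive::Unload: RegUnloadKey of hive <upm_S-1-5-21-1-2-3-1001_logoff> failed with: Zugriff verweigert
2017-12-06;17:36:27.091;ERROR;domain;user1;5;1700;ProcessRegistryLogoff: Unloading the logoff registry hive failed!
"""

FIELDS = ("date", "time", "level", "domain", "user", "session", "thread", "message")
LOAD = re.compile(r"CRegistryHive::Load: RegLoadKey of <(?P<file>[^>]+)> to <(?P<hive>[^>]+)> succeeded")
UNLOADED = re.compile(r"CRegistryHive::Unload: Unloaded registry hive <(?P<hive>[^>]+)>")
FAILED = re.compile(r"CRegistryHive::Unload: RegUnloadKey of hive <(?P<hive>[^>]+)> failed with: (?P<reason>.+)")


def parse_line(line):
    """Split one record; the message is the 8th field and may itself contain ';'."""
    parts = line.strip().split(";", 7)
    return dict(zip(FIELDS, parts)) if len(parts) == 8 else None


def stuck_hives(text):
    """Return {hive: details} for hives still loaded after a failed unload attempt."""
    hives = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        msg = rec["message"]
        if m := LOAD.search(msg):
            h = hives.setdefault(m["hive"], {"failures": 0})
            h.update(file=m["file"], loaded=True, user=rec["user"])
        elif m := UNLOADED.search(msg):
            hives.setdefault(m["hive"], {"failures": 0})["loaded"] = False
        elif m := FAILED.search(msg):
            h = hives.setdefault(m["hive"], {"failures": 0})
            h["failures"] += 1
            h.update(loaded=True, reason=m["reason"].strip(),
                     last_failure=rec["time"], thread=rec["thread"])
    return {name: h for name, h in hives.items() if h.get("loaded") and h["failures"]}


if __name__ == "__main__":
    for name, h in stuck_hives(SAMPLE_LOG).items():
        print(f"{name}: {h['failures']} failed unloads of {h.get('file')} "
              f"({h['reason']}), last at {h['last_failure']}")
```

The reported time and thread give a narrow window to line up against a Process Monitor capture of the same logoff.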

11 answers to this question

Recommended Posts

  • 0

Hi Carl,

thanks for your answer.


We got Windows Defender and I deactivated (with reboot) it, but got the same issue.

 

How do I get the possibility to see what is locking the ntuser.dat?

Proc-Explorer tells me that "System" is locking the file.

I think, if I understand what "thing" is locking the ntuser.dat I can remove the problem.

 

Thanks, Daniel

 

 

 

Link to comment
  • 0

I solved this problem in our environment. I analysed the logoff with Process Monitor. There I found out that a process of our KYOCERA printer driver had access to the current user registry hive during logoff. So now I kill this process with a task during logoff and NTUSER.DAT is being synced without any problem!

Link to comment
  • 0

I know this post is a bit old, but I have a quick question.

We have what seems to be a similar issue. In our case we see that the NTUSER.DAT is padded with NULL values (as seen in Notepad++) when the profile is corrupted, and subsequent user logins get a temp profile until a previous version of the NTUSER.DAT is restored. The corrupt NTUSER.DAT appears in either the pending folder or the main profile folder. Either location is fatal, causing a temp profile for the user. What I suspect is happening is that UPM, or the mechanism it uses to write the NTUSER.DAT, is first creating an empty file and then normally fills the file with a copy of the user's hive data from the session's NTUSER.DAT.

 

So for my question: In your cases of corruption are you also seeing the NTUSER.DAT written to the user's profile/share padded with null values?

Link to comment
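Added example, not part of the original thread and not Citrix code: a check that classifies a hive file such as NTUSER.DAT as empty, NULL-filled, or structurally damaged, so a bad copy in the profile store can be spotted before the next logon. It relies on the registry hive file layout (`regf` signature, two sequence numbers, XOR checksum at offset 508, first `hbin` at offset 4096), which is not described on this page; `make_hive` builds constructed test images only.

```python
import struct
import sys


def header_checksum(block: bytes) -> int:
    """XOR of the first 127 little-endian dwords of the regf base block."""
    c = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        c ^= dword
    if c == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return c or 1


def check_hive(data: bytes) -> str:
    """Classify raw hive bytes by inspecting the base block and first hive bin."""
    if not data:
        return "empty"
    if not any(data):
        return "all-null"            # the NULL-padded case described above
    if len(data) < 4100 or data[:4] != b"regf":
        return "bad-header"
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    (stored,) = struct.unpack_from("<I", data, 508)
    if stored != header_checksum(data):
        return "bad-checksum"
    if data[4096:4100] != b"hbin":
        return "bad-hbin"            # header written, body missing or zeroed
    return "dirty" if seq1 != seq2 else "ok"   # dirty: last write did not complete


def make_hive(seq1=1, seq2=1, bins=b"hbin") -> bytes:
    """Constructed minimal image for demonstration only (not a loadable hive)."""
    head = (b"regf" + struct.pack("<II", seq1, seq2)).ljust(508, b"\0")
    head += struct.pack("<I", header_checksum(head))
    return head.ljust(4096, b"\0") + bins.ljust(4096, b"\0")


if __name__ == "__main__":
    # Usage: python check_hive.py <path to NTUSER.DAT> [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {check_hive(fh.read())}")
```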
