Getting Temp Profiles

MikePuz

Since the end of August 2020, network users have been getting temp profiles on multiple Windows 7 machines. Checked the registry and there is no .BAK entry. Does not happen on Windows 10 machines. Below are our Event Viewer details. Stumped.


Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/10/2020 1:25:46 PM
Event ID: 1511
Task Category: None
Level: Error
Keywords:
User: BELLEDOMAIN\testmike
Computer: A-Lib-1.BELLEDOMAIN.local
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1511</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-10T18:25:46.097074800Z" />
<EventRecordID>211431</EventRecordID>
<Correlation />
<Execution ProcessID="1028" ThreadID="5144" />
<Channel>Application</Channel>
<Computer>A-Lib-1.BELLEDOMAIN.local</Computer>
<Security UserID="S-1-5-21-224070922-1371501334-623648099-24263" />
</System>
<EventData>
</EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/10/2020 1:25:46 PM
Event ID: 1515
Task Category: None
Level: Error
Keywords:
User: BELLEDOMAIN\testmike
Computer: A-Lib-1.BELLEDOMAIN.local
Description:
Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1515</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-10T18:25:46.097074800Z" />
<EventRecordID>211430</EventRecordID>
<Correlation />
<Execution ProcessID="1028" ThreadID="5144" />
<Channel>Application</Channel>
<Computer>A-Lib-1.BELLEDOMAIN.local</Computer>
<Security UserID="S-1-5-21-224070922-1371501334-623648099-24263" />
</System>
<EventData>
</EventData>
</Event>



Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/10/2020 1:25:25 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: A-Lib-1.BELLEDOMAIN.local
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-224070922-1371501334-623648099-23227:
Process 424 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-224070922-1371501334-623648099-23227
Process 424 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-224070922-1371501334-623648099-23227\Printers\DevModePerUser

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-10T18:25:25.510782300Z" />
<EventRecordID>211427</EventRecordID>
<Correlation />
<Execution ProcessID="1028" ThreadID="5144" />
<Channel>Application</Channel>
<Computer>A-Lib-1.BELLEDOMAIN.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-224070922-1371501334-623648099-23227:
Process 424 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-224070922-1371501334-623648099-23227
Process 424 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-224070922-1371501334-623648099-23227\Printers\DevModePerUser
</Data>
</EventData>
</Event>
