Endpoint Protection

 View Only
Expand all | Collapse all

"Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

  • 1.  "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 02:29 PM
    Hi,

    I've been using SEP 11.x since it was released, have tried all versions and liked the product, (not those earliest version) still like it a lot.

    I have a question for those who allready updated to the latest version, RU5. Have anyone noticed any problems when logging on to Windows Vista or Windows 7, after installing/updating SEP RU5?

    I have used RU5 with many Windows XP computers, no problems so far. On my own laptop, i've Windows 7 64bit (latest build) installed, and sometimes problems when logging on to Windows. Before RU5 i had SEP 11.4 MP2, no Windows profile errors, at all. On my own computer i use only Antivirus and Antispyware components of SEP.
    Profile loading errors started about day after updating to RU5, and the problem appears randomly from one to three times a week.

    I have not installed any other software, not installed any MS patches or anything else after RU5 update. Yesterday, i installed SEP RU5 to few Windows Vista computers (before that they had different AV software installed). After couple of computer reboots, i got profile loading errors. Anyone else seen this?

    "Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

    DETAIL - The process cannot access the file because it is being used by another process."

    And almost every time when i shut down Windows Vista or Windows 7 computer, there's warning message on a Windows Application log;


    "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     1 user registry handles leaked from \Registry\User\S-1-5-21-1388608198-252597042-225983441-1000:
    Process 1960 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1388608198-252597042-225983441-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks"

      


  • 2.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 02:38 PM
    Hi,

           As of now we are working on this issue and I will keep you updated at the earliest.


  • 3.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 02:40 PM
     Looks like you might be turning/logging off the computer while scheduled scan is running.


  • 4.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 03:30 PM
    Hi Sandip,

    Just to be sure, so this issue is known and maybe we should wait a little bit before upgrading RU5 to our customers who mostly use Windows 7 or Windows Vista, until we get patch or workaround for this issue?
    So i dont see any reasons for delaying updates to Windows XP computers, and gladly most of our customers who uses SEP are still using Windows XP.
    Thanks for your quick reply, i'll appreciate it!

    And there isn't any scheduled scans used with our computers having this issue, no scans when logging on/logging of, no floppy scans when shutting down/floppy accessed.



  • 5.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 03:36 PM
    Do you see any messages relating to UPHClean.exe and Tamper Protection?

    Title: 'Tamper Protection is detecting UPHClean.exe.'
    Document ID: 2008091816010648
    > Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008091816010648

    Any event IDs associated with the message you mention?

    sandra


  • 6.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 03:40 PM
     @sandra the UPHCLEAN is a very old issue which is only seen on xp and 2k3 but this looks like a new issue related to Win7..it looks like RTVscan is holding up user profile

    https://www-secure.symantec.com/connect/forums/endpoint-protection-stopping-users-reciving-there-windows-profiles#comment-2492281

    try excluding NTUSER.DAT for workaround



  • 7.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 05, 2009 03:53 PM
    Yep, there's no Tamper Protection or any else error messages. Haven't seen that issue before which Vikram just posted, maybe i'm not using the search options correctly:)

    I'll try exclusing the NTUSER.DAT file, let's see how it goes, cannot verify that workaround for at least couple of days because the problem shows up so randomly.  Thanks for the tip Vikram!

    But to me it doesn't look like related only to Windows 7 because i've also seen that on Windows Vista computers which have Vista SP2 installed.


  • 8.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 06, 2009 10:07 AM
    How to add ntuser.dat exclusion for unmanaged computer?

    From SEP unmanaged client computer, Change Settings, Centralized Exceptions, Configure Settings, Add, Security Exception, File and type %userprofile%\ntuser.dat SEP says;

    NTUSER.DAT
    This file is in use.
    Enter a new name or close the file that's open in another program


    Any ideas how to do ntuser.dat exclusion, maybe from the registry?


  • 9.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?
    Best Answer

    Posted Oct 06, 2009 10:45 AM
    Add any Exclusion then go to this registry entry

     HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName\Client

    here you will find a numbered folder below client and there you will have ThreatName and FileName
    edit both of them and make it %userprofile%\NTUSER.DAT

    close registry
    Open SEP client there you will see the change.


  • 10.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 06, 2009 01:15 PM
    Thanks again Vikram, that worked.

    For my (and every other 64bit OS i assume) 64bit OS the registry path is

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName\Client

    and as you said there's a numbered folder below client.


  • 11.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 06, 2009 01:36 PM
     Ohh..ya i forgot you had 64 bit OS ..but its good you found it..the locations differ a little bit here n there between 32 and 64


  • 12.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 06, 2009 06:49 PM
    I only mentioned it because that issue was UPHClean and RTVscan fighting because UPHClean errored when it thought RTVScan was holding on (scanning) to the profile longer than it thought it should have been  (in as much as UPHClean could think ;) ).

    Glad the issue is now resolved!

    sandra


  • 13.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 07, 2009 10:46 AM

    So much for locking down exclusions through a policy ....



  • 14.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Oct 16, 2009 11:23 AM
    That worked for a time, but after enough reboots this issue reoccured: "user profile cannot be loaded" and then a long, thin box containing no text, but with a red dot containing a white "x" in the upper left hand corner. Locked after that, unless restarted in safe mode.
     


  • 15.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Nov 03, 2009 01:40 PM
    My company is having what appears to be this issue with our newly "managed" clients. My SEPM is RU5, but the clients are "11.0.4202.75". From what I've been told the problem happens when the machine reboots. Not sure if it happens at other times. Started happening after we installed managed clients.

    Based on the earlier posts, I set a centralized exceptions for ntuser.dat, ntuser.dat.log, and ntuser.ini. It may be a few days yet before we can tell if the problem has gone away. This problem does not happen on every system and all the systems are pretty much overloaded.

    In the earlier post from Sandip, he indicated Symantec is working on this problem. Is a fix, patch or workaround available?? Could I get a fix if I used my company's support account and opened a problem ticket?

     


  • 16.  RE: "Windows cannot load the locally stored profile." Possible SEP RU5 related problem?

    Posted Nov 05, 2009 03:21 AM
    I'm having this problem for months now. On Vista and Win 7 machines.

    Similiar thread: http://www.symantec.com/connect/forums/endpoint-protection-stopping-users-reciving-there-windows-profiles

    None of the suggested solutions works. The only thing that helps, is uninstalling SEP...
    I'm seriously considering another security solution.