<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx</link><description>&amp;ldquo;Ned&amp;rdquo; the Gnome 
 Mike here again and in the spirit of Halloween I want to discuss mythical creatures. What would the world be without J.R.R. Tolkien&amp;rsquo;s idea of smelly, leather-skinned Orcs or Greek Mythology&amp;rsquo;s gift of Pegasus</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363330</link><pubDate>Thu, 21 Oct 2010 15:10:33 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363330</guid><dc:creator>MikeStephensMSFT</dc:creator><description>&lt;p&gt;Ashley,&lt;/p&gt;
&lt;p&gt;Thanks for the comments. The first issue you mentioned is Windows’ inability to load the user’s CLASSES registry hive. &amp;nbsp;This registry key is backed by the file usrclass.dat. &amp;nbsp;It’s just registry data. &amp;nbsp;The key is HKEY_CURRENT_USER\Software\Classes. &amp;nbsp;The idea behind this is to allow per-user COM registration. &amp;nbsp;For XP and 2003, you can enable USERENV logging to track down why Winlogon is having a problem loading the file – there should be an error message and usually a result code. &amp;nbsp;Another way to track this down is to use Process Monitor and log the profile load. &amp;nbsp;Filter file and registry events that involve the filename or registry location, respectively. Most of the time, Windows fails to load something because something else has opened an exclusive handle to the file or registry (95 percent of the time it is a file handle). &amp;nbsp;I typically use Process Explorer and search for the process that has a handle to the file (sounds like another blog post). If you’re lucky, the process will be intuitively named to where you can identify the “dood” that isn’t playing nice in the sandbox. Sometimes, the process will be SVCHOST, in which case you need to further investigate all the services living in that SVCHOST process. &amp;nbsp;The worst scenario is when the process comes under SYSTEM. &amp;nbsp;The likeliest of culprits in this scenario is a kernel mode driver that has a handle to the file. Unfortunately, this requires a debugger and copious amounts of free time. &amp;nbsp;However, you could ask the question “What uses a filter driver and constantly looks at files on the operating system?” &amp;nbsp;Antivirus and intrusion protection software are two big ones that come to mind. &amp;nbsp;Uninstall these (disabling does not remove the kernel driver—that’s why we uninstall) and reproduce the problem. The bad thing with that is the reboot kills your repro.&lt;/p&gt;
&lt;p&gt;Second issue – you claim the shell folders keys were corrupt—define corrupt? Shell folder keys are stored in ntuser.dat, not usrclass.dat, so I’m disinclined to believe the two events are related—especially when I’d guess the first problem is a handle problem and not an actual problem with the registry key. Also, I’m a bit confused that the key was impossible to read; however, somehow it could be deleted. Typically, you need to be able to read something to delete it. Without data, I’d lean toward something wrote “bad” data to these keys, or they were empty. &amp;nbsp;I’ve seen this before. Again, I turn to trusty Process Monitor to identify the process “that massages” those keys into porridge, and go from there.&lt;/p&gt;
</description></item><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363326</link><pubDate>Thu, 21 Oct 2010 14:58:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363326</guid><dc:creator>Mike Kline</dc:creator><description>&lt;p&gt;Outstanding post Mike! (and nice Eminem reference) I think as long as there are users and help desk techs this myth will continue. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;I have to admit years ago when I did frontline helpdesk support it was an easy thing to say to a VIP user. &amp;nbsp;&amp;quot;Your profile is corrupt&amp;quot;. &amp;nbsp;You recreate it and have a script to copy from the old to the new and they are back up and running and you get out of their office as fast as possible. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;I like the virtual machine idea; that was not around when I was help desk...would have been nice.&lt;/p&gt;
&lt;p&gt;Thanks&lt;/p&gt;
&lt;p&gt;Mike&lt;/p&gt;
</description></item><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363323</link><pubDate>Thu, 21 Oct 2010 14:40:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363323</guid><dc:creator>sgrinker</dc:creator><description>&lt;p&gt;@Mike&lt;/p&gt;
&lt;p&gt;Sounds good, and thanks for the follow-up! &amp;nbsp;Looking forward to the future posts...&lt;/p&gt;
</description></item><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363320</link><pubDate>Thu, 21 Oct 2010 14:35:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363320</guid><dc:creator>MikeStephensMSFT</dc:creator><description>&lt;p&gt;Sgrinker&lt;/p&gt;
&lt;p&gt;I’ve received several requests to elaborate on the scenarios in the article. The plan is to create additional blog posts with each post providing more depth about the scenarios; and hopefully a way to allow our readers to walk through the scenarios themselves. &amp;nbsp;My hope is to outline the scenario; provide some background; break it; and then show how we here in support identify it—that’s the plan at least. &amp;nbsp;I have everything done … in my mind—now I just need to write it.&lt;/p&gt;
&lt;p&gt;I’ll try to dedicate a blog that highlights actual registry corruption (the structure itself); however, that’s actually more difficult to do while making it look like an accident. &amp;nbsp;But, it would be a good post if I can swing the details and implementation.&lt;/p&gt;
&lt;p&gt;Mike&lt;/p&gt;
</description></item><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363248</link><pubDate>Thu, 21 Oct 2010 07:41:59 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363248</guid><dc:creator>HelgeKlein</dc:creator><description>&lt;p&gt;As the architect for what is now Citrix&amp;#39;s Profile Management product I have been working with and writing about user profiles a lot. Regarding the common misconception of corrupt profiles I came to roughly the same conclusion as you, albeit 2.5 years ago. Here is my take on the subject:&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://www.sepago.de/helge/2008/07/02/corrupt-user-profiles-do-they-even-exist/"&gt;www.sepago.de/.../corrupt-user-profiles-do-they-even-exist&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363195</link><pubDate>Wed, 20 Oct 2010 22:47:49 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363195</guid><dc:creator>AshleyKnowles</dc:creator><description>&lt;p&gt;Hi Mike, &lt;/p&gt;
&lt;p&gt;Great post!&lt;/p&gt;
&lt;p&gt;I&amp;#39;d like to get your opinion on an issue which I don&amp;#39;t think you have quite put your finger on with this post. I suspect it may be on the borderline of being a real corruption (albeit, caused by something else?).&lt;/p&gt;
&lt;p&gt;As a desktop tech a year or two ago (*shudder*, glad to be back in the systems engineering arena), I had a number of clients who would regularly have the exact same issue as below, primarily on Windows Vista, but occasionally on XP and 7.&lt;/p&gt;
&lt;p&gt;The issue is twofold (forgive me for not having any event logs etc. for further perusal; it was a while ago). Firstly, it is reported in the event log that the user&amp;#39;s &amp;quot;CLASSES&amp;quot; registry hive could not be loaded. Secondly, the registry key &amp;quot;HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders&amp;quot; was actually &amp;quot;corrupted&amp;quot; - which I suspect has some relation to the first part of the issue. You could not even open this key and see the actual registry entries (it wasn&amp;#39;t permissions related, either).&lt;/p&gt;
&lt;p&gt;Fixing the issue was simple: delete the &amp;quot;Shell Folders&amp;quot; key, and recreate all of its registry entries. Everything would then come back fine...&lt;/p&gt;
&lt;p&gt;Corruption? Or bad data? That&amp;#39;s the question. &lt;/p&gt;
&lt;p&gt;Cheers&lt;/p&gt;
&lt;p&gt;Ashley&lt;/p&gt;
</description></item><item><title>re: Mythical Creatures – Corrupt User Profiles</title><link>http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx#3363171</link><pubDate>Wed, 20 Oct 2010 20:18:29 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3363171</guid><dc:creator>sgrinker</dc:creator><description>&lt;p&gt;Mike&lt;/p&gt;
&lt;p&gt;Very nice post. &amp;nbsp;Although would it be possible for you to further elaborate on the few cases you have run across? &amp;nbsp;Mostly from a curiosity standpoint, but I would be interested to see more details on what the real &amp;quot;corruption&amp;quot; looked like, how it manifested, and how it was ultimately found.&lt;/p&gt;
&lt;p&gt;Thanks!&lt;/p&gt;
</description></item></channel></rss>