Question

ntuser.dat locked by the system process

Dear Microsoft,

Recently I have been experiencing an issue with Windows Vista I wasn't before. I'll try to explain all the facts and some discoveries I have made on this matter.

Some time after Vista boots, the kernel System "process" (PID 4) will open handles on all the ntuser.dat files of all users on my computer. In that case, if a user tries to logon on his account he sees the "Preparing your Desktop" message and when it is done there is a balloon on system tray saying that the profile could not be loaded, the user is on a temporary account and any changes he makes will not be saved. The only way a user can successfully logon on his account is by rebooting the computer. I don't think the ntuser.dat files are corrupted because I can successfully logon the users after a reboot (and have no problems thereafter). I used Handle and Process Explorer applications from Sysinternals and realised that once the System process opens handles on the ntuser.dat files I start having the logon issues. I still haven't been able to determine why and when the System process will open those handles after the computer boots. Unfortunately, that has sincerely become an unacceptable behaviour since rebooting the computer will interrupt some tasks other users left running on their users (from a Switch User command) or any service task running on the machine in the background.

Honestly, I don't think this problem is related to my anti-virus. Firstly, it is the Kernel System "process" that is locking the ntuser.dat files. Moreover, my anti-virus software has NOT been updated recently (especially since I began having this problem) and, finally, I have the exact same anti-virus software (same version) with a different licence running on my laptop without this problem. My laptop, for some reason, hasn't been offered for the SP2 update yet while my desktop (where the problem lies) has all updates on Windows Update up until today. I have tried formatting and performing a clean install on my computer three times and every time I came up with the exact same issue. For each format I tried installing the updates in a different manner. I have tried installing SP1 and SP2 from standalone download files (and the remaining updates on Windows Update). Then I have tried installing all updates (including the service packs) from Windows Update. I have also tried installing the updates on Windows Update but holding back a little before actually installing them. I have been 3 days free from this issue since my last clean install and now after some updates I have it again. The last installed updates I can see were: KB949104, KB890830, KB973346, KB905866, KB961371, KB960353, KB915597. Some of these updates are Malicious Software removal, Windows Defender updates and Junk Mail filter updates which I don't think are causing this issue. Actually, to be more precise, I believe it was an update after June 19th, a date I can remember I wasn't having this problem.

In any case, just to be clear, this is some information on my computer:
Windows Vista Ultimate 32-bits
Athlon64 3200+, 1GB RAM
NOD32 Anti-Virus 3.0.672.0 (the forums here clearly state that the version 3 of NOD32 is free from the SP2 issues, only version 4 present them)

Below is the output of the handle application when I experience this issue. Just to be clear, there was only one user logged on the machine at the time this capture was executed.

D:\Home\Andre\Program Installers\Power Toys\Handle>handle ntuser.dat

Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

System             pid: 4       320: C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TM.blf
System             pid: 4       324: C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
System             pid: 4       328: C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
System             pid: 4       32C: C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2
System             pid: 4       330: C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System             pid: 4       334: C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{0f694461-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System             pid: 4       748: C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TM.blf
System             pid: 4       750: C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
System             pid: 4       754: C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
System             pid: 4       758: C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2
System             pid: 4       75C: C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System             pid: 4       760: C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{0f694465-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System             pid: 4       964: C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System             pid: 4      14A0: C:\Users\[user2]\NTUSER.DAT
System             pid: 4      1BDC: C:\Users\[user2]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System             pid: 4      1BF8: C:\Users\[user2]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
System             pid: 4      1C08: C:\Users\[user2]\ntuser.dat.LOG1
System             pid: 4      1C0C: C:\Users\[user2]\ntuser.dat.LOG2
System             pid: 4      1C14: C:\Users\[user2]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System             pid: 4      1D78: C:\Users\[user1]\NTUSER.DAT
System             pid: 4      1EF0: C:\Users\[user3]\ntuser.dat.LOG2
System             pid: 4      2078: C:\Users\[user3]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms
System             pid: 4      209C: C:\Users\[user3]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000002.regtrans-ms
System             pid: 4      2150: C:\Users\[user3]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
System             pid: 4      21CC: C:\Users\[user3]\ntuser.dat.LOG1
System             pid: 4      2254: C:\Users\[user3]\NTUSER.DAT
System             pid: 4      226C: C:\Users\[user1]\ntuser.dat.LOG1
System             pid: 4      228C: C:\Users\[user1]\ntuser.dat.LOG2
System             pid: 4      233C: C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TM.blf
System             pid: 4      237C: C:\Users\[user1]\NTUSER.DAT{0f69446d-6a70-11db-8eb3-985e31beb686}.TMContainer00000000000000000001.regtrans-ms

I renamed the user profile names but believe me when I say those are ntuser.dat files from three different directories (user profiles) on my machine. The Event Viewer IDs when a user tries to logon in these conditions are 1508, 1502, 1515 and 1511, all issued by "User Profile Service". Does anyone have any suggestion on what could be causing this?

I would like to thank you, in advance.

Andre
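
The check the original poster made by eye on the handle output can be scripted. The following is an added example, not part of the original post: it parses handle.exe output in the format shown above and lists user profiles whose NTUSER.DAT hive is held open although the user has no session. The function names, the sample lines and the logged-on list are constructed for illustration, and it assumes user profiles live under C:\Users.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the `handle ntuser.dat` output above;
# the [userN] placeholders stand in for real profile names, as in the post.
SAMPLE = r"""
System             pid: 4       324: C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
System             pid: 4       754: C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
System             pid: 4      14A0: C:\Users\[user2]\NTUSER.DAT
System             pid: 4      1C08: C:\Users\[user2]\ntuser.dat.LOG1
System             pid: 4      1D78: C:\Users\[user1]\NTUSER.DAT
System             pid: 4      1EF0: C:\Users\[user3]\ntuser.dat.LOG2
System             pid: 4      2254: C:\Users\[user3]\NTUSER.DAT
"""

# One result line: process name, pid, hex handle value, file path.
LINE = re.compile(
    r"^(?P<proc>.+?)\s+pid:\s*(?P<pid>\d+)\s+(?P<handle>[0-9A-Fa-f]+):\s+(?P<path>.+?)\s*$")

def parse_handles(text):
    """Return a list of (process, pid, handle, path); banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m["proc"], int(m["pid"]), int(m["handle"], 16), m["path"]))
    return rows

def loaded_hives(rows):
    """Map profile directory -> owning pids, for handles on the hive file itself
    (NTUSER.DAT), ignoring its .LOG, .blf and .regtrans-ms companions."""
    hives = defaultdict(set)
    for _proc, pid, _handle, path in rows:
        folder, _, name = path.rpartition("\\")
        if name.lower() == "ntuser.dat":
            hives[folder].add(pid)
    return dict(hives)

def unexpected_hives(rows, logged_on, users_root=r"C:\Users"):
    """Profiles under users_root whose hive is open although the user has no session.
    Service profiles live outside users_root and are normally loaded, so they are skipped."""
    logged = {u.lower() for u in logged_on}
    prefix = users_root.lower() + "\\"
    out = []
    for folder in loaded_hives(rows):
        if folder.lower().startswith(prefix):
            user = folder[len(prefix):]
            if user.lower() not in logged:
                out.append(user)
    return sorted(out)

if __name__ == "__main__":
    # Constructed scenario: only [user1] has a session, as in the capture above.
    print(unexpected_hives(parse_handles(SAMPLE), logged_on=["[user1]"]))
```

Run against captures taken at intervals after boot, the same functions show when the extra hives first appear, which narrows down what was running at that moment.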


Answer

If it is not too late - http://www.google.com/support/forum/p/earth/thread?tid=79ca6bd9c3819ea8&hl=en. Seems like this issue came with googleupdater.
Вернигора Андрей MCP, MCDBA, MCSA, MCSE

Go to NOD32 and get their UNINSTALL instructions

or use Revo

http://www.revouninstaller.com/

Uninstall NOD32, reboot and then see if the problem still exists.

You can reinstall NOD32 if you desire.

You could also download these before you uninstall NOD32.

Avast - Home - Free - double click on Blue A - click details by OK button, then on upper left TERMINATE any unneeded
shields except keep Web Shield, Standard Shield, and Network Shield ON. I terminate P2P, Outlook/Exchange and
Messaging because I do not use those programs.
http://www.avast.com/eng/avast_4_home.html

Prevx - Home - Free  small, fast, exceptional CLOUD protection and works with other security products. This is scanner
only mode which I use, if it finds something then come back here or check Google to get removal instructions.
http://www.prevx.com/

Prevx review by PC-Mag
http://www.pcmag.com/article2/0,2817,2346862,00.asp


At least now you will know if NOD32 is part of the equation.


Rob - Bicycle - Mark Twain said it right.

SpiritX MS MVP

Community Moderator
Rob Brown - Microsoft MVP - Windows Expert - Consumer : Bicycle - Mark Twain said it right.


Rob, thank you for your reply.

I wasn't clear enough on my e-mail but I have already tried that. On my third clean install I did not install any programs until Windows was up to date. I began experiencing the problem before I installed NOD32.

I have 10 NTUSER.DAT on my machine, and only two users, along with Public and Default.

Try this: use the Hidden Admin Account to lower the users to lowest level. APPLY/OK  then go back
and reset them to the desired level.... this sometimes clears corruption.

And try this.. use the HAA to make a New User.... simple name  test  password ->  password  all lower case.
Give it FULL ADMIN

Reboot and login to that account and see if issue is there.

Be sure to disable the HAA once you are done..... if it corrupts you are toast.

Another tip, make another FULL ADMIN account with different name and your same password to use when
needed to fix your own or other accounts.

How to Enable or Disable the Real Built-in Administrator Account in Vista
http://www.vistax64.com/tutorials/67567-administrator-account.html

also :

have you tried SFC /scannow  or Chkdsk? even startup repair might be needed.


Rob - Bicycle - Mark Twain said it right.

Thank you again, Rob. I tried messing with the profiles levels and the HAA. Nothing. After some time the system process (PID: 4) will still open handles to the ntuser.dat files and I can't log on the users anymore (only after a reboot, then they load as if nothing had happened). I am always redirected to the "Temporary" profile (even if the user has admin rights). I have tried putting all users with admin rights, lower rights. I have also tried creating and removing test profiles (and the entire C:\User\[name] folder structure) but the process seems to open these handles nonetheless causing the issue.

Well, I completely uninstalled my anti-virus but I still haven't had time to test it. I saw on ESET webpage that the NOD32 4.0 has an upgrade solving the issues with Vista SP2, however, I am not sure my licence is entitled for the upgrade.

Thank you again for the help.

Andre

I use these because they are extremely compatible and effective.

Avast - Home - Free

Prevx - Home - Free

they work extremely well together.

Avast - Home - Free  (right on Blue Icon - Details and TERMINATE any shield not use except Standard, Network,
and Web which should be left running.)
http://www.avast.com/eng/avast_4_home.html

Prevx - Home - Free is a small, fast, adds exceptional CLOUD protection, works with other products. Free is the
fully functional scanner only, so if it finds critters just come back here or Google for removal methods.

Prevx - Home - Free
http://www.prevx.com/freescan.asp

PCmag - Prevx - Editors Choice
http://www.pcmag.com/article2/0,2817,2346862,00.asp
Rob - Bicycle - Mark Twain said it right.

Thank you for the tips, Rob. However, I won't change my AV at least until my license expires.

Anyway, I just tested without my anti-virus and, no surprise, the issue is there again. I followed all the vendor's steps to remove the AV completely (even manually deleting the Registry keys and files outside the Program Files folder as they instructed). As I said on my first post, I began experiencing this issue even before installing NOD32 (in fact, before installing ANY non-Microsoft program) so I removed it today just to follow your advice.

I'll see what I can do to test on my laptop. But, like I said, I wasn't experiencing these issues before the last few updates (so this is not SP2 related either). I very rarely turn off my computer and have 3 people using it. Each of them have their own profiles with their own customizations. So I've never had problems with users not being able to log on their profiles some time after the computer was booted up until now.

This exact same problem started for me on 26th July - I have Kaspersky IS 2009.

All 3 profiles are once a day loading in temp mode - a reboot fixes.

Happens when we switch profiles.


Exact same thing here, started two months ago.


I was using "Avira Antivir" as antivirus, changed for Microsoft MSE, problem is still there.


(maybe, since I will upgrade to Seven in the upcoming weeks, I hope imagine that problem may disappear)



Hi Andre,

I'm experiencing exactly the same problems with profiles on a Server 2008 system; have you solved yours?

Thank you

No, I still haven't solved my problem. I really tried enabling and disabling everything I could and nothing. My only solution was to live with the problem, no matter how unacceptable it is. It is very unfortunate to say that, but I am starting to give up on defending Microsoft from all those unfair attacks they receive. No matter how unfair most of those attacks are, people do have a point in attacking Microsoft.

With all that said, I must say I haven't experienced this issue on the same situations I used to anymore. In fact, there are some days since I haven't experienced it. I can't say for sure whether it was fixed or not, the only thing I can say is that I did nothing to fix it.

And it is very bad to hear you are experiencing it on Server 2008. Not only the server system is meant to never reboot, but it is also sad that the problem is not isolated within Windows Vista alone.