Registry not unloading - event warnings and error

Status
Not open for further replies.

wackobird

When I shut down the pc, the following application events (Warning type) are occurring:

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1524
Date: 7/8/2008
Time: 2:53:15 AM
User: YOUR-F31493CC9A\Owner
Computer: YOUR-F31493CC9A
Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 7/8/2008
Time: 2:53:21 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-F31493CC9A
Description:
Windows saved user YOUR-F31493CC9A\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


As soon as I log on in the morning there are several more application events (information type) category None for iPod Service, gusvc, and Bonjour Service; and a category (1) for Avira AntiVir. Event ID for all is 0, with the exception of Avira, Event ID: 4096. The description is identical for all:

Event Type: Information
Event Source: Avira AntiVir
Event Category: (1)
Event ID: 4096
Date: 7/8/2008
Time: 11:00:21 AM
User: NT AUTHORITY\SYSTEM
Computer: YOUR-F31493CC9A
Description:
The description for Event ID ( 4096 ) in Source ( Avira AntiVir ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: , , , .


There is also a system event (Error type) for Service Control Manager Event ID: 7000 with this description:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 7/8/2008
Time: 11:00:17 AM
User: N/A
Computer: YOUR-F31493CC9A
Description:
The Automatic LiveUpdate Scheduler service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Are the error and information events because of the profile not unloading? Should I be concerned WHY it isn't unloading, or just use the UPHClean Service and not worry about it? Is this service something I would leave in place or uninstall later? Sorry for the length of the post, and thank you in advance for any guidance or suggestions.
 
Thank you, CCT, that link is the one I followed regarding the UPHClean service. My questions were not whether to use it, but should I be concerned WHY the registry isn't unloading? Is it something I'm doing to cause this? Is this service something that is left in place, or should it be uninstalled later?
 
You're right, I read the reply before the edit was added. Thank you for the additional info. I had disabled the service for Apple Mobile Device, since I don't use either an iPhone or Apple TV and have no plans to. I was starting to wonder if that had caused problems. The items that really concerned me were Avira and Live Update (I'm hoping this meant Windows Update and not something else).
 
Ok, I downloaded UPHClean service and installed it. When I check the event viewer, there is an item related to that service:


Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1401
Date: 7/9/2008
Time: 11:03:53 AM
User: YOUR-F31493CC9A\Owner
Computer: YOUR-F31493CC9A
Description:
The following handles in user profile hive YOUR-F31493CC9A\Owner

(S-1-5-21-1053390937-329126051-2261473879-1006) have been remapped because they were preventing the profile from unloading successfully:

svchost.exe (1032)
HKCU (0x340)

MsMpEng.exe (1156)
HKCU (0x464)
HKCU\Software\Classes (0x51c)

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



What will this "remapping" do? msmpeng is the scanner for Windows Defender, and svchost... well, I have 7 of those currently running! When I click the link within the information properties it comes up saying no additional information is available, so it's useless.

I've noticed the Userenv warnings are no longer there... but all the rest are! So much for my theory that they may have been caused by the registry not unloading correctly...

Which means I still have an issue with my Automatic Live Update Scheduler (Event ID 7000) and my Avira AntiVir (Event ID 4096 Category 1), along with the others. I could care less about iPod, Google updater and what the heck is Bonjour anyway? I would rather these things didn't just load on their own and it especially bothers me that Bonjour & gusvc (Google updater) load prior to my Security Center or Avira! I'm not even using the Google toolbar!

While clicking the various information property links, one of them mentioned the registry getting maxed out being an issue. I've been worried about what mine looks like, because I know I have several things that I can't get rid of via add/remove programs in control panel. I have downloaded Hijackthis and Ccleaner, but I'm very leery about running these without guidance. I'm pretty certain I suffer from registry bloat. Do I need to start a new thread or move to a different forum?

I tried the free Windows Livecare online checkup, but it made my system crawl... so I uninstalled it. Could that have contributed to this? I'm at a loss here... any suggestions?
 
You really don't have much of a problem. All you have to do is determine which of the reasons the Auto Live Update isn't happening (below):
For Event #7000, Source: Service Control Manager, Description: The system cannot find the path specified. A Network Error code #3 is generated for this:
This error code may indicate one of the following:
- the requested path does not exist
- the user may not have enough folder permissions to access a specific path or its location, or the path may be on the network and the user does not have the right to access resources over the network (typically happening for the SYSTEM account).

Warning, Event Source: Userenv, Event ID#1517. First, understand this is a Warning, not an Error. It happens whenever you shut down and don't log off first. I've been seeing that one for 6 years! Don't worry about the fancy Registry 'techno-speak.'
Read these descriptions from Event 1517 carefully:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Windows saved user YOUR-F31493CC9A\Owner registry while an application or service was still using the registry during log off.
This doesn't say "load"- it says "unload" and it's because you didn't log off to 'unload' the Registry. It just means that your Registry information is still in the memory.

As for Information Events, that's all they are: logging what is done. The Event Viewer contains logs for the System, Apps and Security Audit. They document everything that is happening in your computer. Using the Event ID#, the Source and the Description for "Errors", troubleshooting can begin to find the cause, and hopefully resolution, for a problem with your computer.

The Event Viewer can be a good tool. A user can become very confused just browsing the Event Viewer without any idea of its use or purpose! It is an excellent tool to troubleshoot a problem or an error message that appears, but considering that it contains logs for everything happening on the system, 'overuse' is not recommended!

Ignore Event Type: Information Event Source: Avira AntiVir Event ID: 4096
 
Bobbye said:
You really don't have much of a problem. All you have to do is determine which of the reasons the Auto Live Update isn't happening (below):
For Event #7000, Source: Service Control Manager, Description: The system cannot find the path specified. A Network Error code #3 is generated for this:
This error code may indicate one of the following:
- the requested path does not exist
- the user may not have enough folder permissions to access a specific path or its location, or the path may be on the network and the user does not have the right to access resources over the network (typically happening for the SYSTEM account).


Bobbye - Thank you for your reply and your patience.

How do you recommend I determine the reason Auto Live Update isn't happening? This pc is a stand-alone desktop, not networked. My user profile has full admin rights.

I had asked earlier within this post if I should post a HJT log here or move to the security forum for assistance? Possibly someone experienced with HJT might notice something. I am heading back to TrendMicro to run another online check.

There is only one other event warning that is recurring, regarding tcpip:

Details
Product: Windows Operating System
ID: 4226
Source: Tcpip
Version: 5.2
Symbolic Name: EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED
Message: TCP/IP has reached the security limit imposed on the number of concurrent (incomplete) TCP connect attempts.


Again, thank you to the helpers in these forums for any advice.
 
Ignore Warnings.

Automatic LiveUpdate Scheduler service: Check Services in the Administrative Tools in the Control Panel. See if Avira has a Service for this. If you see it> right click> Properties> change start up mode to Automatic> Start the Service.

If you don't find a Service for it, go offline (File> Work offline) and reinstall Avira from the setup on your desktop. Go back online and check for updates.

I have no experience with the UPHClean service.
 
A workaround for Symantec Auto Live Update failure is total removal and reboot and reinstall.

You shouldn't run Norton products with ANY other AV since it is such a PITA about sharing. (imho)
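
Added example, not part of any post in this thread: one way to check the "path not found" cause of Event ID 7000 discussed above is to read each matching service's configured executable path and test whether that file exists. The `*LiveUpdate*` display-name pattern and the sample path strings are assumptions; `Get-CimInstance` needs PowerShell 3 or later (on older systems `Get-WmiObject Win32_Service` exposes the same properties).

```powershell
# Added example: resolve a service's executable from its PathName and check it exists.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Expand variables such as %SystemRoot% before parsing.
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName).Trim()
    # Quoted path: the executable is everything between the first pair of quotes.
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path (may contain spaces): take everything up to the first ".exe".
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    # Fallback: first whitespace-delimited token.
    return ($expanded -split '\s+')[0]
}

function Test-ServiceBinary {
    # Hypothetical default pattern; adjust to the display name shown in the event.
    param([string]$DisplayNamePattern = '*LiveUpdate*')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        ForEach-Object {
            $exe = Get-ServiceExecutable -PathName $_.PathName
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                RunsAs      = $_.StartName   # account the service starts under
                Executable  = $exe
                # False here matches "The system cannot find the path specified."
                Exists      = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
            }
        }
}

# Constructed PathName values (not from the thread) showing the shapes handled.
$samples = '"C:\Program Files\Example\upd.exe" /svc',
           'C:\Program Files\Example\upd.exe /svc',
           '%SystemRoot%\system32\svchost.exe -k netsvcs'
$samples | ForEach-Object { Get-ServiceExecutable -PathName $_ }

# Live check: services whose binary is missing, plus the most recent 7000 errors.
Test-ServiceBinary | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A row with `Exists` set to `False` usually means the program was removed while its service entry was left behind; the `RunsAs` column shows which account would need access to the path.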
 