UPHCleanup, Handle, ProcExp vs. NTUSER.DAT

The infamous:

Windows cannot load the user’s profile but has logged you on with the default profile for the system.

This was received on a Windows Server 2003 Terminal Server (non-roaming profile) when I logged in this morning. I *really* grumble when I see these errors. My first thought was that the NTUSER.DAT and NTUSER.DAT.LOG files were locked. This server has User Profile Hive Cleanup, which is supposed to combat exactly this during a user's log off by making sure handles to the files in the user's profile are closed. First things first, I grabbed Process Explorer from the Sysinternals website. I know from previous experience that in the application you can search for a file and close its handle, so I got to work. I fired up ProcExp, searched for NTUSER.dat, then sorted by handle.

[Figure: Process Explorer Search for Handle]

Next I turned to the Sysinternals Handle command-line tool:

C:\CMDS>handle -u ntuser.dat | find /i "rkreider"
System             pid: 4      type: File           NT AUTHORITY\SYSTEM   27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG
System             pid: 4      type: File           NT AUTHORITY\SYSTEM   2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT

I need the PID and the handle value (hex) from the output above, here PID 4 and handles 27D4 and 2B9C, so I could try to close them:

C:\CMDS>handle -c 27D4 -p 4

Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

  27D4: File  (---)   C:\Documents and Settings\rkreider\ntuser.dat.LOG
Close handle 27D4 in System (PID 4)? (y/n) y

Handle closed.

C:\CMDS>handle -c 2b9c -p 4

Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com

  2B9C: File  (---)   C:\Documents and Settings\rkreider\NTUSER.DAT
Close handle 2B9C in System (PID 4)? (y/n) y

Handle closed.

Now you'd think it would be closed, right, since handle told me so. Let's check!

C:\CMDS>handle -u ntuser.dat | find /i "rkreider"
System             pid: 4      type: File           NT AUTHORITY\SYSTEM   27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG
System             pid: 4      type: File           NT AUTHORITY\SYSTEM   2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT

Aaaiiieee! It didn't work. =( I decided to make sure UPHClean.exe (User Profile Hive Cleanup) was running with a quick

tasklist | find /i "uphclean.exe"

I saw that it was running, so for S&G (shits & giggles) I decided to just restart the service. After I restarted the service, I once again used handle to quickly locate the files using:

handle -u ntuser.dat | find /i "rkreider"

BINGO! It was gone. So, what is the root problem here? UPHClean not doing its job? *shrug*
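The whole loop above (find the NTUSER.DAT handles for one user, try handle -c on each, re-check, and if they are still there bounce UPHClean and re-check again) is easy to script so it can be run the next time the "default profile" error shows up. The following PowerShell is an added example written for this page, not code from the post or from Sysinternals. It assumes handle.exe is on the PATH and has had its EULA accepted, that handle.exe accepts -y to skip the close confirmation, that the UPHClean service is registered under the service name "UPHClean" (display name "User Profile Hive Cleanup"), and PowerShell 2.0 or later. The -DryRun switch parses a constructed sample of handle -u output, modelled on the lines quoted in the post, instead of touching the live system, so the parser can be checked offline.

```powershell
param(
    [string]$User = 'rkreider',
    [switch]$DryRun   # parse constructed sample output; do not close handles or restart anything
)

# Constructed sample modelled on the "handle -u ntuser.dat" output in the post (not real captured data).
# The jdoe line is there to show that another user's hive is left alone.
$SampleOutput = @(
    'Handle v3.46',
    'Copyright (C) 1997-2011 Mark Russinovich',
    'Sysinternals - www.sysinternals.com',
    '',
    'System             pid: 4      type: File           NT AUTHORITY\SYSTEM   27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG',
    'System             pid: 4      type: File           NT AUTHORITY\SYSTEM   2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT',
    'System             pid: 4      type: File           NT AUTHORITY\SYSTEM   3A10: C:\Documents and Settings\jdoe\NTUSER.DAT'
)

# Turn one line of "handle -u" output into an object; banner and blank lines emit nothing.
function ConvertFrom-HandleLine {
    param([string]$Line)
    $pattern = '^(?<proc>.+?)\s+pid:\s+(?<pid>\d+)\s+type:\s+(?<type>\S+)\s+(?<owner>.+?)\s+(?<handle>[0-9A-Fa-f]+):\s+(?<path>.+)$'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return }
    New-Object PSObject -Property @{
        Process = $m.Groups['proc'].Value.Trim()
        Pid     = [int]$m.Groups['pid'].Value
        Owner   = $m.Groups['owner'].Value.Trim()
        Handle  = $m.Groups['handle'].Value.ToUpper()
        Path    = $m.Groups['path'].Value.Trim()
    }
}

# Return only the NTUSER.DAT / NTUSER.DAT.LOG handles that live inside this user's profile folder.
function Get-NtuserHandles {
    param([string]$User)
    $lines = if ($DryRun) { $SampleOutput } else { & handle.exe -u ntuser.dat 2>$null }
    $inProfile = '\\' + [regex]::Escape($User) + '\\ntuser\.dat'   # -match is case-insensitive
    $lines | ForEach-Object { ConvertFrom-HandleLine $_ } | Where-Object { $_.Path -match $inProfile }
}

# Same thing the post does by hand: handle -c <hex> -p <pid>, one handle at a time.
function Close-NtuserHandles {
    param($Handles)
    foreach ($h in $Handles) {
        Write-Host ("Closing handle {0} in {1} (PID {2}): {3}" -f $h.Handle, $h.Process, $h.Pid, $h.Path)
        if (-not $DryRun) { & handle.exe -c $h.Handle -p $h.Pid -y | Out-Null }   # -y: assumed no-prompt switch
    }
}

$open = @(Get-NtuserHandles -User $User)
if ($open.Count -eq 0) { Write-Host "No NTUSER.DAT handles open for $User"; return }

Close-NtuserHandles $open
$still = @(Get-NtuserHandles -User $User)

if ($still.Count -gt 0 -and -not $DryRun) {
    # The situation in the post: handle.exe reported "Handle closed" but System (PID 4)
    # still holds the hive. Fall back to restarting UPHClean, which is what actually worked.
    Write-Host ("{0} handle(s) still open after handle -c; restarting UPHClean" -f $still.Count)
    $svc = Get-Service -Name UPHClean -ErrorAction SilentlyContinue   # service name is an assumption
    if (-not $svc) { Write-Warning 'UPHClean service is not installed on this host'; return }
    if ($svc.Status -ne 'Running') { Write-Warning "UPHClean was $($svc.Status), not Running" }
    Restart-Service -Name UPHClean -Force
    $still = @(Get-NtuserHandles -User $User)
}

if ($still.Count -eq 0) { Write-Host "NTUSER.DAT handles for $User are gone" }
else { $still | Format-Table Process, Pid, Handle, Path -AutoSize }
```

Run it as `.\Fix-NtuserHandles.ps1 -User rkreider -DryRun` first: in dry-run mode it lists the two rkreider handles (27D4 and 2B9C) from the constructed sample, ignores the jdoe hive, and makes no changes. Without -DryRun it needs an elevated prompt on the affected server. Two caveats worth keeping in mind: closing handles inside the System process with handle -c is a blunt instrument and is attempted here only because the post did it, and, as the post shows, it is not what cleared the lock; the service restart is the step that did, so it is worth checking whether UPHClean is actually running before you reach for handle at all.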
