⚑ Deus Ex Machina ➽ Eventlog Lookup

Userenv - 1517


Description »
Windows saved user DOMAIN\sAMAccountName registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. 

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
Data formatted as » None

Short answer: install UPHClean.

Long answer: The user session is being logged off, so Windows is trying to unload the user profile hive. This hive is the part of the registry that the user sees as HKEY_CURRENT_USER, and it is stored on disk in the user's profile as NTUSER.DAT. Whilst the user is logged on, the hive is loaded into memory. When they log off, it is written back to disk and unloaded from memory.
In the case of this log entry, Windows has been unable to unload the hive from memory because something is still using it (it still has an open handle to it). This may be because something else is running as the user (e.g. a service), or it may be the result of a bug in a filter driver that keeps handles open where they are no longer needed. Or it could just be some process which doesn't want to exit. Install UPHClean to remap these handles and prevent this issue from occurring.
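
The event text names services running under a user account as a common cause. As an added example (not part of the original page), this Windows PowerShell script collects the accounts named in Userenv 1517 events and lists services that log on as something other than the built-in service accounts, flagging those whose account appears in a 1517 event. It assumes the English message text quoted above and that it is run on the affected host; the variable names and the `SeenIn1517` column are illustrative.

```powershell
# Added example: run in Windows PowerShell on the host that logs event 1517.
# Assumes the English message text shown on this page.

# Built-in service accounts that do not load a user's profile hive.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

# Accounts named in Userenv 1517 events (Application log).
$accounts = Get-EventLog -LogName Application -Source Userenv -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.EventID -eq 1517 -and
            $_.Message -match 'Windows saved user (.+?) registry while') {
            $Matches[1]
        }
    } |
    Sort-Object -Unique

# Compare on the user part only, so DOMAIN\svc and .\svc both match "svc".
# Accounts written as user@domain are not normalised here.
$users = @($accounts | ForEach-Object { ($_ -split '\\')[-1] })

# Services whose logon account is not one of the built-in accounts.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
    ForEach-Object {
        $svcUser = ($_.StartName -split '\\')[-1]
        New-Object PSObject -Property @{
            Service    = $_.Name
            StartName  = $_.StartName
            State      = $_.State
            SeenIn1517 = ($users -contains $svcUser)   # account also named in a 1517 event
        }
    } |
    Sort-Object SeenIn1517 -Descending |
    Format-Table Service, StartName, State, SeenIn1517 -AutoSize
```

Services with `SeenIn1517` set to `True` are the first candidates for moving to LocalService or NetworkService, as the event text suggests. An empty result means the open handle belongs to something other than a service, such as a filter driver or a lingering process.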