Windows Vista Forums

Windows Defender is Corrupting Profile
  1. #1


    Aaron Oneal Guest

    Windows Defender is Corrupting Profile

    I'm having an issue that I've traced to Windows Defender. Periodically I
    noticed my stored network passwords were disappearing. After reviewing the
    event logs, I think it's occurring each time I get this message. Any
    suggestions (other than turn off WD)?



    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service"
                  Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
        <EventID Qualifiers="32768">1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-04-13T00:14:59.000Z" />
        <EventRecordID>17096</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>Pegasus</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">1 user registry handles leaked from
        \Registry\User\S-1-5-21-885596355-2598441921-1701884729-500_Classes: Process
        1180 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key
        \REGISTRY\USER\S-1-5-21-885596355-2598441921-1701884729-500_CLASSES</Data>
      </EventData>
    </Event>



  2. #2


    Jesper Guest

    RE: Windows Defender is Corrupting Profile

    What makes you think this has to do with Windows Defender?

    Also, am I reading this log right as saying you are running as the built-in
    Administrator?
    ---
    Your question may already be answered in Windows Vista Security:
    http://www.amazon.com/gp/product/047...otectyourwi-20



  3. #3


    Aaron Oneal Guest

    RE: Windows Defender is Corrupting Profile

    The instance of svchost.exe (process 1180) at the time the event occurred was
    hosting the Windows Defender service. The disappearance of network passwords
    seemed to coincide with the times that these entries appeared in the logs. I
    assumed Windows Defender was responsible, but it stands to reason this could
    also be the result of something affecting both WD and the saved credentials.
    I have disabled WD and will test over the next few days to see if the problem
    returns. It's intermittent, but usually occurs a couple times a week. I'm not
    running under the administrator account, but I do have scheduled a nightly
    backup service that is. I'll check the logs to see if there might be any
    correlation.


  4. #4


    Jesper Guest

    RE: Windows Defender is Corrupting Profile

    OK, that's a reasonable correlation, but still not sure that is really
    Defender related.

    The thing is that the event specifically talks about a handle leak for the
    Administrator account's hive. I don't think that's related to your loss of
    network passwords, and I wonder if it is Defender that is leaking it or your
    backup program.

    If you want to test this, disable Defender and see what happens. However, I
    run Defender, and so do many others, and we don't see this problem. I'd be
    more inclined to look elsewhere if I were you.

    ---
    Your question may already be answered in Windows Vista Security:
    http://www.amazon.com/gp/product/047...otectyourwi-20


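The reading of event 1530 discussed in posts #2 to #4, as an added example that is not part of the original thread: it parses the posted event and separates the account that logged it (`Security UserID`) from the account whose hive leaked and the process still holding the handle. The function names are hypothetical, and the regular expressions are written against the one message shown in the thread, so other Windows builds may word the detail differently.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event from post #1, trimmed to the fields used here, viewer "-" markers removed.
EVENT_1530 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<TimeCreated SystemTime="2007-04-13T00:14:59.000Z" />
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from
\Registry\User\S-1-5-21-885596355-2598441921-1701884729-500_Classes: Process
1180 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key
\REGISTRY\USER\S-1-5-21-885596355-2598441921-1701884729-500_CLASSES</Data>
</EventData>
</Event>"""

# Well-known service SIDs and account RIDs (fixed values on every Windows system).
WELL_KNOWN_SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
                   "S-1-5-20": "NetworkService"}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}

# "<n> user registry handles leaked from \Registry\User\<SID>[_Classes]:"
HIVE_RE = re.compile(
    r"(?P<count>\d+)\s+user registry handles?\s+leaked from\s+"
    r"\\Registry\\User\\(?P<sid>S-[\d-]+)(?P<classes>_Classes)?:",
    re.IGNORECASE,
)
# One or more "Process <pid> (<image>) has opened key <key>" entries may follow.
HOLDER_RE = re.compile(
    r"Process\s+(?P<pid>\d+)\s+\((?P<image>[^)]+)\)\s+has opened key\s+(?P<key>\S+)",
    re.IGNORECASE,
)


def describe_sid(sid):
    """Map a SID to a readable label using only well-known SIDs and RIDs."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    # S-1-5-21-<a>-<b>-<c>-<RID>: machine or domain account, RID is the last part.
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        return WELL_KNOWN_RIDS.get(rid, f"account with RID {rid}")
    return "unrecognised SID"


def analyze_hive_leak(event_xml):
    """Return who logged a 1530 event, whose hive leaked, and which processes hold it."""
    root = ET.fromstring(event_xml)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id != 1530:
        raise ValueError(f"not a hive-leak event: {event_id}")
    logged_by = root.find("e:System/e:Security", NS).get("UserID")
    detail = root.find("e:EventData/e:Data[@Name='Detail']", NS).text
    hive = HIVE_RE.search(detail)
    if hive is None:
        raise ValueError("Detail text does not match the expected wording")
    holders = [(int(m["pid"]), m["image"], m["key"])
               for m in HOLDER_RE.finditer(detail)]
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        # The service that wrote the event, not the affected user.
        "logged_by": describe_sid(logged_by),
        "hive_sid": hive["sid"],
        "hive_account": describe_sid(hive["sid"]),
        "classes_hive": hive["classes"] is not None,
        "handle_count": int(hive["count"]),
        "holders": holders,
    }


if __name__ == "__main__":
    for field, value in analyze_hive_leak(EVENT_1530).items():
        print(f"{field}: {value}")
```

The PID only identifies the svchost.exe instance; which service it hosted at that moment has to be established separately, as post #3 did.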

  5. #5


    Aaron Oneal Guest

    RE: Windows Defender is Corrupting Profile

    Good advice. WD was disabled and it happened again. I've manually invoked my
    backup program a few times and have been unable to trigger it that way. I
    don't know what's going on, but it's really getting to be a problem. I guess
    I'll look to see if there's a pattern with VSS next. Here are the only events
    since the last time it occurred in case anyone has additional thoughts.

    The oldest shadow copy of volume C: was deleted to keep disk space usage for
    shadow copies of volume C: below the user defined limit.
    The Volume Shadow Copy service entered the running state.
    The Microsoft Software Shadow Copy Provider service entered the running state.
    The Volume Shadow Copy service entered the stopped state.
    The Microsoft Software Shadow Copy Provider service entered the stopped state.

    The time stamp counter of CPU on scheduler id 1 is not synchronized with
    other CPUs.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSSQL$SQLEXPRESS" />
        <EventID Qualifiers="16384">17896</EventID>
        <Level>4</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-04-14T12:42:55.000Z" />
        <EventRecordID>17522</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Pegasus</Computer>
        <Security />
      </System>
      <EventData>
        <Data>1</Data>
        <Binary>E84500000A0000001300000050004500470041005300550053005C00530051004C004500580050005200450053005300000000000000</Binary>
      </EventData>
    </Event>

    Disk(s) were polled for SMART status.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NVRAIDSERVICE" />
        <EventID Qualifiers="16384">1024</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-04-14T12:47:44.000Z" />
        <EventRecordID>17525</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Pegasus</Computer>
        <Security />
      </System>
      <EventData>
        <Data>N/A</Data>
        <Data>N/A</Data>
        <Data>N/A</Data>
        <Data>N/A</Data>
      </EventData>
    </Event>

    msnmsgr (4012)
    \\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db:
    Online defragmentation is beginning a full pass on database
    '\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db'.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ESENT" />
        <EventID Qualifiers="0">700</EventID>
        <Level>4</Level>
        <Task>10</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-04-14T13:01:03.000Z" />
        <EventRecordID>17526</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Pegasus</Computer>
        <Security />
      </System>
      <EventData>
        <Data>msnmsgr</Data>
        <Data>4012</Data>
        <Data>\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db:</Data>
        <Data>\\.\C:\Users\xxx\AppData\Local\Microsoft\Messenger\xxx\SharingMetadata\Working\database_4A80_E159_80E1_4C4F\dfsr.db</Data>
      </EventData>
    </Event>


  6. #6


    Aaron Oneal Guest

    RE: Windows Vista is losing Stored Network Passwords

    For posterity, I wanted to update this thread with some additional
    information in case someone else runs into the same problem. Lately it seems
    the times that network credentials disappeared also coincided with times
    where I experienced another unusual behavior -- windows, context menus, etc.
    would not open. I was running only a few applications, but I noticed closing
    one or two seemed to make the system responsive again. Thinking it was a
    memory issue, I checked, but plenty of my 2GB of RAM was still available. It
    turns out I was running out of desktop heap. There's an article here on the
    issue and a workaround:

    http://blogs.msdn.com/tonyschr/archi...mitations.aspx

    Since I made the adjustment mentioned in the article, I haven't experienced
    the problem again. I'm not sure why this system was running out of heap with
    the default settings. I have pretty much identical software (other than
    drivers) on two of my machines here, but only one had the issue. I suppose a
    rogue driver or app might be causing a leak, in which case, I should
    eventually hit the limit again even after making the heap size update. I'll
    update this thread with more info if I discover anything new.


  7. #7


    Aaron Oneal Guest

    RE: Windows Vista is losing Stored Network Passwords

    Well, it looks like the desktop heap issue was unrelated because my stored
    network credentials just disappeared again. This sure has been a tough one to
    track down. At least I haven't run out of heap yet, maybe one problem solved.

