Thread: 1.6.1.41 No unloading PE_C_ALL USERS Registry hive

  1. #1
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default 1.6.1.41 No unloading PE_C_ALL USERS Registry hive

    Hi Everyone,

    PepiMK, I am hoping that you find your way to this thread. I am the guy that reported the users registry hive lock problem for 1.6.0. Thanks for taking care of that problem. I have just installed the 1.6.1.41 release candidate on a client's machine. The SID based user hives are now unloading perfectly. However, I have noticed that PE_C_ALL USERS is not unloading from HKEY_USERS. This hive will not cause a problem with locking user profiles, but it should also be unloaded when Spybot terminates. By the way, what is the PE_C_ALL USERS hive? Thanks for your support...

  2. #2
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Are you working from drive D: and have another installation on drive A:?

    PE_C_ALL USERS would be the hive found at C:\Documents and Settings\All Users\ntuser.dat ... but the all users hive is loaded by the system, and once it is loaded, Spybot shouldn't even be able to load it itself (that's why I'm thinking it might belong to a different installation).
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Hi PepiMK,

    Thanks for your reply. The machine in question has never had Spybot installed before, and I am working from drive C with no other drives on the machine. After the install I figured I would check the Users hive after terminating Spybot. This is when I found the PE_C_ALL USERS hive. I manually unloaded the hive and ran Spybot again. The hive returned in HKEY_USERS. I manually unloaded the hive again and tried a third time. The result was the same. Spybot is definitely loading this hive and not unloading it after termination. PE_C_ALL USERS only has two folders in it (Control Panel and Keyboard Layout). I cannot imagine that spyware would plant itself here. In my opinion the hive should never be loaded at all. Hope this helps you find the problem. Thanks for your support...
    Last edited by MrGreg; 2009-01-12 at 16:00.

  4. #4
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Hi PepiMK,

    I was curious about what you said here...

    Spybot shouldn't even be able to load it itself (that's why I'm thinking it might belong to a different installation).
    I am able to manually load/unload the hive C:\Documents and Settings\All Users\ntuser.dat into HKEY_USERS using Regedit. This means that Spybot can also load/unload the All Users hive. When I Google this hive I get several hits from folks posting their antivirus scan logs. It seems that their logs indicate the All Users hive is locked on their machines when they ran the scan. I am curious why the hive is locked on their machines and not mine. I have also tried this on another machine with the same result, in that the hive is not loaded/locked by Windows. Can you explain this? Thanks for your support...
    Last edited by MrGreg; 2009-01-13 at 21:15.

  5. #5
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    I searched a bit myself, but did not find that hive on any machine I looked at! It does not make a lot of sense anyway... what exactly would an "All Users" hive do? I seem to have mistaken it for the .DEFAULT hive the first time I read it.

    Still need to check machines that are part of a domain. Maybe it could make some sense for domain policies?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  6. #6
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Hi PepiMK,

    I have figured out what is happening. Spybot is parsing the Documents and Settings subfolders and looking for NTUSER.DAT hive files. If it finds a user hive then it tries to get the SID for the hive. If it finds a SID for the hive then it loads the hive using the SID under HKEY_USERS. If a SID is not found then Spybot is loading the hive the old way using PE_C_Username. In the case that a SID is not found for the hive, the PE_C_Username is not unloaded after normal termination.

    This theory can be tested by creating a folder "Test" under Documents and Settings. Then place any NTUSER.DAT file in the "Test" folder. In fact you can create an empty .TXT file and rename it to NTUSER.DAT if you like. Now run Spybot and you will see a key PE_C_TEST under HKEY_USERS.

    The question is what to do about this. Here is what I think. If Spybot cannot find the SID for an NTUSER.DAT, then that hive should be ignored. Hives without a SID must be the All Users hive or user account hives that are no longer active on the system. When you remove an account from the system, you are given the option to delete or keep the files. So this would explain NTUSER.DATs without an associated SID. If there are a lot of dead accounts with NTUSER.DATs remaining, then this will increase the scan time. What do you think?

    I have also made some progress on why some systems have an NTUSER.DAT hive in the All Users folder. I had a look at the NTUSER.DAT.LOG using Notepad. From what I can see it is associated with Windows Media Player. I am not sure how the hive is getting created or why, but WMP is definitely using it or did so at some time. I have attached a zip file with the NTUSER.DAT and NTUSER.DAT.LOG from the All Users folder. Load the hive under HKEY_USERS and check out the data. It does not give me any clues, but if you open up NTUSER.DAT.LOG in Notepad you will see the reference to WMP.

    I hope that you can slip in a fix for this before the final release of 1.6.1. Thanks...
    Last edited by MrGreg; 2009-01-14 at 10:55.
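The hive-selection logic described in post #6 (resolve a SID for each NTUSER.DAT, otherwise fall back to a PE_C_<FOLDER> key), together with the proposed fix of skipping hives without a SID, as an added example that is not Spybot's own code. It assumes SIDs are resolved by matching the profile folder against ProfileImagePath values from the ProfileList key; the ProfileList entries, folder names and HKEY_USERS listing are constructed sample data.

```python
# Added example, not Spybot code. Models the behaviour described in the thread
# on constructed data, so it runs offline without touching a live registry.
# Assumption: a hive's SID is found by matching its folder against the
# ProfileImagePath values of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
import ntpath

SYSTEM_DRIVE = "C:"  # assumed value used to expand %SystemDrive%


def expand(path):
    """Normalise a profile path so ProfileList and on-disk forms compare equal."""
    return path.replace("%SystemDrive%", SYSTEM_DRIVE).lower().rstrip("\\")


def hive_key_for(profile_dir, profile_list, ignore_orphans):
    """Return the HKEY_USERS subkey this NTUSER.DAT would be loaded under.

    profile_list maps SID -> ProfileImagePath. A registered profile yields its
    SID. An unregistered folder yields the legacy PE_C_<FOLDER> key (the
    behaviour reported in the thread) or None when orphans are skipped (the fix
    proposed in post #6).
    """
    wanted = expand(profile_dir)
    for sid, image_path in profile_list.items():
        if expand(image_path) == wanted:
            return sid
    if ignore_orphans:
        return None
    return "PE_C_" + ntpath.basename(profile_dir).upper()


def leftover_pe_c_hives(hkey_users_subkeys):
    """Subkeys the reported bug would leave behind after Spybot exits."""
    return sorted(k for k in hkey_users_subkeys if k.upper().startswith("PE_C_"))


# Constructed sample data (not taken from any real machine).
PROFILE_LIST = {
    "S-1-5-21-1111-2222-3333-1001": r"%SystemDrive%\Documents and Settings\Greg",
    "S-1-5-18": r"%SystemDrive%\WINDOWS\system32\config\systemprofile",
}
PROFILE_DIRS = [
    r"C:\Documents and Settings\Greg",
    r"C:\Documents and Settings\All Users",  # no SID: the hive from the thread
    r"C:\Documents and Settings\Test",       # the folder from the post's experiment
]


def classify_all(ignore_orphans):
    """Map every profile folder to the key it would be loaded under."""
    return {d: hive_key_for(d, PROFILE_LIST, ignore_orphans) for d in PROFILE_DIRS}


if __name__ == "__main__":
    for mode in (False, True):
        print("ignore_orphans =", mode)
        for folder, key in classify_all(mode).items():
            print("  ", folder, "->", key)
```

Running it prints the legacy mapping first (PE_C_ALL USERS and PE_C_TEST appear) and then the proposed behaviour, where only the SID-backed profile is loaded.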
