Spybot 1.6 locking user registry hives
Hi Everyone,
I have uncovered a nasty problem with 1.6. I run a weekly scheduled scan using the Administrator account on all of my clients' machines. I received several calls this morning from clients saying that they all are receiving the message "Windows cannot find the local profile and is logging you on with a temporary profile." when logging into their limited accounts. Their accounts are limited accounts for security reasons.
I had one of my clients log in to the Administrator account to investigate. When we examined the HKEY_USERS hive, we discovered a folder called PE_C_HARVEY. Harvey is the name of the limited user account that is yielding the error message and creating a temporary profile. We unloaded the hive and Harvey was able to log in with his normal profile. We then checked the scheduled tasks logfile and discovered that the weekly Spybot scan completed successfully with an exit code of 0.
I investigated this further on my machine and discovered that when Spybot runs it creates a folder under HKEY_USERS for each account that is not currently logged in. I assumed that this is done so the immunize and scan functions can process all user accounts on the system. The problem is that when Spybot terminates it is not always unloading the temporary hives PE_C_USERNAME that it is creating. Three of my clients also had a folder called PE_C_ALLUSERS in their HKEY_USERS hive. I could reproduce this on my machine but cannot understand how this folder would ever be created since the ALLUSERS profile does not even have a registry hive.
I reproduced this problem running Spybot interactively six times in a row closing the program using the red X in the upper right corner. Then I tried terminating the program using File Exit from the menu and the temporary hives were removed. I then went back to closing with the red X and the hives were removed six times in a row. This is very strange and inconsistent behavior.
This problem can be very serious as it will lock the user registry hive, forcing Windows to create a temporary profile. A system reboot will not release the hive; you must unload the hive using regedit. This can really mess up the average user that does not understand this stuff. It sounds like this is what happened to ninjat in this recent post...
http://forums.spybot.info/showthread.php?t=33042
The final point that I would like to make is that I did not have any problems with weekly scans using 1.52 with XP Service Pack 2. I updated all of my clients' machines to XP Service Pack 3 and Spybot 1.6 at the same time. I am not sure if the SP3 update, or 1.6, or the combination of both is causing this problem. Can anyone else reproduce what I am seeing on multiple systems? Thanks for your support...
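A way to check a machine for the leftover hives described in the post above, as an added example that is not part of the original post and not Spybot's own code. It assumes PowerShell 2.0 or later and an elevated session in the Administrator account; the `-Unload` switch is a name chosen for this example.

```powershell
# Added example, not from the thread. Run elevated from the Administrator account.
# Lists hives still mounted under HKEY_USERS with the PE_C_ prefix described above;
# with -Unload it also unmounts them (same effect as regedit's File > Unload Hive).
param([switch]$Unload)

# Read subkey names only; opening the keys would hold handles that block an unload.
$names = [Microsoft.Win32.Registry]::Users.GetSubKeyNames() |
    Where-Object { $_ -like 'PE_C_*' }

if (-not $names) {
    Write-Output 'No PE_C_* hives are mounted under HKEY_USERS.'
    return
}

foreach ($name in $names) {
    Write-Output "Mounted: HKEY_USERS\$name"
    if ($Unload) {
        # reg.exe unload takes the mount point, not the hive file path.
        & reg.exe unload "HKU\$name"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not unload $name (is something still holding it open?)"
        }
    }
}
```

Run without the switch after each scheduled scan to see whether any hive was left mounted before the affected user next logs on.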
Spybot 1.6 locking user registry hives
I have experienced the same problem on two different PCs, from different manufacturers. Both PCs use Windows XP.
The restricted users could not access their existing documents in the "My Document" folder which now was blank. Also all e-mails and contacts in Outlook were lost.
This problem is obviously repeatable. Norton GoBack resolved this temporary disaster. I hope to hear a response on how the SpyBot developers will solve this issue. I have stopped using SpyBot for now.
JohnT
Data in User Profile is truly lost
It seems that I have completely lost all data for my other user profile on my machine due to this problem.
The first time it happened, I found the data on my drive by searching and backed up the My Documents folder, then successfully followed instructions to restore the old profile. The second time it happened, the lost data is no longer turning up in a drive search and I had forgotten to back up my Firefox bookmarks for that user profile. These now seem to be gone for good. I wish there was a way to get those back now. If anyone has a suggestion to recover that user's bookmarks, please let me know.
This all began happening the day I upgraded to Spybot 1.6.
haha well too late for that...
I had already tried system restore before you replied. It's ok though, thanks. :) Well, if this happens again I now know what to do. Thanks for the info. At any rate, deleting the accounts and making them again seemed to have solved the problem. The only thing that happened was avast got corrupted and I had to reinstall it. Not all the shield providers were able to run. Anyway, avast is now working fine, and I am glad this mess is over with. Now I'm just hoping it did not corrupt anything else...
Thanks a lot for the info, I appreciate it. :bigthumb:
Getting back to a user profile
For future reference, here's how you can use the registry editor to reset your profile path. This works if Windows created you a new profile because your old profile was locked up for some reason, not if your old profile was actually corrupted.
Start REGEDIT while logged on your administrator account (don't use "Run as" from your regular account) and look at the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Each key under ProfileList corresponds to one of the internal system security IDs (SIDs) that Windows assigns to accounts. The short ones are internal Windows functions; the long ones are actual users. (The long one ending in -500, for instance, is the default administrator account.)
Under each SID key is the string value ProfileImagePath, which gives the actual disk path to your profile folder (files, desktop, shortcuts, personal documents, and so on). Skip through the SID keys until you find one with ProfileImagePath pointing at your newly-created profile, and carefully change the path to point back to your original profile. (Don't change the "%systemroot%" string to "C:".)
If your old profile wasn't actually corrupted, it should come up normally the next time you log on your regular account.
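A read-only listing of the ProfileList entries described in the post above, as an added example that is not part of the original post. It assumes PowerShell 2.0 or later and an administrator session. It reads ProfileImagePath without expanding environment variables, so the value shown is the one regedit shows and the post's warning about leaving the variable in place can be followed.

```powershell
# Added example, not from the thread: show each ProfileList SID, the account it maps to,
# the raw (unexpanded) ProfileImagePath, and whether that folder exists on disk.
$base = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$list = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base)
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$rows = foreach ($sid in $list.GetSubKeyNames()) {
    $key = $list.OpenSubKey($sid)
    $raw = $key.GetValue('ProfileImagePath', $null, $noExpand)
    $key.Close()
    if ($null -eq $raw) { continue }      # key without a profile path

    # Translate the SID to DOMAIN\user; some keys will not resolve.
    $account = '(unresolved)'
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    # Expand only for the existence test; the registry value itself is left untouched.
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    New-Object PSObject -Property @{
        SID          = $sid
        Account      = $account
        RawPath      = $raw
        FolderExists = (Test-Path -LiteralPath $expanded)
    }
}
$list.Close()

$rows | Select-Object Account, SID, RawPath, FolderExists | Format-List
```

The entry whose RawPath points at the newly created profile folder is the one to edit in regedit as the post describes.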
So do we have a solution in progress?
Because this problem happened to me even when I did not switch users (if you look at my posting in this thread). I have fast user service disabled, so I know it was not that that caused the problem. It just happened after finishing the scan, closing Spybot and then logging off and logging on under a limited user account - I got the temp user thing. Even a restart did not help...
I am hoping this does not cause a problem with any more users, as this is a pain in the butt.
Going to run spybot scan-*fingers crossed this does not happen again* :)