Page 1 of 2 12 LastLast
Results 1 to 10 of 84

Thread: Spybot 1.6 locking user registry hives

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default Spybot 1.6 locking user registry hives

    Hi Everyone,

    I have uncovered an nasty problem with 1.6. I run a weekly scheduled scan using the Administrator account on all of my clients machines. I received several calls this morning from clients saying that they all are receiving the message "Windows cannot find the local profile and is logging you on with a temporary profile." when logging into their limited accounts. Their accounts are limited accounts for security reasons.

    I had one of my clients login to the Administrator account to investigate. When we examined the HKEY_USERS hive, we discovered a folder call PE_C_HARVEY. Harvey is the name of the limited user account that is yielding the error message and creating a temporary profile. We unloaded the hive and Harvey was able login with his normal profile. We then checked the scheduled tasks logfile and discovered that the weekly Spybot scan completed successfully with and exit code of 0.

    I investigated this further on my machine and discovered that when Spybot runs it creates a folder under HKEY_USERS for each account that is not currently logged in. I assumed that this is done so the immunize and scan functions can process all user accounts on the system. The problem is that when Spybot terminates it is not all ways unloading the temporary hives PE_C_USERNAME that it is creating. Three of my clients also had a folder called PE_C_ALLUSERS in their HKEY_USERS hive. I could reproduce this on my machine but can not understand how this folder would ever be created since the ALLUSERS profile does not even have a registry hive.

    I reproduced this problem running Spybot interactively six times in a row closing the program using the red X in the upper right corner. Then I tried terminating the program using File Exit from the menu and the temporary hives were removed. I then went back to closing with the red X and the hives were removed six times in a row. This is very strange and inconsistent behavior.

    This problem can be very serious as it will lock the user registy hive forcing Windows to create a temporary profile. A system reboot will not release the hive, you must unload the hive using regedit. This can really mess up the average user that does not understand this stuff. It sounds like this is what happened to ninjat in this recent post...

    http://forums.spybot.info/showthread.php?t=33042

    The final point that I would like to make is that I did not have any problems with weekly scans using 1.52 with XP Service Pack 2. I updated all of my clients machines to XP Service Pack 3 and Spybot 1.6 at the same time. I am not sure if the SP3 update, or 1.6 or the combination of both is causing this problem. Can anyone else reproduce what I am seeing on multiple systems? Thanks for your support...
    Last edited by MrGreg; 2008-08-23 at 23:17.

  2. #2
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Can anyone shed some light on this problem? It would be most appreciated.
    Thanks for the support..

  3. #3
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Hi Everyone,

    I am still waiting for anyone to reply to this thread. Thanks for the support...

  4. #4
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Anyone have an answer for me?

  5. #5
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Hi Everyone,

    I keep adding a reply to this post so it will not get lost in the forum. Can anyone assist me with this issue? I would greatly appreciate it. Thanks for the support...

  6. #6
    Member
    Join Date
    Oct 2007
    Posts
    55

    Default

    Stll waiting on anyone that can shed so light on this one. Thanks...

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    MrGreg:

    If you left the thread with a zero (0) reply count rather than bumping the thread daily, perhaps you would have received a reply sooner.

    __________

    I do not believe that the problem you encountered has anything to do with the loading of user registry hives. The problem is most likely caused because Spybot locks the profile of other user accounts while it is doing a scan and your "clients" are logging on to another user account while the Spybot scan is running.

    Because Spybot locks the profile of other user accounts while it is doing a scan, you cannot:
    1. Switch users while a Spybot scan is still running.
    2. Kill the Spybot scan and then switch users.

    If either of these situations occur, reboot the system and everything should return to normal.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz IntelŪ PentiumŪ 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  8. #8
    Junior Member
    Join Date
    Sep 2008
    Posts
    6

    Default

    Thank God I'm not the only one having this problem!

    I have two people here that have come to me for help on this. Both times I just restored their systems to save myself some time. But then they would go home and run a scan and be right back with me the next day! I figured it was a Trojan or something that might be taking the system down with them once Spybot removed them, but no dice to confirm that because others scanners are working just fine. Kaspersky, Malwarebytes.. Did the SpywareWarriors forum and Found Nothing out of the norm.

    Both of these systems have many accounts on their computers. I can confirm that there is no problem without spybot 1.6 on their computers. Just to be safe I've run every scanner there is and found nothing. HiJackThis showed nothing that I could think of that would cause this problem. But sure enough those accounts have been looked from the Registry as decribed above. It seems to happen with the latest Spybot version. After running the spybot scan on their accounts with either Admin or User, they are greeted with the "Temp Profile" even after a full reboot.

    If I had to guess Spybot locks parts of the registry while doing scans and malware removel. However at the end of the scan it fails to remove the block on the accounts from the registry, thus causing the Temp Profile problems.

    This is a BIG problem for me now! So I'm removing SpyBot S&D from all of these computers that I manage until a comfirmed fix has been done.

    If there is anything the Spybot Team needs I'll try to help. Spybot is kickass software and I would like to feel safer using it rather than being scared of it.

    P.S. I'm sorry if by me replying to your thread causes this to be bumped again and prolongs the reply of the system admins.

  9. #9
    Junior Member
    Join Date
    Sep 2008
    Posts
    1

    Default

    I too can toss in my two cents and say that I'm having the same issue. Didn't start till I downloaded and installed 1.6 TODAY! Been pulling my hair out till I stumbled onto this.

    I've got three accounts on this PC, when I've run spybot and then switched to a different user (having let spybot complete its checks and immunizations, and then closing the program) I get a corrupted user profile error, restoring to a previous setpoint seems to take care of this for me, but needless to say I won't be running spybot till it's cleared.

  10. #10
    Junior Member
    Join Date
    Sep 2008
    Posts
    1

    Exclamation Spybot 1.6 locking user registry hives

    I have experienced the same problem on two different PC's, of different manufacturers. Both PC's use Windows XP.

    The restricted users could not access their existing documents in the "My Document" folder which now was blank. Also all e-mails and contacts in Outlook were lost.

    This problem is obviously repeatable. Norton GoBack resolved this temporary disaster. I hope to hear a response on how the SpyBot developers will solve this issue. I have stopped using SpyBot for now.

    JohnT

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •