When browsing through my Event Logs, I notice numerous “Warning” entries dating back to mid-November 2008. They all refer to Userenv like the example below:
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 2/11/2009
Time: 1:58:23 AM
User: NT AUTHORITY\SYSTEM
Computer: HOME
Windows saved user HOME*username* registry while an application or service was still using the registry during log off. The memory used by the user’s registry has not been freed. The registry will be unloaded when it is no longer in use.
This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The cause is cmdagent.exe not releasing registry memory hive info on computer shut down. I have an entry on every shut down since last November (2008). I found a workaround:
Microsoft offers a “User Profile Hive Cleanup Service” utility that makes sure there are no hooks using memory when the computer shuts down. I installed the utility and it seems to have resolved the problem. I’ve had no more “Warnings” stored and the utility tells you what it has to remap before the computer shuts down. The culprit, in my case, is cmdagent.exe (1372) HKCU (0x3e4).
WinXP Pro SP3
CIS 3.5.57173.439 (32 bit)