Event-warnings after installing beta[Resolved]


After installing Beta every time when I shut down the system I get two event-warnings in applicationlog.

I have no screenshots, because I have a Dutch system, and I don’t think many people read Dutch around here.
I only get these warnings when the firewall itself is running, when only Launch Pad is running nothing happens.
When I exit manually the firewall just before I shut the system down I don’t get the warnings.

Event: 1524
Source: Userenv
Category: none
User: Peter
Text (translated it on eventid.net):
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

A few seconds later followed by:
Event: 1517
Source: Userenv
Category: none
User: System
Text (translated it on eventid.net):
Windows saved user registry while an application or service was still using the registry during log off. The memory used by the user’s registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Before installing the beta I didn’t get this error. I suppose it’s not a big deal, but something is a bit wrong, it seems.

Peter Zwitser

Sounds very similar to file locking doesn’t it. I know the rules are in the registry… If you were updating your rules in the GUI, maybe the Beta didn’t “release” it after it was done writting the rules to the registry.

Hopefully the developers can duplicate the issue… alot easier to fix that way.

Hi mOngOd,
Yes, something in the registry seems to be ‘locked’ (don’t know how that’s called exactly). But the eventlog gives not the smallest hint to what can be locked.
Well, it’s not a really big thing I guess, but since it’s happening every time I’m pretty sure they can replicate it, or I can give enough information they can fix it.


Well, let’s hope it’s not a big thing. ::slight_smile:

Maybe plan driver updates with reboots with the GUI closed. :wink:

Oh, didn’t think of that, thanks! You may have a good point there!

If somebody of Comodo has any time to reply?
By the way, I’m wondering if i’ve put this subject in the right forum. If it’s the wrong forum, please let me now.


If you’re not interested in beta-testers anymore, just let me know.
Otherwise some kind of reply would be appreciated, even if it’s only something like “we don’t have time at the moment, but we have listed your problem”.

Peter Zwitser

Hi Goeroeboeroe,
Thanks for your input, we appreciate your comments and would like to listen more…
Well we have not seen this sort of error while testing! But quite possible as CPF protects it’s registry entries from getting modified by non-cpf application.
Can you please tell us the OS you are using with Service Pack in use.

Hi Peter,

To help us help you, can you download and run HijackThis (www.merijn.org/downloads). This will generate a listing of all runtime apps, services and BHOs. One of the options in Hijack This is to do a scan and save a log file. Select this option and then send me the log file through the IM on this forum. I’ll go through it as soon as I get it (but please bear in mind that it is already 9:15pm Sydney time - you may not hear back from me until tomorrow my time).

Looking at your original post, I suspect there is “something” locking the classes hive of the registry open and Windows can’t close the registry for a graceful shutdown. One possible cause could be multiple security-type apps trying to do the right thing simultaneously.

IM the log and I’ll have a look - no guarantees - I just didn’t want you left stranded. Comodo do care (their ethics are the best I’ve come across in 20+ years in the industry), but they are a BIG company with a diverse range of commercial offerings, and while we only care about the stuff we’re using (for free, I should add), they have an obligation to support all branches of their company. If we have to suffer a delay at times, I view that as being the price we pay, since they won’t take money. :wink:

Hopefully, we’ll find the root cause of the problem (and the solution).

Ewen :slight_smile:


I don’t mind waiting at all, just wanted to know it was useful what I’m doing. That’s why I wanted a reply. And now I’ve got two.

I’m using XP SP 2, everything updated etc.

I’ll IM you the HijackThis log (I know this app, I’ve been working with it for years removing malware).
I don’t really see what you could find in it concerning this problem, but maybe you’ve got an idea I don’t have. What you say about another security-app could be a possibility, but it didn’t happen with the last non-beta-version (don’t know versionnumber, but it’s the most recent one). So I guess it has to do something with a change in CPF.

Don’t hurry, I really don’t mind waiting, as long as I know the problem got attention. I understand very well there’s more to do in the world beside my event-problems. Much too much real events at the moment :frowning:


Thanks Peter. I mainly wanted the HJT log to get a feel for your system and see whether you’re likely to have multiple sec. apps installed. When you get time, send it over anyway.

Ewen :slight_smile:

There are MAJOR changes under the hood of the beta version, and there are more to come. The beta will, I think (and I’m only reading between the lines here) be in a state of flux for a while yet, but the end result will be the ants pants.

(I wonder why we say that “ants pants” means a good thing? What are they covering up?)

Ewen :slight_smile:

I’m sure. I use the beta because it’s already much better than the stable version. And I also like beta-testing for a good app.

After some IM-ing with Ewen (Panic) it looked like a good idea to see if there was any conflict with some other application.

I closed as much as I could. No other applications were running, almost every service shut down, etc.

The only services running were (because I couldn’t shut down them, or they were needed for testing, or it would be a really bad idea to shut them down):

Com+ Event System
Comodos Application Agent
Event Log
Plug and Play
Remote Procedure Call (RPC)
Security Account Manager
System Event Notification
System Restore Service

I kept keeping the event-warnings. I removed every checkmark in the Advanced-screen of CPF, and disabled all three monitors (wonder why protection was suddenly Bad…).
Event-warnings were still there.
Only when I turned off CPF in Launch Pad the warnings disappeared.
If I have to reboot one more time today I’m gonna throw this machine out of the window :o)


Any ideas???

What about UPHClean (User Profile Hive Cleanup) as a culprit?

This is recent-ish offering from MS that “Cleans up handles to allow unloading of user profile hive. This can help speed up logging off, reconciliation of roaming profiles and prevent exceeding the registry size limit.”. So, it’s possibly in the right area.

Hi Kail,

It’s not that recent, it’s recently updated. I’ve been using it for about two year, I think, because I had some problems with some service, if I remember well. And sometimes it still unloads something when something goes wrong, so I leave it running.

I don’t think it has anything to do with it, but I disabled it anyway and rebooted three times: problem still exists.
What’s pretty strange: this uphclean is supposed to free the registry, or parts of it. So I should think it should take care of this problem too. But it doesn’t, for some reason. The very reason I installed uphclean is to prevent this kind of warings/errors.

But I’m not a big genius in registry-things, so there may be a very good explanation.


Hi Peter

Sorry, I guess that I did indeed spot the recent update you mentioned.

However, I do suspect that UPHC would need an exclusive registry lock to do what it does.

But, your suggestion of disabling it sounds like a good idea. I can’t test it, because I don’t actually have the problem myself.

Hi Kail,

Well, every suggestion is welcome.
You made me think of looking in Userenv.log, what logs logging on and logging off.
I can’t make anything up out of the relevant section, but maybe somebody else can.

USERENV(1b8.1bc) 03:41:48:687 UnloadUserProfile: Entering, hProfile = <0x4fc>
USERENV(1b8.1bc) 03:41:48:687 UnloadUserProfile: In console winlogon process
USERENV(1b8.1bc) 03:41:48:687 UnloadUserProfileP: Entering, hProfile = <0x4fc>
USERENV(1b8.1bc) 03:41:48:703 GetExclusionListFromRegistry: Policy list is empty, returning user list = <Local Settings;Temporary Internet Files;Geschiedenis;Temp>
USERENV(1b8.1bc) 03:41:48:703 CSyncManager::EnterLock
USERENV(1b8.1bc) 03:41:48:703 CSyncManager::EnterLock: No existing entry found
USERENV(1b8.1bc) 03:41:48:703 CSyncManager::EnterLock: New entry created
USERENV(1b8.1bc) 03:41:48:703 CHashTable::HashAdd: S-1-5-21-1606980848-764733703-839522115-1004 added in bucket 12
USERENV(1b8.1bc) 03:41:48:703 UnloadUserProfileP: Wait succeeded. In critical section.
USERENV(1b8.1bc) 03:41:49:171 MyRegUnLoadKey: Failed to unmount hive 00000005
USERENV(1b8.1bc) 03:41:49:171 MyRegUnLoadKey: Returning 0.
USERENV(1b8.1bc) 03:41:49:171 DumpOpenRegistryHandle: 12 user registry Handles leaked from \Registry\User\S-1-5-21-1606980848-764733703-839522115-1004
USERENV(1b8.1bc) 03:41:49:171 UnloadUserProfileP: Didn’t unload user profile <err = 5>
USERENV(1b8.1bc) 03:41:49:187 MyRegUnLoadKey: Failed to unmount hive 00000005
USERENV(1b8.1bc) 03:41:49:187 MyRegUnLoadKey: Returning 0.
USERENV(1b8.1bc) 03:41:49:187 UnLoadClassHive: failed to unload classes key with 5
USERENV(1b8.1bc) 03:41:49:187 UnloadUserProfileP: Didn’t unload user classes.
USERENV(1b8.1bc) 03:41:49:187 DumpOpenRegistryHandle: 29 user registry Handles leaked from \Registry\User\S-1-5-21-1606980848-764733703-839522115-1004_Classes
USERENV(1b8.1bc) 03:41:49:187 ReportError: Impersonating user.
USERENV(1b8.1bc) 03:41:49:187 HandleRegKeyLeak: RtlAdjustPrivilege succeeded!
USERENV(1b8.1bc) 03:42:24:031 HandleRegKeyLeak: RegSaveKey succeeded!
USERENV(1b8.1bc) 03:42:24:031 HandleRegKeyLeak: RtlAdjustPrivilege succeeded!
USERENV(1b8.1bc) 03:42:24:031 HandleRegKeyLeak: hkCurrentUser closed
USERENV(1b8.1bc) 03:42:24:031 Entering CUserProfile::WatchHiveRefCount: S-1-5-21-1606980848-764733703-839522115-1004, 3
USERENV(1b8.1bc) 03:42:24:031 CUserProfile::WatchHiveRefCount: In critical section
USERENV(1b8.1bc) 03:42:24:031 CUserProfile::WatchHiveRefCount: NtUnloadKeyEx succeeded for \Registry\User\S-1-5-21-1606980848-764733703-839522115-1004
USERENV(1b8.1bc) 03:42:24:031 Entering CUserProfile::AddWorkItem: S-1-5-21-1606980848-764733703-839522115-1004
USERENV(1b8.1bc) 03:42:24:031 CHashTable::HashAdd: S-1-5-21-1606980848-764733703-839522115-1004 added in bucket 12
USERENV(1b8.1bc) 03:42:24:031 CUserProfile::AddWorkItem: No thread available, create a new one.
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::AddWorkItem: Signal event item inserted
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::AddWorkItem: New thread created
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::AddWorkItem: Work Item inserted
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::AddWorkItem: thread woken up
USERENV(1b8.1bc) 03:42:24:046 Exiting CUserProfile::AddWorkItem with 00000000
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::WatchHiveRefCount: NtUnloadKeyEx succeeded for \Registry\User\S-1-5-21-1606980848-764733703-839522115-1004_Classes
USERENV(1b8.1bc) 03:42:24:046 Entering CUserProfile::AddWorkItem: S-1-5-21-1606980848-764733703-839522115-1004_Classes
USERENV(1b8.1bc) 03:42:24:046 CHashTable::HashAdd: S-1-5-21-1606980848-764733703-839522115-1004_Classes added in bucket 20
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::AddWorkItem: Work item inserted
USERENV(1b8.1bc) 03:42:24:046 CUserProfile::AddWorkItem: thread woken up
USERENV(1b8.1bc) 03:42:24:046 Exiting CUserProfile::AddWorkItem with 00000000
USERENV(1b8.1bc) 03:42:24:046 HandleRegKeyLeak: Calling WatchHiveRefCount (S-1-5-21-1606980848-764733703-839522115-1004) succeeded
USERENV(1b8.1bc) 03:42:24:046 UnloadUserProfileP: Impersonated user
USERENV(1b8.1bc) 03:42:24:046 UnloadUserProfileP: Writing local ini file
USERENV(1b8.664) 03:42:24:046 Entering CUserProfile::WorkerThreadMain
USERENV(1b8.664) 03:42:24:046 CUserProfile::WorkerThreadMain: In critical section
USERENV(1b8.664) 03:42:24:046 CUserProfile::WorkerThreadMain: Leave critical section
USERENV(1b8.664) 03:42:24:046 CUserProfile::WorkerThreadMain: Back to waiting…
USERENV(1b8.1bc) 03:42:24:078 UnloadUserProfileP: Reverting to Self
USERENV(1b8.1bc) 03:42:24:078 UnloadUserProfileP: exitting without cleaning up due to hive unloading failure
USERENV(1b8.1bc) 03:42:24:078 CSyncManager::LeaveLock
USERENV(1b8.1bc) 03:42:24:078 CSyncManager::LeaveLock: Lock released
USERENV(1b8.1bc) 03:42:24:078 CHashTable::HashDelete: S-1-5-21-1606980848-764733703-839522115-1004 deleted
USERENV(1b8.1bc) 03:42:24:078 CSyncManager::LeaveLock: Lock deleted
USERENV(1b8.1bc) 03:42:24:078 UnloadUserProfileP: Leave critical section.
USERENV(1b8.1bc) 03:42:24:093 UnloadUserProfileP: Leaving with a return value of 1
USERENV(1b8.1bc) 03:42:24:093 UnloadUserProfile: UnloadUserProfileP succeeded
USERENV(1b8.1bc) 03:42:24:093 UnloadUserProfile: returning 1
USERENV(cb0.7f8) 03:42:25:406 LibMain: Process Name: C:\WINDOWS\system32\wuauclt.exe


Hi Goeroeboeroe

Sorry for the dumb question. But, does the above USERENV log coincide with Event Log USERENV error?