AD or local PC Profile issue

Posted on 2010-08-18
Medium Priority
Last Modified: 2012-05-10
I've a user that can log on to any PC and their profile works fine.  Then they log on to one PC and I get the Windows can't log you on etc with the following detail.
'DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format.'

I've tried several solutions but to no avail; these include removing the profile from that laptop completely, running UPHClean, and cleaning up the registry.

It basically will not allow this user to log in but anyone else can fine with no issues.

Any Ideas and solutions would be helpful and welcome...and yes the user needs to use this Laptop.
Question by:lfrs_org

Expert Comment

ID: 33463367
This PC looks like it is infected.
Please log in as local admin, scan the computer, disjoin and rejoin it to the domain, and check.

Thank you

Expert Comment

ID: 33463407
The file that is causing the problem is UsrClass.dat, and it is found residing in
C:\Documents and Settings\Current User\Local Settings\ApplicationData\Microsoft\Windows\UsrClass.dat

(Where the Current User is the user logged in to the network at the moment.) Move the file out of that directory and log back in (it doesn’t matter where you move it to as long as you know, just in case it doesn't work). The file is going to be recreated and this will eliminate the login error the user was getting. When everything is working fine, just delete the old UsrClass.dat file.

Author Comment

ID: 33463474
Zsaurabh: The profile has been completely deleted from the PC and therefore there is no C:\Documents and Settings\Current User\Local Settings\ApplicationData\Microsoft\Windows\UsrClass.dat file to move anywhere.  Unless you are thinking of All Users, but then it doesn't explain why other people can log into this PC fine.

Basically the pc will not let this user log in full stop, no profile is created it just goes back to the login prompt.

Expert Comment

ID: 33465814
Did you check the startup programs via msconfig?
Which programs and 3rd party services are being loaded at startup?
Please send a list of programs loading at the startup...

Did you try reinstalling a fresh XP or whatever you're using on the laptop?

Author Comment

ID: 33466146
Yes      HKLM:Run      Preload      C:\Windows\RUNXMLPL.exe
Yes      HKLM:Run      IAAnotif      "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
Yes      HKLM:Run      SynTPStart      C:\Program Files\Synaptics\SynTP\SynTPStart.exe
Yes      HKLM:Run      RTHDCPL      RTHDCPL.EXE
Yes      HKLM:Run      Alcmtr      ALCMTR.EXE
Yes      HKLM:Run      AzMixerSel      C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
Yes      HKLM:Run      Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Yes      HKLM:Run      RemoteControl      "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
Yes      HKLM:Run      LanguageShortcut      "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
Yes      HKLM:Run      IMJPMIG8.1      "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Yes      HKLM:Run      MSPY2002      C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
Yes      HKLM:Run      PHIME2002ASync      C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
Yes      HKLM:Run      PHIME2002A      C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
Yes      HKLM:Run      IgfxTray      C:\WINDOWS\system32\igfxtray.exe
Yes      HKLM:Run      HotKeysCmds      C:\WINDOWS\system32\hkcmd.exe
Yes      HKLM:Run      Persistence      C:\WINDOWS\system32\igfxpers.exe
Yes      HKLM:Run      PLFSetL      C:\WINDOWS\PLFSetL.exe
Yes      HKLM:Run      Acer ePresentation HPD      C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
Yes      HKLM:Run      ePower_DMC      C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
Yes      HKLM:Run      Boot      C:\Acer\Empowering Technology\ePower\Boot.exe
Yes      HKLM:Run      StarteLock      "C:\Acer\Empowering Technology\eLock\Service\startelock.exe"
Yes      HKLM:Run      eDataSecurity Loader      C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
Yes      HKLM:Run      eRecoveryService      C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
Yes      HKLM:Run      LManager      C:\PROGRA~1\LAUNCH~1\LManager.exe
Yes      HKLM:Run      BCSSync      "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
Yes      HKLM:Run      ccApp      "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Yes      HKLM:Run      QuickTime Task      "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Yes      HKLM:Run      SunJavaUpdateSched      "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
Yes      Startup Common      Acer Empowering Technology.lnk      C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
Yes      Startup Common      Citrix XenApp.lnk      C:\WINDOWS\Installer\{388C130B-0079-46B4-A0D5-DC2DD7A89A7B}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

Are the startup content.  The laptop was reinstalled only 2 weeks ago with Windows XP with Service Pack 3.

Other people log on fine to this computer. What is your thinking, VB?

Expert Comment

ID: 33470868
Some malware camouflages itself as RUNXMLPL.exe, particularly if it is located in the c:\windows or c:\windows\system32 folder. So check whether the RUNXMLPL.exe process on your PC is a pest (the first item on your list).

There are some items that I didn't see before in your startup list.

I recommend downloading Spybot Search and Destroy and, after updating the software, scanning your laptop.

Also download & run ComboFix to be sure there is no BHO or any other malware that cannot be identified by looking into startup objects.

Did you check the event viewer (system and application sections) ?
Is there a red (error) or warning (yellow) when the pc is booting to windows?

Author Comment

ID: 33474654
Virus and malware scans are clear.

The only errors that have come up in the event viewer are Crypt32 which is to do with Windows Root Certificates.

Still no joy.


Expert Comment

ID: 33475008
Since there is no relevant record on event viewer, it must be a 3rd party software.

I think one of the startup programs is causing it. Can you disable all of them (using msconfig: HKLM-RUN, HKCU-RUN, Startup Folder...), restart and give it a try? If it boots correctly then you can be sure one of them is causing this message.

After that you can turn them on one by one, restart and see exactly which one is causing the problem...

Author Comment

ID: 33475296
Ok, I think you are misunderstanding what it is that is happening here.

* Have disabled all startup items and the issue continues.
* There are no viruses or malware issues;
* Other people can log on to this laptop fine, and can work on it without any issues.
* This is just 1 person having the problem, his account is fine in Active Directory and has been tested on other PCs/laptops and he has no problems logging in to them.
* He has no profile left on the laptop, so it should load a new one, but it doesn't! It comes up with
"Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, or that your network is functioning correctly. If this problem persists, contact your network administrator.
DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format. "

When you click ok it takes you back to the CTRL-ALT-DEL login screen.  I can then log in fine.  

Once again, thank you for your help.

Accepted Solution

VBDotNetCoder earned 1500 total points
ID: 33475428
Yes I misunderstood, sorry...

Do you have event IDs 1505 and 1508 in Application log?

Author Comment

ID: 33475778
I get 1500 and 1508 in the event log.

After searching these I found the Microsoft User Profile Hive Cleanup Service (UPHClean), which loads onto the laptop fine but doesn't solve my problem.  It's automatically in the services startup and seems to have no effect on the profile whatsoever.

Assisted Solution

VBDotNetCoder earned 1500 total points
ID: 33475925
So now I have 3 questions:

1) How much RAM is installed on the laptop?
2) How are the virtual memory settings (What is the pagefile size min/max ?)
3) Does the problem occur when you give administrator (first local then domain, for testing only) privileges to the problematic account?

Author Comment

ID: 33476127
1 - 1GB
2 - Page file Currently allocated 3000MB, Initial Size (MB) 3000 and Max Size (MB) 3000.
3 - Made user local administrator get the event id 1508 then 1505, logs in with temp account.

Author Comment

ID: 33476293
I've solved the problem, basically looks like the profile was trying to associate itself with a TEMP profile, that I was totally ignoring.

I've removed that profile and it has allowed the user to log into the laptop without any errors. I've tested again by removing administrator privileges and it has help the profile.

VB, thank you for your assistance in this matter; it has helped talking it through with someone.
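
A read-only check for the condition that resolved this thread, added here as an example and not posted by anyone in the discussion: it lists every local profile registration, flags ones that point at a TEMP folder or a missing hive, and pulls the 1500/1505/1508 events mentioned above. It assumes PowerShell 2.0 or later is installed and uses the standard ProfileList registry key; the function names and flag labels are hypothetical, and the flags are heuristics to review by hand.

```powershell
# Added example (not from the thread): read-only audit of local profile
# registrations and of the profile-load events discussed above.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileRegistration {
    Get-ChildItem -Path $ProfileList | ForEach-Object {
        $keyName = $_.PSChildName
        $raw = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if (-not $raw) { return }   # key without a profile path: skip it
        $path = [Environment]::ExpandEnvironmentVariables($raw)

        # Translate the SID to an account name; an orphaned SID will not resolve.
        $account = '<unresolved>'
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($keyName -replace '\.bak$', '')
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        # Heuristic flags (labels are this example's own, not Windows terms).
        $flags = @()
        if ((Split-Path -Path $path -Leaf) -match '^TEMP(\.|$)') { $flags += 'temp-profile' }
        if ($keyName -match '\.bak$') { $flags += 'bak-key' }   # seen on Vista and later
        if (-not (Test-Path -LiteralPath $path)) {
            $flags += 'folder-missing'
        } elseif (-not (Test-Path -LiteralPath (Join-Path $path 'NTUSER.DAT'))) {
            $flags += 'no-ntuser-dat'
        }

        New-Object PSObject -Property @{
            Account = $account; Key = $keyName; Path = $path; Flags = ($flags -join ',')
        }
    }
}

function Get-ProfileLoadEvent {
    param([int]$Newest = 2000)
    # Event IDs taken from the thread; Source is shown so unrelated hits can be discarded.
    $ids = 1500, 1505, 1508
    Get-EventLog -LogName Application -Newest $Newest |
        Where-Object { $ids -contains $_.EventID } |
        Select-Object TimeGenerated, Source, EventID, UserName, Message
}

Get-ProfileRegistration | Sort-Object Flags -Descending |
    Format-Table Account, Path, Flags, Key -AutoSize
Get-ProfileLoadEvent | Format-List
```

Run it from an elevated prompt as a local administrator; it changes nothing, so any flagged entry still has to be removed through the usual User Profiles dialog.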

Author Closing Comment

ID: 33476323
Managed to work out the solution with the question VB asked.

Expert Comment

ID: 33476937
Glad I helped :)
