Windows Event ID 1552

#1552 (Server) Windows Event Logs - Use different ID for connect/disconnect

Milestone: None

Status: open-accepted

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-08-27

Created: 2021-05-05

Private: No

In the Windows Event Viewer, tvnserver uses event ID 257 for when a client connects and disconnects. While the description of the event indicates which it was, Tasks Scheduled to trigger on event 257 from tvnserver can't be differentiated this way. If it's at all possible for the TVNC Server to use a different Event ID for connect & disconnect events, that would be ideal in running tasks based on connection events.

Thanks.

Discussion

  • Windows Event ID 1552

    • status: open --> open-accepted
    • Group: -->



    • Author


    Hi all,

    I’m experiencing an issue where periodically users cannot log in to their Windows 10 1809 devices because they get the “The User Profile Service failed the sign-in. User profile cannot be loaded” message.

    We are using Kaspersky Endpoint Security 11.1.1.126 on our client machines and, in the event logs, there is a Kaspersky entry which seems to either cause the issue or point to an issue. It’s in the Application log, Event ID 1552, “User hive is loaded by another process (Registry Lock) Process name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe” ← is this normal? I see it 10 to 20 times a day on a given machine which experiences the logon issue; after a reboot the logon issue goes away. No temporary profiles are being created, replacing ntuser.dat doesn’t help, and it happens for new and old profiles.

    So can anyone tell me if the above entry from Kaspersky is some routine task and, if not, where I can start looking for the reason Kaspersky is locking the registry?

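    As an added example (not from this thread, and not Kaspersky's or Microsoft's code), the PowerShell below pulls the Event ID 1552 entries from the Application log, groups them by the process named in the message, and lists which of them fall within a few minutes of a User Profile Service failure, which is the kind of correlation the question above is asking for before opening a support case. Only the Application log and ID 1552 come from the post; the function names, the regex on “Process name:”, the 7-day window and the default profile-failure IDs 1500/1508/1511 are my assumptions and are all parameters.

```powershell
# Added example: triage Event ID 1552 ("User hive is loaded by another process")
# by the process named in the message, then check which entries sit close to a
# User Profile Service failure. Assumptions (mine, not the page's): the message
# ends with "Process name: <path>" as quoted in the post; the profile-failure
# event IDs in $ProfileEventIds are the usual User Profile Service ones.

function Get-HiveLockEvents {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Application',
        [int]$EventId    = 1552,
        [int]$Days       = 7
    )
    $filter = @{ LogName = $LogName; Id = $EventId; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Extract the locking process path from the rendered message (assumed layout).
        $proc = if ($_.Message -match 'Process name:\s*(?<path>[^\r\n]+)') {
            $Matches['path'].Trim()
        } else {
            '<unparsed>'
        }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Provider    = $_.ProviderName
            Process     = $proc
            Message     = $_.Message
        }
    }
}

function Get-HiveLockSummary {
    # One row per locking process: how often, and first/last occurrence.
    param([int]$Days = 7)
    Get-HiveLockEvents -Days $Days |
        Group-Object Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object TimeCreated)[0].TimeCreated } },
            @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

function Get-HiveLockNearProfileFailure {
    # For every profile-load failure, count the 1552 entries within +/- $WindowMinutes
    # and list the processes they name. A failure with zero nearby locks points away
    # from the hive lock as the cause; repeated hits on one process point towards it.
    param(
        [int]$Days          = 7,
        [int]$WindowMinutes = 5,
        [int[]]$ProfileEventIds = @(1500, 1508, 1511)   # assumption: User Profile Service IDs
    )
    $locks      = @(Get-HiveLockEvents -Days $Days)
    $failFilter = @{ LogName = 'Application'; Id = $ProfileEventIds; StartTime = (Get-Date).AddDays(-$Days) }
    $failures   = Get-WinEvent -FilterHashtable $failFilter -ErrorAction SilentlyContinue
    foreach ($f in $failures) {
        $near = @($locks | Where-Object {
            [math]::Abs(($_.TimeCreated - $f.TimeCreated).TotalMinutes) -le $WindowMinutes
        })
        [pscustomobject]@{
            FailureTime   = $f.TimeCreated
            FailureId     = $f.Id
            LocksInWindow = $near.Count
            Processes     = ($near.Process | Sort-Object -Unique) -join '; '
        }
    }
}

# Usage on an affected machine (run elevated so the Application log is fully readable):
Get-HiveLockSummary -Days 14 | Format-Table -AutoSize
Get-HiveLockNearProfileFailure -Days 14 | Sort-Object FailureTime | Format-Table -AutoSize
```

    The summary answers the “is it routine?” part of the question: a process that appears steadily every day whether or not anyone fails to log on looks like a scheduled scan, while one whose entries cluster around the failed sign-ins is worth handing to the vendor together with the GSI log.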


    Hi,

    Could you please provide us with GSI log from that host?

    Thank you!




    I added that file to the exclusion list at one point. I’m pretty sure we had experienced that same issue randomly.


    • Author


    I spoke with our security department and they said that Kaspersky support is already taking a look into this issue, so I don’t want to give you, Nikolay, the same task again that you already have somewhere in your queue :)

    I know that the guys will install some patch for Kaspersky on an affected device in the upcoming days to check if this will solve the issue.
    I’ll post back once the patch is installed, whether it fixed the issue or not.


    I added that file to the exclusion list at one point. I’m pretty sure we had experienced that same issue randomly.


    From what I know this has already been done, but it didn’t solve the issue, but thank you very much for your support!


    • 1 month later...


    Hi All,

    Did anyone find a solution to this? Because I also have the same issue.


    • Author


    Hi nt30,

    our security department is contacting Kaspersky support via another channel, so at the moment I’m not supposed to share the logs on a public forum.
    We still have the issue. I’m doing my own investigation looking through the event log, but sadly I didn’t find much new information.

    What I have found is that the 1552 Event ID started with Windows 1809, here is an interesting link

    Regarding your case - did you spot anything specific, when the user cannot logon?

    Can you share your observations? Maybe we can solve this one together :)


    • 1 month later...

    • Author


    Unfortunately the issue is still not solved for us, but we have contacted Microsoft to get more insight on the issue and to get to know how to “See Tracelogging for error details” (screen below). I was advised to use Windows Performance Recorder to gather the logs and use Windows Performance Analyzer to review the logs for the error details.
    I have the recorded etl file, but honestly I don’t know how to find the related error details in it - has anyone experience with this tool and could share their knowledge?


    BTW I've searched for 9f821051-83c5-4816-bb38-5f5fa3b65ddb and it points to Cloud Cache Initializer_Windows.CloudStore.dll - source: https://uuid.pirate-server.com/9f821051-83c5-4816-9b38-5f5fa3b65ddb (not sure if it's a good source, but it was one of the very few that gave results)


    • 1 month later...

    • Author


    It seems that there has been a breakthrough with this case: the 1552 Event ID is triggered by a module in Kaspersky. The module will be disabled (we were told that it has no impact on the security of the client), the 1552 event should not get triggered anymore, and we hope that the logon issue will be solved as well. BTW, the outcome of the Microsoft troubleshooting was that Kaspersky is causing the logon issue, so if the above-mentioned change doesn’t solve our issue I guess the best next step would be to have a meeting with Microsoft support and someone from Kaspersky support to talk through the next troubleshooting steps.


    • 2 months later...


    Guest


    What is the module that can be disabled to rectify this issue?





    There is a fix that solves this problem. (Request from support).

    However, this is an old discussion. KES11.4 is now available - this version no longer has this problem, the fix is included since version 11.3.

    Regards
    Alex


    • Author


    Hi Alex,

    actually we are still facing the issue and we are still troubleshooting the problem with Kaspersky support via our security department, it’s a bit of back and forth, but we are still on KES 11.1.1.126
    Are you saying that this is a well known problem and if we upgrade to 11.3 or newer version we will no longer observe the logon problem? If so I will share this post with our security department and advise to upgrade KES.


    Additionally, maybe you have some inside knowledge that the problem is not fixable on KES 11.1.1.126, which would be very valuable information for us.

    @evanhandel the module had to do something with encryption, but I cannot remember the name of it, but as this approach didn’t work, I’m not sure if you actually need the name :)




    We have never used KES11.1 - not even with our customers. So unfortunately I can't tell you whether there is a PrivateFix for it.

    But in versions 11.3 and 11.4 this error has definitely been eliminated. Please note that versions 11.3 and 11.4 are only supported with KSC/Agent12.

    I would recommend KES11.4 - we have consistently good experiences with it. I am not aware of any serious problem or that a patch is absolutely necessary.

    Here you can find a list of Private Patches included in KES11.4 
    https://support.kaspersky.com/15532

    Regards
    Alex


    • Author


    Hmm, I checked the version info page and 11.1.1.126 seems to be a standard commercial release, so why aren’t you using it with your customers?

    Could you please share any document/release note that describes the issue being resolved in 11.3 or 11.4?




    Hmm, I checked the version info page and 11.1.1.126 seems to be a standard commercial release, so why aren’t you using it with your customers?

    ...

    It didn't happen for a reason - it just happened that way.

    Unfortunately I cannot provide you with any further documents regarding the problem.
    But we look after a large number of customer environments with up to 9,000 managed clients and have really good experiences with the KES11.4.

    Just test it - I would recommend uninstalling the KES11.1 beforehand (startup required).

    Regards
    Alex


    • Author


    Hi Alex,

    I understand.

    As for the test, we most probably would need to set up a separate environment (DC and a few clients) and a separate Kaspersky server that will support KES 11.4, as from what I heard it’s not compatible with our version of the Kaspersky server.

    So if we would just setup a separate environment for testing purposes only, would we need any extra licenses from Kaspersky to host that?


    • Solution


    ...

    So if we would just setup a separate environment for testing purposes only, would we need any extra licenses from Kaspersky to host that?

    No, you can use your “normal” licenses - unless you exceed the maximum number of protected systems

    Regards


    • 6 months later...

    • Author


    Hi Alex,

    I wanted to say thank you for your help on this case! We have installed KES 11.5.0.590 on a few test machines and we do not observe the problem anymore. ☺


    • 4 weeks later...


    Not sure if it is exactly the same cause, but a large number, though not all, of our machines are suffering the same problem on Windows 10 Build 19042.928 running KES 11.6.0.394.

    The event-log entry for the user-profile service lists KAV as locking the user profile. Whitelisting NTUSER.dat simply changes the event log entry to ‘unspecified error’.

    Looking at KAV there are entries for ‘operation with application resources is blocked by Self-Defense’. Disabling Self-Defense and then deleting the (corrupted) local copy of the roaming profile allows users to log-in again.

    This only seems to apply to our mandatory profiles.

    While we can run without Self-Defense, this seems less than ideal, can anyone offer any advice?



    Have you added the NTUSER.dat exclusions stated in one of the first posts (above)?

    As far as I know, KES Self-Defense protects (its own) registry keys in HKCU.



    Thanks for the suggestion @ak01 , yes we whitelist ntuser.* which changed the error from ‘KAV is locking the user hive’ to ‘unspecified error’.

    I have found disabling self-defence is not a complete fix -- sometimes users logging in on affected PCs are still prevented. An occasional fix is to retry logging in ‘until it works’. A more concrete fix is to login with the local admin account and delete the user profile, which guarantees next login works but subsequent logins can still fail.

    This is a shared mandatory profile that is causing the issue -- I suspect something in it is causing issues, but I’m not sure what.

    The issue also appears to occur predominately at a small remote branch, our head office only has one PC exhibiting these problems.

    All the PCs are new and were imaged from the same WDS/MDT image with W10 20H2. The only other potential factor is that the head office had KAV deployed before the remote branch; potential timing with a Windows update?
