Installation Question

Been using Avast Home Edition for some time now and love it. Runs smoothly and rarely see a glitch. I’m having a problem (think it has been going on for some time & I just never noticed) I don’t know how to resolve. This WinXP Home SP3 machine is set up with 3 user accounts and I have gone into Control Panel, User Accounts, “Change how users log off” to have Windows totally close down user programs at log off. But that has not resolved the problem. Husband and I completely log off when we get off this shared pc. We have never used Fast User Switching and that service has actually been disabled now.

Problem is that when I bounce back and forth between my LUA and the Admin account to do admin stuff, Windows is not releasing the last user's copy of explorer.exe per Task Manager, despite my above mentioned user settings. Each time one of us logs off and then during the same session logs onto another account, yet another copy of explorer.exe is not closing down. Some days I can get as many as 3-4 appearing in task manager, one for each user I have been logged on as, killing my 512MB ram. I have cleared/increased the Pagefile per AUHMA.org's recommendations, but that hasn't resolved the memory usage from running high after a while.

Been trying to figure this out for some time now. Took a look at my Windows Event Viewer and I see a lot of these errors on the Event log:

Event ID 1524: “Windows cannot unload your classes registry file. It is still in use by another application or service. The file will be unloaded when it is no longer in use.”

Event ID 1517: “Windows saved user Computer Name\User Name registry while an application or service was still using the registry during log off. The memory used by the user’s registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account. Try reconfiguring the services to run in either Local Service or Network Service.”

Well, the only programs on this pc that run under the user name are Superantispyware.exe, ashDisp.exe (Avast) and cfp.exe (Comodo Firewall). I'm beginning to think these multiple instances of explorer.exe (using 17,000K apiece!) are related to these very event errors and that it has ALWAYS been going on and I just never noticed it before. Plan on upgrading ram soon, but would like to perhaps find a workaround until that happens.

So basically my question is: Is there some way to make Avast’s ashDisp.exe install against Local Service or Network Service rather than the user that is logged on?

Not sure if this will specifically address the problem, but have a look at this: http://www.microsoft.com/downloadS/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en
More info here: http://support.microsoft.com/kb/837115

Thanks for the very useful link, Tarq. After reading it all, I was sure that was gonna fix me right up. I downloaded and installed the UPHClean service, it is showing started and it HAS stopped the 1517 and 1524 event ID errors. Now, for each user that was signed on, I just get a 1401 informational entry that would indicate it is working properly and doing what it was designed to do. The entry reads:

Event Type: Information
Event Source: UPHClean
Event Category: None
Event ID: 1401
Date: 3/3/2009
Time: 6:45:11 PM
User: HOME-23AB30824B\ButtonAdmin
Computer: HOME-23AB30824B
Description:
The following handles in user profile hive HOME-23AB30824B\ButtonAdmin (S-1-5-21-1085031214-1757981266-839522115-1005) have been remapped because they were preventing the profile from unloading successfully:

explorer.exe (1100)

It would appear that explorer.exe is truly my problem. But sadly this has not corrected the multiple instances of explorer.exe after logging off one account and logging onto another. Something else must be holding onto it. I welcome any other thoughts you might have.

Your articles linked me to a known bug report with Java that said Java may hold onto a profile (by design per Sun) because it uses/creates a file called hsperfdata_ with permissions set only to the user and which cannot be removed by System w/o taking ownership. But a SEARCH is not finding any such file(s) on my system, even searching system/hidden files. So I don’t think that’s what’s causing it in my case.

That's why I thought perhaps Comodo CIS (w/o AV), Avast Home or SAS Pro might be what was holding onto my profile. I've asked my question on those forums as well and will post back their conclusions. For the time being, we're just doing a RESTART to ensure no multiple instances of explorer.exe. But I'd like to get to the bottom of this so as not to have to restart at each user logoff. I think I'll go bounce this issue off the folks on Windows User Groups and see what they have to say. Maybe one of their really sharp MVPs will see my post and have a solution.
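As an added example (not from the thread or from UPHClean itself): a small Python parser for the UPHClean Event ID 1401 description format quoted above, which groups the remapped handles by the process holding them and flags when that process is the shell itself, since explorer.exe outliving the logoff points at whatever blocks its termination rather than at a service running as the user. The sample description is constructed for the example; its host name, SID, PIDs and handle values are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of a 1401 description (not the poster's log).
SAMPLE_1401 = r"""The following handles in user profile hive HOME-PC\SomeUser (S-1-5-21-0-0-0-1005) have been remapped because they were preventing the profile from unloading successfully:

explorer.exe (1100)
HKCU (0x44)
HKCU\Software\Classes (0x9c)
HKCU\Software\Classes (0xcc)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer (0xa8)
HKCU\Control Panel\Appearance\New Schemes\21 (0x164)

javaw.exe (2044)
HKCU\Software\JavaSoft (0x1f0)
"""

PROC_RE = re.compile(r"^(\S+\.exe) \((\d+)\)$")          # "name.exe (pid)"
HANDLE_RE = re.compile(r"^(HKCU.*?) \((0x[0-9A-Fa-f]+)\)$")  # "key (0xhandle)"

def parse_1401(description):
    """Group remapped handles by the (process, pid) that held them open."""
    holders = defaultdict(list)
    current = None
    for raw in description.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            holders.setdefault(current, [])  # keep processes with no handles
            continue
        m = HANDLE_RE.match(line)
        if m and current is not None:
            holders[current].append((m.group(1), int(m.group(2), 16)))
    return dict(holders)

def summarize(holders):
    """Per process: handle count, busiest HKCU subtree, and whether the shell itself held the hive."""
    report = {}
    for (proc, pid), handles in holders.items():
        # Subtree is the first path component under HKCU; bare "HKCU" counts as root.
        subtrees = Counter(k.split("\\")[1] if "\\" in k else "(root)" for k, _ in handles)
        report[proc] = {
            "pid": pid,
            "handles": len(handles),
            "busiest_subtree": subtrees.most_common(1)[0][0] if handles else None,
            "shell_outlived_logoff": proc.lower() == "explorer.exe",
        }
    return report
```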

Thanks for posting back this info.
It’s certainly a bit too deep for me to work out the answer, but if you get an answer (that’s not too techy) I’d be interested in it.

I like Event Log Explorer™

It is a free event log viewer and will provide a free license

Analyze your event logs with Event Log Explorer™ Event Log Explorer™ is an effective software solution for viewing, monitoring and analyzing events recorded in Security, System, Application and other logs of Microsoft Windows NT/2000/XP/2003 operating systems. Event Log Explorer greatly extends standard Windows Event Viewer monitoring functionality and brings many new features.
http://www.eventlogxp.com

I do not see those events on my Vista system so when I fire up the XP Pro system I’ll have a look for those events.

Have a look at:
http://download.microsoft.com/download/a/8/7/a87b3d05-cd04-4743-a23b-b16645e075ac/readme.txt

Scroll down to:
By default UPHClean takes action to allow profiles to unload.

There is a lot of information in that readme file.

Well, I'm now running the UPHClean service at each boot up and that hasn't resolved the multiple explorer.exe's. Because I have had the rare "End Task" hang of SAS Pro at shutdown (as other users have reported on their forums), I was just convinced maybe SAS was causing explorer.exe to not unload. So I just uninstalled SAS in Safe Mode using their uninstall tool to see what that might reveal. Rebooted to Normal Mode.

  1. If I logged into the admin account first, after a log off it would not allow me to then go to a LUA.

  2. But if I initially logged onto a LUA, it would then let me logoff the LUA and log right onto the admin account. But Task Manager would show both user copies of explorer.exe. Totally weird, huh?

So I've reinstalled SAS as it doesn't look like it is causing the problem, or at least it's not readily transparent that it is. I have also presented my dilemma over on the SAS and Comodo forums and am still waiting for further thoughts over there. Going to bounce all this off the MVPs on Windows User Groups now, because if UPHClean isn't resolving it, I just don't know where else to look for possible causes.

BINGO!!! I found my problem. I started looking around at my Defense+ event log (HIPS feature) in Comodo CIS. I saw that Comodo was terminating csrss.exe at every boot up. ??? Per the Wikipedia article, this is what controls the user side of the operating system; it's a critical system file and should NEVER be terminated lest you want a BSOD!! Well, no BSOD's yet, thank God. But why was Comodo terminating a system file when all Windows files are sacrosanct by Comodo? Hmmmmmm… So I started looking around at all my D+ rules in Comodo settings. BINGO, I could see my problem.

Apparently, as a security measure on my part, I had set up my explorer.exe rule in Comodo D+ to be "Protected from Process Termination" (just by malware, I thought). But in doing that, I was also apparently not letting WinXP close it down at logoff cleanly either! :o The minute I undid that rule, Comodo stopped terminating csrss.exe at bootup, and the multiple copies of explorer.exe I've been experiencing at logoffs lately stopped!!! YIPPEEE!!! :smiley: I suspect the 1517 & 1524 events will stop now, too.

Hope posting back my findings may help someone else.

Thanks for the feedback, it is always nice to get to the true culprit.

Comodo, from time to time, brings these surprises to us :stuck_out_tongue:

This post is just to confirm the two Event ID’s 1517 & 1524 have stopped as I predicted they would. Problem is truly fixed now. Thanks to everyone who offered input.