Hiving off trouble

There has definitely been an increase in the number of machines requiring the patch that most support staff call the “hive patch”. To give it its proper name User Profile Hive Cleanup Service is described by Microsoft as “A service to help with slow log off and unreconciled profile problems”.

Their information further says “The User Profile Hive Cleanup service helps to ensure user sessions are completely terminated when a user logs off. System processes and applications occasionally maintain connections to registry keys in the user profile after a user logs off. In those cases the user session is prevented from completely ending. This can result in problems when using Roaming User Profiles in a server environment or when using locked profiles as implemented through the Shared Computer Toolkit for Windows XP.

On Windows 2000 you can benefit from this service if the application event log shows event id 1000 where the message text indicates that the profile is not unloading and that the error is “Access is denied”. On Windows XP and Windows Server 2003 either event ids 1517 and 1524 indicate the same profile unload problem.

To accomplish this the service monitors for logged off users that still have registry hives loaded. When that happens the service determines which application have handles opened to the hives and releases them. It logs the application name and what registry keys were left open. After this the system finishes unloading the profile.”

So why is this particular issue on the rise and what can you do about it ?

I’ve actually had this fault twice today on two diverse and quite different client sites. Both the machines were behaving problematically – though in different ways. The event logs both show Userenv 1517 errors with the content of

Windows saved user Clientsdomainuserwithproblem registry while an application or service was still using the registry during log off. The memory used by the user’s registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at

So my advice is to check the event logs for this regularly and apply the patch at first signs if you want to save yourself from dealing with other problems relating to what this fixes !!