Showing posts with label Event ID 1517. Show all posts
Showing posts with label Event ID 1517. Show all posts

Sunday, September 30, 2012

Event ID 1517 / 1524 in Windows Server 2003 Event Viewer - Server Login Requires Reboot

I recently worked on a Windows 2003 server that required manual reboots in order to login, whether via console or Remote Desktop. After rebooting, Event ID 1517 was logged repeatedly in Event Viewer (protip: this error could also appear as Event ID 1524 in Windows Server 2003, or as Event 1000 in Windows Server 2000). Microsoft explains this error in better detail than I can in KB article 944984 - essentially, user profile registry hives are kept in limbo after log off, and never completely terminated. Unfortunately, the hotfix described in the KB article didn't help. I don't administrate this server, I was just called in to fix the issue without breaking anything else. At this point, I know the administrator had an application in need of some coding assistance. I didn't have time to review every application's authentication behavior, though, and I am a novice developer at best.

As an alternative to reviewing miles of code, I installed the User Profile Hive Cleanup Service. The service runs continuously and looks for users that have logged off but still have a registry hive loaded. Each time a user session is terminated, the user, application and effected registry keys are logged in Event Viewer.

There are no fancy configurations needed to install the User Profile Hive Cleanup Service - just download, install and reboot. The service immediately resolved the issue for me, and no further logon issues were encountered. After the first reboot the eventvwr had a helpful entry in the System log showing me which application and user was causing the issue.

NSA Leak Bust Points to State Surveillance Deal with Printing Firms

Earlier this week a young government contractor named Reality Winner was accused by police of leaking an internal NSA document to news outle...