Good morning,

The details:

Windows 2000 SP4
IIS 5
..Net Framework 1.1
SQL 2000 SP3


The problem: HKLM\Software key becomes intermittently inaccessible. This
occurs on both a development box and a production box (both similarly loaded
to the specs above). I'd post some event log messages, but there aren't any
that seem relevant to the problem. A reboot resolves the problem, but we've
had it reoccur.

Originally we'd thought that the symptoms were limited to the scheduled TSM
backups failing (couldn't read the password from the registry).
Unfortunately, we now have the problem that there's a process run that
schedules a job using Task Scheduler. That fails, due to the registry
problems.

I've attempted to take ownership of the key, but the dialog fails with
"Unable to display security permissions." Searches on Google and MSKB come
up with nothing (so far). I'd like to resolve the problem without
rebooting the server if possible.

I'll be happy to gather/post any additional information that might prove
useful.

Thanks,

Matt Nowell

In microsoft.public.win2000.registry Matt Nowell wrote:

> Good morning,
>
> The details:
>
> Windows 2000 SP4
> IIS 5
> .Net Framework 1.1
> SQL 2000 SP3
>
>
> The problem: HKLM\Software key becomes intermittently
> inaccessible. This occurs on both a development box and a
> production box (both similarly loaded to the specs above). I'd
> post some event log messages, but there aren't any that seem
> relevant to the problem. A reboot resolves the problem, but
> we've had it reoccur.
>
> Originally we'd thought that the symptoms were limited to the
> scheduled TSM backups failing (couldn't read the password from
> the registry). Unfortunately, we now have the problem that
> there's a process run that schedules a job using Task Scheduler.
> That fails, due to the registry problems.

I should try running REGMON (Sysinternals) to see if the relevant
registry writes (assumed) can be logged.

> I've attempted to take ownership of the key, but the dialog
> fails with "Unable to display security permissions." Searches

Yet this is gone on a reboot? Initially it sounds somewhat like
corrupt security data in the SOFTWARE hive (which usually means
replace from last available backup hive file). But clearing on
reboot makes it seem more like some active process is modifying or
locking the key. See if Regmon can show you what process is
(presumably) "messing" things up.

I assume that Anti-* tools have been run on the system and came up
clean. I assume the process list is "normal" and that none of the
event log entries are unexpected or unexplained. Have you thought
to run RootkitRevealer (Sysinternals) just to eliminate one set of
possibilities? (the system should be quiescent for this RKR run)

Just some initial ideas to look at. Anything more you can think of
there to post, may be useful to others here.

Thanks for the response!

I hadn't originally thought about spyware or viruses, since this is a server
that we "shouldn't" be surfing from. That said, I discovered after an audit
that some developers have administrator access.

Unfortunately, the RKRevealer, McAfee Stinger and spyware checks came back
with nothing. A Regmon was slightly more interesting.

I can see applications (mostly Microsoft) continuing to use, access, create,
write and query registry keys under HKLM\Software. Some are successful,
some are not. I still can't get to it from Regedit or any other tool that I
can see. I'm about to the point of calling Microsoft, because I can't even
get to the point of finding any processes that would have the registry
locked.

I also took a look at the active processes using ProcExp (another Mark
Russinovich wondertool), and nothing tracks to being odd. I don't see
anything there that shouldn't be. I'm going to go ahead and reboot the
server after gaining permission and rerun these toolks and checks after the
registry is fully readable.

I'll post whatever resolution Microsoft gives me or I find here for public
consumption once I have one.

Thanks,


"Mark V" <notvalid@nul.invalid> wrote in message
news:Xns973AAEC96CEE3z9zzaQ2btw@msnews.microsoft.com...
> In microsoft.public.win2000.registry Matt Nowell wrote:
>
>> Good morning,
>>
>> The details:
>>
>> Windows 2000 SP4
>> IIS 5
>> .Net Framework 1.1
>> SQL 2000 SP3
>>
>>
>> The problem: HKLM\Software key becomes intermittently
>> inaccessible. This occurs on both a development box and a
>> production box (both similarly loaded to the specs above). I'd
>> post some event log messages, but there aren't any that seem
>> relevant to the problem. A reboot resolves the problem, but
>> we've had it reoccur.
>>
>> Originally we'd thought that the symptoms were limited to the
>> scheduled TSM backups failing (couldn't read the password from
>> the registry). Unfortunately, we now have the problem that
>> there's a process run that schedules a job using Task Scheduler.
>> That fails, due to the registry problems.
>
> I should try running REGMON (Sysinternals) to see if the relevant
> registry writes (assumed) can be logged.
>
>> I've attempted to take ownership of the key, but the dialog
>> fails with "Unable to display security permissions." Searches
>
> Yet this is gone on a reboot? Initially it sounds somewhat like
> corrupt security data in the SOFTWARE hive (which usually means
> replace from last available backup hive file). But clearing on
> reboot makes it seem more like some active process is modifying or
> locking the key. See if Regmon can show you what process is
> (presumably) "messing" things up.
>
> I assume that Anti-* tools have been run on the system and came up
> clean. I assume the process list is "normal" and that none of the
> event log entries are unexpected or unexplained. Have you thought
> to run RootkitRevealer (Sysinternals) just to eliminate one set of
> possibilities? (the system should be quiescent for this RKR run)
>
> Just some initial ideas to look at. Anything more you can think of
> there to post, may be useful to others here.

Thanks for the response!

I hadn't originally thought about spyware or viruses, since this is a server
that we "shouldn't" be surfing from. That said, I discovered after an audit
that some developers have administrator access.

Unfortunately, the RKRevealer, McAfee Stinger and spyware checks came back
with nothing. A Regmon was slightly more interesting.

I can see applications (mostly Microsoft) continuing to use, access, create,
write and query registry keys under HKLM\Software. Some are successful,
some are not. I still can't get to it from Regedit or any other tool that I
can see. I'm about to the point of calling Microsoft, because I can't even
get to the point of finding any processes that would have the registry
locked.

I also took a look at the active processes using ProcExp (another Mark
Russinovich wondertool), and nothing tracks to being odd. I don't see
anything there that shouldn't be. I'm going to go ahead and reboot the
server after gaining permission and rerun these toolks and checks after the
registry is fully readable.

I'll post whatever resolution Microsoft gives me or I find here for public
consumption once I have one.

Thanks,


"Mark V" <notvalid@nul.invalid> wrote in message
news:Xns973AAEC96CEE3z9zzaQ2btw@msnews.microsoft.com...
> In microsoft.public.win2000.registry Matt Nowell wrote:
>
>> Good morning,
>>
>> The details:
>>
>> Windows 2000 SP4
>> IIS 5
>> .Net Framework 1.1
>> SQL 2000 SP3
>>
>>
>> The problem: HKLM\Software key becomes intermittently
>> inaccessible. This occurs on both a development box and a
>> production box (both similarly loaded to the specs above). I'd
>> post some event log messages, but there aren't any that seem
>> relevant to the problem. A reboot resolves the problem, but
>> we've had it reoccur.
>>
>> Originally we'd thought that the symptoms were limited to the
>> scheduled TSM backups failing (couldn't read the password from
>> the registry). Unfortunately, we now have the problem that
>> there's a process run that schedules a job using Task Scheduler.
>> That fails, due to the registry problems.
>
> I should try running REGMON (Sysinternals) to see if the relevant
> registry writes (assumed) can be logged.
>
>> I've attempted to take ownership of the key, but the dialog
>> fails with "Unable to display security permissions." Searches
>
> Yet this is gone on a reboot? Initially it sounds somewhat like
> corrupt security data in the SOFTWARE hive (which usually means
> replace from last available backup hive file). But clearing on
> reboot makes it seem more like some active process is modifying or
> locking the key. See if Regmon can show you what process is
> (presumably) "messing" things up.
>
> I assume that Anti-* tools have been run on the system and came up
> clean. I assume the process list is "normal" and that none of the
> event log entries are unexpected or unexplained. Have you thought
> to run RootkitRevealer (Sysinternals) just to eliminate one set of
> possibilities? (the system should be quiescent for this RKR run)
>
> Just some initial ideas to look at. Anything more you can think of
> there to post, may be useful to others here.

Thanks for the response!

I hadn't originally thought about spyware or viruses, since this is a server
that we "shouldn't" be surfing from. That said, I discovered after an audit
that some developers have administrator access.

Unfortunately, the RKRevealer, McAfee Stinger and spyware checks came back
with nothing. A Regmon was slightly more interesting.

I can see applications (mostly Microsoft) continuing to use, access, create,
write and query registry keys under HKLM\Software. Some are successful,
some are not. I still can't get to it from Regedit or any other tool that I
can see. I'm about to the point of calling Microsoft, because I can't even
get to the point of finding any processes that would have the registry
locked.

I also took a look at the active processes using ProcExp (another Mark
Russinovich wondertool), and nothing tracks to being odd. I don't see
anything there that shouldn't be. I'm going to go ahead and reboot the
server after gaining permission and rerun these toolks and checks after the
registry is fully readable.

I'll post whatever resolution Microsoft gives me or I find here for public
consumption once I have one.

Thanks,


"Mark V" <notvalid@nul.invalid> wrote in message
news:Xns973AAEC96CEE3z9zzaQ2btw@msnews.microsoft.com...
> In microsoft.public.win2000.registry Matt Nowell wrote:
>
>> Good morning,
>>
>> The details:
>>
>> Windows 2000 SP4
>> IIS 5
>> .Net Framework 1.1
>> SQL 2000 SP3
>>
>>
>> The problem: HKLM\Software key becomes intermittently
>> inaccessible. This occurs on both a development box and a
>> production box (both similarly loaded to the specs above). I'd
>> post some event log messages, but there aren't any that seem
>> relevant to the problem. A reboot resolves the problem, but
>> we've had it reoccur.
>>
>> Originally we'd thought that the symptoms were limited to the
>> scheduled TSM backups failing (couldn't read the password from
>> the registry). Unfortunately, we now have the problem that
>> there's a process run that schedules a job using Task Scheduler.
>> That fails, due to the registry problems.
>
> I should try running REGMON (Sysinternals) to see if the relevant
> registry writes (assumed) can be logged.
>
>> I've attempted to take ownership of the key, but the dialog
>> fails with "Unable to display security permissions." Searches
>
> Yet this is gone on a reboot? Initially it sounds somewhat like
> corrupt security data in the SOFTWARE hive (which usually means
> replace from last available backup hive file). But clearing on
> reboot makes it seem more like some active process is modifying or
> locking the key. See if Regmon can show you what process is
> (presumably) "messing" things up.
>
> I assume that Anti-* tools have been run on the system and came up
> clean. I assume the process list is "normal" and that none of the
> event log entries are unexpected or unexplained. Have you thought
> to run RootkitRevealer (Sysinternals) just to eliminate one set of
> possibilities? (the system should be quiescent for this RKR run)
>
> Just some initial ideas to look at. Anything more you can think of
> there to post, may be useful to others here.

In case some of you though I'd fixed it and moved on, I haven't yet fixed
it.

I do however have a ticket open with Microsoft, and will post resolution
should I obtain it!

Thanks,

Matt Nowell
"Matt Nowell" <mdnowell@spamnotme.gmail.com> wrote in message
news:%23W$dqp%23CGHA.1028@TK2MSFTNGP11.phx.gbl...
> Good morning,
>
> The details:
>
> Windows 2000 SP4
> IIS 5
> .Net Framework 1.1
> SQL 2000 SP3
>
>
> The problem: HKLM\Software key becomes intermittently inaccessible. This
> occurs on both a development box and a production box (both similarly
> loaded to the specs above). I'd post some event log messages, but there
> aren't any that seem relevant to the problem. A reboot resolves the
> problem, but we've had it reoccur.
>
> Originally we'd thought that the symptoms were limited to the scheduled
> TSM backups failing (couldn't read the password from the registry).
> Unfortunately, we now have the problem that there's a process run that
> schedules a job using Task Scheduler. That fails, due to the registry
> problems.
>
> I've attempted to take ownership of the key, but the dialog fails with
> "Unable to display security permissions." Searches on Google and MSKB
> come up with nothing (so far). I'd like to resolve the problem without
> rebooting the server if possible.
>
> I'll be happy to gather/post any additional information that might prove
> useful.
>
> Thanks,
>
> Matt Nowell
>
>

In microsoft.public.win2000.registry Matt Nowell wrote:

> Matt Nowell
> "Matt Nowell" <mdnowell@spamnotme.gmail.com> wrote in message
> news:%23W$dqp%23CGHA.1028@TK2MSFTNGP11.phx.gbl...
>> Good morning,
>>
>> The details:

[ snip, see parent post ]


> In case some of you though I'd fixed it and moved on, I haven't
> yet fixed it.
>
> I do however have a ticket open with Microsoft, and will post
> resolution should I obtain it!

Thanks Matt for following up and good luck! We will be interested to
hear of Microsoft's explanation and fix.

Well, it's not really a fix so much as it was a process of sorting out what
was going on.

Microsoft was of little to no help. Their recommendation was that I shut
down all third party services on a production server running third party
applications. I wasn't clear as to why, and they didn't provide much
documentation.

So, off I went to sort it out myself. Using Process Explorer, I started
looking extensively at As it turns out, one of our third party jobs (Serena
Teamtrack) had a Broker service that was opening, and not closing, registry
keys.

Restart that service, and all becomes right. Funny part? The Serena folks
know about it and suggested that I write a batch file to stop and start the
Broker service.


Thanks for everyone's help!


"Matt Nowell" <mdnowell@spamnotme.gmail.com> wrote in message
news:%23W$dqp%23CGHA.1028@TK2MSFTNGP11.phx.gbl...
> Good morning,
>
> The details:
>
> Windows 2000 SP4
> IIS 5
> .Net Framework 1.1
> SQL 2000 SP3
>
>
> The problem: HKLM\Software key becomes intermittently inaccessible. This
> occurs on both a development box and a production box (both similarly
> loaded to the specs above). I'd post some event log messages, but there
> aren't any that seem relevant to the problem. A reboot resolves the
> problem, but we've had it reoccur.
>
> Originally we'd thought that the symptoms were limited to the scheduled
> TSM backups failing (couldn't read the password from the registry).
> Unfortunately, we now have the problem that there's a process run that
> schedules a job using Task Scheduler. That fails, due to the registry
> problems.
>
> I've attempted to take ownership of the key, but the dialog fails with
> "Unable to display security permissions." Searches on Google and MSKB
> come up with nothing (so far). I'd like to resolve the problem without
> rebooting the server if possible.
>
> I'll be happy to gather/post any additional information that might prove
> useful.
>
> Thanks,
>
> Matt Nowell
>
>

In microsoft.public.win2000.registry Matt Nowell wrote:

> Well, it's not really a fix so much as it was a process of
> sorting out what was going on.
>
> Microsoft was of little to no help. Their recommendation was
> that I shut down all third party services on a production server
> running third party applications. I wasn't clear as to why, and
> they didn't provide much documentation.
>
> So, off I went to sort it out myself. Using Process Explorer, I
> started looking extensively at As it turns out, one of our third
> party jobs (Serena Teamtrack) had a Broker service that was
> opening, and not closing, registry keys.
>
> Restart that service, and all becomes right. Funny part? The
> Serena folks know about it and suggested that I write a batch
> file to stop and start the Broker service.

Can we say "DUMB"? Lovely solution <sarcasm> for their poorly
written (and apparently disowned) application/service.

> Thanks for everyone's help!

Glad to hear you found the culprit and have a workable solution.
We love happy endings! <G>

I'm getting a similar problem, although it's not the entire Software
hive. I'm finding that one of my applications is causing a key I use to
become inaccessible. RegMon (all praise Mark) tells me "INSUFFICIENT
RESOURCES". I can also see that my App is repeatedly opening the key,
but never closing it. Stopping my app (which is an NT service) releases
the key, and regedit can then access it.

I checked my code, and found that I was not closing the key, or freeing
the TRegistry object that I was using. Adding these to my code fixed the
problem.

What I suggest you do is use RegMon to come up with a list of processes
that open Common. Try stopping these to find out which one is not
releasing the resources - I'd start with any uncommon services. If
that's successful, set RegMon to monitor only that process, and see
what happens when you start it up.



--
RussellJones
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message2049016.html

I too am having the same problem.

After a reboot it runs for about 2 weeks and then it occurs again.

I would be very interested in the results of anyone else.



--
zahroc
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message2049016.html