Fast switching users

Discussion in 'ESET NOD32 Antivirus' started by Philippe_FR22, Aug 4, 2008.

Thread Status:
Not open for further replies.
  1. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Hello all,
    I experienced a strange problem on one PC, since ESET NOD32 3.0.669 upgrade (from 3.0.667). I have 3 accounts (one of them is administrator, mine, and the 2 others are normal users). Frequently, my daughter opens her account by using the XP fast user switching capabilities, selecting Change User... And she opens her session... When trying to switch back to my account, by selecting Close Session (My Daughter session), PC start closing the session and storing paramaters but process take a very long time... Once parameters saved, while I should be able to see the initial session opening tab, I can't see anything, in fact, screen is black and PC does not react to any keys or events... PC si frozen !
    I have to reset it ...

    Has anyone experienced the same problem since 3.0.669? (Sorry for my bad English)

    Regards
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    You could try uninstalling EAV to confirm or deny that the issue is related to it. Or at least you could try setting the real-time protection not to start automatically, just for testing purposes.
     
  3. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Hello,
    I made the following tests:
    1) Totally reinstalled EAV 3.0.669 from scratch, having cleaned files, directories and registry keys (using the search facilities given by JV16)
    => After some tests, the problem occurred once again, but on my 2 PCs...

    So, it seems that upgrading from 3.0.667 or a clean install of 3.0.669 doesn't change anything...

    2) I installed Microsoft UPHClean and reproduced the fast user switching hang...
    I noticed a message saying that UPHClean did not succeed in stopping ZoneAlarm Pro or something like that...

    3) A few weeks ago, I had to install the ZAP 7.0.483 upgrade due to the Microsoft DNS security update... I decided to uninstall ZAP and fresh reinstall it after a deep cleaning task...

    I'm currently testing ...

    I will notify you of the result...
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    With UPHC installed, ekrn.exe must be excluded in its registry keys.
     
  5. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Thank you for the information. How can I exclude ekrn.exe from the registry keys? Is there some configuration possibility?
    Could you explain to me why I should have to exclude ekrn.exe in its registry keys? What could happen if not?
    Thank you in advance
    Regards
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please refer to this readme file.

    PROBLEMS USING UPHCLEAN
    =======================

    Because UPHClean assists in unloading the users registry hive some services
    may behave incorrectly. Administrators are encouraged to test and watch for
    unexpected behavior. If unwanted behavior is identified contact the
    developers of software that UPHClean identified as preventing profile from
    unloading.

    UPHClean assists the operating system to unload user profile hive by
    remapping the handles to the user profile hive to the default user hive.
    For example if a process has a handle to
    HKEY_USERS\S-1-5-21-X-Y-Z\Software\Microsoft after remapping it would have a
    handle to HKEY_USERS\.DEFAULT\Software\Microsoft. This allows the profile
    hive to unload. This may not work if the application expects data
    that would only be available under the specific user profile hive it was
    accessing since the data will not be copied.

    If you find that removing UPHClean stops a particular problem from occurring
    then you may be interested in restricting UPHClean from processing certain
    handles. UPHClean ignores handles that are held open to profile hives for
    the users specified on the user exclusion list or by processes specified on the
    process exclusion list. These lists are specified using the following
    registry values:

    HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\PROCESS_EXCLUSION_LIST

    HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\USER_EXCLUSION_LIST

    Note that since these values are specified as REG_MULTI_SZ strings you should
    use regedt32 on Windows NT and Windows 2000 to edit them.

    The process exclusion list is a list of process names that UPHClean should
    ignore when determining which handles to user profile hives to act on. Each
    process name is specified on its own line when input in registry editor. The
    process name should be specified the same way as it shows in Task Manager.
    Usually this is the file name of the program (e.g. notepad.exe).

    A few processes show multiple times in Task Manager. It is possible to specify
    that a certain DLL be loaded in the process to allow a selection of a specific
    process. This is useful with the svchost process to identify a specific
    instance. For example to specify the svchost process that the Remote Procedure
    Call (RPC) service is running in on Windows 2000, Windows XP and Windows Server
    2003 you would specify svchost.exe/rpcss.dll in the process exclusion list.

    The user exclusion list is a list of user security identifiers (SIDs) or user names
    that UPHClean should ignore when determining which handles to user profile hives
    to act on. Each user SID or name is specified on its own line when input in
    registry editor. If specifying a user name you must enter the user domain name
    followed by a backslash followed by the user name. For example
    RCARONDOM\RCARON to specify the user RCARON from domain RCARONDOM. SIDs should
    be specified in the usual string format (e.g.
    S-1-5-21-2127521184-1604012920-1887927527-68486). This is the same string you
    see under HKEY_USERS in registry editor.

    Note that the user exclusion list always includes the following SIDs: S-1-5-18,
    S-1-5-19, S-1-5-20. Unloading these profiles can cause problems so UPHClean
    will not attempt to process handles to these profiles.

    Which processes UPHClean performs handle remapping on can be specified using the
    following registry value:

    HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REMAP_HANDLE_PROCESS_LIST

    The list by default contains '*' which specifies that handle remapping should
    be performed for all non-excluded processes. This list can be changed to only
    include specified processes in the same manner as the process exclusion list.
    Processes specified on this list can be preceded by a '-' character to specify
    that they should be excluded from handle remapping. Any handle for a process
    that is not excluded but has handle remapping turned off will be closed.
     
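The readme above names the registry value that holds the process exclusion list but gives no command for editing it. The following PowerShell script is an added example (not from the thread, ESET or Microsoft) that appends ekrn.exe, the process Marcos names, to PROCESS_EXCLUSION_LIST. It assumes UPHClean is installed as a service named UPHClean (the service name the readme's registry path implies), that the script runs from an elevated prompt, and that UPHClean reads the list when its service starts, so the service is restarted at the end. The value is written as REG_MULTI_SZ, as the readme requires.

```powershell
# Added example: put ekrn.exe on UPHClean's process exclusion list so UPHClean
# neither remaps nor closes the handles that ESET's kernel service holds to a
# user's profile hive (see the readme quoted above). Run as Administrator.
# Assumptions: the UPHClean service is named "UPHClean"; the list is read at
# service start, so the service is restarted after the change.

$paramsKey        = 'HKLM:\SYSTEM\CurrentControlSet\Services\UPHClean\Parameters'
$valueName        = 'PROCESS_EXCLUSION_LIST'
$processToExclude = 'ekrn.exe'   # name exactly as Task Manager shows it

if (-not (Test-Path $paramsKey)) {
    throw "UPHClean parameters key not found under $paramsKey; is UPHClean installed?"
}

# Read the existing REG_MULTI_SZ. The value may be absent on a fresh install,
# in which case we start from an empty list.
$existing = @()
$prop = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $prop) {
    $existing = @($prop.$valueName)
}

# PowerShell's -contains compares strings case-insensitively, which matches
# how process names appear in Task Manager.
if ($existing -contains $processToExclude) {
    Write-Host "$processToExclude is already on $valueName."
} else {
    $updated = $existing + $processToExclude
    # -PropertyType MultiString writes REG_MULTI_SZ; -Force overwrites the
    # existing value or creates it if it does not exist yet.
    New-ItemProperty -Path $paramsKey -Name $valueName -Value $updated `
                     -PropertyType MultiString -Force | Out-Null
    Write-Host "Added $processToExclude to $valueName."
}

# Show the resulting list, one process per line, then restart UPHClean so
# the new exclusion takes effect.
(Get-ItemProperty -Path $paramsKey -Name $valueName).$valueName
Restart-Service -Name 'UPHClean'
```

To confirm the exclusion is honoured, reproduce the log-off and check the UPHClean entries in the Application event log: after the change, ekrn.exe should no longer be listed among the processes whose handles UPHClean acted on.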
  7. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    Yes Marcos, I read it... But nowhere is it said that I should add ekrn.exe to the exclude list. Maybe you or some ESET staff have tested it and effectively recommend doing it?

    Well, I believe (and I hope) that ZAP was the culprit... And if it is validated, I plan to uninstall UPHC...
     
  8. Philippe_FR22

    Philippe_FR22 Registered Member

    Joined:
    Sep 6, 2007
    Posts:
    249
    I uninstalled UPHClean. Therefore, since the clean ZAP reinstall, things seem to be OK now...
     