Fast switching users

Hello all,
I experienced a strange problem on one PC, since ESET NOD32 3.0.669 upgrade (from 3.0.667). I have 3 accounts (one of them is administrator, mine, and the 2 others are normal users). Frequently, my daughter opens her account by using the XP fast user switching capabilities, selecting Change User... And she opens her session... When trying to switch back to my account, by selecting Close Session (My Daughter session), PC start closing the session and storing paramaters but process take a very long time... Once parameters saved, while I should be able to see the initial session opening tab, I can't see anything, in fact, screen is black and PC does not react to any keys or events... PC si frozen !
I have to reset it ...

Has anyone experienced same problem since 3.0.669 ? (Sorry for my bad english)

Regards

 

You could try uninstalling EAV to confirm or deny that the issue is related to it. Or at least you could try setting the real-time protection not to start automatically, just for testing purposes.

 

Hello,
I made the following tests :
1) Totally re-install EAV 3.0.669, from scratch, and having cleaned files, directories and registry keys (using search facilities given by JV16)
=> After some tests, problem occured once again, but on my 2 PC...

So, it seems that upgrading from 3.0.667 or clean install 3.0.669 does'nt change anything...

2) I installed microsoft UPH-clean and reproduced fast switch user hang...
I noticed a message saying that UPH clean did not succeed in stopping zonealarmpro or something like that...

3) A few weeks ago, I had to install upgrade zap 7.0.483 due to microsoft dns security update... I decided to uninstall zap and fresh reinstall it after a deep cleaning task...

I'm currently testing ...

I will notify you of the result...

 

With UPHC installed, ekrn.exe must be excluded in its registry keys.

 

Thank you for information. How can I exclude ekrn.exe from the registry keys ? Is there some configuration possibility ?
Could you explain me why should I have to exclude ekrn.exe in its registry keys ? What could happen, if not ?
Thank you in advance
Regards

 

Please refer to this readme file.

PROBLEMS USING UPHCLEAN
=======================

Because UPHClean assists in unloading the users registry hive some services
may behave incorrectly. Administrators are encouraged to test and watch for
unexpected behavior. If unwanted behavior is identified contact the
developers of software that UPHClean identified as preventing profile from
unloading.

UPHClean assists the operating system to unload user profile hive by
remapping the handles to the user profile hive to the default user hive.
For example if a process has a handle to
HKEY_USERS\S-1-5-21-X-Y-Z\Software\Microsoft after remapping it would have a
handle to HKEY_USERS\.DEFAULT\Software\Microsoft. This allows the profile
hive to unload. This may not work if the application expects data
that would only be available under the specific user profile hive it was
accessing since the data will not be copied.

If you find that removing UPHClean stops a particular problem from occurring
then you may be interested in restricting UPHClean from processing certain
handles. UPHClean ignores handles that are held opened to profile hives for
the users specified on the user exclusion list or by processes specified on the
process exclusion list. These lists are specified using the following
registry values:

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\PROCESS_EXCLUSION_LIST

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\USER_EXCLUSION_LIST

Note that since these values are specified as REG_MULTI_SZ strings you should
use regedt32 on Windows NT and Windows 2000 to edit them.

The process exclusion list is a list of process names that UPHClean should
ignore when determining which handles to user profile hives to act on. Each
process name is specified on its own line when input in registry editor. The
process name should be specified the same way as it shows in Task Manager.
Usually this is the file name of the program (e.g. notepad.exe).

A few process show multiple times in Task Manager. It is possible to specify
that a certain DLL be loaded in the process to allow a selection of a specific
process. This is useful with the svchost process to identify a specific
instance. For example to specify the svchost process that the Remote Procedure
Call (RPC) service is running in on Windows 2000, Windows XP and Windows Server
2003 you would specify svchost.exe/rpcss.dll in the process exclusion list.

The user exclusion list is a list of user security identifier (SID) or user
that UPHClean should ignore when determining which handle to user profile hives
to act on. Each user SID or name is specified on its own line when input in
registry editor. If specifying a user name you must enter the user domain name
followed by a backslash followed by the user name. For example
RCARONDOM\RCARON to specify the user RCARON from domain RCARONDOM. SIDs should
be specified in the usual string format (e.g.
S-1-5-21-2127521184-1604012920-1887927527-68486). This is the same string you
see under HKEY_USERS in registry editor.

Note that the user exclusion list always includes the following SIDs: S-1-5-18,
S-1-5-19, S-1-5-20. Unloading these profiles can cause problems so UPHClean
will not attempt to process handles to these profiles.

Which processes UPHClean performs handle remapping can specified using the
following registry value:

HKLM\System\CurrentControlSet\Services\UPHClean\Parameters\REMAP_HANDLE_PROCESS_LIST

The list by default contains '*' which specifies that handle remapping should
be performed for all non-excluded processes. This list can be changed to only
include specified processes in the same manner as the process exclusion list.
Processes specified on this list can be preceeded by a '-' character to specify
that they should be excluded from handle remapping. Any handle for a process
that is not excluded but has handle remapping turned off will be closed.

 

Yes Marcos, I read it... But nowhere it is said that I should add ekrn.exe in the exlude list. Maybe you or some ESET staff has test it and recommend effectively to do it ?

Well, I beleive (and I hope) that zapro was the culprit... And if it is validated, I plan to uninstall UPC...

 

I uninstalled UPHClean. Therefore, since ZAP clean reinstall, things seem to be ok now...