Userenv error with ddwin.exe

Discussion in 'NOD32 version 2 Forum' started by ThomasAdams, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. ThomasAdams

    ThomasAdams Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    35
    Location:
    Oregon, USA
    I recently reformatted my system and reinstalled NOD 32 2.7 (details below) and ran across an error on shutdown and I thought I would post it here just in case others had problems also.

    On computer shutdown, I was getting a ddwin.exe error, with no details as to what program had caused the error. Upon boot, there was no logs to be found, aside from the Event viewer which also was not alot of help. But at least let me know something was happening.

    In event viewer the Userenv Provides a little info (not enough to really point you in the right direction).

    Event:

    Date 1/5/2008 Source: Userenv
    Type: Warning Event ID: 1517
    User: NT Authority\System



    After reading up on it, I chose to follow the link to this:

    http://support.microsoft.com/kb/837115/en-us

    I started disabling/Ending task for each service/program hoping to locate the culprit of the errors in the event log, and on shutdown. That did not offer any solution. Then it dawned on me, I checked the NOD 32 settings and sure enough, it was set to scan the boot sector on shutdown. Which could cause the scenario as detailed by Microsoft. I unchecked the scan boot sector at shutdown, rebooted... No error on shutdown (ddwin.exe popup) and after my machine was up and running, event viewer had no new event's with the ID: 1517.

    Hope this helps some!
    Best regards,
    Thomas
     
  2. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Hi, Thomas. Where did you uncheck 'scan boot sector at shutdown' in NOD32 2.7?
    I have the same entries in my Event log from time to time, although I don't have the dwwin.exe popup.

    Furthermore, can anyone comment on the fact if it's wise to uncheck this option in NOD32?

    I don't have the dwwin.exe popups myself but I do find the 'userenv' notations in my event log from time to time. I don't know if this is bad or not.

    EDIT: @Thomas: I found where to uncheck 'scan boot sectors at shutdown', but I don't know if it's smart/safe to uncheck it. As I understand it you might risk an infection on reboot if you uncheck this option in NOD, but perhaps someone with more knowledge on this subject can comment on this?
     
    Last edited: Jan 6, 2008
  3. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    @Thomas: I did some more research into this problem and I discovered that it isn't NOD that is causing the userenv errors in the log, but in fact svchost.exe.

    It has problems unloading the userprofile and therefore a 'userenv\1517'-message is created.

    Microsoft has developed a tool for this problem, UPHClean.exe, which unloads any profile or process that causes this message in the event logs.
    I installed it and the problem was solved.

    Perhaps you could try this as well, I wouldn't recommend unchecking the 'scan boot sector at shutdown' in NOD.
     
Thread Status:
Not open for further replies.