
PDQ inventory scan leaves loaded registry hives from user profiles behind

Hi,

After a restart of a computer, there are no user registry hives loaded. I can check this with regedit.exe connected remotely to the machine, or more easily with the SysInternals tool "psloggedon.exe".

After a computer scan with PDQ inventory 7.3 (or 7.2), many, but not all, computers have all locally available user hives loaded.

All computers are running 64-bit versions of Windows 7 / 2008 / 2008R2 / 2012R2. It even happens on a fresh machine without antivirus software installed. I can unload those registry hives manually through regedit without a problem, so there should be no reason not to unload those hives automatically.

Further investigation with Process Monitor shows WMI loading all the profiles through a process called wmiprvse.exe, probably initiated by PDQ inventory. On the computers not affected by the problem, Process Monitor shows that the user registry hives get loaded/unloaded two times. On those machines which show the strange behaviour, the hives do not get unloaded even the first time.

Has anyone else seen this?

Any ideas why the profiles do not get unloaded again on some machines although I can unload them manually?

Which WMI classes connected to user registry hives get queried by PDQ inventory? Maybe I can recreate the problem even without PDQ inventory.
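
The before/after check described in the post can be made repeatable with a script. This is an added example, not part of the original post and not PDQ's code; the function names, parameter names and the host name `PC01` are hypothetical, and it assumes PowerShell 3 or later and a reachable Remote Registry service on the target.

```powershell
# Added example: snapshot the user hives loaded under HKEY_USERS on a remote
# machine, then diff two snapshots to see which hives a scan left loaded.
function Get-LoadedUserHive {
    param([Parameter(Mandatory)][string]$ComputerName)

    $usersHive = [Microsoft.Win32.RegistryHive]::Users
    $hklmHive  = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($usersHive, $ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hklmHive, $ComputerName)
    try {
        foreach ($sid in $hku.GetSubKeyNames()) {
            # Keep account hives only; skip .DEFAULT, the service SIDs
            # (S-1-5-18/19/20) and the companion <SID>_Classes hives.
            if ($sid -notmatch '^S-1-5-21-[0-9-]+$') { continue }

            # Map the SID to its profile folder via ProfileList.
            $path = $null
            $key = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid")
            if ($key) {
                $path = $key.GetValue('ProfileImagePath')
                $key.Close()
            }
            [pscustomobject]@{ Computer = $ComputerName; Sid = $sid; ProfilePath = $path }
        }
    }
    finally {
        $hku.Close(); $hklm.Close()
    }
}

function Compare-HiveSnapshot {
    param([object[]]$Before = @(), [object[]]$After = @())
    # Works when $Before is empty (freshly rebooted machine, nobody logged on).
    $known = @($Before | ForEach-Object { $_.Sid })
    $After | Where-Object { $known -notcontains $_.Sid }
}

# Usage (PC01 is a constructed host name):
# $before = @(Get-LoadedUserHive -ComputerName 'PC01')   # after reboot, before the scan
# ... run the inventory scan ...
# $after  = @(Get-LoadedUserHive -ComputerName 'PC01')
# Compare-HiveSnapshot -Before $before -After $after      # hives left loaded
```

A hive that belongs to an interactively logged-on user also appears in the snapshot, so take the "before" snapshot in the same logon state as the "after" one.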
