Event Log from NT Authority\System

Status
Not open for further replies.

Marvel

I am seeing this event logged in the application event file about once each day. From research it seems Remote Access Connection Manager (RASMAN), svchost.exe -k netsvcs, is the source of this issue. Also, a trojan can be associated with this problem, but in my case I don't believe so. I stopped the RASMAN service and so far I don't see any effect on my system, good or bad.
-
My question is: does anyone have experience with this event and understand it better than I? Has anyone shut off this service? I have read MS comments about RASMAN and its association with Service Pack-2 but would like more input as to system effect, if any. Thanks very much.
Running XP-PRO Service Pack-2 with DSL service, ZAP.
-
Following is the event log
--------
Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 10/20/2004
Time: 6:20:46 AM
User: NT AUTHORITY\SYSTEM
Computer: xxx-xxx
Description:
Windows saved user xxx-xxx\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
-----------

A separate set of questions in the same area:
Running Belarc Advisor shows under logins that in addition to my normal user accounts there are NT Authority\local service, NT Authority\network service and NT Authority\system. What are these for? Any information will help.
Thanks again.
 
NT Authority is the local machine. If, for example, you are in a domain environment, you have domain\username. On the local system, you have NT Authority\username. That is what that is for. It's just an internal identifier for the system to see that you are local and not from outside this machine.
As to the error: if you have multiple users logging into a machine, or services that have authentication in them, it's possible that you are just bumping heads with access rights. It's not uncommon for a Windows machine to keep a lock on an account after it's logged off. This is usually from a program that terminated improperly and left an open handle to a key or file. The event is really just a warning anyway, so it's not worth troubleshooting, 'cause there is potential for a lot of time to be spent.
As to other causes, I know we get a problem in our enterprise with SMS accounts. If you're not familiar, I'll try to explain... SMS is a software distribution tool from MS. You can deploy applications out to any machine that is part of the SMS site. Anyway, there are several accounts that SMS uses to do this. Two are used for network-based traffic and one is the installer account. Our problem is that every now and again, one or both of the network accounts gets into a pissing match with itself, thinking that it is locked out of its own account, and in the interim creates another account and then does what it needed. Now this will continue on and on until the profile name space is full. (Account andm.domain.xxx where xxx stops at 999) Same cause as what you are seeing in the above error. Only this isn't duplicating the problem for you.

If you change the account handles for the service, you might be able to clear it, like it's said near the end of the log file...
 
Thanks Inaris, my concern is over the memory that is not cleaned up and released back to the system. I have a single PC with 3 user accounts; only one is active at a time. They would look like: xxx\administrator, xxx\user1, xxx\user2. I have not noticed this before Service Pack 2. I log off and then power down, as an example, to stay away from just these kinds of situations. So thanks again.
 
Check the service that is listed. Under computer management, you can actually assign the system context that is used for running a service. This may be where the problem exists.
Just a thought.
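
One way to run the check suggested in the reply above and in the event text (services configured to log on as a user account rather than LocalSystem, LocalService or NetworkService). This is an added example, not part of the original thread; it assumes Windows PowerShell with `Get-WmiObject` and `Get-EventLog` available, and the 2000-entry window is an arbitrary choice.

```powershell
# Built-in service identities; anything else in "Log On As" is a user account
# whose profile registry hive the service can keep loaded after logoff.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# Win32_Service.StartName is the account shown as "Log On As" in the Services console.
$userServices = Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    Sort-Object StartName, Name |
    Select-Object Name, DisplayName, StartName, State, StartMode

if ($userServices) {
    $userServices | Format-Table -AutoSize
} else {
    # An empty result means the hive is being held by something other than a
    # service configured with a user account (for example a process running
    # as SYSTEM that opened the user's registry keys).
    'No services are configured to log on as a user account.'
}

# Recent Userenv 1517 warnings from the Application log, so their times and
# the affected account can be compared with logoffs and with the list above.
Get-EventLog -LogName Application -Newest 2000 |
    Where-Object { $_.Source -eq 'Userenv' -and $_.EventID -eq 1517 } |
    Select-Object TimeGenerated, UserName, Message |
    Format-List
```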
 
I read the help file on adjusting settings and although they sound OK, it is not very clear which service is at fault. I don't feel comfortable about charging in and playing with service settings right now. :D Got to look around some more.
 