Author: Nox Metus
Subject: Why does MapUserClassesIntoUserHive delete keys?
Posted: 10 November 2014 at 4:45pm
Everything began with a problem with system tray customization in Windows 7. Sometimes after a reboot the customization disappears and the tray returns to its original state. I found out that the reason was that sometimes values from HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify disappear after a reboot.
I tried to set audit on the HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify key, only to find out that the next time the system tray returned to its original state the audit settings disappeared too.
It gave me a clue that in fact the whole tree of keys somewhere above HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify gets deleted.
I set up procmon to log during reboot and eventually found out that a call from ProfSvc (User Profile Service) deletes the whole HKCU\Software\Classes\Local Settings.
The stack trace analysis showed that the function inside ProfSvc that deletes the tree is called MapUserClassesIntoUserHive. I even found its source code on the Internet. The deletion happens here:
As far as I understand, before creating a link to the user hive it tries to remove everything that was there. It seems like in my case it leads to the deletion of data from the real hive.
How to investigate further what is going on? Or maybe someone has an idea?
Edited by Nox Metus - 10 hours 1 minutes ago at 4:47pm
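One way to narrow down when the data loss happens, as an added example that is not part of the original post and not code from ProfSvc: a PowerShell script that snapshots every key and value under HKCU\Software\Classes\Local Settings, stores the snapshot outside that subtree, and on the next run (for instance from a logon scheduled task run as the affected user) reports which keys or values vanished since the previous snapshot. The snapshot and log file locations under %LOCALAPPDATA% are assumptions; nothing here depends on the tray customization itself.

```powershell
# Added example, not from the original post: snapshot the "Local Settings"
# subtree and diff it against the previous snapshot to catch disappearing keys.
# Intended to run as the affected user at each logon; file paths are assumptions.
$Root         = 'HKCU:\Software\Classes\Local Settings'
$SnapshotFile = Join-Path $env:LOCALAPPDATA 'LocalSettingsSnapshot.xml'
$LogFile      = Join-Path $env:LOCALAPPDATA 'LocalSettingsDiff.log'

function Get-RegistrySnapshot {
    param([string]$Path)
    # Returns a hashtable: "<key>" -> $null for each key (so empty keys are
    # still tracked) and "<key>\<valuename>" -> string data for each value.
    $snap = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $snap }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $snap[$key.Name] = $null
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # REG_BINARY comes back as byte[]; make it comparable as text.
            if ($data -is [byte[]]) { $data = [Convert]::ToBase64String($data) }
            $snap["$($key.Name)\$name"] = [string]$data
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Old, [hashtable]$New)
    # Entries present before but gone now, and entries whose data changed.
    $missing = @($Old.Keys | Where-Object { -not $New.ContainsKey($_) } | Sort-Object)
    $changed = @($Old.Keys | Where-Object {
        $New.ContainsKey($_) -and ([string]$Old[$_]) -ne ([string]$New[$_])
    } | Sort-Object)
    [pscustomobject]@{ Missing = $missing; Changed = $changed }
}

$current = Get-RegistrySnapshot -Path $Root

if (Test-Path -LiteralPath $SnapshotFile) {
    # Clixml round-trips the hashtable as a hashtable, unlike ConvertFrom-Json.
    $previous = Import-Clixml -LiteralPath $SnapshotFile
    $diff = Compare-RegistrySnapshot -Old $previous -New $current
    $stamp = Get-Date -Format 's'
    "$stamp missing=$($diff.Missing.Count) changed=$($diff.Changed.Count) tracked=$($current.Count)" |
        Add-Content -LiteralPath $LogFile
    $diff.Missing | ForEach-Object { "  MISSING $_" } | Add-Content -LiteralPath $LogFile
    $diff.Changed | ForEach-Object { "  CHANGED $_" } | Add-Content -LiteralPath $LogFile
} else {
    "$(Get-Date -Format 's') first snapshot, tracked=$($current.Count)" |
        Add-Content -LiteralPath $LogFile
}

# Always refresh the snapshot so the next run compares against this state.
$current | Export-Clixml -LiteralPath $SnapshotFile
```

Running this once interactively creates the baseline; a scheduled task "At log on" for the affected user then appends one summary line per logon, and a line such as `MISSING HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify` pins the loss to the window between the previous run and profile load, which is consistent with the ProfSvc call seen in procmon. The snapshot deliberately lives outside the registry subtree being watched, since the post shows that audit settings placed on the keys themselves are lost along with them.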