An Exercise in Troubleshooting the Mundane
Posted by William Diaz on September 21, 2011
Many errors or warnings you encounter in the Windows event viewer may not really have an impact on the operating system, such as causing performance bottlenecks or application errors. But that doesn’t mean it doesn’t bother me when I encounter rather vague, mundane, or unexplained errors, such as the Userenv event ID 1041 errors encountered here while recently reviewing some newly deployed workstation images at our helpdesk: “Windows cannot query DllName registry entry for {insert guid here} and it will not be loaded. This is most likely caused by a faulty registration.”
I would always rather deal with as clean an event viewer as possible, so I did some quick searching to unravel and remove the errors. To start, I just needed to locate the globally unique ID string in the error message. You can manually search for this GUID in the Windows registry (which can sometimes be a bit slow) or resort to any number of third-party tools to do it for you. I have been using a faster registry search utility from NirSoft called RegScanner. There are a handful of search hits:
We are dealing with a group policy extension from something called Privilege Guard, a client service that was installed on the workstations in our local office some time ago during a pilot, which included the helpdesk. In short, GPExtensions are described here:
Administrative Templates client-side extension runs inside userenv.dll and is responsible for modifying the registry according to the Administrative Template policy settings that you configure in Local Group Policy Editor or GPMC.
Userenv.dll is registered at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.
This is the location of all Group Policy CSE registration.
Opening the Task Manager, I do not see the Privilege Guard service running, which was expected because the pilot had been completed and the service removed. With the client service no longer present (and the server-side application gone as well), the group policy extension in the registry had no valid registration.
Looking at the key, I can see some missing data types and their values:
It should look like this:
To stop the errors, the unregistered GUID can be safely deleted from the registry. To stop the group policy extension from being created on further workstations, the GPO links for the service needed to be removed from AD.
Two GUIDs often encountered with this type of error are {7B849a69-220F-451E-B3FE-2CB811AF94AE} and {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}. These are known to have been installed with the beta version of IE 8 but were not removed when it was uninstalled or after it was upgraded to the final release. These, too, can be safely deleted.
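The manual registry search above can be replaced by a read-only audit of every CSE registration under the GPExtensions key. The following is an added example, not part of the original post; the variable names are illustrative, and it assumes that a DllName given without a path resolves under System32.

```powershell
# Read-only audit of Group Policy client-side extension (CSE) registrations.
# Flags subkeys with no usable DllName, the condition reported by Userenv
# event ID 1041. Run from 64-bit PowerShell so the registry and System32
# views are not redirected.
$gpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

$findings = foreach ($key in Get-ChildItem -Path $gpExtKey) {
    # Raw read: keep %SystemRoot%-style data unexpanded so it can be reported as stored.
    $dllName  = $key.GetValue('DllName', $null, 'DoNotExpandEnvironmentNames')
    $status   = 'OK'
    $resolved = $null

    if ([string]::IsNullOrWhiteSpace($dllName)) {
        # Value absent or empty: the extension cannot be loaded.
        $status = 'MissingDllName'
    }
    else {
        $resolved = [Environment]::ExpandEnvironmentVariables($dllName)
        # Assumption: a bare file name is loaded from System32.
        if (-not [IO.Path]::IsPathRooted($resolved)) {
            $resolved = Join-Path $env:SystemRoot "System32\$resolved"
        }
        # Registered, but the DLL was removed (for example by an uninstall).
        if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
            $status = 'DllNotFound'
        }
    }

    [pscustomobject]@{
        Guid         = $key.PSChildName
        Name         = $key.GetValue('')   # default value, usually the friendly name
        DllName      = $dllName
        ResolvedPath = $resolved
        Status       = $status
    }
}

# Show only the registrations that need attention.
$findings | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize -Wrap
```

The script changes nothing; each GUID it lists is a candidate for the same review and cleanup described above.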