SEP Rtvscan holds on to the user profiles when logging out.
Last Updated June 27, 2012
When users log off of the system, UPHClean generates errors in the Windows Event Log with an event ID of 1401. If the user tries to log back in immediately, they may be switched to a default profile because their profile is still in use.
Symptoms
The Event Viewer lists 1401 errors showing RTVScan.exe is using the HKEY_CURRENT_USER\...\Custom Tasks\ hive, if UPHClean is running.
The Event Viewer lists event ID 1514 and 1517 if UPHClean is not installed.
System resources for the user profile are held open longer than normal.
RTVScan.exe regularly accesses the user's registry hive to check for user-defined scans that should be run when the user isn't logged in.
Addition of the following registry keys can resolve this issue in most cases:
This setting disables the scheduled Scan Notify thread. This thread is used to monitor the Custom Task registry key. Setting this key to 1 (disabled) will cause the client to load scan schedule changes only at SEP service start-up or system restart.
HKLM\Software\Symantec\Symantec Endpoint Protection\AV\ProductControl DWORD: ReloadRTScheduledScanHours = x hours
This key can be configured to alleviate the effects of "DisableRTScheduledScanUpdate" by checking for and loading changes to scheduled scans every "x" hours, where "x" is a number between 1 and 24.
Technical Information
User scans are not typically used in a terminal server environment. This change will not affect Administrator-Defined scans.
Symantec Endpoint Protection 11.x
Imported Document ID: TECH106256