avast filling event log

[t_r_davies]

Hi all,

I've just set up my parents' new XP machine with avast Home and have noticed that the event log is filling up with hundreds upon hundreds of warnings and errors about being unable to scan C:\WINDOWS\Debug\usermode\userenv.log, error number 00000005.  Searching this forum has thrown up a couple of threads from 2005 but nothing at all since then.

The problem only occurs when a limited user is logged on.  I've tried explicitly allowing limited users full read access to the C:\WINDOWS\Debug directory, all subdirectories and files, and also adding the log file to avast's exclude list but to no avail.  Curiously, *.log is already included in the exclusion list by default but does not appear to be being honoured, is this a bug?

Not a major functional problem I agree, but I use Remote Desktop into their PC every couple of days to check that all's well with it (they're not hugely computer-literate) and having these hundreds of events logged makes it rather difficult to see if anything really problematic has been happening, sorting the wheat from the chaff so to speak.

Very grateful for any advice or pointers anyone can offer, however small

[DavidR]

Well the windows error 5 is 'Access is denied' which is possibly not too surprising.

Which event log are we talking about or avast Log Viewer ?

If Windows Event Viewer, what section is it in, Application, Security, System or Antivirus ?
The same goes for avast, what section of the avast log viewer ?

Do you know what type of scan is creating these entries, e.g. are they as a result of an on-demand scan or normal activity on-access ?

What is the level of logging in Program Settings, Logging, Notice I think is the default. If the slider is opposite say Debug, then there are going to much greater detailed logging. Though I'm surprised there are attempts to scan .log files.

[t_r_davies]

Hi David,

Well the windows error 5 is 'Access is denied' which is possibly not too surprising.

Which event log are we talking about or avast Log Viewer ?

If Windows Event Viewer, what section is it in, Application, Security, System or Antivirus ?
The same goes for avast, what section of the avast log viewer ?

Sorry, should have made it a bit clearer, it's the Windows event log, in the Antivirus section.  I'll admit to having completely forgotten about avast's own log viewer , I've checked through it and all of the warnings and errors in the Windows event log are reproduced in the corresponding Error and Warning sections there.

Do you know what type of scan is creating these entries, e.g. are they as a result of an on-demand scan or normal activity on-access ?

What is the level of logging in Program Settings, Logging, Notice I think is the default. If the slider is opposite say Debug, then there are going to much greater detailed logging. Though I'm surprised there are attempts to scan .log files.

It's just normal on-access activity, from the timestamps it's logging a warning and error pair roughly every minute when the limited user has logged on, although they don't appear to last for the entire duration of the session.

I hadn't realised there was an enhanced logging capability, it was at the default of Notice but I've cranked it up to Debug, hopefully when my mother logs back on later it'll spew out some more detailed information.

As a side note, looking at the userenv.log file itself, it currently stands at nearly 300K in size and appears to consist almost entirely of multiple "ProcessAutoexec: Cannot process autoexec.bat."  I've checked TweakUI and "Process autoexec.bat at logon" is disabled, so I can't imagine why anything is looking to process that particular file, especially as under XP the file that should be used is autoexec.nt.

[DavidR]

Putting it to debug will generate more event viewer entries as you have noticed they are replicated. Me mention of the logging level was in case you had cranked it up, with a view to setting it back.

The only reason there would be a scanning requirement for the C:\WINDOWS\Debug\usermode\userenv.log file is its access and modification (leaving aside the fact that the .log file should be excluded), now that would I assume that you have debug enabled in windows ?

AutoExec.bat isn't usually used by XP (as you say) so there must be some setting that is trying to access that also.