Registry Hive Bloat: Diagnosing and Resolving Excessive NTUSER.DAT and UsrClass.dat TMContainer Files on Windows Server 2008



These files are part of the Windows Transactional Registry (TxR) mechanism, which maintains:

  • NTUSER.DAT*.TMContainer*.regtrans-ms: Transaction logs for HKCU registry hive
  • UsrClass.dat*.TMContainer*.regtrans-ms: Transaction logs for user-specific COM/OLE classes
  • *.TM.blf: Transaction log metadata files (Base Log Files)

On a healthy system, these files should be automatically purged after successful transactions. The accumulation suggests:

1. Transaction failures leaving orphaned logs
2. Registry operations occurring at abnormal frequency
3. Potential corruption in the transaction system

To identify what's generating these files:

# PowerShell command to monitor registry transactions
Get-WinEvent -LogName "Microsoft-Windows-Kernel-General/Operational" | 
Where-Object {$_.Id -eq 4 -or $_.Id -eq 5} | 
Format-Table TimeCreated, Message -AutoSize

Common culprits in web server environments:

  • Frequent IIS application pool recycling
  • Overactive COM+ component registrations
  • Buggy registry monitoring/security software

For immediate space recovery (after backup):

:: Batch script to clean orphaned transaction files
:: dir does not expand wildcards in directory names, so recurse from C:\Users with /s.
:: /a is needed because the log files carry hidden/system attributes.
@echo off
setlocal enabledelayedexpansion

for /f "delims=" %%a in ('dir /s /b /a-d "C:\Users\NTUSER.DAT*.regtrans-ms" 2^>nul') do (
    echo Deleting %%a
    del /f /q /a "%%a"
)

for /f "delims=" %%a in ('dir /s /b /a-d "C:\Users\UsrClass.dat*.regtrans-ms" 2^>nul') do (
    echo Deleting %%a
    del /f /q /a "%%a"
)

Registry settings (save as .reg):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"TxRLogSizeThreshold"=dword:00002000
"TxRMaxLogSize"=dword:00004000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager]
"EnablePeriodicBackup"=dword:00000000

Create a scheduled task with this PowerShell script:

# Transaction log cleaner with safety checks
$threshold = 30 # Days
$paths = @(
    "$env:USERPROFILE\NTUSER.DAT*.TM*",
    "$env:USERPROFILE\AppData\Local\Microsoft\Windows\UsrClass.dat*.TM*"
)

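# $env:USERPROFILE resolves to the profile of the account the task runs as.
# -Force is required on Get-ChildItem because the log files are hidden/system.
foreach ($path in $paths) {
    Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$threshold) } |
    Remove-Item -Force -WhatIf # Remove -WhatIf for actual execution
}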
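
Before scheduling any deletion, it helps to measure how much TxR log data each profile holds and whether that profile's hive is currently loaded. The read-only inventory below is an added example, not part of the original article; the function name Get-TxRLogUsage is hypothetical, and it assumes profiles are registered under the standard ProfileList key.

```powershell
# Added example: read-only inventory of TxR log files per user profile.
# Get-TxRLogUsage is a hypothetical helper name; nothing here deletes anything.
function Get-TxRLogUsage {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    Get-ChildItem $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $root = (Get-ItemProperty $_.PSPath).ProfileImagePath
        if (-not $root -or -not (Test-Path $root)) { return }

        # Same name patterns the article uses; -Force because the files
        # carry hidden/system attributes and are skipped otherwise.
        $patterns = @(
            (Join-Path $root 'NTUSER.DAT*.TM*'),
            (Join-Path $root 'AppData\Local\Microsoft\Windows\UsrClass.dat*.TM*')
        )
        $files = @(Get-ChildItem -Path $patterns -Force -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) { return }

        $bytes  = ($files | Measure-Object -Property Length -Sum).Sum
        $sorted = @($files | Sort-Object LastWriteTime)

        New-Object PSObject -Property @{
            Profile    = $root
            Sid        = $sid
            # A hive mounted under HKEY_USERS means its logs may be in use.
            HiveLoaded = (Test-Path "Registry::HKEY_USERS\$sid")
            Files      = $files.Count
            SizeMB     = [math]::Round($bytes / 1MB, 1)
            Oldest     = $sorted[0].LastWriteTime
            Newest     = $sorted[-1].LastWriteTime
        }
    }
}

Get-TxRLogUsage |
    Sort-Object SizeMB -Descending |
    Format-Table Profile, HiveLoaded, Files, SizeMB, Oldest, Newest -AutoSize
```

Run it from an elevated prompt so other users' profile directories are readable. A recent Newest timestamp on a large profile indicates logs that are still being generated rather than leftovers.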

If files reappear rapidly after cleanup, consider:

  • Process Monitor traces (ProcMon) for registry activity
  • Checking for Windows Updates (KB2992611 addresses related issues)
  • Migrating to newer Windows Server versions with improved TxR handling

When investigating disk space depletion on a Windows Server 2008 Xen VM, I discovered two problematic file patterns consuming ~15GB:

// Primary location (6.7GB)
C:\Users\Administrator\NTUSER.DAT*.TMContainer*.regtrans-ms
C:\Users\Administrator\NTUSER.DAT*.TM.blf

// Secondary location (6.7GB)
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat*.TMContainer*.regtrans-ms
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat*.TM.blf

These files represent Transactional Registry (TxR) operations - Windows' mechanism for atomic registry changes. Each set consists of:

  • .regtrans-ms: Actual transaction data
  • .blf: Base Log File tracking transactions
  • .TMContainer: Transaction Manager container

Common triggers in web server environments include:

// Example 1: Frequent IIS configuration changes
appcmd set config /section:system.webServer/security/requestFiltering /+"fileExtensions.[fileExtension='.config']"

// Example 2: COM component registration spam
regsvr32 /n /i:user somebad.dll

Diagnostic PowerShell script to identify registry change sources:

# Track registry modification processes
Get-WinEvent -LogName "Microsoft-Windows-Kernel-Registry/Operational" | 
Where-Object {$_.Id -eq 1} |
Select-Object TimeCreated, @{n="Process";e={$_.Properties[2].Value}} |
Sort-Object TimeCreated -Descending |
Format-Table -AutoSize

  1. Stop all IIS services first:
    iisreset /stop
  2. Delete files via elevated PowerShell:
    Get-ChildItem "C:\Users\Administrator\NTUSER.DAT*.TM*","C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat*.TM*" -Force | Remove-Item -Force
  3. Prevent recurrence by adding registry quota:
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RegistrySizeLimit /t REG_DWORD /d 0xffffffff /f

Scheduled task script (save as .ps1):

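# RegistryTxCleaner.ps1
# The patterns are limited to the .TM.blf and .TMContainer*.regtrans-ms files;
# a bare NTUSER.DAT* or UsrClass.dat* would also match the hive files themselves.
$maxAge = (Get-Date).AddDays(-7)
$paths = @(
    "$env:USERPROFILE\NTUSER.DAT*.TM*"
    "$env:USERPROFILE\AppData\Local\Microsoft\Windows\UsrClass.dat*.TM*"
)

foreach ($path in $paths) {
    Get-ChildItem $path -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $maxAge } |
    Remove-Item -Force -WhatIf # Remove -WhatIf for actual execution
}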