explanation of admin event warnings
-
Thursday, April 26, 2012 12:03 PM
Hi,
I recently switched to Windows 7 under advice for added security; I had a few issues (malware/virus/bugs) with my previous XP system.
I run my desktop through a wired Ethernet connection to a BT Home Hub, which also provides wireless connectivity for another home PC and a laptop.
I have no network established, and file sharing etc. is off. Three users on the computer: Admin and two other family members (non-admin rights). I run Norton 360.
I'd be grateful if someone could explain what the following Admin event warnings mean. I really could do with a plain, simple (as much as possible) explanation of what these events mean in context. What is my PC apparently looking at/trying to do with "Gatherer", "Search of CSC", "SharePoint Workspace" and IE search history? What does the SID number represent? Is there anything here that should concern me about intrusion on my PC, or are these regular events? Many thanks.
Here goes.......
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 25/04/2012 22:59:37
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: downstairs
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T21:59:37.691549900Z" />
<EventRecordID>2088</EventRecordID>
<Correlation ActivityID="{02AC8A40-F800-0000-67B7-5641DC22CD01}" />
<Execution ProcessID="928" ThreadID="1372" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed
</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 25/04/2012 22:29:55
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/> cannot be accessed.
Context: Application, SystemIndex Catalog
Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T21:29:55.000000000Z" />
<EventRecordID>2082</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">
Context: Application, SystemIndex Catalog
Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)
</Data>
<Data Name="URL">SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
<EventRecordID>1985</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
</Data>
<Data Name="URL">csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
<EventRecordID>1983</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
</Data>
<Data Name="URL">iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
</EventData>
</Event>
All Replies
-
Friday, April 27, 2012 9:15 AM (Moderator)
Hi,
Regarding the Event ID 1530, this behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows 7 does this when Windows 7 tries to close a user profile.
Regarding the Event ID 3036, this issue is related to Windows Search. CSC here may mean Client Side Caching (Offline Files). You can try the following steps.
Method 1: Restore Index to its original settings
Here’s how:
a. Go to Start > Control Panel.
b. Double click on the Indexing Options.
c. Click on the Advanced button.
d. Click on Restore Defaults.
Method 2: Rebuild index:
http://windows.microsoft.com/en-US/windows7/Change-advanced-indexing-options
You can refer to the following KB for reference:
Event ID: 1530 may be logged in the Application log on a Windows Vista or newer computer
http://support.microsoft.com/kb/947238
Hope this helps
Vincent Wang
TechNet Community Support
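As an added illustration (not part of the thread or of any Microsoft tool), a small Python triage script that decodes the structure of the SID asked about above and pulls the process/key pairs out of the Event 1530 XML, flagging any handle holder that is not lsass.exe under System32 (an assumption about the routinely reported holder, used only as a review hint); for Event 3036 it extracts the content-source scheme (csc, iehistory, SharePointWorkspaceSearch) and the profile SID. The sample XML is an abridged copy of two events from the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEAK_RE = re.compile(r"Process (\d+) \((\S+)\) has opened key (\S+)")
WELL_KNOWN = {"S-1-5-18": "LOCAL SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
# Image path the leak is routinely reported for (assumption used for triage, not an allow-list).
EXPECTED_HOLDERS = (r"\windows\system32\lsass.exe",)

def describe_sid(sid):
    """S-1-5-21-<machine or domain id>-<RID>: RIDs >= 1000 are accounts created on the machine."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return "unrecognised SID"
    rid = int(parts[7])
    kind = {500: "built-in Administrator", 501: "built-in Guest"}.get(
        rid, "account created on this machine" if rid >= 1000 else "built-in account")
    return f"{kind}, RID {rid}, machine id {'-'.join(parts[4:7])}"

def triage_event(xml_text):
    """Summarise event 1530 (hive handle leak) or 3036 (search content source) from its Event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    if event_id == 1530:
        detail = root.find("e:EventData/e:Data[@Name='Detail']", NS).text
        sid = re.search(r"\\Registry\\User\\(S-[\d-]+):", detail).group(1)
        holders = [{"pid": int(pid), "image": img, "key": key,
                    "expected": img.lower().endswith(EXPECTED_HOLDERS)}
                   for pid, img, key in LEAK_RE.findall(detail)]
        return {"event": 1530, "profile_sid": sid, "sid_meaning": describe_sid(sid),
                "holders": holders, "review": [h["image"] for h in holders if not h["expected"]]}
    if event_id == 3036:
        url = root.find("e:EventData/e:Data[@Name='URL']", NS).text
        scheme, sid = re.match(r"(\w+)://\{(S-[\d-]+)\}/", url).groups()
        return {"event": 3036, "source": scheme, "profile_sid": sid, "sid_meaning": describe_sid(sid)}
    return {"event": event_id}

# Constructed sample: the 1530 event from the post, abridged to two leaked handles.
SAMPLE_1530 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1530</EventID><Security UserID="S-1-5-18" /></System>
<EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
</Data></EventData></Event>"""
# Constructed sample: the csc:// 3036 event from the post, abridged.
SAMPLE_3036 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>3036</EventID></System>
<EventData><Data Name="URL">csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data></EventData></Event>"""
```

Run `triage_event(SAMPLE_1530)` to see that both handles belong to lsass.exe in System32 and the review list is empty; a holder outside that path would be the one worth looking at.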
-
Friday, April 27, 2012 9:52 AM
Thank you Vincent,
Are there any security issues here for me to be concerned about, or, to put it simply, are these warnings related to various processes within Windows 7? I don't use Windows Search or SharePoint Workspace. Is my PC possibly compromised?
-
Monday, April 30, 2012 8:21 AM (Moderator)
Hi,
I would like to tell you that event warnings are used to communicate tolerable failures in the system that are not immediately significant, and they require an administrator to determine whether they are errors. Regarding your case, Windows Search is a feature of Windows 7 and does not affect your security. If you still worry about this, please try the steps in my previous post to test the issue.
Windows Search Features
http://technet.microsoft.com/en-us/library/dd744686(v=ws.10).aspx
Hope this helps.
Vincent Wang
TechNet Community Support