Event ID 1530 at Shutdown

  • Question

  • WIN&PRO/64

    I've read on this for months and months.  First, I'm aware that KB947238 says the following:  "Note Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated." And it says "this behavior is by design." The last statement has been widely interpreted to mean: do nothing. Other forums have said that Windows 7 has a bug closing the User Profile Service and this is the reason for the warning. I've also read http://social.technet.microsoft.com/wiki/contents/articles/3134.microsoft-windows-user-profiles-service-event-1530.aspx?PageIndex=2, which says, "No user action is required - this is an acceptable condition. In Windows 8.1 we changed this to an Information message to help reduce confusion and alarm. This event was a Warning event in prior versions of Windows." Which of course contradicts KB947238. Which is it? Investigate and troubleshoot, or "no user action"? And, if I'm making a mountain out of a molehill, is there a way to stop this from filling the Event Log? I have no idea if this is true. Here's what I do know: I get this at every shutdown:

    DETAIL -
     5 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:
    Process 936 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001
    Process 936 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001
    Process 936 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Microsoft\SystemCertificates\Disallowed
    Process 936 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Microsoft\SystemCertificates\My
    Process 936 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Microsoft\SystemCertificates\CA

    First, I looked up Volume 3. It's an external hard drive, a G-Tech, and it has no special driver and no firmware to be updated. Second, I checked key S-1-5-21-2987587682-1074968332-1067063631-1001. It's HKCU/Software/Microsoft/Internet Explorer/Internet Registry/Registry/User/[key#]. The default value is empty. I have no idea what process 936 is, but the warning has also listed other processes, 928, 2440, etc.
    I'm the only user/administrator, so there is only one profile.
    Since all the warnings are about vol3, a G-Tech HD, I took a look at its properties and noticed the following listed drivers:

    C:\Windows\system32\DRIVERS\DISK.SYS

    C:\Windows\system32\DRIVERS\PARTMGR.SYS

    C:\Windows\system32\DRIVERS\TDRPM.SYS


    Notice the last one, tdrpm273, an Acronis TIH2010 leftover. The driver is part of what Acronis calls "try and decide," a kind of sandbox to try out new software. You have to decide where, i.e. what partition, you want to use as a trial platform. At all events, I uninstalled Acronis two years ago, which is to say, like many Acronis users I tried to uninstall it and ended up with a bunch of leftover registry entries pointing to several drivers. Trying to get rid of those registry leftovers, tdrpm273 among them, has sent my machine to a BSOD three times. Putting all that aside, maybe tdrpm is still trying to interact with the G-Tech drive, VOL3 in the warning. But what it's doing and why, I have no idea. There are no Acronis services running on my machine; all the software is gone, but, as I said, several registry entries remain, as do the drivers they refer to, including tdrpm273. In fact every drive listed in Device Manager lists the tdrpm273 driver. Whether Acronis Try and Decide is interacting with the G-Drive on shutdown, I have no idea. Also I have no idea why the registry key mentioned is linked to IE11. Here's what I do know: every 1530 event has Vol3 listed. Also the same key is usually listed: S-1-5-21-2987587682-1074968332-1067063631-1001. That key is HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\Registry\User\[the number].

    Can anyone make sense of all this?
    Thursday, May 29, 2014 7:29 PM
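Two of the questions above (which image is leaking, and which drive letter "\Device\HarddiskVolume3" is) can be answered from the log itself. The following PowerShell is an added example, not code from the thread or from Microsoft: it pulls Event ID 1530 from the Application log, parses the "Process <pid> (<image>) has opened key <key>" lines in the format shown in the question, tabulates them by image rather than PID (the PID is normally gone by the time you look), and resolves the NT device path to a drive letter with QueryDosDevice. The provider name and the helper function name are assumptions.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell on
# the machine that logs the 1530 events.
$filter = @{ LogName = 'Application'; Id = 1530
             ProviderName = 'Microsoft-Windows-User Profiles Service' }   # assumed provider name
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue

# One row per leaked handle, using the line format shown in the event detail above.
$pattern = '^Process (?<pid>\d+) \((?<image>[^)]+)\) has opened key (?<key>.+)$'
$rows = foreach ($e in $events) {
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line.Trim() -match $pattern) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                ProcessId = [int]$Matches['pid']
                Image     = $Matches['image']
                Key       = $Matches['key']
            }
        }
    }
}

# Group by image: this is what tells you whether it is lsass.exe, a backup agent,
# or something else that keeps HKU\<SID> open past logoff.
$rows | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'DistinctKeys'; e = { ($_.Group.Key | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize

# Map "\Device\HarddiskVolumeN" to a drive letter. QueryDosDevice("C:") returns
# the NT device name the volume manager assigned, which is what the event prints.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
function Get-DriveLetterForDevice([string]$DevicePath) {   # hypothetical helper name
    $sb = New-Object System.Text.StringBuilder 260
    foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
        $letter = $d.Name.TrimEnd('\')
        [void]$sb.Clear()
        if ([Win32.Native]::QueryDosDevice($letter, $sb, $sb.Capacity) -gt 0 -and
            $sb.ToString() -eq $DevicePath) { return $letter }
    }
}
$rows | ForEach-Object { $_.Image -replace '^(\\Device\\HarddiskVolume\d+)\\.*$', '$1' } |
    Sort-Object -Unique | ForEach-Object { "{0} -> {1}" -f $_, (Get-DriveLetterForDevice $_) }
```

If the device-to-letter map shows HarddiskVolume3 is the system drive rather than the external disk, the "Volume 3" in the event is just the boot volume's NT name, not the G-Tech drive.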

All replies

  • So what are you worrying about here?

    As the stuff seems to have no effect on using the OS.

    Rgds

    Saturday, May 31, 2014 2:29 AM