Event ID 1530 at Shutdown

  • Question

  • For many months I've been trying to troubleshoot fairly regular registry leaks. Typically they would look like this:

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

     DETAIL -
     5 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:
    Process 624 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001

    And typically they always came at shutdown. After months of investigation and trial and error, I thought I'd finally tracked down the culprit. Vol 3 above in the warning is an external hard drive and when I checked its drivers, I found a leftover driver on all disks from Acronis TIH 2010. I deleted the driver from the properties of each disk in Device Manager, tracked the driver's entries in the registry and deleted them, and for a while the registry leaks stopped.

    Then they returned. Not every shutdown, but many, at least three a week. I know MS now in a KB has downgraded this from a warning to an informational event in WIN 8. In WIN7/64Pro, which I have, it's still a warning, and an older KB urges the user to investigate.

    I know there are two points of view with such events in the AdminEventLog: if the system works okay, and MS now says it's just an informational event, ignore it. The other point of view is, clearly any event should be investigated to see what's causing it, especially registry leaks which, I've read, can corrupt your user profile. I don't know what point of view is valid. I'm sure the top experts here do and I've found their advice sound. But I'd sure like to know what Process 624 is, and what lsass.exe is doing at shutdown to cause the error.

    NOW HERE'S THE WRINKLE. Last night at shutdown produced the following User Profile Service Warning:

    "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

     "DETAIL -
     0 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:"

    What this seems to suggest is that the system is set up at shutdown to check for leaks and issues a report even when there isn't a leak. The registry key that is being checked is S-1-5-21-2987587682-1074968332-1067063631-1001.

    Can someone kindly explain to this somewhat experienced PC user what is going on here? What is the registry key that keeps being checked for leaks, and why is Windows checking that particular key? Is this programmed behavior (I can't believe that I'm supposed to get a 1530 at every shutdown, or almost every shutdown), whether the key leaks or does not leak?

    Thanks for thinking about this and perhaps suggesting a remedy.
    Saturday, July 5, 2014 3:03 PM

Answers

  • Hi,

    This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows Vista or Windows 7 does this when Windows tries to close a user profile. Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated. It can be seen at the Microsoft site:

    http://support.microsoft.com/kb/947238/en-gb

    Regards


    Wade Liu
    TechNet Community Support

    • Marked as answer by Michael_LS Friday, July 18, 2014 1:56 AM
    Monday, July 7, 2014 10:36 AM
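
    To see which application keeps turning up in the event detail across many shutdowns, the 1530 message text can be parsed and tallied per executable. This is an added example, not code from the thread or from Microsoft; the function names `parse_1530` and `holders_by_image` are hypothetical, and the sample messages are constructed from the event text quoted in the question.

```python
import re
from collections import Counter

# Constructed sample input: 1530 message text as quoted in the question
# (one event naming a holder, one "0 handles" event with no holder lines).
SID = "S-1-5-21-2987587682-1074968332-1067063631-1001"
WARN = ("Windows detected your registry file is still in use by other "
        "applications or services. The file will be unloaded now.\n\n DETAIL -\n")
SAMPLE_EVENTS = [
    WARN + " 5 user registry handles leaked from \\Registry\\User\\" + SID + ":\n"
    + "Process 624 (\\Device\\HarddiskVolume3\\Windows\\System32\\lsass.exe) "
    + "has opened key \\REGISTRY\\USER\\" + SID,
    WARN + " 0 user registry handles leaked from \\Registry\\User\\" + SID + ":",
]

# "<n> user registry handles leaked from \Registry\User\<SID>:"
HEADER = re.compile(
    r"(\d+) user registry handles? leaked from \\Registry\\User\\(S-[\d-]+)", re.I)
# "Process <pid> (<image path>) has opened key <key path>"
# The lazy match runs to ") has opened key", so paths containing "(x86)" still parse.
HOLDER = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S+)")


def parse_1530(message):
    """Return declared handle count, profile SID and listed holders, or None."""
    head = HEADER.search(message)
    if head is None:
        return None  # not a 1530 detail block
    holders = [(int(pid), image, key)
               for pid, image, key in HOLDER.findall(message)]
    return {"declared": int(head.group(1)), "sid": head.group(2),
            "holders": holders}


def holders_by_image(messages):
    """Count 'has opened key' lines per executable name across many events."""
    tally = Counter()
    for msg in messages:
        event = parse_1530(msg)
        for _pid, image, _key in (event or {}).get("holders", []):
            # PIDs differ between boots, so group on the image file name.
            tally[image.rsplit("\\", 1)[-1].lower()] += 1
    return tally


if __name__ == "__main__":
    for name, n in holders_by_image(SAMPLE_EVENTS).most_common():
        print(f"{name}: {n} open-key line(s)")
```

    Comparing `declared` with the number of entries in `holders` shows when a copied message lists fewer holder lines than the handle count it reports.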

All replies

  • Normanml

    Just for an FYI, I see you have 3 parts to this on Superuser, have another thread on SAS, and others I am sure dating from back to April and before.  You have (in part 3) asked users to

    "I've asked this question three times. Please, if you have not had experience fixing registry leaks, do not list exchanges from other forums".  If you haven't gotten an answer on other forums and don't want users to list exchanges from other forums, why are you here?

    If you haven't gotten a satisfactory answer since April and since it is now "informational" perhaps there is no answer other than perhaps to re-install.

    Just my 0.02 worth.


    Wanikiya and Dyami--Team Zigzag

    Saturday, July 5, 2014 3:27 PM