Event 1530, User Profile Service

  • Question

  • Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          6/30/2012 11:35:04 AM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:     
    User:          SYSTEM
    Computer:      Bill-PC-1
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     7 user registry handles leaked from \Registry\User\S-1-5-21-2716693145-1202002556-3588059362-1000:
    Process 5372 (\Device\HarddiskVolume1\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Policies
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Microsoft\Internet Explorer\Main

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
        <EventID>1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-30T16:35:04.076848100Z" />
        <EventRecordID>3022</EventRecordID>
        <Correlation ActivityID="{0390CA68-F800-0005-0582-E79B5256CD01}" />
        <Execution ProcessID="372" ThreadID="3864" />
        <Channel>Application</Channel>
        <Computer>Bill-PC-1</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">7 user registry handles leaked from \Registry\User\S-1-5-21-2716693145-1202002556-3588059362-1000:
    Process 5372 (\Device\HarddiskVolume1\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Policies
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 2212 (\Device\HarddiskVolume1\Program Files\Common Files\McAfee\SystemCore\mcshield.exe) has opened key \REGISTRY\USER\S-1-5-21-2716693145-1202002556-3588059362-1000\Software\Microsoft\Internet Explorer\Main
    </Data>
      </EventData>
    </Event>

    I've got this warning in my event properties and contacted McAfee about it in a live chat session and screen viewing. The tech representative says that it is a Microsoft issue, and so this is why I am posting this question today. When I go to log the event I get this link opened http://social.technet.microsoft.com/wiki/contents/articles/3134.event-id-1530-user-profile-service-en-us.aspx and it says that it should be investigated, and so here we are.

    Is this a problem? Should it be something I should be concerned about? (Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. "The applications or services that hold your registry file may not function properly afterwards".) And is there something that I should do about it?


    Windows 7 Professional 64-bit
    Sunday, July 1, 2012 8:36 PM

Answers

All replies

  • Hi, 

    This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows Vista does this when Windows Vista tries to close a user profile.

    In versions of the Windows operating system that are earlier than Windows Vista or Windows 7, you must install the User Profile Hive Cleanup Service (UPHClean) utility to have the same functionality. However, the UPHClean utility is incompatible with Windows Vista and Windows 7. Additionally, the UPHClean utility is not needed because this functionality is built into Windows Vista.

    http://support.microsoft.com/kb/947238

    You may try performing a Clean Boot to check if any security software is not letting Windows close the registry key.

    To help troubleshoot error messages and other issues, you can start Windows 7 by using a minimal set of drivers and startup programs. This kind of startup is known as a "clean boot." A clean boot helps eliminate software conflicts.

    How to troubleshoot a problem by performing a clean boot in Windows 7:

    http://support.microsoft.com/kb/929135

    Also, see the section on how to return your computer to a Normal startup mode by following the steps under “Reset the computer to start as usual.”

    Similar Threads,

    Error 1530, User Profile Service in Event Viewer

    Hope this helps you.

    Thanks & Best Regards,


    Mohammed Imtiyaz Ali

    Monday, July 2, 2012 11:26 AM
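
Added example, not part of the thread or any poster's code: before a clean boot, it helps to see which processes held the profile hive open. This Python function parses an Event 1530 record exported as XML and groups the leaked handles by holding process; the sample record, its placeholder SID and its image paths are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEADER = re.compile(r"(\d+) user registry handles? leaked from (\\Registry\\User\\\S+?):?\s*$", re.I)
HANDLE = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S.*)$")  # lazy: paths may contain ")"

# Constructed sample: shortened Event 1530 record with a placeholder SID and made-up image paths.
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1530</EventID><Computer>EXAMPLE-PC</Computer></System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">3 user registry handles leaked from \Registry\User\S-1-5-21-1111-2222-3333-1000:
Process 100 (\Device\HarddiskVolume1\Example\scanner.exe) has opened key \REGISTRY\USER\S-1-5-21-1111-2222-3333-1000\Software
Process 100 (\Device\HarddiskVolume1\Example\scanner.exe) has opened key \REGISTRY\USER\S-1-5-21-1111-2222-3333-1000\Software\Policies
Process 200 (\Device\HarddiskVolume1\Example\installer.exe) has opened key \REGISTRY\USER\S-1-5-21-1111-2222-3333-1000
</Data>
  </EventData>
</Event>"""

def summarize_hive_leak(event_xml):
    """Return (sid, declared_count, {(pid, image): [subkeys]}) for one Event 1530 record."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1530":
        raise ValueError("not an Event ID 1530 record")
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", default="", namespaces=NS)
    lines = [ln.strip() for ln in detail.splitlines() if ln.strip()]
    head = HEADER.match(lines[0]) if lines else None
    if not head:
        raise ValueError("unexpected Detail header")
    declared, hive = int(head.group(1)), head.group(2)
    sid = hive.rsplit("\\", 1)[1]
    holders = defaultdict(list)
    for ln in lines[1:]:
        m = HANDLE.match(ln)
        if not m:
            continue  # tolerate lines that do not describe a handle
        pid, image, key = int(m.group(1)), m.group(2), m.group(3)
        # Key paths use \REGISTRY\USER, the header \Registry\User: compare case-insensitively.
        sub = key[len(hive):].lstrip("\\") if key.lower().startswith(hive.lower()) else key
        holders[(pid, image)].append(sub or "<hive root>")
    return sid, declared, dict(holders)

if __name__ == "__main__":
    sid, declared, holders = summarize_hive_leak(SAMPLE_XML)
    print(f"{sid}: {declared} leaked handles declared")
    for (pid, image), keys in sorted(holders.items(), key=lambda kv: -len(kv[1])):
        print(f"  PID {pid} {image}: {len(keys)} handle(s)")
```

If the same image path keeps appearing across many logoffs, that is the software to test first when disabling items for the clean boot.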
  • Hi,

    See these discussions; you may try removing the profiles from the registry.

    Remove reference to the specific problematic profiles from registry at:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    Event ID:1530 -Microsoft-Windows-User Profiles

    http://answers.microsoft.com/en-us/windows/forum/windows_7-security/event-id1530-microsoft-windows-user-profiles/a1ca9fd0-5449-46b6-aae2-35e3edcf8425

    User Profile Service event id 1530 with every remote desktop logout

    http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/c725d773-4134-4452-8b77-e0976bb318d3/

    Ivan-Liu

    TechNet Community Support

    • Marked as answer by Arthur Xie Monday, July 23, 2012 9:31 AM
    Tuesday, July 3, 2012 3:19 AM
  • Hmmm. Thank you for responding.
    Friday, July 20, 2012 3:58 PM