Application Log Event ID 1530

    Question

  • I am getting an application log error on every reboot. The error reads:

     

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -

    1 user registry handles leaked from \Registry\User\S-1-5-21-457654573-41071821-693557530-1001_Classes:

    Process 868 (\Device\HarddiskVolume1\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-457654573-41071821-693557530-1001_CLASSES

     

    The XML file reads:

     

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

      <System>
      <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
      <EventID Qualifiers="32768">1530</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2007-09-16T05:38:26.000Z" />
      <EventRecordID>3129</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>m7747c</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
      <Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-457654573-41071821-693557530-1001_Classes: Process 868 (\Device\HarddiskVolume1\WINDOWS\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-457654573-41071821-693557530-1001_CLASSES</Data>
      </EventData>
      </Event>

    I have narrowed it down to Windows Defender. If I disable Windows Defender, the error goes away. I am running Vista Home Premium Version 6.0 (Build 6000) on an HP Media Center PC Model m7747C Core 2 Duo E6400 2.13 GHz. I have had these errors for as long as I have had the computer. I have done a system recovery and brought it back to factory original, but the error comes back. It is completely updated with MS and HP updates / fixes. Windows Defender is working correctly with its scans and updating itself, and if I didn't look in the Event Viewer I wouldn't even notice it. It is happening on shutdown only and not on startup or using it...just at shutdown. Is this anything to worry about? I just hate to see these warnings in the Event Viewer.

     

    Sunday, September 16, 2007 6:17 AM

All replies

  • !---BUMP---!

    I have a similar problem:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
      <EventID Qualifiers="32768">1530</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2008-05-26T07:54:01.000Z" />
      <EventRecordID>12941</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>PC</Computer>
      <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
      <Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-7362703-1673368824-826635761-1000: Process 1224 (\Device\HarddiskVolume1\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-7362703-1673368824-826635761-1000\Software\Ahead\Nero Home\MediaLibrary\Scanner Process 1224 (\Device\HarddiskVolume1\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-7362703-1673368824-826635761-1000\Software\Ahead\Nero Home\MediaLibrary\Scanner Process 1224 (\Device\HarddiskVolume1\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-7362703-1673368824-826635761-1000\Software\Ahead\Nero Home\MediaLibrary Process 1224 (\Device\HarddiskVolume1\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-7362703-1673368824-826635761-1000\Software\Ahead\Nero Home\MediaLibrary Process 1224 (\Device\HarddiskVolume1\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-7362703-1673368824-826635761-1000\Software\Ahead\Nero Home\MediaLibrary</Data>
      </EventData>
      </Event>
     
    Thanks / Tomas
    Monday, May 26, 2008 8:13 AM
  • I have the same problem as well. Sometimes when I reboot and log in, the user profile is "virgin" and does not contain any of my settings. If I log off the user and then log back into the same user account, everything comes up OK. This makes me nervous.

     

    Friday, June 20, 2008 9:03 AM
  • Don't worry, it is normal.

     

    Thursday, June 26, 2008 7:48 AM
  • I am also getting Event ID 1530 but mine references Symantec: Is this normal?

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          1/31/2009 11:53:55 AM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          SYSTEM
    Computer:      DELL
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     18 user registry handles leaked from \Registry\User\S-1-5-21-955680121-3150948834-2055304089-1000:
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 916 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1088 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\Root
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 1088 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\RAS AutoDial
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\trust
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\My
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\Disallowed
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\CA

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
        <EventID Qualifiers="32768">1530</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-01-31T16:53:55.000Z" />
        <EventRecordID>36562</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>DELL</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData Name="EVENT_HIVE_LEAK">
        <Data Name="Detail">18 user registry handles leaked from \Registry\User\S-1-5-21-955680121-3150948834-2055304089-1000:
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 916 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1088 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\Root
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 1088 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\RAS AutoDial
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\trust
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\My
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\Disallowed
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1648 (\Device\HarddiskVolume3\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE) has opened key \REGISTRY\USER\S-1-5-21-955680121-3150948834-2055304089-1000\Software\Microsoft\SystemCertificates\CA
    </Data>
      </EventData>
    </Event>
    Sunday, February 01, 2009 1:48 PM
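A triage sketch for the Event ID 1530 reports posted above, added here as an example and not part of any poster's message: it parses an exported Event XML record, extracts the EVENT_HIVE_LEAK detail, and counts leaked handles per process so the service holding the user hive open at logoff or shutdown is obvious. The sample event is constructed (placeholder SID and a hypothetical `agent.exe`), and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HEADER = re.compile(r"(\d+) user registry handles leaked from (\S+):")
# Entries may be separated by newlines or single spaces, and both image paths
# and key names may contain spaces, so split on the next "Process <pid> (".
ENTRY = re.compile(
    r"Process (\d+) \((.+?)\) has opened key (.+?)(?=\s+Process \d+ \(|\s*$)",
    re.S)

# Constructed sample in the layout of the events quoted in this thread.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="32768">1530</EventID></System>
<EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">3 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333333-1000:
Process 1648 (\Device\HarddiskVolume3\Program Files (x86)\Example\agent.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\SystemCertificates\Root Process 1648 (\Device\HarddiskVolume3\Program Files (x86)\Example\agent.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000
Process 1088 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\RAS AutoDial
</Data></EventData></Event>"""

def parse_hive_leak(event_xml):
    """Return (hive, declared_count, [(pid, image, subkey), ...])."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1530":
        raise ValueError("not a User Profiles Service event 1530")
    detail = root.findtext(
        "e:EventData[@Name='EVENT_HIVE_LEAK']/e:Data[@Name='Detail']",
        namespaces=NS)
    header = HEADER.search(detail or "")
    if header is None:
        raise ValueError("no hive-leak detail in event")
    hive = header.group(2)
    entries = []
    for pid, image, key in ENTRY.findall(detail[header.end():]):
        # Keys are logged as \REGISTRY\USER\<SID>...; make them hive-relative.
        sub = key[len(hive):] if key.lower().startswith(hive.lower()) else key
        entries.append((int(pid), image, sub.lstrip("\\") or "(hive root)"))
    return hive, int(header.group(1)), entries

def summarize(event_xml):
    """Count leaked handles per (pid, image) and check the declared total."""
    hive, declared, entries = parse_hive_leak(event_xml)
    per_process = Counter((pid, image) for pid, image, _ in entries)
    return {"hive": hive, "complete": declared == len(entries),
            "per_process": per_process.most_common(),
            "subkeys": sorted({sub for _, _, sub in entries})}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for (pid, image), count in report["per_process"]:
        print(f"{count:3d} handle(s)  PID {pid}  {image}")
```

A `complete` value of `False` means the number of parsed entries differs from the count declared in the event header, so the detail text should be checked by hand.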
  • I got the same Guid but with Event ID 3036.

    What should I do with this warning?

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
      <EventID Qualifiers="32768">3036</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>3</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2009-02-22T18:25:20.000Z" />
      <EventRecordID>92137</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>Application</Channel>
      <Computer>PC</Computer>
      <Security />
      </System>
      <EventData>
      <Data Name="ExtraInfo">Kontext: program , katalog SystemIndex Information: Odefinierat fel (0x80004005)</Data>
      <Data Name="URL">mapi://{s-1-5-21-7362703-1673368824-826635761-1000}/</Data>
      </EventData>
      </Event>

    Thanks / Tomas

    By helping others you help yourself
    Sunday, February 22, 2009 7:03 PM
  • You say it's normal, Babli 123...?
    How come?

    Thanks / Tomas
    By helping others you help yourself
    Sunday, February 22, 2009 7:05 PM
  • I am getting 3036, too.  KB 940453 says, "This behavior occurs because the account that you use to log on to the computer is a member of one or more of the following groups: [Guests or Domain Guests]" (It then goes on to give a resolution that is not correct for Vista.) In my case, the user is a member of the local Administrators group--only.

    Is there any additional info on this?
    Monday, May 04, 2009 10:24 PM
  • If you go into Regedit and then scroll through to the following key,
    HKEY_CURRENT_USER\Software\Microsoft\Windows Search\ProcessedSearchRoots, under one of the subfolders you will find the mapi://{s-1-5-21-7362703-1673368824-826635761-1000} reference. Delete it and rebuild your search indexes by going into Control Panel and selecting Indexing Options; click on the Advanced button and then Rebuild.
    Friday, July 17, 2009 7:45 AM
  • I tried the fix suggested by brogahn and it did not clear the Event ID 3036 Symantec

    Log Name:      Application
    Source:        Microsoft-Windows-Search
    Date:          4/13/2010 12:11:05 PM
    Event ID:      3036
    Task Category: Gatherer
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      LAT200AD018.carousel.local
    Description:
    The content source <csc://{S-1-5-21-4180378198-628378163-1768571778-1000}/> cannot be accessed.

    Context:  Application, SystemIndex Catalog

    Details:
                (HRESULT : 0x80004005) (0x80004005)

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          4/13/2010 8:48:49 AM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:
    User:          SYSTEM
    Computer:      LAT200AD018.carousel.local
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    Wednesday, April 14, 2010 4:44 PM
  • Hi, I have had all these problems on all three of my computers. I don't know what to do. (schemas) went as far as building its own 30 gig drive that I can't access. It says that Windows NT is running with other users. I run Windows 7. It took over my computer and changed drivers. It is destroying my new HP TouchSmart computer. I think it is a hack through PowerShell or Windows Management. I've called everybody including the FBI and am still no help. Does anyone know what to do? PLEASE! Thanks, jason qmc
    Saturday, August 07, 2010 8:57 PM
  • I too am receiving warning 1530 on Windows 7 Ultimate 64-bit. This warning occurs regularly and I am completely unsure how to resolve it. On Windows XP there is a hive unload utility I used when I received such a warning, but I cannot locate a similar utility for Windows 7, let alone for 64-bit.

    My warning seems to be connected to System Certificates. The process opening the registry keys is Lsass.exe (PID: 536). The registry keys appear to be for the System Certificates, with "USER\SID; USER\SID\Software\Microsoft\SystemCertificates\CA; USER\SID\Software\Microsoft\SystemCertificates\My; USER\SID\Software\Microsoft\SystemCertificates\Disallowed"

    SID=USER Security Identifier Number

    Each warning repeats the above information.

    I add this to the thread in the hopes somebody will solve the issue or Microsoft will take notice and fix it.  

    • Proposed as answer by DM-chaz Tuesday, December 14, 2010 9:45 AM
    Sunday, November 07, 2010 5:27 PM
  • It was a Windows update on security; you can uninstall it. I forget the (KB) number; just look in View Update History and look for something that says it enhances your security and uninstall it.
    Tuesday, December 14, 2010 10:00 AM
  • I am confused. If this is a Microsoft TechNet and if Microsoft updates are causing our problems, why are they not fixing them? I am having several problems booting up my computer each day, and I cannot tell what is a symptom and what is a cause anymore. After I finally get it up and running, all is fine. I can shut it down and do a cold boot with no problem. But leave it off, let's say overnight, and it takes me 20 minutes and several attempts to get it to start. Frustrating, to say the least.
    Wednesday, December 29, 2010 6:42 PM