User Profile Service event id 1530 with every remote desktop logout

  • Question

  • I've been receiving User Profile Service event id 1530 with nearly every logout from an rdp session.  Our environment is Windows 2008 R2 64 bit running on Citrix XenServer 5.5.  RDP is in remote administration mode.  Tested with and without Windows updates applied.  No additional printers added, no connection to a domain.

    Because the environment is virtual, I've been able to try many combinations and have narrowed it down to this: When Windows 2008 R2 has a single processor, the event does not occur.  When I give the virtual server two processors, the event occurs with nearly every RDP logout.  Same results with or without XenTools installed.  I do not have the resources to test the single/multi processor difference on physical hardware.

    Any insights would be appreciated. I've posted the full event as well as information about the process that is mentioned in the event.

    AB.

    Log Name:      Application
    Source:        Microsoft-Windows-User Profiles Service
    Date:          7/23/2010 8:38:51 PM
    Event ID:      1530
    Task Category: None
    Level:         Warning
    Keywords:     
    User:          SYSTEM
    Computer:      WIN-36DPBES2P14
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

     DETAIL -
     1 user registry handles leaked from \Registry\User\S-1-5-21-2545583-721118796-2022419212-1000:
    Process 888 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2545583-721118796-2022419212-1000\Printers\DevModePerUser

    ----------

    Process 888 is svchost.exe running UxSMS (Desktop Window Manager Session Manager), UmRdpService (Remote Desktop Services UserMode Port Redirector), TrkWKS (Desktop Distributed Link Tracking Client), and Netman (Network Connection).

    • Edited by Ambo Bartok Friday, July 23, 2010 10:24 PM Added detail
    Friday, July 23, 2010 10:01 PM
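
To see which processes and registry keys account for the leaks across many logoffs, the DETAIL lines of event 1530 can be parsed into objects and tallied. This is an added example, not part of the original post: the function names are hypothetical, the sample text is copied from the event above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): parse the DETAIL lines of event 1530
# so leaked handles can be grouped by process image and registry subkey.
# Both function names are hypothetical helpers.
function ConvertFrom-Event1530Message {
    param([string]$Message)
    # Line format: Process <pid> (<image>) has opened key \REGISTRY\USER\<SID><subkey>
    $pattern = 'Process (?<ProcId>\d+) \((?<Image>.+?)\) has opened key ' +
               '\\REGISTRY\\USER\\(?<Sid>S-[\d-]+)(?<SubKey>[^\r\n]*)'
    foreach ($m in [regex]::Matches($Message, $pattern, 'IgnoreCase')) {
        [pscustomobject]@{
            ProcessId = [int]$m.Groups['ProcId'].Value
            Image     = ($m.Groups['Image'].Value -split '\\')[-1]
            Sid       = $m.Groups['Sid'].Value
            SubKey    = $m.Groups['SubKey'].Value.Trim()
        }
    }
}

function Get-Event1530LeakSummary {
    # Reads the local Application log (Windows only) and counts how often each
    # image/subkey pair was reported as still holding a handle at logoff.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1530
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event1530Message -Message $_.Message } |
        Group-Object Image, SubKey |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Sample input: the DETAIL text of the event posted above.
$sample = @'
1 user registry handles leaked from \Registry\User\S-1-5-21-2545583-721118796-2022419212-1000:
Process 888 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2545583-721118796-2022419212-1000\Printers\DevModePerUser
'@
ConvertFrom-Event1530Message -Message $sample | Format-List

# On the affected server, run Get-Event1530LeakSummary for the tally. While the
# reported process is still running, the services it hosts can be listed with:
#   Get-CimInstance Win32_Service -Filter 'ProcessId = 888' | Select-Object Name, DisplayName
```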

All replies

  • Hello,

     

    Generally speaking, event ID 1530 means some data in the user profile is still being accessed when the user logs off from the Terminal Server; you have very possibly enabled the policy to remove the user profile at logoff. In such a situation the error appears. To troubleshoot this error, you can check whether any data still remains in the user profile that was supposed to be deleted. That should be the data the process is using when the logoff happens. You can use Process Monitor or Process Explorer to find the software that is using the data and find the solution. If no such data remains, Windows has possibly stopped the process and deleted the data at logoff. In such a case, you can ignore Event 1530.

     

    Regarding EventID 1530, please also take the following KB article as reference:

     (KB947238) Event ID: 1530 may be logged in the Application log on a Windows 7-based or Windows Vista-based client computer

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;947238

     

    Regards,

    Wilson Jia


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, July 26, 2010 5:55 AM
  • Thank you for considering my situation.  If there is a local policy to remove the user profile, it is created by Windows with a default install as I created a virtual server for no other purpose than to test this situation. 

    It appears that Symantec believes the event is not worth worrying about.  Link to their KB article: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/85c99cee1e433fe9652577280034406b?OpenDocument

    I have come to expect this kind of weirdness from Symantec, but to have it in a fresh install of Windows 2008 R2 with no 3rd party software is frustrating.

    I wonder if there is a way that the user profile service could be instructed to wait a little longer before dropping the axe?

    For the time being, I'm going to plow ahead with Windows 2008 and Windows 2008 R2 virtual servers and hope for the best.

    A.B.

    Monday, July 26, 2010 5:46 PM
  • Ambo, I noticed you are also dealing with this issue in a similar situation.  During the research I've done to try and fix my issue I ran into some others with the issue you're describing (where \Printers\DevModePerUser is still locked) and one person mentioned that getting rid of the default "Microsoft XPS" printer that comes installed fixed his issue.    Also, are you redirecting local printers?  I've seen that cause it as well.

    If you happen to correct your issue, if you could try and set up a Software Restriction Policy in your environment (it doesn't even need to have anything in it, just make a blank one) and see if the issue I'm having occurs I'd appreciate it.  At least this would point to a more systemic issue rather than a problem with the way I've set it up.

    Thanks!

    Tuesday, July 27, 2010 5:57 PM
  • Same problem here, different workaround...

    2008 (32 and 64) and 2008R2 both have the 1530 error and only if a printer is redirected in an RDP session. We are running ESX on quad core Xeons. If I reduce the amount of CPUs to 1 the problem is gone. It does not matter if I install all kinds of software or configurations or even vmware tools. A base install with an IP address and RDP activated will reproduce the event. Seems to happen on some bare metal installs and most virtualized installs. Cannot really explain when and how, only that our machines are experiencing the problem :-(

    The real problem however is not the eventlog entry. It's the fact that the spooler is not able to clear the devices and printerports listing in the users registry. Therefore printers are building up (as users arrive, they tend to have a different redirection number every morning therefore the name differs everyday causing a new entry). Windows and most software don't even check this list and don't have a problem. Some older apps however, show all printers in their printing dialog.

    One of you please confirm that your:

    CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

    CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts

    Are not clearing during logoff and we'll have a case!

    Simply test by logging on using RDP with a printer mapping (does not matter if it needs a driver, easyprint or fails to install as long as the port is redirected). Don't click anything but logoff. Clear the printers checkbox and log on again. Check eventvwr for the 1530 error and check the above keys to view their contents. They should both be empty (or contain only your local printers if you have any on your server)

    Wednesday, July 28, 2010 4:06 PM
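
The registry half of the test described above can be scripted: list what is left in the two per-user keys and count how many redirection numbers have piled up for each printer. This is an added example, not part of the original post: the function name is hypothetical, it assumes redirected printers use the English naming pattern "<printer> (redirected <n>)" and PowerShell 3.0 or later, and it only reads the registry.

```powershell
# Added example (not from the thread): read-only check of the two per-user
# keys named above for entries left behind by redirected printers.
# Assumption: redirected printers are named "<printer> (redirected <n>)".
# Get-RedirectedPrinterEntry is a hypothetical helper name.
function Get-RedirectedPrinterEntry {
    param([string[]]$KeyPath = @(
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Devices',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts'))
    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }            # key absent: nothing to report
        foreach ($name in $key.GetValueNames()) {
            if ($name -match '^(?<Printer>.+) \(redirected (?<Number>\d+)\)$') {
                [pscustomobject]@{
                    Key     = ($path -split '\\')[-1]
                    Printer = $Matches['Printer']
                    Number  = [int]$Matches['Number']
                    Data    = $key.GetValue($name)
                }
            }
        }
    }
}

# Run in an RDP session opened with printer redirection switched off: every
# row is then a leftover from an earlier session. A Redirections count above 1
# for one printer is the build-up described in the post.
Get-RedirectedPrinterEntry |
    Group-Object Key, Printer |
    Select-Object @{ n = 'Key, Printer'; e = { $_.Name } },
                  @{ n = 'Redirections'; e = { $_.Count } },
                  @{ n = 'Numbers'; e = { ($_.Group.Number | Sort-Object) -join ',' } }
```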
  • Unfortunately my situation isn't the same as yours so I can't really comment, we don't use redirected printers in our environment.  The problem I'm having is described here (which links back to this post :))

    http://social.technet.microsoft.com/Forums/en/winserverTS/thread/a52c7dac-401b-4843-a69c-04a92ef16457

     

    Wednesday, July 28, 2010 4:22 PM
  • But can you resolve your issue by reducing the amount of CPUs as well? Maybe worth a try.
    Wednesday, July 28, 2010 6:27 PM
  • The virtual machine I was testing it with was already at 1 CPU when the condition was occurring, thx for the suggestion though.  Besides my physical box that I'm planning to run this on is a dual-quad core system so I can't really reduce the CPUs in it :)   It really seems like my particular issue (with the Software Restriction Policy causing the error) is actually a bug as I can reproduce it in a completely isolated environment.  I may just have to live with it until a fix is found (if ever).
    Wednesday, July 28, 2010 9:22 PM
  • Hi,

    Please perform clean boot on Windows server 2008 R2 to see if the issue continues.

    ======================
    A. Click Start | Run and type "msconfig" (no quotes) and press enter.
    B. Click services from the tab, check the check box of "Hide All Microsoft
    Service", and then click "Disable all"
    C. Click Startup from the tab, then click "Disable all"
    D. Click "OK" and follow the instructions to Restart Computer, after rebooting if
    you get a prompt dialog of System Configuration, please check the check box in the
    dialog and click "OK".

    As a temporary work around we have carried out the following.
    Disable the "User Profile Service".
    Reboot.
    Log on with local admin account.
    Remove the problematic profiles.
    Remove reference to the specific problematic profiles from registry at:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    Log off
    Log on with local admin account.
    Set "User profile Service" to start automatically.
    Reboot
    Log back on as problematic account and changes have been saved.

    This is a work around only.

     

    Regards,

    Wilson Jia

     


    Monday, August 2, 2010 8:16 AM
  • Hi all. I have the exact same problem. I followed the workaround posted above as follows:

    1. Run>Msconfig>Disable All>Reboot
    2. Logon local admin>Services>Disable User Profile Service>Reboot
    3. Logon Local Admin>Delete Remote User Profile in Computer Management\Users
    4. Deleted Remote User Profile Folder in C:\Users\
    5. Deleted Remote User Profile in Registry
    6. Log off>Reboot
    7. Logon as Admin>Re-enable Services

    However this did not work. Did I follow the steps correctly?

    Also, would this happen to have anything to do with why my windows server 2008 fails to install the 2 same windows updates? KB967723 and KB981793? Ever since I ran into the registry leak problem this happened as well.

    Friday, August 27, 2010 12:39 AM
  • H-ummer

    I can confirm that when I do a Remote desktop connection from a client computer, I see many redirected printers in the registry where you mentioned. But not if logged on at the server. Can you elaborate on what to do next? I don't quite follow.

    Thanx

    Friday, August 27, 2010 2:17 AM
  • I have the same issue going on.  the process hanging is:

     

    Process 1272 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3197591532-3394961484-3160339202-2620\Printers\DevModePerUser

    On the Remote Desktop application printers are NOT checked and are not trying to load local printers.  Any other suggestions here?  I can't unload ALL of my services and run it, or I'll have a very unhappy environment.  My 2003 Servers that are not x64 I was able to install that UPHClean and that did the trick.  But there seems to be no other solution for the others?

    I read that in the 2008 servers it's built in, even though I haven't seen it anywhere and it's definitely NOT doing its job.

     

    Can anyone else here provide me with any ideas?  I'm at a loss with this.

    Wednesday, March 9, 2011 4:16 PM
  • Ok... I found the problem.  If you have Server 2008 and Symantec Endpoint Protection this is the error it keeps giving.  Only when logging into the server using RDP.  After some use of RDP the service finally hangs and the server has to have a hard reset.  Since removing Symantec it's been smooth sailing.

    Switching to another AV!!!

     

    Here is the article for anyone interested or having this issue:

    http://www.symantec.com/connect/forums/endpoint-protection-errors-and-warning-windows-server-2008

    Thursday, March 17, 2011 3:37 PM
  • I'm running Trend Micro OfficeScan Client 10.5.1997 and have this problem.  It's driving me nuts.
    Monday, March 19, 2012 12:01 PM
  • I'm using Mcafee and I'm having the same problem. It's not exclusively caused by Symantec, though it may have been your case.


    • Edited by cvlowe Monday, April 9, 2012 3:46 PM
    Monday, April 9, 2012 3:46 PM
  • I have the same warning on a physical 2008R2 with 2 hexa-cores CPU but note that I have no anti-virus program.

    As it doesn't seem a real problem I'll leave it like this...


    Monday, July 9, 2012 4:41 PM
  • This is likely one of those errors Microsoft has no clue what's going on with Windows so just recommends we "ignore". If enough people complain, they will release a patch that stops the error from being logged.

    Monday, July 9, 2012 6:26 PM
  • Got this problem on all my W2k8R2 servers with AV - CA Total Defense. From time to time they hang and you can just do a hard reset to reboot. Nothing works, RDP, disable Remote Service nothing works :(
    • Proposed as answer by za.net Thursday, July 26, 2012 11:03 AM
    • Unproposed as answer by za.net Thursday, July 26, 2012 11:04 AM
    Wednesday, July 18, 2012 7:45 AM
  •  
    This is a workaround for:  Event 1530 when every Remote Desktop user logs off.  This clears out some of the User Profile that the RDS Logoff was supposed to do, but failed during the Event 1530.

    Option Explicit
    On Error Resume Next
    Dim objShell, x
    Set objShell = WScript.CreateObject("WScript.Shell")
    objShell.run("REG.EXE DELETE ""HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices"" /va /f")
    objShell.run("REG.EXE DELETE ""HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts"" /va /f")
    Set objShell = Nothing
    WScript.quit

    This workaround does not address the underlying cause, the Event 1530. Only relieves the mess with Redirected Printers.
    It’s all about the 1530 Events.   The Redirected Printers are just victims.
    We're not sure if other areas are being hosed, none that I can obviously see. 
    Possible infinite growth occurring in system Registry and/or User Profile Hives.

     

    Friday, March 1, 2013 11:12 PM
  • hello john,

    I am also having the problem with 1530. In a few months, this problem will have been discussed, with no solution, for -3- years!

    Some have found workarounds but no fix. Even MS KB states the issue needs to be examined and resolved. Well, I am waiting. 12 users working over 3 years to find a solution to this MS issue. Frustrating indeed, yes.

    • Proposed as answer by pm1_44 Sunday, June 2, 2013 6:38 PM
    Sunday, June 2, 2013 6:38 PM
  • Hi pm1_44,

    Can you tell me the KB # that acknowledged issue with RDS 1530 event and redirected printers?

    Thanks.

    Wednesday, June 26, 2013 4:24 PM
  • You are brilliant.  I made sure that I was not redirecting printers, then went to those two registry keys and deleted all of the redirected printers.  Voila.  No more 1530 during RDP logoff.

    Thanks so much!



    • Proposed as answer by Susie2229 Friday, February 21, 2014 11:16 PM
    • Edited by Susie2229 Friday, February 21, 2014 11:16 PM
    Friday, February 21, 2014 11:08 PM
  • One of you please confirm that your:

    CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

    CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts

    Are not clearing during logoff and we'll have a case!

    Simply test by logging on using RDP with a printer mapping (does not matter if it needs a driver, easyprint or fails to install as long as the port is redirected). Don't click anything but logoff. Clear the printers checkbox and log on again. Check eventvwr for the 1530 error and check the above keys to view their contents. They should both be empty (or contain only your local printers if you have any on your server)

    The problem still exists in 2012 R2, and I'm thinking the XPS printer is at least partly to blame.  However, I've completely removed this printer from the server, and I still get the following two entries.

    Process 1408 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2664737520-481353137-1098671830-632619\Printers\DevModePerUser
    Process 808 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2664737520-481353137-1098671830-632619\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

    I've disabled printer sharing in RDP via GPO, and have confirmed that it is unchecked and greyed out in my RDP client. The last one puzzles me though.  That one may be caused by something else.

    Wednesday, April 30, 2014 3:53 PM
  • Hello,

    On 2012R2, I resolved the issue by removing the XPS printer. Now VHDX are released upon logoff.


    Mathieu Chateau http://www.lotp.fr

    Saturday, March 7, 2015 5:04 PM
  • I have also been searching for a resolution to these events being logged after every user logout from our 2012 terminal server. Never found a real solution but I was able to create a workaround that eliminated the events from my logs. I created a logout script that stops the UmRdpService, clears the printer and device registry keys and restarts the service. So far the 1530 events have not returned and there are no more orphaned printer entries in my registry. In order for the script to work I had to grant start and stop rights for the UmRdpService to the terminal server users group. I read many different and complicated methods of granting users rights to start and stop a service but then found a utility called "Process Hacker" that simplified granting the rights. Here is the logout script I have been using:

    @echo off
    echo %username% has logged off at %time% %date% >> c:\Logoff_Log.txt
    echo Stopping UmRdpService >> c:\Logoff_Log.txt
    sc stop UmRdpService
    if %ERRORLEVEL% == 0 echo UmRdpService has been stopped >> c:\Logoff_Log.txt
    ping -n 3 127.0.0.1
    echo Cleaning users printer settings from registry >> c:\Logoff_Log.txt
    echo Cleaning HKCU\Printers\DevModePerUser... >> c:\Logoff_Log.txt
    REG DELETE HKCU\Printers\DevModePerUser /va /f >> c:\Logoff_Log.txt
    REM echo Cleaning HKCU\Printers\DevModes2... >> c:\Logoff_Log.txt
    REM REG DELETE HKCU\Printers\DevModes2 /va /f >> c:\Logoff_Log.txt
    echo Cleaning HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices... >> c:\Logoff_Log.txt
    REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices" /va /f >> c:\Logoff_Log.txt
    echo Cleaning HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts... >> c:\Logoff_Log.txt
    REG DELETE "HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts" /va /f >> c:\Logoff_Log.txt
    echo Restarting UmRdpService >> c:\Logoff_Log.txt
    sc start UmRdpService
    if %ERRORLEVEL% == 0 echo UmRdpService has been started >> c:\Logoff_Log.txt
    echo. >> c:\Logoff_Log.txt

    Thursday, September 3, 2015 5:55 PM
  • Dan,

    Thursday, March 24, 2016 3:39 PM
  • Dan,

    Have you had success with this logoff script? I have been dealing with this issue since server 2003. Issues: Terminal services session printers not populating or showing up but not accessible.  Gpupdate /force usually corrects the issue.

    Thursday, March 24, 2016 4:49 PM
  • rm304,

    So far so good, no more 1530 errors in my event logs since I implemented the script. The whole logging part of the script may be overkill but I've found it comes in handy if I want to quickly see when a user logged out from their session. I also like to be able to verify that the commands are still working.

    Thursday, March 24, 2016 8:01 PM