Event 1530, User Profile Service
Soyo SY-P4I865PE Plus DRAGON 2 motherboard
Intel Pentium 4 3.20 GHZ HT
2×1024MB pc3200 PNY RAM
Windows Vista Home Premium
PNY GeForce 7800 GS 8x AGP, 256MB (97.46 ForceWare)
PCI Creative X-Fi XtremeMusic
LG Flatron L1920P lcd monitor
Hey guys. I keep getting this warning since 3/16/07 after some Windows
Updates. Happens each time I shut down my pc. Any ideas if they are
anything to be worried about? I haven't made any system changes other than
Vista downloading and installing some updates.
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/29/2007 2:56:52 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: Morad-Haj
Description:
Windows detected your registry file is still in use by other applications or
services. The file will be unloaded now. The applications or services that
hold your registry file may not function properly afterwards.
DETAIL -
17 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service"
Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-03-29T09:56:52.000Z" />
<EventRecordID>6068</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Morad-Haj</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">17 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
</Data>
</EventData>
</Event>
mhajii210
Re: Event 1530, User Profile Service
It says that there is a badly programmed service that isn't shutting down
when told to. Process 896 is to blame. It will be a different number each
boot. This will probably work but may not (depends which svchost process is
896) Got a better way.
Type cmd in Start Run (most have to contend with UAC do what you need to
become a real admin - I don't use UAC because I ain't clicking through 50
dialog boxes an hour to tell people what to do)
Type
tasklist /svc
To save it to a file
tasklist /svc /fo "table" /fi "imagename eq svchost.exe" >"%userprofile%\desktop\Svc Host Processes.txt"
Above is one line.
To get help
Tasklist /?
Then reboot. Then read the error again and get the pid and compare it to the
list before we shut down. That will narrow down which service is causing a
problem from any to only a handful. It may be possible, if the services in
that svchost aren't critical to booting up, to disable them one by one and
by a process of elimination, find the one.
But try a shortcut first. Type in Start - Run
msconfig
Choose Diagnostic Startup and reboot, reboot again, did the error occur on
the second reboot? If not, click Help in MSConfig as it has step by step
instructions on turning individual services on or off. If the error still
occurs you'll have to turn the smaller list on and off in msconfig. I
suspect they'll be Microsoft ones.
This is not an error. This is a warning. It may be important but probably
isn't.
Microsoft had a UserProfile tool for this situation in XP and 2000. I can't
find anything but it could be the UserProfileCleanup in Windows 2003 Server
Resource Kit. I don't know I would run something like this on Vista unless
it said it was going to work. Before using a program that tries to outthink
another program to prevent unknown bugs in unknown programs from affecting
the second program, I would like to know that Vista hasn't changed that part
of XP first. As if it screws up it may bye bye your user profile (you lose
all settings but your files survive but you have to move them to their new
home on the disk).
Re: Event 1530, User Profile Service
Here's what I found out thanks to you! See below for details but as it turns
out it is WinDefend that is causing the problem. I guess I will have to
report this to Microsoft as a bug. Thanks again for your help!
mhajii210
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\Morad>TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    796 DcomLaunch, PlugPlay
svchost.exe                    852 RpcSs
svchost.exe                    888 WinDefend
svchost.exe                    972 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe                   1064 AudioEndpointBuilder, EMDMgmt, hidserv,
                                   Netman, PcaSvc, SysMain,
                                   TabletInputService, TrkWks, UxSms,
                                   WdiSystemHost, WPDBusEnum
svchost.exe                   1080 AeLookupSvc, Appinfo, BITS, gpsvc, IKEEXT,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1248 EventSystem, LanmanWorkstation, netprofm,
                                   nsi, SSDPSRV, W32Time, WebClient
svchost.exe                   1352 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
                                   TermService
svchost.exe                   1620 BFE, DPS, MpsSvc
svchost.exe                   2432 PolicyAgent
svchost.exe                   2464 WerSvc
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 4/2/2007 1:22:51 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: Morad-Haj
Description:
Windows detected your registry file is still in use by other applications or
services. The file will be unloaded now. The applications or services that
hold your registry file may not function properly afterwards.
DETAIL -
24 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service"
Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-04-02T08:22:51.000Z" />
<EventRecordID>6316</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Morad-Haj</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">24 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
</Data>
</EventData>
</Event>
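The comparison worked through in this thread (look up the PID named in the Event 1530 detail in a `tasklist /svc` listing taken before shutdown), as an added example that is not part of the original posts. The function names are hypothetical and the two sample texts are constructed, abridged from the output posted above; because PIDs change on every boot, the code also checks that the image name in the snapshot matches the one in the event before attributing services.

```python
import re
from collections import Counter

# Constructed sample: abridged `tasklist /svc` listing in its native table layout.
TASKLIST_SVC = r"""
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    852 RpcSs
svchost.exe                    888 WinDefend
svchost.exe                   1064 AudioEndpointBuilder, EMDMgmt, hidserv,
                                   Netman, PcaSvc, SysMain
svchost.exe                   1620 BFE, DPS, MpsSvc
"""

# Constructed sample: Event 1530 detail text, shortened to three handle entries.
EVENT_1530_DETAIL = r"""
3 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
"""

# A table row starts in column 0: image name, PID, then the service list.
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")
LEAK_HEADER = re.compile(
    r"(\d+) user registry handles leaked from\s+\\Registry\\User\\(S-[\d-]+)", re.I)
# The event text wraps between "has" and "opened key", so match any whitespace.
LEAK_ENTRY = re.compile(r"Process (\d+) \((.+?)\) has\s+opened key\s+(\S+)")


def parse_tasklist_svc(text):
    """Return {pid: {"image": str, "services": [str, ...]}} from tasklist /svc output."""
    table, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("="):
            continue  # blank line or the ==== separator
        m = ROW.match(line)
        if m:
            current = int(m.group(2))
            table[current] = {"image": m.group(1), "services": []}
            rest = m.group(3)
        elif current is not None:
            rest = line  # wrapped continuation of the previous service list
        else:
            continue  # column header before the first row
        names = [s.strip() for s in rest.split(",")]
        table[current]["services"] += [s for s in names if s and s != "N/A"]
    return table


def attribute_leak(event_text, tasklist_text):
    """Map each PID in an Event 1530 detail to the services hosted by that PID."""
    head = LEAK_HEADER.search(event_text)
    if head is None:
        raise ValueError("not an Event 1530 hive-leak detail")
    entries = LEAK_ENTRY.findall(event_text)
    snapshot = parse_tasklist_svc(tasklist_text)
    images = {int(pid): image for pid, image, _key in entries}
    holders = []
    for pid, handles in Counter(int(pid) for pid, _i, _k in entries).most_common():
        snap = snapshot.get(pid)
        # Guard against a snapshot from another boot: the PID must exist in the
        # listing and belong to the same executable the event names.
        same_image = (snap is not None and
                      images[pid].lower().endswith("\\" + snap["image"].lower()))
        holders.append({
            "pid": pid,
            "handles": handles,
            "image": images[pid],
            "in_snapshot": same_image,
            "services": snap["services"] if same_image else [],
        })
    return {
        "sid": head.group(2),
        "declared": int(head.group(1)),  # count stated in the event header
        "listed": len(entries),          # handle entries actually present
        "holders": holders,
    }


if __name__ == "__main__":
    report = attribute_leak(EVENT_1530_DETAIL, TASKLIST_SVC)
    for h in report["holders"]:
        label = ", ".join(h["services"]) or "no match in this snapshot"
        print(f'PID {h["pid"]}: {h["handles"]} handle(s) -> {label}')
```
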