Windows detected that the registry file is in use by other applications or services (event 1530)

Источник:      Microsoft-Windows-User Profiles Service

Дата:          19.04.2017 19:10:25

Код события:   1530

Категория задачи:Отсутствует

Уровень:       Предупреждение

Ключевые слова:

Пользователь:  система

Компьютер:     QWERTY1

Описание:

Система Windows обнаружила, что файл реестра используется другими приложениями или службами. Файл будет сейчас выгружен. Приложения или службы, которые используют файл реестра, могут впоследствии работать неправильно.  

 ПОДРОБНО — 

 16 user registry handles leaked from \Registry\User\S-1-5-21-208439106-2742066226-3157559274-1000:

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\Root

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\Disallowed

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\trust

Process 1732 (\Device\HarddiskVolume2\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\NVIDIA Corporation\Global\ShadowPlay

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\TrustedPeople

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\My

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\CA

Xml события:

  <System>

    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />

    <EventID>1530</EventID>

    <Version>0</Version>

    <Level>3</Level>

    <Task>0</Task>

    <Opcode>0</Opcode>

    <Keywords>0x8000000000000000</Keywords>

    <TimeCreated SystemTime="2017-04-19T16:10:25.900958800Z" />

    <EventRecordID>49493</EventRecordID>

    <Correlation />

    <Execution ProcessID="832" ThreadID="4916" />

    <Channel>Application</Channel>

    <Computer>QWERTY1</Computer>

    <Security UserID="S-1-5-18" />

  </System>

  <EventData Name="EVENT_HIVE_LEAK">

    <Data Name="Detail">16 user registry handles leaked from \Registry\User\S-1-5-21-208439106-2742066226-3157559274-1000:

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\Root

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Policies\Microsoft\SystemCertificates

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\Disallowed

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\trust

Process 1732 (\Device\HarddiskVolume2\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\NVIDIA Corporation\Global\ShadowPlay

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\TrustedPeople

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\My

Process 4384 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-208439106-2742066226-3157559274-1000\Software\Microsoft\SystemCertificates\CA

</Data>

  </EventData>

</Event>

This topic describes event 1530 from the User Profile Service

Table of Contents

  • Event Details
  • Cause
  • Resolution
  • Related Information

Applies to: Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008

Event Details

Product: Microsoft Windows Operating System

ID: 1530

Source: Microsoft-Windows-User Profiles Service; User Profile Service

Version: 6.3, 6.2, 6.1

Symbolic Name: EVENT_HIVE_LEAK

Message: The Windows operating system detected that your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

Included in the following details are four examples of the type of information that can appear in this event message:

1 user registry handles leaked from \Registry\User\S-1-5-21-3112862306-1016156048-4130204762-1000: Process 932 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3112862306-1016156048-4130204762-1000

1 user registry handles leaked from \Registry\User\S-1-5-21-4211544788-2274021965-2216582883-1001_Classes: Process 3568 (\Device\HarddiskVolume3\Windows\System32\WUDFHost.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001_CLASSES

5 user registry handles leaked from \Registry\User\S-1-5-21-4211544788-2274021965-2216582883-1001:
Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001
Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001
Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001
Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001
Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37 ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001

1 user registry handles leaked from \Registry\User\S-1-5-21-4211544788-2274021965-2216582883-1001: Process 2492 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001\Software\Microsoft\Windows\CurrentVersion\Explorer

Cause

This event can be caused by apps that do not release their Registry keys before shutting down. This most often occurs when an app runs in the background and does not release its Registry keys when a user signs off, in which case Windows forces the Registry to unload. There is no impact to users, though in rare cases recent configuration changes in the app might not be saved.
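To see which background processes held the hive open in a record like the ones shown above, the Detail text can be grouped by process and subkey. The following is an added example, not part of the Microsoft article; the SID, paths and process names in the sample are constructed, and the parser also accepts records where several "Process ..." entries are run together on one line.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"(\d+) user registry handles leaked from (\S+?):")
# The image path may contain "(x86)" and key names may contain spaces, so an
# entry ends only where the next "Process <pid> (" begins or the text ends.
ENTRY = re.compile(
    r"Process (\d+) \((.+?)\) has opened key (.+?)(?=\s+Process \d+ \(|\s*$)",
    re.S,
)

def parse_hive_leak(detail):
    """Parse the Detail text of one event 1530 into hive, count and entries."""
    head = HEADER.search(detail)
    if head is None:
        raise ValueError("not an EVENT_HIVE_LEAK detail string")
    entries = [(int(pid), image, key)
               for pid, image, key in ENTRY.findall(detail[head.end():])]
    declared = int(head.group(1))
    # "complete" is False when the text was truncated or damaged in transit.
    return {"hive": head.group(2), "declared": declared,
            "entries": entries, "complete": len(entries) == declared}

def holders(record):
    """Group leaked handles by process: (exe, pid, handle count, subkeys)."""
    prefix = len(record["hive"])  # key names repeat the hive path in upper case
    grouped = defaultdict(list)
    for pid, image, key in record["entries"]:
        exe = image.rsplit("\\", 1)[-1]
        grouped[(exe, pid)].append(key[prefix:].lstrip("\\") or "(hive root)")
    rows = [(exe, pid, len(keys), sorted(set(keys)))
            for (exe, pid), keys in grouped.items()]
    return sorted(rows, key=lambda row: -row[2])

# Constructed sample: SID, volume paths and executables are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
KEY = "\\REGISTRY\\USER\\" + SID
AV = r"\Device\HarddiskVolume2\Program Files (x86)\ExampleAV\scan.exe"
GPU = r"\Device\HarddiskVolume2\Program Files\ExampleGPU\helper.exe"
SAMPLE = (
    f"4 user registry handles leaked from \\Registry\\User\\{SID}:\n"
    f"Process 4100 ({AV}) has opened key {KEY}\n"
    f"Process 4100 ({AV}) has opened key {KEY}\\Software\\Microsoft\\SystemCertificates\\Root "
    f"Process 1700 ({GPU}) has opened key {KEY}\\Software\\Example Vendor\\Global\n"
    f"Process 4100 ({AV}) has opened key {KEY}\\Software\\Policies\\Microsoft\\SystemCertificates\n"
)

if __name__ == "__main__":
    for exe, pid, count, subkeys in holders(parse_hive_leak(SAMPLE)):
        print(f"{exe} (PID {pid}): {count} handle(s)")
        for sub in subkeys:
            print("    " + sub)
```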

Resolution

No user action is required — this is an acceptable condition.

In Windows 8.1 we changed this to an Information message to help reduce confusion and alarm. This event was a Warning event in prior versions of Windows.

Related Information

  • KB 947238 Event ID: 1530 may be logged in the Application log on a Windows
    7-based or Windows Vista-based client computer

 

  • Hi Wayward

    A description of this subject goes back to the era of NT4, Windows 2000, Windows XP, and Windows Server 2003.

    The problems would occur when profiles were not fully unloaded because some process, which could be any driver, application, or service, would still maintain hooks into a user's profile registry hive when the system was shut down or a user logged off.  It was mainly a problem that was seen in roaming profile situations, but it also happened on standalone systems.

    The result would be that the profile would be corrupted and the next time that user logged on they would receive a message similar to "Windows cannot log you on because your profile cannot be loaded."

    Microsoft developed a utility called UPHClean, which, when installed, runs automatically when a system is shut down or a user logs off. It checks for any service, application, or driver that may still have the user's registry hive open and cleans them up, thereby letting a user's profile unload cleanly.

    During the Windows Vista beta, a version (2.0) of UPHClean was being developed for Vista, but the decision was made to integrate this component into the system for better stability. The reason for this was that a user would not normally install this utility until after a problem occurred.

    You can read some of the history about this issue in the following KB article.

    You experience log off problems on a Windows XP-based, Windows Server 2003-based, Windows 2000-based, or Windows NT 4.0-based computer

    In your case, the msiexec.exe (Windows Installer Service) and the CTxfispi.exe (Creative Audio Driver) were the culprits.

    The bottom line is that seeing these warnings in the Event Viewer shows that this component is working to keep your system stable.

    I hope this information is useful.

    Thank You for testing Windows 7

    Ronnie Vernon MVP

    • Marked as answer by

      Monday, September 21, 2009 4:18 AM

  • Details
    Published 15.12.2012 16:19

    I needed to delete a user profile in Windows 7 manually. Without a second thought, relying on many years of experience, I went to the folder where user profiles are stored (C:\Users\username\) and deleted the folder, which is how a user profile was deleted in Windows 98, 2000 and XP. After rebooting I saw that the user I had deleted gets an error saying the main profile cannot be loaded and is given a temporary profile; after a reboot, the settings in the profile are not saved.

    In the system logs I saw this error:

    Имя журнала: Приложение
    Источник: User Profile Service
    Дата: 06.12.2012 10:19:07
    Код события: 1530
    Категория задачи: Отсутствует
    Уровень: Предупреждение
    Ключевые слова:
    Пользователь: система
    Компьютер: COMP-521
    Описание:
    Система Windows обнаружила, что файл реестра используется другими приложениями или службами. Файл будет сейчас выгружен. Приложения или службы, которые используют файл реестра, могут впоследствии работать неправильно.

     ПОДРОБНО -
     5 user registry handles leaked from \Registry\User\S-1-5-21-3126996866-3225961863-1138111795-1126:
    Process 708 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3126996866-3225961863-1138111795-1126
    Process 264 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3126996866-3225961863-1138111795-1126\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 384 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3126996866-3225961863-1138111795-1126\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 264 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3126996866-3225961863-1138111795-1126\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 384 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3126996866-3225961863-1138111795-1126\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    Looking into the details, I saw that besides the folder, Windows 7 also stores information about the profile in the system registry. The profile information in this registry branch also has to be deleted:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

    The profile number can be taken from the error code; in my case it was S-1-5-21-3126996866-3225961863-1138111795-1126. Reboot the computer and enjoy. As for deleting a user profile the proper way, read the article "Deleting a user profile in Windows 7". With pictures. After the deletion I had to reboot several times.
