This topic describes event 1530 from the User Profile Service
Table of Contents
- Event Details
- Cause
- Resolution
- Related Information
Applies to: Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008
Event Details
|
Product |
Microsoft Windows Operating System |
|
ID |
1530 |
|
Source |
Microsoft-Windows-User Profiles Service; User Profile Service |
|
Version |
6.3, 6.2, 6.1 |
|
Symbolic Name |
EVENT_HIVE_LEAK |
|
Message |
The Windows operating system detected that your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. |
Included in the following details are four examples of the type of information that can appear in this event message:
1 user registry handles leaked from \Registry\User\S-1-5-21-3112862306-1016156048-4130204762-1000: Process 932 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3112862306-1016156048-4130204762-1000
1 user registry handles leaked from \Registry\User\S-1-5-21-4211544788-2274021965-2216582883-1001_Classes: Process 3568 (\Device\HarddiskVolume3\Windows\System32\WUDFHost.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001_CLASSES
5 user registry handles leaked from \Registry\User\S-1-5-21-4211544788-2274021965-2216582883-1001: Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has
opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001 Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-
4211544788-2274021965-2216582883-1001
Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001 Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37\ccSvcHst.exe)
has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001 Process 1880 (\Device\HarddiskVolume3\Program Files (x86)\Norton AntiVirus\Engine\18.1.0.37 ccSvcHst.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001
1 user registry handles leaked from \Registry\User\S-1-5-21-4211544788-2274021965-2216582883-1001: Process 2492 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-4211544788-2274021965-2216582883-1001\Software\Microsoft\Windows\CurrentVersion\Explorer
Cause
This event can be caused by apps that do not release their Registry keys before shutting down. This most often occurs when an app runs in the background and does not release
its Registry keys when a user signs off, in which case Windows forces the Registry to unload. There is no impact to users, though in rare cases recent configuration changes in the app might not be saved.
Resolution
No user action is required — this is an acceptable condition.
In Windows 8.1 we changed this to an Information message to help reduce confusion and alarm. This event was a Warning event in prior versions of Windows.
Related Information
- KB 947238 Event ID: 1530 may be logged in the Application log on a Windows
7-based or Windows Vista-based client computer
How to Troubleshoot the Error Message “Windows Detected Your Registry File is Still in Use by Other Applications or Services”
If you receive the error message “Windows Detected Your Registry File is Still in Use by Other Applications or Services,” it means that the registry file is currently being used by another application or service. This can cause problems with the system, as the registry file is an important part of the Windows operating system. To troubleshoot this issue, you should first try restarting your computer. This will allow any applications or services that are using the registry file to be closed, and the registry file will be released.
If restarting your computer does not resolve the issue, you should try running a registry cleaner. A registry cleaner is a program that scans the registry file and repairs any errors that it finds. This can help to resolve any issues that are causing the registry file to be in use.
If the issue persists, you should try disabling any applications or services that may be using the registry file. To do this, open the Task Manager by pressing Ctrl + Alt + Delete. Then, select the Services tab and look for any services that are using the registry file. Right-click on the service and select Stop. This will stop the service from using the registry file.
If none of these steps resolve the issue, you should contact Microsoft Support for further assistance. They will be able to provide more detailed instructions on how to troubleshoot the issue.
What Causes the Error Message “Windows Detected Your Registry File is Still in Use by Other Applications or Services”
The error message “Windows Detected Your Registry File is Still in Use by Other Applications or Services” is caused when the Windows registry is being used by another application or service. The Windows registry is a database that stores important information about the operating system and its settings. When an application or service is using the registry, it can prevent other applications from accessing it, resulting in this error message.
In order to resolve this issue, it is important to identify which application or service is using the registry. This can be done by using the Task Manager to view the list of running processes. If any of the processes are using the registry, they should be closed or stopped. Additionally, it may be necessary to restart the computer in order to completely release the registry from any applications or services that may be using it.
Once the registry is no longer in use, the error message should no longer appear. It is important to note that the Windows registry is a critical component of the operating system and should not be modified or deleted without proper knowledge and understanding of the system.
How to Resolve the Error Message “Windows Detected Your Registry File is Still in Use by Other Applications or Services”
If you receive the error message “Windows Detected Your Registry File is Still in Use by Other Applications or Services,” it means that the registry file is currently being used by another application or service. This can cause problems with the system, as the registry file is an important part of the Windows operating system.
Fortunately, there are a few steps you can take to resolve this issue. First, you should try restarting your computer. This will close any applications or services that may be using the registry file, allowing you to access it.
If restarting your computer does not resolve the issue, you can try running the System File Checker (SFC) utility. This utility will scan your system for any corrupted or missing files, and replace them with the correct versions. To run the SFC utility, open the Command Prompt as an administrator and type “sfc /scannow”.
If the SFC utility does not resolve the issue, you can try running the System Restore utility. This utility will restore your system to a previous state, before the registry file was in use. To run the System Restore utility, open the Control Panel and select “System and Security” > “System” > “System Protection”. Select the “System Restore” option and follow the on-screen instructions.
If none of these steps resolve the issue, you may need to contact Microsoft Support for further assistance.
Problem
One of my installed Apllication’s Windows Service not started automatically and I tried to start it manually, but it again failed to start, then I have started to analyze through event logs and find the below warning event 1530 with error message “Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards“.
Log Name: Application Source: Microsoft-Windows-User Profiles Service Date: 4/8/2015 01:45:18 AM Event ID: 1530 Level: Warning Computer: myPC.myDomain.Com Description: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from RegistryUserS-1-5-21-745457877-148782331-813991262-2636_Classes: Process 1984 (DeviceHarddiskVolume3Program Files Program FilesMTSMyService.exe) has opened key REGISTRYUSERS-1-5-21-745457877-148782331-813991262-2636_CLASSES
Cause
After I have analyzed some time, found this warning event was logged due to service account (The service account used only to run widows service and it was not used to login into system). This warning event (1530) is logged by the behavior of system design.
Other related links
– http://support.microsoft.com/en-us/kb/947238
– http://answers.microsoft.com/en-us/windows/forum/windows_7-security/event-id1530-microsoft-windows-user-profiles/a1ca9fd0-5449-46b6-aae2-35e3edcf8425
– http://social.technet.microsoft.com/wiki/contents/articles/3134.user-profile-service-event-1530-the-windows-operating-system-detected-that-your-registry-file-is-still-in-use-by-other-applications-or-services.aspx
We have an SBS 2008 Server. Once or twice a day the Application Log shows a couple of dozen errors, all identical and all logged within a minute or so, which in full are:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL —
1 user registry handles leaked from \Registry\User\S-1-5-21-1165392890-2796677262-1333002158-1154:
Process 640 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1165392890-2796677262-1333002158-1154
The SID refers to a standard user of the Domain (Gail) who should not have the ability to log on to the Server. However, the folder C:\Users\Gail is created on the Server at the same time as these errors occur, along with the Registry Keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileGuid\{{007c2490-8b19-4433-b853-ec9e99186c51}}
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1165392890-2796677262-1333002158-1154
The Registry Keys show that it is Gail that they are being created for.
If I delete the Registry Keys and the C:\User\Gail folder they are simply re-created the next time the error appears in the log. This does seem to happen a couple of minutes after the user logs on to their PC, although I haven’t yet been able to fully test whether or not it also happens at other times, or if it always happens at log on.
I have searched the PC for any untoward activity. It is running Windows 7 Pro 64-Bit and is connected to the Domain correctly.
There are no viruses, no rogue software, no scheduled tasks, no odd processes, no strange Registry entries running at start-up, etc.
These issues do not occur for any of the other users on the Domain, all of whom use the same software and all of whom have identically set up PCs.
Any help would be appreciated as I believe this must be malicious in some form.
Sister’s system has many problems. A few samplings after tons of troubleshooting already.
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL —
1 user registry handles leaked from \Registry\User\S-1-5-21-48
Process 720 (\Device\HarddiskVolume1\W
Another sampling is this: Name resolution for the name www.att.com timed out after none of the configured DNS servers responded. . . at&t is our ISP
The content source <iehistory://{S-1-5-21-484
Context: Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
Name resolution for the name rc.rlcdn.com timed out after none of the configured DNS servers responded.
Someone indicated ipv6 may be problem, so changed back to ipv4. Lost here.
This is not a new problem, and sure would like help. Many related items such as this in Event Viewer, as well as others.
Windows 7 Ultimate — all updated, McAfee Total Protection
Your help is appreciated.
«:0) Asta