Event 1530, User Profile Service

G

Guest

Soyo SY-P4I865PE Plus DRAGON 2 motherboard
Intel Pentium 4 3.20 GHZ HT
2×1024MB pc3200 PNY RAM
Windows Vista Home Premium
PNY GeForce 7800 GS 8x AGP, 256MB (97.46 ForceWare)
PCI Creative X-Fi XtremeMusic
LG Flatron L1920P lcd monitor

Hey guys. I keep getting this warning since 3/16/07 after some Windows
Updates. Happens each time I shut down my pc. Any ideas if they are
anything to be worried about? I haven't made any system changes other than
Vista downloading and installing some updates.


Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/29/2007 2:56:52 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: Morad-Haj
Description:
Windows detected your registry file is still in use by other applications or
services. The file will be unloaded now. The applications or services that
hold your registry file may not function properly afterwards.

DETAIL -
17 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service"
Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-03-29T09:56:52.000Z" />
<EventRecordID>6068</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Morad-Haj</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">17 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
</Data>
</EventData>
</Event>

mhajii210
 
G

Guest

It says that there is a badly programmed service that isn't shutting down
when told to. Process 896 is to blame. It will be a different number each
boot. This will probably work but may not (depends which svchost process is
896) Got a better way.

Type cmd in Start Run (most have to contend with UAC do what you need to
become a real admin - I don't use UAC because I ain't clicking through 50
dialog boxes an hour to tell people what to do)

Type

tasklist /svc

To save it to a file

tasklist /svc /fo "table" /fi "imagename eq svchost.exe"
"%userprofile%\desktop\Svc Host Processes.txt"
Click to expand...

Above is one line.

To get help

Tasklist /?

Then reboot. Then read the error again and get the pid and compare it to the
list before we shutdown. That will narrow down which service is causing a
problem from any to only a handful. It may be possible, if the services in
that svchost aren't critical to booting up, to disable them one by one and
bu a process of elimination, find the one.

But try a shortcut first. Type in Start - Run

msconfig

Choose Diagnostic Startup and reboot, reboot again, did the error occur on
the secobd reboot. If not, click Help in MSConfig as it has step by step
instructions on turning individual services on or off. If the error still
occurs you'll have to turn the smaller list on and off in msconfig. I
suspect they'll be microsoft ones.

This is not an error. This is a warning. It may be important but probably
isn't.

Microsoft had a UserProfile tool for this situation in XP and 2000. I can't
find anyrthing but it could be the UserProfileCleanup in Window 2003 Server
Resource Kit. I don't know I would run something like this on Vista unless
it said it was going to work. Before using a program that tries to outthink
another program to prevent unknown bugs in unknown programs from affecting
the second program, I would like to know that Vista hasn't changed that part
of XP first. As if it screws up it may bye bye your user profile (you lose
all settings but your files survive but you have to move them to their new
home on the disk).
 
G

Guest

Here's what I found out thanks to you! See below for details but as it turns
out it is WinDefend that is causing the problem. I guess I will have to
report this to Microsoft as a bug. Thanks again for your help!

mhajii210

Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Morad>TASKLIST /SVC /FI "IMAGENAME EQ SVCHOST.EXE"

Image Name PID Services
========================= ========
============================================
svchost.exe 796 DcomLaunch, PlugPlay
svchost.exe 852 RpcSs
svchost.exe 888 WinDefend
svchost.exe 972 Audiosrv, Dhcp, Eventlog, lmhosts, wscsvc
svchost.exe 1064 AudioEndpointBuilder, EMDMgmt, hidserv,
Netman, PcaSvc, SysMain,
TabletInputService, TrkWks, UxSms,
WdiSystemHost, WPDBusEnum
svchost.exe 1080 AeLookupSvc, Appinfo, BITS, gpsvc, IKEEXT,
iphlpsvc, LanmanServer, MMCSS, ProfSvc,
RasMan, Schedule, seclogon, SENS,
ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe 1248 EventSystem, LanmanWorkstation, netprofm,
nsi, SSDPSRV, W32Time, WebClient
svchost.exe 1352 CryptSvc, Dnscache, KtmRm, NlaSvc, TapiSrv,
TermService
svchost.exe 1620 BFE, DPS, MpsSvc
svchost.exe 2432 PolicyAgent
svchost.exe 2464 WerSvc

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 4/2/2007 1:22:51 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: Morad-Haj
Description:
Windows detected your registry file is still in use by other applications or
services. The file will be unloaded now. The applications or services that
hold your registry file may not function properly afterwards.

DETAIL -
24 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service"
Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" EventSourceName="profsvc" />
<EventID Qualifiers="32768">1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2007-04-02T08:22:51.000Z" />
<EventRecordID>6316</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Morad-Haj</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">24 user registry handles leaked from
\Registry\User\S-1-5-21-2641106361-2081730548-1607543625-1000:
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
Process 888 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641106361-2081730548-1607543625-1000
</Data>
</EventData>
</Event>
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Warnings "user profile service" each shutdown or logoff 1
Warning - Event ID 1530 5
event_hive_leak 0
Seeking help - Microsoft support unable to find a solution. 9
Event Viewer - Warning 2
Many registry warnings. Are they significant ?? 4
Many Registry warnings. Are these significant ? 4
Vista Windows Defender causing registry handle leaks 1

Top