Is there any way to tell who is accessing the registry?


  1. Posts : 111
    Windows 7 Pro x64 RTM
       #1

    Is there any way to tell who is accessing the registry?


    Log Name: Application
    Source: Microsoft-Windows-User Profiles Service
    Date: 8/26/2009 6:00:03 AM
    Event ID: 1530
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: Home01
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -
    1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000_Classes:
    Process 2164 (\Device\HarddiskVolume7\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000_CLASSES


    I'm getting two of these yellow warnings every day and according to MS it's OK or it's well expected to get these type of warnings in Event Viewer....but just for the sake of it, is there any way to tell which program/software is causing these yellow warnings?

    Thanks.


  2. Posts : 1,161
    Windows 8.1 PRO
       #2

    edit


    ...
    Last edited by TGSoldier; 27 Aug 2009 at 07:09.


  3. Posts : 2,111
    Win7 Build 7600 x86
       #3

    ben07 said:
    Log Name: Application
    Source: Microsoft-Windows-User Profiles Service
    Date: 8/26/2009 6:00:03 AM
    Event ID: 1530
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: Home01
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -
    1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000_Classes:
    Process 2164 (\Device\HarddiskVolume7\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000_CLASSES
    Hi

    Nothing fishy about this.

    S-1-5-21-783115880-3742272611-1246857717-1000 is a username used by svchost.exe

    There is a problem though according to this part of the message:

    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
    One of your programs is causing a conflict by not releasing a certain service that is using the registry.

    Which program we can not tell from this, because several programs that connect to the internet are masked by svchost.exe which is kind of a container for multiple processes.


    Try to think back to when it started.
    Then uninstall the programs that were installed since then.

    A Windows repair from DVD might also help.

    Greetz
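Added example, not part of the thread or any poster's code: Event ID 1530 records the PID of the svchost.exe instance that held the key, and the services hosted in that instance can be listed by PID. The function names are hypothetical, and the script assumes Windows PowerShell 3.0 or later and a PID that is still current.

```powershell
# Added example; function names are hypothetical. Needs Windows PowerShell 3.0+.

function Get-LeakedHandleInfo {
    param([Parameter(Mandatory)][string]$Message)
    # Event 1530 detail lines read:
    #   Process <pid> (<image path>) has opened key <registry key>
    $pattern = 'Process\s+(?<ProcId>\d+)\s+\((?<Image>.+?)\)\s+has opened key\s+(?<Key>[^\r\n]+)'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        [pscustomobject]@{
            ProcessId = [int]$m.Groups['ProcId'].Value
            Image     = $m.Groups['Image'].Value
            Key       = $m.Groups['Key'].Value.Trim()
        }
    }
}

function Get-ServicesInProcess {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Win32_Service.ProcessId ties each running service to its host process,
    # which is how one svchost.exe instance is broken down into services.
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object -ExpandProperty Name
}

# Detail text copied from the event posted in this thread.
$sample = @'
1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000_Classes:
Process 2164 (\Device\HarddiskVolume7\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000_CLASSES
'@
Get-LeakedHandleInfo -Message $sample | Format-List

# On the affected machine: resolve each logged PID to services. A PID is only
# trusted when the event is newer than the last boot; a service host that has
# restarted since the event was logged can still make the PID stale.
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'Application'; Id = 1530
             ProviderName = 'Microsoft-Windows-User Profiles Service' }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message } | ForEach-Object {
        $evt = $_
        Get-LeakedHandleInfo -Message $evt.Message | ForEach-Object {
            $services = if ($evt.TimeCreated -gt $boot) {
                (Get-ServicesInProcess -ProcessId $_.ProcessId) -join ', '
            } else { '(logged before last boot; PID no longer valid)' }
            $_ | Add-Member -NotePropertyName Logged -NotePropertyValue $evt.TimeCreated -PassThru |
                 Add-Member -NotePropertyName Services -NotePropertyValue $services -PassThru
        }
    } | Format-Table Logged, ProcessId, Services -AutoSize
```

The `Services` column lists everything hosted in that svchost.exe instance, so it narrows the candidates rather than naming the single service that left the handle open.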


  4. Posts : 111
    Windows 7 Pro x64 RTM
    Thread Starter
       #4

    Thanks squonksc, TGSoldier.

    I really can't think of anything that would cause this...it's a new fresh installation...according to MS, it's OK/accepted, but then MS won't tell you why it's OK/accepted, lol

    On a Windows Vista-based client computer, the following event may be logged in the Application log:

    Log Name: Application
    Source: Microsoft-Windows-User Profiles Service
    Date: Date
    Event ID: 1530
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: SYSTEM
    Computer: ComputerName

    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

    DETAIL -
    1 user registry handles leaked from \Registry\User\S-1-5-21-3112862306-1016156048-4130204762-1000:
    Process 932 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3112862306-1016156048-4130204762-1000


    This behavior occurs because Windows Vista automatically closes any registry handle to a user profile that is left open by an application. Windows Vista does this when Windows Vista tries to close a user profile.

    In versions of the Windows operating system that are earlier than Windows Vista, you must install the User Profile Hive Cleanup Service (UPHClean) utility to have the same functionality. However, the UPHClean utility is incompatible with Windows Vista. Additionally, the UPHClean utility is not needed because this functionality is built into Windows Vista.

    Note Event ID 1530 is logged as a Warning event. However, this behavior is expected. Usually, you can safely ignore this event.


  5. Posts : 2,111
    Win7 Build 7600 x86
       #5

    Ben, I'm on to something.

    Would you humor me and uninstall your virus scanner/security suite?

    Post back the results.

    greetz


  6. Posts : 111
    Windows 7 Pro x64 RTM
    Thread Starter
       #6

    Hi squonksc, I will and I'll post back.

    1) I had MS Security Essentials Beta/updated to the latest version a few days ago, but had it uninstalled 2 days ago. (NO longer using)

    2) Windows 7's built in Windows Defender (ON)

    3) AntiVir (ON)


    I'll deactivate the above two, reboot and post back.


  7. Posts : 2,111
    Win7 Build 7600 x86
       #7

    ben07 said:
    Hi squonksc, I will and I'll post back.

    1) I had MS Security Essentials Beta/updated to the latest version a few days ago, but had it uninstalled 2 days ago. (NO longer using)

    2) Windows 7's built in Windows Defender (ON)

    3) AntiVir (ON)


    I'll deactivate the above two, reboot and post back.
    Uninstall Antivir, not deactivate please.

    Defender can stay as is for now.

    greetz


  8. Posts : 4,573
       #8

    This pseudo problem dates back across multiple OS. Unless you are attempting to isolate a known real problem, I would not bother.


  9. Posts : 2,111
    Win7 Build 7600 x86
       #9

    Antman said:
    This pseudo problem dates back across multiple OS. Unless you are attempting to isolate a known real problem, I would not bother.
    Hi Antman

    Sounds intriguing, can you direct me to an article about this issue?

    Thanks.


  10. Posts : 111
    Windows 7 Pro x64 RTM
    Thread Starter
       #10

    Well, after deactivating both Windows Defender and AntiVir, I got only one yellow warning instead of two :).

    Reactivated only Windows Defender and immediately got back two yellow warnings.

    Deactivated Windows Defender and reactivated AntiVir, I got only one yellow warning.

    My conclusion, nothing to do with AntiVir, but definitely Windows Defender is causing one of the yellow warnings Event ID 1530.

    I think maybe this has something to do with my blocking all Outbound Connections/Traffic in Windows' built-in Firewall, as I only created rules to allow IE, FireFox, ThunderBird and Windows Updates to pass thru.


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd