Windows 7: Event Viewer Warning - is this important ?

trinaz · 23 Mar 2011

While checking for a chkdsk /f report in Event Viewr...I noticed this Warning:

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/23/2011 1:34:39 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Home_Desktop
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-4108063887-3821183792-568571711-1001:
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\System Certificates\Disallowed
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\System Certificates\My
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\System Certificates\CA
Event XML:
<Event xmlns="Error">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guido="{BEEF-RAFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2011-03-23T20:34:39.741015800Z" />
<EventRecordID>31957</EventRecordID>
<Correlation />
<Execution ProcessID="1304" ThreadID="4488" />
<Channel>Application</Channel>
<Computer>Home_Desktop</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-4108063887-3821183792-568571711-1001:
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\SystemCertificates\My
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\SystemCertificates\CA
</Data>
</EventData>
</Event>

Is this an issue I shout address and how ?

Thanks...TRinAZ

Maguscreed · 23 Mar 2011

Seems something goofy was going on with the authentication server.
If it only occurred the one time I wouldn't be horribly concerned over it.

A scan for malware may be in order just to be on the safe side though.

**cluberti** · 23 Mar 2011

+1. If you reboot, those handles will get released - especially if it's lsass.exe, Maguscreed's assessment is likely spot on.

Greg S · 24 Mar 2011

I've always gotten this in event viewer when I log off and back on. No malware here.

Windows 7: Event Viewer Warning - is this important ?

Event Viewer Warning - is this important ? problems?