Windows 7 Forums


Windows 7: Is there any way to tell who is accessing the registry?

27 Aug 2009   #21
ben07

Windows 7 Pro x64 RTM
 
 

Quote: Originally Posted by Antman
Right now, I have a different error code. 18 month old naked baby running around on my $1800 carpets.

That's a good one!

Well, after enabling the default firewall settings... still got the same yellow warning... I think maybe it is the ATI/AMD video drivers, 'cause I see two entries in the task bar, but they are NOT listed under start-ups anywhere.

atiedxx.exe
atiesrxx.exe


27 Aug 2009   #22
Delphin

windows 7
 
 

This is not the exact way to identify the problem. I'll tell you how to do that.

Open an elevated command prompt, type tasklist /svc and hit Enter. It will give you all the tasks running under svchost.

Copy all the content of the command prompt and paste it into a text file.

Restart your computer, find the warning message in your Event Viewer, and post it here with the text file containing the command prompt content.
27 Aug 2009   #23
ben07

Windows 7 Pro x64 RTM
 
 

Here we go Delphin

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       248 N/A
csrss.exe                      364 N/A
csrss.exe                      420 N/A
wininit.exe                    428 N/A
services.exe                   480 N/A
winlogon.exe                   504 N/A
lsass.exe                      516 KeyIso, SamSs
lsm.exe                        528 N/A
svchost.exe                    632 DcomLaunch, PlugPlay, Power
svchost.exe                    732 RpcEptMapper, RpcSs
atiesrxx.exe                   820 AMD External Events Utility
svchost.exe                    880 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    920 AudioEndpointBuilder, CscService,
                                   HomeGroupListener, Netman, PcaSvc, SysMain,
                                   TrkWks, UxSms, wudfsvc
svchost.exe                    944 AeLookupSvc, AppMgmt, Browser, gpsvc,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                    320 EventSystem, fdPHost, netprofm, nsi,
                                   WdiServiceHost
spoolsv.exe                   1088 Spooler
sched.exe                     1132 AntiVirSchedulerService
svchost.exe                   1152 BFE, DPS, MpsSvc
svchost.exe                   1220 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
avguard.exe                   1296 AntiVirService
atieclxx.exe                  1716 N/A
taskhost.exe                  1896 N/A
dwm.exe                       1948 N/A
explorer.exe                  2004 N/A
avgnt.exe                     2052 N/A
SearchIndexer.exe             2548 WSearch
wmpnetwk.exe                  2660 WMPNetworkSvc
svchost.exe                   2912 FDResPub, SSDPSRV, upnphost, wcncsvc
svchost.exe                   3032 p2pimsvc, p2psvc, PNRPsvc
svchost.exe                   2260 SDRSVC
taskhost.exe                  1784 N/A
audiodg.exe                   2628 N/A
notepad.exe                   3296 N/A
cmd.exe                       2248 N/A
conhost.exe                   2976 N/A
tasklist.exe                  3448 N/A
WmiPrvSE.exe                  3248 N/A

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 8/27/2009 3:15:11 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Home01
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000:
Process 504 (\Device\HarddiskVolume7\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2009-08-27T10:15:11.445216400Z" />
<EventRecordID>1057</EventRecordID>
<Correlation />
<Execution ProcessID="944" ThreadID="3528" />
<Channel>Application</Channel>
<Computer>Home01</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000:
Process 504 (\Device\HarddiskVolume7\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000
</Data>
</EventData>
</Event>
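Added example, not part of the original posts: one way to correlate the tasklist /svc capture with the Event ID 1530 detail from post #23, using excerpts of that output as input. The function names are this example's own; the parser also accepts wrapped service lines without indentation, as they appear in a forum paste, and it checks the image name because PIDs are reassigned after a restart.

```python
import re

# Excerpts from post #23 above: rows of the tasklist /svc output and the Event 1530 detail.
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
winlogon.exe                   504 N/A
svchost.exe                    944 AeLookupSvc, AppMgmt, Browser, gpsvc,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
spoolsv.exe                   1088 Spooler
"""
SID = "S-1-5-21-783115880-3742272611-1246857717-1000"
DETAIL = ("1 user registry handles leaked from \\Registry\\User\\" + SID + ":\n"
          "Process 504 (\\Device\\HarddiskVolume7\\Windows\\System32\\winlogon.exe) "
          "has opened key \\REGISTRY\\USER\\" + SID + "\n")

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")   # image name, PID, first services line
LEAK = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S+)")

def parse_tasklist(text):
    """Map PID -> (image, [services]); wrapped service lists are joined to their row."""
    procs, last, in_table = {}, None, False
    for line in text.splitlines():
        if line.startswith("="):          # rows start after the ===== separator
            in_table = True
        elif in_table and line.strip():
            m = ROW.match(line)
            if m:
                last = int(m.group(2))
                procs[last] = (m.group(1), [])
            if last is not None:
                rest = m.group(3) if m else line
                procs[last][1].extend(s for s in re.split(r",\s*", rest.strip()) if s and s != "N/A")
    return procs

def holders(tasklist_text, detail):
    """For each handle named in the event, look the PID up in the tasklist capture."""
    procs, out = parse_tasklist(tasklist_text), []
    for pid, path, key in LEAK.findall(detail):
        image, services = procs.get(int(pid), (None, []))
        # PIDs are reused after a reboot: trust the row only if the image name agrees.
        ok = image is not None and path.lower().endswith("\\" + image.lower())
        out.append({"pid": int(pid), "path": path, "hive_sid": key.rsplit("\\", 1)[-1],
                    "image": image, "image_matches": ok, "services": services})
    return out

if __name__ == "__main__": print(holders(TASKLIST, DETAIL))
```

In this capture the event's Execution ProcessID, 944, is the svchost.exe instance hosting ProfSvc, the User Profile Service that logged the warning; the process named as holding the hive is winlogon.exe, PID 504.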

27 Aug 2009   #24
Delphin

windows 7
 
 

Are you using a roaming profile?

I mean, is your profile being stored on a network computer?
27 Aug 2009   #25
ben07

Windows 7 Pro x64 RTM
 
 

Hi Delphin, no. This PC is only connected to another PC running XP SP3 via a Linksys WRT54GL router and the other PC also W7 Pro x64 is not even connected at all to the router, it's just by itself!

Could it be during installation, I didn't provide any password? (hey, I'm the only one running all the PCs, lol).

Right now every time the PC starts, it goes straight to the desktop, no need to select pix/user or enter password, exactly like my XP SP3...the way I like!

P.S. Under my user name - AppData - I do see three folders: 1) Local, 2) LocalLow and 3) Roaming. Not this one, right?


Attached Thumbnails
Is there any way to tell who is accessing the registry?-roaming.jpg  
27 Aug 2009   #26
SquonkSC

Win7 Build 7600 x86
 
 

Hi Ben,

A silly question but I noticed something.

What is your username you log in with?

You haven't named yourself SYSTEM, by any chance, have you?

<- never mind that last question, silly joke.

Greetz
27 Aug 2009   #27
ben07

Windows 7 Pro x64 RTM
 
 

Hi squonksc, I never needed to enter a user name, there isn't a login screen to begin with. Windows 7 would just go straight to the desktop in record time, lol!

No, I never named myself System!
27 Aug 2009   #28
SquonkSC

Win7 Build 7600 x86
 
 

On a more serious note:

Can you do this:

go to the explorer

right click on that disk7 (partition) that is mentioned in the logs

go to security tab

See if there is a user in the list by the name:
S-1-5-21-783115880-3742272611-1246857717-1000

If there is, click edit and delete that user from the list.

These S numbers are leftovers from previous installs.
They are unrecognized users.

You also see those in dual boot situations, in which case you should not delete them.

Please post back the result.

Greetz
27 Aug 2009   #29
SquonkSC

Win7 Build 7600 x86
 
 

Quote: Originally Posted by ben07
Hi squonksc, I never needed to enter a user name, there isn't a login screen to begin with. Windows 7 would just go straight to the desktop in record time, lol!

No, I never named myself System!
But when you installed Win7 you must have chosen a username.

We need to establish under what username you are working.

If you can't figure that out, post back, I'll show you where to look.

Greetz
27 Aug 2009   #30
ben07

Windows 7 Pro x64 RTM
 
 

Hi squonksc, I don't know how to tell which is Volume 7, I attached two pixs of my HDDs.

The OS partition was fully formatted/wiped before installation (fresh installation).

During installation, I entered "C2Q" as name and computer name C2Q-01.

Oops, don't tell me Windows 7 is so smart that it knows that partition "H" is an active partition which also has XP SP3... but I don't do dual boot; if I want to use XP SP3 in H, I simply go into BIOS and change the HDD boot sequence!

Oh man, I just found out there is this unknown user??? See pix.


Attached Thumbnails
Is there any way to tell who is accessing the registry?-ld.jpg  
Attached Images
Is there any way to tell who is accessing the registry?-dm.jpg Is there any way to tell who is accessing the registry?-user.jpg 