This is not the exact way to identify the problem. I'll tell you how to do that.
Open an elevated command prompt, type tasklist /svc and hit Enter. It will give you all the tasks running under svchost.
Copy all the content of the command prompt and paste it into a text file.
Restart your computer and find the warning message in your event viewer and post here with the text file containing the command prompt content :)
Here we go Delphin
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       248 N/A
csrss.exe                      364 N/A
csrss.exe                      420 N/A
wininit.exe                    428 N/A
services.exe                   480 N/A
winlogon.exe                   504 N/A
lsass.exe                      516 KeyIso, SamSs
lsm.exe                        528 N/A
svchost.exe                    632 DcomLaunch, PlugPlay, Power
svchost.exe                    732 RpcEptMapper, RpcSs
atiesrxx.exe                   820 AMD External Events Utility
svchost.exe                    880 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                    920 AudioEndpointBuilder, CscService,
                                   HomeGroupListener, Netman, PcaSvc, SysMain,
                                   TrkWks, UxSms, wudfsvc
svchost.exe                    944 AeLookupSvc, AppMgmt, Browser, gpsvc,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
svchost.exe                    320 EventSystem, fdPHost, netprofm, nsi,
                                   WdiServiceHost
spoolsv.exe                   1088 Spooler
sched.exe                     1132 AntiVirSchedulerService
svchost.exe                   1152 BFE, DPS, MpsSvc
svchost.exe                   1220 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
avguard.exe                   1296 AntiVirService
atieclxx.exe                  1716 N/A
taskhost.exe                  1896 N/A
dwm.exe                       1948 N/A
explorer.exe                  2004 N/A
avgnt.exe                     2052 N/A
SearchIndexer.exe             2548 WSearch
wmpnetwk.exe                  2660 WMPNetworkSvc
svchost.exe                   2912 FDResPub, SSDPSRV, upnphost, wcncsvc
svchost.exe                   3032 p2pimsvc, p2psvc, PNRPsvc
svchost.exe                   2260 SDRSVC
taskhost.exe                  1784 N/A
audiodg.exe                   2628 N/A
notepad.exe                   3296 N/A
cmd.exe                       2248 N/A
conhost.exe                   2976 N/A
tasklist.exe                  3448 N/A
WmiPrvSE.exe                  3248 N/A
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 8/27/2009 3:15:11 AM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Home01
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000:
Process 504 (\Device\HarddiskVolume7\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2009-08-27T10:15:11.445216400Z" />
<EventRecordID>1057</EventRecordID>
<Correlation />
<Execution ProcessID="944" ThreadID="3528" />
<Channel>Application</Channel>
<Computer>Home01</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-783115880-3742272611-1246857717-1000:
Process 504 (\Device\HarddiskVolume7\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-783115880-3742272611-1246857717-1000
</Data>
</EventData>
</Event>
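An added example, not code from anyone in the thread: it parses a saved tasklist /svc capture (including service lists wrapped onto indented lines) and matches the PID named in the Event ID 1530 detail against it, checking that the image name agrees so a capture from another session is not trusted. The sample rows are constructed from the values posted above; the function and variable names are hypothetical.

```python
import ntpath
import re

# Constructed sample: rows from the tasklist /svc output posted above, laid out
# as the command prints them (wrapped service lists are indented).
TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
winlogon.exe                   504 N/A
svchost.exe                    944 AeLookupSvc, AppMgmt, Browser, gpsvc,
                                   iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                   Schedule, SENS, ShellHWDetection, Themes,
                                   Winmgmt, wuauserv
"""
# Detail line of the Event ID 1530 warning posted above.
SID = "S-1-5-21-783115880-3742272611-1246857717-1000"
EVENT_DETAIL = (r"Process 504 (\Device\HarddiskVolume7\Windows\System32"
                r"\winlogon.exe) has opened key \REGISTRY\USER" "\\" + SID)

ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")   # image name, PID, services
LEAK = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S+)")

def parse_tasklist(text):
    """Return {pid: (image, [services])}, joining wrapped service lines."""
    procs, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                                   # new process row
            last, rest = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        elif last is not None and line[:1].isspace():
            rest = line                         # wrapped service list
        else:
            continue                            # header, separator, blank
        if rest.strip() != "N/A":
            procs[last][1].extend(s.strip() for s in rest.split(",") if s.strip())
    return procs

def correlate(detail, procs):
    """Match each leaking process named in the event to the snapshot."""
    out = []
    for pid, path, key in LEAK.findall(detail):
        image, services = procs.get(int(pid), (None, []))
        name = ntpath.basename(path)
        # same_process is False when the snapshot shows another image (or
        # nothing) at that PID, e.g. a snapshot taken in a different session.
        out.append({"pid": int(pid), "event_image": name,
                    "same_process": (image or "").lower() == name.lower(),
                    "services": services, "sid": key.rsplit("\\", 1)[-1]})
    return out
```

PIDs are reassigned at every boot, so the capture only identifies the process if it comes from the same session that logged the event.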
Are you using a roaming profile?
I mean, is your profile being stored on a network computer?
Hi Delphin, no. This PC is only connected to another PC running XP SP3 via a Linksys WRT54GL router, and the other PC, also W7 Pro x64, is not even connected at all to the router; it's just by itself!
Could it be that during installation I didn't provide any password? (Hey, I'm the only one running all the PCs, lol.)
Right now every time the PC starts, it goes straight to the desktop, no need to select pix/user or enter a password, exactly like my XP SP3... the way I like!
P.S. Under my user name - AppData - I do see three folders: 1) Local, 2) LocalLow and 3) Roaming. Not this one, right?
Hi Ben,
A silly question but I noticed something.
What is the username you log in with?
You haven't named yourself SYSTEM, by any chance, have you?
<- never mind that last question, silly joke.
Greetz
Hi squonksc, I never needed to enter a user name, there isn't a login screen to begin with. Windows 7 would just go straight to the desktop in record time, lol!
No, I never named myself System!
On a more serious note:
Can you do this:
Go to Explorer.
Right-click on that disk7 (partition) that is mentioned in the logs.
Go to the Security tab.
See if there is a user in the list by the name:
S-1-5-21-783115880-3742272611-1246857717-1000
If there is, click Edit and delete that user from the list.
These S numbers are leftovers from previous installs.
They are unrecognized users.
You also see those in dual boot situations, in which case you should not delete them.
Please post back the result.
Greetz
Hi squonksc, I don't know how to tell which is Volume 7. I attached two pics of my HDDs.
The OS partition was fully formatted/wiped before installation (fresh installation).
During installation, I entered "C2Q" as name and computer name C2Q-01.
Oops, don't tell me Windows 7 is so smart that it knows that partition "H" is an active partition which also has XP SP3... but I don't do dual boot; if I want to use XP SP3 in H, I simply go into the BIOS and change the HDD boot sequence!
Oh man, I just found out there is this unknown user??? See pic.