Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Event Viewer Warning - is this important ?

23 Mar 2011   #1

Windows 7 Pro 64bit SP1
Event Viewer Warning - is this important ?

While checking for a chkdsk /f report in Event Viewr...I noticed this Warning:

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/23/2011 1:34:39 PM
Event ID: 1530
Task Category: None
Level: Warning
Computer: Home_Desktop
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

5 user registry handles leaked from \Registry\User\S-1-5-21-4108063887-3821183792-568571711-1001:
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\System Certificates\Disallowed
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\System Certificates\My
Process 968 (\Device\Disclaimer\Windows\System\lass's.exec) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\System Certificates\CA

Event XML:
<Event xmlns="Error">
<Provider Name="Microsoft-Windows-User Profiles Service" Guido="{BEEF-RAFF-44A6-9B44-0A07A7CE5845}" />
<TimeCreated SystemTime="2011-03-23T20:34:39.741015800Z" />
<Correlation />
<Execution ProcessID="1304" ThreadID="4488" />
<Security UserID="S-1-5-18" />
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-4108063887-3821183792-568571711-1001:
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\SystemCertificates\My
Process 968 (\Device\HarddiskVolume1\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4108063887-3821183792-568571711-1001\Software\Microsoft\SystemCertificates\CA

Is this an issue I shout address and how ?


My System SpecsSystem Spec
23 Mar 2011   #2

Microsoft Community Contributor Award Recipient

Windows 7 x64

Seems something goofy was going on with the authentication server.
If it only occurred the one time I wouldn't be horribly concerned over it.

A scan for malware may be in order just to be on the safe side though.
My System SpecsSystem Spec
23 Mar 2011   #3

Windows 10 Pro x64

+1. If you reboot, those handles will get released - especially if it's lsass.exe, Maguscreed's assessment is likely spot on.
My System SpecsSystem Spec

24 Mar 2011   #4
Greg S

Windows 7 Professional 32-bit (6.1, Build 7600)

I've always gotten this in event viewer when I log off and back on. No malware here.
My System SpecsSystem Spec

 Event Viewer Warning - is this important ?

Thread Tools

Similar help and support threads
Thread Forum
After BSOD Event Viewer Logs Event ID 3012 and 3011 every time I boot
I was running 3DMark06 and got a BSOD code 124. After that every time I boot Event Viewer logs Error Codes ID 3012 and 3011. Attached are screenshots of both. I googled this and found two different threads where someone suggested to rebuild the performance counters. Both responses were...
BSOD Help and Support
Standby Performance - Driver warning/errors in Event Viewer
The biggest issue here is PEBCAK, I'm very PC illiterate & have a wide yellow streak down my back. I've been searching all over the net & my PC, have read many posts similar to mine but so many concern BSOD which I don't have. I'm guessing(just from some of the posts & my checking my PC from...
Event Viewer Warning - Source e1yexpress - Event ID 27
A week ago I started getting this warning errors logged three to six times or more per day in Event Viewer. Event Viewer Warning - Source is e1yexpress - Event ID is 27 Intel(R) 82567V-2 Gigabit Network Connection Link has been disconnected. Every time Event Viewer logs the e1yexpress...
General Discussion
After Updating Drivers Event Viewer Warning
After updating my drivers today I am now getting the following Warning in Event Viewer: 'An error was detected on device \Device\Harddisk0\DR0 during a paging operation.' I formatted my hd and did a clean install on Sunday and the warning wasn't there then or soon after. It didn't start to appear...
Hardware & Devices
Event viewer warning
what is the meaning of this message? what happens during this period is that my laptop becomes unresponsive for 20 sec and high HDD do I resolve this problem?
Performance & Maintenance
Boot Up Event Viewer Warning Problem
I have a Dell Studio XPS 9100 computer with Windows 7 Prof (64 bit) installed. The computer appears to run okay but I notice that there is an event viewer warning each time I bootup the computer. The event viewer warning is as listed below. Any help in understanding and/or resolving the warning...
Performance & Maintenance

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 12:14.
Twitter Facebook Google+ Seven Forums iOS App Seven Forums Android App