Two errors in Event Viewer

[ratePV]

Hello SF!

I have two errors constantly being registered every time reboot(or turn on) my computer that i cant resolve:

The first one is a Event 3006 LoadPerf:

Unable to read the performance counter strings defined for the 01a language ID. The first DWORD in the Data section contains the Win32 error code.

And a second one a Event 1530 User Profile Settings:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

 

[usasma]

We'll need the information from the Data section of the error in order to get the Win32 error code on the first error.

As for the second error - it's gonna require uninstalling applications until you find out which one is causing it. Or, you can use the free program Process Monitor to see what's doing the registry accesses - but the log file is huge. It's available for free from here: Process Monitor

 

[ratePV]

We'll need the information from the Data section of the error in order to get the Win32 error code on the first error.

As for the second error - it's gonna require uninstalling applications until you find out which one is causing it. Or, you can use the free program Process Monitor to see what's doing the registry accesses - but the log file is huge. It's available for free from here: Process Monitor

I've added a text file with the detail abt. the first error.

View attachment 72123

No need to uninstall, ill just monitor the process number the next time i reboot (the process causing the problem is lsass.exe)

 

[whs]

Do you use Spybot? That puts all kinds stuff into the lsass.exe. I never figured out why or what. I just got rid of Spybot.

 

[ratePV]

Do you use Spybot? That puts all kinds stuff into the lsass.exe. I never figured out why or what. I just got rid of Spybot.

Nope. Only NOD32 SS

 

[whs]

Maybe the Sasser worm has struck you. Open the file "\windows\system32\drivers\etc\hosts" in Notepad. Type or paste:

Notepad \windows\system32\drivers\etc\hosts

into a Run box, and press OK. Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Nod32, then the worm has struck.

 

[ratePV]

Maybe the Sasser worm has struck you. Open the file "\windows\system32\drivers\etc\hosts" in Notepad. Type or paste:

Notepad \windows\system32\drivers\etc\hosts

into a Run box, and press OK. Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Nod32, then the worm has struck.

This is the 5th system reporting these 2 errors(since 22nd october) so its very unlikely it could strike 5 times a row.

These are the last few lines of hosts file

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

 

[whs]

You are OK - no worm. It was just an additional precaution.

 

[usasma]

I'm unable to locate any info on a Win32 error code of 02000000 (?hex) - but I'm not real concerned over that first error.

The second error concerns me a lot more - why would lsass.exe be leaving registry keys open? AFAIK, lsass.exe is a security component of Windows - so I'd have to wonder what's messing with it.

 

[ratePV]

I'm unable to locate any info on a Win32 error code of 02000000 (?hex) - but I'm not real concerned over that first error.

The second error concerns me a lot more - why would lsass.exe be leaving registry keys open? AFAIK, lsass.exe is a security component of Windows - so I'd have to wonder what's messing with it.

Ill examine the error and find the reg. keys that are being opened.
I tried to recreate this error 2 times but without success.
I will upload the log when i recreate it.

 

[ratePV]

Now i had 4 errors: 3 times the Event 3006 LoadPerf, and the second one, but this time it was winlogon.exe:shock:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-...:
Process 640 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-...

 

[usasma]

Just before shutting down, manually kill anything that's open and kill anything that's running in the System Tray (the Notification Area by the clock).

Then shut down and see if it generates the error again.

 

[ratePV]

Just before shutting down, manually kill anything that's open and kill anything that's running in the System Tray (the Notification Area by the clock).

Then shut down and see if it generates the error again.

The problem is that i do this every time i shutdown(no open windows/apps).
And i dont have many app in my Notification Area(only these which are not closable from there):
View attachment 72752

 

[usasma]

The next step is to start killing things in Task Manager...Processes tab (do it in groups of 5).

 

[ratePV]

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL - 
 1 user registry handles leaked from \Registry\User\S-xxx:
Process 3232 (\Device\HarddiskVolume1\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-xxx\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

Now its msiexec.exe...:huh: