
Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

[WIN8] User Profiles Service leaked registry handles?

After installing User Profile Hive Cleanup Service on XP years ago, I went from many Warnings in Event Viewer to NONE EVER AGAIN. I am really surprised that the problem still exists in Windows 8 and I don't think the clean up service can be installed on Win 8. So, what do I do? EVERY TIME I boot/reboot Event Viewer warns that my registry file has leaked anywhere from 1 to 43 handles! This worries me as eventually I think if this leakage continues I may end up with a corrupt profile.

But maybe it is nothing to worry about? All of the leaked handles (except the uninstall one) have to do with lsass.exe.
Below is the latest Warning.

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 1/12/2013 10:52:04 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Smokey

Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
15 user registry handles leaked from \Registry\User\S-1-5-21-1732874515-3152072288-3741145872-1002:
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\SystemCertificates\trust
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Policies\Microsoft\SystemCertificates
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Policies\Microsoft\SystemCertificates
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Policies\Microsoft\SystemCertificates
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Policies\Microsoft\SystemCertificates
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\SystemCertificates\Disallowed
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\SystemCertificates\TrustedPeople
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\SystemCertificates\CA
Process 1252 (\Device\HarddiskVolume7\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 864 (\Device\HarddiskVolume7\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1732874515-3152072288-3741145872-1002\Software\Microsoft\SystemCertificates\Root
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


JALevinworth

@embarqhsd.net
Nothing to add here but to say UPHClean was the bomb. Put it on every new XP install. No more stuck profiles that fight to the bitter end before releasing. UPHClean just did its thing silently, but you knew it did its job via reports in the event viewer. I'd like to know the answer you seek as well. The "built in functionality" for Win7/8 to resolve this needs some tweaking or something.

-Jim


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to Mele20
It's been a few weeks since I had my Windows 8 test system up and running, but I kind of recall seeing a similar set of warnings.

What stuck out in my mind is that I was seeing them right away on a clean install. It's one thing for them to show up after an install of an application or some major change to the OS. However, on a future boot after such a case, they normally go away (at least they did for me in Windows 7). Yet, I recall that in Windows 8, there was always one that would be left behind on every reboot, even though I had made no changes to anything (just the install of the OS). I don't recall what it was exactly, but I thought it had to do with some kind of uninstall event. Which would be odd, as I had not installed anything at that point, let alone uninstalled something!

If I get a chance this week, I'll re-do my Windows 8 test system and see what I can figure out with this on my end.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to Mele20
[Attached images 1 and 2]
Well, I did reinstall Windows 8 on a spare 80 GB EIDE hard drive today. It's the same hard drive that I've done all my testing with Windows 8 on.

I'm at what I believe is a "stable" install of the OS. All my look/feel changes have been made, drivers have all been installed, Windows has been registered, and all Windows Updates (minus one that errors out) have been installed.

The above two pictures show the two warning events that I get on every reboot.

The only application that I did uninstall was the updater for my NVIDIA GT220 Video Card. When I updated the driver, it adds a program to help with keeping the driver current. Once the install of the driver was done, I went into Control Panel, Programs, Uninstall a Program and removed it.

I wonder if that could be what is causing one of the warnings to show up? I may have to re-test and not do that uninstall and see...

As for the 1st warning, I'm not sure on that. It seems generic to me, and does not offer a lot of information.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


sekim
Premium,MVM
join:1999-08-17
Saint Petersburg, FL
kudos:1
I did the win8x64 40 dollar pro upgrade from win7 December 14th.. and have had your second Event log item ever since. I've reinstalled the win8 every way I could think of to try to eliminate it.. with no luck.

This is on a Lenovo g570 budget laptop i3 sandy bridge 2nd gen cpu with the combined/integrated intel 3000 graphics.

event id 1530
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-976289058-815564480-4253628741-1001:
Process 384 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-976289058-815564480-4253628741-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall

(also has another persistent event - Kernel-PnP event id 219, The driver \Driver\WUDFRd failed to load for the device ROOT\LENOVOVHID\0000. but it is truly loaded)


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Mele20
According to this »social.technet.microsoft.com/For···d3d5c635

Every Windows OS since Vista is doing what UPHClean used to do in Windows XP. So in other words, nothing new here, except Windows drops the event in the log when it does its mojo.
--
My place : »www.schettino.us

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
Windows is being forced to cleanup after an application has left a registry handle open instead of closing it. That is BAD and that is why the entry is labeled a WARNING rather than "informational". Eventually, the user profile will corrupt and that will cause a real mess. I get these EVERY TIME I boot/reboot. Event Viewer is littered with them just as XP event viewer was until the UPHC tool was brought out so I don't see how these were considered so bad in XP that Microsoft finally had to bring out the UPHC tool to fix the problem but they are hunky-dory in Vista, Win 7 and Win 8. Seems to me maybe Microsoft needs to introduce UPHC for these OSes also.

Even Microsoft states that:

"Note Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated."
»support.microsoft.com/kb/947238

But from the threads I have read investigating the application is not easy. Someone tried to investigate lsass.exe as the application leaving registry handles open:
"On this computer I have regular Event 1530 reports referring to lsass.exe. Investigating using Process Monitor I find references to the Registry key HKLM\SAM\SAM\DOMAINS\etc where the task is "Desired Access Read and the Result is Name not found.

The computer is a Workstation and HKLM\SAM\SAM has no Domain entries. How do you backtrack to find what causes whatever it is to look for Domain entries on a Workstation?"
»answers.microsoft.com/en-us/wind···5?auth=1

Once UPHC was installed on XP Pro, all 1530 warning events disappeared from Event Viewer. SUPPOSEDLY, starting with Vista, Microsoft improved things so that UPHC was not needed. Uhuh, yeah...so why then do I get all these warnings and no way to fix the problem since this is Win 8 rather than XP? Why does Microsoft label this a WARNING rather than a chatty informational entry? Why am I warned about eventual profile corruption (among other things) if these events are "nothing"? They were NOT nothing on XP until we got UPHC. If they are nothing on Vista, Win 7 and Win 8 then Microsoft has been extremely remiss in not fixing the Event 1530 so it is no longer a warning.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson
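
As an added example (not part of the thread and not Microsoft's code), the PowerShell function below tallies the detail lines of Event ID 1530 descriptions by process image and registry subkey, which is one way to start the investigation the KB note quoted above asks for. The function name `Get-LeakedHandleSummary` and the sample message, including its SID and PIDs, are constructed for illustration.

```powershell
# Added example; Get-LeakedHandleSummary is a hypothetical helper name.
function Get-LeakedHandleSummary {
    param([Parameter(Mandatory)][string[]]$Message)
    # Each leaked handle is one detail line of the event description:
    #   Process <pid> (<image path>) has opened key <registry key>
    $pattern = 'Process \d+ \((?<image>[^)]+)\) has opened key (?<key>\S.*?)\s*$'
    $rows = foreach ($text in $Message) {
        foreach ($line in ($text -split "`r?`n")) {
            if ($line -match $pattern) {
                # Drop the per-user hive prefix so identical subkeys group together
                $sub = $Matches.key -replace '^\\REGISTRY\\USER\\S-[\d-]+\\?', ''
                [pscustomobject]@{
                    Image  = ($Matches.image -split '\\')[-1]
                    SubKey = if ($sub) { $sub } else { '(hive root)' }
                }
            }
        }
    }
    # One output row per (image, subkey) pair, most frequent first
    $rows | Group-Object Image, SubKey | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count  = $_.Count
                Image  = $_.Group[0].Image
                SubKey = $_.Group[0].SubKey
            }
        }
}

# Constructed sample description (the SID and PIDs are made up)
$sample = @'
DETAIL -
4 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333333-1001:
Process 700 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001
Process 700 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Policies\Microsoft\SystemCertificates
Process 700 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Policies\Microsoft\SystemCertificates
Process 900 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
'@

Get-LeakedHandleSummary -Message $sample | Format-Table -AutoSize

# On a live system, pass the real event descriptions instead:
# Get-LeakedHandleSummary -Message (Get-WinEvent -FilterHashtable @{
#     LogName = 'Application'; Id = 1530 }).Message
```

A subkey that tops the list across many boots (for example the `SystemCertificates` or `Uninstall` keys seen in this thread) shows which component to look at first; the PID itself is only valid for the boot session in which the event was logged.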

Oedipus

join:2005-05-09
kudos:1
reply to Mele20
I wish I had the spare time to worry about stuff like this.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Mele20
You really don't read what I post, do you.

Nothing changed since XP - apps can and do exit with open registry handles. In XP, you needed to install a 3rd party app to clean those up. Since Vista, Windows does this for you. The 3rd party app didn't log a warning when it did it. Vista and newer Windows does.

This isn't a big deal. Everything is working as it should.
--
My place : »www.schettino.us


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
For what it's worth, I understand what you are saying. Microsoft now has its own process in place to perform the functions that UPHClean did under Windows XP.

That is all fine and good, as the end user does not have to go figure out how to get that 3rd party app, and install it. Windows now does it.

But, I guess what still bugs me, and I think Mele20 as well, is that the processes that are not closing down properly are Microsoft's own processes. In her case, she has many references to lsass.exe, and in my case, as well as sekim's, the process is svchost.exe. You would think out of all the applications, the OS would be coded to not cause this problem!

I think that is why we're getting frustrated with this. If the app was some third party to begin with (like a Virus Scanner for example), while it would probably still be a frustration to see the warnings, we could put the blame on said application. But, that's not the case, as the processes that are showing up in these warnings are part of the OS, which was written by Microsoft.

What gets me is that in my case, it appears that something is trying to uninstall every time. Sure, I can see that showing up once or twice, but on every boot? What is Windows trying to remove every time I reboot? Not to mention, in my case specifically, this is an issue with Windows 8. On the exact same hardware (sans the hard drive), when I'm running Windows 7, I get a "clean" log on every boot; meaning, if I clear the logs and then reboot, once the system is up, I will have zero critical events, zero error events, and zero warnings. Just a lot of informational and security events. So I know that there were no issues with the shutdown or startup of my system. Life is good.

I get that the new functionality of Windows Vista, 7 and 8 is doing its job, and that's all fine and great. However, it just seems like bad coding on Microsoft's part. If they cannot do this right, how can they expect other software developers to do it right either?

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to Mele20
svchost.exe hosts services, including ones not written by Microsoft. lsass.exe isn't a container, but can use third party DLL authentication agents which might be the leakers.

In either case it's just a handle; exiting uncleanly will cause a process to not get a chance to close its open resources. Not an error, unless the OS doesn't clean up. Which it does.
--
My place : »www.schettino.us