4
I have a Windows 7 laptop which is connected to the domain. The laptop is located in our regional office in Africa (we are in the UK). However, a few domain users in Africa are complaining that they are unable to log in with their credentials.
So I decided to access the laptop remotely to see if I can log on. I logged in as a domain administrator rather than my own credentials as loading my profiles from the UK to the server in Nairobi will take forever.
I managed to log in fine with domain administrator so I didn't see what the issue was.
I then looked in the event logs and found Warning: User Profile Service Error: 1530.
It was something to do with the user profiles and the registry in Windows. I've had User Profile errors before but never come across this one.
The details are below:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 22/04/2015 16:27:17
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: IH-*PC_NAME*.*DOMAIN_NAME*.ORG.UK
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
16 user registry handles leaked from \Registry\User\S-1-5-21-779955827-3448407892-3122252932-1588:
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\Disallowed
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\TrustedPeople
Process 9600 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\My
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\CA
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\trust
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\Root
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-04-22T13:27:17.139891900Z" />
<EventRecordID>18588</EventRecordID>
<Correlation />
<Execution ProcessID="1160" ThreadID="9224" />
<Channel>Application</Channel>
<Computer>LAPTOP1.*DOMAIN*.ORG.UK</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">16 user registry handles leaked from \Registry\User\S-1-5-21-779955827-3448407892-3122252932-1588:
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\Disallowed
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\TrustedPeople
Process 9600 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\My
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Policies\Microsoft\SystemCertificates
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\CA
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\trust
Process 1160 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-779955827-3448407892-3122252932-1588\Software\Microsoft\SystemCertificates\Root
</Data>
</EventData>
</Event>
What I would like to know is how do I solve this issue? The users are still not able to log in. Also, how do I prevent this in the future.
zain.ali
Posted 2015-06-15T09:59:10.183
Reputation: 665