Jump to content
JohnH2O

Registry Warning, Event ID 1530_User Profile Service

Recommended Posts

At shutdown an error is logged in the Event Viewer. The message is like this:

 

The Windows operating system detected that your registry file is still in use by other applications or services.

The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

INFO -

1 user registry handles leaked from \Registry\User\S-1-5-21-90131422-3553516416-3319797328-1001:

Process 1588 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-90131422-3553516416-3319797328-1001

 

Microsoft KB Article

Cause

This behavior occurs because the Windows operating system automatically closes any registry handle to a user profile that is left open by an application.

User action

 

Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open, and it should be investigated.

My environement: Win7 Pro x64 SP1, PURE 2.0 12.0.1.288 [a.b].

 

Is this a known issue?

 

Share this post


Link to post
Guest Tube-Rider-Dude
At shutdown an error is logged in the Event Viewer. The message is like this:

 

The Windows operating system detected that your registry file is still in use by other applications or services.

The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

INFO -

1 user registry handles leaked from \Registry\User\S-1-5-21-90131422-3553516416-3319797328-1001:

Process 1588 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-90131422-3553516416-3319797328-1001

 

Microsoft KB Article

Cause

This behavior occurs because the Windows operating system automatically closes any registry handle to a user profile that is left open by an application.

User action

 

Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open, and it should be investigated.

My environement: Win7 Pro x64 SP1, PURE 2.0 12.0.1.288 [a.b].

 

Is this a known issue?

 

 

Hi ya John,

 

I've noticed today that I have a very similar event error but the 'Event ID' differs! Please note that I use the Microsoft Program called 'UPHClean' which unloads locked handles, this is the handle it has unlocked 'klwtblfs.exe'

 

According to Lucian Bara and mentioned in another post, 'klwtblfs.exe' belongs to kaspersky, it's the link checker helper! I was experiencing very slow web browsing last night and some pages were taking over 5 minutes to load, is this why?

 

See below:

 

Event Type: Information

Event Source: UPHClean

Event Category: None

Event ID: 1401

Date: 20/04/2012

Time: 05:54:08

User: SLINKY\Christopher

Computer: SLINKY

Description:

The following handles in user profile hive SLINKY\Christopher (S-1-5-21-1957994488-1078081533-839522115-1008) have been remapped because they were preventing the profile from unloading successfully:

 

klwtblfs.exe (3048)

HKCU (0x60)

HKCU\Software\Classes (0x70)

HKCU\Software\Classes (0xe4)

HKCU\Software\Classes (0x104)

HKCU\Software\Classes (0x158)

HKCU\Software\Classes (0x174)

HKCU\Software\Classes (0x188)

HKCU\Software\Classes (0x1a0)

 

Anyone else experiencing slow web browsing please check your event viewer for Event ID: 1401

 

Tyler

 

Share this post


Link to post
Guest Tube-Rider-Dude
How do you open the data base files (PWS) ?

 

Hello 3771,

 

It looks like you posted your request in the wrong thread as opposed to creating a 'New Post'. Not to worry.., are you trying to import your database files back into the password manager or are you simply trying to read them?

 

If you can clarify which, I will try and guide you through it.

 

Tyler

Share this post


Link to post
At shutdown an error is logged in the Event Viewer. The message is like this:

 

The Windows operating system detected that your registry file is still in use by other applications or services.

The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

INFO -

1 user registry handles leaked from \Registry\User\S-1-5-21-90131422-3553516416-3319797328-1001:

Process 1588 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-90131422-3553516416-3319797328-1001

 

Microsoft KB Article

Cause

This behavior occurs because the Windows operating system automatically closes any registry handle to a user profile that is left open by an application.

User action

 

Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open, and it should be investigated.

My environement: Win7 Pro x64 SP1, PURE 2.0 12.0.1.288 [a.b].

 

Is this a known issue?

 

 

How many 1530 events do you have in event viewer and please specify if this occurs for other applications as well.

Can you see any pattern in event viewer according to this? Any other regular event before or after the "1530"?

 

 

Share this post


Link to post
How many 1530 events do you have in event viewer and please specify if this occurs for other applications as well.

Can you see any pattern in event viewer according to this? Any other regular event before or after the "1530"?

Thanks for your response. First: I have opened a support ticket, yesterday they asked for a GSI report (I sent it immediately).

 

I have not observed any special pattern, I only shut down the computer.

 

I checked the event viewer for details. 11.04.2012 I restored the system from the the recovery CDs delivered by Compaq-HP due to a BitLocker error. I was afraid a not completely uninstalled driver, was the reason for the error with “*** NOT MOUNTABLE UNTIL A VOLUME MOUNT POINT IS CREATED. ***” and preventing CHKDSK /R to run.

 

I have run Windows Update, I am back with Win7 SP1. I have a lot of registry leak entries caused by avp.exe (at least one per day), but yes, I have other applications too (I did not know). It started with winlogon.exe and explorer.exe 11.04. 12.04 I had 26 user registry handles leaked cause by explorer. During 11.04-15.04 I had 4 occasions with 16 handles leaked due to avp.exe. 15.04-24.04: 6 events caused by GSSearchIndexer.exe.

 

The BitLocker/Mountvol problem reoccurred after reinstalling PURE 2.0, but I avoid error logging through the command mountvol /r (the list message then changes to *** NO MOUNT POINT ***).

 

Do you have any idea?

 

PS I have the CHKDSK problem also on my XP computer. Unfortunately I know why; I have reported what I have found to the KL support. But that is another case...

 

 

Share this post


Link to post
At shutdown an error is logged in the Event Viewer. The message is like this:

 

The Windows operating system detected that your registry file is still in use by other applications or services.

The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

INFO -

1 user registry handles leaked from \Registry\User\S-1-5-21-90131422-3553516416-3319797328-1001:

Process 1588 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky PURE 2.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-90131422-3553516416-3319797328-1001

 

Is this a known issue?

I have noticed that other users have the same problem according to their GSI log:

 

docrobin http://forum.kaspersky.com/index.php?showtopic=238508&view=findpost&p=1870505

saadali http://forum.kaspersky.com/index.php?showtopic=239318&view=findpost&p=1875648

jtrousd http://forum.kaspersky.com/index.php?showtopic=231076

 

The error still occurs after patch c. I am waiting for an answer from Tech Support.

 

In the meantime: Does anybody have an idea of how to resolve this?

 

 

Share this post


Link to post

I am also getting these Event ID 1530 warning messages in my Event Log when I shut down a Win 8 Pro 64-bit system with Kaspersky IS 2013. Sometimes it lists as many as 60 open registry handles involving Kaspersky files.

 

Has this issue ever been resolved?

Is it necessary to uninstall KIS, clean registry, reinstall KIS? If so, what is the recommended tool for cleaning the registry?

 

Share this post


Link to post
I am also getting these Event ID 1530 warning messages in my Event Log when I shut down a Win 8 Pro 64-bit system with Kaspersky IS 2013. Sometimes it lists as many as 60 open registry handles involving Kaspersky files.

 

Has this issue ever been resolved?

Is it necessary to uninstall KIS, clean registry, reinstall KIS? If so, what is the recommended tool for cleaning the registry?

 

 

Same problem here....and in these days I have many problems with avp.exe.....that loads heavily the cpu :dash1:

Share this post


Link to post

Quote: "Same problem here"

 

Information underload.

 

Can we guess your basic information? Or: We can search your other posts and use google translate? And have this issue in two different language sections of the forum?

 

If you would like to have someone who knows En help you, instructions for you are below:

 

Please create gsi sysinfo text and post link to GSI Report which will provide a wee tiny smidgen of information about your Kaspersky product and operating system

and which also may identify issue area, instructions see the fifth (5th) Important topic.

 

Please see the small print that is located at the bottom of this message.

 

However, we do not encourage posting same issue in two different language sections of the forum, so you can simply please continue this issue in your other topic thread. :)

Share this post


Link to post

This pre-Windows 8 info sheds some light on our common problem with User Profile Service Event ID 1530:

 

Error 1530, User Profile Service in Event Viewer

 

After shutting down my Win 8 Pro 64-bit system, the Event Viewer for ID 1530 contains the message:

 

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

 

almost always followed by multiple references to registry keys opened by KIS 2013, just as others have described above. Sometimes there are also references to other processes with open keys.

 

So far the net result has been harmless, but it would be greatly appreciated if Kaspersky could eliminate the root cause in their software.

Do you still need a GIS report?

Edited by markf2748

Share this post


Link to post

Form the "for what its worth" department, I've seen the warning at shutdown for as long as I can remember, going back several iterations of KIS and Windows. It appears to be one of those log issues that can be found in the windows logs. I'm sure this is an issue noticed by a small group of users because most folks don't look at the logs, and many have no idea where to look. I know this isn't a definitive answer for you, but there may not be a definative answer - it's likely just a quirk in how the system handles shut down.

 

If you track down a definative answer, perhaps you can post it on this Forum and let us know.

 

BC

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Share this post


Link to post

Thanks for your insight. I submitted a support request today to Kaspersky Lab Support (Americas) including reference to this thread.

 

Of the multitude of applications I run and many many background processes, there are only a small handful which ever appear in Warning Event ID 1530. The leader among them is KIS in terms of frequency and number of open registry handles. This tells me that KIS is doing something "wrong" or at least different than the vast majority of Windows applications (including other security programs) with regard to self-cleanup at shutdown. So maybe it's about time Kaspersky determined if a fix is possible without compromising KIS protection capabilities. These warnings about leaked registry handles are disconcerting and frankly shabby for an otherwise very polished program.

Edited by markf2748

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.