Win7 Event Error 1530 leaked registry handles

[Jimbo]

This issue has been bugging me for a while since I investigated and eliminated all other Event errors. This error is inconsistent but seems related to Windows shutdown not startup? KAV is the only program producing this error. I think when Windows shuts down, either there's a timing issue or by design, KAV will only shut itself down and if Windows gets there first, KAV is shut down with this error. I'm sure it's a function of KAV apps architecture and perhaps for security reasons, it can only shut itself down gracefully? if that's the case, give first shutdown priority to KAV then pause other Windows apps shutdown until KAV shuts down, then allow Windows to continue? This might increase shutdown wait time, but I'd prefer that to getting Event 1530 errors logged.

Some say just ignore this Event warning but I prefer tidy applications that open and can be shut down without this error which I can't mask out.

Any ideas please, or does this have to be an application fix? - Thanks

4 user registry handles leaked from \Registry\User\S-1-5-21-4160568435-1654644878-2367564287-1000_Classes: Process 4016 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky 21.9\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-4160568435-1654644878-2367564287-1000_CLASSES Process 4016 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky 21.9\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-4160568435-1654644878-2367564287-1000_CLASSES\Wow6432Node Process 4016 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky 21.9\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-4160568435-1654644878-2367564287-1000_CLASSES\Wow6432Node\CLSID Process 4016 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky 21.9\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-4160568435-1654644878-2367564287-1000_CLASSES\CLSID

Edited April 6, 2023 by Jimbo

[Flood and Flood's wife]

9 hours ago, Jimbo said:

1. KAV is the only program producing this error.
2. I think when Windows shuts down, either there's a timing issue or by design.
3. Any ideas please or does this have to be an application fix?

Hello @Jimbo
Welcome back!

1. Which Kaspersky software is installed, *full name*, version & patch(x) -> refer: How to find the Kaspersky application name, version number & patch?
2. IF it is KAV, KAV is from Kaspersky's old software range - ended at 21.3.10.391(j); no further development work is taking place for this range - only Database updates will continue until the range is discontinued; noting Kaspersky has not announced an end date for 21.3*. 
3. IF the installed software is 21.3*, update to Kaspersky's new range & retest the issue -> refer: Kaspersky: Basic, Standard, Plus, Premium - info & FAQ, by Danila T.  & OR: Kaspersky Free antivirus - info & download. 

Thank you?
Flood?+?

[Jimbo]

Thanks, I eventually found the version having always thought that icon was for audio and people with poor eyesight!

App version is 21.9.6.465 with database up to date in folder 21.9

avpui. exe is v 21.9.6.465 13/03/2023

That sounds up to date to me?

[Flood and Flood's wife]

29 minutes ago, Jimbo said:

Thanks, I eventually found the version having always thought that icon was for audio and people with poor eyesight!

App version is 21.9.6.465 with database up to date in folder 21.9

avpui. exe is v 21.9.6.465 13/03/2023

That sounds up to date to me?

Hello @Jimbo, 

You're most welcome!

Thank you for the information!

Yes, 21.9.6.465 is from Kaspersky's new range & that means it's not KAV.  

1. Which software  *full name* is installed: Kaspersky Basic, Kaspersky Standard, Kaspersky Plus, Kaspersky Premium or Kaspersky Free -> the *full name* is shown on the About screen, it's also shown on the main window of the application GUI -> top left-hand-corner (image 1) OR by selecting the Headset? icon of the application GUI & opening the Customer service window (image 2)?

  

IF it's a paid subscription, please log a request with Kaspersky support, so a dedicated resource can be allocated to look at it. On the support page: https://support.kaspersky.com/b2c#contacts, select either Chat or Email, then fill in Application malfunction, Other template; please include any screen images of the error & a detailed history. Support may request logs, traces & other data; they will guide you. 

• Please share the outcome with the Community, when it's available?

Thank you?
Flood?+?

*hide any private information, for example License key, email address - before posting images*

Edited April 7, 2023 by Flood and Flood's wife
pn

[Jimbo]

First my apology, I use 'KAV' (Kaspersky Anti-virus) as a generic term for all Kaspersky versions. Sorry for any confusion.

I'm using Kaspersky free version. But I would expect free to be free of Event bugs like my open registry keys problem? I've seen this discussed by other users elsewhere with no solution other than ignore it because I think it's a behaviour of the executeable interacting or not interacting with Windows app shutdown. As I said, if it was easy to shut it down using Windows procedures it could be used by bad actors and understand if Kaspersky has to control shutdown within itself. Hence my suggestion it's done first leaving it closed before windows shuts down other apps? The other possibility is it's calling a home server at shutdown and windows kills the process first leaving registry keys open?

[Flood and Flood's wife]

Hello @Jimbo, 

Thank you for posting back & the information!

We've checked 5 different computers, the issue is not replicable - altho not all of them running W7; also, as far as we're aware, other users with the issue have been advised to contact Kaspersky Customer service - which is the option available to paid subscribers. 

We're checking the shutdown sequence & will update when information is  available. 

Thank you?
Flood?+?

Edited April 7, 2023 by Flood and Flood's wife

[Berny]

@Jimbo

8 minutes ago, Flood and Flood's wife said:

other users with the issue have been advised to contact Kaspersky Customer service

Please see → Warning - Event ID 1530 - Registry handle leaks

[Jimbo]

Quote

We're checking the shutdown sequence & will update when information is  available.

Thanks that will be helpful. As well as reading to ignore this error, I think I saw it can still persist in Win8 to Win10, but Microsoft deprecated open registry key errors to 'Information Level'. If that's the case, it's sounds like a way of hiding an app. problem not solving it and developers wouldn't know when testing on the later OS?

I just caught the post from Berny.  I don't think I'm alone and it may need some digging through event error logs.  The problem is it isn't consistent. Some shutdowns and restarts are ok, others show the open registry keys error from the last session after a reboot - which is why I think it's a Kaspersky app. shutdown problem not startup because I don't see the error when the Event window is kept open during a session.

I know Win7_64 is no longer supported by MS. Mine has all the last updates applied and is bug free apart from this problem. Many don't look at Event errors and I was guilty in the past of not looking and pursuing them. Now years on, the OS doesn't throw up Event errors except for Kaspersky and I use other 3rd party security products to fill in gaps fixed by zillions of MS updates or OS version re-issues.

Edited April 7, 2023 by Jimbo

[Jimbo]

Added information:

When Kaspersky is exited from the task bar you might assume it was completely shut down (which I would expect) but it still has a background running process: AVP21.9 Pid 5744.  which cannot be stopped manually?

A second process klvssbridge64_21.9 (Kaspersky Volume shadow copy service bridge 21.9) is shown as STOPPED.  I can't yet confirm what happens during shutdown when these services are running normally or if the registry leak still occurs if exited first. If the latter then I'll post the answer and a conclusion can be reached about how this running background processes is terminated by Windows.