Message:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 5/12/2012 4:13:40 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: NONEOFYOURBIZ2
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
9 user registry handles leaked from \Registry\User\S-1-5-21-664570727-300873648-2978798648-1000:
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\My
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\CA
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-05-12T20:13:40.907441900Z" />
<EventRecordID>30031</EventRecordID>
<Correlation />
<Execution ProcessID="416" ThreadID="4684" />
<Channel>Application</Channel>
<Computer>NONEOFYOURBIZ2</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">9 user registry handles leaked from \Registry\User\S-1-5-21-664570727-300873648-2978798648-1000:
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\My
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\CA
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
</Data>
</EventData>
</Event>