UPHClean and other profile ramblings

A blog to discuss UPHClean and profile problems

Windows Vista, Windows Server 2008 and UPHClean


UPHClean fails to install on Windows Vista and Windows Server 2008.  This happens because the User Profile service included with those operating systems has the functionality of UPHClean v1.6 built in.  There is no point in having UPHClean perform its monitoring work when the profile service already does all the work necessary to prevent user hive unload failures from occurring.

Whereas UPHClean logs event 1401 to indicate that it took action to resolve a problem that would have prevented a user profile hive from unloading, the User Profile service logs event 1530.  It looks like this:

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 2/28/2008 2:56:52 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: RCARON-PC
Description:
Windows detected your registry file is still in use by other applications or
services. The file will be unloaded now. The applications or services that
hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from
\Registry\User\S-1-5-21-2641105361-2081720548-7543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641105361-2081720548-7543625-1000

This event is letting you know that, when the profile was being unloaded, svchost.exe with process ID (PID) 896 still had a registry key handle open to the profile hive for the user with SID S-1-5-21-2641105361-2081720548-7543625-1000.

The event is there so you know that the system took action.  That way, if the application fails in some way, you can investigate whether this action might be involved in the failure.  Generally my advice for this (as for UPHClean event 1401) is to ignore it.

I am working on UPHClean v2.0.  This version will address many more user profile problem scenarios.  This version will likely install on Windows Vista and Windows Server 2008.  It is in beta but currently the beta bits do not yet install on those operating systems.

Robin.
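As an added example (not part of the original post and not UPHClean code), the Python function below parses the DETAIL block of an event 1530 in the format shown above and groups the leaked handles by process. The function name, the layout of the returned dict and the sample SID, PIDs and keys are assumptions made for this example; the input is assumed to be the DETAIL text only.

```python
import re
from collections import Counter

HEADER = re.compile(
    r"(\d+) user registry handles leaked from "
    r"\\Registry\\User\\(S-[\d-]+)(_Classes)?:", re.I)
HANDLE = re.compile(
    r"Process (\d+) \((.+?)\) has opened key "
    r"(\\REGISTRY\\USER\\.+?)(?= Process \d+ \(|$)", re.I)

def parse_hive_leak(detail):
    """Summarise the DETAIL block of one event 1530 as a dict."""
    text = " ".join(detail.split())  # undo line wrapping from copy/paste
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no 'handles leaked from' header found")
    holders = {}
    for pid, image, key in HANDLE.findall(text):
        entry = holders.setdefault(int(pid), {"image": image, "keys": Counter()})
        entry["keys"][key] += 1  # the same key can be listed several times
    parsed = sum(sum(h["keys"].values()) for h in holders.values())
    return {
        "sid": head.group(2),
        "classes_hive": head.group(3) is not None,  # <SID>_Classes hive
        "declared": int(head.group(1)),
        "complete": parsed == int(head.group(1)),  # False if the text was cut off
        "holders": holders,
    }

# Constructed sample in the format of the event above; SID, PIDs and keys are made up.
SAMPLE_DETAIL = r"""
DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333333-1001:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001
Process 1700 (\Device\HarddiskVolume1\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\SystemCertificates\My
Process 1700 (\Device\HarddiskVolume1\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\SystemCertificates\My
"""

if __name__ == "__main__":
    report = parse_hive_leak(SAMPLE_DETAIL)
    print("hive of", report["sid"], "- all handles parsed:", report["complete"])
    for pid, info in sorted(report["holders"].items()):
        print(f"  PID {pid} {info['image']}: {sum(info['keys'].values())} handle(s)")
        for key, count in info["keys"].items():
            print(f"    {count} x {key}")
```

The PID in the event is only meaningful for the session in which it was logged, so it has to be matched against a process list captured before the logoff or shutdown.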

Comments
  • Hi, I have a user profile unloading problem on my Vista, just like the one you are describing. I find the 1530 event in my Event Viewer but I cannot see how I have to resolve this.

    Can I work with you as a testcase or can you give me some hints on how I can find out which application prevents the profile from unloading ?

    Thx.

  • Event 1530 tells you what application caused the problem.  In the event listed above svchost in process 896 is the one causing a problem.

    If you are unsure how to interpret the event post it here and I'll help.

    Thank you,

    Robin.

  • I get every shutdown two messages of the type 1530.

    These are the messages in the eventvwr: (it's in Dutch, I hope you have enough with the technical stuff - otherwise I'll translate it).

    -----------------------------------------------

    Uw registerbestand is nog steeds in gebruik door andere toepassingen of services. Het bestand wordt nu verwijderd. De toepassingen en services die het registerbestand nu gebruiken, werken achteraf mogelijk niet meer goed.  

    DETAIL -

    1 user registry handles leaked from \Registry\User\S-1-5-21-1564836495-3584289984-1312657921-1000_Classes:

    Process 972 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1564836495-3584289984-1312657921-1000_CLASSES

    AND

    Uw registerbestand is nog steeds in gebruik door andere toepassingen of services. Het bestand wordt nu verwijderd. De toepassingen en services die het registerbestand nu gebruiken, werken achteraf mogelijk niet meer goed.  

    DETAIL -

    1 user registry handles leaked from \Registry\User\S-1-5-21-1564836495-3584289984-1312657921-1000:

    Process 972 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1564836495-3584289984-1312657921-1000

    -----------------------------------------------

    Some more information: When I look in the process viewer to see which svcprocesses are running: I find three processes with a PID around 972 :

    - svchost.exe -k DcomLaunch under SYSTEM.

    - svchost.exe -k rpcss under username NETWORK SERVICE.

    - svchost.exe -k secsvcs under username SYSTEM.

    Since I don't know the PIDs at the moment of logoff, I am not sure which svchost is causing the problem.

    I hope you have enough information to help me out and enough information to incorporate in your new vista-ready uphclean-version.

    P.

  • Aha, I managed to find out which of the svchost processes is causing the problem.

    (How?  -> tasklist /v and tasklist /svc, save output in a file and perform a shutdown...).

    It is WinDefend !!

    Now I only have to find out why he does this...

  • "Windows Vista and Windows Server 2008 include the functionality of UPHClean."

    (http://support.microsoft.com/kb/837115/en-us)

  • HELP ME GET RID OF THIS ERROR ON win7

    Имя журнала:   Application

    Источник:      Microsoft-Windows-User Profiles Service

    Дата:          04.08.2011 13:22:53

    Код события:   1530

    Категория задачи:Отсутствует

    Уровень:       Предупреждение

    Ключевые слова:

    Пользователь:  система

    Компьютер:     DNS

    Описание:

    Система Windows обнаружила, что файл реестра используется другими приложениями или службами. Файл будет сейчас выгружен. Приложения или службы, которые используют файл реестра, могут впоследствии работать неправильно.  

    ПОДРОБНО -

    15 user registry handles leaked from \Registry\User\S-1-5-21-3708398860-879459951-1888100198-1000:

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\trust

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\My

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\CA

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\TrustedPeople

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\Disallowed

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\Root

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\SmartCardRoot

    Xml события:

    <Event xmlns="schemas.microsoft.com/.../event">

     <System>

       <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />

       <EventID>1530</EventID>

       <Version>0</Version>

       <Level>3</Level>

       <Task>0</Task>

       <Opcode>0</Opcode>

       <Keywords>0x8000000000000000</Keywords>

       <TimeCreated SystemTime="2011-08-04T09:22:53.013703500Z" />

       <EventRecordID>833</EventRecordID>

       <Correlation />

       <Execution ProcessID="852" ThreadID="2136" />

       <Channel>Application</Channel>

       <Computer>DNS</Computer>

       <Security UserID="S-1-5-18" />

     </System>

     <EventData Name="EVENT_HIVE_LEAK">

       <Data Name="Detail">15 user registry handles leaked from \Registry\User\S-1-5-21-3708398860-879459951-1888100198-1000:

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\trust

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\My

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\CA

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\TrustedPeople

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\Disallowed

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\Root

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\SmartCardRoot

    </Data>

     </EventData>

    </Event>

    Имя журнала:   Application

    Источник:      Microsoft-Windows-User Profiles Service

    Дата:          04.08.2011 13:29:43

    Код события:   1530

    Категория задачи:Отсутствует

    Уровень:       Предупреждение

    Ключевые слова:

    Пользователь:  система

    Компьютер:     DNS

    Описание:

    Система Windows обнаружила, что файл реестра используется другими приложениями или службами. Файл будет сейчас выгружен. Приложения или службы, которые используют файл реестра, могут впоследствии работать неправильно.  

    ПОДРОБНО -

    1 user registry handles leaked from \Registry\User\S-1-5-21-3708398860-879459951-1888100198-1000:

    Process 360 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Xml события:

    <Event xmlns="schemas.microsoft.com/.../event">

     <System>

       <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />

       <EventID>1530</EventID>

       <Version>0</Version>

       <Level>3</Level>

       <Task>0</Task>

       <Opcode>0</Opcode>

       <Keywords>0x8000000000000000</Keywords>

       <TimeCreated SystemTime="2011-08-04T09:29:43.836277700Z" />

       <EventRecordID>872</EventRecordID>

       <Correlation ActivityID="{02EB4908-F800-0001-633F-59278852CC01}" />

       <Execution ProcessID="956" ThreadID="2928" />

       <Channel>Application</Channel>

       <Computer>DNS</Computer>

       <Security UserID="S-1-5-18" />

     </System>

     <EventData Name="EVENT_HIVE_LEAK">

       <Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-3708398860-879459951-1888100198-1000:

    Process 360 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    </Data>

     </EventData>

    </Event>
