Windows Vista, Windows Server 2008 and UPHClean


UPHClean fails to install on Windows Vista and Windows Server 2008.  This happens because the User Profile service included with those operating systems has the functionality of UPHClean v1.6 built in.  There is no point in having UPHClean perform its monitoring work when the profile service does all the work necessary to prevent user hive unload failures from occurring.


Whereas UPHClean logs event 1401 to indicate that it took action to resolve a problem that would have prevented a user profile hive from unloading, the User Profile service logs event 1530.  It looks like this:


Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 2/28/2008 2:56:52 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: RCARON-PC
Description:
Windows detected your registry file is still in use by other applications or
services. The file will be unloaded now. The applications or services that
hold your registry file may not function properly afterwards.

DETAIL –
1 user registry handles leaked from
\Registry\User\S-1-5-21-2641105361-2081720548-7543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641105361-2081720548-7543625-1000


This event tells you that, when the profile was being unloaded, svchost.exe with process ID (PID) 896 held a registry key handle to the profile hive for the user with SID S-1-5-21-2641105361-2081720548-7543625-1000.


The event is there so you know that the system took action.  That way, if the application fails in some way, you can investigate whether this action might be involved in the failure.  Generally my advice for this (as for UPHClean event 1401) is to ignore it.
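
As an added illustration (not code from the original post or from UPHClean), the following Python parses the Detail text of an event 1530 like the one above into SID, PID, image and key. It goes one step beyond the post by resolving the PID against a `tasklist /svc /fo csv` snapshot saved before logoff, since a single svchost.exe hosts several services. The snapshot contents, the service names and the function names are assumptions made for the example.

```python
import csv
import io
import re

# Detail text of the event 1530 shown in the post (its line wrapping kept).
DETAIL = r"""1 user registry handles leaked from
\Registry\User\S-1-5-21-2641105361-2081720548-7543625-1000:
Process 896 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has
opened key \REGISTRY\USER\S-1-5-21-2641105361-2081720548-7543625-1000
"""
# Constructed snapshot in `tasklist /svc /fo csv` layout; service names are made up.
SNAPSHOT = '''"Image Name","PID","Services"
"svchost.exe","812","ExampleSvcA"
"svchost.exe","896","ExampleSvcB,ExampleSvcC"
"explorer.exe","2104","N/A"
'''
HEADER = re.compile(r"(\d+) user registry handles leaked from (\S+):")
ENTRY = re.compile(r"Process (\d+) \((.+?)\) has opened key (.+?)(?= Process \d+ \(|$)")
SID = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_detail(detail):
    """Return (declared_count, hive, sid, {pid: {"image": path, "keys": [...]}})."""
    text = " ".join(detail.split())  # undo line wrapping in the copied event text
    head = HEADER.search(text)
    if head is None:
        raise ValueError("not an event 1530 Detail string")
    procs = {}
    for pid, image, key in ENTRY.findall(text):
        procs.setdefault(int(pid), {"image": image, "keys": []})["keys"].append(key)
    sid = SID.search(head.group(2))
    return int(head.group(1)), head.group(2), sid.group(0) if sid else None, procs


def load_services(snapshot_csv):
    """Map PID -> service names; columns are read by position (image, PID, services)."""
    rows = list(csv.reader(io.StringIO(snapshot_csv)))[1:]  # skip header row
    return {int(r[1]): [] if r[2] == "N/A" else r[2].split(",") for r in rows if r}


def triage(detail, snapshot_csv):
    """Summarise which process, and which services in it, held the hive open."""
    declared, hive, sid, procs = parse_detail(detail)
    services = load_services(snapshot_csv)
    report = [{"pid": pid, "image": info["image"].rsplit("\\", 1)[-1],
               "handles": len(info["keys"]), "services": services.get(pid, [])}
              for pid, info in sorted(procs.items())]
    complete = sum(p["handles"] for p in report) == declared  # False if text was truncated
    return {"sid": sid, "hive": hive, "complete": complete, "processes": report}
```

In the result of `triage(DETAIL, SNAPSHOT)`, `complete` is False when fewer process entries were parsed than the header line declares, which flags a truncated or partially copied event.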


I am working on UPHClean v2.0.  This version will address many more user profile problem scenarios.  This version will likely install on Windows Vista and Windows Server 2008.  It is in beta but currently the beta bits do not yet install on those operating systems.


Robin.

Comments (6)

  1. Anonymous says:

    I get two messages of type 1530 at every shutdown.

    These are the messages in the eventvwr (it’s in Dutch, I hope you have enough with the technical stuff, otherwise I’ll translate it):

    ———————————————–

    Uw registerbestand is nog steeds in gebruik door andere toepassingen of services. Het bestand wordt nu verwijderd. De toepassingen en services die het registerbestand nu gebruiken, werken achteraf mogelijk niet meer goed.  

    DETAIL –

    1 user registry handles leaked from \Registry\User\S-1-5-21-1564836495-3584289984-1312657921-1000_Classes:

    Process 972 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1564836495-3584289984-1312657921-1000_CLASSES

    AND

    Uw registerbestand is nog steeds in gebruik door andere toepassingen of services. Het bestand wordt nu verwijderd. De toepassingen en services die het registerbestand nu gebruiken, werken achteraf mogelijk niet meer goed.  

    DETAIL –

    1 user registry handles leaked from \Registry\User\S-1-5-21-1564836495-3584289984-1312657921-1000:

    Process 972 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1564836495-3584289984-1312657921-1000

    ———————————————–

    Some more information: When I look in the process viewer to see which svchost processes are running, I find three processes with a PID around 972:

    – svchost.exe -k DcomLaunch under SYSTEM.

    – svchost.exe -k rpcss under username NETWORK SERVICE.

    – svchost.exe -k secsvcs under username SYSTEM.

    Since I don’t know the PIDs at the moment of logoff, I am not sure which svchost is causing the problem.

    I hope you have enough information to help me out and enough information to incorporate in your new vista-ready uphclean-version.

    P.

  2. Anonymous says:

    Aha, I managed to find out which of the svchost processes is causing the problem.

    (How?  -> tasklist /v and tasklist /svc, save output in a file and perform a shutdown…).

    It is WinDefend !!

    Now I only have to find out why he does this…

  3. Anonymous says:

    "Windows Vista and Windows Server 2008 include the functionality of UPHClean."

    (http://support.microsoft.com/kb/837115/en-us)

  4. Anonymous says:

    Event 1530 tells you what application caused the problem.  In the event listed above svchost in process 896 is the one causing a problem.

    If you are unsure how to interpret the event post it here and I’ll help.

    Thank you,

    Robin.

  5. Anonymous says:

    Hi, I have a user profile unloading problem on my Vista, just like the one you are describing. I find the 1530 event in my event viewer but I cannot see how I have to resolve this.

    Can I work with you as a test case or can you give me some hints on how I can find out which application prevents the profile from unloading?

    Thx.

  6. shadow says:

    HELP ME GET RID OF THIS ERROR ON win7

    Имя журнала:   Application

    Источник:      Microsoft-Windows-User Profiles Service

    Дата:          04.08.2011 13:22:53

    Код события:   1530

    Категория задачи:Отсутствует

    Уровень:       Предупреждение

    Ключевые слова:

    Пользователь:  система

    Компьютер:     DNS

    Описание:

    Система Windows обнаружила, что файл реестра используется другими приложениями или службами. Файл будет сейчас выгружен. Приложения или службы, которые используют файл реестра, могут впоследствии работать неправильно.  

    ПОДРОБНО –

    15 user registry handles leaked from \Registry\User\S-1-5-21-3708398860-879459951-1888100198-1000:

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\trust

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\My

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\CA

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\TrustedPeople

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\Disallowed

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Policies\Microsoft\SystemCertificates

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\Root

    Process 1700 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000\Software\Microsoft\SystemCertificates\SmartCardRoot


    Имя журнала:   Application

    Источник:      Microsoft-Windows-User Profiles Service

    Дата:          04.08.2011 13:29:43

    Код события:   1530

    Категория задачи:Отсутствует

    Уровень:       Предупреждение

    Ключевые слова:

    Пользователь:  система

    Компьютер:     DNS

    Описание:

    Система Windows обнаружила, что файл реестра используется другими приложениями или службами. Файл будет сейчас выгружен. Приложения или службы, которые используют файл реестра, могут впоследствии работать неправильно.  

    ПОДРОБНО –

    1 user registry handles leaked from \Registry\User\S-1-5-21-3708398860-879459951-1888100198-1000:

    Process 360 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3708398860-879459951-1888100198-1000
