Terminal Service Plus

The best Citrix / RDS Alternative for Remote Desktop and Web Access
https://forum.tsplus.net/

Event Log: Registry Left Open Correction

https://forum.tsplus.net/viewtopic.php?f=8&t=3980

Page 1 of 1

Event Log: Registry Left Open Correction

Posted: Wed Mar 08, 2017 3:48 pm
by spmnemrc
We are using TSPlus 9.80.1.24 on Win Server 2012 r2. Upon Logins we see this event.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2574512835-602412554-1081805905-500:
Process 1804 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2574512835-602412554-1081805905-500\Printers\DevModePerUser

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 3/6/2017 5:05:34 PM
Event ID: 1530
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: NCS01
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2574512835-602412554-1081805905-500:
Process 1804 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2574512835-602412554-1081805905-500\Printers\DevModePerUser

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-03-06T22:05:34.773069900Z" />
<EventRecordID>74751</EventRecordID>
<Correlation ActivityID="{B7B68A96-960F-0000-6FEC-B6B70F96D201}" />
<Execution ProcessID="936" ThreadID="13700" />
<Channel>Application</Channel>
<Computer>NCS01</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-2574512835-602412554-1081805905-500:
Process 1804 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2574512835-602412554-1081805905-500\Printers\DevModePerUser
</Data>
</EventData>
</Event>

Re: Event Log: Registry Left Open Correction

Posted: Thu Mar 09, 2017 10:46 am
by admin
Hello,

This looks like a corrupted user profile or device driver issue, unrelated to TSplus though.

Re: Event Log: Registry Left Open Correction

Posted: Thu Jul 18, 2019 7:38 am
by khiu001
Hi,

We are having same error with TS 12.40.7.12 on Server 2012r2 with Universal Printer.
Its a standalone Server with local user. No Users profiles setup.

1 user registry handles leaked from \Registry\User\S-1-5-21-1690228915-3420803660-859863675-1004:
Process 2032 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1690228915-3420803660-859863675-1004\Printers\DevModePerUser

This happens few time daily on separate Users.

Kindly assist.

Thanks.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited