Symptoms

In Windows, the following event may be logged in the Application log:

Provider
[Name] Microsoft-Windows-User Profiles Service
[Guid] {GUID}
[EventSourceName] profsvc

EventID 1530
Message similar to:
3 user registry handles leaked from \Registry\User\S-1-5-21-1049297961-3057247634-349289542-1004_Classes:
Process 2428 (\Device\HarddiskVolume1\myprocess.exe) has opened key \REGISTRY\USER\S-1-5-21-1123456789-3057247634-349289542-1004
This event can be logged if a service or background service uses a user-specific hive because it runs under a specific user identity and the relevant user account logs out.

Cause

This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows does this when Windows tries to close a user profile.

Note: Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated.
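
One way to find which applications to investigate is to read the 1530 events and tally the processes they name. This is an added example, not part of the original article: the function name Get-LeakedHandleEntry and the sample message are constructed, and the parser assumes each handle line has the "Process <PID> (<path>) has opened key <key>" shape shown under Symptoms.

```powershell
# Hypothetical helper: extract one object per leaked handle from a 1530 message.
function Get-LeakedHandleEntry {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    process {
        # Lazy match on the image path so paths containing parentheses,
        # such as "Program Files (x86)", are captured whole. The key runs to
        # the end of the line because registry key names may contain spaces.
        $pattern = 'Process (?<ProcId>\d+) \((?<Image>.+?)\) has opened key (?<Key>[^\r\n]+)'
        foreach ($m in [regex]::Matches($Message, $pattern)) {
            [pscustomobject]@{
                ProcessId = [int]$m.Groups['ProcId'].Value
                Image     = $m.Groups['Image'].Value
                Key       = $m.Groups['Key'].Value
            }
        }
    }
}

# Constructed sample message (not a real event) to show the parsed fields.
$sample = @'
2 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333333-1004:
Process 2428 (\Device\HarddiskVolume1\Program Files (x86)\Example\myprocess.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1004
Process 2428 (\Device\HarddiskVolume1\Program Files (x86)\Example\myprocess.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1004\Software\Example App
'@
$sample | Get-LeakedHandleEntry | Format-List

# On a live system: read the Application log and rank images by leaked handles.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1530
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object Message |
    ForEach-Object { $_.Message | Get-LeakedHandleEntry } |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The image paths are reported in \Device\HarddiskVolumeN form, so grouping is done on that string as logged.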


Status

This behavior is by design.
