Applies ToWindows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 10 Windows 8.1 Windows 8 Windows 7 Windows Vista

Symptoms

In Windows, the following event may be logged in the Application log:

Provider [Name] Microsoft-Windows-User Profiles Service [Guid] {GUID} [EventSourceName] profsvc

EventID 1530 message similar to 3 user registry handles leaked from \Registry\User\S-1-5-21-1049297961-3057247634-349289542-1004_Classes: Process 2428 (\Device\HarddiskVolume1\myprocess.exe) has opened key \REGISTRY\USER\S-1-5-21-1123456789-3057247634-349289542-1004 If a service or background service uses a user specific hive because it runs under a specific user identity and the relevant user account logs out.

Cause

This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows does this when Windows tries to close a user profile. Note Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated.  

Status

This behavior is by design.

Facebook LinkedIn Email
SUBSCRIBE RSS FEEDS

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Microsoft 365 subscription benefits

Microsoft 365 training

Microsoft security

Accessibility center