Solved

svchost.exe error while shutting down the pc

Posted on 2014-01-27
17
785 Views
Last Modified: 2014-02-03
Hi i have  windows 8 64 bit , while shutting down the pc i am getting svchost.exe  error
please advice
0
Comment
Question by:sanjeevkmrs
  • 6
  • 5
  • 3
  • +2
17 Comments
 
LVL 6

Expert Comment

by:xeroxzerox
ID: 39811762
check this error in event viewer for why it's happen
press windows key + W then type event viewer

check error and reply us..
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39811880
Yes, do the logs show anything?  How about booting in safe mode and then shutting down.  Does that cause the error?

- gurutc
0
 

Author Comment

by:sanjeevkmrs
ID: 39811900
there are lot of events how can i check this one ?
please advice
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39811940
I'd note the time when I get the error, then I'd look in the Application and System logs at that time to see if there's any errors showing at that time.

- gurutc
0
 

Author Comment

by:sanjeevkmrs
ID: 39811974
please see the below


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          27/01/2014 17:33:05
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      Home-PC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 DETAIL -
 32 user registry handles leaked from \Registry\User\S-1-5-21-2956737109-2472759578-1202411323-1002:
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1156 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1156 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\CA
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\CA
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\trust
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\trust
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\MY
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Disallowed
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Disallowed
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\TrustedPeople
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Root
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Root
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\Windows\CurrentVersion\Uninstall

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2014-01-27T13:33:05.251028900Z" />
    <EventRecordID>7951</EventRecordID>
    <Correlation />
    <Execution ProcessID="1156" ThreadID="4572" />
    <Channel>Application</Channel>
    <Computer>Home-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">32 user registry handles leaked from \Registry\User\S-1-5-21-2956737109-2472759578-1202411323-1002:
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1156 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002
Process 1156 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\CA
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\CA
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\trust
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\trust
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\MY
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Policies\Microsoft\SystemCertificates
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Disallowed
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Disallowed
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\TrustedPeople
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Root
Process 448 (\Device\HarddiskVolume4\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\SystemCertificates\Root
Process 1264 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2956737109-2472759578-1202411323-1002\Software\Microsoft\Windows\CurrentVersion\Uninstall
</Data>
  </EventData>
</Event>
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39812024
Is this a Domain-based PC?  Are there Group Policies being applied on shutdown?  

- gurutc
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39812031
This can also be caused by a redirected printer or the Windows Defender service.  Do you have any networked printers configured on this box?  Also, if it's running, turn off and disable the Windows Defender service and see if that fixes things.

- gurutc
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39812969
My approach would be similar to gurutc's: open msconfig and disable all non-Microsoft services. Then open task manager and disable all startup items and reboot to see if any of those softwares caused it. Also try a different user profile (new user).
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:sanjeevkmrs
ID: 39814160
Hi this is a standalone laptop not in domain
0
 

Author Comment

by:sanjeevkmrs
ID: 39814770
tried all above mentioned points but still getting same SVC HOST error
please advice
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39814801
Also have you turned off Windows Update?

- gurutc
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39814808
Did you reboot twice? Because on first reboot, the changes that msconfig required (and those of task manager neither) are NOT yet applied.
0
 
LVL 3

Expert Comment

by:SandyWalve
ID: 39814838
Can you get the error screenshot which you get while you shutdown your PC? You may need to use camera of your phone or something else to click it.
0
 

Author Comment

by:sanjeevkmrs
ID: 39814865
still while restarting it shows svhost.exe pop up error
please advice
0
 
LVL 3

Expert Comment

by:SandyWalve
ID: 39814929
I need the screenshot to see if any error code is given in that like 0x0000xxx0 sort of
0
 

Author Closing Comment

by:sanjeevkmrs
ID: 39830231
thanks
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39830274
Was it solved? If yes, how?
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
OfficeMate Freezes on login or does not load after login credentials are input.
This Micro Tutorial will teach you how to reformat your flash drive. Sometimes your flash drive may have issues carrying files so this will completely restore it to manufacturing settings. Make sure to backup all files before reformatting. This w…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now