Solved

Help trouble-shooting Event 1530

Posted on 2014-04-03
4
1,651 Views
Last Modified: 2014-04-06
At shutdown I've been getting a registry leak.:

5 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:
Process 980 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001
Process 980 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001
Process 980 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 980 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Microsoft\SystemCertificates\My
Process 980 (\Device\HarddiskVolume3\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Microsoft\SystemCertificates\CA

1. Volume3 harddisk is the micro disk (SD) built-in reader. Why is that device holding the registry open when there is no micro-disk in it at shutdown? Is there a way to shut the volume down prior to shut down?

2. Note please: In other user profile warnings for Volume 3, various processes are listed: process 988, process 568, process 560 and, as show above, process 980. Again all involved HardiskVolume3 -- the micro disk reader I use to look at camera disks.

Thanks.
0
Comment
Question by:normanml
  • 2
4 Comments
 
LVL 6

Expert Comment

by:Ryan Smith
ID: 39975685
Run all the firmware updates for your computer.  Not windows updates but firmware.
0
 
LVL 69

Accepted Solution

by:
Merete earned 500 total points
ID: 39977165
It could be because it is internal is not optimised for quick removal
try this sourced from xp and Vista but should be the same"Optimize for quick removal "
This setting disables write caching on the device and in Windows, so the media can be removed without using the Safely Remove Hardware feature in the taskbar.
The card reader might experience a minor drop in device performance.
Source
In Device Manager, click the + sign next to Disk drives to display a list of the drive devices on your computer.
Memory card readers are seen as drive devices in Windows.
In the list of drive devices, right-click the device  to display a drop-down menu (for example, Generic USB CF Reader for CompactFlash media).
Click Properties in this menu.
Click the Policies tab in the Device Properties window.
Select Optimize for quick removal , and then click the OK button.

Using and Troubleshooting Memory Card Readers (Windows Vista and XP)
http://h10025.www1.hp.com/ewfrf/wc/document?cc=au&lc=en&docname=bph07910
0
 

Author Closing Comment

by:normanml
ID: 39981584
By accident deleted volume that had memory card reader software on it. Installed latest version of software (2.1), fixed a registry key pointing to the wrong place, and the leaks seemed to have stopped. Thanks. BTW none of the flash drives in DM had a policies tab, only the HDs internal and external.
0
 
LVL 69

Expert Comment

by:Merete
ID: 39981932
Deleting the  card reader software explains what was going on since it is an internal device.
Good to see it fixed normanml , thank you!
Regards Merete
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Recently Microsoft released a brand new function called CONCAT. It's supposed to replace its predecessor CONCATENATE. But how does it work? And what's new? In this article, we take a closer look at all of this - we even included an exercise file for…
OfficeMate Freezes on login or does not load after login credentials are input.
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now