Registry leaks

Posted on 2016-08-12
Last Modified: 2016-08-16
After installing the latest round of Win updates (WIN7/64), I'm getting registry leaks. The same leak but different processes.

Here's the latest:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  

 1 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:
Process 760 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001

At every shutdown or restart, I get a message that Win Explorer has not closed. Then after startup, I get the 1530 single registry leak in my admin events. The message is the same save the processes. Above is 760. Today with many restarts and a shutdown, I've gotten process 1920, 752, 748 and others.

I know these are warnings. I know in a general sense what's causing them - some process with winlogon.exe.

I've had registry leaks before but they usually resolve themselves. Not this time. Seems like every time MS sends out its updates, something gets screwed up. I spend more time resolving those conflicts than I do working some days.

What's your best guess - and fix - on this one?
Thank you.
Question by:normanml
LVL 25

Expert Comment

ID: 41756477
You mean besides moving to Linux or Mac? ;)

I did find the following on Microsoft's own site about Windows "Exploder", aka Explorer:

This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows Vista does this when Windows Vista tries to close a user profile.
Note Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated.
(emphasis mine)
At the end it says it is "by design."

So it sounds like Windows Explorer is doing what it frequently does--exploding.  Since Windows sees a handle to the registry--probably registry file, but I'm not sure-- that isn't closed, it closes it and logs the warning.

I don't think I'd worry about the warning.  As to Explorer, I don't know how you can fix it.
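Added example, not part of the original thread: one way to act on the "should be investigated" note is to parse the Event ID 1530 text copied from Event Viewer and group the leaked handles by image path rather than by PID. The first sample entry is the one quoted in the question; the other entries, including `ExampleApp\agent.exe`, are constructed for illustration.

```python
import re
from collections import defaultdict

# One line per leaked handle in the Event ID 1530 detail. The image path can
# contain parentheses ("Program Files (x86)") and the key can contain spaces,
# so anchor on the fixed phrase ") has opened key" and on end of line.
LEAK_RE = re.compile(r"Process (\d+) \((.+?)\) has opened key (.+?)\s*$", re.M)
KEY_RE = re.compile(r"\\REGISTRY\\USER\\(S-1-[\d-]+)(.*)", re.I)

# The first event is the one quoted in the question; the second is constructed.
SAMPLE = r"""
1 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:
Process 760 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001
2 user registry handles leaked from \Registry\User\S-1-5-21-2987587682-1074968332-1067063631-1001:
Process 612 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001
Process 4321 (\Device\HarddiskVolume3\Program Files (x86)\ExampleApp\agent.exe) has opened key \REGISTRY\USER\S-1-5-21-2987587682-1074968332-1067063631-1001\Software\Example App
"""

def parse_leaks(text):
    """Return one record per leaked handle found in the event text."""
    records = []
    for pid, image, key in LEAK_RE.findall(text):
        m = KEY_RE.fullmatch(key)
        records.append({
            "pid": int(pid),
            "image": image,
            "sid": m.group(1) if m else None,
            # Empty remainder means the handle is on the root of the user hive.
            "subkey": (m.group(2) if m else key) or "(hive root)",
        })
    return records

def summarize(records):
    """Group by image path: PIDs are reassigned every boot, the path is stable."""
    out = defaultdict(lambda: {"pids": set(), "handles": 0, "subkeys": set()})
    for r in records:
        entry = out[r["image"].lower()]
        entry["pids"].add(r["pid"])
        entry["handles"] += 1
        entry["subkeys"].add(r["subkey"])
    return {img: {"pids": sorted(e["pids"]), "handles": e["handles"],
                  "subkeys": sorted(e["subkeys"])} for img, e in out.items()}

if __name__ == "__main__":
    for image, info in sorted(summarize(parse_leaks(SAMPLE)).items()):
        print(f'{info["handles"]} handle(s)  PIDs {info["pids"]}  {image}')
        for sub in info["subkeys"]:
            print(f"    {sub}")
```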
LVL 25

Accepted Solution

SStory earned 500 total points
ID: 41756492
More info: On Microsoft's Technet I found this:


This event can be caused by apps that do not release their Registry keys before shutting down. This most often occurs when an app runs in the background and does not release its Registry keys when a user signs off, in which case Windows forces the Registry to unload. There is no impact to users, though in rare cases recent configuration changes in the app might not be saved.

No user action is required - this is an acceptable condition.

In Windows 8.1 we changed this to an Information message to help reduce confusion and alarm. This event was a Warning event in prior versions of Windows.
(emphasis mine)

So it appears to not be a big deal. I probably wouldn't worry about it.

Author Comment

ID: 41758194
Talked to a tech I use for serious problems - crashes etc - and he suggested the cause is likely a new shared external hard disk on my intranet. He said much of the code for sharing is kind of a work-around on the original Win7, rather than a rebuild of XP, which had a special utility for registry leak problems. This was supposedly "built into" Win 7, which many techs take to mean cobbled on. Anyway, I have tried everything save creating another profile. I use a one-user admin setup and everything about it seemed fine. So since the computer seems to be running okay, I'll ignore it . . . until the Win decides to go kaflooey again.

Author Closing Comment

ID: 41758197

Question has a verified solution.
