Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

Muhammad Umer 1 Reputation point
2021-03-09T04:58:41.687+00:00

DETAIL -
87 user registry handles leaked from \Registry\User\S-1-5-21-3772205575-3961427462-2862485661-500:
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 7088 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\AppContract\Windows.Search
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Office\15.0\Groove\SPFS\Descriptor
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Office\15.0\Groove\SPFS\Descriptor
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\AppDataLow\Software\Microsoft\RepService
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\Shell
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume{35c1bd81-d456-4f93-bb56-05e7fc3ff372}
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume{35c1bd81-d456-4f93-bb56-05e7fc3ff372}
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows NT\CurrentVersion
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count
Process 1364 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Printers\DevModePerUser
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\AppDataLow

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-03-08T12:13:56.939161900Z" />
<EventRecordID>36162</EventRecordID>
<Correlation ActivityID="{08D2A96B-0E8E-0008-D969-EA088E0ED701}" />
<Execution ProcessID="660" ThreadID="7992" />
<Channel>Application</Channel>
<Computer></Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">87 user registry handles leaked from \Registry\User\S-1-5-21-3772205575-3961427462-2862485661-500:

Windows Server 2012

2 answers

  1. Candy Luo 12,661 Reputation points Microsoft Vendor
    2021-03-10T07:54:39.22+00:00

    Hi,

    For more details about the event ID of 1530, you can refer to the following article:

    Event ID: 1530 may be logged in the Application log in Windows

    Cause:

    This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows does this when Windows tries to close a user profile.
    Note: Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated.

    Best Regards,

    Candy

    --------------------------------------------------------------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
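An added example (not part of the thread or of the linked Microsoft article): a PowerShell function that turns the Event ID 1530 `Detail` text into per-process handle counts, so the applications named in the event can be ranked for investigation. It also compares the number of parsed lines with the count in the header line, which catches an event text that was cut off the way the posted Event Xml is. The function name `Get-HiveLeakSummary` and the abridged sample are constructed for illustration.

```powershell
# Constructed sample: header count changed to 8, lines abridged from the question.
# The last line is cut short on purpose, like the tail of the posted Event Xml.
$SampleDetail = @'
8 user registry handles leaked from \Registry\User\S-1-5-21-3772205575-3961427462-2862485661-500:
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 7088 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-286248566
'@

function Get-HiveLeakSummary {
    # Hypothetical helper name; parses one Event 1530 "Detail" string.
    param([Parameter(Mandatory)][string]$Detail)

    $lines = @($Detail -split '\r?\n' | Where-Object { $_.Trim() })

    # Header: "<n> user registry handles leaked from \Registry\User\<SID>:"
    if ($lines[0] -notmatch '^\s*(?<Count>\d+) user registry handles leaked from \\Registry\\User\\(?<Sid>S-[\d-]+):') {
        throw 'Input does not start with an Event 1530 header line.'
    }
    $sid      = $Matches['Sid']
    $declared = [int]$Matches['Count']

    # The image path may itself contain parentheses ("Program Files (x86)"),
    # so the greedy .+ is anchored on the literal ") has opened key".
    $linePattern = '^\s*Process (?<ProcId>\d+) \((?<Image>.+)\) has opened key ' +
                   '\\REGISTRY\\USER\\(?<Sid>S-[\d-]+)(?<SubKey>\\.*)?$'

    $handles = foreach ($line in ($lines | Select-Object -Skip 1)) {
        # Skip lines that do not parse or whose SID differs from the header's
        # (a SID cut short by truncation fails this comparison).
        if ($line -match $linePattern -and $Matches['Sid'] -eq $sid) {
            [pscustomobject]@{
                ProcId = [int]$Matches['ProcId']
                Image  = $Matches['Image']
                SubKey = $Matches['SubKey']    # $null when the hive root itself is open
            }
        }
    }

    $byProcess = $handles | Group-Object ProcId, Image | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            ProcId   = $first.ProcId
            Image    = $first.Image
            Handles  = $_.Count
            HiveRoot = @($_.Group | Where-Object { -not $_.SubKey }).Count
            SubKeys  = @($_.Group.SubKey | Where-Object { $_ } | Sort-Object -Unique)
        }
    } | Sort-Object Handles -Descending

    $parsed = @($handles).Count
    [pscustomobject]@{
        Sid       = $sid
        Declared  = $declared
        Parsed    = $parsed
        Truncated = ($parsed -lt $declared)   # fewer usable lines than the header announced
        ByProcess = $byProcess
    }
}

$summary = Get-HiveLeakSummary -Detail $SampleDetail
$summary | Format-List Sid, Declared, Parsed, Truncated
$summary.ByProcess | Format-Table ProcId, Image, Handles, HiveRoot -AutoSize

# Against the live Application log. Properties[0] is assumed to be the single
# "Detail" data field shown in the Event Xml in the question.
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530
#                                  ProviderName = 'Microsoft-Windows-User Profiles Service' } |
#     ForEach-Object { Get-HiveLeakSummary -Detail $_.Properties[0].Value }
```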


  2. Candy Luo 12,661 Reputation points Microsoft Vendor
    2021-03-15T06:25:53.907+00:00

    Check if the following link can help you:

    A COM+ application may stop working in Windows when a user logs off

    You might try the resolution recorded in that source article: enable the group policy "Do not forcefully unload the user registry at user logoff", which is located under Computer Configuration > Administrative Templates > System > User Profiles.
