question

MuhammadUmer-8263 asked

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
87 user registry handles leaked from \Registry\User\S-1-5-21-3772205575-3961427462-2862485661-500:
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 7088 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\AppContract\Windows.Search
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Office\15.0\Groove\SPFS\Descriptor
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Office\15.0\Groove\SPFS\Descriptor
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\AppDataLow\Software\Microsoft\RepService
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\Shell
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume{35c1bd81-d456-4f93-bb56-05e7fc3ff372}
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume{35c1bd81-d456-4f93-bb56-05e7fc3ff372}
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows NT\CurrentVersion
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count
Process 1364 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Printers\DevModePerUser
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\AppDataLow

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-03-08T12:13:56.939161900Z" />
<EventRecordID>36162</EventRecordID>
<Correlation ActivityID="{08D2A96B-0E8E-0008-D969-EA088E0ED701}" />
<Execution ProcessID="660" ThreadID="7992" />
<Channel>Application</Channel>
<Computer></Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">87 user registry handles leaked from \Registry\User\S-1-5-21-3772205575-3961427462-2862485661-500:
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 7088 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\AppContract\Windows.Search
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Disallowed
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\SystemCertificates
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\trust
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{B267E3AD-A825-4A09-82B9-EEC22AA3B847}\Count
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Office\15.0\Groove\SPFS\Descriptor
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Office\15.0\Groove\SPFS\Descriptor
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\AppDataLow\Software\Microsoft\RepService
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\Shell
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4784 (\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}\Count
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\TrustedPeople
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume{35c1bd81-d456-4f93-bb56-05e7fc3ff372}
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume{35c1bd81-d456-4f93-bb56-05e7fc3ff372}
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows NT\CurrentVersion
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{CAA59E3C-4792-41A5-9909-6A6A8D32490E}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}\Count
Process 1364 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Printers\DevModePerUser
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Internet Explorer\Main
Process 660 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\CA
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\AppDataLow
</Data>
</EventData>
</Event>

windows-server-2012

Just want to confirm the current situation.

Please feel free to let us know if you need further assistance.

0 Votes 0 ·
0 Votes
CandyLuo-MSFT answered MuhammadUmer-8263 commented

Hi,

For more details about Event ID 1530, you can refer to the following article:

Event ID: 1530 may be logged in the Application log in Windows

Cause:

This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows does this when Windows tries to close a user profile.
Note: Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated.

Best Regards,

Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




Thank you for sharing this link. I had already gone through this information, but I did not get a suitable solution to resolve this issue.
Kindly share the solution, as this error has been observed many times before.

0 Votes 0 ·
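One way to act on the note above that the listed application should be investigated, as an added example that is not part of the original thread: a PowerShell function that tallies the "has opened key" lines of an Event ID 1530 message per process, so the processes holding the most profile handles stand out. The function name `Get-LeakedRegistryHandleSummary` and its output columns are assumptions made for this example; the sample lines are copied from the event detail in the question.

```powershell
function Get-LeakedRegistryHandleSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Message
    )
    begin {
        # One record per "Process <pid> (<image>) has opened key <key>" line.
        # The lazy image group tolerates paths such as "Program Files (x86)".
        $pattern = '(?m)^\s*Process (?<ProcId>\d+) \((?<Image>.+?)\) has opened key (?<Key>\S.*?)\s*$'
    }
    process {
        $records = foreach ($m in [regex]::Matches($Message, $pattern)) {
            # Drop the \REGISTRY\USER\<SID> prefix; an empty rest is the hive root.
            $subKey = $m.Groups['Key'].Value -replace '^\\REGISTRY\\USER\\S-[\d-]+\\?', ''
            if (-not $subKey) { $subKey = '(hive root)' }
            [pscustomobject]@{
                ProcessId = [int]$m.Groups['ProcId'].Value
                Image     = $m.Groups['Image'].Value
                SubKey    = $subKey
            }
        }
        # Most handles first: the leading rows are the processes to look at.
        $records | Group-Object ProcessId, Image | Sort-Object Count -Descending |
            ForEach-Object {
                [pscustomobject]@{
                    ProcessId = $_.Group[0].ProcessId
                    Image     = $_.Group[0].Image
                    Handles   = $_.Count
                    Keys      = ($_.Group.SubKey | Sort-Object -Unique) -join '; '
                }
            }
    }
}

# Sample input: five lines copied from the event detail in the question.
$sample = @'
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software
Process 6164 (\Device\HarddiskVolume2\Windows\explorer.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Policies
Process 836 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\Root
Process 1752 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-3772205575-3961427462-2862485661-500\Software\Microsoft\SystemCertificates\SmartCardRoot
'@
$sample | Get-LeakedRegistryHandleSummary | Format-List

# On the affected server (Application log, Event ID 1530):
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530 } |
#     ForEach-Object { $_.Message | Get-LeakedRegistryHandleSummary }
```

Comparing the summaries of several 1530 events shows whether the same image keeps handles open at every logoff or only occasionally.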
0 Votes
CandyLuo-MSFT answered

Check if the following link can help you:

A COM+ application may stop working in Windows when a user logs off

You might try the resolution recorded in that source article to enable the group policy "Do not forcefully unload the user registry at user logoff", which is located under Computer Configuration > Administrative Templates > System > User Profiles.


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

