11 November 2007

Event 1530, User Profile Service

After having to debug a couple of Windows profile problems recently, I started to keep an eye out for Warning or Error events in the Windows Event Viewer. The latest warning was Event 1530, User Profile Service, where there was some conflict between processes writing to the registry as I was logging out. It had the following details:

 2 user registry handles leaked from ...:
Process 932 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key ...
Process 3472 (\Device\HarddiskVolume2\Windows\System32\IFXSPMGT.exe) has opened key ...

Process 3472 is IFXSPMGT.exe (Infineon Security Platform Software), but what was process 932? One solution was to run tasklist and save the list of process numbers in the current session. Here's the command to run:

tasklist /svc /fo table /fi "imagename eq svchost.exe" > C:\Temp\Processes.txt

Roughly, this lists every svchost.exe process with its PID and the services it hosts.

I ran the tasklist command in the previous session and found that process 932 was WinDefend (Windows Defender, Microsoft's anti-spyware program).
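The lookup described above as a script (an added example, not part of the original post): it parses the Event 1530 detail text and saved `tasklist /svc /fo table` output, then maps each PID named in the event to the services that process hosts. The sample inputs are constructed; only the two process lines and PID 932 = WinDefend come from the post, and the function names, PID 1100 and the ExampleSvc entries are assumptions.

```python
import re

# Constructed sample: Event 1530 detail text as quoted in the post ("..." kept as elided there).
EVENT_TEXT = r"""2 user registry handles leaked from ...:
Process 932 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key ...
Process 3472 (\Device\HarddiskVolume2\Windows\System32\IFXSPMGT.exe) has opened key ...
"""

# Constructed tasklist /svc /fo table output; only PID 932 -> WinDefend comes from the post.
TASKLIST_TEXT = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    932 WinDefend
svchost.exe                   1100 ExampleSvcA, ExampleSvcB,
                                   ExampleSvcC
"""

def parse_tasklist(text):
    """Return {pid: [service, ...]} from tasklist /svc table output."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith("="))
    # The PID column span is read from the ===== ruler, so widths are not hard-coded.
    p0, p1 = [m.span() for m in re.finditer(r"=+", lines[sep])][1]
    services, pid = {}, None
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        pid_field = line[p0:p1].strip()
        if pid_field.isdigit():          # a new process row
            pid = int(pid_field)
            services[pid] = []
        if pid is not None:              # process row or wrapped continuation line
            services[pid] += [s.strip() for s in line[p1:].split(",") if s.strip()]
    return services

def resolve_leaks(event_text, tasklist_text):
    """Return [(pid, image_name, services)] for each process named in the event."""
    services = parse_tasklist(tasklist_text)
    out = []
    for m in re.finditer(r"Process (\d+) \((.+?)\) has opened key", event_text):
        pid, image = int(m.group(1)), m.group(2).rsplit("\\", 1)[-1]
        out.append((pid, image, services.get(pid, [])))
    return out

if __name__ == "__main__":
    for pid, image, svcs in resolve_leaks(EVENT_TEXT, TASKLIST_TEXT):
        print(pid, image, ", ".join(svcs) or "(no svchost-hosted service listed)")
```

PIDs are reassigned at every boot and can be reused within one, so the tasklist output has to be captured in the same session that logged the event, before the processes exit.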

14-Nov-2007. For Windows pre-Vista, if you receive Event ID 1517, Microsoft provides the User Profile Hive Update (UPHClean.exe) utility to detect and free the registry. There isn't a version of UPHClean.exe for Vista yet.