Stone Esquire
VoyagerCC
Posts: 1
Registered: ‎01-13-2010

Windows 7 Pro 64 bit - during log out warning message registered in log

I have been getting the following warning in my log each time that I log out of Windows.

This is a clean install of Windows 7 Pro 64 bit as of January 8 2010.

I'm running Trend Micro Internet Pro 64 bit.

Any help or ideas?

Regards

VoyagerCC

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          1/13/2010 6:04:42 PM
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:     xxxxxxx
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

 DETAIL -
 28 user registry handles leaked from \Registry\User\S-1-5-21-3980533774-1460354998-4155939122-1001:
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Search Assistant
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Run
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\RunService
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServiceOnce
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\RunServiceOnce
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\RunServices
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Policies
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows NT\CurrentVersion\Windows
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Internet Explorer
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunService
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Search Assistant
Process 1628 (\Device\HarddiskVolume4\Program Files\Trend Micro\Internet Security\SfCtlCom.exe) has opened key \REGISTRY\USER\S-1-5-21-3980533774-1460354998-4155939122-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-13T23:04:42.994344900Z" />
    <EventRecordID>1287</EventRecordID>
    <Correlation ActivityID="{00000100-0000-0001-6814-91F49F94CA01}" />
    <Execution ProcessID="296" ThreadID="3812" />
    <Channel>Application</Channel>
    <Computer>voyager1</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">28 user registry handles leaked from \Registry\User\S-1-5-21-3980533774-1460354998-4155939122-1001:
</Data>
  </EventData>
</Event>

Trend Micro Employee
nmromanov
Posts: 2
Registered: ‎02-02-2010

Re: Windows 7 Pro 64 bit - during log out warning message registered in log


Hi,

I also found these messages in Events. I'm not absolutely sure, but the most probable answer to your question is that it's TIS's protection cover.

For example, if the firewall is activated in the product, there is a Program Control. By default, several applications are already included in the monitoring list.

Perhaps it could also be some kind of integrity protection - Prevent Unauthorized Changes. It could also lead to such messages in Events. You can see additional info in the article http://esupport.trendmicro.com/Pages/What-are-the-changes-detected-by-the-Prevent-Unauthorized-Chan-...


Cheers,

Nikolay


I am a Trend Micro employee. My comments and advice come from my personal knowledge and experience. I’m happy to volunteer what I can to help others have a great Trend Micro experience.
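
As an added example (not part of the original posts, and not Trend Micro or Microsoft code): a small Python triage script that parses the DETAIL text of an Event ID 1530 record, groups the leaked handles by process, and separates handles on common autostart keys from the rest. The sample text, the `ExampleAV` and `example.exe` paths, and the autostart key list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the Event ID 1530 DETAIL text.
# The SID, PIDs and image paths are made up for illustration.
SID = "S-1-5-21-1-2-3-1001"
HIVE = r"\REGISTRY\USER" + "\\" + SID
AV = r"Process 1628 (\Device\HarddiskVolume4\Program Files (x86)\ExampleAV\avsvc.exe) has opened key " + HIVE
APP = r"Process 2040 (\Device\HarddiskVolume4\Tools\example.exe) has opened key " + HIVE
SAMPLE = "\n".join([
    r"4 user registry handles leaked from \Registry\User" + "\\" + SID + ":",
    AV + r"\Software\Microsoft\Windows\CurrentVersion\Run",
    AV + r"\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    AV + r"\Software\Microsoft\Internet Explorer",
    APP + r"\Software\Example\Settings",
])

HEADER = re.compile(r"^(\d+) user registry handles leaked from \\Registry\\User\\(S-[\d-]+):", re.I)
# Greedy image match so paths containing "(x86)" are not cut short.
LINE = re.compile(r"^Process (\d+) \((.+)\) has opened key (.+)$")
# Strip the hive prefix and fold the 32-bit view (Wow6432Node) onto the 64-bit one.
NORM = re.compile(r"^\\registry\\user\\s-[\d-]+\\software\\(?:wow6432node\\)?")
# Assumed, non-exhaustive list of per-user autostart locations.
AUTOSTART = {"microsoft\\windows\\currentversion\\" + k for k in (
    "run", "runonce", "runonceex", "runservices", "runservicesonce",
    r"explorer\browser helper objects", r"explorer\shellexecutehooks",
    r"shell extensions\approved")} | {
    r"microsoft\windows nt\currentversion\winlogon",
    r"microsoft\windows nt\currentversion\windows"}

def summarize(detail):
    """Group leaked handles by PID and split autostart keys from other keys."""
    lines = [l.strip() for l in detail.strip().splitlines()]
    head = HEADER.match(lines[0])
    if not head:
        raise ValueError("not an Event 1530 hive-leak detail block")
    procs = defaultdict(lambda: {"image": "", "autostart": [], "other": []})
    parsed = 0
    for line in lines[1:]:
        m = LINE.match(line)
        if not m:
            continue  # tolerate blank or truncated lines
        pid, image, key = int(m.group(1)), m.group(2), m.group(3)
        rel = NORM.sub("", key.lower(), count=1)
        procs[pid]["image"] = image
        procs[pid]["autostart" if rel in AUTOSTART else "other"].append(key)
        parsed += 1
    return {"declared": int(head.group(1)), "parsed": parsed,
            "sid": head.group(2), "processes": dict(procs)}
```

A mismatch between `declared` and `parsed` means the pasted detail text was truncated or reformatted before it reached the script.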