Endpoint Protection

  • 1.  Cont'D Endpoint Protection Windows 7 Application Warnings Events 1530, 3036

    Posted May 17, 2012 12:09 PM

    Microsoft's KB947238 Dated 11/08/2011

    Cause of 1530 Event: This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows Vista does this when Windows Vista tries to close a user profile.

    Note Event ID 1530 is logged as a Warning event. The application that is listed in the event detail is leaving the registry handle open and should be investigated.


    In my case, the registry handles that are being left open are:

    2 user registry handles leaked from \Registry\User\S-1-5-21-725345543-1965331169-2146715285-1572:
    Process 2584 (\Device\HarddiskVolume3\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-725345543-1965331169-2146715285-1572\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    Process 936 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-725345543-1965331169-2146715285-1572\Printers\DevModePerUser

    I would like to get a complete explanation on how this can be resolved, since the offending application is Symantec Endpoint Protection. Can Symantec fix this issue?
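    To act on the KB947238 advice that "the application listed in the event detail ... should be investigated", the detail lines of an Event ID 1530 message can be parsed so that each leaked key is attributed to the process image that held it. The script below is an added example, not part of the original thread and not a Symantec or Microsoft tool. Only the "handles leaked from" line, the SID and the two "Process ... has opened key ..." lines in the sample are taken from the post above; the introductory header sentence in the sample is a constructed placeholder, and the regular expressions assume the detail lines keep the exact shape shown in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample message. The "handles leaked" line and the two
# "Process ... has opened key ..." lines are the ones quoted in the post;
# the first sentence is a placeholder standing in for the event's own
# wording (assumption, not copied from Windows).
SAMPLE_EVENT_1530 = r"""
Registry hive still in use at logoff (placeholder header text).

 DETAIL -
 2 user registry handles leaked from \Registry\User\S-1-5-21-725345543-1965331169-2146715285-1572:
Process 2584 (\Device\HarddiskVolume3\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-725345543-1965331169-2146715285-1572\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 936 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-725345543-1965331169-2146715285-1572\Printers\DevModePerUser
"""

# "<n> user registry handles leaked from \Registry\User\<SID>:"
HEADER_RE = re.compile(
    r"(?P<count>\d+) user registry handles? leaked from "
    r"\\Registry\\User\\(?P<sid>S-1-5-[\d-]+):",
    re.IGNORECASE,
)
# "Process <pid> (<image path>) has opened key <key path>"
# The image path may itself contain parentheses such as "(x86)", so the
# non-greedy group stops at the first ") has opened key ".
HANDLE_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<image>.+?)\) has opened key (?P<key>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class LeakedHandle:
    pid: int
    image: str  # NT device path of the process image, as logged
    key: str    # registry key that was still open when the hive was unloaded
    sid: str    # SID of the user hive that could not be unloaded cleanly

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]

    @property
    def relative_key(self) -> str:
        """Key path relative to the user's hive root (what HKCU shows)."""
        prefix = "\\REGISTRY\\USER\\" + self.sid + "\\"
        if self.key.upper().startswith(prefix.upper()):
            return self.key[len(prefix):]
        return self.key


def parse_event_1530(message: str) -> tuple[Optional[str], int, list[LeakedHandle]]:
    """Parse an Event ID 1530 message body.

    Returns (sid, declared_count, handles). declared_count is the number the
    event itself claims; comparing it with len(handles) catches truncated or
    reformatted messages.
    """
    sid: Optional[str] = None
    declared = 0
    raw: list[tuple[int, str, str]] = []
    for line in message.splitlines():
        line = line.strip()
        header = HEADER_RE.search(line)
        if header:
            sid = header["sid"]
            declared = int(header["count"])
            continue
        handle = HANDLE_RE.match(line)
        if handle:
            raw.append((int(handle["pid"]), handle["image"], handle["key"]))
    handles = [LeakedHandle(pid, image, key, sid or "") for pid, image, key in raw]
    return sid, declared, handles


def summarize(handles: list[LeakedHandle]) -> dict[str, list[str]]:
    """Group leaked keys by process image so each application can be investigated."""
    by_image: dict[str, list[str]] = {}
    for h in handles:
        by_image.setdefault(h.image_name, []).append(h.relative_key)
    return by_image


if __name__ == "__main__":
    sid, declared, handles = parse_event_1530(SAMPLE_EVENT_1530)
    print(f"hive {sid}: {declared} handles declared, {len(handles)} parsed")
    for image, keys in summarize(handles).items():
        print(image)
        for k in keys:
            print("   ", k)
```

    Run against the sample, the summary attributes one key under Software\Symantec\Symantec Endpoint Protection to Rtvscan.exe and one under Printers to svchost.exe, which is the per-application breakdown needed when raising a case with the vendor. On a real machine the message text would come from the Application log entry itself rather than from the constructed sample.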



  • 2.  RE: Cont'D Endpoint Protection Windows 7 Application Warnings Events 1530, 3036

    Broadcom Employee
    Posted May 17, 2012 12:33 PM

    Open a support ticket. Is the same event seen for Symantec?



  • 3.  RE: Cont'D Endpoint Protection Windows 7 Application Warnings Events 1530, 3036

    Posted May 17, 2012 12:46 PM

    I acknowledge the request to open a support ticket, which I will do, but I'm sure there are other people experiencing this same issue, so this discussion would be a great opportunity to post a solution. I just found that the initial discussion about the Event 1530, commenting to see KB947238, was lame, since Microsoft is clearly saying the event handle should be investigated. Also noted that this was for Vista; I'm getting this same problem on Windows 7.

    I'm not sure what is meant by "is the same event seen for symantec?" The event is being triggered by Rtvscan.exe and svchost.exe (the svchost.exe is a thread being called by RTVScan.exe). Therefore, yes, the event is the same for Symantec, since Rtvscan is a Symantec product.



  • 4.  RE: Cont'D Endpoint Protection Windows 7 Application Warnings Events 1530, 3036

    Trusted Advisor
    Posted May 17, 2012 12:48 PM

    Hello,

    Could you Migrate the SEP 11.x to the Latest Release of SEP 12.1?

    https://www-secure.symantec.com/connect/articles/quick-access-symantec-endpoint-protection-121

    This does not seem to be an Issue with SEP version 12.1

    This seems to be a behavior by design in SEP 11.x. However, what version of SEP 11.x are you running?

    References
    https://www-secure.symantec.com/connect/forums/endpoint-protection-windows-7-application-warnings-events-1530-3036

    However, to understand more on this, I would suggest you to create a case with Symantec Technical Support.

    Hope that helps!!




  • 5.  RE: Cont'D Endpoint Protection Windows 7 Application Warnings Events 1530, 3036

    Broadcom Employee
    Posted May 17, 2012 12:50 PM

    What I meant was: does this event happen at a specific time, like scan, updates etc.?

    Definitely the forum members can add their experience in dealing with this issue; at the same time, open a support ticket, which might get a faster response.



  • 6.  RE: Cont'D Endpoint Protection Windows 7 Application Warnings Events 1530, 3036

    Posted May 18, 2012 01:12 PM

    Good Morning, Mithun and Pete, thank you for your replies. Mithun, my current version of SEP is V11.0.6300.803. I will upgrade to 12.1. As I indicated before, I will open a case with Symantec.

    Pete, Event 1530 is logged after I log out of the Windows 7 Desktop. Event 3036 is logged when I log into the Windows 7 Desktop or when the SEP scan is completed.

    Also, I have found Event 4107 Source: CAPI2, which I'm getting, has led me to start the operational logging on the Windows 7 Desktop. I checked the logging today and found the operational logging showed an Event ID 11 Source Windows CAPI2 Task Category Build Chain Error. The Security ID is S-1-5-21-725345543-1965331169-2146715285-1572. This security ID is the same one referenced for the Evt ID 1530. The result value = 80092013 - The revocation function was unable to check revocation because the revocation server was offline.

    So, I'm prepared now to open my Symantec ticket. After I work with Symantec technical support, I will upgrade my version of SEP. I will update this discussion with a resolution after I work with Symantec technical support.