SEP Error in Event Viewer
I generate the following error every time I shut down. OS is Win7 32bit. I thought maybe the problem was that I was using 11.0.5, so I uninstalled it, did a CleanWipe, and installed 11.0.6a. Still getting the same error. There's also an msiexec.exe error in there, but it comes and goes. The Symantec error is on every shutdown. Any idea what's causing it?
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 6/17/2010 8:44:35 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: xxxxx
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-3457670147-962725586-2447221604-1000:
Process 2252 (\Device\HarddiskVolume2\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-3457670147-962725586-2447221604-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 3032 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3457670147-962725586-2447221604-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2010-06-18T00:44:35.502919100Z" />
<EventRecordID>4695</EventRecordID>
<Correlation />
<Execution ProcessID="1024" ThreadID="1052" />
<Channel>Application</Channel>
<Computer>xxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-3457670147-962725586-2447221604-1000:
Process 2252 (\Device\HarddiskVolume2\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-3457670147-962725586-2447221604-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 3032 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3457670147-962725586-2447221604-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
</Data>
</EventData>
</Event>
Comments
This is related to OS
http://support.microsoft.com/kb/947238
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Actually, I think it's a Symantec issue. From the link you provided: "This behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application."
SEP is leaving the handle open. Why?
In the event logs you have mentioned two applications:
RTVSCAN.exe (related to Symantec)
msiexec.exe (could be any setup file); hence, even if SEP is uninstalled and you shut down the system, if any application is using the profile you will get an error.
However, since you are getting RTVscan.exe most of the time, this application is related to Autoprotection and scanning, so the system profile could be doing some scan during this time, hence an error. You can confirm it by opening a support case.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
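The Event ID 1530 detail discussed above can be parsed to see which executable is named across shutdown events. This is an added example, not part of the original thread and not Symantec or Microsoft code; the function names are hypothetical and the sample event is constructed from the format shown in the post, with a placeholder SID.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from ntpath import basename

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# "Process <pid> (<device path>) has opened key <registry key>"
LEAK_RE = re.compile(r"^Process (\d+) \((.+?)\) has opened key (.+?)\s*$", re.M)
KEY_RE = re.compile(r"\\REGISTRY\\USER\\(S-[0-9-]+(?:_Classes)?)\\(.+)", re.I)

# Constructed sample in the format of the event in the post (placeholder SID).
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1530</EventID></System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333333-1000:
Process 2252 (\Device\HarddiskVolume2\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 3032 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
</Data></EventData></Event>"""

def parse_hive_leaks(event_xml):
    """Return one dict per leaked handle in an Event ID 1530 record."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1530":
        return []  # not a hive-leak warning
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", "", NS)
    leaks = []
    for pid, image, key in LEAK_RE.findall(detail):
        m = KEY_RE.match(key)
        leaks.append({
            "pid": int(pid),
            "image": image,                    # full device path of the process
            "exe": basename(image).lower(),    # executable name only
            "sid": m.group(1) if m else None,  # whose hive was held open
            "subkey": m.group(2) if m else key,
        })
    return leaks

def leaks_by_exe(event_xmls):
    """Count in how many events each executable is named as a handle holder."""
    counts = Counter()
    for xml_text in event_xmls:
        counts.update({leak["exe"] for leak in parse_hive_leaks(xml_text)})
    return counts

if __name__ == "__main__":
    for leak in parse_hive_leaks(SAMPLE_XML):
        print(leak["pid"], leak["exe"], leak["subkey"])
```

Running `leaks_by_exe` over every 1530 event exported from the Application log separates a process named on every shutdown from one that only appears occasionally.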
Thanks Pete. I submitted the case. I'll try to remember to post the outcome here.
After going through Symantec MySupport, I would summarize Symantec's response as:
1. Symantec and Microsoft are both aware of the issue.
2. Other users have reported the same issue.
3. The issue only happens in Vista, Win7, or Server 2008.
4. SEP is safe to use, even with the Event Viewer error.
5. Symantec is working on a solution to be included in a future release.