On second thought I question the direction this thread is taking. Here is the 1:16PM event ID 1530
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1447001783-2274183133-4180765549-1228:
Process 880 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1447001783-2274183133-4180765549-1228\Printers\DevModePerUser
Note the Printers. This appears to be a problem between printers and Endpoint Protection.
The event was recorded at 1:16:22 PM. Looking at the DCHP leases, none of the more than 20 leases today occurred during the time of Event ID 1530.
If the problem is scanning files that should not be scanned then the problem should be during scaning and the scan was not occuring during the Event ID 1530s. This doesn't mean that the file/folder exclusion (once I figure how to do that) should not be done as that may prevent other problems.