Mark Fisher

New Member
Joined
Nov 30, 2012
Messages
2
Hi there,

I have been having some issues with windows crashing and restarting recently. I think that I have that part of it fixed..... however there are still some error messages popping up in Event Viewer.... one of which revolves around lsass.exe

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/30/2012 1:41:17 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: MarksTC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.


DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-1541781749-630166740-1203472716-1000:
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\My
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\CA
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\Disallowed


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-11-30T21:41:17.815496600Z" />
<EventRecordID>107647</EventRecordID>
<Correlation />
<Execution ProcessID="912" ThreadID="3804" />
<Channel>Application</Channel>
<Computer>MarksTC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1541781749-630166740-1203472716-1000:
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\My
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\CA
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\Disallowed
</Data>
</EventData>
</Event>

I have made sure that all windows updates are current, and i have norton running... no viruses, etc. Any thoughts on how to resolve?
 


Solution
Isass.exe is basically a Windows legitimate application. It should be ok if it is located in C:\Windows\System32, in other cases it is probably a virus.

The easiest way would be to make a simple search for Isass.exe, and if found elsewhere than System32 folder, delete it, or zip it to a safe place, and the delete the original.
Isass.exe is basically a Windows legitimate application. It should be ok if it is located in C:\Windows\System32, in other cases it is probably a virus.

The easiest way would be to make a simple search for Isass.exe, and if found elsewhere than System32 folder, delete it, or zip it to a safe place, and the delete the original.
 


Solution
Back
Top