lsass.exe errors in Event Viewer

Discussion in 'Windows 7 Help and Support' started by Mark Fisher, Nov 30, 2012.

  1. Mark Fisher

    Hi there,

    I have been having some issues with Windows crashing and restarting recently. I think that I have that part of it fixed... however, there are still some error messages popping up in Event Viewer, one of which revolves around lsass.exe.

    Log Name: Application
    Source: Microsoft-Windows-User Profiles Service
    Date: 11/30/2012 1:41:17 PM
    Event ID: 1530
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: MarksTC
    Description:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.


    DETAIL -
    5 user registry handles leaked from \Registry\User\S-1-5-21-1541781749-630166740-1203472716-1000:
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\My
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\CA
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\Disallowed


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-11-30T21:41:17.815496600Z" />
    <EventRecordID>107647</EventRecordID>
    <Correlation />
    <Execution ProcessID="912" ThreadID="3804" />
    <Channel>Application</Channel>
    <Computer>MarksTC</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1541781749-630166740-1203472716-1000:
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\My
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\CA
    Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\Disallowed
    </Data>
    </EventData>
    </Event>

    I have made sure that all Windows updates are current, and I have Norton running... no viruses, etc. Any thoughts on how to resolve?
     
  2. Pauli

    Isass.exe is basically a legitimate Windows application. It should be OK if it is located in C:\Windows\System32; in other cases it is probably a virus.

    The easiest way would be to make a simple search for Isass.exe, and if it is found elsewhere than the System32 folder, delete it, or zip it to a safe place and then delete the original.
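
An added example, not part of either post: the location check from the reply above, applied to the process image paths that an Event ID 1530 record lists. The sample event is constructed (a trimmed copy of the posted one with a placeholder SID and a made-up second process line), and the function names and the assumption that Windows is installed in \Windows are this example's own.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HANDLE = re.compile(r"Process (\d+) \((.+?)\) has opened key (\S+)")
# Assumption: Windows lives in \Windows on a \Device\HarddiskVolumeN volume.
SYSTEM32 = re.compile(r"\\Device\\HarddiskVolume\d+\\Windows\\System32", re.I)
# File names that read as "lsass.exe" at a glance (I or 1 in place of l).
LOOKALIKE = re.compile(r"[li1]sass\.exe", re.I)

# Constructed sample: placeholder SID, second Process line is made up.
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1530</EventID></System>
<EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-0-0-0-1000:
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\SystemCertificates\My
Process 3120 (\Device\HarddiskVolume2\Users\Public\Isass.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1000
</Data></EventData></Event>"""

def leaked_handles(event_xml):
    """Return (pid, image_path, key) for each handle in a 1530 event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1530":
        return []
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", "", NS)
    return [(int(pid), image, key) for pid, image, key in HANDLE.findall(detail)]

def classify(image_path):
    """'expected' for lsass.exe directly in System32, 'suspicious' for an
    lsass look-alike name anywhere else, 'other' for unrelated images."""
    directory, _, name = image_path.rpartition("\\")
    if name.lower() == "lsass.exe" and SYSTEM32.fullmatch(directory):
        return "expected"
    if LOOKALIKE.fullmatch(name):
        return "suspicious"
    return "other"

def review(event_xml):
    """Pair every process named in the event with its verdict."""
    return [(pid, image, classify(image))
            for pid, image, _ in leaked_handles(event_xml)]

if __name__ == "__main__":
    for row in review(SAMPLE):
        print(row)
```
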
     
