User Profile Service event id 1530 with every remote desktop logout

I've been receiving User Profile Service event id 1530 with nearly every logout from an rdp session.  Our environment is Windows 2008 R2 64 bit running on Citrix XenServer 5.5.  RDP is in remote administration mode.  Tested with and without Windows updates applied.  No additional printers added, no connection to a domain.

Because the environment is virtual, I've been able to try many combinations and have narrowed it down to this: When Windows 2008 R2 has a single processor, the event does not occur.  When I give the virtual server two processors, the event occurs with nearly every RDP logout.  Same results with or without XenTools installed.  I do not have the resources to test the single/multi processor difference on physical hardware.

Any insights would be appreciated. I've posted the full event as well as information about the process that is mentioned in the event.

AB.

Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          7/23/2010 8:38:51 PM
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:     
User:          SYSTEM
Computer:      WIN-36DPBES2P14
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-2545583-721118796-2022419212-1000:
Process 888 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2545583-721118796-2022419212-1000\Printers\DevModePerUser

----------

Process 888 is svchost.exe running UxSMS (Desktop Window Manager Session Manager), UmRdpService (Remote Desktop Services UserMode Port Redirector), TrkWKS (Desktop Distributed Link Tracking Client), and Netman (Network Connection)

  • Edited by Ambo Bartok Friday, July 23, 2010 10:24 PM Added detail
July 23rd, 2010 10:01pm
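
Added example, not part of the original post: the manual lookup described above (take the PID from the 1530 detail text, then see which services that svchost.exe hosts) scripted in PowerShell. The function names are hypothetical; it assumes Windows PowerShell 3.0 or later and the English detail-line format quoted in the event.

```powershell
# Added example. Requires Windows PowerShell 3.0+; run as an administrator on the RDP host.
# Matches detail lines such as:
#   Process 888 (\Device\...\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-...\Printers\DevModePerUser
$LeakPattern = 'Process (?<ProcId>\d+) \((?<Image>.+?)\) has opened key ' +
               '\\REGISTRY\\USER\\(?<Sid>S-[\d-]+(?:_Classes)?)(?<SubKey>[^\r\n]*)'

function Get-ProfileHandleLeak {
    # Default window starts at the last boot: PIDs in older events no longer
    # identify any running process.
    param([datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1530
        StartTime    = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # One event can list several leaked handles; emit one object per line.
        foreach ($m in [regex]::Matches($evt.Message, $LeakPattern)) {
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                ProcessId   = [int]$m.Groups['ProcId'].Value
                Image       = $m.Groups['Image'].Value
                Sid         = $m.Groups['Sid'].Value
                SubKey      = $m.Groups['SubKey'].Value.Trim()
            }
        }
    }
}

function Add-HostedService {
    param([Parameter(ValueFromPipeline = $true)]$Leak)
    process {
        # Services currently hosted in that PID. If the process has restarted since
        # the event was logged, this comes back empty or names a different host.
        $names = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($Leak.ProcessId)" |
                   ForEach-Object { $_.Name })
        $Leak | Add-Member -NotePropertyName Services -NotePropertyValue ($names -join ', ') -PassThru
    }
}

# Which process / service set / key combination shows up most often since boot
Get-ProfileHandleLeak | Add-HostedService |
    Group-Object Image, Services, SubKey |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```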

Hello,

 

Generally speaking, event ID 1530 means that some data in the user profile is still being accessed when the user logs off from the Terminal Server; you have very possibly enabled the policy to remove the user profile at logoff. In such a situation the error appears. To troubleshoot this error, you can check whether any data still remains in the user profile that was supposed to be deleted. That should be the data the process is using when the logoff happens. You can use Process Monitor or Process Explorer to find the software that is using the data and find the solution. If no such data remains, Windows has possibly stopped the process and deleted the data at logoff. In such a case, you can ignore Event 1530.

 

Regarding EventID 1530, please also take the following KB article as reference:

 (KB947238) Event ID: 1530 may be logged in the Application log on a Windows 7-based or Windows Vista-based client computer

http://support.microsoft.com/default.aspx?scid=kb;EN-US;947238

 

Regards,

Wilson Jia

July 26th, 2010 5:55am

Thank you for considering my situation.  If there is a local policy to remove the user profile, it is created by Windows with a default install as I created a virtual server for no other purpose than to test this situation. 

It appears that Symantec believes the event is not worth worrying about.  Link to their KB article: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/85c99cee1e433fe9652577280034406b?OpenDocument

I have come to expect this kind of weirdness from Symantec, but to have it in a fresh install of Windows 2008 R2 with no 3rd party software is frustrating.

I wonder if there is a way that the user profile service could be instructed to wait a little longer before dropping the axe?

For the time being, I'm going to plow ahead with Windows 2008 and Windows 2008 R2 virtual servers and hope for the best.

A.B.

July 26th, 2010 5:46pm

Ambo, I noticed you are also dealing with this issue in a similar situation.  During the research I've done to try and fix my issue I ran into some others with the issue you're describing (where \Printers\DevModePerUser is still locked) and one person mentioned that getting rid of the default "Microsoft XPS" printer that comes installed fixed his issue.    Also, are you redirecting local printers?  I've seen that cause it as well.

If you happen to correct your issue, if you could try and set up a Software Restriction Policy in your environment (it doesn't even need to have anything in it, just make a blank one) and see if the issue I'm having occurs I'd appreciate it.  At least this would point to a more systemic issue rather than a problem with the way I've set it up.

Thanks!

July 27th, 2010 5:57pm

Same problem here, different workaround...

2008 (32 and 64) and 2008R2 both have the 1530 error and only if a printer is redirected in an RDP session. We are running ESX on quad core Xeon's. If I reduce the amount of CPU's to 1 the problem is gone. It does not matter if I install all kinds of software or configurations or even vmware tools. A base install with an IP address and RDP activated will reproduce the event. Seems to happen on some bare metal installs and most virtualized installs. Cannot really explain when and how, only that our machines are experiencing the problem :-(

The real problem however is not the eventlog entry. It's the fact that the spooler is not able to clear the devices and printerports listing in the users registry. Therefore printers are building up (as users arrive, they tend to have a different redirection number every morning therefore the name differs everyday causing a new entry). Windows and most software don't even check this list and don't have a problem. Some older apps however, show all printers in their printing dialog.

One of you please confirm that your:

CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts

Are not clearing during logoff and we'll have a case !

Simply test by logging on using RDP with a printer mapping (does not matter if it needs a driver, easyprint or fails to install as long as the port is redirected). Don't click anything but logoff. Clear the printers checkbox and logon again. Check eventvwr for the 1530 error and check the above keys to view their contents. They should both be empty (or contain only your local printers if you have any on your server)

July 28th, 2010 4:06pm

Unfortunately my situation isn't the same as yours so I can't really comment, we don't use redirected printers in our environment.    The problem I'm having is described here (which links back to this post :))

http://social.technet.microsoft.com/Forums/en/winserverTS/thread/a52c7dac-401b-4843-a69c-04a92ef16457

 

July 28th, 2010 4:22pm

But can you resolve your issue by reducing the amount of CPU's as well? Maybe worth a try.
July 28th, 2010 6:27pm

The virtual machine I was testing it with was already at 1 CPU when the condition was occurring, thx for the suggestion though.  Besides my physical box that I'm planning to run this on is a dual-quad core system so I can't really reduce the CPU's in it :)   It really seems like my particular issue (with the Software Restriction Policy causing the error) is actually a bug as I can reproduce it in a completely isolated environment.  I may just have to live with it until a fix is found (if ever).
July 28th, 2010 9:22pm

Hi,

Please perform clean boot on Windows server 2008 R2 to see if the issue continues.

======================
A. Click Start | Run and type "msconfig" (no quotes) and press enter.
B. Click services from the tab, check the check box of "Hide All Microsoft Service", and then click "Disable all"
C. Click Startup from the tab, then click "Disable all"
D. Click "OK" and follow the instructions to Restart Computer, after rebooting if you get a prompt dialog of System Configuration, please check the check box in the dialog and click "OK".

As a temporary work around we have carried out the following.
Disable the "User Profile Service".
Reboot.
Log on with local admin account.
Remove the problematic profiles.
Remove reference to the specific problematic profiles from registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Log off
Log on with local admin account.
Set "User profile Service" to start automatically.
Reboot
Log back on as problematic account and changes have been saved.

This is a work around only.

 

Regards,

Wilson Jia

 

August 2nd, 2010 8:16am

Hi all. I have the exact same problem. I followed the workaround posted above as follows:

  1. Run>Msconfig>Disable All>Reboot
  2. Logon local admin>Services>Disable User Profile Service>Reboot
  3. Logon Local Admin>Delete Remote User Profile in Computer Management\Users
  4. Deleted Remote User Profile Folder in C:\Users\
  5. Deleted Remote User Profile in Registry
  6. Log off>Reboot
  7. Logon as Admin>Re-enable Services

However this did not work. Did I follow the steps correctly?

Also, would this happen to have anything to do with why my Windows Server 2008 fails to install the 2 same Windows updates? KB967723 and KB981793? Ever since I ran into the registry leak problem this happened as well.

August 27th, 2010 12:39am

H-ummer

I can confirm that when I do a Remote Desktop connection from a client computer, I see many redirected printers in the registry where you mentioned. But not if logged on at the server. Can you elaborate on what to do next? I don't quite follow.

Thanx

August 27th, 2010 2:17am

I have the same issue going on.  The process hanging is:

 

Process 1272 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3197591532-3394961484-3160339202-2620\Printers\DevModePerUser

On the Remote Desktop application printers are NOT checked and are not trying to load local printers.  Any other suggestions here?  I can't unload ALL of my services and run it, or I'll have a very unhappy environment.  My 2003 Servers that are not x64 I was able to install that UPHClean and that did the trick.  But there seems to be no other solution for the others?

I read that on the 2008 servers it's built in, even though I haven't seen it anywhere and it's definitely NOT doing its job.

 

Can anyone else here provide me with any ideas?  I'm at a loss with this.

March 9th, 2011 4:16pm

Ok... I found the problem.  If you have Server 2008 and Symantec Endpoint Protection this is the error it keeps giving.  Only when logging into the server using RDP.  After some use of RDP the service finally hangs and the server has to have a hard reset.  Once removing Symantec it's been smooth sailing.

Switching to another AV!!!

 

Here is the article for anyone interested or having this issue:

http://www.symantec.com/connect/forums/endpoint-protection-errors-and-warning-windows-server-2008

March 17th, 2011 3:37pm

I'm running Trend Micro OfficeScan Client 10.5.1997 and have this problem.  It's driving me nuts.
March 19th, 2012 12:01pm

I'm using Mcafee and I'm having the same problem. It's not exclusively caused by Symantec, though it may have been your case.


  • Edited by cvlowe Monday, April 09, 2012 3:46 PM
April 9th, 2012 3:46pm

I have the same warning on a physical 2008R2 with 2 hexa-cores CPU but note that I have no anti-virus program.

As it doesn't seem a real problem I'll leave it like this...


July 9th, 2012 4:41pm

This is likely one of those errors Microsoft has no clue what's going on with Windows so just recommends we "ignore". If enough people complain, they will release a patch that stops the error from being logged.

July 9th, 2012 6:26pm

Got this problem on all my W2k8R2 servers with AV - CA Total Defense. From time to time they hang and you can just do a hard reset to reboot. Nothing works, RDP, disable Remote Service, nothing works :(
  • Proposed as answer by za.net Thursday, July 26, 2012 11:03 AM
  • Unproposed as answer by za.net Thursday, July 26, 2012 11:04 AM
July 18th, 2012 7:45am

 
This is a workaround for:  Event 1530 when every Remote Desktop user logs off.  This clears out some of the User Profile that the RDS Logoff was supposed to do, but failed during the Event 1530.

' Clears leftover printer entries from the current user's hive.
Option Explicit
On Error Resume Next
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
' /va deletes every value under the key (the key itself is kept); /f suppresses the confirmation prompt.
objShell.run("REG.EXE DELETE ""HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices"" /va /f")
objShell.run("REG.EXE DELETE ""HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts"" /va /f")
Set objShell = Nothing
WScript.quit

This workaround does not address the underlying cause, the Event 1530. Only relieves the mess with Redirected Printers.
It's all about the 1530 Events.   The Redirected Printers are just victims.
We're not sure if other areas are being hosed, none that I can obviously see.
Possible infinite growth occurring in system Registry and/or User Profile Hives.

 

March 1st, 2013 11:12pm
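
Added example, not code from any poster in this thread: a read-only PowerShell check of the two keys named earlier in the thread and cleared by the script above, separating redirected-printer leftovers from local printers (which a /va delete also removes). The function name is hypothetical; it assumes redirected printers carry the English "(redirected N)" name suffix and that N is the RDP session ID.

```powershell
# Added example, read-only. Run inside the affected user's RDP session.
$PrinterKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Devices',
               'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts'

function Get-PrinterRegistryEntry {
    param(
        [string[]]$Path = $PrinterKeys,
        # Assumption: the number in "(redirected N)" is the RDP session ID.
        [int]$SessionId = (Get-Process -Id $PID).SessionId
    )
    foreach ($p in $Path) {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # key absent in this hive
        foreach ($name in $key.GetValueNames()) {
            $isRedirected = $name -match '\(redirected (?<n>\d+)\)$'
            [pscustomobject]@{
                Key        = Split-Path -Path $p -Leaf
                Printer    = $name
                Redirected = $isRedirected
                # Left over from an earlier session: redirected, but not by this one
                Stale      = $isRedirected -and ([int]$Matches['n'] -ne $SessionId)
                Data       = $key.GetValue($name)
            }
        }
    }
}

$entries = @(Get-PrinterRegistryEntry)
$entries | Sort-Object Key, Printer | Format-Table Key, Printer, Redirected, Stale -AutoSize

# Summary: a count that grows from one logon to the next means logoff cleanup is not running
$stale = @($entries | Where-Object { $_.Stale }).Count
'{0} stale redirected entries out of {1} total' -f $stale, $entries.Count
```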

hello john,

I am also having the problem with 1530. In a few months, this problem will have been discussed, with no solution, for -3- years!

Some have found workarounds but no fix. Even MS KB states the issue needs to be examined and resolved. Well, I am waiting. 12 users working over 3 years to find a solution to this MS issue. Frustrating indeed, yes.

  • Proposed as answer by pm1_44 Sunday, June 02, 2013 6:38 PM
June 2nd, 2013 6:38pm

Hi pm1_44,

Can you tell me the KB # that acknowledged issue with RDS 1530 event and redirected printers?

Thanks.

June 26th, 2013 4:24pm

You are brilliant.  I made sure that I was not redirecting printers, then went to those two registry keys and deleted all of the redirected printers.  Voila.  No more 1530 during RDP logoff.

Thanks so

February 21st, 2014 11:08pm

One of you please confirm that your:

CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts

Are not clearing during logoff and we'll have a case !

Simply test by logging on using RDP with a printer mapping (does not matter if it needs a driver, easyprint or fails to install as long as the port is redirected). Don't click anything but logoff. Clear the printers checkbox and logon again. Check eventvwr for the 1530 error and check the above keys to view their contents. They should both be empty (or contain only your local printers if you have any on your server)

The problem still exists in 2012 R2, and I'm thinking the XPS printer is at least partly to blame.  However, I've completely removed this printer from the server, and I still get the following two entries.

Process 1408 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2664737520-481353137-1098671830-632619\Printers\DevModePerUser
Process 808 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2664737520-481353137-1098671830-632619\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

I've disabled printer sharing in RDP via GPO, and have confirmed that it is unchecked and greyed out in my RDP client. The last one puzzles me though.  That one may be caused by something else.

April 30th, 2014 3:53pm

Hello,

On 2012R2, I resolved the issue by removing the XPS printer. Now VHDX are released upon logoff.

March 7th, 2015 1:06pm

This topic is archived. No further replies will be accepted.
