explanation of admin event warnings
Hi,
I recently switched to Windows 7 on advice for added security; I had a few issues (malware/virus/bugs) with my previous XP system.
I run my desktop through a wired ethernet connection to a BT Home Hub, which also provides wireless connectivity for another home PC and a laptop.
I have no network established and file sharing etc. is off. Three users on the computer: Admin and two other family members (non-admin rights). I run Norton 360.
I'd be grateful if someone could explain what the following Admin event warnings mean; I really could do with a plain, simple (as much as possible) explanation of what these events mean in context. What is my PC apparently looking at/trying to do with "Gatherer", "Search of CSC", "SharePoint Workspace" and IE search history? What does the SID number represent? Is there anything here that should concern me about intrusion on my PC, or are these regular events? Many thanks.
Here goes...
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 25/04/2012 22:59:37
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: downstairs
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T21:59:37.691549900Z" />
<EventRecordID>2088</EventRecordID>
<Correlation ActivityID="{02AC8A40-F800-0000-67B7-5641DC22CD01}" />
<Execution ProcessID="928" ThreadID="1372" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed
</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 25/04/2012 22:29:55
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/> cannot be accessed.
Context: Application, SystemIndex Catalog
Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T21:29:55.000000000Z" />
<EventRecordID>2082</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">
Context: Application, SystemIndex Catalog
Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)
</Data>
<Data Name="URL">SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
<EventRecordID>1985</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
</Data>
<Data Name="URL">csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
<EventRecordID>1983</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">
Context: Windows Application, SystemIndex Catalog
Details:
(HRESULT : 0x80004005) (0x80004005)
</Data>
<Data Name="URL">iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
</EventData>
</Event>
April 26th, 2012 8:03am
Hi,
Regarding the Event ID 1530, this behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows 7 does this when it tries to close a user profile.
Regarding the Event ID 3036, this issue is related to Windows Search. CSC here may mean Client Side Caching (Offline Files). You can try the following steps.
Method 1: Restore Index to its original settings
Here's how:
a. Go to Start > Control Panel.
b. Double click on the Indexing Options.
c. Click on the Advanced button.
d. Click on Restore Defaults.
Method 2: Rebuild index:
http://windows.microsoft.com/en-US/windows7/Change-advanced-indexing-options
You can refer to the following KB for reference:
Event ID: 1530 may be logged in the Application log on a Windows Vista or newer computer
http://support.microsoft.com/kb/947238
Hope this helps
Vincent Wang
TechNet Community Support
April 27th, 2012 5:15am
Thank You Vincent,
Are there any security issues here for me to be concerned about? Or, to put it simply, are these warnings related to various processes within Windows 7? I don't use Windows Search or SharePoint Workspace. Is my PC possibly compromised?
April 27th, 2012 5:52am
Hi,
I would like to tell you that event warnings are used to communicate tolerable failures in the system that are not immediately significant, which require an administrator to determine whether it is an error. Regarding your case, Windows Search is a feature in Windows 7 and will not affect your security. If you still worry about this, please try the steps in my previous post to test the issue.
Windows Search Features
http://technet.microsoft.com/en-us/library/dd744686(v=ws.10).aspx
Hope this helps.
Vincent Wang
TechNet Community Support
April 30th, 2012 4:21am
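As an added example to accompany the two answers above (it is not part of this thread and not Microsoft's code), the following PowerShell script pulls the 1530 and 3036 warnings out of the Application log and turns them into a readable table: for each event it resolves the SID in the message to the local account it belongs to, and for 1530 it lists which process held the profile hive open, for 3036 which crawl source (csc://, iehistory://, SharePointWorkspaceSearch://) the indexer could not reach. It assumes Windows 7 with PowerShell 2.0 or later, run from an administrator prompt; the `Resolve-Sid` helper and the regular expressions are mine, not from the thread.

```powershell
# Added example, not from this thread or from Microsoft: list the 1530 and 3036
# warnings discussed above from the Application log and make them readable.
# Assumes Windows 7 with PowerShell 2.0 or later, run as an administrator.

# Resolve a SID such as S-1-5-21-...-1001 to the local account it names.
# The long middle part identifies this machine; the last number (the RID)
# picks one account on it (500 = built-in Administrator, 1000 and up = created users).
function Resolve-Sid {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "<unresolved: $Sid>"   # e.g. an account or profile that has since been deleted
    }
}

$sidPattern = 'S-1-5-21-\d+-\d+-\d+-\d+'

# Event 1530 (User Profiles Service): a user's registry hive was still held open
# when Windows tried to unload it; the message lists the holding process and keys.
# Event 3036 (Windows Search, task "Gatherer"): an indexing crawl source could not be reached.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1530, 3036 } `
          -MaxEvents 50 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $sid = [regex]::Match($e.Message, $sidPattern).Value
    $who = if ($sid) { Resolve-Sid $sid } else { 'n/a' }

    if ($e.Id -eq 1530) {
        # Each "Process NNN (path) has opened key ..." line names a holder;
        # collapse duplicates so one process shows once however many keys it held.
        $holders = [regex]::Matches($e.Message, 'Process (\d+) \((.+?)\) has opened key') |
            ForEach-Object { "$($_.Groups[1].Value) $($_.Groups[2].Value)" } |
            Sort-Object -Unique
        $detail = $holders -join '; '
    } else {
        # The angle-bracketed URL names the crawl scope: csc:// is Offline Files,
        # iehistory:// is Internet Explorer history, SharePointWorkspaceSearch://
        # is the SharePoint Workspace (Office) client. Nothing external is contacted.
        $detail = [regex]::Match($e.Message, '<([A-Za-z]+://[^>]+)>').Groups[1].Value
    }

    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Source  = $e.ProviderName
        Account = $who
        Detail  = $detail
    }
}

$rows | Select-Object Time, Id, Source, Account, Detail | Format-Table -AutoSize -Wrap
```

Reading the output against the thread: the Account column answers what the SID stands for (one of the three local users), and a 1530 row whose Detail is only `564 ...\System32\lsass.exe` is the built-in security subsystem holding certificate-store keys during logoff, exactly the benign case the KB article linked above describes. A 3036 row is worth a second look only if its Account resolves to no known user or its Detail names a source you have never used.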