explanation of admin event warnings
Hi, I recently switched to Windows 7 under advice for added security - had a few issues (malware/virus/bugs) with the previous XP system. I run my desktop through a wired ethernet connection to a BT Home Hub which also provides wireless connectivity for another home PC and laptop. I have no network established and file sharing etc. is off. Three users on the computer: Admin and two other family members (non-admin rights). I run Norton 360.

I'd be grateful if someone could explain what the following Admin event warnings mean; I really could do with a plain, simple (as much as possible) explanation of what these events mean in context. What is my PC apparently looking at/trying to do with: "Gatherer"? "Search of CSC"? "SharePoint Workspace"? and "IE search history"? What does the S.I.D. number represent? Is there anything here that should concern me about intrusion on my PC, or are these regular events? Many thanks. Here goes...

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 25/04/2012 22:59:37
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: downstairs
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL - 5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2012-04-25T21:59:37.691549900Z" />
    <EventRecordID>2088</EventRecordID>
    <Correlation ActivityID="{02AC8A40-F800-0000-67B7-5641DC22CD01}" />
    <Execution ProcessID="928" ThreadID="1372" />
    <Channel>Application</Channel>
    <Computer>downstairs</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed
    </Data>
  </EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-Search
Date: 25/04/2012 22:29:55
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/> cannot be accessed.
Context: Application, SystemIndex Catalog
Details: A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
    <EventID Qualifiers="32768">3036</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-04-25T21:29:55.000000000Z" />
    <EventRecordID>2082</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>downstairs</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ExtraInfo">
Context: Application, SystemIndex Catalog
Details: A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)
    </Data>
    <Data Name="URL">SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/</Data>
  </EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details: (HRESULT : 0x80004005) (0x80004005)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
    <EventID Qualifiers="32768">3036</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
    <EventRecordID>1985</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>downstairs</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ExtraInfo">
Context: Windows Application, SystemIndex Catalog
Details: (HRESULT : 0x80004005) (0x80004005)
    </Data>
    <Data Name="URL">csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
  </EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.
Context: Windows Application, SystemIndex Catalog
Details: (HRESULT : 0x80004005) (0x80004005)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
    <EventID Qualifiers="32768">3036</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>3</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
    <EventRecordID>1983</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>downstairs</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ExtraInfo">
Context: Windows Application, SystemIndex Catalog
Details: (HRESULT : 0x80004005) (0x80004005)
    </Data>
    <Data Name="URL">iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
  </EventData>
</Event>
April 26th, 2012 8:03am

Hi,

Regarding the Event ID 1530, this behavior occurs because Windows automatically closes any registry handle to a user profile that is left open by an application. Windows 7 does this when Windows 7 tries to close a user profile.

Regarding the Event ID 3036, this issue is related to Windows Search. CSC here may mean Client Side Caching (Offline Files). You can try the following steps.

Method 1: Restore Index to its original settings
Here's how:
a. Go to Start > Control Panel.
b. Double click on the Indexing Options.
c. Click on the Advanced button.
d. Click on Restore Defaults.

Method 2: Rebuild index:
http://windows.microsoft.com/en-US/windows7/Change-advanced-indexing-options

You can refer to the following KB for reference:
Event ID: 1530 may be logged in the Application log on a Windows Vista or newer computer
http://support.microsoft.com/kb/947238

Hope this helps

Vincent Wang
TechNet Community Support
April 27th, 2012 5:15am
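As an added example (not part of this thread), a small Python parser for the Event 1530 record quoted in the question: it extracts which process held the profile hive open, which profile SID was affected, and decodes the parts of the SID (the well-known service SIDs and the RID ranges are standard Windows facts). The sample record is the post's own XML trimmed to the elements read here, with two of the five leaked handles kept.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the Event 1530 record quoted in the question, trimmed to
# the elements this parser reads; two of the five leaked handles are kept.
SAMPLE_1530 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1530</EventID><Security UserID="S-1-5-18" /></System>
 <EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001: Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001 Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My</Data></EventData>
</Event>"""

WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-19": "Local Service", "S-1-5-20": "Network Service"}
HANDLE_RE = re.compile(r"Process (\d+) \((.+?)\) has opened key (\\REGISTRY\\\S+)")
SID_RE = re.compile(r"^S-1-5-21-(\d+-\d+-\d+)-(\d+)$")


def describe_sid(sid):
    """Explain a SID: either a well-known service account, or machine/domain id + RID."""
    if sid in WELL_KNOWN:
        return {"sid": sid, "well_known": WELL_KNOWN[sid]}
    m = SID_RE.match(sid)
    if not m:
        return {"sid": sid, "well_known": None}
    rid = int(m.group(2))
    # RID 500/501 are the built-in Administrator/Guest; RIDs from 1000 upward are
    # assigned, in creation order, to accounts made on that machine (or domain).
    role = {500: "built-in Administrator", 501: "built-in Guest"}.get(
        rid, "account created on this machine/domain" if rid >= 1000 else "other built-in")
    return {"sid": sid, "machine_id": m.group(1), "rid": rid, "role": role}


def parse_hive_leak(xml_text):
    """Extract logging account, affected profile SID and leaked handles from an Event 1530."""
    root = ET.fromstring(xml_text)
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", namespaces=NS)
    profile = re.search(r"leaked from \\Registry\\User\\(S-[\d-]+):", detail).group(1)
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "logged_as": root.find("e:System/e:Security", NS).get("UserID"),
        "profile_sid": profile,
        "handles": [{"pid": int(p), "image": img, "key": key}
                    for p, img, key in HANDLE_RE.findall(detail)],
    }


def unexpected_holders(record):
    """Images holding the hive open that do not live under \\Windows\\ (none in the sample:
    lsass.exe is a Windows component); anything returned is what deserves a closer look."""
    return sorted({h["image"] for h in record["handles"] if "\\windows\\" not in h["image"].lower()})
```

For the record in the question, the profile SID ends in RID 1001 and the Search events reference RID 1003, i.e. two of the accounts created on the machine, while S-1-5-18 (the account the event was logged under) is Local System.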

Thank you Vincent, are there any security issues here for me to be concerned about or, to put it simply, are these warnings related to various processes within Windows 7? I don't use Windows Search or SharePoint Workspace. Is my PC possibly compromised?
April 27th, 2012 5:52am

Hi,

I would like to tell you that event warnings are used to communicate tolerable failures in the system that are not immediately significant, which requires an administrator to determine whether it is an error. Regarding your case, Windows Search is a feature in Windows 7 and will not affect your security issue. If you still worry about this, please try the steps in my previous post to test the issue.

Windows Search Features
http://technet.microsoft.com/en-us/library/dd744686(v=ws.10).aspx

Hope this helps.

Vincent Wang
TechNet Community Support
April 30th, 2012 4:21am
