Event Viewer (Win7x64) complains about WSA opening Registry Entries

Discussion in 'Prevx Releases' started by Muddy3, Nov 21, 2012.

Thread Status:
Not open for further replies.
  1. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    243
    Location:
    Belgium
    I have the following event and message in Event Viewer:

    SOURCE: User Profile Service
    DATE & TIME: 21/11/2012 at 17:45 European time

    ORIGINAL:
    Windows a détecté que votre fichier de Registre est toujours utilisé par d’autres applications ou services. Le fichier va être déchargé. Les applications ou services qui ont accès à votre Registre risquent de ne pas fonctionner correctement après cela.

    TRANSLATION:
    Windows has detected that your Registry file is still being used by other applications or services. The file will be "unloaded" (correct translation??). The applications or services which have access to your Registry risk not functioning correctly after this.

    DÉTAIL -
    15 user registry handles leaked from \Registry\User\S-1-5-21-1868736425-1749135435-1172674007-1001:
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Policies\Microsoft\SystemCertificates
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Policies\Microsoft\SystemCertificates
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Policies\Microsoft\SystemCertificates
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Policies\Microsoft\SystemCertificates
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\Disallowed
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\Root
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\My
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\CA
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\trust
    Process 632 (\Device\HarddiskVolume2\Program Files\Webroot\WRSA.exe) has opened key \REGISTRY\USER\S-1-5-21-1868736425-1749135435-1172674007-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

    Is this complaint and "unloading" action by Windows normal o_O

    EDIT: And, looking at my Event Viewer Log, this complaint recurs regularly: at times every 24 hours, at times every few days.
     
    Last edited: Nov 21, 2012
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is a normal complaint - it's caused because WSA is monitoring Windows itself as it loads/unloads user accounts. It's monitoring from the SYSTEM context so it can see everything as it happens, which is why the monitoring persists between login/logout.
     
  3. Muddy3

    Muddy3 Registered Member

    Joined:
    May 31, 2010
    Posts:
    243
    Location:
    Belgium
    Thanks Joe. That's reassuring :).
     
  4. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    a similar thing happens with avira as well ...
     
Thread Status:
Not open for further replies.