
plain explanation of admin events


3 replies to this topic

#1 bluebird100

bluebird100

  • Members
  • 18 posts

Posted 26 April 2012 - 02:45 AM

Hi,
I recently switched to Windows 7 under advice for added security - had a few issues/malware/virus/bugs with my previous XP system.
I run my desktop through a wired ethernet connection to a BT Home Hub, which also provides wireless connectivity for another home PC and a laptop.
I have no network established and file sharing etc. is off. Three users on the computer: Admin and two other family members (non-admin rights). I run Norton 360.

I'd be grateful if someone could explain what the following Admin event warnings mean; I really could do with a plain, simple (as much as possible) explanation of what these events mean. In context, what is my PC apparently looking at/trying to do with "Gatherer", "Search of CSC", "sharepoint workspace" and IE search history? What does the S.I.D number represent? Is there anything here that should concern me about intrusion on my PC, or are these regular events? Many thanks.
Here goes.......


Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 25/04/2012 22:59:37
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: downstairs
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T21:59:37.691549900Z" />
<EventRecordID>2088</EventRecordID>
<Correlation ActivityID="{02AC8A40-F800-0000-67B7-5641DC22CD01}" />
<Execution ProcessID="928" ThreadID="1372" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">5 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\CA
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\Disallowed
</Data>
</EventData>
</Event>


Log Name: Application
Source: Microsoft-Windows-Search
Date: 25/04/2012 22:29:55
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/> cannot be accessed.

Context: Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-25T21:29:55.000000000Z" />
<EventRecordID>2082</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">

Context: Application, SystemIndex Catalog

Details:
A server error occurred. Check that the server is available. (HRESULT : 0x80041206) (0x80041206)
</Data>
<Data Name="URL">SharePointWorkspaceSearch://{S-1-5-21-1270894132-2919628928-3103407009-1001}/</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog

Details:
(HRESULT : 0x80004005) (0x80004005)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
<EventRecordID>1985</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">

Context: Windows Application, SystemIndex Catalog

Details:
(HRESULT : 0x80004005) (0x80004005)
</Data>
<Data Name="URL">csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
</EventData>
</Event>

Log Name: Application
Source: Microsoft-Windows-Search
Date: 24/04/2012 18:44:26
Event ID: 3036
Task Category: Gatherer
Level: Warning
Keywords: Classic
User: N/A
Computer: downstairs
Description:
The content source <iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/> cannot be accessed.

Context: Windows Application, SystemIndex Catalog


Details:
(HRESULT : 0x80004005) (0x80004005)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Search" Guid="{CA4E628D-8567-4896-AB6B-835B221F373F}" EventSourceName="Windows Search Service" />
<EventID Qualifiers="32768">3036</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-24T17:44:26.000000000Z" />
<EventRecordID>1983</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>downstairs</Computer>
<Security />
</System>
<EventData>
<Data Name="ExtraInfo">

Context: Windows Application, SystemIndex Catalog

Details:
(HRESULT : 0x80004005) (0x80004005)
</Data>
<Data Name="URL">iehistory://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data>
</EventData>
</Event>



#2 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 26 April 2012 - 04:48 AM

Hi -
Did you run the Windows 7 Upgrade Advisor Tool prior to installing Windows 7 over your XP system?
Some programs from XP will not directly install on Windows 7 -

Thank You -

#3 bluebird100

bluebird100
  • Topic Starter

  • Members
  • 18 posts

Posted 26 April 2012 - 06:57 AM

No - a tech guy did a reformat and clean install of Windows 7. All data was on an external hard drive, so no crossover.

#4 PCCom

PCCom

  • Members
  • 23 posts

Posted 26 April 2012 - 10:50 AM

Hi,

Event ID 1530 I would probably ignore, thinking you were shutting down the system while more than one account was open, unless you see this event over and over.
In that case go here.

Event ID 3036 refers to the indexing of your hard drives. I'd just turn off indexing, but try this: go to Indexing Options in Control Panel, click Advanced and then Restore Defaults. This will force a re-index of your drives, which might fix the problem.

Hope this helps
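An added example (my own, not from any poster in this thread): a short Python script that parses the Event XML quoted in the first post and answers the original questions in plain terms, namely which account a SID denotes, which process still held registry handles in the 1530 event, and which content source and account the Search 3036 event refers to. The two sample events are trimmed copies of the ones posted above; nothing else is assumed.

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
LOCAL_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")
HANDLE = re.compile(r"Process (\d+) \((\S+)\) has opened key (\S+)")

def describe_sid(sid):
    # S-1-5-18 is the well-known SID of the Local System account ("User: SYSTEM" above).
    if sid == "S-1-5-18":
        return "NT AUTHORITY\\SYSTEM (the Local System account)"
    m = LOCAL_SID.fullmatch(sid)
    if not m:
        return "unrecognised SID " + sid
    rid = int(m.group(1))
    # S-1-5-21-<three numbers> identifies this machine; the final number (RID) is the
    # account: below 1000 is built-in (500 = Administrator), 1000 and up were created locally.
    kind = "built-in account" if rid < 1000 else "user account created on this machine"
    return f"{kind} (RID {rid})"

def triage_event(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    event_id = int(system.find(NS + "EventID").text)
    logged_by = system.find(NS + "Security").get("UserID")
    data = {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}
    out = {"event_id": event_id, "logged_by": describe_sid(logged_by) if logged_by else "N/A"}
    if event_id == 1530:
        # A user's profile hive was unloaded while processes still held keys inside it.
        leaks = HANDLE.findall(data.get("Detail", ""))
        hive = LOCAL_SID.search(data.get("Detail", ""))
        out["hive_owner"] = describe_sid(hive.group(0)) if hive else "unknown"
        out["leaked_handles"] = len(leaks)
        out["holders"] = sorted({(int(pid), path.rsplit("\\", 1)[-1]) for pid, path, _ in leaks})
    elif event_id == 3036:
        # The Windows Search gatherer could not read one of its content sources.
        scheme, _, rest = data.get("URL", "").partition("://")
        out["content_source"] = scheme
        out["source_owner"] = describe_sid(rest.strip("{}/"))
    return out

# Sample input, trimmed from the events quoted in the first post of this thread.
SAMPLE_1530 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1530</EventID><Security UserID="S-1-5-18"/></System>
<EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">2 user registry handles leaked from \Registry\User\S-1-5-21-1270894132-2919628928-3103407009-1001:
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001
Process 564 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1270894132-2919628928-3103407009-1001\Software\Microsoft\SystemCertificates\My
</Data></EventData></Event>"""
SAMPLE_3036 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID Qualifiers="32768">3036</EventID><Security/></System>
<EventData><Data Name="URL">csc://{S-1-5-21-1270894132-2919628928-3103407009-1003}/</Data></EventData></Event>"""
```

Running `triage_event` over both samples shows the 1530 event concerns the RID 1001 account's hive with handles held by one process, while the 3036 events point at a different local account (RID 1003), which is why the SID, not the username, is what ties these entries together.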



