More on User Profile Service functionality

An application can start failing because the User Profile Service forces the unload of the user profile when the user logs off. This happens on Windows Vista and later.
The warning message that shows up in the application event log is:

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: Date
Event ID: 1530
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: ComputerName

Description: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

To resolve this, enable the policy named "Do not forcefully unload the user registry at user logoff".
The policy can be found in the Group Policy editor (gpedit.msc) under Computer Configuration -> Administrative Templates -> System -> User Profiles.

When the policy is enabled, Windows does not forcefully unload the registry and waits until all other processes complete their use of the user registry before it unloads it. Sometimes, earlier versions of Windows failed to unload the registry portion of the user profile. Many times this failure prevented the user from subsequent logons to the same computer – which is the risk.

Windows Vista and later always unload the registry portion of the user profile, even if they must do so forcefully, prior to synchronizing the profile to the profile server. When forcefully unloading profiles, Windows writes an event message to the event log. The description of the event contains the name of the process that prevented the registry from unloading and the closed registry path.

Here is the logic behind what the user profile service is doing.

1. The User Profile Service will try and unload a registry hive. If we fail to unload the hive because an application has an open key in the hive, the following warning is reported:

"Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. %n%n DETAIL - %n %1"

   Event ID is 1530.

NOTE: This warning is for reporting purposes only and will always be logged as a warning in the event log if a registry hive cannot be unloaded irrespective of the value of DisableForceUnload in the registry.

2. If unloading the hive failed then there is a second attempt to unload the hive.

a. If DisableForceUnload is set to 1 then we try what is called a delayed unload (not forcefully unloaded).
b. If DisableForceUnload is set to 0 (or not set) then the hive is forcefully unloaded.

3. If either (2a) or (2b) fails then the following event is reported. This is reported as an error event, whereas the previous event is a warning event.

The error you see is:

Windows cannot unload your registry file. The memory used by the registry has not been freed. This problem is often caused by services running as a user account. Try configuring services to run in either the LocalService or NetworkService account.
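An added example (not part of the original post, and not Microsoft's code) that reports which branch of step 2 this machine will take and lists the processes named in recent 1530 events. It assumes the policy value DisableForceUnload is stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows\System, and that the event detail uses the "Process <pid> (<image>) has opened key <path>" form quoted in the comments on this page.

```powershell
# Assumption: the Group Policy setting is written to this key as DisableForceUnload.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$value = (Get-ItemProperty -Path $policyKey -Name DisableForceUnload `
          -ErrorAction SilentlyContinue).DisableForceUnload

# Step 2 of the logic above: 1 = delayed unload, 0 or missing = forced unload.
$mode = if ($value -eq 1) { 'delayed unload (policy enabled)' }
        else              { 'forced unload (value is 0 or not set)' }
"Second unload attempt on this machine: $mode"

# Assumed detail line format inside the 1530 description:
#   Process <pid> (<image path>) has opened key <registry path>
# The lazy match up to ') has opened key' tolerates paths that contain
# parentheses, such as 'Program Files (x86)'.
$pattern = 'Process (?<ProcId>\d+) \((?<Image>.+?)\) has opened key (?<Key>\S+)'

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1530
}
# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

$holders = foreach ($e in $events) {
    foreach ($m in [regex]::Matches($e.Message, $pattern)) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            ProcessId   = [int]$m.Groups['ProcId'].Value
            Image       = $m.Groups['Image'].Value
            # \REGISTRY\USER\<hive>\...: element 3 is the hive name (the user SID)
            Hive        = ($m.Groups['Key'].Value -split '\\')[3]
        }
    }
}

# One row per (process image, user hive) pair, most frequent holders first.
$holders | Group-Object Image, Hive | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A service image that appears repeatedly against the same hive is the candidate for the error text's advice about services running under a user account.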

 


Comments

  • Anonymous
    October 09, 2015
    When EventID 1530 shows on Windows Server 2008 R2 - Process 6352 (\Device\HarddiskVolume2\Windows\System32\inetsrv\w3wp.exe) has opened key \REGISTRY\USER\S-1-5-21-1206157109-414143516-1849977318-38596 Would this cause IIS site to crash? Thanks.

  • Anonymous
    January 13, 2016
    Event ID: 1530 is a warning message which says that if an application is using a specific registry hive, it might start failing as the User Profiles Service will unload the registry hive. This might result in a "service unavailable" error. Whether it leads to a crash or not is something that needs to be determined. Ideally it should not crash a process. When the policy is enabled, Windows does not forcefully unload the registry and "waits" until all other processes complete their use of the user registry before it unloads it.

  • Anonymous
    January 13, 2016
    Event ID: 1530 is a warning message that says it cannot unload a registry hive as it is in use. If unloading the hive failed then there is a second attempt to unload the hive and if DisableForceUnload is set to 0 (or not set) then the hive is forcefully unloaded. This does not mean that the process which is using a hive will crash. It can lead to application failures such as "Service Unavailable". Where a process crashes because of forceful unload of a registry hive needs to be investigated. Ideally it should not.