Topic: Why avast is not closing some of the user profile handles at normal shutdown?

Offline kwiq

  • Avast team
  • Sr. Member
  • *
  • Posts: 254
Hi jraju,
In case you have corrupted registry hives I would recommend
https://support.microsoft.com/en-sg/help/822705/registry-troubleshooting-steps-for-advanced-users
 

Offline jraju

  • Poster
  • *
  • Posts: 417
Hi, I only suspect that it would have been. But I think that avast is not closing the registry handles, and this is the only program that is listed in my user warning.
The other point is:
Windows 7 gives this warning if any application is not closing its handles in the registry when shut down, even though the Windows 7 shutdown process closes those handles before restarting the computer, thus killing the Avast handles.
It also came to light that this was fixed in Windows 8, as it is shown as just information rather than a warning.
OK, my point is: why could the avast team not look into where it is not closing the registry handles? Though the letters in the pictures I posted in this thread would have been shrunk, I had attached one or two pictures of the same, which could be seen by you.
If it is found and avast closes all the handles on restart, then would it not be normal like any other program?
The link is given below:
https://social.technet.microsoft.com/wiki/contents/articles/3134.user-profile-service-event-1530-the-windows-operating-system-detected-that-your-registry-file-is-still-in-use-by-other-applications-or-services.aspx
Hi kwiq, did the log not suggest anything?
I will post the warning details if I get them, but let me say that avast is not closing the registry handles, as a bug, and I would request your team members to fix it in the next update.

Offline kwiq

  • Avast team
  • Sr. Member
  • *
  • Posts: 254
Hi jraju
I found 8066 registry events so it takes time to go through all of them.
The event trace reported that avastsvc.exe had opened a handle to the S-1-5-21-2510130899-2858772224-4042820923-1000 key.
There isn't any entry with this SID - I suspect that it is HKCR (currently logged user SID)
« Last Edit: May 15, 2018, 08:07:02 AM by kwiq »

Offline jraju

  • Poster
  • *
  • Posts: 417
Hi, Kwiq,
It is the HKLM key, and my login user ID.
I have checked the same and have no doubt about that.
How did you notice that in HKCR?
I had not looked into that profile list.
But when I check the user ID in C: and in HKLM, those two tally in the profile image path.
Am I making it clear?
I thought about ntuser corruption, but came to know that it is the personal preferences of programs and settings and it has nothing to do with profile corruption.
Hi users, does nobody have this peculiar phenomenon of the registry?
I saw in one of the posts in some other forum that it is because of avast probing, and the user just uninstalled avast for creating it.
I do not want to discontinue your antivirus, as each menu and setting is known to me and it gives maximum protection.
Expecting replies.

Offline jraju

  • Poster
  • *
  • Posts: 417
Hi kwiq, I am enclosing the details of the 1014 error log:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

 DETAIL -
 2 user registry handles leaked from \Registry\User\S-1-5-21-2510130899-2858772224-4042820923-1009:
Process 1740 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-2510130899-2858772224-4042820923-1009
Process 1740 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-2510130899-2858772224-4042820923-1009

I wish to mention here that I have changed my login user from intel to the present new user, and I set this as the default login without a password.

Offline jraju

  • Poster
  • *
  • Posts: 417
Hi, why is no reply being received for my pertinent query? I enclosed all logs and gave all the details. Why is avast not closing all its handles in Windows 7? Of course, the OS is disabling all the handles. But I want avast to close all its handles in the shutdown process. No other application is having this problem. Please, I hope to get a suitable solution from the avast team or moderators.

Offline kwiq

  • Avast team
  • Sr. Member
  • *
  • Posts: 254
Hi jraju,
When we stop AvastSvc.exe manually via the service control manager there are no warning messages in the event logs, but when Windows stops AvastSvc.exe at shutdown there are 6 registry keys left:
\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AVAST MAIL SCANNER TRUSTED
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
\REGISTRY\USER\.DEFAULT\CONTROL PANEL\INTERNATIONAL
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\CRYPT32.
\REGISTRY\MACHINE
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\SORTING\VERSIONS
When the AvastSvc.exe process terminates, all its handles are released by the system, and as you can see it is not a leak which would lead to low memory conditions.
Except for \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AVAST MAIL SCANNER TRUSTED, all other keys are opened by system DLLs, not by avast code! In the VM image where I induced it I saw these errors also for svchost.exe.

I will try to find out why we open \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AVAST MAIL SCANNER TRUSTED and keep its handle till shutdown.
Sorry for the late response and thank you for the report!


Offline jraju

  • Poster
  • *
  • Posts: 417
Hi kwiq,
Thanks for your answer. So according to you, not all but one handle is not closing when shutdown takes place. Is that it?
So it is related to the mail shield settings that the handle is not closing. Am I correct?
Could you say in plain terms what it is not closing during the process of shutdown?
Also, is it that, more than avast, some system process handles are still open other than avast during the shutdown process? Please give a clear picture.
But the event viewer does not list those, am I correct?
Is there any connection, in that the emails, e.g. Gmail, could be accessed by an Android phone also, having the same account open on Android also?
If I enable mail shield for Gmail on the PC, the same email is also accessed, or could be accessed, from Android with Gmail sync.
Expecting plain as well as technical details in this regard.

Offline kwiq

  • Avast team
  • Sr. Member
  • *
  • Posts: 254
Hi jraju,
I induced it in my VM image and wrote a script which traced all registry handles from PC start to shutdown; those 6 registry keys are left as possible handle leaks. I will try to find a reason why \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AVAST MAIL SCANNER TRUSTED is properly closed when I stop AvastSvc manually before PC shutdown and let you know.

The rest of the registry keys were opened by the system, not by avast itself, so I don't know who is responsible for closing them:
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
\REGISTRY\USER\.DEFAULT\CONTROL PANEL\INTERNATIONAL
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\CRYPT32.
\REGISTRY\MACHINE

Offline jraju

  • Poster
  • *
  • Posts: 417
Hi, thanks. Are those entries in HKLM in regedit?
« Last Edit: June 01, 2018, 11:57:29 AM by jraju »

Offline jraju

  • Poster
  • *
  • Posts: 417
Hi, why no reply to my query? Is there any news on the point of avast mail?
I had to reply so that it gets the attention of the staff or moderator, because otherwise it will go back 2 or 3 pages, which I doubt anybody would peruse.

Offline kwiq

  • Avast team
  • Sr. Member
  • *
  • Posts: 254
Hi jraju
\REGISTRY\MACHINE\ = local machine
\REGISTRY\USER\ = users
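
An added example, not part of any post in this thread and not Avast's code: a small Python parser for the handle-leak warning text posted earlier, which groups the leaked keys by process, checks the declared handle count, and rewrites the kernel-style paths into the HKLM/HKU form regedit shows. The function names are hypothetical, and the sample text is the DETAIL section copied from the post above.

```python
import re
from collections import defaultdict

# Warning text as posted earlier in this thread (DETAIL section).
SAMPLE = r"""
 DETAIL -
 2 user registry handles leaked from \Registry\User\S-1-5-21-2510130899-2858772224-4042820923-1009:
Process 1740 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-2510130899-2858772224-4042820923-1009
Process 1740 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-2510130899-2858772224-4042820923-1009
"""

HEADER_RE = re.compile(
    r"^[ \t]*(?P<count>\d+) user registry handles leaked from "
    r"(?P<hive>\\Registry\\User\\[^\s:]+):", re.I | re.M)
# Greedy image match so paths such as "Program Files (x86)" still parse.
LEAK_RE = re.compile(
    r"^[ \t]*Process (?P<pid>\d+) \((?P<image>.+)\) has opened key "
    r"(?P<key>\\REGISTRY\\.+?)[ \t]*$", re.I | re.M)

# Kernel object-manager roots and the hive names regedit shows for them.
ROOTS = (("\\REGISTRY\\MACHINE", "HKLM"), ("\\REGISTRY\\USER", "HKU"))

def to_regedit_path(native_key):
    """Translate a kernel-style registry path to its HKLM/HKU form."""
    upper = native_key.upper()
    for prefix, short in ROOTS:
        if upper == prefix or upper.startswith(prefix + "\\"):
            return short + native_key[len(prefix):]
    return native_key  # unknown root: leave untouched

def parse_leak_report(text):
    """Group leaked keys by (pid, image name) and check the declared count."""
    header = HEADER_RE.search(text)
    by_process = defaultdict(list)
    for m in LEAK_RE.finditer(text):
        image_name = m["image"].rsplit("\\", 1)[-1]
        by_process[(int(m["pid"]), image_name)].append(to_regedit_path(m["key"]))
    declared = int(header["count"]) if header else None
    found = sum(len(keys) for keys in by_process.values())
    return {
        "hive": to_regedit_path(header["hive"]) if header else None,
        "declared": declared,
        "found": found,
        "consistent": declared == found,
        "by_process": dict(by_process),
    }

if __name__ == "__main__":
    print(parse_leak_report(SAMPLE))
```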

Offline jraju

  • Poster
  • *
  • Posts: 417
I induced it in my VM image and wrote a script which traced all registry handles from PC start to shutdown; those 6 registry keys are left as possible handle leaks. I will try to find a reason why \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AVAST MAIL SCANNER TRUSTED is properly closed when I stop AvastSvc manually before PC shutdown and let you know.
Hi, Kwiq, did you see why?