msiexec.exe running at all times

skysky

Somehow msiexec.exe always starts and if I stop it, it starts again.
The service is set as manual and the field is greyed out, so I can't change it.
It doesn't use CPU, just sitting on the memory.

Here is what I've tried so far, with no luck.

1. Disable system restore.
2. Turn off fast startup.
3. Cleaned out Temp folder.
4. Virus and malware scan. Nothing found.
5. Unregister and reregister Windows Installer.
6. SFC Scan. No problem found.
7. Clean registry using jetclean.

Any idea? Thanks.

BTW, I don't know if this is related: I've noticed this warning.

Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 2/3/2013 6:29:46 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: Desktop-PC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.


Code:
DETAIL - 
 17 user registry handles leaked from \Registry\User\S-1-5-21-3241246610-606297703-3174275145-1001:
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1164 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\CA
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 1164 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\Root
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\trust
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\Disallowed


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2013-02-04T02:29:46.638442500Z" />
    <EventRecordID>2974</EventRecordID>
    <Correlation ActivityID="{FB126B5E-0279-0000-7E6B-12FB7902CE01}" />
    <Execution ProcessID="1164" ThreadID="1868" />
    <Channel>Application</Channel>
    <Computer>Desktop-PC</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">17 user registry handles leaked from \Registry\User\S-1-5-21-3241246610-606297703-3174275145-1001:
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1164 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\CA
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 1164 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Policies\Microsoft\SystemCertificates
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\Root
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\trust
Process 1276 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3241246610-606297703-3174275145-1001\Software\Microsoft\SystemCertificates\Disallowed
</Data>
  </EventData>
</Event>
 

My Computer (System One): OS: Windows 8; System Manufacturer/Model: Dell; CPU: Core 2 Quad Q6600; Memory: 6 GB; Graphics Card(s): ATI Radeon™ HD 5450

Some things I might try:
C:\Windows\System32\WSReset.exe ..resets and cleans the store cache (prompt or run)
DISM /Online /Cleanup-Image /RestoreHealth ..repairs store = 40 minute?? (elevated prompt)
Windows Updates: run the repair.

Move the stuff out of download folder and reboot?

Boot to safe mode, surf or whatever for a while there. That fixed a few security-related open handles for me.
 

My Computer (System One): OS: win8.1; Computer type: Laptop; System Manufacturer/Model: lenovo

Thanks mikiep for your reply.
As you suggested, I tried WSReset.exe, DISM RestoreHealth, and moved stuff out of the download folder, but msiexec.exe still loads.

Here is a little more information.
msiexec.exe doesn't load in safe mode, and it loads 2~3 mins after normal boot.
 

Look in Applications in the Event Viewer 2-3 minutes after normal boot?
I might be unchecking a couple of different non-Windows services from starting in msconfig each new boot. And looking in Process Explorer from Microsoft Sysinternals.
 

There are three events that are associated with msiexec.exe.
The database engine or PackageRepository.edb is triggering the msiexec.exe?
What do I do now?? Thanks

Code:
msiexec (2672) Instance: The database engine (6.02.9200.0000) is starting a new instance (0).

msiexec (2672) Instance: The database engine started a new instance (0). (Time=0 seconds) 
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.016, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000.

msiexec (2672) Instance: The database engine attached a database (1, C:\ProgramData\Microsoft\Windows\AppRepository\PackageRepository.edb). (Time=0 seconds) 
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000. 
Saved Cache: 1
 

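The two checks suggested in the thread (the Application log around the time msiexec.exe appears, and the process tree as Process Explorer would show it) can be collected in one pass. The PowerShell below is an added example, not code from any poster; the `ESENT` provider name for the "database engine" events, the function names and the two-minute window are assumptions.

```powershell
# Added example: for every running msiexec.exe, show who started it and what
# the Application log recorded around its start time. Run from an elevated prompt.
$windowMinutes = 2   # assumption: minutes either side of process start to search

function Get-MsiexecTriage {
    $all = Get-CimInstance -ClassName Win32_Process
    foreach ($p in $all | Where-Object Name -eq 'msiexec.exe') {
        $parent = $all | Where-Object ProcessId -eq $p.ParentProcessId |
            Select-Object -First 1
        # PIDs are reused: a "parent" created after the child is not the real parent.
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Started     = $p.CreationDate
            # Expected location is %SystemRoot%\System32 or \SysWOW64.
            Path        = $p.ExecutablePath
            # "msiexec.exe /V" is the Windows Installer service itself, started by
            # services.exe because some other process called the installer API.
            CommandLine = $p.CommandLine
            ParentPid   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '(exited or PID reused)' }
            ParentCmd   = if ($parent) { $parent.CommandLine } else { $null }
        }
    }
}

function Get-EventsNearStart {
    param([datetime]$Start, [int]$Minutes = $windowMinutes)
    # Providers: MsiInstaller (Windows Installer), ESENT (assumed source of the
    # "database engine" messages), and the User Profiles Service (Event ID 1530).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller', 'ESENT', 'Microsoft-Windows-User Profiles Service'
        StartTime    = $Start.AddMinutes(-$Minutes)
        EndTime      = $Start.AddMinutes($Minutes)
    } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, ProviderName, Id, Message
}

foreach ($row in Get-MsiexecTriage) {
    $row | Format-List
    Get-EventsNearStart -Start $row.Started | Format-Table -Wrap
}
```

If the parent is services.exe and the command line ends in `/V`, the process list alone will not name the caller; MsiInstaller events in the same window usually identify the product being installed, repaired or queried.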