I was recently doing some routine maintenance on a SharePoint 2010 server and I happened to check the Event Viewer logs. Wow, was I surprised! It seemed that every minute, we were getting the error message below.

Event ID 6481:
Application Server job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance (GUID).

Reason: Requested Registry Access is not Allowed.

[Screenshot: "Requested registry access is not allowed" error, SharePoint 2010]

Obviously we have a good idea where to fix the issue (regedit), but which registry key is too restricted, and for which account? To find that out, we need to do some monitoring. What amazing tool exists that will do this magic for us?
Process Monitor, another tool from Sysinternals, can be used to monitor the registry and determine what is going wrong. If you need to get more info on how to use Process Monitor, watch this video on Channel 9.

Once you do your monitoring by excluding successes and including ACCESS DENIED messages, you will see these two messages that seem to correspond with the event log times:

[Screenshot: Process Monitor]

[Screenshot: Process Monitor properties]

Now we know which registry key, but what user was trying to access it? Double-click on the entry, or right-click -> Properties -> Process tab, to see that this one was NETWORK SERVICE. The other entry was the app pool service account if I remember correctly. Armed with this new information, go and grant that account the Read permission on that registry key.

In my case I didn't have to reboot; I just refreshed the event log and watched as the errors stopped. It didn’t seem to be causing any errors in the interface that I could tell, but it sure muddied the event log! As always, be a good administrator by backing up your registry first, and if you’re lucky enough to have this in a test environment, always test there first.
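The same fix can be scripted instead of clicked through regedit. The following is an added example, not part of the original post: it backs up the key, then grants ReadKey and nothing more to the account from the Process tab. The key path is a placeholder for whatever Process Monitor reported, the backup file names are assumptions, and the script must run from an elevated PowerShell prompt.

```powershell
# Added example: grant read-only access on ONE registry key to ONE account.
# $KeyPath is a PLACEHOLDER; substitute the exact key Process Monitor reported.
$KeyPath = 'HKLM:\SOFTWARE\<key-reported-by-Process-Monitor>'
$Account = 'NT AUTHORITY\NETWORK SERVICE'   # account shown on the Process tab
$Backup  = Join-Path $env:TEMP ('regkey-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Registry key not found: $KeyPath" }

# 1. Back up the key's values and subkeys before touching it.
#    reg.exe expects HKLM\... rather than the PowerShell HKLM:\... form.
$nativePath = $KeyPath -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $nativePath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; ACL left unchanged.' }

# 2. reg export does not capture permissions, so save the current ACL as SDDL too.
$acl = Get-Acl -Path $KeyPath
$acl.Sddl | Set-Content -Path "$Backup.sddl"

# 3. Look for an existing Allow rule (explicit or inherited) that names this
#    account directly and already covers ReadKey. Group-based rules are not checked.
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$read = [System.Security.AccessControl.RegistryRights]::ReadKey
$existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $read) -eq $read
    }

if ($existing) {
    Write-Output "$Account already has ReadKey on $KeyPath; nothing changed."
}
else {
    # 4. Add an Allow rule for ReadKey only: no write access, no FullControl.
    #    ContainerInherit extends it to subkeys; use 'None' to limit it to this key.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, $read,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Output "Granted ReadKey on $KeyPath to $Account. Backup: $Backup"
}
```

Run it once per account that Process Monitor showed being denied, changing `$Account` each time, then refresh the event log to confirm Event ID 6481 has stopped.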

If you'd like more information on this post or C5 Insight's services and solutions, please contact us.