Audit Event Logging - attributes automatically converted to uppercase?

Hi,
We have an issue with registering audit events: when we register a new audit event with our own set of attributes, for some unknown reason all these attributes are changed to all capital letters. We can see it directly in the waveset database.
How can we avoid this behaviour? Our customer requires us to avoid this, since some attributes are user input comments.
Please advise.
<Action id='1' name='Audit_the_Approval' application='com.waveset.session.WorkflowServices'>
  <ReportTitle>
    <s>Audit_the_Approval</s>
  </ReportTitle>
  <Argument name='op' value='audit'/>
  <Argument name='type' value='User'/>
  <Argument name='name' value='custom description'/>
  <Argument name='status' value='Success'/>
  <Argument name='action' value='approve'/>
  <Argument name='subject' value='config'/>
  <Argument name='resource' value='MySupplierPortal'/>
  <Argument name='accountId' value='501130222'/>
  <Argument name='attributes'>
    <Map>
      <MapEntry key='fullname' value='Edgar Alejandro'/>
    </Map>
  </Argument>
  <Argument name='logResultErrors' value='true'/>
  <Argument name='approver' value='configurator'/>
  <Argument name='originalAttributes'>
    <Map>
      <MapEntry key='fullname' value='Edgar'/>
    </Map>
  </Argument>
  <Return from='WF_ACTION_ERROR' to='bol_hasError'/>
  <Return from='WF_ACTION_RESULT' to='str_errMessage'/>
</Action>

When will SUN explain why they do this?
This behaviour, the audit log converting and storing data in upper case, has been in IDM since version 5.0 at least.
Maybe SUN can comment why they see an "audit" as not quite the same thing as a record that shows what events happened.
GF

Similar Messages

  • While Installation of 11g database creation time error ORA-28056: Writing audit records to Windows Event Log failed Error

    Hi Friends,
    OS = Windows XP 3
    Database = Oracle 11g R2 32 bit
    Processor= intel p4 2.86 Ghz
    Ram = 2 gb
    Virtual memory = 4gb
    I was able to install Oracle 11g successfully, but during installation, at the time of database creation, I got the following error many times and ignored it many times... but at 55% my installation finally hung and nothing happened after that.
    ORA-28056: Writing audit records to Windows Event Log failed Error, and at 55% my installation hung. I ended the installation and tried to create the database afterward with DBCA, but the same thing happened.
    Please, someone help me out, as I need to install on the same machine.
    Thanks and Regards

    AAP wrote:
    Thanks Now I am able to Create a database , but with one error,
    When I created a database using DBCA, at the last stage I got this error,
    Database Configuration Assistant : Warning
    Enterprise Manager Configuration Failed due to the Following error Listener is not up or database service is not registered with it.  Start the listener & Registered database service & run EM Configuration Assistant again....
    But when I checked the listener was up.....
    Now what was the problem? I am able to connect and work through sqlplus,
    But I didn't get the link for EM, and when I try to create a new connection in SQL Developer it gives an error ( Status : failure - Test Failed the Network Adapter could not establish the connection )
    Thanks & Regards
    Creation of the dbcontrol requires a connection via the listener.  When configuring the dbcontrol as part of database creation, it appears that the dbcontrol creation step runs before the dynamic registration of the database with the listener is complete.  Now that the database itself is completed and enough time (really, just a minute or two) has passed to allow the instance to register, use dbca or emca to create the dbcontrol.
    Are you able to get a sqlplus connection via the listener (sqlplus scott/tiger@orcl)?  That needs to be the first order of business.

  • Reporting Services not automatically starting. System event log 7009, Application event: 18456

    For the past month (since Oct 11, 2012), Reporting Services (SSRS 2008 R2) has not been starting after the server is rebooted. The service is set to start automatically and starts manually without a problem. The system event log contains the following error:
    Event ID 7009: A timeout was reached (30000 milliseconds) while waiting for the SQL Server Reporting Services (MSSQLSERVER) service to connect.
    SQL logs:
    The SQL logs have many "Event 18456 Login Failed, State 38" errors when the database engine starts. I assume client connections are failing because the databases aren't online yet. None of these 18456 errors correspond to the account Reporting Services runs under.
    The SQL logs indicate Event 7009 occurs before the "ReportingServer" database is online, so I'm assuming there is a dependency, but I don't know how to avoid this.
    This problem is occurring on a number of our servers running SSRS (if not all).
    Any ideas?
    Paul

    Hi A141695,
    For Event ID 7009, you can try to do the steps below to resolve it.
        1. Click Start, click Run, type regedit, and then click OK.
        2. Locate and then click the following registry subkey:
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
        3. Right-click Control, point to New, and then click DWORD Value.
        4. In the New Value #1 box, type ServicesPipeTimeout, and then press ENTER.
        5. Right-click ServicesPipeTimeout, and then click Modify.
        6. Click Decimal, type the number of milliseconds that you want to wait until the service times out, and then click OK.
    For example, to wait 60 seconds before the service times out, type 60000.
    Quit Registry Editor, and then restart the computer. For more information about it, please see:
    http://www.sqlservercentral.com/Forums/Topic850540-1550-1.aspx#bm851211
    http://myitforum.com/myitforumwp/2012/08/22/configmgr-2012-sms_srs_reporting_point-component-failure/
    If you have any questions, please feel free to ask.
    Regards,
    Charlie Liao
    TechNet Subscriber Support
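
The regedit steps in the answer above can also be scripted and checked. This is an added example, not part of the original thread: the function names and the upper bound of the accepted range are assumptions, while the registry path, value name and the 60000 ms figure come from the answer.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Function names are hypothetical.

function Set-ServicesPipeTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Timeout in milliseconds. 60000 is the 60-second example from the answer;
        # the 600000 upper bound is an assumption chosen to catch typing mistakes.
        [ValidateRange(30000, 600000)]
        [int]$Milliseconds = 60000
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $name = 'ServicesPipeTimeout'

    # Record what is there now. No value means the 30000 ms wait quoted in Event ID 7009.
    $previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Milliseconds")) {
        # -Force overwrites an existing value instead of failing on it.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $Milliseconds -Force | Out-Null
    }

    # Read the value back so the caller sees what is actually stored.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Previous      = $previous
        Current       = $current
        # The new timeout only applies after a restart.
        RestartNeeded = ($previous -ne $current)
    }
}

function Get-ServiceTimeoutEvent {
    param([int]$Days = 7)

    # List recent Event ID 7009 records so the effect can be compared
    # before and after the restart.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 7009
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Preview the change without writing anything:
#   Set-ServicesPipeTimeout -Milliseconds 60000 -WhatIf
# Apply it, restart, then confirm that 7009 no longer appears:
#   Set-ServicesPipeTimeout -Milliseconds 60000
#   Get-ServiceTimeoutEvent -Days 1
```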

  • Audit/Log GPO changes and Logging of new addition of Domain Controllers in the Event Log

    Hi all, 
    We are trying to log the following items in the event log for Windows 2012. This applies to a domain controller.
    1) Audit any changes made to the Group Policy
    2) Log the addition of new domain controllers added to the system.
    We need the windows event log to record the above events for security purposes. Can anyone advise if this is doable? If yes what are the steps. 
    Thank you

    Hi,
    >>1) Audit any changes made to the Group Policy
    We can enable audit for directory service object access and configure specific SACL for group policy files to do this.
    For a step-by-step guide to auditing changes to Group Policy, the following two blogs can be referred to for more information.
    Monitoring Group Policy Changes with Windows Auditing
    http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx
    Auditing Group Policy changes
    http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
    >>2) Log the addition of new domain controllers added to the system.
    Based on my knowledge, when a server is successfully promoted to be domain controller, event ID 29223 will be logged in the System log.
    Regarding this point, the following thread can be referred to for more information.
    Is an Event ID for a completed Domain Controller promotion logged on the PDC?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/11b18816-7db0-49e2-9a65-3de0e7a9645e/is-an-event-id-for-a-completed-domain-controller-promotion-logged-on-the-pdc?forum=winserverDS
    Best regards,
    Frank Shen
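
One way to act on the answer above, as an added example that is not part of the original thread. The "Directory Service Changes" subcategory and Event ID 5136 are not named in the thread and are chosen here; the function names are hypothetical, the SACL on the Group Policy objects is assumed to be configured as the answer describes, and Event ID 29223 is taken from the answer.

```powershell
# Added example (not from the thread). Run elevated on a domain controller.
# Function names are hypothetical.

function Enable-GpoChangeAuditing {
    # "Directory Service Changes" is the audit subcategory that produces
    # Event ID 5136 (a directory service object was modified).
    auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
    # Show the resulting setting so it can be confirmed.
    auditpol /get /subcategory:"Directory Service Changes"
}

function Get-GpoChangeEvent {
    param([int]$MaxEvents = 200)

    # Keep only 5136 records whose object class is groupPolicyContainer,
    # which is the directory object behind each GPO.
    $xpath = "*[System[(EventID=5136)] and " +
             "EventData[Data[@Name='ObjectClass']='groupPolicyContainer']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Turn the <Data Name="..."> elements into a lookup table.
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                GpoDN       = $data['ObjectDN']
                Attribute   = $data['AttributeLDAPDisplayName']
                # %%14674 = value added, %%14675 = value deleted
                Operation   = $data['OperationType']
                NewValue    = $data['AttributeValue']
            }
        }
}

function Get-DcPromotionEvent {
    # Event ID 29223 in the System log is the ID given in the answer above.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 29223 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Message
}

# Typical use:
#   Enable-GpoChangeAuditing
#   Get-GpoChangeEvent -MaxEvents 50 | Format-Table -AutoSize
#   Get-DcPromotionEvent
```

A GPO edit usually raises the versionNumber attribute on the groupPolicyContainer object, so that attribute is the one to watch in the output.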

  • The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

    Last night, some of our systems installed updates released on 11/13/2014.  
    KB3021674
    KB2901983
    KB3023266
    KB3014029
    KB3022777
    KB3020388
    KB890830
    Today, all of the servers running Windows Server 2008 R2 started logging the following error in the Security log over and over:
    Log Name:      Security
    Source:        Microsoft-Windows-Eventlog
    Date:          1/15/2015 11:12:39 AM
    Event ID:      1108
    Task Category: Event processing
    Level:         Error
    Keywords:      Audit Success
    User:          N/A
    Description:
    The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
    Servers running Windows Server 2008 that also installed the updates are not experiencing the problem.  It looks like one of the updates may have introduced this problem with Server 2008 R2.

    ...Did you for sure confirm that:
    https://technet.microsoft.com/library/security/MS15-001
    is the cause?
    I did.  I had a VM that was not experiencing the problem.  I took a snapshot and tested the patches one by one.  Installing only KB3023266 immediately caused the issue to occur (after reboot).  A similar process was used to confirm that installing KB2675611 resolved the problem.
    Note that I found the installation of KB2675611 is usually quick, but it took several hours to install on some of our systems.  We had installed this patch a few months ago on a couple of servers and it was always quick to install.  But, it seems like installing it on a symptomatic system can cause it to take a long time.

  • How to automatically convert to-do items into events

    Hi, I have a calendar which contains many to-do items with dates. I would like to have these to-do items become events. Is there any way to have iCal automatically convert these to-do items into events using a script or plug-in?
    thank you for your help and consideration.
    deborah

    Deborah
    Try this. I suggest you save it in ~/Library/Scripts, so that it will be accessible from the drop-down scripts menu. I also suggest that you try it before using it seriously - in iCal, use File/Backup database, then if you don't like what happens, use File/Revert. Feel free to ask questions!
    AK
    tell application "iCal"
        set CalList to name of every calendar
        repeat with ThisCal in CalList
            set SomeTasks to todos of calendar ThisCal
            set SomeTasks to reverse of SomeTasks --otherwise delete causes problems
            repeat with ThisTask in SomeTasks
                try
                    set DoItOn to (due date of ThisTask) + 3 * days --fails if no date
                    tell calendar ThisCal
                        set ThisEvent to make new event at end of events
                        set summary of ThisEvent to summary of ThisTask
                        set start date of ThisEvent to due date of ThisTask
                        if (count of (description of ThisTask)) is not 0 then set description of ThisEvent to description of ThisTask
                        if (count of (url of ThisTask)) is not 0 then set url of ThisEvent to (url of ThisTask) as text
                        delete ThisTask
                    end tell
                end try
            end repeat --ThisTask in SomeTasks
        end repeat --ThisCal in CalList
    end tell

  • Data Access Service is unable to log audit events to the security event log

    Hi,
    Scenario: SCOM 2012 R2 UR4. (Windows 2012 R2)
    Today SCOM has generated 4 alerts: Data Access Service is unable to log audit events to the security event log.
    The service account for "System Center Data Access Service" service is "Local System".
    The users at "Generate security audits" are: LOCAL SERVICE and NETWORK SERVICE.
    The question is:
    How do I resolve this alert? (Where should I look to obtain more information to resolve this problem?)
    Thanks in advance!

    Local system account is different from local service account. For a detailed description of these accounts, please refer to:
    LocalService Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684188(v=vs.85).aspx
    LocalSystem Account
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
    Generate security audits, which is under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment of Group Policy, determines which accounts can be used by a process to add entries to the security log. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.
    To identify the SDK account:
    1) Open services.msc
    2) From the System Center Data Access Service, you can see the SDK "Log On As" account
    Roger

  • Vista got corrupt after power failure. sfc reports error and Event log service is unable to start itself.

    Hi,
    After a sudden power failure, I guess the Vista file system is corrupt. I am able to start Vista in normal mode, but there seem to be errors: the Event Log service is unable to start itself, when I start IE it closes automatically, Norton antivirus does not start itself, and so on.
    After a Bing search, I went to safe mode and executed sfc /scannow and it reported the error below.
    "Windows resource protection found corrupt files but was unable to fix some of them"
    Unfortunately I am unable to upload the log file, so I am pasting the CBS.log content here.... Please advise.
    Some parts of logs are removed due to limit of 60000 characters.
    Please advise.
    Regards

    Hi,
    First, I would suggest using the Last Known Good Configuration:
    Using Last Known Good Configuration
    http://windows.microsoft.com/en-in/windows/using-last-known-good-configuration#1TC=windows-vista
    If this cannot bring your Windows Vista back to a good state, I suggest you perform an in-place upgrade to fix the corrupted files:
    How to Perform an In-Place Upgrade on Windows Vista, Windows 7, Windows Server 2008 & Windows Server 2008 R2
    http://support.microsoft.com/kb/2255099/en-us
    Alex Zhao
    TechNet Community Support

  • Remote desktop fails, can still connect to event log and services.

    I am unable for some reason to remote into a machine that I've been able to before.  This occurred after it installed automatic updates.  At the moment I can connect to services and the event log from another machine with the same credentials, but I can't log onto the machine itself.  Is there any way to reset this info or such?  This machine is a part of a domain and can read credentials from the domain controller.  I also do know that remote desktop is enabled.
    The following error occurs in the event log on the affected machine.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2013-03-21 10:28:23 AM
    Event ID:      5061
    Task Category: System Integrity
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      ****
    Description:
    Cryptographic operation.
    Subject:
        Security ID:        SYSTEM
        Account Name:        ****$
        Account Domain:        *******
        Logon ID:        0x3e7
    Cryptographic Parameters:
        Provider Name:    Microsoft Software Key Storage Provider
        Algorithm Name:    RSA
        Key Name:    TSSecKeySet1
        Key Type:    Machine key.
    Cryptographic Operation:
        Operation:    Decrypt.
        Return Code:    0xc000000d
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5061</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12290</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-03-21T14:28:23.339874500Z" />
        <EventRecordID>937125</EventRecordID>
        <Correlation />
        <Execution ProcessID="500" ThreadID="548" />
        <Channel>Security</Channel>
        <Computer>**********</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">*******$</Data>
        <Data Name="SubjectDomainName">********</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
        <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
        <Data Name="AlgorithmName">RSA</Data>
        <Data Name="KeyName">TSSecKeySet1</Data>
        <Data Name="KeyType">%%2499</Data>
        <Data Name="Operation">%%2484</Data>
        <Data Name="ReturnCode">0xc000000d</Data>
      </EventData>
    </Event>

     
    Hi,
    The following methods could be used to resolve some of the most common problems.
    Potential issues that may be seen:
    1.) Remote Desktop endpoint is missing
    Each virtual machine that is created should have a remote desktop endpoint for the VM at port 3389. If this endpoint is deleted then a new endpoint must be created. The public port can be any available port number. The private port (the port on the VM) must be 3389.
    2.) RDP fails with error: "The specified user name does not exist. Verify the username and try logging in again. If the problem continues, contact your system administrator or technical support."
    RDP connection may fail when there are cached credentials. Please see the following article to resolve this problem:
    http://www.c-sharpcorner.com/uploadfile/ae35ca/windows-azure-fixing-reconnect-remote-desktop-error-the-specified-user-name-does-not-exist-verif/
    3.) Failure to connect to uploaded VHD
    When a VHD is uploaded to Windows Azure you must make sure that Remote Desktop is enabled on the VHD and an appropriate firewall rule is enabled on the VM to open port 3389 (Remote Desktop port).
    Hope this helps!
    Regards.
    Vivian Wang
    TechNet Community Support

  • Unable to capture Exchange Mailbox Auditing events for email creation

    We are looking to capture Owner mailbox auditing events using the native Exchange 2013 auditing tools (Search-MailboxAuditLog). I have auditing enabled with all actions for Owner, and capture items performed via Outlook, except for new emails created.
    If I create new emails via OWA, I am able to capture the event, but as soon as I go back to Outlook and create a new message, I don't see anything audited. I also tried this in our Dev environment and am seeing the same behavior. Has anyone else experienced this behavior?

    Hi,
    I have tested this in my environment. If I create a message in Outlook as an owner, the mailbox audit logging can't record it.
    If I create a message on Outlook as a delegate, when using the Search-MailboxAuditLog cmdlet to search the audit log, it will be displayed as follows:
    The operation is "SendAs", not "Create".
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

    I got the following problem:
    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.
    Also, SQL Agent Service won't run.
    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...
    When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:
    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    A system error has occurred.
    System error 2 has occurred.
    The system cannot find the file specified.
    I tried:
    restarted the OS (virtual on the host's VMWare).
    re-checked the settings in services menu - they are like in the link.
    checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    ran sfc /scannow - Windows Resource Protection did not find any integrity violations.
    went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components
    EDIT: Uninstalled the recent system updates and rebooted - didn't help
    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):
    filters:
    process name is svchost.exe : include
    operation contains TCP : exclude
    the events captured are:
    21:50:33.8105780 svchost.exe 772 Thread Create SUCCESS Thread ID: 6088
    21:50:33.8108848 svchost.exe 772 RegOpenKey HKLM SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
    21:50:33.8109134 svchost.exe 772 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8109302 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services REPARSE Desired Access: Read
    21:50:33.8109497 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
    21:50:33.8110051 svchost.exe 772 RegCloseKey HKLM SUCCESS
    21:50:33.8110423 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8110705 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
    21:50:33.8110923 svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
    21:50:33.8111257 svchost.exe 772 RegOpenKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS Desired Access: Read
    21:50:33.8111547 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services SUCCESS
    21:50:33.8111752 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS
    21:50:33.8111901 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    21:50:33.8112148 svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters SUCCESS
    21:50:33.8116552 svchost.exe 772 Thread Exit SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
    NOTE: previously, for
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is
    21:46:31.6130476 svchost.exe 772 RegQueryValue HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
    I also checked for the presence of wevtsvc.dll in the place and it's there.
    Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:
    21:38:38.9185226 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Tag NAME NOT FOUND Length: 16
    21:38:38.9185513 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup NAME NOT FOUND Length: 268
    21:38:38.9185938 services.exe 492 RegQueryValue HKLM\System\CurrentControlSet\services\EventSystem\Group NAME NOT FOUND Length: 268
    Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).
    What can be done?

    Hi,
    I didn't find a similar issue. If you have IE 11, please try to update the system automatically or install the MS14-029 update.
    The related KB:
    MS14-029: Security update for Internet Explorer 11 for systems that do not have update 2919355 (for Windows 8.1 or Windows Server 2012 R2) or update 2929437 (for Windows 7 SP1 or Windows Server 2008 R2 SP1) installed: May 13, 2014
    http://support.microsoft.com/kb/2961851/en-us
    Hope this helps.
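    The checks the poster made by hand (service identity, Parameters\ServiceDll, the DLL on disk, the log directory) can be collected in one read-only pass. The following is an added example, not code from the thread; the Svchost group check and the function names are additions made here, and it is written to run on the PowerShell 2.0 that ships with Windows Server 2008 R2, from an elevated prompt.

```powershell
# Added example: read-only checks of what the Event Log service needs to start.
$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\eventlog'
$hostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function New-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Ok = $Ok; Detail = $Detail }
}

function Test-EventLogServiceConfig {
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if (-not $svc) { New-Check 'Service key' $false "$svcKey not found"; return }

    # Logon account: the post reports NT AUTHORITY\LocalService.
    New-Check 'ObjectName' ($svc.ObjectName -eq 'NT AUTHORITY\LocalService') "$($svc.ObjectName)"

    # ImagePath: the host executable, plus the svchost group named after -k.
    $image = [Environment]::ExpandEnvironmentVariables("$($svc.ImagePath)")
    $exe = $null; $group = $null
    if ($image -match '^\s*"?(?<exe>[^"]+?\.exe)"?(?:\s+-k\s+(?<grp>\S+))?') {
        $exe = $Matches['exe']; $group = $Matches['grp']
    }
    New-Check 'ImagePath executable' ([bool]($exe -and (Test-Path -LiteralPath $exe))) $image

    # A svchost-hosted service must also be listed in its group under the Svchost key.
    if ($group) {
        $members = (Get-ItemProperty -Path $hostKey -Name $group -ErrorAction SilentlyContinue).$group
        New-Check "Svchost group '$group'" ($members -contains 'eventlog') "members: $($members -join ', ')"
    }

    # Parameters\ServiceDll: the value the poster found missing and re-created.
    $paramKey = Get-Item -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    $rawDll = $null
    if ($paramKey) { $rawDll = $paramKey.GetValue('ServiceDll', $null, 'DoNotExpandEnvironmentNames') }
    if (-not $rawDll) {
        New-Check 'Parameters\ServiceDll' $false 'value missing (NAME NOT FOUND in Process Monitor)'
    } else {
        $kind = $paramKey.GetValueKind('ServiceDll')
        $dll  = [Environment]::ExpandEnvironmentVariables($rawDll)
        New-Check 'ServiceDll file' (Test-Path -LiteralPath $dll) "$rawDll -> $dll"
        # Registry reads return a %variable% path unexpanded when the value kind is
        # String (REG_SZ); flag it so it can be compared with a known-good server.
        New-Check 'ServiceDll kind' (-not ($kind -eq 'String' -and $rawDll -match '%')) "$kind"
    }

    # Log directory the poster changed permissions on.
    $logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    New-Check 'Log directory' (Test-Path -LiteralPath $logDir -PathType Container) $logDir
}

Test-EventLogServiceConfig | Select-Object Check, Ok, Detail | Format-Table -AutoSize -Wrap
```

    Running the same function on a healthy server of the same build gives a baseline to compare each row against.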

  • Windows service write to event log

    Have strange conduct of code within my application. I've created windows service the same as according to MSDN default instruction:
    https://msdn.microso...=vs.110%29.aspx
    It's working and logging to event log correctly. After that I copied that project and based on it I started to create a second, almost similar one. My issue is within the below part of code belonging to ProjectInstaller.vb: when I installed it and tried to Start, I get a message that the Windows service started and stopped immediately.
    Imports System.ComponentModel
    Imports System.Configuration.Install

    Public Class ProjectInstaller
        Public Sub New()
            MyBase.New()
            'This call is required by the Component Designer.
            InitializeComponent()
            'Add initialization code after the call to InitializeComponent
        End Sub

        Protected Overrides Sub OnBeforeInstall(ByVal savedState As IDictionary)
            Dim parameter As String = "MySvcDeon2"" ""MyLogFileSvcDeon2"
            Context.Parameters("assemblypath") = """" + Context.Parameters("assemblypath") + """ """ + parameter + """"
            MyBase.OnBeforeInstall(savedState)
        End Sub
    End Class
    Within this line: Dim parameter As String = "MySvcDeon2"" ""MyLogFileSvcDeon2"
    When I change it to this form then the service is starting correctly without any error message:
    Dim parameter As String = "MySvcDeon1"" ""MyLogFileSvcDeon1"
    It's working. But Deon2 is already created by my first windows service. What's wrong?

    I also tried from the official MSDN site but got the same error. Anyhow, see my code below:
    ProjectInstaller.vb:
    Imports System.ComponentModel
    Imports System.Configuration.Install

    Public Class ProjectInstaller
        Public Sub New()
            MyBase.New()
            'This call is required by the Component Designer.
            InitializeComponent()
            'Add initialization code after the call to InitializeComponent
        End Sub
    End Class
    ProjectInstaller.Designer.vb
    <System.ComponentModel.RunInstaller(True)> Partial Class ProjectInstaller
        Inherits System.Configuration.Install.Installer

        'Installer overrides dispose to clean up the component list.
        <System.Diagnostics.DebuggerNonUserCode()> _
        Protected Overrides Sub Dispose(ByVal disposing As Boolean)
            Try
                If disposing AndAlso components IsNot Nothing Then
                    components.Dispose()
                End If
            Finally
                MyBase.Dispose(disposing)
            End Try
        End Sub

        'Required by the Component Designer
        Private components As System.ComponentModel.IContainer

        'NOTE: The following procedure is required by the Component Designer
        'It can be modified using the Component Designer.
        'Do not modify it using the code editor.
        <System.Diagnostics.DebuggerStepThrough()> _
        Private Sub InitializeComponent()
            Me.ServiceProcessInstaller1 = New System.ServiceProcess.ServiceProcessInstaller()
            Me.ServiceInstaller1 = New System.ServiceProcess.ServiceInstaller()
            '
            'ServiceProcessInstaller1
            '
            Me.ServiceProcessInstaller1.Account = System.ServiceProcess.ServiceAccount.LocalSystem
            Me.ServiceProcessInstaller1.Password = Nothing
            Me.ServiceProcessInstaller1.Username = Nothing
            '
            'ServiceInstaller1
            '
            Me.ServiceInstaller1.Description = "Chorus windows service collector"
            Me.ServiceInstaller1.DisplayName = "SvcChorusCollector"
            Me.ServiceInstaller1.ServiceName = "SvcChorusCollector"
            Me.ServiceInstaller1.StartType = System.ServiceProcess.ServiceStartMode.Automatic
            '
            'ProjectInstaller
            '
            Me.Installers.AddRange(New System.Configuration.Install.Installer() {Me.ServiceProcessInstaller1, Me.ServiceInstaller1})
        End Sub

        Friend WithEvents ServiceProcessInstaller1 As System.ServiceProcess.ServiceProcessInstaller
        Friend WithEvents ServiceInstaller1 As System.ServiceProcess.ServiceInstaller
    End Class
    SvcChorusCollector.vb:
    Public Class SvcChorusCollector
        Private Const EvtLogSource As String = "MySourceSvcChorusCollector"
        Private Const EvtLogName As String = "MyLogSvcChorusCollector"
        Private syncRoot As New Object
        Dim timer As System.Timers.Timer = New System.Timers.Timer()
        Sub New()
            ' This call is required by the designer.
            InitializeComponent()
            ' Add any initialization after the InitializeComponent() call.
            If Not System.Diagnostics.EventLog.SourceExists(EvtLogSource) Then
                System.Diagnostics.EventLog.CreateEventSource(EvtLogSource, EvtLogName)
            End If
            EventLog1.Source = EvtLogSource
        End Sub
        Protected Overrides Sub OnStart(ByVal args() As String)
            ' Add code here to start your service. This method should set things
            ' in motion so your service can do its work.
            EventLog1.WriteEntry("In OnStart")
            ' Set up a timer to trigger every second.
            timer.Interval = 1000 ' 1 second
            'Unfortunately the OnTimer event handler will be executed even if one is already running once Interval is reached, by default.
            'This is because it runs on multiple threads and not in the main thread unless a SynchronizingObject is supplied (which it wasn't), as below:
            'timer.SynchronizingObject = Me
            'This solves the problem. The other way is to take a lock within the OnTimer event handler, as is done right now.
            AddHandler timer.Elapsed, AddressOf Me.OnTimer
            timer.Start()
        End Sub
        Protected Overrides Sub OnStop()
            ' Add code here to perform any tear-down necessary to stop your service.
            EventLog1.WriteEntry("In OnStop")
        End Sub
        Protected Overrides Sub OnContinue()
            EventLog1.WriteEntry("In OnContinue.")
        End Sub
        Private Sub OnTimer(ByVal sender As Object, ByVal e As Timers.ElapsedEventArgs)
        End Sub
    End Class
    SvcChorusCollector.Designer.vb
    Imports System.ServiceProcess

    <Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _
    Partial Class SvcChorusCollector
        Inherits System.ServiceProcess.ServiceBase

        'UserService overrides dispose to clean up the component list.
        <System.Diagnostics.DebuggerNonUserCode()> _
        Protected Overrides Sub Dispose(ByVal disposing As Boolean)
            Try
                If disposing AndAlso components IsNot Nothing Then
                    components.Dispose()
                End If
            Finally
                MyBase.Dispose(disposing)
            End Try
        End Sub

        ' The main entry point for the process
        <MTAThread()> _
        <System.Diagnostics.DebuggerNonUserCode()> _
        Shared Sub Main()
            Dim ServicesToRun() As System.ServiceProcess.ServiceBase
            ' More than one NT Service may run within the same process. To add
            ' another service to this process, change the following line to
            ' create a second service object. For example,
            '
            '   ServicesToRun = New System.ServiceProcess.ServiceBase () {New Service1, New MySecondUserService}
            '
            ServicesToRun = New System.ServiceProcess.ServiceBase() {New SvcChorusCollector}
            System.ServiceProcess.ServiceBase.Run(ServicesToRun)
        End Sub

        'Required by the Component Designer
        Private components As System.ComponentModel.IContainer

        ' NOTE: The following procedure is required by the Component Designer
        ' It can be modified using the Component Designer.
        ' Do not modify it using the code editor.
        <System.Diagnostics.DebuggerStepThrough()> _
        Private Sub InitializeComponent()
            Me.EventLog1 = New System.Diagnostics.EventLog()
            CType(Me.EventLog1, System.ComponentModel.ISupportInitialize).BeginInit()
            '
            'EventLog1
            '
            '
            'SvcChorusCollector
            '
            Me.ServiceName = "SvcChorusCollector"
            Me.CanStop = True                   'if this is not set to true then it will not be possible to stop the service manually from the services window (services.msc) !!!
            Me.AutoLog = True
            CType(Me.EventLog1, System.ComponentModel.ISupportInitialize).EndInit()
        End Sub

        Friend WithEvents EventLog1 As System.Diagnostics.EventLog
    End Class
    The second service is on the same basis; of course the service names, source and log name are different. What am I doing wrong? The error message appears really fast, after ~8 sec.

  • Office 2013 Click-to-Run Event Logs

    Anyone know what the event logs are (Source, Event ID, etc) for Office 2013 Click-to-Run version? Specifically, I'm trying to find out when my installation was last updated (automatic updates are enabled). In general it would also be nice to know what all of the different events are that the program will log.
    Shaun

    Hi,
    To view the Office updates log, we can just go to Control Panel > All Control Panel Items > Windows Update and click View update history.
    If you want to know all the event logs related to Microsoft Office, we can use Event Viewer.
    http://windows.microsoft.com/en-in/windows/open-event-viewer#1TC=windows-7
    To find Office-related logs, click Event Viewer > Applications and Services Logs > Microsoft Office Alerts in the Event Viewer window.
    Regards,
    Steve Fan
    Forum Support

  • Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

    I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
    I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
    I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
    Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
    Issue 1)
    After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
    Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
    I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
    Issue 2)
    I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
    https://support.microsoft.com/kb/2870416?wa=wsignin1.0
    One of the perf counters fails to register using the script from the link above.
    66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
    New-PerfCounters : The performance counter definition file is invalid.
    At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
    +    New-PerfCounters -DefinitionFileName $f
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidData: (:) [New-PerfCounters], TaskException
        + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
       12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
    But that one seems unrelated to the ones that still throw errors. 
    Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
    Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
    exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
    is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
    The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
       at System.Diagnostics.PerformanceCounter.InitializeImpl()
       at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
    Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
       at System.Diagnostics.Process.GetProcessById(Int32 processId)
       at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
    Issue 3)
    I appear to have some issues related to the healthmailboxes. 
    I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
    SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
    lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
    I reran setup /prepareAD to try and remedy this but I am still getting some.
    Issue 4)
    I am getting an MSExchange RBAC 74 error. 
    (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
    Issue 5)
    I am getting MSExchange Assistants 9042 warnings on both databases.
    Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
    skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
    Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
    If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
    Issue 6)
    At boot I am getting an MSExchange ActiveSync warning 1033
    The setting SupportedIPMTypes in the Web.Config file was missing. 
    Using default value of System.Collections.Generic.List`1[System.String].
    I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

    Hi Eric
    Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3rd time. 
    I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
    I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
    If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
    So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
    Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
    I then applied an address policy to them and gave it the highest priority. 
    Then I set a default email address policy for the entire organization. 
    After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
    So issue number 3 above has not come up. 
    For issue number one above I have created a new thread:
    https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
    For issue number four I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
    Issue number Five I have managed to recreate and get rid of in more than one way. 
    If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
    If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
    The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
    If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
    So my off hand guess is that these are caused by orphaned system mailboxes.
    For issue number six I have posted to this existing thread where there is so far no resolution:
    https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
    So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
    The exact same 5 perf counters were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
    Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
    Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as with all event log errors, I would prefer to make them go away if possible.

  • How can I turn off Event ID 5156 AND 5145 in the Security Event Log?

    Hi,
    I have a high volume web service.   Every time there is a connection from the outside, it logs this in my security event log.
    I want to turn this off.
    How can I stop the logging of event id 5156 on the web server and 5145 on the file server?
    Thanks!
    Dane!

    Hi,
    Thanks for posting in Microsoft TechNet forums.
    The problem can be related to Audit settings. Please check the following threads to see if the information can be useful during the troubleshooting:
    auditing file share on windows 2008 R2
    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/9e633bad-cda6-4ec4-8f04-c01de57ce767
    Event ID 5156 filling up event logs. Probably due to anti-virus software (SEP 11)
    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/8044fb62-f5ea-45b5-b717-3f6592af77e0
    Regards
    Kevin
    TechNet Subscriber Support
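    The audit settings the reply points to are two advanced audit policy subcategories: event 5156 belongs to "Filtering Platform Connection" and event 5145 to "Detailed File Share". The following is an added example, not code from the thread, that measures the volume, backs up the current policy and then turns off success auditing for one subcategory; the function names and the backup path are assumptions made here.

```powershell
# Added example. Subcategory names are the built-in English names listed by:
#   auditpol /list /subcategory:*
$NoisyEvents = @{
    5156 = 'Filtering Platform Connection'   # WFP permitted a connection (web server)
    5145 = 'Detailed File Share'             # per-access share check (file server)
}

function Get-SecurityEventCount {
    param([int]$EventId, [int]$Minutes = 5)
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent raises an error when nothing matches; treat that as zero.
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue).Count
}

function Disable-NoisyAuditSubcategory {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][int]$EventId,
        # By default only success auditing is turned off, so failure events in the
        # same subcategory (for example 5157, blocked connection) keep being logged.
        [switch]$IncludeFailure,
        [string]$BackupFile = "$env:TEMP\auditpol-backup.csv"   # hypothetical path
    )
    $name = $NoisyEvents[$EventId]
    if (-not $name) { throw "No subcategory mapped for event ID $EventId" }

    "Event ID $EventId in the last 5 minutes: $(Get-SecurityEventCount $EventId)"
    & auditpol.exe /get "/subcategory:$name"          # current setting

    if ($PSCmdlet.ShouldProcess($name, 'disable auditing')) {
        & auditpol.exe /backup "/file:$BackupFile"    # restore with: auditpol /restore /file:<path>
        $setArgs = @('/set', "/subcategory:$name", '/success:disable')
        if ($IncludeFailure) { $setArgs += '/failure:disable' }
        & auditpol.exe @setArgs
        if ($LASTEXITCODE -ne 0) { throw "auditpol exited with code $LASTEXITCODE" }
        & auditpol.exe /get "/subcategory:$name"      # confirm the new setting
    }
}

# Preview on the web server, then run without -WhatIf from an elevated prompt:
Disable-NoisyAuditSubcategory -EventId 5156 -WhatIf
# On the file server:
# Disable-NoisyAuditSubcategory -EventId 5145 -IncludeFailure
```

    If the subcategory is configured through Group Policy (Advanced Audit Policy Configuration), a local auditpol change is overwritten at the next policy refresh, so the setting has to be changed in the GPO instead.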
