Interpreting event viewer logs

What's the best approach to interpret event viewer error logs?
I'm having problems and they seem to get worse.  I can't quite get my head around the best way to diagnose.
I have seen these errors:
Power Kernel
Open gl error
hard disk has a bad block
It's quite dizzying to decipher things.

Whew .... I think issue(s) are resolved.
I suspect initially I had an audio driver conflict causing freeze ups.
http://www.evga.com/support/knowledgebase/
Next I got confused on my onboard Marvel raid needs and installed an extra driver. 
I uninstalled but crapola remained and I used Driveseeper to clean things.
So far so good!  Wow ... I can actually edit today!
-NAN
Nan Toskey
651.206.4659
www.MEDIAtoRemember.com

Similar Messages

  • Typographical error found in Event Viewer log for Event 8003. The source is "bowser" not browser.

    I found a typographical error in the Event Viewer log.
    Error 5/19/2014 1:07:52 AM bowser 8003 None
    The body of the message is typical of the NetBIOS messages regarding master browser network control...
    The master browser has received a server announcement from the computer...
    Even though this is not critical, it should be updated at some point.
    John

    It is deliberate, and has been so for 20 years...
    http://blogs.msdn.com/b/larryosterman/archive/2006/03/14/551368.aspx
    Don

  • Kerberos error in event viewer logs.

    Hi All,
    We configured Vintella SSO on XI3.1 previously and for some reason have now changed to NTLM SSO, but we are still observing Kerberos errors in the event viewer logs.
    Error 1: Kerberos error was received on log on session, client time and server time etc.
    Error 2: Kerberos client received KRB_AP_Error_Modified server host/fully qualified name. This indicates that password encrypts the kerberos service ticket different than that on target server commonly this is due to identically named machine account in the target realm and the client realms. Please contact your administrator.
    Please help.
    Thanks....

    That's a Microsoft Error coming from a Microsoft log, I can't be sure what's causing it, you need to consult Microsoft.
    Usually in their errors the service account that generated it (if by a service account) is one of the details or in the error message. You may need to stop running something with a service account...
    Regards,
    Tim

  • How to save all event viewer log files in Windows 7 Professional

    Hello,
    I would like to save all Event Viewer logs from my Windows 7 Professional computer and be able to view them from another computer.  Currently I can only save one log at a time.  Please let me know how I can save all Event Viewer logs
    (Windows Logs, Applications and Service Logs, etc.).
    Thanks,
    Jason

    Hi Jason,
    There is no idea to save all categories log.
    It's recommended that you ask in the Official Scripting Guys forum for further help:
    http://social.technet.microsoft.com/Forums/en-US/home?forum=ITCG
    Besides that, this thread could be referred:
    http://social.technet.microsoft.com/Forums/en-US/d66c1bd7-0e61-4839-a5f6-cbe29661dccb/how-to-use-script-saving-log-from-event-viewer-into-csv-file?forum=ITCG
    Karen Hu
    TechNet Community Support
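
    One way to save every log with tools built into Windows 7, as an added example that is not part of the original thread: list the logs with Get-WinEvent and export each non-empty one to .evtx with wevtutil. The destination folder C:\EventLogExport is an assumption, and the Security log is only readable from an elevated PowerShell prompt.

    ```powershell
    # Added example: export every non-empty event log on this machine to .evtx.
    # Assumption: C:\EventLogExport is a hypothetical destination; change as needed.
    $OutDir = 'C:\EventLogExport'
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    $results = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
        # Empty or disabled channels have nothing to export.
        if (-not $log.RecordCount) { continue }

        # Channel names such as "Microsoft-Windows-Ntfs/Operational" contain
        # characters that are not valid in file names.
        $safeName = $log.LogName -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path $OutDir ($safeName + '.evtx')

        # "wevtutil epl" is export-log; /ow:true overwrites an earlier export.
        & wevtutil.exe epl $log.LogName $file /ow:true 2>$null

        New-Object PSObject -Property @{
            Log      = $log.LogName
            Records  = $log.RecordCount
            File     = $file
            Exported = ($LASTEXITCODE -eq 0)
        }
    }

    # Show what was written and call out anything that failed (typically a log
    # that needs elevation, such as Security).
    $results | Sort-Object Log | Format-Table Log, Records, Exported -AutoSize
    $failed = @($results | Where-Object { -not $_.Exported })
    if ($failed.Count) { Write-Warning ("{0} log(s) could not be exported" -f $failed.Count) }
    ```

    Copy the folder to the other computer and open the files with Event Viewer's "Open Saved Log", or read them with Get-WinEvent -Path.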

  • Windows 8.1 event viewer logs.

    I am looking for the windows 8.1 event viewer logs and settings, online search fails to produce answer, and suggested .msc commands are not valid. 

    Hi @butface ,
    Thank you for visiting the HP Support Forums and Welcome. I have looked into your issue with your Windows 8.1 and the event viewer. Here is how to open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security, clicking Administrative Tools, and then double-clicking Event Viewer.
    I would be happy to assist if needed as there are many models of HP Notebook ,
    I would need the model number. How Do I Find My Model Number or Product Number?
    Please let me know.
    Thanks.

  • How to interpret Event Viewer reference to "\Device\Harddisk3\DR3"

    My Win 7 Event Viewer is showing error messages saying
    > The driver detected a controller error on \Device\Harddisk3\DR3.
    and I need to relate that to a particular drive.  Is "DR3" = "Disk 3" in the Disk Management console?  If not, how do I determine the unit responsible for the error?

    I think you should forget about the "DR3" and just look at "Harddisk3" instead. On this computer the Harddisk number corresponds to the Disk number in Disk Management.
    Looking in both "Globals" and "Devices" in Winobj, I think that \Device\Harddisk3 is a namespace and DR3 seems to represent the device (Harddisk3) within that namespace.
    As noticed by Fleet Command in the afore-mentioned thread, removing and replugging a USB drive increments the "DR" number - for example, \Device\Harddisk7\DR7 becomes \Device\Harddisk7\DR8 and then \Device\Harddisk7\DR9 etc.
    Also, my System drive (\Device\Harddisk0\DR0) and my RAM drive (\Device\Harddisk5\DR0) both use "DR0"
    Looking at the partition entries for all drives in "Devices", Partition0 seems to always be a symbolic link to the drive itself, e.g. HardDisk3\Partition0 points to Harddisk3\DR3 (try double clicking on Partition0). Also, GPT drives seem to have another extra partition listed. For example, in the Devices screenshot below Partition 0 through 5 are listed. After discounting Partition0, that still leaves 5 partitions. The drive actually only has 4 partitions. All my GPT drives are the same - they show an extra partition - yet all the MBR drives show the "correct" number (but maybe there is another explanation).
    Anyway, most of my drives have a unique number of partitions and, at least on this computer, at this moment, the "Harddisk" number corresponds with the drive index as shown on the left hand side of the bottom half of Disk Management - i.e. \Device\Harddisk3 corresponds to Disk 3
    Double clicking on PhysicalDrive3 in the Globals section of Winobj (as below)
    Brings you here
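
    To check the mapping on a given machine rather than rely on the numbers lining up, WMI can report the model, serial number and drive letters for a disk index. This is an added example, not from the original answer; the function name is hypothetical and it assumes, as the answer observes, that N in \Device\HarddiskN equals Win32_DiskDrive.Index.

    ```powershell
    # Added example: resolve a \Device\HarddiskN\DRx path from an event message
    # to the physical disk it refers to. The function name is hypothetical.
    function Resolve-EventDisk {
        param([Parameter(Mandatory = $true)][string]$DevicePath)

        # Take N from \Device\HarddiskN. The DRx suffix is ignored because it
        # changes when a removable drive is unplugged and plugged back in.
        if ($DevicePath -match '^\\Device\\Harddisk(\d+)(\\|$)') {
            $index = [int]$Matches[1]
        } else {
            throw "Not a \Device\HarddiskN path: $DevicePath"
        }

        # Assumption: N equals Win32_DiskDrive.Index, which is also the
        # "Disk N" label shown in Disk Management.
        $disk = Get-WmiObject Win32_DiskDrive -Filter "Index = $index"
        if (-not $disk) { throw "No physical disk with index $index is attached right now." }

        # Walk disk -> partitions -> logical disks to collect the drive letters.
        $id = $disk.DeviceID.Replace('\', '\\')   # WQL needs backslashes doubled
        $letters = @()
        $partitions = @(Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskDrive.DeviceID='$id'} " +
                                              "WHERE AssocClass=Win32_DiskDriveToDiskPartition"))
        foreach ($p in $partitions) {
            $letters += @(Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} " +
                                                "WHERE AssocClass=Win32_LogicalDiskToPartition") |
                          ForEach-Object { $_.DeviceID })
        }

        New-Object PSObject -Property @{
            DevicePath   = $DevicePath
            DiskNumber   = $index
            Model        = $disk.Model
            SerialNumber = $disk.SerialNumber
            Interface    = $disk.InterfaceType
            SizeGB       = [math]::Round($disk.Size / 1GB, 1)
            Partitions   = $partitions.Count
            DriveLetters = ($letters -join ', ')
        } | Select-Object DevicePath, DiskNumber, Model, SerialNumber, Interface, SizeGB, Partitions, DriveLetters
    }

    # Disk 0 exists on any machine; substitute the path from the event,
    # for example '\Device\Harddisk3\DR3'.
    Resolve-EventDisk '\Device\Harddisk0\DR0'
    ```

    Run it while the suspect drive is still attached, because the index of a removable disk can be reassigned after it is unplugged.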

  • Multiple Event Viewer Error Ids, Corrupt Catalogs, System not working right. Please help.

    Since I could not find a list of the Event Ids that was accurate at all or not too general as to be useless and Microsoft won't let us know how to fix these ourselves without having a programming degree, I am begging for help from anyone who can help me get my computer working right again. I have some important things to get done which I can't do without my computer working. I have tried to get what I could get but I am blocked from many files which makes it difficult to get info. Please help. I appreciate any help I can get. Thank you,
    WhiteFox42
    I am not sure which one is more important.
    Event id 20
    Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2 for x64-based Systems (KB2468871).
    Event id 11
    Possible Memory Leak.  Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 476) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)].  [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked.  The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20).  User Action: Contact your application vendor for an updated version of the application.
    Event id 455
    taskhost (1348) WebCacheLocal: Error -1811 (0xfffff8ed) occurred while opening logfile R:\User\App Data\Roaming\Microsoft\Templates\Local\Microsoft\Windows\WebCache\V01.log.
    Event Xml:
    Event id 505
    wuaueng.dll (1012) SUS20ClientDataStore: An attempt to open the compressed file "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb" for read / write access failed because it could not be converted to a normal file.  The open file operation will fail with error -4005 (0xfffff05b).  To prevent this error in the future you can manually decompress the file and change the compression state of the containing folder to uncompressed.  Writing to this file when it is compressed is not supported.
    Event id 513
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object
    Event id 1000
    Faulting application name: IEXPLORE.EXE, version: 11.0.9600.16428, time stamp: 0x525b664c
    Faulting module name: IEFRAME.dll, version: 11.0.9600.16476, time stamp: 0x52944cf2
    Exception code: 0xc0000005
    Fault offset: 0x00025f1d
    Faulting process id: 0x1854
    Faulting application start time: 0x01cf0735f0e5f0c7
    Faulting application path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Faulting module path: C:\Windows\system32\IEFRAME.dll
    Report Id: e3dc1e9a-733f-11e3-b920-00215a2af202
    Event id 1000
    Faulting application name: msiexec.exe, version: 5.0.7601.17514, time stamp: 0x4ce79d93
    Faulting module name: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeb033f
    Exception code: 0xc0000005
    Fault offset: 0x00000000000035e1
    Faulting process id: 0x1030
    Faulting application start time: 0x01cf01b77867a358
    Faulting application path: C:\Windows\system32\msiexec.exe
    Faulting module path: C:\Windows\system32\msvcrt.dll
    Report Id: f7253b17-6daa-11e3-b944-00215a2af202
    Event id 1002
    Computer:      w7mar-64  "I don't know why it has computer as this when it should not be."
    Description:
    The IP address lease 192.168.200.195 for the Network Card with network address 0x08002742F261 has been denied by the DHCP server 192.168.200.1 (The DHCP Server sent a DHCPNACK message).
    Event id 1008
    The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.
    Event id 1008
    Computer:      w7mar-64
    User:          LOCAL SERVICE
    Description:
    An error occurred in initializing the interface. The error code is: 0x2.
    Event id 1014
    User:          NETWORK SERVICE
    Computer:    
    Description:
    Name resolution for the name wpad.westell.com timed out after none of the configured DNS servers responded.
    Event id 1015
    User:          N/A
    Computer:      w7mar-64
    Description:
    Event ID 1013 for the Windows Search Service has been suppressed 7 time(s) since 12:04:10 PM. This event is used to suppress Windows Search Service events that have occurred frequently within a short period of time.  See Event ID 1013 for further details on this event.
    Event id 1015
    Failed to connect to server. Error: 0x8007043C
    Event id 1018
    The description for Event ID 1018 from source EvntAgnt cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    Event id 1020
    Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
    Event id 1028
    Windows Installer has determined that its configuration data cache folder was not secured properly. The owner of the key must be either Local System or Builtin\Administrators. The existing folder will be deleted and re-created with the appropriate security settings.
    Event id 1101
    .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.Web.Entity.Design, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil . Error code = 0x80010108
    Event id 1500
    The description for Event ID 1500 from source SNMP cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    Event id 1530
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
    Event id 1530
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  
     DETAIL -
     6 user registry handles leaked from \Registry\User\S-1-5-21-2959539970-205720217-4182857889-1000:
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Microsoft\Internet Explorer\Main
    Process 1020 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2959539970-205720217-4182857889-1000\Software\Policies
    Event id 3028
    Context: Windows Application, SystemIndex Catalog
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 3029
    Context: Windows Application, SystemIndex Catalog
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 3036
    The content source <csc://{S-1-5-21-2959539970-205720217-4182857889-1001}/> cannot be accessed.
    Event id 3036
    No protocol handler is available. Install a protocol handler that can process this URL type.  (HRESULT : 0x80040d37) (0x80040d37)
    Event id 4104
    Description:
    The backup was not successful. The error is: Access is denied. (0x80070005).
    Event id 4228
    TCP/IP has chosen to restrict the scale factor due to a network condition.  This could be related to a problem in a network device and will cause  degraded throughput.
    Event id 4321
    The name "WHITEFOXPC     :0" could not be registered on the interface with IP address 192.168.1.21. The computer with the IP address 192.168.1.19 did not allow the name to be claimed by this computer.
    Event id 4373
    The description for Event ID 4373 from source NtServicePack cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    Event id 4879
    MSDTC encountered an error (HR=0x80000171) while attempting to establish a secure connection with system WHITEFOXPC.
    Event id 6000
    The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
    Event id 6006
    The winlogon notification subscriber <TrustedInstaller> took 186 second(s) to handle the notification event (CreateSession).
    Event id 7000
    The Windows Audio service failed to start due to the following error:
    A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration.
    Event id 7001
    The Computer Browser service depends on the Server service which failed to start because of the following error:
    The dependency service or group failed to start.
    Event id 7010
    The index cannot be initialized.
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 7023
    The Block Level Backup Engine Service service terminated with the following error:
    %%-2147024713
    Event id 7024
    The Windows Search service terminated with service-specific error %%-1073473535.
    Event id 7026
    The following boot-start or system-start driver(s) failed to load:
    aswKbd
    aswRvrt
    aswSnx
    aswSP
    aswTdi
    aswVmm
    discache
    spldr
    Wanarpv6
    Event id 7030 & 7031
    The dldw_device service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
    Event id 7032
    The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Installer service, but this action failed with the following error:
    An instance of the service is already running.
    Event id 7040
    The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.
    Event id 7042
    The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
    Details:
        The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
    Event id 8210
    An unspecified error occurred during System Restore: (Installed Java 7 Update 45). Additional information: 0x80070003.
    Event id  9000
    The Windows Search Service cannot open the Jet property store.
    Details:
        0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))
    Event id 10005
    DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server:
    {000C101C-0000-0000-C000-000000000046}
    Event id 10010
    15 of these with different server codes which I can't copy unless I copy all the details.
    The server {3EEF301F-B596-4C0B-BD92-013BEAFCE793} did not register with DCOM within the required timeout.
    Event id 12348
    Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{8e79517c-6c41-11e3-b621-cb03f0618d54}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly.  Check security on the volume, and try the operation again.
    Event id 15006
    9 of these.
    Description:
    Owner of the log file or directory \SystemRoot\System32\LogFiles\HTTPERR\httperr1.log is invalid. This could be because another user has already created the log file or the directory.
    Event id 31004
    33 of these.
    The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
    The End.
    Kimberly D. White-Fox

    Please provide a copy of your System Information file. Type System Information in the Search Box above the start Button and press the ENTER key (alternative is Select Start, All Programs, Accessories, System Tools, System Information). Select File, Export and give the file a name noting where it is located. The system creates a new System Information file each time system information is accessed. You need to allow a minute or two for the file to be fully populated before exporting a copy. Please upload to your Sky Drive, share with everyone and post a link here. Please say if the report has been obtained in safe mode.
    Please upload and share with everyone copies of your System and Application logs from your Event Viewer to your Sky Drive and post a link here.
    To access the System log select Start, Control Panel, Administrative Tools, Event Viewer, from the list in the left side of the window select Windows Logs and System. Place the cursor on System, select Action from the Menu and Save All Events as (the default evtx file type) and give the file a name. Do the same for the Applications log. Do not provide filtered files.
    For help with Sky Drive see paragraph 9.3:
    http://www.gerryscomputertips.co.uk/MicrosoftCommunity1.htm
    Some Event Viewer reports are generated solely because the computer is in safe mode or safe mode with networking. You have at least one example of this in your long list. If you do not see the same report for a time when the computer was in normal mode then it can be disregarded.
    You will find some general advice on interpreting Event Viewer reports here:
    http://www.gerryscomputertips.co.uk/syserrors5.htm
    Hope this helps, Gerry
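
    Several entries in the list above report the failure as a signed decimal (%%-2147024713, %%-1073473535) while others give hex (0x80070005, 0xc0041801). The following added example, which is not part of the original posts, normalises either form to one 32-bit value and splits it into the HRESULT failure bit, facility and code so that entries can be matched against each other; the function name is hypothetical and the sample inputs are copied from the list above.

    ```powershell
    # Added example: normalise error codes as they appear in event descriptions.
    # The function name is hypothetical. Works on PowerShell 2.0 (no -shr/-shl).
    function ConvertTo-HResultInfo {
        param([Parameter(Mandatory = $true)][string]$Text)

        # Service Control Manager events prefix the number with "%%".
        $t = $Text.Trim().TrimStart('%')
        if ($t -match '^0x([0-9a-f]{1,8})$') {
            $u = [Convert]::ToInt64($Matches[1], 16)
        } elseif ($t -match '^-?\d+$') {
            # Signed decimal: reinterpret the two's-complement value as unsigned.
            $u = [int64]$t
            if ($u -lt 0) { $u += 4294967296 }
        } else {
            throw "Not a decimal or 0x-prefixed 32-bit code: $Text"
        }
        if ($u -lt 0 -or $u -gt 4294967295) { throw "Out of 32-bit range: $Text" }

        $failure  = ($u -ge 2147483648)                          # bit 31
        $facility = [int]([math]::Floor($u / 65536) % 2048)      # bits 16-26
        $code     = [int]($u % 65536)                            # bits 0-15

        # Facility 7 wraps a Win32 error code, and a bare value below 65536
        # (such as the quoted DCOM error) is a Win32 code already, so the
        # system message text can be looked up for both.
        $message = ''
        if ($facility -eq 7 -or $u -lt 65536) {
            $message = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
        }

        New-Object PSObject -Property @{
            Input    = $Text
            Hex      = ('0x{0:X8}' -f $u)
            Failure  = $failure
            Facility = $facility
            Code     = $code
            Message  = $message
        } | Select-Object Input, Hex, Failure, Facility, Code, Message
    }

    # Sample inputs taken from the event list in the post above.
    '%%-2147024713', '%%-1073473535', '0xc0041801', '0x80070005', '0x8007043C', '1084' |
        ForEach-Object { ConvertTo-HResultInfo $_ } |
        Format-Table -AutoSize -Wrap
    ```

    The Windows Search termination code %%-1073473535 in event 7024 is the same value as the 0xc0041801 HRESULT in events 3028, 3029, 7010 and 7042, so those entries describe one fault rather than several. Likewise 0x8007043C carries Win32 code 1084, the same number DCOM reports in event 10005.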

  • How do you change the Event Viewer archive location in Server 2008 R2?

    We're wanting to redirect the security and system event viewer logs to the D:\ on a Server 2008 R2 box
    We've got the current logs to save there, however all archived system/security logs are still being saved on the c:\ in their default location in %windir%\system32... and killing the OS partition.
    I can write something up in PoSh and schedule it, but I'd rather use any built-in capabilities first...
    I've taken a peek in the HKLM\Services\CurrentControlSet... hive where the event viewer behavior is configured and do not see an option to set a path for the archive location...

    Unfortunately, you cannot customize the location of archived event logs in Windows. The logs will always be archived to %windir%\system32\Winevt\Logs\Archive-xxxxxx
    There are some scripts that can help you automatically archive logs to another location. You can find them here: http://gallery.technet.microsoft.com/scriptcenter/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=security
    Regards,
    Zhang     
    TechNet Subscriber Support
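
    A scheduled script of the kind mentioned in the question could look like the following added example, which is not from the original thread: it copies each auto-archived log to another volume, compares SHA-256 hashes, and deletes the original only when they match. The destination D:\EventLogArchive and the manifest file name are assumptions; run it elevated in 64-bit PowerShell so that System32 is not redirected.

    ```powershell
    # Added example: relocate auto-archived event logs and keep a hash manifest.
    # Assumptions: D:\EventLogArchive and manifest.csv are hypothetical names.
    $Source   = Join-Path $env:windir 'System32\Winevt\Logs'
    $Dest     = 'D:\EventLogArchive'
    $Manifest = Join-Path $Dest 'manifest.csv'

    function Get-Sha256Hex ([string]$Path) {
        # .NET is used directly because Get-FileHash is not available in the
        # PowerShell 2.0 that ships with Server 2008 R2.
        $sha    = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try     { [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Close() }
    }

    New-Item -ItemType Directory -Path $Dest -Force | Out-Null

    foreach ($f in Get-ChildItem -Path $Source -Filter 'Archive-*.evtx') {
        $target = Join-Path $Dest $f.Name
        if (Test-Path $target) {
            Write-Warning "Skipping $($f.Name): already present in $Dest"
            continue
        }

        $before = Get-Sha256Hex $f.FullName
        Copy-Item -Path $f.FullName -Destination $target
        $after  = Get-Sha256Hex $target

        if ($before -ne $after) {
            # Never delete the original unless the copy is byte-identical.
            Remove-Item $target
            Write-Warning "Hash mismatch for $($f.Name); original left in place"
            continue
        }

        Remove-Item $f.FullName
        "{0},{1},{2}" -f (Get-Date -Format s), $f.Name, $after | Add-Content -Path $Manifest
    }
    ```

    Because the archives include the Security log, restrict the destination folder's ACL to administrators and the account that runs the scheduled task.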

  • Windows is Scanning and repairing drive... (- Errors in Event Viewer)

    Long post, please be patient... :)
    I have a fairly new (purchased 8/2013) Lenovo ThinkPad T431s with Windows 8.1 Pro 64-bit (updated from 8.0 -> 8.1). It has a very tricky error coming basically 8 / 10 boots:
    Windows is Scanning and repairing drive...
    Error details from Windows Event Viewer (a new similar error appears on every boot to event viewer):
    A corruption was discovered in the file system structure on volume \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}.
    A file on the volume is no longer reachable from its parent directory. The parent file reference number is 0x2000000000002. The name of the parent directory is "". The parent index attribute is ":$I30:$INDEX_ALLOCATION". The file reference number of the file that needs to be reconnected is 0x400000003db80. There may be additional files on the volume that also need to be reconnected to this parent directory.
    What has been done 1st trying to fix that:
    SSD disk has been changed (image from previous SSD copied back) -> no solution, error remains
    chkdsk /F /R -> no solution, error remains
    SFC /scannow -> no solution, error remains
    dism /online /cleanup-image /restorehealth -> no solution, error remains after a few boots
    TRIED using Windows 8.1 "Update & Recovery -> Refresh Your PC without affecting your files" -> Inserted the Lenovo "Operating System Recovery Disk Windows 8 Pro (OEM Activation 3.0 Required)" BUT Windows did not accept that DVD claiming "The media inserted is not valid"... ???
    Ended up calling Lenovo Support and they instructed me to order the Recovery DVD from Lenovorecovery.com -> Unfortunately Windows does not recognize the DVD(s)...
    mountvol returns:
    \\?\Volume{4d337687-0033-42f7-8a8e-b6968b533cb3}\
    (This is my C:\ drive where Windows installation resides)
    \\?\Volume{e010cf9d-c04d-4c82-b517-3cda1b647fe7}\
    *** NO MOUNT POINTS ***
    \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}\
    *** NO MOUNT POINTS ***
    \\?\Volume{33f0062f-0aff-4fd2-8402-1c7911d86897}\
    *** NO MOUNT POINTS ***
    Then running fsutil dirty query on each returns:
    Volume - \\?\Volume{4d337687-0033-42f7-8a8e-b6968b533cb3} is NOT Dirty
    Volume - \\?\Volume{e010cf9d-c04d-4c82-b517-3cda1b647fe7} is NOT Dirty
    Volume - \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} is Dirty
    Volume - \\?\Volume{33f0062f-0aff-4fd2-8402-1c7911d86897} is NOT Dirty
    The chkdsk on the dirty volume \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}\ returned:
    The type of the file system is NTFS.
    Insufficient storage available to create either the shadow copy storage file or
    other shadow copy data.
    A snapshot error occured while scanning this drive. Run an offline scan and fix.
    Diskpart output on the same volume:
    DISKPART> lis par
      Partition ###  Type       Size     Offset
      Partition 1    Reserved    128 MB    17 KB
      Partition 2    Recovery   1000 MB   129 MB
      Partition 3    System      260 MB  1129 MB
      Partition 4    Primary     146 GB  1389 MB
      Partition 5    Recovery    350 MB   147 GB
      Partition 6    Recovery     19 GB   148 GB
    Questions:
    1) Are my Partitions OK, haven't "touched" anything?
    2) Excluded the dirty volume from boot checking with chkntfs /x
    -> still the Error appears in Event viewer log (but Scanning is skipped/not shown anymore during the boot).
    What is causing the error?
    3) Why do I have three (3) recovery partitions?

    What has happened in the past days:
    A) Lenovo on-site-Support changed the motherboard -> had no impact on the error (which I expected).
    B) I found instructions how to manually create USB Flash stick with a booting Custom (OEM) Recovery Image.
    C) Booted with USB and performed "Refresh your PC without affecting your files."
    D) Windows was refreshed but...
    -->>
    Still the error remains (Windows scanning and repairing drive \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} on each and every boot).
    1) Related Error in Event viewer (NTFS):
    A corruption was discovered in the file system structure on volume \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984}.
    A file on the volume is no longer reachable from its parent directory. The parent file reference number is 0x2000000000002. The name of the parent directory is "". The parent index attribute is ":$I30:$INDEX_ALLOCATION". The file reference number of the file that needs to be reconnected is 0x400000003db80. There may be additional files on the volume that also need to be reconnected to this parent directory.
    2) Related Error in Event viewer (NTFS - Microsoft Windows NTFS):
    Volume \\?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} (\Device\HarddiskVolume5) needs to be taken offline to perform a Full Chkdsk.  Please run "CHKDSK /F" locally via the command line, or run "REPAIR-VOLUME <drive:>" locally or remotely via PowerShell.
    -->>
    Now Lenovo support is proposing a full re-install (to be performed by myself) of Windows as this is SW issue.
    Summary:
    - Refreshing my T431s with OEM Image does not help
    - The error remains on \?\Volume{f62db2cf-efe4-4b55-a3f7-0e7db991a984} (\Device\HarddiskVolume5; Lenovo Recovery partition) OR at least Windows thinks so...

  • Error showing on the Event Viewer

    Hello,
    I have installed Oracle9iAS on win2k SP3. I get this error when I reboot my server, and it shows in the event viewer log.
    The OracleOra9ias_homeWebCache service hung on starting.
    But when I go to the services, it shows this service started. But it gives an error on the server.
    Do you have any idea how to solve this problem?
    Thanks
    Regards,
    mingjade

    Hi Jordan,
    Actually I can't solve that problem. So, I formatted the server since it is not in production yet. So it runs fine now.
    Thanks
    Regards,
    Ming Jade

  • My Microsoft WSUS Update Services Issues/Event Viewer Service Issues

    Hello,
    So yesterday I began investigating why my PCs that were pointed to the WSUS weren't receiving patches for their particular group. I checked to make sure it was approved and the client was in my client group. When I went to continue my troubleshooting today Update Services within the WSUS role gives me an Error: Connection Error. My Clients when I force them to check for updates also fail. I went to review my Event Viewer logs and it tells me to start the Event Viewer services. When I try to start the services it tells me Error 5 Access Is Denied. I've verified that the policies allow my domain admin account access to modify services and I've also rebooted it, still no joy.
    Any help anyone can offer with these series of issues would be greatly appreciated!
    -Russ Engelman
    P.S. I'm not very confident with registry edits so if you suggest I try to modify the registry, please make it barney style. Thanks.

    It seems these are two different problems, with Event viewer and with WSUS.
    1. Did this system work recently (correctly) or is it a new one?
    2. Make sure that you are logged in as domain administrator (or better as built-in AD administrator with highest privileges).
    3. Generally services can depend on other processes (services). If these processes do not run, then you would not start a process that is depending on these services.
    4. WSUS: Clients could not receive (on demand) updates, when there was no initial synchronization.
    5. WSUS: Make sure that GPO and computer group are set correctly
    6. WSUS: Detect and reconnect clients with wuauclt
    7. WSUS: Share your configuration here as well as reports.
    Regards
    Milos

  • MSE Event viewer errors

    Hi,
    Recently I see two errors in the event viewer at every login. I think they are related to MSE. I already reformatted my system but the errors occur right after I install MSE. The errors indicate that some rights are missing, but I use an administrator account, therefore access should be granted. Please note that this is a fresh windows 7 installation without any third party software. I just install windows (no OEM), every driver, sp1, all windows updates (also recommended). Then I install MSE. After rebooting (into an admin account) the errors appear.
    I tried to reproduce the errors in a virtual machine with only win7 installed and every (also recommended) update. At first the errors didn't appear. Then I reverted the VM back to the point before I install MSE (which is after every update is applied) and tried it again. I expected that these errors won't be there because I did just the same as before. But this time (after MSE was installed again) I rebooted multiple times and the errors appeared. I tried several other scenarios (admin/limited account etc) but wasn't able to track down the actual cause. I think that MSE is working despite these error messages. However, when I see that the network inspection is not working, I'm getting worried.
    Errors:
    1) Event ID 7006 The ScRegSetValueExW call failed for Start with the following error: 
    Access is denied.
    2) Event ID 3002 Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
    Feature: Network Inspection System
    Error Code: 0x80070005
    Error description: Access is denied. 
    Reason: The system is missing updates that are required for running Network Inspection System. Install the required   updates and restart the computer
    Thank you!

    TImbir
    Can we get your event viewer logs?  Please also run a system file check
    Please provide us with your Event Viewer administrative logs by following these steps:
    Click Start Menu
    Type eventvwr into Search programs and files (do not hit enter)
    Right click eventvwr.exe and click Run as administrator
    Expand Custom Views
    Click Administrative Events
    Right click Administrative Events
    Save all Events in Custom View As...
    Save them in a folder where you will remember which folder and save as Errors.evtx
    Go to where you saved Errors.evtx
    Right click Errors.evtx -> send to -> compressed (zipped) folder
    Upload the .zip file to Onedrive or a file sharing service and put a link to it in your next post
    If you have updated to win 8.1 and you get the error message "the system cannot find the file specified" it is a known problem.
    The workaround is to edit the registry. If you are not comfortable doing this, DON'T. If you are, back up the key before you do.
    Press Win+"R" and input regedit
    Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels. Delete "Microsoft-Windows-DxpTaskRingtone/Analytic"
    Please run a system file check (SFC) & DISM if you are on win 8 or higher
    All instructions are in our Wiki article below...
    Should you have any questions please ask us.
    System file check (SFC) Scan and Repair System Files
    Wanikiya and Dyami--Team Zigzag

  • P6N Sli Platinum event viewer error

    On my new P6N Sli Platinum mainboard, every time I boot up I get the following error in the event viewer log:
    "The ForceWare IP service service failed to start due to the following error:
    The system cannot find the path specified. "
    I think this has to do with Nvidia network drivers. The network seems to work ok, although I have by default two network controllers: one labelled "1394 Net Adapter" and another "NVIDIA nForce Networking Controller". Which of these handles the actual connection seems to change randomly, but it doesn't seem to affect the performance.
    I'm running Windows XP Pro SP2 with all the updates from winupdate.
    Does anyone else have the same issue?

    Quote from: Isandhlwana on 20-April-07, 21:51:28
    On my new P6N Sli Platinum mainboard, every time I boot up I get the following error in the event viewer log:
    "The ForceWare IP service service failed to start due to the following error:
    The system cannot find the path specified. "
    I still get this error in event viewer each time I start up. I went to administrative tools->services and tried to enable the Forceware IP Service manually: system cannot find the path specified. The path box in the service properties is empty.
    After googling I found that the service corresponds to the following executable: nsvcip.exe. This file is not found in my system. Is this normal? Does anyone else of you have this file?
    Apart from the error message in event viewer my system is functioning perfectly.

  • How to enable the Exchange 2010 Admin Audit logs in Event Viewer

    How to enable the Exchange 2010 Admin Audit (Mailbox Auditing) logs in Event Viewer.
    - Sivashankar. Please mark as answer/useful if my contribution is helpful

    Hi Siva,
    We could execute the command below to view Administrator Audit Logging settings:
    Get-AdminAuditLogConfig
    If it is not enabled, please run the command below:
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $True
    In addition, here are some references for you to utilize this feature:
    Configure Administrator Audit Logging :
    http://technet.microsoft.com/en-us/library/dd335109(v=exchg.141).aspx
    Search the Administrator Audit Log :
    http://technet.microsoft.com/en-us/library/ff459262(v=exchg.141).aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Event viewer filtered log not exported correctly

    Hi all,
    I have a very strange problem, or better, I'm missing something.
    I can open the event viewer and there are many events in there (45'000). I can filter for the last 7 days and this shows me only 1925 events which is correct.
    Now, if I click on SAVE FILTERED LOG FILE AS, I can save the file in XML or TXT format (or others). The format is not important because the export is incorrect! What I mean is that once the file has been exported to TXT or another file format, it contains just some events, in this case maybe 50-60 events, not more! The strange thing is that in that file I can see ONLY the events from the most recent day in the filter (right now the 14th of June).
    Now the funny part: if I save THE SAME LOG as .XML, it doesn't show all the events, but more than the TXT file (in this case, it shows until the 2nd of June), but the last event on the filtered event viewer is on 13 May.
    I hope somebody can help me, and excuse me for my explanation.

    Hi ripp3r,
    Thank you for your post.
    I tested saving the event log following your description, with the same result. When I save the log to an evtx format file, the log shows correctly.
    Then I found KB2417105 (for Windows 2008), which explains that logs are truncated because the saving event log operation is not synchronized appropriately with the fetching-event operation.
    When I installed KB2417105, the event log saved to a txt file successfully.
    If your server OS is Windows 2008 R2, please install KB981466.
    If there are more inquiries on this issue, please feel free to let us know.
    Regards,
    Rick Tan
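
A way to check for the truncation discussed in this thread, as an added example that is not part of the original posts: export the filtered window to .evtx (the format the reply reports as saving correctly) and compare the exported event count with the live log. The `System` log name, the 7-day window and the output path are assumptions chosen for illustration.

```powershell
# Added example: export a time-filtered event log to .evtx and confirm the
# export holds as many events as the live log for the same window.
# Assumed values: log name, window length and output path (change as needed).
param(
    [string]$LogName = 'System',
    [int]$Days = 7,
    [string]$OutFile = "$env:TEMP\Filtered-$LogName.evtx"
)

# Fixed UTC bounds so the live query and the export cover exactly the same window
# (a relative "last 7 days" filter would slide between the two calls).
$inv   = [Globalization.CultureInfo]::InvariantCulture
$fmt   = 'yyyy-MM-ddTHH:mm:ss.fffZ'
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$Days)
$xpath = "*[System[TimeCreated[@SystemTime>='{0}' and @SystemTime<='{1}']]]" -f `
         $start.ToString($fmt, $inv), $end.ToString($fmt, $inv)

function Get-EventCount([hashtable]$Source) {
    # Get-WinEvent raises an error when nothing matches; treat that as zero.
    @(Get-WinEvent @Source -FilterXPath $xpath -ErrorAction SilentlyContinue).Count
}

# 1. Count matching events in the live log.
$liveCount = Get-EventCount @{ LogName = $LogName }

# 2. Export the same selection with wevtutil (epl = export-log, /ow = overwrite).
& wevtutil.exe epl $LogName $OutFile "/q:$xpath" /ow:true
if ($LASTEXITCODE -ne 0) {
    throw "wevtutil export failed with exit code $LASTEXITCODE"
}

# 3. Count events in the exported file and compare.
$fileCount = Get-EventCount @{ Path = $OutFile }

[pscustomobject]@{
    Log            = $LogName
    WindowStartUtc = $start
    WindowEndUtc   = $end
    LiveEvents     = $liveCount
    ExportedEvents = $fileCount
    Complete       = ($liveCount -eq $fileCount)
    File           = $OutFile
}
```

Run it from an elevated prompt when the target is a log that requires administrative rights to read, such as Security. A `Complete` value of `False` means the export does not match the live log and should not be relied on as a full record.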
