No events logged while VMS offline

Similar Messages

• Event Logs of VMs Migration in Hyper-V Cluster

  Hello All,
  We're running Failover Cluster of Win Server 2012 R2 Hyper-V hosts. If any host gets down unexpectedly (due to any reason power/bugcheck/hardware failure or what so ever), then the VMs on that host, of course, get migrated (either quick or live) to some
  other host within the cluster.
  I want to have logs/events of this VMs migration. I want to know that which of the VMs were residing on that host at that time of failure. Of course, we can't have this info in the Cluster events is Failover Cluster Manager. I am unable to find this info
  anywhere. I have searched in Event Viewer --> Administrative Roles --> Hyper-V. I have searched a lot in the SCVMM, but no success. We're using SCVMM 2012 R2 with UR5.
  Please help me in finding the exact location of these logs/events. I would also like to know that if the VM was quick migrated or live migrated, and to which host the VM got migrated.
  I'd be highly grateful.
  Thanks in anticipation.
  Regards,
  Hasan

  You have posted this same question in two different forums.  The answer on where to look is posted in the other forum. 
  https://social.technet.microsoft.com/Forums/en-US/7f0da2a8-debc-4dd8-9214-72ed46e3c76b/event-logs-of-vms-migration-in-failover-cluster-of-hyperv-hosts?forum=winserverhyperv
  In the future, forum etiquette requests that you do not cross-post.
  Again, when a host fails, there is no migration, quick or live, to another node of the cluster.  There is a restart.  When a host fails, the VMs on that host also fail.  The cluster detects the failure and the resources (VMs) that had
  been running on the failed node are restarted on another node.  You will see different events entered into the event log for a resource start than for a quick/live migration.
  The easiest way to see this is to do it.  Open up the event viewer on a host to which you plan to migrate a VM.  Perform a quick/live migration.  Refresh the event viewer and note the events that were logged.
  . : | : . : | : . tim

• Event Logs of VMs Migration in Failover Cluster of Hyper-V Hosts

  Hello All,
  We're running Failover Cluster of Hyper-V hosts of Windows Server 2012 R2. Using SCVMM 2012 R2 with UR5 for management.
  If any host gets down unexpectedly (due to any reason power/bugcheck/hardware failure or what so ever), then the VMs on that host, of course, get migrated (either quick or live) to some other host within the cluster.
  I want to have logs/events of this VMs migration. I want to know that which of the VMs were residing on that host at that time of failure. Of course, we can't have this info in the Cluster events is Failover Cluster Manager. I am unable to find this info
  anywhere. I have searched in Event Viewer --> Administrative Roles --> Hyper-V. I have searched a lot in the SCVMM, but no success.
  Please help me in finding the exact location of these logs/events. I would also like to know that if the VM was quick migrated or live migrated, and to which host the VM got migrated.
  I'd be highly grateful.
  Thanks in anticipation.
  Regards,
  Hasan Bin Hasib

  This post was cross-posted in the clustering forum.  As noted in that forum, a failure of a host does not initiate a quick or live migration.  Migration requires both the source and destination nodes be operational during the entire migration
  process.  Should a host fail, it is impossible for that host to participate in a migration.  In the case of a host failure, the VM is restarted on another node of the cluster.  You can still use the information provided by Elton for viewing
  events in the event log.  If you want to see the exact sequence of log entries, perform quick/live migrations in a lab and notices the changes in the event log.  You can also fail a host and see the sequence of log entries.
  . : | : . : | : . tim

• The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.

  Last night, some of our systems installed updates released on 11/13/2014.  
  KB3021674
  KB2901983
  KB3023266
  KB3014029
  KB3022777
  KB3020388
  KB890830
  Today, all of the servers running Windows Server 2008 R2 started logging the following error in the Security log over and over:
  Log Name:      Security
  Source:        Microsoft-Windows-Eventlog
  Date:          1/15/2015 11:12:39 AM
  Event ID:      1108
  Task Category: Event processing
  Level:         Error
  Keywords:      Audit Success
  User:          N/A
  Description:
  The event logging service encountered an error while processing an incoming event published from Microsoft-Windows-Security-Auditing.
  Servers running Windows Server 2008 that also installed the updates are not experiencing the problem.  It looks like one of the updates may have introduced this problem with Server 2008 R2.

  ...Did you for sure confirm that:
  https://technet.microsoft.com/library/security/MS15-001
  is the cause?
  I did.  I had a VM that was not experiencing the problem.  I took a snapshot and tested the patches one by one.  Installing only KB3023266 immediately caused the issue to occur (after reboot).  A similar process was used to confirm that
  installing KB2675611 resolved the problem.
  Note that I found the installation of KB2675611 is usually quick, but it took several hours hours to install on some of our systems.  We had installed this patch a few months ago on a couple of servers and it was always quick to install.  But,
  it seems like installing it on a symptomatic system can cause it to take a long time.

• "Error while attempting to save event log" On VPN3000

  My VPN have started to e-mail the following problem.
  54438 03/29/2008 14:55:06.660 SEV=2 EVENT/14 RPT=288
  Error while attempting to save event log (operation: fopen, code:
  Anybody have any idears, I have tried to reboot but need not fix anything.
  When I try click on "Save Needed", I get the following errror "Unable to Save
  File Write Error".
  I can see that my event log is getting updated with other stuff like "IKEDBG/79" - "Phase 1 failure against global IKE proposal".

  Try re-naming the existing files, and then do the save. I had a similar problem, and I think it was a corrupt file that the system could not overwrite, but could rename. Then you can delete the old one.

• While Installation of 11g database creation time error ORA-28056: Writing audit records to Windows Event Log failed Error

  Hi Friends,
  OS = Windows XP 3
  Database = Oracle 11g R2 32 bit
  Processor= intel p4 2.86 Ghz
  Ram = 2 gb
  Virtual memory = 4gb
  I was able to install the oracle 11g successfully, but during installation at the time of database creation I got the following error many times and I ignored it many times... but at 55% finally My installation was hanged nothing was happening after it..... 
  ORA-28056: Writing audit records to Windows Event Log failed Error  and at 55% my Installation got hung,,,, I end the installation and tried to create the database afterward by DBCA but same thing happened....
  Please some one help me out, as i need to install on the same machine .....
  Thanks and Regards

  AAP wrote:
  Thanks Now I am able to Create a database , but with one error,
  When I created a database using DBCA, at the last stage I got this error,
  Database Configuration Assistant : Warning
  Enterprise Manager Configuration Failed due to the Following error Listener is not up or database service is not registered with it.  Start the listener & Registered database service & run EM Configuration Assistant again....
  But when I checked the listener was up.....
  Now what was the problem,  I am able to connect and work through sqlplus,
  But  I didnt got the link of EM and when try to create a new connection in sql developer it is giving error ( Status : failure - Test Failed the Network Adapter could not establish the connection )
  Thanks & Regards
  Creation of the dbcontrol requires a connection via the listener.  When configuring the dbcontrol as part of database creation, it appears that the dbcontrol creation step runs before the dynamic registration of the databsase with the listener is complete.  Now that the database itself is completed and enough time (really, just a minute or two) has passed to allow the instance to register, use dbca or emca to create the dbcontrol.
  Are you able to get a sqlplus connection via the listener (sqlplus scott/tiger@orcl)?  That needs to be the first order of business.

• Windows Server 2008 R2 Security Event Log Maximum Size

  I have a customer with logging requirements on domain controllers that are exceeding the maximum log size they have configured for the security log.  When they attempted to increase the maximum size of the security event log via Group Policy, the settings
  did not take effect.  When an attempt was made to increase the security event log manually on the domain controller via the properties of the log, an error is generated whenever the value was changed.
  The Maximum Log Size specified is not valid.  It is too large or too small. The Maximum Log Size will be set to the following: 196608 KB
  The 196608 KB value is the value that it is currently set at.  Testing on other logs, application, system, has lead to the same result.  
  wevtutil.exe sl security /ms:<n> produces similar results.  There is no error message given but the value doesn't change when you run wevtutil.exe gl security
  When viewing the registry value MaxSize under HKLM\Current Control Set\Services\EventLog\Security the change is reflected, but the log does not seem to get any larger.  
  What one would expect to be a two minute change in a group policy object has turned into something much more difficult.  Any idea what could be causing this?
  Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

  I verified that it was not another policy - the domain is pretty simple without many policies, only policies applied are:
  Default Domain Policy (no event log settings)
  Company Domain Policy (no event log settings)
  Default Domain Controller Policy (no event logs settings)
  Company Domain Controller Policy (...\Event Log\Maximum security log size 4194240 kilobytes)
  The value was 196608 before, the plan was to change the group policy setting to 4194240 and I expected it to be that easy.  However, the values didn't change.
  4194240 is divisible by 64
  Used multiple tools to try and change
  Group Policy
  Event Viewer
  wevtutil.exe
  registry editor
  While some of the methods display a larger event log, the actual size of the event log still seems to be limited to 196608 kb.  
  Thanks,
  Joe
  Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator

• Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

  I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server. 
  I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online). 
  I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me). 
  Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
  Issue 1)
  After each reboot I get a Kernel-EventTracing 2 error.  I cannot find anything on this on the internet so I have no idea what it is.
  Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
  I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
  Issue 2)
  I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
  https://support.microsoft.com/kb/2870416?wa=wsignin1.0
  One of the perf counters fails to register using the script from the link above.
  66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
  New-PerfCounters : The performance counter definition file is invalid.
  At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
  +    New-PerfCounters -DefinitionFileName $f
  +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo         
  : InvalidData: (:) [New-PerfCounters], TaskException
      + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
     12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
  But that one seems unrelated to the ones that still throw errors. 
  Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
  Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
  exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
  is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
  The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
     at System.Diagnostics.PerformanceCounter.InitializeImpl()
     at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
  Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
     at System.Diagnostics.Process.GetProcessById(Int32 processId)
     at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
  Issue 3)
  I appear to have some issues related to the healthmailboxes. 
  I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
  SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
  lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
  I reran setup /prepareAD to try and remedy this but I am still getting some.
  Issue 4)
  I am getting an MSExchange RBAC 74 error. 
  (Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
  Issue 5)
  I am getting MSExchange Assistants 9042 warnings on both databases.
  Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
  skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
  Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server. 
  If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
  Issue 6)
  At boot I am getting an MSExchange ActiveSync warning 1033
  The setting SupportedIPMTypes in the Web.Config file was missing. 
  Using default value of System.Collections.Generic.List`1[System.String].
  I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

  Hi Eric
  Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3^rd time. 
  I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
  I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”. 
  If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
   So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering. 
  Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users. 
  I then applied an address policy to them and gave it the highest priority. 
  Then I set a default email address policy for the entire organization. 
  After reinstalling Exchange all of my system mailboxes were created with the internal domain name. 
  So issue number 3 above has not come up. 
  For issue number one above I have created a new thread:
  https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
  For issue number four I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
  Issue number Five I have managed to recreate and get rid of in more than one way. 
  If I create a new database in ECP and set the database and log paths where I want, then this error will appear. 
  If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear. 
  The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service. 
  If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away. 
  So my off hand guess is that these are caused by orphaned system mailboxes.
  For issue number six I have posted to this existing thread where there is so far no resolution:
  https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
  So for the remainder of this thread we can try and tackle issue number two which is the perf counters. 
  The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7. 
  Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five. 
  Using all of your suggestions so far has not removed these 5 remaining errors either.  Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as will all event log errors, I would prefer
  to make them go away if possible.

• New Event Log Errors L355-S7902

  These two are recurring daily and showing up in Event Viewer>Windows>Diagnostic Performance>Operational.  I have noticed that shutdown is too long so I have copied the errors.
  Log Name:      Microsoft-Windows-Diagnostics-Performance/Operatio​nal
  Source:        Microsoft-Windows-Diagnostics-Performance
  Date:          8/11/2010 7:01:45 AM
  Event ID:      203
  Task Category: Shutdown Performance Monitoring
  Level:         Error
  Keywords:      Event Log
  User:          LOCAL SERVICE
  Computer:      Laptop
  Description:
  This service caused a delay in the system shutdown process:
       File Name        :    RasMan
       Friendly Name        :    Remote Access Connection Manager
       Version        :    6.0.6000.16386 (vista_rtm.061101-2205)
       Total Time        :    16925ms
       Degradation Time    :    16570ms
       Incident Time (UTC)    :    8/10/2010 7:44:55 PM
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/ev​ent">
    <System>
      <Provider Name="Microsoft-Windows-Diagnostics-Performance" Guid="{cfc18ec0-96b1-4eba-961b-622caee05b0a}" />
      <EventID>203</EventID>
      <Version>1</Version>
      <Level>2</Level>
      <Task>4007</Task>
      <Opcode>41</Opcode>
      <Keywords>0x8000000000010000</Keywords>
      <TimeCreated SystemTime="2010-08-11T12:01:45.242Z" />
      <EventRecordID>3327</EventRecordID>
      <Correlation ActivityID="{00000000-9B8C-0001-2EDB-D6AD4C39CB01}​" />
      <Execution ProcessID="2008" ThreadID="2144" />
      <Channel>Microsoft-Windows-Diagnostics-Performance​/Operational</Channel>
      <Computer>Laptop</Computer>
      <Security UserID="S-1-5-19" />
    </System>
    <EventData>
      <Data Name="StartTime">2010-08-10T19:44:55.195Z</Data>
      <Data Name="NameLength">7</Data>
      <Data Name="Name">RasMan</Data>
      <Data Name="FriendlyNameLength">33</Data>
      <Data Name="FriendlyName">Remote Access Connection Manager</Data>
      <Data Name="VersionLength">39</Data>
      <Data Name="Version">6.0.6000.16386 (vista_rtm.061101-2205)</Data>
      <Data Name="TotalTime">16925</Data>
      <Data Name="DegradationTime">16570</Data>
      <Data Name="PathLength">32</Data>
      <Data Name="Path">C:\Windows\System32\rasmans.dll</Data>
      <Data Name="ProductNameLength">37</Data>
      <Data Name="ProductName">Microsoft® Windows® Operating System</Data>
      <Data Name="CompanyNameLength">22</Data>
      <Data Name="CompanyName">Microsoft Corporation</Data>
    </EventData>
  </Event>
  Log Name:      Microsoft-Windows-Diagnostics-Performance/Operatio​nal
  Source:        Microsoft-Windows-Diagnostics-Performance
  Date:          8/9/2010 5:06:37 PM
  Event ID:      351
  Task Category: Standby Performance Monitoring
  Level:         Error
  Keywords:      Event Log
  User:          LOCAL SERVICE
  Computer:      Laptop
  Description:
  This driver responded slower than expected to the resume request while servicing this device:
       Driver File Name        :    \Driver\usbehci
       Driver Friendly Name        :    EHCI eUSB Miniport Driver
       Driver Version            :    6.0.6001.18000 (longhorn_rtm.080118-1840)
       Driver Total Time        :    271ms
       Driver Degradation Time    :    95ms
       Incident Time (UTC)        :    8/9/2010 10:11:50 PM
       Device Name            :    PCI\VEN_8086&DEV_293C&SUBSYS_FF661179&REV_03\3&21​436425&0&D7
       Device Friendly Name        :    Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C
       Device Total Time        :    281ms
       Device Degradation Time    :    95ms
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/ev​ent">
    <System>
      <Provider Name="Microsoft-Windows-Diagnostics-Performance" Guid="{cfc18ec0-96b1-4eba-961b-622caee05b0a}" />
      <EventID>351</EventID>
      <Version>1</Version>
      <Level>2</Level>
      <Task>4003</Task>
      <Opcode>35</Opcode>
      <Keywords>0x8000000000010000</Keywords>
      <TimeCreated SystemTime="2010-08-09T22:06:37.507Z" />
      <EventRecordID>3311</EventRecordID>
      <Correlation ActivityID="{00000000-06C8-0000-2E38-015FCA37CB01}​" />
      <Execution ProcessID="236" ThreadID="996" />
      <Channel>Microsoft-Windows-Diagnostics-Performance​/Operational</Channel>
      <Computer>Laptop</Computer>
      <Security UserID="S-1-5-19" />
    </System>
    <EventData>
      <Data Name="StartTime">2010-08-09T22:11:50.769Z</Data>
      <Data Name="NameLength">16</Data>
      <Data Name="Name">\Driver\usbehci</Data>
      <Data Name="FriendlyNameLength">26</Data>
      <Data Name="FriendlyName">EHCI eUSB Miniport Driver</Data>
      <Data Name="VersionLength">42</Data>
      <Data Name="Version">6.0.6001.18000 (longhorn_rtm.080118-1840)</Data>
      <Data Name="TotalTime">271</Data>
      <Data Name="DegradationTime">95</Data>
      <Data Name="PathLength">40</Data>
      <Data Name="Path">C:\Windows\system32\DRIVERS\usbehci.sy​s</Data>
      <Data Name="ProductNameLength">37</Data>
      <Data Name="ProductName">Microsoft® Windows® Operating System</Data>
      <Data Name="CompanyNameLength">22</Data>
      <Data Name="CompanyName">Microsoft Corporation</Data>
      <Data Name="DeviceNameLength">61</Data>
      <Data Name="DeviceName">PCI\VEN_8086&amp;DEV_293C&amp;SU​BSYS_FF661179&amp;REV_03\3&amp;21436425&amp;0&amp;​D7</Data>
      <Data Name="DeviceFriendlyNameLength">58</Data>
      <Data Name="DeviceFriendlyName">Intel(R) ICH9 Family USB2 Enhanced Host Controller - 293C</Data>
      <Data Name="DeviceTotalTime">281</Data>
      <Data Name="DeviceDegradationTime">95</Data>
    </EventData>
  </Event>
  Hope I sent the right info this time.
  Donna in AR

  Satellite L355-S7902 
  Donna, I wouldn't worry that Rasman (the Remote Access Connection Manager service) takes 17 seconds to shut down. And certainly the 0.095 seconds taken by the Usbehci.sys driver is inconsequential.
  My Event Viewer is filled with stuff like this. Most users don't know to look here. Best to ignore it.
  Pay more attention to what's in the Application and System logs under Windows Logs.
  Hope I sent the right info this time.
  In the future, leave out the stuff beginning with the line..
     Event Xml:
  -Jerry

• Script to Export Pervious Day Events Logs to CSV

  HI,
  I am trying to export all the previous day's application event logs to a CSV file. I found the following script on net. But for this script to work I need to enter in the Event ID's I wont to export. Does anyone have any idea how I can change thsi script
  to export all event ID's or have another script that can?
  'Description : This script queries the event log for...whatever you want it to! Just set the event 'log name and event ID's!
  'Initialization  Section
  Option Explicit
  Const ForReading   = 1
  Const ForWriting   = 2
  Const ForAppending = 8
  Dim objDictionary, objFSO, wshShell, wshNetwork
  Dim scriptBaseName, scriptPath, scriptLogPath
  Dim ipAddress, macAddress, item, messageType, message
  On Error Resume Next
     Set objDictionary = NewDictionary
     Set objFSO        = CreateObject("Scripting.FileSystemObject")
     Set wshShell      = CreateObject("Wscript.Shell")
     Set wshNetwork    = CreateObject("Wscript.Network")
     scriptBaseName    = objFSO.GetBaseName(Wscript.ScriptFullName)
     scriptPath        = objFSO.GetFile(Wscript.ScriptFullName).ParentFolder.Path
     scriptLogPath     = scriptPath & "\" & IsoDateString(Now)
     If Err.Number <> 0 Then
        Wscript.Quit
     End If
  On Error Goto 0
  'Main Processing Section
  On Error Resume Next
     PromptScriptStart
     ProcessScript
     If Err.Number <> 0 Then
        MsgBox BuildError("Processing Script"), vbCritical, scriptBaseName
        Wscript.Quit
     End If
     PromptScriptEnd
  On Error Goto 0
  'Functions Processing Section
  'Name       : ProcessScript -> Primary Function that controls all other script processing.
  'Parameters : None          ->
  'Return     : None          ->
  Function ProcessScript
     Dim hostName, logName, startDateTime, endDateTime
     Dim events, eventNumbers, i
     hostName      = wshNetwork.ComputerName
     logName       = "application"
     eventNumbers  = Array("1001","1")
     startDateTime = DateAdd("n", -21600, Now)
     'Query the event log for the eventID's within the specified event log name and date range.
     If Not QueryEventLog(events, hostName, logName, eventNumbers, startDateTime) Then
        Exit Function
     End If
     'Log the scripts results to the scripts
     For i = 0 To UBound(events)
        LogMessage events(i)
     Next
  End Function
  'Name       : QueryEventLog -> Primary Function that controls all other script processing.
  'Parameters : results       -> Input/Output : Variable assigned to an array of results from querying the event log.
  '           : hostName      -> String containing the hostName of the system to query the event log on.
  '           : logName       -> String containing the name of the Event Log to query on the system.
  '           : eventNumbers  -> Array containing the EventID's (eventCode) to search for within the event log.
  '           : startDateTime -> Date\Time containing the date to finish searching at.
  '           : minutes       -> Integer containing the number of minutes to subtract from the startDate to begin the search.
  'Return     : QueryEventLog -> Returns True if the event log was successfully queried otherwise returns False.
  Function QueryEventLog(results, hostName, logName, eventNumbers, startDateTime)
     Dim wmiDateTime, wmi, query, eventItems, eventItem
     Dim timeWritten, eventDate, eventTime, description
     Dim eventsDict, eventInfo, errorCount, i
     QueryEventLog = False
     errorCount    = 0
     If Not IsArray(eventNumbers) Then
        eventNumbers = Array(eventNumbers)
     End If
     'Construct part of the WMI Query to account for searching multiple eventID's
     query = "Select * from Win32_NTLogEvent Where Logfile = " & SQ(logName) & " And (EventCode = "
     For i = 0 To UBound(eventNumbers)
        query = query & SQ(eventNumbers(i)) & " Or EventCode = "
     Next
     On Error Resume Next
        Set eventsDict = NewDictionary
        If Err.Number <> 0 Then
           LogError "Creating Dictionary Object"
           Exit Function
        End If
        Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & hostName & "\root\cimv2")
        If Err.Number <> 0 Then
           LogError "Creating WMI Object to connect to " & DQ(hostName)
           Exit Function
        End If
        'Create the "SWbemDateTime" Object for converting WMI Date formats. Supported in Windows Server 2003 & Windows XP.
        Set wmiDateTime = CreateObject("WbemScripting.SWbemDateTime")
        If Err.Number <> 0 Then
           LogError "Creating " & DQ("WbemScripting.SWbemDateTime") & " object"
           Exit Function
        End If
        'Build the WQL query and execute it.
        wmiDateTime.SetVarDate startDateTime, True
        query          = Left(query, InStrRev(query, "'")) & ") And (TimeWritten >= " & SQ(wmiDateTime.Value) & ")"
        Set eventItems = wmi.ExecQuery(query)
        If Err.Number <> 0 Then
           LogError "Executing WMI Query " & DQ(query)
           Exit Function
        End If
        'Convert the property values of Each event found to a comma seperated string and add it to the dictionary.
        For Each eventItem In eventItems
           Do
              timeWritten = ""
              eventDate   = ""
              eventTime   = ""
              eventInfo   = ""
              timeWritten = ConvertWMIDateTime(eventItem.TimeWritten)
              eventDate   = FormatDateTime(timeWritten, vbShortDate)
              eventTime   = FormatDateTime(timeWritten, vbLongTime)
              eventInfo   = eventDate                          &
              eventInfo   = eventInfo & eventTime              & ","
              eventInfo   = eventInfo & eventItem.SourceName   & ","
              eventInfo   = eventInfo & eventItem.Type         & ","
              eventInfo   = eventInfo & eventItem.Category     & ","
              eventInfo   = eventInfo & eventItem.EventCode    & ","
              eventInfo   = eventInfo & eventItem.User         & ","
              eventInfo   = eventInfo & eventItem.ComputerName & ","
              description = eventItem.Message
              'Ensure the event description is not blank.
              If IsNull(description) Then
                 description = "The event description cannot be found."
              End If
              description = Replace(description, vbCrLf, " ")
              eventInfo   = eventInfo & description
              'Check if any errors occurred enumerating the event Information
              If Err.Number <> 0 Then
                 LogError "Enumerating Event Properties from the " & DQ(logName) & " event log on " & DQ(hostName)
                 errorCount = errorCount + 1
                 Err.Clear
                 Exit Do
              End If
              'Remove all Tabs and spaces.
              eventInfo = Trim(Replace(eventInfo, vbTab, " "))
              Do While InStr(1, eventInfo, "  ", vbTextCompare) <> 0
                 eventInfo = Replace(eventInfo, "  ", " ")
              Loop
              'Add the Event Information to the Dictionary object if it doesn't exist.
              If Not eventsDict.Exists(eventInfo) Then
                 eventsDict(eventsDict.Count) = eventInfo
              End If
           Loop Until True
        Next
     On Error Goto 0
     If errorCount <> 0 Then
        Exit Function
     End If
     results       = eventsDict.Items
     QueryEventLog = True
  End Function
  'Name       : ConvertWMIDateTime -> Converts a WMI Date Time String into a String that can be formatted as a valid Date Time.
  'Parameters : wmiDateTimeString  -> String containing a WMI Date Time String.
  'Return     : ConvertWMIDateTime -> Returns a valid Date Time String otherwise returns a Blank String.
  Function ConvertWMIDateTime(wmiDateTimeString)
     Dim integerValues, i
     'Ensure the wmiDateTimeString contains a "+" or "-" character. If it doesn't it is not a valid WMI date time so exit.
     If InStr(1, wmiDateTimeString, "+", vbTextCompare) = 0 And _
        InStr(1, wmiDateTimeString, "-", vbTextCompare) = 0 Then
        ConvertWMIDateTime = ""
        Exit Function
     End If
     'Replace any "." or "+" or "-" characters in the wmiDateTimeString and check each character is a valid integer.
     integerValues = Replace(Replace(Replace(wmiDateTimeString, ".", ""), "+", ""), "-", "")
     For i = 1 To Len(integerValues)
        If Not IsNumeric(Mid(integerValues, i, 1)) Then
           ConvertWMIDateTime = ""
           Exit Function
        End If
     Next
     'Convert the WMI Date Time string to a String that can be formatted as a valid Date Time value.
     ConvertWMIDateTime = CDate(Mid(wmiDateTimeString, 5, 2)  & "/" & _
                                Mid(wmiDateTimeString, 7, 2)  & "/" & Left(wmiDateTimeString,
  4) & " " & _
                                Mid(wmiDateTimeString, 9, 2)  & ":" & _
                                Mid(wmiDateTimeString, 11, 2) & ":" & _
                                Mid(wmiDateTimeString, 13, 2))
  End Function
  'Name       : NewDictionary -> Creates a new dictionary object.
  'Parameters : None          ->
  'Return     : NewDictionary -> Returns a dictionary object.
  Function NewDictionary
     Dim dict
     Set dict          = CreateObject("scripting.Dictionary")
     dict.CompareMode  = vbTextCompare
     Set NewDictionary = dict
  End Function
  'Name       : SQ          -> Places single quotes around a string
  'Parameters : stringValue -> String containing the value to place single quotes around
  'Return     : SQ          -> Returns a single quoted string
  Function SQ(ByVal stringValue)
     If VarType(stringValue) = vbString Then
        SQ = "'" & stringValue & "'"
     End If
  End Function
  'Name       : DQ          -> Place double quotes around a string and replace double quotes
  '           :             -> within the string with pairs of double quotes.
  'Parameters : stringValue -> String value to be double quoted
  'Return     : DQ          -> Double quoted string.
  Function DQ (ByVal stringValue)
     If stringValue <> "" Then
        DQ = """" & Replace (stringValue, """", """""") & """"
     Else
        DQ = """"""
     End If
  End Function
  'Name       : IsoDateTimeString -> Generate an ISO date and time string from a date/time value.
  'Parameters : dateValue         -> Input date/time value.
  'Return     : IsoDateTimeString -> Date and time parts of the input value in "yyyy-mm-dd hh:mm:ss" format.
  Function IsoDateTimeString(dateValue)
     IsoDateTimeString = IsoDateString (dateValue) & " " & IsoTimeString (dateValue)
  End Function
  'Name       : IsoDateString -> Generate an ISO date string from a date/time value.
  'Parameters : dateValue     -> Input date/time value.
  'Return     : IsoDateString -> Date part of the input value in "yyyy-mm-dd" format.
  Function IsoDateString(dateValue)
     If IsDate(dateValue) Then
        IsoDateString = Right ("000" &  Year (dateValue), 4) & "-" & _
                        Right (  "0" & Month (dateValue), 2) & "-" & _
                        Right (  "0" &   Day (dateValue), 2)
     Else
        IsoDateString = "0000-00-00"
     End If
  End Function
  'Name       : IsoTimeString -> Generate an ISO time string from a date/time value.
  'Parameters : dateValue     -> Input date/time value.
  'Return     : IsoTimeString -> Time part of the input value in "hh:mm:ss" format.
  Function IsoTimeString(dateValue)
     If IsDate(dateValue) Then
        IsoTimeString = Right ("0" &   Hour (dateValue), 2) & ":" & _
                        Right ("0" & Minute (dateValue), 2) & ":" & _
                        Right ("0" & Second (dateValue), 2)
     Else
        IsoTimeString = "00:00:00"
     End If
  End Function
  'Name       : LogMessage -> Writes a message to a log file.
  'Parameters : logPath    -> String containing the full folder path and file name of the Log file without with file extension.
  '           : message    -> String containing the message to include in the log message.
  'Return     : None       ->
  Function LogMessage(message)
     If Not LogToCentralFile(scriptLogPath & ".csv", IsoDateTimeString(Now) & "," & message) Then
        Exit Function
     End If
  End Function
  'Name       : LogError -> Writes an error message to a log file.
  'Parameters : logPath  -> String containing the full folder path and file name of the Log file without with file extension.
  '           : message  -> String containing a description of the event that caused the error to occur.
  'Return     : None       ->
  Function LogError(message)
     If Not LogToCentralFile(scriptLogPath & ".err", IsoDateTimeString(Now) & "," & BuildError(message)) Then
        Exit Function
     End If
  End Function
  'Name      : BuildError -> Builds a string of information relating to the error object.
  'Parameters: message    -> String containnig the message that relates to the process that caused the error.
  'Return    : BuildError -> Returns a string relating to error object.  
  Function BuildError(message)
     BuildError = "Error " & Err.Number & " (Hex " & Hex(Err.Number) & ") " & message & ". " & Err.Description
  End Function
  'Name       : LogToCentralFile -> Attempts to Appends information to a central file.
  'Parameters : logSpec          -> Folder path, file name and extension of the central log file to append to.
  '           : message          -> String to include in the central log file
  'Return     : LogToCentralFile -> Returns True if Successfull otherwise False.
  Function LogToCentralFile(logSpec, message)
     Dim attempts, objLogFile
     LogToCentralFile = False
     'Attempt to append to the central log file up to 10 times, as it may be locked by some other system.
     attempts = 0
     Do
        On Error Resume Next
           Set objLogFile = objFSO.OpenTextFile(logSpec, ForAppending, True)
           If Err.Number = 0 Then
              objLogFile.WriteLine message
              objLogFile.Close
              LogToCentralFile = True
              Exit Function
           End If
        On Error Goto 0
        Randomize
        Wscript.sleep 1000 + Rnd * 100
        attempts = attempts + 1
     Loop Until attempts >= 10
  End Function
  'Name       : PromptScriptStart -> Prompt when script starts.
  'Parameters : None
  'Return     : None
  Function PromptScriptStart
     MsgBox "Now processing the " & DQ(Wscript.ScriptName) & " script.", vbInformation, scriptBaseName
  End Function
  'Name       : PromptScriptEnd -> Prompt when script has completed.
  'Parameters : None
  'Return     : None
  Function PromptScriptEnd
     MsgBox "The " & DQ(Wscript.ScriptName) & " script has completed successfully.", vbInformation, scriptBaseName
  End Function
  Thanks

  Here is a script that will copy the previous days events and save them to "C:\". The file name be yesterdays date ex "04-18-2010-Events.csv"
  Const strComputer = "."
  Dim objFSO, objWMIService, colEvents, objEvent, outFile
  Dim dtmStartDate, dtmEndDate, DateToCheck, fileDate
  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
  Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")
  'change the date form "/" to "-" so it can be used in the file name
  fileDate = Replace(Date - 1,"/","-")
  Set outFile = objFSO.CreateTextFile("C:\" & fileDate & "-Events.csv",True)
  DateToCheck = Date - 1
  dtmEndDate.SetVarDate Date, True
  dtmStartDate.SetVarDate DateToCheck, True
  Set objWMIService = GetObject("winmgmts:" _
  & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colEvents = objWMIService.ExecQuery _
  ("Select * from Win32_NTLogEvent Where TimeWritten >= '" _
  & dtmStartDate & "' and TimeWritten < '" & dtmEndDate & "'")
  For each objEvent in colEvents
  outFile.WriteLine String(100,"-")
  outFile.WriteLine "Category = " & objEvent.Category
  outFile.WriteLine "ComputerName = " & objEvent.ComputerName
  outFile.WriteLine "EventCode = " & objEvent.EventCode
  outFile.WriteLine "Message = " & objEvent.Message
  outFile.WriteLine "RecordNumber = " & objEvent.RecordNumber
  outFile.WriteLine "SourceName = " & objEvent.SourceName
  outFile.WriteLine "TimeWritten = " & objEvent.TimeWritten
  outFile.WriteLine "Type = " & objEvent.Type
  outFile.WriteLine "User = " & objEvent.User
  outFile.WriteLine String(100,"-")
  Next
  outFile.Close
  MsgBox "Finished!"
  v/r LikeToCode....Mark the best replies as answers.

• Error 41 - Kernel Power in event log after clean shutdown - Windows 8.0

  HP Envy H9-1405A - 16MB RAM,  Windows 8.0, and up to date with updates. (16 months old but under extended h/w warranty).  All user data backed-up daily.
  After problems earlier today I noticed that after a controlled shutdown and start from cool (ie on/off button on PC, not mains power at the wall) the startup took over 10 minutes.  Event browser showed error 41 - Kernel Power - "after system crash or lost power unexpectedly",  which it definitely hadn't as I was testing a controlled shutdown.
  When starting from overnight sleep mode this morning it came up with  blue screen and an error mssage something like 'hard disk driver error', or similar (before first coffee so I wasn't really awake).  PC wouldn't restart in anything like reasonable time until powered off at wall, after which it struggled up and ran normally for a while.  Went out for a couple of hours and on return again the PC wouldn't re-start from sleep mode.  Again used the wall power switch to effect the restart and PC and after very slow restart it ran normally.  Event log showed Startup Repair ran due to a corrupted registry hive, and reboot used an earlier version.
  Checkdisk ran clean and the HP Support Assistant diags just looped for ever.
  I then tried a system restart, which worked but took a long time, and then a controlled power down and start from cool which also took a long time as described above.  I've temporarily turned off sleep mode so as to keep working.
  Question - do I have a transient software problem which might be fixable with Recovery, or failing hardware that should be covered by warranty, and where might I find some hardware diagnostics to show to the supplier?  Thanks.

  Hello @mikerb,
  I have read your post on how your desktop computer is displaying an error message in regards to a Kernel event log, and I would be happy to assist you in this matter!
  To further diagnose this issue, I recommend following the steps in this document on Windows Kernel event ID 41 error "The system has rebooted without cleanly shutting down first". This should help to resolve the critical error message.
  Just to be on the safe side, I also suggest following this resource on Testing for Hardware Failures (Windows 8); which should help determine if there is a hardware defect with one or multiple hardware components on your computer.
  Please re-post with the results of your troubleshooting, and I look forward to your reply!
  Regards
  MechPilot
  I work on behalf of HP
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the right to say “Thanks” for helping!

• Reporting Services not automatically starting. System event log 7009, Application event: 18456

  For the past month (since Oct 11,2012)  reporting services (SSRS 2008R2) is not starting after the server is rebooted. The service is set to automatically start and starts manually without a problem.  The system event log contains the following error:
  Event ID 7009: A timeout was reached (30000 milliseconds) while waiting for the SQL Server Reporting Services (MSSQLSERVER) service to connect.
  SQL logs :
  The SQL logs has many "Event 18456 Login Failed, State 38" errors when the database engine starts. I assume clients conections are failing because the databases  aren't online yet. None of these 18456 errors coorespond to the account reporting services
  runs under.
  The SQL logs indication Event 7009 occures before the "ReportingServer" database is online so im assuming there is a dependancy but I don't know how to avoid this.
  This problem is occuring on a number of our servers running SSRS (if not all)
  Any ideas?
  Paul

  Hi A141695,
  For Event ID 7009, you can try to do the steps below to resolve it.
      1. Click Start, click Run, type regedit, and then click OK.
      2. Locate and then click the following registry subkey:
          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
      3. Right-click Control, point to New, and then click DWORD Value.
      4. In the New Value #1 box, type ServicesPipeTimeout, and then press ENTER.
      5. Right-click ServicesPipeTimeout, and then click Modify.
      6. Click Decimal, type the number of milliseconds that you want to wait until the service times out, and then click OK.
  For example, to wait 60 seconds before the service times out, type 60000.
  Quit Registry Editor, and then restart the computer. For more information about it, please see:
  http://www.sqlservercentral.com/Forums/Topic850540-1550-1.aspx#bm851211
  http://myitforum.com/myitforumwp/2012/08/22/configmgr-2012-sms_srs_reporting_point-component-failure/
  If you have any questions, please feel free to ask.
  Regards,
  Charlie Liao
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.

• Cannot open eventlog service on computer '.'. (Windows Event Log service doesn't exist)

  This problem used to be solved after moving a computer object into the appropriate OU and restarting, and if that didn't work, it used to be solved when uninstalling and reinstalling Microsoft FEP (restarts in-between).  Now, the only way to access
  event logs is by logging in as a domain admin, or by accessing event logs through remote manage.
  If a machine object is added to the domain, dropped into the computers container, and restarted, we get this error when going into Computer Management:
  "Cannot open eventlog service on computer '.'."
  The original problem was noticed on our VMs, but I also tried it with a Lenovo Windows 7 build out of the box, added it to our domain, and the problem occurred. When our desktops are built, SCCM's task manager drops it into the appropriate OU immediately,
  so desktops don't have issues.  With VMs, they are dropped into the computers container and restarted, so once this problem occurs, it almost never leaves.  SOMETIMES, removing it from the domain solves the problem, but not always.
  I've tried all of the suggestions I've seen online and none of them have worked, such as cleaning up the policies (through registry, and the appropriate system folders), adding the proper NTFS permissions on the RtBackup folder and %SystemRoot%\System32\winevt\logs, netsh
  winsock reset, cleanboot, etc.
  I did notice that I'm unable to find the NT Service\EventLog user group. I wanted to add it to %systemroot%\system32\winevt\logs, but the group cannot be found on the local computer. Even if that's the problem, why is it missing?
  It doesn't seem like anyone else on the internet gets this exact error.

  Hi Kate!
  Yes, the Windows Event Log service is missing. I had already tried your method (#3), and I did try it again. This is the error I get:
  "The specified service already exists."
  If you check services.msc, it's still not there. If you try to start the Event Viewer, the same error comes up:
  Cannot open eventlog service on computer '.'.
  Hi, 
  Please check for the existence of this key. If not found, create a *.reg file from another machine and import.
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
  Then, check the issue again.
  If this doesn't work, let's run System file checker tool to repair system:
  Run SFC command in elevated command prompt
  SFC /scannow
  Any error message, please post here to let me know.
  Keep post.
  Kate Li
  TechNet Community Support

• Connection Timeout Expired in Windows Event Logs

  I just recently installed SharePoint 2013 SP1 on a Windows Server 2008 R2 SP1 server and have been receiving this error message in the Windows Event logs:
  Cannot connect to SQL Server.  <database server name> not found.  Additional error information from SQL Server is included below.
  Connection Timeout Expired.  The timeout period elapsed during the post-login phase.  The connection could have timed out while waiting for server to complete the login process and respond; Or it could have timed out while attempting to create
  multiple active connections.  The duration spent while attempting to connect to this server was - [Pre-Login] initialization=12; handshake=6; [Login] initialization=0; authentication=0; [Post-Login] complete=14000;
  I have never seen this error message before in my life on any prior installation of SharePoint that I have ever done.  It is only occurring on this one particular installation of SharePoint.  The environment is corporate built, so I have no idea
  as to how to troubleshoot or determine the root cause of this error message.
  I looked at the value of the database-connection-timeout in stsadm and it gets back a value of 15, however, I am unable to alter the database connection timeout using stsadm since I either get an "Object reference not sent to an instance of an object"
  error message or "This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database.  To connect this server to the server farm, use the SharePoint
  Products Configuration Wizard, located on the Start menu in Microsoft SharePoint 2010 Products."
  Please advise. 

  What is specification of your SQL server? i think its more CPU, RAM, I/O issue with SQL server.
  under which account you are running the stsadm command?
  check this one
  http://stackoverflow.com/questions/21230927/sql-azure-the-timeout-period-elapsed-during-the-post-login-phase
  may be you fall in this bug
  http://connect.microsoft.com/VisualStudio/feedback/details/821803/connection-timeout-expired-the-timeout-period-elapsed-during-the-post-login-phase
  Please remember to mark your question as answered &Vote helpful,if this solves/helps your problem. ****************************************************************************************** Thanks -WS MCITP(SharePoint 2010, 2013) Blog: http://wscheema.com/blog

• SRUDB.dat Event Log - about 117 per hour!

  After getting my first Windows 8 Blue Screen (I made it one year and one month from the purchase of a new Lenovo Laptop) I checked the event log.  I am getting approximately 2 of these errors EVERY MINUTE!
  I looked up what was running under this process id and these are the services:
  svchost.exe                   1724 BFE, DPS, MpsSvc
  Base Filtering Engine, Diagnostic Policy Service, Windows Firewall
  Makes me think this is a network driver issue, but my wireless and cabled network both perform well.
  svchost (1724) SRUJet: The database page read from the file "C:\WINDOWS\system32\SRU\SRUDB.dat" at offset 7938048 (0x0000000000792000) (database page 1937 (0x791)) for 4096 (0x00001000) bytes failed verification due to a page checksum mismatch. 
  The stored checksum was [a042abbbf0884b06] and the computed checksum was [00000791fd3b01cb].  The read operation will fail with error -1018 (0xfffffc06).  If this condition persists then please restore the database from a previous backup.  This
  problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
  Ran checkdisk in offline mode "chkdsk /f
  /r" with no bad sectors reported.  Also ran system file checker "sfc /scannow "
   and Deployment Image Servicing and Management "DISM.exe /Online /Cleanup-Image /RestoreHealth " successfully.
  Updated Anti-Virus (Avast Free) and ran boot time scan which shows 1 CAB file as corrupted. 
  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp>dir
   Volume in drive C is Windows8_OS
   Volume Serial Number is 706C-5AB7
   Directory of C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
  03/11/2015  11:27 PM       127,159,032 mpam-8ca7e919.exe
  03/23/2015  08:23 PM        22,913,024 mpam-abc6940c.exe
  03/23/2015  08:25 PM             8,642 MpCmdRun.log
                 3 File(s)    150,080,698 bytes
                 2 Dir(s)  857,925,300,224 bytes free
  Any idea how to repair this file assuming that is the issue?
  Otherwise, how to stop the twice a minute event logs? 

  svchost (1820) SRUJet: The database page read from the file "C:\WINDOWS\system32\SRU\SRUDB.dat" at offset 7938048 (0x0000000000792000) (database page 1937 (0x791)) for 4096 (0x00001000) bytes failed verification due to a page checksum mismatch. 
  The stored checksum was [a042abbbf0884b06] and the computed checksum was [00000791fd3b01cb].  The read operation will fail with error -1018 (0xfffffc06).  If this condition persists then please restore the database from a previous backup.  This
  problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.
  System
  Provider
  Name]
  ESENT
  EventID
  474
  Qualifiers]
  0
  Level
  2
  Task
  2
  Keywords
  0x80000000000000
  TimeCreated
  SystemTime]
  2015-04-14T23:39:00.000000000Z
  EventRecordID
  229398
  Channel
  Application
  Computer
  JMOORE-Z710
  Security
  EventData
  svchost
  1820
  SRUJet:
  C:\WINDOWS\system32\SRU\SRUDB.dat
  7938048
  (0x0000000000792000)
  4096
  (0x00001000)
  -1018
  (0xfffffc06)
  [a042abbbf0884b06]
  [00000791fd3b01cb]
  1937
  (0x791)