Windows Event ID Search

Test Post

2011-06-23T11:35:00.003-07:00

Event ID 6527 - Windows 2008 Server

2009-03-29T18:22:00.000-07:00

zone transfer from BIND to Windows
2008 DNS is not working correctly (usually, only SOA record is updated).
Also event 6527 is logged on Windows 2008.

Please understand we need some information to verify this issue. Before
going further, please help confirm this question with me:

Question : please double confirm: when you click "Reload from Master" on
Windows 2008, will DNS zone transfer finish successfully?

Thank you.

Problem Analysis:
==================================
Based on my research, event 6527 usually occurs if one of the following is
true:

1. Primary DNS zone has incorrect records.
2. Network between primary and secondary Server is not stable.

To troubleshoot this issue, we have to collect MPS report and network
monitor utility first. Thank you.

Troubleshooting Plan:
==================================

Suggestion : Try a Windows DNS zone:
======
1. please create a new forward lookup zone on Windows 2003 Server, and set
it to allow DNS zone transfer to Windows 2008.
2. create a new secondary DNS zone on Windows 2008, set the master Server
as Windows 2003.
3. please check if this DNS zone transfer works or not.

We will try this step to verify from which point we should start
troubleshooting. Thank you.
_________________
Step by step troubleshooting VISTA sharing
http://www.chicagotech.net/netforums/viewtopic.php?t=273

Troubleshooting Vista Wireless
http://chicagotech.net/netforums/viewtopic.php?t=300

Event ID 5805 - Net Logon

2009-03-29T18:20:00.000-07:00

Event ID 5805 - Net Logon

Cause: A machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name, or the computer name has not replicated to every domain controller.

Event 6005 is Logged on Windows 2008

2009-03-29T18:10:00.000-07:00

Issue:
===========
event 6005 is logged on Windows 2008.

Assessment:
===========
Based on the discussion, we suspect the event 6005 is caused by Initial synchronization
of Active directory partitions. And this event is stopped when FSMO roles
are transferred to Windows 2008 Server. This is because Windows 2008 has
different loading logical for these partitions, especially, DNS partitions.
Also, it is recommended to host FSMO roles on Windows 2008 Server.

Resolution:
===========
Transfer FSMO roles to Windows 2008 Server.

Useful Article:
============
Windows Server? 2008 Active Directory? Domain Services
http://technet.microsoft.com/en-us/library/cc268216.aspx

Step by step troubleshooting VISTA sharing
http://www.chicagotech.net/netforums/viewtopic.php?t=273

Troubleshooting Vista Wireless
http://chicagotech.net/netforums/viewtopic.php?t=300

IP address to uniquely identify visitors

2008-07-14T21:12:00.001-07:00

Can I use IP address to uniquely identify visitors?
Not reliably.

Depending on the method of the user's connection, he or she may be sharing a single IP address with dozens of other users (as in the case of a corporate office accessing through a single server) or with thousands of other users (as in the case of AOL's huge proxy servers).

You could uniquely identify users by storing their information in a database on your side, and store a cookie on their machine that simply stores the primary key of the table, so you can look up their data easily (though you may want to encode it to prevent tampering). You could also store *all* information in a cookie. Both of these solutions, of course, require that cookies are enabled (which cannot always be relied upon, unless you require it for access to your site), and that they are persistent between visits.

A method I've used for maintaining state without cookies / session variables is to pass primary key information from page to page in hidden forms. For a simple example of doing this, check out our cookieless shopping cart article. You could easily extend this to add a username and password so people could look up their data on a successive visit.

Event ID 5

2008-07-14T21:10:00.000-07:00

How do I solve 'Event ID 5' errors?

Event ID 5 seems to be the generic catch-all ASP error logged to the event log. There is probably a lot more out there than what we've compiled here, but hopefully the following list of symptoms / resolutions will help you.

If you are seeing the following errors:

Script Engine Exception. A ScriptEngine threw expection 'C0000005'
in 'IActiveScript::SetScriptState()' from 'CActiveScriptEngine::ResetToUninitialized()'

or

Script Engine Exception. A ScriptEngine threw expection 'C0000005'
in 'IActiveScript::Close()' from 'CActiveScriptEngine::FinalRelease()'..

or

File /.asp. Unexpected error. A trappable error (C0000005)
occurred in an external object. The script cannot continue running.

This is usually an access violation error, but since it's coming from a component that the error message fails to identify, the only advice I can offer is to follow a similar debugging path as the ASP 0115 error (see Article #2171 and KB #262187). Sometimes the error is accompanied by an Event ID 4014 error, which can often contain CLSID information that will lead you to the component causing the error (you can search for the IID / CLSID string in the registry).

Before you go the long debugging route, however, consider upgrading the server to the most recent version of MDAC (MDAC Download Page) and the latest scripting engines (see Microsoft Script Downloads) and reboot... and make sure your server has the latest updates (see Article #2151). While this is not a proper, 'feel-good' debugging effort, the above steps have often resolved the problem entirely.

If you are getting an E06D7363 error in the following form:

Script Engine Exception. A ScriptEngine threw expection 'E06D7363'
in 'IActiveScript::SetScriptState()' from 'CActiveScriptEngine::ResetToUninitialized()'.

or

Script Engine Exception. A ScriptEngine threw expection 'E06D7363'
in 'IActiveScript::Close()' from 'CActiveScriptEngine::FinalRelease()'.

Uninstall Norton CrashGuard, as it is infamous for 'inventing' errors in kernel32.dll with this error code.

If these errors are accompanied by the following ASP errors:

Active Server Pages, ASP 0241 (0x80004005)
The CreateObject of '(null)' caused exception E06D7363.

or

Active Server Pages, ASP 0240 (0x80004005)
A ScriptEngine threw expection 'C0000005' in
'IActiveScript::GetScriptState()' from 'CActiveScriptEngine::ReuseEngine()'.

or

Active Server Pages, ASP 0240 (0x80004005)
A ScriptEngine threw expection 'C00000FD'
in 'IActiveScriptParse::ParseScriptText()' from 'CActiveScriptEngine::AddScriptlet()'.

or

Server object, ASP 0177 (0x8007000E)
Ran out of memory

This is probably a permissions issue. Whatever these pages are trying to write to, make sure the anonymous user (IUSR_MachineName) or the authenticated user(s) have access. For example, if you are trying to create a Lotus.NotesSession object, the IUSR account needs write access to the Lotus\Notes\ folder.

If you are using Project Server, you might have the following errors:

File /.asa Line Out of memory. Unable to allocate required memory.

and

Active Server Pages, ASP 0100 (0x80004004)
Unable to allocate required memory.
/ProjectServer/Global.asa, line 18.

This is often caused by global.asa being 'scanned' by Anti-virus programs and other services that might modify and/or lock various files on your server. See KB #323019 for a description and possible workarounds.

If this error is happening from Outlook Web Access, you're probably getting one of the following errors (among others):

A Active Server control or component performed an illegal
ole countinitialized call. Components used by Active Server Pages must
not do this.

or

File /.asp Unexpected error.

You should be able to eliminate the error by reinstalling OWA and the latest Exchange service pack(s), though sometimes it may require reinstallation of IIS as well. Also, see KB #196016 (XWEB: Outlook Web Access Fails Intermittently) and the OWA Troubleshooting Whitepaper.

If you are getting the following error:

The description for Event ID ( 5 ) in Source ( Active Server Pages )
could not be found. It contains the following insertion string(s):
File /.asp Unexpected error.

or

File /.asp Line 0 Out of memory. Unable to allocate required memory.

One possible kludge, or at least help in narrowing down the component causing the problem, is to increase the application protection to high (isolated).

If you are getting the following error:

Error while reading default settings. please do regsvr32 asp.dll.

This message can be ignored (see KB #290612), and re-registering asp.dll will probably not eliminate the error message anyway.

Rebuild the SYSVOL tree when none exists in Active Directory

2008-07-14T21:09:00.000-07:00

Knowing how to rebuild the SYSVOL tree from scratch isn't a skill that you'll use every day, but it's definitely one that you'll be glad you have.

Recently I talked to a Windows admin who had trouble promoting the second DC in a domain. It seems that AD replication was working and DNS was healthy, but FRS was not. No SYSVOL or Netlogon share, no SYSVOL tree on the second domain controller. The FRS event log was logging Event ID 13508 events but no 13509 events.

Tried forcing SYSVOL replication, using KB 290762 -- setting BURFLAGS value on the PDC to D4 and on the other DC to D2 -- but something went wrong and it wiped out the SYSVOL tree on the primary domain controller. It was as if it had replicated the empty SYSVOL to the PDC instead of the other way around. So we had no SYSVOL tree on either DC.

Yes, we could have started from scratch, but that would not have been a good political decision. And we really didn't have root cause to justify it.

The solution was to create the SYSVOL tree, including junction points and proper ACLs. Of course, we also had to create the default domain policy and the default domain controller policy.

There is a decent article on the Microsoft Help and Support site, KB 315457 How to rebuild the SYSVOL tree and its content in a domain, but like many articles of this nature, Microsoft tries to cover all the bases. At least for me, it was hard to follow at times.

In addition, the Microsoft's KB assumes you have a SYSVOL tree in the domain -- which we did not -- so we had to generate a new default domain policy and default domain controller policy. We ran into an additional problem with other policies that had objects in AD but did not exist in SYSVOL.

I would recommend referring to the KB for details, but this is how you solve the problem of no SYSVOL on any DCs.

Step 1: Stop the FRS service on both DCs and create the SYSVOL tree on the PDC. This is pretty basic. Use Windows Explorer or a command prompt. I used a good DC I had in a lab as a guide. The tree looked like this:

SYSVOL
Domain

DO_NOT_REMOVE_NtFrs_PreInstall_Directory

Policies

Scripts

Staging

Staging Area

SYSVOL

Corp.net

Step 2: Set the ACLs. We just left the default ACLs on all directories except the DO_NOT_REMOVE_NtFrs_PreInstall_Directory. Again, looking at my lab domain, we removed all users and groups except domain administrators and System I and defined both of them to have "Special Permissions" only. I also set the "DO_NOT_REMOVE" directory attributes to Hidden and Read.

Step 3: Create the junction points. Remember the junction points connect a "real" directory to a "mirrored" directory. The \SYSVOL\domain is the real (Source) directory connected to \SYSVOL\SYSVOL\corp.net, a junction point. \SYSVOL\Staging\Domain is the real (Source) directory connected to \SYSVOL\Staging Areas\Corp.net.

KB 315457 shows how to determine the actual source directory if you need that information, but here is what we did:

Using the linkd command,

linkd "%systemroot%\SYSVOL\SYSVOL\Corp.net" %SYSTEMROOT%\SYSVOL\DOMAIN
linkd "%systemroot%\Sysvol\staging Areas\Corp.net" %systemroot%\sysvol\Staging\Domain

Step 4: Rebuild default domain policies. Using the DCGPOFix tool, available from Microsoft's download site, this was pretty easy. Just run the tool and it asks if you want to create a new default domain policy (answer yes) and if you want to create a new default domain controllers policy (answer yes). At this point, we double-checked to make sure the SYSVOL tree and the policies were all correct.

Step 5: Replicate SYSVOL. We had already found that using KB 290762 wiped out SYSVOL on the PDC, so we didn't want to do that again. Because we only had two DCs and because the file replication service had been stopped, it seemed logical that starting the FRS -- first on the PDC and then the other DC -- would jump-start FRS. SYSVOL was replicated, and we had the SYSVOL share.

This next part isn't really a step. It's something we ran into that you should be aware of. After Step 5, SYSVOL was shared but not NETLOGON. When SYSVOL was deleted from the PDC, it also deleted two custom Group Policies. When SYSVOL was replicated after the rebuild, errors were logged in the event log complaining about these two policies. Using ADSIEdit, we went to Corp.net\system\Policies and deleted the objects for the two deleted policies. Soon, the Netlogon share appeared, and the 1704 event in the application log validated replication of policy.

After doing an operation like this, it's a good idea to check the event logs for related errors and create a sample GPO and see if it replicates.

Event ID 4786

2008-07-14T20:54:00.000-07:00

Operating Systems Windows Server 2008
Category Account Management
Subcategory Application Group Management
Type Success
Legacy Events 690

The user in Subject: removed Member: from the application group identified in Group:.

Application groups are part of Windows's role based access control for applications and are maintained in the Authorization Manager MMC snap-in.

This event does not report the common name (cn) of the group you are accustomed to seeing in Authorization Manager where application groups are maintained. This is really bad because the account name reported in this event isn't displayed anywhere in Authorization Manager. To find out the common name of the group look for the Directory Service Changes events immediately following this event which do report the common name.

Event ID 3025

2008-07-14T20:52:00.000-07:00

The Windows Search service indexes information about the contents of your hard disk to facilitate your searches, making them much faster and more accurate.

Event Details
Product:
Windows Operating System

ID:
3025

Version:
6.0

Symbolic Name:
EVENT_GATHER_CRITICAL_ERROR

Message:
Critical error %2 occurred, and the index was shut down. The system is probably low on resources. Free up resources and restart the service.%1

Resolve
Free resource and restart the service
Determine whether your computer is low on system resources such as CPU performance, disk input/output (I/O) performance, or memory, and then restart the Windows Search service.

To identify what is causing your system to be low on resources, you can generate a System Diagnostics Report by using Reliability and Performance Monitor, or you can use Resource Monitor to determine (in real time) which applications or services are using too many system resources.

To generate a System Diagnostics Report, which will present system information collected for 60 seconds, use the procedure in the "Generate a System Diagnostics Report" section in this topic. To use Resource Monitor to monitor system resources in real time, use the procedure in the "Start Resource Monitor" section.

To perform these procedures, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Generate a System Diagnostics Report
To collect system information for 60 seconds and generate a System Diagnostics Report:

1.
Open an elevated Command Prompt window. (Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.)

2.
At the command prompt, type perfmon /report and then press ENTER. Reliability and Performance Monitor will start collecting data to create the System Diagnostics Report.

3.
When the report is ready for viewing, locate the Diagnostic Results section of the report and check for any Warnings. You can follow links to additional help on resolving warnings from this section. In addition, you can expand each category in the Basic System Checks section to see more details about why warnings appear. Also, the Performance section provides process-level details about top consumers of resources.

Start Resource Monitor
To start Resource Monitor:

Important: Resource Monitor stops collecting information while a System Diagnostics Report is being generated. To start collecting information after a System Diagnostics Report has been completed, click Start in Monitor.

1.
Open an elevated Command Prompt window. (Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.)

2.
At the command prompt, type perfmon /res and then press ENTER. Resource Monitor will start running.

3.
Four scrolling graphs in the Resource Overview pane display the real-time usage of CPU, Disk, Network, and Memory. Four expandable sections below the graphs contain process-level details about each resource. Click the resource labels to see more information, or click a graph to expand its corresponding details. You can use the real-time usage information to identify top resource consumers. Click a column heading to sort the data in the table by the criterion in that column. Click the column heading again to reverse the sort order.

Restart the Windows Search service
To restart the Windows Search service:

1.
Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2.
At the command prompt, stop the Windows Search service by typing net stop wsearch.

3.
Restart the Windows Search service by typing net start wsearch.

Verify
To verify that files are being indexed:

1.
Click Start and then click Run.

2.
In the Run dialog box, type notepad.exe. Notepad should open.

3.
Type an unusual keyword or phrase in the new document, and then save the file to your My Documents directory or to another directory that is being indexed.

4.
Click Start, and then type your new keyword or phrase in the Search box. The file you created using Notepad should appear in the Search Results window.

Event ID 1218

2008-07-03T22:57:00.000-07:00

Event ID 1218 - You do not have access to logon to this Session.

1. Windows 2000 domain controllers running Terminal Services configured to use Remote Administration mode do not permit regular user logon, with the exception of two concurrent administrator accounts for server management. When a user attempts to connect to a Windows 2000-based domain controller running Terminal Services configured to use Remote Administration mode, the following error message is generated: You do not have access to logon to this Session.

2. Windows 2003 domain controllers running RDC do not permit regular user logon, with the exception of administrator accounts.

3. The user attempting to log on does not have sufficient permissions on the appropriate RDP-TCP connection. Modify the RDP-TCP permissions by using Terminal Services Configuration to grant the user or group the logon permission.

4. Terminal Services has a default connection security setting allows only administrators to log on. If the security attributes on a specified connection have not been set, the connection inherits these default security settings.

&&

Event ID 1106 & 1111

2008-07-03T22:55:00.000-07:00

Event ID 1106 – The printer could not be installed

Event ID 1111 – Driver Printer_name required for printer_Server Name_Shared nameis unknown.

Symptoms: when logon TS, System Event Viewer may receive the above messages.

Resolution: 1. Install the printer drive in the TS server.

2. You have to edit the Ntprint.inf file to fix this problem.

**

Event ID 1054

2008-07-03T22:53:00.000-07:00

Event ID 1054: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted). Group Policy processing aborted.

Symptoms: Your XP computer may experience an extremely slow logon when connecting to the domain. You also receive the Event ID 1054 in the application event log:

Event ID: 1054
Source: Userenv
Type: Error
Description:

Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted). Group Policy processing aborted.

Resolutions: This is mostly like DNS issue and it occurs because the client may not be able to reach the DNS or the configured preferred DNS server on the client is not valid.

If all XP computers have the same problem, check the DNS server settings; if only a few xp computers have this problem, make sure they have correct DNS settings. You may use ipconfig or nslookup to troubleshoot.

**

Event ID 1053

2008-07-03T22:52:00.000-07:00

Event ID 1053 - Userenv

Symptoms: your w2k/xp clients may receive this Event ID 1053 - Windows cannot determine the user or computer name. (). Group Policy processing aborted. Or error: "The specified user does not exist."

Resolutions: 1. Make sure that your internal DNS server is the server for the domain you are logging in to.

2. Verify the DNS Settings. This will occur if your DNS server is unable to resolve information about your domain.

3. Delete the problem computer from DNS records and re-create it.

**

Event ID 1051

2008-07-03T22:51:00.000-07:00

Event ID 1051: The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: yourdomainname.com

RESOLUTIONS:
1. Delete the DHCP on the router if you have two DHCP, one on the router and another one on your MS server.

2. Delete the DHCP servers from Active Directory Sites and Services, and then reauthorize the DHCP servers.

3. Authorize the DHCP servers by using Adsiedit.msc, which is an administrative tool included in the w2k support tools CD.

**

Event ID 1041

2008-07-03T22:50:00.000-07:00

Event ID 1041 - The DHCP service is not servicing any clients because none of the active network interfaces have statically configured IP addresses or there are no active interfaces.

Causes: 1. Bad NIC.
2. Incorrect NIC hardware settings.
3. Incorrect TCP/IP settings.

@@

Event ID 1010

2008-07-03T22:45:00.000-07:00

Event ID 1010 - Perflib

Symptoms: The Event Viewer may shows Event ID 1010 ""The Collect procedure for the "tcpip" service in DLL "C:\WINNT\SYSTEM32\PERFCTRS.DLL" generated an exception or returned an invalid status. Performance data returned by counter DLL will not be returned in perf data block."

Resolutions:
1. Changing to 0 the value of the register [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Performance]
or refer to MS Q300956.

2. Download and install exctrlst.exe from Resource kit from Microsoft web site. Mark tcpip and reboot the server.

##

Event ID 1000 and 1001

2008-07-03T22:44:00.002-07:00

Event ID 1000 and 1001 - Windows cannot read the history of GPOs from the registry

- The computer has rebooted from a bugcheck.

- Security policy cannot be propagated.

- The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).

If a multihomed domain controller does not have File and Printer Sharing bound to it, the following multiple problems are logged or displayed when you attempt to work with Group Policy objects on the domain controller:

1)UserEnv 1000 The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).
2) SceCli 1001 Security policy cannot be propagated. Cannot access the template. Error code = 3. \\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
3) UserEnv 1000 Windows cannot access the registry information at \\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (51).
4) Attempting to gain access to the Group Policy objects by using the Domain Security policy and the Default Domain Controller Security policy displays a "Group Policy Error" error message. The text of the message states: "Failed to Open Group Policy Object. You may not have appropriate rights. Details: The network path not found."
5) Attempting to access the Group Policy objects by using the Active Directory Users and Computers snap-in or Group Policy Editor displays a "Domain Controller for Domain domain name not found" error message. There are several options, none of which work.
6) Attempting to open the Sysvol share by using \\domain name\sysvol causes a "Remote Computer not available" error message.

RESOLUTION:
1) Change the binding order of the network adapters so that the adapter that is listed at the top of the Connections list has File and Printer Sharing bound to it.
2) Make sure File and Printer Sharing for Microsoft Networks is enabled on the interface.
3) Disable unplugged network adapters if you have more than one adapters in the computers.
4) Restore \\winnt\sysvol from a backup.

&&

Event ID 41

2008-07-03T22:44:00.001-07:00

Event ID 41 - Description: The file system structure on the disk is corrupt and unusable.

Causes: 1. The CPUs in your computer are not all at the same stepping level, and Windows writes an informational message to the Event log.
2. Chkdsk reports the wrong text message in the event log.

@@

Event ID 29

2008-07-03T21:47:00.000-07:00

Event ID 29 - W32time

The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.

Resolution: 1. Synchronize the computer with the DC.
2. You may want to setup NTP time. To setup the NTP time on the server, use this command: Net Time /Setsntp:IP_Address or DNS name.

@@

Event ID: 21 and 41

2008-07-03T21:45:00.000-07:00

TS license Error message 0x13A7, or 0x1391. 0x13A4, 0xFA1.

Event ID:21 and 41, Source: TermServLicensing

Symptoms: When trying to install terminal Server CALs in a Terminal Server, you may receive the following errors.

Licensing Wizard was unable to install the client license key pack. Please verify your entry and try this operation again. Message Number 0x13A7, or 0x1391. 0x13A4, 0xFA1.
License already activated.
Event ID: 21, Source: TermServLicensing, Description: The Terminal Server Licensing server (server name) has no permanent licenses for product 'Windows Server 2003 - Terminal Server Per Device CAL Token'. Use Terminal Server Licensing administrative tool to register more licenses. The Terminal Server '10.0.0.15' was refused licenses of type 'Windows Server 2003 - Terminal Server Per Device CAL Token' due to this condition.
Event ID: 41, Source: TermServLicensing, Description: Can't initialize policy module because of error 'Missing Policy module registry entry for product Microsoft Corporation, company 004'
Causes:

You have installed the same license on another server.
You have installed the same license on another unavailable server.
The Terminal Services Licensing component is corrupted or missing.
The Terminal Services registry key has incorrect settings.
You are trying to install a Microsoft Windows Server 2003 CAL pack on a Windows 2000-based license server.

Resolutions: 1. If the Terminal Services Licensing component (Tls236.dll) is corrupted or missing, remove the TS Licensing server and then reinstall it.

2. Make sure that the Terminal Services Licensing registry key contains the correct settings, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TermServLicensing\Policy\MicrosoftCorporation\A02, and the registry subkey contains the following entry:

•
String Name: DLL

•
String Value: %systemroot%\System32\tls236.dll

3. Contact the Microsoft Registration Authority and Clearinghouse at (888) 571-2048 to install the CALs.

@@

Event ID 18

2008-07-03T21:44:00.000-07:00

Event ID 18: authenticator attribute that is not valid

Event Type: Error
Event Source: IAS
Event ID: 18

Description:
An Access-Request message was received from RADIUS client WLC with a message authenticator attribute that is not valid.

Cause and solution: The secure password doesn't match between IAS and AP/WLC. Re-entering fixed the problem.

##

Event ID 14

2008-07-03T21:41:00.000-07:00

Event ID 14: Attempt to set time which differs by more than

Q: Any suggestions?

Event Type: Warning
Event Source: w32time
Event Category: None
Event ID: 14
Description:
Attempt to set time which differs by more than 12 hours aborted
Data:
0000: 00 00 00 00 ....

A: I know the PDC is the Windows 2000 Server. I would like to say the w32time
event 14 is a expected behavior. It is decided by the
MaxAllowedClockErrInSecs registry entry in the following registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters.

The default value is 43,200 (12hours). The recommended value is 900 (15
minutes) or even lower, depending on time source, network condition and
security requirement. This also depends on the poll interval. We recommend
the poll interval to be one hour (Period = 24). We highly recommend that
you configure the authoritative time server to gather the time from a
hardware source. When configure the authoritative time server syncing with
Internet time source, there is no authentication for manual mode. You must
reconfigure the MaxAllowedClockErrInSecs registry entry.

For more information, please view the URL below:

Configuring the Windows Time service against a large time offset
http://support.microsoft.com/kb/884776

Event ID 13

2008-07-03T21:39:00.000-07:00

Event ID 13: RADIUS message was received from invalid client

Situation: The client setup Cisco 1300 wireless bridge for public access, secured wireless using WPA and WPA2-Ent-PEAP. The public and WPA connections work fine. However, WPA2-Ent-PEAP doesn't. The IAS receives Event ID 13 and 1300 bridge receives RADIUS server 10.0.0.12:1645,1645 has returned.

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 13
Computer: IAS

Description:
A RADIUS message was received from the invalid RADIUS client IP address 10.0.30.70.

Troubleshooting: Run IAS and find the IAS doesn't have the AP listed in the RADIUS clients. Added it fixed the problem.

Event ID 11

2008-07-03T21:09:00.000-07:00

There are multiple accounts with name host/printsrv.chicagotech.net of type 10.

Event ID 11

Two same print server names in one Domain.
Situation: Our printer server had a hardware issue. So, we used print migration tool to export the all printers' settings to a new server. Renamed the existing printer server name from printsrv to printsrv1 and then rename the new server as same as the old printer server name printsrv so that we don't need to re-set printers in every workstation. Every thing works fine except we always see two same name printers listed when installing a printer. How can we purge or keep only one printer listed?

Troubleshooting:

Run adsiedit.msc. but can’t find another computer called printsrv.
LostAndFound doesn’t list it either.
We also receive the Event ID 11 - There are multiple accounts with name host/printsrv.chicagotech.net of type 10. That tells us there is a duplicate SPN (ServicePrincipalName) value in the Active Directory tree.
To locate and delete the duplicate SPN:
1) Run LDP. This is an Active Directory search tool included in the Windows 2000/2003 Support Tools.

2) Select Connection Connect OK (with nothing in the Server box).

3) Select Connection Bind OK (with all fields blank).

4) Select View Tree OK (with the BaseDN window blank).

5) Select Browse Search. Set the BaseDN as DC=chicagotech DC=net, where chicagotech is domain name.

6) Set the filter to serviceprincipalname=Host/printsrv.chicagotech.net, where printsrv is the computer to search. Set the scope to Subtree and click Run. The duplicate SPN should appear like below:

***Searching...

ldap_search_s(ld, "DC=chicagotech,DC=net", 2, "serviceprincipalname=host/ printsrv.chicagotech.net ", attrList, 0, &msg)

Result <0>: (null)

Matched DNs:

Getting 2 entries:

>> Dn: CN= printsrv1,CN=Computers,DC=chicagotech,DC=net

1> canonicalName: chicagotech.net/Computers/printsrv1;

1> cn: printsrv1;

1> distinguishedName: CN= printsrv1,CN=Computers,DC=chicagotech,DC=net;

5> objectClass: top; person; organizationalPerson; user; computer;

1> name: printsrv1;

>> Dn: CN= printsrv,CN=Computers,DC=chicagotech,DC=net

1> canonicalName: chicagotech/Computers/ printsrv;

1> cn: printsrv;

1> distinguishedName: CN=printsrv,CN=Computers,DC=chicagotech,DC=net;

5> objectClass: top; person; organizationalPerson; user; computer;

name: printsrv;

Open the ADSI Editor (Adsiedit.msc).
Go to the duplicate SPN value, which you located in step 6, and delete printsrv1. Close the ADSI Editor.
That fixes the duplicate name issue.

$$

Event ID 10

2008-07-03T21:06:00.000-07:00

FTP Folder Error - The connection with the server was reset

I/O Error - Connection reset

Event ID 10 - User administrator at host x.x.x.x has timed-out after 120 seconds of inactivity

Symptoms: When trying to access Windows FTP server, you may have following situations.

1. You receive “FTP Folder Error – An error occurred opening that folder on the FTP server. Make sure you have permission to access that folder – The connection with the server was reset” if you use Internet explorer in a PC.

2. You receive I/O Error - Connection reset.

3. The server Event Viewer lists ID 10 - User administrator at host x.x.x.x has timed-out after 120 seconds of inactivity.

Resolution: 1. For PC users, uncheck Use Passive FTP. To do that, open IE>Tools>Internet Options>Advanced, uncheck Use Passive FTP (for firewall and DSL modem compatibility).

2. For Mac users, select Active (instead of Passive).

3. In the server side, try to turn on TCP port 20 and 21 in your router/firewall.

For Windows system admin stuff - Log on to
http://sytsadmin-stuff.blogspot.com

@@

Event ID 3

2008-07-03T21:04:00.000-07:00

Symptom: When a user tries to use wireless which is setup WPA Enterprise via Windows certificate or IAS, he can’t establish the connection. The Windows IAS receives the following error:

Event ID 3
Event Type: Error
Event Source: IAS
Event Category: None

Description:
Access request for user 2220\blin was discarded.
Fully-Qualified-User-Name = 2220\blin
NAS-IP-Address = 10.0.30.52
NAS-Identifier = REG
Called-Station-Identifier = 0015.f909.a470
Calling-Station-Identifier = 0019.d230.941a
Client-Friendly-Name = AP-C
Client-IP-Address = 10.0.30.52
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 503
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Reason-Code = 5
Reason = The user account domain cannot be accessed.

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 5052
Date: 4/15/2007
Time: 2:32:07 PM
User: N/A
Computer: chicagotech
Description:
There is no domain controller available for domain 2220

Cause and resolution: the user is logging on local computer. To use IAS, he should logon domain.

@@

Event ID 2

2008-07-03T20:58:00.000-07:00

Symptom: The IAS may receive this event;
Event Type: Warning
Event Source: IAS
Event ID 2 - Reason-Code = 8

Description:
User host/4010 was denied access.
Fully-Qualified-User-Name = DOMAIN\host/4010
NAS-IP-Address = 10.0.30.54
NAS-Identifier = REG
Called-Station-Identifier = 0015.c628.8690
Calling-Station-Identifier = 000e.3539.4fd3
Client-Friendly-Name = AP-E
Client-IP-Address = 10.0.30.54
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 3593
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.

Cause and Resolution: The user hasn’t logged on or he specified user account does not exist in the domain.

Event ID 1

2008-07-03T20:56:00.000-07:00

ThinPrint – Incorrect function Error in function number 3, error #: 11e0001

Event ID 1

No suitable protocol found

There was an error found when printing the document “Test Page” to TS003

Symptom: 1. When logon Terminal Server, you may receive “No suitable protocol found”.

2. There is Event ID 1 - ThinPrint – Incorrect function (Printer: ThinPrint Output Gateway Port: Thinport:, Document: Test Page, Error in function number 3, error #: 11e0001).

3. There was an error found when printing the document “Test Page” to TS003.

Causes: 1. The TP Client is not installed in the client.

2 The TP client configuration doesn’t match the TP server configuration. For example, the TP Client is configured as a TCP/IP client while the TP server is configured for RDP client.

@@

Event ID 0

2008-07-03T20:37:00.000-07:00

The following fatal error occurred in the Remote Web Workplace Application

Event ID 0

Symptoms:
1. after logon RWW, you may receive a "Page Not Found” or "The page cannot be d played" message when trying to log on either a client or server.
2. You receive Event ID 0: The following fatal error occurred in the Remote Web Workplace Application after install Windows 2003 SBS SP1.
3. You receive this “Installation Status: Failure. Error Message: An error occurred while copying files for the Administration component. See C:\Program Files\Microsoft Integration\Windows Small Business Server 2003\Logs\SBSMSI-GPMC.LOG for the list of files that were not copied. You may want to run Setup again and reinstall the component” when installing Windows SBS 2003 SP1.

Causes:

1. you installed Windows 2003 SP1 instead of Windows SBS 2003 SP1.
2. The installation of Windows SBS 2003 failed or the downloaded SP1 was corrupted.
3. You have had GPMC 1.02 installed before the SP1.

Solutions:

1. Uninstall Windows 2003 SP1 and install Windows SBS 2003 SP1.
2. Uninstall Windows SBS 2003 SP1 and re-install it following these steps.
3. Uninstall GPMC and re-install it from a file called gpmc.msi from the SBS CD. Re-install the SBS SP1 after reboot.

**

Windows Event ID List and Fixing

2008-07-03T20:25:00.000-07:00

Event ID 1000 and 1001
Event ID 1051:
Event ID: 2011
Event ID: 3095
Event ID: 4319 - Duplicate Names on the Network
Event ID: 4320 - Duplicate name has been detected on the TCP network
Event ID: 7024
Event id: 8021
Event id: 8032

Event ID 1000 and 1001: If a multihomed domain controller does not have File and Printer Sharing bound to it, the following multiple problems are logged or displayed when you attempt to work with Group Policy objects on the domain controller:

1)UserEnv 1000 The Group Policy client-side extension Security was passed flags (17) and returned a failure status code of (3).

2) SceCli 1001 Security policy cannot be propagated. Cannot access the template. Error code = 3. \\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

3) UserEnv 1000 Windows cannot access the registry information at \\domain name\sysvol\domain name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol with (51).

4) Attempting to gain access to the Group Policy objects by using the Domain Security policy and the Default Domain Controller Security policy displays a "Group Policy Error" error message. The text of the message states: "Failed to Open Group Policy Object. You may not have appropriate rights. Details: The network path not found."

5) Attempting to access the Group Policy objects by using the Active Directory Users and Computers snap-in or Group Policy Editor displays a "Domain Controller for Domain domain name not found" error message. There are several options, none of which work.

6) Attempting to open the Sysvol share by using \\domain name\sysvol causes a "Remote Computer not available" error message.

RESOLUTION:
1) Change the binding order of the network adapters so that the adapter that is listed at the top of the Connections list has File and Printer Sharing bound to it.
2) Make sure File and Printer Sharing for Microsoft Networks is enabled on the interface.
3) Disable unplugged network adapters if you have more than one adapters in the computers.
4) Restore \\winnt\sysvol from a backup.

Event ID 1051: The DHCP/BINL service has determined that it is not authorized to service clients on this network for the Windows domain: yourdomainname.com

RESOLUTIONS:
1. Delete the DHCP on the router if you have two DHCP, one on the router and another one on your MS server.

2. Delete the DHCP servers from Active Directory Sites and Services, and then reauthorize the DHCP servers.

3. Authorize the DHCP servers by using Adsiedit.msc, which is an administrative tool included in the w2k support tools CD.

Event ID: 2011 When accessing shares on a server from a client, you may receive "Not enough server storage is available to process this command." error. .

Resolution: The registry value IRPstackSize may be not explicitly present. To increase the value of the parameter, go to the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ LanmanServer\Parameters. If the key is not present, choose Add Value in the Registry Editor. The Value Name should be IRPStackSize and the Data Type is REG_DWORD. Refer to MS Q106167 and Q177078 for more details.

Event ID: 3095 - Source: NETLOGON - This Windows NT computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

RESOLUTION:
1. Since the Netlogon service should not be configured to start automatically on a server that is not a domain member (a stand-alone server ora non-networked Windows NT-based computer), configure the Netlogon service so that its startup type is set to "Manual."

2. Make workstation service is running and restart

Event ID 4319: Duplicate Names on the Network

SYMPTOMS: When you start the computer, the NetBIOS name resolution over your Transmission Control Protocol/Internet Protocol (TCP/IP)-based network may not succeed, and Event Viewer may report Event ID 4319 with the following error message: A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to check which name is in the conflict state.

RESOLUTION:
1) To resolve this issue, delete the static WINS mappings and clean (scavenge) the WINS database. To delete the static mappings, go to WINS Manager>Mappings Static Mappings>WINS Static Mapping, and then click Delete Mapping. To clean the WINS database, click Initiate Scavenging in WINS Static.

2) If the server is a multihomed WINS server, disable the WINS client on one of the network adapters. To disable the WINS client, go to Control Panel>Network>Bindings, In the Show Bindings For list, click All Adapters, right-click WINS Client (TCP/IP), and then click Disable.

3) If the WINS service on WINS server stops unexpectedly or does not start again after it is stopped. Obtain the latest service pack for Windows 2000.

Event ID 4320 - Source: NetBT. Description: Another machine has sent a name release message to this machine probably because a duplicate name has been detected on the TCP network. The IP address of the node that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state. This article may also apply to Event ID: 4319.

Resolutions:
1. If two computers on the Network with the same name, use the nbtstat -n command to find out these two computers, for example, using nbtstat -n to check the name and ip of the local computer, and then using nbtstat -a command with the IP address to get the another computer name.

2. If identical username is logging on to multiple computers, the usernames will register with a <03h>, and that may cause the name conflict in the network. Ask the user to log off of all computers and log back on to just one computer.

3. This may be occurred because of inactive or duplicate names in the WINS Database. Go to the WINS server, check the database and delete the inactive or duplicated names.

4. This my be occurred because of a possibly corrupted DHCP database. To clear DHCP related entries or clean out old settings in the registry, delete any .mib files, and then reinstall DHCP.

5. This may be occurred because of conflicting NICs in a Multihomed Computer. To fix this problem, you may want to stop Computer Browser service or uncheck one of Client for MS Network.

6. This may be ocurred because IPCONFIG /ALL returns incorrect host name. To change computer name in the TCP/IP parameters section, run regedit.exe, and locate the HOSTNAME value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip \Parameters, and then edit the string data.

Event ID: 7024 - Source: Service Control Manager - The Net Logon service terminated with service-specific error 3095.

Resolution: refer to Event ID: 3095

Event id: 8021 - Source: Browser - Description: The browser was unable to retrieve a list of servers from the browser master on the network \device\. The data is the error code.

Resolution: Fixing Browser Problem.

Event id: 8032 - Source: Browser - Description: The browser service has failed to retrieve the backup list too many times on transport of . The backup browser is stopping.

Resolution: Fixing Browser Problem.

Read for Windows system administration stuff on

http://sysadmin-stuff.blogspot.com

*****

Manually rebuild Performance Counter Library values

2008-06-16T18:49:00.000-07:00

<=================================================>

How to manually rebuild Performance Counter Library values

SUMMARY

This article describes how to manually rebuild the performance counter library values.

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

(http://support.microsoft.com/kb/322756/)
How to back up and restore the registry in WindowsWhen you use the System Monitor tool, some counters may be missing or do not contain counter data. The base set of performance counter libraries may become corrupted and may need to be rebuilt along with any extensible counters. This behavior may occur if certain extensible counters corrupt the registry, or if some Windows Management Instrumentation (WMI)-based programs modify the registry. Extensible counter information is stored in both of the following locations:
•
The following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Perflib\009
•
The %Systemroot%\System32\Perfc009.dat file and the %Systemroot%\System32\Perfh009.dat file.To rebuild the base performance counter libraries manually:

1.
Expand the Perfc009.dat file and the Perfh009.dat file. These files are located on the Windows 2000 CD-ROM. The compressed files are found at DriveLetter:\i386\perfc009.da_ and at DriveLetter:\i386\perfh009.da_. Replace the files that are in the %Systemroot%\System32 folder.

2.
Start Registry Editor, and then locate the following key in the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib

3.
In the registry, change the LastCounter value to 1846 (decimal), and change the LastHelp value to 1847 (decimal).

4.
Locate the following registry key to search for services that have a Performance subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

5.
Remove the following values from the Performance subkey (if they exist):

•
FirstCounter
•
FirstHelp
•
LastCounter
•
LastHelpYou can also use the Exctrlst.exe tool to locate the performance counter dynamic-link library files (DLLs) that are installed, and then access the registry to remove the DWORD values. You now have a workable performance registry that contains only system base counters.After you have completed this procedure, you must re-add the extensible counters from the list of services. Before you do so, however, you must identify the .ini file that is used to load the counters:

1.
Open a command prompt window.
2.
At the command prompt, type cd %Systemroot%\System32, and then press ENTER.
3.
At the command prompt, type findstr drivername *.ini, and then press ENTER.
4.
Note the name of the .ini file for each drivername in the list.
5.
At the command prompt, type the following line, and then press ENTER:
lodctr inifilewhere inifile is the name of the .ini file for the driver that you want to reload. For example, if you want to reload the ASP driver, the list that you noted in step 4 shows that Axperf.ini is the .ini file for the ASP driver (axperf.ini:drivername=ASP). Therefore, to reload the ASP driver, type lodctr axperf.ini at the command prompt, and then press ENTER.
6.
Repeat step 5 for each .ini file in the list.
7.
Restart your computer.To rebuild all Performance counters including extensible and third party counters in Windows Server 2003, type the following commands at a command prompt.

Press ENTER after each command.

cd \windows\system32

lodctr /R

Note /R is uppercase.

Windows Server 2003 rebuilds all the counters because it reads all the .ini files in the C:\Windows\inf\009 folder for the English operating system.

Note
If you are running a Cluster or Datacenter product, you must fail over the node to refresh the counter list after doing the preceding steps for both base counters and extensible counters.Note On systems that are running applications that add their own performance counters, such as Microsoft Exchange or SQL Server, the .ini file that is used to load the performance counter may not be located in %Systemroot%\System32. These .ini files can usually be found under the applications folder structure.Note If you receive an error message about the performance library when you use the preceding steps, you may have to unload and reload the IIS performance dynamic link libraries (DLLs). For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

267831 (http://support.microsoft.com/kb/267831/) Event ID 2003 Warning message logged when loading performance counters

<=================================================>

Event ID 4163

2008-06-16T18:43:00.000-07:00

<========================================>

When you open the Component Services Microsoft Management Console (MMC), your receive:
An error occurred while processing the last operation.

Error code: 8004e00f - COM+ was unable to talk to the MSDTC.The event log may contain additional troubleshooting information.

The Application event log may contain: Event Type: Error
Event ID 4163

Event Source: MSDTC Event
Category: LOG
Event ID: 4163
Description: MS DTC log file not found.

Event Type: Error
Event Source: MSDTC Event
Category: TM
Event ID: 4185
Description: MS DTC Transaction Manager start failed. LogInit returned error 0x2.

Event Type: Error
Event Source: MSDTC Event
Category: SVC Event
ID: 4112

Description:
Could not start the MS DTC Transaction Manager.These erros are a result of a missing or damaged MS DTC (Microsoft Distributed Transaction Coordinator).
Make sure that all Resource Manager that are coordinated by MS DTC have no "in-doubt" transactions.

To fix the problem:

1. Use Windows Explorer to expand the %SystemRoot%\System32\Dtclog folder.

2. If a Msdtc.log file exists, rename it to Msdtc.old.

3. Opens NOTEPAD and save an empty file as %SystemRoot%\System32\Dtclog\Msdtc.log.

5. Open a CMD prompt and type: msdtc -resetlog and press Enter.

<========================================>

Monitoring and Troubleshooting Using Event Logs

2008-06-12T04:21:00.000-07:00

This article reviews best practices for working with Windows event logs including how to interpret event messages, how to configure event logs, how to search and filter events, how to view events on remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.

The event logs on Windows systems are helpful for both troubleshooting when things go wrong and monitoring performance and behavior. An event log is a file that contains events, which are entries to the log that notify the user of some occurrence relating to the operating system or applications running on the system. An event includes information about the type of occurrence, the date and time when it occurred, the computer where it happened and the user who was logged on at the time, and other information such as event ID, the event category, and the source of the event. Events may also include further detailed information concerning the event and possibly a link to where more information can be found.

Figure 1 below illustrates an example of an event from the DNS Server event log on a Windows Server 2003 domain controller:

Figure 1: Example of an event.

Finding More Information About an Event
If an event contains a link and you click on it, a dialog box opens warning you that information about the event will be sent to Microsoft to see if they have more information available concerning the event:

Figure 2: Sending event information to Microsoft.

Clicking Yes opens the Help and Support Center and checks to see if there is any more information about the event that may be helpful. Figure 3 shows a typical response:

Figure 3: Additional help concerning the event.

How many times have you been frustrated by the lack of helpful information available this way concerning some obscure event? In the example above, the additional help provided is that “this error could be caused by either a high load on the domain controller or the failure of other domain controller services” and the suggested remedy is to “restart the DNS Server service” and check the event log for anything else that happened at the same time and could be a clue. In other words, its like the old mantra “when all else fails, try rebooting.” Where can you find more help?

Altair Technologies maintains a helpful site called EventID.net where users can search for additional information about obscure Windows events to help you interpret them. This site is community-based, meaning that users post their comments concerning events to create a community database that can then be searched by others. If you search EventID.net for information about the above event (source = DNS, event ID = 4004) the following is displayed:

Figure 4: Searching EventID.net for more information about event ID 4004 for DNS.

The really useful feature is under Details, where you can click the link “Comments and links for event id 4004 from source DNS” to see comments posted by other users:

Figure 5: Comments on event ID 4004 for DNS posted by users of EventID.net

The last comment is particularly useful as it indicates MS is aware of why this event occurs and suggests it can usually be safely ignored. Help and Support never told us that!

Configuring Event Logs
One of the first things you should do after you install a new Windows system is configure the event logs on that system. This is particularly important for servers where event logs can provide critical information to help you troubleshoot when things go wrong. Before we look at how to configure event logs, we need some background information on the different logs available, and Table 1 provides this below:

Table 1: Summary of Windows event logs
By default all event logs are:

Stored in the %Windir%\system32\config folder
Have a maximum size of 16 MB (Windows Server 2003) or 512 KB (Windows 2000/XP)
Overwrite events more than 7 days old

Figure 6: Default configuration of DNS Server event log on a Windows Server 2003 DNS server.

Before you put your new Windows server into production, you should decide if these default settings are appropriate. Suggested best practices for configuring event logs on servers include the following:

Increase the size of each event log to at least 50 MB. Since a typical event is about half a kilobyte in size, this means you’ll be able to store 100,000 events in each log. Note that the maximum supported size of each event log is about 300 MB. If your system drive has insufficient space for your event logs, you can move them to a separate volume by editing the subkey for each log under the HKLM\SYSTEM\CurrentControlSet\Services\Eventlog using Registry Editor, see Microsoft Knowledge Base article 315417 for more information.

Change the overwrite behavior for the Security log to Do Not Overwrite Events if your enterprise is a high security environment. That way if the Security log fills up the system will shut down to ensure that no events in the Security log are lost. If you do this, make sure you also archive and then clear your Security log regularly to prevent such a shutdown from occurring unexpectedly.

Change the overwrite behavior for the other event logs to Overwrite Events As Needed so that no overwriting occurs until the entire log becomes full. Again, be sure to regularly archive and clear your event logs to prevent the log from filling up and losing events because of overwrites.

If you have a number of computers and are running Active Directory on your network, you can also use Group Policy to configure event log settings. These settings are found under Computer Configuration/Windows Settings/Security Settings/Event Log in Group Policy Object Editor:

Figure 7: Group Policy settings for configuring event logs.

Searching and Filtering Events
While scrolling through the Event console lets you easily examine the most recent events that have been logged on your system, this quickly becomes impractical on busy systems where event logs are tens of megabytes in size. If you’re looking for instances of a particular kind of event however, you can use the Find and Filter options to speed things up.

Say you want to find all instances of Event ID 4004 in the DNS Server log as shown previously in Figure 1 above. To use the Find feature to accomplish this, right-click on the DNS Server log and select View --> Find, then fill in the Event ID and log name in the Find box:

Figure 8: Finding instances of Event ID 4004 in the DNS Server log.

Click the Find Next button and the first instances of this event is displayed in Event Viewer:

Figure 9: An instance of Event ID 4004 displayed in Event Viewer.

Then click Find Next to display the next instance of this event, and so on.

The frustrating thing about this approach is that the Find interface is not built directly into the Event Viewer window. So let’s try a different approach and use Filter instead. Right-click the DNS Server log again and select View --> Filter, then fill in the Event ID in the Filter tab of the DNS Server Properties sheet:

Figure 10: Filtering the DNS Server log for Event ID 4004.

Click OK and Event Viewer and the only events displayed in the DNS Server log are those having Event ID 4004:

Figure 11: All instances of Event ID 4004 are displayed.

From this information we could conclude that this was only a transient problem that happened a couple of weeks ago when we rebooted the DNS server.

Viewing Events on Remote Systems
Event Viewer also lets you connect to remote systems to view their event logs. The procedure is simple: right-click on the root (top) node in the console tree of Event Viewer and select Connect To Another Computer:

Figure 12: Connecting to a remote computer to view its event logs.

Then either type the name (NetBIOS or FQDN) of the remote computer or click Browse to find it in Active Directory. Click OK to connect:

Figure 13: Can’t connect to a remote computer to view event logs.

Oops, can’t connect! And the error message is cryptic. What went wrong? Typically this error message either indicates one of the following:

You are not logged on with an account that has local Administrator access to the remote machine (a Domain Admins account should work).
The Remote Registry service is not running or has been disabled on the remote machine.

Correct the situation and you should be able to connect to the remote machine and view its event logs.

Using EventCombMT.exe
In a previous article on WindowsSecurity.com we looked at the Account Lockout and Management Tools (ALTools.exe) download from Microsoft. One of these tools is EventCombMT.exe, which can be used to consolidate event logs from multiple computers into a single location for analysis. To use this tool double-click on EventCombMT.exe in the folder where you installed it, then specify the domain, servers, and kinds of events you want to find. For example, say you want to find all W32Time events on two servers (TEST230 and TEST235) in the testtwo.local domain:

Figure 14: Using EventCombMT to search for W32Time events on two servers.

Click Search and when the operation is finished a folder will open up displaying the results files generated:

Figure 15: Results files generated by our EventCombMT search.

Double-clicking on one of the two server files displays a comma-delimited list of W32Time events for that server:

Figure 16: Comma-delimited list of W32Time events on server TEST230.

You could then import these files into Excel to consolidate them for further analysis. EventCombMT also has a number of built-in queries you can use for common tasks like searching for locked-out accounts:

Figure 17: Searching for locked-out accounts using EventCombMT.

Other Event Monitoring Tools

EventCombMT.exe is useful but it isn’t very friendly to use. If you have a lot of computers whose event logs you want to monitor, you’re better off purchasing a commercial-quality tool for this purpose. We’ll end this article by mentioning two such tools:

Microsoft Operations Manager (MOM)

MOM is a Windows Server System product from Microsoft that lets you monitor events, health, and performance of computers on your network in real-time, consolidate such information in a central repository, and generate graphical web-based reports. MOM 2000 is showing its age however and will soon to be replaced by MOM 2005, which has a new Operator Console, greater security, enhanced rules, and improved reports. MOM 2005 also supports agentless monitoring, internationalization, and 64-bit agent support. For more information see this link on Microsoft’s web site.

GFI LANguard SELM

GFI LANguard Security Event Log Monitor (SELM) is a tool from GFI that lets you manage event logs on remote machines, consolidate event logs from multiple machines into a single repository, and view, report and filter events network-wide with easy and simplicity. You can also create your own custom alerts based on event ID, contents, and event condition so you can monitor specify issues across your network. SELM even lets you analyze event details, something MOM won’t let you do. GFI products are excellent--I speak from personal experience here--so this is one solution you should consider when looking for tools to monitor and troubleshoot event logs across your network.
____________________________________________________________________________________

Auditing Event Logs

2008-06-12T04:19:00.000-07:00

Auditing Event Logs

Increasingly, companies and other organizations are being required by law to maintain vast volumes of log information, in anticipation of an audit many weeks or months after down the road. When auditors come knocking at the door, IT staff need to be in a position to quickly recall certain types of data from a certain date range rapidly, and also be able to present the auditors with a copy of that data in various formats.

Collecting event log entries into databases

If the speed of recalling log entries is of concern to an organization in the face of an audit, a database system should be employed in the storage and organization of event log entries. By default, most event log entries are stored in flat files located throughout an organization's many servers. Attempting to traverse many different flat files in search of certain types of events is cumbersome for an administrator facing an audit. When event log data is routinely collected into a database, that same data can be indexed and optimized for fast retrieval. Moreover, when event log entries are stored this way, cross-computer analysis is made much easier, allowing administrators to produce a top-down view of all of their servers when preparing data for an audit, or even for general trend analysis.

Retaining event log entries in native formats

While placing event log entries into a database server has many benefits, in many cases it is also important to hold on to logs in their original format, as to provide compelling forensic data if necessary in a court of law. Furthermore, database storage of event logs often requires significantly more space than the original files themselves, so it is much more costly and labor-intensive to maintain many years worth of entries in a database. Many organizations have opted to keep event log data in both formats to satisfy both analysis and long-term auditing needs.

Routine reporting on trends and activity

Once a data storage format is chosen (database, flat files, or both), it is important to routinely mine the data for trends and different sorts of activity. Since many network administrators do not have the time to be full-time database administrators, it is important that whatever system is used to generate reports is flexible, reliable, and automated. Preferably, a reporting solution will shield administrators from the finer points of database administration, but will remain flexible enough to provide customized reporting and filtering capabilities, if very specific types of data are sought during an audit.

--------------------------------------------------------------------------------

Monitoring Event Logs

2008-06-12T04:17:00.000-07:00

Monitoring Event Logs

A successful strategy for monitoring event logs must take several factors into consideration, specifically what items to monitor, how often to monitor the logs, total bandwidth available for monitoring, reducing false positives among detected events, and how to notify appropriate parties when an alarm is triggered.

What items must I monitor?

Every organization has different rules on what sorts of events they must monitor. Typically, IT departments often focus on security events almost to the exclusion of everything else. While security is of paramount importance to any network administrator, it is important not to ignore vital information about network health placed in other event logs. For example, the System event log often records information about FTP server activity such as bad logons, and the Application event log is typically the best place to look for virus detections by third-party anti-virus solutions.

Furthermore, the amount of data you monitor affects the total amount of bandwidth used by your monitoring solution, and adds to the overhead of that system. In general, less is better - meaning, the fewer events you must monitor in real time, the lower the hardware and available bandwidth requirements must be to meet your objectives.

How often should I monitor my logs?

Most administrators like to perform either continuous or episodic monitoring.

Continous monitoring involves the continual checking of event logs for critical incoming events in real time. To accomplish this, administrators typically rely on an automated piece of software to poll each event log of interest at a recurring interval and notify them when a log entry of interest is detected.

Episodic monitoring involves the close scrutiny of one or more event logs as dictated by a recent event - e.g. a server crash, a virus outbreak, etc. While episodic monitoring does not require automated software (a clever administrator can manually sift through her logs daily), it is often enhanced by such software. In some cases, administrators will simply focus their software on specific logs when needed.

In all cases, make sure that the system you use for the automated monitoring of event logs offers the administrator the ability to adjust its log polling interval. As bandwidth consumption is a function of data moved over time, reducing the frequency of polling can reduce bandwidth needs.

How can I minimize bandwidth costs?

Every network is different, and so it's very important to take into account your network topology when rolling out an event log monitoring solution. The impact of continuous monitoring on a 100-MBit switched network, for instance, will be much less than the same level of monitoring on an unswitched 10-Mbit network. Fortunately, there are several ways to reduce bandwidth demands placed on your network by a monitoring solution:

Only audit (e.g. log) the events you are most concerned about. For example, turning on object access auditing for all files and all groups will flood the security log with events and add greatly to auditing overhead.

Install monitoring software at different network locations to take advantage of high bandwidth areas. For example, many companies use a switched, gigabit backplane to connect their mission-critical servers. Consider installing monitoring software on one of the servers in the backplane, and let it monitor the other machines in the backplane.

Install monitoring software locally on servers that perform a high volume of auditing. This will minimize bandwidth, as traffic may only travel on the wire when an event is actually detected.

How can I reduce false positives?

The effectiveness of any log monitoring solution is marginalized by false positives, or in other words, the detection of events with little significance to the administrator. Whenever possible, define thresholds for certain types of events to reduce the detection of trival issues. For example, consider adding thresholds to logon failures, so that notification only takes place after a certain number of logon failures occur within a specific time frame (e.g. 10 minutes). Adding a threshold here will prevent benign notifications related to users forgetting their passwords when logging on, but will still catch most brute-force hacking attempts.

What are the best methods of notification?

In the past, pager notifications were one of the best ways to alert IT staff of an impending problem. However, most pagers have a limit on the amount of information they can receive in a single notification. Since most wireless communication devices (e.g. cell phones) can receive e-mail, sending notifications via e-mail will most likely be the preferred method on most modern networks.

In addition, the administrator should consider adding database storage as part of their notification strategy, so that they have a history of events that triggered notifications for additional analysis purposes.

--------------------------------------------------------------------------------

Event ID List

2008-06-11T21:59:00.000-07:00

Event Viewer display no information

Symptom: One of our servers is running Windows 2000 server with SP4. If I open Event Viewer, click Application or System, there is not information on the left panel. It is empty. These are what I did.

If I press F5 in System to refresh, the System Events display. However, that doesn’t work in Application Event.

The AppEvent.evt is located in c:\winnt\system32\config. The size is 1023KB and the date is 7/28/2004 (it 6 months old).

If I go to the properties of the Application event>Filter, all event type are checked. The problem is the both From and To are current date and time, for example 3/9/2005, 3.20.03 PM. They are gray out and can’t be changed. However, If I switch From/To to Event On, I may be able to change the date and time. But that doesn’t any changes. Just not information display.

If I try to Restore Default, The Filter will come back and both From and To are the same date and time.

Resolutions:
1. To fix this problem, you may want to delete the *.evt files. To do this, you should stop the Event Log Service by following these steps:

Right-click on My Computer>Manage>Services and Applications>Services>Event Log Service>General, set the "Startup Type:" to "Disabled" restart the computer, then delete or rename the corrupt *.evt file(s) from %systemroot%\system32\config then set the Event Log Service "Startup Type:" back to "Automatic", restart the service.

2. Install a hotfix based on this article Event logs are corrupted.

Event ID 0 - The following fatal error occurred in the Remote Web Workplace Application

Symptoms:

1. After logon RWW, you may receive a "Page Not Found” or "The page cannot be d played" message when trying to log on either a client or server.

2. You receive Event ID 0: The following fatal error occurred in the Remote Web Workplace Application after install Windows 2003 SBS SP1.

3. You receive this “Installation Status: Failure. Error Message: An error occurred while copying files for the Administration component. See C:\Program Files\Microsoft Integration\Windows Small Business Server 2003\Logs\SBSMSI-GPMC.LOG for the list of files that were not copied. You may want to run Setup again and reinstall the component” when installing Windows SBS 2003 SP1.

Causes:
1. you installed Windows 2003 SP1 instead of Windows SBS 2003 SP1.

2. The installation of Windows SBS 2003 failed or the downloaded SP1 was corrupted.

3. You have had GPMC 1.02 installed before the SP1.

Solution:
1. Uninstall Windows 2003 SP1 and install Windows SBS 2003 SP1.
2. Uninstall Windows SBS 2003 SP1 and re-install it following these steps.
3. Uninstall GPMC and re-install it from a file called gpmc.msi from the SBS CD. Re- install the SBS SP1 after reboot.

Event ID 1
ThinPrint – Incorrect function Error in function number 3, error #: 11e0001
No suitable protocol found

There was an error found when printing the document “Test Page” to TS003

Symptom: 1. When logon Terminal Server, you may receive “No suitable protocol found”.

2. There is Event ID 1 - ThinPrint – Incorrect function (Printer: ThinPrint Output Gateway Port: Thinport:, Document: Test Page, Error in function number 3, error #: 11e0001).

3. There was an error found when printing the document “Test Page” to TS003.

Causes: 1. The TP Client is not installed in the client.

2 The TP client configuration doesn’t match the TP server configuration. For example, the TP Client is configured as a TCP/IP client while the TP server is configured for RDP client.

How to view and manage event logs in Event Viewer in Windows XP

2008-06-11T21:53:00.000-07:00

Event Viewer

In Windows XP, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log. The Event Log Service records application, security, and system events in Event Viewer. With the event logs in Event Viewer, you can obtain information about your hardware, software, and system components, and monitor security events on a local or remote computer. Event logs can help you identify and diagnose the source of current system problems, or help you predict potential system problems.

Event Log Types
A Windows XP-based computer records events in the following three logs: •

Application log
The application log contains events logged by programs. For example, a database program may record a file error in the application log. Events that are written to the application log are determined by the developers of the software program.

• Security log
The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.

• System log
The system log contains events logged by Windows XP system components. For example, if a driver fails to load during startup, an event is recorded in the system log. Windows XP predetermines the events that are logged by system components.

How to View Event Logs

To open Event Viewer, follow these steps: 1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.

2. In the console tree, click Event Viewer.

The Application, Security, and System logs are displayed in the Event Viewer window.

How to View Event Details

To view the details of an event, follow these steps: 1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.

2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.

3. In the details pane, double-click the event that you want to view.

The Event Properties dialog box containing header information and a description of the event is displayed.

To copy the details of the event, click the Copy button, then open a new document in the program in which you want to paste the event (for example, Microsoft Word), and then click Paste on the Edit menu.

To view the description of the previous or next event, click the UP ARROW or DOWN ARROW.

How to Interpret an Event
Each log entry is classified by type, and contains header information, and a description of the event.

Event Header
The event header contains the following information about the event: • Date

The date the event occurred.
• Time

The time the event occurred.
• User

The user name of the user that was logged on when the event occurred.
• Computer

The name of the computer where the event occurred.
• Event ID

An event number that identifies the event type. The Event ID can be used by product support representatives to help understand what occurred in the system.

• Source

The source of the event. This can be the name of a program, a system component, or an individual component of a large program.

• Type

The type of event. This can be one of the following five types: Error, Warning, Information, Success Audit, or Failure Audit.

• Category

A classification of the event by the event source. This is primarily used in the

security log.

Event Types

The description of each event that is logged depends on the type of event. Each event in a log can be classified into one of the following types: • Information

An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.

• Warning

An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low.

• Error

An event that describes a significant problem, such as the failure of a critical task. Error events may involve data loss or loss of functionality. For example, an Error event is logged if a service fails to load during startup.

• Success Audit (Security log)

An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.

• Failure Audit (Security log)

An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

How to Find Events in a Log

The default view of event logs is to list all its entries. If you want to find a specific event, or view a subset of events, you can either search the log, or you can apply a filter to the log data.

How to Search for a Specific Log Event

To search for a specific log event, follow these steps: 1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the
Event Viewer snap-in.

2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.

3. On the View menu, click Find.

4. Specify the options for the event that you want to view in the Find dialog box, and then click Find Next.

The event that matches your search criteria is highlighted in the details pane. Click Find Next to locate the next occurrence of an event as defined by your search criteria.

How to Filter Log Events

To filter log events, follow these steps: 1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.

2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.

3. On the View menu, click Filter.

4. Click the Filter tab (if it is not already selected).

5. Specify the filter options that you want, and then click OK.
Only events that match your filter criteria are displayed in the details pane.

To return the view to display all log entries, click Filter on the View menu, and then click Restore Defaults.

How to Manage Log Contents
By default, the initial maximum of size of a log is set to 512 KB, and when this size is reached, new events overwrite older events as needed. Depending on your requirements, you can change these settings, or clear a log of its contents.

How to Set Log Size and Overwrite Options

To specify log size and overwrite options, follow these steps: 1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.

2. In the console tree, expand Event Viewer, and then right-click the log in which you want to set size and overwrite options.

3. Under Log size, type the size that you want in the Maximum log size box.

4. Under When maximum log size is reached, click the overwrite option that you want.

5. If you want to clear the log contents, click Clear Log.

6. Click OK.

How to Archive a Log

If you want to save your log data, you can archive event logs in any of the following formats: • Log-file format (.evt)

• Text-file format (.txt)

• Comma-delimited text-file format (.csv)

To archive a log, follow these steps:

1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.

2. In the console tree, expand Event Viewer, and then right-click the log in which you want to archive, and then click Save Log File As.

3. Specify a file name and location where you want to save the file. In the Save as type box, click the format that you want, and then click Save.

The log file is saved in the format that you specified.

Windows 2000 Security Event Descriptions

2008-06-11T20:33:00.000-07:00

Event ID: 512 (0x0200)
Type: Success Audit
Description: Windows NT is starting up.

Event ID: 513 (0x0201)
Type: Success Audit

Description: Windows NT is shutting down. All logon sessions will be terminated by this shutdown.

Event ID: 514 (0x0202)
Type: Success Audit

Description: An authentication package has been loaded by the Local Security Authority.

This authentication package will be used to authenticate logon attempts.
Authentication Package Name: %1

Event ID: 515 (0x0203)
Type: Success Audit

Description: A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

Logon Process Name: %1

Event ID: 516 (0x0204)
Type: Success Audit
Description: Internal resources allocated for the queuing of audit messages have been
exhausted, leading to the loss of some audits.
Number of audit messages discarded: %1

Event ID: 517 (0x0205)
Type: Success Audit
Description: The audit log was cleared
Primary User Name: %1 Primary Domain: %2
Primary Logon ID: %3 Client User Name: %4
Client Domain: %5 Client Logon ID: %6

Event ID: 518 (0x0206)
Type: Success Audit
Description: An notification package has been loaded by the Security Account Manager.
This package will be notified of any account or password changes.
Notification Package Name: %1

Event ID: 528 (0x0210)
Type: Success Audit
Description: Successful Logon:
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
Logon Process: %5 Authentication Package: %6
Workstation Name: %7

Event ID: 529 (0x0211)
Type: Failure Audit
Description: Logon Failure
Reason: Unknown user name or bad password
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 530 (0x0212)
Type: Failure Audit
Description: Logon Failure
Reason: Account logon time restriction violation
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 531 (0x0213)
Type: Failure Audit
Description: Logon Failure
Reason: Account currently disabled
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 532 (0x0214)
Type: Failure Audit
Description: Logon Failure
Reason: The specified user account has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 533 (0x0215)
Type: Failure Audit
Description: Logon Failure
Reason: User not allowed to logon at this computer
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 534 (0x0216)
Type: Failure Audit
Description: Logon Failure
Reason:The user has not been granted the requested
logon type at this machine
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 535 (0x0217)
Type: Failure Audit
Description: Logon Failure
Reason: The specified account's password has expired
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 536 (0x0218)
Type: Failure Audit
Description: Logon Failure
Reason: The NetLogon component is not active
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 537 (0x0219)
Type: Failure Audit
Description: Logon Failure
Reason: An unexpected error occurred during logon
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 538 (0x021A)
Type: Success Audit
Description: User Logoff
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4.

Event ID: 539 (0x021B)
Type: Failure Audit
Description: Logon Failure
Reason: Account locked out
User Name: %1 Domain: %2
Logon Type: %3 Logon Process: %4
Authentication Package: %5 Workstation Name: %6

Event ID: 540 (0x021c)
Type: Success Audit
Description: Successful Network Logon
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
Logon Process: %5 Authentication Package: %6
Workstation Name: %7

Event ID: 541 (0x021d)
Type: Success Audit
Description: IKE security association established.
Mode: %1 Peer Identity: %2
Filter: %3 Parameters: %4

Event ID: 542 (0x021e)
Type: Success Audit
Description: IKE security association ended.
Mode: Data Protection (Quick mode)
Filter: %1 Inbound SPI: %2
Outbound SPI: %3

Event ID: 543 (0x021f)
Type: Success Audit
Description: IKE security association ended.
Mode: Key Exchange (Main mode)
Filter: %1

Event ID: 544 (0x0220)
Type: Failure Audit
Description: IKE security association establishment failed because peer could not
authenticate. The certificate trust could not be established.
Peer Identity: %1 Filter: %2

Event ID: 545 (0x0221)
Type: Failure Audit
Description: IKE peer authentication failed.
Peer Identity: %1 Filter: %2

Event ID: 546 (0x0222)
Type: Failure Audit
Description: IKE security association establishment failed because peer
sent invalid proposal.
Mode: %1 Filter: %2
Attribute: %3 Expected value: %4
Received value: %5

Event ID: 547 (0x0223)
Type: Failure Audit
Description: IKE security association negotiation failed.
Mode: %1 Filter: %2
Failure Point: %3 Failure Reason: %4

Event ID: 560 (0x0230)
Type: Success Audit
Description: Object Open
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID:{%5,%6} Process ID: %7
Primary User Name: %8 Primary Domain: %9
Primary Logon ID: %10 Client User Name: %11
Client Domain: %12 Client Logon ID: %13
Accesses %14 Privileges %15

Event ID: 561 (0x0231)
Type: Success Audit
Description: Handle Allocated
Handle ID: %1 Operation ID:{%2,%3}
Process ID: %4

Event ID: 562 (0x0232)
Type: Success Audit
Description: Handle Closed
Object Server: %1 Handle ID: %2
Process ID: %3

Event ID: 563 (0x0233)
Type: Success Audit
Description: Object Open for Delete
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID:{%5,%6} Process ID: %7
Primary User Name: %8 Primary Domain: %9
Primary Logon ID: %10 Client User Name: %11
Client Domain: %12 Client Logon ID: %13
Accesses %14 Privileges %15

Event ID: 564 (0x0234)
Type: Success Audit
Description: Object Deleted
Object Server: %1 Handle ID: %2
Process ID: %3

Event ID: 565 (0x0235)
Type: Success Audit
Description: Object Open
Object Server: %1 Object Type: %2
Object Name: %3 New Handle ID: %4
Operation ID:{%5,%6} Process ID: %7
Primary User Name: %8 Primary Domain: %9
Primary Logon ID: %10 Client User Name: %11
Client Domain: %12 Client Logon ID: %13
Accesses %14 Privileges %15
Properties:%16%17%18%19%20%21%22%23%24%25

Event ID: 566 (0x0236)
Type: Success Audit
Description: Object Operation
Operation Type %1 Object Type: %2
Object Name: %3 Handle ID: %4
Operation ID:{%5,%6} Primary User Name: %7
Primary Domain: %8 Primary Logon ID: %9
Client User Name: %10 Client Domain: %11
Client Logon ID: %12 Requested Accesses %13

Event ID: 576 (0x0240)
Type: Success Audit
Description: Special privileges assigned to new logon:
User Name: %1 Domain: %2
Logon ID: %3 Assigned: %4

Event ID: 577 (0x0241)
Type: Success Audit
Description: Privileged Service Called
Server: %1 Service: %2
Primary User Name: %3 Primary Domain: %4
Primary Logon ID: %5 Client User Name: %6
Client Domain: %7 Client Logon ID: %8
Privileges: %9

Event ID: 578 (0x0242)
Type: Success Audit
Description: Privileged object operation
Object Server: %1 Object Handle: %2
Process ID: %3 Primary User Name: %4
Primary Domain: %5 Primary Logon ID: %6
Client User Name: %7 Client Domain: %8
Client Logon ID: %9 Privileges: %10

Event ID: 592 (0x0250)
Type: Success Audit
Description: A new process has been created
New Process ID: %1 Image File Name: %2
Creator Process ID: %3 User Name: %4
Domain: %5 Logon ID: %6

Event ID: 593 (0x0251)
Type: Success Audit
Description: A process has exited
Process ID: %1 User Name: %2
Domain: %3 Logon ID: %4

Event ID: 594 (0x0252)
Type: Success Audit
Description: A handle to an object has been duplicated
Source Handle ID: %1 Source Process ID: %2
Target Handle ID: %3 Target Process ID: %4

Event ID: 595 (0x0253)
Type: Success Audit
Description: Indirect access to an object has been obtained
Object Type: %1 Object Name: %2
Process ID: %3 Primary User Name: %4
Primary Domain: %5 Primary Logon ID: %6
Client User Name: %7 Client Domain: %8
Client Logon ID: %9 Accesses: %10