Event Manager questions please

  • What was your question?
    Microsoft Corporation
    Tuesday, July 26, 2011 6:58 PM
  • What was your question?
    Microsoft Corporation

    Event Manager under the above I noted these events and would like clarification on the following with #1 being the first to 4 being the last or more recent.

    #1

    Log Name: Microsoft-Windows-Bits-Client/Operational
    Source: Microsoft-Windows-Bits-Client
    Date: 7/25/2011 11:09:22 AM
    Event ID: 3
    Task Category: None
    Level: Information
    Keywords:
    User: SYSTEM
    Computer: R-C-S-RCS-VAIO
    Description:
    The BITS service created a new job: WU Client Download, with owner NT AUTHORITY\SYSTEM

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Bits-Client" Guid="{EF1CC15B-46C1-414E-BB95-E76B077BD51E}" />
    <EventID>3</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-25T18:09:22.530084700Z" />
    <EventRecordID>653</EventRecordID>
    <Correlation />
    <Execution ProcessID="348" ThreadID="6132" />
    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
    <Computer>R-C-S-RCS-VAIO</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="string">WU Client Download</Data>
    <Data Name="string2">NT AUTHORITY\SYSTEM</Data>
    <Data Name="string3">
    </Data>
    </EventData>
    </Event>

    #2

    Log Name: Microsoft-Windows-Bits-Client/Operational
    Source: Microsoft-Windows-Bits-Client
    Date: 7/25/2011 11:09:22 AM
    Event ID: 59
    Task Category: None
    Level: Information
    Keywords:
    User: SYSTEM
    Computer: R-C-S-RCS-VAIO
    Description:
    BITS started the WU Client Download transfer job that is associated with the http://download.windowsupdate.com/msdownload/update/software/defu/2011/07/am_delta_3a88f0d7d3fb099526439f395695f0d71f88761f.exe URL.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Bits-Client" Guid="{EF1CC15B-46C1-414E-BB95-E76B077BD51E}" />
    <EventID>59</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-25T18:09:22.592484800Z" />
    <EventRecordID>654</EventRecordID>
    <Correlation ActivityID="{EF74C916-3B8D-4CA8-9EC3-C3EC1EF2DB07}" />
    <Execution ProcessID="348" ThreadID="1612" />
    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
    <Computer>R-C-S-RCS-VAIO</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="transferId">{EF74C916-3B8D-4CA8-9EC3-C3EC1EF2DB07}</Data>
    <Data Name="name">WU Client Download</Data>
    <Data Name="Id">{0082B716-1290-475B-B462-E58CA3F53AE3}</Data>
    <Data Name="url">http://download.windowsupdate.com/msdownload/update/software/defu/2011/07/am_delta_3a88f0d7d3fb099526439f395695f0d71f88761f.exe</Data>
    <Data Name="peer">
    </Data>
    <Data Name="fileTime">2011-07-25T13:35:39.000000000Z</Data>
    <Data Name="fileLength">788880</Data>
    <Data Name="bytesTotal">788880</Data>
    <Data Name="bytesTransferred">0</Data>
    <Data Name="bytesTransferredFromPeer">0</Data>
    </EventData>
    </Event>

    #3:

    Log Name: Microsoft-Windows-Bits-Client/Operational
    Source: Microsoft-Windows-Bits-Client
    Date: 7/25/2011 11:09:44 AM
    Event ID: 4
    Task Category: None
    Level: Information
    Keywords:
    User: SYSTEM
    Computer: R-C-S-RCS-VAIO
    Description:
    The transfer job is complete.
    User: NT AUTHORITY\SYSTEM
    Transfer job: WU Client Download
    Job ID: {0082b716-1290-475b-b462-e58ca3f53ae3}
    Owner: NT AUTHORITY\SYSTEM
    File count: 1
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Bits-Client" Guid="{EF1CC15B-46C1-414E-BB95-E76B077BD51E}" />
    <EventID>4</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-25T18:09:44.307722900Z" />
    <EventRecordID>656</EventRecordID>
    <Correlation />
    <Execution ProcessID="348" ThreadID="3444" />
    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
    <Computer>R-C-S-RCS-VAIO</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
    <Data Name="jobTitle">WU Client Download</Data>
    <Data Name="jobId">{0082B716-1290-475B-B462-E58CA3F53AE3}</Data>
    <Data Name="jobOwner">NT AUTHORITY\SYSTEM</Data>
    <Data Name="fileCount">1</Data>
    <Data Name="bytesTransferred">788880</Data>
    <Data Name="bytesTransferredFromPeer">0</Data>
    </EventData>
    </Event>

    #4

    Log Name: Microsoft-Windows-Bits-Client/Operational
    Source: Microsoft-Windows-Bits-Client
    Date: 7/25/2011 11:09:22 AM
    Event ID: 3
    Task Category: None
    Level: Information
    Keywords:
    User: SYSTEM
    Computer: R-C-S-RCS-VAIO
    Description:
    The BITS service created a new job: WU Client Download, with owner NT AUTHORITY\SYSTEM
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Bits-Client" Guid="{EF1CC15B-46C1-414E-BB95-E76B077BD51E}" />
    <EventID>3</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2011-07-25T18:09:22.530084700Z" />
    <EventRecordID>653</EventRecordID>
    <Correlation />
    <Execution ProcessID="348" ThreadID="6132" />
    <Channel>Microsoft-Windows-Bits-Client/Operational</Channel>
    <Computer>R-C-S-RCS-VAIO</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    <EventData>
    <Data Name="string">WU Client Download</Data>
    <Data Name="string2">NT AUTHORITY\SYSTEM</Data>
    <Data Name="string3">
    </Data>
    </EventData>
    </Event>

    I have several questions regarding information in these event notifications. When I requested more information on them through the MS Tech Library (following the link on the event), no information was found.

    Is this update coming from the right place?

    I am not connected to any other computer and do not work in a Peer environment, but in the last event, #4, I note that File Count appears to be 1 with 788,880 bytes transferred from Peer??

    I understand NT Authority is a common ID found in the event manager. In #3, what does this type of event/owner and user mean? System is the User and Windows NT is the Job Owner???

    I understand that the User ID S-1-5-18 is a common security ID number, but I recently noted an event performed by User S-1-5-19. It was a questionable event with no information on the MS website. Who or what is S-1-5-19 associated with?

    Last, I would like clarification on the following question (which may sound odd but without going into detail...): would it be possible to impersonate an ID such as S-1-5-18 or NT Authority? It is possible that my system is compromised or accessible physically or through my internet connection by a member of my household who is too smart for his own good. 'Nuff said. :)

    I hope that someone can help me understand what these events represent. Thank you in advance.

    Suzanne


    Suzanne McIlrath
    Tuesday, July 26, 2011 7:41 PM
  • Apparently you are downloading the Windows Update client with the BITS service. Anyway, this is the wrong forum for these questions.
    Rob Korving
    http://jama00.wordpress.com/
    Wednesday, July 27, 2011 8:32 AM
  • "Apparently I am using the wrong format to download Windows Updates"...I did not make any changes to how my computer downloads anything in the background or the foreground. So what do I do?

    And what forum do I use to get this information?  I appreciate your help and would like to be directed to the correct place, please.

    Thanks!


    Suzanne McIlrath
    Wednesday, July 27, 2011 5:00 PM
  • I see no issue called out in these informational messages.  Perhaps you are just looking at the log and curious? 


    Microsoft Corporation
    Wednesday, July 27, 2011 6:55 PM
  • Hi Suzanne,

    I found this should be a normal behavior:

    Event ID 3 — Jobs
    http://technet.microsoft.com/en-us/library/dd408508(WS.10).aspx

    Event ID 59 — Jobs
    http://technet.microsoft.com/en-us/library/dd408518(WS.10).aspx

    Event ID 4 — Jobs
    http://technet.microsoft.com/en-us/library/dd408580(WS.10).aspx

    If you want to find the forum to get more information about the Events, please also provide us with more detailed information, such as how this computer gets updates, the version of Windows installed on this computer, etc. At this time, I would like to share the following with you for your reference. If you still could not find the corresponding forum, please feel free to let us know.

    If you are using Windows 7, you can try Windows 7 IT Pro Forums:

    Windows 7 IT Pro Forums:
    http://social.technet.microsoft.com/Forums/en-US/category/w7itpro

    If the client is configured to get updates via WSUS, you can also visit WSUS Forum:

    WSUS Forum
    http://social.technet.microsoft.com/Forums/en-US/winserverwsus/threads

    Hope this helps.

    Thanks.
    Nicholas Li - MSFT
    Friday, July 29, 2011 6:32 AM
    Moderator
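
An added example, not part of any post in this thread: Python that pairs the BITS start (59) and completion (4) events from the question by job ID and checks the three things asked about, namely the download host, whether any bytes came from a peer, and which account the SID maps to. The `EXPECTED_HOSTS` allowlist and the `triage` function name are assumptions; the sample XML is trimmed from the events posted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Well-known service SIDs, identical on every Windows installation.
SIDS = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
        "S-1-5-20": "NetworkService"}
# Assumption: the hosts you expect update downloads to come from.
EXPECTED_HOSTS = {"download.windowsupdate.com"}

# Events 59 and 4 from the thread, trimmed to the fields used below.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>59</EventID><Security UserID="S-1-5-18" /></System><EventData>
<Data Name="Id">{0082B716-1290-475B-B462-E58CA3F53AE3}</Data>
<Data Name="url">http://download.windowsupdate.com/msdownload/update/software/defu/2011/07/am_delta_3a88f0d7d3fb099526439f395695f0d71f88761f.exe</Data>
<Data Name="bytesTotal">788880</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4</EventID><Security UserID="S-1-5-18" /></System><EventData>
<Data Name="jobId">{0082B716-1290-475B-B462-E58CA3F53AE3}</Data>
<Data Name="bytesTransferred">788880</Data><Data Name="bytesTransferredFromPeer">0</Data></EventData></Event>
</Events>"""

def triage(xml_text):
    """Join BITS events 59 (start) and 4 (complete) on job ID; flag oddities."""
    jobs = {}
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        sid = ev.find("e:System/e:Security", NS).get("UserID")
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        key = (data.get("Id") or data.get("jobId") or "").upper()
        if not key:
            continue  # e.g. event 3, which carries no job ID field
        job = jobs.setdefault(key, {"flags": []})
        job["account"] = SIDS.get(sid, "unrecognised SID " + sid)
        if eid == "59":
            job["host"] = urlparse(data["url"]).hostname
            job["expected_bytes"] = int(data["bytesTotal"])
            if job["host"] not in EXPECTED_HOSTS:
                job["flags"].append("unexpected host")
        elif eid == "4":
            job["bytes"] = int(data["bytesTransferred"])
            job["peer_bytes"] = int(data["bytesTransferredFromPeer"])
            if job["peer_bytes"]:
                job["flags"].append("peer-cached data used")
    for job in jobs.values():
        if job.get("bytes") != job.get("expected_bytes"):
            job["flags"].append("size mismatch or incomplete pair")
    return jobs
```

To use it on a real log, export the BITS operational channel as XML and wrap the `Event` elements in a single `<Events>` root before passing the text to `triage`.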