Cannot start event log service on Vista Ultimate
When I try to start the event log service I get the following error:
"Error 4201: The instance name passed was not recognized as valid by a WMI data provider"
Any ideas?
Thank you,
Mark
Answers
- I found this in another forum.
I struggled with this same issue for more than a few weeks. I finally managed to get my Event Services started again. I changed the owner on the %windir%\System32\Logfiles folder [and all children] to the Administrators group. Like magic, everything returned to normal. My gut feeling is that when you perform an upgrade on top of XP, some of the permissions don't quite get set correctly. Why the event services don't stop working until day 2 or 3, I don't know, or even have a guess. Do you remember doing a massive "Take Ownership" change from the root at all (after you upgraded to Vista)?
Strange thing is that I did a clean install and have the same problem. So it can't be the rights from XP in my case.
All Replies
- Sorry... No help... Just... Ditto! :(
- Bump. Would also like to know the answer.
Make me number four (sigh). I wish MS would release software that didn't require at least one Service Pack to make it usable.
Chris
- I have the same problem. And I can't find a solution for this anywhere......
Error 4201 has something to do with WMI but I can't find the exact problem. Add me to the list... Task Scheduler does not work either because it depends on the log service.
I even tried to look for the "manage as administrator" option when I fired up the management MMC... thought you might need special permissions for it to work. jk
- Yep, I have the same problem. Is there no answer to this one yet? It seems a lot of people have experienced this error.
- Same thing here, just dying to get an answer...
I found this problem after installing the latest round of updates. It wiped all my Program>MS Office> links. I went to under Office Diagnostics and it told me that it needed Windows Event View, which was not started. Went to start Event Viewer and same problem. Wondering if all these things are related somehow?
DCS
- same problem here but on windows business
- I have the same problem with Business. If I get the time at the weekend I may re-image and install updates manually one by one to see which update is causing the problem, if indeed it is the cause. Not only that, I was receiving an error stating that the scheduling service was not running, and it was. A restart of the service would not remove this error. All is not well in Vista town it seems. :-(
- I broke down and reinstalled it. The service is now running fine, and all critical and recommended updates have been applied. Apparently, this problem is just caused by a bad install. What made it bad, I have no idea. I did absolutely nothing differently.
Same problem here: No event log
4201 The instance name passed was not recognized as valid by a WMI data provider.
However I have already reinstalled Vista about a hundred times due to various bugs and I will not do it again.
- I am also having this problem. I did an upgrade instead of a re-install and everything worked again. After I re-installed Outlook 2002 I downloaded Service Pack 3 for Outlook 2002 and rebooted and when the system came back up the Event Viewer wasn't working anymore. So I guess one of the culprits is Service Pack 3 for Outlook 2002 (Also known as OfficeXP Service Pack 3)
orion007 wrote: I did an upgrade instead of a re-install and everything worked again. This is somewhat off topic but I'm curious what all do you have to reinstall if you do an upgrade? I assume it's just the drivers but I have tweaked Vista's settings a lot and I want to be sure I won't lose any.
- Add me to this list as well. Silly thing is it was running cos I viewed a 'crash' event yesterday and has been running OK since clean install two weeks ago. Suddenly this morning it won't run. Done nothing myself so I'm totally bemused.
Mine was a full install of 'Ultimate' so there was no link to an Upgrade. But I do dual boot with XP on another hard drive - maybe that's where the problem lies.
Big thanks to Pascal - Did as you suggested and it's all running again now. Don't understand why the permissions got messed up in the first place but all's well now.
- Ya... It can't be any Outlook 2002 patch, since I don't have anything-2002 installed... It can't be a bad install because mine and others were working for some time before it broke. But I'll have a go at this permissions thing - Thanks for the suggestion Pascal.
- I did a clean install, but it's possible I've changed permissions due to wanting to be able to access certain directories from one of my XP booted partitions... I'm surprised MS hasn't said anything about this yet.
- Hey! It's WORKING again! THANKS to Pascal for passing on that bit of advice! :)
I dual boot - and had done a take owner from XP previously to try to get access to some directories I couldn't get at from XP...
So from Vista, I set the owner of the System32 (and all sub-dirs) to the group Administrators - and I couldn't right away start up the Event log service... But I just re-booted and it was back up and running again.
Anyone else who might have this as the cause could probably start from the Logfiles dir, as suggested - I only started at System32 because it was owned by an account unknown to Vista at that level (undoubtedly my XP account - it just showed the owner as an SID)
Many thanks to Pascal! -- And to whoever posted the original message wherever he got that quote from! :)
Cheers!
- It is not working for me here.
Also in a dual-boot configuration, but changing the owner for %windir%\system32\logfiles to the Administrators group does not help.
I even went as far as changing the entire System32 and Windows directory ownership to the Administrators group. The Windows Event Log service still will not start with the same 4201 error code.
I will probably end up reinstalling.
On that topic, perhaps
I recently resolved this issue on 2 systems.
The list of users that have access to the logfiles folder:
- System
- Administrators
- Yourusername
1. Making sure all of the above have full access may lead to a working event viewer.
2. Adding a user "Everyone" with full access, if the above fails, should yield a result.
I assume everyone is aware of any security risk this may imply and recommend phasing out the access until you have it down to only system requirements (removing Everyone if possible).
Please advise; I'm tracking this.
Me neither...
Did you have any additional info?
Thanks
We were also unable to "take ownership" of the folder.
We were able to allow "full control" to the above stated 4 usernames.
Have you tried allowing access vs taking ownership ?
I discovered right now that the RtBackup folder did not inherit the above mentioned security permissions and I am not able to apply them.
I tried also to start with winpe in order to delete the folder, but it said "Access Denied"...
Try the following to reset your WMI:
This is a little different, and should only be tried if nothing else works.
- Start the computer in Safe Mode without networking.
- Open a command prompt as administrator
- Type "net stop winmgmt" without quotes and press enter to make certain the wmi service is not running.
- Go to the windows\system32\WBEM\ and rename the Repository folder.
- Restart the system to normal mode.
- Open a command prompt as administrator.
- Type "net stop winmgmt" without quotes and press enter to stop the wmi service.
- Type winmgmt /resetRepository and restart the system.
- Test the event viewer.
I concur with the Vista CSP. In addition to resetting the WMI repository...
Please list out the users which have access to the folder.
It may be that users are missing from the list and that they would need to be added.
Great!!!! It worked !!!!
Thanks a lot,
Luca
Luca,
What worked, can you tell us ?
The following steps worked:
-------------
Try the following to reset your WMI:
This is a little different, and should only be tried if nothing else works.
Start the computer in Safe Mode without networking.
Open a command prompt as administrator
Type "net stop winmgmt" without quotes and press enter to make certain the wmi service is not running.
Go to the windows\system32\WBEM\ and rename the Repository folder.
Restart the system to normal mode.
Open a command prompt as administrator.
Type "net stop winmgmt" without quotes and press enter to stop the wmi service.
Type winmgmt /resetRepository and restart the system.
Test the event viewer.
----------------------
Luca
- Can you please list out the users that have access to the folder.
- Concerning "repository" folder, SYSTEM and ADMINISTRATORS have full control
Thank you,
You should be able to expect to not run into permission issues again after this.
Should the issue reoccur, look at the users with access first.
Glad, all is working.
Hi,
I tried the new solution and that didn't work for me either. I followed the instructions exactly, it took a while and several goes to get the winmgmt service to stop when relogging in after the safe mode changes had been made, but it did stop. I reset the repository and restarted but there was no change. Any further ideas?
Chris
Chris,
I assume that by new solution you refer to the reset of the repository combined with checking the access rights to the folder ?
What are the access rights of the folder presently?
Past that, you could repeat the steps with UAC turned off.
After that, running wmidiag.vbs and reading the logs for errors should point us into the next direction.
http://www.microsoft.com/downloads/details.aspx?familyid=D7BA3CD6-18D1-4D05-B11E-4C64192AE97D
Admin
Hi,
I have also tried all the solutions described but without any luck (I even repeated the steps with UAC turned off).
If anyone has any more solutions, then I would be very pleased (don't want to reinstall Vista again :-( ).
Ken
I too am having this problem.
I actually had it back in January when I first put Vista Ultimate on from an XP Pro upgrade. It reared its ugly head again this week.
The fax service won't start either, and I am sure there are a few others.
I was on the phone and email for 2 weeks with Microsoft Tech Support, and we never found a resolution, so I decided to just wipe and start over (which was my extreme last resort!).
Now that it's back, can any of you guys verify the Dream Scene Content Pack was installed?
This program is making me suspicious, as I uninstalled the Dream Scene stuff when this came up again, but this program is on my list of installed updates but not listed in Add/Remove.
I know this program was installed by Vista Update about the same time I started having the trouble... prior to this those services ran properly. This was the scenario the first time also.
I tried system restore back to a period prior, however the problem still exists, which makes me believe there is probably a registry entry left awry that is causing the problem.
Any other ideas?
- Hello. I'm having the same problem. I've tried the suggestions above, but with no luck. I ran the WMI diagnostic program and got a huge log file with lots of warnings, but I don't know what to do with it now. Any suggestions? Thanks.
Regards,
Jim Crutchfield
Long Island City, NY
- Not really. I gave up in the end and went back to XP SP2. I think I'll hang on now until SP1 has been released, as from what I saw at the time and reading about this issue (and it seems to be affecting a lot of people for some reason), it just didn't seem ready for release.
This issue has an unknown cause at present, but is likely due to ACL corruption and can happen immediately after a clean install. The only posted resolutions at this time are rebuilding the PC, or resetting the ACLs per the following steps:
** Back up the entire registry **
Download and install SubinACL from <http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en>
As an administrator, run the following commands from a command prompt (switch to the install directory for SubinACL first. Default is "C:\Program Files\Windows Resource Kits\Tools\" for 32-bit, and "C:\Program Files (x86)\Windows Resource Kits\Tools\" for 64-bit):
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
The first two commands can take considerable time to complete, however each command can be run in a separate window to save time.
After completing all four of the above commands you have to reapply the default security template by running the following command:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
Reboot and verify resolution.
None of the above solutions have worked for me. I'm running Vista Home Premium factory installed by HP so no upgrade issues here. Since Dreamscape is a Vista Ultimate add-on it's not at fault. For me this issue is preventing Diskeeper from running as well as the system event log viewer.
This is something Microsoft should be addressing by means of a patch ASAP.
- It would still appear that 'joe public' are still 'BETA' testing Vista! Disgraceful, ain't it!
Ok. My OEM Vista Home Basic recent reinstall has the same issue. Attempted the above. Still no go.
Received one error during the following line:
'subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f '
Error:
"Last Failed: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009 - RegSetKeySecurity Error : 6 The handle is invalid."
One of the last things I did before noticing that the eventlog service failed to start was performing a 'take ownership' operation on all files of C: and setting the owner to my profile username which is set as a member of 'Administrators'.
I've examined registry/ process and file access while attempting to start the event log-service with process Monitor (from www.sysinternals.com) (http://www.microsoft.com/technet/sysinternals/processesandthreads/processmonitor.mspx)
Access was denied on c:\windows\system32\winevt\logs and on c:\windows\serviceprofiles\localservice\appdata\local\
Tried to set permissions from a working Vista PC, but could not find a user called 'EventLog' (which has full control on the winevt\logs directory on the working pc).
So I added 'everyone' with full control rights to the \winevt\logs dir and the service was starting fine.
Now I have to find out how to add the user 'EventLog' in place of 'everyone'.
Hope this info helps to get the solution for you!
- Proposed As Answer by Nukeofwf, Wednesday, September 23, 2009 2:36 AM
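An added example, not code from any post in this thread: a PowerShell script that audits the three folders PCScoot named (winevt\Logs, LogFiles\WMI\RtBackup and the LocalService AppData\Local folder) for Allow entries for SYSTEM, Administrators and the per-service EventLog account, flags any Everyone entry, and with -Repair grants the service SID Full Control instead of Everyone. It assumes sc.exe showsid is available (Vista and later) and that it is run from an elevated prompt; the folder list and the -Repair switch are this example's own choices.

```powershell
# Added example (not from this thread). Audits the folders that the Event Log
# service needs and, with -Repair, grants the per-service SID rather than Everyone.
# Run from an elevated PowerShell prompt on Vista or later.
param([switch]$Repair)

# Folders named in the thread as the ones the service was denied access to.
$folders = @(
    "$env:windir\System32\winevt\Logs",
    "$env:windir\System32\LogFiles\WMI\RtBackup",
    "$env:windir\ServiceProfiles\LocalService\AppData\Local"
)

# sc.exe derives the per-service SID from the service name, so this works even on
# a machine whose ACLs are already damaged and where the account never shows in the GUI.
$showSid = (sc.exe showsid EventLog) -join "`n"
if (-not ($showSid -match 'S-1-5-80-[0-9-]+')) { throw 'Could not resolve the EventLog service SID.' }
$eventLogSid = New-Object System.Security.Principal.SecurityIdentifier $matches[0]
$systemSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$adminsSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Get-RuleSid($rule) {
    # An ACE may display as an account name or, when untranslatable, as a raw SID;
    # normalise both forms to a SecurityIdentifier for comparison.
    try { $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
    catch { $null }
}

$expected = @(
    @('SYSTEM',              $systemSid),
    @('Administrators',      $adminsSid),
    @('NT SERVICE\EventLog', $eventLogSid)
)

foreach ($folder in $folders) {
    if (-not (Test-Path -Path $folder)) { Write-Warning "Missing: $folder"; continue }
    $acl  = Get-Acl -Path $folder
    $sids = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { Get-RuleSid $_ } |
        Where-Object { $_ } |
        ForEach-Object { $_.Value })

    "`n$folder  (owner: $($acl.Owner))"
    foreach ($pair in $expected) {
        $state = if ($sids -contains $pair[1].Value) { 'present' } else { 'MISSING' }
        "  {0,-22} {1}" -f $pair[0], $state
    }
    if ($sids -contains $everyoneSid.Value) {
        Write-Warning "Everyone has an Allow ACE on $folder (the thread's workaround); prefer the service SID."
    }

    if ($Repair -and -not ($sids -contains $eventLogSid.Value)) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $eventLogSid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        # Fails with Access Denied when ownership is also broken; fix the owner first.
        Set-Acl -Path $folder -AclObject $acl
        "  granted Full Control to NT SERVICE\EventLog"
    }
}

# Service state and its declared dependencies, so a start failure can be traced.
Get-Service -Name EventLog |
    Select-Object Name, Status, @{ n = 'DependsOn'; e = { ($_.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', ' } }
```

If Set-Acl fails with Access Denied, the owner is wrong as well, which is what several posts above ran into; fix ownership first (the take-ownership step already discussed) and run the script again. The script never adds Everyone: granting the per-service SID gives the service exactly the entry a working machine has, without opening the log folders to every account on the box.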
- Same thing with my Vista Business "Error 4201: The instance name passed was not recognized as valid by a WMI data provider" Apparently Microsoft doesn't make it work before selling their software.
I see there is still no answer to be found.
Dave
- Had the same problems as the rest of you and eventually figured out it was to do with the file permissions in this directory:
C:\Windows\System32\LogFiles\WMI\RtBackup\
Because I could not do anything to the 2 files, I had to use the movefile application from Sysinternals to set up a delete action pending reboot:
http://technet.microsoft.com/en-gb/sysinternals/bb545027.aspx
After the reboot all was working again and 2 new files had joined the existing 2.
- Hello,
I have this same problem with the event log not working. I found the folder and I see where you ran into problems with changing permissions on the two files.
EtwRTEventlog-Security.etl
EtwRTEventLog-System.etl
But, where I get a little confused is with the Sysinternals Suite download. I did not see the movefile application in the list of applications that comes with that download.
I downloaded the Sysinternals Suite; now could you give me step by step instructions on what to do next?
Like how to "movefile application from sysinternals to set-up a delete action pending reboot".
Also what permissions should I give the folder and files? Who should be set as the owner of the RtBackup folder?
Do I need to set permissions to the "event log viewers" as well?
I would be forever in your debt if you could help me a little more with these steps. So far you're the first person who I've found to actually fix the problem, so I'm waiting patiently for your response.
Thank you muchly!
Merry Christmas!!
Ibdreamy
- Hello Ibdreamy,
You need http://technet.microsoft.com/nl-nl/sysinternals/bb897556(en-us).aspx
In my case (as told earlier), access was denied on c:\windows\system32\winevt\logs and on c:\windows\serviceprofiles\localservice\appdata\local\
I tried to set permissions from a working Vista PC, but could not find a user called 'EventLog' (which has full control on the winevt\logs directory on the working pc).
So I added 'everyone' with full control rights to the \winevt\logs dir and the service was starting fine.
So far... solved the problem.
The only thing I had to find out was how to add the user 'EventLog' in place of 'everyone', but after some time I found out the ACLs on the whole Windows directory and all subdirectories were replaced with administrators/full control by a person... So we have decided to reinstall the PC completely.
Have a good 2008!
Hi,
I've tried this fix and it works fine. What you need to do is as follows:-
Download the file MoveFile from http://technet.microsoft.com/en-gb/sysinternals/bb545027.aspx (it's a download on its own further down the page - not the full package which I think you might have downloaded).
Once downloaded, extract the zip file and follow the instructions that are on the website. To delete the files in question you need to run (from a command line - navigate to the folder containing the executable movefile.exe) the following commands with the names of the 2 files (I can only remember the name of one of the files):-
movefile EtwRTDiagLog.etl ""
movefile OtherFileName ""
Bob's your uncle and Fanny's your aunt.
- The service WinRM not only enables Windows Event Collector, but also provides access to sufficient and accurate WMI data that is needed for the resolution of the Windows Event Log service not being able to start. Windows Event Collector will start and run, maybe not that effectively, even though it is dependent on Windows Event Log, because it is a network service. Windows Event Log is not dependent on anything, but it is started/run on the local computer, whereas WinRM and Windows Event Collector work on the network. So, what worked for me, briefly, is that the event log came back on, but when you log out of Windows and your connection to the local computer, you also once again lose Windows Event Log. But I enabled both HTTP and WinRM services, which allowed me to start Task Scheduler, then Windows Event Collector, then Windows Event Log. This worked, even though briefly, until logging out of Windows. Not a complete answer, but we're getting closer.
- Please excuse the repetition, was not meant to send three times.
- This worked for me finally as I did have to set everyone as access to these directories. Thank you very much PCScoot.
- Hi there
I also had lost the permissions on the folder c:\windows\system32\winevt\logs for a user called eventlog.
I got problems as the eventlog service could not recreate new Eventlog files in this folder on a Windows 7 / Win7 PC.
In an enterprise, I would not recommend giving Everyone Full Access to those folders, for security reasons.
Solution:
Dump ACL with jcacls from a working pc and restore it on failed one and you will have the eventlog user back again :-)
The eventlog user SID is also a bit strange and it will never show up in any management console, but it's working.
How to avoid it:
If you work with MDT or create your Master Image manually - do not install DELL OMCI Software (In my case).
btw - unfortunately we have to run several thousand DELL PCs here and I have never yet received any piece of DELL software which was running without any problems.
So this was the first piece of software I was looking at as soon as I had this issue...
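Another added example, not from any post in this thread: the ACL dump-and-restore that the post above describes, done with Get-Acl/Set-Acl so the difference between the working and failing machine is visible before anything is written. Run with -Export on a working PC, copy the CSV across, then run elevated with -Import on the failing one; -Apply writes the reference DACL. The SDDL text carries the S-1-5-80-... per-service SID for NT SERVICE\EventLog, which is the same on every machine, so it transfers even though the account never appears in a picker. The folder list, the CSV layout and the switch names are this example's assumptions; it writes only the DACL, never the owner.

```powershell
# Added example (not from this thread). Copies the DACL of the event log folders
# from a working PC to a failing one via SDDL, which carries the per-service SID
# S-1-5-80-... for NT SERVICE\EventLog that the GUI never shows.
#   Working PC:   .\Copy-EventLogAcl.ps1 -Export reference-acls.csv
#   Failing PC:   .\Copy-EventLogAcl.ps1 -Import reference-acls.csv          (report only)
#                 .\Copy-EventLogAcl.ps1 -Import reference-acls.csv -Apply   (write DACLs)
# Only the DACL is written; the owner is reported and left alone.
param(
    [string]$Export,
    [string]$Import,
    [switch]$Apply
)

# Folders the thread identified; extend the list if other paths are denied in Process Monitor.
$targets = @(
    "$env:windir\System32\winevt\Logs",
    "$env:windir\System32\LogFiles\WMI\RtBackup"
)
$daclOnly = [System.Security.AccessControl.AccessControlSections]::Access

function Get-AclRecord([string]$path) {
    $acl = Get-Acl -Path $path
    New-Object PSObject -Property @{
        Path  = $path
        Owner = $acl.Owner
        Sddl  = $acl.GetSecurityDescriptorSddlForm($daclOnly)   # the "D:" section only
    }
}

function Show-Aces([string]$sddl) {
    # Render a DACL as type/principal/rights lines so both sides can be compared by eye.
    $ds = New-Object System.Security.AccessControl.DirectorySecurity
    $ds.SetSecurityDescriptorSddlForm($sddl)
    $ds.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object { "    {0,-5} {1,-58} {2}" -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights }
}

if ($Export) {
    $targets | ForEach-Object { Get-AclRecord $_ } | Export-Csv -Path $Export -NoTypeInformation
    "Exported $($targets.Count) DACLs to $Export"
}
elseif ($Import) {
    foreach ($rec in Import-Csv -Path $Import) {
        if (-not (Test-Path -Path $rec.Path)) { Write-Warning "Missing on this machine: $($rec.Path)"; continue }
        $current = Get-Acl -Path $rec.Path
        if ($current.GetSecurityDescriptorSddlForm($daclOnly) -eq $rec.Sddl) {
            "$($rec.Path): matches reference"
            continue
        }
        "$($rec.Path): DIFFERS  (reference owner: $($rec.Owner); current owner: $($current.Owner))"
        "  reference DACL:"; Show-Aces $rec.Sddl
        "  current DACL:";   Show-Aces $current.GetSecurityDescriptorSddlForm($daclOnly)
        if ($Apply) {
            # Replace only the DACL; Access Denied here means the owner must be fixed first.
            $current.SetSecurityDescriptorSddlForm($rec.Sddl, $daclOnly)
            Set-Acl -Path $rec.Path -AclObject $current
            "  applied reference DACL"
        }
    }
}
else {
    'Use -Export <file> on a working PC, then -Import <file> [-Apply] on the failing PC.'
}
```

The report-only run is the useful part for diagnosis: a missing S-1-5-80-... entry under winevt\Logs or RtBackup on the failing PC, next to a present one in the reference, is the condition the posts above worked around by adding Everyone. Applying the reference DACL restores the service's own entry instead. The two RtBackup .etl files that could not be touched are a separate ownership problem and still need the movefile step from earlier in the thread.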
