Win10 1809 broke psloglist? "The stub received bad data" errors towards remote computers

  • Question

  • Getting this error now when trying to run psloglist towards a remote computer:

    C:\temp>psloglist \\testsrv -d 1

    PsLoglist v2.71 - local and remote event log viewer
    Copyright (C) 2000-2009 Mark Russinovich
    Sysinternals - www.sysinternals.com

    System log on \\testsrv:
    Could not open System event log on testsrv:
    The stub received bad data.

    Tested on several win10 1809 clients - all fail towards all remote operating systems (2008/2008R2/2012R2/7/win10 1803), except if the remote client is running win10 1809.

    This is not a network problem, Wireshark confirms connection to the remote computer, but when the client is trying to get the event logs the last request is "OpenEventLogA request" - and the remote computer returns a "nca_s_fault_ndr" error.

    The response should have been an "OpenEventLogA response" (which I do get from a remote win10 1809 client).

    Some changed security setting in 1809 perhaps? I'm not very familiar with the inner workings of DCE/RPC...

    PowerShell Get-EventLog / Get-WinEvent seems to work fine...

    Monday, January 28, 2019 12:45 PM

Answers

  • Hello

    Quick update on this. I was able to reproduce and confirmed that this was an issue with the non-Unicode version of OpenEventLog. For PSLogList I have resolved the issue by calling OpenEventLogW, but I have also passed this on to the Windows Event log team so that the root cause can be resolved.

    The fix will be available in version 2.81 which we will publish in the next couple of days. In the meantime if you require a copy of the fixed version please contact me offline at syssite@microsoft.com and I can make this available to you.

    MarkC (MSFT)

    • Marked as answer by AxelThirud Monday, March 4, 2019 8:50 AM
    Friday, February 1, 2019 8:49 PM

All replies

  • Hi AxelThirud

    thanks for making us aware of this. I will take a look and get back to you

    MarkC (MSFT)

    Monday, January 28, 2019 3:26 PM
  • That's great, I can wait for the published fix.

    Thx!

    Axel

    Monday, February 4, 2019 9:37 AM
  • Hi,

    I am interested in the fix for psloglist, because I am using it in scripts when I supervise servers.

    Any news about the possible release date of the 2.81 version?

    thanks for your help.

    Gilles

    Wednesday, February 13, 2019 9:39 PM
  • Hello

    the 2.81 version has now been published. Please let me know if you experience any further issues.

    MarkC (MSFT)

    Tuesday, March 5, 2019 7:00 PM
  • Wonderful! It works like a charm :)

    Many thanks again for this fixed version

    Regards

    Gilles

    Wednesday, March 6, 2019 1:36 PM
  • Sorry for the delay in responding but I've been out of the office.

    Thanks for validating the fix and for working with us to resolve the issue.

    MarkC (MSFT)

    Monday, April 1, 2019 9:29 AM
  • Dear MarkC,

    I have a similar problem with my application, which uses ElfrRegisterEventSourceA.

    I am upgrading Win10 build 1803 to 1809 LTSC, and I have a program which uses MS_EVEN (RPC) to update the event log of Windows Server 2008. However, the event log update process fails after I change to 1809 LTSC. I also tried the build 1809 Pro version and the same problem occurs.

    I have checked the TCP messages of those cases:

    In 1803:

    After the client sends out an EVEN:ElfrRegisterEventSourceA request, a response is received.

    In 1809:

    After the client sends out an EVEN:ElfrRegisterEventSourceA request, a MSRPC: c/o Fault (Error: 0x00006f7 RPC_X_BAD_STUB_DATA – Data Parse fail) is received.

    After comparing the EVEN:ElfrRegisterEventSourceA requests, I found that the difference is the RPC_STRING content.

    In 1803, the ModuleName(RPC_STRING) byte pattern is :
    Msg Len(2Byte)+Max Len(2Byte)+Pointer(4Byte)+Max Len(2Byte)+"0000"(2Byte)+Message(21Byte)+"00"(1Byte)

    In 1809, the RPC_STRING byte pattern is :
    Msg Len(2Byte)+Max Len(2Byte)+Pointer(4Byte)+Max Len(2Byte)+"00000000000000"(6Byte)+Msg Len(2Byte)+"0000"(2Byte)+Message(21Byte)+"00"(1Byte)

    I tested this problem in the following combinations:

    1. Windows 10 build 1803 connect to Windows Server 2008 -- success
    2. Windows 10 build 1809 LTSC connect to Windows Server 2008 -- fail
    3. Windows 10 build 1809 LTSC connect to Windows 10 build 1809 LTSC -- success
    4. Windows 10 build 1809 LTSC connect to Windows Server 2016 -- fail
    5. Windows 10 build 1809 Pro connect to Windows Server 2008 -- fail

    Is the RPC version changed in 1809? Or is it a bug of 1809? How can I fix this problem in 1809? Thanks!

    Alex.

    Tuesday, July 30, 2019 6:13 AM
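
The two ModuleName byte patterns described in the post above, rebuilt and checked in Python as an added example that is not part of the original thread or of any Microsoft code. It assumes little-endian integers, Msg Len = 21 and Max Len = 22 for a 21-byte name, and a constructed pointer value; `parse_1803` is a hypothetical strict decoder used only to model a receiver that expects the 1803 pattern.

```python
import struct

PTR = 0x00020000  # constructed referent ID; the post does not give the pointer value
SAMPLE = b"ConstructedModuleName"  # constructed 21-byte name, same length as in the post

def build_1803(name: bytes) -> bytes:
    """Msg Len + Max Len + Pointer + Max Len + 0000 + Message + 00."""
    data = name + b"\x00"
    head = struct.pack("<HHI", len(name), len(data), PTR)
    return head + struct.pack("<H", len(data)) + b"\x00" * 2 + data

def build_1809(name: bytes) -> bytes:
    """Same, with six zero bytes, Msg Len and 0000 before the message."""
    data = name + b"\x00"
    head = struct.pack("<HHI", len(name), len(data), PTR)
    extra = b"\x00" * 6 + struct.pack("<H", len(name)) + b"\x00" * 2
    return head + struct.pack("<H", len(data)) + extra + data

def parse_1803(buf: bytes) -> bytes:
    """Strict decoder for the 1803 pattern; a model, not Windows' unmarshaller."""
    length, max_len, _ptr = struct.unpack_from("<HHI", buf, 0)
    (count,) = struct.unpack_from("<I", buf, 8)
    body = buf[12:]
    if count != max_len or len(body) != count or length > count:
        raise ValueError("bad stub data: %d bytes follow a count of %d" % (len(body), count))
    return body[:length]

def classify(buf: bytes) -> str:
    """Label a captured ModuleName field by which of the two patterns it matches."""
    if len(buf) < 12:
        return "unknown"
    length, max_len, _ptr = struct.unpack_from("<HHI", buf, 0)
    tail = len(buf) - 8
    if tail == 4 + max_len:
        return "1803-style"
    if tail == 12 + max_len:
        _count, zero, second_len = struct.unpack_from("<III", buf, 8)
        if zero == 0 and second_len == length:
            return "1809-style"
    return "unknown"

if __name__ == "__main__":
    for build in (build_1803, build_1809):
        buf = build(SAMPLE)
        print(build.__name__, len(buf), classify(buf), buf.hex())
```

Read as 32-bit little-endian values, the extra bytes in the 1809 pattern look like a zero field followed by a second length, which leaves eight more bytes after the count than a decoder for the 1803 pattern expects. That is a reading of the post's description, not a confirmed statement of what changed in 1809.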