Windows 2008 - Security Log Flood with Event ID 521 - Unable to log events to security log with Status code : 0xc0000008

  • Question

  • I'm getting an error message in the Security Event Log. The Security Event Log setting is the default "Archive the log when full, do not overwrite events". This setting caused the hard drive to run out of disk space!!!

    OS Name:                   Microsoft Windows Server 2008 R2 Standard
    OS Version:                6.1.7600 N/A Build 7600


    When I checked the security event log, I found the log was flooded with the following error:

    Log Name:      Security
    Source:        Security
    Date:          27/02/2011 7:04:51 a.m.
    Event ID:      521
    Task Category: System Event
    Level:         Information
    Keywords:      Classic,Audit Success
    User:          SYSTEM
    Computer:      ServerName.Domain
    Description:
    Unable to log events to security log:
      Status code   : 0xc0000008
      Value of CrashOnAuditFail : 0
      Number of failed audits  : 52

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Security" />
        <EventID Qualifiers="0">521</EventID>
        <Level>0</Level>
        <Task>1</Task>
        <Keywords>0xa0000000000000</Keywords>
        <TimeCreated SystemTime="2011-02-26T18:04:51.000000000Z" />
        <EventRecordID>170122906</EventRecordID>
        <Channel>Security</Channel>
        <Computer>ServerName.Domain</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>0xc0000008</Data>
        <Data>0</Data>
        <Data>52</Data>
      </EventData>
    </Event>

    Has anyone experienced this and can provide a permanent solution?

    Saturday, February 26, 2011 7:10 PM

Answers

  • Hi,

    Error code 0xC0000008 (STATUS_INVALID_HANDLE) means an invalid HANDLE was specified. This could be caused by a corrupt security event log. Please try to rename the security event log %SystemRoot%\System32\Winevt\Logs\Security.evtx to an old. Then restart the server to re-create a new security event log. See if the problem gets resolved.

    Best Regards

    Dale


    • Marked as answer by Dale Qiao Friday, March 4, 2011 1:29 AM
    Monday, February 28, 2011 7:30 AM
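
Added example, not part of the thread or any poster's code: a Python script that reads an XML export of the Security log, picks out Event ID 521 records, decodes the three Data fields in the order the event description lists them (status code, CrashOnAuditFail, number of failed audits), and totals the audit records reported lost. The sample export, the `_event` helper and the function names are constructed for illustration, and summing the counts assumes each record reports its own number of failed audits.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS names from ntstatus.h; only the first one appears in the thread.
NTSTATUS = {
    0xC0000008: "STATUS_INVALID_HANDLE", 0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000007F: "STATUS_DISK_FULL", 0xC0000188: "STATUS_LOG_FILE_FULL",
}

def _event(event_id, when, *data):
    """Build one constructed record shaped like the Event Xml in the thread."""
    fields = "".join("<Data>%s</Data>" % d for d in data)
    return ('<Event xmlns="%s"><System><EventID Qualifiers="0">%s</EventID>'
            '<TimeCreated SystemTime="%s" /></System><EventData>%s</EventData>'
            '</Event>' % (NS["e"], event_id, when, fields))

# Constructed sample export: the two 521 records quoted in the thread plus
# one unrelated record that must be ignored.
SAMPLE = "<Events>%s%s%s</Events>" % (
    _event(521, "2011-02-26T18:04:51.000000000Z", "0xc0000008", 0, 52),
    _event(4624, "2011-02-27T01:00:00.000000000Z", "constructed"),
    _event(521, "2011-02-27T15:55:40.000000000Z", "0xc0000008", 0, 50),
)

def parse_521(xml_text):
    """Return one dict per Event ID 521 record found in an XML export."""
    records = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "521":
            continue
        data = [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]
        if len(data) < 3:
            continue  # malformed record: skip rather than guess
        status = int(data[0], 16)  # Data order: status, CrashOnAuditFail, count
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "status": NTSTATUS.get(status, hex(status)),
            "crash_on_audit_fail": int(data[1]),
            "failed_audits": int(data[2]),
        })
    return records

def summarize(records):
    """Size the audit gap. Summing assumes each record reports its own count."""
    lost = {}
    for r in records:
        lost[r["status"]] = lost.get(r["status"], 0) + r["failed_audits"]
    times = sorted(r["time"] for r in records)
    return {"events": len(records), "lost_by_status": lost,
            "window": (times[0], times[-1]) if times else None,
            "crash_on_audit_fail_set": any(r["crash_on_audit_fail"] for r in records)}

print(summarize(parse_521(SAMPLE)))
```
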

All replies

  • These ones were the result of the disk filling up.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Saturday, February 26, 2011 7:59 PM
  • Hi, the server's available free space is 20GB (out of 100GB).

    I still receive the same log:

    Unable to log events to security log:
      Status code   : 0xc0000008
      Value of CrashOnAuditFail : 0
      Number of failed audits  : 52

    Sunday, February 27, 2011 6:33 AM
  • Sorry, when you originally said the disk ran out of space I stopped looking.

    Sounds like the AutoBackupLogFiles entries may be missing.

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/92bc0865-2cc1-443e-84d5-ed26dcb40f73

    The event log stops logging events before reaching the maximum log size
    http://support.microsoft.com/kb/312571

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Sunday, February 27, 2011 3:23 PM
  • Hi Dave,

    I have confirmed the server free space is enough & the AutoBackupLogFiles entries are not missing BUT the security event log is still flooded with this event. Any idea?

    Currently the server disk space is 50GB (out of 100GB) after I cleaned up some Archive-Security-YYYY-MM-DD-HH-MM-SS-mmm files.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security AutoBackupLogFiles is already created (not missing).

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security]
    "DisplayNameFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
      6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
      00,77,00,65,00,76,00,74,00,61,00,70,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
    "DisplayNameID"=dword:00000101
    "Isolation"=dword:00000002
    "PrimaryModule"="Security"
    "File"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
      00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,\
      69,00,6e,00,65,00,76,00,74,00,5c,00,4c,00,6f,00,67,00,73,00,5c,00,53,00,65,\
      00,63,00,75,00,72,00,69,00,74,00,79,00,2e,00,65,00,76,00,74,00,78,00,00,00
    "MaxSize"=dword:0fa00000
    "Retention"=dword:ffffffff
    "Security"=hex:01,00,14,80,8c,00,00,00,98,00,00,00,14,00,00,00,44,00,00,00,02,\
      00,30,00,02,00,00,00,02,40,14,00,72,01,0d,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,48,\
      00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,\
      00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,\
      00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,\
      00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    "RestrictGuestAccess"=dword:00000001
    "warninglevel"=dword:0000005a
    "AutoBackupLogFiles"=dword:00000001
    "CustomSD"="O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)"

    Sunday, February 27, 2011 3:35 PM
  • Tried to clear the security log, still receive the same event....

    Log Name:      Security
    Source:        Security
    Date:          28/02/2011 4:55:40 a.m.
    Event ID:      521
    Task Category: System Event
    Level:         Information
    Keywords:      Classic,Audit Success
    User:          SYSTEM
    Computer:      computername.domain
    Description:
    Unable to log events to security log:
      Status code:  0xc0000008
      Value of CrashOnAuditFail: 0
      Number of failed audits: 50

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Security" />
        <EventID Qualifiers="0">521</EventID>
        <Level>0</Level>
        <Task>1</Task>
        <Keywords>0xa0000000000000</Keywords>
        <TimeCreated SystemTime="2011-02-27T15:55:40.000000000Z" />
        <EventRecordID>170128652</EventRecordID>
        <Channel>Security</Channel>
        <Computer>computername.domain</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data>0xc0000008</Data>
        <Data>0</Data>
        <Data>50</Data>
      </EventData>
    </Event>

    Sunday, February 27, 2011 3:56 PM
  • I'll assume you have restarted since adding the AutoBackupLogFiles entries.

    You may have to call Microsoft product support or wait for a support engineer to answer.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Sunday, February 27, 2011 4:16 PM
  • Hi Dave, the AutoBackupLogFiles entries are not missing, so I have not rebooted the servers...

    Sunday, February 27, 2011 4:37 PM
  • Yes, I know.

    You may have to call Microsoft product support or wait for a support engineer to answer.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Sunday, February 27, 2011 4:43 PM
  • We had the same issue, and resolved it by rebooting the server.

    See also: http://www.myeventlog.com/search/show/781

    • Proposed as answer by WizardOz Monday, March 19, 2012 2:56 PM
    Monday, March 19, 2012 2:56 PM
  • Hi Dale,

    I have the same issue on one of the production servers. I can't rename the Security.evtx, because it's used by the Event Viewer. I need a solution without a reboot of the machine. Please help me.

    Friday, November 29, 2013 10:27 AM
  • No idea what the deal was but a reboot solved it for us as well.
    Thursday, January 30, 2014 9:45 PM
  • Hi, a reboot resolved this issue & after the reboot it started showing new events. I am not sure if a restart of the "Windows Event Log" service can resolve this issue instead of a server reboot. Dhiraj
    Thursday, March 20, 2014 11:28 AM
  • I am unable to rename security.evtx; it is showing as in use. I tried to stop the Windows Event Log service, but it also throws an error 5, access denied.

    The Windows Event Log dependency service Task Scheduler is showing as grayed out and not giving an option to stop.

    Need help :-(

    Wednesday, April 23, 2014 6:02 AM
  • I tried to rename the security log file, but it shows the access denied error. So I attempted to stop the Windows Event Log service, but it throws an error "access denied". I wonder about it because I logged in as domain superuser :-(

    My server is in production so waiting for downtime so that I can try my luck by restarting it.

    Tuesday, May 13, 2014 6:26 AM
  • This thread is marked answered and more than three years old so I'd start a new thread.

    (FYI you have to set event log service to disabled, boot box, delete file, then set back to automatic, boot box again)

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]



    Tuesday, May 13, 2014 2:38 PM