locked
Windows 10 Pro - Problems with Event Viewer and System Restore (0x81000203) RRS feed

  • Question

  • Hi guys,

    I have a spare PC I'm attempting to use a basic file server. I've only just loaded up Windows 10 Pro (latest build, 1511) and only done a few things with it past loading the drivers. I've noticed the following problems/symptoms:

    • System Restore encountered an error. Please try to run System Restore again. (0x81000203) when accessing the System Protection tab in System Properties.
    • In Event Viewer all logs are listed at zero size. Attempting to access any one gives the message Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long. The operation completed successfully (50)
    • File History won't run. Clicking the icon does nothing.

    I have checked that the Volume Shadow Copy and Windows Event Log services are running. I have also attempted the usual "Clean Reboot" and "sfc /scannow" tactics. Manually examining the log files suggest they stopped "recording" yesterday. The last events seem to relate to Microsoft Patches - not unusual on a fresh system.

    There are only two oddities I can mention about the system:

    1. There is an "archive" drive attached, formatted as ReFS, pulled from a previous server. Obviously the logs wererecording events after it was installed but drives for Windows 10 don't typically use this format.
    2. I installed Hyper-V to spin up an old VM to field a client support query. I only mention this as I couldn't get Hyper-V to install on a slightly older build of Windows 10 that updated to 1511 so I gave up, reformatted and installed 1511. Hyper-V then installed correctly.
    3. The User profile directory has been moved to a non-flash drive using Sysprep in Audit mode.

    As everything apart from the aforementioned services seems to be running fine (hard to tell without the Event Log!) Is there any way to fix this short of yet another fresh install?

    All I can think of is something that System Restore, Event Log and File History all rely on. That points to Volume Shadow Copy but how do I assess if it is running correctly without the Event Logs?

    Hmm... thinking along these lines VSSAdmin List Writers comes back with "Error: Internal Error" however, all the information related to this usually starts with "check you event logs..."

    Finally, one last bit of strangeness: a few Windows 10 Apps won't run, Calculator, Store and a few others. Definitely looks like a reload job :(

    Thank you for your time,

    Andy

    Tuesday, June 7, 2016 10:36 AM

Answers

  • Okay, so I've found the problem:

    ReFS

    While non-server versions of Windows can utilise ReFS there is no option to format a drive. The following registry "hack" is easy to find through search engines:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT]
    "AllowRefsFormatOverNonmirrorVolume"=dword:00000001

    ...and yes, this does allow ReFS formatting under Windows 10.

    Unfortunately by creating "MiniNT" some parts of Windows start behaving like WinPE and err... break quite badly :( The "AllowRefsFormat" key itself isn't damaging. But you can't have one without the other.

    Probably best to format a drive as ReFS under Windows Server. I suppose you could create the key and then delete it again before the next reboot.

    You have been warned :)

    • Marked as answer by POSitality Friday, June 24, 2016 12:31 AM
    Friday, June 24, 2016 12:31 AM

All replies

  • Update: reloaded the server again...

    Installed the usual bits and everything was fine until the last reboot which had the ominous notification: "Updates were installed" which now seems to be the Prophet of Doom!

    Back to square one :(

    Opening the event log files manually I can see plenty of events related to the system shutting down in Application and System but in Setup the last entry is:

    A reboot is necessary before package KB3156421 can be changed to the Installed state.

    Huh... and if I uninstall this one? Nope, still the same.

    Okay, tonight I will reload yet again as at least I can reproduce the problem. What I shall do though is load just the operating system and wait for the aforementioned update to be installed before doing anything else.

    For reference, to reproduce the fault, I am loading:

    • Windows 10 Pro Build 1511
    • Automatically installed drivers and patches
    • Hyper-V (full install) and .NET version 3.5 (both from add/remove Windows features)
    • Intel's Driver Update Utility (drivers were downloaded but not installed)
    • Intel's Tuning Utility (installed but never run)
    • Serviio (licence installed, media scanning started)
    • Bubble UPnP Server
    • Latest 32-bit and 64-bit Java (end-user version)
    • Google Chrome
    • Classic Shell
    • Enable ReFS formatting registry entries for Windows 10
    • APC's PowerChute Personal Edition
    • SoftEther Server

    As they say in Sesame Street: "one of these things is not like the other!" At a guess, one of the above is not playing well with a patch as, after a few reboots, everything was fine until the Notification of Doom. Maybe I'll uninstall all the above first but somehow I think the damage is done.

    Regards,

    Andy

    Tuesday, June 7, 2016 11:39 AM
  • Preliminary results are in...

    After a fresh install I waited for Windows to load all its updates. I then proceeded to install the software mentioned in the previous post. For each program or app I rebooted the machine.

    The Event Log etc. stopped working after installing the PowerChute software. I was slightly suspicious of the program being so old and yet billed as a Windows 10 download.

    The most dangerous aspect is I cannot see how one would repair the damage. Uninstalling is not a fix.

    Could anyone recommend alternative UPS software?

    Tuesday, June 7, 2016 9:53 PM
  • Hi POSitality,

    "The Event Log etc. stopped working after installing the PowerChute software"
    So the culprit is the "PowerChute software"?
    I am glad you have found the culprit and thanks for updating. For the third party product, it is recommended to ask for help from the third party support.

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, June 8, 2016 1:42 AM
  • So much for the PowerChute theory.

    Went to check my Event Logs today... been bust for over a week :(

    So back to the main symptoms: no System Restore, no Event Logs. FreeNAS is looking very tempting again ;D

    Tuesday, June 21, 2016 5:44 PM
  • Hi POSitality,

    Uninstalling that software will resolve the issue?

    If the issue is caused by the third party product, it is recommended to ask for help from the third party support. They are more familiar with their product and they may have more resources to help you.

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, June 22, 2016 1:54 AM
  • It sounds like compatibility issues to me.  Maybe drivers for this older hardware aren't really compatible with Windows 10.

    Danny Jeter, Owner Jeter IT Solutions, LLC

    Http://www.jeterit.com

    Wednesday, June 22, 2016 2:00 AM
  • Nope, on the forth re-install I didn't load PowerChute so pointing the finger at third party software was my mistake.

    As for "not compatible with Windows 10" I respectfully suggest everything is compatible given that the upgrade is forced on people almost without choice...

    Anyhoo, enough politics this is a very fresh, non-upgrade install of Windows 10 Pro on a Gigabyte H97 chipset board. Not the newest but certain enough to run Windows 10. Jeez... it ran it last year fine. Now I have less stuff on a fresh install and bigger problems :(

    Wednesday, June 22, 2016 2:04 AM
  • Hi POSitality,

    "on the forth re-install I didn't load PowerChute"

    How did you do that? Have you tried another installation media?

    Best regards


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, June 23, 2016 3:18 AM
  • I can't see how the installation media affects a problem that surfaces several days after boot up but anyway...

    I downloaded the ISO straight from microsoft.com. IIRC I used an older build initially, noticed the problem and then downloaded the latest for subsequent installs.


    Thursday, June 23, 2016 9:26 AM
  • Okay, so I've found the problem:

    ReFS

    While non-server versions of Windows can utilise ReFS there is no option to format a drive. The following registry "hack" is easy to find through search engines:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT]
    "AllowRefsFormatOverNonmirrorVolume"=dword:00000001

    ...and yes, this does allow ReFS formatting under Windows 10.

    Unfortunately by creating "MiniNT" some parts of Windows start behaving like WinPE and err... break quite badly :( The "AllowRefsFormat" key itself isn't damaging. But you can't have one without the other.

    Probably best to format a drive as ReFS under Windows Server. I suppose you could create the key and then delete it again before the next reboot.

    You have been warned :)

    • Marked as answer by POSitality Friday, June 24, 2016 12:31 AM
    Friday, June 24, 2016 12:31 AM