Windows Event Log Service Crash

  • Question

  • Hi

    I have an Active Directory domain with Win2008R2 DCs and Win7 clients.
    Starting about 2 months ago, some of my clients have been complaining that the system time is behind the DC time.
    When I nailed down the problem I noticed that the permissions on the folder
    "C:\Windows\System32\LogFiles\wmi\RtBackup" are the key to the problem. Group 'System' should have access to this folder, and
    for some unknown reason this permission is deleted.
    Because of this permission problem, the 'Windows Event Log' service is stopped too.
    When I correct the permission and reboot the clients, everything works fine.


    Do you know what is causing this problem? What is changing permissions of RtBackup folder?

    • Edited by mohsenov Tuesday, November 3, 2015 5:03 AM
    Monday, November 2, 2015 3:24 PM

Answers

  • Hi mohsenov,

    "Do you know what is causing this problem? What is changing permissions of RtBackup folder?"
    Have you made any modifications to these machines recently?
    Since the issue has happened, it is hard to troubleshoot the culprit. I hope there is something recorded in the Event Viewer.

    If the issue occurred again, we could try to audit this folder to capture the culprit next time.
    1. In the local policy (or applicable GPO) of the computer, enable Success audits via one of the following:
       • Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit Object Access
       • Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Object Access | Audit File System

    2. Enable auditing on your directory by right-clicking on the directory in Windows Explorer and selecting Properties | Security | Advanced | Auditing | Edit... | Add.... Next, enter Everyone as the security principal to audit. Last, check the "Successful" box for "Change permissions".
    3. In the Security event log, look for event 4663 or 4670.

    Best regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.


    Tuesday, November 3, 2015 6:15 AM
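The three auditing steps from the answer above, scripted in PowerShell as an added example (not code from the thread). It assumes an elevated session on an affected client and uses the RtBackup folder path from the question; step 3 is the query you would run after the permissions have been changed again.

```powershell
# Added example: audit who changes permissions on the RtBackup folder.
# Assumes an elevated PowerShell session on the affected Windows 7 client.
$Target = 'C:\Windows\System32\LogFiles\wmi\RtBackup'   # path from the question

# Step 1: enable Success auditing for Object Access > File System
# (the Advanced Audit Policy setting named in the answer).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: add a SACL entry on the folder: audit successful "Change permissions"
# by Everyone, inherited by subfolders and files (same as the GUI steps).
$acl = Get-Acl -Path $Target -Audit
$ruleArgs = @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Step 3: pull Security events 4670 (permissions on an object were changed)
# and 4663 (object access) that name the folder, and show the subject and
# process behind each one. 4670 also carries the old and new security
# descriptors (SDDL), which show exactly which ACE disappeared.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Target*" } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['ProcessName']
            Object  = $d['ObjectName']
            OldSd   = $d['OldSd']
            NewSd   = $d['NewSd']
        }
    } | Format-List Time, EventId, Subject, Process, Object, OldSd, NewSd
```

The Process and Subject fields of the 4670 event are what identify the agent, script or service that removed the SYSTEM entry; compare OldSd and NewSd to confirm the ACE that was dropped.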