Event forwarding not displaying full message

  • Question

  • Hi

    I've set up event forwarding and it's great, but some messages do not display the full description. The collector is Server 2008 R2 SP1 and the clients are Windows XP SP3.

    This seems to be quite a common issue and I've read the following article

    http://social.technet.microsoft.com/Forums/en/winserverManagement/thread/7c652d50-0440-4b40-8b5d-0f96d96ea239

    and implemented the solutions.

    So as an example for a forwarded event from userenv the description is

    The description for Event ID 1041 from source Userenv cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    {7B849a69-220F-451E-B3FE-2CB811AF94AE}

    If I look in the registry the following key exists

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv and points to userenv.dll in the system32 folder which also exists.

    I've also changed the format to Events but I still don't get the full description. The userenv.dll is a different version on the client and server, so I copied the DLL from the client to the server, pointed the registry entry at it and rebooted, but still no joy.

    Any suggestions?

    • Edited by Mr P Tuesday, May 8, 2012 10:05 AM
    Tuesday, May 8, 2012 10:03 AM

Answers

  • Hi

    I eventually solved this one. I'll illustrate the fix using the example of events from userenv.

    On the collector server I opened up

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv

    and noted the EventMessageFile string. It read %SystemRoot%\System32\userenv.dll

    I found a copy of the userenv.dll on a Windows XP PC and copied it to a file c:\XP_DLL on the 2008 server

    I then pointed the

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv\EventMessageFile

    to c:\XP_DLL\userenv.dll

    Also in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv there was a value ProviderGUID. I renamed this string OLD_ProviderGUID.

    After making these changes I rebooted the server and all the messages for userenv displayed correctly.

    Cheers

    P

    • Marked as answer by Mr P Monday, May 21, 2012 12:26 PM
    Monday, May 21, 2012 12:26 PM
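
The registry change described in the answer above, scripted for an elevated PowerShell session on the collector. This is an added example, not part of the original post; the key, value names and DLL path are the ones given in the answer, while the backup file name is an assumption. It exports the key before changing it and prints the ACL of the copied DLL, since the registry will now reference a file outside System32.

```powershell
# Added example (not from the original post): applies the Userenv fix on the collector.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv'
$regKey = 'HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Userenv'
$xpDll  = 'c:\XP_DLL\userenv.dll'                     # XP copy of the DLL, as in the post
$backup = 'c:\XP_DLL\Userenv-eventlog-backup.reg'     # assumed backup location

# The XP copy of the DLL must already be in place.
if (-not (Test-Path $xpDll)) {
    throw "Copy userenv.dll from a Windows XP machine to $xpDll first."
}

# Export the key so the change can be reverted with 'reg import'.
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg export failed; no changes made.' }

$props = Get-ItemProperty -Path $key
"Current EventMessageFile: $($props.EventMessageFile)"

# Point the message file at the XP copy of the DLL.
Set-ItemProperty -Path $key -Name EventMessageFile -Value $xpDll

# Rename ProviderGUID to OLD_ProviderGUID, unless that was already done.
$hasGuid = $props.PSObject.Properties['ProviderGUID']
$hasOld  = $props.PSObject.Properties['OLD_ProviderGUID']
if ($hasGuid -and -not $hasOld) {
    Rename-ItemProperty -Path $key -Name ProviderGUID -NewName OLD_ProviderGUID
}

# Show the resulting values. The post reports a reboot before messages rendered.
Get-ItemProperty -Path $key |
    Select-Object EventMessageFile, ProviderGUID, OLD_ProviderGUID

# Review who can write to the DLL that the registry now references.
Get-Acl $xpDll | Format-List Owner, AccessToString
```

To revert, run `reg import` on the exported file; the import does not delete added values, so also remove the OLD_ProviderGUID value afterwards.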

All replies

  • Hi,

    I suggest you go to the MSDN forum for better support. Hope this helps.

    http://social.msdn.microsoft.com/Forums/en-US/category/windowsdesktopdev

    In addition, please check the event forwarding configuration. Some Microsoft materials for your reference:

    Configure Computers to Forward and Collect Events
    http://technet.microsoft.com/en-us/library/cc748890.aspx

    Forwarding Security Events from Windows XP, Server 2003, and Vista/Server 2008
    http://blogs.technet.com/b/otto/archive/2009/06/22/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx


    Jeff Ren, TechNet Community Support


    • Edited by Jeff Ren Tuesday, May 15, 2012 5:38 AM
    • Marked as answer by Jeff Ren Tuesday, May 15, 2012 6:03 AM
    • Unmarked as answer by Mr P Monday, May 21, 2012 12:14 PM
    Tuesday, May 15, 2012 5:31 AM