Windows update KB2964444 broke Event Logging Service and SQL Agent Service on Windows Server 2008 R2

Question

    I got the following problem:

    I discovered that on my Windows Server 2008R2 machine the event logging stopped working on 04/May/2014 at 03:15.

    Also, SQL Agent Service won't run

    The only change that day was security update KB2964444 - Security Update for Internet Explorer 11 for Windows Server 2008 R2 for x64-based Systems, that was installed exactly 04/May/2014 at 03:00. Apparently, that's what broke my machine...

    When I try to start Windows Event Log via net start eventlog or via Services panel, I get an error:

    C:\Users\Administrator>net start eventlog
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    
    A system error has occurred.
    
    System error 2 has occurred.
    
    The system cannot find the file specified.
    

    I tried:

    1. restarted the OS (virtual on the host's VMWare).
    2. re-checked the settings in services menu - they are like in the link.
    3. checked the identity in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog - the identity is NT AUTHORITY\LocalService
    4. gave all Authenticated Users full access to C:\Windows\System32\winevt\Logs
    5. ran sfc /scannow - Windows Resource Protection did not find any integrity violations.
    6. went to the file %windir%\logs\cbs\cbs.log - all clean, [SR] Repairing 0 components

    EDIT: Uninstalled the recent system updates and rebooted - didn't help

    EDIT: Sysinternals Process Monitor results when running start service from services panel (procmon in elevated mode):

    1. filters:

      process name is svchost.exe : include
      operation contains TCP : exclude
      

      the events captured are:

      21:50:33.8105780    svchost.exe 772 Thread Create       SUCCESS Thread ID: 6088
      21:50:33.8108848    svchost.exe 772 RegOpenKey  HKLM    SUCCESS Desired Access: Maximum Allowed, Granted Access: Read
      21:50:33.8109134    svchost.exe 772 RegQueryKey HKLM    SUCCESS Query: HandleTags, HandleTags: 0x0
      21:50:33.8109302    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\Services  REPARSE Desired Access: Read
      21:50:33.8109497    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\Services  SUCCESS Desired Access: Read
      21:50:33.8110051    svchost.exe 772 RegCloseKey HKLM    SUCCESS 
      21:50:33.8110423    svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services  SUCCESS Query: HandleTags, HandleTags: 0x0
      21:50:33.8110705    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\services\eventlog SUCCESS Desired Access: Read
      21:50:33.8110923    svchost.exe 772 RegQueryKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS Query: HandleTags, HandleTags: 0x0
      21:50:33.8111257    svchost.exe 772 RegOpenKey  HKLM\System\CurrentControlSet\services\eventlog\Parameters  SUCCESS Desired Access: Read
      21:50:33.8111547    svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services  SUCCESS 
      21:50:33.8111752    svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog SUCCESS 
      21:50:33.8111901    svchost.exe 772 RegQueryValue   HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll   SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
      21:50:33.8112148    svchost.exe 772 RegCloseKey HKLM\System\CurrentControlSet\services\eventlog\Parameters  SUCCESS 
      21:50:33.8116552    svchost.exe 772 Thread Exit     SUCCESS Thread ID: 6088, User Time: 0.0000000, Kernel Time: 0.0000000
      

      NOTE: previously, for

      21:46:31.6130476    svchost.exe 772 RegQueryValue   HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll   SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
      

      I also got NAME NOT FOUND error, so I created the new string value for the Parameters with the name ServiceDll and data %SystemRoot%\System32\wevtsvc.dll (copied from the upper HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog key) and this event now is

      21:46:31.6130476    svchost.exe 772 RegQueryValue   HKLM\System\CurrentControlSet\services\eventlog\Parameters\ServiceDll   SUCCESS Type: REG_SZ, Length: 68, Data: %SystemRoot%\System32\wevtsvc.dll
      

      I also checked for the presence of wevtsvc.dll in the place and it's there.

    2. Also, I tried to capture all events with path containing 'event' and got following events firing every several seconds:

      21:38:38.9185226    services.exe    492 RegQueryValue   HKLM\System\CurrentControlSet\services\EventSystem\Tag  NAME NOT FOUND  Length: 16
      21:38:38.9185513    services.exe    492 RegQueryValue   HKLM\System\CurrentControlSet\services\EventSystem\DependOnGroup    NAME NOT FOUND  Length: 268
      21:38:38.9185938    services.exe    492 RegQueryValue   HKLM\System\CurrentControlSet\services\EventSystem\Group    NAME NOT FOUND  Length: 268
      
    3. Also, I tried to capture all the events containing 'file', excluding w3wp.exe, chrome.exe, wmiprvse.exe, wmtoolsd.exe, System and it shows NO attempts to access any file in the time I try to start the event logger (if run from cmd - there are several hits by net executable, not present if run from the panel).

    What can be done?

    Wednesday, May 21, 2014 10:39 AM
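The checks the poster did by hand (service account, ServiceDll value under Parameters, presence of wevtsvc.dll, ACL on winevt\Logs) can be collected in one pass. The following PowerShell script is an added example, not code from the original post; it assumes an elevated prompt on the affected server and defaults to the eventlog service.

```powershell
# Added diagnostic for a service that fails with "System error 2" (file not found).
# Assumes: run elevated; $ServiceName is the registry name of the service.
param([string]$ServiceName = 'eventlog')

$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$svc = Get-ItemProperty -Path $svcKey -ErrorAction Stop

# Service account ("identity" in the post) and the launch command line.
"Account  : $($svc.ObjectName)"
"ImagePath: $($svc.ImagePath)"

# Services hosted in svchost.exe keep their DLL under Parameters\ServiceDll.
# A missing value, or a path that expands to a file that is not there, is one
# cause of "The system cannot find the file specified" at service start.
$paramsKey = Join-Path $svcKey 'Parameters'
$dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
if (-not $dll) { $dll = $svc.ServiceDll }   # fallback: value on the service key itself
if (-not $dll) {
    "ServiceDll: MISSING in $paramsKey and $svcKey"
} else {
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    "ServiceDll: $dll -> $expanded (exists: $(Test-Path -LiteralPath $expanded))"
    if (Test-Path -LiteralPath $expanded) {
        # Version and signature status show whether an update swapped the DLL.
        $fi = Get-Item -LiteralPath $expanded
        "  version : $($fi.VersionInfo.FileVersion)"
        "  signed  : $((Get-AuthenticodeSignature -FilePath $expanded).Status)"
    }
}

# "svchost.exe -k <group>": the service must be listed in that svchost group,
# otherwise the host process has nothing to load for it.
if ($svc.ImagePath -match '-k\s+(\S+)') {
    $group   = $Matches[1]
    $groups  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = @($groups.$group)
    "svchost group '$group' lists '$ServiceName': $($members -contains $ServiceName)"
}

# Log directory the event log service writes to (the post granted access here).
$logDir = "$env:windir\System32\winevt\Logs"
"Log dir  : $logDir (exists: $(Test-Path -LiteralPath $logDir))"
(Get-Acl -Path $logDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Compare the output against a healthy 2008 R2 host of the same patch level; a ServiceDll that is present, signed and listed in its svchost group narrows the fault to something the script does not cover, such as the DLL's own dependencies.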
