WINDOWS VISTA HOME PREMIUM (currently at SP2). I have debated whether or not to post any information concerning this Eventlog service failure issue. NONETHELESS, I have decided to add my perspective. I have noticed with great interest how most of the solutions concerning this Eventlog service failure have been arrived at through security/ownership, NTFS permissions, subinacl, SDDL review, CustomSD and so forth. MY EVENTLOG SERVICE failure was not solved by any of these solutions; in actuality, the "ERROR: 4201 The instance name passed was not recognized as valid by a WMI data provider" was merely a symptom of an underlying cause: 0x000005aa (decimal 1450). This error was found in the REGISTRY at HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\("whatEverLoggerYourLookingFor") -> STATUS value.
The error 1450 (0x000005aa) means ERROR_NO_SYSTEM_RESOURCES (Insufficient system resources exist to complete the requested service). Thus, there was a system resource contention. After reviewing the STARTED EVENT TRACE SESSIONS (through the MMC snap-in EVENT TRACE SESSIONS) I noticed that the NT KERNEL LOGGER trace session was started. The EVENTLOG TRACE SESSION (Eventlog service - wevtsvc.dll) AND the NT KERNEL LOGGER trace session BOTH UTILIZE REAL-TIME SYSTEM RESOURCES, namely the SYSTEM CLOCK and REAL TIME STREAM MODE. I stopped the NT KERNEL LOGGER and ensured that it would not restart at boot, AND subsequently the Eventlog service restarted and I HAD ACCESS TO EVENT VIEWER.
I agree with those who have indicated that without EVENT VIEWER there is great concern (i.e., security, reliability, monitoring, etc.). IN my case other significant infrastructures were affected by the failure of the EVENTLOG service (4201 and 1450): the WdiContextLog (Windows Diagnostic Infrastructure was not running), NBSMBLOGGER, RdrLog, Ntfslog, PEAuthLog, SQMLogger (Software Quality Monitoring), Reliability and Performance Monitor and TCPIPLOGGER. Moreover, without the EVENTLOG SERVICE running, you cannot apply a Service Pack (because the service pack process generates event signatures to be recorded through the EVENTLOG SERVICE). In all aspects, with EVENTLOG SERVICE failure AND with no EVENT VIEWER, you are flying BLIND. I rely on RELIABILITY AND PERFORMANCE MONITORING TO TRACK the software installs/de-installs, application failures, hardware failures, Windows failures and miscellaneous failures. I hope that somewhere and at some time this SUPERFLUOUS information helps someone.
UPDATE (04/04/2010). THE ABOVE REGISTRY PATH/VALUE was modified as of this writing to reflect the CurrentControlSet. This will reflect the CURRENT STATUS of your loggers; the other ControlSets will reflect what status has lingered (like an archive).
- Moved by Esther Fan (Microsoft employee), Sunday, October 24, 2010 12:31 AM (From: Architecture General)
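The diagnosis in the post above can be scripted. The following is an added example, not code from the original poster or from Microsoft: it reads the STATUS value of every Autologger subkey under the registry path the post names, decodes the two error codes the post mentions (0 and 1450), and then checks whether the "NT Kernel Logger" session is among the live ETW sessions (the same list the Event Trace Sessions MMC node shows). It assumes an elevated PowerShell prompt; the `Status` and `Start` value names are the documented Autologger value names, and the hashtable of error names is limited to codes stated in the thread.

```powershell
# Added example (not from the original post): list Autologger STATUS values and
# check for a running NT Kernel Logger session. Run elevated.
$autologgerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

# Win32 error codes named in the thread
$knownErrors = @{
    0    = 'ERROR_SUCCESS'
    1450 = 'ERROR_NO_SYSTEM_RESOURCES'   # 0x000005AA
}

function Get-AutologgerStatus {
    param([string]$Key = $autologgerKey)
    Get-ChildItem -Path $Key | ForEach-Object {
        $props  = Get-ItemProperty -Path $_.PSPath
        $status = $props.Status      # REG_DWORD; absent on loggers that have never started
        [pscustomobject]@{
            Logger  = $_.PSChildName
            Start   = $props.Start   # 1 = start at boot, 0 = do not start
            Status  = $status
            Meaning = if ($null -eq $status) { '(no Status value)' }
                      elseif ($knownErrors.ContainsKey([int]$status)) { $knownErrors[[int]$status] }
                      else { '0x{0:X8}' -f [int]$status }
        }
    }
}

# 1. Which autologgers recorded a non-zero status at their last start
Get-AutologgerStatus |
    Where-Object { $null -ne $_.Status -and $_.Status -ne 0 } |
    Format-Table -AutoSize

# 2. Is the NT Kernel Logger session currently running?
#    "logman query -ets" enumerates live ETW sessions, not data collector sets.
$sessions = & logman.exe query -ets 2>&1
$kernelLoggerRunning = $sessions | Select-String -SimpleMatch 'NT Kernel Logger' -Quiet

if ($kernelLoggerRunning) {
    Write-Host 'NT Kernel Logger session is active.'
    # Stop it for the current boot (the runtime action the post describes):
    #   logman stop "NT Kernel Logger" -ets
    # The post does not say how it was kept from restarting at boot; if an
    # Autologger subkey for it exists, Start=0 is the documented way to disable it
    # (assumption: such a key is present only when some tool created it):
    #   Set-ItemProperty "$autologgerKey\NT Kernel Logger" -Name Start -Value 0
} else {
    Write-Host 'NT Kernel Logger session is not running.'
}

# 3. Confirm the Event Log service state after any change
Get-Service -Name EventLog | Select-Object Name, Status
```

Stopping "NT Kernel Logger" with `logman stop ... -ets` only affects the running session; anything that starts it again at the next boot (a tool, a scheduled task, or an Autologger entry) has to be found separately, which is why the script checks the `Start` value alongside `Status`.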
Greetings back to you Programmer Live,
Thank you for your direction; however, I have all the infrastructures mentioned in this forum now running and have monitored all event signatures to ensure a healthy resolution. I have decided to leave "NT KERNEL LOGGER" stopped until I need this type of data for problem resolution or as directed by Microsoft Technical Support. This self-solution has been a good exercise in the general architecture of Windows NT 6.0 (Vista Home Premium) SP2.
Being my FIRST attempt to communicate information through this Microsoft vehicle; I am unsure if I should close or remove this dialog.
Thanks for the response.
To NOFEAR ADMIN:
Thank you for your comment. I am unsure exactly what you are suggesting, but am all ears. I have all my problem analysis steps documented in a hardcopy format (to include personal notes), with regard to my solution. I analyzed this issue myself because I have a pre-installed version of Windows Vista and Hewlett-Packard is my first point of contact. Therefore, Microsoft wanted a fee for troubleshooting. I needed this self-internals analysis of WMI, MMC, Event Viewer, WDI, SMBLogger, TCPIPLogger, NTFSLog, RDRLOG, TDI, etc., to strengthen my knowledge of internals. I cross-referenced and made heavy use of the Microsoft SDK and DDK documentation, WinDbg, KDB, and CD. It was a great experience for me after serving so long on mainframes since the mid 1970s. I saw some OS/2 similarities as I slowly looked under the hood. If you feel that I should document step-by-step my analysis and solution, please advise in what format, location to supply documentation, etc.
I thank you for responding. I do not want to waste cpu cycles on superfluous information, given that I am new to these forums and still attentive to my lacking knowledge of protocol and etiquette.
Once again, NOFEAR ADMIN, thank you for your communication.
John M. Schellenberg
1. Start Windows in Safe mode
2. Open the "C:\Windows\System32\LogFiles\WMI" folder
3. Right-click on the RtBackup folder and choose Properties
4. Click the Security tab, and click the Edit button.
5. Click Add
6. Type SYSTEM and hit ENTER
7. Enable "Full control" Permission to "Allow"
8. Click OK, and then click Yes when asked for confirmation
9. Restart Windows (in Normal mode), and verify if the Windows Event Service has started.
Unable to assign permissions for the RtBackup folder?
If you're unable to assign permissions for the RtBackup folder, try taking ownership of the folder, and then repeat steps 1-9 above.
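The nine manual steps above, plus the take-ownership fallback, as an added PowerShell example (this is not code from the poster or from Microsoft). It assumes an elevated prompt, the default `%SystemRoot%` location for the WMI log folder, and that you are a member of the local Administrators group; `takeown.exe /A` gives ownership to that group, which is what makes the subsequent ACL edit succeed when the folder's owner is TrustedInstaller or an orphaned SID.

```powershell
# Added example (not part of the thread): grant SYSTEM Full control on RtBackup,
# taking ownership first, then start the Event Log service and verify it.
$rtBackup = Join-Path $env:SystemRoot 'System32\LogFiles\WMI\RtBackup'

if (-not (Test-Path -LiteralPath $rtBackup)) {
    throw "RtBackup folder not found at $rtBackup"
}

# "Unable to assign permissions?" branch: take ownership for the Administrators
# group (/A), recursively (/R), answering Yes when a subfolder is unreadable (/D Y).
& takeown.exe /F $rtBackup /A /R /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Steps 4-8: SYSTEM, Full control, Allow, inherited by subfolders and files.
$acl  = Get-Acl -LiteralPath $rtBackup
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)   # SetAccessRule replaces an existing SYSTEM entry rather than duplicating it
Set-Acl -LiteralPath $rtBackup -AclObject $acl

# Check: show the effective entry for SYSTEM before touching the service.
(Get-Acl -LiteralPath $rtBackup).Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' } |
    Format-List IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType

# Step 9 equivalent without a reboot: start the service and report its state.
Start-Service -Name EventLog -ErrorAction Stop
Get-Service -Name EventLog | Select-Object Name, Status
```

Note the side effect of the fallback: a stock RtBackup folder is owned by SYSTEM with SYSTEM as the only ACE, so after `takeown /A` the Administrators group is the owner and can re-enter the ACL at will. That is acceptable for a repair, but it is a weaker state than the default, which is one reason to try steps 1-9 without the ownership change first.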
The folder RtBackup has nothing to do with this solution. There is more than one way to skin a cat. As stipulated in the original description of my solution, NTFS permissions, SDDL, or CustomSDs have nothing to do with the solution on my platform. I have noticed with great interest how RtBackup permissions have been the solution. In my case it was not.
John M. Schellenberg