Troubleshooting Events in Event Viewer

30 Jul 2012, CPOL

This post deals with troubleshooting two recent events on a Windows Vista Ultimate 64-bit system (my system).

Problem # 1

When you go to Event Viewer and see something like this:

[Screenshot: LotsOfEventViewerErrors]

Naturally you want to look and see what is going on. So you open one of them and see this:

[Screenshot: ErrorEventprops1]

OK, that’s real helpful. What is that CLSID? You can use a registry search tool, but you may or may not find it.

What happened to me first was, when I did a search using a 32-bit registry search tool on a 64-bit system, I was unknowingly being redirected to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\ key rather than the HKEY_CLASSES_ROOT\CLSID key, where I thought I was searching. Of course I didn’t find that CLSID till I searched by hand in regedit. Windows Vista has redirection for only certain keys in the registry; see more info in “Registry Keys Affected by WOW64” here on MSDN.

I discovered the redirection by running Sysinternals Process Monitor in the background while running the registry search tool to figure out why I wasn’t finding the key.

Now the info on the General tab is somewhat helpful if you know what it means, but let’s go to the Details tab and see what more it has to offer.

[Screenshot: EventPropDetail1]

Starting from the top at the Provider section, let’s go through and see what this all means.

Name: tells us what is trying to do the starting here.

GUID: is the ID of the “Name”.

EventSourceName: is the friendlier name we see; in this case it is DCOM.

Event ID: you can look this up online or click the link in the General tab to see what Microsoft has to say about the event. Here it was Event ID 10016.

Event Qualifiers: I found there is little information on it besides what the data type is.

Version: I’m not real sure that it pertains to figuring things out and haven’t looked that item up yet.

Time: the time can help narrow down what else may have been happening at the time.

Event Record: just gives us the record number in the event log.

Process ID and Thread ID: can help if it is still running; just use Sysinternals Process Explorer to locate the Process ID, then go to the Threads tab and check the Thread ID to see what is happening. But most of the time the operation will probably have stopped by the time you see the log, so those values may not be of much help.

Channel: may or may not lead you in the right direction. In this case it is System, and param7 S-1-5-18 is the same as User ID = S-1-5-18, which is the SID for the System account.

Then we have all of the rest of the parameters.

So what does all of this tell us so far? DCOM and parameter 8 tell us it is a networking component. Next, parameters 2 and 3 tell us it was something trying to launch locally. Parameters 5, 6 and 7 tell us it was probably going to be started as a system service.
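Here is an added PowerShell example (not code from the article or the author's tools) that pulls the same fields the Details tab shows for event 10016 out of the System log and decodes the paramN values; the function name and the way it picks the CLSID and SID by their shape are my choices, since the parameter positions differ between Windows versions.

```powershell
# Added example, not the article's code. Reads DCOM event 10016 entries from the System log
# and decodes the EventData parameters the Details tab displays.
# Assumes Windows Vista or later with PowerShell 3.0+ (Get-WinEvent); run elevated to see every entry.

function Get-Dcom10016Detail {
    param([int]$MaxEvents = 20)

    $filter = @{ LogName = 'System'; Id = 10016 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        [xml]$xml = $ev.ToXml()
        $params = @{}
        foreach ($d in $xml.Event.EventData.Data) { $params[$d.Name] = $d.'#text' }

        # Parameter positions vary between Windows versions, so match the CLSID and SID by shape
        $clsid = $params.Values | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } | Select-Object -First 1
        $sid   = $params.Values | Where-Object { $_ -match '^S-1-\d+(-\d+)+$' }      | Select-Object -First 1

        # Resolve the SID to an account name; S-1-5-18 resolves to NT AUTHORITY\SYSTEM
        $account = $null
        if ($sid) {
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            }
            catch { $account = '(unresolved)' }
        }

        [pscustomobject]@{
            Time      = $ev.TimeCreated
            RecordId  = $ev.RecordId
            Provider  = $xml.Event.System.Provider.Name
            ProcessId = $ev.ProcessId
            ThreadId  = $ev.ThreadId
            Scope     = $params['param2']   # Local / Remote, as in the article
            Operation = $params['param3']   # Launch / Activation
            Clsid     = $clsid
            Sid       = $sid
            Account   = $account
        }
    }
}

Get-Dcom10016Detail | Format-Table -AutoSize
```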

Now that leaves us with the actual item at parameter 4. As I said at the beginning, I was getting redirected to a different key, so I made a new program to help me track down these items more easily. Here is what it looks like searching for the listed CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}. Most of the searches for this CLSID will be done with the top left button “Go HKCR”, but I added the other 2 for alternate locations in case you can’t find it in the main one.

[Screenshot: ClsidSearch2]

As you can see from this, my system has 5,805 CLSIDs listed in the root CLSID key.

Next we right click the listing in the program and click Go to Key, which lands us here:

[Screenshot: CLSIDreg1]

Oh yeah, it’s the Associated Device Presence Class. What’s that? Well, let’s see if the Local Service sub folder will help.

If we follow the AppID, it just tells us it is a Local Service and gives a REG_BINARY blob of the launch permissions. Not as useful for this search.

[Screenshot: CLSIDreg2]

OK, now we know it has to do with IPBusEnum, but what is that? An internet search tells us it is a service for enumerating Plug and Play network devices. One link here. I happen to have a network printer installed on my local network.

So where does that leave us? What could cause an error of “The application-specific permission settings do not grant Local Launch permission for…”? Well, there are a few things I can think of. The link in the event said possibly DCOM security permissions: not this time. The user may not have permission to launch the application: most likely not this either, as it is the System account trying to start the service. Well, maybe the service is not installed. So we check the Services utility for it.

When I looked I discovered that the service was installed, but it was disabled, and I, um, remembered I had disabled it checking something a few days or so before and didn’t re-enable it, so it started filling my log to get back at me. One strange thing that happened was, when I changed it from Disabled to Manual, it changed itself to Automatic (Delayed Start).

Here is a screenshot of the current setting:

[Screenshot: services1cropa]

Just re-enabling the service solved the problem, and no more events were logged for it.

As it turns out, in this case the information in the link from the event log (here) was misleading in a way, as it was trying to get the user to check COM/DCOM for the problem. The reason it didn’t have permissions was that the service was not started and so not able to get the permissions to run. So checking whether the service is installed and running is the quickest thing to do first, before trying to mess with DCOM settings.
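The lookup chain from this section (CLSID key, AppID, LocalService, then the service state), as an added PowerShell example rather than the author's Enum 64 Bit CLSID tool; it opens the 64-bit and the Wow6432Node views explicitly so the WOW64 redirection described earlier cannot hide the key, and the function name is my own.

```powershell
# Added example, not the article's tool. Finds a CLSID in HKCR\CLSID and in both views of
# HKLM\SOFTWARE\Classes\CLSID, follows its AppID to the LocalService value and reports that
# service's state. Assumes Windows Vista or later with PowerShell 3.0+.

function Find-ClsidService {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    $views = @(
        @{ Label = 'HKCR\CLSID (process view)';   Hive = 'ClassesRoot';  View = 'Default'    },
        @{ Label = 'HKLM 64-bit view';             Hive = 'LocalMachine'; View = 'Registry64' },
        @{ Label = 'HKLM 32-bit view (Wow6432Node)'; Hive = 'LocalMachine'; View = 'Registry32' }
    )
    foreach ($v in $views) {
        # RegistryView picks the view explicitly, so a 32-bit host is not silently redirected
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]$v.Hive, [Microsoft.Win32.RegistryView]$v.View)
        $root = if ($v.Hive -eq 'ClassesRoot') { '' } else { 'SOFTWARE\Classes\' }

        $key = $base.OpenSubKey("${root}CLSID\$Clsid")
        if (-not $key) { $base.Close(); continue }

        $className = $key.GetValue('')        # default value, e.g. "Associated Device Presence Class"
        $appId     = $key.GetValue('AppID')
        $service   = $null
        if ($appId) {
            $appKey = $base.OpenSubKey("${root}AppID\$appId")
            if ($appKey) { $service = $appKey.GetValue('LocalService'); $appKey.Close() }
        }
        $key.Close(); $base.Close()

        # A disabled or missing service is the cheap check to make before touching DCOM permissions
        $state = 'n/a'
        if ($service) {
            $svc = Get-WmiObject Win32_Service -Filter "Name='$service'"
            $state = if ($svc) { "$($svc.State) / StartMode=$($svc.StartMode)" } else { 'not installed' }
        }
        [pscustomobject]@{
            View = $v.Label; ClassName = $className; AppId = $appId
            LocalService = $service; ServiceState = $state
        }
    }
}

# The CLSID from the article's first event
Find-ClsidService -Clsid '{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}' | Format-List
```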

Problem #2

This is another somewhat misleading event that was listed. It got logged while I was checking some information with one of my tools.

[Screenshot: EventErrorMine]

This time, after using my tool to search for the CLSID, it tells me that the COM Server application that is trying to start is “VSSCoordinator Class”. Well, VSS sounds familiar. OK, this time I need to use a different button on my new tool: get the AppID from the first registry key and use the AppID button on the tool to look it up and see if it gets me more information.

What I found was, it is “Volume Shadow Copy Service” and the Local Service is “VSS”.

So what caused that error? This time it was this little program here that uses Win32_ShadowCopy to enumerate the shadow copies on the system.

[Screenshot: ShadowCopy]

What actually caused the error was that the information the program was accessing needed elevated privileges, so it would throw an error; the very next entry was a success after right-clicking and running it as Administrator. Using just a simple try/catch block with MsgBox(ex.Message) for error handling in this program, here is what we see when run as a standard user:

[Screenshot: ShadowCopyError]

That’s a real helpful message. But since I built the application, I knew what the problem was: the program needed to be run as Administrator. So if you see the last part in another WMI application that says “Initialization Failure”, then you may check if it needs to be run as an Administrator. (Some WMI classes do not return all properties if Administrator rights are required, or just throw an error like this one.)
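An added PowerShell example (not the author's Win32_ShadowCopy tool) of the check suggested above: test for elevation before the WMI query so a standard user gets a clear message instead of the bare “Initialization Failure”; the function names are my own.

```powershell
# Added example, not the article's code. Checks whether the current process is elevated before
# querying Win32_ShadowCopy, and surfaces the WMI/COM error text if the query still fails.
# Assumes Windows Vista or later with PowerShell 2.0+.

function Test-Elevated {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShadowCopyList {
    if (-not (Test-Elevated)) {
        # Win32_ShadowCopy needs an elevated token; say so instead of letting WMI throw
        Write-Warning 'Win32_ShadowCopy requires an elevated process. Re-run PowerShell as Administrator.'
        return
    }
    try {
        Get-WmiObject -Class Win32_ShadowCopy -ErrorAction Stop |
            Select-Object ID, VolumeName, InstallDate, ProviderID, ClientAccessible
    }
    catch {
        # Keep the original message; "Initialization failure" is the clue the article points at
        Write-Error ("Win32_ShadowCopy query failed: " + $_.Exception.Message)
    }
}

Get-ShadowCopyList | Format-Table -AutoSize
```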

Well that’s it for this time, I hope the information here is helpful for your investigations.

My Tools:

My tools can be found on my SkyDrive here (along with several others I have posted).

The tools associated with this post are Win32_ShadowCopy.zip, Windows Restore Point Viewer.zip (just threw that one in), Enum 64 Bit CLSID.zip, and ServiceDetail.zip to get the info on the services.

Note:

The tool called Enum 64 Bit CLSID, when run on a 32-bit system, will pop up an error dialogue when you try to use the two “64”-bit-specific buttons, as the registry keys don’t exist on the 32-bit system.

As usual, all utilities are free to use and are as is. These only retrieve info and do not write to the system, except maybe to the application data folder if I forgot to uncheck the save-settings-on-shutdown option while building them.

Please let me know if you have any questions or if you find any bugs in the programs, and I will try to resolve any issues in them. Remember, some or most of these will need to be run elevated to get at some of the information. They are admin tools after all.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

ledtech3
PC's Xcetra
United States
My first experience with computers was when my mom gave a Timex Sinclair 1000 to me for Christmas some time in the late 70's (I still have it). There I learned to copy code from magazines to save to cassette tapes for playing games.

Since then I have dabbled in:
Basic, QBasic, Ruby, Python, JavaScript, HTML, CSS, C#, C++, Perl, and a few others I can't think of off hand.
Now I mainly work with VBScript and VB.Net.
I prefer to build programs that make use of the GUI so I don't have to remember all of the syntax for console apps. I really don't care much for HTML because of the way you build and then run to see if it looks right. Also the new WPF is too much like HTML so I steer clear of it for now.
Most of what I build is for getting information from a system to use in system repair. I make heavy use of the WMI classes. Why reinvent something.

Last Updated 30 Jul 2012
Article Copyright 2012 by ledtech3