Posts Tagged event viewer
I’ve been seeing this error on one of our domain controllers for a while.
It’s not a big deal, but annoying so I looked at fixing it today. Found this page about it and looked in the registry to check the settings it walks you through. The only thing that I needed to change was adding ,0x1 to the end of the servers since we weren’t using the IP addresses. I’ll check on it later to see if the error is still popping up.
This registry entry specifies a space-delimited list of stratum 1 time servers from which the local computer can obtain reliable time stamps. The list may consist of one or more DNS names or IP addresses (if DNS names are used then you must append ,0x1 to the end of each DNS name). For example, to synchronize the PDC Emulator in your forest root domain with tock.usno.navy.mil, an open-access SNTP time server run by the United States Naval Observatory, change the value of the NtpServer registry entry from time.windows.com,0x1 to tock.usno.navy.mil,0x1 here. Alternatively, you can specify the IP address of this time server, which is 22.214.171.124 instead.
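A check for the rule quoted above (DNS names in NtpServer need a ,0x1 suffix, IP addresses do not), as an added example that is not part of the original post or the page it quotes. The function name Test-NtpPeerList is hypothetical, the sample list is constructed, and the registry path is the standard W32Time Parameters key, which the post itself does not spell out.

```powershell
# Added example: validate the space-delimited NtpServer peer list.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Test-NtpPeerList {
    param([string]$PeerList)
    # Each entry is "peer" or "peer,0x<flags>"; entries are separated by spaces.
    foreach ($entry in ($PeerList -split '\s+' | Where-Object { $_ })) {
        $peer, $flags = $entry -split ',', 2
        $ip = $null
        $isIp = [System.Net.IPAddress]::TryParse($peer, [ref]$ip)
        $problem = $null
        if ($flags -and $flags -notmatch '^0x[0-9a-fA-F]+$') {
            $problem = "suffix '$flags' is not a hex flag such as 0x1"
        } elseif (-not $isIp -and -not $flags) {
            $problem = 'DNS name without a ,0x1 suffix'
        }
        [pscustomobject]@{
            Entry       = $entry
            Peer        = $peer
            IsIpAddress = $isIp
            Flags       = $flags
            Problem     = $problem
        }
    }
}

# Constructed sample: the first entry is a DNS name missing its suffix.
Test-NtpPeerList 'tock.usno.navy.mil time.windows.com,0x1' |
    Format-Table Entry, IsIpAddress, Flags, Problem

# Live value on the machine being checked; list only entries with a problem.
$current = (Get-ItemProperty -Path $key -Name NtpServer).NtpServer
Test-NtpPeerList $current | Where-Object Problem | Format-Table Entry, Problem
```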
I’ve been working a lot on our SMTP server configuring and watching a new spam filter. One of the features hasn’t been working quite right so I went searching through the event log for anything that could possibly be related. This is what the event viewer looked like:
Not pretty. Every 15 minutes, on the dot, there were 6 errors in a row. So the hunt began. I wasn’t sure if this was related to the problem I was having but my spam filter is mentioned in one of the errors so I figured it wouldn’t hurt to fix it and if it helps, then great. Here are the details of the 3 errors I was repeatedly seeing:
I started Googling to see what I could find and it turns out that there are quite a few things that will cause these errors to show up. The problem is that the errors aren’t specific enough to tell me which of the solutions would work. I can’t remember what sites I went to but the one solution that kept showing up was installing one of two Microsoft Visual C++ Redistributable Packages – either 2005 or 2008.
I tried 2005 but that didn’t make a difference at all. I then tried the 2008 package and ever since I installed it my event viewer has been perfectly clean – no errors at all. I also installed a critical Windows update, the .NET Framework 3.5 I think is what it was. But I don’t think that was related to it. It would have been nice if the package I needed showed up in Windows Update when I did the custom scan. But that would be too easy.
Continuing on my path of figuring out group policy I came across some errors on our Windows XP machines in the event log that I’ve been trying to repair for awhile now. For some reason the printers aren’t deploying to our Windows XP machines and I’m thinking it’s because the machines are having problems pulling the policy off the domain controller. I also needed to use the system information tool to send to our anti-virus company so they could troubleshoot an issue we’re having with their software. But when I went to system information it said it could not collect the data. It was event ID 1090, the source is Userenv, and it says:
I’ve been looking up this error for weeks trying to decipher how to repair Windows Management Instrumentation. Nearly every site and forum I found said either to empty the c:\windows\system32\wbem\repository folder, re-register the dll files associated with WMI, or do a repair installation of Windows XP. I emptied that folder I don’t know how many times. I tried using system file checker to replace any corrupted system files. I also ran the WMI diagnostic tool you can download from Microsoft to see if that would point me in any other directions, but I didn’t find it terribly helpful – except for one thing I found in the log file that it generates.
I came across the same error when I tried to re-register the dll files and when I ran the diagnostic tool.
!! ERROR: WMI CONNECTION errors occured for the following namespaces:
.1581 14:13:07 (0) ** – Root, 0x80070005 – Access is denied..
.1582 14:13:07 (0) ** – Root, 0x80070005 – Access is denied..
.1583 14:13:07 (0) ** – Root/Default, 0x80070005 – Access is denied..
.1584 14:13:07 (0) ** – Root/CIMv2, 0x80070005 – Access is denied..
.1585 14:13:07 (0) ** – Root/WMI, 0x80070005 – Access is denied..
Access denied? I had no idea why access would be denied. I’m the admin and have full permissions. Well today I finally figured out the problem. Since I was having problems today using the system information tool, I googled that error and came across this forum that had a script in it. When I tried to run the script the first time on my account I got the access denied errors again. So I went to the run box and typed services.msc. I looked at the WMI service to see what account it was logging on as, it says local administrator account. Well that’s good, so I next look at the remote procedure call (RPC) service and that one originally said log on as NT Authority or some other network account.
Well I changed that one to local administrator, rebooted the machine in safe mode so that no services were running, and ran the script from that forum again. It took awhile but I noticed it wasn’t throwing any access denied errors. I rebooted the machine, logged in on my regular network account and did not see a single RSoP error in the event log. Success.
Copy this script into notepad or some other text editor and save it as fixwmi.cmd. When you go to save as you’ll have to select all files in the file type so it doesn’t save as a text file.
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
net stop winmgmt
rem Keep one backup of the old repository; WMI rebuilds it when the service starts.
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
rem Re-register each WMI executable, skipping the three tools listed below.
if /I (%1) == (wbemcntl.exe) goto SkipSrv
if /I (%1) == (wbemtest.exe) goto SkipSrv
if /I (%1) == (mofcomp.exe) goto SkipSrv
%1 /RegServer

:SkipSrv
goto End

:TryInstall
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt

:End
Now I’m seeing another error related to group policy, but hey, at least it isn’t a WMI error.
I came across these three problems while trying to figure out why someone’s computer is locking up and taking forever to log in. Whether they are actually related to the symptoms she has been seeing has yet to be seen. Hopefully I’ll find out that I fixed it tomorrow when she gets into work.
Errors 1505 & 1508
I saw a lot of errors with both of those codes in the event log. I wasn’t finding much help until I went to eventid.net and saw one of the comments suggest renaming the UsrClass.dat file. It just rebuilds the file when you log in next time. It worked for me. You can find the file in C:\Documents and Settings\<user account>\local settings\application data\Microsoft\windows.
Computer Associates PestPatrol
We had the old Computer Associates anti-virus installed a long time ago and removed it back in October of last year when we switched to something else. On the same computer I noticed the above errors on, I saw a couple services running that were related to PestPatrol (ppRemoteService.exe). The strange thing is that there was no entry in add/remove programs for it since obviously we removed it months ago when we installed something else. Uninstalling it never removed that service so it’s been taking up memory and CPU usage because it’s been running ever since.
I came across this post on their support forum about how to remove it manually.
- Go to Control Panel: Administrative Tools: Services and stop the PestPatrol Remote Service.
- Open up command prompt and type cd \windows\system32. (If you are using winnt, the command would be cd\winnt\system32.)
- Then type ppRemoteService -unregserver.
- Now you want to delete using the following command: del ppRemoteService.exe.
- Check Control Panel: Administrative Tools: Services and make sure PestPatrol Remote Service is gone.
- Remove the directory c:\Program Files\Common Files\PestPatrol.
Search Enhancement Pack – SeaPort.exe
Apparently this is part of the Windows Live Essentials or Windows Live Toolbar download that you can get. Microsoft always sneaks things in there that are completely unnecessary. It’s a service that runs at all times in the background, slowing things down quite a bit in some cases.
You have two options; either disable the service so it doesn’t automatically start every time you turn your computer on, or remove it altogether.
- Go to start -> run and type services.msc.
- Scroll down to SeaPort and right-click on it and go to properties.
- First choose to stop the service, then next to startup type choose disabled.
- If you want to completely remove it then go to \Program Files\Microsoft\Search Enhancement Pack\SeaPort\ and either rename seaport.exe or delete it. This way it doesn’t have a chance to start again if it does try again sometime in the future.