Re: Server 2008 - Viewing Event Log Information

Can you give us more details on what you mean by it not being as complete?

Re: Server 2008 - Viewing Event Log Information

Hi,

An example would be for Event 4 in the System Log on one of our server.

If i log into the Server, this is the information displayed in the General Tab for that event.

File System Filter 'Datascrn' (Version 6.0, 4/10/2009 8:16:15 PM) failed to attach to volume '\Device\HarddiskVolumeFile2'. The filter returned a non-standard final status of 0xc000000d. This filter and/or its supporting applications should handle this condition. If this condition persists, contact the vendor.

If i use Hyena to view that event from my XP machine, this is what i see.

Event message could not be found, but contained these strings: 0xc000000d, 6, 0, 8, Datascrn, 2009-04-10T20:16:15.000Z, 27, \Device\HarddiskVolumeFile2

Re: Server 2008 - Viewing Event Log Information

Using the copy to clipboard command on the 2008 Server. The only item I changed was the computer name.

Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 2/21/2010 12:19:42 AM
Event ID: 4
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: server.domain.int
Description:
File System Filter 'Datascrn' (Version 6.0, 4/10/2009 8:16:15 PM) failed to attach to volume '\Device\HarddiskVolumeFile2'. The filter returned a non-standard final status of 0xc000000d. This filter and/or its supporting applications should handle this condition. If this condition persists, contact the vendor.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>4</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2010-02-21T08:19:42.236Z" />
<EventRecordID>28468</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5696" />
<Channel>System</Channel>
<Computer>server.domain.int</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0xc000000d</Data>
<Data Name="DeviceVersionMajor">6</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">8</Data>
<Data Name="DeviceName">Datascrn</Data>
<Data Name="DeviceTime">2009-04-10T20:16:15.000Z</Data>
<Data Name="ExtraStringLength">27</Data>
<Data Name="ExtraString">\Device\HarddiskVolumeFile2</Data>
</EventData>
</Event>

Using the copy clipboard command from Hyena.

Type: Warning
Source: Microsoft-Windows-FilterManager
Event ID: 4
Event Time: 2/21/2010 12:19:42 AM
User: NT AUTHORITY\SYSTEM
Computer: server.domain.int
Description:
Event message could not be found, but contained these strings: 0xc000000d, 6, 0, 8, Datascrn, 2009-04-10T20:16:15.000Z, 27, \Device\HarddiskVolumeFile2

Re: Server 2008 - Viewing Event Log Information

Do the majority of the event messages indicate that the 'event could not be found', and is your Windows XP computer 32-bit and your server a 64-bit computer ?

Re: Server 2008 - Viewing Event Log Information

Yes sir. Looking through the Event Logs, it appears that "Event message could not be found" appears in the Application, DFS Replication and System Logs for all Events.

My machine is XP, SP3, x86 with Hyena 8.0d.

Our 2008 Servers are a combination of x86, x86 SP2, and x64. The results are the same for all of the servers.

Please let me know if you need any other information.

Thanks!

Re: Server 2008 - Viewing Event Log Information

To eliminate one theory, go to the Command Prompt on your computer and type the following:

dir \\server\admin$\system32\

Do you get a file listing, or errors? If you get a file listing, try copying a file from that directory (any file should do) down to your local computer.

Re: Server 2008 - Viewing Event Log Information

If I type that command from my XP machine, I receive the following...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>dir \\server\admin$\system32\
The network path was not found.

C:\WINDOWS\system32>

Re: Server 2008 - Viewing Event Log Information

What Hyena does is reads the remote registry to find out what message file contains the messages, then that file has be loaded, and it does it by acessing it from \\server\admin$\system32\filename.dll. What is happening in your case is you are not able to get to that directory for some reason.

This could be a permissions issue, or the admin shares might be disabled on the server. I tested this earlier by disabling the admin shares on my Server 2003 box and had the same error you are seeing on all of my events.

If you can figure out why you are not able to get to that path, you should see correct information in Hyena.

Re: Server 2008 - Viewing Event Log Information

My bad. When I typed in the command "dir \\server\admin$\system32" I did not substitute the server name in the pathway.

If I replace it with one of the 2008 server names, I do get a massive listing of file and folder names. Sorry about that.

Re: Server 2008 - Viewing Event Log Information

Okay, confirm some more details for us:

You are on an XP computer, and this problem happens on one server, or any server? Please test this and let us know for sure if the servers you have this problem on are 64bit or 32bit.

For example if you are going 32bit to 32bit and not seeing any of the event messages that is one possible issue. If you are going from 32bit to 64bit and not seeing any of the event messages, that is another possible issue.

Look at multiple events to make sure it is across all or most of them too.

We need to try and narrow this down and the more specific the information we can get the better.

Re: Server 2008 - Viewing Event Log Information

This only happens on the 2008 servers, 32 or 64 bit. The 32 and 64 bit 2003 servers display the information just fine. I've gone through about 100 event log entries on our 2008 servers and the issue is consistent with each server.

Re: Server 2008 - Viewing Event Log Information

Are you able to install Hyena on one of your 2008 servers? We are trying to determine if it a remote/client issue or if it just won't work at all for you on 2008.

Re: Server 2008 - Viewing Event Log Information

I experienced the same results after installing Hyena on one of our 2008 servers. Here is a copy of the results from the same event log entry.

Type: Warning
Source: Microsoft-Windows-FilterManager
Event ID: 4
Event Time: 2/21/2010 12:19:42 AM
User: NT AUTHORITY\SYSTEM
Computer: server.domain.int
Description:
Event message could not be found, but contained these strings: 0xc000000d, 6, 0, 8, Datascrn, 2009-04-10T20:16:15.000Z, 27, \Device\HarddiskVolumeFile2

Re: Server 2008 - Viewing Event Log Information

Open regedt32 on your computer and go to the following registry key:

HKEY_local_machine\System\CurrentControlSet\Servic es\EventLog\<Event Log
Name>\<Event Source>

<Event Log Name> and <Event Source> will correspond to the log you are searching and the source for this particular event message.

When you find it, post the value of "EventMessageFile". Maybe something there will tell us why it's getting lost.