Windows Event Log Messages
This page discusses some specific event log messages.
For more generalized information about the logs, see: Windows Event Logs.
This section is currently not meant to be an all-encompassing resource. There are already some of those available, as noted by Online resources related to Windows Event Log entries. Instead, this section contains information about some of the more uniquely interesting fixes, possibly providing solutions that are (in the opinion of whoever is maintaining this section of information) in some way more useful than what may be advised by some of the other sections.
Sorting by Event Source is recommended.
In theory, identical Event ID numbers can have very different meanings depending on what the Event Source is. However, there are also times when software (drivers) seems to be made from some sort of more universal template, and the result is that there are many cases where different Event Sources do use the same Event ID number to mean the same thing. So, if there is no relevant information found here when looking under the “Event Source” that has generated a log message, search for the Event ID number to see if any other Event Sources have information related to that Event ID number. (However, realize that the information may be extremely relevant, but might also be entirely unrelated. Judgement calls may impact whether a possible conclusion ends up being significantly helpful. In some cases, additional research can help a lot with adding clarity.)
There are definitely many more Event Log messages than what are shown here. These are just some of the possible event log messages. This collection may even focus fairly heavily on some of the event log messages where troubleshooting may be a bit less clear, or challenging in some other way.
- Event Source
-
- [#scamdkmd]: Event Source: amdkmdag
-
- Log: System
-
- Level/Type: Information
-
- Event ID 62464
-
- Event Category
- The “Task Category” column says: “DVD_OV”
- Description
- UVD Information
- Impact
-
Things are probably functioning okay. However, the System log may get many of these events... hundreds or thousands. The description of the message, which is “UVD Information”, is not extremely descriptive. Results of log spam can include CPU usage (creating logs), disk usage (storing logs), and slowing down troubleshooting processes (due to useless distraction) when there are more critical issues occurring.
According to Forum post, the ATI Catalyst Control Center is logging that “a piece of video has not passed HDCP checks (read: DRM for video).” This is also the conclusion from Forum post #10.
This has been seen by a laptop that used a DVD drive and (S)VGA cable to a projector. The fact that video did not meet HDCP's requirements is not at all a surprise, so this message is really unnecessary.
Apparently UVD refers to “Unified Video Decoder”.
- Resolution
-
petenetlive article indicated this got resolved by a driver update. Otherwise, the solution recommended by that forum post can be implemented by running:
REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Atierecord /v eRecordEnable
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Atierecord /v eRecordEnable /t REG_DWORD /d 0
If that doesn't work, try:
REG ADD HKLM\SYSTEM\ControlSet001\Services\Atierecord /v eRecordEnable /t REG_DWORD /d 0
REG ADD HKLM\SYSTEM\ControlSet002\Services\Atierecord /v eRecordEnable /t REG_DWORD /d 0
... etc., based on how many control sets the registry already has.
- [#scapopup]: Event Source: Application Popup
-
- Log: ???
-
- Level/Type: Error
-
- Event ID 333
-
- Event Category
- None
- Description
- Quoted from KB 951031 (US English): “An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.”
- Impact
-
This may mean that the system was unable to properly use the files that are part of the operating system's “registry”. This probably means the system has been unstable. This could be because the operating system is basically unable to write files correctly, and when the system reboots, the “Event Log” service may be unable to record a clean shutdown (so the “Event Log” service may record an Error with Event ID 6008).
- Resolution
-
TOOGAM's log: This is something that has only been witnessed after the server reboots, and/or the system wasn't able to be logged into (remotely), so little information is available. However, this might be the cause of a shortage of some critical system resources such as NPP. (See Responding to the issue(s) of low pool memory.)
This may be caused by some outdated software (which might be causing NPP issues?). e.g. MS KB 951031.
- Level/Type: Info Events
-
- Event ID 26
-
This logged event may be using a rather generic event ID, type, and source. Therefore, filtering based on these characteristics of the Event may not be safe (because other types of events could use the same Event ID/type/source). See the content of the message to determine what is being described.
- Out of Virtual Memory
-
In Windows Vista (and probably anything newer), check the System Log for a Warning from Resource-Exhaustion-Detector, with Event ID 2004. If that exists, it may show the executable names, PIDs, and number of bytes that are consumed by the three programs that used more virtual memory than any other. If that possibly-available information is not sufficient (perhaps because it isn't actually available), see troubleshooting low memory.
- [#scci]: Source: CI (Task category: )
-
- What is it?
- Content Indexer, related to (Index Service service?), similar/related to “Windows Search” service
- Level/Type: ???
-
- Event ID 4127
-
Event ID on CI quotes a (source which is unidentified, from an equally unidentified) newsgroup: “is a facility you may not want anyway. It builds indexes of the documents on the disk based on their content, to speed up complicated searches on the basis of looking for text contained in files. This is fine for a big office with very many related documents but is rarely appropriate for a stand-alone or family machine, and can generate a lot of background disk activity. You could turn it off”.
- [#scdisk]: Source: Disk
-
- System Log
-
- Type/Level: Warning
-
- Event ID: 51
-
- Description
-
An example: “An error was detected on device \Device\Harddisk5\DR10 during a paging operation.”
- Potential cause
-
This has been intentionally caused by removing a USB drive forcibly, improperly, while data was being written to the drive.
- More Information
-
If the event alert refers to a device located under \Device\ and if there is a need to identify which device (e.g. which hard drive) is being referred to, then helpful details may be obtained using information from device namespace: Identifying a (named, data storage) “\Device\”. (At the time of this writing, the recommended steps are in the section titled “A process”.)
(Alternatively, there may be some additional useful information elsewhere in the broader section about working with a device namespace.)
Microsoft KB Q244780: Information about Event ID 51 (Section about “How to decode the data section of an Event ID 51 event message”) (previously at http://support.microsoft.com/support/kb/articles/Q244/7/80.ASP#how ) has info for Win2K, XP, and 2003.
Example: an image (seen thanks to a reference by a comment, by barlop, responding to crokusek's answer to a Superuser.com question by “j riv”.)
- Unknown Log
- Microsoft KB Q244780: Information about Event ID 51 (Section about “How to decode the data section of an Event ID 51 event message”) (previously at http://support.microsoft.com/support/kb/articles/Q244/7/80.ASP#how )
- [#scese]: Source: ESE
-
This is the “Extensible Storage Engine”. This may be identified as a source called ESE, or ESENT.
For further details, see the section on a source called ESENT.
- [#scesent]: Source: ESENT
-
This is the “Extensible Storage Engine”. This may be identified as a source called ESE, or ESENT.
In practice, it is believed that this may often be related to Microsoft Exchange Server. KB 982018 has a note stating, “Applications that are built on ESENT include Windows Update, Active Directory, Windows Desktop Search, certification authority (CA), WINS, DHCP, and Windows Live Mail.” So, this is probably related to either E-Mail, or often something even more important (user authentication, name resolution), and so probably is worth looking into.
- Unknown Log
-
- Type/Level: Unknown
-
- Event ID 507, 508, 509, or 510
-
- Description
-
To quote TechNet: page about ESE Event ID 507: “<%1> (<%2>) <%3> A request to read from the file "<%4>" at offset <%5> for <%6> bytes succeeded, but took an abnormally long time (<%7> seconds) to be serviced by the OS. This problem is likely due to faulty hardware. Please contact your hardware vendor for further assistance diagnosing the problem.”
Other events may be similar, and also cite faulty hardware as the likely cause, as seen by TechNet: Documentation about ESE Event ID 508.
- Actual cause of issue
-
The hardware did not respond in a timely fashion.
- What to do
-
Do not readily accept the statement, “This problem is likely due to faulty hardware.” There may be other reasons that the hardware did not respond to Exchange quickly, such as the hardware simply being busy performing other tasks. Check the nearby logs, and any schedules of automated activity, to see if there were any disk-intensive tasks. It could be that the disk wasn't very readily available to Exchange because of some sort of disk defragmentation procedure or anti-virus scanning.
If so, the cause is not faulty hardware. In this case, the issue is no longer one of hardware reliability, but a potential performance issue. Hopefully this happened during automated maintenance during non-business hours when nobody at all was likely to be affected. If that isn't the case, see about re-scheduling the maintenance to a time that doesn't overlap with other activity (including human activity and other automated computer activity occurring on that computer). Perhaps investigate whether there are any settings to lower the priority of the other disk-intensive task(s).
If the logs don't indicate such an activity, see about setting up an alert which will automatically record what is running at the time that this happens. (For details, see how to determine what is running for an automated solution involving a command line, and “Behind the scenes” activities about reporting/alerting and running a command line when this happens.)
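The "check the nearby logs" step above can be done offline against exported logs. The following is an added example, not part of the original page: it assumes the Application and System logs were exported as XML (for instance with `wevtutil qe Application /f:xml`) and concatenated, and it lists whatever else was logged within a few minutes of each ESE/ESENT 507-510 event. The sample events and the `Microsoft-Windows-ExampleScanner` source are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SLOW_IO_IDS = {507, 508, 509, 510}   # the ESE/ESENT events discussed above


def _sample_event(source, event_id, stamp):
    """Build one constructed <Event> element in the exported XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{source}"/>'
            f'<EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{stamp}.000000000Z"/></System></Event>')


# Constructed sample data (hypothetical scanner source, not a real product).
SAMPLE_XML = "\n".join([
    _sample_event("Microsoft-Windows-ExampleScanner", 1000, "2024-03-02T02:10:00"),
    _sample_event("ESENT", 507, "2024-03-02T02:14:09"),
    _sample_event("Service Control Manager", 7036, "2024-03-02T02:40:00"),
    _sample_event("ESENT", 508, "2024-03-02T05:00:00"),
])


def short_source(name):
    """Drop a leading 'Microsoft-Windows-' so sources compare by short name."""
    prefix = "Microsoft-Windows-"
    return name[len(prefix):] if name.startswith(prefix) else name


def parse_events(xml_text):
    """Parse concatenated <Event> elements (no root element) into dicts."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        stamp = system.find("e:TimeCreated", NS).get("SystemTime")
        events.append({
            # SystemTime is UTC; one-second resolution is enough here.
            "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
            "source": short_source(system.find("e:Provider", NS).get("Name")),
            "id": int(system.find("e:EventID", NS).text),
        })
    return sorted(events, key=lambda e: e["time"])


def neighbours_of_slow_io(events, window_minutes=10):
    """For each slow-I/O event, list (source, id) of events logged nearby."""
    window = timedelta(minutes=window_minutes)
    report = []
    for hit in events:
        if hit["source"] not in ("ESE", "ESENT") or hit["id"] not in SLOW_IO_IDS:
            continue
        nearby = [(e["source"], e["id"]) for e in events
                  if e is not hit and abs(e["time"] - hit["time"]) <= window]
        report.append((hit["time"], hit["id"], nearby))
    return report


if __name__ == "__main__":
    for when, event_id, nearby in neighbours_of_slow_io(parse_events(SAMPLE_XML)):
        print(when, event_id, nearby or "nothing logged nearby")
```

An empty neighbour list is the case where the page's next suggestion applies: set up an alert that records what is running when the event fires.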
- Application Log
-
- Error
-
- Event ID 412
-
Error text: wuaueng.dll (936) SUS20ClientDataStore: Unable to read the header of log file C:\Windows\Distribution\DataStore\Logs\edb.log. Error -546.
Okay, this is a bit ridiculous. If the error is -546, then why is the Event ID 412? Anyway, the presence of “wuau” (Windows Update: Automatic Update) and SUS (“Software Update Services”, the name used before Windows Server Update Services) all indicate this is related to updates. See MS KB 982018 about an available software update.
- [#scevtlog]: Source: Event Log
-
- System Log
-
TechNet: Event Log Performance Monitoring Events (from Windows Server 2008 documentation) lists possible events.
The Event Log source tends to be used to document when a system is shut down or started up. (See: Windows logs related to rebooting.) The Event Log source also regularly documents uptime.
- [#scftdisk]: Source: Ftdisk
-
Wayback Machine @ Archive.org's cache of TechNet's “How Basic Disks and Volumes Work” identifies Ftdisk.sys as being the “Basic disk I/O driver”.
So what does FT stand for? The answer is seen in Microsoft KB Q100012's description of FTDISK.SYS: “Fault tolerance disk driver”. Another answer comes from TechNet Win2K RK: Fault-Tolerant Disk Management's description: “Ftdisk was used in Windows NT to manage partitions and all fault-tolerant volumes. In Windows 2000, FTDisk is used to manage basic partitions and fault-tolerant volumes from Windows NT 4.0.” (Hyperlink added to quoted material.) Also, “Ftdisk manages basic disks”. “A basic partition does not provide fault tolerance or multiple disk volume functionality.” What this handling of “basic” partitions/disks shows is that the driver is used even when NT's “fault tolerance” isn't being implemented.
If the event alert refers to a device located under \Device\ and if there is a need to identify which device (e.g. which hard drive) is being referred to, then helpful details may be in the section about device names.
- [#sckrnprc]: Kernel-Processor-Power
-
- (? Log)
-
- Event ID 37
-
- description
-
“The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for # seconds since the last report.”
- Actual cause of error
-
- This seems to be intentional system design
- There may also be other contributing factors, which may be actual problems
- Ultimately, this ought to be adjustable. (However, whether it is a good idea, or not, might be a different story.)
- What to do
-
Here are some things to check:
- You may want to check the reported clock speed. Run: “WMIC CPU GET CurrentClockSpeed,CurrentVoltage /FORMAT:LIST”. (If running WMIC within PowerShell, use a “back quote” character before the comma.) (However, keep in mind that the current CPU clock speed may have changed. So, if the command gets run much later than when the warning was logged, there may be a good chance that different conditions may show different results.)
- J_i_m_s_t_e_r's answer to MHesham's question on this Event ID, a thread found on a “social” sub-domain of microsoft.com, notes: “The CPUs were overheating, so the firmware ” prevented the fans from “running at anything like normal speed”, “Because the fans were caked with dust.” “Solution was a can of compressed air.”
- uzachi's answer to MHesham's question on this Event ID, a thread found on a “social” sub-domain of microsoft.com, suggests checking if the system was on battery at the time.
- “WMIC PATH Win32_Battery GET BatteryStatus /FORMAT:LIST”, see also: MSDN: Win32_Battery (describes BatteryStatus).
- Intel SpeedStep may be a feature that is reported to help cause this effect, and does so in an effort to conserve power. Wikipedia's article for SpeedStep, section called “Operating system support” notes that Windows XP supports changing the SpeedStep settings of power schemes, using POWERCFG.EXE.
- Posting shows running “PowerCfg /QUERY” to get the power scheme's name (though, in Windows 10, “PowerCfg /L | FIND /i "*"” may do a better job.) e.g., “Portable/Laptop”
- Then: “PowerCfg /change Portable/Laptop /processor-throttle-ac ADAPTIVE”
In each of these cases, the problem did seem to be caused by intentional system design. You could try checking if the system seems clean (especially the fans), and maybe check CPU temperature, but other causes may not be problems (unless the person does express more interest in system speed than battery charge or, perhaps, system longevity).
- [#mswinsc]: Microsoft-Windows-* (Anything starting with “Microsoft-Windows-”)
-
It does seem like Microsoft Windows will sometimes report things using an event source that starts with “Microsoft-Windows-”. For example, an entry related to the Event Logger may show up as “Microsoft-Windows-Eventlog” or as “Event Log”. (For documentation showing an example of the latter, see TechNet: Info about Event ID 1105.) This seems to unfortunately complicate things with no real strong benefit.
Rather than duplicate a bunch of information here, this guide simply recommends chopping off the “Microsoft-Windows-” from the start of the named source, and then using the remaining name for searching (especially when searching this documentation). Check documentation for a source very similar to that name (perhaps adding space characters, if needed).
- [#scmrxsmb]: mrxsmb???
-
- System Log
-
- Level/Type: Error
-
- Event ID 50
- Event ID 3013
-
- Description
- Quoting Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server, “The redirector has timed out a request to ComputerName.” (That page refers to the source as being “MrxSmb / Rdr”.)
- Resolution
- Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server refers to Source: Rdr Event ID 3013. (This informational resource has placed resolution by that event, and so much of it might not be duplicated here.)
- Level/Type: Warning
-
- Event ID 50
-
- Description
- Quoting Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server, “{Lost Delayed-Write-Data} The system was attempting to transfer file data from buffers to \Device\LanmanRedirector. The write operation failed, and only some of the data may have been written to the file.”
- Resolution
- Perhaps see: Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server
- [#scrdr]: Event Source: Rdr
-
- System Log
-
The information from this section came from some documentation found. As the information may not have identified the event level/type, they are not categorized here.
- Level/Type: Error
-
- Event ID 3013
-
- Description
- Quoting Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server, “The redirector has timed out a request to ComputerName.” (That page refers to the source as being “MrxSmb / Rdr”.)
- Resolution
-
Microsoft KB Q317249: How to troubleshoot Event ID 2021 and Event ID 2022 says, “Many of the troubleshooting steps that are discussed in this article can also be used to resolve Event ID 3013 errors.”
Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server mentions this. That might indicate that the issue may be related to running out of pool memory, in which case there might be some helpful information at: see Responding to the issue(s) of low pool memory.
- [#scrsexhd]: Event Source: Resource-Exhaustion-Detector
-
- ??? Log
-
- Level/Type: Warning Events
-
- Event ID 2004
-
The Task Category is “Resource Exhaustion Diagnosis Events”.
The end user may have seen a dialog box. The System log may also show an Info Event ID 26 from the source Application Popup.
- [#scscsidr]: Event source: ???
- MS KB Q182335 identifies source as ScsiDrv but perhaps that is example text: MS KB Q154690 does appear to be example text when it references [scsi miniport driver].
- [#scserver]: Event Source: ???
-
- System Log
-
- Event ID 2510
-
- Description
-
Quoting Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server: “The server service was unable to map error code 1722. 1722 = RPC_S_SERVER_UNAVAILABLE = RPC Service is unavailable.”
- Resolution
- Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server mentions this. That might indicate that the issue may be related to running out of pool memory, in which case there might be some helpful information at: see Responding to the issue(s) of low pool memory.
- [#scsrvccm]: Event Source: “Service Control Manager”
-
Some official documentation (for Windows Server 2008 R2) has been seen here: TechNet: Windows Server 2008 R2 Service Events Logging. (Namely, check out some of the hyperlinks, such as TechNet: Windows Server 2008 R2 Service Events Logging: Basic Service Operations.)
- System Log
-
- Event ID 7xxx
-
- Description
- ...
- Resolution
- ...
- [#scsrv]: Event Source: Srv
-
Page about memory pool resources mentions “the Server Service (srv.sys).”
- System Log
-
- Level/Type: Warning Events
-
- Event ID 2019
-
- Description:
- “The server was unable to allocate from the system NonPaged pool because the pool was empty.” (It would not be very surprising if this quoted text might vary between different operating systems.)
- Impact:
-
Several, and bad. Software may be unable to start. Running software may stop functioning well. This could lead to data loss, as shown by Mark Russinovich's Blog Entry (where a screenshot shows a “Windows - Delayed Write Failed” error box: “Windows was unable to save all the data for the file \Device\HarddiskVolume1\$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.”; that last sentence is probably a terrible suggestion considering what “file” name the error was referring to). Users of 32-bit operating systems earlier than Vista may be quite prone to seeing some of the issues related to NPP on 32-bit operating systems, such as being unable to log on. Programs may fail to work properly, including IIS being unable to serve web pages.
- Resolution
-
To resolve this, see Responding to the issue(s).
- Event ID 2020
-
- Description
- “The server was unable to allocate from the system NonPaged pool because the pool was empty.” (It would not be very surprising if this quoted text might vary between different operating systems.)
- Resolution
- To resolve this, see Responding to the issue(s) of low pool memory.
- Unknown Log
-
The information from this section came from some documentation found. As the information may not have identified the event level/type, they are not categorized here.
- Level/Type: Unknown
-
- Event ID 2000
-
Microsoft KB Q136150 says, “NOTE: There are many causes for Srv 2000 error messages. The data segment” (where the log says “DATA WORDS”) may have more details to help narrow this down. The 21st through 24th bytes (bytes 20-23, the sixth bunch of six bytes) may be a “Status Code” that helps narrow down this cause, so try putting that into an Internet search engine.
Microsoft KB 912376: How to monitor and troubleshoot the use of paged pool memory in Exchange Server 2003 or in Exchange 2000 Server suggests this may be caused by pool memory. (Perhaps see also: Responding to the issue(s) of low pool memory.)
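To pull bytes 20-23 out of a pasted data section without counting by hand, here is an added example (not from the original page or from the KB articles). It assumes the dump was copied from Event Viewer in either its Bytes view (two hex digits per byte, with an ASCII column) or its Words view (32-bit values already shown in value order), and that the status code is a little-endian 32-bit value; the sample dumps are constructed.

```python
import re
import struct

# Constructed sample: the same 24 bytes as the two Event Viewer views show them.
# 0xC000009A (STATUS_INSUFFICIENT_RESOURCES) was chosen for illustration.
SAMPLE_WORDS = """\
0000: 00040000 00540001 00000000 c00007d0
0010: 00000000 c000009a
"""
SAMPLE_BYTES = """\
0000: 00 00 04 00 01 00 54 00   ......T.
0008: 00 00 00 00 d0 07 00 c0   ........
0010: 00 00 00 00 9a 00 00 c0   ........
"""

HEX8 = re.compile(r"[0-9a-fA-F]{8}")
HEX2 = re.compile(r"[0-9a-fA-F]{2}")


def data_section_to_bytes(text):
    """Rebuild the raw bytes from a pasted Bytes-view or Words-view dump."""
    raw = bytearray()
    for line in text.splitlines():
        match = re.match(r"\s*[0-9a-fA-F]{4}:\s*(.*)", line)
        if not match:
            continue                      # skip lines without an offset prefix
        tokens = match.group(1).split()
        if tokens and HEX8.fullmatch(tokens[0]):
            # Words view: each token is a 32-bit value; store it little-endian.
            for tok in tokens:
                if not HEX8.fullmatch(tok):
                    break
                raw += struct.pack("<I", int(tok, 16))
        else:
            # Bytes view: at most 8 byte tokens per row, then the ASCII column.
            for tok in tokens[:8]:
                if not HEX2.fullmatch(tok):
                    break
                raw.append(int(tok, 16))
    return bytes(raw)


def status_code(text, offset=20):
    """Return the 32-bit value at bytes offset..offset+3 as a search string."""
    raw = data_section_to_bytes(text)
    if len(raw) < offset + 4:
        raise ValueError(f"data section has only {len(raw)} bytes")
    (value,) = struct.unpack_from("<I", raw, offset)
    return f"0x{value:08X}"


if __name__ == "__main__":
    print(status_code(SAMPLE_WORDS), status_code(SAMPLE_BYTES))
```

The returned string is the form to paste into a search engine, as the paragraph above suggests.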
- Event ID 2021
- Perhaps see Microsoft KB Q317249: How to troubleshoot Event ID 2021 and Event ID 2022, Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server
- Event ID 2022
- Perhaps see Microsoft KB Q317249: How to troubleshoot Event ID 2021 and Event ID 2022, Microsoft KB 822219: Your system stops responding, you experience slow file server performance, or delays occur when you work with files that are located on a file server
- Unknown sources
-
(These may be some older notes that were recently merged into this section, or some very recent notes which haven't yet been fully categorized...)
- Unknown/misc
-
... This section may have details about information which could be useful, although it may need further research to determine the source(s), etc.
Event ID 4319 and 4320: http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Accounts/Nbtstatrevealswhoisloggedon.html says may be related to RAS and nbtstat. An IP address might be identified by reversing the last 4 hex digits (and then converting each digit to decimal if the standard dotted-quad format is desired).
Computer Master Browser: MS Q188305: Troubleshooting the Microsoft Computer Browser Service may refer to using BrowStat. It also refers to: ftp://ftp.microsoft.com/developr/drg/cifs/cifsbrow.doc