blkfoot
System cannot access one or more event logs after upgrade to Windows 2012 R2
Hello,
I recently upgraded a Windows 2008 R2 SP1 virtual VMware server to Windows 2012 R2. The upgrade went well and all applications are functioning properly. The only hiccup that I have is when I open the Server Manager Dashboard I get a warning that says "Refresh completed with one or more warning messages". In the Details I get the following:
Configuration refresh message: the system cannot access one or more event logs because of insufficient access rights, file corruption, or other reasons. For more information, see the Operational channel in the ServerManagerProvider error log on the target server.
Okay, no problem, I'm logged in as a domain admin so I don't think I really have a permissions issue so here I come Google. Not surprisingly I find a few posts that point to removing the Microsoft-Windows-DxpTaskRingtone/Analytic registry key. I don't see that one in my registry. I find another article that talks about deleting 4 other registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DxpTaskRingtone/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-IME-Roaming/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-IME-SCDICCOMPILER/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-IME-SCTIP/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SPB-HIDI2C/Analytic
I do that and still no love. Please help if you have any further words of wisdom.
Thanks!
Before doing that, I would always clear the event logs because, most of the time, one of them actually got corrupted.
ASKER
Thanks, Bhanu. I verified the permission you asked about above as well as the KB article and all of the permissions are correctly set. I still get the same error.
Thanks, Davis. I did clear EVERY log and I still get the same error.
What version of VMware, and is the 2012 a guest (meaning virtualized)?
ASKER
We are running VMware 5.5 and yes, the Windows 2012 R2 server is virtualized.
ASKER
I guess I should add a little more history to this server in case it's relevant. This was a physical server that we cloned to VMware 4.0 and then recently upgraded to VMware 5.5. It has always been Windows 2008 R2 though since we virtualized it.
Leave out virtualization, it does not operate at that layer.
To find your problem, please run procmon while provoking the error, then search procmon's log for "access denied".
ASKER
Thanks. I'll give this a try as soon as my application upgrade finishes and let you know what I find.
Alright, no problem... glad it worked out for you.
Others forget their threads for several weeks and then come back as if nothing's happened ;)
ASKER
I had to rebuild this server for other reasons so I didn't need to continue pursuing a solution.
Have you verified the permissions on C:\windows\system32\winevt?
Try setting the permissions on this folder and confirm if this fixes your issue.
http://social.msdn.microsoft.com/Forums/windowsserver/en-US/c231b5d0-2a36-4ddf-a457-e5f471667302/server-2008-event-log-restore?forum=winserver2008appcompatabilityandcertification
The above link gives the SID of the eventlog account.
Regards
Bhanu
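
A read-only way to find which registered channel the event log service cannot open, and to view the ACL on the winevt folder, before deleting any of the registry keys discussed above. This is an added example and not part of any post in the thread; it assumes an elevated PowerShell session on the affected server, and the variable names are illustrative.

```powershell
# Added example (not from the thread). Read-only: nothing is deleted or changed.
# Run in an elevated PowerShell session on the affected server.

$channelsKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'
$winevtDir   = Join-Path $env:SystemRoot 'System32\winevt'

# Channel names contain '/', which the PowerShell registry provider treats as a
# path separator, so read the subkey names through .NET instead.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($channelsKey)
if ($null -eq $key) { throw "Cannot open HKLM\$channelsKey" }
$registered = $key.GetSubKeyNames()
$key.Close()

# Ask the event log service about each registered channel and record failures.
$failed = foreach ($name in $registered) {
    try {
        $null = Get-WinEvent -ListLog $name -ErrorAction Stop
    } catch {
        [pscustomobject]@{
            Channel = $name
            Error   = $_.Exception.Message
        }
    }
}

"{0} channels registered, {1} could not be queried" -f $registered.Count, @($failed).Count
$failed | Sort-Object Channel | Format-Table -AutoSize -Wrap

# Show who has access to the folder whose permissions the thread asks about.
(Get-Acl -Path $winevtDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Any channel listed in the failure table is a candidate for the one Server Manager is complaining about; export its registry key before removing it so the change can be reverted.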