System cannot access one or more event logs after upgrade to Windows 2012 R2

Hello,
I recently upgraded a Windows 2008 R2 SP1 virtual VMware server to Windows 2012 R2.  The upgrade went well and all applications are functioning properly.  The only hiccup that I have is when I open the Server Manager Dashboard I get a warning the says "Refresh completed with one or more warning messages".  In the Details I get the following:

Configuration refresh message:  the system cannot access one or more event logs because of insufficient access rights, file corruption, or other reasons.  For more information, see the Operational channel in the ServerManagerProvider error log on the target server.

Okay, no problem, I'm logged in as a domain admin so I don't think I really have a permissions issue so here I come Google.  Not surprisingly I find a few posts that point to removing the Microsoft-Windows-DxpTaskRingtone/Analytic registry key.  I don't see that one in my registry.  I find another article that talks about deleting 4 other registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DxpTaskRingtone/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-IME-Roaming/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-IME-SCDICCOMPILER/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-IME-SCTIP/Analytic
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-SPB-HIDI2C/Analytic

I do that and still no love.   Please help if you have any further words of wisdom.

Thanks!
blkfootAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bhanukir7Commented:
Hi blkfoot,

have you verified the permissions on the C:\windows\system32\winevt this needs to have permissions for "eventlog" user and authenticated users normally these two accounts have special permissions.

Try setting the permissions on this folder and confirm if this fixes your issue.

http://social.msdn.microsoft.com/Forums/windowsserver/en-US/c231b5d0-2a36-4ddf-a457-e5f471667302/server-2008-event-log-restore?forum=winserver2008appcompatabilityandcertification

The above link gives the SID of eventlog account.

regards
Bhanu
0
Davis McCarnOwnerCommented:
Before doing that, I would always clear the event logs because, most of the time, one of them actually got corrupted.
0
blkfootAuthor Commented:
Thanks, Bhanu.  I verified the permission you asked about above as well as the KB article and all of the permissions are correctly set.  I still get the same error.

Thanks, Davis.  I did clear EVERY log and I still get the same error.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Davis McCarnOwnerCommented:
What version of VMware and the 2012 is a guest (meaning virtualized)?
0
blkfootAuthor Commented:
We are running vmWare 5.5 and yes the Windows 2012 R2 server is virtualized.
0
blkfootAuthor Commented:
I guess I should add a little more history to this server in case it's relevant.  This was a physical server that we cloned to vmWare 4.0 and then recently upgraded to vmWare 5.5.  It has always been Windows 2008 R2 though since we virtualized it.
0
McKnifeCommented:
Leave out virtualization, it does not operate at that layer.
To find your problem, please run procmon while provoking the error, then search procmon's log for "access denied".
0
blkfootAuthor Commented:
Thanks.  I'll give this a try as soon as my application upgrade finishes and let you know what I find.
0
blkfootAuthor Commented:
Sorry, McKnife.  I forgot to respond to this.  I ran procmon but did not find any access denied when I recreated the problem.  I did find that I was having a problem with one of my third party apps though on this server that required me to build a replacement server and migrate away from this server.

I think I had more problems with my upgrade than I thought.

Thanks all for your efforts but this time a rebuild was required.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeCommented:
Alright, no problem... glad it worked out for you.
Others forget their threads for several weeks and then come back as if nothing's happened ;)
0
blkfootAuthor Commented:
I had to rebuild this server for other reasons so I didn't need to continue pursuing a solution.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VMware

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.