troubleshooting Question

Event 488 and 413 pop up after in-place server upgrade

Avatar of DenTechCO
DenTechCO asked on
Microsoft Server OS
4 Comments2 Solutions850 ViewsLast Modified:
I just upgraded our client's terminal server from 2012 to 2012 R2.  The upgrade seemed to go through without any major issues.  RDS is working correctly.  Went through event viewer to check for any issues afterwards, and I'm getting Event 488 and Event 413 after a reboot.  I've copied the two event details below.

Error      4/14/2017 8:17:01 PM      ESENT      488      General
Log Name:      Application
Source:        ESENT
Date:          4/14/2017 8:17:01 PM
Event ID:      488
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TSERVER2012.BCPD.denver
Description:
svchost (804) An attempt to create the file "C:\Windows\system32\LogFiles\Sum\Apitmp.log" failed with system error 5 (0x00000005): "Access is denied. ".  The create file operation will fail with error -1032 (0xfffffbf8).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">488</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-04-15T02:17:01.000000000Z" />
    <EventRecordID>58456</EventRecordID>
    <Channel>Application</Channel>
    <Computer>TSERVER2012.BCPD.denver</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost</Data>
    <Data>804</Data>
    <Data>
    </Data>
    <Data>C:\Windows\system32\LogFiles\Sum\Apitmp.log</Data>
    <Data>-1032 (0xfffffbf8)</Data>
    <Data>5 (0x00000005)</Data>
    <Data>Access is denied. </Data>
  </EventData>
</Event>

Error      4/14/2017 8:17:01 PM      ESENT      413      Logging/Recovery
Log Name:      Application
Source:        ESENT
Date:          4/14/2017 8:17:01 PM
Event ID:      413
Task Category: Logging/Recovery
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      TSERVER2012.BCPD.denver
Description:
svchost (804) Unable to create a new logfile because the database cannot write to the log drive. The drive may be read-only, out of disk space, misconfigured, or corrupted. Error -1032.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ESENT" />
    <EventID Qualifiers="0">413</EventID>
    <Level>2</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-04-15T02:17:01.000000000Z" />
    <EventRecordID>58457</EventRecordID>
    <Channel>Application</Channel>
    <Computer>TSERVER2012.BCPD.denver</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost</Data>
    <Data>804</Data>
    <Data>
    </Data>
    <Data>-1032</Data>
  </EventData>
</Event>

It looks like an ownership problem from what I can tell.  Any ideas would be greatly appreciated.
ASKER CERTIFIED SOLUTION
Adam Brown
Cloud Security Consultant

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Top Expert 2010

The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.

Join our community to see this answer!
Unlock 2 Answers and 4 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 4 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros