Event log error 4201 - ERROR_WMI_INSTANCE_NOT_FOUND

Question

ERROR_WMI_INSTANCE_NOT_FOUND
4201 The instance name passed was not recognized as valid by a WMI data provider.

http://msdn2.microsoft.com/en-us/library/ms681387.aspx < this is the only error explanation I have found so far (it's really not very helpful) 

 

I cannot start the event log service no matter what I try as a workaround.  I really don't know what caused it to stop or what is causing the error above when I try to start it, but I have a hunch it is a compatibility issue.  This is a serious security concern and I need it fixed ASAP.  I hope MS addresses this issue in their next update...

Answer 1

I haven't seen anything in the bug database on a similar problem or a repro.

If you are having issues with starting your event log it's probably best to contact the main support line. Try to give them as much info as possible.

Here's the link for general Vista Issues:

http://windowshelp.microsoft.com/Windows/en-US/techsupport/default.mspx

It's another link that might help you as well, it has links to news groups and technet.

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=423586&SiteID=1

 

Answer 2

Matrixisrl wrote:

ERROR_WMI_INSTANCE_NOT_FOUND 4201 The instance name passed was not recognized as valid by a WMI data provider. http://msdn2.microsoft.com/en-us/library/ms681387.aspx < this is the only error explanation I have found so far (it's really not very helpful)    I cannot start the event log service no matter what I try as a workaround.  I really don't know what caused it to stop or what is causing the error above when I try to start it, but I have a hunch it is a compatibility issue.  This is a serious security concern and I need it fixed ASAP.  I hope MS addresses this issue in their next update...

I've only just rebuilt my PC with vista on and I am getting this... any idea what is stopping the event log service from starting?

Answer 3

Bruce N. Baker - MSFT wrote:

I haven't seen anything in the bug database on a similar problem or a repro. If you are having issues with starting your event log it's probably best to contact the main support line. Try to give them as much info as possible. Here's the link for general Vista Issues: http://windowshelp.microsoft.com/Windows/en-US/techsupport/default.mspx It's another link that might help you as well, it has links to news groups and technet. http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=423586&SiteID=1

 

I reported this problem to Microsoft Tech Support back in January or February (SRX070227600510) and it was escalated to upper level support, however a solution was never found!

 

I told them loud and clear that there are a lot of people having the issue and they could browse the Newsgroups to see all that are effected, and cannot believe that it still has not been fixed!

 

The system I am having trouble with is a development machine used with Visual Studio, and it is not practical for me to wipe and reload everything as Microsoft suggests!

 

I eventually ended up reloading everything back on in the above case, and everything worked fine until 5/18/2007.

 

This is when I lost my Event Viewer and my FAX service... there may be a couple of other services that are not functioning also.

 

One commonality I have discovered (though I am not sure this is the problem) is that in both instances, Windows DreamScene Content Pack was installed from Vista update, and then everything went south! I have uninstalled all of that and even went back as far as I could with System Restore to no avail.

 

I ran the WMIDiag, and send the logs to Microsoft Support, however they tell me there was nothing of any help in the logs even though the log has an entry that says there is a problem with WMI and it may not run correctly!

 

I wish someone from Microsoft would investigate this problem instead of arbitrarily telling me to wipe and reload!!!! Thats not always as simple as it seems, and obviously, the problem is going to come back as it did in my case.

 

 

Answer 4

I am not in a loop to assist you with this and unfortunately I did not see another bug exactly related to this issue or a KB. If issue was stop after being escalated did you try to recontact them?

 

What are in the dialogs for the event service properties, anything unusual in there?

Answer 5

Bruce N. Baker - MSFT wrote:

I am not in a loop to assist you with this and unfortunately I did not see another bug exactly related to this issue or a KB. If issue was stop after being escalated did you try to recontact them?   What are in the dialogs for the event service properties, anything unusual in there?

 

Bruce,

 

The only thing that I noticed was that when you go to the Logon tab of the Windows Event Log Service dialog, the login information on the entire tab is grayed out (even if I am on as administrator). I cannot change the logon for the service. The service is set to start automatically.

 

I have recontacted Microsoft support... The support engineer said that they are looking into it, but want me to reinstall, which I only want to do as an extreme last resort.

 

Here is the gentleman (below) helping me. I know it's not earth shattering or hazardous to my health, but I am sure that myself and the others that have this problem sure would like someone to take a serious look at the issue and fix it! If you do a Google search, there are a lot more folks running into this problem that are not part of the MS Newsgroups.

 

Nilesh Bhavsar

Microsoft Enterprise Support Engineer

* E-mail: v-11nibh@mssupport.microsoft.com

 

I cannot use my fax service as these are somehow connected... the Task Scheduler is not functioning either... if I look in Services.mmc the service is running, however if I attempt to open the Task Scheduler to see what is running, it says "The Task Scheduler Service is not available"

 

There are probably a couple more services that I am not aware of yet which are not functioning.

Answer 6

Huge font you use.

 

 

Those other services depend on Event Service that is why they are also not functioning.

Answer 7

All the better to see me with

 

Ok, so now if we can figure out why the event log service wont start,  we'd be happy campers!

 

Is there some way to find out how the event log service is being called? The error is saying that the "instance name passed was not recognized as valid by the WMI provider"... How is this parameter determined?

 

Answer 8

What are the properties of the Event Service. What account is it running under?

Answer 9

Bruce,

 

The Event Viewer service is logged on with Local Service, it is set to Automatic, and the command line shows c:\windows\system32\svchost.exe -k LocalServiceNetworkRestricted.

 

The Logon tab shows Local Service (with the second radio button checked), however the entire tab is grayed out.

 

Reading some of the other posts, I have tried the permissions angle, and checked the owner of the %windir%\system32\logfiles folder.

 

The frustrating part is this WAS working a couple of weeks ago... I am pretty sure the problem started on May 18th, and I used the System Restore to go back to the day before that (which was as far as they were available) but that did not change the problem.

 

Answer 10

have you changed any system passwords since then?

Answer 11

Bruce N. Baker - MSFT wrote:

have you changed any system passwords since then?

 

No... It was business as usual... Actually, I was getting an error when trying to run a backup to a folder on my server, so I went to open the Event Logs to see if I could figure out the problem, and found this trouble too...

 

My backup still is not working correctly in that it says the drive is no longer available (which it is), but thats another issue  (I hope).

 

I still have not heard back from MS Tech Support!

Answer 12

If you are a partner, let me know and we can create a case and have this case escalated.

Answer 13

Bruce N. Baker - MSFT wrote:

If you are a partner, let me know and we can create a case and have this case escalated.

 

Certified Partner Partner ID: ######  [Active]

 

I felt funny putting my partner ID in here, but I have one, of course.

 

 

Answer 14

Contact made, Sent Mail, Following up,Thanks, -Bruce

Answer 15

Just to update everyone that has this issue;

 

I have been in contact with Microsoft Tech Support and they have escalated the case to the developers to see if they can figure out what the problem is.

 

It does not currently appear to be a security issue at this point, although it has not been ruled out yet.

 

The MS developers are currently working on the problem.

 

Once a resolution has been determined I will post an update to let everyone know what has been found.

 

For those of you that have reloaded Vista, keep an eye on the updates downloaded/installed from MS, as I personally believe that one of the Patches/Updates that came down the line around May 18th 2007 may have caused the problem.

Answer 16

Thanks for taking the time to update this thread

Answer 17

Please let me know when you can get a resolution. I am having problems running the FTP publishing service, and what I have been told by other partners, is that the event log is needed in order to run FTP. I am currently running server 2008 build 6001.

(error msg located - http://boonedoggy.com/scr1.jpg )

jp@boonedoggy.com

Answer 18

I recently ran into the same issue that you are all having without being able to view or instantiate the Event Log Viewer.  I noticed this when my wireless, and cable networking capabilities crashed and stopped working.  After trying to track down a root cause, the only thing that i see is the fact that "the dependency service has failed to start."  Later, trying to view the Event View Log, i also noticed that failed to work as well.  This happened on a fresh install of Windows Vista Ultimate version 6.0.0666.16836 that i have been running for about 3 months.

 

Thank you for all the hard work going on in this thread because currently i can not use my laptop computer for internet access or to troubleshoot any of my problems.  I really dont feel like reinstalling this system, as MS suggests, only if it is a last resort.  But being that this has been a problem for such a long time, i would hope that MS takes much consideration in this issue because this definitely limits the power of the operating system of what it is suppose to do.

Answer 19

Which dependancy service failed to start?

Answer 20

Thank you much for responding Bruce,

 

I took screenshots of my desktop as the errors occurred, primarily right on start up:

 

The first issue i see is this:

 

"Failed to connect to a windows service -  Windows could not connect to the System Event Notification service.  This problem prevents limited users from logging on to the system.  As an administrator user, you can review the System Event Log for details about why the service didn't respond."

 

The issue i have with this, is the fact that i am logged on as administrator and that still does not make a difference, i am still unable to view the Event Log.  I tried starting and stopping, restarting from the "Services" topic in Computer Management, but i receive error codes such as this: Windows could not start the Nework Location Awareness on Local computer... error code 1073741502. 

 

Or from wired AUTOConfig, windows could not start the Wired AutoConfig service on local computer... Error 1747.

Or from WLAN AutoConfig, "                            "                  Wlan AutoConfig    "                  "                             "

 

When i attempt to start the Event Viewer from Computer Management I recieve the following error:

     Event Log service is unavailble. Verify that the service is running.

But where do i check to verif it is running?

 

I am honestly not much in tune with what a dependency service does, but i am well aware that whatever it is, my network hardware (Wlan and Lan) appears to be dependent upon this service to operate.

 

I recieve the following errors with the network service status:

  The dependcy service or group failed to start.

 

Also, with my ATI Catalyst Control Center: Monitoring program has stopped working.  A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

 

Vista appears to have many problems with Wireless WPA2 networks as well, the network will appear sometimes in the tab, but Vista will not connect to it, even if one is close to the connection.

 

I do thank you all for taking the time to investigate this issue.  Like i said, i installed Vista close to 3 to 4 months ago and have been encountering problems quite a bit.

Answer 21

Hi everybody

I have the same EventLog issue. I’m using Windows Vista Business since February and everything was nice till some weeks ago.

All started when I tried to share some pictures using the Sharing Folder capability of Windows Live Messenger and suddenly it gave me this error “Sharing folders aren’t available yet. Please try again.”. I first thought that it was a temporary server error (but it wasn’t). Then I realized that the Sharing Folder Service (usnjsvc.exe) was always in the “starting” state (so.. it wasn’t working). I uninstalled Messenger 8 and reinstalled it several times, but nothing changed. (I also tried with the 8.5beta!).

Then I’ve got the idea to check my Event Viewer for a possible description of this issue… but also the EventLog wasn’t working: “Event Log service is unavailable. Verify that the service is running”.

Then I checked the services and I realized that Windows Event Log service (“svchost.exe -k LocalServiceNetworkRestricted”) wasn’t running. If  I try to start it manually it gives the 4201 error (“The instance name passed was not recognized as valid by a WMI data provider.”).

I also checked again the Sharing Folder Service and I saw that one of its dependencies was the Windows Event Log (so.. maybe that is the reason why the Sharing Folder Service is unable to start).

Finally I checked the Reliability Monitor (under “Reliability and Performance” > “Monitoring Tools”) and I saw that the last report was on the 10th of June. It is strange because I have one report every day till that date (so… maybe something got wrong after that date – what about your Reliability Monitor reports?).

I’m looking for a solution! I really don’t have time (and I don’t want) to re-install Vista again.

Thanks  for your support.

Answer 22

Giorgio Gamberini wrote:

Hi everybody I have the same EventLog issue. I’m using Windows Vista Business since February and everything was nice till some weeks ago. All started when I tried to share some pictures using the Sharing Folder capability of Windows Live Messenger and suddenly it gave me this error “Sharing folders aren’t available yet. Please try again.”. I first thought that it was a temporary server error (but it wasn’t). Then I realized that the Sharing Folder Service (usnjsvc.exe) was always in the “starting” state (so.. it wasn’t working). I uninstalled Messenger 8 and reinstalled it several times, but nothing changed. (I also tried with the 8.5beta!). Then I’ve got the idea to check my Event Viewer for a possible description of this issue… but also the EventLog wasn’t working: “Event Log service is unavailable. Verify that the service is running”. Then I checked the services and I realized that Windows Event Log service (“svchost.exe -k LocalServiceNetworkRestricted”) wasn’t running. If  I try to start it manually it gives the 4201 error (“The instance name passed was not recognized as valid by a WMI data provider.”). I also checked again the Sharing Folder Service and I saw that one of its dependencies was the Windows Event Log (so.. maybe that is the reason why the Sharing Folder Service is unable to start). Finally I checked the Reliability Monitor (under “Reliability and Performance” > “Monitoring Tools”) and I saw that the last report was on the 10th of June. It is strange because I have one report every day till that date (so… maybe something got wrong after that date – what about your Reliability Monitor reports?). I’m looking for a solution! I really don’t have time (and I don’t want) to re-install Vista again. Thanks  for your support.

 

Update:

 

Even more developers are working on the problem now, and they spent most of yesterday 7/10/07 remoted into my system, but have yet to come up with a solution.

 

I may have to prepare an image of my system for them to use in their office, so this could take a little more time...

 

I promise I'll  let everyone know what happens when I get some answers.

 

Gary.

Answer 23

Hi

 

I have this very same issue as well. The last thing i did was clean out all shedualed tasks and hidden tasks because I hate when my computer does things I dont not choose to do. lol. let me what what you find out.

 

TJ

Answer 24

TJelly wrote:

Hi   I have this very same issue as well. The last thing i did was clean out all scheduled tasks and hidden tasks because I hate when my computer does things I don't not choose to do. Lil. let me what what you find out.   J

 

OK Ladies and Gentleman, here is what we have found;

 

Apparently, one of the Windows updates is causing corruption of the Access Control List (ACL's) in the registry. I had entire sections of my registry nodes that lost the ACL'S.

 

While I was researching the problem, I came across a website where someone had a similar problem with getting windows OS programs/services to run and they discovered that there was some registry corruption and missing ACL's.

 

There are two different options that I ended up doing to get the system back in operation.

 

It seems that running one or the other alone will not fix the problem, but doing both should get you back in service. 

1. Make a backup of your registry (and a complete backup of the system wouldn't hurt either!)
2. Go to Microsoft's website and download a program called subinacl.exe from this site; http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
3. Install the subinacl.exe (it downloads as an MSI file).
4. Copy the code below into a text file and then name the text file reset.cmd.
5. I copied the command file to my temp folder to run, but as you can see from the cmd file, it contains the path to the executable subinacl.exe.

@echo off

title Resetting ACLs...

cd /d "%ProgramFiles%\Windows Resource Kits\Tools"

echo.

echo Resetting ACLs...

echo (this may take several minutes to complete)

echo.

echo ==========================================================================

echo.

echo.

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f

echo.

echo.

subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f

echo.

echo.

subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f

echo.

echo.

echo System Drive...

subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f

echo.

echo.

echo Windows Directory...

subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f

echo.

echo.

echo ==========================================================================

echo.

echo FINISHED.

echo.

echo Press any key to exit . . .

pause >NUL

 

3. As this command file runs it will show you the status of the reset and create a log that you can go back into and inspect for problems.

4. When this command file completes, you then need to open a command window (using Run As Administrator) and run the following command;

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose >c:\temp\secedit_output.txt (the redirect of output echos the programs output to a text file, but secedit also creates a log file. The program will show you the location of the log file when it is done).

 

These two actions combined will reset the permissions on the registry nodes back to their default settings.

 

Reboot and check your Event Log service... at this point it should be running.

 

After effects of this process which happened to me, were that the Network List Service would not run... I still had network and internet access, however the Network icon in the task notification area had a Red X, and mouse over displayed a tooltip that said "Server Execution Failed".  This was a result of resetting the ACL's.

 

The Network List Service (netprofm) would not run because it did not have permission to run.

 

 In order to correct this issue, you must open the Component Services snap-in and drill down under Computers/My Computer/DCOM Config/netprofm (this is for Vista!) and right click the node, and select Properties.

 

Click on the Security tab and make certain the correct user names are listed and that they have the appropriate permissions. I have 4 users listed with the same permissions; (your mileage may vary )

1. Administrators - Perms; Local Launch, Local activation
2. Interactive
3. Local Service
4. System

Next, go to the Identity tab and ensure that The System account (services only) is the item that is checked. Make sure the changes you make get applied.

 

Restart your computer so the ACL's are refreshed.

 

Once you come back up from the reboot, things should be pretty much back to normal.

 

You may find a stray program here and there that may need to have it's permissions reset, but you should be operational.

 

I directed the Microsoft engineers to this forum (and Goggle search it) so they can see this is getting to be an issue for a lot of people. They in fact have a brand new case (same problem) that was just escalated to them and they are going to take an Image of that persons system first thing so they can determine what is causing this, and if necessary put out a hotfix or service pack to correct it.

 

In the meantime, if you run into anyone else going through this problem, at least there was one solution that worked for me...

 

I cannot guarantee that this will work for everyone and the issue may effect each machine differently, so just be aware that this is not the blue pill!

 

I think that because the Registry database is so critical to the operation of Windows, Microsoft engineers should have some sort of utility that can repair and/or reset the registry and file permissions easily should something happen...

 

I personally believe that this should be part of the base operating system and we should not have to shell out extra bucks to third party vendors for these type of utilities, particularly if the registry is prone to corruption either by Microsoft's own hands or by a third party application.

 

I am not knocking third party programmers as I am one myself, I am just saying that this is Microsoft's OS and they should provide these easily accessible tools to keep us running!

 

Good Luck!

 

Answer 25

Great! It finally works!

Just two little adjustment:

1. when you run reset.cmd, you must run it as administrator (otherwhise it will not succed to fix all the files)

2. the right command is:
    secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
    with /cfg parameter (not /CF)

I had no problem with the Network List Service.

Thank you very much!

Answer 26

Thanks this worked great now someone should let microsoft know to create a KB for it.

Answer 27

Unfortunately i cant join the rest of the gang on saying that this corrected my problem.  After running as administrator, completing the steps described above the following happend:

 

Ran the Reset.cmd; it completed, however with 5 errors.

 

Ran the secedit...cmd; it completed successfully.

 

Went to Reboot my computer; computer hangs on Boot everytime.

 

Any suggestions?

Answer 28

Tuzz wrote:

Unfortunately i cant join the rest of the gang on saying that this corrected my problem.  After running as administrator, completing the steps described above the following happend:   Ran the Reset.cmd; it completed, however with 5 errors.   Ran the secedit...cmd; it completed successfully.   Went to Reboot my computer; computer hangs on Boot everytime.   Any suggestions?

 

Just like to add; after trying numerous times to reboot, computer finally rebooted, however, none of the problems appeared to be fix; my services are all still down as mentioned in previous blogs.

Answer 29

I just wanted to thank you for posting this resolution.  I had just used the Acronis Clone Disk tool to move my Vista x64 partition to a new hard drive, and upon booting it encountered this horror.  After giving up and putting my old hard disk back in, I discovered that it too had the same problem.  I have successfully used that tool with Vista x64 in the past and had no trouble.  Each time, I do have to use the Vista DVD to restore the boot dependencies (using Restore My Computer -then letting it detect the missing boot files.)  I am a little suspicious of this boot restore procedure.  I also had very recently moved all my "Known Folder"  junctions to my second hard drive (by telling Vista to move them, not by hacking it), and that is one of the only differences between the machine that failed to boot a backup image and the one that worked fine.

I am still waiting for the subinacl script to complete (it's been going for half an hour but no failures so far).  Fingers crossed.

Answer 30

I also remember that after moving some of my " Known Folders"  to a different drive, after rebooting, I was having some unusual behavior--like start menu shortcuts that had gone blank and that I had to recreate.  I think there is a good chance the problem occurred at this time and I just happened to clone it to the second drive (there is not really a good explanation for why it would appear on my source drive as well as target drive.).  I wonder if anyone else had moved these junctions (the special named folders) to a different location before having this problem?

Answer 31

This utility has been running for 7 hours.  It just passed the 4,900,000th registry key.  Is this normal?  I can't imagine what could be in the registry that is that big.

As far as I can tell, it's been stuck in HKLM/Software/Wow6432Node/Wow6432Node/Wow6432Node/Wow... [it cuts off there, but I can only imagine the horror.] for at least six of those hours. 

Ugh.

Answer 32

 

HI

 

I found this Topic while searching for a solution to my event log problem. I have this exact issue with the event logs not working. I have no idea what has caused it and it was working fine at least a week ago.

 

Ive followed the instructions that Gary Bouchard set out. The Secedit output txt file logged this

 

Completed 0 percent (0/115)  Process Privilege Rights area       
Completed 1 percent (1/115)  Process Privilege Rights area       
Completed 2 percent (2/115)  Process Privilege Rights area       
Completed 3 percent (3/115)  Process Privilege Rights area       
Completed 4 percent (4/115)  Process Privilege Rights area       
Completed 5 percent (5/115)  Process Privilege Rights area       
Completed 6 percent (6/115)  Process Privilege Rights area       
Completed 6 percent (7/115)  Process Privilege Rights area       
Completed 7 percent (8/115)  Process Privilege Rights area       
Completed 8 percent (9/115)  Process Privilege Rights area       
Completed 13 percent (15/115)  Process Privilege Rights area       
Completed 13 percent (15/115)  Process Group Membership area       
Completed 14 percent (16/115)  Process Group Membership area       
Completed 26 percent (30/115)  Process Group Membership area       
Completed 26 percent (30/115)  Process Registry Keys area       
Completed 27 percent (31/115)  Process Registry Keys area       
Completed 28 percent (32/115)  Process Registry Keys area       
Completed 29 percent (33/115)  Process Registry Keys area       
Completed 30 percent (34/115)  Process Registry Keys area       
Completed 31 percent (35/115)  Process Registry Keys area       
Completed 32 percent (36/115)  Process Registry Keys area       
Completed 33 percent (37/115)  Process Registry Keys area       
Completed 33 percent (38/115)  Process Registry Keys area       
Completed 34 percent (39/115)  Process Registry Keys area       
Completed 35 percent (40/115)  Process Registry Keys area       
Completed 36 percent (41/115)  Process Registry Keys area       
Completed 37 percent (42/115)  Process Registry Keys area       
Completed 38 percent (43/115)  Process Registry Keys area       
Completed 39 percent (44/115)  Process Registry Keys area       
Completed 40 percent (45/115)  Process Registry Keys area       
Completed 40 percent (46/115)  Process Registry Keys area       
Completed 41 percent (47/115)  Process Registry Keys area       
Completed 42 percent (48/115)  Process Registry Keys area       
Completed 43 percent (49/115)  Process Registry Keys area       
Completed 44 percent (50/115)  Process Registry Keys area       
Completed 45 percent (51/115)  Process Registry Keys area       
Completed 46 percent (52/115)  Process Registry Keys area       
Completed 46 percent (53/115)  Process Registry Keys area       
Completed 47 percent (54/115)  Process Registry Keys area       
Completed 48 percent (55/115)  Process Registry Keys area       
Completed 49 percent (56/115)  Process Registry Keys area       
Completed 50 percent (57/115)  Process Registry Keys area       
Completed 51 percent (58/115)  Process Registry Keys area       
Completed 52 percent (59/115)  Process Registry Keys area       
Completed 53 percent (60/115)  Process Registry Keys area       
Completed 53 percent (61/115)  Process Registry Keys area       
Completed 54 percent (62/115)  Process Registry Keys area       
Completed 55 percent (63/115)  Process Registry Keys area       
Completed 56 percent (64/115)  Process Registry Keys area       
Completed 57 percent (65/115)  Process Registry Keys area       
Completed 58 percent (66/115)  Process Registry Keys area       
Completed 59 percent (67/115)  Process Registry Keys area       
Completed 60 percent (68/115)  Process Registry Keys area       
Completed 60 percent (69/115)  Process Registry Keys area       
Completed 60 percent (69/115)  Process File Security area       
Completed 61 percent (70/115)  Process File Security area       
Completed 62 percent (71/115)  Process File Security area       
Completed 63 percent (72/115)  Process File Security area       
Completed 64 percent (73/115)  Process File Security area       
Completed 65 percent (74/115)  Process File Security area       
Completed 66 percent (75/115)  Process File Security area       
Completed 66 percent (76/115)  Process File Security area       
Completed 67 percent (77/115)  Process File Security area       
Completed 68 percent (78/115)  Process File Security area       
Completed 69 percent (79/115)  Process File Security area       
Completed 70 percent (80/115)  Process File Security area       
Completed 71 percent (81/115)  Process File Security area       
Completed 71 percent (81/115)  Process Services area       
Completed 72 percent (82/115)  Process Services area       
Completed 73 percent (83/115)  Process Services area       
Completed 73 percent (84/115)  Process Services area       
Completed 74 percent (85/115)  Process Services area       
Completed 75 percent (86/115)  Process Services area       
Completed 76 percent (87/115)  Process Services area       
Completed 77 percent (88/115)  Process Services area       
Completed 78 percent (89/115)  Process Services area       
Completed 80 percent (91/115)  Process Services area       
Completed 84 percent (96/115)  Process Services area       
Completed 84 percent (96/115)  Process Security Policy area       
Completed 86 percent (99/115)  Process Security Policy area       
Completed 90 percent (103/115)  Process Security Policy area       
Completed 93 percent (106/115)  Process Security Policy area       
Completed 95 percent (109/115)  Process Security Policy area       
Completed 100 percent (114/115)  Process Security Policy area       
                                                                          
The task has completed. Warnings occurred for some attributes during this operation. It's okay to ignore the warning.
See log %windir%\security\logs\scesrv.log for detail info.

 

Also the scesrv.log  from %windir%\security\logs  logged something a little disturbing

 

----Configure Registry Keys...
 Configure users\.default.
 Configure machine\software.
 Configure machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.
  Error setting security on machine\software\classes.
Warning 5: Access is denied.

 

Ive only posted some of these as the list of denied was massive.

I ran the cmd prompt as Admin and don't see why it would be access denied. I do need help with this as i wanted to check my event logs for a reason.

 

Any help on this issue would be much appreciated.

 

Answer 33

 

Also while continuing to look into this i found a post in a group where someone was talking about respective permissions on directories of log files. I found them in %windir%\system32\logfiles   - My account was in the list as special for the folder only. I was able to add my account and tick all the box's for the folders but it would not apply to all files and subfolders. I am also unable to take ownership of the folders and their contents either to place Administrator or myself as the owner. This is my home machine and my account is an administrator. Who could have permissions above me ?

Answer 34

I have this same problem and have done a search on MS Support site.  How widespread is this issue?  The fact that it has happened to several folks and the topic does not even exist when you search MS Support is pathetic.  In fact when I drop down a list of products to narrow down my search or "Error 4201" WINDOWS VISTA IS NOT EVEN LISTED! 

 

Can anyone provide any information at all as to the cause, and any steps toward a resolution.  Wipe and reload is not an acceptable resolution.

 

Has anyone that experienced this problem of Event Log Service failing to start... Error 4201 WMI object bullcrap?

 

Dominic 

 

Answer 35

 

I am another unfortunate with this problem (Installed twice)

 

error 4201: The instance name passed was not recognized as valid by a WMI data provider

Answer 36

I too am having this problem.  Am running the script from page 2 of this thread, but so far have over 1650 failures. I'm getting "RegSetKeySecurity Error : 5 Access is denied."

 

This has happened twice on the same computer, both of which were fresh installs of Vista Ultimate. I cannot install the Vista Ultimate Extras, which is how I saw this the second time (first time it was just the Event Log, now it's both the Event Log and the Ultimate Extras.)  I'm also getting the WMI error when trying to open the Event Log.

 

--------------

 

Possibly found a solution.  Found a post (http://forums.pugetsystems.com/showthread.php?t=2462) that someone asked "" Well, yes, I did do that...why, I don't know. It's late. Blame it on stupidity.  Anyway, checked the LogFiles folder, and lo and behold, the logged in account was specified in the security, but had no permissions. It SAID it was inheriting it from the parent folder (System32), so I went to that folder, but it wasn't listed. So I changed the permissions on System32 and told it to replicate down to subdirs. It's still running, so I'll check it in the morning and see if it works or not. Might do another fresh install (this is a test box, which will eventually become my son's gaming machine.) Still, this looks like it might be the cause of the problem. Did anyone else experiencing this problem do a take ownership on the root?

Answer 37

In spite of my computer being seriously messed up (I think there is a sort of infinite loop in the registry), Gary Bouchard's instructions saved me from having to reinstall.

Some issues I encountered that may help others:

1.  MAKE SURE THAT SUBINACL IS RUN WITH ADMINISTRATOR PRIVILEGES.  In Vista, you have to use the "Run as Administrator" version of the command prompt to execute the batch file.  Otherwise, you will get Access Denied on many things.
2.  In my case, subinacl crashed due to malformed registry entries in the Wow64 nodes (the nodes are like 12 deep, it's crazy) and worse they seem to be entries for Office 2007.  If this happens to you, after the crash, just REM out the items that already complete and the one that crashed, then run it again so it will complete.  If the script seems to be stuck for hours on end in Wow64 nodes, it is fine to break out of it and use the same procedure to run the rest of the script.  If you don't break out of it, it will eventually crash on its own due to running out of memory--it's just a matter of whether you want to wait 12 hours for that to happen.
3.  After the reboot, my event log was working again but many other things were broken, including tcpip.sys failing to load which is a major headache.  At this point though you can use your event log to address the problems one-by-one (including the Network Lister issue that was described). 

Answer 38

Azul,

 

I am glad you started making progress... I knew that the solution would probably not fit everyone's individual case.

 

The point you made about running the script AS ADMINISTRATOR is an important item and I am glad you reiterated that.

 

Perhaps that is why some of the other folks are having trouble getting it to run through...

 

I did have to do it a couple of times because of the seeming hangup but resisted the tempation to interupt the script until I could see what problem it was running into.

 

Hopefully Microsoft is monitoring this newsgroup, and I know that the several Microsoft Tech Support people that were helping me logged what they were finding.

 

They did tell my that they had another case submitted to them and they were going to get a complete image of that persons drive so they could study what was happening. Hopefully they will come up with a hotfix or address it in the monthly patches.

 

Good luck all!

Gary.

 

Answer 39

I gave up, and did a format & reinstall. Everything is fine now, Event Log is working, all updates installed.  I realize that's not an option for everyone, but rather than dealing with the headache of trying to figure out the solution, I just killed the install and redid it. Easier for me that way.  Best of luck to everyone else.

Answer 40

I've not tried the workaround earlier in this thread because I reckoned that it was Microsoft's job to put this right, not mine. But time goes by and I still have the problem and I haven't seen anything from Microsoft on the subject. Does anybody know if Microsoft has come up with an answer to this yet?

Mike

Answer 41

 

I too finally formatted and reloaded vista and hey presto it works.  Seems to be the only solution if you follow the instructions in this post to the letter and it doesn't work.

 

The only peice off advice i would give after re-installing is to stay away from a windows update called Dreamscene, i read something somewhere about it being the reson for this issue.

 

Answer 42

Hi guys,

          After doing many researches, I believe this problem is because we changed the permission of a folder incorrectly, the RtBackup folder which is under C:\Windows\System32\LogFiles\WMI\RtBackup .

         I solved the problem by rebooting the system-->safe mode--> go to RtBackup folder ---> reset the permission to defaut-->fixed.

 

         I hope this works for you.

Answer 43

That was a fantastic POST!!
Worked for me like a charm.

Answer 44

What do you mean by: "reset the permission to defaut"?

Answer 45

WOW! I got to work!

 

My RtBackup folder was unreadable. So I deleted it and rebooted. It recreated itself and all is working again.

 

Thx all!

 

Answer 46

Works like a charm, thank you from the bottom of my heart :-)

But I couldn't reset/delete it even in safe mode. So I used my ERD-Commander (bootable CD with Windows XP) to delete it.

Windows Event Log works again, and I could finally install SP1 RC.

Btw, the other solution with the ACL-resetting encountered many problems and lasted 10h till it crashed partially and so it didn't change anything. But thanks for the suggestions anyway!

Answer 47

Dear fellows,

 

I've got a new laptop with Windows Vista and to get rid of the annoying security messages, I

• disabled UAC User Account Control and
• made my own user owner of the C-drive.

I suspect the latter to be the culprit for not being able to view nor start the event log.

 

When I try to view the Event Log I get this message:

Event Log service is unavailable. Verify that the service is running.

 

When I go to Services, select Windows Event Log and try to start this service I get

Windows could not start the Windows event log service on Local Computer.
Error 4201: The instance name passed was not recoganized as valid by a WMI data provider.

 

Deleting the directory

C:\Windows\System32\LogFiles\WMI\RtBackup

and rebooting, as mentioned in the penultimate post, solved my problem to.

Thanks for the good advice.

Willem

 

NB: In dutch...

Gebruikersaccountbeheer
Eigenaar van de C-drive

Ga naar Systeembeheer, Computerbeheer
Selecteer Systeemwerkset en Logboeken
Event Log-service is niet beschikbaar. Verifieer dat de service is opgestart.
Selecteer Services en toepassingen, selecteer Services, dubbelklik "Windows Event Log" en klik de knop Starten
Kan de Windows Event Log-services op Lokale computer niet starten.
Fout 4201: Een WMI-gegevensprovider heeft de doorgegeven exemplaarnaam niet als geldig herkend.

Answer 48

Having same problem. This is the most useful thread I've come across in researching this issue for which I thank those who have previously posted.

I am unable to delete the RtBackup folder or the EtwRTDiagLog.etl file contained therein.

I don't have access to ERD Commander so I tried Knoppix 5.1.1 but that also said I was denied access when I tried to delete the file. Knoppix shows full owner/group permissions for the file so I'm assuming it's somehow corrupted and therefore won't let me delete it.

Any other thoughts on how I might delete the RtBackup folder? I am very reluctant to reinstall Vista. (This was a clean install on a newly built PC by the way).

Thanks.

Answer 49

I had the same problem (at least same symptoms) and I was able to rename the ..\RtBackup directory in safe mode.  I could not delete it, but I renamed it to ..\xRtbackup.  after a normal restart, the Event Log started just fine.

 

now, on to the next problem that I was trying to solve when I found that the event log wasn't working.

Answer 50

Thanks Gary,

It solved the problem for me.

Event Logs are back up and running.

David

Answer 51

xmasgoose wrote:

Thanks Gary, It solved the problem for me. Event Logs are back up and running. David

 

David,

 

You're welcome... it obviously did not work for everyone, but my system has been holding steady since I got it corrected.

 

I read and see all the hub-bub about how people are dumping Vista, but I like it... Yeah, it can be a little sluggish at times (because of all the stuff I run) but not enough to make me want to go back to XP

 

Bring on the next one!

 

Answer 52

Works great! Thanks I have had no evenlog for ages (real pain) and now everything works fine, no issues.

Thanks for passing this on! Much appreciated!

Cheers!

 

Answer 53

I just wanted to take a second and thank you. This solution worked fine for me.

Brian

Answer 54

 

Me too! Gary Bouchard, you're amazing. I was hesitant to try it after reading the posts saying that it took 6+ hours to run, but mine finished in 10 minutes. Thanks!

Answer 55

Gary I am currently running your test here and hope to have success. I greatly appreciate your help with this issue.

*Edit*

It worked. Everything is back up and operational. Thank you VERY much.

Answer 56

Giorgio Gamberini wrote:

Great! It finally works! Just two little adjustment: 1. when you run reset.cmd, you must run it as administrator (otherwhise it will not succed to fix all the files) 2. the right command is:     secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose     with /cfg parameter (not /CF) I had no problem with the Network List Service. Thank you very much!

I a

m sure I am having this problem since rthe Event logger doesn't wprk for me and I cannot install Vbista X64 SP1 however the reset.CMD printout doesn't worj for me, it says the command has a syntax error and I shall check /h for  syntax.

Any help anybody please? I want to know this fixed, thanks in advance!

 ere is what I see:
Resetting ACLs...
(this may take several minutes to complete)

==========================================================================


LookupAccountName : HKEY_LOCAL_MACHINE:administrators 1337 Die Struktur der Sich
erheitskennung ist unzulässig.

Current object HKEY_LOCAL_MACHINE will not be processed


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume
nts - HKEY_LOCAL_MACHINE


LookupAccountName : HKEY_CURRENT_USER:administrators 1337 Die Struktur der Siche
rheitskennung ist unzulässig.

Current object HKEY_CURRENT_USER will not be processed


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume
nts - HKEY_CURRENT_USER


LookupAccountName : HKEY_CLASSES_ROOT:administrators 1337 Die Struktur der Siche
rheitskennung ist unzulässig.

Current object HKEY_CLASSES_ROOT will not be processed


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume
nts - HKEY_CLASSES_ROOT


System Drive...
WARNING : /grant : Invalid option : C:\Program Files (x86)\Windows Resource Kits
\Tools
Use :
SubInacl /help to get the usage information
or
SubInAcl /help syntax to understand SubInAcl syntax.
Current object C:\Program Files (x86)\Windows Resource Kits\Tools will not be pr
ocessed


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /grant : Invalid option : C:\Program Files (x86)\Win
dows Resource Kits\Tools


Windows Directory...
LookupAccountName : C:\Windows\*.*:administrators 1337 Die Struktur der Sicherhe
itskennung ist unzulässig.

Current object C:\Windows\*.* will not be processed


Elapsed Time: 00 00:00:00
Done: 0, Modified 0, Failed 0, Syntax errors 1
Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume
nts - C:\Windows\*.*


==========================================================================

FINISHED.
Press any key to exit . . .
 rücken Sie eine beliebige Taste .

Answer 57

Gary,

Thank you very much for the detailed instruction! It fixed the Event Log Service, working of which allowed to install the SP1, installation of which allowed file copy/move/delete do seamlessly in the local network environment.

Answer 58

falkie,

 

You are all most welcome... I just wish Microsoft would have figured this out by now and issued a fix!

 

Since the problem was fixed I have not any further problems with it, so that seemed to do the trick.

 

Answer 59

Awesome thread!  Renaming the C:\Windows\System32\LogFiles\WMI\RtBackup   folder FIXED the problem!!

Of course - - figuring out HOW to rename (or delete) that folder was a bit of a trick!!

The permissions on my drives had been modified, and I could NOT revert them.  I did run the Secedit program, and tried to return all to default settings, but could NOT gain permissions to rename that folder.  So I looked around for a DOS system that would load an NTFS interface.

The computer I've built uses RAID-1 for the "C" system drive, and RAID-5 for the 1TB data drive.  These are controlled by hardware on the motherboard, and unfortunately, the NTFS4DOS packages don't seem to allow addition of hardware drivers at boot time.

Then I found the ERD-Commander, also referenced in this thread.  This basically loads a WinXP-like OS from a bootable CD-ROM, and permits loading of your motherboard hardware drivers via the standard system-installation "F6" trick (you have to watch for it at boot time - you have about 6 seconds to press the "F6" key - - otherwise it defaults to 'none').  Select "NONE" when it asks which OS you wish to repair.  You then have unrestricted access to EVERY folder on your drives.

Renaming the RtBackup folder (I didn't want to delete it - - just in case), then rebooting back to Vista revealed that Windows Event Log Service was NOW RUNNING, and SP1 finally installed without a hitch.

MICROSOFT obviously needs to patch their SP1 installation routine to regain permissions to access the RtBackup folder.

AWESOME DUDES!!!  Great Job!!

Now, if I can only find out why I can't open a command prompt in administrator mode - - but that's another thread 

Merlin 

Answer 60

Merlin,

Have exactly the same problem as you but tried renaming rtBackup folder and could not do it with using Safe mode, turning off UAC etc.  Tried to download ERD-Commander - would appreciate knowing the site you used.  I've tried a couple - some just say MS bought this company out in 2006 whilst another allowed me to download an .rar file but you have to have password to extract it. 

Have already wasted hours on this - am frusted with Vista!!!

Di

Answer 61

Try this: http://ccollomb.free.fr/unlocker/

 

It worked for me. Note that if you are using UAC, you have to set "Run as administrator" on "Compatibility" tab for file C:\Program Files\Unlocker\Unlocker.exe

 

After installing and setting compatibility mode mentioned above, just go to C:\Windows\System32\LogFiles\WMI, right-click on "RtBackup", select "Unlocker", select "Rename" from drop-down list, type e.g. "RtBackup.bak" and click "OK" twice.

 

I hope it would work for you.

Answer 62

Hi Some1

Thanks for your reply.  I downloaded Unlocker and installed as per you instructions.  When I try to rename rtbackup I get the message "No locking handle found.  However Unlocker can help you deal with this Object.  Choose the action you want to perform on the Object"

I then select Rename from the combo box and then enter the "new" name.  A message then says "The object could not be renamed, do you want to perform the requested rename operation at next boot?".  I confirm this and reboot.  After reboot I get an extra folder called rtbackup.bak but the original rtbackup is still there.  It appears to me that the unlocker program is copying the rtbackup folder to rtbackup.bak but still can't delete the original rtbackup folder

I appreciate the time you took to reply to me - will take this matter up with MS tomorrow.  I've already wasted hours trying to fix this problem and to be honest my patience is wearing thin.

Thanks again though for your help.

Di

Answer 63

Hi Some1

Just thought I'd let you know.  After sending my earlier email had a thought that maybe the rtbackup folder had been deleted and then automatically recreated on the reboot.  I decided to apply the SP1 patch just in case. That must have been what happened as I applied the SP1 patch and it worked.  This was the 5th attempt at applying the patch so it would seem that the Event Log error certainly is the key to solving this problem.  Thanks again for your help - it WORKED!!

Di

Answer 64

Some1,

 

Thanks for the tip.  I've been on the phone for at least a week with MSoft about this (not being able to install SP1) and the Event Viewer problem.  Your suggested fix worked like a charm.  I've since called MSoft back and explained in detail how to get this fixed for anyone else.  I pointed them to your post here.  They were thrilled.  Again, Thanks for help and efforts to help other less talented people. Ha ! Have a good 1.

 

Answer 65

trei wrote:

Some1,   Thanks for the tip.  I've been on the phone for at least a week with MSoft about this (not being able to install SP1) and the Event Viewer problem.  Your suggested fix worked like a charm.  I've since called MSoft back and explained in detail how to get this fixed for anyone else.  I pointed them to your post here.  They were thrilled.  Again, Thanks for help and efforts to help other less talented people. Ha ! Have a good 1.

 

That is an unfortunate shame, because Microsoft Tech Support Engineers were in on finding the original solution...

 

I just cannot believe that this was not documented and addressed... I told them several times while I was working with them that there were a lot of folks having the same issue.... there are probably many more folks that do not even know there is a problem, because they dont use the event logs!!!

 

Microsoft needs to get their stuff together!

Answer 66

Gary Bouchard wrote:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose >c:\temp\secedit_output.txt (the redirect of output echos the programs output to a text file, but secedit also creates a log file. The program will show you the location of the log file when it is done).

 

The process of using the Reset.cmd file does indeed work to fix problems related to the Vista SP1 installation which kills the Event Log process (and thereby EventViewer) and resulting in a 4201 error message when Event Log restart is attempted.  This was exactly the problem I had and I was able to fix it by following these instructions.

 

Be aware though that the secedit command can mess with your other user profiles.  I lost the ability (due to the security change) to log into a standard user account immediately after running this.  In searching the internet, it appears that this command is directly related.  All of the files for the other (lost) users still exist, but the account cannot be recreated as an error message like "file names that contain */!?@ cannot be used" (I am paraphrasing the error but the suggestion is that a non-alphanumeric character is being used).

 

Also, the subinacl.msi file will not run if UAC is on - it gives a message about installer couldn't be run due to invalid installer credentials (again paraphrased).  I thought at first this was related to the system requirements on the download site that did not list Vista.  It does run on Vista Sp1...just turn off UAC and reboot first.

 

Lastly, I had no luck at all (even in SAFE mode) with getting permissions over the WMI\RtBackup file.  I even tried the Unlocker software.  I had full permissions over the Logfile and WMI folders, and the file itself, but could not get permissions over the System32 folder.  But the Reset.cmd method works!  Many thanks!

Answer 67

Rick Win wrote:

I had the same problem (at least same symptoms) and I was able to rename the ..\RtBackup directory in safe mode.  I could not delete it, but I renamed it to ..\xRtbackup.  after a normal restart, the Event Log started just fine.   now, on to the next problem that I was trying to solve when I found that the event log wasn't working.

 I get a permissions denied error no matter what I do to try and set permissions and take ownership it won't allow me to rename it or delete it. HELP. I need this thing to work.


Edit: I figured it out. Thank you!

Answer 68

Some1 wrote:

Try this: http://ccollomb.free.fr/unlocker/   It worked for me. Note that if you are using UAC, you have to set "Run as administrator" on "Compatibility" tab for file C:\Program Files\Unlocker\Unlocker.exe   After installing and setting compatibility mode mentioned above, just go to C:\Windows\System32\LogFiles\WMI, right-click on "RtBackup", select "Unlocker", select "Rename" from drop-down list, type e.g. "RtBackup.bak" and click "OK" twice.   I hope it would work for you.

Some1,

Thank you so much! This worked for me! Finally! I couldn't delete the folder but it did allow me to rename it after reboot which is the option it gave me when it failed to delete it.

I rebooted and it recreated the RtBackup folder.

Now my Windows Log Viewer is working and I can install the Windows Service Pack 1! I quoted you in another forum because this seems to be an issue a lot of people are having now that it's time to install a Service Pack their either noticing that their Windows Event Log is no longer working or like me they're finally forced to do something about it. I just feel bad for the ones who don't know there is a connection.

Thread at Re: Error Code 800706B5 on SP1 Failed Install

Answer 69

Thank you very much!!!!

It worked. I had problem installing Windows Vista SP1, and I was on the phone with microsoft for 3 days no one couldn't help. They're going to call me today again to try to fix my problem wich I solved last night with this fix.
I found this page because I was trying to fix the problem I had with the event viewer. The event is now fixed and working beautifully.
It worked beautifully I checked windows update history I saw Windows Vista SP1 "successfull" Just by following the steps you describe, you're genius.

It works not only for the event viewer and also Vista SP1, I think even other installation related problems.

This saved my 4 hrs I would have spent with microsoft on the phone today, now I won't pick up the phone when they will call, just carry on with my day and not having to worry about my computer.

Thanks again!!!

Answer 70

cesco wrote:

Thank you very much!!!! It worked. I had problem installing Windows Vista SP1, and I was on the phone with microsoft for 3 days no one couldn't help. They're going to call me today again to try to fix my problem wich I solved last night with this fix. I found this page because I was trying to fix the problem I had with the event viewer. The event is now fixed and working beautifully. It worked beautifully I checked windows update history I saw Windows Vista SP1 "successfull" Just by following the steps you describe, you're genius. It works not only for the event viewer and also Vista SP1, I think even other installation related problems. This saved my 4 hrs I would have spent with microsoft on the phone today, now I won't pick up the phone when they will call, just carry on with my day and not having to worry about my computer. Thanks again!!!

 

Your Welcome... Now, when Microsoft calls you back, hammer them for not putting this info in the Tech Support database!!!

 

It's been over a year, with many more people having this problem and I cannot believe that they havent addressed this!

 

I'll bet there are a whole lot more folks that dont even realize that it's not working.

 

Answer 71

And again - Thank you! 

 

One minor (untested) suggestion.  Because "Standard Users" seeem to lose their login rights as a result of this procedure (all files remain intact, so it's not too bad), perhaps you should consider upgrading them to Administrator just prior to running this fix.  Once you are back in business, you can reset them to Standard Users.

 

Answer 72

I was able to resolve the 4201 error (could not start event log service) simply by reenabling UAC. This was after checking/changing all the permissions and was unable to delete that system32/logfiles file.

Answer 73

Gary Bouchard, I Love You!

I have had this problem since Feb 2008 and several services would not run. I have tried just about everything and was not finding a solution until I finally received the error code  4201 so I could do a search under that instead of "event viewer ...."
I Followed your directions and all is well. You're awesome.!!!!

Answer 74

tami528 wrote:

Gary Bouchard, I Love You! I have had this problem since Feb 2008 and several services would not run. I have tried just about everything and was not finding a solution until I finally received the error code  4201 so I could do a search under that instead of "event viewer ...." I Followed your directions and all is well. You're awesome.!!!!

 

Tami528,

 

I'm very glad this worked for you... as you can see, it doesn't work for everyone, but there are usually other circumstances that prevent it from working.

 

I jumped into Vista in January '08 (when they went RTM) and found the problem right away because I use my event logs...

 

It still irks me to no end that MS has not at least issued a patch for the problem...

 

I directed the MS-Support engineers to this thread so they could see a lot of people are having this problem, but....

 

Believe it or not, this has been the only issue I have had with Vista.... (knock on wood )

 

Enjoy

 

Answer 75

Found the easy way to correct the log file problem and it is so simple.

1. Reboot you machine with you Windows Vista instulation disk.

2. Accept the default language selection

3. On the install Vista screen select Repair Vista installation.

4. On the repair Vista Installation selection screet select DOS prompt

5. at the DOS prompt chanhe to you C drive.

6. Change directory to the C:\windows\system32\logfiles\wmi\RtBackup directory

7. Do a DEL *.* and reply "Y"

8. Change back one directory "CD .."

9. Do a "RD RtBackup"

10 Exit Dos and reboot you system without you instulation disk. New RtBackup directory will then be created. No need to worry about permission with this way

 

Answer 76

okay I haven't been able to install the SP1 update and noticed that my event viewer wasn't working either.  I did remove the files in the Rtbackup and tried event log again and it work, so I decided to try installing SP1 again and still it won't install, it reverts back.

 

My question, if I try the other thing you suggested what profiles will I exactly lose.  For some reason I have 2 listed in profiles one that says Debbie PC/Administrater and one that says Debbie PC/Debbie.  I'm figuring this is why I can't instal SP1 all the way.  It wil let me delete or move the one that says administrater but not the other one, when I go under user profiles.

 

Any help will be greatly appreciated.

Answer 77

1.  Are you running in a Domain? If so you will need to logon to you system as a non Domain client with theMain administrator account.

2.  Do you have access to System Administrator tools? If not they can be turn on through the toolbar properties/start menn/customize/System Administrator tools/Display on the ALL Programs menu and Start Menu.

3. Is the System administrator account active Not Debbie PC/Administrater. If not you will ned to activate it.

  3a. to activate the system administrator account from the administrator tool start Local Security Policies.

  3b. In the policies window; Expand Local Policies/Security Options.

  3c. Double click on: Accounts: Administrator account status. and enable it.

  3d. Scroll all the way to the bottom of this window and Disable all User Accounts Control items listed except for the two  that begin with the word Behavior. They should be Elevate Without... and Prompt for ....

  3e. Close the policies window

4. Start System Configuration utility from the Administrators tool menus

in the utility disable all Startup Items. Then go to the services tab and check the Hide all Microsoft Services. then click on the disable all button. Click on the apply and then ok buttons. You will then be ask to reboot you system.

5. Reboot the system and logon as the non domain system administrator. IE Computer name/Administrator

    example like pro300/administrator where PRO300 is the name of my computer. This will log you on to your system as a non-Domain system administrator. This may take a few munites longer to get you logon as the system need to create the administrator account.

6. Once you are logon this way you should be able to start the Vista SP1 update and it should install fully.

7. Before you return to normal pc activies you will need to turn back on all startup item and non microsoft services. Follow steps # 2. and # 4. In Step # 4 from the General tab just select Normal Startup. This will turn everthing back on. Click APPLY and OK and do a system reboot logoning on as you normaly do. 

 

Answer 78

I just wanted to give a HUGE thank you to Gary Bouchard - I followed his instructions and was able to get SP1 installed on Vista Ultimate x64.  I went about following Gary's instructions like this:
1. run the reset.cmd script as Administrator
2. kill the command window (subinacl process) running the reset.cmd script once it started reporting failures in the Wow6432Node registry node
3. modify the first reset.cmd script registry reference to (added SYSTEM):

subinacl /subkeyreg HKEY_LOCAL_MACHINE/SYSTEM /grant=administrators=f /grant=system=f

4. save reset.cmd
5. rerun reset.cmd as Administrator
6. run this command from Gary: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose >c:\temp\secedit_output.txt
7. reboot
8. install Vista SP1 from Windows Update

Also, I did not have to delete or rename System32\LogFiles\WMI\RtBackup to get my Windows Event Log service to run.

Thank you again, Gary!

Answer 79

I tried installing Vista SP1 five times.. but every time it failed. I was not sure why it was failing, untill I came across this post. Thanks a lot .... I have finally been able to install SP1.

Answer 80

Gary Bouchard wrote:

TJelly wrote: Hi   I have this very same issue as well. The last thing i did was clean out all scheduled tasks and hidden tasks because I hate when my computer does things I don't not choose to do. Lil. let me what what you find out.   J   OK Ladies and Gentleman, here is what we have found;   Apparently, one of the Windows updates is causing corruption of the Access Control List (ACL's) in the registry. I had entire sections of my registry nodes that lost the ACL'S.   While I was researching the problem, I came across a website where someone had a similar problem with getting windows OS programs/services to run and they discovered that there was some registry corruption and missing ACL's.   There are two different options that I ended up doing to get the system back in operation.   It seems that running one or the other alone will not fix the problem, but doing both should get you back in service.  Make a backup of your registry (and a complete backup of the system wouldn't hurt either!) Go to Microsoft's website and download a program called subinacl.exe from this site; http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en Install the subinacl.exe (it downloads as an MSI file). Copy the code below into a text file and then name the text file reset.cmd. I copied the command file to my temp folder to run, but as you can see from the cmd file, it contains the path to the executable subinacl.exe. @echo off title Resetting ACLs... cd /d "%ProgramFiles%\Windows Resource Kits\Tools" echo. echo Resetting ACLs... echo (this may take several minutes to complete) echo. echo ========================================================================== echo. echo. subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f echo. echo. subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f echo. echo. subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f echo. echo. echo System Drive... subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f echo. echo. echo Windows Directory... subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f echo. echo. echo ========================================================================== echo. echo FINISHED. echo. echo Press any key to exit . . . pause >NUL   3. As this command file runs it will show you the status of the reset and create a log that you can go back into and inspect for problems. 4. When this command file completes, you then need to open a command window (using Run As Administrator) and run the following command; secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose >c:\temp\secedit_output.txt (the redirect of output echos the programs output to a text file, but secedit also creates a log file. The program will show you the location of the log file when it is done).   These two actions combined will reset the permissions on the registry nodes back to their default settings.   Reboot and check your Event Log service... at this point it should be running.   After effects of this process which happened to me, were that the Network List Service would not run... I still had network and internet access, however the Network icon in the task notification area had a Red X, and mouse over displayed a tooltip that said "Server Execution Failed".  This was a result of resetting the ACL's.   The Network List Service (netprofm) would not run because it did not have permission to run.    In order to correct this issue, you must open the Component Services snap-in and drill down under Computers/My Computer/DCOM Config/netprofm (this is for Vista!) and right click the node, and select Properties.   Click on the Security tab and make certain the correct user names are listed and that they have the appropriate permissions. I have 4 users listed with the same permissions; (your mileage may vary ) Administrators - Perms; Local Launch, Local activation Interactive Local Service System Next, go to the Identity tab and ensure that The System account (services only) is the item that is checked. Make sure the changes you make get applied.   Restart your computer so the ACL's are refreshed.   Once you come back up from the reboot, things should be pretty much back to normal.   You may find a stray program here and there that may need to have it's permissions reset, but you should be operational.   I directed the Microsoft engineers to this forum (and Goggle search it) so they can see this is getting to be an issue for a lot of people. They in fact have a brand new case (same problem) that was just escalated to them and they are going to take an Image of that persons system first thing so they can determine what is causing this, and if necessary put out a hotfix or service pack to correct it.   In the meantime, if you run into anyone else going through this problem, at least there was one solution that worked for me...   I cannot guarantee that this will work for everyone and the issue may effect each machine differently, so just be aware that this is not the blue pill!   I think that because the Registry database is so critical to the operation of Windows, Microsoft engineers should have some sort of utility that can repair and/or reset the registry and file permissions easily should something happen...   I personally believe that this should be part of the base operating system and we should not have to shell out extra bucks to third party vendors for these type of utilities, particularly if the registry is prone to corruption either by Microsoft's own hands or by a third party application.   I am not knocking third party programmers as I am one myself, I am just saying that this is Microsoft's OS and they should provide these easily accessible tools to keep us running!   Good Luck!

Thanks Gary..Worked wonders for me & i was even able to install SP1 wchich was bugging me since two days

Answer 81

 

Ditto from me, Gary. I had no idea I had this problem until today when, of course, I was in a crunch to figure it out. I followed your instructions and was back in business within 20 minutes. THANK YOU!!!!!!!

 

Laura

 

Answer 82

Hi Everyone

 

It has taken me almost 3 months to sort out why my Live Messenger Shared Folders would not work on my HP Compaq 6820s laptop but since finding this site - I have solved it in one morning !!  It also looks as if I will now be able to install SP1 (Vista) but I have not tried yet.

 

I could not delete the rtbackup folder however much I tried because it kept saying Access is Denied so I downloaded the program Unlocker found at http://ccollomb.free.fr/unlocker/ and whilst it could not delete the folder whilst in Windows, it gave me the option for the program to delete the folder when next doing a re-start - and that is exactly what it did!

 

All I can say to anyone is - Don't give up hope !! and keep trying because when I investigated asking Microsoft for help, I found out that I would be charged £40 - £50 for the privelege of asking them a question ?? !!! 

 

I am just hoping now that after 8 attempts to install SP1 that I will be able to do it. As a by the by - all HP could do to help with these problems is to tell me to re-install Vista which would of course completely clean my programs and everything else - thank you HP and Microsoft for being so helpful - NOT

 

Will keep you all posted

 

Cheers to everyone who has posted on this issue - very much appreciated and you have saved my sanity !

 

Liana

Answer 83

 

Laura,

 

I am really glad it worked out for you... as you can see from the entries on this thread, the problem still effects a lot of people, yet Microsoft still has no clue!

 

I am definately noticing the pattern... most folks do not have the exact same issue I had but apparently the resolution corrects a whole host of problems folks are running into.

 

Answer 84

You can try to open a command window (using Run As Administrator) and run the following command:

icacls C:\Windows\System32\winevt /grant *S-1-5-80-880578595-1860270145-4826
43319-2788375705-1540778122:F /T 

 

Or you would check whether the WMI Repository corrupt:

net start winmgmt

run %windir%\system32\wbem\Wbemtest.exe

and connect the root\cimv2 (or Root\Default)

If conk out, perhaps should rebuild the WMI Repository:

net stop winmgmt

cd /d %windir%\system32\wbem
ren Repository Rep_bak

restart your computer.

 

good luck.

 

Answer 85

If you want to delete the C:\Windows\System32\LogFiles\WMI\RtBackup folder, you should restart with safe mode with command prompt, as following steps:

 

Please validate your  superuser account (default name "Administrator") is enabled.

 

restart, hit F8 key, and the choose menu showing:

Choose Advanced Options for: Microsoft Windows Vista

 

Please select the third - "Safe Mode with Command Prompt", press ENTER key.

 

Login with Administrator. (or you had already renamed the superuser's name, pls login in your superuser.)

 

In the command window, run the following command:

 

icacls C:\Windows\System32\LogFiles\WMI\RtBackup /grant Administrator:F /T

(or you had already renamed the superuser's name, pls replace the Administrator with your superuser's name.

also replace the Administrator with the Administrators, Administrators is a user group, include superuser.

if you installed the Vista in other driver, pls replace the C: with your system driver sign)

 

rd /s C:\Windows\System32\LogFiles\WMI\RtBackup

Affirm pls enter y (yes).

In this manner, you would delete the C:\Windows\System32\LogFiles\WMI\RtBackup folder.

then restart your computer.

 

Wish you luck!

Answer 86

Hi Gary

 

What I did not make clear in my post ( I am new at this ) is that I had the Error 4201 and was unable to start the Event Service.

 

I did not realise that this was affecting the SP1 installation until today and I only searched on the '4201' error because I noticed that the Messenger USN Journal depended on the Event Service so I gave up on trying to fix the Sharing Folders and concentrated on the Event 4201 error.

 

(not being picky, but my name is Liana  not Laura - and as you can see, I am a little cheeky !!)

 

Thanks once again and tomorrow morning I am going to try and install SP1 - for the 8th time !!   Wish me luck

 

Liana

 

 

 

Answer 87

Lazymare wrote:

Hi Gary   What I did not make clear in my post ( I am new at this ) is that I had the Error 4201 and was unable to start the Event Service.   I did not realise that this was affecting the SP1 installation until today and I only searched on the '4201' error because I noticed that the Messenger USN Journal depended on the Event Service so I gave up on trying to fix the Sharing Folders and concentrated on the Event 4201 error.   (not being picky, but my name is Liana  not Laura - and as you can see, I am a little cheeky !!)   Thanks once again and tomorrow morning I am going to try and install SP1 - for the 8th time !!   Wish me luck   Liana

 

Liana,

 

I apologize for the confusion, however I was replying to Laura's message to me that was a few entries above yours.

 

I was trying to figure out some other problem when I learned that my event viewer service was not working, and that is what opened the can of worrns in the first place. I would not have even known there was a problem until I came across it looking for something else.

 

Keep your fingers crossed! I heard from someone else that was trying to do the same thing (install SP1) and this apparently fixed it.

 

Answer 88

Hi Gary and All

 

Eureka !!!

 

SP 1 has finally installed

 

Thanks to Gary and everyone

 

Have a couple of other problems I need to investigate but thats another story

 

Thanks again

 

Liana x

 

(PS Gary - sorry I didn't check the other posts re the name confusion - my fault    )

Answer 89

Thanks Gary!

Your post on page 2 helped me to resolve the "event log" issue and finally install SP1 for my Vista Home Premium!

But everybody should remember to run reset.cmd also as Administrator (i.e. right click the reset.cmd file and choose run as administrator), if UAC (user account control ) is enabled. Only then it'll work as it supposed to.

I didn't have to do any of DCOM config. The only issue that I had was that I had to reinstall the sound drivers, but that just nothing comparing to the SP1 installation.



Thanks again

Answer 90

thanks to all of you, you are great!!!!!

 

after 2 months of desperate attempts......reading this 3D i fixed the problem event log error 4201, now Windows Event Log works again, and I could finally install SP1

 

I was unable to delete the RtBackup folder from Vista, and i have not access to ERD Commander. for people in the same condition i can suggest

 

 

1-Boot your PC, press F8 and select "startup mode with Command Prompt

   2-in DOS rename the Folder RtBackup (i was no able to delete it)

   3-reboot

 

and everything magically works!!!!

 

thanks you again

 

Answer 91

Gary,

 

I have been experiencing this issue since March of this year. This appears to be the first thread that has real help available!

 

I went through two weeks of throwing every quick fix at my notebook that the "special" Microsoft Vista SP1 Support Team asked me to do. Never did they suggest anything like this. Also, when I told thenm about the Event Log problems occurring at the same time as SP1 failing to install, they insisted that the two problems were definitely NOT related. ("They" being the support tech, Deland, and the supervisor that he supposedly was working with).

 

I am on my desktop currently but I'll give this a try tomorrow on my notebook and post back my results.

 

Thanks again!

 

Jim

Answer 92

Jim,

 

You know... it's unfortunate that Microsoft has turned into a giant bureaucracy!

 

As you can see from the 7 pages of this thread (so far), there are a lot of people having this problem and I am sure there are many more that don't even realize they are having the problem!!!

 

I am starting to wonder if some corporations that decided to kick Vista to the curb ran into this difficulty and thought the OS was too unstable to use.

 

I do have to say that once I got this problem figured out, I have not had any problems with the OS since, and I use my machine for VB6 software development.... if anything would make a system come apart it would be that!!!

 

Anyway, the best of luck to all of you that found this thread, and I suggest following the direction of the good people that contributed to this fix.

 

Gary.

 

Answer 93

llevo aproximadamente 2 meses revisando distintos foros y no hay solucion al problema de este error, entre algunas soluciones se ha dicho que se debe borrar carpeta "\system32\logfiles\wmi" pero esa carpeta no se puede borrar, ni renombrar, ni cambiar de propietario. Mas aún el archivo que hay en su interior *.etl, que es al parecer quien tiene el problema, no tiene propietario. Creo que hay un problema

 

Answer 94

Gary,

Sorry for not checking back in sooner. Your fix did get me going again. Amazing detective work, sir. I thank you! I agree that Vista seems to work fine once this was fixed - thanks to you, not MS. Pretty shameful of them to ignore this. After all I spent a week and a half corresponding with a support tech from their Vista SP1 Special Support Group and got no good help at all. I mean, he did have me try a lot of standard things: sfc, running the Vista SP1 Compatibility program, etc. But he was completely clueless as to the cause of this, and he assured me that the Event Log errors and the inability to install SP1 were not related.

The six months and many, many hours I have spent trying to solve this issue, along with the absolutely horrendous shape of the hardware drivers that my Vista notebook shipped with, have really soured the entire Vista experience for me. As I said, it seems to be running great now - very fast - but I have spent much more time messing with these problems than I have with any previous Windows installation - and I was around for the initial Windows launch - the horrible one prior to what most people think of as the "original" 3.1. Six months playing with this issue - with Microsoft's "help" - is a disgrace, IMO.

Again, I really thank you for this solution. Without it I was going to dump the notebook and was considering a Mac instead. Actually I am still considering getting a Mac next! I haven't used one since I had an original Lisa and the first Mac that followed, but I am getting weary of this kind of problem - I've seen way too many. Especially finding out that even Windows 7 will still not be the "Longhorn" experience we were promised, but basically an upgrade of Vista. If I am not pleased with my near-future experiments with Ubuntu, I am pretty sure I will be looking to Steve Jobs again.

Jim

PS - Can anyone explain to me why after submitting a post I am thrown back to Page 1 of this thread? With no button to take me to the last page of the thread like even old versions of most forum software does? MS never ceases to disappoint me...

Answer 95

Jim,

 

I feel you're pain, but be careful what you wish for...

 

Steve Jobs makes it sound like MAC users are always at Disney World, but if you look at the newsgroups, MAC users and particually the OS is not much different than Windows, and with similar problems.

 

In other words, there all about equal, just different issues.

 

I'm glad you got it working. Hopefully folks will find this thread if they search the right keywords... It comes up in Google at least.

 

Peace,

Gary

 

Answer 96

Hi Gary,

I am aware of the issues with Apple computers, but I don't want to get into a Windows vs. Mac discussion here. Suffice it to say that friends and relatives of mine using Mac's are never tikkering, hacking, and fixing their OS nearly as much as I am. And they seem very happy about that!

Thanks!

Jim

Answer 97

Wow What a workaround. Wel done.

However, I am unable to do this for some reason. I would be really, really, grateful if someone could help me.

I reinstalled last week due to the same errors.  It also stopped my schedular from working correctly (backups too) aswell as event viewer.

Please help.

I have copied the txt's above as a txt file, into the dir C:win:temp. (as you have done)

However even though I am using run as Admin, it says file not found. (what have I done wrong? )


I typed: cd\ windows.

C: dir>temp>reset.cmd.

Nothing...

I'm not sure if I am doing this correctly at all.

Could someone please put me in the right direction?

I have tried and tried, but I'm getting nowhere.

I certainly don't want to have to format again.

Thanks very much in advance for any help you can give me.

Answer 98

EDIT:

I have managed to run the command but have the following error txt output:
-------------------------------------------
30 September 2008 14:38:58
----Configuration engine was initialized successfully.----

----Reading Configuration Template info...


----Configure User Rights...
        SeImpersonatePrivilege must be assigned to administrators. This setting is adjusted.
        SeImpersonatePrivilege must be assigned to SERVICE. This setting is adjusted.
    Configure S-1-5-19.
    Configure S-1-5-20.
    Configure S-1-5-32-544.
    Configure S-1-5-32-551.
    Configure S-1-5-32-559.
    Configure S-1-5-32-545.
    Configure S-1-1-0.
    Configure S-1-5-6.
    Configure S-1-5-21-4223068241-1154151717-3306758368-501.
    Configure S-1-5-32-555.

    User Rights configuration was completed successfully.


----Configure Group Membership...
    Configure Users.

    Group Membership configuration was completed successfully.


----Configure Registry Keys...
    Configure users\.default.
    Configure machine\software.
Warning 1336: The access control list (ACL) structure is invalid.
     Error setting security on machine\software\Audible.

    Configuration of Registry Keys was completed with one or more errors.


----Configure File Security...
    Configure c:\program files\common files\speechengines\microsoft\tts.
Warning 2: The system cannot find the file specified.
     Error setting security on c:\program files\common files\speechengines\microsoft\tts.
    Configure c:\programdata\microsoft\windows\drm.
    Configure c:\programdata\microsoft\windows\drm\cache.
    Configure c:\windows\repair\default.
Warning 3: The system cannot find the path specified.
     Error setting security on c:\windows\repair\default.
    Configure c:\windows\repair\ntuser.dat.
Warning 3: The system cannot find the path specified.
     Error setting security on c:\windows\repair\ntuser.dat.
    Configure c:\windows\repair\sam.
Warning 3: The system cannot find the path specified.
     Error setting security on c:\windows\repair\sam.
    Configure c:\windows\repair\security.
Warning 3: The system cannot find the path specified.
     Error setting security on c:\windows\repair\security.
    Configure c:\windows\repair\software.
Warning 3: The system cannot find the path specified.
     Error setting security on c:\windows\repair\software.
    Configure c:\windows\repair\system.
Warning 3: The system cannot find the path specified.
     Error setting security on c:\windows\repair\system.
    Configure c:\windows\system32\wbem\mof.
    Configure c:\windows\system32\windows media.
Warning 2: The system cannot find the file specified.
     Error setting security on c:\windows\system32\windows media.

    File Security configuration was completed successfully.


----Configure General Service Settings...
    Configure sysmonlog.
Error 1060: The specified service does not exist as an installed service.
     Error opening sysmonlog.
    Configure SamSs.
    Configure ntmssvc.
Error 1060: The specified service does not exist as an installed service.
     Error opening ntmssvc.
    Configure netddedsdm.
Error 1060: The specified service does not exist as an installed service.
     Error opening netddedsdm.
    Configure netdde.
Error 1060: The specified service does not exist as an installed service.
     Error opening netdde.
    Configure dmserver.
Error 1060: The specified service does not exist as an installed service.
     Error opening dmserver.
    Configure clipsrv.
Error 1060: The specified service does not exist as an installed service.
     Error opening clipsrv.
    Configure Browser.

    General Service configuration was completed successfully.


----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


----Configure Security Policy...
    Configure password information.
    Administrator account is disabled.
    Guest account is disabled.

    System Access configuration was completed successfully.
    LSA anonymous lookup names setting : existing SD = DD;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS)(A;;0x1000;;;S-1-5-17).
    Configure LSA anonymous lookup setting.
    Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
    Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
    Configure machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
    Configure machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon.
    Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
    Configure machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
    Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
    Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
    Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
    Configure machine\software\microsoft\windows\currentversion\policies\system\scforceoption.
    Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
    Configure machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon.
    Configure machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled.
    Configure machine\system\currentcontrolset\control\lsa\auditbaseobjects.
    Configure machine\system\currentcontrolset\control\lsa\crashonauditfail.
    Configure machine\system\currentcontrolset\control\lsa\disabledomaincreds.
    Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
    Configure machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy\enabled.
    Configure machine\system\currentcontrolset\control\lsa\forceguest.
    Configure machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
    Configure machine\system\currentcontrolset\control\lsa\limitblankpassworduse.
    Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
    Configure machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec.
    Configure machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec.
    Configure machine\system\currentcontrolset\control\lsa\nolmhash.
    Configure machine\system\currentcontrolset\control\lsa\restrictanonymous.
    Configure machine\system\currentcontrolset\control\lsa\restrictanonymoussam.
    Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
    Configure machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive.
    Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
    Configure machine\system\currentcontrolset\control\session manager\protectionmode.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
    Configure machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess.
    Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
    Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
    Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
    Configure machine\system\currentcontrolset\services\ldap\ldapclientintegrity.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel.
    Configure machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel.

    Configuration of Registry Values was completed successfully.
    Configure log settings.

    Audit/Log configuration was completed successfully.


----Configure available attachment engines...

    Configuration of attachment engines was completed successfully.


----Un-initialize configuration engine...


Does anybody know what I can do?

Can anyone help?

Kind Regards

Answer 99

muchas gracias, problema solucionado

 

Answer 100

Hi Thanks for that, I applied all the steps but still no event viewer working. The WMI is also not running in task manager amongst other things. MY PC reboots fine and everything else seems to be working OK apart from the Windows programs Event Viewer, Reliability and Performance monitor and Generate a System Health Report.. Disk Defrag is fine.. I am now going to try System Restore back to when I know my system was healthy. If that does not work then I will try to restore from my backup.. if that does not work I will go back to putting XP Pro back on my new Laptop as I really can't be arsed trying to sort MS windows Vista problems.. will wait about 1 year and then try again..

 

Answer 101

Hey SOMEONE1

 

Your suggestion has worked for me.. after I rebooted my system.. Event Viewer is now working... and all my other parts of my OS.

 

So to anyone out there who needs to change the access permissions and rename or delete windows system folders just download unlocker. forget all the other suggestions regarding ERD COMMANDER (its an XP only app), UAC, rename in SAFE Mode... etc etc They did not work for me. Access Permissions always prevented me from doing anything to the RTBackup folder or any file within it.

 

I also ran the script posted on page 1 but still did not work.. So I was about to give up..

 

The lesson I have learnt from all this is probably to start at the end of the forum posts and work your way back.. Microsoft you have wasted hours of our time on this problem and I have only just purchased my new laptop Oct 2008 and the problem in Vista is still there.. The source of the grief for me began when I played with UAC control and/or reset permissions on my C: root directory after using Vista's file transfer feature to port my files from my old Laptop.

 

Now who was it who said never bother to upgrade any MS O/S because it will always cause you problems. Always best to start with a clean install and I suggest don't consider using File Transfer in Vista to pull files out from XP. If you look at what Vista does it creates a mesh of old XP programs (which I have not yet installed on the new machine) and the new vista programs in one program directory..Yuk the same applies to data files. You will then spend hours of time working out what access permissions you should or should not change.in order to erase files you don't want. it actually brought across the Admin account permissions from my old laptop. Maybe I am missing the point here but if your going to pull files across to a new PC, better to inherit the admin rights of the new PC.. will save quite a bit of agro. Having said all that I commend MS for making Vista very secure against being able to easily delete system files.. and UAC is obviously included to prevent dumb asses from destroying their O/S.. My only other problem I need to resolve is getting IE  history to work.. which is where I was 3 days ago before all this blew up in my face..

 

Have checked my Event Viewer log.. it has obviously been busy tracking all the problems I have experienced

Log Name:      Microsoft-Windows-Diagnostics-Performance/Operational
Source:        Microsoft-Windows-Diagnostics-Performance
Date:          27/09/2008 10:31:39 p.m.
Event ID:      100
Task Category: Boot Performance Monitoring
Level:         Critical
Keywords:      Event Log
User:          LOCAL SERVICE
Computer:      scooby-PC
Description:
Windows has started up:
     Boot Duration  : 226042ms
     IsDegradation  : true
     Incident Time (UTC) : 27/09/2008 10:27:21 a.m.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Diagnostics-Performance" Guid="{cfc18ec0-96b1-4eba-961b-622caee05b0a}" />
    <EventID>100</EventID>
    <Version>1</Version>
    <Level>1</Level>
    <Task>4002</Task>
    <Opcode>34</Opcode>
    <Keywords>0x8000000000010000</Keywords>
    <TimeCreated SystemTime="2008-09-27T10:31:39.898Z" />
    <EventRecordID>70</EventRecordID>
    <Correlation ActivityID="{00000000-B6C8-0000-8B23-2CA08B20C901}" />
    <Execution ProcessID="2036" ThreadID="1892" />
    <Channel>Microsoft-Windows-Diagnostics-Performance/Operational</Channel>
    <Computer>scooby-PC</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="BootTsVersion">2</Data>
    <Data Name="BootStartTime">2008-09-27T10:27:21.656Z</Data>
    <Data Name="BootEndTime">2008-09-27T10:31:35.795Z</Data>
    <Data Name="SystemBootInstance">21</Data>
    <Data Name="UserBootInstance">3</Data>
    <Data Name="BootTime">226042</Data>
    <Data Name="MainPathBootTime">168742</Data>
    <Data Name="BootKernelInitTime">20</Data>
    <Data Name="BootDriverInitTime">14969</Data>
    <Data Name="BootDevicesInitTime">7406</Data>
    <Data Name="BootPrefetchInitTime">32479</Data>
    <Data Name="BootPrefetchBytes">192364544</Data>
    <Data Name="BootAutoChkTime">0</Data>
    <Data Name="BootSmssInitTime">20441</Data>
    <Data Name="BootCriticalServicesInitTime">5371</Data>
    <Data Name="BootUserProfileProcessingTime">906</Data>
    <Data Name="BootMachineProfileProcessingTime">10</Data>
    <Data Name="BootExplorerInitTime">10854</Data>
    <Data Name="BootNumStartupApps">18</Data>
    <Data Name="BootPostBootTime">57300</Data>
    <Data Name="BootIsRebootAfterInstall">false</Data>
    <Data Name="BootRootCauseStepImprovementBits">8</Data>
    <Data Name="BootRootCauseGradualImprovementBits">0</Data>
    <Data Name="BootRootCauseStepDegradationBits">13632000</Data>
    <Data Name="BootRootCauseGradualDegradationBits">13632000</Data>
    <Data Name="BootIsDegradation">true</Data>
    <Data Name="BootIsStepDegradation">true</Data>
    <Data Name="BootIsGradualDegradation">true</Data>
    <Data Name="BootImprovementDelta">0</Data>
    <Data Name="BootDegradationDelta">42060</Data>
    <Data Name="BootIsRootCauseIdentified">true</Data>
  </EventData>
</Event>

 

Anybody fancy making sense of all the above...

Answer 102

Thanks, I couldn't be bothered to try out the suggestions on the first page, so I came to the fifth page (just luck). I saw your simple method and gave it a go. SP1 installed! And event log works! You are awesome! I must say though, sitting and waiting for SP1 to install and then wait in despair while it uninstalled after is just plain boring.
Also, every program that is useful is some way gets to stay on my system, and Unlocker is staying!
Thanks again for the useful help (and simple/non-boring/quick)

Answer 103

I had this very same issue. Could not open event viewer nor instal sp1. I had run an ownership command accidently on the entire windows directory. I could not delete or fix it with any of the directions here, though Im sure they work I simply do not have enough patience to do them right. I did however figure something out that did work. Went into RTBackup/Properties/Security. Sure enough SYSTEM was not in the Group or users name. I clicked edit then click add and wrote in SYSTEM gave it full control and rebooted. Everything works and SP1 installed without a hitch.
  Without this thread I never would have found the right file. Thanks!

Answer 104

I couldn’t get Windows Vista Service Pack 1 to instal on my computer. The service pack would install through the 3 steps, but it would fail at the last minute and revert. I was getting the Event Log error 4201, which means that it can’t start the Event Log. I used the solution above by doing these steps:

1. Navigate to C:\Windows\System32\LogFiles\WMI\RtBackup 
   
2. Right-click on RtBackup and select Properties > Security 
   
3. In the list of “Group or user names” is “SYSTEM” listed? 
   
4. If not, click Edit > Add . . . and type in “SYSTEM” in the dialog box and click OK. 
   
5. Restart your computer and try installing Windows Vista Service Pack 1 again.
   

This worked for me. I bloged about it (http://www.bloomingthorn.com/pages/read/instal-error-with-windows-vista-service-pack-1/)

Answer 105

Some1 wrote:

Try this: http://ccollomb.free.fr/unlocker/   It worked for me. Note that if you are using UAC, you have to set "Run as administrator" on "Compatibility" tab for file C:\Program Files\Unlocker\Unlocker.exe   After installing and setting compatibility mode mentioned above, just go to C:\Windows\System32\LogFiles\WMI, right-click on "RtBackup", select "Unlocker", select "Rename" from drop-down list, type e.g. "RtBackup.bak" and click "OK" twice.   I hope it would work for you.

Use Unlocker to rename the RtBackup folder to RtBackup.bak. It will ask for a restart, and after that there should be two things in the WMI folder, RtBackup (folder) and RtBackup.bak. The Vista SP1 installation should work now.
It just shows how useful trailing through old posts is...

Answer 106

This forum has offered exceptionally useful information.  I wound up here when i was trouble shooting a Sierra Wireless air card that had recently been working properly on Vista Home Prem - which did have SP1.  Someone rebuilt the machine and then the card would not work at all; not in the Watcher software and nor could I set up DUN. Interestingly, even though the air card modem and the internal fax modem showed up in Device Man as functioning properly, when i tried to set up DUN in Vista, it did not find any modems.  I went to Event Viewer and discovered that i could not start the service - and thus noticed the 4201 error message.  After trying a few other the other suggestions in this thread i downloaded Mr. Collomb's Unlocker and followed the instructions above.  It worked perfectly.  Upon reboot, Event Viewer was back in action and the air card worked immediately; both in DUN and in the Watcher software. Thanks to all - especially Mr. C. 

 

Cary M

Answer 107

thanks, gary. i had the same sp1 install as everyone else. i searched for days for an answer. finally found this linked in another site forum. sp1 installed with no problems after following your instructions. microsoft had nothing i could find on their site. apparently they don't think it's worth the time. my computer is now running well and none of the glitches left after it reverted from the many attempts to install.

Answer 108

 

 

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f

Marvelles !

Small point to be added: If the user's system is run in an other langueage than english, s/he  should run a "search and replace" where "administrators" is replaced by native term, e.g. German: administratoren or Danish: administratorer .

Otherwhise the script won't run.

As soon as I figures that one out, this worked as a charm. I'll buy you a pint, if you get to Copenhagen :-)

Answer 109

I researched several forums and none of the suggestions worked.  So I compared the folder permissions to c:\windows\system32\logfiles\wmi\RTbackup to a working machine.  Navigate to RTbackup properties and check security settings.  It requires SYSTEM - full control.  I added this permission and rebooted PC to fix the issue.  I can now access my event viewer.

Answer 110

I was getting a similar error when trying to view system log in windows vista. It wasn't logging anything for system. Was telling me to check to make sure event service was running. I checked and it was "windows event service". Went back to event viewer and cleared log, viola, it started logging events. Strange........

Answer 111

We have experienced the same issue on a fresh Windows 7 Enterprise installation too. For us, deleting the folder actually didn't work.

Answer 112

I researched several forums and none of the suggestions worked.  So I compared the folder permissions to c:\windows\system32\logfiles\wmi\RTbackup to a working machine.  Navigate to RTbackup properties and check security settings.  It requires SYSTEM - full control.  I added this permission and rebooted PC to fix the issue.  I can now access my event viewer.

Worked like a charm for me in Windows 7, I had the same issue on two PC's, seems that taking ownership of said folder messed up the permissions, so manually re adding system with full permissions worked for me.

Great work seubanks!

Answer 113

Worked for me on Windows 7 Pro. I had the same situation where I needed to take ownership of some directories and subs., and then lost the event veiwer. Just find that file and give System full control and reboot. Worked like a charm. I could not find this anywhere else on the net and was ready to re-install.

Thanks to seubanks---great job!!

Can anyone tell me what the problem is here, and why this works?

Harry.

Answer 114

I also had taken ownership of Windows and have run into a handful of problems.  My Event Viewer symptom was only prohibiting the Security logs.  But the fix for rtbackup as SYSTEM  control fixed things up! Yea!  

One problem down... at least 3 or 4 to go.  sad and happy...

[win 7 ultimate not upgrade...brand new]
 
too bad windows can't let user know in an alert style that a critical service is not running. That would be a start to solving this fluky symptoms.    I suppose that's not so easy a task tho. 

Answer 115

Hi all,

I have been using Windows 7 Professional for one month and

Deleting the directory

C:\Windows\System32\LogFiles\WMI\RtBackup

and rebooting, as mentioned some of the above posts, solved my problem too. Many thanks for this good and valuable advice. 

I have recognized the problem while checking the backup of SQL 2008 databases. I saw that recent backup was made 2 days ago although it should be done everyday.
First of all, I went to check SQL Server Agent Service and it was stopped. I tried to start more than 3 times but it was not starting. I decided to check Event Logs after unsuccessful attempts.

Ooops!.. I have  got the same issue at that time. Some other services including SQL Server Agent also that depend on Windows Event Log were stopped at that time...

Thanks again...