0

I wrote a utility that allows me to view EventLog messages, filtering on their types, when they were written, etc.

I see that I have had the following entry a gazillion times (give or take a few) in the last several months/since I purchased my laptop:

Type: Error
Source: WinMgmt
Time Generated: 06/11/2012 20:55:00
Message: The description for Event ID '-1073741814' in Source 'WinMgmt' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'//./root/CIMV2', 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99', '0x80041003'
Machine Name: MuleheadedAsteroid

Does anybody know how I might respond to such an err msg to get to the bottom of the problem?

B. Clay Shannon-B. Crow Raven

1 Answer

1

You're asking two questions, here. First, why is the event log entry not formatting correctly? (You're seeing the arguments to the message, but not the fully formatted message.) First, we'll work on fixing the message.

Seems like a corrupt registry, or a missing message file dll.

Check to make sure these registry entries exist, and point to the correct place:

1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt

Name:  ProviderGuid
Type:  REG_EXPAND_SZ
Value: {1edeee53-0afe-4609-b846-d8c0b2075b1f}

2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}

Values present:

Name:  MessageFileName
Type:  REG_EXPAND_SZ
Value: %SystemRoot%\system32\wbem\WinMgmtR.dll

Name:  ResourceFileName
Type:  REG_EXPAND_SZ
Value: %SystemRoot%\system32\wbem\WinMgmtR.dll

3) Lastly, verify the existence of WinMgmtR.dll at %SystemRoot%\system32\wbem\WinMgmtR.dll


Second, what is the event log trying to tell us? I googled for the error code, 0x80041003. This immediately took me to discussions about trying to query WMI with insufficient permissions, and in particular, a KB article:

Event ID 10 is logged in the Application log after you install Windows Vista Service Pack 1 or Windows Server 2008

You'll notice that MS's example query is pretty much identical to yours. So, it seems something is running and querying WMI without enough permission to do so.

MS provides a script to stop entries from appearing in the resolution portion of the KB article.

Lynn Crumbling
  • Thanks! Great answer - I don't care whether people say your name conjures up images of the demolition of a Massachusetts Textile mill. – B. Clay Shannon-B. Crow Raven Jun 12 '12 at 15:59
  • Hah. Awesome. Did you end up having to recreate entries in the registry to get the error message formatting correctly? – Lynn Crumbling Jun 12 '12 at 16:55
  • Everything was as it should have been, except the value in that first registry setting, which I changed. I'll check now to see whether I'm still getting that same err msg. – B. Clay Shannon-B. Crow Raven Jun 13 '12 at 02:28
  • I shut down, restarted, ran my util, and still get the same exact err msg. BTW, Windows 7 stinks in comparison with XP. No wonder every company I know of has stuck with XP, even though it's older than my grandpa (in dog years). I hate the Search "functionality" and the new look of Explorer and how the "Most Recent Documents" is gone or hidden. For starters. – B. Clay Shannon-B. Crow Raven Jun 13 '12 at 02:45
  • So the message still isn't formatting correctly, plus running MS' script (in the kb article) didn't fix it? – Lynn Crumbling Jun 13 '12 at 16:01
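
The three checks listed in the answer above, as a read-only PowerShell script. This is an added example, not part of the original answer and not the script from Microsoft's KB article; the expected values are the ones the answer gives, `Get-RawValue` is a hypothetical helper name, and the last lines assume the standard Windows event-identifier layout in which the low 16 bits hold the event code.

```powershell
# Added example: read-only check of the three items listed in the answer.
# Expected values are copied from the answer; nothing is written to the registry.
$srcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt'
$guid   = '{1edeee53-0afe-4609-b846-d8c0b2075b1f}'
$pubKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\$guid"
$dllRaw = '%SystemRoot%\system32\wbem\WinMgmtR.dll'

# Hypothetical helper: returns the unexpanded REG_EXPAND_SZ data,
# or $null when the key or the value is missing.
function Get-RawValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    return $key.GetValue($Name, $null, $opt)
}

$results = @()

# 1) The event source must point at the publisher GUID.
$results += New-Object psobject -Property @{
    Check = 'ProviderGuid'; Expected = $guid
    Actual = (Get-RawValue $srcKey 'ProviderGuid') }

# 2) The publisher key must name the message and resource DLL.
foreach ($name in 'MessageFileName', 'ResourceFileName') {
    $results += New-Object psobject -Property @{
        Check = $name; Expected = $dllRaw
        Actual = (Get-RawValue $pubKey $name) }
}

# 3) The DLL itself must exist once %SystemRoot% is expanded.
$dllPath = [Environment]::ExpandEnvironmentVariables($dllRaw)
$results += New-Object psobject -Property @{
    Check = 'WinMgmtR.dll on disk'; Expected = 'True'
    Actual = "$(Test-Path -LiteralPath $dllPath)" }

# A missing value shows up as an empty Actual column and OK = False.
$results |
    Select-Object Check, Expected, Actual,
        @{ Name = 'OK'; Expression = { $_.Expected -ieq $_.Actual } } |
    Format-Table -AutoSize

# The ID in the question is a signed 32-bit event identifier. Its low 16 bits
# are the event code, which is how it relates to the "Event ID 10" KB title.
$rawId = -1073741814
'{0} = 0x{0:X8}, event code {1}' -f $rawId, ($rawId -band 0xFFFF)
```

Any row with `OK` = False marks the registry value or file to compare against a known-good machine before changing anything.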