3

Why does the output of logparser show

"The description for Event ID 203 in Source "Microsoft-Windows-StorageSpaces-Driver" cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer"

in the message field when exporting an EVTX file to CSV? And is there a fix for this?

1 Answer

1

All the messages you normally see in the Windows Event Viewer are actually format strings stored in DLLs and other binary files that come with the service that logged the event.

For example, when service XYZ wants to log "Cannot connect to 192.168.0.5" to the event viewer, it really logs something like "8843,'192.168.0.5'", where "8843" is the ID of a string that is to be found in a binary registered by service XYZ with the Windows Service Manager; the string would look something like "Cannot connect to %1".

Any application that wishes to report the same strings then needs the ability to access the binaries registered with the Windows Service Manager; oftentimes these binaries cannot be found, for example because the service has been uninstalled, or because the event log has been exported out of its original host, or simply because the application doesn't have privileges to open the binaries.

In your particular case, if you're running LogParser on the same host as the event log, it could be that you need to run as administrator. Also, it could be that the DLLs themselves are long gone - can you see the actual message of that event when you look for it in the Event Viewer?

Gabriele Giuseppini
  • Thank you for the reply. I exported the evtx files from another server and am looking at them on my win10 machine. I can open the exported evtx files on my machine and I do see the messages properly. I just see "Microsoft-Windows-StorageSpaces-Driver" cannot be found...." when I convert the evtx file to csv with logparser.exe. – James L Gandy II Jul 21 '18 at 18:02
  • It's entirely possible then that since LogParser was last shipped (2006), some Windows-specific event sources - like "Microsoft-Windows-StorageSpaces-Driver" - no longer follow the same mechanism as other services. – Gabriele Giuseppini Jul 22 '18 at 17:09
  • Ok. I understand. Is there a way to get this to work? Do I need to load a dll or something? – James L Gandy II Jul 23 '18 at 13:44
  • Well, it would help to know whether LogParser is able to resolve the message when running on the server itself, against the event log directly (not against the evtx files). Could you try that? – Gabriele Giuseppini Aug 06 '18 at 16:54
  • I tried to read the log on a server with the role installed but I get the same message. So it's not reading it from what I can tell on the server with the S2D role installed. Weird, huh? – James L Gandy II Aug 09 '18 at 22:44
  • Then probably it's a new EventSource registration mechanism not supported by LogParser. Sorry about that! – Gabriele Giuseppini Aug 10 '18 at 17:42
  • Would having the MTA data help with this issue? – James L Gandy II Dec 13 '18 at 17:18
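
An added example, not part of the original thread: a PowerShell check for the mechanism the answer describes, using the built-in `Get-WinEvent` cmdlet instead of LogParser. It looks up the format strings registered for the provider on the local machine, then exports the EVTX to CSV while keeping each event's raw insertion values, so a row stays usable for triage even when no template is found. The file paths are placeholders, and whether `Get-WinEvent` resolves this provider's messages on a given machine is an assumption to verify, not something the thread confirms.

```powershell
# Added example (not from the thread). The two paths below are placeholders.
param(
    [string]$EvtxPath = 'C:\Temp\exported.evtx',
    [string]$CsvPath  = 'C:\Temp\exported.csv',
    [string]$Provider = 'Microsoft-Windows-StorageSpaces-Driver',
    [int]$EventId     = 203
)

# 1. Is the provider registered on this machine, and which binary holds
#    its message strings?
$meta = Get-WinEvent -ListProvider $Provider -ErrorAction SilentlyContinue
if ($meta) {
    "Message file: $($meta.MessageFilePath)"
    # The stored format string(s) for this event ID, with %1, %2, ... placeholders.
    $meta.Events | Where-Object Id -eq $EventId |
        Select-Object Id, Version, Description | Format-List
} else {
    "Provider '$Provider' is not registered here; its templates cannot be resolved locally."
}

# 2. Export to CSV. Each record carries only the event ID plus insertion values;
#    Message is filled in only if the template lookup succeeds.
Get-WinEvent -Path $EvtxPath -ErrorAction Stop | ForEach-Object {
    $raw = ($_.Properties | ForEach-Object { $_.Value }) -join ' | '
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Provider    = $_.ProviderName
        Level       = $_.LevelDisplayName
        Message     = if ($_.Message) { $_.Message } else { '<template not found>' }
        RawValues   = $raw   # the values that would be substituted for %1, %2, ...
    }
} | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
```

Rows marked `<template not found>` still carry the event ID and `RawValues`, which is the data the event record actually stores.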