Event Viewer Troubleshooting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting

What problem are you having?

  • When viewing an event in a saved event log on a remote computer, you are unable to view the Description or Category fields in the properties dialog box. Instead of a description in the Description field, you see an error message, or instead of a category in the Category field, you see a number.

  • When viewing an event in the details pane, you see a globally unique identifier (GUID) or security ID (SID) in the User field. You should see a user name.

  • You are unable to view the Security log, but can view other logs.

  • You are able to view the Security log, but are unable to view other logs.

  • You cannot access the Computer Management extension snap-ins on a remote computer.

When viewing an event in a saved event log on a remote computer, you are unable to view the Description or Category fields in the properties dialog box. Instead of a description in the Description field, you see an error message, or instead of a category in the Category field, you see a number.

Cause:  Event Viewer obtains event description and category information from the computer that contains the log. The event log might have been copied from the computer on which it was generated, to another computer, on which the service that logged these events is not installed.

Solution:  Open Event Viewer from the command line using mmc.exe, and use the **/auxsource=**computername parameter. The **/auxsource=**computername parameter enables Event Viewer to obtain the information about events from a computer on which the event log service is installed. This can be the computer that generated the log or another computer on the network. You can use the **/auxsource=**computername parameter on computers running a Windows XP or later operating system. To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

Syntax

**mmc.exe X:\WINDOWS\system32\eventvwr.msc /auxsource=**computername

Where X:\WINDOWS\System32 is the default path to eventvwr.msc, and X is the drive where Windows is installed.

Note

  • To run a command-line utility, click Start, and then click Run. In the Open box, enter the command-line utility and parameters, and then click OK.

  • If category information is not available, you will also see a number instead of text in the Category field in the Event Viewer details pane for an event listing.

See also:  Mmc; Managing event logs from the command line

Cause:  You are attempting to view a log on a remote computer and are not a member of the Administrators group, or have not been delegated the appropriate authority on the remote computer.

Solution:  To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

You might also be able to obtain the same information from a different computer on your network. To do this, run Event Viewer at a command prompt (Eventvwr.msc) with the **/auxsource=**ComputerName parameter. You can use this parameter to enable Event Viewer to obtain information from a computer on which the service is installed. This can be either the computer that generated the log or another computer on the network.

Cause:  You are attempting to view a log on a remote computer and the Remote Registry service on the remote computer is stopped. If the remote computer is running a Windows XP or later operating system, the Remote Registry service must be started for you to be able to see the Description or Category fields in the property page for an event log.

Solution:  On the remote computer, start the Remote Registry Service. You can manage the Remote Registry service through the Services and Applications snap-in in Computer Management.

To start the Remote Registry service

  1. In Computer Management, verify that you are in the console for the remote computer.

  2. In the console tree, under Services and Applications, click Services.

  3. In the details pane, double-click Remote Registry.

  4. In the General tab, under Service status, click Start. Click OK.

You might also be able to obtain the same information from a different computer on your network. To do this, run Event Viewer at a command prompt (Eventvwr.msc) with the **/auxsource=**ComputerName parameter. You can use this parameter to enable Event Viewer to obtain information from a computer on which the service is installed. This can be either the computer that generated the log or another computer on the network.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • This parameter is available on computers running Windows XP or a product in the Windows Server 2003 family.

See also:  Remote Administration; Computer Management; Microsoft Management Console

When viewing an event in the details pane, you see a globally unique identifier (GUID) or security ID (SID) in the User field. You should see a user name.

Cause:  The computer on which you are running Event Viewer is unable to translate the GUID or SID into the user name.

Solution:  Run Event Viewer on the computer on which the event log was generated.

Cause: The user account referenced by the event has been deleted.

Solution:  You will not be able to retrieve this information through Event Viewer.
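The two causes above can be told apart by attempting the translation yourself. The following is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later on the computer doing the lookup, and the function name Resolve-EventSid and all sample values are constructed for illustration.

```powershell
# Added example: translate values copied from the User field of an event.
# Resolve-EventSid is a hypothetical helper name, not a built-in cmdlet.
function Resolve-EventSid {
    param([Parameter(Mandatory = $true)][string]$Sid)

    $result = [pscustomobject]@{ Sid = $Sid; Account = $null; Status = $null }

    # A GUID or any other non-SID string fails to parse as a SID.
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    } catch {
        $result.Status = 'NotASid'
        return $result
    }

    # Translate() asks this computer (and its domain, if joined) for the name.
    try {
        $result.Account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        $result.Status  = 'Resolved'
    } catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Security.Principal.IdentityNotMappedException]) {
            # Either this computer cannot see the account's authority,
            # or the account has been deleted.
            $result.Status = 'NotMappedHere'
        } else {
            $result.Status = 'LookupFailed: ' + $inner.Message
        }
    }
    return $result
}

# Constructed sample input: two well-known SIDs, one made-up account SID,
# and one made-up GUID string.
$samples = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-21-1111111111-2222222222-3333333333-1001',
    '{00000000-1111-2222-3333-444444444444}'
)
$samples | ForEach-Object { Resolve-EventSid -Sid $_ } | Format-Table -AutoSize
```

A SID that reports NotMappedHere on your workstation but resolves when the same function is run on the computer that generated the log matches the first cause; one that fails in both places is consistent with a deleted account.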

You are unable to view the Security log, but can view other logs.

Cause:  You are not a member of the Administrators group, or have not been delegated the appropriate authority on the target computer.

Solution:  To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

See also:  Use the Security Log

You are able to view the Security log, but are unable to view other logs.

Cause:  Your account has been added to the Guests group on the target computer, and is also a member of the Administrators group.

Solution:  Remove your account from the Guests group on the target computer:

  1. Open Computer Management. If the target computer is a remote computer, right-click Computer Management (Local), and then click Connect to another computer.

  2. Under Local Users and Groups, click Groups.

  3. In the details pane, double-click Guests.

  4. Select the account, and then click Remove.

  5. Click OK.

Notes

  • This problem typically develops when an administrator adds a group containing a broad category of users (such as the Everyone, INTERACTIVE, or Authenticated Users group) to the Guests group.

  • By default, members of the Guests group are explicitly denied access to resources such as event logs. Therefore, avoid adding groups containing users with administrative privileges to the Guests group.

  • You might need to log off, and then log back on for these changes to take effect.

See also:  Connect to another computer in Event Viewer.
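The condition described in this section can be checked before opening Computer Management. The following is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later, the English group names Guests and Administrators, and sufficient rights to read local groups on the target computer. The function names are hypothetical.

```powershell
# Added example: flag Guests members that explain the "Security log only" symptom.
# Get-GroupMemberSid and Test-GuestsConflict are hypothetical helper names.
function Get-GroupMemberSid {
    param([string]$Computer = $env:COMPUTERNAME,
          [Parameter(Mandatory = $true)][string]$Group)

    # The WinNT ADSI provider lists direct members of a local group.
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        $t     = $m.GetType()
        $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $path  = $t.InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier `
                     -ArgumentList ([byte[]]$bytes), 0
        [pscustomobject]@{ Sid = $sid.Value; Path = $path }
    }
}

function Test-GuestsConflict {
    param([string]$Computer = $env:COMPUTERNAME)

    # Well-known SIDs of the broad groups named in the notes above.
    $broad = @{
        'S-1-1-0'  = 'Everyone'
        'S-1-5-4'  = 'INTERACTIVE'
        'S-1-5-11' = 'Authenticated Users'
    }
    $guests = @(Get-GroupMemberSid -Computer $Computer -Group 'Guests')
    $admins = @(Get-GroupMemberSid -Computer $Computer -Group 'Administrators' |
                ForEach-Object { $_.Sid })

    foreach ($g in $guests) {
        if ($broad.ContainsKey($g.Sid)) {
            # Every administrator is also covered by these groups.
            [pscustomobject]@{ Computer = $Computer; Member = $broad[$g.Sid]
                               Finding = 'BroadGroupInGuests' }
        } elseif ($admins -contains $g.Sid) {
            [pscustomobject]@{ Computer = $Computer; Member = $g.Path
                               Finding = 'AlsoInAdministrators' }
        }
    }
}

# No output means no direct conflict was found on the target computer.
Test-GuestsConflict -Computer $env:COMPUTERNAME | Format-Table -AutoSize
```

Only direct members are compared; an account that reaches Guests through a nested domain group is not expanded by this check.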

You cannot access the Computer Management extension snap-ins on a remote computer.

Cause:  The Remote Registry service is not running on the remote computer.

Solution:  Ensure that the Remote Registry service is started on the remote computer. For more information, see Start, stop, pause, resume, or restart a service. You need appropriate permissions on the remote computer to start the service.

Note

  • You might also receive this error message if the remote computer is running Windows 95. Computer Management does not support remote access to computers that are running Windows 95.