I have been searching the web and cannot seem to find a good answer on this.
I sort of understand the cause but need some help on the solution.
I use the following command to export Windows system logs. I want/need them to be in evtx format for later use.
wevtutil epl system c:\SystemEvents.evtx
The goal is to send them to other people who will not be viewing them on the same server.
This of course causes the full event text not to be part of the exported log, and the user will see something like this:
The description for Event ID XXX from source Server Administrator
cannot be found. Either the component that raises this event is not
installed on your local computer or the installation is corrupted. You
can install or repair the component on the local computer.
If the event originated on another computer, the display information
had to be saved with the event.
The following information was included with the event:
I was reading this page:
http://technet.microsoft.com/en-us/library/cc749339%28WS.10%29.aspx
and found this snip of info in it:
To troubleshoot events that were logged on a remote computer, you must
export and archive the log with the display information. The display
information for the saved events is stored in the LocaleMetaData
folder and should be moved with the log information when the
information is viewed on another computer.
I do not understand what location (or process) this statement is referring to.
There is no LocaleMetaData folder anywhere on the server, so I am assuming that I need to somehow create and export some additional data along with the evtx file for it to then be re-merged on the viewing system.
Am I on the right track here, and could someone tell me how to fully export the event log with full verbose messages?
I found the answer:
When you use this:
wevtutil al <FileName.evtx> [/l:<LocaleString>]
to export, then in the location where the .evtx ends up there will be a LocaleMetaData folder created with the .MTA file inside.
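Putting the two wevtutil steps together, as an added example that is not part of the original answer: the script below exports a log, archives it with its locale metadata, verifies that a .MTA file appeared and zips both for transfer. The output folder, the locale and an elevated PowerShell 5+ session are assumptions.

```powershell
# Added example, not from the original answer: export a Windows event log and
# archive it so the display strings travel with the .evtx.
# Assumptions: elevated PowerShell 5+; $OutDir and $Locale are placeholders.
param(
    [string]$LogName = 'System',
    [string]$OutDir  = 'C:\EventExport',
    [string]$Locale  = 'en-US'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$evtx = Join-Path $OutDir "$LogName.evtx"

# Step 1: export the raw log (the same command as in the question; /ow:true
# overwrites a previous export of the same name).
& wevtutil.exe epl $LogName $evtx /ow:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil epl failed with exit code $LASTEXITCODE" }

# Step 2: archive the exported file. This creates a LocaleMetaData folder next
# to the .evtx containing a .MTA file with the locale-specific message text.
& wevtutil.exe al $evtx "/l:$Locale"
if ($LASTEXITCODE -ne 0) { throw "wevtutil al failed with exit code $LASTEXITCODE" }

# Step 3: confirm the metadata was produced. Without it the recipient sees
# "The description for Event ID ... cannot be found".
$metaDir = Join-Path $OutDir 'LocaleMetaData'
$mta = Get-ChildItem -Path $metaDir -Filter '*.MTA' -ErrorAction SilentlyContinue
if (-not $mta) { throw "No .MTA file found under $metaDir" }
"Archived display information: $($mta.FullName -join ', ')"

# Step 4: ship the .evtx and the LocaleMetaData folder together. Event Viewer
# only uses the .MTA when LocaleMetaData sits beside the .evtx it belongs to.
$zip = Join-Path $OutDir "$LogName-with-metadata.zip"
Compress-Archive -Path $evtx, $metaDir -DestinationPath $zip -Force
"Created $zip"
```

The recipient extracts the zip as-is, keeping LocaleMetaData next to the .evtx, and opens the .evtx in Event Viewer.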
Try this one out:
This explains the steps to use Event Viewer to export Windows event logs.
https://www.ibm.com/support/pages/exporting-windows-event-logs-event-viewer
Windows 8 has a feature: it can launch an application from the search panel (on the right side of the screen). It works as follows:
The developer registers his or her application following this instruction. It is a bit of a legacy instruction, but the project I participate in uses this way to register its settings.
At user logon Windows creates (if none exists) a special .xml file in C:\User\<UserName>\AppData\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalState\Indexed\Settings\en-US with the content shown below. This file has the extension settingscontent-ms.
As soon as the user clicks on this file, the system launches the specified application (actually explorer calls it, as I discovered with ProcMon).
XML file content:
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%Canonical name or application path%</DeepLink>
      <Icon>%App path%,-%Resource number%</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID>%GUID as in instruction above%</PageID>
      <HostID>{7E0522FC-1AC4-41CA-AFD0-3610417A9C41}</HostID>
      <Condition>shcond://v1#RegkeyExists;0;Regkey;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\%GUID as in instruction above%</Condition>
    </SettingIdentity>
    <SettingInformation>
      <Name>#%App path%,-%Resource number%</Name>
      <Description>#%App path%,-%Resource number%</Description>
      <HighKeywords>%App decription%</HighKeywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
We can see a node with the name HostID. Windows writes the GUID specified in code to this node, but it breaks the ability of my application to work. If I try to execute my app through this "shortcut" by clicking on the xml file or choosing my app in the search panel, the system shows me a message: "Unspecified error".
When I manually change the HostID value to {12B1697E-D3A0-4DBC-B568-CCF64A3F934D}, it starts to work fine.
I looked through the registry in order to find something about these two GUIDs, but I didn't find anything. Also I looked for the difference between the registry values corresponding to my app and to another, working, app and didn't find any significant differences either.
Also I tried to delete this file and log in to the system under ProcMon. I caught some moments: explorer tries to open the file and fails with ERROR_FILE_NOT_FOUND, explorer creates the missing file, reads the registry and writes something to the created file, then it closes the file. But I didn't find anything interesting in between these messages that could help me to solve my problem.
I found out that the registry key HKEY_CLASSES_ROOT\CLSID\%App GUID%\System.ApplicationName contains exactly the same as the DeepLink tag (it was the first error in my app: the specified key was empty), but the problem with the "wrong" HostID remains.
Does anyone know what it is and how to make Windows write the right GUID to this tag, or at least some useful info about this tag? I just can't imagine anything else to change, but I think that I need to change something in the registry keys corresponding to my app.
I found the solution: just put the app's GUID (the same as in PageID) into DeepLink.
To do this, you need to write this GUID as a string value to HKEY_CLASSES_ROOT\CLSID\%App GUID%\System.ApplicationName.
That's the solution. However, I haven't found the meaning of the HostID tag :(
Is there an easy way of generating a memory dump for a crashed application?
I have a situation in which the customer received code which is generating a crash. As the code itself has no signal handlers for backtrace generation on abort, I was wondering if there is an easy way of telling Windows to generate a memory dump of the crashing application.
The ideal solution wouldn't involve installing the debug tools (or modifying the code), but if this is not possible, it would be really helpful to know.
1) One simple way to dump memory when an application crashes is by using the Windows Task Manager.
Whenever an exception or an application error occurs, Windows pops up a dialog and shows the address location which was causing the crash. Before you click OK on the message box, open Task Manager, right-click on the crashed application and select Create Dump File. Take a look at the screenshot below.
(screenshot: Select the file)
2) Another way of generating user-mode dumps is by adding the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\application.exe
application.exe should be replaced by the name of the application under scanner.
Under this key the following values can be added:
DumpFolder
The path where the dump files are to be stored. If you do not use the default path, then make sure that the folder contains ACLs that allow the crashing process to write data to the folder.
For service crashes, the dump is written to service-specific profile folders depending on the service account used. For example, the profile folder for System services is %WINDIR%\System32\Config\SystemProfile. For Network and Local Services, the folder is %WINDIR%\ServiceProfiles.
DumpCount
The maximum number of dump files in the folder. When the maximum value is exceeded, the oldest dump file in the folder will be replaced with the new dump file.
DumpType
Specify one of the following dump types:
0: Custom dump
1: Mini dump
2: Full dump
CustomDumpFlags
The custom dump options to be used. This value is used only when DumpType is set to 0.
The options are a bitwise combination of the MINIDUMP_TYPE enumeration values.
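An added example (not from the original answer) that sets these four values for one application with PowerShell, prepares the dump folder's ACL as the answer requires, and reads the settings back. The executable name, dump folder and the account granted write access are placeholders, and an elevated PowerShell 5+ session is assumed.

```powershell
# Added example, not from the original answer: configure WER LocalDumps for one
# executable and read the settings back.
# Assumptions: elevated PowerShell 5+; $ExeName, $DumpFolder and $WriterAccount
# are placeholders for your own values.
param(
    [string]$ExeName       = 'MyApp.exe',
    [string]$DumpFolder    = 'C:\CrashDumps\MyApp',
    [string]$WriterAccount = 'BUILTIN\Users',   # account the crashing process runs as
    [int]   $DumpCount     = 5,
    [ValidateSet(0, 1, 2)][int]$DumpType = 2    # 0 custom, 1 mini, 2 full
)

$ErrorActionPreference = 'Stop'
$key = "HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\$ExeName"

# The folder must exist and be writable by the crashing process. Grant only that
# account: full dumps contain the process's memory, so keep the folder tight.
New-Item -ItemType Directory -Path $DumpFolder -Force | Out-Null
$acl  = Get-Acl -Path $DumpFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $WriterAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $DumpFolder -AclObject $acl

# Per-application subkey plus the four documented values (types as WER expects them).
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name DumpFolder -Value $DumpFolder -PropertyType ExpandString -Force | Out-Null
New-ItemProperty -Path $key -Name DumpCount  -Value $DumpCount  -PropertyType DWord        -Force | Out-Null
New-ItemProperty -Path $key -Name DumpType   -Value $DumpType   -PropertyType DWord        -Force | Out-Null
if ($DumpType -eq 0) {
    # Only read for custom dumps. MINIDUMP_TYPE bits used here:
    # MiniDumpWithFullMemory = 0x2, MiniDumpWithHandleData = 0x4.
    New-ItemProperty -Path $key -Name CustomDumpFlags -Value 0x6 -PropertyType DWord -Force | Out-Null
}

# Read the configuration back for verification.
Get-ItemProperty -Path $key | Select-Object DumpFolder, DumpCount, DumpType, CustomDumpFlags
```

WER picks the settings up without a restart; the next crash of the named executable writes a <exe>.<pid>.dmp file into the folder.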
I have found the answer myself; the MSDN specifies the debug registry in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error\LocalDumps
The following values need to be set:
DumpFolder
DumpCount
DumpType
CustomDumpFlags
The extensive documentation is available here.
If the registry keys do not exist it is possible to create them manually and Windows will pick them up.
Also this is possible without directly modifying the registry, with the following steps:
Click Start, and then click Control Panel.
Double-click System, and then click Advanced system settings.
Click the Advanced tab, and then click Settings under Startup and Recovery.
In the Write debugging information list, click Small memory dump (64k).
I am getting this error while installing Oracle 11g Enterprise Edition on Windows 7 Professional 64-bit. I checked the registry as some people have mentioned, but the correct thing is already there. If I try starting the service from Services.msc it also says the service was not found.
I ran into this same issue and this solved it:
When you get the error pop-up, leave it opened, open regedit and modify the ImagePath in the following key to point to the proper location:
computer\hkey_local_machine\system\controlset001\service\OracleMTSRecoveryService
The proper location may be something like this:
C:\app\myaccount\product\11.2.0\dbhome_1\bin\omtsreco.exe
All credit to:
http://yuanmengblog.blogspot.com/2011/08/oracle-standard-db-install-issue-with.html
The Oracle download was split into two parts.
If you tried to install with only one part it will show many bugs, and after installation Oracle won't work.
Download the two parts of Oracle from the official site and extract them in the same place. The files will merge automatically into the same folder.
Now install Oracle. If you already installed Oracle once, it should have taken some path like below.
In my system it took "E:\app\INDP\product\11.2.0\dbhome_1..."
If you are installing a second time, the installation will take the path "E:\app\INDP\product\11.2.0\dbhome_2..."
Now the above error will come because of the registry.
So now you need to edit the registry value like below.
Ctrl+R will bring up the Run window. Type regedit and press OK.
Then under Computer, select HKEY_LOCAL_MACHINE -> SYSTEM -> ControlSet001 -> Services -> OracleMTSRecoveryService.
Double-click on ImagePath. It will prompt a window with the old path or with the wrong path under Value data.
Now you need to edit it with your current path like below.
E:\app\INDP\product\11.2.0\dbhome_2\bin\omtsreco.exe OracleMTSRecoveryService
Now press the "Retry" button of the window which showed that error. Now it will work like a charm.
I am creating a new installation package for one of our products and I'm having significant trouble getting the event message description DLL to be used by Windows to provide event descriptions to the Event Viewer. I always get the following message in the Event properties:
The description for Event ID ( 39 ) in Source ( MyProduct) cannot be
found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is part of the event: MyProduct, , , , , , , , ,
MyProduct.
My previous installer seems to work fine on other systems. The target operating systems here are WinXP SP3 and Server 2008 R2, and I see the same issue on both. The event message file is registered under the Eventlog\Application key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, with EventMessageFile and TypesSupported present and set to the correct values.
I have tried the following in an attempt to resolve the issue:
Moving the event message DLL to the System32 folder
Making sure the Event Log service has full access to the event message DLL (2008 only; WinXP is not on a domain so does not have the Security tab in file properties).
Any ideas? I'm running out of options and can't find anything online other than to set up the registry, which I have done from the start.
In the end it turned out there was a compilation error in our Event Message DLL(!)
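An added diagnostic (not from the original post or answer) that reads the source's registration under the EventLog key and asks each registered message DLL to format one message ID; a DLL that loads but holds no usable message table, as in the answer above, shows up on the last line instead of requiring guesswork. The log name, source, message ID and an elevated PowerShell 5+ session are assumptions.

```powershell
# Added diagnostic, not from the original post: read an event source's message
# DLL registration and ask each DLL to format one message ID.
# Assumptions: elevated PowerShell 5+; $LogName, $Source and $MessageId come
# from the post and are placeholders for your own source.
param(
    [string]$LogName   = 'Application',
    [string]$Source    = 'MyProduct',
    [uint32]$MessageId = 39   # table IDs may carry severity/facility bits; if this
                              # fails, retry with the record's full 32-bit InstanceId
)

$ErrorActionPreference = 'Stop'
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
if (-not (Test-Path $key)) { throw "Source not registered: $key" }
$props = Get-ItemProperty -Path $key
"TypesSupported   : $($props.TypesSupported)"
"EventMessageFile : $($props.EventMessageFile)"

# Minimal P/Invoke so we can load the DLL as a data file and call FormatMessage.
Add-Type -Namespace Win32 -Name Msg -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string path, IntPtr hFile, uint flags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int FormatMessage(uint flags, IntPtr src, uint msgId, uint langId,
    System.Text.StringBuilder buf, int size, IntPtr args);
'@
$LOAD_LIBRARY_AS_DATAFILE      = 0x2
$FORMAT_MESSAGE_FROM_HMODULE   = 0x800
$FORMAT_MESSAGE_IGNORE_INSERTS = 0x200

# EventMessageFile may list several DLLs separated by ';' and use %SystemRoot%.
foreach ($raw in ($props.EventMessageFile -split ';')) {
    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim())
    if (-not (Test-Path $dll)) { "MISSING   : $dll"; continue }
    $h = [Win32.Msg]::LoadLibraryEx($dll, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($h -eq [IntPtr]::Zero) { "LOAD FAIL : $dll"; continue }
    $buf = New-Object System.Text.StringBuilder 4096
    $n = [Win32.Msg]::FormatMessage($FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_IGNORE_INSERTS, $h, $MessageId, 0, $buf, $buf.Capacity, [IntPtr]::Zero)
    if ($n -gt 0) { "OK        : $dll -> $($buf.ToString().Trim())" }
    else { "NO MESSAGE: ID $MessageId not in $dll (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }
}
```

Run it on the machine where the description is missing; "MISSING" points at a path or ACL problem, "NO MESSAGE" at the DLL's message table itself.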
Somehow, the Application Event log count ended up at 18,446,744,073,709,551,499. This causes the MMC snap-in to fail when I want to see the events using Event Viewer, giving a System.OverflowException (Value was either too large or too small for an Int64.). Any thoughts, or should I just clear the log?
Maybe it helps if you activate the option to overwrite old event logs when the log is full. This should prevent you from losing the newest log entries when reaching the limit.
To activate it, navigate to your event log and go to its settings. There you find an option to overwrite old entries if the log is full.
Before clearing the Application log I first tried "Save All Events As...", but the file it produced was empty.
I then copied C:\Windows\System32\winevt\Logs\Application.evtx to my desktop and that file DID open correctly. Not great, but an acceptable work-around for my needs.