Windows services terminate unexpectedly

Daniel Mercourios

Hi,

Our company has an event collector server (Windows Event Forwarding) where services unexpectedly terminate at regular intervals.

It receives the majority of its logs in the "Forwarded events" channel.

It has a custom event forwarding log for separate logs, created from the steps in this guide:

Creating Custom Windows Event Forwarding Logs


The problem is that 6 services always terminate unexpectedly on different days.


The services are:

The Cryptographic Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

The DNS Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

The Workstation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

The Network Location Awareness service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.

The Windows Event Collector service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

The Windows Remote Management (WS-Management) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.


From the application log regarding the WEC-service crash:

Fault bucket 1310927034807908782, type 4
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: svchost.exe_Wecsvc
P2: 10.0.14393.0
P3: 57899b1c
P4: WsmSvc.DLL
P5: 10.0.14393.2791
P6: 5c5a474a
P7: c0000005
P8: 00000000001ada1e
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_Wecs_343ffe241619bbff11e9c9b8e2f4f617249be87_a6952575_1e297f4f

Analysis symbol:
Rechecking for solution: 0
Report Id: e6869167-7472-43ad-88b0-b34606eb1786
Report Status: 0
Hashed bucket: fb783bfe3a873836523159314c2e79ae

From the .wer-file (C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_Wecs_343ffe241619bbff11e9c9b8e2f4f617249be87_a6952575_1e297f4f) in the appcrash-log:


Version=1
EventType=APPCRASH
EventTime=131967653520897488
ReportType=2
Consent=1
UploadTime=131967653524051174
ReportIdentifier=f25a5efc-43d4-11e9-9143-00505694fbdd
IntegratorReportIdentifier=e6869167-7472-43ad-88b0-b34606eb1786
NsAppName=svchost.exe_Wecsvc
AppSessionGuid=00002258-0000-0064-0ae2-cd51ced5d401
TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!00000dac68816ae7c09efc24d11c27c3274dfd147dee!svchost.exe
TargetAppVer=2016//07//16:02:25:32!d1ac!svchost.exe
BootId=4294967295
Response.BucketId=fb783bfe3a873836523159314c2e79ae
Response.BucketTable=4
Response.LegacyBucketId=1310927034807908782
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=svchost.exe_Wecsvc
Sig[1].Name=Application Version
Sig[1].Value=10.0.14393.0
Sig[2].Name=Application Timestamp
Sig[2].Value=57899b1c
Sig[3].Name=Fault Module Name
Sig[3].Value=WsmSvc.DLL
Sig[4].Name=Fault Module Version
Sig[4].Value=10.0.14393.2791
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=5c5a474a
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=00000000001ada1e
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.14393.2.0.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1053
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=a945
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=a945f6bb826fb0113394db68764d24ff
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=1fd2
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=1fd2608212ec435f850deecac1db1d41
UI[2]=C:\Windows\System32\svchost.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Windows Event Collector stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Windows\System32\svchost.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\System32\KERNEL32.DLL
LoadedModule[3]=C:\Windows\System32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\System32\sechost.dll
LoadedModule[5]=C:\Windows\System32\RPCRT4.dll
LoadedModule[6]=C:\Windows\System32\ucrtbase.dll
LoadedModule[7]=C:\Windows\System32\combase.dll
LoadedModule[8]=C:\Windows\System32\bcryptPrimitives.dll
LoadedModule[9]=C:\Windows\System32\kernel.appcore.dll
LoadedModule[10]=C:\Windows\System32\msvcrt.dll
LoadedModule[11]=C:\Windows\System32\user32.dll
LoadedModule[12]=C:\Windows\System32\win32u.dll
LoadedModule[13]=C:\Windows\System32\GDI32.dll
LoadedModule[14]=C:\Windows\System32\gdi32full.dll
LoadedModule[15]=c:\windows\system32\nlasvc.dll
LoadedModule[16]=C:\Windows\System32\cfgmgr32.dll
LoadedModule[17]=c:\windows\system32\IPHLPAPI.DLL
LoadedModule[18]=c:\windows\system32\dhcpcsvc.DLL
LoadedModule[19]=c:\windows\system32\WINNSI.DLL
LoadedModule[20]=c:\windows\system32\ncsi.dll
LoadedModule[21]=C:\Windows\System32\WS2_32.dll
LoadedModule[22]=C:\Windows\System32\NSI.dll
LoadedModule[23]=C:\Windows\SYSTEM32\WLDP.DLL
LoadedModule[24]=C:\Windows\System32\CRYPT32.dll
LoadedModule[25]=C:\Windows\System32\MSASN1.dll
LoadedModule[26]=C:\Windows\System32\WINTRUST.dll
LoadedModule[27]=c:\windows\system32\dnsrslvr.dll
LoadedModule[28]=C:\Windows\SYSTEM32\DNSAPI.dll
LoadedModule[29]=C:\Windows\System32\sspicli.dll
LoadedModule[30]=C:\Windows\SYSTEM32\Fwpuclnt.dll
LoadedModule[31]=C:\Windows\SYSTEM32\bcrypt.dll
LoadedModule[32]=C:\Windows\System32\dnsext.dll
LoadedModule[33]=C:\Windows\System32\USERENV.dll
LoadedModule[34]=C:\Windows\System32\profapi.dll
LoadedModule[35]=C:\Windows\System32\ssdpapi.dll
LoadedModule[36]=C:\Windows\SYSTEM32\gpapi.dll
LoadedModule[37]=C:\Windows\System32\powrprof.dll
LoadedModule[38]=C:\Windows\SYSTEM32\dhcpcsvc6.DLL
LoadedModule[39]=c:\windows\system32\WMICLNT.dll
LoadedModule[40]=C:\Windows\system32\mswsock.dll
LoadedModule[41]=c:\windows\system32\wkscli.dll
LoadedModule[42]=C:\Windows\SYSTEM32\wevtapi.dll
LoadedModule[43]=C:\Windows\SYSTEM32\netjoin.dll
LoadedModule[44]=C:\Windows\SYSTEM32\wtsapi32.dll
LoadedModule[45]=C:\Windows\SYSTEM32\CRYPTBASE.dll
LoadedModule[46]=C:\Windows\SYSTEM32\JoinUtil.dll
LoadedModule[47]=C:\Windows\SYSTEM32\WINSTA.dll
LoadedModule[48]=C:\Windows\SYSTEM32\netutils.dll
LoadedModule[49]=C:\Windows\System32\ADVAPI32.dll
LoadedModule[50]=c:\windows\system32\logoncli.dll
LoadedModule[51]=c:\windows\system32\DSROLE.dll
LoadedModule[52]=C:\Windows\System32\WLDAP32.dll
LoadedModule[53]=c:\windows\system32\DEVOBJ.dll
LoadedModule[54]=C:\Windows\System32\DSPARSE.dll
LoadedModule[55]=C:\Windows\system32\kerberos.DLL
LoadedModule[56]=C:\Windows\System32\cryptdll.dll
LoadedModule[57]=c:\windows\system32\WINHTTP.dll
LoadedModule[58]=c:\windows\system32\webio.dll
LoadedModule[59]=C:\Windows\System32\rasadhlp.dll
LoadedModule[60]=c:\windows\system32\cryptsvc.dll
LoadedModule[61]=C:\Windows\System32\crypttpmeksvc.dll
LoadedModule[62]=C:\Windows\System32\OLEAUT32.dll
LoadedModule[63]=C:\Windows\System32\msvcp_win.dll
LoadedModule[64]=C:\Windows\System32\cryptcatsvc.dll
LoadedModule[65]=C:\Windows\System32\ESENT.dll
LoadedModule[66]=C:\Windows\System32\VSSAPI.DLL
LoadedModule[67]=C:\Windows\System32\VssTrace.DLL
LoadedModule[68]=C:\Windows\System32\samcli.dll
LoadedModule[69]=C:\Windows\System32\SAMLIB.dll
LoadedModule[70]=C:\Windows\System32\clbcatq.dll
LoadedModule[71]=C:\Windows\System32\ES.DLL
LoadedModule[72]=C:\Windows\System32\PROPSYS.dll
LoadedModule[73]=C:\Windows\System32\shcore.dll
LoadedModule[74]=c:\windows\system32\wkssvc.dll
LoadedModule[75]=C:\Windows\System32\taskschd.dll
LoadedModule[76]=c:\windows\system32\wecsvc.dll
LoadedModule[77]=c:\windows\system32\WsmSvc.DLL
LoadedModule[78]=c:\windows\system32\pcwum.dll
LoadedModule[79]=c:\windows\system32\miutils.dll
LoadedModule[80]=c:\windows\system32\mi.dll
LoadedModule[81]=C:\Windows\System32\shell32.dll
LoadedModule[82]=C:\Windows\System32\windows.storage.dll
LoadedModule[83]=C:\Windows\System32\shlwapi.dll
LoadedModule[84]=c:\windows\system32\HTTPAPI.dll
LoadedModule[85]=C:\Windows\system32\Ntdsapi.dll
LoadedModule[86]=C:\Windows\System32\FirewallAPI.dll
LoadedModule[87]=C:\Windows\System32\fwbase.dll
LoadedModule[88]=C:\Windows\System32\FWPolicyIOMgr.dll
LoadedModule[89]=C:\Windows\system32\wevtfwd.dll
LoadedModule[90]=C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
LoadedModule[91]=C:\Windows\system32\WsmWmiPl.dll
LoadedModule[92]=C:\Windows\system32\wbem\fastprox.dll
LoadedModule[93]=C:\Windows\SYSTEM32\wbemcomn.dll
LoadedModule[94]=C:\Windows\system32\wbem\wbemprox.dll
LoadedModule[95]=C:\Windows\system32\wbem\wbemsvc.dll
LoadedModule[96]=C:\Windows\system32\wbem\wmiutils.dll
LoadedModule[97]=C:\Windows\system32\wbem\xml\wmi2xml.dll
LoadedModule[98]=C:\Windows\System32\netprofm.dll
LoadedModule[99]=c:\windows\system32\CRYPTNET.dll
LoadedModule[100]=C:\Windows\SYSTEM32\Cabinet.dll
LoadedModule[101]=C:\Windows\SYSTEM32\CRYPTSP.dll
LoadedModule[102]=C:\Windows\system32\rsaenh.dll
LoadedModule[103]=C:\Windows\system32\msv1_0.DLL
LoadedModule[104]=C:\Windows\System32\NtlmShared.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Windows Event Collector
AppPath=C:\Windows\System32\svchost.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=81C4DD498676CC6A44A6866B363102EE
MetadataHash=1975714724


These 6 services crash every 3-5 days.

Sometimes they automatically restart; sometimes we have to take action and restart the services to get the event collector to work again. Very frustrating for a very important application.



I have run "sfc /scannow"

C:\Windows\system32>sfc /scannow

Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.


Any thoughts on what the next step is?
/Daniel
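
Added example, not part of the original post: a small Python triage of the Report.wer text quoted above. It decodes the crash time and exception code and checks which of the six affected services have their service DLL in the crashed process's LoadedModule list. The function name, the service-DLL table and the trimmed sample (values copied unchanged from the post) are choices made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Service DLL -> display name for the six services named in the post.
SERVICE_DLLS = {
    "cryptsvc.dll": "Cryptographic Services",
    "dnsrslvr.dll": "DNS Client",
    "wkssvc.dll": "Workstation",
    "nlasvc.dll": "Network Location Awareness",
    "wecsvc.dll": "Windows Event Collector",
    "wsmsvc.dll": "Windows Remote Management (WS-Management)",
}
NTSTATUS = {"c0000005": "STATUS_ACCESS_VIOLATION"}  # only the code seen in this report

# Trimmed excerpt of the Report.wer text quoted in the post (values unchanged).
SAMPLE_WER = r"""
EventType=APPCRASH
EventTime=131967653520897488
Sig[3].Name=Fault Module Name
Sig[3].Value=WsmSvc.DLL
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
LoadedModule[15]=c:\windows\system32\nlasvc.dll
LoadedModule[27]=c:\windows\system32\dnsrslvr.dll
LoadedModule[60]=c:\windows\system32\cryptsvc.dll
LoadedModule[74]=c:\windows\system32\wkssvc.dll
LoadedModule[76]=c:\windows\system32\wecsvc.dll
LoadedModule[77]=c:\windows\system32\WsmSvc.DLL
"""

def summarize_wer(text):
    """Parse key=value WER text into a short triage summary."""
    kv = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    # Pair each Sig[n].Name with its Sig[n].Value.
    sig = {kv[k]: kv.get(k[:-4] + "Value", "")
           for k in kv if re.fullmatch(r"Sig\[\d+\]\.Name", k)}
    # EventTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    when = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=int(kv["EventTime"]) // 10)
    modules = {v.rsplit("\\", 1)[-1].lower()
               for k, v in kv.items() if k.startswith("LoadedModule[")}
    code = sig.get("Exception Code", "").lower()
    return {
        "time_utc": when,
        "fault_module": sig.get("Fault Module Name"),
        "exception": NTSTATUS.get(code, code),
        "cohosted_services": sorted(n for d, n in SERVICE_DLLS.items() if d in modules),
    }

if __name__ == "__main__":
    for key, value in summarize_wer(SAMPLE_WER).items():
        print(f"{key}: {value}")
```

On this report all six service DLLs are loaded in the same svchost.exe instance, so one access violation in WsmSvc.DLL ends the process hosting all of them. Report.wer files on disk are typically UTF-16, so open them with `encoding="utf-16"` before passing the text in.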
