How can I programmatically determine the description of an Event ID
I wrote a utility that allows me to view EventLog messages, filtering on their types, when they were written, etc.
I see that I have had the following entry a gazillion times (give or take a few) in the last several months/since I purchased my laptop:
Type: Error
Source: WinMgmt
Time Generated: 06/11/2012 20:55:00
Message: The description for Event ID '-1073741814' in Source 'WinMgmt' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'//./root/CIMV2', 'SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99', '0x80041003'
Machine Name: MuleheadedAsteroid
Does anybody know how I might respond to such an err msg to get to the bottom of the problem?
You're asking two questions here. First, why is the event log entry not formatting correctly? (You're seeing the arguments to the message, but not the fully formatted message.) First, we'll work on fixing the message.
Seems like a corrupt registry, or a missing message file DLL.
Check to make sure these registry entries exist, and point to the correct place:
1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt
Name: ProviderGuid
Type: REG_EXPAND_SZ
Value: {1edeee53-0afe-4609-b846-d8c0b2075b1f}
2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}
Values present:
Name: MessageFileName
Type: REG_EXPAND_SZ
Value: %SystemRoot%\system32\wbem\WinMgmtR.dll
Name: ResourceFileName
Type: REG_EXPAND_SZ
Value: %SystemRoot%\system32\wbem\WinMgmtR.dll
3) Lastly, verify the existence of WinMgmtR.dll at %SystemRoot%\system32\wbem\WinMgmtR.dll
Second, what is the event log trying to tell us? I googled for the error code, 0x80041003. This immediately took me to discussions about trying to query WMI with insufficient permissions, and in particular, a KB article:
Event ID 10 is logged in the Application log after you install Windows Vista Service Pack 1 or Windows Server 2008
You'll notice that MS's example query is pretty much identical to yours. So, it seems something is running and querying WMI without enough permission to do so.
MS provides a script to stop entries from appearing in the resolution portion of the KB article.
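Added example, not part of the original answer: decoding the two numbers that appear in the logged entry, using the standard 32-bit layouts of event identifiers and HRESULTs. The function names are illustrative, and the name table holds only the one WMI code seen on this page.

```python
# Added example. Bit layouts assumed:
#   event identifier: severity(2) | customer(1) | reserved(1) | facility(12) | code(16)
#   HRESULT:          failure(1)  | flags(4)    | facility(11) | code(16)
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}

# Only the WMI code that appears on this page; not a complete table.
KNOWN_HRESULTS = {0x80041003: "WBEM_E_ACCESS_DENIED"}


def to_u32(value):
    """Reinterpret a signed 32-bit integer (as a log viewer may print it) as unsigned."""
    return value & 0xFFFFFFFF


def decode_event_identifier(raw):
    """Split a full event identifier into its fields; 'event_id' is the low 16 bits."""
    u = to_u32(raw)
    return {
        "hex": f"0x{u:08X}",
        "severity": SEVERITY[u >> 30],
        "customer": bool((u >> 29) & 1),
        "facility": (u >> 16) & 0xFFF,
        "event_id": u & 0xFFFF,
    }


def decode_hresult(raw):
    """Split an HRESULT into failure bit, facility and code, with a name if known."""
    u = to_u32(raw)
    return {
        "hex": f"0x{u:08X}",
        "failed": bool(u >> 31),
        "facility": (u >> 16) & 0x7FF,
        "code": u & 0xFFFF,
        "name": KNOWN_HRESULTS.get(u, "unknown"),
    }


if __name__ == "__main__":
    # Values taken from the event quoted in the question.
    print(decode_event_identifier(-1073741814))
    print(decode_hresult(0x80041003))
```

The identifier -1073741814 is 0xC000000A, that is, severity Error with event code 10, which is the Event ID 10 named in the KB article title, and 0x80041003 is the WMI access-denied code.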