joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Why no little bobby… Event IDs in the Event Log are NOT unique…

by @ 12:42 pm on 5/26/2007. Filed under tech

Why is it that people think they can say, “Yeah I am getting Event ID 1000, do you know why that is?”

For the record, Event IDs are not UNIQUE. You need to know the Event Log, the Event Source, AND the Event ID.

Maybe it is the only Event ID 1000 that person who is asking the question has ever encountered, but why…. why would they assume that that is the only possible Event ID 1000 that could possibly exist? If that is the only one you have encountered, the only thing you can assume is that you don’t have a clue if there are others. Assuming it is unique is a hell of an assumption coming right out of the gate. It is like assuming because you saw a penguin as your first bird that all birds were flightless, black and white, ate a lot of fish, and are really good in movies…. THINK PEOPLE!!!

Just for those who think that possibly Event ID 1000 might be unique, I ran a little useful utility I have for myself (I might sell it one day if I get around to it) that dumps all of the events on a machine to a text file. I did that on the Windows Server 2003 laptop I am typing this on, then ran GREP across all of the text files produced for all of the event logs, and it came up with the following counts for Event ID 1000:

File k385002.joe.com – ADAM (instance1).txt:
2 lines match
File k385002.joe.com – Application.txt:
36 lines match
File k385002.joe.com – Security.txt:
3 lines match
File k385002.joe.com – System.txt:
11 lines match

That is 52, yes FIVE TWO, different Event ID 1000 events… 36 alone in the Application log. Say you narrowed it down to just the System Event Log, what do you have then? 11 events with that Event ID…

File k385002.joe.com – System.txt:

“1000” “1000” “” “%1” “c:\windows\microsoft.net\framework\v2.0.50727\eventlogmessages.dll” “System\MSDTC Gateway;System\MSDTC WS-AT Protocol”

“1000” “1000” “” “Your computer has lost the lease to its IP address %2 on the\nNetwork Card with network address %1.” “c:\windows\system32\dhcpcsvc.dll” “System\Dhcp”

“2164261864” “1000” “WARN” “%1” “c:\windows\system32\dmadmin.exe” “System\LDM”

“1000” “1000” “” “Faulting application %1, version %2, faulting module %3, version %4, fault address 0x%5.” “c:\windows\system32\faultrep.dll” “System\System Error”

“1073742824” “1000” “INFO” “The computer has rebooted from a bugcheck. The bugcheck was:\n%1.\nA full dump was not saved.” “c:\windows\system32\savedump.exe” “System\Save Dump”

“1000” “1000” “” “Unable to acquire a license for user ‘%1’, domain ‘%2’.” “c:\windows\system32\termsrv.dll” “System\TermService”

“1000” “1000” “” “The session directory failed to delete all the log files in the “%SystemRoot%\System32\tssesdir\” directory. The error code was %1.” “c:\windows\system32\tssdis.exe” “System\TermServSessDir”

“1000” “1000” “” “Processing media-specific event for [%1!ws!]” “c:\windows\system32\ws03res.dll” “System\AeLookupSvc;System\Clussvc;System\DCOM;System\DfsSvc;System\Http;System\IPNATHLP;System\MSFTPSVC;System\PlugPlayManager;System\Print;System\RasMan;System\RemoteAccess;System\Service Control Manager;System\Tcpip;System\TermDD;System\TermServDevices;System\TermService;System\TermServLicensing;System\VolSnap;System\W32Time;System\W3SVC”

“2149581800” “1000” “WARN” “Unable to acquire a license for user ‘%1’, domain ‘%2’. Please check Citrix Licensing for diagnosing this issue.” “c:\windows\system32\ws03res.dll” “System\AeLookupSvc;System\Clussvc;System\DCOM;System\DfsSvc;System\Http;System\IPNATHLP;System\MSFTPSVC;System\PlugPlayManager;System\Print;System\RasMan;System\RemoteAccess;System\Service Control Manager;System\Tcpip;System\TermDD;System\TermServDevices;System\TermService;System\TermServLicensing;System\VolSnap;System\W32Time;System\W3SVC”

“3237938152” “1000” “ERROR” “%1” “c:\windows\system32\wshext.dll” “System\Windows Script Host”

“1000” “1000” “” “Processing media-specific event for [%1!ws!]” “c:\windows\system32\xpsp2res.dll” “System\DCOM”
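As an added example (not joe's utility and not code from the original post), the Python below parses a few of the records quoted above and indexes them by log, source and Event ID, so that a lookup by ID alone returns several unrelated events while the full triple returns one. It assumes the first column of the dump is the full 32-bit message identifier and the last column is a `;`-separated list of `Log\Source` pairs; `decode`, `build_index` and `lookup` are names made up for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: four of the System-log records quoted in the post, with
# curly quotes normalised to ASCII and the long source list cut to two entries.
SAMPLE = r'''
"1000" "1000" "" "Your computer has lost the lease to its IP address %2 on the\nNetwork Card with network address %1." "c:\windows\system32\dhcpcsvc.dll" "System\Dhcp"
"2164261864" "1000" "WARN" "%1" "c:\windows\system32\dmadmin.exe" "System\LDM"
"1073742824" "1000" "INFO" "The computer has rebooted from a bugcheck. The bugcheck was:\n%1.\nA full dump was not saved." "c:\windows\system32\savedump.exe" "System\Save Dump"
"1000" "1000" "" "Processing media-specific event for [%1!ws!]" "c:\windows\system32\ws03res.dll" "System\DCOM;System\Tcpip"
'''

# The top two bits of a 32-bit Windows message identifier encode the severity.
SEVERITY = {0: "SUCCESS", 1: "INFO", 2: "WARN", 3: "ERROR"}


def decode(message_id):
    """Split a 32-bit message identifier into severity, facility and code."""
    n = int(message_id)
    return {"severity": SEVERITY[n >> 30], "facility": (n >> 16) & 0xFFF,
            "code": n & 0xFFFF}


def build_index(dump):
    """Map (log, source, event_id) -> message templates found in the dump."""
    index = defaultdict(list)
    for row in csv.reader(io.StringIO(dump), delimiter=" ", quotechar='"'):
        if len(row) != 6:  # skip blank or malformed lines
            continue
        _full_id, event_id, _sev, text, _msg_file, sources = row
        for entry in sources.split(";"):  # one record can serve many sources
            log, source = entry.split("\\", 1)
            index[(log, source, int(event_id))].append(text)
    return index


def lookup(index, event_id, log=None, source=None):
    """Return every (log, source, id) key that matches the given filter."""
    return sorted(k for k in index if k[2] == event_id
                  and log in (None, k[0]) and source in (None, k[1]))


if __name__ == "__main__":
    idx = build_index(SAMPLE)
    print(lookup(idx, 1000))                      # ID alone: several sources
    print(lookup(idx, 1000, "System", "Dhcp"))    # full triple: one event
    print(decode("2164261864"))                   # low 16 bits are still 1000
```

The same keying applies to alert rules and log queries: filter on the log and source together with the ID, never on the ID by itself.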

So if you ask me, “Yeah I am getting Event ID 1000, do you know why that is?” and I respond with, “Which Event ID 1000?”, don’t look at me like I’m the one who’s the idiot. Better yet, give me the Event ID and tell me the text of the message, that way I don’t even have to go try and look up the text which I will likely have to do anyway. The same machine I took the above info from has 26,199 events registered for it and it doesn’t have any real serious event log apps like Exchange, SMS, etc. on it. And although I have had this machine for several years, there are still at least one or two, maybe more, of those events that I don’t have the text memorized for… Let’s be real… Most people aren’t memorizing Event IDs. The only time this is sort of acceptable is when there is context to a conversation and you are talking about say Exchange and someone is bitching to other Exchange people about say Event ID 9548. That is (or was – depends on your SP level of Exchange) such a huge pain point for people running Exchange in larger environments that it was usually said with a hiss and an evil look and an outstretched arm in the direction of Redmond and the Exchange developers. Context is everything… It is just like if I said “George W is an idiot…”, most people in the world are going to assume it is one specific idiot I am talking about and that I don’t mean the neighbor who lives 4 houses down on the right.

     joe


One Response to “Why no little bobby… Event IDs in the Event Log are NOT unique…”

  1. “don’t look at me like I’m the one who’s the idiot”

    You kill me… lol
