Server 2008 Event Log Service stuck in "Starting"; Module Installer stopped working; SP2

Sponsored Links

I've installing and used Windows Server 2008 since early in the beta,
installed it on many physical computers as well as in virtual machines and
this is the first time I've encountered this problem, or anything like it
before.

I had two Server 2008 servers on which the Event Log service is always in
the "Starting" status and I got message boxes popping up saying that the
Windows Module Installer has stopped working. Because the Event Log service
is not running, I could not view the Event Logs.

Although I could logon locally, essentially no roles or features were
working correctly.
DNS service didn't start - this is Active Directory integrated - server
is a domain controller
could not connect to the computer over the network (shares, printers,
Remote Desktop Connection, Computer Management all failed)

I found a few references on the Internet about this situation, but none
provided a solution.

The first server is Windows Server 2008 Enterprise 64 bit with Hyper-V
installed. It has Active Directory Domain Services role and WSUS installed
in the Parent VM (not recommended I know, but this is a small, test
installation). This has been working fine ever since the RTM version of
Server 2008 was installed, a day or so after Server 2008 was initially
released. This server gets shutdown overnight.

When the problem happened, I tried various ways to fix the problem but none
worked. Since the Windows Server Backup wouldn't work, I could not restore
the server from a recent backup. However, eventually, by booting from the
Windows Server 2008 DVD, I was able to restore this server from the backup
and it again working OK (this was the only Domain Controller in this
domain).

The second server was a new clean install of Windows Server 2008 Standard 32
bit. The intent was to make this a second domain controller, transfer the
FSMO roles to it, run adprep for Windows Server 2008 R2, then upgrade it to
Windows Server 2008 R2. However, after installing all the available
updates, promoting it to be a domain controller and restarting, the Event
Log service failed to start. Perhaps coincidentally, after the next restart
of the first server, it got the same problem - Event Log service remained in
the Starting state; so now I had two, none functional domain controllers and
panic started. That's when, after trying various suggested methods to fix
this problem I restored the first domain controller from backup - this
backup was from a few days ago before the second domain controller was
added.

Next, I started all over again on the second server:
Clean install of Windows Server 2008 Standard 32 bit (RTM) w/o Hyper-V
Activated successfully
installed Service Pack 2
restart
Event Log service stuck in Starting status and pop up messages that Windows
Module Installer has stopped working.

Here's the corrective actions I've taken so far - without success:
1. changed the permissions for the Event Log account for the folder
c:\windows\system32\winevt to Full Control; restart
When I logon (local Administrator account) I get a message box that says
"Windows must be reinstalled. An unauthorized change was made to Windows.
Windows must be re-installed to activate. Insert the Windows installation
DVD or CD into your computer to begin the reinstallations process."

2. start over - boot from DVD, select to format the installation partition,
install Windows Server 2008 32 bit Standard (Full Installation) w/o Hyper-v
a. activated successfully
b. restarted
c. changed computer name
d. restarted
e. install Service Pack 2
f. restarted several times - problem did not resurface
g. in AD Users and Computers, create an OU and use GPMC to Block
Inheritance; create a new computer account for this server in this OU so no
GPOs get applied to this computer
h. join computer to domain; restart several times - system OK
i. remove the block inheritance setting so computer will get the GPOs
applied to the domain level (no other GPOs in the OU path at this point);
restart several times - no problem
j. move the computer account to the OU containing other servers - several
more GPOs are applied to this OU, including one that uses Restricted Groups
to populate the local groups (e.g. Administrators, Remote Desktop Users,
Power Users, Users), and one that configures WSUS.
k. restart; Windows Update Software 7.1.6001.65 was automatically
installed . Control Panel Programs and Features, Installed Updates does not
allow the update (955430) to be uninstalled.

The Event Log service is stuck in the Starting state - the problem is back!

l. install the HotFix from KB 952664- get the message "The update does not
apply to your system".

Anyone have any idea how to correct this problem?

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

Hello Bruce,

Check out if the "EventLog" is added with Full control on the following folder:
windows\system32\winevt\logs

If not check if it is on winevt folder and use inheritance to get it also
to the logs folder.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've installing and used Windows Server 2008 since early in the beta,
> installed it on many physical computers as well as in virtual machines
> and this is the first time I've encountered this problem, or anything
> like it before.
>
> I had two Server 2008 servers on which the Event Log service is always
> in the "Starting" status and I got message boxes popping up saying
> that the Windows Module Installer has stopped working. Because the
> Event Log service is not running, I could not view the Event Logs.
>
> Although I could logon locally, essentially no roles or features were
> working correctly.
> DNS service didn't start - this is Active Directory integrated -
> server
> is a domain controller
> could not connect to the computer over the network (shares,
> printers,
> Remote Desktop Connection, Computer Management all failed)
> I found a few references on the Internet about this situation, but
> none provided a solution.
>
> The first server is Windows Server 2008 Enterprise 64 bit with Hyper-V
> installed. It has Active Directory Domain Services role and WSUS
> installed in the Parent VM (not recommended I know, but this is a
> small, test installation). This has been working fine ever since the
> RTM version of Server 2008 was installed, a day or so after Server
> 2008 was initially released. This server gets shutdown overnight.
>
> When the problem happened, I tried various ways to fix the problem but
> none worked. Since the Windows Server Backup wouldn't work, I could
> not restore the server from a recent backup. However, eventually, by
> booting from the Windows Server 2008 DVD, I was able to restore this
> server from the backup and it again working OK (this was the only
> Domain Controller in this domain).
>
> The second server was a new clean install of Windows Server 2008
> Standard 32 bit. The intent was to make this a second domain
> controller, transfer the FSMO roles to it, run adprep for Windows
> Server 2008 R2, then upgrade it to Windows Server 2008 R2. However,
> after installing all the available updates, promoting it to be a
> domain controller and restarting, the Event Log service failed to
> start. Perhaps coincidentally, after the next restart of the first
> server, it got the same problem - Event Log service remained in the
> Starting state; so now I had two, none functional domain controllers
> and panic started. That's when, after trying various suggested
> methods to fix this problem I restored the first domain controller
> from backup - this backup was from a few days ago before the second
> domain controller was added.
>
> Next, I started all over again on the second server:
> Clean install of Windows Server 2008 Standard 32 bit (RTM) w/o Hyper-V
> Activated successfully
> installed Service Pack 2
> restart
> Event Log service stuck in Starting status and pop up messages that
> Windows
> Module Installer has stopped working.
> Here's the corrective actions I've taken so far - without success:
> 1. changed the permissions for the Event Log account for the folder
> c:\windows\system32\winevt to Full Control; restart
> When I logon (local Administrator account) I get a message box
> that says
> "Windows must be reinstalled. An unauthorized change was made to
> Windows.
> Windows must be re-installed to activate. Insert the Windows
> installation DVD or CD into your computer to begin the reinstallations
> process."
>
> 2. start over - boot from DVD, select to format the installation
> partition,
> install Windows Server 2008 32 bit Standard (Full Installation) w/o
> Hyper-v
> a. activated successfully
> b. restarted
> c. changed computer name
> d. restarted
> e. install Service Pack 2
> f. restarted several times - problem did not resurface
> g. in AD Users and Computers, create an OU and use GPMC to Block
> Inheritance; create a new computer account for this server in this OU
> so no
> GPOs get applied to this computer
> h. join computer to domain; restart several times - system OK
> i. remove the block inheritance setting so computer will get the
> GPOs
> applied to the domain level (no other GPOs in the OU path at this
> point);
> restart several times - no problem
> j. move the computer account to the OU containing other servers -
> several
> more GPOs are applied to this OU, including one that uses Restricted
> Groups
> to populate the local groups (e.g. Administrators, Remote Desktop
> Users,
> Power Users, Users), and one that configures WSUS.
> k. restart; Windows Update Software 7.1.6001.65 was automatically
> installed . Control Panel Programs and Features, Installed Updates
> does not
> allow the update (955430) to be uninstalled.
>
> The Event Log service is stuck in the Starting state - the problem is
> back!
>
> l. install the HotFix from KB 952664- get the message "The update
> does not apply to your system".
>
> Anyone have any idea how to correct this problem?
>
> It is perfectly useless to know the right answer to the wrong
> question.
>

Hello Bruce,

Did some more searching about this 'Group' "Eventlog" which is not to find
on local computer or in AD. It is a builtin service group? If you use in
a command prompt:

sc showsid eventlog

you can see that it exists, this is default on all 2008 machines, tested
it on 3 different one's.

If that group type is missing on logs folder and you have to recreate it
for testing you can use the command from this article:
http://social.msdn.microsoft.com/For...7-e5f471667302

In this one it is also metioned in the Q&A section:
http://blogs.technet.com/askds/archi...and-vista.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> I've installing and used Windows Server 2008 since early in the beta,
> installed it on many physical computers as well as in virtual machines
> and this is the first time I've encountered this problem, or anything
> like it before.
>
> I had two Server 2008 servers on which the Event Log service is always
> in the "Starting" status and I got message boxes popping up saying
> that the Windows Module Installer has stopped working. Because the
> Event Log service is not running, I could not view the Event Logs.
>
> Although I could logon locally, essentially no roles or features were
> working correctly.
> DNS service didn't start - this is Active Directory integrated -
> server
> is a domain controller
> could not connect to the computer over the network (shares,
> printers,
> Remote Desktop Connection, Computer Management all failed)
> I found a few references on the Internet about this situation, but
> none provided a solution.
>
> The first server is Windows Server 2008 Enterprise 64 bit with Hyper-V
> installed. It has Active Directory Domain Services role and WSUS
> installed in the Parent VM (not recommended I know, but this is a
> small, test installation). This has been working fine ever since the
> RTM version of Server 2008 was installed, a day or so after Server
> 2008 was initially released. This server gets shutdown overnight.
>
> When the problem happened, I tried various ways to fix the problem but
> none worked. Since the Windows Server Backup wouldn't work, I could
> not restore the server from a recent backup. However, eventually, by
> booting from the Windows Server 2008 DVD, I was able to restore this
> server from the backup and it again working OK (this was the only
> Domain Controller in this domain).
>
> The second server was a new clean install of Windows Server 2008
> Standard 32 bit. The intent was to make this a second domain
> controller, transfer the FSMO roles to it, run adprep for Windows
> Server 2008 R2, then upgrade it to Windows Server 2008 R2. However,
> after installing all the available updates, promoting it to be a
> domain controller and restarting, the Event Log service failed to
> start. Perhaps coincidentally, after the next restart of the first
> server, it got the same problem - Event Log service remained in the
> Starting state; so now I had two, none functional domain controllers
> and panic started. That's when, after trying various suggested
> methods to fix this problem I restored the first domain controller
> from backup - this backup was from a few days ago before the second
> domain controller was added.
>
> Next, I started all over again on the second server:
> Clean install of Windows Server 2008 Standard 32 bit (RTM) w/o Hyper-V
> Activated successfully
> installed Service Pack 2
> restart
> Event Log service stuck in Starting status and pop up messages that
> Windows
> Module Installer has stopped working.
> Here's the corrective actions I've taken so far - without success:
> 1. changed the permissions for the Event Log account for the folder
> c:\windows\system32\winevt to Full Control; restart
> When I logon (local Administrator account) I get a message box
> that says
> "Windows must be reinstalled. An unauthorized change was made to
> Windows.
> Windows must be re-installed to activate. Insert the Windows
> installation DVD or CD into your computer to begin the reinstallations
> process."
>
> 2. start over - boot from DVD, select to format the installation
> partition,
> install Windows Server 2008 32 bit Standard (Full Installation) w/o
> Hyper-v
> a. activated successfully
> b. restarted
> c. changed computer name
> d. restarted
> e. install Service Pack 2
> f. restarted several times - problem did not resurface
> g. in AD Users and Computers, create an OU and use GPMC to Block
> Inheritance; create a new computer account for this server in this OU
> so no
> GPOs get applied to this computer
> h. join computer to domain; restart several times - system OK
> i. remove the block inheritance setting so computer will get the
> GPOs
> applied to the domain level (no other GPOs in the OU path at this
> point);
> restart several times - no problem
> j. move the computer account to the OU containing other servers -
> several
> more GPOs are applied to this OU, including one that uses Restricted
> Groups
> to populate the local groups (e.g. Administrators, Remote Desktop
> Users,
> Power Users, Users), and one that configures WSUS.
> k. restart; Windows Update Software 7.1.6001.65 was automatically
> installed . Control Panel Programs and Features, Installed Updates
> does not
> allow the update (955430) to be uninstalled.
>
> The Event Log service is stuck in the Starting state - the problem is
> back!
>
> l. install the HotFix from KB 952664- get the message "The update
> does not apply to your system".
>
> Anyone have any idea how to correct this problem?
>
> It is perfectly useless to know the right answer to the wrong
> question.
>

Meinolf: Thanks for your posts.

I recall that I had the same problem some months ago on a virtual machine
(Windows Server 2008 RTM 64 bit), but it was both "experimental" and I
didn't pursue the issue. It still exista and I started it one of them - it
still has the same problem - Event Log service stuck in the "starting"
state.

I've included details below relating to permissions on the winevt folder,
but based on what actually fixed the problem, this would seem to be all a
red herring.

After spending quite a bit of time fussing with the permissions on the
winevt/logs files, I found a reference to
http://pieter.wigleven.com/it/archives/54 that suggests fixing a similar,
but not identical, symptom by setting the Regional and Language Options to
English (United States) - several settings in this dialog. Did that (I
normally use English (Canada) with the Short Date Format set to dd-mmm-yy
and Measurement System to US) then restarted the server - lo and behold, the
Event Log service starts normally and everything appears to be working
again!

Set the TCP/IP NetBIOS Helper, DHCP Client services back to start
automatically and started them - no problems.

Restart the server again. Seems to be working fine now.

------------------------------------------------------------------------------------------------------------------------------------------------------------------

Here's some (possibly extraneous) information and results of investigating
and fussing with the winevt folder and its permissions:

This "EventLog" account (or whatever it is) certainly seems to be a somewhat
mysterious entity.
- It is not listed in http://support.microsoft.com/kb/243330 (Well-known
security identifiers in Windows operating systems)
- it seems to have the same SID on all the Server 2008 and Vista machines
I've checked (3 Windows Server 2008 in three different domains, one Vista
SP1 in one of the domains)
(SERVICE SID:
S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)

On all the 2008 servers I've checked (including several that are functioning
normally and the one that has the Event Log service stuck in the "starting"
state), the permissions on the %systemroot%\system32\winevt, the sub folders
and the files is identical:

\winevt
Event Log - This folder, subfolders and files (not inherited)
Traverse folder / execute file
List folder / read data
Read Attributes
Read Extended Attributes
Create files / write data
Create folders / append data
Write attributes
Write extended attributes
Delete subfolders and files
Read permissions
SYSTEM - This folder, subfolders and files (not inherited)
Full Control
Administrators - This folder, subfolders and files (not inherited)
Full Control
Authenticated Users - This folder and subfolders (not inherited)
List folder / read data
Read Attributes
Read Extended Attributes
Read permissions

\winevt\Logs
Event Log - This folder, subfolders and files (not inherited)
Full Control
SYSTEM, Administrators and Authenticated Users - same as for winevt (not
inherited)

\winevt\TraceFormat - all inherited from \winevt

\winevt\Logs - files - all permissions inherited from winevt\logs

On the system with the problem and one without the problem, I ran the
command
CACLS c:\windows\system32\winevt\logs\security.evtx /S
as suggested in
http://blogs.technet.com/askds/archi...and-vista.aspx.

The result was identical in both cases:
c:\windows\system32\winevt\logs\Security.evtx
"D:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;BA)"

As an experiment on the system with the problem, I opened the Advanced
Security dialog for c:\windows\system32\winevt\logs
1. click Edit
2. click Continue (UAC prompt)
3. add check mark to "Replace all existing inheritable permissions on all
descendants with inheritable permissions from this object"
4. click OK
5. on the Windows Security message box (warns that this action will replace
all the permissions on the descendant objects - all the files in the
winevt\Logs folder in this case); click Yes
6. click OK; click OK (closes the Properties dialogs)
This operation completed with no errors or messages

I checked the permissions on a few of the .evtx files in winevt\logs and
EventLog had Full Control

Restarted the problematic server; the problem is still the same - Event Log
services stuck in the "Starting" state.

Checked the permissions on the winevt, winevt\logs and some of the .evtx
files and they are still the same as stated above.

Another suggestion I saw was to delete all the files in the winevt\Logs
folder, so I did that, but three files didn't get deleted:

Microsoft-Windows-Security-Configuration-Wizard%4Diagnostic.etl
Microsoft-Windows-Security-Configuration-Wizard%4Operational.etl
Microsoft-Windows-ServerManager%4Analytic.etl

Windows Explorer reports these as having a size of 0 bytes.

When I try to examine the permissions on these, I don't see any permissions,
just a dialog that says the Owner can not be determined and offers to allow
me to change the Ownership. If I user the CACLS command to display the
permissions, I get Access is denied.

When I try to take ownership of these files, I get Access is denied - I
tried with a domain user account that is a member of the local
Administrators group and also with the local Administrator user account -
same result.

restarted the system anyway - same problem

I noticed that there were other services stuck in the starting status (e.g.
TCP/IP NetBIOS Helper, DHCP Client), so I changed there Startup type to
Disabled and started the server again.

Even though the Event Log service is still set to start automatically, now
it doesn't seem to even try to start (or maybe starts and stops before I can
open the Services mmc).

Tried to start the Event Log service manually - get "Windows could not start
the Windows Event Log service on Local Computer. Error 87: The parameter is
incorrect."
--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662238d8cb9b229ea71003@msnews.microsoft.com...
> Hello Bruce,
>
> Did some more searching about this 'Group' "Eventlog" which is not to find
> on local computer or in AD. It is a builtin service group? If you use in a
> command prompt:
>
> sc showsid eventlog
>
> you can see that it exists, this is default on all 2008 machines, tested
> it on 3 different one's.
>
> If that group type is missing on logs folder and you have to recreate it
> for testing you can use the command from this article:
> http://social.msdn.microsoft.com/For...7-e5f471667302
>
> In this one it is also metioned in the Q&A section:
> http://blogs.technet.com/askds/archi...and-vista.aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> I've installing and used Windows Server 2008 since early in the beta,
>> installed it on many physical computers as well as in virtual machines
>> and this is the first time I've encountered this problem, or anything
>> like it before.
>>
>> I had two Server 2008 servers on which the Event Log service is always
>> in the "Starting" status and I got message boxes popping up saying
>> that the Windows Module Installer has stopped working. Because the
>> Event Log service is not running, I could not view the Event Logs.
>>
>> Although I could logon locally, essentially no roles or features were
>> working correctly.
>> DNS service didn't start - this is Active Directory integrated -
>> server
>> is a domain controller
>> could not connect to the computer over the network (shares,
>> printers,
>> Remote Desktop Connection, Computer Management all failed)
>> I found a few references on the Internet about this situation, but
>> none provided a solution.
>>
>> The first server is Windows Server 2008 Enterprise 64 bit with Hyper-V
>> installed. It has Active Directory Domain Services role and WSUS
>> installed in the Parent VM (not recommended I know, but this is a
>> small, test installation). This has been working fine ever since the
>> RTM version of Server 2008 was installed, a day or so after Server
>> 2008 was initially released. This server gets shutdown overnight.
>>
>> When the problem happened, I tried various ways to fix the problem but
>> none worked. Since the Windows Server Backup wouldn't work, I could
>> not restore the server from a recent backup. However, eventually, by
>> booting from the Windows Server 2008 DVD, I was able to restore this
>> server from the backup and it again working OK (this was the only
>> Domain Controller in this domain).
>>
>> The second server was a new clean install of Windows Server 2008
>> Standard 32 bit. The intent was to make this a second domain
>> controller, transfer the FSMO roles to it, run adprep for Windows
>> Server 2008 R2, then upgrade it to Windows Server 2008 R2. However,
>> after installing all the available updates, promoting it to be a
>> domain controller and restarting, the Event Log service failed to
>> start. Perhaps coincidentally, after the next restart of the first
>> server, it got the same problem - Event Log service remained in the
>> Starting state; so now I had two, none functional domain controllers
>> and panic started. That's when, after trying various suggested
>> methods to fix this problem I restored the first domain controller
>> from backup - this backup was from a few days ago before the second
>> domain controller was added.
>>
>> Next, I started all over again on the second server:
>> Clean install of Windows Server 2008 Standard 32 bit (RTM) w/o Hyper-V
>> Activated successfully
>> installed Service Pack 2
>> restart
>> Event Log service stuck in Starting status and pop up messages that
>> Windows
>> Module Installer has stopped working.
>> Here's the corrective actions I've taken so far - without success:
>> 1. changed the permissions for the Event Log account for the folder
>> c:\windows\system32\winevt to Full Control; restart
>> When I logon (local Administrator account) I get a message box
>> that says
>> "Windows must be reinstalled. An unauthorized change was made to
>> Windows.
>> Windows must be re-installed to activate. Insert the Windows
>> installation DVD or CD into your computer to begin the reinstallations
>> process."
>>
>> 2. start over - boot from DVD, select to format the installation
>> partition,
>> install Windows Server 2008 32 bit Standard (Full Installation) w/o
>> Hyper-v
>> a. activated successfully
>> b. restarted
>> c. changed computer name
>> d. restarted
>> e. install Service Pack 2
>> f. restarted several times - problem did not resurface
>> g. in AD Users and Computers, create an OU and use GPMC to Block
>> Inheritance; create a new computer account for this server in this OU
>> so no
>> GPOs get applied to this computer
>> h. join computer to domain; restart several times - system OK
>> i. remove the block inheritance setting so computer will get the
>> GPOs
>> applied to the domain level (no other GPOs in the OU path at this
>> point);
>> restart several times - no problem
>> j. move the computer account to the OU containing other servers -
>> several
>> more GPOs are applied to this OU, including one that uses Restricted
>> Groups
>> to populate the local groups (e.g. Administrators, Remote Desktop
>> Users,
>> Power Users, Users), and one that configures WSUS.
>> k. restart; Windows Update Software 7.1.6001.65 was automatically
>> installed . Control Panel Programs and Features, Installed Updates
>> does not
>> allow the update (955430) to be uninstalled.
>>
>> The Event Log service is stuck in the Starting state - the problem is
>> back!
>>
>> l. install the HotFix from KB 952664- get the message "The update
>> does not apply to your system".
>>
>> Anyone have any idea how to correct this problem?
>>
>> It is perfectly useless to know the right answer to the wrong
>> question.
>>
>
>