description for Event ID () in Source () cannot be found
Hi!
On a MS Windows Server 2003 Standard Edition (with SP1) that is a
Domain Controller I sometimes see messages in the local Event Log that
contain the following text in the description:
The description for Event ID ( xxx ) in Source ( yyy ) cannot be found.
The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may
be able to use the /AUXSOURCE= flag to retrieve this description; see
Help and Support for details.
The event source is one of the following:
DNS, ESE, WUSyncService, HHCTRL.
AFAIK, it means that the Event Viewer cannot find some information
needed to display the description of an event in the Event Log. How is
it possible that the Event Viewer cannot find that information for the
events generated on the local computer?
I looked at http://support.microsoft.com/kb/312216/en-us
that describes how to run the Event Viewer with the /auxsource switch
if you have problems with viewing messages from a remote computer. But
the article does not say anything about such problems on the local computer.
-- rpr. /Robert Premuz/
RE: description for Event ID () in Source () cannot be found
I looked into the event source:
DNS, ESE, WUSyncService, HHCTRL.
Looks like either the DLL files responsible for generating the events for
these applications are damaged or the account you are using doesn't have the
right to load these DLLs. This mostly happens with 3rd party applications where
it got installed with a user account and the service account doesn't get
permission to pull the info about the required DLLs.
Although, if these applications are running fine there is no issue but if
you need to figure out the things, the specific application team can help you
out fixing the bug.
Hope this helps,
Regards,
Ashish
"Robert Premuž" wrote:
> Hi!
>
> On a MS Windows Server 2003 Standard Edition (with SP1) that is a
> Domain Controller I sometimes see messages in the local Event Log that
> contain the following text in the description:
>
> The description for Event ID ( xxx ) in Source ( yyy ) cannot be found.
> The local computer may not have the necessary registry information or
> message DLL files to display messages from a remote computer. You may
> be able to use the /AUXSOURCE= flag to retrieve this description; see
> Help and Support for details.
>
> The event source is one of the following:
> DNS, ESE, WUSyncService, HHCTRL.
>
> AFAIK, it means that the Event Viewer cannot find some information
> needed to display the description of an event in the Event Log. How is
> it possible that the Event Viewer cannot find that information for the
> events generated on the local computer?
>
> I looked at http://support.microsoft.com/kb/312216/en-us
> that describes how to run the Event Viewer with the /auxsource switch
> if you have problems with viewing messages from a remote computer. But
> the article does not say anything about such problems on the local computer.
>
> -- rpr. /Robert Premuz/
Re: description for Event ID () in Source () cannot be found
On May 22, 10:38 am, Ashish wrote:
> I looked into the event source:
>
> DNS, ESE, WUSyncService, HHCTRL.
>
> Looks like either the DLL files responsible for generating the events for
> these applications are damaged or the account you are using doesn't have the
> right to load these DLLs. This mostly happens with 3rd party applications where
> it got installed with a user account and the service account doesn't get
> permission to pull the info about the required DLLs.
OK. Let's analyze one such case:
The Microsoft DNS service runs "%SystemRoot%\system32\dns.exe" using
the Local System Account.
The System account and the built-in administrators group have full
access permissions on the following files (in %SystemRoot%\system32):
dns.exe
dnsapi.dll
dnsmgmt.msc
dnsmgr.dll
dnsperf.dll
dnsperf.h
dnsperf.ini
dnsrslvr.dll
dnswiz.exe
As the DNS service is working (tests of simple and recursive queries
are successful) and I can see its properties with the DNS management
console, I'd say that none of the above files are damaged.
The message strings written to the DNS Event Log are probably
contained in the dns.exe file. E.g. one of the strings contained in
the dns.exe is the following: "The DNS server has started" (this info
you can get using the Sysinternals Process Explorer).
So, when I log on to the server as the administrator user (who is a member
of the built-in administrators group, Domain Admins, Enterprise
Admins), and I look at the DNS Event Log with the Event Viewer, why am
I not able to see descriptions of all the events? For some events I
see just "The description for Event ID ( xxx ) in Source ( yyy )
cannot be found ...".
-- rpr. /Robert Premuz/
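
The error text in this thread points at "registry information or message DLL files". The following is an added example, not part of any post in the thread: a read-only PowerShell check of where each of the four event sources is registered and whether the message file named in its EventMessageFile value exists. It assumes PowerShell is available on the server; the helper name New-Row is hypothetical.

```powershell
# Added diagnostic example, not from the thread. Read-only: it changes nothing.
$sources = 'DNS', 'ESE', 'WUSyncService', 'HHCTRL'   # sources named in the thread
$root    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

# Hypothetical helper: builds one report row.
function New-Row($LogName, $Source, $File, $Status) {
    New-Object PSObject -Property @{
        Log = $LogName; Source = $Source; MessageFile = $File; Status = $Status
    }
}

$rows = foreach ($src in $sources) {
    $found = $false
    # Each event log is a subkey of Eventlog; each source is a subkey of its log.
    foreach ($log in Get-ChildItem $root) {
        $key = Join-Path $log.PSPath $src
        if (-not (Test-Path $key)) { continue }
        $found = $true
        # EventMessageFile is REG_EXPAND_SZ and may list several files separated by ';'
        $raw = (Get-ItemProperty $key).EventMessageFile
        if (-not $raw) {
            New-Row $log.PSChildName $src '' 'no EventMessageFile value'
            continue
        }
        foreach ($file in [Environment]::ExpandEnvironmentVariables($raw).Split(';')) {
            $file = $file.Trim()
            if (-not $file) { continue }
            $status = if (Test-Path $file) { 'file present' } else { 'file missing' }
            New-Row $log.PSChildName $src $file $status
        }
    }
    if (-not $found) { New-Row '' $src '' 'source not registered under any log' }
}

$rows | Select-Object Source, Log, Status, MessageFile | Format-Table -AutoSize
```

A "file present" row only shows that the registration resolves to a file on disk. The same "description cannot be found" text is also shown when that file's message table has no entry for the particular event ID.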