Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1000 Source: ApplicationError

Level
Description
Faulting application <application name>, version <version number>, faulting module <module name>, version <version number>, fault address <hex address>.
Comments
 
This is a very generic error and it doesn't tell much about what caused it. Some applications may fail with this error when the system is left unstable by another faulty program. Usually, a reboot is recommended when this type of error is showing up. If the error is persistent, then one can start digging further (i.e. update the application that is listed in the event), install latest hotfixes, check for viruses and so on).

If the application is iexplore.exe and you cannot do "New window" without crashing the browser, then see ME316593 (there used to be another article, ME272322 but it was removed from Microsoft's support site).

This may also occur if the application is not compatible with the operating system. For example, trying to run games designed for Windows 9x/ME on Windows 2000/XP.

According to ME967227, an application that uses the RPCRT4.dll module on a computer that is running Windows Vista SP1 or Windows Server 2008 may stop and generate this message. A hotfix is available from Microsoft.
Application: explorer.exe, Exception code: 0xc0000005 - Windows Explorer crashed and this event was recorded when I deleted some photos while Picasa was compacting its cache. Explorer.exe simply restarted and there were no other issues. Most probably a bug in Picasa.
Application Beserver.exe - See EV100563 (Symantec TECH223209).
Application name: octave-3.2.4.exe - This event was recorded when the Octave (programming language) console was closed using the application window x close button (on the top right of the window) instead of typing "exit" in Octave window (so this is a bug in the Octave interface).
Application: VMotor.exe, from Velneo server in Windows 2003 Server. The problem comes from a bad configuration of the running applications. Delete "fuvm.vuf" file or swap from a backup copy.


Application vmtoolsd.exe - From a support forum: "During the installation of VMware tools I was getting the warning message that if I wanted to use shadow services, I would need to start the COM+ System Application Properties service and one other service I can't remember before installing VMware tools if I wanted to use shadow services. Since I didn't want shadow services, I ignored the warning.  Deinstalling the tools and paying attention to the warning and starting the services (even though I don't need shadow services) solved the problem. The COM+ System Application Properties was more involved because it depends on COM+ Event System, Remote Procedure Call (RPC) and System Event Notification Service. If you are getting these messages, be sure to look right click on each service cited and open its properties dialog and click on the Dependencies tab and run all those services as well."
Application: svchost.exe, module: rpcss.dll - Hotfix ME2401588 solves this problem for Windows 2008 Server R2 SP1.
- Application: TrustedInstaller.exe - I started getting this event after I changed edited the security and the user ID that runs this services under component services in an attempt to resolve another error (every 5 seconds after restarting the server). I then changed the security and the user that runs the service back to what it was.
- Application: excel.exe - I had this issue with an older formatted Excel file (version 2003) that still had an xls file extension. We are using Excel 2007 here and the file shows "Compatibility Mode" in the header. The problem was fixed by saving it in Excel 2007 (xlsx) format.
Environment: Windows 2003 SP2, module kernel32.dll, error address 0x000237e2 - I have solved issue stopping spooler service, deleting all files in c:\windows\system32\spool\printers and starting spooler service.
I got faulting application winword.exe (Office 2003 SP3 on Win7 64bit). Starting Word takes a long time, on closing it crashes. As a matter of course it impacts Outlook too. As mentioned here in another thread / event source: the reinstallation of office didn't solve the problem, but deleting the normal.dot seems to solve the issue (tested about half a day).
Application: spoolsv.exe, Module: wsdapi.dll, Exception code: 0xc0000005, OS: Windows server 2008 R2 - Spooler service crashed in average every 10 minutes or so. wsdapi.dll (Web Services on Devices ) is commonly used for scanning, which in my case was not used on that particular server.

Solution :
Check for WSD-ports on the server, and if they are present, and not connected to any printers, they should be deleted. To delete the port, you would need to create a new (fake) printer, connected to that particular port, and the delete the printer.

I had around 30 WSD ports, and when i started deleting the ports, the spooler crashes stopped right away.
Application IE8 with Windows XP SP3 module : dzdd.dll - I uninstalled Google Toolbar and everything went normal again.
A good tip above is try to run IE without anything (run -> iexplore.exe -nohome -extoff).
Application: splwow64.exe, corrupt module: ScriptSn.20110324101647.dll - We had some troubles printing out of 32 bit applications on 64 bit operating systems (Windows 7) with several printer drivers. Deactivating the McAfee ScriptScanner solved our issues. We are waiting for a hotfix to reactivate our script scan.


USER32.DLL was the module. Only happened to one user on the Terminal Server. Everyone else could log in. The user had a disconnected session on the TS. I forced a logoff using Task Manager->Users, and user was able to log back in.
Application wmiprvse.exe - See EV100229 (WMI leaks memory on Server 2008 R2 monitored agents) for a possible fix.
Application: explorer.exe, module: MSVCR80.dll - In my case the error was generated by the extension "DivX Thumbnail Provider", filename "DivXThumbnailProvider.dll" (located at C:\Program Files\DivX\DivX Plus Media Foundation Components\). Comes with DivX Plus 8.1.2.

After disabling this extension (DivX Thumbnail Provider) with ShellExView (EV100231) and killing all opened "explorer.exe" applications the error does not occur any more.

Probably this issue is addressed to an faulty video file or an malfunction in this module.

Additional change the file association via right click context menu option "open with" from DivX to another player (for example VLC).
In my case, the application needed .Net Framework 2.0 (that was not installed on the computer).
Application: outlook.exe, module outllib.dll - All I did was to replace outllib.dll with a copy from another computer and the problem was fixed.
- Application: "Explorer.EXE", module: "sharemedia.dll" - Always happens when I use any of my 8GB USB sticks which have only few MB left in free space. The Event Viewer says the source is Explorer.exe which is what crashes but the sharemedia.dll file/module is found in my RealPlayer SP directory and the videos on my USB sticks are mostly assigned to RealPlayer SP to play.

The Explorer.exe restarts and then usually it's ok but eventually, it happens again. This could be a bug in RealPlayer that leaves Explorer.exe unstable.
- Application iexplore.exe version 8.0.6001.18702, faulting module comctl32.dll  - Running Windows XP SP3, IE8.

Symptoms: When you start IE8 it crashes on loading the start page (even if that's blank). After few seconds, an application error pop-up appears - the one with sending report to Microsoft and after that, another one with drwatsn32 (IE is not responsive). In the event log there are 3 errors: app:iexplore module: hungapp app:iexplore module:comctl32 app:drwatsn32 module:hungapp.

Solution: Try running IE without extensions and with a blank start page (run -> iexplore.exe -nohome -extoff). If it starts with no problems, then reset IE Advanced settings (ME923737 worked for me)
- Application: lsass.exe - On Windows Server 2003 Service Pack 2 (SP2) with IIS 6.0 installed and hotfixes KBKB970430 or update KB973917 applied, this issue occurs because a bug in one of the Windows system files (Strmfilt.dll). A hotfix is availble - see ME979730.
Application: application shmgrate.exe - I believe that this is related to the failed attempt in copying over the default user profile.


Application: WINWORD.EXE - In my case, this was caused by a corrupt printer driver. I uninstalled my current printer and found this fixed my problem.
Application: spoolsv.exe, module: zsr.dll - Caused by a faulty print driver for the HP 1020. Resolved by removing old print drivers using M324757 and installing the latest full feature drivers (see the HP LaserJet Full Feature Software and Drivers link).
The problem I had was with Internet Explorer 7 crashing on Exit (Send Error Report to MS) and I resolved it by disabling Adobe PDF Help Linker under IE/Tools/Manage Add On. I uninstalled and re-installed Adobe Reader 9.1 but the problem remained, so I left the Adobe Add-on disabled and this did not prevent PDF document from being loaded into IE7.
I ran across this error on a windows xp home system. On startup, Data Execution Prevention prevented explorer.exe from starting up. Windows would start up only in safe mode. The problem was contributed to corrupted system files caused by a index.exe trojan virus. I installed the latest version of avast antirus in safe mode and scheduled a boot scan for avast. It deleted 26 instances of win32 trojan viruses. It booted up instantly but Windows still had many problems.  I ran the scan again with more results, adjusted services, and ran sfc scan to bring the system back with no personal data lost.
Application: spoolsv.exe, Module: cpmmon.dll - The print spooler kept crashing and could not be restarted (it would crash again). I could not clear the print jobs stuck in the queues as a result of this as well. The CTX102628 hotfix from Citrix corrected the issue (see the link below, in the Links section).
- Application: tsadmin.exe, module tsadmin.exe - ME961151 describes a situation when this event can be recorded when you start the Terminal Services Manager tool in Windows Server 2003. A hotfix is available from Microsoft for Windows 2003 Service Pack 1 or 2.
- Application: sitecomp.exe, module: kernel32.dll - See ME954214 for a hotfix applicable to Microsoft System Center Configuration Manager 2007.
- Application: printdrvstress.exe, module: ntdll.dll - See ME934013.
- Application: exshell.exe, module: ntdll.dll - See ME950112.
- Application: vds.exe, module: ntdll.dll - See ME948699 and ME949001 for hotfixes applicable to Microsoft Windows Server 2003.
- Application: nissvc.exe, module: msvcrt.dll - See ME945166 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: Rtvscan.exe, module: Rtvscan.exe - See EV100004.
- Application: grovel.exe, module: grovel.exe - See ME939383 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: mcupdate.exe, module: kernel32.dll - See ME935685 for a hotfix applicable to Windows Vista.
- Application: devenv.exe, module: ntdll.dll - See ME935842 for a hotfix applicable to Microsoft Visual Studio 2005.
- Application: WinCal.exe, module: WinCal.exe - See ME933942 for a hotfix applicable to Windows Vista.
- Application: msoobe.exe, module: urlmon.dll - See ME932442.
- Application: lsass.exe, module: secur32.dll - See ME897648 for a hotfix applicable to Microsoft Windows Server 2003 and Microsoft Windows XP, and ME870997 for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows XP.
- Application: emsmta.exe, module: kernel32.dll - See ME924835 for a hotfix applicable to Microsoft Exchange Server 2003.
- Application: setup.exe, module: wizardui.dll - See ME842466.
- Application: spoolsv.exe, module: unknown - From a newsgroup post: "Disabling DEP (Data Execution Protection) solved the problem". See ME875352 for a detailed description of the Data Execution Prevention (DEP) feature.
- Application: mmc.exe, module: hipobjects.dll - See ME930285 for a hotfix applicable to Microsoft Host Integration Server 2006.
- Application: mmc.exe, module: aclui.dll - See ME870995 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: fs9.exe, module: mfc70.dll - See ME555608.
- Application: w3wp.exe, module: davex.dll - See ME945401 for a hotfix applicable to Microsoft Exchange Server 2003.
- Application: w3wp.exe, module: rpcrt4.dll - See ME917781 and ME933729.
- Application: w3wp.exe, module: exprox.dll - See ME329067 and ME953539.
- Application: w3wp.exe, module: mscorwks.dll - See ME913384 for a hotfix applicable to Microsoft .NET Framework 2.0.
- Application: w3proxy.exe, module: LinkTrans.dll - See ME915411 for a hotfix applicable to Microsoft Internet Security and Acceleration Server 2000.
- Application: winlogon.exe, module: rpcrt4.dll - See ME914048.
- Application: winlogon.exe, module: ntdll.dll - See ME914048.
- Application: outlook.exe, module: rtfhtml.dll - See ME318658.
- Application: tecadwins001.exe, module: msvcrt.dll - See EV100013
- Application: mapsvc.exe, module: mapper.dll - See ME883520 for a hotfix applicable to Microsoft Windows Services for UNIX 3.5.
- Application: svchost.exe, module: qmgr.dll - See ME939159 for a hotfix applicable to Windows Vista.
- Application: svchost.exe, module: ntdll.dll - See ME910666.
- Application: svchost.exe, module: iassam.dll - See ME894538 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: svchost.exe, module: rpcss.dll - Microsoft article ME326964 describes a similar situation. Also, several newsgroup posts suggest that installing ME823980 solves the problem.
- Application: svchost.exe, module: msi.dll - See ME927385 and ME939273.
- Application: snalink.exe, module: snaipdlc.dll - See ME898555 for a hotfix applicable to Microsoft Host Integration Server 2004.
- Application: msimn.exe, module: msoe.dll - See ME898807.
- Application: mngcli.exe, module: snatrc.dll - See ME883850.
- Application: store.exe, module: unknown - See ME947174 for a hotfix applicable to Microsoft Exchange Server 2003.
- Application: store.exe, module: store.exe - See ME833817 for a hotfix applicable to Microsoft Exchange Server 2003, and ME933398 for additional information on this event.
- Application: store.exe, module: exoledb.dll - See ME903935 for a hotfix applicable to Microsoft Exchange Server 2003 and ME945938 for additional information.
- Application: store.exe, module: EXWIN32.DLL - See EV100009.
- Application: dllhost.exe, module: DasServer.dll - See ME924394.
- Application: dllhost.exe, module: scrrun.dll - See ME906092 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: dllhost.exe, module: ntdll.dll - See ME898921.
- Application: dllhost.exe, module: sqloledb.dll - See ME838976 for a hotfix applicable to Microsoft Data Access Components.
- Application: explorer.exe, module: kernel32.dll - See ME898051 for a hotfix applicable to Microsoft Windows Server 2003 and ME322687 for additional information.
- Application: explorer.exe, module: shlwapi.dll - See EV100002.
- Application: explorer.exe, module: rkadmin.dll – See ME900004 for information on this event.
- Application: explorer.exe, module: ntdll.dll - See ME824136 for a hotfix applicable to Microsoft Windows XP and Microsoft Windows 2000.
- Application: wmiprvse.exe - See ME914831 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: wmiprvse.exe, module: unknown - See ME948730.
- Application: wmiprvse.exe, module: HMonitor.dll - From a newsgroup post: "Adjusting configuration and security for WMI namespace, solved the problem. See ME325353 for information on how to do this".
- Application: wmiprvse.exe, module: svrenumapi.dll - See ME938911 for a hotfix applicable to Microsoft SQL Server 2005 and ME942907 for additional information.
- Application: wmiprvse.exe, module: Fastprox.dll - See ME835438 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: wmiprsve.exe, module: mngbase.dll - See ME916137 for a hotfix applicable to Microsoft Host Integration Server 2000 and 2004.
- Application: wmiprvse.exe - See EV100012
- Application: inetinfo.exe, module: unknown - See ME930952 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: inetinfo.exe - From a newsgroup post: "I got the hotfix (ME827214) the other day and applied it. It did require a reboot of the box. I have not had any problems since I applied the hotfix".
- Application: java.exe, module: symcjit.dll - From a newsgroup post: "Please change the symcjit.dll file name to another name. (make a backup for that file). Run "Services.msc" on the SBS 2003 command line. Find the Oracle_POHTTPServer service, right-click on it to change its property to manual, stop the service and then click Apply and OK to save these changes. Change the name of the symcjit.dll file back the way it was. If the problem still exists, please contact Oracle for more support".
- Application: iexplore.exe, module: mshtml.dll - See ME923996 and ME949922.
- Application: iexplore.exe, module: browseui.dll - See EV100002.
- Application: iexplore.exe, module: urlmon.dll - From a newsgroup post: "The problem was found by running the "Filemon utility" (see EV100014). In the Filemon log, just as a file was downloaded and IE crashed, there was another program installed that also had a file called URLMON.DLL that was registered as well in the registry. When I renamed this file, everything worked as it should". Also, see ME946627 for additional information about this event.
- Application: locator.exe, module: locator.exe - From a newsgroup post: "It seems to only happen when I am using the computer and it is not connected to the domain. As soon as I connect to the network where the DC resides, the error stops popping up. Removing NAI VirusScan 8i and going back to 7.1.0 fixed this problem".
- Application: Rtvscan.exe, module: PATCH32I.DLL - From a newsgroup post: "We just got off the phone with Symantec. A definition update caused the problem. According to them, our server was set up to aggressively receive updates once every few minutes, rather than the standard schedule, so we pulled an update that was not "fully tested" yet. Right now, about 30 servers and an unknown number of clients are infected. We have to run an executable that Symantec supplied and then manually start the SAV service on each affected box. We are going to patch and fix the servers manually and throw the client fix in a logon script".

If your computer is running Microsoft Windows Services for UNIX 3.5, and all Interix applications stop responding, see ME914680 for a hotfix applicable to Microsoft Windows Services for UNIX 3.5.
- Application: LogWatNT.exe,   module: unknown - It indicates that LogWatNT tried to write part of the operating system memory, typically a sign of a software bug in the application.
- Application: dsm_om_connsvc32.exe, module: msvcr80.dll - We had this problem with Dell's OpenManage Agent 5.3 and 5.4 A01. After looking at everything, it turned out that the problem was related to the NTFS permissions that were too tight on the drive and folder it was installed to. We never figured out the correct permissions but reinstalling OM on another drive with "default" permissions allowed it to run correctly.


- Application: explorer.exe – Explorer crashed when I pressed the right mouse button on the Start button in Vista Business Edition. The problem was due to installing PowerZip, which tried to add itself into the context menu for the right mouse click. The solution was to uninstall PowerZip and use WinRAR.
- Application: cqmghost.exe, module: cpqperf.dll - To resolve this issue, recommended steps include uninstalling VCA (Version Control Agent) and HP Insight Management Agents, restart server and install v7.91 of the PSP (Proliant Support Pack). If the issue still persists, to prevent the Foundation Agent for Windows from experiencing an application fault again, disable the Performance Monitor subagent from the HP Insight Management Agents applet in the Windows Control Panel by performing the following steps:

1.  Launch the HP Management Agents applet located in the Windows Control Panel.
2.  Select the "Services" tab.
3.  Select the "Performance Monitor" subagent located in the "Active Agents" panel.
4.  Click the "Remove" button to move the subagent to the "Inactive Agents" panel.
5.  Click OK and exit the HP Management Agents applet.

A future version of the HP Insight Management Agents for Windows 2000/Windows Server 2003 will prevent this condition from occurring.
Application: activation.exe - On a Small Business Server, Data Execution Prevention was stopping activation.exe from functioning properly. I added C:\Program Files\Windows Server for Small Business\licensing\activation.exe to DEP as an application to ignore. To do that, open System Properties, Advanced, Performance Settings, DEP, and add activation.exe to the list.
- Application: lmgrd.exe - This is caused by FLEXlm licence manager having an expired or incorrect licence file. Make sure that the licences have not expired and that the MAC addresses and hostnames within the licence.dat file matches the servers involved. I had a typo in one of the MAC addresses, as soon as I re-entered the MAC address and restarted the FLEXlm licence service. All started working fine.
- Application: w3wp.exe - The cause of this on my system was PHP 5. My fix was to add w3wp.exe to DEP (Data Execution Prevention) exceptions. Apparently, this can appear after SP1 is installed on Windows Server 2003.
If the application is Exchange 2000 and you are running Windows Server 2003, then the error occurs because Exchange 2000 is not supported on Windows Server 2003. You cannot run Exchange 2000 on a Windows Server 2003-based computer. See ME822884 for more information about this error.

- Application: dns.exe, module: ntdll.dll - See ME837088 for a hotfix.
- Application: lsass.exe, module: authz.dll - See ME818080 for a hotfix.
- Application: lsass.exe, module: schannel.dll - See ME875534 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: lsass.exe, module: ntdsa.dll - See ME886174 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: tsadmin.exe, module: unknown - See ME833890 for a hotfix applicable to Microsoft Windows Server 2003.
- Application: explorer.exe, module: comctl32.dll - From a newsgroup post: "Running “sfc /scannow” fixed the problem in my case".
- Application: explorer.exe, module: msvcrt.dll - This problem might be caused by ME903234. See EV100006 for details.
- Application: miiserver.exe, module: miiserver.exe - See ME884192 and ME842531.
- Application: dbbackup.exe, module: mfc42u.dll - See the link to "Veritas Support Document ID: 272708".
- Application: icw.exe, module: unknown - See ME888817.
- Application: bengine.exe, module: ntdll.dll - See EV100005
- Application: w3wp.exe, module: mscsups.dll - See ME828868 and ME838466.
- Application: STORE.EXE, module: EXWIN32.DLL - See ME810591.
- Application: ntbackup.exe - See ME894390.
- Application: Iexplore.exe, module: Mshtml.dll - See ME899102.
- Application: IWSSHTTPMain.exe, module: CerberianIFX.dll - See the link to "Trend Micro Support Solution ID: 23801".
- Application: wfshell.exe - See EV100007 and EV100008.
- Application: MMC.exe, module: mcvcr71.dll - read McAfee solution kb46794.
- Application: W3WP.exe - Read McAfee solution kb46835. Go to the "McAfee Knowledge Search" page and search for the specified solution.
- Application: dllhost.exe, module: SpamRouter.dll - Read McAfee solution kb46675.
- Application: outlook.exe, module: outllib.dll - Read McAfee solution kb46395.
- Application: ehrecvr.exe - From a newsgroup post: "A network driver issue typically causes this behavior. I suggest updating your PC's Ethernet card drivers to the latest version available from your PC OEM's website. In my case, once I updated the Network Card drivers, everything worked great".

As per Microsoft: "The indicated program stopped unexpectedly. The message contains details on which program and module stopped. A matching event with Event ID 1001 might also appear in the event log. This matching event displays information about the specific error that occurred". See MSW2KDB for more details.

If you are running Windows XP check ME823772 for more information.

This issue can occur if you use keyboard commands to load the registry hive. In this case see ME817448 for more details.


- Application: outlook.exe, module: fldpub.dll - From a newsgroup post: "This dll is a Netfolder component. ME229962 article is a general troubleshooter for Netfolders. Also ME266732 may help. Thirdly if you are not using Netfolders you may still have the add-in installed. It can be uninstalled by going to Tools > Options > Other > Advanced Options > Add-in Manager> if it is listed just uncheck".

- Application: wmplayer.exe, module: clvsd.ax - From a newsgroup post: "I was unable to play DVDs on my PC. I have been able to play them in the past. I have recently installed Windows Media Player 9. If I tried to play a DVD in Windows Media Player 9 or other DVD software player, the programs crash, reporting a fault in module “clvsd.ax”. I finally solved this by rolling back the NVIDIA driver to an earlier version".

- Application: rundll32.exe - From a newsgroup post: "Click Start ->Run. Type sfc /scannow. Select the OK button. Follow the prompts throughout the System File Checker process. Reboot the computer when System File Checker completes".
When you run ASP.NET 2.0 on a domain controller check permissions on the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ASP.NET_2.0.50727\Names .
When ASP.NET 2.0 is installed, the local group IIS_WPG is given special permissions on this key. When the server is a domain controller the IIS_WPG group becomes a domain group (there are no local groups on domain controllers) and the NETWORK SERVICE account cannot be a member of it as it is a BUILTIN account. What you will need to do is give the NETWORK SERVICE account specific permissions to that key. Start Regedit and navigate to that key. Right-click "Names" and select “Permissions” on the context menu. Click Add and enter NETWORK SERVICE, click "Check Names" and click "Ok". With NETWORK SERVICE highlighted in the "Groups or User Names" list, click "Advanced". On the "Advanced Security Settings for Names" dialogue highlight NETWORK SERVICE and click "Edit". In the "Permission entry for Names" dialogue check that the "Name" box is showing "NETWORK SERVICE" and put check marks against "Query Value", "Set Value", "Create Subkey", "Enumerate Subkeys", "Notify" and "Read Control". Click Ok on all the dialogues and close Regedit. Ensure your application pools are reconfigured to run as NETWORK SERVICE (or at least all the ones you want to be) and restart them.
After a restart, there should be no more errors.
- Application: svchost.exe, module: msi.dll - See the link to "Tech Blender Blog" for a solution to this problem.
- Application: spoolsv.exe, module: ntdll.dll - As similarly reported by someone else, uninstalling the Lexmark T640 series software in Add/Remove Programs solves the problem.


We were getting the error related to shell32.dll randomly with either Dr.Watson or the Explorer. We tried as many of the steps that applied here with no luck. One thing that was unique was it only happened on our Dual Core machines. It turns out that ME896256 addresses issues with multi-core processing on XP SP2 machines. So far, this appears to have resolved our issue. It looks as though this also applies to Hyper-threading machines.
- Application: iexplore.exe, module: ntdll.dll - This problem was caused by the Google toolbar after installing IE7. After I reinstalled the Google toolbar, the problem disappeared.
- Application: RPCServ.exe, module: Common.dll - See "McAfee Support Document ID: KB47356".
- Application: iexplore.exe, module: kernel32.dll - In my case, Iexplore crashed on WinXP Pro workstation when trying to open it and this event was logged. I changed the default home page to "Use Blank" and I unchecked the "Work Offline" option from the file menu. IE is back to normal and now I can set a default home page.
- Application: spoolsv.exe, module: ntdll.dll - Uninstalling the Lexmark software in add/remove programs solved the problem. After this, the printers work properly, and the spool service does not stop any more.
- Application: explorer.exe, module: unknown - I started to get random explorer restarts when scrolling through some directories, especially C:\Windows. I seem to have fixed it by disabling the "show hidden files and folders" option.
- Application: wmiprvse.exe, module: provDisk.dll - This is related to Intel Server Manager 8.x running on Windows 2003 server. There is a problem with the provided provdisk.dll. An explanation and replacement can be found in EV100014.
- Application: outlook.exe - I had an issue with my MS Outlook 2000, which is installed on a Windows XP Service Pack 2 machine. If I composed a message and then tried to send it or if I closed Outlook, this error appeared in my event log.
The issue appeared to be a conflict with MS Outlook 2000 and the MSN Search Toolbar. Once I removed MSN Toolbar, the problem was resolved.
- Application: svchost.exe, module: msi.dll - Looks like the msi.dll file became somehow damaged. I reinstalled Windows Installer 3.1 Redistributable (v2) from Microsoft and the problem was fixed. This problem happened after the last update from Microsoft.


- Application: TMproxy.exe - I have experienced various event ID 1000 Application Errors. Many of them have been related to TMproxy.exe or ccProxy.exe (Trend Micro/Symantec). It seems to happen only on two of our four machines. Both are HP hyper-threading machines. I searched on HP's, Microsoft’s, and Symantec’s sites, as well as many others (this has been an ongoing issue since December 2005). It turns out there are compatibility issues related to hyper-threading machines. I am waiting for Trend Micro to get back to me regarding a patch for hyper-threading machines. So far, the only other suggestion has been to disable hyper-threading (which defeats the purpose).
- Application: TNSLSNR.EXE, module: orantcp.dll - Orantcp9.dll is the dll file that interfaces Oracle and the TCP layer. Oracle Listener service fails to start and the listener process crashes with a Windows OS dialogue box saying: "TNSLSNR.EXE has encountered a problem and needs to close". This might be due to some malicious software. Run a spyware checker on your system. If that does not work, reset TCP WINSOCK. See ME299357 for details on how to do that.
- Application: wmiprvse.exe, module: msvcrt.dll - I received this error on my Windows 2003 Server after installing SP1 and OpenManage 4.4. I found that the SNMP service was causing the problem. I reconfigured the SNMP communities on the server and allowed an XP workstation that had IT Assistant console version 7 (Dell software product for managing multiple servers running OpenManage) installed on it, to poll the server. Rebooted the server and the error ceased to occur.
- Application: tcpsvcs.exe, module: ntdll.dll - We have been receiving this error on our Windows 2003 domain controller, which happens to be both a DHCP and RIS server for a remote office. ME842608 appears to clear up the issue.
- Application name: dllhost.exe, module: ntdll.dll - See ME896989 for a hotfix applicable to Microsoft Operations Manager (MOM) 2005, when used with Microsoft Windows Server 2003 Service Pack 1.
In one case, this event ID occurred when I tried to open the Windows 2003 Control Panel. This caused Explorer.exe to crash. The computer had been built from a Ghost image of another computer that had the Windows swap file on the “D:” drive. This computer only had a “C:” drive and this resulted in no swap file being used by Windows. This Event ID was followed by event ID 1004 from source Application Error. When the swap file was configured correctly and the computer restarted these events did not appear again.

In another case, this Event ID occurred when I tried to open the Windows 2003 Control Panel. It started to open but then caused explorer.exe to crash (Application: explorer.exe, module: shell32.dll). The computer had been built from a Ghost image of another computer that had the Windows swap file on the C: drive (so this is not the same situation as my previously reported problem). The computer was fully configured when this Event ID occurred. This Event ID was followed by Event ID 1004 from source Application Error after the restart of the computer. When I tried to open the Control Panel after the restart nothing happened, it did not even start to open, and no further related Event IDs appeared. I restarted the computer and tried again, and the above cycle of errors repeated itself. I booted the computer in Safe Mode and was able to open the Control Panel without any problem. I booted normally, ran “sfc /scannow” (as suggested above for a similar problem) and restarted the computer, but the problem was still there. I then noticed that the Device Manager had two entries under "Display adapters", both of which were enabled. One was for the onboard video adapter and the other was for an additional video PCI card. I disabled the onboard video adapter, restarted the computer and these events did not appear again.
- Application: SAVFMSESp.exe, module: SAVFMSESp.exe - See EV100003.
- Application: "winword.exe", module: "fm20.dll" - Tried deleting "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word" key and let Office re-create what it needed, but still no good. Re-installed MS Office 2002, restarted the PC and everything is ok now. Microsoft suggested repairing the Windows XP installation using the CD as per ME823772.
In my case, the event came when trying to uninstall McAfee Anti Virus. Something was wrong in the registry. I deleted Network Associates in HKEY_LOCAL_MACHINE\Software\, and then I reinstalled all components of McAfee and then uninstalled it.


Had this problem with MSPAINT. Deleted the users profile and recreated it and that fixed it.
Application: hl.exe (related to Half Life Sierra game) - According to various newsgroup posts this error occurs on Win XP and the cause is the video adapter. Updating the video drivers can solve the problem.
In my case the error was generated by mmc.exe, version, 5.1.2600.0. It turns out I was missing the mscat32.dll and minnls.dll files from the system32 folder. I replaced them from a backup.
In my case the error was generated by winword.exe. It turns out something was corrupt in the registry. I deleted the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word key and everything came back to normal.
In our case, event ID 1000 related to a FrontPage Extensions error...
Microsoft FrontPage Server Extensions: Error #3005f Message: Unable to read configuration for Microsoft Internet Information Server.
This problem was caused by the deletion of the default web site after we had created a new web site.
From the IIS management console, right click on Internet Information Services and choose properties.  Under Master Properties , click WWW Service , and then click Edit. Select the Service tab and set the default web site.
For more information see MS Knowledgebase article - ME308193.
I was having this problem with IE 6 crashing constantly. I went to dllworld.com and got and older version of the msls31.dll file and IE seems to be very stable so far.
In my case the error was generated by msnmsgr.exe, I noticed EBegin's comments about winword.exe so I deleted the HKEY_CURRENT_USER\Software\Microsoft \MSNMessenger key, rebooted and Messenger stopped crashing after that.
We were experiencing this problem on an Outlook97 running on Windows XP SP1. Dr. Watson flagged outlook.exe and user32.dll in the error report. I checked the documents and settings folder and found the user had two folders, one for the domain, one for the local machine. Deleted both, deleted user, and rebooted. Recreated user, still same problem (though only one user folder in docs & settings now).

I checked the profile settings for the user and found that this was a person that logged into 3 types of machines-- Win98, WinNT4.0, and WinXP. As we all know, profiles between the different OS don't play well. Win98 likes profiles to be stored by default in a home folder, NT in a Users folder, and now XP likes a separate Profiles folder. So I took a look at the XP profiles folder and discovered that the NT User.dat and System.dat were carrying over. I deleted those, deleted the folders off the local machine so they'd recopy down correctly, and logged back in. Problem fixed.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...