
Event ID: 1004 Source: ApplicationError

Level
Description: Faulting application <application exe>, version <application version>, faulting module <module name>, version <module version>, fault address <hex memory address>

Comments:
- Application: VMotor.exe, from Velneo server in Windows 2003 Server. The problem comes from a bad configuration of the running applications. Delete the "fuvm.vuf" file or swap it from a backup copy.

Use this information to fix svchost errors with wuaueng.dll:

1. Click Start->Run, type "services.msc" (without quotation marks) in the open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local System account" is selected and the option "Allow service to interact with desktop" is unchecked.
4. Check if this service has been enabled on the listed Hardware Profile. If not, please click the Enable button to enable it.
5. Click on the tab "General", make sure the "Startup Type" is "Automatic". Then please click the button "Start" under "Service Status" to start the service.
6. Repeat the above steps with the other service: Background Intelligent Transfer Service (BITS)

Re-register Windows Update components and clear the corrupted Windows Update temp folder:
1. Click on Start and then click Run.
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message, click OK.
4. Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

net stop wuauserv
rmdir c:\windows\softwaredistribution /s
net start wuauserv

- Application: Rtvscan.exe, module: Rtvscan.exe - See the link to "Symantec Knowledge Base Document ID: 2005082415100448".
- Application: store.exe, module: exchmem.dll - See ME938225 for a hotfix applicable to Microsoft Exchange Server 2003.
- Application: lsass.exe, module: ipsecsvc.dll - See ME938482.
- Application: lsass.exe, module: secur32.dll - See ME897648 for a hotfix applicable to Microsoft Windows Server 2003 and Microsoft Windows XP. Also, see ME870997 for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows XP.
- Application: winlogon.exe, module: rpcrt4.dll - See ME914048.
- Application: winlogon.exe, module: regapi.dll - See ME828664 for hotfixes applicable to Microsoft Windows Server 2003, Microsoft Windows XP and Microsoft Windows 2000 Server.
- Application: svchost.exe, module: ntdll.dll - See ME910666.
- Application: svchost.exe, module: rpcss.dll - From a newsgroup post: "I have been working on our scripted build of Win2k3 on proliants for our network. Regardless of the server to which it is built, after 1-4 days the RPC service stopped, and this event was logged. The problem was that a patch needed to be installed at build time as there was a virus loose on the network that killed the process. Install ME828741 at build time and you will be fine".

In one case, this event ID occurred when I tried to open the Windows 2003 Control Panel. This caused Explorer.exe to crash. The computer had been built from a Ghost image of another computer that had the Windows swap file on the “D:” drive. This computer only had a “C:” drive and this resulted in no swap file being used by Windows. This Event ID was followed by event ID 1000 from source Application Error. When the swap file was configured correctly and the computer restarted these events did not appear again.

In another case, this Event ID occurred when I tried to open the Windows 2003 Control Panel. It started to open but then caused explorer.exe to crash (Application: explorer.exe, module: shell32.dll). The computer had been built from a Ghost image of another computer that had the Windows swap file on the C: drive (so this is not the same situation as my previously reported problem). The computer was fully configured when this Event ID occurred. This Event ID was preceded by Event ID 1000 from source Application Error before the computer was restarted. When I tried to open the Control Panel after the restart nothing happened, it did not even start to open, and no further related Event IDs appeared. I restarted the computer and tried again, and the above cycle of errors repeated itself. I booted the computer in Safe Mode and was able to open the Control Panel without any problem. I booted normally, ran “sfc /scannow” (as suggested above for a similar problem) and restarted the computer, but the problem was still there. I then noticed that the Device Manager had two entries under "Display adapters", both of which were enabled. One was for the onboard video adapter and the other was for an additional video PCI card. I disabled the onboard video adapter, restarted the computer and these events did not appear again.

In another case, this Event ID occurred when I tried to open the Windows 2003 SP1 Control Panel. It started to open but then caused Explorer.exe to crash (Application: explorer.exe, module: unknown). The computer had been built from a Ghost image of another computer. This error was not related to the Windows swap file. There was only a single display adapter. I tried uninstalling/reinstalling the display adapter and minimising the refresh rate and resolution but still got the problem. I could open Control Panel with no problem in Safe Mode. A workaround is to disable the display adapter but this sets the screen resolution to "640 by 480 pixels" and the color quality to "Lowest (4 bit)".
- Application: dns.exe, module: ntdll.dll - See ME837088 for a hotfix.
- Application: mmc.exe, module: tsuserex.dll - See ME828664 for details.
- Application: ctxnotif.dll, module: ctxnotif.dll - See "Citrix Support Document ID: CTX107308".
- Application: w3wp.exe, module: CSRockall.DLL - See ME838466.

As per Microsoft: "The indicated program stopped unexpectedly. The message contains details on which program and module stopped. A matching event with Event ID 1001 might also appear in the event log. This matching event displays information about the specific error that occurred". See MSW2KDB for more details.


- Application: iexplore.exe - This problem can be caused by corruption in the “Temporary Internet Files” or by the directory itself being corrupt. You have to boot up with Winternals ERD Commander or some other utility with NTFS level file access to delete the directory as it is a system directory and cannot be deleted. Windows will create a new folder on boot and IE will work again.
- Application: megaserv.exe - HP NetRaid Assistant causes this problem. The software is not compatible with the current OS version. In my case, I had to download the updated software from their web site in order to work with Windows 2003.

The application names can vary widely. This error is not given by the application itself but by the operating system that "caught" the problem (most probably the application has crashed at that point). This may indicate a bug in the application (or more precisely in the dll module listed there). You should verify that you have the latest version of that dll (hint - use the Microsoft DLL database to see what is the latest version).
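
An added example (not part of the original page or its comments): the Python sketch below parses the description layout shown above and maps each application/module pair to the reference given in the comments, counting repeats so that recurring crashes stand out. The sample descriptions, version numbers and fault addresses are constructed for illustration.

```python
import re
from collections import Counter

# Layout of the Event ID 1004 description as shown on this page.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>.+?), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<module>.+?), version (?P<mod_ver>[\d.]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)"
)

# Application/module pairs and their references, copied from the comments above.
KNOWN = {
    ("rtvscan.exe", "rtvscan.exe"): "Symantec KB Document ID 2005082415100448",
    ("store.exe", "exchmem.dll"): "ME938225",
    ("lsass.exe", "ipsecsvc.dll"): "ME938482",
    ("lsass.exe", "secur32.dll"): "ME897648, ME870997",
    ("winlogon.exe", "rpcrt4.dll"): "ME914048",
    ("winlogon.exe", "regapi.dll"): "ME828664",
    ("svchost.exe", "ntdll.dll"): "ME910666",
    ("svchost.exe", "rpcss.dll"): "ME828741",
    ("dns.exe", "ntdll.dll"): "ME837088",
    ("mmc.exe", "tsuserex.dll"): "ME828664",
    ("w3wp.exe", "csrockall.dll"): "ME838466",
}

# Constructed sample descriptions (versions and addresses are made up).
SAMPLE = [
    "Faulting application lsass.exe, version 5.2.3790.0, faulting module secur32.dll, version 5.2.3790.0, fault address 0x00001a2b.",
    "Faulting application svchost.exe, version 5.2.3790.1830, faulting module rpcss.dll, version 5.2.3790.1830, fault address 0x0000c3d4.",
    "Faulting application SVCHOST.EXE, version 5.2.3790.1830, faulting module RPCSS.dll, version 5.2.3790.1830, fault address 0x0000c3d4.",
    "Faulting application explorer.exe, version 6.0.3790.1830, faulting module unknown, version 0.0.0.0, fault address 0x00000000.",
    "The service started successfully.",
]

def parse_fault(description):
    """Return the fields of a 1004 description, or None if it does not match."""
    m = FAULT_RE.search(description)
    if m is None:
        return None
    # Windows file names are case-insensitive, so normalise before the lookup.
    return {k: v.lower() for k, v in m.groupdict().items()}

def triage(descriptions):
    """Count crashes per (application, module) pair, most frequent first."""
    parsed = [f for f in map(parse_fault, descriptions) if f]
    counts = Counter((f["app"], f["module"]) for f in parsed)
    return [(app, mod, n, KNOWN.get((app, mod), "no reference on this page"))
            for (app, mod), n in counts.most_common()]
```

Calling triage(SAMPLE) returns one row per application/module pair; pairs with no entry in KNOWN still need the DLL version check described in the comment above.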
