Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
The Collect Procedure for the <service name> service in DLL <DLL name> generated an exception or returned an invalid status. Performance data returned by counter DLL will not be returned in Perf Data Block. Exception or status code returned is DWORD 0.
0000: <status code>
|English: This information is only available to subscribers. An example of English, please!|
|Concepts to understand:|
What is a DLL?
What is an exception?
What are the performance counters?
What is a DWORD?
This event can occur when an application was uninstalled but references to its performance counters remained. Also, improper registration of the counters dll may have the same effect as well as corrupted dlls.
Suggestions from newsgroups: "First, make sure the dll file exists, and exist in the proper locations. Once you've confirmed the location of the DLL, type REGSVR32 /U <DLL name> to unregister the DLL, then drop the /U and run it again to re-register the DLL in its current location. When you unregister the DLL, use the path from the Event Viewer. When you register it, use the path of the file in its current location. That should work."
Service: DTSPipeline, dll: DTSPipelinePerf.dll - As per ME967316, this problem occurs because SSIS pipeline counters are created in the session that Dtexec.exe first runs. See the article for the hotfix information.
For entries referring to the "Spooler" service in DLL "C:\WINNT\system32\winspool.drv”, check to see if the Print Spooler service has been disabled. If you want to keep it disabled then use exctrlst.exe to disable the performance counters for it.
Running “winmgmt /resyncperf” from the command-line solved my problem with performance counters.
Per Microsoft: “This behavior may occur if you use certain types of network adapters. The network adapter driver may return description strings to the CollectTcpIpPerformanceData function that do not contain null terminators. The sprintf function copies the description strings to a local variable. However, the sprintf function does not check to make sure that the strings are not too large for the local variable to hold. As a result, a buffer overflow may occur. Because the buffer is stored on the stack, the stack becomes corrupted. This corruption causes an access violation.” See ME819716.
From a newsgroup post: "Try the following steps to resolve the Event ID 1010 errors:
1. Use Regedt32 to add the EventLogLevel value with a Reg_Dword value of 0 to the following value to the registry: "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\PerfLib\"
2. Use the SBS Administrator Console to open the computer Management snap-in, or right click My Computer and select Manage.
3. Expand out the list under Services and Applications.
4. Right click the WMI Control, and select Properties.
5. Choose the Logging tab and set the Logging level to Disabled, then click OK to close the WMI Properties.
6. Select Services, right click the Windows Management Instrumentation service, and then restart the service".
- Service: SnaServr, dll: "snapeSnaServr.dll" - This problem has been corrected in the latest U.S. Service Pack for SNA Server version 4.0. See ME185743 for more details.
- Service: InetInfo, dll: "infoctrs.dll" - See ME275494 for information.
- Service: Spooler, dll: "winspool.drv" - See ME839397 for a hotfix.
- Service: Tcpip, dll: "Perfctrs.dll" - See ME888044.
- Service: PerfDisk, dll: "perfdisk.dll" - See ME842900.
Use Exctrlst.exe (Extensible Performance Counter List) and turn off the spooler, “winspool.drv” in our case. This solved the error messages for us.
I had the same error. In my case the LicenceloggingService hung, it could not be stopped or killed in the task manager. After rebooting the server, this service started successfully and the 1010 event did not appear again.
Woodrow Wayne Collins
Troubleshooting this type of problems is not an easy tasks. For a general approach see ME152513 - "Troubleshooting Performance Monitor Counter Problems".
In the case of corrupted dll you can manually rebuild Performance Counter Library values. See ME152513, ME275659 and ME300956.
Article ME226494 describes how to control the error checking and reporting by registry settings and list the possible event information. This is useful for testing and validating a Performance Monitor Extension. This is also helpful to diagnose problems with performance monitor extensions that are installed as part of a vendor's server application or device driver.
"PerfDisk", DLL name: "perfdisk.dll" - In the case of remote disk monitoring, both physical and logical, an administrator account is needed. Without administrator rights on the target machine, the counters for physical or logical disks will not appear. Administrator rights to access two files (PERFC009.DAT and PERFH009.DAT) is also required for disk monitoring.
"SnaServr", DLL name: "snaperf.dll" - See ME186713.
Service name: "Spooler", DLL name: "winspool.drv" - The status code in the data section was 0x000006ba (or 1722 decimal) and that means The RPC server is unavailable (see the Error code 1722 link). In my case this makes sense because it happened during a reboot. That is why the server was unavailable. See ME177446 on how to test Microsoft remote procedure call performance.
Service name: Tcpip, DLL name: Perfctrs.dll
- Status code 0000013d = ERROR_MR_MID_NOT_FOUND = The system cannot find message for message number 0x%1 message file for %2. - no additional info
- Status code c0000005 - This behavior may occur if you use certain types of network adapters. The network adapter driver may return description strings to the CollectTcpIpPerformanceData function that do not contain null terminators. The sprintf function copies the description strings to a local variable. However, the sprintf function does not check to make sure that the strings are not too large for the local variable to hold. As a result, a buffer overflow may occur. Because the buffer is stored on the stack, the stack becomes corrupted. This corruption causes an access violation. See ME819716.
Service name: "Msgbldsvc" - ME229021 describes similar errors related to the Site Server 3.0 message builder service. Errors for msbldsvc will occur occurs at each update interval of Performance Monitor if the message builder service is not started.
PerfOS, perfos.dll - Here is some info I found on Google which solved the same issue for me: "I have recently configured a script to use WMI to obtain basic performance information (disk space, CPU and memory utilization) from a number of HP/Compaq servers on a nightly basis (for health checking and performance monitoring purposes). The script works fine with servers ruinning SP2 (except for some timeouts on win32_logicaldisk, but we are in the process of upgrading to SP3). After applying SP3, the events appear to start when the script runs, and ends at some point in the future (3-4 hours is not unusual), with 1-2 events reported per second during this period. We tried to use exctrlst to remove the perfOS counters, but then the script stopped running. These issues only occur on servers that have been updated to SP3 (also HP Smartstart 6.2 at the same time). I resolved this issue myself. Apparently by changed from using win32_processor.LoadPercentage to calculating the CPU load from win32_perfrawdata_perfos_processor it stopped all of the error messages and came up with sensible values for the CPU utilization.
According to Microsoft, this could be caused by Compaq (in our case) or another hardware manufacturer installing their own perfomance conters. From Microsoft point of view, this error should be ignored - for them there is no fix to disable the error, other then removing the non-MS performance counters.
Service name: "Spooler", DLL name: "winspool.drv" - From a newsgroup post: "I found that I could not print, add a printer or even delete a printer from my printer list. I tracked it down to a corrupt print driver. It would appear that in Windows 2K or NT 4.0, the spool Spooler service terminated unexpectedly whenever I did anything. To correct this issue I had to delete the rogue driver entries from the registry. In my case it was a fax driver but it could be anything."
Service name: "Tcpip", DLL name: "Perfctrs.dll" - Download and install exctrlst.exe from Resource kit from Microsoft web site. Mark tcpip and reboot the server. See HP Support link below.
Set KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ <service name>\Performance\Disable Performance Counters - with a value of 0x1. This will disable the performance counters for that <service>.
Another fix would be to execute the Win2000 Resource Kit tool: exctrlst.exe and disable the Performance Counters you do not want monitored.
This error appears also when the service start is set to "manual" or "disable" in the services. By setting the service to automatic will stop the error showing up. Like previously said, the registry entry for the service should be disabled if you need to disable the service, otherwise errors in the logs will occur."
|Private comment: Subscribers only. See example of private comment|
|Links: Disable Performance Counters, exctrlst.exe, HP Support|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
|Custom search for *****: Google - Bing - Microsoft - Yahoo|
Send comments or solutions
- Notify me when updated