Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1016 Source: Perflib

The data buffer created for the <service name> service in the <DLL name> library is not aligned on an 8-byte boundary. This may cause problems for applications that are trying to read the performance data buffer. Contact the manufacturer of this library or service to have this problem corrected or to get a newer version of this library.
As per Microsoft: "When developing and debugging your Performance Monitor extensible counter on Windows 2000, the system may automatically disable it, generating event id 1016." See ME249138.

We got several reports on this error occurring on regular systems (not used for development or debugging), especially MS SQL 7 on Windows 2000 Server.

- Service: IAS - The event was reported when the system was restarted after a power failure. The IAS service was not started (the startup mode configured to "Manual").
- Service: EXOLEDB - The event was reported when the system was restarted after a power failure.
See ME942955 for a hotfix applicable to Microsoft Windows Server 2003.
We had this error and it was because of Trend Micro SMEX 7.0. After we applied ScanMail for Microsoft Exchange 7.0 Patch 5, the problem was solved. The read the readme for the patch see “ScanMail for Microsoft Exchange 7.0 Patch 5 Readme”.
- Service: AppleTalk - See ME324712 for more information.
- Service: ESENT - See ME828341.
- Service: BlackBerry Server - See the link to "BlackBerry Support Article Number: KB-00674".
- Service: MSMQ - See the link to "Veritas Support Document ID: 273250".
- Service: MQSeriesServices - Read IBM Support Reference #: IC45158.

ME247226 has information on how to fully uninstall a performance monitor extension.

As per Microsoft: "Windows requires performance counters to conform to 8-byte data block sizes. The specified service does not conform to this requirement". See MSW2KDB for more details on this event.
In our case, the event for "EXCOLEDB" and "MsExchangeChat" was being generated every 6-8 minutes. We simply used a utility "ExCtrLst.exe" from Win2K Resource Kit to disable corresponding performance counters. Same can be done by going directly to the registry under HTLM\System\CurrentControlSet\Services\<Service_Name>\Performance and creating a new DWORD value " Disable Performance Counters " (keep the spaces) use REG_Dword = 1 to disable or 0 to re-enable.

In my case, the problem appeared after I installed a performance monitoring software, namely "Performance Monitoring Protocol" developed by Eastbow Lab.
Article ME226494 describes how to control the error checking and reporting by registry settings and list the possible event information. This is useful for testing and validating a Performance Monitor Extension. This is also helpful to diagnose problems with performance monitor extensions that are installed as part of a vendor's server application or device driver.

When the performance data buffer returned by a performance extension DLL is not aligned on an 8-byte boundary, the performance library (PERFLIB) part of ADVAPI32.dll will report a warning 1016 to the Application Log in Event Viewer.
ME262335 explains how a performance extension DLL can align the performance data on an 8-byte boundary.
As per ME280074:
"Microsoft SQL Server 7.0 uses 4-byte alignment for performance data. However, starting with Windows 2000 and later, the alignment changes to 8-byte alignment. Because Microsoft Windows 2000 was released after Microsoft SQL Server 7.0, 8-byte alignment is only propagated in versions of SQL Server released after Windows 2000, starting with SQL Server 2000.
Because this problem is fixed in SQL Server 2000, upgrading to SQL Server 2000 resolves the problem."
If you use Windows NT Performance Monitor to check the performance of the Microsoft Mobile Information Server or the Microsoft SharePoint Portal Server or Microsoft Exchange Server 5.5 see Microsoft article ME288077 for solution.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.