
Event ID: 1025 Source: MSExchangeISPublicStore

An error occurred. Function name or description of problem: <error description>
Error: "EcCategorizeMessage Error: 0xfffff9bf" - This problem occurs because search folders are created and added multiple times to the backlinks list of the folder(s) being searched. When the search folder is deleted, the additional entries of this search folder are not removed from the backlinks list.
From a newsgroup posting: "After further discussion with senior engineers in the development team, this error is a bit different from the symptom mentioned in article ME327997. At face value, this is an ignorable warning that does not affect the functionality of the system, and is not a cause for concern.
This message is logged when the Query Processor (QP) tries to use an index to perform a query optimization but, at the same time, that index was updated by a concurrent transaction. In this situation, the QP will just abandon the optimized path and revert to the default search algorithm.
The only exception to this is when a third party anti-virus program creates a locking situation that causes these errors. It still should not affect functionality, but checking with third party manufacturer for software updates would be a wise move as a precautionary measure".
See MSEX2KDB for information about this event.
Error: EcTestMsgRestriction, 0x8004011b.
Error: EcProcessSearchMessageEvent, 0x8004011b.
The error code 0x8004011b (CdoE_CORRUPT_DATA or MAPI_E_CORRUPT_DATA; see ME185136 and ME246076) is a signal to run the ISINTEG utility.

Error: EcDoDeliverMessage, 0x4dd. Error code 0x4dd (decimal 1245) is defined in the "ec.h" file as ecShutoffQuotaExceeded; it means that the mailbox of the Internet Mail Service has reached a quota. This is the quota defined in the Exchange Server Administration program: click the server in the left pane, click Private Information Store in the right pane, and then click Properties on the File menu. On the General tab, the Storage limits area has three check boxes: Issue warning (K), Prohibit send (K), and Prohibit send and receive (K). Next to each check box is a box where you can specify the actual value. For other error codes, use the "Error.exe" utility in the "Support\Utils\Platform" folder on the Exchange Server CD to determine exactly what the error means. It may also prove useful to convert the error to decimal and then search for the decimal error code.
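The hex-to-decimal conversion suggested above, as an added Python example that is not part of the original page: it pulls the function name and code out of the 1025 description strings quoted on this page and produces the hex, decimal, and signed-decimal forms to search for. The names decode and search_terms are hypothetical, and treating large top-bit-set values as HRESULT-style (facility and code fields) is an assumption, not something the event itself states.

```python
import re

# Error strings from the Event ID 1025 descriptions quoted on this page.
SAMPLES = [
    "EcCategorizeMessage Error: 0xfffff9bf",
    "Error: EcTestMsgRestriction, 0x8004011b.",
    "Error: EcDoDeliverMessage, 0x4dd.",
    "Error: EcGetRestriction. Error: 0x57a",
    "Error: EcDoDeliverMessage Error: 0x80070005",
]

FUNC_RE = re.compile(r"\b(?:Ec|FEq)[A-Za-z]+\b")
CODE_RE = re.compile(r"\b0x([0-9a-fA-F]{1,8})\b")


def decode(description):
    """Split a 1025 description into function name and numeric views of its code."""
    code = CODE_RE.search(description)
    if code is None:
        return None
    func = FUNC_RE.search(description)
    value = int(code.group(1), 16)
    # Interpret the 32-bit value as signed as well; some codes are small negatives.
    signed = value - (1 << 32) if value & 0x80000000 else value
    info = {
        "function": func.group(0) if func else None,
        "hex": f"0x{value:x}",
        "unsigned": value,
        "signed": signed,
        "facility": None,
        "code": None,
    }
    # Heuristic (assumption): top bit set and not a small negative number means
    # an HRESULT-style layout (facility in bits 16-28, code in bits 0-15).
    if value & 0x80000000 and signed < -0xFFFF:
        info["facility"] = (value >> 16) & 0x1FFF
        info["code"] = value & 0xFFFF
    return info


def search_terms(info):
    """Strings worth searching for: hex, signed decimal, and the low 16-bit code."""
    terms = [info["hex"], str(info["signed"])]
    if info["code"] is not None:
        terms.append(str(info["code"]))
    return terms


if __name__ == "__main__":
    for line in SAMPLES:
        print(decode(line)["function"], search_terms(decode(line)))
```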

See ME272570 to find out how to recover from Information Store corruption.
As per Microsoft: "These problems occur when the maximum size paged of non-paged pool that can be allocated by one process has been limited on the Microsoft Exchange Server computer". See ME153480 for more details.

Error: FEqEntryId, Error: 0x80040107 - Symptoms: Whenever the error occurs it seems that the users can't send e-mail to a particular domain, the messages just pile up in the queue. However, e-mail addressed to any other domain gets sent correctly. Under "details", in the Internet Mail Service queue, it says that the message wasn't sent due to a "network error during host resolution".

From a newsgroup post: "The error occurs if the authoritative name server from the target domain cannot be contacted, or if the received answer is in error. Using RESTEST on the server running the Internet Mail Service can help to find more information about the problem. RESTEST is found on the Exchange 5.5 installation CD. The command to run it is:
RESTEST -debug <domain>
Be sure that the command window is large enough so you can scroll through the information to see where the error occurs."

Error: EcGetRestriction. Error: 0x57a - See ME183400 and ME247616.
Error: EcDoDeliverMessage Error: 0x80070005 - I got this event logged each and every morning directly after a couple of EventID 9548's (Source: MSExchangeIS) were logged for a specific disabled user account. I followed the workaround section of ME278966 to define a "msExchMasterAccountSID attribute" for that account and the error was no longer logged. I will be using the LDIF scripting method described in the above Q article soon to avoid both the above event and the 9548 events being logged in the future.
