
Event ID: 137 Source: ntfs

The default transaction resource manager on volume <drive letter> encountered a non-retryable error and could not start. The data contains the error code.
According to EV100450 (VMware KB: 2006849), you may experience this type of problem when using the new version of VMware Tools in ESXi/ESX 4.1 Update 1 or Update 2 or ESXi 5.x. A patch is available as well as workarounds using ME2853247 and ME885688.
If the volume id is not clearly indicating which drive is affected, you can use the mountvol.exe utility to identify it. For example, it can show the following:




See EV100606 (Displaying the Volume GUID of a volume) for more details.
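The mapping described above, from a volume GUID in the event text to a drive letter or mount point, as an added example that is not part of the original page. It parses saved `mountvol.exe` output; the sample output, the GUIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample of mountvol.exe output (GUIDs are made up).
SAMPLE_MOUNTVOL = r"""
Possible values for VolumeName along with current mount points are:

    \\?\Volume{11111111-2222-3333-4444-555555555555}\
        C:\

    \\?\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\
        D:\
        C:\Mounts\Data\

    \\?\Volume{99999999-8888-7777-6666-555555555555}\
        *** NO MOUNT POINTS ***
"""

# Constructed event 137 text, built from the description quoted on this page.
SAMPLE_EVENT = (r"The default transaction resource manager on volume "
                r"\\?\Volume{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} encountered a "
                r"non-retryable error and could not start.")

GUID_RE = re.compile(r"Volume\{([0-9A-Fa-f-]{36})\}")

def parse_mountvol(text):
    """Return {lowercase volume GUID: [mount points]} from mountvol output."""
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends a volume block
            current = None
            continue
        m = GUID_RE.search(line)
        if m:                             # a volume name line starts a block
            current = m.group(1).lower()
            volumes[current] = []
        elif current and not line.startswith("***"):
            volumes[current].append(line) # a drive letter or mounted folder
    return volumes

def resolve_event_volume(event_text, volumes):
    """Mount points for the volume named in the event; [] if the volume has
    none, None if the text has no GUID or mountvol does not list it."""
    m = GUID_RE.search(event_text)
    return volumes.get(m.group(1).lower()) if m else None

if __name__ == "__main__":
    print(resolve_event_volume(SAMPLE_EVENT, parse_mountvol(SAMPLE_MOUNTVOL)))
```

GUIDs are compared case-insensitively because the event text and `mountvol.exe` may print them in different case.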
According to EV100607 (ArcServe KB TEC526409), systems running ArcServer D2D Backup Software on Windows 2008 can ignore this message.
From a support forum:
This issue occurs if the Windows file system transaction log is corrupted. The Windows file system uses the transaction log to recover system transactions when a file error occurs. The Common Log File System (CLFS) transaction logs may be left in an inconsistent state. When the CLFS transaction logs are in an inconsistent state.
To resolve this problem, delete the .blf files and the .regtrans-ms files from the %Windir%\System32\SMI\Store\Machine folder.
After you restart the computer, the registry regenerates the deleted files. These regenerated files are in a consistent state.
1. Click Start, type cmd in the Start Search box, and then right-click cmd in the Programs list.
2. Click Run as administrator, and then click Continue (If you are prompted for an administrator password or for confirmation, type the password, or click Allow.)
3. At a command prompt, type the following command, and then press ENTER:

fsutil resource setautoreset true c:\

Note: These steps assume that Windows is installed in the default location, on drive C. If this is not the case, adjust the drive letter of the folder path to match your configuration.
4. Restart the computer.
If you have the Virtuozzo application installed, see EV100562 (Event ID 137 for container appears on the hardware node).

I get this error message pretty frequently while System State backups are running. I look at the logs and if the System State backup has no errors, I ignore this event.

Server 2008:

Server 2003:
C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data
(username is the name that the backup runs under)
I get this error about 50% of the time when some of my Server 2008 machines are creating System State backups. Before the error, I can see events indicating Shadow Copy has started. After the error, Shadow Copy unloads. (I am not using Shadow Copy on any of the volumes. It is just loading for System State.)

I am not sure if I am getting good System State backups.
If you have eFolder backup software installed, see EV100451 (NTFS error The default transaction resource manager could not start).
Some instances of this problem can be fixed by updating the ntfs.sys driver as described in ME981166.
In our case the drive specified in the event was a mounted virtual drive (an encrypted drive created using TrueCrypt). It only happened one time.
Error code: 0xC00000BB - According to ME971905, this event may be recorded when certain operations are repeated through a script (writing data to a volume, unmounting it, synchronization by RAID, etc.; see the article for details). The problem occurs because the Common Log File System driver (CLFS.SYS) does not properly handle a name conflict in the transaction log. The article provides a workaround for this issue.
See EV100449 (A painful Vista) for a web log troubleshooting this problem on Windows Vista.
