Failed to CoGetClassObject for provider "<application name>". EXE has error in image (<error code>).
Application: CIMW32Ex Error: 0x800401F9 - no info
When this error message is seen on a Windows 2000 system it is usually the result of someone's attempt to uninstall, reinstall, or upgrade the WMI components. The typical scenario involves someone first deleting the WBEM registry key and SYSTEM32\WBEM folder, followed by an attempt to reinstall WMI via either SMS or the wbemsdk included with SMS. The result is a system with a build 698 registry structure, a 698 repository (and MOFs), and build 1085 binaries. You can confirm this corruption by viewing the WMI version number using the WMI control snap-in.
My Computer -> Manage -> Services and Applications -> WMI Control -> Properties -> General
The "WMI Version" is listed in the dialog under the General tab. If the WMI Version on Windows 2000 is anything other than "1085.0005" (i.e. 698.0014) you've got a corrupted WMI install.
Here is a rough outline of a plan that may work....
- Stop WMI (net stop winmgmt)
- Delete the WBEM registry key (HKLM\SOFTWARE\Microsoft\WBEM)
- Delete all of the contents of the "%systemroot%\system32\wbem" folder and all of the contents of the subfolders (Repository, Logs, Mofs, etc). When you do this you will notice that Windows 2000 SFP will restore most of the binaries (this is a good
- Export the WBEM registry key from an identically configured "working" system. Import this data on the non-working system.
- Copy all of the contents of the "%systemroot%\system32\wbem" tree from an identically configured "working" system to the non-working system.
- Delete all of the contents of the "%systemroot%\system32\wbem\repository" folder on the non-working system again.
- Restart WMI (net start winmgmt)
If you're very lucky, the repository will automatically rebuild and you will be back in business. If it doesn't work, it's time to reinstall the OS from scratch.
WMI is a core component of Windows 2000. Any attempt to remove or reinstall WMI will corrupt the operating system. The only way to recover is to reinstall the operating system.