Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 2000 Source: Srv

The server's call to a system service failed unexpectedly.
Data: Words
0000: 00040000 00540001 00000000 c00007d0
0010: 00000000 <error code 1> 00000000 00000000
0020: 00000000 00000000 <error code 2>
There are many causes for this event. The relevant information is the actual error code listed in the "Data" portion of the event so don't troubleshoot this just based on the general "event id 2000" premisis. Depending on the error codes in the data segment there are various links about this error:
- c0000008 - See Error code 0xC0000008.
- c000000d = "INVALID_PARAMETER", and 028e0bc5: Caused by PC-cillin loaded on Windows 95 clients. See ME192732.
- c000000f (Error code 0xC000000F) = "STATUS_NO_SUCH_FILE", and 05180bc5: Caused by a client trying to delete a non-existent file on a NetWare server through Gateway Services for NetWare (GSNW). See ME173403 and ME173210.
- c000010a (Error code 0xC000010A) = STATUS_PROCESS_IS_TERMINATING - Some users reported this after installing VCS (Veritas Cluster Server) on Windows 2003. The error basically means that a program tried to terminate a process but the process was already being terminated. Not too helpful for the server administrators.
- c0000013 (STATUS_NO_MEDIA_IN_DEVICE) and 04e80bb9: The error occurs when the server tries to access a shared resource (for example, a CD-ROM or floppy disk) which has no media (that is, no disk) in the drive. See ME152846.
- c0000054 (STATUS_FILE_LOCK_CONFLICT) and 05930bd3: This behavior can occur when you have an early version of the Cheyenne Open File Agent program installed. See ME288301.
- c000009a ="STATUS_INSUFFICIENT_RESOURCES" - See Error code 0xC000009A for general information on this error.
- c000023a (STATUS_CONNECTION_INVALID) and 13830bbe: The size of request Buffers on your computer running Windows NT Server is too small. See ME136150
- c00007d0 and 12880bc5: See ME134759.

- Codes n/a. If the WinSock program does not correctly post a Receive to collect the incoming data from WinSock, Afd may endlessly buffer the data and use up all non-paged memory. Afd should check the MaxBufferredReceiveBytes value for the socket and then not buffer more than this value. See ME293841 and ME296265.
- c00000bb and 04c20337 - Resolved this error by removing Windows Update - KB958687.
- c000010a and 00bd0334 - Resolved this error by uninstalling a software called Unlocker.
- c0000010 - In my case I got this error due to having two spyware applications installed. Really dogged my computer, couldn't go more than 2 minutes without locking up all resources. The spyware apps where PC Tools and ETrust ITM.
- c0000184 (STATUS_INVALID_DEVICE_STATE) and 04a0031a - I had this combination on W2K3 server running RRAS. Restarting the SERVER and RRAS (in turn) services  solved the problem. Generally, a server restart will give better result, but in many cases this is impossible.

In my case, this issue occurred on a Windows 2003 file server with LiveVault, McAfee AV and ViceVersa Pro. Conflicts with the filter drivers and opportunistic locking caused the Server service to fail due to locking issues. Disabling "opportunistic locking" solved the problem. See ME296264 for information on configuring opportunistic locking in Windows.
- c00000bb and 04c20337 - Resolved this error by removing Windows Update - KB917159.
- c0000008 (Error code 0xC0000008) and 04c20337 - From a newsgroup post: "After uninstalling the KB896422 patch, problem was solved".

See ME321248 for a hotfix applicable to Microsoft Windows 2000.

See ME912376 for additional information about this event.
- c00000bb and 04c20337 - Resolved this error by removing Windows Update - KB896422.
- C0000056 (STATUS_DELETE_PENDING) - See ME176979.

- C000004 - From a newsgroup post: "This error code is sharing violation indicative. What is taking place here is that some files on the server are being accessed, locked and are not unlocked for others to use.
In many cases, this can only be determined correctly by analyzing a trace of the network traffic between the client and the server while running the application. However, a quick test can be performed by disabling oplocks and not caching open files. To disable oplocks and caching of open files on the server as a test, follow these steps:
Open the registry editor and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Here change the following keys:
Key: EnableOplocks, type REG_DWORD, value: 0 or 1. Default: 1 (true). To disable oplocks, the value of EnableOplocks must be set to 0.
Key: CachedOpenLimit, type REG_DWORD, value: 0".

This event might also be related to by Norton AntiVirus Corporate Edition (NAVCE) 7. See Symantec Knowledge Base ID: 2001041808040048 for more details.

See the link to "EventID 2000 from source NCP Server" for additional information on this event.
For me, a program called Spyware Eliminator caused this error. I disabled the system preventions option (Active defense shield) and the problem was resolved.
- c0000054 (STATUS_FILE_LOCK_CONFLICT) and 0eb4bd3: In my case this event ID appears on the Windows 2000 Advance server every time remote MAC (OS 10.2.8) write files to the shared folder.
- c0000184 (STATUS_INVALID_DEVICE_STATE) and 04a0031a no info.
In my case, this event occurred after installation of LiveVault continuous online backup software on Windows NT4 Terminal Server sp6.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.