Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 2001 Source: rasctrs

The description for Event ID ( 2001 ) in Source ( rasctrs ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: .
In my case, I solved the issue by setting the Remote Access Connection Manager and Telephony services startup type to "Manual".
This event can also be caused by a conflict between Symantec/Veritas tape drivers and the Routing and Remote Access service. As per ME842696, try to reinstall the drivers and reboot. It worked for me.
This event can be ignored if it occurred when Windows was started in Active Directory Restore mode or some other form of Safe Mode.
As per Microsoft: "There was a problem with System Monitor's communication with the Routing and Remote Access driver using a device IOCTL. Verify that the NDISWAN.SYS file is in your Systemroot\system32\drivers folder. Also restart the server". See MSW2KDB for more details.
From the link below, the message actually reads: "Load of Rasctrs.dll failed. Make sure the DLL file is in the PATH. WIN32 Error number is returned in the data."
For Windows NT, according to Microsoft: "This behavior can occur if you install RAS on a computer that already has Service Pack 4 (SP4) installed but do not then reapply SP4 or apply the latest service pack before you restart the computer."

For Windows 2000, this may occur after the installation of Service Pack 4. See ME823405.

Edit the following registry key [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Performance] as follows:
First Counter to decimal 1848
First Help to decimal 1849
Last Counter to decimal 1886
Last Help to decimal 1887

This fixes the problem.
You get this 2001 error after disabling Remote Access service. Here is my fix:
Value name: Library
Data type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\rasctrs.dll

create a new String:
Value name: Library
Data type: REG_SZ
Data: %SystemRoot%\System32\rasctrs.dll

All it takes to fix, is getting rid of the EXPAND data type. Reboot and verify that the error is gone.
I got this event on a Windows 2000 Server after disabling the Remote Access Services. I used the exctrlst.exe utility from the resource kit, scrolled down to the "RemoteAccess" extensible performance counter, and unchecked "Performance Counters Enabled" for this service. That solved the problem for me.
Windows 2000 (any edition) issue that is caused when the following three services are disabled: Remote Access Auto Connection Manager, Remote Access Connection Manager, Telephony (all of which are set to Manual by default). Typically, someone would disable these services on Domain Controllers (or other editions) to reduce the number of unncessary services running, of which, these three are not needed as long as RAS is not needed. This message can be especially troublesome on a DC due to it appearing every 60 seconds and filling up/creating large "Application" event log file. However, it is a harmless error.
To resolve:
1. Run "unlodctr rasctrs.dll" to unload the counter.
2. Delete the performance counter registry key: HKLM\System\CurrentControlSet\Services\RemoteAccess. Delete the entire "Performance" key.
The error will cease.
Note: This problem is fixed in Windows XP.
Started occuring after I disabled the Telephony and Remote Access Connection Manager services with a security template. Whenever attempting to run performance counters against this server the Application Event log would fill with this error. Setting these services back to Manual (thus allowing them to start when Perfmon hit them) solved the problem.
See Microsoft article ME811089 link below.
To work around this problem, run the following commands prompt in the %SystemRoot% \System 32 folder to unload and reload performance dynamic-link libraries (DLLs).
unlodctr rasctrs.dll
lodctr rasctrs.ini

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.