Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 2003 Source: Perflib

Source
Level
Description
The configuration information of the performance library <library> for the <service> service does not match the trusted performance library information stored in the registry. The functions of the library will not be treated as trusted.
Comments
 
- Service "MSSQLSERVER", library "perf-MSSQLSERVER-sqlctr11.4.7462.6.dll" - It is possible that during an update, the performance counters got out-of-sync with the updated files. Open command-line prompt and navigate to C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn, run:

unlodctr MSSQLSERVER

If you need the SQL performance counters, run the following command:

lodctr perf-MSSQLSERVERsqlctr.ini

This will reload the SQL performance counters.
- Service: TermService - As per ME932813 one should use:

lodctr /T:TermService

Microsoft claims it is a SP2 issue but notice the /T (while in Help and Support the msg is lodctr/t servicename). In my case the TermService isn't the problem it is the Perflib. Probable causes include:
- The trusted information stored in the registry is outdated.
- The configuration information for this performance library is outdated.
- A malicious user is attempting to attack your computer.

I guess lodctr/t or lodctr /T: will work. PSched is erroring out with a 1008 ID.
Service: C:\WINNT\system32\infoctrs.dll - I received this on a Windows Server 2000. I followed M267831 to unload/reload the IIS-related performance dlls:

unlodctr w3svc
unlodctr msftpsvc
unlodctr asp
unlodctr inetinfo

lodctr w3ctrs.ini
lodctr ftpctrs.ini
lodctr axperf.ini
lodctr infoctrs.ini

After you run these commands, you must restart your computer for the changes to take effect. This fixed this error, at least for me.
In my case the warning appears, when the nc_net service from Nagios is starts while the port 1248 is used by another application. The Trend Micro Control Manager sometimes uses this port and blocks the nc_net to connect the performance counters.
This event may be recorded if the IIS Admin service is stopped manually.

* * *

Microsoft confirmed this as a problem that was corrected in Windows 2000 Service Pack 2. Applying Service Pack 2 to an already affected system does not resolve the issue. See ME267831.

Service: MSFtpsvc - Received this error when the Windows 2003 server was restarted after a power failure.

* * *

When using lodctr to unload the counter for a certain service you will use the service name as specified in the event description. However, for unlodctr the trick is to find the right .ini file and in many cases it takes some guess work. For example, most of the performance counters .ini files are located under C:\Windows\System32 (or the corresponding folder if Windows is installed in a different location):
- W3SVC service - w3ctrs.ini
- TermService service - tslabels.ini
- MSFtpsvc service - ftpctrs.ini

After using the lodctr command you should see a new event id 1000 from PerfLib in the Application log confirming that the performance counters were loaded successfully.

Example for service W3SVC:
- Open a command prompt
- Type: unlodctr W3SVC
- The unloading should be confirmed with a message like this:
"Removing counter names and explain text for W3SVC
Updating text for language 009". In the Application event log, event id 1001 is recorded, saying: "Performance counters for the W3SVC  (World Wide Web Publishing Service ) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries. "
- Type: lodctr w3ctrs.ini
- There is no confirmation message from this command. However, an event is recorded in the Application log. Open the event log viewer and verify if an informational event id 1000 has been recorded. The description should say:
"Performance counters for the W3SVC  (World Wide Web Publishing Service ) service were loaded successfully. The Record Data contains the new index values assigned to this service."


- Service: TermService - This problem occurs because the size and the date of the Perfts.dll file in Windows Server 2003 SP2 do not match the size and the date that were stored earlier in the registry for the Perfts.dll file. See ME932813 for details.
- Service: W3SVC - Typically, the warning messages are related to the W3svc driver service or to the Active Server Pages (ASP) service. See ME928384 to solve this problem.
- Service: InetInfo - In my case, reinstalling IIS (Internet Information Services) solved the problem.
I removed the "Library Validation Code" value from registry and error went away. See the comments below for information on this value.
As per Microsoft: "The trusted information stored in the registry and the configuration information for this performance library do not match. Probable causes include:
- The trusted information stored in the registry is outdated.
- The configuration information for this performance library is outdated.
- A malicious user is attempting to attack your computer". See MSW2KDB for more details on this event.

See the link to " Citrix Support Document ID: CTX105011" for additional information on this event.
I experienced this symptom after installing IBM Director. Reinstalling SP4 seems to have resolved the problem.
I had the same problem that strangely appeared after installing the IBM Director Active PCI Service Plus Pack. If this is your case, reapply the IIS patch and that should solve your issue.
As per Microsoft: "If the "Library Validation Code" value exists for the named service in the Performance subkey, the data is checked against the file creation time and the file size of the named DLL. This error is posted if they do not match. If the error occurs, it may be corrected by removing and reinstalling the named service". See ME226494 for more details.
I can confirm that unloading and reloading the counters fixes the problem.
Troubleshooting this type of problems is not an easy task. For a general approach see ME152513 - "Troubleshooting Performance Monitor Counter Problems". See also ME300956 to find out how to manually rebuild performance counter library values.


Reinstallation of the update described in ME327696 helped to solve the problem. The "Library Validation Code" needs to be updated. Seems to be that the Registry wasn't updated via "Windows Update". Maybe Services like compaq Web Managment need to be stoped manually before reinstalling the patch.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...