Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 2012 Source: PerfOS

Unable to get system process information from system. Status code returned is data DWORD 0.
0000: 05 00 00 c0
Data a1 00 00 c0 translates to Error code 161 (The specified path is invalid.) so some of the files required for the OS-related performance monitors might be missing or the configuration may point to the wrong location.

In one instance, this particular error was caused on several servers across the domain by a memory leak in one of the third party software packages installed on them. The memory leak caused the exhaustion of resources leading to several symptoms such as unresponsiveness, errors when accessing shares, and so on. Removing the 3-rd party software (an antivirus) fixed the problem.
In my case Symantec Endpoint Protection 12.x††was the cause for Sybase SQL stopping to work. It lead in less then 2000 (average 1400) PTE. A simple folder exclusion did not resolve the problem. After deinstallation the PTE value raised instantly to 3000. Error code was 0xc000009a.
See EV100415 (How to troubleshoot low System Page Table Entries (System PTEís)) for some troubleshooting suggestions for this event.
There is a Microsoft white paper on this issue. Changing the boot.ini resolved our issue on 2003 SP2. See EV100293 (Detection, Analysis, and Corrective Actions for Low Page Table Entry Issues).
See ME316739 on how to use /userva=nnnn switch for more precise tuning of user and kernel virtual memory space.

I had the same situation as Brian and it was caused by a printer driver ZSHP2600.exe of the infamous HP Color LaserJet 2600n. This driver was running many times. To stop it you have to net stop the print spooler, kill the processes and re-start the spooler. HP is aware of the problem, and  (apparently) does nothing to solve it.
From a newsgroup post: "These types of errors usually occur in the following situations:
1. You do not have enough page file (ensure the page file has enough room to grow)
2. You have a leaky application
Perfmon should be able to help in the second situation; if you are still having troble resolving this I suggest you log a support call with your support provider or Microsoft GTSC."

The 5 in the data portion of the event may point to Error code 5 ("Access denied").

Data code c000009a may indicate that the system is running out of resources. A restart may fix the problem.
We had exactly the same problem as Brian Dwyer described in his comment. Without any application started, the PTEs number was only 15000. With applications started, the PTEs number dropped to 2000. The number of PTEs also decreased during network perturbations and sometimes was less than 600. I solved the problem by changing the value for "HKLM\CurrentControlSet\Control\Session Manager\Memory Management\SystemPages" from 0 to 50000. It increased the number of PTEs to 42500 (no applications started).
This is a possible indication that the System Page Table Entries (PTEs) have reached a dangerously low level. Run performance (system) monitor on the server and add the memory counter "Free System Page Table Entries". A healthy number for a server operating normally should be anywhere from 2, 000 to as high as 10, 000 and more. The higher the number, the better. Another strange behavior you may observe if this is the case is that no processes may show in the task manager even though they are actively running.
If the number you see is below 2000 you most likely have some sort of driver and/or process that is causing a memory leak or is failing. In one instance, I found that a custom application registered as a service was causing application initialization popup errors on the server console. There were hundreds of these errors that were not acknowledged. Additionally, there were over 50 orphaned instances of the application process itself loaded in memory. By clearing/acknowledging the errors and killing the orphaned processes, the system PTEs returned to in excess of 14, 000.
Keep in mind that drivers (especially video and SCSI drivers) can also cause this type of behavior. However, be aware of application popups at the server console.
If you donít want to receive this warning anymore you can use the Exctrlst.exe Tool and uncheck PerfOS.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.