Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 3011 Source: LoadPerf

Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The Error code is DWORD 0 of the Record Data.
0000: f2 03 00 00 3b 07 00 00
- Service: Outlook - I received this event along with events 3003 and 3009 from the same source. The issue was Outlook 2003 on a 2003 server. Deleting the "HKLM\System\Current Control Set\Services\Outlook\Performance" registry key fixed the issue.
When using Citrix\Terminal Services, if you install Office 2003 you must login as an administrator to complete the configuration of the Performance Counters. An event ID 1000 will confirm the load\unload of performance counters. After that, all users should be able to launch Outlook without any errors being written to the event log.
As per Microsoft: "The performance counter could not unload the strings for the specified service. The registry might be corrupted". See MSW2KDB for additional information about this event.
From a newsgroup post: "Every time you install something that turns on a performance counter and then uninstall it, you get all these errors in the event log since the counters are not turned off with the uninstall. You usually can find where to shut them off in the registry".
- Service: FileReplicaSet - This event was preceided by event 3012 (source LoadPerf) and event 41 (source WinMgmt). All performance counters were corrupted and not being loaded. Our solution was to reload default perfomance counters manually as per ME300956. Please note, the Q article refers to registry Values: "FirstCounter", "FirstHelp", etc... should be "First Counter", "First Help" - there is a space in the Value Name. Also, use EXCTRLST.EXE to identify performance registry keys.

Reported as occuring after applying the suggestions in ME267831
This event occurred running Windows 2000 Server on a Dell Poweredge 4600. It was eliminated by running the following command:
lodctr /r: c:\winnt\system32\perfstringbackup.ini

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.