Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 3012 Source: LoadPerf

The performance strings in the Performance registry value is corrupted. The Record Data contains BaseIndex value from Performance registry in DWORD 0, LastCounter value in DWORD 1, and LastHelp value in DWORD 2.
As per T775053, the registry settings used by the Performance counters might be corrupted (or missing). Rebuild the list of available counters using the lodctr /r command. One however should also investigate the reasons why these settings got corrupted (malfunctioning software, hardware failures, malware, etc...) as these can be signs of other type of problems.

In certain conditions, uninstalling a software may lead to improper changes in the Performance counters settings and this event is recorded. See the "I Donít Have Grey Hair (yet)" link for an example of such problem.
To rebuild all Performance counters including extensible and third party counters in Windows Server 2003, type the following commands at a command prompt. Press ENTER after each command.
cd \windows\system32
lodctr /R (Note /R is uppercase)

Windows Server 2003 rebuilds all the counters because it reads all the .ini files in the C:\Windows\inf\009 folder for the English operating system.

Note: If you are running a Cluster or Datacenter product, you must fail over the node to refresh the counter list after doing the preceding steps for both base counters and extensible counters.

Note: On systems that are running applications that add their own performance counters, such as Microsoft Exchange or SQL Server, the .ini file that is used to load the performance counter may not be located in %Systemroot%\System32. These .ini files can usually be found under the applications folder structure.
This event was preceded by event 3011 (source LoadPerf) and event 41 (source WinMgmt). All performance counters were corrupted and not being loaded. Our solution was to reload default performance counters manually as per ME300956. Please note, the Q article refers to registry Values: "FirstCounter", "FirstHelp", etc... should be "First Counter", "First Help" - there is a space in the Value Name. Also, use EXCTRLST.EXE to identify performance registry keys.
Use ExCtrLst.exe utility from W2K Resource Kit to deal with this error. Retrieve the DWORD values from event's record data. Then use these values and search in ExCtrLst in order to find the performance counter that is corrupted. Then you may disable it on the "Performance Counter Enabled" checkbox.
If really need the perf counter, you may remove it using UnlodCtr "Performance Service Name" then add it back with LodCtr <File.ini>. These are default system utilities, but adding a counter is not an easy job...

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.