Event ID: 4097 Source: EventSystem

The COM+ Event System detected a bad return code during its internal processing. HRESULT was <error code> from line 309 of .\eventsystem2.cpp. Please contact Microsoft Product Support Services to report this error.
Error code: 800705AA = "Insufficient system resources exist to complete the requested service" - This may occur if the system is infected by the MSBlaster or LoveSAN Internet worm. See ME823980 for details. See Symantec Security Response on how to detect it and remove it.

This event may also show up in other circumstances. See the links below for some conditions under which this event can occur.

See also the comments for Error code 0x800705AA.

Error code: 8000FFFF - Not a fix but for some additional information, see the comments for Error code 0x8000FFFF.
Error code: 80080005 - See the comments for Error code 0x80080005.
Error code: 0x80040111 - See the comments for Error code 0x80040111.
Error code: 800706BA - See "JSI Tip 7676".
Error code: 80070057 - See ME268856.
To resolve this issue, download and install the Microsoft Windows 2000 security update that is described in ME823980.

From a newsgroup post: "Apparently, the following registry key got modified and did not have the right values. I exported this registry key from a functional server and imported it to the server with the issue after backing up the key.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]".

See ME830074, ME839880, and the link to "EventID 4097 from source DrWatson" for additional information on this issue.
In one case, this problem was due to Windows 2000 having reached the maximum registry size of 255MB.
This happened to me when the system was infected with the W32/Nachi.worm. After removing the worm and applying the latest RPC Patch, all problems were gone.

Error code: 8000FFFF - I got this after (successfully) installing either ME823980 or ME824146. This accompanies severe problems at reboot: no more task bar, no more start menu, no more desktop icons, explorer.exe cannot be launched from task manager, etc. Machine is unusable until patch is rolled back. Thoroughly checked for virus, none found.
In my case, this problem was fixed after I installed the latest Windows service pack.
This may be caused by an RPC vulnerability recently discovered on Windows servers. See: Windows RPC Vulnerability Fix for more details as well as the Microsoft Security Bulletin MS03-026.
If you have recently had problems with IIS (unexpected crash, EventID 28 and/or 37 in the system log) and you get this event (ID 4097) in your application log, have a look at ME282073.
