Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 4609 Source: EventSystem

Source
Level
Description
The COM+ Event System detected a bad return code during its internal processing. HRESULT was <error code> from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Comments
 
As a general consideration, please note that each combination of error code and line number points to a different type of problem so the troubleshooting suggestions for one code should only be applied to the same type of error code.

The actual line number and the subsequent reference to the C++ page (.cpp) points to the original programming source of the COM Event System. For Windows Vista, the reported code page is d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp.

* * *

Reported error codes:
- 8007041F = The service database is locked - See Error code 0x8007041F.
- 800706BF = From a newsgroup post: "This error is associated with a misbehaving DCOM call". See Error code 0x800706BF for more details.

For code 800706BA see the virus removal procedure in the link to Symantec.

- 80070005 = Correlated with events 4689 and 778 this may indicate a corrupted COM+ catalog. Articles ME315296 (and to lesser extent ME246499) provide details on how to reset the catalog:
1. Rename the %WinDir%\System32\Clbcatq.dll file to %WinDir%\System32\~Clbcatq.dll. Make sure that you include the tilde (~) at the start of the file name.
2. Restart the computer.
3. Start Registry Editor (Regedt32.exe).
4. Locate and delete the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
5. At a command prompt, type cd %windir%, and then press ENTER.
6. At a command prompt, type rmdir /s Registration, and then press ENTER. This is the location folder of the registration database.
7. Click the Start button, point to Settings, and then click Control Panel.
8. Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
9. Click Next to go through the reinstallation process, to reinstall COM+.
10. If IIS is installed on the computer, IIS creates several COM+ applications. These applications will now be missing. To re-create these applications, run the following command at a command prompt:
rundll32 %windir%\system32\inetsrv\wamreg.dll, CreateIISPackage
If Windows File Protection blocks the renaming and deletion, restart the computer in Safe mode, and follow these steps again.

Note If you have MS04-012 installed, you must now re-install MS04-012. For more information about security update MS04-012 see ME828741.
- Error code: 0x80070005 - See Error code 0x80070005.

See ME896728 for information on the Windows XP COM+ Hotfix Rollup Package 10.

See the links to "Configure and troubleshoot COM+ Event System service" and "EventID 4609 from source VSS" for additional information on this event.
- Error code: 80070005 - See ME916254.
- Error code: 80004002 - See ME286021 and Error code 0x80004002.
- Error code: C0000005 - From a newsgroup post: "I had the same problem and finally I disabled MSN 7.1 from running at startup and the error ceased to appear". See Error code 0xC0000005 for general information about this error.
- Error code: C0000005 (Error code 0xC0000005) - I used to get this error message after each boot. The problem seems to be caused by the fact that I deleted the user account that appeared after installing .NET Framework 1.1 called "ASP.NET Machine A…". I corrected the problem by reconfiguring .NET with the following command:

%systemroot%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe /i .
- Error code: C0000005 (Error code 0xC0000005) - I would get this event on every boot, and like another user who posted here, it was caused by having MSN Messenger 7.5 starting automatically when Windows starts. If I run MSN Messenger after the boot has completed (i.e. manually start it), there is no COM error recorded. To disable Messenger from running automatically, open MSN Messenger, and go to Tools -> Options -> General -> and uncheck "Automatically run Messenger when I log on to Windows".


In my case, the problem appeared because the "DCOM Service Process Launcher" service not running. Once the service was started the problem disappeared.
- Error code: 80070005 - See ME909444 and Error code 0x80070005.
I've been seeing a particular problem on certain Windows XP computers when they are updated to Service Pack 2, and judging from posts in these newsgroups and also on other Internet message boards, it's quite a common problem. The symptoms are that after SP2 has been installed, and the machine has been rebooted a few times, this error message appears in the Application Event log.
I searched information on this problem for a while, and eventually found the following two articles relating to Windows 2000 Service Pack 4: ME821546 and ME827664. It turns out that in Windows 2000 Service Pack 4 two new user rights were added, "Impersonate a client after authentication" (SeImpersonatePrivilege) and "Create Global Objects" (SeCreateGlobalPrivilege). Even though the articles do not say so, it seems that they were also added in Windows XP Service Pack 2. However, it seems that sometimes something goes wrong in the XP SP2 installer when it sets up these two new user rights. I think this is why some computers get the above error messages. It does not happen all the time and I cannot see any reason to which some computers are messed up and some ones are not. I reckon it is a race condition or some other similar bug in the installer.
The reason that the problem does not always manifest itself straight away is probably because by default Windows only “refreshes” its security settings every 16 hours, and if that refresh is a while away you might not see the problem right away. Some networks may also have turned up this refresh time, so the problem is even worse.
Some sites may also have these settings set (possibly incorrectly) in their Default Domain Policy group policy, which could also mess things up. However, at my site we don’t have these settings set on the domain anywhere, only in the Local Security Settings, and yet we still have the problem. Anyway, if the security settings upgrade goes wrong, you end up with the error. Fortunately, it seems to be quite easy to fix.
On the affected workstation:
1) Go to Start -> Settings -> Control Panel -> Administrative Tools.
2) Run “Local Security Policy”.
3) Go to Security Settings -> Local Policies -> User Rights Assignments.
4) Double click on “Create global objects”. The correct default settings are “Administrators”, “INTERACTIVE”, and “SERVICE”.
5) Double click on ''Impersonate a client after authentication''. The correct default settings are “Administrators”, “ASPNET” (if you have the .NET Framework installed) and “SERVICE”.
Even if the settings are set correctly, you may need to “refresh” them to fix the problem. To do this, on each policy, remove one of the entries (“SERVICE” is probably the best to remove), then press OK to save the changes, and then go back in and add it back in again (click “Add User or Group...”, type “SERVICE” into the white box, and press OK). Then close the Local Security Settings box and reboot. If you are running in a domain with Group Policy, you might want to force a group policy refresh before you reboot by running “gpupdate /force”.
- Error code: 80070005 (Error code 80070005) - In one case this happed on a Windows XP SP2 computer after it was added to a Windows 2003 domain and the computer was restarted twice (once as part of the procedure for adding the computer to the domain and an extra one). No Windows 2003 computers configured the same way had this problem. Other symptoms: Alternate-clicking "My Network Places" resulted in an empty dialog box. Starting NTBACKUP resulted in an extra dialog box with the message "The Backup Utility cannot connect to the Removable Storage service". Starting Norton Ghost 2003 resulted in a dialog box with the message: "Couldn't contact Ghost Start Agent. (0x80070005)". When I tried to install the Microsoft Windows XP SP2 Support Tools, I got a dialog box with the message "Microsoft Installer failed".

The Event ID appeared on a domain controller running Windows 2003 and the computer named in the description was a workstation running Windows XP SP2. This appeared after Group Policy changes on the domain controller were made and after the workstation was restarted twice (once to pick up the change in Group Policy and again to be affected by it at Windows startup).

The relevant part of the Default Domain Policy that caused this is shown in condensed form below:

Console Root
  {Group Policy}
    Computer Configuration
      Software Settings
        Windows Settings
          Scripts (Startup/Shutdown)
          Security Settings
            Account Policies
            Local Policies
              Audit Policy
                User Rights Assignment
                  Impersonate a client after authentication <MyGroup>.

Resolution: Change the above policy setting for Impersonate a client after authentication to: Administrators, <MyGroup>, SERVICE.

Restart the workstation twice (once to pick up the change in Group Policy and again to be affected by it at Windows startup).
In my case this error appeared on the Widows 2000 server. SP4 adds a group policy that, in my case did not include the users as it should have. See ME821546 to resolve this problem. You need to add the appropriate users to this policy. You may need to run and OS repair as well. After that, all worked well for me and I had no more problems with the 4 systems I was working with.
- Error code: 800706BF - See the link to "Events for OpenVMS" and ME325409 for information related to this error code.
Error code 80070422 - Tried to run Windows Messenger 5.0 and received this error. Under "Services", COM+ Event System and COM+ System Application were disabled. After enabling these services, the errors stopped and Windows Messenger works fine.
Error code 800706BA = "The RPC server is unavailable". In my case, this was caused by the W32.BLASTER.COM virus. See MS Security bulletin MS03-026 (ME823980).
- Error code: 8007043C. Usually this event is followed by event id 8193 from "VSS". From a Microsoft support person (from a newsgroup post): "If the events occurred on a machine that was running in Safe Mode, these events are benign and you can ignore them - unfortunately they will always appear whenever you reboot the machine in Safe Mode. We plan to fix this bug for future versions of Windows (it is already fixed in Windows Server 2003)."


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...