Source: Service Control Manager
The <service name> service terminated unexpectedly. It has done this <n> time(s). The following corrective action will be taken in <no of ms> milliseconds: <action>.
Concepts to understand:
What is a service?
What is the role of the Service Control Manager?
What is a "corrective action"?
This error is not specific to the <service name> service but it is generated by the Service Control Manager when it detects that a specific service terminated ungracefully. In order to troubleshoot this error look for other events, logs, etc., that are specific to the service in question.
- Service: "McShield" - This is caused by a bug in the McAfee software, install the latest version.
- Service: "Print Spooler" - As per Microsoft, this problem may occur if a print job that contains an older version 3 DEVMODE structure that does not contain ICM information is submitted. When the spooler tries to reference this data, it causes the access violation. A post SP3 hotfix is available - see ME324183.
- Service: "IIS Admin Service" - See ME311517.
- Service: "Distributed Transaction Coordinator" - See ME290637.
- Service: "Microsoft ISA Server" - See ME288247.
- Service: "Remote Procedure Call (RPC)" - This may occur if the system is infected by the MSBlaster or LoveSAN Internet worm. See ME823980 for details. See also the Symantec Security Response on how to detect it and remove it.
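The message template at the top of this page can be parsed so that repeated terminations stand out per host and service. This is an added example, not part of the original page or of any EventID.Net tooling; the host names, sample messages, the `loop_threshold` value and the corrective-action strings are constructed for illustration.

```python
import re

# Event ID 7031 message template as given on this page:
# "The <service name> service terminated unexpectedly. It has done this
#  <n> time(s). The following corrective action will be taken in
#  <no of ms> milliseconds: <action>."
PATTERN = re.compile(
    r"The (?P<service>.+?) service terminated unexpectedly\.\s+"
    r"It has done this (?P<count>\d+) time\(s\)\.\s+"
    r"The following corrective action will be taken in "
    r"(?P<delay_ms>\d+) milliseconds: (?P<action>.+?)\.\s*$"
)

def parse_7031(message):
    """Return the fields of a 7031 message, or None if it does not match."""
    m = PATTERN.search(message.strip())
    if m is None:
        return None
    return {
        "service": m.group("service"),
        "count": int(m.group("count")),
        "delay_ms": int(m.group("delay_ms")),
        "action": m.group("action"),
    }

def triage(events, loop_threshold=3):
    """events: iterable of (host, message). Keeps the highest failure count
    seen per (host, service) and returns the entries worth a closer look."""
    worst = {}
    for host, message in events:
        rec = parse_7031(message)
        if rec is None:
            continue  # not a 7031 message, ignore
        key = (host, rec["service"])
        if key not in worst or rec["count"] > worst[key]["count"]:
            worst[key] = rec
    findings = []
    for (host, service), rec in sorted(worst.items()):
        reasons = []
        if rec["count"] >= loop_threshold:
            reasons.append("crash loop")      # failure/restart cycle
        if "reboot" in rec["action"].lower():
            reasons.append("reboot action")   # host will restart itself
        if reasons:
            findings.append((host, service, rec["count"], reasons))
    return findings

_TAIL = "The following corrective action will be taken in 60000 milliseconds: "
# Constructed sample data (hypothetical hosts), not real log output.
SAMPLE = [
    ("SRV01", "The Print Spooler service terminated unexpectedly.  "
              "It has done this 1 time(s).  " + _TAIL + "Restart the service."),
    ("SRV01", "The Print Spooler service terminated unexpectedly.  "
              "It has done this 4 time(s).  " + _TAIL + "Restart the service."),
    ("WS07", "The Remote Procedure Call (RPC) service terminated unexpectedly.  "
             "It has done this 1 time(s).  " + _TAIL + "Reboot the machine."),
    ("SRV02", "The IIS Admin Service service terminated unexpectedly.  "
              "It has done this 1 time(s).  " + _TAIL + "Restart the service."),
    ("SRV02", "The Print Spooler service was successfully sent a stop control."),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A flagged entry is only a pointer: as noted above, the cause has to be found in the events and logs of the service itself.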
Not a fix, but a way to work around occasional failures is to configure the "Recovery" option of the service to restart it if the service fails. I would not recommend setting all 3 options to restart the service but only the first two, "First failure" and "Second failure" - this way, you avoid a continuous failure/restart cycle. We used this for example with Adiscon MoniLog that failed occasionally. The Service Control Manager would simply restart it and the service worked fine.
Service "Microsoft Exchange Diagnostics" - See EV100634 (Exchange Diagnostics service crashing with the event 4999, 1007 and 7031 post CU6) for a situation when this event is recorded along with events 4999 and 1007. The resolution suggested is to ensure that the templates key are present under PLA registry key.
- Service: Apple Mobile Device - This event was recorded after an iTunes update. Restarting the computer fixed the problem.
Service RtcSrv - This may be caused by a bug in Office Communications Server 2007. See ME961252 for an update download location (ME961569).
Service: Logon Session Broker - Using Vista SP1 I was unable to logon. Managed to logon in safe mode with networking and I'm still investigating.
- Service: MOM - See ME936161 and ME949874 for hotfixes applicable to Microsoft Operations Manager (MOM) 2005.
- Service: Print Spooler - See ME890642 for a hotfix applicable to Microsoft Windows 2000 and Microsoft Windows Server 2003.
- Service: Cluster service - See ME923838 and ME938615.
- Service: Microsoft Firewall - See ME919515 and ME922440.
- Service: DCOM Server Process Launcher - See ME911106 for a hotfix applicable to Microsoft Windows Server 2003.
- Service: AntigenService - See ME928807 for a hotfix applicable to Microsoft Antigen for Exchange and Microsoft Antigen for SMTP Gateways.
- Service: BizTalk Service BizTalk Group: BizTalkServerApplication - See ME917848.
- Service: COM+ System Application - See ME916254.
- Service: Remote Procedure Call (RPC) - See "Cisco Support Document ID: 44465" and "Cisco Support Document ID: 44466".
- Service: MSSQLServer - See ME840856.
- Service: MSSQLServerOLAPService - See ME328876.
- Service: Symantec AntiVirus - See "Symantec Knowledge Base Document ID: 2005060211491948".
- Service: DNS - See ME555166.
- Service: Site Server ILS Service - See ME304166 and ME316612.
- Service: Network News Transport Protocol (NNTP) - See ME304166 and ME316612.
- Service: Microsoft Exchange POP3 - See ME304166 and ME316612.
- Service: Microsoft Exchange Information Store - See ME926676 for a hotfix applicable to Microsoft Exchange Server 2003 and the link to "Howtonetworking case study" for additional information.
- Service: Microsoft Exchange Routing Engine - See ME304166 and ME316612.
- Service: Microsoft Exchange IMAP4 - See ME304166 and ME316612.
- Service: Directory Synchronization Service - See ME811280.
- Service: Network News Transport Protocol (NNTP) - See ME821749.
- Service: Simple Mail Transport Protocol (SMTP) - See ME304166 and ME821749.
- Service: IISService - See ME899301.
- Service: Message Queuing - See ME842839.
- Service: Internet Mail Service - See ME884874 for a hotfix applicable to Microsoft Exchange Server 5.5.
- Service: Windows Management Instrumentation - See ME832250 for a hotfix applicable to Microsoft Windows Storage Server 2003 and Microsoft Server Appliance Kit 2.01.
- Service: File Replication Service – See ME896712 for a hotfix applicable to Microsoft Windows 2000.
- Service: IIS Admin Service - See ME899472 for a hotfix applicable to Microsoft IIS 5.0, ME910618 for a hotfix applicable to Microsoft Exchange Server 2003, and the links to ME919789, ME919790 and ME925038 for additional information about this event.
- Service: FTP Publishing Service - See ME899472 for a hotfix applicable to Microsoft IIS 5.0. Also check ME304166, ME316612, ME821749 and the link to "Trend Micro Support Solution ID: 15065" for additional information on this event.
- Service: World Wide Web Publishing Service - See ME899472 for a hotfix applicable to Microsoft IIS 5.0. Also check ME304166, ME821749, ME919789 and the link to "Trend Micro Support Solution ID: 15065" for additional information on this event.
- Service: Pop3 Connector - First thing to try if the service is continually stopping, is to go to the folder "C:\Program Files\Microsoft BackOffice\Connectivity\Incoming" and delete or move any of the mail in there. More often than not, a corrupt email is causing this issue. This can save a lot of time.
- Service: GFI virusdef updater - See the link to "GFI Support KBID002282".
- Service: Archive Manager - This is a problem with Quest Archive Manager. Quest support has said that the August update will contain a fix for this problem.
- Service: "Microsoft Shared Fax" - Under Windows 2000 SBS (this may also work under Windows 2003 SBS) the service crashed with an access violation error. I solved it by deleting all files in the fax queue: C:\Document & Settings\All User\Application Data\Microsoft\Shared Fax\Queue.
- Service: "Windows Management Instrumentation" - The service would crash every time it attempted to start. I cleared the repository (C:\winnt\system32\wbem\repository) and restarted the service as suggested to resolve the problem.
IISAdmin service kept stopping randomly. I called Microsoft support, just to find out that Symantec Mail Security for Microsoft Exchange 5.0 is the culprit. See "Symantec Knowledge Base Document ID: 2006120116344254" to resolve the problem.
- Service: Print Spooler - This problem occurs if an access violation occurs in the Print Spooler service. This occurs if the size of the print buffer is not sufficient, therefore it must be reallocated, however, in the call to reallocate the buffer, the GetPrinterInfo function allocates a 0 byte buffer and an access violation occurs. Check ME820550, ME888191, ME888196, and ME888206 to fix the problem.
- Service: Remote Procedure Call (RPC) - See ME327148.
- Service: Microsoft Exchange Information Store - See ME317482, ME814924, ME822949, ME824467, ME831276, ME835437, ME842000, ME891005, and ME892208.
- Service: Microsoft Exchange System Attendant - See ME301364.
- Service: World Wide Web Publishing Service - See ME308600.
- Service: Cluster - See ME258469, ME272129, ME295091 and ME321531.
- Service: Windows Installer - See ME329819.
- Service: Message Queuing - See ME826820 and ME830639.
- Service: File Replication Service - See ME255759.
- Service: Information Store - See ME329817.
- Service: DNS Server - See ME258073.
- Service: Remote Registry Service - See ME833777.
- Service: IIS Admin Service - See ME819865, ME821749, ME827214, ME836177, ME885264, and the link to "Symantec Support Document ID:2004040209303954".
- Service: Telnet - See ME832459 for a hotfix applicable to Microsoft Windows 2000.
- Service: Diagnostic Facility COM Server - See "Citrix Support Document ID: CTX104533".
- Service: Quota Advisor - See "Veritas Support Document ID: 270419".
- Service: Symantec AntiVirus - See the link to "Symantec Support Document ID:2004093011032448".
- Service: Backup Exec Remote Agent - See the link to "Veritas Support Document ID: 242153".
- Service: BlackBerry Mobile Data Server - See "BlackBerry Support Article Number: KB-02041".
- Service: RightFax Connector - See "Captaris Support Answer ID 1277".
- Service: Trend Micro Anti-Spyware for Enterprise (ASEE) 3.0 Server Agent - See "Trend Micro Support Solution ID: 1031154".
- Service: Microsoft Connector for POP3 Mailboxes - From a newsgroup post: "The cause of this event could be due to a junk mail message with a long string, which could bring down POP3. The solution is to delete the pop connector and reinstall it. If you wish to try this, then go to Control Panel -> Add Remove Programs -> Microsoft SBS. Find the pop connector and uninstall it. Then delete or move the folder for the pop3 installation, C:\Program Files\Microsoft BackOffice\connectivity. After this, re-install the pop3 connector".
According to Microsoft: "The specified service could not continue. This service is configured to report the number of failures and, after a specific number of failures are reported, the Service Control Manager will perform the recovery action configured for the specified service". See MSW2KDB for more details on this event.
See ME286350 to find out how to use the ADPlus tool to troubleshoot "Hangs" and "Crashes".
- Service: Print Spooler - After a long and intense search, I found the cause of the problem in the PC-Duo Remote Control Client version 8.6. After uninstalling this software, everything was fine. Version 9.0 from PC-Duo Remote Control does not have the issue anymore.
- Service: Print Spooler - One of our printers had a corrupt driver and every time someone printed to this printer, it would stop the spooler service and generate EventID 7031. Because the spooler was stopped, no one could print. I found that one of the printers was giving an error when I tried to open the properties page. I deleted this printer from the server. I restarted the spooler and everyone was able to print. I then reinstalled the printer that I had removed using the latest print drivers and that resolved the problem.
- Service: "COM+ System Application" - See ME895200 for a hotfix applicable to Microsoft Windows XP.
- Service: IISAdmin - On a Windows 2003 / Exchange 2003 server, the IISAdmin crashed and shut down a number of other services. All but the SMTP service could be manually restarted. The “C:\Program Files\Exchsrvr\MailRoot\vsi 1\BadMail” directory contained far more than 1.000.000 entries. After deleting all (using the command prompt), applying SP1, and rebooting the server, the problem was solved.
- Service: Print Spooler - I fixed this problem by stopping the spooler services and then removing the “.spl” and “.shd” files from "<drive>:\<windows directory>\system32\spool\printers".
- Service: "Lotus Domino server" - It appears the Lotus Domino service hung up. A reboot followed by a reinstall of the transaction DB fixed the issue.
- Service: Microsoft Exchange Information Store - In our case, this problem appeared after we changed the user credentials for the service (i.e. switched from LocalSystem account to Administrator). We switched back and everything was back in order.
Service: "Print Spooler" on Windows 2000 SP3. After installing ME329170 the service won't start. I solved it by restoring the C:\WINNT\system32\LOCALSPL.DLL file from backup.
Service: "Print Spooler" - If you are using Terminal Server (i.e. Citrix) and you leave the server in "install" mode (change user /install) your print spooler will continue to stop every 3 (three) minutes. Go to Start/Run and type: change user /execute. This will allow the service to continue to run without interruption.
Service: "Print Spooler" - I had this error occur when a user had connected to the server remotely. The default printer got changed to their printer somehow and all print jobs were essentially being routed back to them and then to the printer. When their machine was down it obviously would not connect.
We recently experienced a problem where IIS, WWW, POP, SMTP, and IMAP4 services were restarting repeatedly with this message. At the same time, our server’s Adaptec 39320D-R SCSI RAID controller was verifying 2 of its mirrors. Once the mirrors were verified, the problem with the restarts went away.
I experienced this error with the Backup Exec 9 Remote Agent service on my Exchange 5.5 server when running a mailbox backup. The problem was caused by different versions of Mapi32.dll. The issue was resolved by copying the Mapi32.dll file from my Exchange server to the Backup exec server.
I was running a Win2K server with SP3 installed. My computer was consistently crashing when I tried to look at printer properties or when I tried to add a new printer. I resolved the problem by reapplying the Service Pack, in my case SP3.
From a newsgroup post: "It appears that the Print Spooler has failed, and was unable to (or not configured to) restart itself. When the Print Spooler is not running, printers will not be visible in the Printers folder, and you will be unable to add any new printers. Any number of things could cause the Print Spooler to fail. These include corrupt print jobs, incompatible or problematic printer drivers or port monitors, file or disk corruption, and even other applications or processes interfering with the spooler in memory. If you attempt to restart the Print Spooler manually and it immediately fails, it may be trying to process a corrupt print job after starting. This is one common cause for Print Spooler failures that occur immediately. If the Print Spooler starts and printing functionality returns for some time before failing again, then a driver or port monitor is likely the cause of the problem.
To remove spooled print jobs that could be causing this problem, simply remove (or delete) files with extensions of ".spl" or ".shd" from the Spool location while the Print Spooler is stopped. This location is generally "c:\<windows directory>\system32\spool\printers" (it could have been manually changed). Once any existing spool files have been removed, try restarting the Print Spooler again to see if it runs normally. If there are no spooled print jobs (.spl or .shd files), or if removing existing spooled print jobs does not change the behavior, then a driver or port monitor may be to blame. ME260142 provides more in-depth information that will be helpful while troubleshooting further".
Service: "Print Spooler" - Immediately after a system reboot the service terminated with error 7031. Deleting the content of the folder "%windir%\system32\spool\printers" solved the problem for me. It seems that some print jobs that were too big prevented the service from starting correctly.
If you are running Win XP and you receive the system shutdown message within 5 minutes after you connect to the internet, here is what you should do:
Go to system services and applications, go to services, then select remote procedure call locator (RPC), right click, go to properties, go to logon, select logon as local system account and apply. Restart the machine. Then it doesn’t give any message for shut down when you connect to internet.
NOTE: "This is most likely caused by MSBlaster worm. You should run an antivirus on your system, or see the Symantec Security Response on how to detect it and remove it".
- Service: "Print Spooler" - It also happens when you have Microsoft Publisher XP running on terminal server, with Win2k Terminal server. You get Print spooler crashing and you cannot restart it until you kill all Publisher sessions.
I found that a new site and ip address was added to one of the interface cards for Exchange. They were not in the Active Directory sites and services linking it to the main site. Exchange did not know which site it was supposed to belong to.
Service: ServeRAID Manager Agent - As per IBM tip H03520, this means that you have an IBM server and you are using ServeRAID software. This message does not indicate any failure in ServeRAID function or data. This event and message can be safely ignored. On Windows shutdown, all programs are given three seconds to close. Should the service still be resident in memory after three seconds, Event ID 7031 and the message described in the Symptom section will be generated. The message can not be disabled, nor can the three second limit be extended. It has been determined that this event is non-detrimental and is not related to any data I/O. This is only a "minor annoyance" problem.
Service: Print Spooler - There is a common problem that the Microsoft KB and other forums couldn't find. Some third party products uninstall themselves (usually print/fax software) and then you may receive this error. The common "fix" is ME820550. The solution is typically to restore the Localspl.dll file from a backup. This suggestion should be used only if the Localspl.dll resides on your system.
- Service: IISAdmin, IMAP4, NNTP, POP3, MSE Routing Engine, SMTP, WWW. Appeared after installing an SMTP event sink for MS Exchange 2000. Resolution: unregister the sink. If this fails unregister the DLL of the sink and restart Windows. See ME313404 on how to register an SMTP event sink.
Woodrow Wayne Collins
- Service: "Backup Exec 8.x Job Engine" - From the Veritas Newsgroups: - "This event started occurring immediately after BRICK-LEVEL backups of the Exchange 2000 server (running on another server) were added to the backup selections. Prior to that change, only server-level backups were being performed without the error. Unfortunately, while the 7031 error is resolved, and the backups are again running, brick-level backups of the Exchange 2000 Server are still elusive."
- Service: "Print Spooler" - I fixed this problem on a W2K station by reinstalling service pack 3.
- Service: "Proxy Client" - I had received this error after updating DNS info on my proxy server and the Windows 2000 DC. I reinstalled the WSP client and this resolved the issue.
- Services: IIS, Exchange. Exchange Databases are not mounted and event logs contain 7031 errors. See ME304166.
- Services: IIS, WWW, SMTP, see Microsoft ME316612. Possibly caused by Code Red Worm.
- Service "CA ArcServe". We needed a license for the Windows NT/200 Client Agent.
Joseph 'Radar' Mann
I found this Article as it relates to Systems Management Server 2.0 - ME283472.
- Service: "RPC" - See ME326964.
Service: "Microsoft Exchange Information Store". - If Exchange 2000 Information Store does not start after you apply SP1 or SP2 or SP3 on a server that runs Symantec Norton AntiVirus see ME312428.
Service: "Microsoft Firewall Service" - The Internet Security and Acceleration (ISA) Server Firewall service may not start if you add more than 85 IP addresses to the external network adapter. See ME318005.
Service: "Print Spooler" - We have a Datamax XL Printer with a MPS 100 (Micro Printer Server) attached. The power cable to the MPS has been damaged and is loose. The event occurs when the power is knocked out and back in quickly.
Mario Enrique Santoyo
- Service: "DNS" - This problem may occur if a parenthesis appears in a hostname that is contained in the DNS zone file. Contact Microsoft Product Support Services to obtain the fix. See ME813425.
- Service: "Cluster Service". See Microsoft ME296594.
- Service: "Print Spooler" In my case the solution was to update HPDCMON.dll to version 4.20. This was done in C:\WINNT\System32 and in C:\WINNT\System32\spool\drivers\w32x86.
Links: Symantec Security Response, Symantec Knowledge Base Document ID: 2005060211491948, Symantec Knowledge Base Document ID: 2006120116344254, Trend Micro Support Solution ID: 1031154, Veritas Support Document ID: 270419, Veritas Support Document ID: 242153, Symantec Support Document ID:2004040209303954, Symantec Support Document ID:2004093011032448, BlackBerry Support Article Number: KB-02041, Howtonetworking case study, Captaris Support Answer ID 1277, Cisco Support Document ID: 44465, Cisco Support Document ID: 44466, GFI Support KBID002282