Event ID: 7026 Source: Service Control Manager

Level
Description
The following boot-start or system-start driver(s) failed to load: <device name>
Comments
 
If a device is not working properly, its driver fails to load when Windows starts. A device can be related to a backup tape, cdrom driver, zip drive, any type of hardware actually. The message typically occurs when a tape drive is removed from a server.

See the following articles, applicable to the devices indicated:
- ME129115 for PRLNTSS.SYS
- ME157678 and ME152346 for 4mmdat.sys
- ME178558 for HPDANT
Device: cdrom - According to ME933757, this problem may occur if a device is not connected to the computer but the driver service of the device is enabled. The article provides a description of registry keys that can be updated to fix it.
This appeared on a Windows 7 machine that was freshly installed with a USB CDrom. The event was logged on system startup when the device was detached.

Connecting the drive and uninstalling it from device manager didn't solve the issue.

Uninstalling the "ghost" device (non available device saved in registry) didn't work either (ME315539).

Finally just deleting the service worked fine. Even more, if the drive is needed in the future, it can be reattached without issues. The deletion doesn't mean it can't be reinstalled automatically by Windows.

sc delete cdrom

or

sc config cdrom start= disabled
Device: bnistack - From a Citrix support forum: Try going into the device manager, enable "Show hidden devices" and remove any additional NIC cards that appear. Reboot and see then if it attaches correctly.
Device: SBRE - This was due to a Viper (GFI) product being uninstalled. It apparently doesn't remove all the registry keys and it keeps trying to start a nonexistent driver. You can delete the registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SBRE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SBRE

If you can't delete one of the keys, right click on that key and choose permissions, then click advanced then go to the owner tab and add yourself as the owner. Then you should be able to delete the keys.


The following steps helped me to remove a driver, which was causing the issue:
1. Open regedit (e.g. click Start, key regedit and press Enter)
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers
3. Under this key, there will be the keys Version-2 and Version-3 (one or the other of these may be absent - not a problem). The sub-keys under these contain the printer driver configuration information
4. Delete all the sub-keys inside Version-2 and Version-3, but not these keys themselves. M312052 lists some other registry entries to delete, but this is not usually necessary.
5. Open a Command Prompt window
6. Key the commands

  net stop spooler
  net start spooler

See EV100284 for the complete article.
A list of drivers recorded with this event:
- PCIIde = PCI IDE driver - Used by IDE drives connected to the PCI Local Bus
- MpFilter = mpfilter.sys - Microsoft Windows Malware protection system driver
- FVXSCSI = Fvxscsi.sys - FarStone SCSI Miniport driver
- crcdisk = crcdisk.sys - Disk Block Verification Filter driver
- TfFsMon = TfFsMon.sys - ThreatFire Filesystem Monitor (part of PC Tools)
- intelppm = intelppm.sys - Intel processor driver
- Fips = Fips.sys - FIPS Crypto Driver
- SAVRT = savrt.sys - Part of Symantec AntiVirus AutoProtect drivers
- SYMTDI = symtdi.sys - Part of Symantec Security drivers
- arcsas = arcsas.sys - Adaptec SAS RAID system driver
Device storflt - Apparently, this event can be safely ignored. See ME971527 for details.
Device: halfinchVRTS - Resolution may involve loading the Symantec plug and play device drivers for tape drives. Additionally, though not in my case, can be related to SCSI driver conflicts. We were working with an old version of Veritas 9.1. Pending an update to see if the error goes away. See Symantec Document ID 281781.
Device: nvport - Error occurred after Nvidia Pure Video Decoder was uninstalled from the system. The file is removed from the system32/drivers directory but remains in the registry.

To resolve this issue go to the registry editor and delete the following keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvport]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nvport]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\nvport]

Please perform a backup of the existing registry before removing any registry keys.
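
Several comments on this page trace the event to a driver service entry that stays in the registry after its .sys file has been removed. The following PowerShell audit is an added example, not code from the original comments: it lists boot-start and system-start driver services whose binary no longer exists on disk, then shows recent 7026 records for comparison. The function names are hypothetical, and the path resolution covers only the common ImagePath forms.

```powershell
# Added example (not from the page): read-only audit of startup driver services.
# Start: 0 = boot, 1 = system.  Type: 1 = kernel driver, 2 = file system driver.
# Run from 64-bit PowerShell; a 32-bit host has System32 redirected to SysWOW64.

function Resolve-DriverPath {
    param([string]$Name, [string]$ImagePath)
    $ignoreCase = [StringComparison]::OrdinalIgnoreCase
    # A driver service without ImagePath defaults to System32\drivers\<name>.sys
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    if ($p.StartsWith('\??\', $ignoreCase)) { return $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', $ignoreCase)) {
        return Join-Path $env:SystemRoot $p.Substring(12)
    }
    # Relative values such as system32\drivers\x.sys are relative to SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { return Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OrphanedStartupDriver {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        # Keep only drivers that Windows tries to load at boot or system start
        if (($svc.Type -notin @(1, 2)) -or ($svc.Start -notin @(0, 1))) { continue }
        $path = Resolve-DriverPath -Name $key.PSChildName -ImagePath $svc.ImagePath
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Service      = $key.PSChildName
                Start        = $svc.Start
                ExpectedFile = $path
            }
        }
    }
}

# Startup driver entries whose file is gone: candidates for the 7026 message.
Get-OrphanedStartupDriver | Format-Table -AutoSize

# Most recent 7026 records, to match the reported driver names against the list.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7026 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Treat the output as a review list rather than a delete list, and export each key with reg export before changing it.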
- Device: IPMIDRV - The Intelligent Platform Management Interface server management system does not work in Windows Server 2003 R2. See ME912134 for details.
- Device: i8042prt - In my case deleting the registry key: [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt] solved this issue.
- Device: i8042prt - In my case, there was an issue with Hotplugging of the USB keyboard. I solved this problem by opening the registry, going to [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters] and changing the value Headless data to 0x1 (Allow Hotplugging).
- Device: i2oexec iopbus - See "Intel Support Solution ID: CS-001293".
- Device: Adsmscsi - See the link to "IBM Support Reference #1111729".
- Device: Cpq32fs2.sys - See ME244984.
- Device: i8042prt - From a newsgroup post: "i8042prt is a keyboard or a mouse driver. Try deleting this driver and see if Windows operates normally and then reinstall your device (either keyboard or mouse) relating to this driver". Make a back-up first.


- Device: SAVRT - See the link to "Symantec Support Document ID: 2004072905471148".

See ME184208 and MSW2KDB for information regarding this event.
- Device: cmosa - As per ME319129, "This issue may occur after you apply Microsoft's BIOS3 Y2K Update (Biosfixi.exe) to a computer that was installed by using Dell Computer Corporation's OpenManage Client computer imaging software. The computer contains drivers that are leftover from the imaging process". Contact Dell to resolve this problem.
Device: i8042prt - It could be because you have a USB-connected keyboard but PS/2 keyboard support is still enabled in BIOS.
Device: IMOUFLTR - Found it to be associated with the Logitech mouse driver. Removed and reinstalled software and the error went away.
Device: "Otman4" - Otman4.sys is the driver which is Open File Option (OFO). It is used to make the static volume OFO uses to protect open/changed files. If the file is missing or corrupt, this error could occur. To resolve this error OFO must be reinstalled.
A Windows 2000 Professional workstation kept getting this error along with a blue screen of death with STOP: 0x0000007B (INACCESSIBLE_BOOT_DEVICE). The cable to the hard drive was good so I got the computer to boot into safe mode, then updated the driver on the hard drive and ran CHKDSK /F. The computer then rebooted normally. I still need to replace the hard drive, it is making a lot of noise while running.
Device: Cdrom - I got this problem on my Dell PowerEdge after I received a problem with an IDE drive on the same cable. However, after fixing the bad block problem on the hard drive, the CD drive failed to load and I could not see it in My Computer. To fix this go into the BIOS at startup (F2). Turn on the Num Lock, Scroll Lock and Caps Lock keys (ensure all lights are on on the keyboard). Then press Alt-E and Alt-F to reset the BIOS. Reboot the machine and the CD-ROM drive will be available again. This also works for Optiplex and newer Dimension systems. Note: you will have to reset any other changes you made to the BIOS before the reset.
