Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Our Troubleshooting Approach for Windows Event IDs

"Give a man a fish and you feed him for a day.
Teach a man how to fish and you feed him for a lifetime."

Ever wondered how come some people know how to fix various problems with minimal exposure to that specific issue? How can someone know the answer to so many things? How do they do that? How do all the MVPs and other computer gurus come up with their answers as one can see in newsgroups and other forums? It is not hard to guess that they do not have access to much more resources that you do but still, that's how it seems like!

This is what "Our Approach" is all about. As we are trying to understand various events and issues, you are guided through our path of thought. You will learn out methodology, our tricks and our challenges. In time we hope that we can do that for most of the events listed at EventID.Net. This information is only available through an EventID.Net Subscription, a modest price for lots of work done by our consultants.

Of course, we are not perfect, so we may not necessarily have the best approach on troubleshooting various events but at least we are trying our best! Some of the articles may not be 100% technically correct as we had to compromise some of the accuracy in order to explain the concepts.

Here is an example, for event ID 2506:

Event ID: 2506
Source: Server
Type: Error
Description: The value named <value name> in the server's Registry key <registry key> was invalid. The value was ignored, and processing continued.

Reported <value names>: IRPStackSize, MaxMpxCt

Here is how we approached the troubleshooting of this event:

By the format of the message, this event seems to be a generic one, generated by the Server service when one of its parameters is not within the expected limits. So, if a value is invalid, that means it is either too small, too big or it's not there at all. Our first step would be to check the registry and verify if the value is there and if it is, what is it. How can a good, default valued, be changed to an invalid one? Well, there can be registry corruption (faulty hardware, i.e. hard disks), software bugs - poorly designed programs may overwrite the registry with incorrect values. Viruses can also modify system registry to hide themselves or to create problems.

In order to understand the cause or eventually the effect of such message, our approach would be to get as many details as we can about the registry values mentioned in the event description. Based on that, maybe we can find what changed this value.

Various registry have been reported:

1. "MaxMpxCt" under LanmanServer\Parameters. Let's see what MaxMpxCt is. The first "natural" place to search for it is of course Microsoft's site. Searching for "MaxMpxCt" at returned a couple of Q articles. Browsing through them, Q232476 seems to offer a description of this registry value: "MaxMpxCt allows a server to provide a suggested maximum number of simultaneous outstanding client requests to a particular server.". The article provides more details about this value. So, every time a client computer connects to a server, this parameter is provided to the client so it will know not to send too many simultaneous requests. If it does, the server performance may be affected. The article points us to Q191370 for more details about how a server's performance can be affected.
So what are the correct values? The article mentioned above specifies that 50 is the minimal value that can be assigned so if less, this message is recorded. As per Q191370, the maximum value is 65535. Q232476 provides some guidelines on how to estimate the values of these parameters.
We did a search on Windows 2000 registries and there is no such value. From article Q271148 we know that Windows 2000 is still using this but it has a default value of 50 which can be increased to 64,535 (!!!) if necessary by installing SP2. Just continuing reading the Q articles, we see that various server components can be affected: IIS - Q221790, Terminal Server (a few).

2. "IRPStackSize" under LanmanServer\Parameters. Again, searching for "IRPStackSize" at returns several Q articles. An MSDN article describes IRPStackSize as the size of the "I/O Request Packets" stack. So, in other terms, all the Input/Output request like hard disk activity, network, printing, etc... are stored in a queue from where the operating system retrieves them one by one for processing. We can guess that in certain conditions, depending on what applications are installed on the server this parameter needs to be modified so you don't run into problems. However, as per Q225782, for NT this value is by default 4 and can go up to 12. For Windows 2000, the IRPStackSize starts at 15 (with a minimum of 11) - see Q238316. So, our guess is that some applications are trying to adjust this parameter without considering the differences between Windows 2000 and NT and assign an invalid value."

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.