Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 10 Source: WinMgmt

Event filter with query '<query syntax>' could not be (re)activated in namespace "root\cimv2" because of error <error code>. Events may not be delivered through this filter until the problem is corrected.
For error 0x80041003 - See ME2545227 for Microsoft Fix it 50688.
In our case, several events like this were recorded on a Windows 7 workstation after a power failure. The computer seemed to work fine.
The event description can differ from the above mentioned. If it is like following: "Log Name: Event filter with query "select * from __instancemodificationevent within 30 where targetinstance isa ''Win32_PerfFormattedData_PerfDisk_LogicalDisk'' and targetinstance.PercentFreeSpace < 1 and targetinstance.Name != ''_Total''" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041002. Events cannot be delivered through this filter until the problem is corrected."

See ME2001247. A following restart of vmm-service at regarded host changed status from "host is not responding" to "running" so that vms could be migrated by scvmm.
Read ME950375 in the Microsoft knowledge database. There is a script that fixes this issue.
This event can be recorded for different queries/namespaces and all the troubleshooting steps should be taken considering that (do no apply fixes for different queries or namespaces). The 0x80041010 error indicates an invalid WMI class (i.e. the specified WMI information does not exist).

Example of queries / namespaces:
- Query: "select * from __InstanceModificationEvent within 10 where TargetInstance isa 'Win32_Service'", namespace "//./root/Microsoft/SqlServer/ComputerManagement" - This can be recorded when starting the SQL Management interface (SQL Object Explorer is using a different component to create the ManagementScope) and some support forums suggest that it was fixed in SQL 2005 SP2.
- Query: "SELECT * FROM __InstanceDeletionEvent  WITHIN 600 WHERE  TargetInstance isa "Win32_PnPEntity", namespace: "//./root/cimv2" - Combined with Error code 0x8004106c it may indicate an overloaded system.
- Query "select * from __InstanceModificationEvent within 30 where TargetInstance ISA "Citrix_Zone" AND TargetInstance.ZoneName = ", Namespace "//./root/Citrix" - See Citrix Document ID: CTX108911.

* * *

T727148 provides information on how to examine the event registration by using the WMI Event Registration tool included with CIM Studio. This is a very generic approach and it won't help if this is caused by a bug in the software causing this.

Try winmgmt /resyncperf
This problem occurs because an access violation occurs in the Wmiprvse.exe host process. See ME938911 and ME942907 for information on solving this problem.
As per Microsoft: "Windows Management Instrumentation could not activate or reactivate the query in the namespace. As a result, the events meeting the Event Filter query criteria cannot be displayed". See MSW2KDB for more details.
The error code is a WMI (Windows Management Instrumentation) error. The error description can help to solve the event. For example the Error code 0x80042002 means: "a WITHIN clause was not used in this query". See Microsoft WMI Error Constants link below.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.