
Comments for event ID 36 currently in the processing queue.

Note: We have not reviewed this information yet so it is unfiltered, exactly how it was submitted by our contributors.

Event ID: 36
Event Source: TerminalServices-PnPDevices
Event Type: Warning
Event Description: Redirection of additional supported devices is disabled by policy.
Comment: This is redirection to Mobile devices (MTP PTP POS) blocked by policy.
"media players based on the Media Transfer Protocol (MTP) and digital cameras based on the Picture Transfer Protocol (PTP) as well as devices that use Microsoft Point of Service (POS) for .NET 1.11."
Microsoft TechNet "Event ID 36 — Supported Plug and Play Device Redirection" Published: January 8 2010 URL: http://technet.microsoft.com/en-us/library/ee890869(WS.10).aspx

Event ID: 36
Event Source: volsnap
Event Type: Error
Event Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
Comment:

Event ID: 36
Event Source: ccSvcHst
Event Type: Information
Event Description: Log Name:      Application
Source:        ccSvcHst
Date:          7/06/2012 12:54:46 PM
Event ID:      36
Task Category: None
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      DELL
Description:
The ''ccSetMgr'' service is stopping.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ccSvcHst" />
    <EventID Qualifiers="16384">36</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2012-06-07T04:54:46.000Z" />
    <EventRecordID>3207</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DELL</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>ccSetMgr</Data>
  </EventData>
</Event>
Comment:

Event ID: 36
Event Source: W32Time
Event Type: -
Event Description: -
Comment: "W32Time. Event ID 36. The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized."

When a user sees this Event ID 36 being thrown, even though the computer is synchronizing regularly and/or manually, it is being caused by a specific application (in my case it was Mozilla Sunbird) calling W32Time directly to try to effect a resynchronization. If that specific synchronization fails, then this error message is thrown. The error message is not truly descriptive or accurate regarding what has actually occurred. The number 49152 quoted is simply an artifact, being derived directly from a calculation based on the value of MaxPollInterval, and the number actually has no bearing on the true amount of time that has expired unsynchronized.

An error message more along the lines of "W32Time was unable to perform the synchronization requested by an application," without mention of any "elapsed time unsynchronized," would be more precise and useful. It appears that the coder simply didn't bother to develop the better error message, instead re-purposing the error message already available. Or perhaps the error is just dropping out of the bottom of the error subroutine, defaulting to this message.

The above-referenced calculation is 2 raised to the MaxPollInterval power x 1.5. The default MaxPollInterval value is 15. 2 to the 15th power = 32,768. 32,768 seconds x 1.5 = 49,152 seconds. Thus the intent is that W32Time should wait no longer than 32,768 seconds to attempt a synchronization. And that 49,152 should be the point at which W32Time throws an Event ID 36 error to inform the user if no successful synchronization occurs by that time.

However, most users do not see Event ID 36 throw in every-day/default usage because the MinPollInterval and MaxPollInterval values are being superseded by the value of SpecialPollInterval. Such is the case when the entries for the time servers to be polled (listed in the NtpServer key) are appended with ",0x1". And, indeed, "time.windows.com, 0x1" is, historically, the default entry. (And typical instructions regarding how to adjust the list of time servers include the appending of ", 0x1".) The default entry for SpecialPollInterval is 604,800 (seconds, or exactly 7 days). So, in every-day/default usage, Event ID 36 will not throw unless 10.5 days have passed without a successful synchronization. (If the NtpServer key entries are not appended, then the MinPollInterval and MaxPollInterval are indeed in force.)

If the computer is not connected to the Internet (i.e., not connected to a domain), then the polling interval does not increment at all, as the scenario is such that it is not possible for the computer to synchronize at all.

Again, if a user sees this EventID 36 W32Time error message -- and the computer hasn't actually expired its allotted time limit before the error message ought normally occur, and/or it is known that the computer is regularly and/or manually synching correctly -- then the cause is an application calling W32Time to synchronize and then that specific synchronization failed. So W32Time throws its/this standard "couldn't synch" error message, where the message isn't truly informing what occurred and the number it contains is not accurate.

MaxPollInterval is found at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
MinPollInterval is found at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config
SpecialPollInterval is found at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient

NtpServer is found at HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
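
The arithmetic in the comment above, as an added example (not part of the contributor's submission or of the site): a PowerShell function that works out, for each NtpServer peer, which interval applies and the resulting Event ID 36 threshold. The function name Get-Event36Threshold is hypothetical, and the 1.5x rule and the 0x1 override are the commenter's description, taken here as assumptions.

```powershell
# Added example. The 1.5x multiplier and the SpecialPollInterval override are
# taken from the comment above, not from W32Time documentation.
function Get-Event36Threshold {
    param(
        [Parameter(Mandatory)][string]$NtpServer,        # Parameters\NtpServer
        [Parameter(Mandatory)][int]$MaxPollInterval,     # Config, log2 of seconds
        [Parameter(Mandatory)][int]$SpecialPollInterval  # NtpClient, seconds
    )
    # NtpServer is a space-separated peer list; a peer may end in ",0x<flags>".
    foreach ($entry in ($NtpServer -split '\s+' | Where-Object { $_ })) {
        $name, $flagText = $entry -split ',', 2
        $flags = if ($flagText) { [Convert]::ToInt32($flagText.Trim(), 16) } else { 0 }
        $special = [bool]($flags -band 0x1)   # bit 0x1 = SpecialInterval

        # Longest gap between polls that applies to this peer.
        if ($special) {
            $pollSeconds = $SpecialPollInterval
        } else {
            $pollSeconds = [math]::Pow(2, $MaxPollInterval)
        }
        $threshold = 1.5 * $pollSeconds

        [pscustomobject]@{
            Peer             = $name
            Flags            = '0x{0:x}' -f $flags
            IntervalSource   = if ($special) { 'SpecialPollInterval' } else { 'MaxPollInterval' }
            ThresholdSeconds = $threshold
            ThresholdDays    = [math]::Round($threshold / 86400, 2)
        }
    }
}

# Constructed sample values: the defaults quoted in the comment, with and
# without the ",0x1" suffix on the peer entry.
Get-Event36Threshold -NtpServer 'time.windows.com,0x1' -MaxPollInterval 15 -SpecialPollInterval 604800
Get-Event36Threshold -NtpServer 'time.windows.com' -MaxPollInterval 15 -SpecialPollInterval 604800

# Live values from the registry paths listed in the comment. Binding fails
# with an error if Parameters\NtpServer is absent or empty on this machine.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$live = @{
    NtpServer           = (Get-ItemProperty "$w32\Parameters").NtpServer
    MaxPollInterval     = (Get-ItemProperty "$w32\Config").MaxPollInterval
    SpecialPollInterval = (Get-ItemProperty "$w32\TimeProviders\NtpClient").SpecialPollInterval
}
Get-Event36Threshold @live | Format-Table -AutoSize
```

An Event ID 36 that appears well before the computed threshold fits the situation the comment describes, where the message does not reflect the time actually elapsed since the last successful synchronization.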