Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. You may lose some events when you subscribe to some events that are in multiple event logs on a computer that is running Windows Server 2008 or Windows Vista

You may lose some events when you subscribe to some events that are in multiple event logs on a computer that is running Windows Server 2008 or Windows Vista

View products that this article applies to.

Symptoms

An application or service subscribes to some events that are in multiple event logs by using Windows Management Instrumentation (WMI) or Windows APIs on a computer that is running Windows Server 2008 or Windows Vista.

In this scenario, the application or service may miss some expected events. This issue causes function failure in the application or service.

For example, an application subscribes to an event to monitor the user accounts that are created. Because of this issue, some newly created user accounts are not detected by this application.

↑ Back to the top

Cause

This issue occurs because the Windows Event Log service misses some events when the service sends the notifications.

The Windows Event Log service maintains a unique view for all event logs. By using the unique view, the service retrieves newly added records from different event log channels and then sends notification to subscribers. Some examples of some event log channels are the security, application, and system event logs.

If no more records are found, the Windows Event Log service enters into an EOF state. When a new record arrives, the state is reset and the service continues to read new record.

When the state is reset, the Windows Event Log service does not scan all event log channels to detect all new records. The service only scans the current event log channel. This behavior causes the service to miss the new records in the other event log channels.

↑ Back to the top

Resolution

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, the computer must be running one of the following operating systems:
  • Windows Vista Service Pack 1 (SP1)
  • Windows Vista Service Pack 2 (SP2)
  • Windows Server 2008
  • Windows Server 2008 Service Pack 2 (SP2)

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

For all supported x86-based versions of Windows Server 2008 and of Windows Vista SP1
File nameFile versionFile sizeDateTimePlatform
Wevtsvc.dll6.0.6001.225241,015,29616-Sep-200912:26x86
For all supported x86-based versions of Windows Server 2008 SP2 and of Windows Vista SP2
File nameFile versionFile sizeDateTimePlatform
Wevtsvc.dll6.0.6002.222271,017,85616-Sep-200911:57x86
For all supported Itanium-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Wevtsvc.dll6.0.6001.225242,700,80016-Sep-200912:08IA-64
For all supported Itanium-based versions of Windows Server 2008 SP2
File nameFile versionFile sizeDateTimePlatform
Wevtsvc.dll6.0.6002.222272,702,33616-Sep-200914:32IA-64
For all supported x64-based versions of Windows Server 2008 and of Windows Vista SP1
File nameFile versionFile sizeDateTimePlatform
Wevtsvc.dll6.0.6001.225241,491,45616-Sep-200912:50x64
For all supported x64-based versions of Windows Server 2008 SP2 and of Windows Vista SP2
File nameFile versionFile sizeDateTimePlatform
Wevtsvc.dll6.0.6002.222271,491,96816-Sep-200912:03x64

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More information

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates


Additional file information for Windows Server 2008 and for Windows Vista


Additional files for all supported x86-based versions of Windows Server 2008 and of Windows Vista

File nameFile versionFile sizeDateTimePlatform
Package_for_kb973995_client_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,36717-Sep-200903:55Not Applicable
Package_for_kb973995_client_2~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,69417-Sep-200903:55Not Applicable
Package_for_kb973995_client~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,71317-Sep-200903:55Not Applicable
Package_for_kb973995_sc_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42117-Sep-200903:55Not Applicable
Package_for_kb973995_sc_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,69017-Sep-200903:55Not Applicable
Package_for_kb973995_sc~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,70117-Sep-200903:55Not Applicable
Package_for_kb973995_server_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42517-Sep-200903:55Not Applicable
Package_for_kb973995_server_1~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,69417-Sep-200903:55Not Applicable
Package_for_kb973995_server~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,71317-Sep-200903:55Not Applicable
Package_for_kb973995_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,42217-Sep-200903:55Not Applicable
Package_for_kb973995_winpesrv~31bf3856ad364e35~x86~~6.0.1.0.mumNot Applicable1,43017-Sep-200903:55Not Applicable
X86_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.22524_none_dd3c61cd2c036128.manifestNot Applicable47,71516-Sep-200917:34Not Applicable
X86_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6002.22227_none_df25d49329270251.manifestNot Applicable47,71516-Sep-200913:32Not Applicable

Additional files for all supported Itanium-based versions of Windows Server 2008

File nameFile versionFile sizeDateTimePlatform
Ia64_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.22524_none_dd3e05c32c016a24.manifestNot Applicable47,97316-Sep-200913:36Not Applicable
Ia64_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6002.22227_none_df27788929250b4d.manifestNot Applicable47,97316-Sep-200919:32Not Applicable
Package_for_kb973995_sc_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42517-Sep-200903:55Not Applicable
Package_for_kb973995_sc_1~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,53017-Sep-200903:55Not Applicable
Package_for_kb973995_sc~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,70617-Sep-200903:55Not Applicable
Package_for_kb973995_server_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42917-Sep-200903:55Not Applicable
Package_for_kb973995_server_1~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,53317-Sep-200903:55Not Applicable
Package_for_kb973995_server~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,71817-Sep-200903:55Not Applicable
Package_for_kb973995_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,42617-Sep-200903:55Not Applicable
Package_for_kb973995_winpesrv~31bf3856ad364e35~ia64~~6.0.1.0.mumNot Applicable1,43417-Sep-200903:55Not Applicable

Additional files for all supported x64-based versions of Windows Server 2008 and of Windows Vista

File nameFile versionFile sizeDateTimePlatform
Amd64_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.22524_none_395afd50e460d25e.manifestNot Applicable47,98316-Sep-200920:39Not Applicable
Amd64_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6002.22227_none_3b447016e1847387.manifestNot Applicable47,98316-Sep-200913:37Not Applicable
Package_for_kb973995_client_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,37517-Sep-200903:55Not Applicable
Package_for_kb973995_client_2~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,70617-Sep-200903:55Not Applicable
Package_for_kb973995_client~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,72317-Sep-200903:55Not Applicable
Package_for_kb973995_sc_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,42917-Sep-200903:55Not Applicable
Package_for_kb973995_sc_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,70217-Sep-200903:55Not Applicable
Package_for_kb973995_sc~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,71117-Sep-200903:55Not Applicable
Package_for_kb973995_server_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43317-Sep-200903:55Not Applicable
Package_for_kb973995_server_1~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,70617-Sep-200903:55Not Applicable
Package_for_kb973995_server~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,72317-Sep-200903:55Not Applicable
Package_for_kb973995_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43017-Sep-200903:55Not Applicable
Package_for_kb973995_winpesrv~31bf3856ad364e35~amd64~~6.0.1.0.mumNot Applicable1,43817-Sep-200903:55Not Applicable

↑ Back to the top

References

For more information about how to subscribe to events in an event log, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb671202.aspx
For more information about "Receiving a WMI Event," visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/aa393013(VS.85).aspx
For more information about how to receive an event, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/bb404682.aspx
For more information about the EvtNext Function, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/aa385405(VS.85).aspx

↑ Back to the top

Keywords: kbhotfixserver, kbautohotfix, kbexpertiseadvanced, kbqfe, kbsurveynew, KB973995

↑ Back to the top

Article Info
Article ID : 973995
Revision : 1
Created on : 10/15/2009
Published on : 10/15/2009
Exists online : False
Views : 280