RE: Crash! Help with Dr. Watson and Event Viewer Log Interpretation

Here is what the System Event Log looks like for that day. It looks like a
reinstall was initiated by whatever I did in TrendMicro. I have just included
a list of the significant events along with the descriptions to save time.
Most of the events were like the fifth one down, where an attempt was made to
replace various system files and drivers, but they were restored. There were
lot of these so I didn't include them. Hopefully this shed some insight as to
the best way to restore the system. Thanks.

Type Date Time Source Category Event User Computer

Information 11/24/2007 5:32:24 AM eventlog None 6006 N/A Laptop
Information 11/24/2007 5:31:27 AM Service Control Manager None 7036 N/A Laptop
Information 11/24/2007 5:29:52 AM Service Control Manager None 7036 N/A Laptop
Information 11/24/2007 5:29:51 AM Service Control
Manager None 7035 SYSTEM Laptop
Information 11/24/2007 5:28:27 AM Windows File
Protection None 64002 N/A Laptop
Information 11/24/2007 5:28:27 AM Windows File
Protection None 64002 N/A Laptop
Information 11/24/2007 5:28:27 AM Windows File
Protection None 64002 N/A Laptop
.. . . . . . . .
.. . . . . . . .
.. . . . . . . .
.. . . . . . . .
.. . . . . . . .

Information 11/24/2007 5:26:28 AM Application Popup None 26 N/A Laptop
Error 11/24/2007 5:26:19 AM sr None 1 N/A Laptop
Information 11/24/2007 5:26:19 AM Windows File
Protection None 64002 N/A Laptop
.. . . . . . . .
.. . . . . . . .
.. . . . . . . .

Information 11/24/2007 5:26:01 AM Windows File
Protection None 64002 N/A Laptop
Information 11/24/2007 4:56:35 AM Tcpip None 4201 N/A Laptop
Information 11/24/2007 4:40:35 AM Tcpip None 4201 N/A Laptop
Information 11/24/2007 3:39:35 AM Tcpip None 4201 N/A Laptop
Information 11/24/2007 1:16:49 AM WPDMTPDriver (16) 14000 N/A Laptop

---------------------------------------------------------------------
Event Type: Information
Event Source: EventLog
Event Category: None
Event ID: 6006
Date: 11/24/2007
Time: 5:32:24 AM
User: N/A
Computer: Laptop
Description:
The Event log service was stopped.

Data:
0000: ff 00 00 00 ÿ...


Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 11/24/2007
Time: 5:31:27 AM
User: N/A
Computer: Laptop
Description:
The Windows Installer service entered the stopped state.


Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7036
Date: 11/24/2007
Time: 5:29:52 AM
User: N/A
Computer: Laptop
Description:
The Windows Installer service entered the running state.


Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 11/24/2007
Time: 5:29:51 AM
User: NT AUTHORITY\SYSTEM
Computer: Laptop
Description:
The Windows Installer service was successfully sent a start control.

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 11/24/2007
Time: 5:28:27 AM
User: N/A
Computer: Laptop
Description:
File replacement was attempted on the protected system file wstcodec.sys.
This file was restored to the original version to maintain system stability.
The file version of the system file is 5.3.0.900.

..
..
..
..
..

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 11/24/2007
Time: 5:26:28 AM
User: N/A
Computer: Laptop
Description:
Application popup: Windows File Protection : Possible reasons for this
problem:
• You have inserted the wrong CD. (i.e., a

different Windows product CD than the version installed)
• The CD-ROM drive in your system is not functioning.

For more

information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: sr
Event Category: None
Event ID: 1
Date: 11/24/2007
Time: 5:26:19 AM
User: N/A
Computer: Laptop
Description:
The System Restore filter encountered the unexpected error '0xC0000056'
while processing the file 'gm.dls.new' on the volume

'HarddiskVolume1'. It has stopped monitoring the volume.

Data:
0000: 04 00 00 00 04 00 4e 00 ......N.
0008: 00 00 00 00 01 00 00 c0 .......À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 11/24/2007
Time: 5:26:19 AM
User: N/A
Computer: Laptop
Description:
File replacement was attempted on the protected system file
c:\windows\system32\drivers\ntfs.sys. This file was restored to the original
version to maintain system stability. The file version of the system file is
5.1.2600.3081.
..
..
..
..
Event Type: Information
Event Source: Tcpip
Event Category: None
Event ID: 4201
Date: 11/24/2007
Time: 4:56:35 AM
User: N/A
Computer: Laptop
Description:
The system detected that network adapter
\DEVICE\TCPIP_{A2ED5440-DDCB-4A96-A9A0-51EAB0C91BA1} was connected to the
network,

and has initiated normal operation over the network adapter.

Data:
0000: 00 00 00 00 02 00 50 00 ......P.
0008: 00 00 00 00 69 10 00 40 ....i..@
0010: 02 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
..
..
..

Event Type: Information
Event Source: WPDMTPDriver
Event Category: (16)
Event ID: 14000
Date: 11/24/2007
Time: 1:16:49 AM
User: N/A
Computer: Laptop
Description:
The description for Event ID ( 14000 ) in Source ( WPDMTPDriver ) cannot be
found. The local computer may not have the necessary registry information or
message DLL files to display messages from a remote computer. You may be able
to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event: MTP WPD
Driver.















.

Relevant Pages

  • Re: How long should it take an Information Store to start with no edb.chk
    ... On this occasion we were not getting a 109 event in the event log. ... We have since performed another restore of the Information store from ... CPU is less than 10%. ...
    (microsoft.public.exchange.admin)
  • Re: Application Event Log File is Corrupt
    ... I have discussed with colleagues, and our conclusion is, you can restore to ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... Application Event Log File is Corrupt ...
    (microsoft.public.windows.server.sbs)
  • Re: Restore Point feature inaccessible
    ... As for the event log, I just went into system Properties, clicked the System ... You can access Event Viewer by selecting Start, Control Panel, ... It is likely that your old restore points are unusable. ... Events display also shows Error messages having to do with Event ...
    (microsoft.public.windowsxp.perform_maintain)
  • Re: WINS server using CPU cycles
    ... So here is the original error message received in the event log: ... WINS encountered a database error. ... WINS and that presented the "Restore database" function in WINS admin. ... Does that rebuild the DB or try to restore the DB? ...
    (microsoft.public.windows.server.sbs)
  • Cannot install Windows Server 2003 Service Pack 1 Administration T
    ... SP1 files. ... I get this error in my event log: ... The Windows Installer service cannot update one or more protected ... SFP Error: 1223. ...
    (microsoft.public.windows.server.general)