Re: All events showing in each event log

From: Dave Patrick (mail_at_Nospam.DSPatrick.com)
Date: 11/15/04


Date: Mon, 15 Nov 2004 09:29:34 -0700

No, I've never seen this one. Within each of the keys below is a
Reg_Multi_SZ string named 'Sources'. It sounds like they all contain the
same list. Here's what I have on a newly built Windows 2003 standard server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

Application:
---------------------------
WSH
WMIAdapter
WmdmPmSN
WinMgmt
Winlogon
Windows Product Activation
Windows 3.1 Migration
WebClient
VxSvc_VMNT
VxSvc_pnp
VxSvc_PercPro
VxSvc_Perc2Pro
VxSvc_Mylex
VxSvc_mount
VxSvc_ftdisk
VxSvc_fsys
VxSvc_disk
VxSvc_ASPIPro
vxsvc_alert
vxsvc
VSS
VBRuntime
Userinit
Userenv
UploadM
TrustMonitor
Tlntsvr
SysmonLog
SQLSERVERAGENT
SQLFTHNDLR
SQLCTR
SpoolerCtrs
Software Installation
SclgNtfy
SceSrv
SceCli
safrslv
SAFrdms
Remote Assistance
PerfProc
PerfOS
PerfNet
Perfmon
Perflib
PerfDisk
Perfctrs
PassportManager
Offline Files
Oakley
ntbackup
Network Optional Components
MSSQLServerAgent
MSSQLServerADHelper
MSSQLSERVER/MSDE
MSSQLSERVER
MssCi
MsiInstaller
MSDTC Client
MSDTC
mnmsrvc
Microsoft Search
LoadPerf
LicenseService
HelpSvc
Folder Redirection
File Deployment
EventSystem
EventCreate
ESENT
DSReplicationProvider
DrWatson
DiskQuota
DataTransformationServices
crypt32
COM+
Ci
Chkdsk
CertEnterprisePolicy
AutoEnrollment
Autochk
Application Management
Application Hang
Application Error
apphelp
.NET Runtime
Application
---------------------------

System:
---------------------------
WZCSVC
Workstation
WMIxWDM
WLBS
WinHttpAutoProxySvc
Windows Script Host
Windows File Protection
Win32k
Wd
W32Time
Volume Shadow Copy Service Task
VolSnap
Virtual Disk Service
viaide
VgaSave
VDS Dynamic Provider 1.0
VDS Basic Provider 1.0
USER32
UPS
ultra
udfs
toside
TermServSessDir
TermServJet
TermService
TermServDevices
TermDD
tdi
TCPMon
Tcpip
System Error
sym_u3
sym_hi
symmpi
symc8xx
symc810
StillImage
Srv
Software Restriction Policy
sndblst
Simbad
SideBySide
sfloppy
Setup
Service Control Manager
Server Administrator
Server
serial
scsiport
Schedule
Schannel
SCardSvr
Save Dump
SAM
Removable Storage Service
RemoteAccess
redbook
Rdbss
RasMan
RasAuto
ql2300
ql2200
ql2100
ql1280
ql1240
ql12160
ql10wnt
ql1080
Processor
Print
PptpMiniport
PolicyAgent
PlugPlayManager
perc2
pcmcia
pciide
pci
Parvdm
partmgr
parport
OSPFMib
OSPF
null
NtServicePack
ntfs
npfs
Nla
nfrd960
Netlogon
NetDDE
NetBT
NetBIOS
NdisWan
ndis
Mup
msfs
msadlib
MrxSmb
MRxDAV
mraid35x
mouclass
Modem
LsaSrv
lp6nds35
LmHosts
LDMS
LDM
Kerberos
KDC
kbdclass
isapnp
IPXSAP
IPXCP
ipsraidn
IPSec
IPRouterManager
IPRIP2
IPNATHLP
IPMGM
IPBOOTP
intelide
iirsp
IGMPv2
i8042prt
i2omp
i2omgmt
Http
hpt3xx
hpn
ftdisk
fs_rec
flpydisk
Fips
fdc
fastfat
eventlog
efs
E1000
dpti2o
Dnscache
Dnsapi
dmio
dmboot
Distributed Link Tracking Server
Distributed Link Tracking Client
disk
Dhcp
DfsSvc
DfsDriver
dellcerc
DCOM
dac960nt
dac2w2k
cryptsvc
cpqfcalm
cpqcissm
cpqarry2
cpqarray
cmdide
changer
cdrom
Cdm
cdfs
cd20xrnt
cbidf2k
Browser
BITS
beep
Atmarpc
ati2mpad
atdisk
atapi
AsyncMac
Application Popup
ami0nt
aliide
Alerter
aic78xx
aic78u2
afcnt
AFAMGT
adpu320
adpu160m
acpiec
acpi
abiosdsk
System
---------------------------

Security:
---------------------------
Spooler
Security Account Manager
SC Manager
NetDDE Object
LSA
DS
Security
---------------------------

-- 
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"Gabe Knuth" wrote:
| Hello,
|
| I have an odd problem, and a tough one to search for, although it could
| simply be too early in the morning.
|
| I've got a Win2k3 server that is sending all event log entries to each event
| log.  All the logs are identical - i.e. the App log has the exact same
| entries as the System and Security logs. It's almost like all events are
| getting logged to the same place, since each log contains all the other
| logs.  (Apps log has Security and System log info in it, ...).
|
| I checked the files that the logs were pointing to, and they are all
| different (and pointed to the correct locations).
|
| Has anyone seen this before?  It certainly is odd.
|
| Thanks,
| Gabe
|
| 
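
One way to test the suggestion in the reply above, that the 'Sources' value under each of the three Eventlog keys holds the same list. This is an added example, not part of the original post; it assumes PowerShell is available on the server, and the variable names are illustrative.

```powershell
# Added example: compare the 'Sources' REG_MULTI_SZ value under each
# Eventlog key named in the post and report any overlap between logs.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$logs = 'Application', 'System', 'Security'

# Read each log's Sources list; a missing value yields an empty list.
$sources = @{}
foreach ($log in $logs) {
    $prop = Get-ItemProperty -Path (Join-Path $base $log) -Name Sources `
                             -ErrorAction SilentlyContinue
    $sources[$log] = @($prop.Sources | Where-Object { $_ })
    '{0,-12} {1,4} sources' -f $log, $sources[$log].Count
}

# Compare every pair of logs. -contains is case-insensitive, which matches
# how the registry treats these names.
for ($i = 0; $i -lt $logs.Count; $i++) {
    for ($j = $i + 1; $j -lt $logs.Count; $j++) {
        $left   = $logs[$i]
        $right  = $logs[$j]
        $shared = @($sources[$left] |
                    Where-Object { $sources[$right] -contains $_ })

        $identical = ($shared.Count -gt 0) -and
                     ($shared.Count -eq $sources[$left].Count) -and
                     ($shared.Count -eq $sources[$right].Count)

        if ($identical) {
            "$left / ${right}: IDENTICAL lists ($($shared.Count) entries)"
        }
        elseif ($shared.Count -gt 0) {
            "$left / ${right}: $($shared.Count) shared: $($shared -join ', ')"
        }
        else {
            "$left / ${right}: no shared sources"
        }
    }
}
```

Identical lists across all three pairs correspond to the condition described in the reply; the per-log lists from the newly built server in the post give a baseline to compare the counts against.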

