From: loki on 2 Oct 2009 15:14

Yes, of course... nothing works :( There is also some strange bug in IIS (I cannot see the web site configuration details, for example).

I do not understand why nothing works just after a simple restart! Has this already happened to someone?

Thank you in advance,
stephane

"Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:%23XOra12QKHA.5032(a)TK2MSFTNGP05.phx.gbl...
> "loki" <loki5100-newsgroup(a)yahoo.fr> wrote in message
> news:A67A6C89-49B2-424E-ACB4-D22F54EFDC3E(a)microsoft.com...
>> Hello Lanwench,
>>
>> 1. Yesterday we restarted the computer, but we did absolutely nothing on it
>> (no install, no update, just a normal reboot).
>> 2. After the reboot it was impossible to log in to the computer via RDP!
>> The HTTP service was also not working. But ping was working!
>> 3. We tried to manually reboot the server (switching the power off/on); nothing
>> changed! We can still ping the server but cannot access it via Remote Desktop,
>> and the HTTP service still does not answer.
>> 4. We tried to log in locally (not remotely), but it was impossible to log in,
>> because for a long time we saw 'Apply user settings' without any
>> hard drive activity. No other choice but to reboot the computer.
>> 5. We restarted the computer in safe mode and this time we could log in. I
>> copied all the event logs but, amazingly, there is absolutely
>> nothing wrong in them! No error! No clues about what can prevent us from
>> connecting via Remote Desktop or IIS from answering.
>>
>> In the log there is no error, but I noticed that normally I see these entries
>> after a reboot:
>>
>> MSDTC started with the following settings: ...
>> The Terminal Services Configuration service entered the running state.
>> The Server service entered the running state.
>> The World Wide Web Publishing Service service entered the running state.
>> etc..
>>
>> But since yesterday's reboot I don't see these entries.
>>
>> Also, I noticed that all the missing lines are after this event:
>> File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has
>> successfully loaded and registered with Filter Manager.
>> The next line is normally:
>> The Plug and Play service entered the running state.
>>
>> What do you think the problem can be? What to do?
>> Remember, we didn't install anything on the computer, just restarted it...
>>
>> Many thanks in advance,
>> stephane
>>
>
> If they're stopped, have you tried to manually start the IISAdmin service,
> and the web publishing service?
>
> Ace

From: Ace Fekay [MCT] on 2 Oct 2009 15:22

"loki" <loki5100-newsgroup(a)yahoo.fr> wrote in message news:3721A299-A5A8-466E-BFD0-5D3DA207D01A(a)microsoft.com...
> Yes, of course... nothing works :( There is also some strange bug in
> IIS (I cannot see the web site configuration details, for
> example).
>
> I do not understand why nothing works just after a simple
> restart! Has this already happened to someone?
>
> Thank you in advance,
> stephane
>

No, that's not supposed to happen. It could be something else is causing it.

Post an ipconfig /all from the server, as well as the EventID# and Source Names and the error messages in the events that you see from errors in the event logs. This will better help than the descriptions you've provided.

Ace
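
The comparison this thread is working towards, which service-start events a healthy boot logs that the failed boot does not, plus the Event ID, source and message of anything that is not Information, written out as an added example that is not part of the original posts. It assumes the System log was saved from Event Viewer as tab-delimited text; the sample rows are constructed, modelled on the messages quoted in the thread, and the function names are illustrative.

```python
import csv
import io
import re
from datetime import datetime, timedelta

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"
# Assumption: drivers log a few seconds before the Event Log service writes
# event 6005, so look back this far when collecting non-Information events.
GRACE = timedelta(minutes=2)
RUNNING = re.compile(r"^The (.+) service entered the running state\.$")

# Constructed sample (not the poster's real export), newest first, columns:
# Level, Date and Time, Source, Event ID, Task Category, Message.
_SCM = "Service Control Manager"
_FLT = "Microsoft-Windows-FilterManager"
_LUAFV = "File System Filter 'luafv' has successfully loaded and registered with Filter Manager."
_ROWS = [
    ("Information", "10/2/2009 12:23:29 AM", _FLT, "6", "None", _LUAFV),
    ("Information", "10/2/2009 12:23:29 AM", "EventLog", "6005", "None", "The Event log service was started."),
    ("Warning", "10/2/2009 12:23:19 AM", "l2nd", "4", "None", "Broadcom BCM5708C: The network link is down."),
    ("Information", "10/2/2009 12:21:29 AM", "EventLog", "6006", "None", "The Event log service was stopped."),
    ("Information", "10/2/2009 12:21:28 AM", _SCM, "7036", "None", "The Windows Modules Installer service entered the running state."),
    ("Information", "9/25/2009 3:10:30 AM", _SCM, "7036", "None", "The World Wide Web Publishing Service service entered the running state."),
    ("Information", "9/25/2009 3:10:21 AM", _SCM, "7036", "None", "The Server service entered the running state."),
    ("Information", "9/25/2009 3:10:20 AM", _SCM, "7036", "None", "The Terminal Services Configuration service entered the running state."),
    ("Information", "9/25/2009 3:10:06 AM", _SCM, "7036", "None", "The Plug and Play service entered the running state."),
    ("Information", "9/25/2009 3:10:05 AM", _FLT, "6", "None", _LUAFV),
    ("Information", "9/25/2009 3:10:05 AM", "EventLog", "6005", "None", "The Event log service was started."),
]
SAMPLE = "\n".join("\t".join(row) for row in _ROWS)


def parse_export(text):
    """Return events oldest-first from a tab-delimited Event Viewer export."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 6:
            continue
        try:
            when = datetime.strptime(row[1], TS_FORMAT)
        except ValueError:
            continue  # header row or a continuation line of a long message
        events.append({"level": row[0], "time": when, "source": row[2],
                       "id": int(row[3]), "message": row[5]})
    events.reverse()                      # the export lists newest first
    events.sort(key=lambda e: e["time"])  # stable: keeps order within a second
    return events


def boot_sessions(events):
    """Split events into boots, each starting at an EventLog 6005 record."""
    sessions = []
    for event in events:
        if event["source"] == "EventLog" and event["id"] == 6005:
            sessions.append({"start": event["time"], "events": []})
        if sessions:
            sessions[-1]["events"].append(event)
    return sessions


def started_services(session, window):
    """Services that reported 'running' (SCM 7036) within `window` of boot."""
    names = []
    for event in session["events"]:
        match = RUNNING.match(event["message"])
        if (match and event["source"] == _SCM and event["id"] == 7036
                and event["time"] - session["start"] <= window):
            names.append(match.group(1))
    return names


def stalled_boot_report(text, window=timedelta(minutes=5)):
    """Compare the latest boot with the one before it."""
    events = parse_export(text)
    sessions = boot_sessions(events)
    if len(sessions) < 2:
        raise ValueError("need at least two boots in the export to compare")
    baseline, latest = sessions[-2], sessions[-1]
    seen = set(started_services(latest, window))
    missing = [s for s in started_services(baseline, window) if s not in seen]
    last = latest["events"][-1]
    since = latest["start"] - GRACE
    problems = [(e["id"], e["source"], e["message"]) for e in events
                if e["time"] >= since and e["level"] != "Information"]
    return {"boot": latest["start"], "missing": missing,
            "last_event": (last["source"], last["id"]), "problems": problems}


if __name__ == "__main__":
    report = stalled_boot_report(SAMPLE)
    print("Boot at", report["boot"], "stopped logging after", report["last_event"])
    print("Services that never reported running:", ", ".join(report["missing"]))
    for event_id, source, message in report["problems"]:
        print(f"  {source} {event_id}: {message}")
```
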

From: loki on 2 Oct 2009 16:06

The problem is that now I can no longer log in to the server :(

From what I saw when I was logged in (but in safe mode), there was no error message at all in the event log! This surprised me; I was hoping to see some error explaining why all the services did not start... nothing!!

I just noticed that in the event log we are missing some entries like:

MSDTC started with the following settings: ...
The Terminal Services Configuration service entered the running state.
The Server service entered the running state.
The World Wide Web Publishing Service service entered the running state.

That means the services did not start! But no explanation why they did not start, no error!

So it looks like the process is in an infinite loop somewhere between "File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has successfully loaded and registered with Filter Manager" and "The Plug and Play service entered the running state" that delays all the other events from happening!

Network card driver error? (But in safe mode I have internet...) Other driver error? But why no error in the event log...

Below are all the events just after rebooting the server for the first time:

**********************************
SYSTEM
**********************************

!!and nothing more until the next hard reboot!!

Information 10/2/2009 12:23:29 AM Microsoft-Windows-FilterManager 6 None File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has successfully loaded and registered with Filter Manager.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that network adapter Local Area Connection was connected to the network, and has initiated normal operation.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that network adapter Local Area Connection was connected to the network, and has initiated normal operation.
Information 10/2/2009 12:23:21 AM l2nd 9 None Broadcom BCM5708C: Network controller configured for 100Mb full-duplex link.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that network adapter Local Area Connection 2 was connected to the network, and has initiated normal operation.
Information 10/2/2009 12:23:21 AM Tcpip 4201 None The system detected that network adapter Local Area Connection 2 was connected to the network, and has initiated normal operation.
Information 10/2/2009 12:23:21 AM l2nd 9 None Broadcom BCM5708C: Network controller configured for 100Mb full-duplex link.
Warning 10/2/2009 12:23:19 AM l2nd 4 None Broadcom BCM5708C: The network link is down. Check to make sure the network cable is properly connected.
Warning 10/2/2009 12:23:18 AM l2nd 4 None Broadcom BCM5708C: The network link is down. Check to make sure the network cable is properly connected.
Information 10/2/2009 12:23:18 AM l2nd 16 None Broadcom BCM5708C: Driver initialized successfully.
Information 10/2/2009 12:23:18 AM b06bdrv 18 None \Device\NTPNP_PCI0030: Ndis device bound successfully.
Information 10/2/2009 12:23:18 AM l2nd 16 None Broadcom BCM5708C: Driver initialized successfully.
Information 10/2/2009 12:23:18 AM b06bdrv 18 None \Device\NTPNP_PCI0032: Ndis device bound successfully.
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4 None "Processor 0 exposes the following: 1 idle state(s) 0 performance state(s) 0 throttle state(s)"
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4 None "Processor 3 exposes the following: 1 idle state(s) 0 performance state(s) 0 throttle state(s)"
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4 None "Processor 2 exposes the following: 1 idle state(s) 0 performance state(s) 0 throttle state(s)"
Information 10/2/2009 12:23:18 AM Microsoft-Windows-Kernel-Processor-Power 4 None "Processor 1 exposes the following: 1 idle state(s) 0 performance state(s) 0 throttle state(s)"
Information 10/2/2009 12:23:16 AM Tcpip 4201 None The system detected that network adapter Loopback Pseudo-Interface 1 was connected to the network, and has initiated normal operation.
Information 10/2/2009 12:23:16 AM Tcpip 4201 None The system detected that network adapter Loopback Pseudo-Interface 1 was connected to the network, and has initiated normal operation.
Information 10/2/2009 12:23:16 AM b06bdrv 12 None \Device\NTPNP_PCI0030: Driver initialized successfully.
Information 10/2/2009 12:23:16 AM b06bdrv 12 None \Device\NTPNP_PCI0032: Driver initialized successfully.
Information 10/2/2009 12:23:29 AM EventLog 6013 None The system uptime is 39 seconds.
Information 10/2/2009 12:23:29 AM EventLog 6005 None The Event log service was started.
Information 10/2/2009 12:23:29 AM EventLog 6009 None Microsoft (R) Windows (R) 6.00. 6002 Service Pack 2 Multiprocessor Free.
Information 10/2/2009 12:21:29 AM EventLog 6006 None The Event log service was stopped.
Information 10/2/2009 12:21:28 AM Service Control Manager 7036 None The Group Policy Client service entered the stopped state.
Information 10/2/2009 12:21:28 AM Service Control Manager 7036 None The Windows Update service entered the stopped state.
Information 10/2/2009 12:21:28 AM Service Control Manager 7036 None The Windows Modules Installer service entered the running state.
Information 10/2/2009 12:21:28 AM Microsoft-Windows-DistributedCOM 10029 None "DCOM started the service TrustedInstaller with arguments """" in order to run the server: {752073A1-23F2-4396-85F0-8FDB879ED0ED}"
Information 10/2/2009 12:21:28 AM USER32 1074 None "The process C:\Windows\system32\winlogon.exe (SERVER10) has initiated the restart of computer SERVER10 on behalf of user SERVER10\Administrator for the following reason: No title for this reason could be found Reason Code: 0x500ff Shutdown Type: restart Comment: "
Information 10/2/2009 12:21:26 AM USER32 1074 None "The process Explorer.EXE has initiated the restart of computer SERVER10 on behalf of user SERVER10\Administrator for the following reason: Application: Maintenance (Planned) Reason Code: 0x84040001 Shutdown Type: restart Comment: "

**********************************
APPLICATION
**********************************

!!and nothing more until the next hard reboot!!

Information 10/2/2009 12:23:35 AM Microsoft-Windows-Security-Licensing-SLC 902 None "The Software Licensing service has started. "
Information 10/2/2009 12:23:34 AM Microsoft-Windows-Security-Licensing-SLC 1005 None "The result of Windows Right consumption is: hr=0x0 "
Information 10/2/2009 12:23:34 AM Microsoft-Windows-Security-Licensing-SLC 1003 None "The Software Licensing service has completed licensing status check.
Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status= {1,[15a581b4-f839-4d26-943c-b7e72f219849, 0, 0x0,0x0],[0x0,0x0,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0x0,0xFFFFFFFF,0x0,0,0,0x0],[0,0,0x0]} {1,[56df4151-1f9f-41bf-acaa-2941c071872b, 8, 0xC004F014,0x0]} {1,[603504f9-109f-49f0-9271-8c66f7878f58, 8, 0xC004F014,0x0]} {1,[7acd9eb8-e300-444c-b38a-47cdbe065508, 8, 0xC004F014,0x0]} {1,[ad2542d4-9154-4c6d-8a44-30f11ee96989, 8, 0xC004F014,0x0]} {1,[bb1d27c4-959d-4f82-b0fd-c02a7be54732, 8, 0xC004F014,0x0]} {1,[c90d1b4e-8aa8-439e-8b9e-b6d6b6a6d975, 8, 0xC004F014,0x0]} " Information 10/2/2009 12:23:34 AM Microsoft-Windows-Security-Licensing-SLC 1033 None "These policies are being excluded since they are only defined with override-only attribute. Policy Names=(Microsoft-Windows-AuxiliaryDisplay-EnableAPI) (Microsoft-Windows-AuxiliaryDisplay-EnableCPL) (Microsoft-Windows-AuxiliaryDisplay-EnableCPL_w) (Microsoft-Windows-AuxiliaryDisplay-EnableDriver) (Microsoft-Windows-AuxiliaryDisplay-EnableDriver_w) (Microsoft-Windows-AuxiliaryDisplay-EnableSDP) (Microsoft-Windows-AuxiliaryDisplay-EnableSDP_w) (Microsoft-Windows-CertificateServices-CA-AdvancedTemplateSupport) (Microsoft-Windows-CertificateServices-CA-AdvancedTemplateSupport_w) (Microsoft-Windows-CertificateServices-CA-CertificateManagerRestrictionSupport) (Microsoft-Windows-CertificateServices-CA-CertificateManagerRestrictionSupport_w) (Microsoft-Windows-CertificateServices-CA-ExitModuleSMTPSupport) (Microsoft-Windows-CertificateServices-CA-ExitModuleSMTPSupport_w) (Microsoft-Windows-CertificateServices-CA-RoleSeparationSupport) (Microsoft-Windows-CertificateServices-CA-RoleSeparationSupport_w) (Microsoft-Windows-Fax-Common-DeviceLimit) (Microsoft-Windows-Fax-Common-EnableServerPolicy) (PeerToPeerBase-IdManager-EnabledPolicy) (PeerToPeerBase-IdManager-EnabledPolicy_w) (PeerToPeerBase-Pnrp-EnabledPolicy) (PeerToPeerBase-Pnrp-EnabledPolicy_w) (Printing-Spooler-Pmc-Licensing-Enabled) 
(Printing-Spooler-Pmc-Licensing-Enabled_w) (SecureStartupFeature-Enabled) (SecureStartupFeature-Enabled-Driver) (SecureStartupFeature-Enabled_w) (SecureStartupFeature-PerfWarning) (TSProxy-EdgeAdapter-MaxConnections) (Telnet-Client-EnableTelnetClient) (Telnet-Client-EnableTelnetClient_w) (Telnet-Server-EnableTelnetServer) (Telnet-Server-EnableTelnetServer_w) (nfs-admincmdtools-enabled) (nfs-adminmmc-enabled) (nfs-clientcmdtools-enabled) (nfs-clientcore-enabled) (nfs-servercmdtools-enabled) (nfs-servercore-enabled) (psync-Enabled) (snis-Enabled) (snis-Enabled_w) (sua-EnableSUA) App Id=55c92734-d682-4d71-983e-d6ec3f16059f Sku Id=15a581b4-f839-4d26-943c-b7e72f219849" Information 10/2/2009 12:23:30 AM Microsoft-Windows-EventSystem 4625 None The EventSystem sub system is suppressing duplicate event log entries for a duration of 86400 seconds. The suppression timeout can be controlled by a REG_DWORD value named SuppressDuplicateDuration under the following registry key: HKLM\Software\Microsoft\EventSystem\EventLog. Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Licensing-SLC 900 None "The Software Licensing service is starting. " Information 10/2/2009 12:23:30 AM Microsoft-Windows-User Profiles Service 1531 None "The User Profile Service has started successfully. " Information 10/2/2009 12:21:28 AM Microsoft-Windows-CertificateServicesClient 2 None Certificate Services Client has been stopped. Information 10/2/2009 12:21:27 AM Microsoft-Windows-CertificateServicesClient 2 None Certificate Services Client has been stopped. Information 10/2/2009 12:21:28 AM Microsoft-Windows-MSDTC 4111 SVC The MS DTC service is stopping. Warning 10/2/2009 12:21:27 AM Microsoft-Windows-User Profiles Service 1530 None "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 
DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2358723158-3070534255-1126232614-500: Process 296 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2358723158-3070534255-1126232614-500\Printers\DevModePerUser " Information 10/2/2009 12:21:27 AM Desktop Window Manager 9009 None The Desktop Window Manager has exited with code (0x40010004) ********************************** ********************************** ********************************** SECURITY ********************************** ********************************** ********************************** !!and nothing more still the next hard reboot!! Information 10/2/2009 12:23:44 AM Microsoft-Windows-Security-Auditing 5061 System Integrity "Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: le-a5c12300-65be-4527-930d-9f95b4932d62 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0" Information 10/2/2009 12:23:44 AM Microsoft-Windows-Security-Auditing 5058 Other System Events "Key file operation. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: Not Available. Key Name: 88c4852146f789bc45b56e90f302b52c_58334793-82d1-4e55-8e35-8995a7752bb1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\88c4852146f789bc45b56e90f302b52c_58334793-82d1-4e55-8e35-8995a7752bb1 Operation: Read persisted key from file. Return Code: 0x0" Information 10/2/2009 12:23:32 AM Microsoft-Windows-Security-Auditing 5024 Other System Events The Windows Firewall Service has started successfully. 
Information 10/2/2009 12:23:32 AM Microsoft-Windows-Security-Auditing 5033 Other System Events The Windows Firewall Driver has started successfully. Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege" Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: SYSTEM Account Domain: NT AUTHORITY Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�?Ts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command." Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon. 
Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege" Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. 
- Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Information 10/2/2009 12:23:30 AM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: SYSTEM Account Domain: NT AUTHORITY Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�?Ts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command." Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege" Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. 
Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e5 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon. 
Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege" Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3e4 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. 
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege" Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. 
The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Information 10/2/2009 12:23:29 AM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: SYSTEM Account Domain: NT AUTHORITY Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x268 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�?Ts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command." Information 10/2/2009 12:23:28 AM Microsoft-Windows-Security-Auditing 4902 Audit Policy Change "The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0xcdf1" Information 10/2/2009 12:23:27 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. 
Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 0 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1000100000004 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Information 10/2/2009 12:23:27 AM Microsoft-Windows-Security-Auditing 4608 Security State Change "Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized." 
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off. Subject: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x1c264 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off. Subject: Security ID: S-1-5-21-2358723158-3070534255-1126232614-1001 Account Name: www.MOUTYHNE.com Account Domain: SERVER10 Logon ID: 0x1c337 Logon Type: 4 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off. Subject: Security ID: S-1-5-17 Account Name: IUSR Account Domain: NT AUTHORITY Logon ID: 0x3e3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off. Subject: Security ID: S-1-5-21-2358723158-3070534255-1126232614-500 Account Name: Administrator Account Domain: SERVER10 Logon ID: 0x199b2b4 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4634 Logoff "An account was logged off.
Subject: Security ID: S-1-5-21-2358723158-3070534255-1126232614-500 Account Name: Administrator Account Domain: SERVER10 Logon ID: 0x199c722 Logon Type: 10 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege"
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon Type: 5 New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x270 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 10/2/2009 12:21:28 AM Microsoft-Windows-Security-Auditing 4648 Logon "A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: SERVER10$ Account Domain: MOUTYHNE Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: SYSTEM Account Domain: NT AUTHORITY Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x270 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command."
Information 10/2/2009 12:21:29 AM Microsoft-Windows-Eventlog 1100 Service shutdown The event logging service has shut down.
Information 10/2/2009 12:21:27 AM Microsoft-Windows-Security-Auditing 4647 Logoff "User initiated logoff: Subject: Security ID: S-1-5-21-2358723158-3070534255-1126232614-500 Account Name: Administrator Account Domain: SERVER10 Logon ID: 0x199c722 This event is generated when a logoff is initiated but the token reference count is not zero and the logon session cannot be destroyed. No further user-initiated activity can occur. This event can be interpreted as a logoff event."

thanks for all!
stephane

"Ace Fekay [MCT]" <aceman(a)mvps.RemoveThisPart.org> wrote in message news:OFyilW5QKHA.4600(a)TK2MSFTNGP05.phx.gbl...
> "loki" <loki5100-newsgroup(a)yahoo.fr> wrote in message
> news:3721A299-A5A8-466E-BFD0-5D3DA207D01A(a)microsoft.com...
>> Yes of course... nothing work :( also some strange bug in
>> IIS (i can not see the web site configuration details for
>> example)
>>
>> i not understand why nothing work just after a simple
>> restart ! Is this is already happen to someone ?
>>
>> thanks you by advance
>> stephane
>>
>
> No, that's not supposed to happen. It could be something else is causing
> it. Post an ipconfig /all from the server, as well as the EventID# and
> Source Names and the error messages in the events that you see from errors
> in the event logs. This will better help than the descriptions you've
> provided.
>
> Ace
From: Ace Fekay [MCT] on 2 Oct 2009 21:19

"loki" <loki5100-newsgroup(a)yahoo.fr> wrote in message news:C2E312C0-149E-460A-8F78-3ED2F856AA2C(a)microsoft.com...
> the problem is that now i can not anymore login under the server :(
> for what i see when i was logged (but in safe mode) is that
> in the event they was no error message at all ! this surprised me,
> i was hoping to see some error why all the service not
> start... nothing !! just i notice that in the event log we miss
> some entry like :
> MSDTC started with the following settings: ...
> The Terminal Services Configuration service entered the running state.
> The Server service entered the running state.
> The World Wide Web Publishing Service service entered the running state.
>
> that mean the service not start ! but no explanation why they not start,
> no error !
> so it's look like the process do an infinite loop somewhere between
> "File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has successfully
> loaded and registered with Filter Manager"
> and
> "The Plug and Play service entered the running state"
>
> that delay all the other event to happen !
> network card driver error ? (but in safe mode i have the internet...)
> other driver error ? but why no error in the event log ...
>
> below all the event just after a reboot for the
> 1st time the server :

<snipped>

Lots of info. Thank you. :-)

However, nothing specific stands out. I can't find anything specific with the "The File System Filter 'luafv' issue". The informational stuff is just letting you know what's starting, etc.

How about the ipconfig /all?

Was anything installed or changed prior to this all happening?

Ace
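The comparison loki describes in the quoted message above (which start-up entries appear after a normal reboot but are absent after the failed one) can be automated over an exported log. This is an added example, not part of the original thread; the sample export is constructed from the messages quoted in the thread, and the tab-delimited layout, dates, source column and event IDs 6 and 7036 are assumptions.

```python
BOOT_MARKER_ID = 4608  # "Windows is starting up.", as seen in the posted log
LUAFV = ("File System Filter 'luafv' (6.0, 2008-01-19T05:59:06.000Z) has "
         "successfully loaded and registered with Filter Manager.")
SERVICES = ["Plug and Play", "Terminal Services Configuration", "Server",
            "World Wide Web Publishing Service"]

def _boot(day, services):
    """Build one boot's tab-delimited export lines in chronological order."""
    rows = [(BOOT_MARKER_ID, "Windows is starting up."), (6, LUAFV)]
    rows += [(7036, f"The {s} service entered the running state.") for s in services]
    return ["\t".join(["Information", f"{day} 12:23:27 AM", "constructed",
                       str(event_id), "None", f'"{msg}"']) for event_id, msg in rows]

# Constructed sample: the messages are the ones quoted in the thread; dates, the
# source column and event IDs 6 and 7036 are assumptions. Newest entry first.
SAMPLE_EXPORT = "\n".join(reversed(_boot("9/25/2009", SERVICES) + _boot("10/2/2009", [])))

def parse_export(text):
    """Return chronological (event_id, message) pairs from the export text."""
    rows = []
    for line in text.strip().splitlines():
        _level, _when, _source, event_id, _task, message = line.split("\t", 5)
        rows.append((int(event_id), message.strip('"')))
    rows.reverse()  # the export lists the newest event first
    return rows

def split_boots(rows):
    """Group messages into boot sessions, each opened by a 4608 marker."""
    boots = []
    for event_id, message in rows:
        if event_id == BOOT_MARKER_ID:
            boots.append([])
        elif boots:
            boots[-1].append(message)
    return boots

def first_stall(good_boot, bad_boot):
    """Return (last good-boot milestone the bad boot reached, milestones it never logged)."""
    seen = set(bad_boot)
    reached = [m for m in good_boot if m in seen]
    missing = [m for m in good_boot if m not in seen]
    return (reached[-1] if reached else None), missing

if __name__ == "__main__":
    good, bad = split_boots(parse_export(SAMPLE_EXPORT))[-2:]
    print(first_stall(good, bad))
```

On the constructed sample the last milestone reached is the luafv filter load and the first missing one is the Plug and Play service start, which brackets the stall without relying on any error-level event being present.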
From: loki on 3 Oct 2009 02:50
> Lots of info. Thank you. :-)
>
> However, nothing specific stands out. I can't find anything specific with
> the "The File System Filter 'luafv' issue". The informational stuff is just
> letting you know what's starting, etc.
>
> How about the ipconfig /all?
>
> Was anything installed or changed prior to this all happening?
>
> Ace

you see like me, nothing wrong in the event log ! i can not believe it ! it like i do a bad nightmare. unfortunately i don't have anymore access to the server

i don't remember about the ipconfig /all, but i think this was ok (because we can use the internet from the server, i connect to it in safe mode by vnc)

i don't install anything on this server this year (except the windows update) and for the 3 last week we haven't installed any windows update.

what i know :

1/ the server was reboot 2 week ago due to a power failure. but work well after.
2/ we reboot the server around 1 time a week for the maintenance of the IIS application
3/ we have 3 other server that are exactly the same that still work very well (the server are dell PowerEdge 2950, 4 GB of memory, sas hard drive)
3/ it's a web server, more than 20 000 people everyday on it. could it be an attack that destroy the server ? a fail in php ? but in this case why the server crash only after we do a reboot ?
4/ when the guy connect in normal mode (but the first time it's was impossible for him because it's was "apply user settings" for indefinite time), he notice some problem with the driver of the network card (also he notice that the windows seem very unstable, some device are not show in the device manager for example)
5/ also i notice some strange bug in IIS (but i don't know if it's was because i was in safe mode). for example i can not see the website configuration detail panel of one website, always i receive an error when i try to do it given me an empty configuration panel

thanks again for your help !
stephane