#61
It's a manufacturer's install, Jacee - OEM_SLP Key
Leave it for the moment - someone found a potential sinner :)
Please run the following command and post the output - note that this is ALL ONE LINE! (so copy/paste is kinda essential!)
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}
...or
Code:
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}
Last edited by NoelDP; 31 Oct 2012 at 05:05. Reason: add code block version
All right! :)
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\
{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B2
3F46E513E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-00000
0000000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805
fc79216}\EventClasses\{FAF53CC4-BD73-4E36-83F1-2B23F46E513E}-{00000000-0000-0000
-0000-000000000000}-{00000000-0000-0000-0000-000000000000}
Active REG_DWORD 0x1
EventClassID REG_SZ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E}
EventClassName REG_SZ VssEvent
OwnerSID REG_SZ S-1-5-18
TypeLib REG_EXPAND_SZ %systemroot%\system32\EVENTCLS.DLL
AllowInprocActivation REG_DWORD 0xffffffff
FireInParallel REG_DWORD 0x0
EventClassPartitionID REG_SZ {00000000-0000-0000-0000-000000000000}
EventClassApplicationID REG_SZ {00000000-0000-0000-0000-000000000000}
C:\Windows\system32>
No joy - those are the correct settings.
Please run the following commands and post the results
Net Start EventSystem
SC QC EventSystem
SC QUERYEX EventSystem
There it is:
C:\Windows\system32>Net Start EventSystem
The requested service has already been started.
More help is available by typing NET HELPMSG 2182.
C:\Windows\system32>SC QC EventSystem
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EventSystem
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : rpcss
SERVICE_START_NAME : NT AUTHORITY\LocalService
C:\Windows\system32>SC QUERYEX EventSystem
SERVICE_NAME: EventSystem
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1168
FLAGS :
C:\Windows\system32>
VERY interesting - looks like Tom was right!
Please run the following command, and attach the file in the same way.....
Then we can see if there's a handy backup of the missing data :)
Code:
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\VSS\Diag" /s > %USERPROFILE%\Desktop\ndp01.txt
Please also open Regedit and CAREFULLY navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS\Diag Key
right-click on it and select Permissions
What permissions exist, and for whom??
Last edited by NoelDP; 31 Oct 2012 at 05:46. Reason: clarity
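The permissions check requested in the post above can also be done from a script. The following is an added example, not part of the original thread: it reads the ACL of the VSS\Diag key in both CurrentControlSet and ControlSet002 and lists the entries that differ between them. The helper name Get-KeyAccess is hypothetical, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Read-only: nothing is modified.
# Run from an elevated PowerShell prompt; written to work on PowerShell 2.0 (Windows 7).
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\services\VSS\Diag',   # live key named in the thread
    'HKLM:\SYSTEM\ControlSet002\services\VSS\Diag'        # backup control set named in the thread
)

# Get-KeyAccess is a hypothetical helper name: returns one row per ACL entry.
function Get-KeyAccess {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found or not readable: $Path"
        return
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # A damaged ACL can deny even read access; report it instead of aborting.
        Write-Warning "Cannot read ACL of ${Path}: $($_.Exception.Message)"
        return
    }
    $acl.Access | Select-Object `
        @{Name = 'Identity';  Expression = { $_.IdentityReference.Value }},
        @{Name = 'Rights';    Expression = { $_.RegistryRights.ToString() }},
        @{Name = 'Type';      Expression = { $_.AccessControlType.ToString() }},
        @{Name = 'Inherited'; Expression = { $_.IsInherited }}
}

$acls = @{}
foreach ($key in $keys) {
    $acls[$key] = @(Get-KeyAccess -Path $key)
    "`n$key"
    $acls[$key] | Format-Table -AutoSize | Out-String
}

# Entries present in only one of the two keys ('<=' live only, '=>' backup only).
$live, $backup = $acls[$keys[0]], $acls[$keys[1]]
if ($live.Count -gt 0 -and $backup.Count -gt 0) {
    Compare-Object $live $backup -Property Identity, Rights, Type, Inherited |
        Format-Table -AutoSize | Out-String
} else {
    Write-Warning 'One or both ACLs could not be read, so no comparison was made.'
}
```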