Solved Strange event logs

[Jackal]

Strange Events and BSOD

Hi guys
i dont really look into my event logs because usually, i dont have the need too.

i randomly decided to look into my event log (while doing some maintenance on my setup)
and found some strange events.

two distinct event logs which are somewhat related.

Problem 1. I can cause the following event by removing my iPod from my pc via iTunes (remove virtually not physically)

Following events have
Log name: Microsoft-Windows-WMI-Activity/Operational
Event ID: 5858
Level: Error

Event 1:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = SHADY-PC; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WDMClassesOfDriver where ClassName = "MSStorageDriver_ClassErrorLogEntry"; ResultCode = 0x80041032; PossibleCause = Unknown

Event 2:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = SHADY-PC; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WDMClassesOfDriver where ClassName = "MSStorageDriver_ClassErrorLog"; ResultCode = 0x80041032; PossibleCause = Unknown

Event 3:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = SHADY-PC; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "IDE\\DiskOCZ-VERTEX3_____________________________2.22____\\5&2b5975fc&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}"; ResultCode = 0x80041032; PossibleCause = Unknown

Event 4:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = SHADY-PC; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WMIBinaryMofResource where Name = "IDE\\DiskWDC_WD2002FAEX-007BA0___________________05.01D05\\5&2785c9a&0&1.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}"; ResultCode = 0x80041032; PossibleCause = Unknown

Event 5:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = SHADY-PC; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WDMClassesOfDriver where ClassName = "MSStorageDriver_SenseData"; ResultCode = 0x80041032; PossibleCause = Unknown

Event 6:
Id = {00000000-0000-0000-0000-000000000000}; ClientMachine = SHADY-PC; User = NT AUTHORITY\SYSTEM; ClientProcessId = 2992; Component = Unknown; Operation = Start IWbemServices::ExecQuery - root\wmi : select * from WDMClassesOfDriver where ClassName = "MSStorageDriver_ScsiRequestBlock"; ResultCode = 0x80041032; PossibleCause = Unknown



Problem 2:
the following errors occur when i insert a USB in my PC

Event 1:
The driver detected a controller error on \Device\Harddisk4\DR5.
*Note Hard disk 4 is the actual USB

Event 2 to 6 are the same as Problem 1: Events 1-6


I ran driver verifier with no apparent problems

uninstalled/reinstalled USB drivers
im stumped as to the cause of this problem.


thanks for any help in advance.


Motherboard is ASUSTeK Computer Inc. -Support- Drivers and Download Maximus IV Extreme

Windows 7 64bit

 

[Jackal]

anyone?

these errors only occur when removing a USB device.

 

[Jackal]

found the process id for the errors
it seems to be pointing at WmiPrvSE.exe

 

[DavidE]

In a web search for 0x80041032 WmiPrvSE i found this
WMI host throwing errors and using high CPU percentage - Microsoft Community

Try the suggested trouble shooter and scanning for malware to see they help.

I would also run a System File Check.
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

 

[carwiz]

You would have to check the process-ID at about the time the event is logged but I'd guess it's iTunes polling for devices or objects through IWBEM services (Windows Management Instrumentation). The result code 0x80041032 indicates a "WBEM_E_CALL_CANCELLED". This would indicate a driver or program problem. If you can create these events by removing the iPod from iTunes, there's most likely a programming error in iTunes.

In addition to what DavidE suggests, check to see if there's an update for iTunes. They're getting better. It used to cause numerous BSODs so you're lucky.

REF: https://support.microsoft.com/en-us/kb/295821

REF: https://msdn.microsoft.com/en-us/library/windows/desktop/aa392107(v=vs.85).aspx

Oh yes, Problem 2 might be a bad USB drive (thumb drive) if that's what you're inserting. They do wear out.

 

[Jackal]

You would have to check the process-ID at about the time the event is logged but I'd guess it's iTunes polling for devices or objects through IWBEM services (Windows Management Instrumentation). The result code 0x80041032 indicates a "WBEM_E_CALL_CANCELLED". This would indicate a driver or program problem. If you can create these events by removing the iPod from iTunes, there's most likely a programming error in iTunes.

The issue can be recreated by 'safely removing' a USB from the PC too so its not restricted to iTunes.

Also i am checking process ID at the time of event and it always comes back with wmiprvse.exe.

In a web search for 0x80041032 WmiPrvSE i found this
WMI host throwing errors and using high CPU percentage - Microsoft Community

i have done SFC scannow, also rebuilt WMI repository still nothing.

 

[Jackal]

i inserted my USB and removed it a few times with the errors coming up and i received a BSOD
minidump is attached if anyone can help.

 

[Golden]

fffff880`0d1514c8  00000000`000007ff
fffff880`0d1514d0  00000000`0000000c
fffff880`0d1514d8  fffff800`02fa0300 nt!ObpQueryNameString
fffff880`0d1514e0  fffff880`02676a22Unable to load image \SystemRoot\system32\DRIVERS\tdrpm251.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for tdrpm251.sys
*** ERROR: Module load completed but symbols could not be loaded for [B][COLOR="Red"]tdrpm251.sys[/COLOR][/B]
 tdrpm251+0x53a22
fffff880`0d1514e8  fffff800`02c57000 nt!KiSelectNextThread <PERF> (nt+0x0)
fffff880`0d1514f0  fffff800`02ef02ec nt!BBTBuffer <PERF> (nt+0x2992ec)
fffff880`0d1514f8  fffff800`02c57000 nt!KiSelectNextThread <PERF> (nt+0x0)
fffff880`0d151500  fffff800`02ef0580 nt!BBTBuffer <PERF> (nt+0x299580)
fffff880`0d151508  fffff880`02623000 tdrpm251
fffff880`0d151510  fffff880`027729f8 tdrpm251+0x14f9f8
fffff880`0d151518  fffff880`02623000 tdrpm251

At first glance, the issue appears to be a Acronis driver issue, but I think Norton is screwing you over as evidenced below:

fffff880`0d151910  00000000`00000000
fffff880`0d151918  00000000`00000004
fffff880`0d151920  fffff880`0457b940Unable to load image \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for [B][COLOR="red"]SYMEVENT64x86.SYS[/COLOR][/B]
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT64x86.SYS
 SYMEVENT64x86+0x22940
fffff880`0d151928  fffff880`04572d33 SYMEVENT64x86+0x19d33
fffff880`0d151930  00000000`00000000
fffff880`0d151938  fffff880`0d1519a0

fffff880`0d1510e8  00000000`00000000
fffff880`0d1510f0  00000000`019701c0
fffff880`0d1510f8  00000000`77a0e12a
fffff880`0d151100  fffff880`04f73758Unable to load image \??\C:\Program Files (x86)\Norton 360\NortonData\21.1.0.18\Definitions\BASHDefs\20150408.001\BHDrvx64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for [B][COLOR="red"]BHDrvx64.sys[/COLOR][/B]
*** ERROR: Module load completed but symbols could not be loaded for BHDrvx64.sys
 BHDrvx64+0x151758
fffff880`0d151108  fffff8a0`047c9458
fffff880`0d151110  00000000`00000000
fffff880`0d151118  00000000`00001f80
fffff880`0d151120  fffffa80`0ca38b30

Recommend replacing Norton with soemthing less instrusive, and checking to see if Acronis can be updated.

   Note

For future reference in case you need to post about more BSOD's:
http://www.sevenforums.com/bsod-help-support/96879-blue-screen-death-bsod-posting-instructions.html

 

[Jackal]

i will uninstall and report back asap.

 

[Jackal]

also @Golden
for future reference debugging
how did you pull those troubled drivers

windbg analyze v only brings up the ntkrnlpl.exe
and third party software shows fastfat.sys as a likely cause

 

[Jackal]

good news! i no longer get BSOD's now that ive uninstalled norton
my USB works as it should, i also get no more controller error logs in my event log.

however the only problem i have now are the incoherent event logs when i "safely remove" a USB device.
i have attached a copy of the event log errors i receive once i remove my USB device.

 

[Jackal]

any ideas what that eventlog could be referencing?

 

[Golden]

Sorry no idea at this stage.

 

[Jackal]

Sorry no idea at this stage.

only thing i know is that its related to WMI.
i take it that this error is by design since it only happens when removing a USB device

 

[carwiz]

WMI is just the servicing agent. It's doing what its told.

 

[Jackal]

WMI is just the servicing agent. It's doing what its told.

so the errors i receive by WMI are by design?
if so i shouldnt need to worry.

 

[carwiz]

Yes, of course, error handling is by design. Otherwise, you'd get a blue screen. An error is an error. Whether it's serious depends on what the software was trying to do. I've already suggested that it might be iTunes. I have one of my own I'm trying to track down and it bugs me. While not serious or affecting the system, it's still an error and shouldn't be there. (Mine)

I would suggest you do a Clean Start and see if your errors continue. If they disappear, add back ONE of the startups at a time until you locate the offender.

 

[Jackal]

Yes, of course, error handling is by design. Otherwise, you'd get a blue screen. An error is an error. Whether it's serious depends on what the software was trying to do. I've already suggested that it might be iTunes. I have one of my own I'm trying to track down and it bugs me. While not serious or affecting the system, it's still an error and shouldn't be there. (Mine)

I would suggest you do a Clean Start and see if your errors continue. If they disappear, add back ONE of the startups at a time until you locate the offender.

thanks
ill mark this as solved as the BSOD are no longer happening.