Win7 SP1 Update not installing - mismatched Mail file. 0x80004005


  1. Posts : 37
    Windows 7 Pro x64
    Thread Starter
       #41

    Here it is ...
    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>SC QC WERSVC
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: WERSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 4   DISABLED
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k WerSvcGroup
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Windows Error Reporting Service
            DEPENDENCIES       :
            SERVICE_START_NAME : localSystem
    
    C:\Windows\system32>SC QUERYEX WERSVC
    
    SERVICE_NAME: WERSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 1077  (0x435)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :
    
    C:\Windows\system32>SC SDSHOW WERSVC
    
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    
    C:\Windows\system32>SC QSIDTYPE WERSVC
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: WERSVC
    SERVICE_SID_TYPE:  UNRESTRICTED
    
    C:\Windows\system32>SC QPRIVS WERSVC
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: WERSVC
            PRIVILEGES       : SeDebugPrivilege
                             : SeTcbPrivilege
                             : SeImpersonatePrivilege
                             : SeAssignPrimaryTokenPrivilege
    Virus scan complete - no new nasties (hurray)

    Tried a regedit to change the startup for wersvc from 4 (disabled) to 2 (automatic), rebooted and re-ran the results:
    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>NET START WECSVC
    The Windows Event Collector service is starting.
    The Windows Event Collector service was started successfully.
    
    
    C:\Windows\system32>SC QC WECSVC
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: WECSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k NetworkService
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Windows Event Collector
            DEPENDENCIES       : HTTP
                               : Eventlog
            SERVICE_START_NAME : NT AUTHORITY\NetworkService
    
    C:\Windows\system32>NET START WERSVC
    The Windows Error Reporting Service service is starting.
    The Windows Error Reporting Service service was started successfully.
    
    
    C:\Windows\system32>SC QC WERSVC
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: WERSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k WerSvcGroup
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Windows Error Reporting Service
            DEPENDENCIES       :
            SERVICE_START_NAME : localSystem
    
    C:\Windows\system32>NET START EVENTLOG
    The Windows Event Log service is starting.
    The Windows Event Log service could not be started.
    
    A system error has occurred.
    
    The system cannot find message text for message number 0x1069 in the message fil
    e for (null).
    
    More help is available by typing NET HELPMSG 4201.
    
    
    C:\Windows\system32>SC QC EVENTLOG
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: EVENTLOG
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceNetw
    orkRestricted
            LOAD_ORDER_GROUP   : Event Log
            TAG                : 0
            DISPLAY_NAME       : Windows Event Log
            DEPENDENCIES       :
            SERVICE_START_NAME : NT AUTHORITY\LocalService
    
    C:\Windows\system32>SC QC WERSVC
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: WERSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k WerSvcGroup
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Windows Error Reporting Service
            DEPENDENCIES       :
            SERVICE_START_NAME : localSystem
    
    C:\Windows\system32>SC QUERYEX WERSVC
    
    SERVICE_NAME: WERSVC
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 3880
            FLAGS              :
    
    C:\Windows\system32>SC SDSHOW WERSVC
    
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    
    C:\Windows\system32>SC QSIDTYPE WERSVC
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: WERSVC
    SERVICE_SID_TYPE:  UNRESTRICTED
    
    C:\Windows\system32>SC QPRIVS WERSVC
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: WERSVC
            PRIVILEGES       : SeDebugPrivilege
                             : SeTcbPrivilege
                             : SeImpersonatePrivilege
                             : SeAssignPrimaryTokenPrivilege
    
    C:\Windows\system32>
    To my untrained eye, this looks like WERSVC is solved, correct?
    Now the issue is the Event Log 4201 error.
    Last edited by DukeS; 11 Jul 2012 at 19:38.


  2. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #42

    Heh - you're learning fast!

    Same procedure for eventlog as for wersvc....

    SC QC EVENTLOG
    SC QUERYEX EVENTLOG

    SC SDSHOW EVENTLOG
    SC QSIDTYPE EVENTLOG
    SC QPRIVS EVENTLOG


  3. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #43

    (Bedtime for me - no hurry, as I won't be able to respond until about 1300 GMT or so.)


  4. Posts : 37
    Windows 7 Pro x64
    Thread Starter
       #44

    I was surprised by your post - figured you had already gone to bed.

    Results:

    Code:
    C:\Windows\system32>SC QC EVENTLOG
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: EVENTLOG
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceNetw
    orkRestricted
            LOAD_ORDER_GROUP   : Event Log
            TAG                : 0
            DISPLAY_NAME       : Windows Event Log
            DEPENDENCIES       :
            SERVICE_START_NAME : NT AUTHORITY\LocalService
    
    C:\Windows\system32>SC QUERYEX EVENTLOG
    
    SERVICE_NAME: EVENTLOG
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 4201  (0x1069)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :
    
    C:\Windows\system32>SC SDSHOW EVENTLOG
    
    D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCR
    RC;;;SY)S:(AU;SA;DCRPWPDTCRSDWDWO;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    
    C:\Windows\system32>SC QSIDTYPE EVENTLOG
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: EVENTLOG
    SERVICE_SID_TYPE:  UNRESTRICTED
    
    C:\Windows\system32>SC QPRIVS EVENTLOG
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: EVENTLOG
            PRIVILEGES       : SeChangeNotifyPrivilege
                             : SeImpersonatePrivilege
    
    C:\Windows\system32>
    Found this thread - trying it now.
    Last edited by DukeS; 11 Jul 2012 at 20:44.
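
The `SC SDSHOW` lines in the posts above are SDDL security descriptors. As an added example (not part of the original thread), this Python code decodes the two strings exactly as posted, including the 80-column console wrap, into per-trustee service rights and flags any non-administrative trustee that could reconfigure the service. The function names and the `WEAK_SDDL` sample are assumptions made for the illustration.

```python
import re

# SDDL right codes as they apply to service objects (SERVICE_* access rights).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {
    "SY": "Local System", "BA": "Builtin Administrators",
    "IU": "Interactive users", "SU": "Service logon users",
    "AU": "Authenticated Users", "WD": "Everyone",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
ACE_FLAGS = {"SA": "audit-success", "FA": "audit-failure"}
# Rights that let the holder reconfigure or take ownership of the service.
DANGEROUS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
ADMIN_TRUSTEES = {"SY", "BA"}

# Copied from the WERSVC and EVENTLOG output in this thread, wrap included.
WERSVC_SDDL = """
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCR
    RC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
"""
EVENTLOG_SDDL = """
    D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCR
    RC;;;SY)S:(AU;SA;DCRPWPDTCRSDWDWO;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
"""
# Constructed sample (not from the thread): Authenticated Users may change config.
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"


def unwrap(console_text):
    """Re-join an SDDL string that the console split across several lines."""
    return "".join(line.strip() for line in console_text.splitlines())


def split_pairs(codes, table):
    """Split a run of two-letter SDDL codes and translate each one."""
    if len(codes) % 2:
        raise ValueError("expected two-letter codes, got %r" % codes)
    return [table.get(codes[i:i + 2], codes[i:i + 2])
            for i in range(0, len(codes), 2)]


def parse_service_sddl(text):
    """Return one dict per ACE found in the D: (DACL) and S: (SACL) parts.

    Assumes rights are written as two-letter codes, as in the sc.exe output
    above; hex masks and conditional ACEs are not handled.
    """
    aces = []
    for section in re.finditer(r"([DS]):[A-Z]*((?:\([^)]*\))+)", unwrap(text)):
        acl = "DACL" if section.group(1) == "D" else "SACL"
        for ace in re.findall(r"\(([^)]*)\)", section.group(2)):
            fields = ace.split(";")  # type;flags;rights;object;inherit;sid
            aces.append({
                "acl": acl,
                "type": ACE_TYPES.get(fields[0], fields[0]),
                "flags": split_pairs(fields[1], ACE_FLAGS),
                "rights": split_pairs(fields[2], SERVICE_RIGHTS),
                "trustee": fields[5],
                "trustee_name": TRUSTEES.get(fields[5], fields[5]),
            })
    return aces


def risky_grants(aces):
    """Allow-ACEs giving a non-administrative trustee control of the service."""
    findings = []
    for ace in aces:
        if (ace["acl"] == "DACL" and ace["type"] == "allow"
                and ace["trustee"] not in ADMIN_TRUSTEES):
            hit = sorted(DANGEROUS.intersection(ace["rights"]))
            if hit:
                findings.append((ace["trustee_name"], hit))
    return findings


if __name__ == "__main__":
    for name, sddl in (("WERSVC", WERSVC_SDDL), ("EVENTLOG", EVENTLOG_SDDL),
                       ("constructed weak sample", WEAK_SDDL)):
        print(name)
        for ace in parse_service_sddl(sddl):
            print("  %-4s %-5s %-22s %s" % (ace["acl"], ace["type"],
                  ace["trustee_name"], ", ".join(ace["flags"] + ace["rights"])))
        print("  risky grants:", risky_grants(parse_service_sddl(sddl)) or "none")
```

Both descriptors from the thread decode with no risky grants: only Local System and Builtin Administrators hold start, stop or change-config rights, and the `S:` part only sets auditing for Everyone.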


  5. Posts : 37
    Windows 7 Pro x64
    Thread Starter
       #45

    "Tah da!" - But it lasted only a minute.

    That thread pointed me to a backup folder & file that had hit the 2Gb limit. Makes me wonder whether other huge log files that have years of old entries with no redeeming value anymore are taking up drive space.

    While my Event Log was working just this once after removing the backup, it was quite pretty with all the little yellow and red decorations added in the last 24 hours. I wonder if I should actually look into them or call good enough, good enough. But now, after a reboot, I get the same error - the Event Viewer is unable to open. And here we go again ....

    Code:
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>SC QC EVENTLOG
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: EVENTLOG
            TYPE               : 20  WIN32_SHARE_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceNetw
    orkRestricted
            LOAD_ORDER_GROUP   : Event Log
            TAG                : 0
            DISPLAY_NAME       : Windows Event Log
            DEPENDENCIES       :
            SERVICE_START_NAME : NT AUTHORITY\LocalService
    
    C:\Windows\system32>SC QUERYEX EVENTLOG
    
    SERVICE_NAME: EVENTLOG
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 4201  (0x1069)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
            PID                : 0
            FLAGS              :
    
    C:\Windows\system32>SC SDSHOW EVENTLOG
    
    D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCR
    RC;;;SY)S:(AU;SA;DCRPWPDTCRSDWDWO;;;WD)(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    
    C:\Windows\system32>SC QSIDTYPE EVENTLOG
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: EVENTLOG
    SERVICE_SID_TYPE:  UNRESTRICTED
    
    C:\Windows\system32>SC QPRIVS EVENTLOG
    [SC] QueryServiceConfig2 SUCCESS
    
    SERVICE_NAME: EVENTLOG
            PRIVILEGES       : SeChangeNotifyPrivilege
                             : SeImpersonatePrivilege
    
    C:\Windows\system32>
    Attached thumbnail: eventlogservicecap.png
    Last edited by DukeS; 11 Jul 2012 at 20:46.


  6. Posts : 37
    Windows 7 Pro x64
    Thread Starter
       #46

    The error in the screenprint led me to WMIDiag - a tool for diagnosing WMI, whatever that is. It does give some clues. (Report is also attached to make reading easier.)

    Code:
    33639 19:39:34 (0) ** WMIDiag v2.1 started on Wednesday, July 11, 2012 at 19:31.
    33640 19:39:34 (0) ** 
    33641 19:39:34 (0) ** Copyright (c) Microsoft Corporation. All rights reserved - July 2007.
    33642 19:39:34 (0) ** 
    33643 19:39:34 (0) ** This script is not supported under any Microsoft standard support program or service.
    33644 19:39:34 (0) ** The script is provided AS IS without warranty of any kind. Microsoft further disclaims all
    33645 19:39:34 (0) ** implied warranties including, without limitation, any implied warranties of merchantability
    33646 19:39:34 (0) ** or of fitness for a particular purpose. The entire risk arising out of the use or performance
    33647 19:39:34 (0) ** of the scripts and documentation remains with you. In no event shall Microsoft, its authors,
    33648 19:39:34 (0) ** or anyone else involved in the creation, production, or delivery of the script be liable for
    33649 19:39:34 (0) ** any damages whatsoever (including, without limitation, damages for loss of business profits,
    33650 19:39:34 (0) ** business interruption, loss of business information, or other pecuniary loss) arising out of
    33651 19:39:34 (0) ** the use of or inability to use the script or documentation, even if Microsoft has been advised
    33652 19:39:34 (0) ** of the possibility of such damages.
    33653 19:39:34 (0) ** 
    33654 19:39:34 (0) ** 
    33655 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33656 19:39:34 (0) ** ----------------------------------------------------- WMI REPORT: BEGIN ----------------------------------------------------------
    33657 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33658 19:39:34 (0) ** 
    33659 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33660 19:39:34 (0) ** Windows 7 - Service Pack 1 - 64-bit (7601) - User 'HP-8710W\DUKE' on computer 'HP-8710W'.
    33661 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33662 19:39:34 (0) ** Environment: ........................................................................................................ OK.
    33663 19:39:34 (0) ** System drive: ....................................................................................................... C: (Disk #0 Partition #1).
    33664 19:39:34 (0) ** Drive type: ......................................................................................................... IDE (ST9500421AS).
    33665 19:39:34 (0) ** There are no missing WMI system files: .............................................................................. OK.
    33666 19:39:34 (0) ** There are no missing WMI repository files: .......................................................................... OK.
    33667 19:39:34 (0) ** WMI repository state: ............................................................................................... CONSISTENT.
    33668 19:39:34 (0) ** AFTER running WMIDiag:
    33669 19:39:34 (0) ** The WMI repository has a size of: ................................................................................... 20 MB.
    33670 19:39:34 (0) ** - Disk free space on 'C:': .......................................................................................... 14743 MB.
    33671 19:39:34 (0) **   - INDEX.BTR,                     4399104 bytes,      7/11/2012 7:32:07 PM
    33672 19:39:34 (0) **   - MAPPING1.MAP,                  52092 bytes,        7/11/2012 7:32:07 PM
    33673 19:39:34 (0) **   - MAPPING2.MAP,                  52136 bytes,        7/11/2012 6:36:09 PM
    33674 19:39:34 (0) **   - OBJECTS.DATA,                  16048128 bytes,     7/11/2012 7:32:07 PM
    33675 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33676 19:39:34 (0) ** INFO: Windows Firewall status: ...................................................................................... ENABLED.
    33677 19:39:34 (0) ** Windows Firewall Profile: ........................................................................................... PRIVATE.
    33678 19:39:34 (0) ** Inbound connections that do not match a rule BLOCKED: ............................................................... ENABLED.
    33679 19:39:34 (0) ** => This will prevent any WMI remote connectivity to this computer except
    33680 19:39:34 (0) **    if the following three inbound rules are ENABLED and non-BLOCKING:
    33681 19:39:34 (0) **    - 'Windows Management Instrumentation (DCOM-In)'
    33682 19:39:34 (0) **    - 'Windows Management Instrumentation (WMI-In)'
    33683 19:39:34 (0) **    - 'Windows Management Instrumentation (ASync-In)'
    33684 19:39:34 (0) **    Verify the reported status for each of these three inbound rules below.
    33685 19:39:34 (0) ** 
    33686 19:39:34 (0) ** Windows Firewall 'Windows Management Instrumentation (WMI)' group rule: ............................................. DISABLED.
    33687 19:39:34 (0) ** => This will prevent any WMI remote connectivity to/from this machine.
    33688 19:39:34 (0) **    - You can adjust the configuration by executing the following command:
    33689 19:39:34 (0) **    i.e. 'NETSH.EXE ADVFIREWALL FIREWALL SET RULE GROUP="Windows Management Instrumentation (WMI)" NEW ENABLE=YES'
    33690 19:39:34 (0) ** Note: With this command all inbound and outbound WMI rules are activated at once!
    33691 19:39:34 (0) **       You can also enable each individual rule instead of activating the group rule.
    33692 19:39:34 (0) ** 
    33693 19:39:34 (0) ** Windows Firewall 'Windows Management Instrumentation (ASync-In)' rule: .............................................. DISABLED.
    33694 19:39:34 (0) ** => This will prevent any WMI asynchronous inbound connectivity to this machine.
    33695 19:39:34 (0) **    - You can adjust the configuration of this rule by executing the following command:
    33696 19:39:34 (0) **    i.e. 'NETSH.EXE ADVFIREWALL FIREWALL SET RULE NAME="Windows Management Instrumentation (ASync-In)" NEW ENABLE=YES'
    33697 19:39:34 (0) ** 
    33698 19:39:34 (0) ** Windows Firewall 'Windows Management Instrumentation (WMI-Out)' rule: ............................................... DISABLED.
    33699 19:39:34 (0) ** => This will prevent any WMI asynchronous outbound connectivity from this machine.
    33700 19:39:34 (0) **    - You can adjust the configuration of this rule by executing the following command:
    33701 19:39:34 (0) **    i.e. 'NETSH.EXE ADVFIREWALL FIREWALL SET RULE NAME="Windows Management Instrumentation (WMI-Out)" NEW ENABLE=YES'
    33702 19:39:34 (0) ** 
    33703 19:39:34 (0) ** Windows Firewall 'Windows Management Instrumentation (WMI-In)' rule: ................................................ DISABLED.
    33704 19:39:34 (0) ** => This will prevent any WMI inbound connectivity to this machine.
    33705 19:39:34 (0) ** Note: The rule 'Windows Management Instrumentation (WMI-In)' rule must be ENABLED to allow incoming WMI connectivity.
    33706 19:39:34 (0) **    - You can adjust the configuration of this rule by executing the following command:
    33707 19:39:34 (0) **    i.e. 'NETSH.EXE ADVFIREWALL FIREWALL SET RULE NAME="Windows Management Instrumentation (WMI-In)" NEW ENABLE=YES'
    33708 19:39:34 (0) ** 
    33709 19:39:34 (0) ** Windows Firewall 'Windows Management Instrumentation (DCOM-In)' rule: ............................................... DISABLED.
    33710 19:39:34 (0) ** => This will prevent any DCOM WMI inbound connectivity to this machine.
    33711 19:39:34 (0) ** Note: The rule 'Windows Management Instrumentation (DCOM-In)' rule must be ENABLED to allow incoming DCOM WMI connectivity.
    33712 19:39:34 (0) **    - You can adjust the configuration of this rule by executing the following command:
    33713 19:39:34 (0) **    i.e. 'NETSH.EXE ADVFIREWALL FIREWALL SET RULE NAME="Windows Management Instrumentation (DCOM-In)" NEW ENABLE=YES'
    33714 19:39:34 (0) ** 
    33715 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33716 19:39:34 (0) ** DCOM Status: ........................................................................................................ OK.
    33717 19:39:34 (0) ** WMI registry setup: ................................................................................................. OK.
    33718 19:39:34 (0) ** INFO: WMI service has dependents: ................................................................................... 1 SERVICE(S)!
    33719 19:39:34 (0) ** - Internet Connection Sharing (ICS) (SHAREDACCESS, StartMode='Disabled')
    33720 19:39:34 (0) ** => If the WMI service is stopped, the listed service(s) will have to be stopped as well.
    33721 19:39:34 (0) **    Note: If the service is marked with (*), it means that the service/application uses WMI but
    33722 19:39:34 (0) **          there is no hard dependency on WMI. However, if the WMI service is stopped,
    33723 19:39:34 (0) **          this can prevent the service/application to work as expected.
    33724 19:39:34 (0) ** 
    33725 19:39:34 (0) ** RPCSS service: ...................................................................................................... OK (Already started).
    33726 19:39:34 (0) ** WINMGMT service: .................................................................................................... OK (Already started).
    33727 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33728 19:39:34 (0) ** WMI service DCOM setup: ............................................................................................. OK.
    33729 19:39:34 (0) ** WMI components DCOM registrations: .................................................................................. OK.
    33730 19:39:34 (0) ** WMI ProgID registrations: ........................................................................................... OK.
    33731 19:39:34 (2) !! WARNING: WMI provider DCOM registrations missing for the following provider(s): ..................................... 2 WARNING(S)!
    33732 19:39:34 (0) ** - ROOT/MSAPPS11, OffProv11 ({F7107F37-C761-4748-B686-055F45889DCD}) (i.e. WMI Class 'Win32_PowerPointSummary')
    33733 19:39:34 (0) **   Provider DLL: ''
    33734 19:39:34 (0) ** - ROOT/MSAPPS12, OffProv12 ({DBF82DC7-E750-4CCF-B09C-D8AECEF7158E}) (i.e. WMI Class 'Win32_PowerPoint12Tables')
    33735 19:39:34 (0) **   Provider DLL: ''
    33736 19:39:34 (0) ** => This is an issue because there are still some WMI classes referencing this list of providers
    33737 19:39:34 (0) **    while the DCOM registration is wrong or missing. This can be due to:
    33738 19:39:34 (0) **    - a de-installation of the software.
    33739 19:39:34 (0) **    - a deletion of some registry key data.
    33740 19:39:34 (0) **    - a registry corruption.
    33741 19:39:34 (0) ** => You can correct the DCOM configuration by:
    33742 19:39:34 (0) **    - Executing the 'REGSVR32.EXE <Provider.DLL>' command.
    33743 19:39:34 (0) **    Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
    33744 19:39:34 (0) **          (This list can be built on a similar and working WMI Windows installation)
    33745 19:39:34 (0) **          The following command line must be used:
    33746 19:39:34 (0) **          i.e. 'WMIDiag CorrelateClassAndProvider'
    33747 19:39:34 (2) !! WARNING: Re-registering with REGSVR32.EXE all DLL from 'C:\WINDOWS\SYSTEM32\WBEM\'
    33748 19:39:34 (0) **          may not solve the problem as the DLL supporting the WMI class(es)
    33749 19:39:34 (0) **          can be located in a different folder.
    33750 19:39:34 (0) **          You must refer to the class name to determine the software delivering the related DLL.
    33751 19:39:34 (0) ** => If the software has been de-installed intentionally, then this information must be
    33752 19:39:34 (0) **    removed from the WMI repository. You can use the 'WMIC.EXE' command to remove
    33753 19:39:34 (0) **    the provider registration data.
    33754 19:39:34 (0) **    i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\MSAPPS12 path __Win32Provider Where Name='OffProv12' DELETE'
    33755 19:39:34 (0) ** => If the namespace was ENTIRELY dedicated to the intentionally de-installed software,
    33756 19:39:34 (0) **    the namespace and ALL its content can be ENTIRELY deleted.
    33757 19:39:34 (0) **    i.e. 'WMIC.EXE /NAMESPACE:\\ROOT path __NAMESPACE Where Name='MSAPPS12' DELETE'
    33758 19:39:34 (0) **    - Re-installing the software.
    33759 19:39:34 (0) ** 
    33760 19:39:34 (2) !! WARNING: WMI provider CIM registrations missing for the following provider(s): ...................................... 1 WARNING(S)!
    33761 19:39:34 (0) ** - ROOT/WMI, Provider_BIOSInterface (i.e. WMI Class 'HPBIOS_BIOSEvent')
    33762 19:39:34 (0) **   MOF Registration: ''
    33763 19:39:34 (0) ** => This is an issue because there are still some WMI classes referencing this list of providers
    33764 19:39:34 (0) **    while the CIM registration is wrong or missing. This can be due to:
    33765 19:39:34 (0) **    - a de-installation of the software.
    33766 19:39:34 (0) **    - a deletion of some CIM registration information.
    33767 19:39:34 (0) ** => You can correct the CIM configuration by:
    33768 19:39:34 (0) **    - Manually recompiling the MOF file(s) with the 'MOFCOMP <FileName.MOF>' command.
    33769 19:39:34 (0) **    Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
    33770 19:39:34 (0) **          (This list can be built on a similar and working WMI Windows installation)
    33771 19:39:34 (0) **          The following command line must be used:
    33772 19:39:34 (0) **          i.e. 'WMIDiag CorrelateClassAndProvider'
    33773 19:39:34 (0) **    - Re-installing the software.
    33774 19:39:34 (0) ** => If the software has been de-installed intentionally, then this information must be
    33775 19:39:34 (0) **    removed from the WMI repository. You can use the 'WMIC.EXE' command to remove the provider
    33776 19:39:34 (0) **    registration data and its set of associated classes.
    33777 19:39:34 (0) **    i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\WMI path __Win32Provider Where Name='Provider_BIOSInterface' DELETE'
    33778 19:39:34 (0) **    i.e. 'WMIC.EXE /NAMESPACE:\\ROOT\WMI Class HPBIOS_BIOSEvent DELETE'
    33779 19:39:34 (0) ** => If the namespace was ENTIRELY dedicated to the intentionally de-installed software,
    33780 19:39:34 (0) **    the namespace and ALL its content can be ENTIRELY deleted.
    33781 19:39:34 (0) **    i.e. 'WMIC.EXE /NAMESPACE:\\ROOT path __NAMESPACE Where Name='WMI' DELETE'
    33782 19:39:34 (0) ** 
    33783 19:39:34 (0) ** WMI provider CLSIDs: ................................................................................................ OK.
    33784 19:39:34 (0) ** WMI providers EXE/DLL availability: ................................................................................. OK.
    33785 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33786 19:39:34 (0) ** INFO: User Account Control (UAC): ................................................................................... DISABLED.
    33787 19:39:34 (0) ** INFO: Local Account Filtering: ...................................................................................... ENABLED.
    33788 19:39:34 (0) ** => WMI tasks remotely accessing WMI information on this computer and requiring Administrative
    33789 19:39:34 (0) **    privileges MUST use a DOMAIN account part of the Local Administrators group of this computer
    33790 19:39:34 (0) **    to ensure that administrative privileges are granted. If a Local User account is used for remote
    33791 19:39:34 (0) **    accesses, it will be reduced to a plain user (filtered token), even if it is part of the Local Administrators group.
    33792 19:39:34 (0) ** 
    33793 19:39:34 (0) ** Overall DCOM security status: ....................................................................................... OK.
    33794 19:39:34 (0) ** Overall WMI security status: ........................................................................................ OK.
    33795 19:39:34 (0) ** - Started at 'Root' --------------------------------------------------------------------------------------------------------------
    33796 19:39:34 (0) ** INFO: WMI permanent SUBSCRIPTION(S): ................................................................................ 1.
    33797 19:39:34 (0) ** - ROOT/SUBSCRIPTION, NTEventLogEventConsumer.Name="SCM Event Log Consumer".
    33798 19:39:34 (0) **   'select * from MSFT_SCMEventLogEvent'
    33799 19:39:34 (0) ** 
    33800 19:39:34 (0) ** WMI TIMER instruction(s): ........................................................................................... NONE.
    33801 19:39:34 (0) ** INFO: WMI namespace(s) requiring PACKET PRIVACY: .................................................................... 4 NAMESPACE(S)!
    33802 19:39:34 (0) ** - ROOT/CIMV2/SECURITY/MICROSOFTTPM.
    33803 19:39:34 (0) ** - ROOT/CIMV2/SECURITY/MICROSOFTVOLUMEENCRYPTION.
    33804 19:39:34 (0) ** - ROOT/CIMV2/TERMINALSERVICES.
    33805 19:39:34 (0) ** - ROOT/SERVICEMODEL.
    33806 19:39:34 (0) ** => When remotely connecting, the namespace(s) listed require(s) the WMI client to
    33807 19:39:34 (0) **    use an encrypted connection by specifying the PACKET PRIVACY authentication level.
    33808 19:39:34 (0) **    (RPC_C_AUTHN_LEVEL_PKT_PRIVACY or PktPrivacy flags)
    33809 19:39:34 (0) **    i.e. 'WMIC.EXE /NODE:"HP-8710W" /AUTHLEVEL:Pktprivacy /NAMESPACE:\\ROOT\SERVICEMODEL Class __SystemSecurity'
    33810 19:39:34 (0) ** 
    33811 19:39:34 (0) ** WMI MONIKER CONNECTIONS: ............................................................................................ OK.
    33812 19:39:34 (0) ** WMI CONNECTIONS: .................................................................................................... OK.
    33813 19:39:34 (1) !! ERROR: WMI GET operation errors reported: ........................................................................... 33 ERROR(S)!
    33814 19:39:34 (0) ** - Root/CIMV2, MSFT_NetInvalidDriverDependency, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33815 19:39:34 (0) **   MOF Registration: ''
    33816 19:39:34 (0) ** - Root/CIMV2, Win32_OsBaselineProvider, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33817 19:39:34 (0) **   MOF Registration: ''
    33818 19:39:34 (0) ** - Root/CIMV2, Win32_OsBaseline, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33819 19:39:34 (0) **   MOF Registration: ''
    33820 19:39:34 (0) ** - Root/CIMV2, Win32_DriverVXD, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33821 19:39:34 (0) **   MOF Registration: ''
    33822 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_BITS_BITSNetUtilization, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33823 19:39:34 (0) **   MOF Registration: ''
    33824 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_BITS_BITSNetUtilization, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33825 19:39:34 (0) **   MOF Registration: ''
    33826 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_Counters_GenericIKEandAuthIP, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33827 19:39:34 (0) **   MOF Registration: ''
    33828 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_Counters_GenericIKEandAuthIP, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33829 19:39:34 (0) **   MOF Registration: ''
    33830 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_Counters_IPsecAuthIPv4, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33831 19:39:34 (0) **   MOF Registration: ''
    33832 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_Counters_IPsecAuthIPv4, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33833 19:39:34 (0) **   MOF Registration: ''
    33834 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_Counters_IPsecAuthIPv6, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33835 19:39:34 (0) **   MOF Registration: ''
    33836 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_Counters_IPsecAuthIPv6, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33837 19:39:34 (0) **   MOF Registration: ''
    33838 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_Counters_IPsecIKEv4, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33839 19:39:34 (0) **   MOF Registration: ''
    33840 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_Counters_IPsecIKEv4, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33841 19:39:34 (0) **   MOF Registration: ''
    33842 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_Counters_IPsecIKEv6, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33843 19:39:34 (0) **   MOF Registration: ''
    33844 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_Counters_IPsecIKEv6, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33845 19:39:34 (0) **   MOF Registration: ''
    33846 19:39:34 (0) ** - Root/CIMV2, Win32_PerfFormattedData_TermService_TerminalServices, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33847 19:39:34 (0) **   MOF Registration: ''
    33848 19:39:34 (0) ** - Root/CIMV2, Win32_PerfRawData_TermService_TerminalServices, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33849 19:39:34 (0) **   MOF Registration: ''
    33850 19:39:34 (0) ** - Root/CIMV2, Win32_Service='WSCSVC', 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33851 19:39:34 (0) **   MOF Registration: ''
    33852 19:39:34 (0) ** - Root/WMI, ReserveDisjoinThread, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33853 19:39:34 (0) **   MOF Registration: ''
    33854 19:39:34 (0) ** - Root/WMI, ReserveLateCount, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33855 19:39:34 (0) **   MOF Registration: ''
    33856 19:39:34 (0) ** - Root/WMI, ReserveJoinThread, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33857 19:39:34 (0) **   MOF Registration: ''
    33858 19:39:34 (0) ** - Root/WMI, ReserveDelete, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33859 19:39:34 (0) **   MOF Registration: ''
    33860 19:39:34 (0) ** - Root/WMI, ReserveBandwidth, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33861 19:39:34 (0) **   MOF Registration: ''
    33862 19:39:34 (0) ** - Root/WMI, ReserveCreate, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33863 19:39:34 (0) **   MOF Registration: ''
    33864 19:39:34 (0) ** - Root/WMI, SystemConfig_PhyDisk, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33865 19:39:34 (0) **   MOF Registration: ''
    33866 19:39:34 (0) ** - Root/WMI, SystemConfig_Video, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33867 19:39:34 (0) **   MOF Registration: ''
    33868 19:39:34 (0) ** - Root/WMI, SystemConfig_IDEChannel, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33869 19:39:34 (0) **   MOF Registration: ''
    33870 19:39:34 (0) ** - Root/WMI, SystemConfig_NIC, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33871 19:39:34 (0) **   MOF Registration: ''
    33872 19:39:34 (0) ** - Root/WMI, SystemConfig_Network, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33873 19:39:34 (0) **   MOF Registration: ''
    33874 19:39:34 (0) ** - Root/WMI, SystemConfig_CPU, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33875 19:39:34 (0) **   MOF Registration: ''
    33876 19:39:34 (0) ** - Root/WMI, SystemConfig_LogDisk, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33877 19:39:34 (0) **   MOF Registration: ''
    33878 19:39:34 (0) ** - Root/WMI, SystemConfig_Power, 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found.
    33879 19:39:34 (0) **   MOF Registration: ''
    33880 19:39:34 (0) ** => When a WMI performance class is missing (i.e. 'Win32_PerfRawData_TermService_TerminalServices'), it is generally due to
    33881 19:39:34 (0) **    a lack of buffer refresh of the WMI class provider exposing the WMI performance counters.
    33882 19:39:34 (0) **    You can refresh the WMI class provider buffer with the following command:
    33883 19:39:34 (0) ** 
    33884 19:39:34 (0) **    i.e. 'WINMGMT.EXE /SYNCPERF'
    33885 19:39:34 (0) ** 
    33886 19:39:34 (0) ** WMI MOF representations: ............................................................................................ OK.
    33887 19:39:34 (0) ** WMI QUALIFIER access operations: .................................................................................... OK.
    33888 19:39:34 (0) ** WMI ENUMERATION operations: ......................................................................................... OK.
    33889 19:39:34 (0) ** WMI EXECQUERY operations: ........................................................................................... OK.
    33890 19:39:34 (0) ** WMI GET VALUE operations: ........................................................................................... OK.
    33891 19:39:34 (0) ** WMI WRITE operations: ............................................................................................... NOT TESTED.
    33892 19:39:34 (0) ** WMI PUT operations: ................................................................................................. NOT TESTED.
    33893 19:39:34 (0) ** WMI DELETE operations: .............................................................................................. NOT TESTED.
    33894 19:39:34 (0) ** WMI static instances retrieved: ..................................................................................... 1899.
    33895 19:39:34 (0) ** WMI dynamic instances retrieved: .................................................................................... 0.
    33896 19:39:34 (0) ** WMI instance request cancellations (to limit performance impact): ................................................... 1.
    33897 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33898 19:39:34 (0) ** # of Event Log events BEFORE WMIDiag execution since the last 20 day(s):
    33899 19:39:34 (0) **   DCOM: ............................................................................................................. ERROR!
    33900 19:39:34 (0) **   WINMGMT: .......................................................................................................... ERROR!
    33901 19:39:34 (0) **   WMIADAPTER: ....................................................................................................... ERROR!
    33902 19:39:34 (0) ** 
    33903 19:39:34 (0) ** # of additional Event Log events AFTER WMIDiag execution:
    33904 19:39:34 (0) **   DCOM: ............................................................................................................. ERROR!
    33905 19:39:34 (0) **   WINMGMT: .......................................................................................................... ERROR!
    33906 19:39:34 (0) **   WMIADAPTER: ....................................................................................................... ERROR!
    33907 19:39:34 (0) ** 
    33908 19:39:34 (0) ** 33 error(s) 0x80041002 - (WBEM_E_NOT_FOUND) Object cannot be found
    33909 19:39:34 (0) ** => This error is typically a WMI error. This WMI error is due to:
    33910 19:39:34 (0) **    - a missing WMI class definition or object.
    33911 19:39:34 (0) **      (See any GET, ENUMERATION, EXECQUERY and GET VALUE operation failures).
    33912 19:39:34 (0) **      You can correct the missing class definitions by:
    33913 19:39:34 (0) **      - Manually recompiling the MOF file(s) with the 'MOFCOMP <FileName.MOF>' command.
    33914 19:39:34 (0) **      Note: You can build a list of classes in relation with their WMI provider and MOF file with WMIDiag.
    33915 19:39:34 (0) **            (This list can be built on a similar and working WMI Windows installation)
    33916 19:39:34 (0) **            The following command line must be used:
    33917 19:39:34 (0) **            i.e. 'WMIDiag CorrelateClassAndProvider'
    33918 19:39:34 (0) **      Note: When a WMI performance class is missing, you can manually resynchronize performance counters
    33919 19:39:34 (0) **            with WMI by starting the ADAP process.
    33920 19:39:34 (0) **    - a WMI repository corruption.
    33921 19:39:34 (0) **      In such a case, you must rerun WMIDiag with 'WriteInRepository' parameter
    33922 19:39:34 (0) **      to validate the WMI repository operations.
    33923 19:39:34 (0) **    Note: ENSURE you are an administrator with FULL access to WMI EVERY namespaces of the computer before
    33924 19:39:34 (0) **          executing the WriteInRepository command. To write temporary data from the Root namespace, use:
    33925 19:39:34 (0) **          i.e. 'WMIDiag WriteInRepository=Root'
    33926 19:39:34 (0) **    - If the WriteInRepository command fails, while being an Administrator with ALL accesses to ALL namespaces
    33927 19:39:34 (0) **      the WMI repository must be reconstructed.
    33928 19:39:34 (0) **    Note: The WMI repository reconstruction requires to locate all MOF files needed to rebuild the repository,
    33929 19:39:34 (0) **          otherwise some applications may fail after the reconstruction.
    33930 19:39:34 (0) **          This can be achieved with the following command:
    33931 19:39:34 (0) **          i.e. 'WMIDiag ShowMOFErrors'
    33932 19:39:34 (0) **    Note: The repository reconstruction must be a LAST RESORT solution and ONLY after executing
    33933 19:39:34 (0) **          ALL fixes previously mentioned.
    33934 19:39:34 (2) !! WARNING: Static information stored by external applications in the repository will be LOST! (i.e. SMS Inventory)
    33935 19:39:34 (0) ** 
    33936 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33937 19:39:34 (0) ** Unexpected, wrong or missing registry key values: ................................................................... 1 KEY(S)!
    33938 19:39:34 (0) ** INFO: Unexpected registry key value:
    33939 19:39:34 (0) **   - Current:  HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Logging (REG_SZ) -> 0
    33940 19:39:34 (0) **   - Expected: HKLM\SOFTWARE\Microsoft\WBEM\CIMOM\Logging (REG_SZ) -> 1
    33941 19:39:34 (0) **     From the command line, the registry configuration can be corrected with the following command:
    33942 19:39:34 (0) **     i.e. 'REG.EXE Add "HKLM\SOFTWARE\Microsoft\WBEM\CIMOM" /v "Logging" /t "REG_SZ" /d "1" /f'
    33943 19:39:34 (0) ** 
    33944 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33945 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33946 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33947 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33948 19:39:34 (0) ** 
    33949 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33950 19:39:34 (0) ** ------------------------------------------------------ WMI REPORT: END -----------------------------------------------------------
    33951 19:39:34 (0) ** ----------------------------------------------------------------------------------------------------------------------------------
    33952 19:39:34 (0) ** 
    33953 19:39:34 (0) ** ERROR: WMIDiag detected issues that could prevent WMI to work properly!.  Check 'C:\USERS\DUKE\APPDATA\LOCAL\TEMP\WMIDIAG-V2.1_WIN7_.CLI.SP1.64_HP-8710W_2012.07.11_19.30.51.LOG' for details.
    33954 19:39:34 (0) ** 
    33955 19:39:34 (0) ** WMIDiag v2.1 ended on Wednesday, July 11, 2012 at 19:39 (W:61 E:290 S:
    The log file is attached.

    The report suggests some registry changes to fix WMI. I would appreciate expert eyes on this before I just go execute the changes since the tool predates W7.

    Thank you!


  7. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #47

    Interesting - did you see the post by GaryBouchard in "Event log error 4201 - ERROR_WMI_INSTANCE_NOT_FOUND"??
    That one seems to have cured the problem for many people - I'm busy most of the day and have a pool match this evening, but I'd like to test it in a VM at some stage before advising you to try it in Win7!!

    Have a read of the thread anyhow, while you're waiting (it may take that long!) :)


  8. Posts : 37
    Windows 7 Pro x64
    Thread Starter
       #48

    I read that thread yesterday. My short summary, one of the security updates misparses the registry and apparently sets permissions wrong for a range of keys in the vicinity of the Vista Dreamscape? (sp?) feature, one of which must be resetting the permissions for the RtBackup folder when an event-related service is running.

    The solution is a tool that walks the registry resetting permissions back to the defaults, which in this context of WMI/Events may fix the issue (not 100% success) but in other contexts can mess up installed applications. It seems to be a sledge hammer registry-wide approach instead of a targeted approach dealing with just the WMI-related keys.

    I have found that because the WER service cannot start, the contents of the RtBackup folder are not locked and are deletable without going to safe mode. This seems like a functional alternative to renaming the folder, which is locked. On a reboot following such a deletion, the services start and the Event Viewer is available, but only for that session. On a subsequent reboot, the presence of the files prevents the service from starting and I am surmising that it is because the service can create the files in the first place, but fails when it cannot alter them. There are several posts in the thread concurring that it is a permissions issue, but no consensus as to what permissions/ownership is appropriate.

    The folders whose inheritable permissions (or containing corrupted evt or repository files) seem to trigger the issue are:
    windows/system32/logfiles
    windows/system32/wbem/repository
    windows/system32/winevt/logs
    (someone also suggested windows/logs but I think that's from XT days when evt files were stored there.)

    I led off by doing a post-SP1 SFC and it made a number of changes.
    Per one suggestion, I have also tried changing ownership for these folders from my user account to the group Administrators. (SYSTEM and TrustedInstaller were not in the list of available possible owners.)
    Per another suggestion, I deleted and rebuilt the wbem/repository folder.

    Where I can get the Event Viewer to work throughout a boot session by the workaround, I am nervous about using the global registry permissions reset sledge hammer in view of the side effects that are being reported for mature installations like mine, particularly where this is a pre-Win7 tool applicable to a Vista-related update and with logic that may not understand and deal with new structures that are added by Win7.

    The EV screencap follows.
    [Attached thumbnail: evtviewer.png]


  9. Posts : 37
    Windows 7 Pro x64
    Thread Starter
       #49

    Re-reading the thread as you suggested, I saw posts relating to Win7 that say the ONLY issue to solve is giving SYSTEM ownership and full privileges to RtBackup. I have done that and it seems the service is surviving a reboot. I'll report again after exercising it a bit more. This would imply that the sledgehammer "subinacl" discussion in that thread is relevant only to the Vista update. In the context of Win 7, the only issue is NTFS folder permissions; not registry settings. Fingers crossed.
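The ownership and permission question discussed in posts #48 and #49 can be checked without changing anything. The following read-only audit is an added example, not part of the original posts; the `RtBackup` path is the assumed default location, and the function and variable names are hypothetical.

```powershell
# Added example: read-only audit, nothing is modified. Run from an elevated prompt.
# Reports the owner of each folder and whether SYSTEM holds Full Control on the
# folder itself (ACEs that only apply to children are ignored).
$folders = @(
    "$env:windir\System32\LogFiles",
    "$env:windir\System32\LogFiles\WMI\RtBackup",   # assumed default RtBackup location
    "$env:windir\System32\wbem\Repository",
    "$env:windir\System32\winevt\Logs"
)

$sidType    = [System.Security.Principal.SecurityIdentifier]
$systemSid  = 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$fullCtrl   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$genericAll = 0x10000000      # GENERIC_ALL, stored by some ACEs instead of FullControl
$inheritOnly = 2              # PropagationFlags.InheritOnly

function Test-SystemFullControl {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    foreach ($rule in $Acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $systemSid) { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        $rights = [int]$rule.FileSystemRights
        if ((($rights -band $fullCtrl) -eq $fullCtrl) -or
            (($rights -band $genericAll) -ne 0)) { return $true }
    }
    return $false
}

foreach ($path in $folders) {
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
    } catch {
        Write-Output ("{0}: cannot read ACL ({1})" -f $path, $_.Exception.Message)
        continue
    }
    $ownerSid = $acl.GetOwner($sidType)
    try {
        $ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $ownerName = $ownerSid.Value   # SID could not be resolved to a name
    }
    New-Object PSObject -Property @{
        Path              = $path
        Owner             = $ownerName
        OwnerIsSystem     = ($ownerSid.Value -eq $systemSid)
        SystemFullControl = (Test-SystemFullControl -Acl $acl)
    } | Select-Object Path, Owner, OwnerIsSystem, SystemFullControl
}
```

Running it before and after an ownership change gives a record of exactly what was altered, which helps if the change needs to be reverted later.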


  10. Posts : 21,482
    Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
       #50

    Making the WBEM\Repository files read-only results in a specific error in an MGADiag report - so I doubt that's it (ISTR that we had a look and it was clean? -in a hurry so I'll check later)


 