Event log full of events
Since updating to Windows 11 22H2, a large number of event logs have been recorded.
There are several logs, including some nostalgic ones and some I've never seen before.
ID numbers include:
200, 201, 202, 10016, 6155, 1108, 28,...etc
200, 201, and 202 were investigated in the past but remain unresolved.
10016 is a DCOM error, so it might be possible to resolve it.
6155 is related to LSA (LsaSrv) logs, which are incomprehensible.
If used as a local user, it seems that the logs can be ignored, so I won't actively fix them. However, the errors in the 200 series are recorded in large quantities, which is annoying, so I stopped the recording.
If I feel like it, I might look for a way to fix them, so I'll keep a note of the logs.
First, DISM / SFC.
Some event logs may disappear when running the system file checker that comes with Windows 11/10.
There are two types of system file checkers and both should be run.
| DISM | Deployment Image Servicing and Management |
| SFC | System File Checker |
ID: 6155, 28, 1108 disappeared after DISM/SFC run.
How to use.
![[Win11 22H2] After the update, start with DISM, SFC, and Component Services](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTpyqIY01I_0y8AGQmoOn3KH57b9LIDKxW_YAugbvBspN9rSW8ivA-jv_Qe6g1Yzyt8NqYTJ9bajOpDLT_jPbuvMgDoW0MBqW0SuW5Bt2IFAaUYkVYwAbpknsV5v7GhvDj9JMCUj65pZkvNWFjdH4FAUrWbwYswlR-Jg0Ca-rUNa6v5rW3OfSiCgcOVg/w1200-h630-p-k-no-nu/wu11.png)
[Win11 22H2] After the update, start with DISM, SFC, and Component Services
After updating to Windows 11 22H2, it is recommended to run DISM and SFC to check the integrity of system files. It is likely that running SFC will find corrupted files. At the same time, it is also important to check for errors in Component Services.
kzstock.blogspot.comID: 200, 201, 202
It is recorded continuously every 18 minutes or so.
If it's because you're tethering on the go, I wouldn't worry about it.
| ID | Message |
| 200 | Could not establish a connection to the Windows Update service. |
| 201 | Could not establish a connection to Windows Metadata and Internet Services (WMIS). |
| 202 | The Network List Manager reports that it is not connected to the Internet. |
Not a fundamental solution, but...
For now, I have taken measures to prevent the logs from being recorded.
Search for the following and change Enabled=0 to stop the logs from being recorded. (Default value: 1)
* Editing the registry is at your own risk.
Detailed instructions are summarized in the following article.
![[EventId 200] Could not establish a connection to the Windows Update service](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN6dqRB2WfXdfAKB10FDjdJ2p22frW5ahcNd07xf7-Dux9uDfiM1RGf7v6iO-QRooVfr3FsZNkpRKcO8Or0JcmQeJ5ud_ns3dfE7tQwoVZB2bsZbTKUaxVjG_CqSTho3hre6kT7T4mOBGz/w1200-h630-p-k-no-nu/redyellow_317x.gif)
[EventId 200] Could not establish a connection to the Windows Update service
Warning log with Event ID 200, Source: DeviceSetupManager was recorded. It was recorded every few minutes, which was annoying, so I took measures to prevent it from being logged. I suspect this log is caused by the Wi-Fi link being disconnected when Windows resumes from sleep mode.
kzstock.blogspot.comID: 10016
10016 is a log involving DistributedCOM (DCOM).
Each time there is a major update like from 22H1 to 22H2, the issues that were previously fixed reappear.
The method to address the issue depends on the APPID in the log and the "User: xxx" specified as xxx.
The log message suggests that it might be possible to fix it using Component Services.
The users recorded this time are:
PC\User (local user), LOCAL SERVICE.
PC\User
The log indicates that PerAppRuntimeBroker requested access rights.
| Message | The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user xxx\yyy SID (S-1-5-21-zzz) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool. |
| Log Name | System |
| Source | DistributedCOM (DCOM) |
| Event ID | 10016 |
| Level | Error |
| User | Local User (pcName\UserAccount) |
Repair method
Re[EventId 10016] PerAppRuntimeBroker reappeared with the 20H2 update
When updating to Windows v20H2, Event ID 10016, PerAppRuntimeBroker was recorded. It can be fixed using Component Services.
kzstock.blogspot.comLOCAL SERVICE
The log indicates that ShellServiceHost requested access rights.
| Message | The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool. |
| Log Name | System |
| Source | DistributedCOM (DCOM) |
| Event ID | 10016 |
| Level | Warning |
| User | LOCAL SERVICE |
Repair method
re:[EventId 10016] How to grant access rights to ShellServiceHost
A possible way to deal with notified logs is to use a component service to grant access rights to the ShellServiceHost.
kzstock.blogspot.comID: 6155
This log has been logged since the update to Windows 11 22H2.
It is a warning and sounds serious but can be left alone.
| Message | The LSA package is not signed as expected. This may cause unexpected behavior in Credential Guard. Package name: msv1_0 |
| Log Name | System |
| Source | LSA (LsaSrv) |
| Event ID | 6155 |
| Level | Warning |
| User | SYSTEM |
ID: 1108
This log has been logged since the update to Windows 11 22H2.
They say it is a security error._| ̄|○
This log is apparently not recorded in isolation, but in response to the previous error.
The error recorded immediately before is ID 28 in the next section.
| Message | An error occurred in the event log service while processing an incoming event published from Microsoft-Windows-Security-Auditing. |
| Log Name | Security |
| Source | Eventlog |
| Event ID | 1108 |
| Level | Error |
| User | N/A |
ID: 28
This log has been logged since the update to Windows 11 22H2.
Kernel error, that sounds serious!_| ̄|○
| Message | An error occurred in the feature settings of the provider {77811378-e885-4ac2-a580-bc86e4f1bc93}. Error: 0xC0000005 |
| Log Name | Microsoft-Windows-Kernel-EventTracing/Admin |
| Source | Kernel-EventTracing |
| Event ID | 28 |
| Level | Error |
| User | SYSTEM |
Summary
- Many logs were found after the 22H2 update.
- 200, 201, 202, 10016, 6155, 1108, 28, ...
- There are many new logs, but some familiar faces have returned.
- Since there are no particular issues, I think it's okay to leave it until MS fixes it.
- Let's avoid looking at the event logs because it's causing concern.
このサイトを検索 | Search this site
![[Pixel 6a] 13は落ちてこないけど sideload はガマン](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjA4LVK-l4bknVBNsrXqSL_7HmSotLjBZMVofTzAVEej73LrzU049spQVIHCCptr4SEw7lAG_W5HKIfs78ZKhpW2XJmWK7putErLGcbw9aP3D3jknKeZJCIpNgBrA2t4sfV1iQ63zKe4pkN7C8kZr1tLT1-NTaTiGNBxcqmp7-yNFFEXw1GmqESxA-mhg/w680/pixel6asage.png){kind=tracking}
ブロトピ:今日のブログ更新){kind=link}
0 コメント