Event log full of events
Since updating to Windows 11 22H2, a large number of event logs have been recorded.
There are several logs, including some nostalgic ones and some I've never seen before.
ID numbers include:
200, 201, 202, 10016, 6155, 1108, 28, etc.
200, 201, and 202 were investigated in the past but remain unresolved.
10016 is a DCOM error, so it might be possible to resolve it.
6155 is related to LSA (LsaSrv) logs, which are incomprehensible.
If used as a local user, it seems that the logs can be ignored, so I won't actively fix them. However, the errors in the 200 series are recorded in large quantities, which is annoying, so I stopped the recording.
If I feel like it, I might look for a way to fix them, so I'll keep a note of the logs.
First, DISM / SFC.
Some event logs may disappear when running the system file checker that comes with Windows 11/10.
There are two types of system file checkers and both should be run.
DISM | Deployment Image Servicing and Management |
SFC | System File Checker |
IDs 6155, 28, and 1108 disappeared after the DISM/SFC run.
How to use.
ID: 200, 201, 202
It is recorded continuously every 18 minutes or so.
If it's because you're tethering on the go, I wouldn't worry about it.
ID | Message |
200 | Could not establish a connection to the Windows Update service. |
201 | Could not establish a connection to Windows Metadata and Internet Services (WMIS). |
202 | The Network List Manager reports that it is not connected to the Internet. |
Not a fundamental solution, but...
For now, I have taken measures to prevent the logs from being recorded.
Search for the following and change Enabled to 0 to stop the logs from being recorded. (Default value: 1)
* Editing the registry is at your own risk.
Detailed instructions are summarized in the following article.
ID: 10016
10016 is a log involving DistributedCOM (DCOM).
Each time there is a major update like from 22H1 to 22H2, the issues that were previously fixed reappear.
The method to address the issue depends on the APPID in the log and on the account shown as xxx in "User: xxx".
The log message suggests that it might be possible to fix it using Component Services.
The users recorded this time are:
PC\User (local user), LOCAL SERVICE.
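Pulling the APPID and the requesting account out of each 10016 message, as an added example that is not part of the original post. The function name `ConvertFrom-Dcom10016Message` is hypothetical, the sample strings are abridged from the two messages quoted in the subsections below, and the user extraction assumes English message text.

```powershell
# Added example (not from the original post): summarise DCOM 10016 events
# by APPID and requesting SID so each pair can be handled separately.
function ConvertFrom-Dcom10016Message {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Message)
    process {
        $guid = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
        # (?s) lets '.' span the line breaks that live 10016 messages contain.
        if ($Message -notmatch "(?s)CLSID\s+($guid).*?APPID\s+($guid)") { return }
        $clsid, $appid = $Matches[1], $Matches[2]

        # The first "SID (S-1-...)" is the requesting account. The later
        # app-container SID reads "Unavailable" in the messages on this page.
        $sid = if ($Message -match 'SID\s+\((S-1-[^)]+)\)') { $Matches[1] }

        # Assumption: English wording. Localised logs phrase this differently,
        # in which case User stays empty and the SID identifies the account.
        $user = if ($Message -match '(?s)to the user\s+(.+?)\s+SID\s+\(') { $Matches[1] }

        [pscustomobject]@{ AppId = $appid; Clsid = $clsid; User = $user; Sid = $sid }
    }
}

# Sample input, abridged from the two messages quoted on this page
# (the first one keeps the page's redacted account and SID).
$samples = @(
    'with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user xxx\yyy SID (S-1-5-21-zzz) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable).',
    'with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable).'
)

# On a live system, feed the real events instead of $samples:
#   (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 10016 }).Message
$samples |
    ConvertFrom-Dcom10016Message |
    Group-Object AppId, Sid |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each output row is one APPID and account pair, which is the unit the Component Services permission change applies to.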
PC\User
The log indicates that PerAppRuntimeBroker requested access rights.
Message | The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user xxx\yyy SID (S-1-5-21-zzz) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool. |
Log Name | System |
Source | DistributedCOM (DCOM) |
Event ID | 10016 |
Level | Error |
User | Local User (pcName\UserAccount) |
Repair method
LOCAL SERVICE
The log indicates that ShellServiceHost requested access rights.
Message | The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool. |
Log Name | System |
Source | DistributedCOM (DCOM) |
Event ID | 10016 |
Level | Warning |
User | LOCAL SERVICE |
Repair method
ID: 6155
This log has been logged since the update to Windows 11 22H2.
It is a warning and sounds serious but can be left alone.
Message | The LSA package is not signed as expected. This may cause unexpected behavior in Credential Guard. Package name: msv1_0 |
Log Name | System |
Source | LSA (LsaSrv) |
Event ID | 6155 |
Level | Warning |
User | SYSTEM |
ID: 1108
This log has been logged since the update to Windows 11 22H2.
They say it is a security error._| ̄|○
This log is apparently not recorded in isolation, but in response to the previous error.
The error recorded immediately before is ID 28 in the next section.
Message | An error occurred in the event log service while processing an incoming event published from Microsoft-Windows-Security-Auditing. |
Log Name | Security |
Source | Eventlog |
Event ID | 1108 |
Level | Error |
User | N/A |
ID: 28
This log has been logged since the update to Windows 11 22H2.
Kernel error, that sounds serious!_| ̄|○
Message | An error occurred in the feature settings of the provider {77811378-e885-4ac2-a580-bc86e4f1bc93}. Error: 0xC0000005 |
Log Name | Microsoft-Windows-Kernel-EventTracing/Admin |
Source | Kernel-EventTracing |
Event ID | 28 |
Level | Error |
User | SYSTEM |
Summary