Friday, October 11, 2013

Fix problem with flooded event viewer with 326 and 327 messages from ESENT source

On Windows you may find that your event viewer is flooded with 326 and 327 messages from the ESENT source. New events appear every few seconds, so it is not possible to use the event viewer for troubleshooting. Here are the messages for these events:

326:

svchost (6224) The database engine attached a database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 seconds)
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Saved Cache: 1

327:

svchost (6224) The database engine detached a database (2, C:\Windows\system32\LogFiles\Sum\SystemIdentity.mdb). (Time=0 seconds)
Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.
Revived Cache: 0

The solution is to stop the User Access Logging Service from Windows services.

After that, events should stop flooding the event log.
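One way to confirm the fix from an elevated PowerShell prompt, as an added example that is not part of the original post: it counts recent ESENT 326/327 events that mention the Sum directory, stops the service by the display name given above, and counts again. The 10-minute look-back and 60-second wait are assumed values.

```powershell
# Added example: measure the ESENT 326/327 flood, stop User Access Logging, re-check.
$ids     = 326, 327
$sumPath = 'C:\Windows\system32\LogFiles\Sum\'   # directory taken from the event text above

function Get-EsentSumFlood {
    param([datetime]$Since)
    # ESENT writes to the Application log; filter by provider, event ID and start time.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'ESENT'
        Id           = $ids
        StartTime    = $Since
    }
    # "No events found" is a non-terminating error, so an empty result is simply empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$sumPath*" }
}

# 1. Baseline: how many attach/detach events in the last 10 minutes (assumed window)?
$before = @(Get-EsentSumFlood -Since (Get-Date).AddMinutes(-10))
'Before: {0} events in the last 10 minutes' -f $before.Count
$before | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

# 2. Find the service by the display name used in the Services console and stop it.
$svc = Get-Service -DisplayName 'User Access Logging Service' -ErrorAction Stop
if ($svc.Status -ne 'Stopped') {
    $svc | Stop-Service
}

# Stopping does not change the startup type; report it so you know
# whether the service will come back after a reboot.
$startMode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
'Service {0} is {1}, startup type {2}' -f $svc.Name, (Get-Service $svc.Name).Status, $startMode

# 3. Re-check: count only events logged after the stop (assumed 60-second wait).
$stoppedAt = Get-Date
Start-Sleep -Seconds 60
$after = @(Get-EsentSumFlood -Since $stoppedAt)
'After: {0} events in the 60 seconds since the service was stopped' -f $after.Count
```

While the service is stopped, User Access Logging no longer records client access data into the databases under the Sum directory.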

5 comments:

  1. Do you know the cause of the problem?

  2. Hi,
    When I investigated the problem, I remember several posts where people said that it is somehow related to SQL Server. However, the steps for solving the issue from these posts didn't help. So the reason is still open here.

  3. The following KB explains a fix for this issue if you require usage of the UALs on any Windows DC. Yes, it is only in Japanese (use Google Translate if needed).

    http://support.microsoft.com/kb/2900773/ja

  4. Do mind that the following cleanup had been done before as well:
    Windows Update cleanup, using Disk Cleanup from the Desktop Experience feature, and adding the Network Service account with full rights on the C:\windows\system32\LogFiles\Sum directory
