Hello,
Thank you for your reply.
Have you done the same tests on other XP workstations? Was the winlogon
event log recorded correctly on other XP workstations?
Based on my research, this problem may occur when the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\W
inlogon] registry key is corrupt. Please perform the following steps to
import the Winlogon registry key from a working computer to see whether it
works:
NOTE: As serious problems might occur if you modify the registry
incorrectly, please refer to the following KB article to back up the
registry before you modify it:
How to back up and restore the registry in Windows
http://support.microsoft.com/kb/322756/en-us
1. On the problematic computer, logon as administrator.
2. Locate the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\W
inlogon] registry key.
3. Right click this key and rename it to winlogon_old.
4. On a working Windows XP computer, export the
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\W
inlogon] registry key to a file.
5. Copy this file to the corrupted computer and double click it to import
the key.
6. Reboot the server to test this issue again.
Thanks for your time and I look forward to hearing from you.
Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! -
www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
| From: "gerryf" <
[email protected]>
| References: <
[email protected]>
<
[email protected]>
<#
[email protected]>
<
[email protected]>
| Subject: Re: Winlogon is not logging events in event viewer
| Date: Wed, 23 Apr 2008 10:09:46 -0400
| Lines: 1
| Message-ID: <
[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| format=flowed;
| charset="iso-8859-1";
| reply-type=original
| Content-Transfer-Encoding: 8bit
| X-Priority: 3
| X-MSMail-Priority: Normal
| Importance: Normal
| X-Newsreader: Microsoft Windows Live Mail 12.0.1606
| X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606
| X-MS-CommunityGroup-PostID: {005A69AB-300B-4FE8-9415-69ED378BE6BF}
| X-MS-CommunityGroup-ThreadID: 9945714E-47E4-4FDA-B5B1-B81D48060C43
| X-MS-CommunityGroup-ParentID: 8020823E-83B8-4813-88E8-EB27989F0913
| Newsgroups: microsoft.public.windowsxp.help_and_support
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windowsxp.help_and_support:82399
| NNTP-Posting-Host: TK2MSFTNGHUB02.phx.gbl 127.0.0.1
| X-Tomcat-NG: microsoft.public.windowsxp.help_and_support
|
| Thanks for your continued efforts
|
| Yes, it did run to completion running through all three phases--the
results
| screen just popped up so fast I was unable to read it.
|
| The workstation is completely up to date with all critical updates and
most
| recommended updates (don't care for WMP 11, so that was not installed.
|
|
|
|
| | > Hello,
| >
| > Thanks for your update.
| >
| > I'd like to verify whether the chkdsk.exe has been performed correctly
| > after the reboot.
| >
| > If the file system type of the volume which you'd like to check is
NTFS,
| > system will ask you whether to schedule this volume to be checked the
next
| > time the system restarts after the 'chkdsk /f' command is run. Please
| > press
| > 'Y' to accept the scheduled check. After the reboot, you will see the
| > screen of checking file system before you logon.
| >
| > Please check whether the file system checking is performed correctly
and
| > let me know the result.
| >
| > Meanwhile, I find there are some known issues about chkdsk utility,
for
| > example, chkdsk utility might incorrectly identify and delete in-use
| > security descriptors. These issues have been fixed with the latest
Service
| > Pack of Windows XP.
| >
| > So please check whether you have installed the latest Service Pack on
your
| > XP workstation.
| >
| > I look forward to hearing from you. Thanks.
| >
| > Sincerely,
| > Neo Zhu,
| > Microsoft Online Support
| > Microsoft Global Technical Support Center
| >
| > Get Secure! -
www.microsoft.com/security
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader
so
| > that others may learn and benefit from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| > --------------------
| > | From: "gerryf" <
[email protected]>
| > | References: <
[email protected]>
| > <
[email protected]>
| > | Subject: Re: Winlogon is not logging events in event viewer
| > | Date: Tue, 22 Apr 2008 08:49:52 -0400
| > | Lines: 1
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | format=flowed;
| > | charset="iso-8859-1";
| > | reply-type=original
| > | Content-Transfer-Encoding: 8bit
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | Importance: Normal
| > | X-Newsreader: Microsoft Windows Live Mail 12.0.1606
| > | X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606
| > | Message-ID: <#
[email protected]>
| > | Newsgroups: microsoft.public.windowsxp.help_and_support
| > | NNTP-Posting-Host: c-69-246-74-61.hsd1.mi.comcast.net 69.246.74.61
| > | Path:
TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl
| > microsoft.public.windowsxp.help_and_support:82296
| > | X-Tomcat-NG: microsoft.public.windowsxp.help_and_support
| > |
| > | Thank you for your response
| > |
| > | You're right...I tested another machine and no winlogon by
| > default....egads,
| > | how embarassing.
| > |
| > | But, as for chkdsk situation
| > |
| > | 1) I ran chkdsk /f on a single drive machine
| > |
| > | 2) I was looking for the results of a chkdsk report, the one that
| > normally
| > | looks like:
| > |
| > | Event Type: Information
| > | Event Source: Winlogon
| > | Event Category: None
| > | Event ID: 1001
| > | Date: 10/31/2006
| > | Time: 12:18:25 PM
| > | User: N/A
| > | Computer: Computername
| > | Description:
| > | Checking file system on C:
| > | The type of the file system is NTFS.
| > | Cleaning up minor inconsistencies on the drive.
| > | Cleaning up 6 unused index entries from index $SII of file 0×9.
| > | Cleaning up 6 unused index entries from index $SDH of file 0×9.
| > | Cleaning up 6 unused security descriptors.
| > | CHKDSK is verifying file data (stage 4 of 5).
| > | File data verification completed.
| > | CHKDSK is verifying free space (stage 5 of 5).
| > | Free space verification is complete.
| > |
| > | 78108029 KB total disk space.
| > | 17970008 KB in 53725 files.
| > | 18016 KB in 4671 indexes.
| > | 0 KB in bad sectors.
| > | 128749 KB in use by the system.
| > | 65536 KB occupied by the log file.
| > | 59991256 KB available on disk.
| > |
| > | 4096 bytes in each allocation unit.
| > | 19527007 total allocation units on disk.
| > | 14997814 allocation units available on disk.
| > |
| > | Internal Info:.........................
| > |
| > | There is no winlogon event id of 1001 at all
| > |
| > | Neither
| > | chkdsk /f c:
| > | or
| > | chkdsk /f
| > | records a winlogon event.
| > |
| > |
message
| > | | > | > Hello,
| > | >
| > | > Thank you for your post.
| > | >
| > | > I have done several tests in my lab environment. If I run 'Chkdsk
/F
| > C:'
| > | > and reboot the computer, the only recorded winlogon application
log
of
| > | > event viewer is the 1001 event. By default, there is no other
winlogon
| > log
| > | > recorded.
| > | >
| > | > To troubleshoot this issue efficiently, please help me collect the
| > | > following information so that we can have a better idea as to the
| > exact
| > | > issue:
| > | >
| > | > 1. Which chkdsk command did you run on the problematic client?
| > | > 2. Could you please let me know the exact Winlogon event that you
| > would
| > | > like to check?
| > | >
| > | > Meanwhile, please run the "chkdsk /f c:" command on the
problematic
| > client
| > | > and then reboot the computer. Is a winlogon event logged properly?
If
| > so,
| > | > I
| > | > think that the event logging function of winlogon should be
working
| > | > properly.
| > | >
| > | > I look forward to hearing from you soon. Thanks.
| > | >
| > | > Sincerely,
| > | > Neo Zhu,
| > | > Microsoft Online Support
| > | > Microsoft Global Technical Support Center
| > | >
| > | > Get Secure! -
www.microsoft.com/security
| > | > =====================================================
| > | > When responding to posts, please "Reply to Group" via your
newsreader
| > so
| > | > that others may learn and benefit from your issue.
| > | > =====================================================
| > | > This posting is provided "AS IS" with no warranties, and confers
no
| > | > rights.
| > | >
| > | > --------------------
| > | > | From: "gerryf" <
[email protected]>
| > | > | Subject: Winlogon is not logging events in event viewer
| > | > | Date: Mon, 21 Apr 2008 22:05:40 -0400
| > | > | Lines: 2
| > | > | Message-ID: <
[email protected]>
| > | > | MIME-Version: 1.0
| > | > | Content-Type: text/plain;
| > | > | format=flowed;
| > | > | charset="iso-8859-1";
| > | > | reply-type=original
| > | > | Content-Transfer-Encoding: 7bit
| > | > | X-Priority: 3
| > | > | X-MSMail-Priority: Normal
| > | > | Importance: Normal
| > | > | X-Newsreader: Microsoft Windows Live Mail 12.0.1606
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1606
| > | > | X-MS-CommunityGroup-MessageCategory:
| > | > {E4FCE0A9-75B4-4168-BFF9-16C22D8747EC}
| > | > | X-MS-CommunityGroup-PostID:
{9945714E-47E4-4FDA-B5B1-B81D48060C43}
| > | > | Newsgroups: microsoft.public.windowsxp.help_and_support
| > | > | Path: TK2MSFTNGHUB02.phx.gbl
| > | > | Xref: TK2MSFTNGHUB02.phx.gbl
| > | > microsoft.public.windowsxp.help_and_support:82257
| > | > | NNTP-Posting-Host: TK2MSFTNGHUB02.phx.gbl 127.0.0.1
| > | > | X-Tomcat-NG: microsoft.public.windowsxp.help_and_support
| > | > |
| > | > | Well, this is a new one for me. I was working on a computer
today
| > and
| > | > ran
| > | > a
| > | > | chkdsk, rebooted, and then went to see the results in the
winlogon
| > event
| > | > | notice in the application log of event viewer and there was no
| > event.
| > | > | Thinking that was odd, I looked for past winlogon notations and
| > there
| > | > hasn't
| > | > | been one in a long time---in fact, so long that if there ever
was
| > one,
| > | > the
| > | > | application log was so long that it had been deleted.
| > | > |
| > | > | So, I am puzzled. The system seems to be working fine and from
what
| > I
| > | > can
| > | > | see all other normal events are being logged--just not winlogon
| > | > |
| > | > | I've found only one other mention of a similar issue like this
in
| > the
| > | > | newsgroups and the person's solution was to run sfc /scannow,
but
| > that
| > | > did
| > | > | not fix this problem.
| > | > |
| > | > | What causes winlogon to register an event that might be failing
| > here?
| > | > |
| > | > |
| > | >
| > |
| >
|
