我需要排除一些我们遇到的 WMI 崩溃故障。不幸的是,事件日志没有显示任何详细信息,因为缺少描述。以下是日志内容:
The description for Event ID 5612 from source **Microsoft-Windows-WMI** cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
HandleCount
4116
4096
10508
我已经阅读了微软知识库文章,了解如何解决“未找到事件消息”问题(https://support.microsoft.com/en-us/kb/166902),但没有任何运气。
EventMessageFile指向的HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\**WMI.NET Provider Extension**注册表项C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll是存在的。
将注册表项与正确显示此特定事件 ID 的系统进行比较,未发现任何差异。此外,EventLogMessages.dll版本和校验和也相同。
我查看的注册表项是否正确?
该路径HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt仅包含一个名为的键ProviderGuid。但这似乎没问题,因为描述显示在具有相同(且仅此)键的系统上。
[编辑]
我确实查看了错误的注册表项。要查找的正确项是 ,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Microsoft-Windows-WMI它完全缺失了。此外,在提供程序配置中缺少一个名为 的项Enabled和ChannelReferences子项,可在 中找到HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}。
添加这些键后,WMI 事件可以正确显示。但是,这种情况只持续到系统重新启动。现在注册表键已按应有的方式存在,但仍然无法正确显示事件...有什么想法吗?
这是我从工作系统导出的确切注册表设置:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Microsoft-Windows-WMI]
"ProviderGuid"="{1edeee53-0afe-4609-b846-d8c0b2075b1f}"
"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,77,00,62,00,65,00,6d,00,5c,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,\
00,52,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}]
@="Microsoft-Windows-WMI"
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,77,00,62,00,65,00,6d,00,5c,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,\
00,52,00,2e,00,64,00,6c,00,6c,00,00,00
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,62,00,65,00,6d,00,5c,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,00,\
52,00,2e,00,64,00,6c,00,6c,00,00,00
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}\ChannelReferences]
"Count"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}\ChannelReferences\0]
@="Application"
"Id"=dword:00000009
"Flags"=dword:00000001
答案1
可以使用 EventCreate 命令行命令轻松添加缺失的事件 ID。更多信息可参见https://technet.microsoft.com/en-us/library/bb490899.aspx。
答案2
重新启动事件查看器。遇到了同样的问题,在 Google 上搜索,找到了答案。
“由于您在注册表中添加了 EventMessageFile 条目,因此事件查看器未重新启动。事件查看器会缓存它为事件源加载的 DLL。如果您在事件查看器启动后更改了注册表以提供正确的目录或源名称,则需要重新启动事件查看器。”-ref:请参阅第 6 点https://support.microsoft.com/en-us/help/166902/howto-troubleshooting-the-event-message-not-found-message
答案3
将格式从 RenderedText 更改为 Events
韦科特
wecutil ss“订阅”/cf:事件