I need to troubleshoot some WMI crashes we are suffering from. Unfortunately the event log doesn't show any details as the descriptions are missing. This is what the log says:
The description for Event ID 5612 from source **Microsoft-Windows-WMI** cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
HandleCount
4116
4096
10508
I have already worked through Microsoft's knowledgebase article on how to troubleshoot the "event message not found" problem (https://support.microsoft.com/en-us/kb/166902) without any luck.
The registry key EventMessageFile under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\**WMI.NET Provider Extension** points to C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll which is existent.
Comparing the registry keys to a system where this specific event id gets shown correctly doesn't reveal any differences. Also the EventLogMessages.dll has the same version and checksum.
Am I looking at the right registry key?
The path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WinMgmt only contains a key called ProviderGuid. But that seems to be fine, as the descriptions are getting displayed on a system having the same (and only this) key.
[EDIT]
I indeed was looking at the wrong registry keys. The right one to look for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Microsoft-Windows-WMI which was completely missing. Also a key called Enabled and the ChannelReferences subkeys where missing within the provider configuration which can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}.
Adding those keys made the WMI events to get displayed correctly. However it did only last till a reboot of the system. Now the registry keys are there as they should be, but still no proper display of the events… any ideas?
This are my exact registry settings that I have exported from a working system:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Microsoft-Windows-WMI]
"ProviderGuid"="{1edeee53-0afe-4609-b846-d8c0b2075b1f}"
"EventMessageFile"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,77,00,62,00,65,00,6d,00,5c,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,\
00,52,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}]
@="Microsoft-Windows-WMI"
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,77,00,62,00,65,00,6d,00,5c,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,\
00,52,00,2e,00,64,00,6c,00,6c,00,00,00
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,77,00,62,00,65,00,6d,00,5c,00,57,00,69,00,6e,00,4d,00,67,00,6d,00,74,00,\
52,00,2e,00,64,00,6c,00,6c,00,00,00
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}\ChannelReferences]
"Count"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{1edeee53-0afe-4609-b846-d8c0b2075b1f}\ChannelReferences\0]
@="Application"
"Id"=dword:00000009
"Flags"=dword:00000001
Best Answer
Missing event ids can easily be added using the EventCreate command line command. More information can be found at https://technet.microsoft.com/en-us/library/bb490899.aspx.