Microsoft KB Archive/917463

= A Service Control Manager (SCM) event cannot be logged in the System event log on a Windows Server 2003-based computer =

Article ID: 917463

Article Last Modified on 11/27/2007

-

APPLIES TO

 * Microsoft Windows Server 2003 Service Pack 1, when used with:
 ** Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Enterprise x64 Edition
 ** Microsoft Windows Server 2003, Standard x64 Edition
 ** Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003 Service Pack 2, when used with:
 ** Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Enterprise x64 Edition
 ** Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 ** Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 ** Microsoft Windows Server 2003, Standard x64 Edition

-


SYMPTOMS
A Service Control Manager (SCM) event cannot be logged in the System event log on a Windows Server 2003-based computer when the following conditions are true:
 * You apply Windows Server 2003 Service Pack 1 or Service Pack 2 on this computer.
 * You run the Sysprep.exe command on this computer, or you run the Active Directory Installation Wizard (Dcpromo.exe) on this computer.

Additionally, if you enable the Audit logon events local policy on the computer, the following event is logged in the Security log:

 Event Type: Failure Audit
 Event Source: Security
 Event ID: 537
 Description:
 Logon Failure:
 Reason: An error occurred during logon
 Authentication Package: Kerberos
 Status code: 0xC000040A


CAUSE
This issue occurs when the user who is logged on is not the user who is registered in the Windows Management Instrumentation (WMI) repository. WMI does not allow events to be written to the System event log if the user who is logged on is not registered in the WMI repository.


WORKAROUND
To work around this issue, follow these steps:

 1. Click Start, click Run, type control panel, and then click OK.
 2. Double-click Scheduled Tasks, click Advanced, and then click AT Service Account.
 3. In the AT Service Account Configuration dialog box, select System Account.
 4. Click Start, click Run, type cmd, and then click OK.
 5. At the command prompt, type the following command:

 AT /i mofcomp %windir%\system32\wbem\scm.mof

 Note This step recompiles the Scm.mof file.

 Note The AT command schedules commands and programs to run on a computer at a specified time and date, such as /every: date[2005:05:16:12:00:00]. You can run the /every: date[ ] command on each specified day of the week or month. If the date is omitted, the current day of the month is assumed. The Schedule service must be running to use the AT command. The /i switch allows the job to interact with the desktop of the user who is logged on when the job runs.
 6. Close the command prompt, and then restart the computer.
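To check a server for the two symptoms described above, and to confirm after the restart that SCM events are reaching the System log again, the following added example (not part of the original article) queries both logs. It assumes Windows PowerShell 2.0 or later and an administrative session; the function name `Test-ScmLoggingSymptom` and the 24-hour default window are hypothetical, and the window should cover a restart or a service start or stop.

```powershell
# Added example, not from the original article.
# Assumptions: Windows PowerShell 2.0+, run as an administrator
# (reading the Security log requires it). Function name and the
# default lookback window are hypothetical.
function Test-ScmLoggingSymptom {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$LookbackHours = 24
    )

    $since  = (Get-Date).AddHours(-$LookbackHours)
    $common = @{
        ComputerName = $ComputerName
        After        = $since
        # Get-EventLog reports "no matches" as an error; suppress it.
        # Note that this also hides access-denied errors.
        ErrorAction  = 'SilentlyContinue'
    }

    # Symptom 1: no Service Control Manager events in the System log.
    $scm = @(Get-EventLog -LogName System -Source 'Service Control Manager' @common)

    # Symptom 2: Failure Audit event 537 with status code 0xC000040A.
    # Only present when the "Audit logon events" policy is enabled.
    $audit = @(Get-EventLog -LogName Security -EntryType FailureAudit @common |
        Where-Object { $_.EventID -eq 537 -and $_.Message -match '0xC000040A' })

    New-Object PSObject -Property @{
        ComputerName     = $ComputerName
        Since            = $since
        ScmEventCount    = $scm.Count
        ScmEventsMissing = ($scm.Count -eq 0)
        Audit537Count    = $audit.Count
        LastAudit537     = ($audit | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated
    }
}

# Usage: run before applying the workaround and again after the restart.
Test-ScmLoggingSymptom -LookbackHours 24 | Format-List
```

A result with `ScmEventsMissing` set to `True` over a window that includes a restart matches the first symptom; a nonzero `Audit537Count` matches the second.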


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Additional query words: scm, at, 53520

Keywords: kbserver kbscm kbtshoot kbbug KB917463


© Microsoft Corporation. All rights reserved.