Microsoft KB Archive/173210
Article ID: 173210
Article Last Modified on 11/1/2006
- Microsoft Windows NT Workstation 3.5
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Server 3.5
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0 Standard Edition
This article was previously published under Q173210
An event ID 2000 may appear in the System Event log of a computer running Windows NT server when a remote network command fails. The following error message may appear as well:
An event 2000 may appear when a network application sends a Delete File command to the shared network drive of a computer running Windows NT Server if the file it is trying to delete does not exist on that server. A "STATUS_NO_SUCH_FILE" event ID 2000 with the following data will appear in the System Event Log:
0000: 00040000 00540001 00000000 c00007d0 0010: 00000000 c000000f 00000000 00000000 0020: 00000000 00000000 05180bc5
When you review an event 2000, pay particular attention to the second word in the second line of the event data (in this case, c000000f). The event that corresponds to c000000f is the one connected with the STATUS_NO_SUCH_FILE message.
If your computer is running Windows NT Server 4.0, you can determine the cause of the event by installing the Network Monitor Tools and Agent. You can do this in Control Panel, by double-clicking Network, clicking Services, and then clicking Add.
For instructions on setting up Network Monitor, see the following Microsoft Knowledge Base article:
148942 How to Capture Network Traffic with Network Monitor
If you need to monitor the network from an alternate platform, contact Microsoft Technical Support; or obtain Network Monitor from the Systems Management Server installation, if it is available.
The System.evt file can be monitored in the same time window to determine the time interval that may contain an event 2000 in the trace. Filtering event 2000s in Network Monitor makes reviewing the capture easier to read.
To filter in Network Monitor, use the following steps:
- Open a capture file; use any name ending in .cap.
- Click the Capture menu, and then click Display Captured Data, and then press F8 to show the Display Filter window.
- In the Display Filter window, double click the second line under AND where it reads ANY<->ANY.
- Click the Property tab.
- Click +SMB in the Protocol:Property window.
- Click Command, and then select Delete File from the Value column on the right.
- Click OK twice.
Network Monitor displays frames containing filtered data. Traces similar to the ones below will be displayed:
4207 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.TAF 18.104.22.168 22.214.171.124 IP 4217 SMB R delete file - DOS Error, (2) FILE_NOT_FOUND 126.96.36.199 188.8.131.52 IP 5031 SMB C delete file, File = \APPS\EIS\APL\PCDM\PCDMNNI\PCDMNNI.ILM 184.108.40.206 220.127.116.11 IP 5040 SMB R delete file 18.104.22.168 22.214.171.124 IP
Frame 4207 shows that a computer with the address 126.96.36.199 is sending the Delete File command to delete the file Pcdmnni.taf. Frame 4217 shows that the computer running Windows NT Server with the address 188.8.131.52 responds with the message FILE_NOT_FOUND; this frame will correspond with the event 2000 listed in System.evt. Frame 5031 shows that the file has been renamed to Pcdmnni.ilm and that the command Delete File is sent again. Finally, frame 5040 shows that the file has been deleted successfully.
Keywords: kbhowto kbprb kbtshoot KB173210