An event was collected indicating an unexpected service termination.
This rule generates an alert when a Windows® service unexpectedly terminates. In addition to the service termination event, a Windows Error Reporting event (Source: DrWatson; ID: 4097) is often created and will be collected by Operations Manager. This additional event may prove helpful when attempting to resolve the service termination Alert.
When a service terminates unexpectedly, Dr. Watson detects that the application has generated a general protection fault (GPF). A GPF occurs when an application attempts to read or write to a memory location that it does not have access to. This often results in the termination of the program and the loss of unsaved data.
When a service unexpectedly terminates, you can select one of the following options to address the issue:
- Look for related support information at the software vendor's Web site.
- Install any service pack or product updates for the relevant application.
- Install any service packs or updates for any relevant subsystems that the application depends on.
If the service terminates unexpectedly with unusual frequency, and related support information is unavailable, you should contact the software vendor for support.
Sample Event:
This rule generates an alert whenever any of the following events occur in the System Event Log:
Source | Event ID | Description |
---|---|---|
Service Control Manager | 7021 | About to revert to the last known good configuration because the %1 service failed to start. |
Service Control Manager | 7023 | The %1 service terminated with the following error: %n%2 |
Service Control Manager | 7024 | The %1 service terminated with service-specific error %2. |
Service Control Manager | 7031 | The %1 service terminated unexpectedly. It has done this %2 time(s). The following corrective action will be taken in %3 milliseconds: %5. |
Service Control Manager | 7032 | The Service Control Manager tried to take a corrective action (%2) after the unexpected termination of the %3 service, but this action failed with the following error: %n%4 |
Service Control Manager | 7034 | The %1 service terminated unexpectedly. It has done this %2 time(s). |
Target | Microsoft.Windows.Client.XP.OperatingSystem |
Category | EventCollection |
Enabled | False |
Alert Generate | False |
Remotable | True |
Event Log | System |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
WriteToDB | WriteAction | Microsoft.SystemCenter.CollectEvent | Default |
WriteToDW | WriteAction | Microsoft.SystemCenter.DataWarehouse.PublishEventData | Default |
```xml
<Rule ID="Microsoft.Windows.Client.XP.OperatingSystem.ServiceTerminatedUnexpextedly.Alert" Enabled="false" Target="Microsoft.Windows.Client.XP.OperatingSystem">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Service Control Manager</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <Or>
                  <Expression>
                    <Or>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7021</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7024</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                    </Or>
                  </Expression>
                  <Expression>
                    <Or>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7031</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                      <Expression>
                        <SimpleExpression>
                          <ValueExpression>
                            <XPathQuery>EventDisplayNumber</XPathQuery>
                          </ValueExpression>
                          <Operator>Equal</Operator>
                          <ValueExpression>
                            <Value>7032</Value>
                          </ValueExpression>
                        </SimpleExpression>
                      </Expression>
                    </Or>
                  </Expression>
                </Or>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7034</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WriteToDB" TypeID="SC!Microsoft.SystemCenter.CollectEvent"/>
    <WriteAction ID="WriteToDW" TypeID="SCDW!Microsoft.SystemCenter.DataWarehouse.PublishEventData"/>
  </WriteActions>
</Rule>
```
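To check which events the rule's criteria actually collect, the And/Or/SimpleExpression tree can be evaluated directly. The following is an added example, not part of the management pack: the helper names (`_eq`, `_or`, `matches`, `collected_ids`) are hypothetical and the sample events are constructed. It shows that event 7023, which appears in the event list on this page, is not among the IDs the criteria match.

```python
import xml.etree.ElementTree as ET

def _eq(field, value):  # one "field Equal value" SimpleExpression, as in the rule
    return ("<Expression><SimpleExpression><ValueExpression><XPathQuery>"
            f"{field}</XPathQuery></ValueExpression><Operator>Equal</Operator>"
            f"<ValueExpression><Value>{value}</Value></ValueExpression>"
            "</SimpleExpression></Expression>")

def _or(a, b):
    return f"<Expression><Or>{a}{b}</Or></Expression>"

# Condensed copy of the rule's criteria: same nesting and values as the XML above.
CRITERIA = ET.fromstring(
    "<Expression><And>" + _eq("PublisherName", "Service Control Manager")
    + _or(_or(_or(_eq("EventDisplayNumber", 7021), _eq("EventDisplayNumber", 7024)),
              _or(_eq("EventDisplayNumber", 7031), _eq("EventDisplayNumber", 7032))),
          _eq("EventDisplayNumber", 7034))
    + "</And></Expression>")

def _operand(value_expr, event):
    # An operand is either a property looked up on the event or a literal value.
    query = value_expr.findtext("XPathQuery")
    return str(event.get(query, "")) if query is not None else value_expr.findtext("Value")

def matches(expr, event):
    """Evaluate an <Expression> element (And / Or / SimpleExpression) against an event."""
    node = expr[0]
    if node.tag == "And":
        return all(matches(child, event) for child in node)
    if node.tag == "Or":
        return any(matches(child, event) for child in node)
    if node.tag == "SimpleExpression" and node.findtext("Operator") == "Equal":
        left, right = node.findall("ValueExpression")
        return _operand(left, event) == _operand(right, event)
    raise ValueError(f"unsupported criteria element: {node.tag}")

def collected_ids(expr):
    """Event IDs the criteria compare EventDisplayNumber against."""
    pairs = (s.findall("ValueExpression") for s in expr.iter("SimpleExpression"))
    return {int(r.findtext("Value")) for l, r in pairs
            if l.findtext("XPathQuery") == "EventDisplayNumber"}

# Constructed sample events (not taken from a real log).
SAMPLES = [
    {"PublisherName": "Service Control Manager", "EventDisplayNumber": 7034},
    {"PublisherName": "Service Control Manager", "EventDisplayNumber": 7023},
    {"PublisherName": "Example Publisher", "EventDisplayNumber": 7034},
]
print(sorted(collected_ids(CRITERIA)), [matches(CRITERIA, e) for e in SAMPLES])
```

The same `matches` function works on the `<Expression>` element parsed from the full rule XML, since whitespace between elements does not affect the child order.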