Performance registry corruption

Microsoft.Windows.Server.10.0.OperatingSystem.PerformanceRegistryCorruption.Alert (Rule)

Corruption was detected in the registry related to performance counters.

Knowledge Base article:

Summary

There were problems registering the Performance Counter provider specified in the event in the registry, or the integrity of the registry interface that is used to maintain performance counters has become corrupted.

The performance counter infrastructure uses the registry interface to maintain a list of the performance counters that have been installed on the system for each localized language.

Until the problem is resolved, applications that query performance counters will find that some or all of the counters specified in the event are not available. One such application is Windows System Monitor.

Causes

Registry keys for the performance infrastructure have been manually edited and corrupted the integrity of the infrastructure.

Another application that exposes performance counters have written over existing keys or incorrectly changed the values.

The LODCTR tool provided by Microsoft and used to install performance counters failed to install the performance counter provider.

Resolutions

On Windows® Server™ 8 systems, the registry integrity can be restored by typing Lodctr /R at the command line.

On earlier versions of Windows, you must rebuild the registry integrity. For more information about rebuilding performance counter library values, see KB article 300956, “How to Manually Rebuild Performance Counter Library Values,” at http://go.microsoft.com/fwlink/?LinkId=28515.

External

For more information about troubleshooting performance counters, see Microsoft Knowledge Base Article: 152513, “Troubleshooting Performance Monitor Counter Problems,” at http://go.microsoft.com/fwlink/?LinkId=30322.

Element properties:

TargetMicrosoft.Windows.Server.10.0.OperatingSystem
CategoryEventCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
Performance registry corruption
{0}
Event LogApplication

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Windows.Server.10.0.OperatingSystem.PerformanceRegistryCorruption.Alert" Enabled="true" Target="ServervNext!Microsoft.Windows.Server.10.0.OperatingSystem" ConfirmDelivery="true">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventSourceName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>loadperf</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<Or>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2004</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2006</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>2007</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>3000</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</Or>
</Expression>
<Expression>
<Or>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>3001</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>3002</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>3012</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>3018</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery>EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value>3015</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</Or>
</Expression>
</Or>
</Expression>
</Or>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.10.0.OperatingSystem.PerformanceRegistryCorruption.Alert.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>