A service has entered an unpredictable state.
This rule generates an alert when the Service Control Manager detects that a service has started with an invalid configuration. It is important to note that even though the Service Control Manager detected an invalid configuration, the service still started successfully.
The service may not be running as expected and may behave in an unpredictable manner. Additionally, the service may not be able to be restarted until the issue is resolved.
Sample Event:
This rule generates an alert whenever any of the following events occur and are recorded in the System Event Log:
Source: Service Control Manager; Event ID: 7030
The %1 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
Source: Service Control Manager; Event ID: 7037
The Service Control Manager encountered an error that has undone a configuration change to the %1 service. The service's %2 is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the %1 service or you may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in MMC.
This alert is generated whenever any of the following conditions occur:
The service is configured to run interactively but system policy is configured to prevent services from running in this mode.
An error occurred while attempting to configure the service.
There are two possible resolutions for this alert. Refer to the event that generated the alert and select the appropriate set of resolution steps.
Event ID: 7030
To resolve this alert, consult with a subject matter expert or the vendor to determine if the service must run interactively on the desktop. If not, follow these steps:
Open the Services MMC snap-in.
Double-click the appropriate Service and open that service’s property sheet.
Click the Log On tab.
Clear the Allow service to interact with desktop check box.
If the service must run interactively, you will need to change the “Allow service to interact with desktop” system policy. To do this, perform the following steps:
Open the Registry Editor.
Navigate to the registry value “NoInteractiveServices” at: HKLM\System\CCC\Control\Windows
Set the value from “0” to “1” (0 - Enabled, 1 - Disabled).
Open the Services MMC snap-in.
Select the appropriate Service and restart it.
Event ID: 7037
Resolve this alert by doing the following:
Open the Services MMC snap-in.
Double-click the appropriate service and open that service’s property sheet.
Click each of the tabs and verify that the configuration information is appropriate. Update any configuration fields that have incorrect or corrupted data in them.
Restart the service and check the event log to determine whether another instance of event 7037 has occurred. If not, the issue has been resolved.
If a new instance of event 7037 occurs, use Sc.exe to examine the service’s advanced configuration settings and then update them as appropriate. Use the qc and config commands within Sc.exe to view and configure the service.
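The checks in both resolution procedures can be scripted. The PowerShell below is an added example, not part of the management pack or its knowledge text: it finds the same events the rule matches and shows the current configuration of each service named in them. It assumes Windows PowerShell 3.0 or later on the affected host and that the first insertion string of each event is the service name (%1 in the messages above); Get-ScmConfigEvent is a hypothetical helper name.

```powershell
# Added example. Get-ScmConfigEvent is a hypothetical helper name.
# Assumption: insertion string 1 (%1 in the messages above) is the service
# name, which may be either the key name or the display name.
function Get-ScmConfigEvent {
    param([int]$Days = 7)

    # Same condition as the rule: System log, source "Service Control Manager",
    # event ID 7030 or 7037.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7030, 7037
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events   = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $services = Get-CimInstance -ClassName Win32_Service

    foreach ($group in ($events | Group-Object { [string]$_.Properties[0].Value })) {
        $svc = $services |
            Where-Object { $_.Name -eq $group.Name -or $_.DisplayName -eq $group.Name } |
            Select-Object -First 1
        $last = $group.Group | Sort-Object TimeCreated | Select-Object -Last 1

        [pscustomobject]@{
            Service         = $group.Name
            EventIds        = ($group.Group.Id | Sort-Object -Unique) -join ','
            Occurrences     = $group.Count
            LastSeen        = $last.TimeCreated
            KeyName         = $svc.Name             # empty if the service no longer exists
            DesktopInteract = $svc.DesktopInteract  # the "interact with desktop" setting (7030)
            LogOnAs         = $svc.StartName
            StartMode       = $svc.StartMode
            BinaryPath      = $svc.PathName
        }
    }
}

$report = @(Get-ScmConfigEvent -Days 7)
$report | Format-Table Service, EventIds, Occurrences, LastSeen, DesktopInteract, LogOnAs -AutoSize

# For services that logged 7037, print the stored configuration for review.
# Call sc.exe by its full name: in Windows PowerShell, "sc" is an alias for Set-Content.
foreach ($row in ($report | Where-Object { $_.EventIds -match '7037' -and $_.KeyName })) {
    sc.exe qc $row.KeyName
}
```

Compare LogOnAs and BinaryPath against the values you expect for each service before correcting anything with sc.exe config.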
Target | Microsoft.Windows.Server.2003.OperatingSystem |
Category | EventCollection |
Enabled | True |
Event Source | Service Control Manager |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | System |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.Server.2003.OperatingSystem.ServiceEnteredUnpredictableState.Alert" Enabled="true" Target="Microsoft.Windows.Server.2003.OperatingSystem" ConfirmDelivery="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Service Control Manager</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7037</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7030</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.2003.OperatingSystem.ServiceEnteredUnpredictableState.Alert.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>