An event was detected indicating a service or driver failed to start.
This rule generates an alert when a Windows® service or device driver fails to start.
Sample Event:
This rule will generate an alert when any of the following events occur in the System Event Log:
The %1 service failed to start due to the following error: %n%2
The %1 service depends on the %2 service which failed to start because of the following error: %n%3
No backslash is in the account name.
Logon attempt with current password failed with the following error: %n%1
Second logon attempt with old password also failed with the following error: %n%1
The %1 service hung on starting.
The %1 service terminated with the following error: %n%2
At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.
The following boot-start or system-start driver(s) failed to load: %1
The %1 service was unable to log on as %2 with the currently configured password due to the following error: %n%3%n%nTo ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Source: Service Control Manager; Event ID: 7000; The %1 service failed to start due to the following error: %n%2
Source: Service Control Manager; Event ID: 7001; The %1 service depends on the %2 service which failed to start because of the following error: %n%3
Source: Service Control Manager; Event ID: 7008; No backslash is in the account name.
Source: Service Control Manager; Event ID: 7022; The %1 service hung on starting.
Source: Service Control Manager; Event ID: 7023; The %1 service terminated with the following error: %n%2
Source: Service Control Manager; Event ID: 7025; At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.
Source: Service Control Manager; Event ID: 7026; The following boot-start or system-start driver(s) failed to load: %1
Source: Service Control Manager; Event ID: 7038; The %1 service was unable to log on as %2 with the currently configured password due to the following error: %n%3%n%nTo ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
Source: Service Control Manager; Event ID: 7041; The %1 service was unable to log on as %2 with the currently configured password due to the following error.
A Windows service or device driver may fail to start for any one of the following reasons:
The account name defined for Log On is not formed correctly.
The password defined for Log On is invalid.
The service or driver stopped responding while starting.
The service or driver exited unexpectedly while starting.
This alert can generate a number of different events, each of which has unique resolution steps that you must follow. Refer to the events associated with this alert to determine the root cause, and then follow the appropriate set of resolution steps listed below.
Event ID: 7008 - The account name defined for Log On is malformed.
Open the Services MMC snap-in.
Double-click the appropriate service and open the service’s property sheet.
Click the Log On tab.
Type a correct account name.
The password defined for Log On is invalid.
Open the Services MMC snap-in.
Double-click the appropriate service and open the service’s property sheet.
Click the Log On tab.
Type the correct password for the specified account name.
The service or driver stopped responding while starting.
Open the Services MMC snap-in.
Double-click the appropriate service.
Attempt to Start or Restart the service or driver using the menu options.
The service or driver exited unexpectedly while starting.
Services
Open the Services MMC snap-in.
Double-click the appropriate service.
Start or restart the service or driver using the menu options.
Drivers
Open the Device Manager MMC snap-in.
Double-click the device that is associated with the driver.
Using the menu, select one of the following options:
a. Uninstall the device and rescan for hardware changes.
b. Attempt to update the driver to a more recent version that you obtain from the vendor.
c. Disable the device.
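To find the events behind an alert before choosing a set of resolution steps, the same selection the rule makes (System log, Service Control Manager source, the eleven event IDs in the rule definition) can be run locally. This is an added example, not part of the management pack; the one-day look-back window and the hint texts, which are this example's reading of the event messages above, are assumptions.

```powershell
# Event IDs taken from the rule's <Or> expression.
$ruleEventIds = 7000, 7001, 7002, 7003, 7008, 7022, 7023, 7025, 7026, 7038, 7041

# Hints derived from the event messages on this page (assumed grouping, not part of the rule).
$hints = @{
    7008 = 'Log On account name is malformed'
    7038 = 'Service could not log on with the configured password'
    7041 = 'Service could not log on with the configured password'
    7022 = 'Service hung on starting'
    7023 = 'Service terminated with an error'
    7026 = 'Boot-start or system-start driver failed to load'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = $ruleEventIds
    StartTime    = (Get-Date).AddDays(-1)   # assumed look-back window
}

# Get-WinEvent reports an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output 'No matching Service Control Manager events in the last day.'
}
else {
    # Summary per event ID, most frequent first.
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{ Name = 'EventId'; Expression = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Detail, oldest first, with the hint for the matching resolution steps.
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ Name = 'Hint'; Expression = {
                if ($hints.ContainsKey([int]$_.Id)) { $hints[[int]$_.Id] }
                else { 'See event description' } } },
            Message |
        Format-List
}
```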
Target | Microsoft.Windows.Server.6.2.OperatingSystem |
Category | EventCollection |
Enabled | False |
Alert Generate | True |
Alert Severity | Warning |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | System |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
EventDS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.Server.6.2.OperatingSystem.ServiceOrDriverFailedToStart.Alert" Enabled="false" Target="WindowsServer!Microsoft.Windows.Server.6.2.OperatingSystem" ConfirmDelivery="true">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery>EventSourceName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value>Service Control Manager</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <Or>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7000</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7001</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7002</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7003</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7008</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7022</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7023</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7025</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7026</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7038</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
              <Expression>
                <SimpleExpression>
                  <ValueExpression>
                    <XPathQuery>EventDisplayNumber</XPathQuery>
                  </ValueExpression>
                  <Operator>Equal</Operator>
                  <ValueExpression>
                    <Value>7041</Value>
                  </ValueExpression>
                </SimpleExpression>
              </Expression>
            </Or>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.6.2.OperatingSystem.ServiceOrDriverFailedToStart.Alert.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue/>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>