A Service Terminated Unexpectedly

Microsoft.Windows.Server.6.2.OperatingSystem.ServiceTerminatedUnexpextedly.Alert (Rule)

An event was collected indicating an unexpected service termination.

Knowledge Base article:

Summary

This rule generates an alert when a Windows® service unexpectedly terminates. In addition to the service termination event, a Windows Error Reporting event (Source: DrWatson; ID: 4097) is often created and will be collected by Operations Manager. This additional event may prove helpful when attempting to resolve the service termination Alert.

Causes

When a service unexpectedly terminates the application, Dr. Watson detects that the application has generated a general protection fault (GPF). A GPF occurs when an application attempts to read or write to a memory location that it does not have access to. This often results in the termination of the program and the loss of unsaved data.

Resolutions

When a service unexpectedly terminates, you can select one of the following options to address the issue:

Look for related support information at the software vendor’s Web site.
Install any service pack or product updates for the relevant application.
Install any service packs or updates for any relevant subsystems that the application depends on.

If the service terminates unexpectedly with unusual frequency, and related support information is unavailable, you should contact the software vendor for support.

Sample Event:

This rule generates an alert whenever any of the following events occur in the System Event Log:

About to revert to the last known good configuration because the %1 service failed to start.

The %1 service terminated with the following error: %n%2

The %1 service terminated with service-specific error %2.

The %1 service terminated unexpectedly. It has done this %2 time(s). The following corrective action will be taken in %3 milliseconds: %5.

The Service Control Manager tried to take a corrective action (%2) after the unexpected termination of the %3 service, but this action failed with the following error: %n%4

The %1 service terminated unexpectedly. It has done this %2 time(s).

Source: Service Control Manager; 7021; About to revert to the last known good configuration because the %1 service failed to start.
Source: Service Control Manager; 7023; The %1 service terminated with the following error: %n%2
Source: Service Control Manager; 7024; The %1 service terminated with service-specific error %2.
Source: Service Control Manager; 7031; The %1 service terminated unexpectedly. It has done this %2 time(s). The following corrective action will be taken in %3 milliseconds: %5.
Source: Service Control Manager; 7032; The Service Control Manager tried to take a corrective action (%2) after the unexpected termination of the %3 service, but this action failed with the following error: %n%4
Source: Service Control Manager; 7033; The Service Control Manager did not initialize successfully. The security configuration server (scesrv.dll) failed to initialize with error %1. The system is restarting...
Source: Service Control Manager; 7034; The %1 service terminated unexpectedly. It has done this %2 time(s).

Element properties:

Target

Microsoft.Windows.Server.6.2.OperatingSystem

Category

EventCollection

Enabled

False

Alert Generate

True

Alert Severity

Warning

Alert Priority

Normal

Remotable

True

Alert Message

Service terminated unexpectedly

{0}

Event Log

System

Member Modules:

ID	Module Type	TypeId	RunAs
EventDS	DataSource	Microsoft.Windows.EventProvider	Default
GenerateAlert	WriteAction	System.Health.GenerateAlert	Default

Source Code:

<Rule ID="Microsoft.Windows.Server.6.2.OperatingSystem.ServiceTerminatedUnexpextedly.Alert" Enabled="false" Target="WindowsServer!Microsoft.Windows.Server.6.2.OperatingSystem" ConfirmDelivery="true">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="EventDS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>System</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>EventSourceName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>Service Control Manager</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <Or>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery>EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value>7021</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery>EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value>7024</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery>EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value>7031</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery>EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value>7032</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery>EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value>7033</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

              <Expression>

                <SimpleExpression>

                  <ValueExpression>

                    <XPathQuery>EventDisplayNumber</XPathQuery>

                  </ValueExpression>

                  <Operator>Equal</Operator>

                  <ValueExpression>

                    <Value>7034</Value>

                  </ValueExpression>

                </SimpleExpression>

              </Expression>

            </Or>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Windows.Server.6.2.OperatingSystem.ServiceTerminatedUnexpextedly.Alert.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>