
Windows 7 Event Log Help

(@matrix)
Topic starter
 

I am looking at the Microsoft-Windows-Application-Experience%4Program-Inventory event log from a Windows 7 system. Normally this log would contain EventID codes of 900, 901, 903, 904, 905, 906, 907, and 908. This system’s log only contains EventID code 800. Each of these EventID 800 contain an Exit code. These exit codes are 200, 221, 223, 228, and 400.

Does anyone know the meaning of each of these exit codes? The exit code of 200 and 400 seem to denote that the number of programs, add-ons, and new installations has been reset to zero.

Any assistance is greatly appreciated.

 
Posted : 02/03/2015 6:01 am
keydet89
(@keydet89)
 

http://journeyintoir.blogspot.com/2014/03/exploring-program-inventory-event-log.html

http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html

 
Posted : 05/03/2015 4:50 pm
zoltandfw
(@zoltandfw)
 

This is probably the most complete exit code list I've ever seen, but even this one only has an explanation of 200 and not the others you've listed. Since exit codes for the same type of error condition start with the same digit, I would guess that all the 2.. codes are code-segment related errors. I hope this will help.

http://www.symantec.com/connect/articles/windows-system-error-codes-exit-codes-description

 
Posted : 12/03/2015 7:30 am
(@athulin)
 

Does anyone know the meaning of each of these exit codes?

They seem to be undocumented.

The exit code of 200 and 400 seem to denote that the number of programs, add-ons, and new installations has been reset to zero.

I interpret the log entry differently. It looks more like it says 'I could not find any updates etc. to be performed, so none (0) of these activities (as listed) were performed in this session.'

I can't identify what the difference between 200 and 400 is, though.

 
Posted : 12/03/2015 10:40 pm
(@athulin)
 

This is probably the most complete exit code list I've ever seen, but even this one only has explanation of 200 and not the others you've listed.

There's also https://msdn.microsoft.com/en-us/library/ms681381%28v=vs.85%29.aspx

However keep in mind that system error codes and exit codes do not need to be the same thing.

System error codes are mainly used inside programs, and are used to identify an error from a Windows system API call by severity, custom error or not, facility, etc.

Exit codes are (at least where I have encountered them) the parameter that GUI software pass on to the WM_QUIT message, or other software return from the WinMain() function.

A bit like the difference between the parameter to exit() and the variable errno in Unix.

No one stops a programmer from passing a system error code to exit/WM_QUIT, but general practice keeps them apart.

 
Posted : 12/03/2015 11:27 pm
zoltandfw
(@zoltandfw)
 

Since you had an EventID 800, does that mean that you have a DNS server running on this system? Based on athulin's great MSDN reference, it seems as if a zone transfer or update did not succeed due to a segmentation fault, too large a file size, or the file not being accessed properly for writing.

Is someone "messing" with your DNS config?

 
Posted : 13/03/2015 4:42 am
keydet89
(@keydet89)
 

Since you had an EventID 800, does that mean that you have a DNS server running on this system? Based on athulin's great MSDN reference, it seems as if a zone transfer or update did not succeed due to a segmentation fault, too large a file size, or the file not being accessed properly for writing.

Is someone "messing" with your DNS config?

It looks as if you're referring to this

https://technet.microsoft.com/en-us/library/cc735774%28v=ws.10%29.aspx

That's a different log file entirely from what the OP was asking about.

Most analysts don't realize that you can't just say "event ID 800" and have it mean the same thing to everyone; many event IDs have different entries in different Windows Event Log/*.evtx files.

Take a look at Corey's blog post
http://journeyintoir.blogspot.com/2014/03/exploring-program-inventory-event-log.html

Same event ID (800), but different log file, and completely different context.

This is why I've been recommending that event records be referred to as source/ID pairs…maybe one day, that'll catch on.

 
Posted : 13/03/2015 4:26 pm
zoltandfw
(@zoltandfw)
 

We do not have enough information to give a precise answer to his question. We only have the channel and not the provider info; DNS is one possible answer.

In order to provide the most accurate analysis, you would need to look at the eventID as it relates to the provider, the level ( WINMETA.XML ), the OpCode ( WINMETA.XML ), the exit code ( WinError.h ), and at least the Execution Process ID. You only need to worry about standard codes not being reliable indicators if the process is not a Microsoft product, so keep it simple and trust the codes until indicated otherwise. So, if the reporting process is still running, a simple tasklist |findstr <PID> can reveal the process, or go deeper to analyze the thread the process belongs to ( use Process Explorer ).

If the events in question are reoccurring and you can not pinpoint the offending process, then create a task to drop the tasklist every time this event occurs ( Attach task to this event from event viewer ).

Blog posts are usually too specific and do not help in developing a generic approach methodology unless the problem matches exactly the one discussed in the post.

 
Posted : 13/03/2015 8:35 pm
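As an added example that is not part of the thread, the following PowerShell script applies keydet89's source/ID pairing and the provider/level/opcode/PID checklist from the post above to the channel the OP named. It assumes the "Exit code" travels in the event's EventData; since the thread does not give that field's name, every Data field of each record is listed.

```powershell
# Added example, not code from the thread. Pulls the requested event ID from each
# channel and keys every record by its provider/ID pair (keydet89's point), together
# with the level, opcode and execution PID that zoltandfw lists.
# Assumption: the "Exit code" is one of the <Data> fields in EventData; its name is
# not given in the thread, so all fields are shown as name=value.
param(
    [string[]]$Channels = @('Microsoft-Windows-Application-Experience/Program-Inventory'),
    [int]$EventId = 800
)

$records = foreach ($channel in $Channels) {
    # A channel that is absent on this host, or has no matching events, is skipped silently.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = $EventId } -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        $xml  = [xml]$evt.ToXml()
        $data = [ordered]@{}
        $i = 0
        foreach ($d in $xml.Event.EventData.Data) {
            # Named <Data Name="..."> elements come back as objects; unnamed ones as plain strings.
            if ($d -is [string]) { $data["Data$i"] = $d } else { $data[$d.Name] = $d.'#text' }
            $i++
        }
        # The "tasklist | findstr <PID>" check: is the reporting process still running?
        $proc = Get-Process -Id $evt.ProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Channel   = $channel
            SourceId  = '{0}/{1}' -f $evt.ProviderName, $evt.Id   # provider/ID pair, not bare ID
            Level     = $evt.LevelDisplayName
            Opcode    = $evt.OpcodeDisplayName
            ProcessId = $evt.ProcessId
            Process   = $(if ($proc) { $proc.ProcessName } else { '(exited)' })
            Data      = ($data.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; '
        }
    }
}

$records | Sort-Object Time | Format-Table -AutoSize

# The same numeric ID means something different under each provider, so tally by
# source/ID pair rather than by ID alone.
$records | Group-Object SourceId | Select-Object Count, Name
```

Passing a second channel (for example the DNS Server log on a host that has one) via -Channels shows the same ID 800 grouped under a different provider, which is exactly the ambiguity the thread is about.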