Sign in with
Sign up | Sign in
Your question

FIX: EventSystem 4609 errors after installing XP SP2

Last response: in Windows XP
Share
Anonymous
June 10, 2005 8:13:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi,

I've been seeing a particular problem on certain Windows XP computers when
they are updated to Service Pack 2, and judging from posts in these
newsgroups and also on other Internet message boards, it's quite a common
problem. The symptoms are that after SP2 has been installed, and the machine
has been rebooted a few times, the following error message occurs in the
Application Event Log:

Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 10/06/2005
Time: 10:40:23
User: N/A
Computer: HISAD
Description:
The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80070005 from line 44 of
d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact
Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Some errors may be slightly different:

Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 10/06/2005
Time: 09:30:35
User: N/A
Computer: HISAD
Description:
The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 80080005 from line 44 of
d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact
Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

and at the same time errors similar to the following (sometimes with a
different GUID number) may occur in the System event log:

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10010
Date: 10/06/2005
Time: 09:53:34
User: NT AUTHORITY\SYSTEM
Computer: HISAD
Description:
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM
within the required timeout.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I ummed and ahhed over this problem for a while, and eventually found the
following two articles relating to Windows 2000 Service Pack 4:

Overview of the "Impersonate a Client After Authentication" and the "Create
Global Objects" Security Settings (821546.KB.EN-US.2.2)
http://support.microsoft.com/?kbid=821546

Local Security Policy Values May Revert to the Values That Are Stored in
SecEdit.sdb After You Install Windows 2000 Service Pack 4
http://support.microsoft.com/?kbid=827664

It turns out that in Windows 2000 Service Pack 4 two new user rights were
added, "Impersonate a client after authentication" (SeImpersonatePrivilege)
and "Create Global Objects" (SeCreateGlobalPrivilege).

Even though the articles don't say so, it seems that they were also added in
Windows XP Service Pack 2.

However, it seems that *sometimes* something goes wrong in the XP SP2
installer when it sets up these two new user rights. I think this is why some
computers get the above error messages. It doesn't happen all the time, and I
can't see any rhyme or reason to which computers get messed up and which ones
don't. I reckon it's a race condition or some other similar bug in the
installer.

The reason that the problem doesn't always manifest itself straight away is
probably because by default Windows only 'refreshes' its security settings
every 16 hours, and if that refresh is a while away you might not see the
problem for a while. Some networks may also have turned up this refresh time,
so the problem is even worse.

Some sites may also have these settings set (possibly incorrectly) in their
Default Domain Policy group policy, which could also mess things up. However,
at my site we don't have these settings set on the domain anywhere, only in
the Local Security Settings, and yet we still have the problem.

Anyway, if the security settings upgrade goes wrong, you end up with the
error. Fortunately, it seems to be quite easy to fix:

On the affected workstation:
1) Go to Start/Settings/Control Panel/Administrative Tools
2) Run 'Local Security Policy'
3) Go to Security Settings/Local Policies/User Rights Assignments
4) Double click on 'Create global objects'.
The correct default settings are 'Administrators', 'INTERACTIVE' and
'SERVICE'.
5) Double click on 'Impersonate a client after authentication'.
The correct default settings are 'Administrators', 'ASPNET' (if you have
the .NET framework installed) and 'SERVICE'

Even if the settings are set correctly, you may need to 'refresh' them to
fix the problem.
To do this, on each policy, remove one of the entries ('SERVICE' is probably
the best to remove), then press OK to save the changes, and then go back in
and add it back in again (click 'Add User or Group...', type 'SERVICE' into
the white box, and press OK).

Then close the Local Security Settings box and reboot. If you are running in
a domain with Group Policy you might want to force a group policy refresh
before you reboot by running 'gpupdate /force'.

I hope this helps some people!

Regards,

Chris
Anonymous
June 17, 2005 8:00:01 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

As a followup to my own post, if the suggestion I made below doesn't help,
you can also try the workaround posted at TechRepublic here:

http://techrepublic.com.com/5138-10877_11-5657162.html

When is this problem going to be at least acknowledged on the Knowledge
Base, and a fix provided?!?

"Christopher Hill" wrote:

> Hi,
>
> I've been seeing a particular problem on certain Windows XP computers when
> they are updated to Service Pack 2, and judging from posts in these
> newsgroups and also on other Internet message boards, it's quite a common
> problem. The symptoms are that after SP2 has been installed, and the machine
> has been rebooted a few times, the following error message occurs in the
> Application Event Log:
>
> Event Type: Error
> Event Source: EventSystem
> Event Category: (50)
> Event ID: 4609
> Date: 10/06/2005
> Time: 10:40:23
> User: N/A
> Computer: HISAD
> Description:
> The COM+ Event System detected a bad return code during its internal
> processing. HRESULT was 80070005 from line 44 of
> d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact
> Microsoft Product Support Services to report this error.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Some errors may be slightly different:
>
> Event Type: Error
> Event Source: EventSystem
> Event Category: (50)
> Event ID: 4609
> Date: 10/06/2005
> Time: 09:30:35
> User: N/A
> Computer: HISAD
> Description:
> The COM+ Event System detected a bad return code during its internal
> processing. HRESULT was 80080005 from line 44 of
> d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact
> Microsoft Product Support Services to report this error.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> and at the same time errors similar to the following (sometimes with a
> different GUID number) may occur in the System event log:
>
> Event Type: Error
> Event Source: DCOM
> Event Category: None
> Event ID: 10010
> Date: 10/06/2005
> Time: 09:53:34
> User: NT AUTHORITY\SYSTEM
> Computer: HISAD
> Description:
> The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM
> within the required timeout.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> I ummed and ahhed over this problem for a while, and eventually found the
> following two articles relating to Windows 2000 Service Pack 4:
>
> Overview of the "Impersonate a Client After Authentication" and the "Create
> Global Objects" Security Settings (821546.KB.EN-US.2.2)
> http://support.microsoft.com/?kbid=821546
>
> Local Security Policy Values May Revert to the Values That Are Stored in
> SecEdit.sdb After You Install Windows 2000 Service Pack 4
> http://support.microsoft.com/?kbid=827664
>
> It turns out that in Windows 2000 Service Pack 4 two new user rights were
> added, "Impersonate a client after authentication" (SeImpersonatePrivilege)
> and "Create Global Objects" (SeCreateGlobalPrivilege).
>
> Even though the articles don't say so, it seems that they were also added in
> Windows XP Service Pack 2.
>
> However, it seems that *sometimes* something goes wrong in the XP SP2
> installer when it sets up these two new user rights. I think this is why some
> computers get the above error messages. It doesn't happen all the time, and I
> can't see any rhyme or reason to which computers get messed up and which ones
> don't. I reckon it's a race condition or some other similar bug in the
> installer.
>
> The reason that the problem doesn't always manifest itself straight away is
> probably because by default Windows only 'refreshes' its security settings
> every 16 hours, and if that refresh is a while away you might not see the
> problem for a while. Some networks may also have turned up this refresh time,
> so the problem is even worse.
>
> Some sites may also have these settings set (possibly incorrectly) in their
> Default Domain Policy group policy, which could also mess things up. However,
> at my site we don't have these settings set on the domain anywhere, only in
> the Local Security Settings, and yet we still have the problem.
>
> Anyway, if the security settings upgrade goes wrong, you end up with the
> error. Fortunately, it seems to be quite easy to fix:
>
> On the affected workstation:
> 1) Go to Start/Settings/Control Panel/Administrative Tools
> 2) Run 'Local Security Policy'
> 3) Go to Security Settings/Local Policies/User Rights Assignments
> 4) Double click on 'Create global objects'.
> The correct default settings are 'Administrators', 'INTERACTIVE' and
> 'SERVICE'.
> 5) Double click on 'Impersonate a client after authentication'.
> The correct default settings are 'Administrators', 'ASPNET' (if you have
> the .NET framework installed) and 'SERVICE'
>
> Even if the settings are set correctly, you may need to 'refresh' them to
> fix the problem.
> To do this, on each policy, remove one of the entries ('SERVICE' is probably
> the best to remove), then press OK to save the changes, and then go back in
> and add it back in again (click 'Add User or Group...', type 'SERVICE' into
> the white box, and press OK).
>
> Then close the Local Security Settings box and reboot. If you are running in
> a domain with Group Policy you might want to force a group policy refresh
> before you reboot by running 'gpupdate /force'.
>
> I hope this helps some people!
>
> Regards,
>
> Chris
>
Anonymous
June 28, 2005 8:01:17 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi Chris,

I have just installed XP Home Edition on a new PC, and am experiencing
random crashes. The event log shows an identical message to the one you
were talking about:

Christopher Hill Wrote:
>
> Event Type: Error
> Event Source: EventSystem
> Event Category: (50)
> Event ID: 4609
> Date: 10/06/2005
> Time: 10:40:23
> User: N/A
> Computer: HISAD
> Description:
> The COM+ Event System detected a bad return code during its internal
> processing. HRESULT was 80070005 from line 44 of
> d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please
> contact
> Microsoft Product Support Services to report this error.
>

The interesting thing is that I have NOT installed SP2.

Unfortunately, when I try your fix:
>
> On the affected workstation:
> 1) Go to Start/Settings/Control Panel/Administrative Tools
> 2) Run 'Local Security Policy'
>

I find no "Local Security Policy" under Control Panel/Administrative
Tools!

Actually, I suspect this d**n .Net Framework thing. I wouldn't have
installed it, but it comes with my scanner, an HP ScanJet 4070. After I
install the scanner, I get a Log on screen when I start Windows, asking
me to choose a user account - but only my own account is showing. When
I sought a solution so that I didn't have to go through this step every
time I boot, I was told to de-activate the user ASPNET. This I have
done, but is it possible to get rid of .NET Framework altogether? I
really don't need it, and honestly can't imagine why I would, but HP
insist on installing it so that their automatic update will work.

What can I do now to stop these crashes? I'm getting really frustrated
here. Hope you can point me in the right direction. Thank you in
advance.

Cheers,
Geoff


--
barrow_52
Related resources
Anonymous
July 2, 2005 4:55:50 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Christopher Hill Wrote:
> Hi,
>
> Did you try the fix I mentioned in my second post? See the following
> site:
> http://techrepublic.com.com/5138-10877_11-5657162.html
> --
>
Well actually I hadn't at the time of my last posting. In the meantime
I got so frustrated that I reformated the disk and did a complete new
installation of XP. Sort of hoped that might solve the problem, but no,
the error message was still in the Event Log, every time I booted
Windows, and it didn't take long before it crashed, just as before. So
I tried this other fix you pointed out, but that didn't exactly go as
planned, because when I go to the Remote Procedure Call page, the
option to set the log on to Local System account is grey and cannot be
changed. On the RPC Locator window, it -is- possible to make this
change, and I did so, but it didn't solve the problem.

Anyway, in the mean time I have noticed that the error message I get is
not -exactly- the same as in your original posting. The difference is
that mine says "HRESULT was C0000005 from line 44.....", not 80070005.


So maybe I have been barking up the wrong tree? When I googled for this
particular wording, I got a couple of hits, one of which is fairly
unhelpful, but the other is
http://www.pcreview.co.uk/forums/showthread.php?p=54947.... This appears
to be indicating that the problem may be a -hardware- fault, and nothing
to do with Windows. This is extremely upsetting, since I had come to the
conclusion that if this was a Windows problem, I could at least take it
to the local store where I bought the Windows licence. However, if it
may be a hardware problem I don't know -what- to do. The computer was
bought by mail order, so I guess I have to get on the supplier and
arrange to have it shipped back. I bought a 2 year extended warranty,
so I guess that is OK, but it's a lot of hassle, especially if it turns
out that the problem -is- the Windows installation....

Cheers,
Geoff


--
barrow_52
Anonymous
July 2, 2005 5:01:36 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Oh, by the way, in the course of all my googling, I found the
following:

http://support.microsoft.com/default.aspx?kbid=821546

- which does seem to indicate that Microsoft not only know about the
problem to which you were originally referring, but also that they have
provided a workaround, which is identical to the one you described.
Unfortunately, it doesn't help people like me, who don't have "Local
Security Policy" under "Administrative Tools".

Geoff


--
barrow_52
!