Friday, April 18, 2008

Two PowerShell Event Logs on Exchange 2007 Servers

When PowerShell 1.0 is installed, an Event Log called "Windows PowerShell" is created.  When Exchange 2007 is then installed, a second Event Log called "PowerShell" is created.  Once this second log exists, multiple entries are written to it each time the Exchange Management Shell is opened, so it fills up rapidly and you will get errors unless you change the Event Log's configuration.  More interestingly, the entries in the "PowerShell" Event Log cannot be resolved against a message file, so no description can be presented.  A typical entry in this log looks like this:

Event Type:      Information
Event Source:      PowerShell
Event Category:      (4)
Event ID:      403
Date:            5/12/2007
Time:            2:45:55 AM
User:            N/A
Computer:      MYCOMPUTER
Description:
The description for Event ID ( 403 ) in Source ( PowerShell ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: Stopped, Available,       NewEngineState=Stopped
      PreviousEngineState=Available
      SequenceNumber=20
      HostName=Default MSH Host
      HostVersion=1.0.0.0
      HostId=2afe9b64-5601-4df3-8478-6efc5cf2c471
      EngineVersion=1.0.0.0
      RunspaceId=433e6992-c711-47a8-b732-728a45104767
      PipelineId=
      CommandName=
      CommandType=
      ScriptName=
      CommandPath=
      CommandLine=.

To resolve this issue, simply delete the following registry key, which removes the "PowerShell" Event Log:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\PowerShell

A reboot is required for the change to take effect.  Once the "PowerShell" log is deleted and the server is rebooted, the PowerShell events will flow into the "Windows PowerShell" Event Log without issue, and you will be able to properly view the description of the events.

Note, though, that updates or service packs for Exchange may recreate this Event Log, so check for it after any update and simply delete the registry key again if it reappears.
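The check-and-remove procedure above, written out as a PowerShell script.  This is an added example, not code from the original post: it tests for the registry key the post names, confirms the standard "Windows PowerShell" log is still registered before touching anything, exports the key to a backup file (the backup location under $env:TEMP is an assumption) so the change can be reverted with "reg import", and prompts before the deletion.  The last function is meant to be run after the reboot to confirm that events now carry a readable description.

```powershell
# Added example (not part of the original post).  Run from an elevated shell.
# The key path is the one given in the post; the backup file location is assumed.

$duplicateKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\PowerShell'
$standardKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Windows PowerShell'
$backupFile   = Join-Path $env:TEMP ('PowerShell-EventLog-key-{0}.reg' -f (Get-Date -Format 'yyyyMMddHHmmss'))

function Test-DuplicatePowerShellLog {
    # Returns $true when the Exchange-created "PowerShell" log is registered.
    # Re-run this after every Exchange update or service pack.
    Test-Path -Path $duplicateKey
}

function Remove-DuplicatePowerShellLog {
    if (-not (Test-Path -Path $standardKey)) {
        Write-Warning 'The "Windows PowerShell" log is not registered; not removing anything.'
        return
    }
    if (-not (Test-DuplicatePowerShellLog)) {
        Write-Host 'No duplicate "PowerShell" event log found.'
        return
    }

    # Export the key first so the change can be reverted with "reg import <file>".
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\PowerShell' $backupFile | Out-Null
    Write-Host "Registry key backed up to $backupFile"

    # Remove the key; -Confirm prompts before the deletion actually happens.
    Remove-Item -Path $duplicateKey -Recurse -Confirm
    Write-Host 'A reboot is required before the change takes effect.'
}

function Test-PowerShellEventsAfterReboot {
    # After the reboot, engine lifecycle events (such as ID 403) should appear in
    # "Windows PowerShell" with a real description rather than the
    # "The description for Event ID ... cannot be found" text.
    $recent = Get-EventLog -LogName 'Windows PowerShell' -Newest 5
    foreach ($entry in $recent) {
        $readable = $entry.Message -notmatch 'cannot be found'
        '{0,-6} {1,-12} readable={2}' -f $entry.EventID, $entry.EntryType, $readable
    }
}

# Usage: check, remove with confirmation, reboot, then run the verification.
if (Test-DuplicatePowerShellLog) { Remove-DuplicatePowerShellLog }
else { Write-Host 'Duplicate "PowerShell" log not present.' }
```

Test-DuplicatePowerShellLog on its own is a convenient post-update check: it touches nothing and simply reports whether the Exchange-created log has come back.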

2 comments:

Tony Dew said...

Awesome info; thanks!

I'd fixed this problem in the past, but couldn't remember how when it came back...

Simon Burnand said...

I had fixed this once, but it came back and broke the backups. The server could not back up the System State. It failed every time with:
------
Volume shadow copy creation: Attempt 1.
"Event Log Writer" has reported an error 0x800423f4. This is part of System State. The backup cannot continue.

Error returned while creating the volume shadow copy:800423f4
Aborting Backup.
------
I deleted the Event Log \PowerShell key again and the System State backup now works again.