Geoff Chappell - Software Analyst
Events that SERVICES.EXE writes to the System log are most easily identified in the Event Viewer as the ones whose source is listed as Service Control Manager Eventlog Provider. However, that is just a localised friendly name, as picked up from a manifest. The formal name of the event provider itself is just Service Control Manager. This is what’s stored in the registry. It is what you will see on the Details tab for an event in the Event Viewer, and it is the name you need if controlling this provider through such tools as WEVTUTIL or the Reliability and Performance Monitor.
|Provider Name:||Service Control Manager|
|Symbolic Name for GUID:||S_Service_Control_Manager|
Events from this provider get to the System log in the Event Viewer because Windows is set up so that the registry has this provider already configured as a publisher to the Eventlog-System session.
It may be as well to explain here that when SERVICES fires these events to the System log, it is not a manifest-based provider despite coming with an instrumentation manifest, nor is it exactly what the documentation refers to as a classic provider. The way it fires events is a little exotic. Early versions are straightforward users of the functions that Microsoft documents for Event Logging, such as RegisterEventSource and ReportEvent, but there was a significant recoding for Windows XP. SERVICES is nowadays a Windows Management Instrumentation (WMI) event provider, and specifically a decoupled non-COM provider. The non-COM aspect is undocumented. Indeed, the page Provider Hosting and Security from the Windows SDK states explicitly that the Decoupled:Noncom hosting model is “for internal use only” and is “not supported”. SERVICES is one of its very few users. It relies on undocumented functions such as WmiEventSourceConnect, WmiCreateObjectWithFormat and WmiSetAndCommitObject that are implemented in NCOBJAPI.DLL.
The WMI provider in SERVICES calls itself the SCM Event Provider, in the root\cimv2 namespace. Aside from using the non-COM API, delivery into the event log is as straightforward as for any WMI event provider. Each possible event is a managed object and is represented by a WMI class. Parameters that can be passed with the event are represented as members of the class. The name of the class and the names of the parameters are hard-coded in SERVICES, which registers them at run-time with WMI. The mapping of these managed objects to Windows events depends on matching their names with definitions that have been compiled into the WMI repository from a source file named SCM.MOF (supplied in the WBEM subdirectory of the Windows system directory).
By contrast, consumption of these events in Windows Vista is bang up-to-date. Presentation in the Event Viewer depends on definitions in an instrumentation manifest, which Microsoft supplies as an <instrumentation> block within the manifest that represents SERVICES as an assembly. Refer to the separate note about SERVICES Versions for the name and location. The instrumentation manifest is also compiled into the SERVICES resources, as WEVT_TEMPLATE.
That these events are provided through MOF files but consumed through manifests turns out to have practical consequence, albeit very slight: as shown below, an error in the MOF file means that two events become one. Presumably, this has not confused anyone, else Microsoft might have corrected it by now.
Another consequence, but one which is noted only for completeness, is that the symbolic name for the provider GUID, as given in the manifest, is not actually used in the SERVICES code.
The large table that follows lists all the events that SERVICES registers with WMI for firing to the System log (not that this necessarily means that all these events actually can occur). Descriptions are reproduced from the relevant manifest and message-table resource in the SERVICES executable. Since the instrumentation manifest names the parameters only as param1, param2, etc, placeholders in the descriptions are instead resolved below from definitions in the SERVICES code and in SCM.MOF.
|7000||Error||The Service service failed to start due to the following error:
|7001||Error||The Service service depends on the DependedOnService service which failed to start because of the following error:
|7002||Error||The Service service depends on the Group group and no member of this group started.|
|7003||Error||The Service service depends the following service: NonexistingService. This service might not be installed.|
|7005||Error||The FunctionName call failed with the following
|7006||Error||The FunctionName call failed for Argument with the following error:
|7007||Error||The system reverted to its last known good configuration. The system is restarting....|
|7008||Error||No backslash is in the account name. The account name must be in the form domain\user.|
|7009||Error||A timeout was reached (Milliseconds milliseconds) while waiting for the Service service to connect.|
|7010||Error||A timeout was reached (Milliseconds milliseconds) while waiting for ReadFile.|
|7011||Error||A timeout was reached (Milliseconds milliseconds) while waiting for a transaction response from the Service service.|
|7012||Error||The message returned in the transaction has incorrect size.|
|7013||Error||Logon attempt with current password failed with the following error:
|7015||Error||Boot-start or system-start driver (Driver) must not depend on a service.|
|7016||Error||The Service service has reported an invalid current state State.|
|7017||Error||Detected circular dependencies demand starting Service. Check the service dependency tree.|
|7018||Error||Detected circular dependencies auto-starting services. Check the service dependency tree.|
|7019||Error||The Service service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.|
|7021||Error||About to revert to the last known good configuration because the Service service failed to start.|
|7022||Error||The Service service hung on starting.|
|7023||Error||The Service service terminated with the
|7024||Error||The Service service terminated with service-specific error Error|
|7026||Error||The following boot-start or system-start driver(s) failed to load: DriverList|
|7028||Error||The Registry key RegistryKey denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.|
|7030||Error||The Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.|
|7031||Error||The Service service has terminated unexpectedly. It has done this TimesFailed time(s). The following corrective action will be taken in ActionDelay milliseconds: Action.|
|7032||Error||The Service Control Manager tried to take a corrective action (Action) after the unexpected termination of the Service service but this action failed with the following error:
|7034||Error||The Service service terminated unexpectedly. It has done this TimesFailed time(s).|
|7035||Information||The Service service was successfully sent a Control control.|
|7036||Information||The Service service entered the Control state.|
|7037||Error||The Service Control Manager encountered an error undoing a configuration change to the Service service. The service's ConfigField is currently in an unpredictable state. If you do not correct this configuration, you may not be able to restart the Service service or may encounter other errors. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).|
|7038||Error||The Service service was unable to log on as Account with the currently configured password due to the following error:
To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
|7039||Warning||A service process other than the one launched by the Service Control Manager connected when starting the Service service.
The Service Control Manager launched process ExpectedPID and process ActualPID connected instead.
Note that if this service is configured to start under a debugger, this behavior is expected.
|7040||Information||The start type of the Service service was changed from OldStartType to NewStartType.|
|7041||Error||The Service service was unable to log on as Account with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Domain and account: Account
This service account does not have the required user right "Log on as a service."
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
|7042||Information||The Service service was successfully sent a Control control.
The reason specified was Reason [ReasonText]
|7043||Error||The Service service did not shut down properly after receiving a preshutdown control.|
|7044||Warning||The following service is taking more than StartupTime minutes to start and may have stopped responding:
Contact your system administrator or service vendor for approximate startup times for this service.
If you think this service might be slowing system response or logon time, talk to your system administrator about whether the service should be disabled until the problem is identified.
You may have to restart the computer in safe mode before you can disable the service.
Event 7019 is unusual in that it originates in SERVICES.EXE as two distinct events. (The WMI class names are MSFT_NetDependOnLaterService and MSFT_NetDependOnLaterGroup.) That SCM.MOF translates them both to 7019 looks to be an editing error. The latter would better translate to 7020, which is indeed what the manifest gives as the value for the event that it represents as EVENT_DEPEND_ON_LATER_GROUP. The obvious experiment of setting a service’s DependOnGroup to name a later-loading group does indeed produce event 7019 instead of 7020, confirming that these events are delivered into the event log classically, i.e., using MOF files rather than a manifest.
In the description given above for event 7036, the second placeholder is reproduced correctly as Control, though clearly it does not stand for a control but a status. See the SCM.MOF entry for MSFT_NetServiceStatusSuccess. The grammatical error in the description of event 7003 is also reproduced from Microsoft.
A few events have parameters that are not used for the descriptions. Events 7031 and 7032 have an ActionType, as the fourth and first parameter respectively. Events 7035, 7040 and 7042 each have a sid as the last parameter. Event 7041 has an Error as the last parameter, but it can only be 0x0569 (ERROR_LOGON_TYPE_NOT_GRANTED), else the event would have been 7038.
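Because the manifest names event data only as param1, param2, etc, anyone triaging exported System-log events has to re-attach the meaningful names by position. The following is an added example, not code from the original page or from Microsoft: it filters exported event XML on the formal provider name and renames the parameters of events 7031, 7039 and 7040. The parameter order is an assumption (description order, with ActionType and sid at the positions given above), and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Service Control Manager"  # formal name, not the friendly one

# Names for param1..paramN. Assumption: description order, with the
# undisplayed parameters (ActionType, sid) at the positions the text gives.
PARAMS = {
    7031: ["Service", "TimesFailed", "ActionDelay", "ActionType", "Action"],
    7039: ["Service", "ExpectedPID", "ActualPID"],
    7040: ["Service", "OldStartType", "NewStartType", "sid"],
}

# Constructed sample: System-log events exported as XML inside a root element.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Service Control Manager"/><EventID>7040</EventID></System>
 <EventData><Data Name="param1">Example Service</Data>
  <Data Name="param2">demand start</Data><Data Name="param3">auto start</Data>
  <Data Name="param4">S-1-5-18</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Service Control Manager"/><EventID>7039</EventID></System>
 <EventData><Data Name="param1">Example Service</Data>
  <Data Name="param2">1234</Data><Data Name="param3">5678</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Some Other Provider"/><EventID>7040</EventID></System>
 <EventData><Data Name="param1">ignored</Data></EventData></Event>
</Events>"""


def decode(xml_text):
    """Return one dict per SCM event, with param1..N renamed per PARAMS."""
    records = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        system = event.find("e:System", NS)
        if system.find("e:Provider", NS).get("Name") != PROVIDER:
            continue  # same event ID from another provider means something else
        event_id = int(system.find("e:EventID", NS).text)
        names = PARAMS.get(event_id, [])
        record = {"EventID": event_id}
        for i, data in enumerate(event.findall("e:EventData/e:Data", NS)):
            # Fall back to the manifest's own paramN name when unmapped.
            key = names[i] if i < len(names) else data.get("Name", f"param{i + 1}")
            record[key] = data.text or ""
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in decode(SAMPLE):
        print(rec)
```

Events with no entry in `PARAMS` keep their param1..paramN names, so the table can be extended one event at a time as each ordering is confirmed against SCM.MOF.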
For several events, comments in SCM.MOF suggest descriptive text that is slightly different (and sometimes very different) from what is shown above. They are just comments. What counts for display in the Event Viewer is what’s found in the manifest. That said, the manifest and the message-table resource in SERVICES.EXE both provide the following messages for IDs which SERVICES.EXE cannot ever fire as events and which SCM.MOF does not translate. Except for 7020, as discussed above, they are perhaps obsolete.
|7014||Second logon attempt with old password also failed with the following error:
|7020||The Service service depends on a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.|
|7025||At least one service or driver failed during system startup. Use Event Viewer to examine the event log for details.|
|7027||Windows could not be started as configured. Starting Windows using a previous working configuration.|
|7029||Service Control Manager %0|
|7033||The Service Control Manager did not initialize successfully. The security configuration server (scesrv.dll) failed to initialize with the following error Error. The system is restarting...|