afokkema Windows

Event ID: 7001 VSS


image

After extending a VMDK file from a Windows file server. The following Event ID entered the Application log:

image

In the print screen above, you see a VSSVolumeGUID. You can check with the vssadmin command which volumes are active.

Open a command prompt en run the commando: vssadmin list volumes

image

As you can see in the previous print screen, the volume \\?\Volume{df695619-3a35-11de-a195-806e6f6e6963}\ doesn’t exist anymore.

So how can I remove this error? The solution is simple, open the Scheduled Tasks folder in the Control Panel and remove the ShadowCopyVolume task with the VSSVolumeGUID that doesn’t exist anymore.

image

Source: KB833779

Advertisement
afokkema Windows

Windows: Export and Analyze the Windows Eventlog


 

Aleks over at http://www.virtualistic.nl has posted a nice article about exporting the Windows eventlogs to a central share on the network via a scheduled job.

Since I reboot my Terminal Servers every day, I’ve made saving the eventlogs a part of my daily reboot script.

First off, download the tools DUMPEVT, LOGEVENT  and PSLOGLIST (=optional, you can also use DUMPEVT to clear the logs). These tools will help us save the logfiles, clear the logfiles and tell the eventlog what we’re doing.

My rebootscript is written in kixscript but this is up to you. (use cmd, vbscript or powershell if you know how).

A little chunk of the script looks like this (click).

The following things happen in this example:
1) A directory is created to save the logfiles (YEAR-MONTH-DAY)
2) We then use DUMPEVT to save the System, Application and the Security logs and save that to the location specified in step 1
3) PSLogList is used to clear the eventlogs we saved in step 2
4) Then we use LogEvent to log that we cleared the logs (are u still there?)
If everything went smoothly you should see this list at the fileserver location where the eventlogs have been stored.

I asked Aleks which tool he used for analyzing his evelogs.csv files. He came up with the tool Ultraedit and I must say, it works fantastic but I wanted to see if there where more options. First I wanted to analyze the logfiles with Powershell but this was too heavy for me (at the moment 😉 ). A couple of days ago I saw the tool called BareGrep.exe. This is grep (linux command) with a Windows gui. Baregrep is a single executable, so you don’t have to install anything.

After downloaden BareGrep.exe just double click to start the tool. Select the options you want to use, enter the folder/path and the final step, enter your keyword(s) and press return.

image 

After a couple of seconds, depends on how much logfiles you want to search in. You’ll see the following output in BareGrep:

image

You can open the specific file with a double click on the line.

Conclusion: you can build a central store for al the eventlogs and analyze these files with different tools. I like BareGrep for this job, because it’s free, a single file, and easy to use.