ETW provider security – fix event id 30

In February 2016, Robin ten Berge posted the following on the PM.org mailing list:



The whole thread is archived here

I’ve also encountered this behavior (2 events) after rebooting and having patched 2012 R2 Hyper-V servers.
The event logging service encountered an error (5) while enabling publisher {0bf2fb94-7b60-4b4d-9766-e82f658df540} to channel Microsoft-Windows-Kernel-ShimEngine/Operational. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

I was also able to reproduce the error by just enabling and disabling the Microsoft-Windows-Kernel-ShimEngine/Operational log when the server is running 🙂

To fix it, my Google-fu found this: http://www.geoffchappell.com/studies/windows/win32/services/scm/events/diagnostic.htm and I just added LOCAL SERVICE as suggested.

Here are the steps I used to fix it:

  • Launch an elevated perfmon: C:\windows\system32\perfmon.exe
  • Expand ‘Data Collector Sets’
  • Expand ‘Event Trace Sessions’
  • Right-click ‘Eventlog-System’ running session and click ‘Properties’
  • In the ‘Trace providers’ list, scroll down to ‘Microsoft-Windows-Kernel-ShimEngine’ and select it.
  • Click on the ‘Security’ button next to it
  • Click ‘Add’, type ‘LOCAL SERVICE’, click ‘Check Names’ (adjust the location if required)
  • Untick all permissions and just leave TRACELOG_GUID_ENABLE
  • Just click the ‘Apply’ button in the ‘Security settings for this ETW trace provider’ dialog
  • You don’t need to click the ‘Apply’ or ‘OK’ button in the parent (Eventlog-System properties) window, or you’ll get an ‘Access Denied’ error (this is normal: you are not allowed to modify a running trace)
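
To confirm the result without reopening perfmon, the provider's stored security descriptor can be read back and checked for the LOCAL SERVICE entry. This is an added example, not part of the original post: it assumes the descriptor is persisted as a binary value named after the provider GUID under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security, and the function names are hypothetical.

```powershell
# Added example (not from the original post): read-only check of the provider's DACL.
# Assumption: the descriptor is stored as a binary value named after the provider GUID
# under the key below. Function names are hypothetical.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Security'
$ProviderGuid = '0bf2fb94-7b60-4b4d-9766-e82f658df540'   # publisher GUID from the event text
$LocalServiceSid = 'S-1-5-19'                             # NT AUTHORITY\LOCAL SERVICE
$TRACELOG_GUID_ENABLE = 0x0080

function Get-EtwDaclEntry {
    # Lists each simple ACE in a self-relative security descriptor and flags
    # whether its access mask contains TRACELOG_GUID_ENABLE.
    param([byte[]]$SdBytes)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $SdBytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        [pscustomobject]@{
            Sid       = $ace.SecurityIdentifier.Value
            Type      = $ace.AceType
            Mask      = '0x{0:X4}' -f $ace.AccessMask
            EnableBit = [bool]($ace.AccessMask -band $TRACELOG_GUID_ENABLE)
        }
    }
}

function Test-LocalServiceCanEnable {
    # True only when an explicit allow ACE for LOCAL SERVICE carries the enable bit.
    # Deny ACEs and rights inherited through group SIDs are not evaluated here.
    param([byte[]]$SdBytes)
    $hit = Get-EtwDaclEntry $SdBytes | Where-Object {
        $_.Sid -eq $LocalServiceSid -and $_.Type -eq 'AccessAllowed' -and $_.EnableBit
    }
    [bool]$hit
}

# Live check on the affected server (run elevated).
$raw = (Get-ItemProperty -Path $Key -Name $ProviderGuid -ErrorAction SilentlyContinue).$ProviderGuid
if ($raw) {
    Get-EtwDaclEntry $raw | Format-Table -AutoSize | Out-String
    "LOCAL SERVICE has an explicit enable ACE: $(Test-LocalServiceCanEnable $raw)"
} else {
    "No stored descriptor found for $ProviderGuid under $Key"
}

# Constructed sample descriptor (SDDL built for this example) so the parsing
# can be exercised on a machine that does not have the provider entry.
$sample = New-Object System.Security.AccessControl.RawSecurityDescriptor 'O:BAG:BAD:(A;;0x80;;;LS)'
$bytes = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
"Constructed sample result: $(Test-LocalServiceCanEnable $bytes)"
```

An entry for S-1-5-19 whose mask is wider than 0x0080 means more than TRACELOG_GUID_ENABLE was left ticked in the dialog.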

5 thoughts on “ETW provider security – fix event id 30”

  1. Many thanks for sharing this Robin. I’m impressed you were able to glean this solution from the geoffchappell.com post!

  2. Pingback: June Update Causes EventLog Error 30 | MCB Systems
