Windows Server – System Channel Event ID Error 36888

July 28, 2020

When your event viewer is flooded by the Channel Event ID 36888 alerts.



Turn this off by changing the registry key value :


From 1 to 0



MS SQL Server – Error SQLWRITER Event ID 24581

May 29, 2020

When you see this event appearing after a backup has run.

Event ID 24581 SQLWRITE Error SQL Server Instance XXX is empty.


It means that you have not granted permission to the account


Solutions :

Grant SYSADMIN access to NT AUTHORITY\System Account

Use this command :


Or open the SSMS and add the ROLE SYSADMIN to the user NT AUTHORITY\System Account



Windows Server 2019 – Hyper-V VMMS Errors Event ID 19100

March 25, 2020

On the internet I found this nice visual that helps to understand the Hyper-V and Backup Infrastructure.


After we installed Hyper-V on a new Windows Server 2019, everything seemed to be running OK.

But apparently after the 1st backup there were a lot of errors in the Event Viewer with ID 19100.

Error 0x8007052F


After that point no backups would run anymore, until the Hyper-V host was restarted.

Next backup cycle, the same story.

So I checked the VSS writer to see if all was OK. But I saw that there was an error reported?

Microsoft Hyper-V VSS writer : Unexpected Error ?


So that did not help a lot ?

Next I ran some VSS diagnostics apps, but no errors found ?

VSSDoctor :


VssDiag :


Everything pointed out to be OK, but it was not …

Solution :

Conclusion was that this could be nothing else than a permission issue.

So I ran the Resultant Set of Policy – rsop.msc


I noticed that some policies were overruled by a Domain Policy, so I started cleaning up.

But still no success, until I noticed the local Log on as a service policy; again, I cleaned this one up.

And checked the local Policy settings for this policy using SecPol.msc


I noticed that the ‘NT VIRTUAL MACHINE\Virtual Machines’ was not in there ?

After adding the NT VIRTUAL MACHINE\Virtual Machines to the LOCAL Policy ‘Allow run as a Service’

All Backup problems were solved.


Make sure the Hyper-V Guest Integration Services and the Backup (Volume Shadow Copy) are active as well


And the CheckPoints are set like this


See also here :

Enjoy !
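The check described above can also be scripted. This is an added example, not code from the original post: it parses a `secedit` user-rights export and reports whether the Hyper-V "Virtual Machines" group holds the Log on as a service right (`SeServiceLogonRight`). The function names, the sample policy lines and the `CONTOSO\svc-backup` account are constructed for illustration.

```powershell
# Added example (not from the original post).
# S-1-5-83-0 is the well-known SID of NT VIRTUAL MACHINE\Virtual Machines.
$VmGroupSid = 'S-1-5-83-0'

function Get-ServiceLogonRightHolders {
    param([string[]]$InfLines)
    # secedit writes one line per right, e.g.
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-83-0,CONTOSO\svc-backup
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Test-VmGroupHasServiceLogon {
    param([string[]]$InfLines)
    $holders = Get-ServiceLogonRightHolders -InfLines $InfLines
    # secedit normally emits SIDs, but names can appear, so accept both forms.
    [bool]($holders | Where-Object {
        $_ -eq $VmGroupSid -or $_ -eq 'NT VIRTUAL MACHINE\Virtual Machines'
    })
}

# Constructed sample: a domain GPO replaced the local list and dropped the VM group.
$sampleOverruled = @(
    '[Privilege Rights]'
    'SeServiceLogonRight = *S-1-5-80-0,CONTOSO\svc-backup'
)
# Constructed sample: the state after the VM group was added back.
$sampleFixed = @(
    '[Privilege Rights]'
    'SeServiceLogonRight = *S-1-5-80-0,*S-1-5-83-0,CONTOSO\svc-backup'
)

"Overruled sample has the right: $(Test-VmGroupHasServiceLogon $sampleOverruled)"
"Fixed sample has the right:     $(Test-VmGroupHasServiceLogon $sampleFixed)"

# On a real host (elevated prompt), export the effective user rights and test them:
# $cfg = Join-Path $env:TEMP 'user-rights.inf'
# secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# Test-VmGroupHasServiceLogon (Get-Content $cfg)
```

Running the live check after each `gpupdate` shows whether a domain policy has overwritten the local setting again.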

Windows Server 2019 – Error DCOM Event ID 10000

March 19, 2020

On a Hyper-V Guest you might see the Event Id 10000 DCOM error


Vdsldr.exe is a “Virtual Disk service loader”

This event looks very similar to the DCOM Error Event ID 10016 ?

See here for more info.

I go and open the registry to look for the GUID {9C38ED61-D565-4728-AEEE-C80952F0ECDE}


Also make note of the AppID GUID {5364ED0E-493F-4B16-9DBF-AE486CF22660}

Use the Reg Query command to check it :

reg query "HKEY_CLASSES_ROOT\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}" /ve
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{5364ED0E-493F-4B16-9DBF-AE486CF22660}" /ve



1. Open the Component Services Manager using the DCOMCNFG command

And look for Virtual Disk Service Loader


Next check the AppId GUID is matching the one in the Event Viewer


This is the one we found in the registry.

2. Check the Security for this DCOM App

Go to the Security Tab to see who has access…


Hmm the buttons are greyed out !

That is the reason why we get errors reported… !


Note that on the AppID GUID key the permission is set to TrustedInstaller.

As with the 10016 Event Errors, you can fix the restricted access the same way.

3. Fix the Access

First, in the Registry, you need to change the OWNER of the RegKeys to the Administrator instead of the TrustedInstaller,

and set the Administrator to have FULL CONTROL


If this still does not help go back to the DCOMCNFG and add Full Control for the

Administrator to the LAUNCH and ACTIVATION Permissions



Windows 2019 – SceCli Error Event ID 1202

March 18, 2020

When you see this Event ID 1202, follow this procedure to fix it.


Follow the steps as indicated in the Event Viewer :


Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.

Advanced help for this problem is available on Query for “troubleshooting 1202 events”.

Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. 

This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO.  To resolve this event, contact an administrator in the domain to perform the following actions:

1.    Identify accounts that could not be resolved to a SID:

From the command prompt, type: FIND /I “Cannot find”  %SYSTEMROOT%\Security\Logs\winlogon.log

The string following “Cannot find” in the FIND output identifies the problem account names.

Example: Cannot find JohnDough.

In this case, the SID for username “JohnDough” could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. “JohnDoe”).

2.    Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:

a.    Start -> Run -> RSoP.msc
b.    Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer
     Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.

c.    For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled “Source GPO”.
     Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.

3.    Remove unresolved accounts from Group Policy

a.    Start -> Run -> MMC.EXE
b.    From the File menu select “Add/Remove Snap-in…”
c.    From the “Add/Remove Snap-in” dialog box select “Add…”
d.    In the “Add Standalone Snap-in” dialog box select “Group Policy” and click “Add”
e.    In the “Select Group Policy Object” dialog box click the “Browse” button.
f.    On the “Browse for a Group Policy Object” dialog box choose the “All” tab
g.    For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2.
     These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.

If you run step 1 :

FIND /I "Cannot find"  %SYSTEMROOT%\Security\Logs\winlogon.log


You will find out easily which account entries are causing the errors.

Open the GPEDIT.msc again and remove the entries from the Domain or Local Policy


The Policy Editor will accept any kind of string that you enter.

If the account SID does not exist, it starts complaining with Event ID 1202
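Step 1 of the procedure above can be extended to re-test each reported name. This is an added example, not code from the original post: it extracts the names after "Cannot find" and asks Windows whether each one maps to a SID now. The function names and the sample log lines are constructed; only `JohnDough` and the log path come from the event text.

```powershell
# Added example (not from the original post).
function Get-UnresolvedPolicyAccount {
    param([string[]]$LogLines)
    # Same match as FIND /I "Cannot find": -match is case-insensitive.
    $LogLines |
        ForEach-Object {
            if ($_ -match 'Cannot find\s+(.+?)\.?\s*$') { $Matches[1].Trim() }
        } |
        Sort-Object -Unique
}

function Test-AccountResolves {
    param([string]$Name)
    try {
        # Translate() throws when no SID mapping exists for the name.
        $null = ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier])
        $true
    } catch {
        # Any failure to translate is reported as "does not resolve".
        $false
    }
}

# Constructed sample lines in the shape of winlogon.log entries.
$sampleLog = @(
    'Configure User Rights...'
    '    Cannot find JohnDough.'
    '    Cannot find CONTOSO\old.backup.svc.'
    '    Cannot find JohnDough.'
    'User Rights configuration was completed with one or more errors.'
)

Get-UnresolvedPolicyAccount -LogLines $sampleLog | ForEach-Object {
    [pscustomobject]@{
        Account  = $_
        Resolves = Test-AccountResolves -Name $_
    }
}

# Against the real log, replace the sample with:
# $sampleLog = Get-Content "$env:SystemRoot\Security\Logs\winlogon.log"
```

A name that still shows `Resolves = False` is one to remove or correct in the source GPO; a name that now resolves was fixed since the log entry was written.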


Windows Server 2019 – Hyper-V VMMS Errors Event ID 15300 – 19600 – 15010 – 16010

March 13, 2020

After restarting the Hyper-V manager or creating a new VM you can get these errors

Event ID 15300 & 19600 & 15010 & 16010 Errors


It took me some time to figure out what was causing this …


Open the Hyper-V Settings

The reason was an incorrect path in the Hyper-V settings


After correcting the PATH to the new destination, all was OK again.


Windows Server 2019 – Hyper-V Backup Error Event ID 19100 & Event ID 32

March 12, 2020

After running a backup of the Hyper-V Virtual Machines you might get this error Event ID 19100

“Either the component that raises this event is not installed on your local computer

or the installation is corrupted. You can install or repair the component on the local computer.”


1. I noticed that the Guest Services was not activated…


Make sure this is selected. A reboot of the VM might be needed.

If this is not fixed see the next steps

2. Run this PowerShell command

Get-VM | Format-List Name, ID


Check the Event ID 19600 error code details


As you can see the GUID is the same as the one returned from the PS command.

3. Run this ICACLS command using Admin Privileges

icacls <the path to the folder containing the VHDS files> /grant "NT VIRTUAL MACHINE\<VM ID from step 2>":(OI)F


See here for more details :


After this step it did not yet start !

I could not INSPECT the disk, there was always an error !


There are Event ID 32 reported !!



So I decided to stop the VM and next manually MERGE the checkpoints.

There were 4 in total in the chain


The MERGE operation did not go as planned either.

The first 3 were OK …. the last one did not want to merge !

It ended up in an error as well …


So you need to do this manually, 1 by 1, or use PowerShell…


Select the AVHDX file .


Select MERGE




It will end up in a new VHDX file …

But I could not connect it to the previous VM… ?

Once I DELETED the VM from the Hyper-V manager and created a NEW VM in a new Folder,

and connected the NEW MERGED VHDX to the new VM, all was OK.


Windows Server 2016 – How to Blacklist Public IP Addresses, Alert Event ID 20271

June 21, 2019

If you notice unauthorised access attempts on your network in your Event Viewer, reported as Event ID 20271 Remote Access, you can block the source addresses.





Create a BLACKLIST rule using Windows Firewall

Open Windows Firewall with Advanced Security by running wf.msc

On the left, select Inbound Rules, then under the Action menu, choose New Rule

On the Rule Type page, choose Custom.

On Program, choose “All programs”

On Protocol and Ports, leave the default of Any

On Scope, select “These IP addresses” in the remote addresses section and add the problematic IP address in the Add dialog

On Action, choose “Block the connection”


On Profile, leave the defaults of everything checked.


Finally, on Name give the rule a name like “Blacklisting”, and optionally a description.



See here on how to automate this using PowerShell Event Viewer Scanning & Firewall rules
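The wizard steps above can be reproduced from PowerShell. This is an added example, not the script the post links to: it counts failed Remote Access logons per source address and builds the same inbound block rule for repeat offenders. The threshold, the function names and the sample messages are constructed, and the "connected from … but failed" wording of the Event ID 20271 message is an assumption to verify against your own log.

```powershell
# Added example (not from the original post).
$Threshold = 3                 # assumption: failures before an address is blocked
$RuleName  = 'Blacklisting'    # rule name from the steps above

function Test-PrivateV4 {
    param([System.Net.IPAddress]$Ip)
    if ($Ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $Ip.GetAddressBytes()
    ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)
}

function Get-RepeatOffender {
    param([string[]]$Messages, [int]$MinFailures)
    $Messages |
        ForEach-Object { if ($_ -match 'connected from (\S+) but failed') { $Matches[1] } } |
        Where-Object {
            # Keep only well-formed addresses, and never block internal ranges.
            $ip = $null
            [System.Net.IPAddress]::TryParse($_, [ref]$ip) -and -not (Test-PrivateV4 $ip)
        } |
        Group-Object |
        Where-Object Count -ge $MinFailures |
        Select-Object -ExpandProperty Name
}

# Constructed sample messages (documentation address ranges).
$sample = @(
    1..3 | ForEach-Object { 'The user admin connected from 203.0.113.45 but failed an authentication attempt.' }
    1..4 | ForEach-Object { 'The user test connected from 192.168.1.20 but failed an authentication attempt.' }
    'The user bob connected from 198.51.100.7 but failed an authentication attempt.'
)

$bad = @(Get-RepeatOffender -Messages $sample -MinFailures $Threshold)
"Addresses to block: $($bad -join ', ')"

if ($bad.Count -gt 0) {
    # -WhatIf previews the rule; remove it (elevated prompt) to create the rule.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $bad -Profile Any -WhatIf
}

# Live input instead of the sample:
# $sample = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20271 } |
#     ForEach-Object Message
```

The private-range filter keeps a misconfigured internal client from being locked out by its own failed logons.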

1. First check if the DENY property is set on your DHCP server



If not you can activate it like this

Set-DhcpServerv4FilterList -ComputerName "YourDHCPServer" -Allow $False -Deny $True

Next you can list all IP’s


And check if they exist as blocked.


If you need to add extra you can use this Cmd

Add-DhcpServerv4Filter -List Deny -MacAddress "F0-DE-F1-7A-00-5E" -Description "iphone 09"


See here on how to Blacklist based on MAC Address


Safety First …

Done !

Write cache enabled Event ID 32 Error

March 11, 2019

After physical to Virtual conversion, we get this event ID 32 Error on a regular basis..


The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

Solution :

See here :
Turn Disk Write Caching On or Off
  1. Right-click My Computer, and then click Properties.
  2. Click the Hardware tab, and then click Device Manager.
  3. Expand Disk Drives.
  4. Right-click the drive on which you want to turn disk write caching on or off, and then click Properties.
  5. Click the Policies tab.
  6. Click to select or clear the Enable write caching on the disk check box as appropriate.
  7. Click OK.
For Windows Server 2008
  1. Right-click Computer, and then click Properties.
  2. Click the Device Manager link under Tasks.
  3. Expand Disk Drives.
  4. Right-click the drive on which you want to turn disk write caching on or off, and then click Properties.
  5. Click the Policies tab.
  6. Click to select or clear the Enable write caching on the disk check box as appropriate.
  7. Click OK.

To find out the DISK number relation use this SysInternal tool, diskext.exe :


\Device\Harddisk0\DR0 = C drive

If you see the yellow exclamation mark saying you are not allowed to change the caching …


See here for more Information :


Windows Server 2016 – CleanUp Stale Devices – DeviceSetupManager Event ID 121

February 1, 2019

How to cleanup stale devices on your servers …

On one of our servers that is running as a Hyper-V Host and using a non windows backup software to backup the VM’s I see a lot of VSS copies hanging around …. ?

When looking at the HIDDEN devices


I saw a lot of Generic volume Shadow Copies

See here to know why this occurs


And as well INACTIVE Storage volumes


To know why this is happening, see here

Solution :

1. CleanUp all stale devices and registry related entries

Download the DriveCleanup Tool here


You can run this command to run in TEST MODE

drivecleanup -t > dc-output.txt

You can see this detailed output


In my case it suggests these entries to be removed.


I could see a clear relationship between the Event ID 121 Errors and output of the drivecleanup tool



To delete the stale devices and Registry Keys you need to use the Admin Privileges

Make sure you have good backups before removing anything !

2. Remove all VSS copies

Run this command to cleanup

vssadmin list shadows

vssadmin delete shadows /all

Check again the Event logs after the next backups.

And in my case all disk errors were gone.

Enjoy !